This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Please read our Contribution Guide.

Table of Contents

• Description
• This is a SIMP module
• Setup
  • What simp_openldap affects
• Using simp_openldap
  • As a client
  • As a server
• Advanced configuration
• Limitations
• Development
  • Acceptance tests

Description

This module provides a SIMP-oriented profile for configuring OpenLDAP server and client components.

See REFERENCE.md for API documentation.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Please read our Contribution Guide

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

• When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.

• If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the simp-simp_options module for details.

Setup

What simp_openldap affects

• Installs LDAP client applications for interacting with an LDAP server
• Installs and configures OpenLDAP for TLS-enabled communication using both legacy TLS and STARTTLS
• Provides access control capabilities

NOTE: As a convenience, this module will configure /root/.ldaprc with global variables that facilitate LDAP client communication, only if the file does not already exist. This behavior prevents the module from modifying any custom configuration you have created, but also means the file will not be updated when you make module configuration changes that would result in different /root/.ldaprc content (e.g., enable/disable use of TLS, change the TLS certificate filenames, or change the root directory for TLS certificates). You must remove /root/.ldaprc and run puppet to pick up the changes.

Using simp_openldap

As a client

To use this module for an LDAP client system, just include the class:

include 'simp_openldap'

As a server

To use the module to configure an LDAP server, include the following:

include 'simp_openldap::server'

This will configure a server with TLS and STARTTLS enabled. It will also populate the directory with a basic LDAP schema suitable for UNIX-system logins.

To configure the password policy, you will also need to include the simp_openldap::slapo::ppolicy class PRIOR TO INITIAL CONFIGURATION. Once the LDAP server has been configured, it will not update any data inside of the LDAP server itself, only the surrounding configuration.

For additional information, please see the SIMP Documentation.

Advanced configuration

It is possible to configure most aspects of the OpenLDAP server through this module. However, this gets complex quickly. The SIMP Documentation has some examples. Additional examples can be found in the acceptance tests.

Limitations

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

Development

Please see the SIMP Contribution Guidelines.

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle install
bundle exec rake beaker:suites

Please refer to the SIMP Beaker Helpers documentation for more information.

Some environment variables may be useful:

BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes

• BEAKER_debug: show the commands being run on the STU and their output.
• BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
• BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
• BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests to run on isolated networks.

Reference

Table of Contents

Classes

Public Classes

• simp_openldap: Provides the base configuration necessary for an OpenLDAP client or server.
• simp_openldap::client: Install the openldap-clients package and configure global options
• simp_openldap::server: Set up an OpenLDAP server
• simp_openldap::slapo::lastbind: Configures lastbind and set up a dynamic include that defines lastbind.
• simp_openldap::slapo::ppolicy: Configure the password policy for a site
• simp_openldap::slapo::syncprov: Allow other LDAP servers to synchronize with this one

Private Classes

• simp_openldap::server::conf: Configures the brunt of the /etc/openldap configuration files
• simp_openldap::server::conf::default_ldif: Allows for the modification of the default LDIF entries in
• simp_openldap::server::fix_bad_upgrade: Workaround upgrade issues
• simp_openldap::server::install: Install the required packages
• simp_openldap::server::service: Manage the OpenLDAP service

Defined types

• simp_openldap::server::access: Manage access control entries in slapd.access
• simp_openldap::server::dynamic_include: Add a dynamically included file into the LDAP system.
• simp_openldap::server::limits: Manage limits sections under the main database
• simp_openldap::server::syncrepl: Configures the syncrepl functionality of OpenLDAP which allows

Data types

• Simp_Openldap::LogLevel: OpenLDAP Log Levels
• Simp_Openldap::SlapdConf::Disallow: OpenLDAP slapd.conf disallow

Classes

simp_openldap

Further configuration can be made via the simp_openldap::client and simp_openldap::server classes.

Parameters

The following parameters are available in the simp_openldap class:

• ldap_uri
• base_dn
• bind_dn
• ldap_master
• is_server
• pki
• app_pki_external_source
• app_pki_dir
• app_pki_key
• app_pki_cert
• app_pki_ca_dir
• app_pki_crl

ldap_uri

Data type: Array[Simplib::URI]

It is recommended that you make the master the last entry in this array

Default value: simplib::lookup('simp_options::ldap::uri', { 'default_value' => undef })

base_dn

Data type: String

The base DN of the LDAP entries

Default value: simplib::lookup('simp_options::ldap::base_dn', { 'default_value' => simplib::ldap::domain_to_dn() })

bind_dn

Data type: String

The user that should be used to bind to the LDAP server

Default value: simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => sprintf('cn=hostAuth,ou=Hosts,%s', simplib::ldap::domain_to_dn()) })

ldap_master

Data type: Simplib::URI

The LDAP Master server

• Will default to the last entry in ldap_uri if not set
• Only applicable for LDAP server configuration when chain overlay is enabled

Default value: simplib::lookup('simp_options::ldap::master', { 'default_value' => $ldap_uri[-1] })

is_server

Data type: Boolean

Set this if you want to create an OpenLDAP server on your node

Default value: false

pki

Data type: Variant[Boolean, Enum['simp']]

• If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/openldap/x509
• If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/openldap/x509
• If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  • app_pki_dir
  • app_pki_key
  • app_pki_cert
  • app_pki_ca
  • app_pki_ca_dir

Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })

app_pki_external_source

Data type: String

• If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.

• If pki = false, this variable has no effect.

Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })

app_pki_dir

Data type: Stdlib::Absolutepath

This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/openldap/x509.

Default value: '/etc/pki/simp_apps/openldap/x509'

app_pki_key

Data type: Stdlib::AbsolutePath

Path and name of the private SSL key file.

Default value: "${app_pki_dir}/private/${facts['networking']['fqdn']}.pem"

app_pki_cert

Data type: Stdlib::AbsolutePath

Path and name of the public SSL certificate.

Default value: "${app_pki_dir}/public/${facts['networking']['fqdn']}.pub"

app_pki_ca_dir

Data type: Stdlib::AbsolutePath

Path to the CA.

Default value: "${app_pki_dir}/cacerts"

app_pki_crl

Data type: Optional[Stdlib::Absolutepath]

Path to the CRL file.

Default value: undef

simp_openldap::client

for accessing the LDAP servers.

• See also
  • ldap.conf(5)
    • for details.

Parameters

The following parameters are available in the simp_openldap::client class:

• uri
• base_dn
• bind_dn
• deref
• referrals
• sizelimit
• timelimit
• use_tls
• app_pki_key
• app_pki_cert
• app_pki_ca_dir
• app_pki_crl
• strip_128_bit_ciphers
• tls_cipher_suite
• tls_crlcheck
• tls_reqcert
• openldap_clients_ensure
• nss_pam_ldapd_ensure

uri

Data type: Array[Simplib::URI]

LDAP servers

Default value: $simp_openldap::ldap_uri

base_dn

Data type: Optional[String]

The base DN of the LDAP entries

Default value: $simp_openldap::base_dn

bind_dn

Data type: String[1]

The user that should be used to bind to the LDAP server

Default value: $simp_openldap::bind_dn

deref

Data type: Enum['never','searching','finding','always']

How alias dereferencing is done when performing a search

Default value: 'never'

referrals

Data type: Enum['on','off']

Whether the client should automatically follow referrals returned by LDAP servers

Default value: 'on'

sizelimit

Data type: Integer

Size limit (number of entries) to use when performing searches

Default value: 0

timelimit

Data type: Integer

Time limit (in seconds) to use when performing searches

Default value: 15

use_tls

Data type: Variant[Enum['simp'],Boolean]

Use TLS when connecting to the ldap server. By default this will mirror simp_options::pki, but needs to be distinct as the client and server configurations could vary.

Default value: $simp_openldap::pki

app_pki_key

Data type: Stdlib::Absolutepath

Path and name of the private SSL key file

Default value: $simp_openldap::app_pki_key

app_pki_cert

Data type: Stdlib::Absolutepath

Path and name of the public SSL certificate

Default value: $simp_openldap::app_pki_cert

app_pki_ca_dir

Data type: Stdlib::Absolutepath

Path to the CA.

Default value: $simp_openldap::app_pki_ca_dir

app_pki_crl

Data type: Optional[Stdlib::Absolutepath]

Path to the CRL file.

Default value: $simp_openldap::app_pki_crl

strip_128_bit_ciphers

Data type: Optional[Boolean]

• DEPRECATED

Default value: undef

tls_cipher_suite

Data type: Array[String[1]]

The default ciphers to use for TLS

Default value: simplib::lookup('simp_options::openssl::cipher_suite', { 'default_value' => ['DEFAULT','!MEDIUM'] })

tls_crlcheck

Data type: Enum['none','peer','all']

Whether the Certificate Revocation List (CRL) of the CA should be used to verify if the server certificates have not been revoked

Default value: 'none'

tls_reqcert

Data type: Enum['never','allow','try','demand','hard']

The checks to perform on server certificates in a TLS session

Default value: 'allow'

openldap_clients_ensure

Data type: String

The ensure status of the openldap-clients package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

nss_pam_ldapd_ensure

Data type: String

DEPRECATED The nss-pam-ldapd package is no longer installed

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

simp_openldap::server

It installs the server if not already installed and bootstraps it if necessary.

You can quickly reset the entire server by removing all files from /var/lib/ldap/db/* and then re-running puppet. Note that this will erase the contents of your database, so you will want to use slapcat to save any data that you may require later for restoration.

If you need to re-bootstrap, you also must remove the file /etc/openldap/puppet_bootstrapped.lock since this is in place as a protective measure.

Please look at the simp_openldap::server::access stanzas below so that you can understand how to modify the access controls via puppet.

The default access settings start at 1000 and go through 3000 except for a default entry at 100000 that allows users to read everything and then denies access. These are spread this far apart so that you can easily override and/or circumvent them to your site specifications.

NOTE: To get the bootstrap to run again, you must remove the lock file at /etc/openldap/puppet_bootstrapped.lock and remove the database files in /var/lib/ldap/db/*.

Parameters

The following parameters are available in the simp_openldap::server class:

• schema_sync
• schema_source
• allow_sync
• sync_dn
• use_ppolicy
• tcpwrappers

schema_sync

Data type: Boolean

Synchronize all schemas from $schema_source

Default value: true

schema_source

Data type: String

The location from which to download the schemas

Default value: "puppet:///modules/${module_name}/etc/openldap/schema"

allow_sync

Data type: Boolean

Provide the ability for other hosts to use LDAP synchronization as clients to this server

• Class variables will need to be set according to the simp_openldap::slapo::syncprov class requirements

Default value: true

sync_dn

Data type: String

The DN that is allowed to synchronize from the LDAP server

Default value: simplib::lookup('simp_options::ldap::sync_dn', { 'default_value' => "cn=LDAPSync,ou=Hosts,${simp_openldap::base_dn}" })

use_ppolicy

Data type: Boolean

Include the default password policy overlay

Default value: true

tcpwrappers

Data type: Boolean

If true, enable tcpwrappers for slapd.

Default value: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })

simp_openldap::slapo::lastbind

Configures lastbind and set up a dynamic include that defines lastbind.

• See also
  • slapo-lastbind(5)
    • for details of the options.

Parameters

The following parameters are available in the simp_openldap::slapo::lastbind class:

• lastbind_precision
• lastbind_ensure

lastbind_precision

Data type: Integer[0]

Determines the amount of time, in seconds, after which to update the authTimestamp entry.

Default value: 3600

lastbind_ensure

Data type: String

The ensure status of packages to be managed

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

simp_openldap::slapo::ppolicy

This also includes the options for configuring the password checking plugin that's included with SIMP.

• See also
  • slapo-ppolicy(5)

Parameters

The following parameters are available in the simp_openldap::slapo::ppolicy class:

• suffix
• min_points
• use_cracklib
• min_upper
• min_lower
• min_digit
• min_punct
• max_consecutive_per_class
• ppolicy_ensure
• ppolicy_default
• ppolicy_hash_cleartext
• ppolicy_use_lockout

suffix

Data type: Optional[String[1]]

The Base DN of the LDAP domain to which you wish to connect.

Default value: $simp_openldap::base_dn

min_points

Data type: Integer[0]

The minimum number of character classes that must be included in your password for it to succeed.

Default value: 3

use_cracklib

Data type: Boolean

If true, use cracklib when checking the password.

Default value: true

min_upper

Data type: Integer[0]

The minimum number of upper case characters that must be present for the password to be valid.

Default value: 0

min_lower

Data type: Integer[0]

The minimum number of lower case characters that must be present for the password to be valid.

Default value: 0

min_digit

Data type: Integer[0]

The minimum number of digit characters that must be present for the password to be valid.

Default value: 0

min_punct

Data type: Integer[0]

The minimum number of punctuation characters that must be present for the password to be valid.

Default value: 0

max_consecutive_per_class

Data type: Integer[0]

The maximum number of characters from any character class that can exist in a row.

Default value: 3

ppolicy_ensure

Data type: String

The ensure status of the simp-ppolicy-check-password package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

ppolicy_default

Data type: Optional[String[1]]

Default value: undef

ppolicy_hash_cleartext

Data type: Optional[String[1]]

Default value: undef

ppolicy_use_lockout

Data type: Optional[String[1]]

Default value: undef

simp_openldap::slapo::syncprov

Allow other LDAP servers to synchronize with this one

• See also
  • slapo-syncprov(5)

Parameters

The following parameters are available in the simp_openldap::slapo::syncprov class:

• checkpoint
• sessionlog
• nopresent
• reloadhint
• sync_size_soft_limit
• sync_size_hard_limit
• sync_time_soft_limit
• sync_time_hard_limit

checkpoint

Data type: Optional[Pattern['^\d+\s\d+$']]

Default value: undef

sessionlog

Data type: Optional[String[1]]

Default value: undef

nopresent

Data type: Boolean

Default value: false

reloadhint

Data type: Boolean

Default value: false

sync_size_soft_limit

Data type: Variant[Enum['unlimited'], Integer]

Default value: 'unlimited'

sync_size_hard_limit

Data type: Variant[Enum['unlimited'], Integer]

Default value: 'unlimited'

sync_time_soft_limit

Data type: Variant[Enum['unlimited'], Integer]

Default value: 'unlimited'

sync_time_hard_limit

Data type: Variant[Enum['unlimited'], Integer]

Default value: 'unlimited'

Defined types

simp_openldap::server::access

Remember that order matters! Entries will be listed in alphanumeric order after the $order parameter is processed.

• See also
  • slapd.access(5)

Parameters

The following parameters are available in the simp_openldap::server::access defined type:

• name
• what
• comment
• who
• access
• control
• content
• order

name

The unique name of the dynamic include. This does become part of the sort order so be careful!

what

Data type: String

The entity this access control directive applies to.

comment

Data type: Optional[String]

An arbitrary comment that will be included above the entry

• You do not need to include the leading #

Default value: undef

who

Data type: Optional[String]

Whom this access rule applies to.

Default value: undef

access

Data type: Optional[String]

The access level or the specific access privileges the who field will have

Default value: undef

control

Data type: Optional[String]

The control of the flow of access rule application to be applied

Default value: undef

content

Data type: Optional[String]

the *entire content under $what

• If you do not specify this, $who is a required variable
• If you do specify this, $who will be ignored

Default value: undef

order

Data type: Integer

The default sort order of the entry to be added

Default value: 1000

simp_openldap::server::dynamic_include

Add a dynamically included file into the LDAP system.

Parameters

The following parameters are available in the simp_openldap::server::dynamic_include defined type:

• content
• order

content

Data type: String

The literal content of the dynamic include

order

Data type: Integer

The numeric order of the dynamic include

Default value: 100

simp_openldap::server::limits

Manage limits sections under the main database

• See also
  • slapd.conf(5)

Parameters

The following parameters are available in the simp_openldap::server::limits defined type:

• name
• who
• limits

name

A unique name for the limits entry

who

Data type: String

Any of the following values (not validated)

• * All, including anonymous and authenticated users
• anonymous Anonymous (non-authenticated) users
• users Authenticated users
• self User associated with target entry
• dn[.<basic-style>]=<regex> Users matching a regular expression
• dn.<scope-style>=<DN> Users within scope of a DN
• group[/oc[/at]]=<pattern> Members of a group

limits

Data type: Variant[Array[String],String]

A list of limits to apply to $who per slapd.conf(5)

simp_openldap::server::syncrepl

for directory synchronization pulls from a master server.

$name should be the 'rid' of the syncrepl instance and must be between 0 and 1000, non-inclusive.

• See also
  • slapd.conf(5)

Parameters

The following parameters are available in the simp_openldap::server::syncrepl defined type:

• syncrepl_retry
• provider
• searchbase
• syncrepl_type
• interval
• filter
• syncrepl_scope
• attrs
• attrsonly
• sizelimit
• timelimit
• schemachecking
• starttls
• bindmethod
• binddn
• saslmech
• authcid
• authzid
• credentials
• realm
• secprops
• logbase
• logfilter
• syncdata
• updateref

syncrepl_retry

Data type: String[1]

Default value: '60 10 600 +'

provider

Data type: Optional[String[1]]

Default value: simplib::lookup('simp_options::ldap::master', { 'default_value' => undef })

searchbase

Data type: Optional[String[1]]

Default value: simplib::lookup('simp_options::ldap::base_dn', { 'default_value' => undef })

syncrepl_type

Data type: Enum['refreshOnly','refreshAndPersist']

Default value: 'refreshAndPersist'

interval

Data type: Optional[String[1]]

Default value: undef

filter

Data type: Optional[String[1]]

Default value: undef

syncrepl_scope

Data type: String[1]

Default value: 'sub'

attrs

Data type: String[1]

Default value: '*,+'

attrsonly

Data type: Optional[String[1]]

Default value: undef

sizelimit

Data type: Variant[Enum['unlimited'], Integer[0]]

Default value: 'unlimited'

timelimit

Data type: Variant[Enum['unlimited'], Integer[0]]

Default value: 'unlimited'

schemachecking

Data type: Enum['on','off']

Default value: 'off'

starttls

Data type: Variant[Enum['critical'], Boolean]

Default value: 'critical'

bindmethod

Data type: Enum['simple','sasl']

Default value: 'simple'

binddn

Data type: Optional[String[1]]

Default value: simplib::lookup('simp_options::ldap::sync_dn', {'default_value' => undef })

saslmech

Data type: Optional[String[1]]

Default value: undef

authcid

Data type: Optional[String[1]]

Default value: undef

authzid

Data type: Optional[String[1]]

Default value: undef

credentials

Data type: Optional[String[1]]

Default value: simplib::lookup('simp_options::ldap::sync_pw', { 'default_value' => undef })

realm

Data type: Optional[String[1]]

Default value: undef

secprops

Data type: Optional[String[1]]

Default value: undef

logbase

Data type: Optional[String[1]]

Default value: undef

logfilter

Data type: Optional[String[1]]

Default value: undef

syncdata

Data type: Enum['default','accesslog']

Default value: 'default'

updateref

Data type: Optional[String[1]]

Default value: undef

Data types

Simp_Openldap::LogLevel

OpenLDAP Log Levels

Alias of

Variant[Integer[-1,65535], Enum[
  'any',
  '-',
  'trace',
  'packets',
  'args',
  'conns',
  'BER',
  'ber',
  'filter',
  'config',
  'ACL',
  'acl',
  'stats',
  'stats2',
  'shell',
  'parse',
  'cache',
  'index',
  'sync',
  'none'
]]

Simp_Openldap::SlapdConf::Disallow

OpenLDAP slapd.conf disallow

Alias of Enum['bind_anon', 'bind_simple', 'tls_2_anon', 'tls_authc', 'proxy_authz_non_critical', 'dontusecopy_non_critical']

• Fri Sep 13 2024 Steven Pritchard steve@sicura.us - 6.11.0

• [puppetsync] Update module dependencies to support simp-iptables 7.x

• Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 6.10.0

• [puppetsync] Add EL9 support

• Wed Oct 18 2023 Steven Pritchard steve@sicura.us - 6.9.1

• Replace call to FileTest.exists? with FileTest.exist? for compatibility with Ruby 3

• Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 6.9.0

• [puppetsync] Updates for Puppet 8
  • These updates may include the following:
    • Update Gemfile
    • Add support for Puppet 8
    • Drop support for Puppet 6
    • Update module dependencies

• Thu Sep 28 2023 Steven Pritchard steve@sicura.us - 6.8.0

• Add AlmaLinux 8 support

• Tue Sep 26 2023 Steven Pritchard steve@sicura.us - 6.7.1

• Fix rspec tests

• Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 6.7.0

• Add RockyLinux 8 support

• Thu Jun 17 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.6.0

• Removed support for Puppet 5
• Ensured support for Puppet 7 in requirements and stdlib

• Mon Feb 08 2021 Liz Nemsick lnemsick.simp@gmail.com - 6.5.0

• Fixed bug where the pki:copy resource could no longer be created for OpenLDAP clients.
  • The 'ldap' group is no longer created by any of the installed OpenLDAP client packages.
• Expanded simp/rsyslog dependendency range to < 9.0.0.

• Tue Dec 15 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.0

• Fix comparison of Float with String on simp_openldap::server::conf::tls_protocol_min
• Removed support for EL 6 due to EOL
• Deprecated parameters only applicable to EL 6:
  • simp_openldap::client::strip_128_bit_ciphers
  • simp_openldap::client::nss_pam_ldapd_ensure
• Added support for Puppet 7

• Tue Aug 04 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.4.3-0

• Align terminology with vendor changes

• Thu Jul 23 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.4.2-0

• update the upper bound of simplib for SIMP 6.5 release

• Tue Sep 24 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.4.1-0

• Updated README.md
• Added REFERENCE.md
• Cleaned up some test fixtures

• Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 6.4.1-0

• Support puppetlabs/concat 6.x.

• Thu Jun 06 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 6.4.0-0

• Add v2 compliance_markup data

• Tue Mar 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.3.2-0

• Use simplib::validate_re_array in lieu of deprecated Puppet 3 validate_re_array
• Use Puppet Integer() in lieu of simplib's deprecated Puppet 3 to_integer

• Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.3.1-0

• Expanded the upper limit of the concat and stdlib Puppet module versions
• Updated a URL in the README.md

• Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 6.3.0-0

• Added the following package ensure parameters
  • $simp_openldap::client::openldap_clients_ensure
  • $simp_openldap::client::nss_pam_ldapd_ensure
  • $simp_openldap::slapo::lastbind::lastbind_ensure
  • $simp_openldap::slapo::ppolicy::ppolicy_ensure
• Changed the defaults for all package ensures from 'latest' to the following:
  • simp_options::package_ensure when that parameter is present
  • 'installed' otherwise
• Require Puppet versions greater than 4.10.4, and don't test on it
• Update badges and contribution guide URL in README.md

• Tue Sep 11 2018 Nicholas Markowski nicholas.markowski@onyxpoint.com - 6.3.0-0

• Updated $app_pki_external_source to accept any string. This matches the functionality of pki::copy.

• Mon Aug 20 2018 Mark Fitch CodePhase@users.noreply.github.com - 6.2.1-0

• Ensure that the concat statement for access.conf is sorted in numeric order for consistency.

• Thu Jun 14 2018 Nick Miller nick.miller@onyxpoint.com - 6.2.1-0

• Update to support Puppet 5 and OEL
• Update systemd fixtures and CI assets
• Fix acceptance test by not testing text of failure code, only the exit code
• Remove unneeded simp/auditd dependency

• Mon Dec 04 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0

• Allow setting the 'users' and 'administrators' GIDs in the default ldif file

• Thu Nov 16 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.2-0

• Fix an incorrect dependency for puppetlabs/concat in the metadata.json

• Wed Nov 15 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.1-0

• Fixed an issue where pki::copy was not correctly hooked into the server logic and a system PKI update would not properly propagate into the OpenLDAP service restart.

• Thu Nov 09 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.1.1-0

• Adjust text search strings in acceptance tests

• Tue Aug 01 2017 Nick Markowski nmarkowski@keywcorp.com - 6.1.0-0

• Per CVE-2014-3566, SSLv3 and TLSv1 ciphers should be disallowed. Recent-ish updates to openldap-servers, shipped with SIMP-6.0.0-0, includes a parameter to specify a minimum bound of TLS protocol in slapd.conf, TLSProtocolMin. (see https://access.redhat.com/solutions/1234843)
• This commit includes puppetry to remove TLSv1.0, SSLv3, and SSLv2 from the TLS cipher suites, and set a minimum TLS protocol of TLSv1.2, given openldap-servers is >= 2.4.40.
• Updated syncdn and binddn defaults in server::conf

• Fri Jul 14 2017 Jeanne Greulich jeannegreulich@onyxpoint.com - 6.0.4-0

• Udated default_ldif.erb temlate so it would accept DC= or dc= for the base dn.

• Wed Apr 19 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.3-0

• Updated logrotate to use new lastaction API
• Updated all ldap DNs to uppercase DC=
• Update puppet requirement in metadata.json

• Fri Apr 07 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.2-0

• Ensure that 128-bit ciphers are not present in ldap.conf for EL6 systems

• Mon Mar 13 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.1-0

• server::conf::rootpw default no longer references simp_options, it defaults to undef

• Wed Mar 08 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.1-0

• Removed the 'acl' log level from the default list since it was causing low server response time on some EL7 systems
• Corrected the openldap::server::conf::conn_max_pending_auth to be set to 1000 instead of 100

• Wed Jan 25 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0

• Rename from 'openldap' to 'simp_openldap' so that we can migrate to an alternate backend in the future

• Mon Jan 23 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0

• Calls to rsyslog::rule no longer contain 'if' logic

• Thu Jan 12 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0

• Updated pki scheme, application certs now managed in /etc/pki/simp_apps/openldap/x509

• Mon Dec 19 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 6.0.0-0

• Updated global catalysts
• Strong typed variables
• General housekeeping

• Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 5.0.1-0

• update requirement versions

• Tue Nov 22 2016 Nick Miller nick.miller@onyxpoint.com - 5.0.1-0

• Reset max_consecutive_per_class in openldap::slapo::ppolicy to 3

• Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0

• Updated to compliance_markup version 2

• Tue Nov 15 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0

• Updated iptables dependency version

• Wed Oct 12 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0

• Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.

• Thu Oct 06 2016 Liz Nemsick lnemsick.simp@gmail.com - 4.1.9-0

• Fixed bug in which multiple URIs in ldap hieradata were not written into ldap.conf.
• Corrected variable reference in ldap.conf.erb

• Mon Aug 01 2016 Nicholas Hughes nicholasmhughes@gmail.com - 4.1.8-0

• Corrected variable references in pam_ldap.conf.erb

• Wed Jul 13 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.7-0

• Ruby-ldap is not needed in this module, and is therefore no longer ensured present.

• Thu Jul 07 2016 Nick Miller nick.miller@onyxpoint.com - 4.1.6-0

• Added acceptance tests
• Added a parameter to the client class to disable tls connections. This makes the .ldaprc file empty instead of containing your tls credentials.

• Thu May 19 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.5-0

• Update to work with Puppet 4.4 with strict variable checking

• Sat Mar 26 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.4-0

• nslcd group and user are ensured.
• nslcd uid and gid default to 65 (nslcd). nslcd is no longer in the ldap group.
• Created an nslcd conf dir for convenient cert location. Defaults to /etc/nslcd.d. If use_simp_pki is true, pki::copy copies the system certs here.
• nslcd.conf tls options now have proper defaults. Fixed syntax errors in nslcd.conf and pam_ldap.conf

• Wed Mar 23 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.3-0

• Added an openldap::server::service class for external profiles that need to restart the service without triggering unnecessary side effects.

• Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.2-0

• Migrated use_simp_pki to a global catalyst.
• Fixed several ordering bugs as well as issues with being unable to work standalone.

• Mon Mar 14 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.1-10

• Ensure that EL6.7+ uses SSSD over NSCD

• Mon Feb 29 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-9

• Updated to work cleanly with Puppet 4.3.2

• Tue Feb 23 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.1-8

• Added compliance function support

• Tue Dec 08 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-7

• The default.ldif template has been updated to provide the capability to modify the password setting defaults. This will not affect the running LDAP server.

• Thu Nov 12 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-6

• Replaced all 'lsb' facts with 'operatingsystem' facts.
• Updated to use SSSD by default on EL<7.

• Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.1-5

• migration to simplib and simpcat (lib/ only)

• Mon Nov 09 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-4

• Changed pwdGraceAuthnLimit to '-1' to allow users to change their passwords post expiry.

• Thu Jul 30 2015 Kendall Moore kmoore@keywcorp.com - 4.1.1-3

• Updated to use the new rsyslog module.

• Thu Jul 30 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-2

• The Password Policy overlay was getting loaded into the default.ldif even if you didn't want to use it. This has been fixed.
• Made the password policy overlay align with the latest SIMP build of the plugin.
• This means that you must have version simp-ppolicy-check-password-2.4.39-0 or later available to the system being configured.

• Sat May 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-1

• More closely align with the published STIG guidelines.

• Thu Mar 26 2015 Jacob Gingrich jgingrich@onyxpoint.com - 4.1.1-0

• Updated the module for facter 2.4.
• nslcd threads set to 5, no longer 'dynamic'.

• Thu Mar 12 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-17

• Fixed an incorrect call to sync_password instead of sync_pw in syncrepl.pp.
• Fixed an incorrect call to $::openldap::server::sync_dn to ldap::sync_dn in hiera.

• Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-16

• Migrated to the new 'simp' environment.
• Changed calls directly to /etc/init.d/rsyslog to '/sbin/service rsyslog' so that both RHEL6 and RHEL7 are properly supported.

• Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-15

• Changed puppet-server requirement to puppet

• Wed Nov 05 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-14

• Changed the cipher sets to the workround FIPS compliant set since RHEL6.6 includes the bug that plagues RHEL7.
• Details: https://bugzilla.redhat.com/show_bug.cgi?id=1123092

• Sun Nov 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13

• Updated to add support for custom options as well as proper support for the RHEL7 configuration file location.

• Fri Oct 17 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-12

• CVE-2014-3566: Updated ciphers to help mitigate POODLE. Unfortunately, OpenSSL cannot set the SSL protocol to be used. However, all clients will negotiate the most secure first and testing has indicated that they are all using TLSv1.

• Fri Oct 03 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-11

• Updated the manifests and templates for missing variables from ssh_ldap.conf.

• Thu Aug 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10

• Properly account for the fact that @uri is an array, not a string.

• Thu Aug 07 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-9

• Enabled authlogin_nsswitch_use_ldap for nslcd to work with targeted SELinux mode on

• Tue Jul 22 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8

• Updated to handle the recompiled/deconflicted simp-ppolicy-check-password RPM for RHEL7.

• Wed Jul 09 2014 Adam Yohrling adam.yohrling@onyxpoint.com - 4.1.0-7

• Modified client certs to point at /etc/pki instead of /etc/openldap/pki, which is the server location.

• Mon Jul 07 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-6

• Spec tests were missing Facts used by supporting modules, due to updates over time. Spec tests now run cleanly.

• Mon Jun 30 2014 Adam Yohrling adam.yohrling@onyxpoint.com - 4.1.0-5

• Updated the sync_dn default value to be correct syntactically with a 'cn=' and also modified the ou from People to Hosts to match the standard SIMP default.

• Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4

• Removed MD5 file checksums for FIPS compliance.

• Wed Apr 30 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3

• Made numerous modifications to support the removal of the 'default_classes' material.
• Changes to defines:
  • syncrepl::conf => syncrepl
  • slapd::conf =>
  • slapo::ppolicy::conf =>
  • slapo::syncprov::conf =>
• Added support for multiple top level hiera values to support a more generic LDAP infrastructure.
  • ldap::base_dn
  • ldap::bind_dn
  • ldap::bind_pw
  • ldap::bind_hash
  • ldap::sync_dn
  • ldap::root_dn
  • ldap::root_hash
  • ldap::uri (array)
  • ldap::master
• Updated to use the pki::copy define.
• Removed the openldap::slapd::pki class
• Removed all reliance on Rsync and added the setting of schemas to openldap::server. Made the schema source variable so that you can add your own elsewhere if you so choose. Users can add to our file space if they wish.

• Thu Feb 13 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2

• WARNING: All legacy code is probably broken at this point!
• Converted all string booleans to booleans
• Added new options to slapd.conf
• Removed unused nss_* options from pam_ldap.conf
• Updated the slapd.conf.erb template to actually use all of the variables in the manifest
• Modified the slapd_pki.pp to copy the PKI files instead of messing about with ACLs.
• Update to remove warnings about IPTables not being detected. This is a nuisance when allowing other applications to manage iptables legitimately.
• Added several additional safety features to bootstrap_ldap.
• A lock file was added at /etc/openldap/puppet_bootstrapped.lock that will need to be removed before bootstrap will run again.
• When OS upgrades reconfigure the LDAP configuration structure, the execs handle things properly.

• Mon Jan 06 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1

• Ensure that Exec['bootstrap_ldap'] does not break LDAP slave syncing.

• Thu Dec 12 2013 Morgan Haskel morgan.haskel@onyxpoint.com - 4.1.0-0

• Added support for LDAP referral chaining by default.

• Sat Dec 07 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-20

• The lastbind material was updated to properly require the simp-lastbind package.

• Wed Nov 27 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-19

• Ldap bootstrap now uses slaptest to ensure a sane ldap config before blowing the databases away. Re-wrote fixperms to ensure ALL files in /var/lib/ldap/ owned by ldap.

• Tue Nov 19 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-19

• Fixed a bug in the handling of slapd.access. This should be turned into a native type.

• Mon Oct 21 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-18

• Removed akeys completely.
• Cleaned up some code in the templates.

• Tue Oct 08 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-18

• Updated template to reference instance variables with @

• Wed Oct 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-17

• Use 'versioncmp' for all version comparisons.

• Thu Sep 26 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-16

• Added a dependency on the cacerts directory to the nslcd service.

• Tue Sep 03 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0-15

• Incorporated the lastbind overlay to record an authTimestamp which updates every time a user binds.

• Wed Jul 10 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0-14

• The settings on the LDAP server were not set to allow the LDAPSync user to pull more than the default number of entries. This caused the slave servers to only pull a subset of the proper entries. This has been fixed so that including syncprov will set the correct pull settings.

• Fri May 24 2013 Adam Yohrling adam.yohrling@onyxpoint.com 4.0-13

• Patched slapd.pp to use a dynamic ldap_sync_dn and ldap_bind_dn so that existing servers can optionally be used without reconfiguration.

• Thu May 02 2013 Nick Markowski nmarkowski@keywcorp.com 4.0-13

• Removed pull_keys, as openssh now uses openssh-ldap to authenticate public keys.
• Ensured akeys cron job absent.
• Added an exec to slapd.pp to check permissions on /var/lib/ldap/* and chown them to ldap:ldap if necessary.
• Changed the slapcat runuser to ldap.

• Mon Feb 25 2013 Maintenance 4.0-12

• Added a call to $::rsync_timeout to the rsync call since it is now required.

• Fri Jan 11 2013 Maintenance 4.0.0-11

• Added support for environments that do not require a bind password or username.

• Wed Nov 07 2012 Maintenance 4.0.0-10

• Added support for locker manipulation in DB_CONFIG as well as multi-thread support.
• Made the checkpoint variable optional in slapd.conf.
• Add the ability to nuke log files using incrond by setting the $force_log_quick_kill variable in openldap::slapd::conf.
• Update to enable transaction auditing by default.
• Updated akeys to ignore anything that is not a regular file or link.

• Mon Sep 24 2012 Maintenance 4.0.0-9

• Update toakeys to print to syslog by default.

• Thu Aug 02 2012 Maintenance 4.0.0-8

• Ensure that nslcd is restarted when host PKI keys are updated.

• Thu Jun 07 2012 Maintenance 4.0.0-7

• Ensure that Arrays in templates are flattened.
• Call facts as instance variables.
• Moved mit-tests to /usr/share/simp...
• Removed test for pam lock
• Updated pp files to better meet Puppet's recommended style guide.

• Mon Mar 12 2012 Maintenance 4.0.0-6

• Updated tests.
• Improved test stubs.

• Fri Feb 10 2012 Maintenance 4.0.0-5

• Removed the local user tests from here and added them to common.

• Wed Dec 14 2011 Maintenance 4.0.0-4

• Added an initial suite of tests.
• Updated the spec file to not require a separate file list.
• Scoped all of the top level variables.
• Made sure that syncrepl.la is only included pre-5.7.
• Dropped the bind_timelimit to '5' to alleviate login failures.
• Added a section for prod_nscd to the RHEL < 6 portion of the openldap client_auth segment.

• Mon Dec 05 2011 Maintenance 4.0.0-3

• Permissions on akeys match those set by the cron permissions check script in the 'sec' module.

• Mon Nov 07 2011 Maintenance 4.0.0-2

• Fixed call to rsyslog restart for RHEL6.
• Modified the openldap module such that you can now use openldap::slapd::access::add to add custom access control capabilities to /etc/openldap/slapd.access.
• Added a variable $openldap::slapd::slapd_svc to hold the name of the 'slapd' service since it changes from 'ldap' to 'slapd' in RHEL6.
• Fixed the portions that were required to use an OpenLDAP slave in RHEL6.
• Updated to use both nscd and nslcd.
• Added a selective variable for the location of the PAM LDAP configuration file based on the version of Red Hat that it's being installed under.

• Mon Oct 10 2011 Maintenance 4.0.0-1

• Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
• Modified all multi-line exec statements to act as defined on a single line to address bugs in puppet 2.7.5
• Added entries to openldap::slapd::conf to handle all sizelimit and timelimit combinations as well as the ability to handle individual entries based on DN.
• Updated the default LDIF file to fully enable the password compliance checking.
• Updated auth_config.pp to handle the fact that SSSD can't deal with shadow passwords properly.

• Wed Aug 24 2011 Maintenance 4.0-0

• Akeys and /etc/ldap.conf can now use ldaps.
• Incrond now watches for permissions changes on local_keys and spawns akeys appropriately.
• Passwords now expire at 180 days by default.
• Ensure that we use the 'slapd' service instead of 'ldap' for RHEL6.
• Replaced the 'listen' array in openldap::slapd::conf with listen_ldap, listen_ldapi, and listen_ldaps.
• Added the slapd_shutdown_timeout variable to openldap::slapd::conf.
• Removed the call to functions::init_mod_open_files in openldap::slapd::conf with a fully templated /etc/sysconfig/ldap file.
• Removed the call to openldap-servers-overlays since they are now included with the main package.
• Updated the syncprov template to properly load the syncprov module.

• Mon Jun 13 2011 Maintenance - 2.0.0-3

• Rewrote the akeys script to properly handle the situation where you have local certs that don't work with the remote LDAP server.
• Fixed this module for the case where the $use_sssd variable doesn't exist.
• Default password length is now 14
• Changed the default password expiration to 60 days.

• Tue May 17 2011 Maintenance - 2.0.0-2

• Fixed the password policy entries to properly install. Unfortunately, users will need to fix this manually in the actively running LDAP.

• Fri Apr 22 2011 Maintenance - 2.0.0-1

• Added the variable $enable_logging to slapd::conf so that local4 can be captured.
• Changed puppet://$puppet_server/ to puppet:///
• The pull_keys define now simply takes all of the values that akeys requires instead of pulling them from /etc/ldap.conf. This is because SSSD does not populate /etc/ldap.conf.
• Updated to support the use of SSSD
• Added akeys_timeout variable so that you can modify the timeouts in the akeys script.
• The openldap module now expects to have an associated rsync space that is password protected.
• /etc/cron.hourly/akeys now deletes /etc/cron.hourly/akeys.pl if it exists.
• Ensure that slapd restarts if any part of the cert space gets changed.
• Updated akeys.erb to preserve permissions when copying files from local_keys.
• Updated the /etc/ldap.conf template and define to incorporate all possible pam_* options from pam_ldap(5)
• Updated to use the new concat type.
• Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
• Do not log to an audit log by default.
• Do not pass the audit log to syslog by default.
• Rotate the audit log.
• Add support for the SIMP supplied openldap password policy module.
• Stop slapd from purging /etc/openldap
• Change default password mode in /etc/ldap.conf to exop to allow for server side password enforcement.
• PwdChangeQuality is now set to 2 in default.ldif. This means that the server will only accept password changes on passwords that it can read. This requires the 'exop' change above.
• pwdGraceAuthNL is now set to 0 in default.ldif. We do not want to allow "grace" logins after lockout.
• Stop slapd from purging /etc/openldap
• Updated to use rsync native type
• Updated to use concat_build and concat_fragment types

• Tue Jan 11 2011 Maintenance 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release

• Fri Jan 07 2011 Maintenance - 1.0-6

• Now support multiple SSH keys in LDAP!
• Migrated akeys.pl to akeys and re-wrote it in Ruby based on ruby-ldap. This seems to work much more quickly than the old PERL script.

• Wed Oct 27 2010 Maintenance - 1.0-5

• Fix audit logging issues in OpenLDAP so that it actually uses the audit module.
• Ensure that auditing is able to be disabled.

• Tue Oct 26 2010 Maintenance - 1.0-4

• Converting all spec files to check for directories prior to copy.

• Thu Sep 09 2010 Maintenance 1.0-3

• Replaced tcpwrappers::tcpwrappers_allow with tcpwrappers::allow.

• Tue Aug 10 2010 Maintenance 1.0-2

• Modified the ppolicy overlay settings to use the proper DN for the default password policy. The policy now takes effect properly.

• Wed Jul 14 2010 Maintenance 1.0-1

• Added schema for freeradius

• Fri May 21 2010 Maintenance 1.0-0

• Added Dependency on pupmod-ssh
• Code doc and refactor.

• Thu Jan 28 2010 Maintenance 0.1-32

• Critical: Fixed a bug in akeys.pl that would result in the deletion of all local keys from the auth_keys directory.

• Thu Jan 14 2010 Maintenance 0.1-31

• Minor refactor to call the new function for setting max open files.

• Wed Jan 06 2010 Maintenance 0.1-30

• You can now set the maximum number of open files using the $ulimit_max_open_files variable in the openldap::slapd::conf define.
  • The default has been set to 81920 which should handle almost any site.

• Thu Dec 31 2009 Maintenance 0.1-29

• Fixed an issue with ssl start_tls not being present in the /etc/ldap.conf configuration by default.
• Added an option 'use_certs' that indicates whether or not the client should use the host's PKI certificates.
• Set SSL to be enabled by default.

• Tue Dec 15 2009 Maintenance 0.1-28

• Moved the copy of /etc/ssh/local_keys to the top of the akeys.pl script so that LDAP errors would not prevent it from happening.
• Now support base64 encoded entries in the akeys.pl script for the SSH key in LDAP.
• Modified the configuration to use the last entry in ldapuri as the default LDAP master and a variable, ldap_master_uri for explicitly setting the value.
• Openldap slave no longer validates certs in support of GNOME.

• Mon Nov 02 2009 Maintenance 0.1-27

• Changed the permissions on /etc/ldap.conf to 644 by default so that the GUI applications would work better by default.

• Tue Oct 06 2009 Maintenance 0.1-26

• Added a fact $openldap_arch to provide the build architecture of the openldap running on the target system.
• Modified the modulepath segment of the slapd.pp manifest to use the $openldap_arch fact instead of the $architecture fact.

• Tue Sep 29 2009 Maintenance 0.1-25

• Split out the module path to support both 64 and 32 bit properly