The openldap module allows you to easily manage OpenLDAP with Puppet. By default it will use OLC (cn=config) on OpenLDAP 2.3+ and slapd.conf otherwise.
###Configuring the client
class { 'openldap::client': }
For a more customized configuration:
class { 'openldap::client':
base => 'dc=example,dc=com',
uri => ['ldap://ldap.example.com', 'ldap://ldap-master.example.com:666'],
tls_cacert => '/etc/ssl/certs/ca-certificates.crt',
}
###Configuring the server
class { 'openldap::server': }
For a more customized configuration:
class { 'openldap::server':
ssl => true,
ssl_cert => '/etc/ldap/ssl/slapd.pem',
ssl_key => '/etc/ldap/ssl/slapd.key',
}
Configure the default database:
class { 'openldap::server':
databases => {
'dc=example,dc=com' => {
directory => '/var/lib/ldap',
},
},
}
If only one database is passed to openldap::server
then it is used to during installation.
If you need multiple databases, you have to set the default one:
class { 'openldap::server':
databases => {
'dc=foo,dc=example,dc=com' => {
directory => '/var/lib/ldap/foo',
},
'dc=bar,dc=example,dc=com' => {
directory => '/var/lib/ldap/bar',
},
},
default_database => 'dc=bar,dc=example,dc=com',
}
To force using slapd.conf on OpenLDAP 2.3+ (not working yet):
class { 'openldap::server':
provider => 'augeas',
}
###Configuring a database
openldap::server::database { 'dc=example,dc=com':
directory => '/var/lib/ldap',
rootpw => openldap_password('mySuperSecretPassword'),
}
###Configuring ACPs/ACLs (experimental)
openldap::server::access {
'to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" on dc=example,dc=com':
access => 'write';
'to attrs=userPassword,shadowLastChange by anonymous on dc=example,dc=com':
access => 'auth';
'to attrs=userPassword,shadowLastChange by self on dc=example,dc=com':
access => 'write';
'to attrs=userPassword,shadowLastChange by * on dc=example,dc=com':
access => 'none';
}
openldap::server::access { 'to dn.base="" by * on dc=example,dc=com':
access => 'read',
}
openldap::server::access {
'to * by dn="cn=admin,dc=example,dc=com" on dc=example,dc=com':
access => 'write';
'to * by * on dc=example,dc=com':
access => 'read';
}
Classes:
- openldap
- openldap::client
- openldap::client::config
- openldap::client::install
- openldap::client::service
- openldap::server
- openldap::server::config
- openldap::server::install
- openldap::server::service
Resources:
- openldap_access
- openldap_database
- openldap_global_conf
- openldap::server::access
- openldap::server::database
- openldap::server::globalconf
###Class: openldap
####client
Whether or not manage the OpenLDAP client.
####server
whether or not manage the OpenLDAP server.
###Class: openldap::client
####package
Name of the package to install. Defaults to libldap-2.4-2
on Debian.
####file
Name of the configuration file. Defaults to /etc/ldap/ldap.conf
on Debian.
####base
Specifies the default base DN to use when performing ldap operations.
####uri
Specifies the URI(s) of an LDAP server(s) to which the LDAP library should connect.
####tls_cacert
Specifies the file that contains certificates for all of the Certificate
Authorities the client will recognize.
###Class: openldap::server
####package
Name of the package to install. Defaults to slapd
on Debian.
####service
Name of the service. Defaults to slapd
on Debian.
####enable
Should the service be enabled during boot time?
####start
Should the service be started by Puppet
####provider
The provider to use to manage configuration.
Can be olc
to manage configuration via (cn=config) or augeas
to use slapd.conf.
Defaults to olc
on OpenLDAP 2.3+ and augeas otherwise.
####ssl
Should OpenLDAP listen on SSL.
####ssl_cert
Specifies the file that contains the slapd server certificate.
####ssl_key
Specifies the file that contains the slapd server private key.
####ssl_ca
Specifies the file that contains certificates for all of the Certificate
Authorities that slapd will recognize.
###Resource: openldap::server::access
This resource allows you to manage OpenLDAP accesses to a database.
###ensure
Whether or not the resource should be present, or if its position should be forced.
Possible values are: present
, absent
and positioned
.
###position
The position where the entry should be created. If omitted, it will be appended to the end of the file.
The position is of the form <before|after> access to <what> by <whom>
, for example:
before access to * by *
after access to dn="cn=admin,dc=nodomain" by self
If ensure
is set to present
, the position will only be used when creating the entry.
If ensure
is set to positioned
, the entry will be destroyed and created again in the right position if it was not properly positioned. Beware of ordering between you resources!
###what
The entries and/or attributes to which the access applies.
###by
Which entities are granted access.
###suffix
On which database the access applies.
###access
The access rule.
###control
Controls the flow of access rule application.
###Resource: openldap::server::database
This resource allows you to manage OpenLDAP bdb and hdb databases.
####suffix
Specify the DN suffix of queries that will be passed to this backend database. This is the namevar.
####index
Index of the database to replace (otherwise create a new one if not exists).
####backend
Backend of the database. Must be one of bdb
or hdb
.
####directory
Specify the directory where the BDB files containing this database and
associated indexes live. A separate directory must be specified for each
database. The default is /var/lib/ldap
.
####rootdn
Specify the distinguished name that is not subject to access control or
administrative limit restrictions for operations on this database.
####rootpw
Specify a password (or hash of the password) for the rootdn.