Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
- Puppet >= 5.0.0 < 7.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-simp_openldap', '6.4.3'
Table of Contents
- Description
- This is a SIMP module
- Setup
- Using simp_openldap
- Advanced configuration
- Limitations
- Development
Description
This module provides a SIMP-oriented profile for configuring OpenLDAP server and client components.
See REFERENCE.md for API documentation.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Please read our Contribution Guide.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the simp-simp_options module for details.
Setup
What simp_openldap affects
- Installs LDAP client applications for interacting with an LDAP server
- Installs and configures OpenLDAP for TLS-enabled communication using both ldaps:// (TLS on its own port) and STARTTLS on the plain ldap:// port
- Provides access control capabilities
Using simp_openldap
As a client
To use this module for an LDAP client system, just include the class:
include 'simp_openldap'
As a server
To use the module to configure an LDAP server, include the following:
include 'simp_openldap'
include 'simp_openldap::server'
This will configure a server with both ldaps:// and STARTTLS enabled. It will also populate the directory with a basic LDAP schema suitable for UNIX-system logins.
To configure the password policy, you will also need to include the simp_openldap::slapo::ppolicy class PRIOR TO INITIAL CONFIGURATION. This matters because once the LDAP server has been bootstrapped, the module does not update any data inside the LDAP server itself, only the surrounding configuration.
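The following site profile, added here as an example and not code from the module or the SIMP project, wires the classes above together for a server node. The hostnames, base DN, network, profile name and the hash placeholders are assumptions; the class and parameter names are the ones documented in the Reference section of this page. In a SIMP environment these values would normally live in Hiera rather than in resource-like class declarations; they are declared inline here only so the example stands on its own.

```puppet
# profile::ldap_server: hypothetical site profile, not part of simp_openldap.
class profile::ldap_server {

  # Base settings shared by client and server. Declared resource-like so the
  # values are in place before simp_openldap::server (which reads
  # $simp_openldap::*) is evaluated.
  class { 'simp_openldap':
    ldap_uri                => [
      'ldap://ldap1.example.com',   # assumed hostname
      'ldap://ldap2.example.com',   # assumed hostname; the master goes last
    ],
    ldap_master             => 'ldap://ldap2.example.com',
    base_dn                 => 'dc=example,dc=com',   # assumed base DN
    # true: copy certs with pki::copy from app_pki_external_source without
    # pulling in the whole SIMP pki module ('simp' would include that too).
    pki                     => true,
    app_pki_external_source => '/etc/pki/simp/x509',
  }

  # The password policy has to be in the catalog on the FIRST run: the module
  # bootstraps the directory once and never rewrites data inside it afterwards.
  class { 'simp_openldap::slapo::ppolicy':
    min_points                => 4,   # all four character classes required...
    min_upper                 => 1,
    min_lower                 => 1,
    min_digit                 => 1,
    min_punct                 => 1,
    max_consecutive_per_class => 2,   # ...and no run of 3+ from one class
    use_cracklib              => true,
  }

  include 'simp_openldap::server'

  # simp_openldap::server::conf is a private class, so its parameters cannot be
  # set from here; put them in Hiera for this node. Each *pw value is the output
  # of `slappasswd` for that account (the strings below are placeholders):
  #
  #   simp_openldap::server::conf::rootpw:           '{SSHA}<output of slappasswd>'
  #   simp_openldap::server::conf::bindpw:           '{SSHA}<output of slappasswd>'
  #   simp_openldap::server::conf::syncpw:           '{SSHA}<output of slappasswd>'
  #   simp_openldap::server::conf::tls_protocol_min: 3.3    # TLS 1.2+, needs openldap-servers >= 2.4.40
  #   simp_openldap::server::conf::trusted_nets:     ['10.0.0.0/8']   # assumed network
}
```

The ppolicy class is declared before simp_openldap::server so that the resource-like declaration is not duplicated if the server class includes it; the hashes never appear in a manifest, only in (ideally encrypted) Hiera data.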
For additional information, please see the SIMP Documentation.
Advanced configuration
It is possible to configure most aspects of the OpenLDAP server through this module. However, this gets complex quickly. The SIMP Documentation has some examples. Additional examples can be found in the acceptance tests.
Limitations
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
Development
Please see the SIMP Contribution Guidelines.
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suites
Please refer to the SIMP Beaker Helpers documentation for more information.
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_debug: show the commands being run on the STU and their output.
BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.
Reference
Table of Contents
Classes
- simp_openldap: Provides a common base for both the client and server portions of an OpenLDAP-based system.
- simp_openldap::client: Sets up /etc/openldap/ldap.conf with the global options for accessing the LDAP servers.
- simp_openldap::server: Sets up an OpenLDAP server; installs it if not already installed and bootstraps it if necessary.
- simp_openldap::server::conf: PRIVATE CLASS. Configures the brunt of the /etc/openldap configuration files.
- simp_openldap::server::conf::default_ldif: PRIVATE CLASS. Allows modification of the default LDIF entries in /etc/openldap/default.ldif.
- simp_openldap::server::fix_bad_upgrade: PRIVATE CLASS. Works around RPM updates that automatically migrate the server to slapd.d.
- simp_openldap::server::install: PRIVATE CLASS. Installs the required packages.
- simp_openldap::server::service: PRIVATE CLASS. Manages the OpenLDAP service.
- simp_openldap::slapo::lastbind: Configures lastbind and sets up a dynamic include that defines it. See slapo-lastbind(5) for details of the options.
- simp_openldap::slapo::ppolicy: Configures the password policy for a site, including the password checking plugin that is included with SIMP.
- simp_openldap::slapo::syncprov: Allows other LDAP servers to synchronize with this one.
Defined types
- simp_openldap::server::access: Manages access control entries in slapd.access. Remember that order matters.
- simp_openldap::server::dynamic_include: Adds a dynamically included file into the LDAP system.
- simp_openldap::server::limits: Manages limits sections under the main database.
- simp_openldap::server::syncrepl: Configures the syncrepl functionality of OpenLDAP, which allows directory synchronization pulls from a master server.
Data types
- Simp_Openldap::LogLevel: OpenLDAP log levels.
- Simp_Openldap::SlapdConf::Disallow: OpenLDAP slapd.conf disallow values.
Classes
simp_openldap
This class provides a common base for both the client and server portions of an OpenLDAP-based system.
Parameters
The following parameters are available in the simp_openldap class.
ldap_uri
Data type: Array[Simplib::URI]
The URIs of the LDAP servers to contact. It is recommended that you make the master the last entry in this array.
- Will default to ["ldap://${server_facts['servername']}"] if not set
Default value: simplib::lookup('simp_options::ldap::uri', { 'default_value' => undef })
base_dn
Data type: String
The base DN of the LDAP entries
Default value: simplib::lookup('simp_options::ldap::base_dn', { 'default_value' => simplib::ldap::domain_to_dn() })
bind_dn
Data type: String
The DN that should be used to bind to the LDAP server
Default value: simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => sprintf('cn=hostAuth,ou=Hosts,%s', simplib::ldap::domain_to_dn()) })
ldap_master
Data type: String
The LDAP Master server
- Will default to the last entry in ldap_uri if not set
Default value: simplib::lookup('simp_options::ldap::master', { 'default_value' => undef })
is_server
Data type: Boolean
Set this if you want to create an OpenLDAP server on your node
Default value: false
pki
Data type: Variant[Boolean, Enum['simp']]
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/openldap/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/openldap/x509
- If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of: app_pki_dir, app_pki_key, app_pki_cert, app_pki_ca, app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })
app_pki_external_source
Data type: String
- If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
- If pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
app_pki_dir
Data type: Stdlib::Absolutepath
This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/openldap/x509.
Default value: '/etc/pki/simp_apps/openldap/x509'
app_pki_key
Data type: Stdlib::AbsolutePath
Path and name of the private SSL key file.
Default value: "${app_pki_dir}/private/${facts['fqdn']}.pem"
app_pki_cert
Data type: Stdlib::AbsolutePath
Path and name of the public SSL certificate.
Default value: "${app_pki_dir}/public/${facts['fqdn']}.pub"
app_pki_ca_dir
Data type: Stdlib::AbsolutePath
Path to the CA.
Default value: "${app_pki_dir}/cacerts"
app_pki_crl
Data type: Optional[Stdlib::Absolutepath]
Path to the CRL file.
Default value: undef
simp_openldap::client
Set up /etc/openldap/ldap.conf with the global options for accessing the LDAP servers.
Regarding POODLE (CVE-2014-3566): the tls_cipher_suite parameter is set to HIGH:-SSLv2 because OpenLDAP cannot set the SSL provider natively. By default it will run TLSv1 but cannot handle TLSv1.2, therefore the SSLv3 ciphers cannot be eliminated. Take care to ensure that your clients only connect with TLSv1 if possible. (Note that the current default for tls_cipher_suite, listed below, is ['DEFAULT','!MEDIUM'].)
- See also
- ldap.conf(5)
Parameters
The following parameters are available in the simp_openldap::client class.
use_tls
Data type: Variant[Enum['simp'],Boolean]
Use TLS when connecting to the ldap server. By default this will mirror simp_options::pki, but needs to be distinct as the client and server configurations could vary.
Default value: $::simp_openldap::pki
app_pki_key
Data type: Stdlib::Absolutepath
Path and name of the private SSL key file
Default value: $::simp_openldap::app_pki_key
app_pki_cert
Data type: Stdlib::Absolutepath
Path and name of the public SSL certificate
Default value: $::simp_openldap::app_pki_cert
app_pki_ca_dir
Data type: Stdlib::Absolutepath
Path to the CA.
Default value: $::simp_openldap::app_pki_ca_dir
app_pki_crl
Data type: Optional[Stdlib::Absolutepath]
Path to the CRL file.
Default value: $::simp_openldap::app_pki_crl
strip_128_bit_ciphers
Data type: Boolean
On EL6 systems, all 128-bit ciphers will be removed from tls_cipher_suite
- This is due to a bug in the LDAP client libraries that does not appear to honor the order of the SSL ciphers and will attempt to connect with 128-bit ciphers and not use stronger ciphers when those are present. This breaks connections to securely configured LDAP servers.
Default value: true
openldap_clients_ensure
Data type: String
The ensure status of the openldap-clients package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
nss_pam_ldapd_ensure
Data type: String
The ensure status of the nss-pam-ldapd package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
uri
Data type: Array[Simplib::URI]
Default value: $::simp_openldap::_ldap_uri
base_dn
Data type: Optional[String]
Default value: $::simp_openldap::base_dn
bind_dn
Data type: String[1]
Default value: $::simp_openldap::bind_dn
referrals
Data type: Enum['on','off']
Default value: 'on'
sizelimit
Data type: Integer
Default value: 0
timelimit
Data type: Integer
Default value: 15
tls_cipher_suite
Data type: Array[String[1]]
Default value: simplib::lookup('simp_options::openssl::cipher_suite', { 'default_value' => ['DEFAULT','!MEDIUM'] })
tls_crlcheck
Data type: Enum['none','peer','all']
Default value: 'none'
deref
Data type: Enum['never','searching','finding','always']
Default value: 'never'
tls_reqcert
Data type: Enum['never','allow','try','demand','hard']
What to do about the server certificate (TLS_REQCERT in ldap.conf(5)). With the default 'allow', the certificate is requested but a missing or invalid certificate is ignored and the session proceeds; 'try' proceeds without a certificate but terminates on a bad one; 'demand' (equivalent to 'hard') terminates the session unless a valid certificate is provided. Use 'demand' where clients must not talk to an impersonated server.
Default value: 'allow'
simp_openldap::server
Set up an OpenLDAP server.
It installs the server if not already installed and bootstraps it if necessary.
You can quickly reset the entire server by removing all files from /var/lib/ldap/db/* and then re-running puppet. Note that this will erase the contents of your database, so you will want to use slapcat to save any data that you may require later for restoration.
If you need to re-bootstrap, you must also remove the file /etc/openldap/puppet_bootstrapped.lock, since this is in place as a protective measure. In other words, to get the bootstrap to run again you must remove both the lock file at /etc/openldap/puppet_bootstrapped.lock and the database files in /var/lib/ldap/db/*.
Please look at the simp_openldap::server::access stanzas below so that you can understand how to modify the access controls via puppet. The default access settings start at 1000 and go through 3000, except for a default entry at 100000 that allows users to read everything and then denies access. These are spread this far apart so that you can easily override and/or circumvent them to your site specifications.
Parameters
The following parameters are available in the simp_openldap::server class.
schema_sync
Data type: Boolean
Synchronize all schemas from $schema_source
Default value: true
schema_source
Data type: String
The location from which to download the schemas
Default value: "puppet:///modules/${module_name}/etc/openldap/schema"
allow_sync
Data type: Boolean
Provide the ability for other hosts to use LDAP synchronization as clients to this server
- Class variables will need to be set according to the simp_openldap::slapo::syncprov class requirements
Default value: true
sync_dn
Data type: String
The DN that is allowed to synchronize from the LDAP server
Default value: simplib::lookup('simp_options::ldap::sync_dn', { 'default_value' => "cn=LDAPSync,ou=Hosts,${::simp_openldap::base_dn}" })
use_ppolicy
Data type: Boolean
Include the default password policy overlay
Default value: true
use_tcpwrappers
If true, enable tcpwrappers for slapd.
tcpwrappers
Data type: Boolean
Default value: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })
simp_openldap::server::conf
NOTE: THIS IS A PRIVATE CLASS
This class configures the brunt of the /etc/openldap configuration files.
Regarding POODLE (CVE-2014-3566): using module defaults and openldap-servers >= 2.4.40, a minimum bound of TLS v1.2 will be set, and TLSv1 and SSLv3 ciphers will be removed from the cipher suite. If openldap-servers is < 2.4.40, the tls_cipher_suite parameter will default to DEFAULT:!MEDIUM, because OpenLDAP < 2.4.40 cannot enforce a minimum protocol version natively (see tls_protocol_min below). In that case, take care to ensure that your clients connect with TLSv1 or later only, if possible.
- See also
- slapd.conf(5)
- slapd-bdb(5)
Parameters
The following parameters are available in the simp_openldap::server::conf class.
rootdn
Data type: Optional[String[1]]
The DN of the administrative LDAP user
Default value: simplib::lookup('simp_options::ldap::root_dn', { 'default_value' => "cn=LDAPAdmin,ou=People,${::simp_openldap::base_dn}" })
rootpw
Data type: Optional[String[1]]
This is the output of slappasswd for your LDAP administrative account
Default value: undef
syncdn
Data type: String[1]
The DN of the LDAP synchronization user
- Used for DB replication
Default value: simplib::lookup('simp_options::ldap::sync_dn', { 'default_value' => "cn=LDAPSync,ou=Hosts,${::simp_openldap::base_dn}" })
syncpw
Data type: Optional[String[1]]
This is the output of slappasswd for your LDAP sync account
Default value: simplib::lookup('simp_options::ldap::sync_hash', { 'default_value' => undef })
binddn
Data type: String[1]
The DN of the LDAP host authorization user
This user should not have the ability to do anything besides bind to the LDAP system for further authentication
Default value: simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => $::simp_openldap::bind_dn })
bindpw
Data type: Optional[String[1]]
This is the output of slappasswd for your LDAP bind account
Default value: simplib::lookup('simp_options::ldap::bind_hash', { 'default_value' => undef })
audit_transactions
Data type: Boolean
Set OpenLDAP to audit all transactions in the database
- This will output an LDIF file with all details of what changed on the system and may contain sensitive information
Default value: true
audit_to_syslog
Data type: Boolean
Forward all audit logs to syslog
- This may contain sensitive information
Default value: true
auditlog
Data type: Stdlib::Absolutepath
The path to the slapd audit log
- Only effective if $audit_transactions is enabled
Default value: '/var/log/slapd.audit'
auditlog_rotate
Data type: Enum['daily','weekly','monthly','yearly']
The frequency with which the slapd audit logs should be rotated
Default value: 'daily'
auditlog_preserve
Data type: Integer[0]
The number of rotated audit logs to preserve
Default value: 7
authz_policy
Data type: Enum['none','from','to','any']
Set the appropriate authz-policy entry
Default value: 'to'
authz_regexp
Data type: Array[Struct[{ match => String[1], replace => String[1] }] ]
Used to convert simple usernames to an LDAP DN for authorization
- Set to an empty Array [] to have this value ignored
- Entries will be added to the configuration file in order, so order them from most strict to least strict in your Array
- NOTE: The default is fairly lenient
Default value: [{ 'match' => '^uid=([^,]+),.*', 'replace' => "uid=\$1,ou=People,${::simp_openldap::base_dn}" }]
default_schemas
Data type: Array[String[1]]
The default schemas from /etc/openldap/schema to include
- /etc/openldap/schema/ will be prepended and .schema will be appended to each entry
- It is highly recommended that you keep the default list
- If you decide to override, these defaults will not be merged with what you provide
- Core, Cosine, InetOrgPerson, and NIS will always be included
Default value: [ 'openssh-lpk', 'freeradius', 'autofs' ]
trusted_nets
Data type: Simplib::Netlist
The networks that should be allowed into the server
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
force_log_quick_kill
Data type: Boolean
Create an incron job that will immediately destroy any recovery log file written to the log directory
- Setting this is not recommended but can be used on systems where you have issues with recovery log size and the way that OpenLDAP manages them
Default value: false
include_chain_overlay
Data type: Boolean
Include a chain overlay to allow for referral chaining
- This is only needed on LDAP replica nodes
Default value: false
master
Data type: Optional[String[1]]
If include_chain_overlay is set, then this is the upstream master that will be used for referral chaining
Default value: $::simp_openldap::_ldap_master
listen_ldap
Data type: Boolean
Listen on the default LDAP port for ldap:// connections
Default value: true
listen_ldapi
Data type: Boolean
Listen on the local ldapi:// UNIX-domain socket
Default value: true
listen_ldaps
Data type: Boolean
Listen on the default LDAPS port for ldaps:// connections
Default value: true
custom_options
Data type: Array[String]
Command line options that will be placed into the openldap configuration file
- These are not validated for correct functionality!
Default value: []
password_hash
Data type: Enum['SSHA','SHA','SMD5','MD5','CRYPT','CLEARTEXT']
The hash algorithm to use for passwords
Default value: 'SSHA'
sizelimit
Data type: Variant[Enum['unlimited'], Integer[1]]
The default size limit for queries
- If any of the $sizelimit_* options are set, this will be overridden in slapd.conf
Default value: 500
sizelimit_soft
Data type: Optional[Variant[Enum['unlimited'], Integer[1]]]
Corresponds to size.soft
in slapd.conf
Default value: undef
sizelimit_hard
Data type: Optional[Variant[Enum['unlimited'], Integer[1]]]
Corresponds to size.hard
in slapd.conf
Default value: undef
sizelimit_unchecked
Data type: Optional[Variant[Enum['unlimited'], Integer[1]]]
Corresponds to size.unchecked
in slapd.conf
Default value: undef
slapd_shutdown_timeout
Data type: Integer[0]
Maximum allowed time to wait for slapd shutdown (in seconds)
Default value: 3
threads
Data type: Variant[Enum['dynamic'],Integer[1]]
Set the number of threads to run
- dynamic sets the limit to 4 * processorcount
- There is a default minimum of 8 and a max of 16
Default value: 'dynamic'
timelimit
Data type: Variant[Enum['unlimited'], Integer[1]]
The default time limit for queries (in seconds)
- If any of the $timelimit_* options are set, this will be overridden in slapd.conf
Default value: 3600
timelimit_soft
Data type: Optional[Variant[Enum['unlimited'], Integer[1]]]
Corresponds to time.soft
in slapd.conf
Default value: undef
timelimit_hard
Data type: Optional[Variant[Enum['unlimited'], Integer[1]]]
Corresponds to time.hard
in slapd.conf
Default value: undef
tls_protocol_min
Data type: Optional[Float]
This option is only compatible with openldap-servers >= 2.4.40.
From the slapd.conf man page: Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g., TLSProtocolMin 3.2 would require TLS 1.1 (and 3.3 would require TLS 1.2).
Default value: undef
tls_verify_client
Data type: Enum['never','allow','try','demand','hard','true']
TLS client verification level
Do not set this more restrictive than 'try' unless you really know what you are doing and have extensively tested it in your environment
Default value: 'allow'
db_cachesize
Data type: Pattern['^\d+\s\d+\s\d+$']
Set the BDB backend cache size
- The format is <gigabytes> <bytes> <segments>
Default value: '0 268435456 1'
db_log_autoremove
Data type: Boolean
Tells the OpenLDAP BDB back end database to automatically remove all recovery log files when possible
- Setting this means that you are responsible for backing up your database and that incremental recovery may not be possible
Default value: true
ulimit_max_open_files
Data type: Integer[1024]
Set the number of open file handles that OpenLDAP may use
Default value: 81920
syslog
Data type: Boolean
Enable the SIMP logging infrastructure
Default value: simplib::lookup('simp_options::syslog', {'default_value' => false })
logrotate
Data type: Boolean
Enable the SIMP log rotate infrastructure
Default value: simplib::lookup('simp_options::logrotate', {'default_value' => false })
log_to_file
Data type: Boolean
Send the output logs to the file specified in $log_file
- Has no effect if $syslog is not set
Default value: false
log_file
Data type: Stdlib::Absolutepath
Output all logs to this file via syslog
- Has no effect if $log_to_file is not set
Default value: '/var/log/slapd.log'
forward_all_logs
Data type: Boolean
Forward all OpenLDAP logs via syslog
- Has no effect if $syslog is not set
Default value: false
firewall
Data type: Boolean
Enable the SIMP firewall
Default value: simplib::lookup('simp_options::firewall', {'default_value' => false })
use_tls
Data type: Variant[Enum['simp'],Boolean]
Enable TLS in openldap. By default this will mirror simp_options::pki, but needs to be distinct as the client and server configurations could vary.
Default value: $::simp_openldap::pki
app_pki_key
Data type: Stdlib::Absolutepath
Path and name of the private SSL key file
Default value: $::simp_openldap::app_pki_key
app_pki_cert
Data type: Stdlib::Absolutepath
Path and name of the public SSL certificate
Default value: $::simp_openldap::app_pki_cert
app_pki_ca_dir
Data type: Stdlib::Absolutepath
Path to the CA.
Default value: $::simp_openldap::app_pki_ca_dir
app_pki_crl
Data type: Optional[Stdlib::Absolutepath]
Path to the CRL file.
Default value: $::simp_openldap::app_pki_crl
suffix
Data type: String[1]
Default value: $::simp_openldap::base_dn
argsfile
Data type: Stdlib::Absolutepath
Default value: '/var/run/openldap/slapd.args'
bind_anon
Data type: Boolean
Default value: false
cachesize
Data type: Integer[1]
Default value: 10000
checkpoint
Data type: Pattern['(^\d+\s\d+$|^$)']
Default value: '1024 5'
concurrency
Data type: Optional[Integer[1]]
Default value: undef
conn_max_pending
Data type: Integer[1]
Default value: 100
conn_max_pending_auth
Data type: Integer[1]
Default value: 1000
default_searchbase
Data type: Optional[String[1]]
Default value: undef
disallow
Data type: Array[Simp_Openldap::SlapdConf::Disallow]
Default value: ['bind_anon','tls_2_anon']
ditcontentrule
Data type: Optional[String[1]]
Default value: undef
gentlehup
Data type: Boolean
Default value: false
idletimeout
Data type: Integer[0]
Default value: 0
index_substr_any_step
Data type: Integer[0]
Default value: 2
index_substr_any_len
Data type: Integer[0]
Default value: 4
index_substr_if_maxlen
Data type: Integer[0]
Default value: 4
index_substr_if_minlen
Data type: Integer[0]
Default value: 2
index_intlen
Data type: Integer[0]
Default value: 4
slapd_log_level
Data type: Array[Simp_Openldap::LogLevel]
Default value: ['stats', 'sync']
password_crypt_salt_format
Data type: String[1]
Default value: '%s'
pidfile
Data type: Stdlib::Absolutepath
Default value: '/var/run/openldap/slapd.pid'
reverse_lookup
Data type: Boolean
Default value: false
schemadn
Data type: String[1]
Default value: 'cn=Subschema'
security
Data type: Array[String[1]]
Default value: ['ssf=256', 'tls=256', 'update_ssf=256', 'simple_bind=256', 'update_tls=256']
sockbuf_max_incoming
Data type: Integer[1]
Default value: 262143
sockbuf_max_incoming_auth
Data type: Integer[1]
Default value: 4194303
sortvals
Data type: Array[String]
Default value: []
tcp_buffer
Data type: Optional[Integer]
Default value: undef
writetimeout
Data type: Integer[0]
Default value: 0
tls_cipher_suite
Data type: Optional[Array[String[1]]]
Default value: undef
tls_crl_check
Data type: Enum['none','peer','all']
Default value: 'none'
database
Data type: String[1]
Default value: 'bdb'
directory
Data type: Stdlib::Absolutepath
Default value: '/var/lib/ldap'
db_add_content_acl
Data type: Boolean
Default value: false
db_lastmod
Data type: Boolean
Default value: true
db_maxderefdepth
Data type: Integer[1]
Default value: 15
db_mirrormode
Data type: Boolean
Default value: false
db_monitoring
Data type: Boolean
Default value: true
db_readonly
Data type: Boolean
Default value: false
db_max_locks
Data type: Integer[1]
Default value: 3000
db_max_lock_objects
Data type: Integer[1]
Default value: 1500
db_max_lock_lockers
Data type: Integer[1]
Default value: 1500
db_log_region_max_size
Data type: Integer[1]
Default value: 262144
db_log_buffer_size
Data type: Integer[1]
Default value: 2097152
simp_openldap::server::conf::default_ldif
NOTE: THIS IS A PRIVATE CLASS
This allows for the modification of the default LDIF entries in /etc/openldap/default.ldif. It will not modify any active values in a running LDAP server.
Parameters
The following parameters are available in the simp_openldap::server::conf::default_ldif class.
users_group_id
Data type: Integer[1]
Default value: 100
administrators_group_id
Data type: Integer[500]
Default value: 700
ppolicy_pwd_min_age
Data type: Integer[0]
Default value: 86400
ppolicy_pwd_max_age
Data type: Integer[1]
Default value: 15552000
ppolicy_pwd_in_history
Data type: Integer[0]
Default value: 24
ppolicy_pwd_check_quality
Data type: Integer[0]
Default value: 2
ppolicy_pwd_min_length
Data type: Integer[0]
Default value: 14
ppolicy_pwd_expire_warning
Data type: Integer[0]
Default value: 1209600
ppolicy_pwd_grace_authn_limit
Data type: Integer
Default value: -
ppolicy_pwd_lockout
Data type: Boolean
Default value: true
ppolicy_pwd_lockout_duration
Data type: Integer[0]
Default value: 900
ppolicy_pwd_max_failure
Data type: Integer[0]
Default value: 5
ppolicy_pwd_failure_count_interval
Data type: Integer[0]
Default value: 900
ppolicy_pwd_must_change
Data type: Boolean
Default value: true
ppolicy_pwd_allow_user_change
Data type: Boolean
Default value: true
ppolicy_pwd_safe_modify
Data type: Boolean
Default value: false
simp_openldap::server::fix_bad_upgrade
NOTE: THIS IS A PRIVATE CLASS
We're not ready for using slapd.d.
Occasionally, updated openldap RPM packages ship with an automatic upgrade to slapd.d functionality. This class works around having your system destroyed by that "feature", which pops up in the RPM updates from time to time.
simp_openldap::server::install
NOTE: THIS IS A PRIVATE CLASS
Install the required packages
Parameters
The following parameters are available in the simp_openldap::server::install class.
ensure
Data type: Enum['latest','installed','present']
The state for the packages to be in
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
simp_openldap::server::service
NOTE: THIS IS A PRIVATE CLASS
Manage the OpenLDAP service
Parameters
The following parameters are available in the simp_openldap::server::service class.
slapd_svc
Data type: String[1]
The actual service name
Default value: 'slapd'
simp_openldap::slapo::lastbind
This class configures lastbind and sets up a dynamic include that defines lastbind. See slapo-lastbind(5) for details of the options.
Parameters
The following parameters are available in the simp_openldap::slapo::lastbind class.
lastbind_precision
Data type: Integer[0]
Determines the amount of time, in seconds, after which to update the authTimestamp entry.
Default value: 3600
lastbind_ensure
Data type: String
The ensure status of packages to be managed
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
simp_openldap::slapo::ppolicy
Configure the password policy for a site
This also includes the options for configuring the password checking plugin that's included with SIMP.
- See also
- slapo-ppolicy(5)
Parameters
The following parameters are available in the simp_openldap::slapo::ppolicy class.
suffix
Data type: Optional[String[1]]
The Base DN of the LDAP domain to which you wish to connect.
Default value: $::simp_openldap::base_dn
min_points
Data type: Integer[0]
The minimum number of character classes that must be included in your password for it to succeed.
Default value: 3
use_cracklib
Data type: Boolean
If true, use cracklib when checking the password.
Default value: true
min_upper
Data type: Integer[0]
The minimum number of upper case characters that must be present for the password to be valid.
Default value: 0
min_lower
Data type: Integer[0]
The minimum number of lower case characters that must be present for the password to be valid.
Default value: 0
min_digit
Data type: Integer[0]
The minimum number of digit characters that must be present for the password to be valid.
Default value: 0
min_punct
Data type: Integer[0]
The minimum number of punctuation characters that must be present for the password to be valid.
Default value: 0
max_consecutive_per_class
Data type: Integer[0]
The maximum number of characters from any character class that can exist in a row.
Default value: 3
ppolicy_ensure
Data type: String
The ensure status of the simp-ppolicy-check-password package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
ppolicy_default
Data type: Optional[String[1]]
Default value: undef
ppolicy_hash_cleartext
Data type: Optional[String[1]]
Default value: undef
ppolicy_use_lockout
Data type: Optional[String[1]]
Default value: undef
simp_openldap::slapo::syncprov
Allow other LDAP servers to synchronize with this one
- See also
- slapo-syncprov(5)
Parameters
The following parameters are available in the simp_openldap::slapo::syncprov class.
checkpoint
Data type: Optional[Pattern['^\d+\s\d+$']]
Default value: undef
sessionlog
Data type: Optional[String[1]]
Default value: undef
nopresent
Data type: Boolean
Default value: false
reloadhint
Data type: Boolean
Default value: false
sync_size_soft_limit
Data type: Variant[Enum['unlimited'], Integer]
Default value: 'unlimited'
sync_size_hard_limit
Data type: Variant[Enum['unlimited'], Integer]
Default value: 'unlimited'
sync_time_soft_limit
Data type: Variant[Enum['unlimited'], Integer]
Default value: 'unlimited'
sync_time_hard_limit
Data type: Variant[Enum['unlimited'], Integer]
Default value: 'unlimited'
Defined types
simp_openldap::server::access
Manage access control entries in slapd.access
Remember that order matters! Entries will be listed in alphanumeric order after the $order parameter is processed.
- See also
- slapd.access(5)
Parameters
The following parameters are available in the simp_openldap::server::access
defined type.
name
The unique name of the dynamic include. This does become part of the sort order so be careful!
comment
Data type: Optional[String]
An arbitrary comment that will be included above the entry
- You do not need to include the leading '#'
Default value: undef
content
Data type: Optional[String]
The entire content under $what
- If you do not specify this, $who is a required variable
- If you do specify this, $who will be ignored
Default value: undef
order
Data type: Integer
The default sort order of the entry to be added
Default value: 1000
what
Data type: String
who
Data type: Optional[String]
Default value: undef
access
Data type: Optional[String]
Default value: undef
control
Data type: Optional[String]
Default value: undef
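The following manifest is an added usage example for this define; it is not taken from the module's own documentation. It assumes a base DN of dc=example,dc=com, a synchronization DN of cn=LDAPSync,ou=Hosts,dc=example,dc=com, and that $content is emitted verbatim beneath the generated "access to <what>" line; none of these are stated on this page. The point it illustrates is first-match evaluation in slapd.access(5): slapd stops at the first "access to" stanza whose <what> matches the target and, within it, at the first "by" clause whose <who> matches the requester. Password hashes therefore have to be protected in a stanza that sorts before the catch-all, and every subject that needs access to "*" has to be listed inside the one catch-all stanza rather than in a second resource with the same <what>.

```puppet
# Added example: slapd.access entries declared with simp_openldap::server::access.
# Assumed values: base DN dc=example,dc=com, sync DN
# cn=LDAPSync,ou=Hosts,dc=example,dc=com. Entries are written out sorted by
# $order and then by resource title, so the numeric gaps leave room for
# later insertions without renumbering.

# Order 10: password hashes. This sorts before the catch-all below, so the
# catch-all's "by users read" can never expose userPassword.
simp_openldap::server::access { 'userPassword':
  order   => 10,
  comment => 'Password hashes: owner may change, anonymous may only bind, sync DN may replicate',
  what    => 'attrs=userPassword,shadowLastChange',
  content => @(ACL),
      by dn.exact="cn=LDAPSync,ou=Hosts,dc=example,dc=com" read
      by self write
      by anonymous auth
      by * none
    | ACL
}

# Order 1000 (the define's default): the catch-all. The sync DN is granted
# here, inside the same stanza. A separate resource with what => '*' would
# produce a second stanza; slapd would stop at whichever sorts first and
# everyone not named in it would fall through to the implicit "by * none".
simp_openldap::server::access { 'default':
  order   => 1000,
  comment => 'Everything else: authenticated users read, sync DN reads for replication, nobody else',
  what    => '*',
  content => @(ACL),
      by dn.exact="cn=LDAPSync,ou=Hosts,dc=example,dc=com" read
      by users read
      by * none
    | ACL
}
```

Anonymous binds still succeed because "auth" on userPassword is all a simple bind needs; after binding, the requester is matched by "users" in the catch-all. Check the rendered file with slaptest before relying on it, and remember that the rootdn bypasses these rules entirely.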
simp_openldap::server::dynamic_include
Add a dynamically included file into the LDAP system.
Parameters
The following parameters are available in the simp_openldap::server::dynamic_include
defined type.
content
Data type: String
The literal content of the dynamic include
order
Data type: Integer
The numeric order of the dynamic include
Default value: 100
simp_openldap::server::limits
This define allows you to manage limits sections under the main database
- See also
- slapd.conf(5)
Parameters
The following parameters are available in the simp_openldap::server::limits
defined type.
name
A unique name for the limits entry
who
Data type: String
Any of the following values (not validated)
- * : All, including anonymous and authenticated users
- anonymous : Anonymous (non-authenticated) users
- users : Authenticated users
- self : User associated with target entry
- dn[.<basic-style>]=<regex> : Users matching a regular expression
- dn.<scope-style>=<DN> : Users within scope of a DN
- group[/oc[/at]]=<pattern> : Members of a group
limits
Data type: Variant[Array[String],String]
A list of limits to apply to $who
per slapd.conf(5)
simp_openldap::server::syncrepl
This define configures the syncrepl functionality of OpenLDAP which allows for directory synchronization pulls from a master server.
$name should be the 'rid' of the syncrepl instance and must be between 0 and 1000, non-inclusive.
- See also
- slapd.conf(5)
Parameters
The following parameters are available in the simp_openldap::server::syncrepl
defined type.
syncrepl_retry
Data type: String[1]
Default value: '60 10 600 +'
provider
Data type: Optional[String[1]]
Default value: simplib::lookup('simp_options::ldap::master', { 'default_value' => undef })
searchbase
Data type: Optional[String[1]]
Default value: simplib::lookup('simp_options::ldap::base_dn', { 'default_value' => undef })
syncrepl_type
Data type: Enum['refreshOnly','refreshAndPersist']
Default value: 'refreshAndPersist'
interval
Data type: Optional[String[1]]
Default value: undef
filter
Data type: Optional[String[1]]
Default value: undef
syncrepl_scope
Data type: String[1]
Default value: 'sub'
attrs
Data type: String[1]
Default value: '*,+'
attrsonly
Data type: Optional[String[1]]
Default value: undef
sizelimit
Data type: Variant[Enum['unlimited'], Integer[0]]
Default value: 'unlimited'
timelimit
Data type: Variant[Enum['unlimited'], Integer[0]]
Default value: 'unlimited'
schemachecking
Data type: Enum['on','off']
Default value: 'off'
starttls
Data type: Variant[Enum['critical'], Boolean]
Default value: 'critical'
bindmethod
Data type: Enum['simple','sasl']
Default value: 'simple'
binddn
Data type: Optional[String[1]]
Default value: simplib::lookup('simp_options::ldap::sync_dn', {'default_value' => undef })
saslmech
Data type: Optional[String[1]]
Default value: undef
authcid
Data type: Optional[String[1]]
Default value: undef
authzid
Data type: Optional[String[1]]
Default value: undef
credentials
Data type: Optional[String[1]]
Default value: simplib::lookup('simp_options::ldap::sync_pw', { 'default_value' => undef })
realm
Data type: Optional[String[1]]
Default value: undef
secprops
Data type: Optional[String[1]]
Default value: undef
logbase
Data type: Optional[String[1]]
Default value: undef
logfilter
Data type: Optional[String[1]]
Default value: undef
syncdata
Data type: Enum['default','accesslog']
Default value: 'default'
updateref
Data type: Optional[String[1]]
Default value: undef
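The manifest below is an added example, not code from the module, wiring a provider and a consumer together with simp_openldap::slapo::syncprov, simp_openldap::server::limits and simp_openldap::server::syncrepl from the sections above. It assumes that the server profile class is simp_openldap::server (this page references simp_openldap::server::conf and simp_openldap::server::access but never shows the class itself), that the provider is reachable at ldap://ldap1.example.com, that the base DN is dc=example,dc=com and that the sync DN is cn=LDAPSync,ou=Hosts,dc=example,dc=com. It shows two failure modes the changelog records: the sync DN hitting the provider's default size and time limits, and the rid constraint on the syncrepl title.

```puppet
# ---- Provider node: the server that consumers pull from ----
# Assumed: simp_openldap::server is the server profile class.
include simp_openldap::server

# Publish the contextCSN so consumers can synchronise. checkpoint must
# match '^\d+\s\d+$': here the CSN is written every 100 operations or
# every 10 minutes, whichever comes first.
class { 'simp_openldap::slapo::syncprov':
  checkpoint => '100 10',
  sessionlog => '100',
}

# Exempt the sync DN from the database's default size and time limits.
# Without this the consumer receives a silently truncated directory.
# $who is not validated by the define, so the dn.exact quoting must be
# exactly what slapd.conf(5) expects.
simp_openldap::server::limits { 'ldapsync':
  who    => 'dn.exact="cn=LDAPSync,ou=Hosts,dc=example,dc=com"',
  limits => [
    'size.soft=unlimited',
    'size.hard=unlimited',
    'time.soft=unlimited',
    'time.hard=unlimited',
  ],
}

# ---- Consumer node: a replica ----
include simp_openldap::server

# The resource title is the syncrepl rid and must be strictly between
# 0 and 1000; '1' is valid, '0' and '1000' are not.
simp_openldap::server::syncrepl { '1':
  provider       => 'ldap://ldap1.example.com',
  searchbase     => 'dc=example,dc=com',
  syncrepl_type  => 'refreshAndPersist',
  syncrepl_retry => '60 10 600 +',   # retry every 60s ten times, then every 600s forever
  starttls       => 'critical',      # abort rather than replicate in cleartext
  bindmethod     => 'simple',
  sizelimit      => 'unlimited',
  timelimit      => 'unlimited',
  # binddn and credentials are left at their defaults, which resolve from
  # simp_options::ldap::sync_dn and simp_options::ldap::sync_pw in Hiera,
  # so the replication password never appears in a manifest.
}
```

Lifting the limits only removes the result-set caps; the sync DN still needs read access in slapd.access (granted through simp_openldap::server::access) to every attribute it replicates, including the operational attributes selected by the default attrs value of '*,+'.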
Data types
Simp_Openldap::LogLevel
OpenLDAP Log Levels
Alias of Variant[Integer[-1,65535], Enum[ 'any', '-', 'trace', 'packets', 'args', 'conns', 'BER', 'ber', 'filter', 'config', 'ACL', 'acl', 'stats', 'stats2', 'shell', 'parse', 'cache', 'index', 'sync', 'none' ]]
Simp_Openldap::SlapdConf::Disallow
OpenLDAP slapd.conf disallow
Alias of Enum['bind_anon', 'bind_simple', 'tls_2_anon', 'tls_authc', 'proxy_authz_non_critical', 'dontusecopy_non_critical']
Changelog
- Tue Aug 04 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.4.3-0
- Align terminology with vendor changes
- Thu Jul 23 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.4.2-0
- update the upper bound of simplib for SIMP 6.5 release
- Tue Sep 24 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.4.1-0
- Updated README.md
- Added REFERENCE.md
- Cleaned up some test fixtures
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 6.4.1-0
- Support puppetlabs/concat 6.x.
- Thu Jun 06 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 6.4.0-0
- Add v2 compliance_markup data
- Tue Mar 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.3.2-0
- Use simplib::validate_re_array in lieu of deprecated Puppet 3 validate_re_array
- Use Puppet Integer() in lieu of simplib's deprecated Puppet 3 to_integer
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.3.1-0
- Expanded the upper limit of the concat and stdlib Puppet module versions
- Updated a URL in the README.md
- Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 6.3.0-0
- Added the following package ensure parameters
- $simp_openldap::client::openldap_clients_ensure
- $simp_openldap::client::nss_pam_ldapd_ensure
- $simp_openldap::slapo::lastbind::lastbind_ensure
- $simp_openldap::slapo::ppolicy::ppolicy_ensure
- Changed the defaults for all package ensures from 'latest' to the following: simp_options::package_ensure when that parameter is present, 'installed' otherwise
- Require Puppet versions greater than 4.10.4, and don't test on it
- Update badges and contribution guide URL in README.md
- Tue Sep 11 2018 Nicholas Markowski nicholas.markowski@onyxpoint.com - 6.3.0-0
- Updated $app_pki_external_source to accept any string. This matches the functionality of pki::copy.
- Mon Aug 20 2018 Mark Fitch CodePhase@users.noreply.github.com - 6.2.1-0
- Ensure that the concat statement for access.conf is sorted in numeric order for consistency.
- Thu Jun 14 2018 Nick Miller nick.miller@onyxpoint.com - 6.2.1-0
- Update to support Puppet 5 and OEL
- Update systemd fixtures and CI assets
- Fix acceptance test by not testing text of failure code, only the exit code
- Remove unneeded simp/auditd dependency
- Mon Dec 04 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0
- Allow setting the 'users' and 'administrators' GIDs in the default ldif file
- Thu Nov 16 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.2-0
- Fix an incorrect dependency for puppetlabs/concat in the metadata.json
- Wed Nov 15 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.1-0
- Fixed an issue where pki::copy was not correctly hooked into the server logic and a system PKI update would not properly propagate into the OpenLDAP service restart.
- Thu Nov 09 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.1.1-0
- Adjust text search strings in acceptance tests
- Tue Aug 01 2017 Nick Markowski nmarkowski@keywcorp.com - 6.1.0-0
- Per CVE-2014-3566, SSLv3 and TLSv1 ciphers should be disallowed. Recent-ish updates to openldap-servers, shipped with SIMP-6.0.0-0, includes a parameter to specify a minimum bound of TLS protocol in slapd.conf, TLSProtocolMin. (see https://access.redhat.com/solutions/1234843)
- This commit includes puppetry to remove TLSv1.0, SSLv3, and SSLv2 from the TLS cipher suites, and set a minimum TLS protocol of TLSv1.2, given openldap-servers is >= 2.4.40.
- Updated syncdn and binddn defaults in server::conf
- Fri Jul 14 2017 Jeanne Greulich jeannegreulich@onyxpoint.com - 6.0.4-0
- Updated default_ldif.erb template so it would accept DC= or dc= for the base dn.
- Wed Apr 19 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.3-0
- Updated logrotate to use new lastaction API
- Updated all ldap DNs to uppercase DC=
- Update puppet requirement in metadata.json
- Fri Apr 07 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.2-0
- Ensure that 128-bit ciphers are not present in ldap.conf for EL6 systems
- Mon Mar 13 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.1-0
- server::conf::rootpw default no longer references simp_options, it defaults to undef
- Wed Mar 08 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.1-0
- Removed the 'acl' log level from the default list since it was causing low server response time on some EL7 systems
- Corrected the openldap::server::conf::conn_max_pending_auth to be set to 1000 instead of 100
- Wed Jan 25 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0
- Rename from 'openldap' to 'simp_openldap' so that we can migrate to an alternate backend in the future
- Mon Jan 23 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Calls to rsyslog::rule no longer contain 'if' logic
- Thu Jan 12 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Updated pki scheme, application certs now managed in /etc/pki/simp_apps/openldap/x509
- Mon Dec 19 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 6.0.0-0
- Updated global catalysts
- Strong typed variables
- General housekeeping
- Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 5.0.1-0
- update requirement versions
- Tue Nov 22 2016 Nick Miller nick.miller@onyxpoint.com - 5.0.1-0
- Reset max_consecutive_per_class in openldap::slapo::ppolicy to 3
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0
- Updated to compliance_markup version 2
- Tue Nov 15 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0
- Updated iptables dependency version
- Wed Oct 12 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.
- Thu Oct 06 2016 Liz Nemsick lnemsick.simp@gmail.com - 4.1.9-0
- Fixed bug in which multiple URIs in ldap hieradata were not written into ldap.conf.
- Corrected variable reference in ldap.conf.erb
- Mon Aug 01 2016 Nicholas Hughes nicholasmhughes@gmail.com - 4.1.8-0
- Corrected variable references in pam_ldap.conf.erb
- Wed Jul 13 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.7-0
- Ruby-ldap is not needed in this module, and is therefore no longer ensured present.
- Thu Jul 07 2016 Nick Miller nick.miller@onyxpoint.com - 4.1.6-0
- Added acceptance tests
- Added a parameter to the client class to disable tls connections. This makes the .ldaprc file empty instead of containing your tls credentials.
- Thu May 19 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.5-0
- Update to work with Puppet 4.4 with strict variable checking
- Sat Mar 26 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.4-0
- nslcd group and user are ensured.
- nslcd uid and gid default to 65 (nslcd). nslcd is no longer in the ldap group.
- Created an nslcd conf dir for convenient cert location. Defaults to /etc/nslcd.d. If use_simp_pki is true, pki::copy copies the system certs here.
- nslcd.conf tls options now have proper defaults. Fixed syntax errors in nslcd.conf and pam_ldap.conf
- Wed Mar 23 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.3-0
- Added an openldap::server::service class for external profiles that need to restart the service without triggering unnecessary side effects.
- Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.2-0
- Migrated use_simp_pki to a global catalyst.
- Fixed several ordering bugs as well as issues with being unable to work standalone.
- Mon Mar 14 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.1-10
- Ensure that EL6.7+ uses SSSD over NSCD
- Mon Feb 29 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-9
- Updated to work cleanly with Puppet 4.3.2
- Tue Feb 23 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.1-8
- Added compliance function support
- Tue Dec 08 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-7
- The default.ldif template has been updated to provide the capability to modify the password setting defaults. This will not affect the running LDAP server.
- Thu Nov 12 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-6
- Replaced all 'lsb' facts with 'operatingsystem' facts.
- Updated to use SSSD by default on EL<7.
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.1-5
- migration to simplib and simpcat (lib/ only)
- Mon Nov 09 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-4
- Changed pwdGraceAuthnLimit to '-1' to allow users to change their passwords post expiry.
- Thu Jul 30 2015 Kendall Moore kmoore@keywcorp.com - 4.1.1-3
- Updated to use the new rsyslog module.
- Thu Jul 30 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-2
- The Password Policy overlay was getting loaded into the default.ldif even if you didn't want to use it. This has been fixed.
- Made the password policy overlay align with the latest SIMP build of the plugin.
- This means that you must have version simp-ppolicy-check-password-2.4.39-0 or later available to the system being configured.
- Sat May 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-1
- More closely align with the published STIG guidelines.
- Thu Mar 26 2015 Jacob Gingrich jgingrich@onyxpoint.com - 4.1.1-0
- Updated the module for facter 2.4.
- nslcd threads set to 5, no longer 'dynamic'.
- Thu Mar 12 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-17
- Fixed an incorrect call to sync_password instead of sync_pw in syncrepl.pp.
- Fixed an incorrect call to $::openldap::server::sync_dn to ldap::sync_dn in hiera.
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-16
- Migrated to the new 'simp' environment.
- Changed calls directly to /etc/init.d/rsyslog to '/sbin/service rsyslog' so that both RHEL6 and RHEL7 are properly supported.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-15
- Changed puppet-server requirement to puppet
- Wed Nov 05 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-14
- Changed the cipher sets to the workaround FIPS compliant set since RHEL6.6 includes the bug that plagues RHEL7.
- Details: https://bugzilla.redhat.com/show_bug.cgi?id=1123092
- Sun Nov 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13
- Updated to add support for custom options as well as proper support for the RHEL7 configuration file location.
- Fri Oct 17 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-12
- CVE-2014-3566: Updated ciphers to help mitigate POODLE. Unfortunately, OpenSSL cannot set the SSL protocol to be used. However, all clients will negotiate the most secure first and testing has indicated that they are all using TLSv1.
- Fri Oct 03 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-11
- Updated the manifests and templates for missing variables from ssh_ldap.conf.
- Thu Aug 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10
- Properly account for the fact that @uri is an array, not a string.
- Thu Aug 07 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-9
- Enabled authlogin_nsswitch_use_ldap for nslcd to work with targeted SELinux mode on
- Tue Jul 22 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8
- Updated to handle the recompiled/deconflicted simp-ppolicy-check-password RPM for RHEL7.
- Wed Jul 09 2014 Adam Yohrling adam.yohrling@onyxpoint.com - 4.1.0-7
- Modified client certs to point at /etc/pki instead of /etc/openldap/pki, which is the server location.
- Mon Jul 07 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-6
- Spec tests were missing Facts used by supporting modules, due to updates over time. Spec tests now run cleanly.
- Mon Jun 30 2014 Adam Yohrling adam.yohrling@onyxpoint.com - 4.1.0-5
- Updated the sync_dn default value to be correct syntactically with a 'cn=' and also modified the ou from People to Hosts to match the standard SIMP default.
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4
- Removed MD5 file checksums for FIPS compliance.
- Wed Apr 30 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- Made numerous modifications to support the removal of the 'default_classes' material.
- Changes to defines:
- syncrepl::conf => syncrepl
- slapd::conf =>
- slapo::ppolicy::conf =>
- slapo::syncprov::conf =>
- Added support for multiple top level hiera values to support a more generic LDAP infrastructure.
- ldap::base_dn
- ldap::bind_dn
- ldap::bind_pw
- ldap::bind_hash
- ldap::sync_dn
- ldap::root_dn
- ldap::root_hash
- ldap::uri (array)
- ldap::master
- Updated to use the pki::copy define.
- Removed the openldap::slapd::pki class
- Removed all reliance on Rsync and added the setting of schemas to openldap::server. Made the schema source variable so that you can add your own elsewhere if you so choose. Users can add to our file space if they wish.
- Thu Feb 13 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2
- WARNING: All legacy code is probably broken at this point!
- Converted all string booleans to booleans
- Added new options to slapd.conf
- Removed unused nss_* options from pam_ldap.conf
- Updated the slapd.conf.erb template to actually use all of the variables in the manifest
- Modified the slapd_pki.pp to copy the PKI files instead of messing about with ACLs.
- Update to remove warnings about IPTables not being detected. This is a nuisance when allowing other applications to manage iptables legitimately.
- Added several additional safety features to bootstrap_ldap.
- A lock file was added at /etc/openldap/puppet_bootstrapped.lock that will need to be removed before bootstrap will run again.
- When OS upgrades reconfigure the LDAP configuration structure, the execs handle things properly.
- Mon Jan 06 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Ensure that Exec['bootstrap_ldap'] does not break LDAP slave syncing.
- Thu Dec 12 2013 Morgan Haskel morgan.haskel@onyxpoint.com - 4.1.0-0
- Added support for LDAP referral chaining by default.
- Sat Dec 07 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-20
- The lastbind material was updated to properly require the simp-lastbind package.
- Wed Nov 27 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-19
- Ldap bootstrap now uses slaptest to ensure a sane ldap config before blowing the databases away. Re-wrote fixperms to ensure ALL files in /var/lib/ldap/ owned by ldap.
- Tue Nov 19 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-19
- Fixed a bug in the handling of slapd.access. This should be turned into a native type.
- Mon Oct 21 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-18
- Removed akeys completely.
- Cleaned up some code in the templates.
- Tue Oct 08 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-18
- Updated template to reference instance variables with @
- Wed Oct 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-17
- Use 'versioncmp' for all version comparisons.
- Thu Sep 26 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-16
- Added a dependency on the cacerts directory to the nslcd service.
- Tue Sep 03 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0-15
- Incorporated the lastbind overlay to record an authTimestamp which updates every time a user binds.
- Wed Jul 10 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0-14
- The settings on the LDAP server were not set to allow the LDAPSync user to pull more than the default number of entries. This caused the slave servers to only pull a subset of the proper entries. This has been fixed so that including syncprov will set the correct pull settings.
- Fri May 24 2013 Adam Yohrling adam.yohrling@onyxpoint.com 4.0-13
- Patched slapd.pp to use a dynamic ldap_sync_dn and ldap_bind_dn so that existing servers can optionally be used without reconfiguration.
- Thu May 02 2013 Nick Markowski nmarkowski@keywcorp.com 4.0-13
- Removed pull_keys, as openssh now uses openssh-ldap to authenticate public keys.
- Ensured akeys cron job absent.
- Added an exec to slapd.pp to check permissions on /var/lib/ldap/* and chown them to ldap:ldap if necessary.
- Changed the slapcat runuser to ldap.
- Mon Feb 25 2013 Maintenance 4.0-12
- Added a call to $::rsync_timeout to the rsync call since it is now required.
- Fri Jan 11 2013 Maintenance 4.0.0-11
- Added support for environments that do not require a bind password or username.
- Wed Nov 07 2012 Maintenance 4.0.0-10
- Added support for locker manipulation in DB_CONFIG as well as multi-thread support.
- Made the checkpoint variable optional in slapd.conf.
- Add the ability to nuke log files using incrond by setting the $force_log_quick_kill variable in openldap::slapd::conf.
- Update to enable transaction auditing by default.
- Updated akeys to ignore anything that is not a regular file or link.
- Mon Sep 24 2012 Maintenance 4.0.0-9
- Updated akeys to print to syslog by default.
- Thu Aug 02 2012 Maintenance 4.0.0-8
- Ensure that nslcd is restarted when host PKI keys are updated.
- Thu Jun 07 2012 Maintenance 4.0.0-7
- Ensure that Arrays in templates are flattened.
- Call facts as instance variables.
- Moved mit-tests to /usr/share/simp...
- Removed test for pam lock
- Updated pp files to better meet Puppet's recommended style guide.
- Mon Mar 12 2012 Maintenance 4.0.0-6
- Updated tests.
- Improved test stubs.
- Fri Feb 10 2012 Maintenance 4.0.0-5
- Removed the local user tests from here and added them to common.
- Wed Dec 14 2011 Maintenance 4.0.0-4
- Added an initial suite of tests.
- Updated the spec file to not require a separate file list.
- Scoped all of the top level variables.
- Made sure that syncrepl.la is only included pre-5.7.
- Dropped the bind_timelimit to '5' to alleviate login failures.
- Added a section for prod_nscd to the RHEL < 6 portion of the openldap client_auth segment.
- Mon Dec 05 2011 Maintenance 4.0.0-3
- Permissions on akeys match those set by the cron permissions check script in the 'sec' module.
- Mon Nov 07 2011 Maintenance 4.0.0-2
- Fixed call to rsyslog restart for RHEL6.
- Modified the openldap module such that you can now use openldap::slapd::access::add to add custom access control capabilities to /etc/openldap/slapd.access.
- Added a variable $openldap::slapd::slapd_svc to hold the name of the 'slapd' service since it changes from 'ldap' to 'slapd' in RHEL6.
- Fixed the portions that were required to use an OpenLDAP slave in RHEL6.
- Updated to use both nscd and nslcd.
- Added a selective variable for the location of the PAM LDAP configuration file based on the version of Red Hat that it's being installed under.
- Mon Oct 10 2011 Maintenance 4.0.0-1
- Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
- Modified all multi-line exec statements to act as defined on a single line to address bugs in puppet 2.7.5
- Added entries to openldap::slapd::conf to handle all sizelimit and timelimit combinations as well as the ability to handle individual entries based on DN.
- Updated the default LDIF file to fully enable the password compliance checking.
- Updated auth_config.pp to handle the fact that SSSD can't deal with shadow passwords properly.
- Wed Aug 24 2011 Maintenance 4.0-0
- Akeys and /etc/ldap.conf can now use ldaps.
- Incrond now watches for permissions changes on local_keys and spawns akeys appropriately.
- Passwords now expire at 180 days by default.
- Ensure that we use the 'slapd' service instead of 'ldap' for RHEL6.
- Replaced the 'listen' array in openldap::slapd::conf with listen_ldap, listen_ldapi, and listen_ldaps.
- Added the slapd_shutdown_timeout variable to openldap::slapd::conf.
- Removed the call to functions::init_mod_open_files in openldap::slapd::conf with a fully templated /etc/sysconfig/ldap file.
- Removed the call to openldap-servers-overlays since they are now included with the main package.
- Updated the syncprov template to properly load the syncprov module.
- Mon Jun 13 2011 Maintenance - 2.0.0-3
- Rewrote the akeys script to properly handle the situation where you have local certs that don't work with the remote LDAP server.
- Fixed this module for the case where the $use_sssd variable doesn't exist.
- Default password length is now 14
- Changed the default password expiration to 60 days.
- Tue May 17 2011 Maintenance - 2.0.0-2
- Fixed the password policy entries to properly install. Unfortunately, users will need to fix this manually in the actively running LDAP.
- Fri Apr 22 2011 Maintenance - 2.0.0-1
- Added the variable $enable_logging to slapd::conf so that local4 can be captured.
- Changed puppet://$puppet_server/ to puppet:///
- The pull_keys define now simply takes all of the values that akeys requires instead of pulling them from /etc/ldap.conf. This is because SSSD does not populate /etc/ldap.conf.
- Updated to support the use of SSSD
- Added akeys_timeout variable so that you can modify the timeouts in the akeys script.
- The openldap module now expects to have an associated rsync space that is password protected.
- /etc/cron.hourly/akeys now deletes /etc/cron.hourly/akeys.pl if it exists.
- Ensure that slapd restarts if any part of the cert space gets changed.
- Updated akeys.erb to preserve permissions when copying files from local_keys.
- Updated the /etc/ldap.conf template and define to incorporate all possible pam_* options from pam_ldap(5)
- Updated to use the new concat type.
- Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
- Do not log to an audit log by default.
- Do not pass the audit log to syslog by default.
- Rotate the audit log.
- Add support for the SIMP supplied openldap password policy module.
- Stop slapd from purging /etc/openldap
- Change default password mode in /etc/ldap.conf to exop to allow for server side password enforcement.
- PwdChangeQuality is now set to 2 in default.ldif. This means that the server will only accept password changes on passwords that it can read. This requires the 'exop' change above.
- pwdGraceAuthNL is now set to 0 in default.ldif. We do not want to allow "grace" logins after lockout.
- Stop slapd from purging /etc/openldap
- Updated to use rsync native type
- Updated to use concat_build and concat_fragment types
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Fri Jan 07 2011 Maintenance - 1.0-6
- Now support multiple SSH keys in LDAP!
- Migrated akeys.pl to akeys and re-wrote it in Ruby based on ruby-ldap. This seems to work much more quickly than the old PERL script.
- Wed Oct 27 2010 Maintenance - 1.0-5
- Fix audit logging issues in OpenLDAP so that it actually uses the audit module.
- Ensure that auditing is able to be disabled.
- Tue Oct 26 2010 Maintenance - 1.0-4
- Converting all spec files to check for directories prior to copy.
- Thu Sep 09 2010 Maintenance 1.0-3
- Replaced tcpwrappers::tcpwrappers_allow with tcpwrappers::allow.
- Tue Aug 10 2010 Maintenance 1.0-2
- Modified the ppolicy overlay settings to use the proper DN for the default password policy. The policy now takes effect properly.
- Wed Jul 14 2010 Maintenance 1.0-1
- Added schema for freeradius
- Fri May 21 2010 Maintenance 1.0-0
- Added Dependency on pupmod-ssh
- Code doc and refactor.
- Thu Jan 28 2010 Maintenance 0.1-32
- Critical: Fixed a bug in akeys.pl that would result in the deletion of all local keys from the auth_keys directory.
- Thu Jan 14 2010 Maintenance 0.1-31
- Minor refactor to call the new function for setting max open files.
- Wed Jan 06 2010 Maintenance 0.1-30
- You can now set the maximum number of open files using the $ulimit_max_open_files variable in the openldap::slapd::conf define.
- The default has been set to 81920 which should handle almost any site.
- Thu Dec 31 2009 Maintenance 0.1-29
- Fixed an issue with ssl start_tls not being present in the /etc/ldap.conf configuration by default.
- Added an option 'use_certs' that indicates whether or not the client should use the host's PKI certificates.
- Set SSL to be enabled by default.
- Tue Dec 15 2009 Maintenance 0.1-28
- Moved the copy of /etc/ssh/local_keys to the top of the akeys.pl script so that LDAP errors would not prevent it from happening.
- Now support base64 encoded entries in the akeys.pl script for the SSH key in LDAP.
- Modified the configuration to use the last entry in ldapuri as the default LDAP master and a variable, ldap_master_uri for explicitly setting the value.
- Openldap slave no longer validates certs in support of GNOME.
- Mon Nov 02 2009 Maintenance 0.1-27
- Changed the permissions on /etc/ldap.conf to 644 by default so that the GUI applications would work better by default.
- Tue Oct 06 2009 Maintenance 0.1-26
- Added a fact $openldap_arch to provide the build architecture of the openldap running on the target system.
- Modified the modulepath segment of the slapd.pp manifest to use the $openldap_arch fact instead of the $architecture fact.
- Tue Sep 29 2009 Maintenance 0.1-25
- Split out the module path to support both 64 and 32 bit properly
Dependencies
- puppetlabs/concat (>= 2.0.0 < 7.0.0)
- puppetlabs/stdlib (>= 4.13.1 < 7.0.0)
- simp/iptables (>= 6.0.0 < 7.0.0)
- simp/logrotate (>= 6.1.0 < 7.0.0)
- simp/pki (>= 6.0.0 < 7.0.0)
- simp/rsyslog (>= 7.0.0 < 8.0.0)
- simp/simplib (>= 3.7.0 < 5.0.0)
- simp/tcpwrappers (>= 6.0.0 < 7.0.0)
License
Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.