Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
- , , , , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'puppet-openldap', '8.0.0'
Learn more about managing modules with a Puppetfile
OpenLDAP
Overview
The openldap module allows you to easily manage OpenLDAP with Puppet. By default it will use OLC (cn=config).
Features supported
Object | olc (slapd.d) |
---|---|
global_conf | Y |
database | Y |
module | Y |
overlay | Y |
access | Y |
index | Y |
schema | Y |
Usage
Configuring the client
class { 'openldap::client': }
For a more customized configuration:
class { 'openldap::client':
  base       => 'dc=example,dc=com',
  uri        => ['ldap://ldap.example.com', 'ldap://ldap-master.example.com:666'],
  tls_cacert => '/etc/ssl/certs/ca-certificates.crt',
}
Configuring the server
class { 'openldap::server': }
openldap::server::database { 'dc=foo,dc=example.com':
  ensure => present,
}
For a more customized configuration:
class { 'openldap::server':
  ldaps_ifs => ['/'],
  ssl_cert  => '/etc/ldap/ssl/slapd.pem',
  ssl_key   => '/etc/ldap/ssl/slapd.key',
}
If you need multiple databases:
class { 'openldap::server':
  databases => {
    'dc=foo,dc=example,dc=com' => {
      directory => '/var/lib/ldap/foo',
    },
    'dc=bar,dc=example,dc=com' => {
      directory => '/var/lib/ldap/bar',
    },
  },
}
Configuring a global parameter:
openldap::server::globalconf { 'security':
  ensure => present,
  value  => 'tls=128',
}
Configuring multiple olc serverIDs for multiple master or mirror mode
openldap::server::globalconf { 'ServerID':
  ensure => present,
  value  => { 'ServerID' => [ '1 ldap://master1.example.com', '2 ldap://master2.example.com' ] }
}
Configuring security for global
openldap::server::globalconf { 'Security':
  ensure => present,
  value  => { 'Security' => [ 'simple_bind=128', 'ssf=128', 'tls=0' ] }
}
Configuring a database
openldap::server::database { 'dc=example,dc=com':
  directory => '/var/lib/ldap',
  rootdn    => 'cn=admin,dc=example,dc=com',
  rootpw    => 'secret',
}
rootpw will be automatically converted to a SSHA hash with random salt.
Support SHA-2 password
openldap::server::database { 'dc=example,dc=com':
  directory => '/var/lib/ldap',
  rootdn    => 'cn=admin,dc=example,dc=com',
  rootpw    => '{SHA384}QZdaK3FnibbilSPbthnf3cO8lBWsRyM9i1MZTUFP21RdBSLSNFgYc2eFFzJG/amX',
}
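The two rootpw forms above (a cleartext value that gets salted and hashed, and a pre-hashed {SCHEME} value), as an added Ruby example that is not the module's own code: it builds and verifies a {SSHA} value and classifies a rootpw string as cleartext, unsalted or salted. The function names, the 8-byte salt length and the scheme table are assumptions made for this example.

```ruby
require 'base64'
require 'digest/sha1'
require 'securerandom'

# Digest size in bytes per scheme; any bytes after the digest are the salt.
# Table assembled for this example (assumption). CRYPT is not base64-encoded
# and is deliberately left out.
DIGEST_BYTES = {
  'MD5' => 16, 'SMD5' => 16, 'SHA' => 20, 'SSHA' => 20,
  'SHA256' => 32, 'SHA384' => 48, 'SHA512' => 64
}.freeze

# Split "{SCHEME}base64" into scheme, digest and salt.
# Returns nil when the value carries no {SCHEME} prefix, i.e. it is cleartext.
def parse_rootpw(value)
  m = /\A\{([A-Za-z0-9]+)\}(.+)\z/.match(value)
  return nil unless m

  scheme = m[1].upcase
  size = DIGEST_BYTES[scheme]
  return { scheme: scheme, digest: nil, salt: nil } unless size

  raw = Base64.strict_decode64(m[2])
  { scheme: scheme,
    digest: raw.byteslice(0, size),
    salt: raw.byteslice(size, raw.bytesize) || ''.b }
end

# {SSHA} = base64( SHA1(password + salt) + salt ), with a fresh salt per call.
def ssha(password, salt = SecureRandom.random_bytes(8))
  digest = Digest::SHA1.digest(password.b + salt.b)
  "{SSHA}#{Base64.strict_encode64(digest + salt.b)}"
end

# Compare two byte strings without stopping at the first difference.
def secure_equal?(left, right)
  return false unless left.bytesize == right.bytesize

  diff = 0
  left.bytes.zip(right.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Recompute the digest with the stored salt and compare.
def ssha_verify?(password, stored)
  parts = parse_rootpw(stored)
  return false unless parts && parts[:scheme] == 'SSHA'

  secure_equal?(Digest::SHA1.digest(password.b + parts[:salt]), parts[:digest])
end

# :cleartext    - no {SCHEME} prefix, the password itself sits in the manifest
# :unsalted     - payload is exactly one digest long, so equal passwords
#                 produce equal stored values
# :salted       - payload carries salt bytes after the digest
# :unrecognised - scheme not in DIGEST_BYTES (for example CRYPT)
def classify_rootpw(value)
  parts = parse_rootpw(value)
  return :cleartext if parts.nil?
  return :unrecognised if parts[:digest].nil?

  parts[:salt].empty? ? :unsalted : :salted
end

if __FILE__ == $PROGRAM_NAME
  # 'secret' is the sample value from the README; the second string is the
  # {SHA384} value shown on the page.
  page_sha384 = '{SHA384}QZdaK3FnibbilSPbthnf3cO8lBWsRyM9i1MZTUFP21RdBSLSNFgYc2eFFzJG/amX'
  first = ssha('secret')
  second = ssha('secret')
  puts first, second
  puts "same password, different stored values: #{first != second}"
  puts "both verify: #{ssha_verify?('secret', first) && ssha_verify?('secret', second)}"
  puts "README cleartext value: #{classify_rootpw('secret')}"
  puts "README SHA384 value:    #{classify_rootpw(page_sha384)}"
end
```

The {SHA384} value from the page decodes to exactly 48 bytes, so it carries no salt; a salted scheme would show extra bytes after the digest.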
Configuring modules
openldap::server::module { 'memberof':
  ensure => present,
}
Configuring overlays
openldap::server::overlay { 'memberof on dc=example,dc=com':
  ensure => present,
}
Configuring ACPs/ACLs
The documentation for olcAccess gives the following specification:
5.2.5.2. olcAccess: to <what> [ by <who> [<accesslevel>] [<control>] ]+
Define priority and suffix in the title:
openldap::server::access { '0 on dc=example,dc=com':
  what   => 'attrs=userPassword,shadowLastChange',
  access => [
    'by dn="cn=admin,dc=example,dc=com" write',
    'by anonymous auth',
    'by self write',
    'by * none',
  ],
}
From the OpenLDAP documentation:
The frontend is a special database that is used to hold database-level options that should be applied to all the other databases. Subsequent database definitions may also override some frontend settings.
So use the suffix 'cn=frontend' for this special database:
openldap::server::access { '0 on cn=frontend' :
  what   => '*',
  access => [
    'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
    'by * break',
  ],
}
Note: For purging unmanaged entries, rely on the resources resource:
resources { 'openldap_access':
  purge => true,
}
openldap::server::access { '0 on dc=example,dc=com':
  what   => ...,
  access => [...],
}
openldap::server::access { '1 on dc=example,dc=com':
  what   => ...,
  access => [...],
}
Call your ACL from a hash:
The class openldap::server::access_wrapper was designed to simplify creating ACLs.
Each ACL is a distinct hash in order to avoid collisions when multiple identical what values are present (to * in this example).
$example_acl = [
  {
    'to *' => [
      'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
      'by dn.exact=cn=admin,dc=example,dc=com write',
      'by dn.exact=cn=replicator,dc=example,dc=com read',
      'by * break',
    ],
  },
  {
    'to attrs=userPassword,shadowLastChange' => [
      'by dn="cn=admin,dc=example,dc=com" write',
      'by self write',
      'by anonymous auth',
    ],
  },
  {
    'to *' => [
      'by self read',
    ],
  },
]
openldap::server::access_wrapper { 'dc=example,dc=com' :
  acl => $example_acl,
}
Configuring Schemas
openldap::server::schema { 'samba':
  ensure  => present,
  path    => '/etc/ldap/schema/samba.schema',
  require => Openldap::Server::Schema["inetorgperson"],
}
openldap::server::schema { 'nis':
  ensure  => present,
  path    => '/etc/ldap/schema/nis.ldif',
  require => Openldap::Server::Schema["inetorgperson"],
}
Configuring Rewrite-overlay
openldap::server::database { 'relay':
  ensure  => present,
  backend => 'relay',
  suffix  => 'o=example',
  relay   => 'dc=example,dc=com',
}->
openldap::server::overlay { "rwm on relay":
  ensure  => present,
  suffix  => 'cn=config',
  overlay => 'rwm',
  options => {
    'olcRwmRewrite' => [
      'rwm-rewriteEngine "on"',
      'rwm-suffixmassage , "dc=example,dc=com"',
    ],
  },
}
Configuring Dbindex
# Configuration suffix
Openldap::Server::Dbindex {
  suffix => 'dc=example,dc=com',
}
# The module only sets "objectClass eq" by default
openldap::server::dbindex {
  'cn':
    attribute => 'cn',
    indices   => 'eq,pres,sub';
  'uid':
    attribute => 'uid',
    indices   => 'eq,pres,sub';
  'uidNumber':
    attribute => 'uidNumber',
    indices   => 'eq,pres';
  'gidNumber':
    attribute => 'gidNumber',
    indices   => 'eq,pres';
  'member':
    attribute => 'member',
    indices   => 'eq,pres';
  'memberUid':
    attribute => 'memberUid',
    indices   => 'eq,pres';
}
Transfer Notice
This plugin was originally authored by Camptocamp. The maintainer preferred that Puppet Community take ownership of the module for future improvement and maintenance. Existing pull requests and issues were transferred over; please fork and continue to contribute here instead of at Camptocamp.
Previously: https://github.com/camptocamp/puppet-openldap
Reference
Classes
openldap::client
See README.md for details.
Parameters
The following parameters are available in the openldap::client class:
package
file
package_version
base
bind_policy
bind_timelimit
binddn
bindpw
ldap_version
network_timeout
scope
ssl
suffix
timelimit
timeout
uri
nss_base_group
nss_base_hosts
nss_base_passwd
nss_base_shadow
nss_initgroups_ignoreusers
pam_filter
pam_login_attribute
pam_member_attribute
pam_password
tls_cacert
tls_cacertdir
tls_checkpeer
tls_reqcert
tls_moznss_compatibility
sasl_mech
sasl_realm
sasl_authcid
sasl_secprops
sasl_nocanon
gssapi_sign
gssapi_encrypt
gssapi_allow_remote_principal
sudoers_base
package
Data type: String[1]
file
Data type: Stdlib::Absolutepath
package_version
Data type: String[1]
Default value: installed
base
Data type: Optional[String[1]]
Default value: undef
bind_policy
Data type: Optional[String[1]]
Default value: undef
bind_timelimit
Data type: Optional[String[1]]
Default value: undef
binddn
Data type: Optional[String[1]]
Default value: undef
bindpw
Data type: Optional[String[1]]
Default value: undef
ldap_version
Data type: Optional[String[1]]
Default value: undef
network_timeout
Data type: Optional[String[1]]
Default value: undef
scope
Data type: Optional[String[1]]
Default value: undef
ssl
Data type: Optional[String[1]]
Default value: undef
suffix
Data type: Optional[String[1]]
Default value: undef
timelimit
Data type: Optional[String[1]]
Default value: undef
timeout
Data type: Optional[String[1]]
Default value: undef
uri
Data type: Optional[Variant[String[1],Array[String[1]]]]
Default value: undef
nss_base_group
Data type: Optional[String[1]]
Default value: undef
nss_base_hosts
Data type: Optional[String[1]]
Default value: undef
nss_base_passwd
Data type: Optional[String[1]]
Default value: undef
nss_base_shadow
Data type: Optional[String[1]]
Default value: undef
nss_initgroups_ignoreusers
Data type: Optional[String[1]]
Default value: undef
pam_filter
Data type: Optional[String[1]]
Default value: undef
pam_login_attribute
Data type: Optional[String[1]]
Default value: undef
pam_member_attribute
Data type: Optional[String[1]]
Default value: undef
pam_password
Data type: Optional[String[1]]
Default value: undef
tls_cacert
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
tls_cacertdir
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
tls_checkpeer
Data type: Optional[String[1]]
Default value: undef
tls_reqcert
Data type: Optional[String[1]]
Default value: undef
tls_moznss_compatibility
Data type: Optional[Openldap::Tls_moznss_compatibility]
Default value: undef
sasl_mech
Data type: Optional[String[1]]
Default value: undef
sasl_realm
Data type: Optional[String[1]]
Default value: undef
sasl_authcid
Data type: Optional[String[1]]
Default value: undef
sasl_secprops
Data type: Optional[Array[String[1]]]
Default value: undef
sasl_nocanon
Data type: Optional[Boolean]
Default value: undef
gssapi_sign
Data type: Optional[Boolean]
Default value: undef
gssapi_encrypt
Data type: Optional[Boolean]
Default value: undef
gssapi_allow_remote_principal
Data type: Optional[String[1]]
Default value: undef
sudoers_base
Data type: Optional[String[1]]
Default value: undef
openldap::client::config
See README.md for details.
openldap::client::install
See README.md for details.
openldap::client::ldapvi
See README.md for details.
Parameters
The following parameters are available in the openldap::client::ldapvi class:
package
Data type: String[1]
Default value: 'ldapvi'
openldap::client::utils
The openldap::client::utils class.
openldap::server
See README.md for details.
Parameters
The following parameters are available in the openldap::server class:
krb5_keytab_file
krb5_client_keytab_file
package
confdir
conffile
service
owner
group
escape_ldapi_ifs
ldapi_ifs
default_directory
manage_epel
package_version
enable_chown
service_hasstatus
enable
start
ssl_key
ssl_cert
ssl_ca
databases
ldap_ifs
ldaps_ifs
slapd_params
ldap_port
ldap_address
ldaps_port
ldaps_address
ldapi_socket_path
register_slp
ldap_config_backend
enable_memory_limit
krb5_keytab_file
Data type: Optional[Stdlib::Absolutepath]
If set, manages the KRB5_KTNAME environment variable on Debian-based operating systems. This is required when configuring SASL with the GSSAPI backend.
Default value: undef
krb5_client_keytab_file
Data type: Optional[Stdlib::Absolutepath]
If set, manages the KRB5_CLIENT_KTNAME environment variable on Debian-based operating systems. This is required when configuring SASL with the GSSAPI backend.
Default value: undef
package
Data type: String[1]
confdir
Data type: String[1]
conffile
Data type: String[1]
service
Data type: String[1]
owner
Data type: String[1]
group
Data type: String[1]
escape_ldapi_ifs
Data type: Boolean
ldapi_ifs
Data type: Array[String[1]]
default_directory
Data type: Stdlib::Absolutepath
manage_epel
Data type: Boolean
Default value: true
package_version
Data type: String[1]
Default value: installed
enable_chown
Data type: Optional[Boolean]
Default value: undef
service_hasstatus
Data type: Optional[Boolean]
Default value: undef
enable
Data type: Boolean
Default value: true
start
Data type: Boolean
Default value: true
ssl_key
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
ssl_cert
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
ssl_ca
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
databases
Data type: Hash
Default value: {}
ldap_ifs
Data type: Array[String[1]]
Default value: ['/']
ldaps_ifs
Data type: Array[String[1]]
Default value: []
slapd_params
Data type: Optional[String]
Default value: undef
ldap_port
Data type: Optional[Stdlib::Port]
Default value: undef
ldap_address
Data type: Optional[Stdlib::IP::Address]
Default value: undef
ldaps_port
Data type: Optional[Stdlib::Port]
Default value: undef
ldaps_address
Data type: Optional[Stdlib::IP::Address]
Default value: undef
ldapi_socket_path
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
register_slp
Data type: Optional[Boolean]
Default value: undef
ldap_config_backend
Data type: Optional[String]
Default value: undef
enable_memory_limit
Data type: Optional[Boolean]
Default value: undef
openldap::server::config
See README.md for details.
openldap::server::install
See README.md for details.
openldap::server::service
See README.md for details.
openldap::server::slapdconf
See README.md for details.
openldap::utils
See README.md for details.
Parameters
The following parameters are available in the openldap::utils class:
package
Data type: Optional[String[1]]
Default value: undef
package_version
Data type: String[1]
Default value: installed
Defined types
openldap::server::access
See README.md for details.
Parameters
The following parameters are available in the openldap::server::access defined type:
what
Data type: String[1]
access
Data type: Array[Openldap::Access_rule]
ensure
Data type: Enum['present', 'absent']
Default value: 'present'
openldap::server::access_wrapper
== Define openldap::server::access_wrapper
Generate access from a given hash.
=== Parameters
[suffix] Default: $name Mandatory. The suffix to apply acls
[acl] Default: Mandatory. Array of Hash in the form { => , ... }
example:
$acl = [
  {
    'to ' => [
      'by dn.base="cn=replicator,dc=suretecsystems,dc=com" write',
      'by break'
    ],
  },
  {
    'to dn.base=""' => [
      'by * read',
    ],
  },
  {
    'to dn.base="cn=Subschema"' => [
      'by * read',
    ],
  },
  {
    'to dn.subtree="cn=Monitor"' => [
      'by dn.exact="uid=admin,dc=suretecsystems,dc=com" write',
      'by users read',
      'by * none',
    ],
  },
  {
    'to ' => [
      'by self write',
      'by none',
    ]
  },
]
Parameters
The following parameters are available in the openldap::server::access_wrapper defined type:
acl
Data type: Array[Hash[Pattern[/\Ato\s/], Array[Openldap::Access_rule], 1, 1]]
suffix
Data type: String[1]
Default value: $name
openldap::server::database
See README.md for details.
Parameters
The following parameters are available in the openldap::server::database defined type:
ensure
directory
suffix
relay
backend
rootdn
rootpw
initdb
readonly
sizelimit
dbmaxsize
timelimit
updateref
limits
dboptions
synctype
mirrormode
multiprovider
syncusesubentry
syncrepl
security
ensure
Data type: Enum['present', 'absent']
Default value: present
directory
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
suffix
Data type: String[1]
Default value: $title
relay
Data type: Optional[String[1]]
Default value: undef
backend
Data type: Optional[String[1]]
Default value: undef
rootdn
Data type: Optional[String[1]]
Default value: undef
rootpw
Data type: Optional[String[1]]
Default value: undef
initdb
Data type: Optional[Boolean]
Default value: undef
readonly
Data type: Boolean
Default value: false
sizelimit
Data type: Optional[String[1]]
Default value: undef
dbmaxsize
Data type: Optional[String[1]]
Default value: undef
timelimit
Data type: Optional[String[1]]
Default value: undef
updateref
Data type: Optional[String[1]]
Default value: undef
limits
Data type: Openldap::Limits
Default value: {}
dboptions
Data type: Hash[String[1],Variant[String[1],Array[String[1]]]]
Default value: {}
synctype
Data type: Optional[String[1]]
Default value: undef
mirrormode
Data type: Optional[Boolean]
Default value: undef
multiprovider
Data type: Optional[Boolean]
Default value: undef
syncusesubentry
Data type: Optional[String[1]]
Default value: undef
syncrepl
Data type: Array[Openldap::Syncrepl]
Default value: []
security
Data type:
Hash[
  Enum[
    'transport',
    'sasl',
    'simple_bind',
    'ssf',
    'tls',
    'update_sasl',
    'update_ssf',
    'update_tls',
    'update_transport',
  ],
  Integer[0]
]
Default value: {}
openldap::server::dbindex
See README.md for details.
Parameters
The following parameters are available in the openldap::server::dbindex defined type:
ensure
Data type: Optional[Enum['present', 'absent']]
Default value: undef
suffix
Data type: Optional[String[1]]
Default value: undef
attribute
Data type: String[1]
Default value: $name
indices
Data type: Optional[String[1]]
Default value: undef
openldap::server::globalconf
See README.md for details.
Parameters
The following parameters are available in the openldap::server::globalconf defined type:
value
Data type: Variant[String[1],Array[String[1],1],Openldap::Attributes]
ensure
Data type: Enum['present', 'absent']
Default value: 'present'
openldap::server::iterate_access
This is a 'private' class used by openldap::server::access_wrapper
Parameters
The following parameters are available in the openldap::server::iterate_access defined type:
hash
Data type: Openldap::Access_hash
openldap::server::module
See README.md for details.
Parameters
The following parameters are available in the openldap::server::module defined type:
ensure
Data type: Optional[Enum['present', 'absent']]
Default value: undef
openldap::server::overlay
See README.md for details.
Parameters
The following parameters are available in the openldap::server::overlay defined type:
ensure
Data type: Enum['present', 'absent']
Default value: present
overlay
Data type: String[1]
Default value: regsubst($title, '^(\S+)\s+on\s+(\S+)$', '\1')
suffix
Data type: String[1]
Default value: regsubst($title, '^(\S+)\s+on\s+(\S+)$', '\2')
options
Data type: Optional[Openldap::Attributes]
Default value: undef
openldap::server::schema
See README.md for details.
Parameters
The following parameters are available in the openldap::server::schema defined type:
ensure
Data type: Optional[Enum['present', 'absent']]
Default value: undef
path
Data type: Stdlib::Absolutepath
Default value:
$facts['os']['family'] ? {
  'Debian'    => "/etc/ldap/schema/${title}.schema",
  'Redhat'    => "/etc/openldap/schema/${title}.schema",
  'Archlinux' => "/etc/openldap/schema/${title}.schema",
  'FreeBSD'   => "/usr/local/etc/openldap/schema/${title}.schema",
  'Suse'      => "/etc/openldap/schema/${title}.schema"
}
Resource types
openldap_access
Manages OpenLDAP ACPs/ACLs
Properties
The following properties are available in the openldap_access type.
access
Access rule.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
what
The entries and/or attributes to which the access applies
Parameters
The following parameters are available in the openldap_access type.
name
namevar
The default namevar
position
Where to place the new entry
provider
The specific backend to use for this openldap_access resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
suffix
The suffix to which the access applies
target
The slapd.conf file
openldap_database
Manages OpenLDAP BDB and HDB databases.
Properties
The following properties are available in the openldap_database type.
backend
Valid values: bdb, hdb, mdb, monitor, config, relay, ldap
The name of the backend.
dbmaxsize
Specifies the maximum size of the DB in bytes.
dboptions
Hash to pass specific HDB/BDB options for the database
directory
The directory where the BDB files containing this database and associated indexes live.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
index
The index of the database.
limits
Limits the number of entries returned and/or the time spent by a request
mirrormode
Valid values: true, false
This option puts a replica database into "mirror" mode, deprecated as of 2.5
multiprovider
Valid values: true, false
This option puts a replica database into "multiprovider" mode
readonly
Puts the database into read-only mode.
rootdn
The distinguished name that is not subject to access control or administrative limit restrictions for operations on this database.
rootpw
Password (or hash of the password) for the rootdn.
security
The olcSecurity configuration.
sizelimit
Specifies the maximum number of entries to return from a search operation.
syncrepl
Specify the current database as a replica which is kept up-to-date with the master content by establishing the current slapd(8) as a replication consumer site running a syncrepl replication engine.
syncusesubentry
Store the syncrepl contextCSN in a subentry instead of the context entry of the database
timelimit
Specifies the maximum number of seconds (in real time) slapd will spend answering a search request.
updateref
This directive is only applicable in a slave slapd. It specifies the URL to return to clients which submit update requests upon the replica.
Parameters
The following parameters are available in the openldap_database type.
initdb
Valid values: true, false
When true, it initializes the database with the top object. When false, it does not create any object in the database, so you have to create it by another mechanism. It defaults to false when the backend is one of config, ldap, monitor or relay, true otherwise.
organization
Organization name used when initdb is true
provider
The specific backend to use for this openldap_database resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
relay
The relay configuration.
suffix
The default namevar.
synctype
Valid values: inclusive, minimum
Whether specified dboptions should be considered the complete list (inclusive) or the minimum list (minimum) of dboptions the database should have. Defaults to minimum.
Valid values are inclusive, minimum.
Default value: minimum
target
openldap_dbindex
Manages OpenLDAP DB indexes
Properties
The following properties are available in the openldap_dbindex type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
indices
The indices to maintain
Parameters
The following parameters are available in the openldap_dbindex type.
attribute
The attribute to index
Default value: default
name
namevar
The default namevar
provider
The specific backend to use for this openldap_dbindex resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
suffix
The suffix to which the index applies
target
The slapd.conf file
openldap_global_conf
The openldap_global_conf type.
Properties
The following properties are available in the openldap_global_conf type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
value
Parameters
The following parameters are available in the openldap_global_conf type.
name
namevar
provider
The specific backend to use for this openldap_global_conf resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
target
openldap_module
Manages OpenLDAP modules.
Properties
The following properties are available in the openldap_module type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
Parameters
The following parameters are available in the openldap_module type.
name
namevar
The default namevar.
provider
The specific backend to use for this openldap_module resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
target
openldap_overlay
Manages OpenLDAP Overlays
Properties
The following properties are available in the openldap_overlay type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
index
The index of the overlay.
options
Overlay options.
Parameters
The following parameters are available in the openldap_overlay type.
name
namevar
The default namevar
overlay
The name of the overlay to apply
provider
The specific backend to use for this openldap_overlay resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
suffix
The suffix to which the overlay applies
target
The slapd.conf file
openldap_schema
Manages OpenLDAP schemas.
Properties
The following properties are available in the openldap_schema type.
date
The modifyTimestamp of the schema.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
index
The index of the schema.
Parameters
The following parameters are available in the openldap_schema type.
name
namevar
The default namevar.
path
The location to the schema file.
provider
The specific backend to use for this openldap_schema resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
Functions
openldap_password
Type: Ruby 4.x API
The openldap_password function.
openldap_password(String $secret, Optional[Enum["CRYPT","MD5","SMD5","SSHA","SHA"]] $scheme)
The openldap_password function.
Returns: String
The hashed secret.
secret
Data type: String
The secret to be hashed.
scheme
Data type: Optional[Enum["CRYPT","MD5","SMD5","SSHA","SHA"]]
The optional scheme to use (defaults to SSHA).
Data types
Openldap::Access_hash
A valid acl value for openldap::server::access_wrapper
Alias of
Hash[Openldap::Access_title, Struct[{
  position => Optional[Variant[Integer,String[1]]],
  what     => Optional[String[1]],
  access   => Array[Openldap::Access_rule],
  suffix   => Optional[String[1]],
}]]
Openldap::Access_rule
A valid access rule for openldap::server::access
Alias of Pattern[/\Aby /]
Openldap::Access_title
A valid title for an openldap::server::access resource
Alias of Pattern[/\A\d+ on /]
Openldap::Attribute
An LDAP attribute in the form "key: value"
Alias of Pattern[/\A[^ ]+: [^\n]+/]
Openldap::Attributes
A set of LDAP attributes
Alias of
Variant[Hash[
  String[1],
  Variant[
    String[1],
    Array[
      String[1],
      1,
    ],
  ],
], Array[
  Openldap::Attribute,
  1,
], Openldap::Attribute]
Openldap::Limits
Limits for clients
Alias of
Hash[String[1], Struct[
  {
    # Specify time limits
    Optional['time'] => Variant[Integer[0], Enum['unlimited']],
    Optional['time.soft'] => Variant[Integer[0], Enum['unlimited']],
    Optional['time.hard'] => Variant[Integer[0], Enum['unlimited']],
    # Specifying size limits
    Optional['size'] => Variant[Integer[0], Enum['unlimited']],
    Optional['size.soft'] => Variant[Integer[0], Enum['unlimited']],
    Optional['size.hard'] => Variant[Integer[0], Enum['unlimited']],
    Optional['size.unchecked'] => Variant[Integer[0], Enum['disabled', 'unlimited']],
    # Size limits and Paged Results
    Optional['size.pr'] => Variant[Integer[0], Enum['noEstimate', 'unlimited']],
    Optional['size.prtotal'] => Variant[Integer[0], Enum['disabled', 'unlimited']],
  },
]]
Openldap::Syncrepl
Parameters for database replication consumers
Alias of
Struct[{
  rid => Variant[Integer[0, 999], Pattern['\A\d{1,3}\z']],
  provider => Pattern['\Aldaps?://[^/:]+(:\d+)?\z'],
  searchbase => String[1],
  Optional['type'] => Enum['refreshOnly', 'refreshAndPersist'],
  Optional[interval] => Pattern['\A\d{2}:\d{2}:\d{2}:\d{2}\z'],
  Optional[retry] => String[1],
  Optional[filter] => String[1],
  Optional[scope] => Enum['sub', 'one','base'],
  Optional[attrs] => String[1],
  Optional[exattrs] => String[1],
  Optional[attrsonly] => Boolean,
  Optional[sizelimit] => Integer[0],
  Optional[timelimit] => Integer[0],
  Optional[schemachecking] => Enum['on', 'off'],
  Optional[network-timeout] => Integer[0],
  Optional[timeout] => Integer[0],
  Optional[updatedn] => String[1],
  Optional[bindmethod] => Enum['simple', 'sasl'],
  Optional[binddn] => String[1],
  Optional[saslmech] => String[1],
  Optional[authcid] => String[1],
  Optional[authzid] => String[1],
  Optional[credentials] => Variant[String[1], Sensitive[String[1]]],
  Optional[realm] => String[1],
  Optional[secprops] => String[1],
  Optional[keepalive] => Pattern['\A\d+:\d+:\d+\z'],
  Optional[starttls] => Enum['yes', 'critical'],
  Optional[tls_cert] => Stdlib::Absolutepath,
  Optional[tls_key] => Stdlib::Absolutepath,
  Optional[tls_cacert] => Stdlib::Absolutepath,
  Optional[tls_cacertdir] => Stdlib::Absolutepath,
  Optional[tls_reqcert] => Enum['never', 'allow', 'try', 'demand'],
  Optional[tls_cipher_suite] => String[1],
  Optional[tls_crlcheck] => Enum['none', 'peer', 'all'],
  Optional[tls_protocol_min] => Pattern['\A\d+(\.\d+)?\z'],
  Optional[suffixmassage] => String[1],
  Optional[logbase] => String[1],
  Optional[logfilter] => String[1],
  Optional[syncdata] => Enum['default', 'accesslog', 'changelog'],
}]
Openldap::Tls_moznss_compatibility
The list of possible values TLS_MOZNSS_COMPATIBILITY can have (based on the man page), and an 'absent' (a puppet directive to remove an existing declaration).
Alias of Enum['on', 'true', 'yes', 'off', 'false', 'no', 'absent']
Changelog
All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.
v8.0.0 (2024-06-09)
Breaking changes:
- Rework openldap::server::database interface for the limits parameter #414 (smortex)
- Rework openldap::server::database interface for the syncrepl parameter #412 (smortex)
- Remove deprecated code #388 (smortex)
Implemented enhancements:
- Loosen restrictive regex on syncrepl keepalive #421 (gcoxmoz)
- update puppet-systemd upper bound to 8.0.0 #419 (TheMeier)
- Bump puppet-epel version #415 (Valantin)
- Add krb5 client keytab var #411 (Valantin)
- puppet/epel: Allow 5.x #410 (zilchms)
- Add support for Debian 12 #408 (smortex)
- Allow systemd 6.x #405 (gcoxmoz)
Closed issues:
- Syncrepl needs a better documentation #221
v7.0.2 (2024-01-06)
Fixed bugs:
Closed issues:
- Parameter suffix failed, because of too restrictive patterns in openldap/lib/puppet/type/openldap_database.rb #396
- cn=accesslog database: Parameter suffix failed #391
v7.0.1 (2023-12-27)
Fixed bugs:
- Fix openldap_password function to avoid errors with latest Puppet 7 #398 (treydock)
- Fix openldap_schema replace without attribute types #393 (dmaes)
Merged pull requests:
v7.0.0 (2023-07-10)
Breaking changes:
- Drop Puppet 6 support #379 (bastelfreak)
- Grant access to the specified RootDN if one is given #362 (VictorPavlushin)
Implemented enhancements:
- Improve service bootstrapping on Debian #387 (smortex)
- Relax dependencies version requirements #385 (smortex)
- Allow management of the package versions installed #384 (gcoxmoz)
- Add olcMultiProvider as a database config parameter #383 (gcoxmoz)
- Add support for Puppet 8 #381 (smortex)
Closed issues:
- Version 6.1.0 breaks disabling nonexistent services #386
Merged pull requests:
v6.1.0 (2023-04-13)
Implemented enhancements:
- Support Ubuntu 22.04 #376 (chrisongthb)
- Add EL9 support #375 (treydock)
- Add EL8 support #373 (treydock)
- Allow to configure more overlays #370 (smortex)
Closed issues:
- dc=my-domain,dc=com entry in Database #366
Merged pull requests:
- Rework default database lifecycle on Debian #372 (smortex)
- Update tests to remove skips #371 (smortex)
v6.0.1 (2023-03-01)
Fixed bugs:
Merged pull requests:
- Document openldap::server::dbindex in the README #365 (phaedriel)
- Remove legacy facts from hiera configuration #364 (smortex)
v6.0.0 (2022-11-22)
Breaking changes:
Implemented enhancements:
Fixed bugs:
- replica chaining to support ldap backend suffix #354 (gotvach)
- Return integers for openldap_database olcSecurity #353 (gcoxmoz)
Closed issues:
- Data type enforcement for openldap_database security is not idempotent #360
v5.0.1 (2022-02-02)
Fixed bugs:
v5.0.0 (2022-01-25)
Breaking changes:
- Drop support for FreeBSD 11 (EOL) #331 (smortex)
- Be more strict with access resource titles / ACL syntax #324 (smortex)
Fixed bugs:
- Fix $openldap::server::database::dboptions data type #348 (smortex)
- Fix $openldap::server::database::security data type #347 (smortex)
- Fix $openldap::server::database::limits data type #346 (Donatien26)
- Fix FreeBSD default database directory #342 (smortex)
- Fix FreeBSD slapd.d bootstrapping #341 (smortex)
- Fix FreeBSD default value for ldapi_ifs #340 (smortex)
- Fix provider for cn=config bootstrap on FreeBSD #339 (smortex)
- Fix $openldap::server::database::mirrormode data type #335 (smortex)
Closed issues:
- Wrong data type for $openldap::server::database::limits #345
- Unable to configure openldap on FreeBSD 13.0-RELEASE #338
- $openldap::server::database::mirrormode does not enable olcMirrorMode #333
- undefined method 'flatten' for nil:NilClass in openldap_access provider #294
- Documentation for frontend acl is incorrect #282
Merged pull requests:
- Fix suffix of frontend database in README #336 (smortex)
- Simplify some code duplication #332 (smortex)
v4.0.0 (2021-09-27)
Breaking changes:
- Drop support for openldap_access' islast parameter #327 (smortex)
- Drop support of Debian 8, 9 and Ubuntu 16.04 (EOL) #313 (smortex)
- Acceptance tests for CentOS 7, remove RHEL6 #309 (treydock)
Implemented enhancements:
- Include missing class instead of raising an error #322 (smortex)
- Update FreeBSD package names #321 (smortex)
- Add support for Debian 11 #314 (smortex)
Fixed bugs:
- Fix $openldap::server::database data type #329 (smortex)
- Fix openldap_access's what parameter #326 (smortex)
- Fix data type for openldap::server::overlay::options #320 (smortex)
- Fix data type for $openldap::server::globalconf::value #318 (smortex)
- Fix purging puppet resource openldap_access #315 (smortex)
- Fix type of $openldap::server::access_wrapper::acl #312 (smortex)
Closed issues:
- openldap::server::database initdb data type should support value false #328
- openldap::server::overlay does not allow tuples as options #319
- Regression in treatment of Globalconf #317
- Purging openldap_access is highly unreliable. #280
v3.1.0 (2021-08-28)
Implemented enhancements:
Fixed bugs:
Closed issues:
- Modernizing the module #270
Merged pull requests:
v3.0.0 (2021-08-11)
Breaking changes:
Implemented enhancements:
- Add support for Ubuntu 20.04 #303 (smortex)
- Add support for Debian 10 #302 (smortex)
- Add support for FreeBSD 13 #301 (smortex)
- Add data types for all parameters #300 (smortex)
- Remove slapd_sockets shellvar when empty #299 (smortex)
- Switch to regular OpenLDAP packages on FreeBSD #296 (smortex)
- Move from params.pp to Hiera data #287 (smortex)
- Bootstrap cn=config database on FreeBSD #278 (HerveMARTIN)
- Add support for Suse and SLES #275 (SimonHoenscheid)
- Remove dead code #269 (smortex)
- Add support for FreeBSD #267 (smortex)
- Catch olcAccess regex parse failures #264 (spakka)
Fixed bugs:
- Fix starting LDAP on Suse #298 (smortex)
- Fix warning about malformed YAML file #285 (smortex)
- Unbreak with Puppet 7.4.0 / 6.21.0 on Debian 10 #284 (smortex)
Closed issues:
Merged pull requests:
- Update badges in README.md #308 (root-expert)
- puppetlabs/stdlib: allow 7.x #305 (smortex)
- Add management of TLS_MOZNSS_COMPATIBILITY to ldap.conf #272 (gcoxmoz)
2.0.0 (2020-03-02)
- update dependencies and Puppet version #261 (Dan33l)
- declare this module as compatible with ubuntu1804 #260 (Dan33l)
- Port openldap_password() to Puppet 4.x function API #258 (raphink)
2020-01-28 - Release 1.18.0
- Fix acceptance #257 (raphink)
- Convert to PDK #254 (raphink)
- add parameter nss_initgroups_ignoreusers #253 (tobiWu)
- Mark test as pending #252 (mcanevet)
- Fix title_patterns to support multiple fields in what #250 (raphink)
- add sssvlv overlay compatibility #247 (clement-dufaure)
- Add support for back_ldap and specific values of attrs in ACLs #246 (jdow)
- Fix regexp in access_wrapper #243 (amateo)
- Enable usage of puppetlabs-stdlib 5.x.x #240 (jacksgt)
- Fix regex for group-based limits #235 (kasimon)
- Add socks support #233 (jas01)
- Fix usage of slapcat when removing an overlay #232 (treydock)
- Fix setting ACL if they had been set before #230 (fklajn-opera)
- cn can be in uppercase #190 (Poil)
- Add support for back_sock #173 (jas01)
- Support SASL and GSSAPI options in ldap.conf #165 (modax)
2018-09-07 - Release 1.17.0
- Drop legacy PE statement and puppet_version in metadata.json
- Bump to minimal recommended Puppet version
- Bump stdlib to 4.13.1 to get data types
- Replace validate_* calls with datatypes
- Drop legacy tests
- Add Archlinux support (GH #187)
- Ensure that the password is hashed on db creation
- Set sensible default for dbindex attribute
- Rewrite openldap_password to use native Ruby
- Fix title patterns to no longer use unsupported proc (GH #222)
- Remove Debian 6 support and add Debian 9
- Fix openldap_overlap to perform add operation when adding new options
- Support schema update via OLC
- Add support to modify openldap_schema resources
2017-06-06 - Release 1.16.1
- Fix metadata.json
2017-06-06 - Release 1.16.0
- Fixed bug for spaces in the "by" section of the rule
- Allow to set rewrite overlay with a relay database
- Fixes errata - puppet creates a rwm overlay every run
- Any prefixed numbers should be absent in the options
- Refactor openldap::server::access
- Add security attribute to database resource
- Syncrepl now run idempotently
- Use ldapmodify function instead of the slapdd which is not defined
- Support Amazon linux 2015+ and make version checks more flexible
- Mod global conf
- Fix variables out of scope
- Make NETWORK_TIMEOUT a configurable option
- Use contain instead of include
- Fix ordering so that Openldap::Server::Globalconf resources will come after the openldap service
- Change updateref order to avoid error ' must appear after syncrepl or updatedn
- Adding dbmaxsize parameter for big dbs
- Remove requirements from metadata.json
- Supports SHA2 password
- Allow openldap::client config values to have an 'absent' value to remove the entry from ldap.conf
- openldap_database: Default to mdb for new Ubuntus
2016-08-22 - Release 1.15.0
- Add base provider that implements common commands and methods and use it
- Fixed an idempotency issue on the syncrepl variable
- Fix idempotency issue when ensuring absent of multiple databases
2016-02-18 - Release 1.14.0
- Add support for the rwm overlay (issue #117)
- Manage line breaks in overlay config and add smbk5pwd overlay support (issue #122)
- Avoid duplicate declaration of openldap-clients package (issue #123)
- Allow dn, filter and attrs to be defined concurrently (issue #124)
2016-01-11 - Release 1.13.0
- Fix for frontend and config databases
- Add several params for ldap.conf to openldap::client.
- Add timeout and timelimit options
- Add sudo options
- Add binddn and bindpw options to ldap client
2015-11-18 - Release 1.12.0
- Add objectClass for the unique overlay
- Support for adding access based on olcDatabase
- Fix prefetch with composite namevars
- Use puppet4 for acceptance tests
2015-11-09 - Release 1.11.0
- Do not try to hash password if it is given in "{SSHA}" form
- Add cn=config suffix support
- Add readonly support to openldap_database's augeas provider
2015-10-09 - Release 1.10.0
- Fix ACL changes
- Fix syncprov overlay
- Add support for refint overlay
2015-08-21 - Release 1.9.2
- Use docker for acceptance tests
2015-07-08 - Release 1.9.1
- Fix TLS setting on new versions of OpenLDAP
2015-07-08 - Release 1.9.0
- Add more parameters to openldap::server::database
- Add support for accesslog overlay
2015-06-26 - Release 1.8.2
- Fix strict_variables activation with rspec-puppet 2.2
2015-06-24 - Release 1.8.1
- Add missing 'ensure' parameter to 'openldap::server::globalconf'
2015-06-19 - Release 1.8.0
- Revert "Use ruby to generate idempotent SSHA password (more secure password)
- Add support to configure overlays on a database
- Fix some issues on Ubuntu (no official support yet)
- Update documentation
- Don't convert schema if already in LDIF format
2015-06-19 - Release 1.7.0
- Add initdb param to openldap::server::database define to allow to not initialize database.
2015-05-28 - Release 1.6.5
- Add beaker_spec_helper to Gemfile
2015-05-26 - Release 1.6.4
- Use random application order in nodeset
2015-05-26 - Release 1.6.3
- add utopic & vivid nodesets
2015-05-25 - Release 1.6.2
- Don't allow failure on Puppet 4
2015-05-13 - Release 1.6.1
- Add puppet-lint-file_source_rights-check gem
2015-05-13 - Release 1.6.0
- Add support for schema
2015-05-12 - Release 1.5.5
- Don't pin beaker
2015-05-12 - Release 1.5.4
- Add documentation for puppet::server::globalconf
- Fix Beaker on Docker
2015-04-29 - Release 1.5.3
- Avoid logging password
2015-04-21 - Release 1.5.2
- Correct client package name for RHEL
2015-04-17 - Release 1.5.1
- Add beaker nodesets
2015-04-08 - Release 1.5.0
- Generate random salt for rootpw instead of using fqdn
- Deprecates openldap_password function
- Fix database destroy
2015-04-03 - Release 1.4.1
- Fix acceptance tests
2015-03-29 - Release 1.4.0
- Add more acceptance tests to travis matrix
- Confine pinning to rspec 3.1 to ruby 1.8
- openldap_password does not use slappasswd anymore
- openldap_password is idempotent
- Add MDB backend support
- Remove RedHat 5 support (may still work but not tested on travis)
- Add RedHat 7 support
- Add Debian 8 support
- Database creation doesn't require nis schema anymore
- Fix openldap_module on RedHat
- Set selinux to permissive on acceptance tests
2015-03-24 - Release 1.3.2
- Various spec improvements
- Fix specs
2015-03-06 - Release 1.3.1
- Destroy default database before creating new ones
2015-02-18 - Release 1.3.0
- Use params pattern
- Some minor fixes
2015-01-07 - Release 1.2.3
- Fix unquoted strings in cases
2015-01-05 - Release 1.2.2
- Fix .travis.yml
2014-12-18 - Release 1.2.1
- Various improvements in unit tests
2014-12-09 Release 1.2.0
- Fix metadata.json
- Add future parser tests
- Fix code for future parser
- Migrate tests to rspec 3 syntax
- Use puppet_facts in specs
2014-11-17 Release 1.1.4
- Fix acceptance tests
2014-11-13 Release 1.1.3
- Fix README
- Use Travis DPL for automatic releases
- Deprecate 2.7 support and add 3.7 support
- Lint metadata.json
2014-10-20 Release 1.1.2
- Really setup automatic forge releases
2014-10-20 Release 1.1.0
- Setup automatic forge releases
2014-10-07 Release 1.0.0
- Change usage: one must explicitly configure an openldap::server::database resource
2014-10-05 Release 0.5.3
- Fix service startup on RedHat
2014-09-23 Release 0.5.2
- Updated dependencies for augeasproviders
- Acceptance tests refactoring
2014-09-05 Release 0.5.1
- Fix for ruby 1.8.7
- Fix overlay
- Use .puppet-lin.rc
- Update travis matrix
2014-08-26 Release 0.5.0
- Use augeasproviders 2.0.0 and re-enable augeas provider.
2014-07-02 Release 0.4.0
- This release adds the ability to specify ldap* interfaces and thus removes the openldap::server::ssl parameter. It also adds a new type/provider/define to manage dbindex.
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/stdlib (>= 4.13.1 < 10.0.0)
- puppetlabs/augeas_core (>= 1.0.0 < 2.0.0)
- puppet/augeasproviders_core (>= 2.0.0 < 5.0.0)
- puppet/augeasproviders_shellvar (>= 2.0.0 < 7.0.0)
- puppet/systemd (>= 3.0.0 < 8.0.0)
- puppet/epel (>= 4.1.0 < 7.0.0)
Apache License, Version 2.0, January 2004, http://www.apache.org/licenses/