Start using this module
Add this module to your Puppetfile:
mod 'torian-ldap', '0.2.4'
Puppet OpenLDAP Module
Introduction
Puppet module to manage client and server configuration for OpenLdap.
Usage
Ldap client
Ldap client configuration at its simplest:
class { 'ldap':
  uri  => 'ldap://ldapserver00 ldap://ldapserver01',
  base => 'dc=foo,dc=bar',
}
Enable TLS/SSL:
Note that ssl_cert should be the CA's certificate file, and it must be located under puppet:///files/ldap/ on the puppet master.
class { 'ldap':
  uri      => 'ldap://ldapserver00 ldap://ldapserver01',
  base     => 'dc=foo,dc=bar',
  ssl      => true,
  ssl_cert => 'ldapserver.pem',
}
Enable nsswitch and pam configuration (requires both modules):
class { 'ldap':
  uri        => 'ldap://ldapserver00 ldap://ldapserver01',
  base       => 'dc=foo,dc=bar',
  ssl        => true,
  ssl_cert   => 'ldapserver.pem',
  nsswitch   => true,
  nss_passwd => 'ou=users',
  nss_shadow => 'ou=users',
  nss_group  => 'ou=groups',
  pam        => true,
}
OpenLdap Server
Master server
An OpenLdap master server at its simplest:
class { 'ldap::server::master':
  suffix => 'dc=foo,dc=bar',
  rootpw => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=',
}
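The rootpw value above is an RFC 2307 style password hash; slapd also accepts the salted {SSHA} form, which is preferable because equal passwords no longer produce equal hashes. The following Python is an added example, not part of this module, showing how to generate both forms, verify a candidate password against a stored value, and lint whether a rootpw value is salted; the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os

# Added example, not part of the torian-ldap module. slapd's rootpw accepts
# RFC 2307 style values: the README shows the unsalted {SHA} form; the salted
# {SSHA} form is preferable because equal passwords no longer hash alike.
DIGEST_LEN = 20  # SHA-1 output size in bytes

def make_sha(password):
    """Unsalted {SHA}: base64(sha1(password)), the form the README uses."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def make_ssha(password, salt=b""):
    """Salted {SSHA}: base64(sha1(password + salt) + salt); random 4-byte salt by default."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def parse(stored):
    """Split '{SCHEME}base64' into (scheme, digest, salt); salt is b'' for {SHA}."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not an RFC 2307 hash")
    scheme, _, b64 = stored[1:].partition("}")
    raw = base64.b64decode(b64, validate=True)
    if scheme == "SHA" and len(raw) == DIGEST_LEN:
        return scheme, raw, b""
    if scheme == "SSHA" and len(raw) > DIGEST_LEN:
        return scheme, raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    raise ValueError("unsupported scheme or malformed digest: " + scheme)

def verify(password, stored):
    """Check a candidate password against a stored hash in constant time."""
    _, digest, salt = parse(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def is_salted(stored):
    """Lint helper: True only for the salted {SSHA} scheme."""
    return parse(stored)[0] == "SSHA"

if __name__ == "__main__":
    pw = "example-only-password"  # constructed sample, not a real credential
    print(make_ssha(pw), verify(pw, make_ssha(pw)))
```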
Configure an OpenLdap master with syncrepl enabled:
class { 'ldap::server::master':
  suffix      => 'dc=foo,dc=bar',
  rootpw      => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=',
  syncprov    => true,
  sync_binddn => 'cn=sync,dc=foo,dc=bar',
  modules_inc => [ 'syncprov' ],
  schema_inc  => [ 'gosa/samba3', 'gosa/gosystem' ],
  index_inc   => [
    'index memberUid eq',
    'index mail eq',
    'index givenName eq,subinitial',
  ],
}
With TLS/SSL enabled:
class { 'ldap::server::master':
  suffix   => 'dc=foo,dc=bar',
  rootpw   => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=',
  ssl      => true,
  ssl_ca   => 'ca.pem',
  ssl_cert => 'master-ldap.pem',
  ssl_key  => 'master-ldap.key',
}
NOTE: SSL certificates and keys should reside in your puppet master's file repository under 'puppet:///files/ldap/'.
Slave server
Configure an OpenLdap slave:
class { 'ldap::server::slave':
  suffix        => 'dc=foo,dc=bar',
  rootpw        => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=',
  sync_rid      => '1234',
  sync_provider => 'ldap://ldapmaster',
  sync_updatedn => 'cn=admin,dc=foo,dc=bar',
  sync_binddn   => 'cn=sync,dc=foo,dc=bar',
  sync_bindpw   => 'super_secret',
  schema_inc    => [ 'gosa/samba3', 'gosa/gosystem' ],
  index_inc     => [
    'index memberUid eq',
    'index mail eq',
    'index givenName eq,subinitial',
  ],
}
Notes
Ldap client / server configuration tested on:
- Debian: 5 / 6 / 7
- Redhat: 5.x / 6.x
- CentOS: 5.x / 6.x
- OpenSuSe: 12.x
- SLES: 11.x
Should also work on (I'd appreciate reports on these distros and versions):
- Ubuntu
- Fedora
- Scientific Linux 6
Requirements
- If nsswitch is enabled (nsswitch => true) you'll need puppet-nsswitch
- If pam is enabled (pam => true) you'll need puppet-pam
- If enable_motd is enabled (enable_motd => true) you'll need puppet-motd
TODO
- ldap::server::master and ldap::server::slave do not copy the schemas specified by index_inc; they just add an include to slapd
- Need support for extending ACLs
CopyLeft
Copyleft (C) 2012 Emiliano Castagnari ecastag@gmail.com (a.k.a. Torian)
2013-07-11 - Version 0.2.4
- Fixed misplaced fail() on ldap::server::slave
2013-07-11 - Version 0.2.3
- Added support for CentOS
- Fixed rhel 5.x regression: ldap utils do not create the ldap user, so ownership is reverted to root
- @pronix commit: Use correct variable reference in templates (@)
- @rhysrhaven commit to fix exec (ldap::server::master/slave) behavior on puppet 3.x
- revert ownership of ldap.conf due to a problem on rhel6.3
- @Spredzy commit: replaced $::operatingsystem by $::osfamily
- Added rc scripts configuration files for debian & redhat (/etc/{default,sysconfig})
- Bugfix #7: Debian created slapd.d means managed slapd.conf is ignored
- Bugfix: Debian - Server modules dir is set to /usr/lib/modules, not /usr/lib64/modules, except for Lenny.
2013-05-28 - Version 0.2.2
- Updated doc to reflect support for RHEL 6.x
- Fixed service name on rhel (5.x = ldap / 6.x = slapd)
2013-05-09 - Version 0.2.1
- ldap::server::slave() working
- template bugfix when called from ldap::server::slave()
2013-05-07 - Version 0.2.0
- TLS/SSL works at ldap::server::master()
- generate server certificate hash
- Updated README.md
- Fixed permission on certificates for rhel
- Fixed ldap owner and group on rhel
- Fixed service and script name on rhel
2013-04-29 - Version 0.1.5
- Added support for OVS
- Added support for OpenSuSE 12.x / SLES 11.x for client configuration
- Added support for OpenSuSE 12.x / SLES 11.x for server configuration
- changed dependency for openldap service (requires slapd.conf)
- changed dependency for slapd.conf to require only the server package
- fixed duplicated directory management (ldap() and ldap::server::master())
2013-04-27 - Version 0.1.4
- pam / nss attributes are included into ldap.conf if $pam => true / $nss => true
- pam_ldap config file is a symlink generated by module pam
2013-04-24 - Version 0.1.3
- init.pp: added dependencies on ldap() for config files
- init.pp: fixed missing path on RHEL
- removed symlink generation of /etc/ldap.conf for rhel. This file should be handled by pam / nsswitch.
2013-04-16 - Version 0.1.2
- init.pp: certificate source missed 'files' prefix
- params.pp: fixed cacertdir variable
- Improved rdoc documentation
- Removed github flavored markup as it does not play well with puppet forge
- Removed bad linked fixture for concat and motd
2013-04-08 - Version 0.1.1
- Fixed support on the client side for SSL/TLS
- Added binddn / bindpw parameters for client (zoide)
2013-04-08 - Version 0.0.1
- Initial commit