The openldap module allows you to easily manage OpenLDAP with Puppet. By default it will use OLC (cn=config).
| Object      | olc (slapd.d) | augeas (slapd.conf) |
|-------------|---------------|---------------------|
| global_conf | Y             | N                   |
| database    | Y             | Y                   |
| module      | Y             | N                   |
| overlay     | Y             | N                   |
| access      | Y             | N                   |
| index       | Y             | N                   |
| schema      | Y             | N                   |
### Configuring the client

```puppet
class { 'openldap::client': }
```
For a more customized configuration:
```puppet
class { 'openldap::client':
  base       => 'dc=example,dc=com',
  uri        => ['ldap://ldap.example.com', 'ldap://ldap-master.example.com:666'],
  tls_cacert => '/etc/ssl/certs/ca-certificates.crt',
}
```
### Configuring the server

```puppet
class { 'openldap::server': }
openldap::server::database { 'dc=foo,dc=example.com':
  ensure => present,
}
```
For a more customized configuration:
```puppet
class { 'openldap::server':
  ldaps_ifs => ['/'],
  ssl_cert  => '/etc/ldap/ssl/slapd.pem',
  ssl_key   => '/etc/ldap/ssl/slapd.key',
}
```
If you need multiple databases:
```puppet
class { 'openldap::server':
  databases => {
    'dc=foo,dc=example,dc=com' => {
      directory => '/var/lib/ldap/foo',
    },
    'dc=bar,dc=example,dc=com' => {
      directory => '/var/lib/ldap/bar',
    },
  },
}
```
To force using slapd.conf:
```puppet
class { 'openldap::server':
  provider => 'augeas',
}
```
Configuring a global parameter:
```puppet
openldap::server::globalconf { 'security':
  ensure => present,
  value  => 'tls=128',
}
```
### Configuring a database

```puppet
openldap::server::database { 'dc=example,dc=com':
  directory => '/var/lib/ldap',
  rootdn    => 'cn=admin,dc=example,dc=com',
  rootpw    => 'secret',
}
```
`rootpw` will be automatically converted to an SSHA hash with a random salt.
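The `{SSHA}` scheme that `rootpw` is converted to is OpenLDAP's standard salted SHA-1 format: `{SSHA}` followed by base64 of the SHA-1 digest of `password + salt` with the raw salt appended. The following is an added example (not code from the module) that produces such a hash and verifies a password against one, which is useful for checking what a catalog has written into `olcRootPW`; the 4-byte salt length is an assumption matching what `slappasswd` emits by default.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt).

    A fresh random salt is drawn when none is given (assumed 4 bytes, as
    slappasswd does by default), so two calls for the same password differ.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def is_ssha(value: str) -> bool:
    """True if value already carries the {SSHA} prefix (already hashed)."""
    return value.startswith(PREFIX)


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value.

    The salt is whatever follows the 20-byte digest, so hashes produced with
    any salt length (not only 4 bytes) verify correctly.
    """
    if not is_ssha(stored):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except (ValueError, base64.binascii.Error):
        return False
    if len(raw) <= DIGEST_LEN:
        return False  # no salt present: malformed value
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so verification time does not leak digest bytes
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    stored = ssha_hash("secret")  # constructed sample password from the README
    print(stored, ssha_verify("secret", stored), ssha_verify("wrong", stored))
```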
### Configuring modules

```puppet
openldap::server::module { 'memberof':
  ensure => present,
}
```
### Configuring overlays

```puppet
openldap::server::overlay { 'memberof on dc=example,dc=com':
  ensure => present,
}
```
### Configuring ACPs/ACLs

```puppet
openldap::server::access {
  'to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" on dc=example,dc=com':
    access => 'write';
  'to attrs=userPassword,shadowLastChange by anonymous on dc=example,dc=com':
    access => 'auth';
  'to attrs=userPassword,shadowLastChange by self on dc=example,dc=com':
    access => 'write';
  'to attrs=userPassword,shadowLastChange by * on dc=example,dc=com':
    access => 'none';
}
openldap::server::access { 'to dn.base="" by * on dc=example,dc=com':
  access => 'read',
}
openldap::server::access {
  'to * by dn="cn=admin,dc=example,dc=com" on dc=example,dc=com':
    access => 'write';
  'to * by * on dc=example,dc=com':
    access => 'read';
}
```
### Configuring Schemas

```puppet
openldap::server::schema { 'samba':
  ensure  => present,
  path    => '/etc/ldap/schema/samba.schema',
  require => Openldap::Server::Schema['inetorgperson'],
}
openldap::server::schema { 'nis':
  ensure  => present,
  path    => '/etc/ldap/schema/nis.ldif',
  require => Openldap::Server::Schema['inetorgperson'],
}
```