
Puppet OpenLDAP Module

Introduction

Puppet module to manage client and server configuration for OpenLdap.

Usage

Ldap client

Ldap client configuration at its simplest:

class { 'ldap':
  uri  => 'ldap://ldapserver00 ldap://ldapserver01',
  base => 'dc=foo,dc=bar'
}

Enable TLS/SSL:

Note that ssl_cert should be the CA's certificate file, and it should be located under puppet:///files/ldap/.

class { 'ldap':
  uri      => 'ldap://ldapserver00 ldap://ldapserver01',
  base     => 'dc=foo,dc=bar',
  ssl      => true,
  ssl_cert => 'ldapserver.pem'
}

Enable nsswitch and pam configuration (requires both modules):

class { 'ldap':
  uri      => 'ldap://ldapserver00 ldap://ldapserver01',
  base     => 'dc=foo,dc=bar',
  ssl      => true,
  ssl_cert => 'ldapserver.pem',

  nsswitch   => true,
  nss_passwd => 'ou=users',
  nss_shadow => 'ou=users',
  nss_group  => 'ou=groups',

  pam        => true,
}

OpenLdap Server

Master server

OpenLdap server configuration at its simplest:

class { 'ldap::server::master':
  suffix      => 'dc=foo,dc=bar',
  rootpw      => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=',
}
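The rootpw values in these examples are OpenLDAP password hashes of the kind slappasswd prints. The Python below is an added example, not part of the puppet-ldap module: it generates and verifies both the unsalted {SHA} scheme the README samples use and the salted {SSHA} scheme that slappasswd emits by default, so a rootpw can be produced for a manifest and existing values can be audited before they ship. README_ROOTPW is the sample value from the README above (it is the unsalted SHA-1 of the placeholder string "foobar", which is why it must never be deployed as-is); the function names and the 8-byte salt are this example's own choices.

```python
"""Generate and verify OpenLDAP rootpw/userPassword hashes ({SHA} and {SSHA}).

Added example for the puppet-ldap README; standard library only.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Sample rootpw value copied from the README above (unsalted {SHA} scheme).
README_ROOTPW = "{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg="

SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it in {SSHA} is salt


def make_sha(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)).

    Kept only so existing values can be regenerated and compared; prefer
    make_ssha() for anything new.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(sha1(password + salt) + salt), slappasswd's default format.

    slappasswd uses a 4-byte salt; slapd accepts any salt length, and this
    example picks 8 random bytes (an assumption of the example, not a module setting).
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SHA}/{SSHA} value.

    Returns False rather than raising for unknown schemes, malformed base64 or
    truncated values, so it can be run over a dump of existing values as an audit.
    """
    if not stored.startswith("{"):
        return False  # cleartext or unknown layout
    scheme, _, encoded = stored[1:].partition("}")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    candidate = password.encode("utf-8")
    scheme = scheme.upper()  # OpenLDAP scheme names are case-insensitive
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(candidate).digest())
    if scheme == "SSHA":
        if len(raw) <= SHA1_LEN:
            return False  # no salt bytes present
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest())
    return False


def is_salted(stored: str) -> bool:
    """Audit helper: True when the stored value uses the salted {SSHA} scheme."""
    return stored.upper().startswith("{SSHA}")


if __name__ == "__main__":
    # Generate a fresh salted value to paste into rootpw, then show the audit helpers
    # flagging the README sample as unsalted and a placeholder.
    print(make_ssha("replace-me-with-a-real-passphrase"))
    print("README sample salted?", is_salted(README_ROOTPW))
    print("README sample is the placeholder 'foobar'?", verify("foobar", README_ROOTPW))
```

Paste the output of make_ssha() into rootpw; slapd verifies it exactly as verify() does here. Running verify() and is_salted() over rootpw values pulled from manifests or Hiera is a quick way to catch an unsalted or copied sample hash before it reaches a master or slave.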

Configure an OpenLdap master with syncrepl enabled:

class { 'ldap::server::master':
  suffix      => 'dc=foo,dc=bar',
  rootpw      => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=',
  syncprov    => true,
  sync_binddn => 'cn=sync,dc=foo,dc=bar',
  modules_inc => [ 'syncprov' ],
  schema_inc  => [ 'gosa/samba3', 'gosa/gosystem' ],
  index_inc   => [
    'index memberUid            eq',
    'index mail                 eq',
    'index givenName            eq,subinitial',
    ],
}

With TLS/SSL enabled:

class { 'ldap::server::master':
  suffix      => 'dc=foo,dc=bar',
  rootpw      => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=',
  ssl         => true,
  ssl_ca      => 'ca.pem',
  ssl_cert    => 'master-ldap.pem',
  ssl_key     => 'master-ldap.key',
}

NOTE: SSL certificates should reside in your puppet master file repository under 'puppet:///files/ldap/'.

Slave server

Configure an OpenLdap slave:

class { 'ldap::server::slave':
  suffix        => 'dc=foo,dc=bar',
  rootpw        => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=',
  sync_rid      => '1234',
  sync_provider => 'ldap://ldapmaster',
  sync_updatedn => 'cn=admin,dc=foo,dc=bar',
  sync_binddn   => 'cn=sync,dc=foo,dc=bar',
  sync_bindpw   => 'super_secret',
  schema_inc    => [ 'gosa/samba3', 'gosa/gosystem' ],
  index_inc     => [
    'index memberUid            eq',
    'index mail                 eq',
    'index givenName            eq,subinitial',
    ],
}

Notes

Ldap client / server configuration tested on:

  • Debian: 5 / 6 / 7
  • Redhat: 5.x / 6.x
  • CentOS: 5.x / 6.x
  • OpenSuSe: 12.x
  • SLES: 11.x

Should also work on (I'd appreciate reports on these distros and versions):

  • Ubuntu
  • Fedora
  • Scientific Linux 6

Requirements

  • If nsswitch is enabled (nsswitch => true) you'll need puppet-nsswitch
  • If pam is enabled (pam => true) you'll need puppet-pam
  • If enable_motd is enabled (enable_motd => true) you'll need puppet-motd

TODO

  • ldap::server::master and ldap::server::slave do not copy the schemas specified by index_inc; they only add an include directive to the slapd configuration
  • Need support for extending ACLs

CopyLeft

Copyleft (C) 2012 Emiliano Castagnari [email protected] (a.k.a. Torian)

Contributors

actown, akesterson, dduvnjak, pronix, rhysrhaven, spredzy, strangelittlemonkey, torian, zoide


puppet-ldap's Issues

LDAP Server: Installation Error Due Missing "openldap" User When Using SSL

Using the same manifest as in #22, but this time with the slapd package never having been on the system before (thus no openldap user), installation fails as the module is trying to chown the ssl files using the openldap user before having installed the slapd package:

debug: /Stage[main]/Ldap::Server::Master/Exec[Server certificate hash]/require: requires File[ssl_cert]
debug: /Stage[main]/Ldap::Server::Master/Service[slapd]/require: requires Package[slapd]
debug: /Stage[main]/Ldap::Server::Master/Service[slapd]/require: requires File[/etc/ldap/slapd.conf]
debug: /Stage[main]/Ldap::Server::Debian/File[/etc/default/slapd]/notify: subscribes to Service[slapd]
debug: /Stage[main]/Ldap::Server::Master/File[/etc/ldap/slapd.conf]/require: requires Package[slapd]
debug: /Stage[main]/Ldap::Server::Master/File[/etc/ldap/slapd.conf]/require: requires File[ssl_ca]
debug: /Stage[main]/Ldap::Server::Master/File[/etc/ldap/slapd.conf]/require: requires File[ssl_cert]
debug: /Stage[main]/Ldap::Server::Master/File[/etc/ldap/slapd.conf]/require: requires File[ssl_key]
debug: /Stage[main]/Ldap::Server::Master/File[/etc/ldap/slapd.conf]/notify: subscribes to Service[slapd]
debug: /Schedule[daily]: Skipping device resources because running on a host
debug: /Schedule[monthly]: Skipping device resources because running on a host
debug: /Schedule[hourly]: Skipping device resources because running on a host
info: mount[files]: allowing 127.0.0.1 access
err: /Stage[main]/Ldap::Server::Master/File[ssl_ca]/ensure: change from absent to file failed: Could not set 'file on ensure: Could not find user openldap at /etc/puppet/modules/ldap/manifests/server/master.pp:191
err: /Stage[main]/Ldap::Server::Master/File[ssl_key]/ensure: change from absent to file failed: Could not set 'file on ensure: Could not find user openldap at /etc/puppet/modules/ldap/manifests/server/master.pp:206
err: /Stage[main]/Ldap::Server::Master/File[ssl_cert]/ensure: change from absent to file failed: Could not set 'file on ensure: Could not find user openldap at /etc/puppet/modules/ldap/manifests/server/master.pp:199

Nevertheless the slapd package seems to be installed. Executing puppet apply a second time, the installation goes smoothly.

cannot use PAM + LDAP

The following error occurred:
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find resource 'Class[Pam::Pamd]' for relationship on 'Class[Ldap]' on node some.node

LDAP Server: Stray Process Prevents Restart

On Debian 7.1 / puppet standalone v3.3.0, puppet applying the following manifest:

class { 'ldap::server::master':
  suffix      => 'dc=sample,dc=example,dc=com',
  rootpw      => '{SSHA}pWaJbwn761ZvaPRJtLjmxGshy5ZL6svQmR',
  ssl         => true,
  ssl_ca      => 'ca.pem',
  ssl_cert    => 'ldap-server.pem',
  ssl_key     => 'ldap-server.key',
}

causes errors in the installation:

Debug: Executing '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install slapd'
Nov 13 20:15:30 oculist slapd[20332]: @(#) $OpenLDAP: slapd  (Apr 23 2013 12:16:04) $#012#011root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd
Nov 13 20:15:30 oculist slapd[20333]: slapd starting
Notice: /Stage[main]/Ldap::Server::Master/Package[slapd]/ensure: ensure changed 'purged' to 'present'
Debug: /Stage[main]/Ldap::Server::Master/Package[slapd]: The container Class[Ldap::Server::Master] will propagate my refresh event
Notice: /Stage[main]/Ldap::Server::Master/File[/etc/ldap/slapd.conf]/ensure: created
Info: /Stage[main]/Ldap::Server::Master/File[/etc/ldap/slapd.conf]: Scheduling refresh of Service[slapd]
Debug: /Stage[main]/Ldap::Server::Master/File[/etc/ldap/slapd.conf]: The container Class[Ldap::Server::Master] will propagate my refresh event
Debug: Finishing transaction 29705600
Info: FileBucket got a duplicate file {md5}db241334782551b92b24f9313d85893a
Info: /Stage[main]/Ldap::Server::Debian/File[/etc/default/slapd]: Filebucketed /etc/default/slapd to puppet with sum db241334782551b92b24f9313d85893a
Notice: /Stage[main]/Ldap::Server::Debian/File[/etc/default/slapd]/content: content changed '{md5}db241334782551b92b24f9313d85893a' to '{md5}5541a553ccce1a1c593f20e7283b4faf'
Info: /Stage[main]/Ldap::Server::Debian/File[/etc/default/slapd]: Scheduling refresh of Service[slapd]
Debug: /Stage[main]/Ldap::Server::Debian/File[/etc/default/slapd]: The container Class[Ldap::Server::Debian] will propagate my refresh event
Debug: Class[Ldap::Server::Debian]: The container Stage[main] will propagate my refresh event
Debug: Executing '/etc/init.d/slapd status'
Debug: Executing '/etc/init.d/slapd start'
Nov 13 20:15:30 oculist slapd[20373]: @(#) $OpenLDAP: slapd  (Apr 23 2013 12:16:04) $#012#011root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd
Nov 13 20:15:30 oculist slapd[20373]: daemon: bind(8) failed errno=98 (Address already in use)
Nov 13 20:15:30 oculist slapd[20373]: daemon: bind(8) failed errno=98 (Address already in use)
Nov 13 20:15:30 oculist slapd[20373]: slapd stopped.
Nov 13 20:15:30 oculist slapd[20373]: connections_destroy: nothing to destroy.
Error: Could not start Service[slapd]: Execution of '/etc/init.d/slapd start' returned 1:
Error: /Stage[main]/Ldap::Server::Master/Service[slapd]/ensure: change from stopped to running failed: Could not start Service[slapd]: Execution of '/etc/init.d/slapd start' returned 1:

It seems that after ensuring the slapd package is installed, slapd is started up. Apparently the module tries to start up slapd again, which results in an "address in use" problem.

Doing a "service restart slapd" fails.
"ps -fu openldap" shows a running slapd.
After "kill " the restart works fine.

usage?

I cannot use this module (new to puppet)

I copied all the files to "/etc/puppet/modules/torian-puppet-ldap";

edited:
/etc/puppet/modules/torian-puppet-ldap/manifests/init.pp
and added
class { 'ldap':
uri => 'ldap://192.168.1.5',
base => 'dc=mydomain,dc=com'
}

edited and added to "/etc/puppet/manifests/nodes.pp" the line "include torian-puppet-ldap"

LDAP Server: Installation Fails When Using SSL And openssl Is Not Installed

When using a manifest as in #22 on a pristine Debian 7.1 with no openssl installed, installation fails due to the missing /etc/ssl directory while placing the ssl_cert files:

debug: /Stage[main]/Ldap::Server::Master/Service[slapd]/require: requires File[/etc/ldap/slapd.conf]
debug: /Schedule[daily]: Skipping device resources because running on a host
debug: /Schedule[monthly]: Skipping device resources because running on a host
debug: /Schedule[hourly]: Skipping device resources because running on a host
info: mount[files]: allowing 127.0.0.1 access
err: /Stage[main]/Ldap::Server::Master/File[ssl_ca]/ensure: change from absent to file failed: Could not set 'file on ensure: No such file or directory - /etc/ssl/certs/ca.pem.puppettmp_5064 at /etc/puppet/modules/ldap/manifests/server/master.pp:191
err: /Stage[main]/Ldap::Server::Master/File[ssl_key]/ensure: change from absent to file failed: Could not set 'file on ensure: No such file or directory - /etc/ssl/certs/ldap-server.key.puppettmp_3901 at /etc/puppet/modules/ldap/manifests/server/master.pp:206
err: /Stage[main]/Ldap::Server::Master/File[ssl_cert]/ensure: change from absent to file failed: Could not set 'file on ensure: No such file or directory - /etc/ssl/certs/ldap-server.pem.puppettmp_142 at /etc/puppet/modules/ldap/manifests/server/master.pp:199

Suggestion is to define a dependency on openssl or alternatively GnuTLS.

missing comma

On the ldap slave server example there is a comma missing in README.md:

sync_provider => 'ldap://ldapmaster'

LDAP client does not work on ubuntu

This is the requested report that this module does not work for Ubuntu 12.04 LTS systems. :)
I noticed when using this module for configuring an Ubuntu system to authenticate users against an LDAP server, the LDAP server is never queried for user account information.

After some brief poking around I believe this is because Ubuntu is using /etc/ldap.conf and /etc/ldap.secret, which is not supported within this module. The contents of /etc/ldap.conf seem to differ from what's in /etc/ldap/ldap.conf, but I haven't had the time yet to analyze it in full detail.

RedHat supported, not CentOS?

Looking at init.pp and a CentOS system, I think your module would work fine on CentOS. Is there a reason init.pp only matches 'Redhat' and not /(RedHat/CentOS)/ ?

Looks like this issue is present in the complementary modules, pam, motd and nsswitch. Suggest using $osfamily instead of $operatingsystem, or the above regex for RedHat or CentOS.

Happy to test these modules on CentOS.

Error when trying to install

Sorry, but I tried to install your puppet-ldap on debian 7 with SSL and I get this error message:
"err: Failed to apply catalog: Parameter unless failed on Exec[Build cert hash]: 'test -f /etc/ssl/certs/$(openssl x509 -noout -hash -in /etc/ssl/certs/ca.pem).0' is not qualified and no path was specified. Please qualify the command or specify a path".
I do not understand where the problem is. Thank you.

Aliasing File[ssl_cert] fails when both class {'ldap::server::master':} and class {'ldap':} are defined

I have a base_node that has an ldap client definition and an ldap_master node that inherits base_node. With this configuration, I get the following error:

Error: Failed to apply catalog: Cannot alias File[ssl_cert] to ["/etc/ssl/certs/mycert.pem"] at /etc/puppet/modules/ldap/manifests/server/master.pp:199; resource ["File", "/etc/ssl/certs/mycert.pem"] already declared at /etc/puppet/modules/ldap/manifests/init.pp:214

    node base_node {
            class { 'pam::pamd':
                    pam_ldap => true,
            }

            class { 'ldap':
                    uri => 'ldap://ldap_master',
                    base => 'dc=example,dc=com',
                    ssl => true,
                    ssl_cert => 'mycert.pem',
                    nsswitch => true,
                    nss_passwd => 'ou=users',
                    nss_shadow => 'ou=users',
                    nss_group => 'ou=groups',
                    pam => true
            }
    }

    node default inherits base_node {
    }

    node ldap_master inherits base_node {
            class {'ldap::server::master':
                    suffix => 'dc=example,dc=com',
                    rootpw => '',
                    ssl => true,
                    ssl_ca => 'ldap_master.ca',
                    ssl_cert => 'mycert.pem',
                    ssl_key => 'ldap_master.key',
            }
    }

Install Error "No such file or directory" - Ubuntu 12.04, Puppet Enterprise 3.0.0

Ubuntu 12.04, Puppet 3.2.2 (Puppet Enterprise 3.0.0)

Install causes the following error:

# puppet module install torian/ldap
Notice: Preparing to install into /etc/puppetlabs/puppet/modules ...
Notice: Downloading from https://forge.puppetlabs.com ...
Notice: Installing -- do not interrupt ...
Error: No such file or directory - /etc/puppetlabs/puppet/modules/ldap/spec/fixtures/modules/motd/manifests
Error: Try 'puppet help module install' for usage

When trying to use an SSL cert, Exec[Build cert hash] fails, because no path is specified

This is on a Fedora machine, but the error itself lies in the lack of path attribute in the exec.

Error: Parameter unless failed on Exec[Build cert hash]: 'test -f /etc/openldap/certs/$(openssl x509 -noout -hash -in /etc/openldap/certs/ourCert.pem).0' is not qualified and no path was specified. Please qualify the command or specify a path. at /etc/puppet/modules/ldap/manifests/init.pp:221

Usage?

I can't seem to figure out the proper usage of this module. I keep getting

err: Could not retrieve catalog from remote server: Error 400 on SERVER: Must pass base to Class[Ldap] at /etc/puppet/modules/ldap/manifests/init.pp:68

pardon my incompetence if that's what it is!

Warning: Symlinks in modules are unsupported. Please investigate symlink torian-ldap-0.2.4/spec/fixtures/modules/concat/manifests->../../../../../puppet-concat/manifests.

I'm relatively new to puppet but when issuing sudo puppet module install torian-ldap the response is as follows:
Warning: Symlinks in modules are unsupported. Please investigate symlink torian-ldap-0.2.4/spec/fixtures/modules/concat/manifests->../../../../../puppet-concat/manifests.

It did install successfully, just figured you should know that.

issue not able to install your ldap module

Hi,

Here is the issue when installing your module.

Let me know

/opt/puppet/bin/puppet module install torian-ldap
Notice: Preparing to install into /etc/puppetlabs/puppet/modules ...
Notice: Downloading from https://forgeapi.puppetlabs.com ...
Notice: Installing -- do not interrupt ...
Error: No such file or directory - /etc/puppetlabs/puppet/modules/ldap/spec/fixtures/modules/ldap/templates
Error: Try 'puppet help module install' for usage

Does not work with Ubuntu 14.04

I am very new with puppet and LDAP, but I think the module does not work with Ubuntu 14.04. I am unable to login after installing with puppet. When I install the module and configure it like this guide says, everything works. What the config script does is creating a directory under /etc/ldap/slapd.conf as opposed to a file. If you need more info, let me know (and tell me how I can provide them).
