From 46e9939031bec49a92e6cc277c55b1b833eff60f Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Sun, 11 May 2014 18:42:50 +0100 Subject: [PATCH 01/85] Add some basic integration tests using test-kitchen --- .gitignore | 4 ++ .kitchen.yml | 19 ++++++++ Gemfile | 9 +++- Gemfile.lock | 47 +++++++++++++++++-- Modulefile | 2 +- Puppetfile | 3 ++ Puppetfile.lock | 8 ++++ README.md | 6 +++ spec/fixtures/modules/ldap/manifests | 2 +- spec/fixtures/modules/ldap/templates | 2 +- .../master/serverspec/slapd_spec.rb | 22 +++++++++ test/puppet_repo/manifests/site.pp | 4 ++ 12 files changed, 119 insertions(+), 9 deletions(-) create mode 100644 .kitchen.yml create mode 100644 Puppetfile create mode 100644 Puppetfile.lock create mode 100644 test/integration/master/serverspec/slapd_spec.rb create mode 100644 test/puppet_repo/manifests/site.pp diff --git a/.gitignore b/.gitignore index d6de46a..0f0dfbc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,7 @@ .swp pkg spec/fixtures +.kitchen/ +.kitchen.local.yml +.librarian +.tmp diff --git a/.kitchen.yml b/.kitchen.yml new file mode 100644 index 0000000..e99452e --- /dev/null +++ b/.kitchen.yml @@ -0,0 +1,19 @@ +--- +driver: + name: vagrant + +provisioner: + name: puppet_apply + manifests_path: test/puppet_repo/manifests + modules_path: .. + +platforms: +- name: nocm_ubuntu-12.04 + driver_plugin: vagrant + driver_config: + box: nocm_ubuntu-12.04 + box_url: http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-12042-x64-vbox4210-nocm.box + +suites: + - name: master + manifest: master.pp diff --git a/Gemfile b/Gemfile index 462f94e..75795d8 100644 --- a/Gemfile +++ b/Gemfile @@ -1,6 +1,11 @@ -source :rubygems +source 'https://rubygems.org' gem 'rake', '~> 0.8.7' -gem 'puppet', '~> 2.7' +gem 'puppet', '~> 3.0' gem 'rspec-puppet', '~> 0.1.6' gem 'puppetlabs_spec_helper', '~> 0.4.1' + +gem 'test-kitchen', '~> 1.0' +gem 'kitchen-vagrant' +gem 'kitchen-puppet', github: 'neillturner/kitchen-puppet' +gem 'librarian-puppet' 
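Review bot: `box_url` in the new `.kitchen.yml` fetches the test box over plain `http://` with no checksum, so the VM image the Puppet code is applied to and the serverspec suite trusts is not integrity-checked on download. Prefer an `https://` URL if the host serves one and pin the box image: Vagrant supports a download checksum, and kitchen-vagrant exposes it in later releases as `box_download_checksum` / `box_download_checksum_type` under `driver_config` — confirm the 0.15.0 driver the lock records supports it before relying on it, e.g. `box_download_checksum: <sha256 of the box>`.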
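Review bot: `gem 'kitchen-puppet', github: 'neillturner/kitchen-puppet'` tracks that repository's default branch with no `ref:`, so the only thing holding the provisioner to a known revision is Gemfile.lock, and any `bundle update` silently pulls whatever the branch points at. Pin it in the Gemfile itself, e.g. `gem 'kitchen-puppet', github: 'neillturner/kitchen-puppet', ref: 'ba421cb513426c15c4f2aaafc7e975217cf8978e'` (the revision the lock records). The lock also shows the `github:` shorthand resolving to a `git://` remote, an unauthenticated transport in this Bundler generation; `git: 'https://github.com/neillturner/kitchen-puppet.git'` avoids that. Patch 17's Gemfile hunk (`github: 'mojolingo/kitchen-puppet', branch: 'feature/fileserver'`) has the same issue — a branch name is a moving target.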
diff --git a/Gemfile.lock b/Gemfile.lock index 98e5146..2bf0e34 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,19 +1,46 @@ +GIT + remote: git://github.com/neillturner/kitchen-puppet.git + revision: ba421cb513426c15c4f2aaafc7e975217cf8978e + specs: + kitchen-puppet (0.0.7) + GEM - remote: http://rubygems.org/ + remote: https://rubygems.org/ specs: diff-lcs (1.2.4) facter (1.7.2) + hiera (1.3.2) + json_pure + highline (1.6.21) + json (1.8.1) + json_pure (1.8.0) + kitchen-vagrant (0.15.0) + test-kitchen (~> 1.0) + librarian (0.1.2) + highline + thor (~> 0.15) + librarian-puppet (1.0.2) + json + librarian (>= 0.1.2) metaclass (0.0.1) + mixlib-shellout (1.4.0) mocha (0.14.0) metaclass (~> 0.0.1) - puppet (2.7.22) - facter (~> 1.5) + net-scp (1.2.1) + net-ssh (>= 2.6.5) + net-ssh (2.9.0) + puppet (3.5.1) + facter (> 1.6, < 3) + hiera (~> 1.0) + json_pure + rgen (~> 0.6.5) puppetlabs_spec_helper (0.4.1) mocha (>= 0.10.5) rake rspec (>= 2.9.0) rspec-puppet (>= 0.1.1) rake (0.8.7) + rgen (0.6.6) rspec (2.13.0) rspec-core (~> 2.13.0) rspec-expectations (~> 2.13.0) @@ -24,12 +51,24 @@ GEM rspec-mocks (2.13.1) rspec-puppet (0.1.6) rspec + safe_yaml (1.0.3) + test-kitchen (1.2.1) + mixlib-shellout (~> 1.2) + net-scp (~> 1.1) + net-ssh (~> 2.7) + safe_yaml (~> 1.0) + thor (~> 0.18) + thor (0.19.1) PLATFORMS ruby DEPENDENCIES - puppet (~> 2.7) + kitchen-puppet! + kitchen-vagrant + librarian-puppet + puppet (~> 3.0) puppetlabs_spec_helper (~> 0.4.1) rake (~> 0.8.7) rspec-puppet (~> 0.1.6) + test-kitchen (~> 1.0) diff --git a/Modulefile b/Modulefile index fa0fa8a..0cd678e 100644 --- a/Modulefile +++ b/Modulefile @@ -8,4 +8,4 @@ description 'Manage OpenLDAP clients and server via Puppet' project_page 'https://github.com/torian/puppet-ldap' # Dependency -dependency 'puppetlabs/stdlib', '>= 4.1.0' +dependency 'puppetlabs/stdlib', '~> 3.0' diff --git a/Puppetfile b/Puppetfile new file mode 100644 index 0000000..68ef884 --- /dev/null +++ b/Puppetfile 
@@ -0,0 +1,3 @@ +forge "https://forge.puppetlabs.com" + +modulefile diff --git a/Puppetfile.lock b/Puppetfile.lock new file mode 100644 index 0000000..ef479ae --- /dev/null +++ b/Puppetfile.lock @@ -0,0 +1,8 @@ +FORGE + remote: https://forge.puppetlabs.com + specs: + puppetlabs/stdlib (3.2.1) + +DEPENDENCIES + puppetlabs/stdlib (~> 3.0) + diff --git a/README.md b/README.md index b2de422..152cb63 100644 --- a/README.md +++ b/README.md @@ -136,6 +136,12 @@ Requirements * If enable_motd is enabled (enable_motd => true) you'll need [puppet-motd](https://github.com/torian/puppet-motd.git) +Testing +------- + +Unit tests: `rake spec` +Integration tests: `kitchen test` + TODO ---- diff --git a/spec/fixtures/modules/ldap/manifests b/spec/fixtures/modules/ldap/manifests index 3510554..373b992 120000 --- a/spec/fixtures/modules/ldap/manifests +++ b/spec/fixtures/modules/ldap/manifests @@ -1 +1 @@ -../../../../../puppet-ldap/manifests \ No newline at end of file +../../../../manifests \ No newline at end of file diff --git a/spec/fixtures/modules/ldap/templates b/spec/fixtures/modules/ldap/templates index b47afbc..f8a06d1 120000 --- a/spec/fixtures/modules/ldap/templates +++ b/spec/fixtures/modules/ldap/templates @@ -1 +1 @@ -../../../../../puppet-ldap/templates \ No newline at end of file +../../../../templates \ No newline at end of file diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb new file mode 100644 index 0000000..a48587e --- /dev/null +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -0,0 +1,22 @@ +require 'serverspec' + +include Serverspec::Helper::Exec +include Serverspec::Helper::DetectOS + +RSpec.configure do |c| + c.before :all do + c.path = '/sbin:/usr/sbin' + end +end + +describe "slapd" do + + describe service('slapd') do + it { should be_enabled } + it { should be_running } + end + + describe port(389) do + it { should be_listening } + end +end 
diff --git a/test/puppet_repo/manifests/site.pp b/test/puppet_repo/manifests/site.pp new file mode 100644 index 0000000..4a11246 --- /dev/null +++ b/test/puppet_repo/manifests/site.pp @@ -0,0 +1,4 @@ +class { 'ldap::server::master': + suffix => 'dc=foo,dc=bar', + rootpw => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=', +} From 8873d41e282608fd9d6b9599b74e1b93daa292d9 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Sun, 11 May 2014 19:47:22 +0100 Subject: [PATCH 02/85] Move to a per-suite test manifest layout --- .kitchen.yml | 1 - {test/puppet_repo => puppet/master}/manifests/site.pp | 0 2 files changed, 1 deletion(-) rename {test/puppet_repo => puppet/master}/manifests/site.pp (100%) diff --git a/.kitchen.yml b/.kitchen.yml index e99452e..c060323 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -4,7 +4,6 @@ driver: provisioner: name: puppet_apply - manifests_path: test/puppet_repo/manifests modules_path: .. platforms: diff --git a/test/puppet_repo/manifests/site.pp b/puppet/master/manifests/site.pp similarity index 100% rename from test/puppet_repo/manifests/site.pp rename to puppet/master/manifests/site.pp From ee244363f229a743eb162cf9a7a3f6d211a1ce0b Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Sun, 11 May 2014 22:42:50 +0100 Subject: [PATCH 03/85] This config is ignored anyway --- .kitchen.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.kitchen.yml b/.kitchen.yml index c060323..0378234 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -15,4 +15,3 @@ platforms: suites: - name: master - manifest: master.pp From 811c01084629b4db31160b968f715058abdac196 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 12 May 2014 00:31:45 +0100 Subject: [PATCH 04/85] Test root credentials work and the requested suffix is created --- puppet/master/manifests/site.pp | 2 +- templates/etc/openldap/slapd.conf.erb | 4 ++++ test/integration/master/serverspec/slapd_spec.rb | 15 +++++++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-) 
diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index 4a11246..93b8108 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -1,4 +1,4 @@ class { 'ldap::server::master': suffix => 'dc=foo,dc=bar', - rootpw => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=', + rootpw => 'password', } diff --git a/templates/etc/openldap/slapd.conf.erb b/templates/etc/openldap/slapd.conf.erb index 939ea2e..a61f5dd 100644 --- a/templates/etc/openldap/slapd.conf.erb +++ b/templates/etc/openldap/slapd.conf.erb @@ -46,6 +46,10 @@ TLSCertificateKeyFile <%= scope.lookupvar('ldap::params::ssl_prefix') %>/<%= @s # FIXME: puppet backend bdb +database config +access to * + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + # FIXME: puppet database bdb suffix "<%= @suffix %>" diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index a48587e..d9bedd4 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -19,4 +19,19 @@ describe port(389) do it { should be_listening } end + + # Can bind as system root user + describe command('ldapwhoami -H ldapi:/// -Y EXTERNAL') do + it { should return_stdout /dn:gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth/ } + end + + # Can bind as specified root user w/ password + describe command('ldapwhoami -H ldapi:/// -x -D cn=admin,dc=foo,dc=bar -w password') do + it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ } + end + + # Requested suffix exists in cn=config + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcSuffix') do + it { should return_stdout /olcSuffix: dc=foo,dc=bar/ } + end end From 1cf178191d84c283570e5e875430d9b8d2da006f Mon Sep 17 00:00:00 2001 
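Review bot: `rootpw => 'password'` replaces the previous `{SHA}` value with a clear-text directory root password, which presumably ends up verbatim in the generated slapd.conf. For a throwaway test VM that is acceptable, but it means the suite no longer exercises the hashed `rootpw` form a production manifest would pass in. Consider keeping a hashed value for the same test password, e.g. `rootpw => '{SHA}<base64 SHA-1 of the test password>'`, so the `-w password` bind in the spec covers both the credential check and the module's handling of a hashed value.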
From: Ben Langfeld Date: Mon, 12 May 2014 00:51:40 +0100 Subject: [PATCH 05/85] Test that a root org can be created at a fresh DIT and then read --- test/integration/master/serverspec/slapd_spec.rb | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index d9bedd4..8feb565 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -34,4 +34,19 @@ describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcSuffix') do it { should return_stdout /olcSuffix: dc=foo,dc=bar/ } end + + # The root organisation can be created + describe command("echo \"dn: dc=foo,dc=bar\nobjectClass: dcObject\nobjectClass: organization\ndc: foo\no: Foo Dot Bar\" | ldapadd -H ldapi:/// -Y EXTERNAL") do + it { should return_stdout /adding new entry/ } + end + + # Once created, the root org is readable by system root + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b "dc=foo,dc=bar"') do + it { should return_stdout /o: Foo Dot Bar/ } + end + + # Once created, the root org is readable by the DIT root user + describe command('ldapsearch -H ldapi:/// -x -D cn=admin,dc=foo,dc=bar -w password -s base -b "dc=foo,dc=bar"') do + it { should return_stdout /o: Foo Dot Bar/ } + end end From 86f660deb570172c7d5d86b03a430656003c5d8c Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 12 May 2014 00:55:21 +0100 Subject: [PATCH 06/85] System root user needs management access to new DIT --- templates/etc/openldap/slapd.conf.erb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/etc/openldap/slapd.conf.erb b/templates/etc/openldap/slapd.conf.erb index a61f5dd..c408b4e 100644 --- a/templates/etc/openldap/slapd.conf.erb +++ b/templates/etc/openldap/slapd.conf.erb 
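Review bot: The `ldapadd` example is not repeatable: once `dc=foo,dc=bar` exists, a second `kitchen verify` against the same converged instance no longer prints `adding new entry` and the example fails, while the two `ldapsearch` examples below it silently depend on it having run first. Consider moving the creation into a `before(:all)` hook that tolerates an already-existing entry, keeping the two read examples as the actual assertions, so the ordering dependency is explicit and re-runs pass. The enclosing `describe "slapd"` block starts outside this hunk.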
@@ -107,6 +107,9 @@ limits dn.exact="<%= @sync_binddn%>" time.soft=unlimited time.hard=unlimited siz <%= idx %> <% end -%> +access to * + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + # users can authenticate and change their password access to dn.subtree="<%= @suffix %>" attrs=userPassword,shadowLastChange, <% if @syncprov and @sync_binddn != false then -%> From e17a9ef97dd68d87e39ec80b944511e84ba09c58 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 12 May 2014 11:00:20 +0100 Subject: [PATCH 07/85] Bad whitespace --- templates/etc/openldap/slapd.conf.erb | 1 - test/integration/master/serverspec/slapd_spec.rb | 1 - 2 files changed, 2 deletions(-) diff --git a/templates/etc/openldap/slapd.conf.erb b/templates/etc/openldap/slapd.conf.erb index c408b4e..076f2f0 100644 --- a/templates/etc/openldap/slapd.conf.erb +++ b/templates/etc/openldap/slapd.conf.erb @@ -140,4 +140,3 @@ access to dn.subtree="<%= @suffix %>" <% end -%> by self read by * read - diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 8feb565..ffa1eac 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -10,7 +10,6 @@ end describe "slapd" do - describe service('slapd') do it { should be_enabled } it { should be_running } From ef2e9f59882c70f3ca26626531f380ebc836ea97 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 12 May 2014 12:11:57 +0100 Subject: [PATCH 08/85] Lock Ruby version Puppet has a bug w/ Ruby 2.1.0: https://tickets.puppetlabs.com/browse/PUP-1243 --- .ruby-version | 1 + Gemfile | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 .ruby-version diff --git a/.ruby-version b/.ruby-version new file mode 100644 index 0000000..28c0c5e --- /dev/null +++ b/.ruby-version @@ -0,0 +1 @@ +2.0.0-p451 diff --git a/Gemfile b/Gemfile index 75795d8..a0f634a 100644 --- a/Gemfile +++ b/Gemfile 
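Review bot: The `access to *` clause added ahead of the user ACLs has no `by * break`, so for any identity other than the system root it is the first `to` directive that matches and, with no `by` clause matching, slapd applies the implicit `by * none` and never evaluates the `access to dn.subtree="<%= @suffix %>"` rules below it — anonymous `auth` on userPassword and `by self write` would stop working for ordinary binds. Add `  by * break` after the `by dn.exact=gidNumber=0+uidNumber=0,...,cn=auth manage` line so evaluation continues for other binders. Neither the existing tests nor those added in patch 15 would catch this: the `cn=admin` bind is the rootdn, which bypasses ACLs, and the patch 15 regexes match the ACL text rather than effective access, so a check that binds anonymously or as a normal entry is worth adding. The same clause added to `database config` in patch 04 is fine as written, since only the system root is meant to reach cn=config.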
@@ -1,5 +1,7 @@ source 'https://rubygems.org' +ruby '2.0.0' + gem 'rake', '~> 0.8.7' gem 'puppet', '~> 3.0' gem 'rspec-puppet', '~> 0.1.6' From e2d007355ab2fc75b768f424f3a05cb146756675 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 12 May 2014 12:18:48 +0100 Subject: [PATCH 09/85] Test coverage for loading of default schema --- test/integration/master/serverspec/slapd_spec.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index ffa1eac..7a13295 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -48,4 +48,10 @@ describe command('ldapsearch -H ldapi:/// -x -D cn=admin,dc=foo,dc=bar -w password -s base -b "dc=foo,dc=bar"') do it { should return_stdout /o: Foo Dot Bar/ } end + + %w{inetorgperson cosine nis core}.each do |schema| + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=schema,cn=config" "(objectClass=olcSchemaConfig)" cn') do + it { should return_stdout /#{schema}/ } + end + end end From c6dd7a2966779e257934f5a5b28d97e75c59ff50 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 12 May 2014 12:21:21 +0100 Subject: [PATCH 10/85] Test coverage for loading of non-default, bundled schema --- puppet/master/manifests/site.pp | 5 +++-- test/integration/master/serverspec/slapd_spec.rb | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index 93b8108..4ced666 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -1,4 +1,5 @@ class { 'ldap::server::master': - suffix => 'dc=foo,dc=bar', - rootpw => 'password', + suffix => 'dc=foo,dc=bar', + rootpw => 'password', + schema_inc => ['ppolicy'], } diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 7a13295..6f3aa7f 100644 
--- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -49,7 +49,7 @@ it { should return_stdout /o: Foo Dot Bar/ } end - %w{inetorgperson cosine nis core}.each do |schema| + %w{inetorgperson cosine nis core ppolicy}.each do |schema| describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=schema,cn=config" "(objectClass=olcSchemaConfig)" cn') do it { should return_stdout /#{schema}/ } end From 6f02843466b07967a754001ea051c65a8ad782db Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 12 May 2014 12:30:13 +0100 Subject: [PATCH 11/85] Test coverage of loaded modules --- puppet/master/manifests/site.pp | 1 + test/integration/master/serverspec/slapd_spec.rb | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index 4ced666..aa0b84d 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -2,4 +2,5 @@ suffix => 'dc=foo,dc=bar', rootpw => 'password', schema_inc => ['ppolicy'], + modules_inc => ['ppolicy'], } diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 6f3aa7f..396689c 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -54,4 +54,10 @@ it { should return_stdout /#{schema}/ } end end + + %w{back_bdb ppolicy}.each do |mod| + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcModuleList)" olcModuleLoad') do + it { should return_stdout /#{mod}/ } + end + end end From 9ef3888a7b3a31cfdd9738f6fd56684050785156 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 12 May 2014 12:40:16 +0100 Subject: [PATCH 12/85] Test coverage for performance tweaks --- .../master/serverspec/slapd_spec.rb | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) 
diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 396689c..38143f0 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -60,4 +60,24 @@ it { should return_stdout /#{mod}/ } end end + + # Last-modified overlay is on + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcLastMod') do + it { should return_stdout /olcLastMod: TRUE/ } + end + + # DB performance tweaks are set + [ + 'set_cachesize 0 2097152 0', + 'set_lk_max_objects 1500', + 'set_lk_max_locks 1500', + 'set_lk_max_lockers 1500', + ].each do |tweak| + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbConfig') do + it { should return_stdout /#{tweak}/ } + end + end + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbCheckpoint') do + it { should return_stdout /512 30/ } + end end From 0f511aac676541afcb2792358411efcfdb0f76f1 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 13 May 2014 00:07:40 +0100 Subject: [PATCH 13/85] Specs for indices --- puppet/master/manifests/site.pp | 1 + .../master/serverspec/slapd_spec.rb | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index aa0b84d..d82bd27 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -3,4 +3,5 @@ rootpw => 'password', schema_inc => ['ppolicy'], modules_inc => ['ppolicy'], + index_inc => ['index mail pres'], } diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 38143f0..61e552e 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb 
@@ -80,4 +80,22 @@ describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbCheckpoint') do it { should return_stdout /512 30/ } end + + # Indices (default and specified) + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbIndex') do + [ + 'olcDbIndex: objectClass eq', + 'olcDbIndex: entryCSN eq', + 'olcDbIndex: entryUUID eq', + 'olcDbIndex: uidNumber eq', + 'olcDbIndex: gidNumber eq', + 'olcDbIndex: cn pres,eq,sub', + 'olcDbIndex: sn pres,eq,sub', + 'olcDbIndex: uid pres,eq,sub', + 'olcDbIndex: displayName pres,eq,sub', + 'olcDbIndex: mail pres', + ].each do |index| + it { should return_stdout /#{index}/ } + end + end end From 59e3c54d65ff6238b908907275b56d3517a74086 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 13 May 2014 00:07:53 +0100 Subject: [PATCH 14/85] Clearer nesting --- .../master/serverspec/slapd_spec.rb | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 61e552e..0b5092f 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb 
@@ -49,14 +49,14 @@ it { should return_stdout /o: Foo Dot Bar/ } end - %w{inetorgperson cosine nis core ppolicy}.each do |schema| - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=schema,cn=config" "(objectClass=olcSchemaConfig)" cn') do + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=schema,cn=config" "(objectClass=olcSchemaConfig)" cn') do + %w{inetorgperson cosine nis core ppolicy}.each do |schema| it { should return_stdout /#{schema}/ } end end - %w{back_bdb ppolicy}.each do |mod| - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcModuleList)" olcModuleLoad') do + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcModuleList)" olcModuleLoad') do + %w{back_bdb ppolicy}.each do |mod| it { should return_stdout /#{mod}/ } end end @@ -67,13 +67,13 @@ end # DB performance tweaks are set - [ - 'set_cachesize 0 2097152 0', - 'set_lk_max_objects 1500', - 'set_lk_max_locks 1500', - 'set_lk_max_lockers 1500', - ].each do |tweak| - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbConfig') do + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbConfig') do + [ + 'set_cachesize 0 2097152 0', + 'set_lk_max_objects 1500', + 'set_lk_max_locks 1500', + 'set_lk_max_lockers 1500', + ].each do |tweak| it { should return_stdout /#{tweak}/ } end end From 1c8dba5d7e877bcd8f3595bd0af4eb07ee8f313d Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 13 May 2014 01:36:43 +0100 Subject: [PATCH 15/85] Tests for ACLs --- test/integration/master/serverspec/slapd_spec.rb | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 0b5092f..6d62780 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb 
@@ -98,4 +98,16 @@ it { should return_stdout /#{index}/ } end end + + # ACLs + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcAccess | perl -p00e \'s/\r?\n //g\'') do + [ + /to \* by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" manage/, + /to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by self write by anonymous auth by \* none/, + /to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by \* read/, + /to dn.subtree="dc=foo,dc=bar" by self read by \* read/, + ].each do |entry| + it { should return_stdout entry } + end + end end From 011d83ea33d81fed168c78c4e1f6e1aeabd06eac Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 13 May 2014 21:37:39 +0100 Subject: [PATCH 16/85] Tests for syncprov --- puppet/master/manifests/site.pp | 4 +++- .../master/serverspec/slapd_spec.rb | 20 ++++++++++++++++--- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index d82bd27..9d01997 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -2,6 +2,8 @@ suffix => 'dc=foo,dc=bar', rootpw => 'password', schema_inc => ['ppolicy'], - modules_inc => ['ppolicy'], + modules_inc => ['ppolicy', 'syncprov'], index_inc => ['index mail pres'], + syncprov => true, + sync_binddn => 'cn=sync,dc=foo,dc=bar', } diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 6d62780..9c7d326 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb 
@@ -103,11 +103,25 @@ describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcAccess | perl -p00e \'s/\r?\n //g\'') do [ /to \* by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" manage/, - /to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by self write by anonymous auth by \* none/, - /to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by \* read/, - /to dn.subtree="dc=foo,dc=bar" by self read by \* read/, + /to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=foo,dc=bar" read by self write by anonymous auth by \* none/, + /to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=foo,dc=bar" read by \* read/, + /to dn.subtree="dc=foo,dc=bar" by dn.base="cn=sync,dc=foo,dc=bar" read by self read by \* read/, ].each do |entry| it { should return_stdout entry } end end + + # Syncprov + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcModuleList)" olcModuleLoad') do + it { should return_stdout /syncprov/ } + end + + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(objectClass=olcSyncProvConfig)" olcSpCheckpoint') do + it { should return_stdout /100 10/ } + end + + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(objectClass=olcSyncProvConfig)" olcSpSessionlog') do + it { should return_stdout /100/ } + end + end From f3318aa89524d7eb39f2aed3f4c9c1f9b159adc7 Mon Sep 17 00:00:00 2001 
From: Ben Langfeld Date: Wed, 14 May 2014 01:05:56 +0100 Subject: [PATCH 17/85] Test that TLS config makes it into LDAP TODO: Test actual TLS connections --- .kitchen.yml | 2 ++ Gemfile | 2 +- Gemfile.lock | 7 ++--- puppet/files/ldap/ca.key | 27 +++++++++++++++++++ puppet/files/ldap/ca.pem | 26 ++++++++++++++++++ puppet/files/ldap/ca.srl | 1 + puppet/files/ldap/master-ldap.csr | 17 ++++++++++++ puppet/files/ldap/master-ldap.key | 27 +++++++++++++++++++ puppet/files/ldap/master-ldap.pem | 21 +++++++++++++++ puppet/fileserver.conf | 3 +++ puppet/master/manifests/site.pp | 4 +++ .../master/serverspec/slapd_spec.rb | 6 +++++ 12 files changed, 139 insertions(+), 4 deletions(-) create mode 100644 puppet/files/ldap/ca.key create mode 100644 puppet/files/ldap/ca.pem create mode 100644 puppet/files/ldap/ca.srl create mode 100644 puppet/files/ldap/master-ldap.csr create mode 100644 puppet/files/ldap/master-ldap.key create mode 100644 puppet/files/ldap/master-ldap.pem create mode 100644 puppet/fileserver.conf diff --git a/.kitchen.yml b/.kitchen.yml index 0378234..ce4b673 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -5,6 +5,8 @@ driver: provisioner: name: puppet_apply modules_path: .. + fileserver_config_path: puppet/fileserver.conf + files_path: puppet/files platforms: - name: nocm_ubuntu-12.04 diff --git a/Gemfile b/Gemfile index a0f634a..2bb64b5 100644 --- a/Gemfile +++ b/Gemfile @@ -9,5 +9,5 @@ gem 'puppetlabs_spec_helper', '~> 0.4.1' gem 'test-kitchen', '~> 1.0' gem 'kitchen-vagrant' -gem 'kitchen-puppet', github: 'neillturner/kitchen-puppet' +gem 'kitchen-puppet', github: 'mojolingo/kitchen-puppet', branch: 'feature/fileserver' gem 'librarian-puppet' diff --git a/Gemfile.lock b/Gemfile.lock index 2bf0e34..c3c67d4 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -1,8 +1,9 @@ GIT - remote: git://github.com/neillturner/kitchen-puppet.git - revision: ba421cb513426c15c4f2aaafc7e975217cf8978e + remote: git://github.com/mojolingo/kitchen-puppet.git + revision: 2c91e3004ac04a399acb320939e81ecd6a367ef0 + branch: feature/fileserver specs: - kitchen-puppet (0.0.7) + kitchen-puppet (0.0.8) GEM remote: https://rubygems.org/ diff --git a/puppet/files/ldap/ca.key b/puppet/files/ldap/ca.key new file mode 100644 index 0000000..98ddd86 --- /dev/null +++ b/puppet/files/ldap/ca.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAunW2cXtVvB6S5JAQWfF+J1BS30MTDUa3b1cOrGBOBxtBsOwT +Tpmldl1kS73NiAUkmyNraK9ROb26JZMx05hSzzbjmlfkpKY3yAB6+mGJ0AcS+E8y +H8axQ2vBiWtshB8EQieP0Gc7UwIkYCr1zjkPMUm9uRmeGB+SY6FzSM48oW0aJDXy +sHslQtYFvQNAnpsGbRb+6zCVJPm1ZUZIz5krfC7MgqZ4C0nmSwXcTGNScidgp1Wh +bW57uHyS/kCjg+Oy9aNvrn2l3x2rzb27hgRDJfmJnvHzbc0DFnH+OVjc6+BS8YiB +XZ2RomoBRuKr0+I8xNP/wGGmkA1MSB55vjZjgwIDAQABAoIBAGwur9PXwz6KXp/O +Fi6ZNqCIsgxnVj51sSggUpsgpSTqY4rK7cjEzIOIXBC15vHsSfjY7BCo52+g7Mew +R1CFKEahihyaskX1Spf372ImBVd1Q0Rebq6REXgUpQ2eDi/57vaTDZXUz06yB3jk +dAlagb4PEsy6WEeWydCUc9biEbt2GxN4h0GBMaEO+kv2V06F9yP2dLPJN3fTVP2M +W7MlAiwyAeQ4qejROsdFsriIr81MLdurIN90QrbKXVlFaFmg8a+35z3zvguZcskg +76da0PgNzM973/sXXA51N10hoUsWy+iurvUtNQz4/9SZYgcDG/cfoRzMVgFYsN4J +Nn6jAkECgYEA7uLL8A8rjH/csTAYDuszf9p83Pre9/8Zumbni0zpyXfkOdAdGxZJ +NO64VgkNDfzpqZ+nC9FyzQVP6hVhJM7ARtLDUD1Jk4VGMv1cByX4o7M80P66ltET +K8nu4UDqxu9jVi0hD+AVzT/UJnVpI/BCOFkpwPHqn8fM5URNEKdezV0CgYEAx9Fp +1JDFzMah5EjxNFxwDShZ30xF53f+YRuNssupXlib6mUDiCSzwWhdStANVnYFrbaP +o0XFe+OB1u+kE16hHGr7+c7Y28tiLJVu12H3vv3CjyvfW2FgOPaKuOGj50HcOEls +L3wn4UsrSTHuXSzJhhomSPTUuatWTw4y+cKYBl8CgYB9JFppm8jYhXL7b5Jq3lPQ +OokGynVbvUuhFp9dniEq5Z+tmZRlyDr5e8UdbQhlt4RA094SltppBMtkeWa2fYjE +kUy4ECMnIL4xoABBzmZ+ezr00Ty2HTjJy7NUVUmohWeokWOsiVtidnmQ3BkENqy6 +EBuLdC/RHD3+LNWiT8ueEQKBgExJkmsaXrpAt7xNcPF5vTn4xt8u4p1tvYvblizF +/sLLd7N0n3WR9aMIsl2GsyDobGCXC53dXHlhMcgas/zFKyOLYOpN45N+wdudrbTD +bW/YuDgrGtprge4dinbthsMa7PX8ajZy41LrfPoz+vpNyB7PywAdoT3FwWzrUeDz +P1FnAoGAcfIq1VhcE8A+0OAPHDaPAQ1PZEIjxRS1naAY9N/iPzI5nkCDwF2dns1W +DsGgHTFhQZUraQgDHQWFNMBW2sbWUmwsL139bhNAJ9K1n6mo5wFqgeHVwLJPiFAJ +gcZBzOnDj+oNB+xTi6HPFumfz3uMqsQxb8N0jbajj2kY3yLINJY= +-----END RSA PRIVATE KEY----- diff --git a/puppet/files/ldap/ca.pem b/puppet/files/ldap/ca.pem new file mode 100644 index 0000000..21960ef --- /dev/null +++ b/puppet/files/ldap/ca.pem 
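Review bot: `ca.key` is a committed RSA private key (as is `master-ldap.key` later in this patch), which is defensible only as disposable test-fixture material, yet nothing in the tree says so. Add a short `puppet/files/ldap/README` (or a comment in `.kitchen.yml` next to `files_path`) stating that these keys and the CA exist solely for the test-kitchen suite, must never be trusted or reused outside the throwaway VM, and how to regenerate them. `master-ldap.csr` and `ca.srl` are one-off generation artefacts that do not need to be committed at all.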
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEajCCA1KgAwIBAgIJAJfTO7cUrNPkMA0GCSqGSIb3DQEBBQUAMH8xCzAJBgNV +BAYTAkdCMRAwDgYDVQQIEwdFbmdsYW5kMRIwEAYDVQQHEwlMaXZlcnBvb2wxDTAL +BgNVBAoTBE5vbmUxDTALBgNVBAsTBE5vbmUxEDAOBgNVBAMTB2Zvby5iYXIxGjAY +BgkqhkiG9w0BCQEWC2Zvb0BiYXIuY29tMCAXDTE0MDUxMzIzNDEwNVoYDzIyOTQw +OTIyMjM0MTA1WjB/MQswCQYDVQQGEwJHQjEQMA4GA1UECBMHRW5nbGFuZDESMBAG +A1UEBxMJTGl2ZXJwb29sMQ0wCwYDVQQKEwROb25lMQ0wCwYDVQQLEwROb25lMRAw +DgYDVQQDEwdmb28uYmFyMRowGAYJKoZIhvcNAQkBFgtmb29AYmFyLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALp1tnF7VbwekuSQEFnxfidQUt9D +Ew1Gt29XDqxgTgcbQbDsE06ZpXZdZEu9zYgFJJsja2ivUTm9uiWTMdOYUs8245pX +5KSmN8gAevphidAHEvhPMh/GsUNrwYlrbIQfBEInj9BnO1MCJGAq9c45DzFJvbkZ +nhgfkmOhc0jOPKFtGiQ18rB7JULWBb0DQJ6bBm0W/uswlST5tWVGSM+ZK3wuzIKm +eAtJ5ksF3ExjUnInYKdVoW1ue7h8kv5Ao4PjsvWjb659pd8dq829u4YEQyX5iZ7x +823NAxZx/jlY3OvgUvGIgV2dkaJqAUbiq9PiPMTT/8BhppANTEgeeb42Y4MCAwEA +AaOB5jCB4zAdBgNVHQ4EFgQUoSs9QpGK8cxWGvYRXwa7Sx9puOMwgbMGA1UdIwSB +qzCBqIAUoSs9QpGK8cxWGvYRXwa7Sx9puOOhgYSkgYEwfzELMAkGA1UEBhMCR0Ix +EDAOBgNVBAgTB0VuZ2xhbmQxEjAQBgNVBAcTCUxpdmVycG9vbDENMAsGA1UEChME +Tm9uZTENMAsGA1UECxMETm9uZTEQMA4GA1UEAxMHZm9vLmJhcjEaMBgGCSqGSIb3 +DQEJARYLZm9vQGJhci5jb22CCQCX0zu3FKzT5DAMBgNVHRMEBTADAQH/MA0GCSqG +SIb3DQEBBQUAA4IBAQAXG/n4KTvwT6FNhF7O968g+QaQEMUqyVPIz96MsskCtYtq +rvUENANUYqln+KnjNuOEnpy0+S/l709LFyWMA5xW5RcnjBUXengVTNMbZUrUVXje +GOKRBSLO1cG9aSZY7bbbShpPgemyvEjCAqDJVWjcJk/VQeIQ5Wv7sWsn3fUkAvMl +bGRRDFQDd8J8UHpbXS2rScFmBjnoV457TO+Pm1Q4ce/5C7zGGLt88LJS5yBP97p1 +Jjd9rSTj1MHdNkFmD9nOur03CbNXPYWQ4ET4rU0DrTcha3NgedWGIWeup/OKpuao +KVQBwj+XFKmqPfp+hoQU+3Sbqjhw5J5pnb40/ayh +-----END CERTIFICATE----- diff --git a/puppet/files/ldap/ca.srl b/puppet/files/ldap/ca.srl new file mode 100644 index 0000000..ffd246b --- /dev/null +++ b/puppet/files/ldap/ca.srl @@ -0,0 +1 @@ +A792F799A476A268 diff --git a/puppet/files/ldap/master-ldap.csr b/puppet/files/ldap/master-ldap.csr new file mode 100644 index 0000000..98b1798 --- /dev/null +++ b/puppet/files/ldap/master-ldap.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICxDCCAawCAQAwfzELMAkGA1UEBhMCR0IxEDAOBgNVBAgTB0VuZ2xhbmQxEjAQ +BgNVBAcTCUxpdmVycG9vbDENMAsGA1UEChMETm9uZTENMAsGA1UECxMETm9uZTEQ +MA4GA1UEAxMHZm9vLmJhcjEaMBgGCSqGSIb3DQEJARYLZm9vQGJhci5jb20wggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcjNqfynb71pLCRvpLsaDLLrwJ +rMS+YwCncIwX67bUVYUTHtLkX9DEqHzGTW0VEVl5iBCD1+cR2XwU6XqNP2dsZMZU +/yypfjw8OPqHjBDu2qsKAsbU4vCpY/zhvRwlxhUg/MdaEPjosJgHWRj7nt/WHYoo +SgCrowZ+RrTB+0yRNBtXVMXWBA1ZpOQn8Tx2d2iBC5PS345+x3eJY/1M4uuKJW/d +tGjGkOpRDmKpR2lGixTjtwvV0TAjeEaJhEzGEp1Hr6qYNKF/IT8nP2WQtLOcP2L2 +4xqUFYDGivHtUndMRpzOsuUIcPwfBVgQiHKD17CVZIJNDBOiP3fuqC9Tu8w3AgMB +AAGgADANBgkqhkiG9w0BAQUFAAOCAQEAW9h1GmsYdbctBOvGG7I+r/MUHUVEEBTR +qcD6of+NYv9Ynp7vK+PxeUmzcRnfKQxeUkCbeoOb2j0dj2/+3K1B72o980Pc6my/ +s0C//xBlIawBZ4cqCcf8nC9IbZrDQJzhOlp7qBaKInsUdpHCQ/U285+7u7+naEX7 +OG42Z/n9x8T7DV4O/ySLSNsaEs3dGEZQzJTb4RnKLAFCBYqTE/BFLWpnxiyVYc9m +GdedQbPKHMrTCZVHQjuk+d1Z5QW5AV+FGJ/D0mQO+zYRdgHAsSJaHVT3vJVLU+Gm +8gEcwDETS9iGCUriimAIafYbVjWMc7GKZ3p2R0EYomaJeoJjnHqV2Q== +-----END CERTIFICATE REQUEST----- diff --git a/puppet/files/ldap/master-ldap.key b/puppet/files/ldap/master-ldap.key new file mode 100644 index 0000000..f6fdaa1 --- /dev/null +++ b/puppet/files/ldap/master-ldap.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA3Izan8p2+9aSwkb6S7Ggyy68CazEvmMAp3CMF+u21FWFEx7S +5F/QxKh8xk1tFRFZeYgQg9fnEdl8FOl6jT9nbGTGVP8sqX48PDj6h4wQ7tqrCgLG +1OLwqWP84b0cJcYVIPzHWhD46LCYB1kY+57f1h2KKEoAq6MGfka0wftMkTQbV1TF +1gQNWaTkJ/E8dndogQuT0t+Ofsd3iWP9TOLriiVv3bRoxpDqUQ5iqUdpRosU47cL +1dEwI3hGiYRMxhKdR6+qmDShfyE/Jz9lkLSznD9i9uMalBWAxorx7VJ3TEaczrLl +CHD8HwVYEIhyg9ewlWSCTQwToj937qgvU7vMNwIDAQABAoIBAQDTJcq8xmJJUrFo +a/l+9EzjmRePD6fAOhpLM3X8BMAh4sondxAichT14fSrCT9Qty55Kqnc/5uKPDQN +9UVN6xDB9mzmvPHuRxu18DryAEfJ1PGBAQ2IjMgo88AMAjfrdguObFMSyEL0yvSR +vFwtsXnMjLVTQx4HNGmoBVtSh5tTOs91hz+L0iCXnqZwmQIQ956ZNVLts5PpvObu +4y3F8xu3cJBTaKGxPxvf41I4PSr660uogx/Lp15r54yGmxDrPdN66dLCJy/hYnZr +hlh4xq73sUL/IfYL6v9HuWLMF1sUaevt/gNT5BrLdffw/Z3qcuS8MBkuABhRpdtI +snPsLlqBAoGBAPRwQZuQNVT/WMro4GjR7dmCnqYIIB/ucySDo8qf1UvSSJthDkfA +RdK/TJC5HJ7NbTfS3AYrjJ73+vyrAvrHKGwDPUkkqSwz+7aQ18Ws4Yx8iP0kcgXU +EPqAAM4oTMT7gHO88r6J63bHD5g/soPPLT2jK61VSYrMVYqsqTddeAJBAoGBAOb7 +WapeSA/Lj5Rqn5mo9iQUIt+0At2qJB5sFY9Tw5VBJ2uCWmfEOGzJf8dOnugYNEHO +IUCUQDFfCbiUNiydytNTzqmWl+X8DUDiHNgGIlER+lIv0vA1d+KvATRCdAO7Q/+j +1gXN990odsxbt5fKVxyJZl91oH0RzSIv6OiqwsB3AoGBALjuDNTSn2a04MpysQTc +fiQnLDvUvekqj7Y6Wbq8fbSlXQUgwpsKHkk5LYX4ZmzGYjDvuEJ6xCKo3hw2jUSJ +VE2TjdQ+hjbJBVCz+Gq3RtTwivtpjVJXhJjgKrvNxXbqB96IPuZkld4A8A1xc29B +WKrfPfYfJkp6GOWXh1Y5wseBAoGAB45xgIFVGi8uo0xZrE06wDNocKkS7u2CAPzI +N8glvdxDzeCV1I82yVhONdb8m9su2nhD3jj7YKIbT06J9yuyVveG60Vh8sQsKtM6 +3lZVCRHtfoLSA8m8Ak53W55Q7U5TCynw9n+mfDW2rTjS6MRV1TkpgDX46h6K93NZ +y0LK3EECgYAWjjhJczbz8H+/3InYXw76Uo5hbzb6SmxvE+e03RhkuZe1Vi9qo5FN +7iAS+OkgDrMhOvoIOzUcLRs7h4/z8Y/S0Xne2XMS7CRkN1QN1vI/ht7hm3SH4qxN +tvdw0nlt13dF3hgnSR/sS0OPBKhMijGcBTGDKFsTNyh1cZIBTdgSKQ== +-----END RSA PRIVATE KEY----- diff --git a/puppet/files/ldap/master-ldap.pem b/puppet/files/ldap/master-ldap.pem new file mode 100644 index 0000000..ddcd2e9 --- /dev/null +++ b/puppet/files/ldap/master-ldap.pem 
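Review bot: This hunk commits an RSA private key in the clear (puppet/files/ldap/master-ldap.key), next to the matching CSR and certificate in the neighbouring hunks. That is acceptable only because it is a throwaway fixture for the test-kitchen VMs, so its test-only status should be stated wherever the integration-test setup is documented, e.g. `The keys and certificates under puppet/files/ldap are generated test fixtures; they are published in this repository and must never be used outside disposable test VMs.` The ca.pem added in the preceding hunk also appears, from its decoded validity field, to be valid until 2294, so the generation recipe should not be copied for a real deployment either. These are data files, so there is no code to change here.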
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDejCCAmICCQCnkveZpHaiaDANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJH +QjEQMA4GA1UECBMHRW5nbGFuZDESMBAGA1UEBxMJTGl2ZXJwb29sMQ0wCwYDVQQK +EwROb25lMQ0wCwYDVQQLEwROb25lMRAwDgYDVQQDEwdmb28uYmFyMRowGAYJKoZI +hvcNAQkBFgtmb29AYmFyLmNvbTAeFw0xNDA1MTMyMzU1MTJaFw0yODAxMjAyMzU1 +MTJaMH8xCzAJBgNVBAYTAkdCMRAwDgYDVQQIEwdFbmdsYW5kMRIwEAYDVQQHEwlM +aXZlcnBvb2wxDTALBgNVBAoTBE5vbmUxDTALBgNVBAsTBE5vbmUxEDAOBgNVBAMT +B2Zvby5iYXIxGjAYBgkqhkiG9w0BCQEWC2Zvb0BiYXIuY29tMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Izan8p2+9aSwkb6S7Ggyy68CazEvmMAp3CM +F+u21FWFEx7S5F/QxKh8xk1tFRFZeYgQg9fnEdl8FOl6jT9nbGTGVP8sqX48PDj6 +h4wQ7tqrCgLG1OLwqWP84b0cJcYVIPzHWhD46LCYB1kY+57f1h2KKEoAq6MGfka0 +wftMkTQbV1TF1gQNWaTkJ/E8dndogQuT0t+Ofsd3iWP9TOLriiVv3bRoxpDqUQ5i +qUdpRosU47cL1dEwI3hGiYRMxhKdR6+qmDShfyE/Jz9lkLSznD9i9uMalBWAxorx +7VJ3TEaczrLlCHD8HwVYEIhyg9ewlWSCTQwToj937qgvU7vMNwIDAQABMA0GCSqG +SIb3DQEBBQUAA4IBAQCM6s2aQbWpn0iJd0jmbWKFauMdhtQHUWhj4PpyhAZLK8AQ +f3Z5Lt2ZwDXaK50TaB7z16RbcCdFcmU6L0uONOMBDpzZ/B5lADuwv375HO4NbCRT +qn2gXl8h9ylXBfwworkno0m/fLVsbuvq4R1HSOG4MHrMUh1gdISKsO2iRfxPdXA3 +arXjWD6pIRbH4Ns8JhGNv+wC3y++5Whp5jHq3ndKbc1CdeXU22lwXwAJPDm+EmN0 +HkcZG6nET54bnOCjXsYQnAP8OXtM2yTdszIe0T4OA+uGO1XKLYyLKtRZnYB7XQ/D +61XfaCpsnFo53VulPxhauPLRufhODQg/x6cbxmVr +-----END CERTIFICATE----- diff --git a/puppet/fileserver.conf b/puppet/fileserver.conf new file mode 100644 index 0000000..2a9d580 --- /dev/null +++ b/puppet/fileserver.conf @@ -0,0 +1,3 @@ +[files] + path /tmp/kitchen/files + allow * diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index 9d01997..1bb8c4c 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -6,4 +6,8 @@ index_inc => ['index mail pres'], syncprov => true, sync_binddn => 'cn=sync,dc=foo,dc=bar', + ssl => true, + ssl_ca => 'ca.pem', + ssl_cert => 'master-ldap.pem', + ssl_key => 'master-ldap.key', } 
diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 9c7d326..bbb71ad 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -124,4 +124,10 @@ it { should return_stdout /100/ } end + # TLS + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)"') do + it { should return_stdout %r{olcTLSCACertificateFile: /etc/ssl/certs/ca\.pem} } + it { should return_stdout %r{olcTLSCertificateFile: /etc/ssl/certs/master-ldap\.pem} } + it { should return_stdout %r{olcTLSCertificateKeyFile: /etc/ssl/certs/master-ldap\.key} } + end end From 9ff46d226cd35291f7ec9dceed3abcb50d424566 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Wed, 14 May 2014 11:52:50 +0100 Subject: [PATCH 18/85] Test TLS connection LDAP client certificate verification needs to be setup. Puppet cannot manage multiple file resources with the same name. --- puppet/files/ldap/master-ldap.client.pem | 1 + puppet/master/manifests/site.pp | 7 +++++++ test/integration/master/serverspec/slapd_spec.rb | 3 +++ 3 files changed, 11 insertions(+) create mode 120000 puppet/files/ldap/master-ldap.client.pem diff --git a/puppet/files/ldap/master-ldap.client.pem b/puppet/files/ldap/master-ldap.client.pem new file mode 120000 index 0000000..7ffda6b --- /dev/null +++ b/puppet/files/ldap/master-ldap.client.pem @@ -0,0 +1 @@ +master-ldap.pem \ No newline at end of file diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index 1bb8c4c..0da6499 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -1,3 +1,10 @@ +class { 'ldap::client': + uri => 'ldaps:///', + base => 'dc=foo,dc=bar', + ssl => true, + ssl_cert => 'master-ldap.client.pem', +} + class { 'ldap::server::master': suffix => 'dc=foo,dc=bar', rootpw => 'password', 
diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb
index bbb71ad..92a57fe 100644
--- a/test/integration/master/serverspec/slapd_spec.rb
+++ b/test/integration/master/serverspec/slapd_spec.rb
@@ -130,4 +130,7 @@
 it { should return_stdout %r{olcTLSCertificateFile: /etc/ssl/certs/master-ldap\.pem} }
 it { should return_stdout %r{olcTLSCertificateKeyFile: /etc/ssl/certs/master-ldap\.key} }
 end
+ describe command('ldapwhoami -H ldaps:/// -x -D cn=admin,dc=foo,dc=bar -w password') do
+ it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ }
+ end
 end
From b625854d25d183013334704e53df20168df39704 Mon Sep 17 00:00:00 2001
From: Ben Langfeld
Date: Wed, 14 May 2014 11:53:07 +0100
Subject: [PATCH 19/85] Build with puppet debug mode in test-kitchen
---
 .kitchen.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.kitchen.yml b/.kitchen.yml
index ce4b673..04cd18e 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -7,6 +7,7 @@ provisioner:
 modules_path: ..
 fileserver_config_path: puppet/fileserver.conf
 files_path: puppet/files
+ puppet_debug: true
 platforms:
 - name: nocm_ubuntu-12.04
From 0b6206cabb59899a714389370c8ac7e05dba4eac Mon Sep 17 00:00:00 2001
From: Ben Langfeld
Date: Wed, 14 May 2014 12:20:11 +0100
Subject: [PATCH 20/85] Add integration tests for slave server
---
 .kitchen.yml | 1 +
 puppet/slave/manifests/site.pp | 23 +++
 .../master/serverspec/slapd_spec.rb | 2 +-
 .../slave/serverspec/slapd_spec.rb | 136 ++++++++++++++++++
 4 files changed, 161 insertions(+), 1 deletion(-)
 create mode 100644 puppet/slave/manifests/site.pp
 create mode 100644 test/integration/slave/serverspec/slapd_spec.rb
diff --git a/.kitchen.yml b/.kitchen.yml
index 04cd18e..f494b9c 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -18,3 +18,4 @@ platforms:
 suites:
 - name: master
+ - name: slave
diff --git a/puppet/slave/manifests/site.pp b/puppet/slave/manifests/site.pp
new file mode 100644
index 0000000..3141951
--- /dev/null
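Review bot: The new `ldapwhoami -H ldaps:///` example only proves that a TLS session can be negotiated before the password bind; it does not show that the client verified the server certificate, which the commit message itself says is not yet set up, so the expectation would also pass against an unverified or mismatched certificate. A second assertion on the client configuration rendered by `ldap::client` (declared in the `@@ -1,3 +1,10 @@` hunk of puppet/master/manifests/site.pp) that checks the configured trust anchor and `TLS_REQCERT demand` would pin the behaviour that matters. Note also that master-ldap.client.pem is a symlink to the server's own leaf certificate rather than to ca.pem; if `ssl_cert` on `ldap::client` is what becomes the client's trust anchor, it presumably should point at the CA. The enclosing `describe` block starts outside the hunk.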
+++ b/puppet/slave/manifests/site.pp
@@ -0,0 +1,23 @@
+class { 'ldap::client':
+ uri => 'ldaps:///',
+ base => 'dc=foo,dc=bar',
+ ssl => true,
+ ssl_cert => 'master-ldap.client.pem',
+}
+
+class { 'ldap::server::slave':
+ suffix => 'dc=foo,dc=bar',
+ rootpw => 'password',
+ schema_inc => ['ppolicy'],
+ modules_inc => ['ppolicy', 'syncprov'],
+ index_inc => ['index mail pres'],
+ sync_provider => 'ldapi:///',
+ sync_binddn => 'cn=sync,dc=foo,dc=bar',
+ sync_bindpw => 'foobar',
+ sync_rid => '123',
+ sync_updatedn => 'cn=admin,dc=foo,dc=bar',
+ ssl => true,
+ ssl_ca => 'ca.pem',
+ ssl_cert => 'master-ldap.pem',
+ ssl_key => 'master-ldap.key',
+}
diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb
index 92a57fe..07e9bc6 100644
--- a/test/integration/master/serverspec/slapd_spec.rb
+++ b/test/integration/master/serverspec/slapd_spec.rb
@@ -9,7 +9,7 @@
 end
 end
-describe "slapd" do
+describe "slapd master" do
 describe service('slapd') do
 it { should be_enabled }
 it { should be_running }
diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb
new file mode 100644
index 0000000..74165a5
--- /dev/null
+++ b/test/integration/slave/serverspec/slapd_spec.rb
@@ -0,0 +1,136 @@
+require 'serverspec'
+
+include Serverspec::Helper::Exec
+include Serverspec::Helper::DetectOS
+
+RSpec.configure do |c|
+ c.before :all do
+ c.path = '/sbin:/usr/sbin'
+ end
+end
+
+describe "slapd slave" do
+ describe service('slapd') do
+ it { should be_enabled }
+ it { should be_running }
+ end
+
+ describe port(389) do
+ it { should be_listening }
+ end
+
+ # Can bind as system root user
+ describe command('ldapwhoami -H ldapi:/// -Y EXTERNAL') do
+ it { should return_stdout /dn:gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth/ }
+ end
+
+ # Can bind as specified root user w/ password
+ describe command('ldapwhoami -H ldapi:/// -x -D cn=admin,dc=foo,dc=bar -w password') do
+ it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ }
+ end
+
+ # Requested suffix exists in cn=config
+ describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcSuffix') do
+ it { should return_stdout /olcSuffix: dc=foo,dc=bar/ }
+ end
+
+ # The root organisation can be created
+ describe command("echo \"dn: dc=foo,dc=bar\nobjectClass: dcObject\nobjectClass: organization\ndc: foo\no: Foo Dot Bar\" | ldapadd -H ldapi:/// -Y EXTERNAL") do
+ it { should return_stdout /adding new entry/ }
+ end
+
+ # Once created, the root org is readable by system root
+ describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b "dc=foo,dc=bar"') do
+ it { should return_stdout /o: Foo Dot Bar/ }
+ end
+
+ # Once created, the root org is readable by the DIT root user
+ describe command('ldapsearch -H ldapi:/// -x -D cn=admin,dc=foo,dc=bar -w password -s base -b "dc=foo,dc=bar"') do
+ it { should return_stdout /o: Foo Dot Bar/ }
+ end
+
+ describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=schema,cn=config" "(objectClass=olcSchemaConfig)" cn') do
+ %w{inetorgperson cosine nis core ppolicy}.each do |schema|
+ it { should return_stdout /#{schema}/ }
+ end
+ end
+
+ describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b 
"cn=config" "(objectClass=olcModuleList)" olcModuleLoad') do
+ %w{back_bdb ppolicy}.each do |mod|
+ it { should return_stdout /#{mod}/ }
+ end
+ end
+
+ # Last-modified overlay is on
+ describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcLastMod') do
+ it { should return_stdout /olcLastMod: TRUE/ }
+ end
+
+ # DB performance tweaks are set
+ describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbConfig') do
+ [
+ 'set_cachesize 0 2097152 0',
+ 'set_lk_max_objects 1500',
+ 'set_lk_max_locks 1500',
+ 'set_lk_max_lockers 1500',
+ ].each do |tweak|
+ it { should return_stdout /#{tweak}/ }
+ end
+ end
+ describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbCheckpoint') do
+ it { should return_stdout /512 30/ }
+ end
+
+ # Indices (default and specified)
+ describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbIndex') do
+ [
+ 'olcDbIndex: objectClass eq',
+ 'olcDbIndex: entryCSN eq',
+ 'olcDbIndex: entryUUID eq',
+ 'olcDbIndex: uidNumber eq',
+ 'olcDbIndex: gidNumber eq',
+ 'olcDbIndex: cn pres,eq,sub',
+ 'olcDbIndex: sn pres,eq,sub',
+ 'olcDbIndex: uid pres,eq,sub',
+ 'olcDbIndex: displayName pres,eq,sub',
+ 'olcDbIndex: mail pres',
+ ].each do |index|
+ it { should return_stdout /#{index}/ }
+ end
+ end
+
+ # ACLs
+ describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcAccess | perl -p00e \'s/\r?\n //g\'') do
+ [
+ /to \* by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" manage/,
+ /to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by self write by anonymous auth by \* none/,
+ /to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by \* read/,
+ /to dn.subtree="dc=foo,dc=bar" by self read by \* read/,
+ ].each do 
|entry|
+ it { should return_stdout entry }
+ end
+ end
+
+ # Syncprov
+ describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcModuleList)" olcModuleLoad') do
+ it { should return_stdout /syncprov/ }
+ end
+
+ describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcSyncrepl') do
+ its(:stdout) { should include 'rid=123 provider=ldapi:/// bindmethod=simple timeout=0 network-ti
+ meout=0 binddn="cn=sync,dc=foo,dc=bar" credentials="foobar" keepalive=0:0:0 s
+ tarttls=no filter="(objectClass=*)" searchbase="dc=foo,dc=bar" scope=sub attr
+ s="*" schemachecking=off type=refreshOnly interval=00:00:10:00 retry=undefine
+ d' }
+ end
+
+ # TLS
+ describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)"') do
+ it { should return_stdout %r{olcTLSCACertificateFile: /etc/ssl/certs/ca\.pem} }
+ it { should return_stdout %r{olcTLSCertificateFile: /etc/ssl/certs/master-ldap\.pem} }
+ it { should return_stdout %r{olcTLSCertificateKeyFile: /etc/ssl/certs/master-ldap\.key} }
+ end
+ describe command('ldapwhoami -H ldaps:/// -x -D cn=admin,dc=foo,dc=bar -w password') do
+ it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ }
+ end
+end
From 5e30e48f6b3f1f06206f15b2df77cdb3c5acb546 Mon Sep 17 00:00:00 2001
From: Ben Langfeld
Date: Wed, 14 May 2014 12:20:23 +0100
Subject: [PATCH 21/85] Remove unused config
---
 templates/etc/openldap/slapd.conf.erb | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/templates/etc/openldap/slapd.conf.erb b/templates/etc/openldap/slapd.conf.erb
index 076f2f0..1133163 100644
--- a/templates/etc/openldap/slapd.conf.erb
+++ b/templates/etc/openldap/slapd.conf.erb
@@ -3,7 +3,6 @@
 # Manual changes are likey to be overwritten
 ###############################################################################
-#allow bind_v2
 <% if @bind_anon == true then -%>
 allow bind_anon_dn
 <% end -%>
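Review bot: The olcSyncrepl check near the end of this new spec embeds ldapsearch's LDIF line wrapping in the expected string (`network-ti` followed by ` meout=0`, and so on), so any change in the value's length, such as a different rid, provider URI or credential, shifts the wrap points and fails the test for the wrong reason. The ACL check earlier in the same file already unwraps continuation lines with `| perl -p00e 's/\r?\n //g'`; appending the same pipe to the olcSyncrepl ldapsearch command and matching the unwrapped value on a single line removes that dependency. The file is otherwise a near-verbatim copy of the master spec, and the identical edits applied to both files later in this series suggest the shared checks belong in RSpec shared examples included from each suite.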
@@ -32,13 +31,11 @@ moduleload <%= mod %> <% @modules_inc.each do |mod| -%> moduleload <%= mod %> <% end -%> -#moduleload syncprov <% if @ssl == true then -%> TLSCACertificateFile <%= scope.lookupvar('ldap::params::ssl_prefix') %>/<%= @ssl_ca %> TLSCertificateFile <%= scope.lookupvar('ldap::params::ssl_prefix') %>/<%= @ssl_cert %> TLSCertificateKeyFile <%= scope.lookupvar('ldap::params::ssl_prefix') %>/<%= @ssl_key %> -#TLSVerifyClient allow <% end -%> ####################################################################### @@ -119,14 +116,6 @@ access to dn.subtree="<%= @suffix %>" attrs=userPassword,shadowLastChange, by anonymous auth by * none -#access to dn.subtree="<%= @suffix %>" attrs=sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaBadPasswordCount,sambaBadPasswordTime,sambaPwdLastSet -#<% if @syncprov and @sync_binddn != false then -%> -# by dn.exact="<%= @sync_binddn %>" read -#<% end -%> -# by self write -# by anonymous auth -# by * none - ## some attributes need to be readable anonymously so that 'id user' can answer correctly access to dn.subtree="<%= @suffix %>" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid <% if @syncprov and @sync_binddn != false then -%> From 09e7434fca0a5cbd58e2c4fb8b59509377f36e82 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Wed, 14 May 2014 12:33:12 +0100 Subject: [PATCH 22/85] Use Chef Bento base boxes --- .kitchen.yml | 6 +----- Gemfile | 2 +- Gemfile.lock | 6 +++--- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index f494b9c..9a1f623 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -10,11 +10,7 @@ provisioner: puppet_debug: true platforms: -- name: nocm_ubuntu-12.04 - driver_plugin: vagrant - driver_config: - box: nocm_ubuntu-12.04 - box_url: http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-12042-x64-vbox4210-nocm.box + - name: ubuntu-12.04 suites: - name: master diff --git a/Gemfile b/Gemfile index 2bb64b5..7649d8b 100644 
--- a/Gemfile
+++ b/Gemfile
@@ -9,5 +9,5 @@ gem 'puppetlabs_spec_helper', '~> 0.4.1'
 gem 'test-kitchen', '~> 1.0'
 gem 'kitchen-vagrant'
-gem 'kitchen-puppet', github: 'mojolingo/kitchen-puppet', branch: 'feature/fileserver'
+gem 'kitchen-puppet', github: 'mojolingo/kitchen-puppet', branch: 'feature/no_curl'
 gem 'librarian-puppet'
diff --git a/Gemfile.lock b/Gemfile.lock
index c3c67d4..7c78aae 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,9 +1,9 @@
 GIT
 remote: git://github.com/mojolingo/kitchen-puppet.git
- revision: 2c91e3004ac04a399acb320939e81ecd6a367ef0
- branch: feature/fileserver
+ revision: ef8a3380ecfb1a699c22c1c7a960d2c5939a97a4
+ branch: feature/no_curl
 specs:
- kitchen-puppet (0.0.8)
+ kitchen-puppet (0.0.9)
 GEM
 remote: https://rubygems.org/
From e03198b0812e4bc6354aee98dea7f2d73618c5b4 Mon Sep 17 00:00:00 2001
From: Ben Langfeld
Date: Wed, 14 May 2014 17:48:38 +0100
Subject: [PATCH 23/85] kitchen-puppet contributions got merged
---
 Gemfile | 2 +-
 Gemfile.lock | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Gemfile b/Gemfile
index 7649d8b..a0c1304 100644
--- a/Gemfile
+++ b/Gemfile
@@ -9,5 +9,5 @@ gem 'puppetlabs_spec_helper', '~> 0.4.1'
 gem 'test-kitchen', '~> 1.0'
 gem 'kitchen-vagrant'
-gem 'kitchen-puppet', github: 'mojolingo/kitchen-puppet', branch: 'feature/no_curl'
+gem 'kitchen-puppet', github: 'neillturner/kitchen-puppet', branch: 'master'
 gem 'librarian-puppet'
diff --git a/Gemfile.lock b/Gemfile.lock
index 7c78aae..b435aea 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 GIT
- remote: git://github.com/mojolingo/kitchen-puppet.git
- revision: ef8a3380ecfb1a699c22c1c7a960d2c5939a97a4
- branch: feature/no_curl
+ remote: git://github.com/neillturner/kitchen-puppet.git
+ revision: b8e7579962629b9b3c110d4569da0031a12df47d
+ branch: master
 specs:
 kitchen-puppet (0.0.9)
From ba27f38303474355d5e5bca35bf520b1f624b9bf Mon Sep 17 00:00:00 2001
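Review bot: In the second Gemfile hunk `kitchen-puppet` now tracks `branch: 'master'` on a third-party repository; Gemfile.lock pins revision b8e7579962629b9b3c110d4569da0031a12df47d so installs stay reproducible, but each `bundle update` will silently take whatever that branch contains at the time. The lockfile hunk also shows the `github:` shorthand resolving to `remote: git://github.com/neillturner/kitchen-puppet.git`, an unencrypted and unauthenticated transport for the fetch. Prefer an explicit https remote pinned to the reviewed commit, `gem 'kitchen-puppet', git: 'https://github.com/neillturner/kitchen-puppet.git', ref: 'b8e7579962629b9b3c110d4569da0031a12df47d'`, and switch to the released gem once the merged contributions are published.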
From: Ben Langfeld Date: Wed, 14 May 2014 18:09:35 +0100 Subject: [PATCH 24/85] Test on Debian and CentOS Will fail on CentOS pending RTC or https://github.com/torian/puppet-ldap/pull/28/files --- .kitchen.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.kitchen.yml b/.kitchen.yml index 9a1f623..37d0817 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -10,7 +10,11 @@ provisioner: puppet_debug: true platforms: + - name: debian-6.0.8 + - name: debian-7.2.0 - name: ubuntu-12.04 + - name: ubuntu-14.04 + - name: centos-6.4 suites: - name: master From 724413fd52142783c0679a1126300fefe5e3e408 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Wed, 14 May 2014 19:27:14 +0100 Subject: [PATCH 25/85] Integration tests should take platform differences into account --- .../master/serverspec/slapd_spec.rb | 22 +++++++++++++------ .../slave/serverspec/slapd_spec.rb | 22 +++++++++++++------ 2 files changed, 30 insertions(+), 14 deletions(-) diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 07e9bc6..fa3be6f 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -69,10 +69,10 @@ # DB performance tweaks are set describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbConfig') do [ - 'set_cachesize 0 2097152 0', - 'set_lk_max_objects 1500', - 'set_lk_max_locks 1500', - 'set_lk_max_lockers 1500', + 'set_cachesize\s*0 2097152 0', + 'set_lk_max_objects\s*1500', + 'set_lk_max_locks\s*1500', + 'set_lk_max_lockers\s*1500', ].each do |tweak| it { should return_stdout /#{tweak}/ } end 
@@ -126,9 +126,17 @@
 # TLS
 describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)"') do
- it { should return_stdout %r{olcTLSCACertificateFile: /etc/ssl/certs/ca\.pem} }
- it { should return_stdout %r{olcTLSCertificateFile: /etc/ssl/certs/master-ldap\.pem} }
- it { should return_stdout %r{olcTLSCertificateKeyFile: /etc/ssl/certs/master-ldap\.key} }
+ let(:cert_path) do
+ case os[:family]
+ when 'RedHat'
+ '/etc/openldap/certs'
+ when 'Debian'
+ '/etc/ssl/certs'
+ end
+ end
+ it { should return_stdout %r{olcTLSCACertificateFile: #{cert_path}/ca\.pem} }
+ it { should return_stdout %r{olcTLSCertificateFile: #{cert_path}/master-ldap\.pem} }
+ it { should return_stdout %r{olcTLSCertificateKeyFile: #{cert_path}/master-ldap\.key} }
 end
 describe command('ldapwhoami -H ldaps:/// -x -D cn=admin,dc=foo,dc=bar -w password') do
 it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ }
diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb
index 74165a5..14810e6 100644
--- a/test/integration/slave/serverspec/slapd_spec.rb
+++ b/test/integration/slave/serverspec/slapd_spec.rb
@@ -69,10 +69,10 @@
 # DB performance tweaks are set
 describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbConfig') do
 [
- 'set_cachesize 0 2097152 0',
- 'set_lk_max_objects 1500',
- 'set_lk_max_locks 1500',
- 'set_lk_max_lockers 1500',
+ 'set_cachesize\s*0 2097152 0',
+ 'set_lk_max_objects\s*1500',
+ 'set_lk_max_locks\s*1500',
+ 'set_lk_max_lockers\s*1500',
 ].each do |tweak|
 it { should return_stdout /#{tweak}/ }
 end
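Review bot: `let(:cert_path)` in this hunk has no `else` branch, so on any `os[:family]` other than RedHat or Debian it returns nil and the three expectations interpolate to paths like `olcTLSCACertificateFile: /ca\.pem`, which fail with a message that reads as a TLS misconfiguration rather than an unsupported platform (a later commit in this series adds 'Ubuntu' to the second branch, presumably after hitting exactly that). An explicit `else raise "unsupported os family: #{os[:family]}"` makes the gap visible immediately. The identical `@@ -126,9 +126,17 @@` hunk in test/integration/slave/serverspec/slapd_spec.rb has the same issue; the enclosing `describe` block starts outside the hunk.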
@@ -126,9 +126,17 @@
 # TLS
 describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)"') do
- it { should return_stdout %r{olcTLSCACertificateFile: /etc/ssl/certs/ca\.pem} }
- it { should return_stdout %r{olcTLSCertificateFile: /etc/ssl/certs/master-ldap\.pem} }
- it { should return_stdout %r{olcTLSCertificateKeyFile: /etc/ssl/certs/master-ldap\.key} }
+ let(:cert_path) do
+ case os[:family]
+ when 'RedHat'
+ '/etc/openldap/certs'
+ when 'Debian'
+ '/etc/ssl/certs'
+ end
+ end
+ it { should return_stdout %r{olcTLSCACertificateFile: #{cert_path}/ca\.pem} }
+ it { should return_stdout %r{olcTLSCertificateFile: #{cert_path}/master-ldap\.pem} }
+ it { should return_stdout %r{olcTLSCertificateKeyFile: #{cert_path}/master-ldap\.key} }
 end
 describe command('ldapwhoami -H ldaps:/// -x -D cn=admin,dc=foo,dc=bar -w password') do
 it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ }
From d6cc4cbe0ac2ad1edff73859033f23aa24c9be6d Mon Sep 17 00:00:00 2001
From: Ben Langfeld
Date: Wed, 14 May 2014 19:27:28 +0100
Subject: [PATCH 26/85] Always load back_bdb module
---
 manifests/params.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/params.pp b/manifests/params.pp
index eb0c266..467790a 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -161,7 +161,7 @@ default : { $schema_base = [ 'core', 'cosine', 'nis', 'inetorgperson', ] - $modules_base = [ ] + $modules_base = [ 'back_bdb' ] } }
From eab56fdcff847a9c941edefcdce32f3babd4b8a4 Mon Sep 17 00:00:00 2001
From: Ben Langfeld
Date: Wed, 14 May 2014 19:48:35 +0100
Subject: [PATCH 27/85] Ubuntu 14.04 has problems installing Puppet
---
 .kitchen.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.kitchen.yml b/.kitchen.yml
index 37d0817..f677d66 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -13,7 +13,6 @@ platforms:
 - name: debian-6.0.8
 - name: debian-7.2.0
 - name: ubuntu-12.04
- - name: ubuntu-14.04
 - name: centos-6.4
 suites:
From 94f3202481a04ee899f0a03d212a6ae57c1739c4 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Wed, 14 May 2014 22:24:33 +0100 Subject: [PATCH 28/85] Debian and Ubuntu store certs in the same place --- test/integration/master/serverspec/slapd_spec.rb | 2 +- test/integration/slave/serverspec/slapd_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index fa3be6f..efc527c 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -130,7 +130,7 @@ case os[:family] when 'RedHat' '/etc/openldap/certs' - when 'Debian' + when 'Debian', 'Ubuntu' '/etc/ssl/certs' end end diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index 14810e6..7fb7bbf 100644 --- a/test/integration/slave/serverspec/slapd_spec.rb +++ b/test/integration/slave/serverspec/slapd_spec.rb @@ -130,7 +130,7 @@ case os[:family] when 'RedHat' '/etc/openldap/certs' - when 'Debian' + when 'Debian', 'Ubuntu' '/etc/ssl/certs' end end From 547f7afdeec7498960dc2fb0bf0e736cd37449ba Mon Sep 17 00:00:00 2001 
From: Ben Langfeld Date: Wed, 14 May 2014 22:27:57 +0100 Subject: [PATCH 29/85] First pass at running without a config file The strategy here is to populate cn=config from the config file, but not to utilise it at runtime. Here's the background: You have to let Debian manage the initial slapd config, because it attempts to start the daemon after package installation, which fails if configuration is not present. This failure breaks the rest of the Puppet run. If slapd.d exists when the slaptest command is run to convert slapd.conf to slapd.d, no actual conversion takes place. Because you now have a wrong configuration and a started slapd, you now have a wrong database. Both the slapd.d configuration and the /var/lib/ldap data must be purged before any new records can be added. There's ONE BIG HUGE CAVEAT DANGER DANGER WARNING here that I've not yet figured out: when slapd.conf changes, it triggers a reset of slapd.d, which in turn wipes out the LDAP database. We can't go to production like this, obviously, but we can get a dev environment up and running. --- manifests/server/master.pp | 29 +++++++++++++++++++++++++---- templates/etc/default/slapd.erb | 2 +- templates/slapd.seed.erb | 20 ++++++++++++++++++++ 3 files changed, 46 insertions(+), 5 deletions(-) create mode 100644 templates/slapd.seed.erb diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 82c5565..490e9ae 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp 
@@ -146,8 +146,22 @@
 motd::register { 'ldap::server::master': }
 }
+ file { ['/var/cache/local', '/var/cache/local/preseeding']:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ }
+
+ file { "/var/cache/local/preseeding/slapd.seed":
+ ensure => present,
+ content => template("ldap/slapd.seed.erb"),
+ owner => 'root',
+ group => 'root',
+ }
+
 package { $ldap::params::server_package:
- ensure => $ensure
+ ensure => $ensure,
+ responsefile => "/var/cache/local/preseeding/slapd.seed",
 }
 service { $ldap::params::service:
@@ -156,8 +170,8 @@
 pattern => $ldap::params::server_pattern,
 require => [
 Package[$ldap::params::server_package],
- File["${ldap::params::prefix}/${ldap::params::server_config}"],
- ]
+ Exec['slapd-config-convert'],
+ ],
 }
 if (!empty($cnconfig_attrs)) {
@@ -185,7 +199,7 @@
 file { "${ldap::params::prefix}/${ldap::params::server_config}":
 ensure => $ensure,
 content => template("ldap/${ldap::params::prefix}/${ldap::params::server_config}.erb"),
- notify => Service[$ldap::params::service],
+ notify => Exec['slapd-config-convert'],
 require => $ssl ? {
 false => [
 Package[$ldap::params::server_package],
@@ -199,6 +213,13 @@
 }
 }
+ exec { "slapd-config-convert":
+ command => "/bin/sh -c 'rm -rf ${ldap::params::prefix}/slapd.d/* && rm -rf ${ldap::params::db_prefix}/* && /usr/sbin/slaptest -n 0 -f ${ldap::params::prefix}/${ldap::params::server_config} -F ${ldap::params::prefix}/slapd.d/ && /bin/chown -R ${ldap::params::server_owner}:${ldap::params::server_group} ${ldap::params::prefix}/slapd.d'",
+ refreshonly => true,
+ notify => Service[$ldap::params::service],
+ user => $ldap::params::server_owner,
+ }
+
 $msg_prefix = 'SSL enabled. You must specify'
 $msg_suffix = '(filename). It should be located at puppet:///files/ldap'
diff --git a/templates/etc/default/slapd.erb b/templates/etc/default/slapd.erb
index ab7f902..dc5cf48 100644
--- a/templates/etc/default/slapd.erb
+++ b/templates/etc/default/slapd.erb
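Review bot: The `file` resource for /var/cache/local/preseeding/slapd.seed in the first hunk sets owner and group but no `mode`, and the template it renders carries the debconf password answers for slapd, so the file is likely left readable by every local user under Puppet's default mode. Adding `mode => '0600',` to that resource keeps the seed readable only by the root-run package installer that consumes it through `responsefile`. The directory resource in the same hunk could carry a restrictive mode as well. The enclosing class starts outside the hunk.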
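Review bot: The `slapd-config-convert` exec in the last hunk runs `rm -rf ${ldap::params::prefix}/slapd.d/*` and `rm -rf ${ldap::params::db_prefix}/*` with no guard on the interpolated values; an unset or empty parameter expands to `rm -rf /*`, and the command runs as `$ldap::params::server_owner`, so the damage is bounded only by that account's permissions. Validating both paths before declaring the exec, e.g. `validate_absolute_path($ldap::params::db_prefix)` from the stdlib module this module already depends on, fails the run instead of deleting the wrong tree. The commit message already notes that the exec also wipes the directory database on every slapd.conf change; that should be stated in a comment on the resource, `# Rebuilds slapd.d from slapd.conf and DESTROYS the existing database; see commit message`, until a non-destructive path exists.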
@@ -1,7 +1,7 @@
 # Default location of the slapd.conf file or slapd.d cn=config directory. If
 # empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
 # /etc/ldap/slapd.conf).
-SLAPD_CONF=/etc/ldap/slapd.conf
+#SLAPD_CONF=/etc/ldap/slapd.conf
 # System account to run the slapd server under. If empty the server
 # will run as root.
diff --git a/templates/slapd.seed.erb b/templates/slapd.seed.erb
new file mode 100644
index 0000000..2351c04
--- /dev/null
+++ b/templates/slapd.seed.erb
@@ -0,0 +1,20 @@
+slapd slapd/password1 password
+slapd slapd/internal/adminpw password
+slapd slapd/password2 password
+slapd slapd/allow_ldap_v2 boolean false
+slapd slapd/password_mismatch note
+slapd slapd/suffix_change boolean false
+slapd slapd/fix_directory boolean true
+slapd slapd/invalid_config boolean true
+slapd slapd/slave_databases_require_updateref note
+slapd shared/organization string monkey
+slapd slapd/upgrade_slapcat_failure note
+slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+slapd slapd/autoconf_modules boolean true
+slapd slapd/purge_database boolean false
+slapd slapd/backend select BDB
+slapd slapd/no_configuration boolean false
+slapd slapd/migrate_ldbm_to_bdb boolean true
+slapd slapd/move_old_database boolean true
+slapd slapd/dump_database select when needed
+slapd slapd/upgrade_slapadd_failure note
From 07ba59c072da25e12abfd44b5f5709d795f76d65 Mon Sep 17 00:00:00 2001
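Review bot: The three password answers in the new slapd.seed.erb template (`slapd/password1`, `slapd/internal/adminpw`, `slapd/password2`) are the literal `password`, although the class already takes a `rootpw` parameter that the test manifests set; rendering `<%= @rootpw %>` would keep the two in step, assuming the template is evaluated in the class scope the way the existing slapd.conf.erb reads `@ssl` and `@modules_inc`. If the initial password is intentionally disposable because the convert exec purges the database right after installation, a leading comment in the template saying so, `<%# Preseed answers consumed once by the Debian package; the database is rebuil­t from slapd.conf afterwards %>`, would stop readers from treating it as the effective admin password. `shared/organization string monkey` deserves the same comment.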
From: Ben Langfeld Date: Thu, 15 May 2014 10:03:51 +0100 Subject: [PATCH 30/85] Absorb ldapdn type/provider for directory manipulation From https://github.com/gtmtechltd/puppet_ldapdn, which is unreleased on the forge and specifies copyright-free --- README.md | 93 ++++++++ lib/puppet/provider/ldapdn/ldapdn.rb | 206 ++++++++++++++++++ lib/puppet/type/ldapdn.rb | 47 ++++ puppet/master/manifests/site.pp | 10 + .../master/serverspec/slapd_spec.rb | 5 + 5 files changed, 361 insertions(+) create mode 100644 lib/puppet/provider/ldapdn/ldapdn.rb create mode 100644 lib/puppet/type/ldapdn.rb diff --git a/README.md b/README.md index 152cb63..c3e268d 100644 --- a/README.md +++ b/README.md 
@@ -109,6 +109,99 @@ Configure an OpenLdap slave: ], } +### Directory updates + +This module includes a puppet type and provider that aims to simply managing ldap entries via ldapmodify and ldapadd commands. + +In essence the mechanism it uses is described as follows: + +* Translate the puppet "ldapdn" resource into an in-memory ldif +* ldapsearch the existing dn to verify the current contents (if any) +* compare the results of the search with what should be the case +* work out which add/modify/delete commands are required to get to the desired state +* write out an appropriate ldif file +* execute it via an ldapmodify statement. + +Examples of usage are as follows: + +First you might like to set a root password: + +```puppet +ldapdn { "add manager password": + dn => "olcDatabase={2}bdb,cn=config", + attributes => ["olcRootPW: password"], + unique_attributes => ["olcRootPW"], + ensure => present, +} +``` + +`attributes` sets the attributes that you wish to set (be sure to separate key and value with ). +`unique_attributes` can be used to specify the behaviour of `ldapmodify` when there is an existing attribute with this name. If the attribute key is specified here, then `ldapmodify` will issue a replace, replacing the existing value (if any), whereas if the attribute key is not specified here, then `ldapmodify` will simply ensure the attribute exists with the value required, alongside other values if also specified (e.g. for `objectClass`). + +```puppet +$organizational_units = ["Groups", "People", "Programs"] +ldap::add_organizational_unit { $organizational_units: } + +define ldap::add_organizational_unit () { + ldapdn { "ou ${name}": + dn => "ou=${name},dc=example,dc=com", + attributes => [ "ou: ${name}", + "objectClass: organizationalUnit" ], + unique_attributes => ["ou"], + ensure => present, + } +} +``` + +In the above example, multiple groups are created. 
Notice in each case, that `objectClass` does not form part of the `unique_attributes`, so that (in future) more `objectClasses` may be added to each ou, without them being replaced. + +By default, all ldap commands are issued with the `-QY EXTERNAL` SASL auth mechanism. + +Here is how you can create a database in the first place: + +```puppet +ldapdn { "add database": + dn => "dc=example,dc=com", + attributes => ["dc: example", + "objectClass: top", + "objectClass: dcObject", + "objectClass: organization", + "o: example.com"], + unique_attributes => ["dc", "o"], + ensure => present +} +``` + +Additionally, you may need to specify alternative authentication options when managing resources: + +```puppet +ldapdn { "add database": + dn => "dc=example,dc=com", + attributes => ["dc: example", + "objectClass: top", + "objectClass: dcObject", + "objectClass: organization", + "o: example.com"], + unique_attributes => ["dc", "o"], + ensure => present, + auth_opts => ["-xD", "cn=admin,dc=example,dc=com", "-w", "somePassword"], +} +``` + +Sometimes you will want to ensure an attribute exists, but wont care about its subsequent value. An example of this is a password. + +```puppet +ldapdn { "add password": + dn => "cn=Geoff,ou=Staff,dc=example,dc=com", + attributes => ["olcUserPassword: {SSHA}somehash..."], + unique_attributes => ["olcUserPassword"], + indifferent_attributes => ["olcUserPassword"], + ensure => present +} +``` + +By specifying `indifferent_attributes, ensure => present` will ensure that if the key doesn't exist, it will create it with the desired password hash, but if the key does exist, it won't bother replacing it again. In this way you can keep passwords managed by something like phpldapadmin if you so wish. + Notes ----- diff --git a/lib/puppet/provider/ldapdn/ldapdn.rb b/lib/puppet/provider/ldapdn/ldapdn.rb new file mode 100644 index 0000000..db4e1a6 --- /dev/null +++ b/lib/puppet/provider/ldapdn/ldapdn.rb 
@@ -0,0 +1,206 @@ +require 'puppet/provider' +require 'tempfile' + +Puppet::Type.type(:ldapdn).provide :ldapdn do + desc "" + + commands :ldapmodifycmd => "/usr/bin/ldapmodify" + commands :ldapaddcmd => "/usr/bin/ldapadd" + commands :ldapsearchcmd => "/usr/bin/ldapsearch" + + def create + ldap_apply_work + end + + def destroy + ldap_apply_work + end + + def exists? + @work_to_do = ldap_work_to_do(parse_attributes) + + # This is a bit of a butchery of an exists? method which is designed to return yes or no, + # Whereas we are editing a multi-faceted record, and it might be in a semi-desired state. + # However, as I want to still use the ensure param, I will have to live within its rules + + if @work_to_do.empty? + true if resource[:ensure] == :present + false if resource[:ensure] == :absent + else + false if resource[:ensure] == :present + true if resource[:ensure] == :absent + end + end + + def parse_attributes + ldap_attributes = {} + Array(resource[:attributes]).each do |asserted_attribute| + key,value = asserted_attribute.split(':', 2) + ldap_attributes[key] = [] if ldap_attributes[key].nil? + ldap_attributes[key] << value.strip! 
+ end + ldap_attributes + end + + def ldap_apply_work + @work_to_do.each do |modify_type, modifications| + modify_record = [] + modify_record << "dn: #{resource[:dn]}" + + modify_record << "changetype: modify" if modify_type == :ldapmodify + + modifications.each do |attribute, instructions| + add_type="add" + instructions.each do |instruction| + case instruction.first + when :add + modify_record << "add: #{attribute}" if add_type == "add" and modify_type == :ldapmodify + modify_record << "#{attribute}: #{instruction.last}" + modify_record << "-" if modify_type == :ldapmodify + when :delete + modify_record << "delete: #{attribute}" + modify_record << "-" + when :replace + modify_record << "replace: #{attribute}" if add_type == "add" + add_type = "replace" + end + end + end + + ldif = Tempfile.open("ldap_apply_work") + ldif_file = ldif.path + ldif.write modify_record.join("\n") + ldif.close + + cmd = case modify_type + when :ldapmodify + :ldapmodifycmd + when :ldapadd + :ldapaddcmd + end + + begin + command = [command(cmd), "-H", "ldapi:///", "-d", "0", "-f", ldif_file] + command += resource[:auth_opts] || ["-QY", "EXTERNAL"] + Puppet.debug("\n\n" + File.open(ldif_file, 'r') { |file| file.read }) + output = execute(command) + Puppet.debug(output) + rescue Puppet::ExecutionFailure => ex + raise Puppet::Error, "Ldap Modify Error:\n\n#{modify_record.join("\n")}\n\nError details:\n#{ex.message}" + end + end + end + + def ldap_work_to_do(asserted_attributes) + command = [command(:ldapsearchcmd), "-H", "ldapi:///", "-b", resource[:dn], "-s", "base", "-LLL", "-d", "0"] + command += resource[:auth_opts] || ["-QY", "EXTERNAL"] + begin + ldapsearch_output = execute(command) + Puppet.debug("ldapdn >>\n#{to_json2(asserted_attributes)}") + Puppet.debug("ldapsearch >>\n#{ldapsearch_output}") + rescue Puppet::ExecutionFailure => ex + if ex.message.scan '/No such object (32)/' + Puppet.debug("Could not find object: #{resource[:dn]}") + return {} if resource[:ensure] == :absent + 
work_to_do = {} + asserted_attributes.each do |asserted_key, asserted_values| + key_work_to_do = [] + asserted_values.each do |asserted_value| + key_work_to_do << [ :add, asserted_value ] + end + work_to_do[asserted_key] = key_work_to_do + end + Puppet.debug("WorkToDo: { :ldapadd => #{work_to_do}}") + return { :ldapadd => work_to_do } + else + raise ex + end + end + + unique_attributes = resource[:unique_attributes] + unique_attributes = [] if unique_attributes.nil? + + indifferent_attributes = resource[:indifferent_attributes] + indifferent_attributes = [] if indifferent_attributes.nil? + + work_to_do = {} + found_attributes = {} + found_keys = [] + + asserted_attributes.each do |asserted_key, asserted_value| + work_to_do[asserted_key] = [] + found_attributes[asserted_key] = [] + end + + ldapsearch_output.split(/\r?\n(?!\s)/).each do |line| + line.gsub!(/[\r\n] /, '') + line.gsub!(/\r?\n?$/, '') + current_key,current_value = line.split(/:+ /, 2) + found_keys << current_key + if asserted_attributes.key?(current_key) + Puppet.debug("search() #{current_key}: #{current_value}") + same_as_an_asserted_value = false + asserted_attributes[current_key].each do |asserted_value| + Puppet.debug("check() #{current_key}: #{current_value} <===> #{current_key}: #{asserted_value}") + same_as_an_asserted_value = true if asserted_value == current_value + same_as_an_asserted_value = true if asserted_value.clone.gsub(/^\{.*?\}/, "") == current_value.clone.gsub(/^\{.*?\}/, "") + end + if same_as_an_asserted_value + Puppet.debug("asserted and found: #{current_key}: #{current_value}") + work_to_do[current_key] << [ :delete ] if resource[:ensure] == :absent + found_attributes[current_key] << current_value.clone.gsub(/^\{.*?\}/, "") + else + Puppet.debug("not asserted: #{current_key}: #{current_value}") + work_to_do[current_key] << [ :replace ] if resource[:ensure] == :present \ + and unique_attributes.include?(current_key) \ + and !indifferent_attributes.include?(current_key) + end + end 
+ end + + asserted_attributes.each do |asserted_key, asserted_values| + asserted_values.each do |asserted_value| + Puppet.debug("assert() #{asserted_key}: #{asserted_value}") + + if resource[:ensure] == :present + work_to_do[asserted_key] << [ :add, asserted_value ] unless found_attributes[ asserted_key ].include?(asserted_value.clone.gsub(/^\{.*?\}/, "")) \ + or (found_keys.include?(asserted_key) and indifferent_attributes.include?(asserted_key)) + end + end + end + + work_to_do.delete_if {|key, operations| operations.empty?} + + if work_to_do.empty? + Puppet.debug("conclusion: nothing to do") + {} + else + Puppet.debug("conclusion: work to do: #{to_json2(work_to_do)}") + { :ldapmodify => work_to_do } + end + end + + def to_json2(stringin) + case stringin.class.to_s + when "String" + return "'" + stringin + "'" + when "Array" + x = [] + stringin.each do |term| + x << to_json2(term) + end + return "[ " + x.join(', ') + " ]" + when "Hash" + x = [] + stringin.each do |key, value| + x << [to_json2(key), to_json2(value)] + end + return "{ " + x.collect {|k| k.first.to_s + " => " + k.last.to_s}.join(', ') + " }" + when "Symbol" + return ":" + stringin.to_s + else + return "!OBJ(" + stringin.class.to_s + ":" + stringin.to_s + ")" + end + return "" + end +end diff --git a/lib/puppet/type/ldapdn.rb b/lib/puppet/type/ldapdn.rb new file mode 100644 index 0000000..7cf7f41 --- /dev/null +++ b/lib/puppet/type/ldapdn.rb 
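Review bot: `ex.message.scan '/No such object (32)/'` in `ldap_work_to_do` passes a String rather than a Regexp, so `scan` looks for the literal text including the slashes, returns an Array that is always truthy, and every ldapsearch failure (bad credentials, server down, wrong base) is treated as "entry missing" and followed by an `ldapadd`; use `if ex.message.include?('No such object (32)')` (or `=~ /No such object \(32\)/`). In `parse_attributes`, `ldap_attributes[key] << value.strip!` pushes `nil` whenever the value has no surrounding whitespace (`strip!` returns nil on no change) and raises `NoMethodError` on a line without `:`; `value.to_s.strip` avoids both. In `ldap_apply_work` the full LDIF is written to the debug log, copied into the `Puppet::Error` message on failure, and left on disk because the `Tempfile` is closed but never `unlink`ed, which matters since the README in this same commit feeds `olcRootPW` and `-w <password>` through this path; log only attribute names and call `ldif.unlink` in an `ensure`. The `scan` line survives unchanged as context in PATCH 31's `@@ -96,7 +96,7 @@` hunk.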
@@ -0,0 +1,47 @@
+Puppet::Type.newtype :ldapdn do
+ ensurable do
+ newvalue :present do
+ provider.create
+ end
+
+ newvalue :absent do
+ provider.destroy
+ end
+
+ defaultto :present
+ end
+
+ autorequire(:service) do
+ %w{ldap slapd}
+ end
+
+ @doc = "This type provides the capability to manage LDAP DN entries."
+
+ newparam :name do
+ desc "The canonical name of the rule."
+
+ isnamevar
+
+ newvalues(/^.*$/)
+ end
+
+ newparam :attributes, :array_matching => :all do
+ desc "Specify the attribute you want to ldapmodify"
+ end
+
+ newparam :unique_attributes, :array_matching => :all do
+ desc "Specify the attribute that are unique in the dn"
+ end
+
+ newparam :indifferent_attributes, :array_matching => :all do
+ desc "Specify the attributes you dont care about their subsequent values (e.g. passwords)"
+ end
+
+ newparam :dn do
+ desc "Specify the value of the attribute you want to ldapmodify"
+ end
+
+ newparam :auth_opts do
+ desc "Specify the options passed to ldapadd/ldapmodify for authentication. Defaults to -QY EXTERNAL."
+ end
+end
diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp
index 0da6499..bdd39c3 100644
--- a/puppet/master/manifests/site.pp
+++ b/puppet/master/manifests/site.pp
@@ -18,3 +18,13 @@
 ssl_cert => 'master-ldap.pem',
 ssl_key => 'master-ldap.key',
 }
+
+ldapdn { "ou users":
+ dn => "ou=users,dc=foo,dc=bar",
+ attributes => [
+ 'ou: users',
+ 'objectClass: organizationalUnit'
+ ],
+ unique_attributes => ["ou"],
+ ensure => present,
+}
diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb
index efc527c..1288bdd 100644
--- a/test/integration/master/serverspec/slapd_spec.rb
+++ b/test/integration/master/serverspec/slapd_spec.rb
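Review bot: `newparam :dn` is optional in this type, yet the provider builds every ldapsearch/ldapmodify invocation from `resource[:dn]`, so a resource that omits it fails only at apply time with an unhelpful `-b` error from ldapsearch; add a type-level check, e.g. `validate do raise ArgumentError, "ldapdn requires a dn" unless self[:dn] end`. `newvalues(/^.*$/)` on `:name` accepts every value and can be dropped, and the desc "The canonical name of the rule." does not describe this type; "The resource title; the entry is identified by `dn`, not by this name." would. The `:auth_opts` desc states a default of `-QY EXTERNAL`, but there is no `defaultto` here and the fallback lives in the provider, which is worth saying in the desc so readers do not look for it in the type.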
@@ -141,4 +141,9 @@ describe command('ldapwhoami -H ldaps:/// -x -D cn=admin,dc=foo,dc=bar -w password') do it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ } end + + # Directory can be manipulated by ldapdn resources + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b "ou=users,dc=foo,dc=bar" "(objectClass=organizationalUnit)"') do + it { should return_stdout /ou: users/ } + end end From e02d381e453ea823b9819e3d32260505d18e1feb Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Thu, 15 May 2014 10:19:06 +0100 Subject: [PATCH 31/85] Simplification of ldapdn provider --- lib/puppet/provider/ldapdn/ldapdn.rb | 48 +++++++--------------------- 1 file changed, 12 insertions(+), 36 deletions(-) diff --git a/lib/puppet/provider/ldapdn/ldapdn.rb b/lib/puppet/provider/ldapdn/ldapdn.rb index db4e1a6..ebe4d63 100644 --- a/lib/puppet/provider/ldapdn/ldapdn.rb +++ b/lib/puppet/provider/ldapdn/ldapdn.rb @@ -22,13 +22,11 @@ def exists? # This is a bit of a butchery of an exists? method which is designed to return yes or no, # Whereas we are editing a multi-faceted record, and it might be in a semi-desired state. # However, as I want to still use the ensure param, I will have to live within its rules - - if @work_to_do.empty? - true if resource[:ensure] == :present - false if resource[:ensure] == :absent - else - false if resource[:ensure] == :present - true if resource[:ensure] == :absent + case resource[:ensure] + when :present + @work_to_do.empty? + when :absent + !@work_to_do.empty? end end 
@@ -50,11 +48,13 @@ def ldap_apply_work modify_record << "changetype: modify" if modify_type == :ldapmodify modifications.each do |attribute, instructions| - add_type="add" + add_type = "add" instructions.each do |instruction| case instruction.first when :add - modify_record << "add: #{attribute}" if add_type == "add" and modify_type == :ldapmodify + if add_type == "add" and modify_type == :ldapmodify + modify_record << "add: #{attribute}" + end modify_record << "#{attribute}: #{instruction.last}" modify_record << "-" if modify_type == :ldapmodify when :delete @@ -96,7 +96,7 @@ def ldap_work_to_do(asserted_attributes) command += resource[:auth_opts] || ["-QY", "EXTERNAL"] begin ldapsearch_output = execute(command) - Puppet.debug("ldapdn >>\n#{to_json2(asserted_attributes)}") + Puppet.debug("ldapdn >>\n#{asserted_attributes.inspect}") Puppet.debug("ldapsearch >>\n#{ldapsearch_output}") rescue Puppet::ExecutionFailure => ex if ex.message.scan '/No such object (32)/' @@ -169,38 +169,14 @@ def ldap_work_to_do(asserted_attributes) end end - work_to_do.delete_if {|key, operations| operations.empty?} + work_to_do.delete_if { |key, operations| operations.empty? } if work_to_do.empty? Puppet.debug("conclusion: nothing to do") {} else - Puppet.debug("conclusion: work to do: #{to_json2(work_to_do)}") + Puppet.debug("conclusion: work to do: #{work_to_do.inspect}") { :ldapmodify => work_to_do } end end - - def to_json2(stringin) - case stringin.class.to_s - when "String" - return "'" + stringin + "'" - when "Array" - x = [] - stringin.each do |term| - x << to_json2(term) - end - return "[ " + x.join(', ') + " ]" - when "Hash" - x = [] - stringin.each do |key, value| - x << [to_json2(key), to_json2(value)] - end - return "{ " + x.collect {|k| k.first.to_s + " => " + k.last.to_s}.join(', ') + " }" - when "Symbol" - return ":" + stringin.to_s - else - return "!OBJ(" + stringin.class.to_s + ":" + stringin.to_s + ")" - end - return "" - end end 
From 0653534759597f66685a63411e33b506ff2305f2 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Thu, 15 May 2014 10:36:48 +0100 Subject: [PATCH 32/85] Use ldapdn type for specifying individual config options cnconfig_attrs was changed from a Hash to an Array, since keys may have multiple values in LDAP and this is the least-friction method of specification for those familiar with writing LDIFs. This also obviated the dependency on stdlib, since we no longer need to check if cnconfig_attrs is empty. --- Modulefile | 3 -- Puppetfile.lock | 6 ---- manifests/init.pp | 1 - manifests/server/master.pp | 26 ++++++----------- manifests/server/slave.pp | 27 ++++++----------- puppet/master/manifests/site.pp | 29 ++++++++++--------- templates/etc/ldap/slapd.d | 1 - .../slapd.d/cn=config-update.ldif.erb | 16 ---------- .../master/serverspec/slapd_spec.rb | 5 ++++ 9 files changed, 38 insertions(+), 76 deletions(-) delete mode 120000 templates/etc/ldap/slapd.d delete mode 100644 templates/etc/openldap/slapd.d/cn=config-update.ldif.erb diff --git a/Modulefile b/Modulefile index 0cd678e..8338cd9 100644 --- a/Modulefile +++ b/Modulefile @@ -6,6 +6,3 @@ license 'GPL v2' summary 'OpenLDAP module for Puppet.' description 'Manage OpenLDAP clients and server via Puppet' project_page 'https://github.com/torian/puppet-ldap' - -# Dependency -dependency 'puppetlabs/stdlib', '~> 3.0' diff --git a/Puppetfile.lock b/Puppetfile.lock index ef479ae..51949ef 100644 --- a/Puppetfile.lock +++ b/Puppetfile.lock @@ -1,8 +1,2 @@ -FORGE - remote: https://forge.puppetlabs.com - specs: - puppetlabs/stdlib (3.2.1) - DEPENDENCIES - puppetlabs/stdlib (~> 3.0) diff --git a/manifests/init.pp b/manifests/init.pp index 8793ea8..72a306d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -39,7 +39,6 @@ # class ldap($ensure = present) { - include stdlib include ldap::params package { $ldap::params::package : diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 490e9ae..ff7db7f 100644 
--- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -32,8 +32,9 @@ # # [cnconfig_attrs] # Default cn=config attributes that needs to be changed -# upon runs -# *Optional* (defaults to {}) +# upon runs. An array of attributes as key-value pairs. +# eg. ['olcConcurrency: 1'] +# *Optional* (defaults to []) # # [log_level] # @@ -126,7 +127,7 @@ $schema_inc = [], $modules_inc = [], $index_inc = [], - $cnconfig_attrs = {}, + $cnconfig_attrs = [], $log_level = '0', $bind_anon = true, $ssl = false, @@ -174,20 +175,11 @@ ], } - if (!empty($cnconfig_attrs)) { - - $cnconfig_default_attrs = $ldap::params::cnconfig_default_attrs - - file {"${ldap::params::prefix}/slapd.d/cn=config-update.ldif": - ensure => present, - content => template("ldap/${ldap::params::prefix}/slapd.d/cn=config-update.ldif.erb"), - require => Service[$ldap::params::service], - } - - exec{"/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f ${ldap::params::prefix}/slapd.d/cn=config-update.ldif && rm -f ${ldap::params::prefix}/slapd.d/cn=config-update.ldif": - require => File["${ldap::params::prefix}/slapd.d/cn=config-update.ldif"], - } - + ldapdn { "cnconfig_attrs": + dn => "cn=config", + attributes => $cnconfig_attrs, + unique_attributes => $ldap::params::cnconfig_default_attrs, + ensure => present, } File { diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index 3d49c19..eee1e79 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -66,8 +66,9 @@ # # [cnconfig_attrs] # Default cn=config attributes that needs to be changed -# upon runs -# *Optional* (defaults to {}) +# upon runs. An array of attributes as key-value pairs. +# eg. ['olcConcurrency: 1'] +# *Optional* (defaults to []) # # [log_level] # OpenLdap server log level. @@ -176,7 +177,7 @@ $schema_inc = [], $modules_inc = [], $index_inc = [], - $cnconfig_attrs = {}, + $cnconfig_attrs = [], $log_level = '0', $bind_anon = true, $ssl = false, 
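Review bot: The template being replaced turned an empty value into `delete: <key>`, whereas the new `ldapdn { "cnconfig_attrs": ... ensure => present }` only adds or replaces, so a `cnconfig_attrs` entry with an empty value is now pushed through as an add/replace with an empty value rather than removing the attribute; either state in the `[cnconfig_attrs]` comment that removal is no longer supported or reject such entries. Ordering against the running server is no longer explicit (the removed `file` carried `require => Service[$ldap::params::service]`), and the type's `autorequire(:service)` only matches resources titled `ldap` or `slapd`, so if `$ldap::params::service` is anything else the resource needs `require => Service[$ldap::params::service],`. The identical block in slave.pp (`@@ -212,21 +213,11 @@`) has the same two gaps.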
@@ -212,21 +213,11 @@ ] } - - if (!empty($cnconfig_attrs)) { - - $cnconfig_default_attrs = $ldap::params::cnconfig_default_attrs - - file {"${ldap::params::prefix}/slapd.d/cn=config-update.ldif": - ensure => present, - content => template("ldap/${ldap::params::prefix}/slapd.d/cn=config-update.ldif.erb"), - require => Service[$ldap::params::service], - } - - exec{"/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f ${ldap::params::prefix}/slapd.d/cn=config-update.ldif && rm -f ${ldap::params::prefix}/slapd.d/cn=config-update.ldif": - require => File["${ldap::params::prefix}/slapd.d/cn=config-update.ldif"], - } - + ldapdn { "cnconfig_attrs": + dn => "cn=config", + attributes => $cnconfig_attrs, + unique_attributes => $ldap::params::cnconfig_default_attrs, + ensure => present, } File { diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index bdd39c3..f1b208e 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -6,25 +6,26 @@ } class { 'ldap::server::master': - suffix => 'dc=foo,dc=bar', - rootpw => 'password', - schema_inc => ['ppolicy'], - modules_inc => ['ppolicy', 'syncprov'], - index_inc => ['index mail pres'], - syncprov => true, - sync_binddn => 'cn=sync,dc=foo,dc=bar', - ssl => true, - ssl_ca => 'ca.pem', - ssl_cert => 'master-ldap.pem', - ssl_key => 'master-ldap.key', + suffix => 'dc=foo,dc=bar', + rootpw => 'password', + schema_inc => ['ppolicy'], + modules_inc => ['ppolicy', 'syncprov'], + index_inc => ['index mail pres'], + syncprov => true, + sync_binddn => 'cn=sync,dc=foo,dc=bar', + ssl => true, + ssl_ca => 'ca.pem', + ssl_cert => 'master-ldap.pem', + ssl_key => 'master-ldap.key', + cnconfig_attrs => ['olcConcurrency: 1'], } ldapdn { "ou users": - dn => "ou=users,dc=foo,dc=bar", - attributes => [ + dn => "ou=users,dc=foo,dc=bar", + attributes => [ 'ou: users', 'objectClass: organizationalUnit' ], unique_attributes => ["ou"], - ensure => present, + ensure => present, } 
diff --git a/templates/etc/ldap/slapd.d b/templates/etc/ldap/slapd.d deleted file mode 120000 index abdc0b0..0000000 --- a/templates/etc/ldap/slapd.d +++ /dev/null @@ -1 +0,0 @@ -../openldap/slapd.d \ No newline at end of file diff --git a/templates/etc/openldap/slapd.d/cn=config-update.ldif.erb b/templates/etc/openldap/slapd.d/cn=config-update.ldif.erb deleted file mode 100644 index 0d1e620..0000000 --- a/templates/etc/openldap/slapd.d/cn=config-update.ldif.erb +++ /dev/null @@ -1,16 +0,0 @@ -dn: cn=config -changetype: modify -<% @cnconfig_attrs.each_pair do |key, value| -%> -<% if value != '' and @cnconfig_default_attrs.include?(key) -%> -replace: <%= key %> -<%= key %>: <%= value %> -- -<% elsif @cnconfig_attrs.include?(key) and value == '' -%> -delete: <%= key %> -- -<% else -%> -add: <%= key %> -<%= key %>: <%= value %> -- -<% end -%> -<% end -%> diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 1288bdd..8d3fe70 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -146,4 +146,9 @@ describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b "ou=users,dc=foo,dc=bar" "(objectClass=organizationalUnit)"') do it { should return_stdout /ou: users/ } end + + # Setting arbitrary config options + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcConcurrency') do + it { should return_stdout %r{olcConcurrency: 1} } + end end From 7df22b38c89d0de54694608eb9cdfecdf30a85b4 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Fri, 16 May 2014 14:06:55 +0100 Subject: [PATCH 33/85] Database needs to be created to add OUs to it --- puppet/master/manifests/site.pp | 14 ++++++++++++++ test/integration/master/serverspec/slapd_spec.rb | 5 ----- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index f1b208e..90732bf 100644 
--- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -20,6 +20,19 @@ cnconfig_attrs => ['olcConcurrency: 1'], } +ldapdn { 'add database': + ensure => present, + dn => 'dc=foo,dc=bar', + attributes => [ + 'dc: foo', + 'objectClass: top', + 'objectClass: dcObject', + 'objectClass: organization', + 'o: Foo Dot Bar', + ], + unique_attributes => ['dc', 'o'], +} + ldapdn { "ou users": dn => "ou=users,dc=foo,dc=bar", attributes => [ @@ -28,4 +41,5 @@ ], unique_attributes => ["ou"], ensure => present, + require => Ldapdn['add database'], } diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 8d3fe70..ccca4ee 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -34,11 +34,6 @@ it { should return_stdout /olcSuffix: dc=foo,dc=bar/ } end - # The root organisation can be created - describe command("echo \"dn: dc=foo,dc=bar\nobjectClass: dcObject\nobjectClass: organization\ndc: foo\no: Foo Dot Bar\" | ldapadd -H ldapi:/// -Y EXTERNAL") do - it { should return_stdout /adding new entry/ } - end - # Once created, the root org is readable by system root describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b "dc=foo,dc=bar"') do it { should return_stdout /o: Foo Dot Bar/ } From 85b1ad088608321d22616d51859c6208df205406 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Fri, 16 May 2014 14:18:55 +0100 Subject: [PATCH 34/85] No need to nuke the database @bklang hypothesised: "Because you now have a wrong configuration and a started slapd, you now have a wrong database. Both the slapd.d configuration and the /var/lib/ldap data must be purged before any new records can be added." Turns out this was wrong, and this is not at all necessary. --- manifests/server/master.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index ff7db7f..e0a10fb 100644 
--- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -206,7 +206,7 @@ } exec { "slapd-config-convert": - command => "/bin/sh -c 'rm -rf ${ldap::params::prefix}/slapd.d/* && rm -rf ${ldap::params::db_prefix}/* && /usr/sbin/slaptest -n 0 -f ${ldap::params::prefix}/${ldap::params::server_config} -F ${ldap::params::prefix}/slapd.d/ && /bin/chown -R ${ldap::params::server_owner}:${ldap::params::server_group} ${ldap::params::prefix}/slapd.d'", + command => "/bin/sh -c 'rm -rf ${ldap::params::prefix}/slapd.d/* && /usr/sbin/slaptest -n 0 -f ${ldap::params::prefix}/${ldap::params::server_config} -F ${ldap::params::prefix}/slapd.d/ && /bin/chown -R ${ldap::params::server_owner}:${ldap::params::server_group} ${ldap::params::prefix}/slapd.d'", refreshonly => true, notify => Service[$ldap::params::service], user => $ldap::params::server_owner, From 37c8fc1356dc03bbe3b3ea9fdb39db3ce5a2204c Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Sat, 17 May 2014 13:16:49 +0100 Subject: [PATCH 35/85] Dead whitespace --- manifests/server/master.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index e0a10fb..03b0d93 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -258,7 +258,7 @@ # Additional configurations (for rc scripts) case $::osfamily { - + 'Debian' : { class { 'ldap::server::debian': ssl => $ssl } } From 853cdf82c278be5434214baef4031b171f09ee2f Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Sat, 17 May 2014 16:41:14 +0100 Subject: [PATCH 36/85] Reduce unnecessary indenting --- manifests/server/master.pp | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 03b0d93..a134078 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp 
@@ -166,13 +166,13 @@ } service { $ldap::params::service: - ensure => running, - enable => true, - pattern => $ldap::params::server_pattern, - require => [ + ensure => running, + enable => true, + pattern => $ldap::params::server_pattern, + require => [ Package[$ldap::params::server_package], Exec['slapd-config-convert'], - ], + ], } ldapdn { "cnconfig_attrs": @@ -183,9 +183,9 @@ } File { - mode => '0640', - owner => $ldap::params::server_owner, - group => $ldap::params::server_group, + mode => '0640', + owner => $ldap::params::server_owner, + group => $ldap::params::server_group, } file { "${ldap::params::prefix}/${ldap::params::server_config}": @@ -210,6 +210,7 @@ refreshonly => true, notify => Service[$ldap::params::service], user => $ldap::params::server_owner, + } $msg_prefix = 'SSL enabled. You must specify' From 024c81cc291de21d2ca7844d802649a25cd90b03 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 19 May 2014 18:00:12 +0100 Subject: [PATCH 37/85] Initial conversion to direct manipulation of cn=config The stuff left in slapd.conf.erb is what remains to be tested and subsequently moved to cn=config --- lib/puppet/provider/ldapdn/ldapdn.rb | 2 + manifests/builtin_schema.pp | 7 ++ manifests/module.pp | 11 +++ manifests/params.pp | 2 + manifests/server/master.pp | 101 +++++++++++++++++++------- templates/etc/openldap/slapd.conf.erb | 73 ------------------- templates/slapd.seed.erb | 3 +- 7 files changed, 99 insertions(+), 100 deletions(-) create mode 100644 manifests/builtin_schema.pp create mode 100644 manifests/module.pp diff --git a/lib/puppet/provider/ldapdn/ldapdn.rb b/lib/puppet/provider/ldapdn/ldapdn.rb index ebe4d63..834618f 100644 --- a/lib/puppet/provider/ldapdn/ldapdn.rb +++ b/lib/puppet/provider/ldapdn/ldapdn.rb 
@@ -54,6 +54,8 @@ def ldap_apply_work when :add if add_type == "add" and modify_type == :ldapmodify modify_record << "add: #{attribute}" + else + add_type = "add" end modify_record << "#{attribute}: #{instruction.last}" modify_record << "-" if modify_type == :ldapmodify diff --git a/manifests/builtin_schema.pp b/manifests/builtin_schema.pp new file mode 100644 index 0000000..7d2227a --- /dev/null +++ b/manifests/builtin_schema.pp @@ -0,0 +1,7 @@ +define ldap::builtin_schema() { + exec { "load_schema_${name}": + cwd => $ldap::params::schema_prefix, + command => "/usr/bin/ldapadd -QY EXTERNAL -H ldapi:/// < ${name}.ldif", + unless => "/usr/bin/ldapsearch -QY EXTERNAL -H ldapi:/// -b 'cn=schema,cn=config' '(cn=*${name})' | grep 'numEntries: 1'", + } +} diff --git a/manifests/module.pp b/manifests/module.pp new file mode 100644 index 0000000..1086488 --- /dev/null +++ b/manifests/module.pp @@ -0,0 +1,11 @@ +define ldap::module() { + include ldap + + ldapdn { "${name} module config": + dn => "cn=module{0},cn=config", + attributes => [ + "olcModuleLoad: ${name}" + ], + ensure => present, + } +} diff --git a/manifests/params.pp b/manifests/params.pp index 467790a..6a3886e 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,6 +1,8 @@ class ldap::params { + $moduledir = "${::puppet_vardir}/ldap" + case $::osfamily { 'Debian' : { diff --git a/manifests/server/master.pp b/manifests/server/master.pp index a134078..38f8829 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp 
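Review bot: `ldap::builtin_schema` interpolates `${name}` unquoted into both a shell command line and an LDAP filter (`(cn=*${name})`), so a schema name containing shell or filter metacharacters breaks the command or widens the match; with stdlib just dropped, guard it with core syntax, e.g. `if $name !~ /^[A-Za-z0-9_-]+$/ { fail("Invalid schema name: ${name}") }`. The `<` redirect in `command` and the `|` pipe in `unless` only work when the string reaches a shell, so set `provider => shell` on the exec (and a `path` so `grep` resolves) rather than relying on how the default provider happens to run the string. The exec also has no ordering on the service it talks to over `ldapi:///`; unless something outside this hunk provides it, add `require => Service[$ldap::params::service],`.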
@@ -171,10 +171,71 @@ pattern => $ldap::params::server_pattern, require => [ Package[$ldap::params::server_package], - Exec['slapd-config-convert'], ], } + ldapdn { "database config": + dn => "olcDatabase={1}bdb,cn=config", + attributes => [ + 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', + 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=foo,dc=bar" read by self write by anonymous auth by * none', + 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=foo,dc=bar" read by * read', + 'olcAccess: to dn.subtree="dc=foo,dc=bar" by dn.base="cn=sync,dc=foo,dc=bar" read by self read by * read', + 'olcDbIndex: objectClass eq', + 'olcDbIndex: entryCSN eq', + 'olcDbIndex: entryUUID eq', + 'olcDbIndex: uidNumber eq', + 'olcDbIndex: gidNumber eq', + 'olcDbIndex: cn pres,eq,sub', + 'olcDbIndex: sn pres,eq,sub', + 'olcDbIndex: uid pres,eq,sub', + 'olcDbIndex: displayName pres,eq,sub', + 'olcDbIndex: mail pres', + 'olcLastMod: TRUE', + "olcRootPW: ${rootpw}", + ], + unique_attributes => [ + 'olcAccess', + 'olcLastMod', + 'olcRootPW', + ], + ensure => present, + } + + ldapdn { "module config": + dn => "cn=module{0},cn=config", + attributes => [ + "olcModulePath: ${ldap::params::module_prefix}", + ], + unique_attributes => ['olcModulePath'], + ensure => present, + } + + ldap::module { $ldap::params::modules_base: } + ldap::module { $modules_inc: } + + ldap::builtin_schema { $ldap::params::schema_base: } + ldap::builtin_schema { $schema_inc: } + + if($syncprov) { + ldapdn { "syncprov_config": + dn => "olcOverlay=syncprov,olcDatabase={1}bdb,cn=config", + attributes => [ + 'objectClass: olcOverlayConfig', + 'objectClass: olcSyncProvConfig', + 'olcOverlay: syncprov', + "olcSpCheckpoint: ${syncprov_checkpoint}", + "olcSpSessionLog: ${syncprov_sessionlog}", + ], + unique_attributes => [ + 
'olcOverlay', + 'olcSpCheckpoint', + 'olcSpSessionlog', + ], + ensure => present, + } + } + ldapdn { "cnconfig_attrs": dn => "cn=config", attributes => $cnconfig_attrs, @@ -188,31 +249,6 @@ group => $ldap::params::server_group, } - file { "${ldap::params::prefix}/${ldap::params::server_config}": - ensure => $ensure, - content => template("ldap/${ldap::params::prefix}/${ldap::params::server_config}.erb"), - notify => Exec['slapd-config-convert'], - require => $ssl ? { - false => [ - Package[$ldap::params::server_package], - ], - true => [ - Package[$ldap::params::server_package], - File['ssl_ca'], - File['ssl_cert'], - File['ssl_key'], - ] - } - } - - exec { "slapd-config-convert": - command => "/bin/sh -c 'rm -rf ${ldap::params::prefix}/slapd.d/* && /usr/sbin/slaptest -n 0 -f ${ldap::params::prefix}/${ldap::params::server_config} -F ${ldap::params::prefix}/slapd.d/ && /bin/chown -R ${ldap::params::server_owner}:${ldap::params::server_group} ${ldap::params::prefix}/slapd.d'", - refreshonly => true, - notify => Service[$ldap::params::service], - user => $ldap::params::server_owner, - - } - $msg_prefix = 'SSL enabled. You must specify' $msg_suffix = '(filename). It should be located at puppet:///files/ldap' @@ -255,6 +291,19 @@ path => [ "/bin", "/usr/bin", "/sbin", "/usr/sbin" ] } + ldapdn { "SSL config": + dn => "cn=config", + attributes => [ + "olcTLSCACertificateFile: ${ldap::params::ssl_prefix}/${ssl_ca}", + "olcTLSCertificateFile: ${ldap::params::ssl_prefix}/${ssl_cert}", + "olcTLSCertificateKeyFile: ${ldap::params::ssl_prefix}/${ssl_key}", + ], + unique_attributes => $ldap::params::cnconfig_default_attrs, + ensure => present, + require => [File['ssl_ca'], File['ssl_cert'], File['ssl_key'], Exec['Server certificate hash']], + notify => Service[$ldap::params::service], + } + } # Additional configurations (for rc scripts) diff --git a/templates/etc/openldap/slapd.conf.erb b/templates/etc/openldap/slapd.conf.erb index 1133163..ca4faa2 100644 
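Review bot: The olcAccess values in the "database config" ldapdn hard-code `dc=foo,dc=bar` and `cn=sync,dc=foo,dc=bar`, whereas the slapd.conf template this replaces interpolated `@suffix` and `@sync_binddn`; any deployment with another suffix gets rules that never match its entries, so they should read `to dn.subtree="${suffix}"` and `by dn.base="${sync_binddn}"`, with the sync clause emitted only when `$syncprov` and `$sync_binddn` are set as the template did. The first rule, `to * by dn.base="...cn=peercred,cn=external,cn=auth" manage`, also matches every entry; as I read slapd.access(5), evaluation stops at the first matching `to` clause with an implicit `by * none`, so the three rules after it would never be consulted for anyone but the local root identity unless that rule ends with `by * break`. The same literals appear in the "database config" resource of the slave.pp hunk in the "Fix up slave config" commit. Separately, `unique_attributes` lists `olcSpSessionlog` while the attribute is written `olcSpSessionLog`; if the ldapdn provider compares names case-sensitively, the session log value will accumulate instead of being replaced.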
--- a/templates/etc/openldap/slapd.conf.erb +++ b/templates/etc/openldap/slapd.conf.erb @@ -7,46 +7,17 @@ allow bind_anon_dn <% end -%> -# Schema and objectClass definitions -<% scope.lookupvar('ldap::params::schema_base').each do |schema| -%> -include <%= scope.lookupvar('ldap::params::schema_prefix') %>/<%= schema %>.schema -<% end -%> - -# Additional schemas -<% scope.lookupvar('schema_inc').each do |schema| -%> -include <%= scope.lookupvar('ldap::params::schema_prefix') %>/<%= schema %>.schema -<% end -%> - pidfile <%= scope.lookupvar('ldap::params::server_run') %>/slapd.pid argsfile <%= scope.lookupvar('ldap::params::server_run') %>/slapd.args # Read slapd.conf(5) for possible values loglevel <%= @log_level %> -modulepath <%= scope.lookupvar('ldap::params::module_prefix') %> -<% scope.lookupvar('ldap::params::modules_base').each do |mod| -%> -moduleload <%= mod %> -<% end -%> - -<% @modules_inc.each do |mod| -%> -moduleload <%= mod %> -<% end -%> - -<% if @ssl == true then -%> -TLSCACertificateFile <%= scope.lookupvar('ldap::params::ssl_prefix') %>/<%= @ssl_ca %> -TLSCertificateFile <%= scope.lookupvar('ldap::params::ssl_prefix') %>/<%= @ssl_cert %> -TLSCertificateKeyFile <%= scope.lookupvar('ldap::params::ssl_prefix') %>/<%= @ssl_key %> -<% end -%> - ####################################################################### # FIXME: puppet backend bdb -database config -access to * - by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage - # FIXME: puppet database bdb suffix "<%= @suffix %>" @@ -57,12 +28,6 @@ rootpw "<%= @rootpw %>" ####################################################################### # << Syncprov -<% if has_variable?('syncprov') and @syncprov == true then -%> -overlay syncprov -syncprov-checkpoint <%= @syncprov_checkpoint %> -syncprov-sessionlog <%= @syncprov_sessionlog %> -<% end -%> - <% if has_variable?('sync_rid') then -%> syncrepl rid=<%= @sync_rid %> provider=<%= @sync_provider %> 
@@ -80,18 +45,6 @@ syncrepl rid=<%= @sync_rid %> updateref <%= @sync_provider %> <% end -%> -####################################################################### - -checkpoint 512 30 -dbconfig set_cachesize 0 2097152 0 -dbconfig set_lk_max_objects 1500 -dbconfig set_lk_max_locks 1500 -dbconfig set_lk_max_lockers 1500 - -####################################################################### - -lastmod on - <% if @syncprov and @sync_binddn != false then -%> limits dn.exact="<%= @sync_binddn%>" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited <% end -%> @@ -103,29 +56,3 @@ limits dn.exact="<%= @sync_binddn%>" time.soft=unlimited time.hard=unlimited siz <% @index_inc.each do |idx| -%> <%= idx %> <% end -%> - -access to * - by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage - -# users can authenticate and change their password -access to dn.subtree="<%= @suffix %>" attrs=userPassword,shadowLastChange, -<% if @syncprov and @sync_binddn != false then -%> - by dn.exact="<%= @sync_binddn %>" read -<% end -%> - by self write - by anonymous auth - by * none - -## some attributes need to be readable anonymously so that 'id user' can answer correctly -access to dn.subtree="<%= @suffix %>" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid -<% if @syncprov and @sync_binddn != false then -%> - by dn.exact="<%= @sync_binddn %>" read -<% end -%> - by * read - -access to dn.subtree="<%= @suffix %>" -<% if @syncprov and @sync_binddn != false then -%> - by dn.exact="<%= @sync_binddn %>" read -<% end -%> - by self read - by * read diff --git a/templates/slapd.seed.erb b/templates/slapd.seed.erb index 2351c04..46cb335 100644 --- a/templates/slapd.seed.erb +++ b/templates/slapd.seed.erb 
@@ -7,7 +7,7 @@ slapd slapd/suffix_change boolean false slapd slapd/fix_directory boolean true slapd slapd/invalid_config boolean true slapd slapd/slave_databases_require_updateref note -slapd shared/organization string monkey +slapd shared/organization string <%= @suffix %> slapd slapd/upgrade_slapcat_failure note slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION slapd slapd/autoconf_modules boolean true @@ -18,3 +18,4 @@ slapd slapd/migrate_ldbm_to_bdb boolean true slapd slapd/move_old_database boolean true slapd slapd/dump_database select when needed slapd slapd/upgrade_slapadd_failure note +slapd slapd/domain string <%= @suffix.gsub(',dc=', '.').gsub('dc=', '') %> From fb0b3c0e30b5f5a431b48a26a965af1b1caa4d78 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 26 May 2014 16:15:08 -0300 Subject: [PATCH 38/85] Set log level in dynamic config --- manifests/server/master.pp | 9 +++++++++ puppet/master/manifests/site.pp | 1 + puppet/slave/manifests/site.pp | 1 + test/integration/master/serverspec/slapd_spec.rb | 5 +++++ test/integration/slave/serverspec/slapd_spec.rb | 5 +++++ 5 files changed, 21 insertions(+) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 38f8829..afbaed3 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -236,6 +236,15 @@ } } + ldapdn { "global confg": + dn => "cn=config", + attributes => [ + "olcLogLevel: ${log_level}", + ], + unique_attributes => $ldap::params::cnconfig_default_attrs, + ensure => present, + } + ldapdn { "cnconfig_attrs": dn => "cn=config", attributes => $cnconfig_attrs, diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index 90732bf..0a0e2ca 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -18,6 +18,7 @@ ssl_cert => 'master-ldap.pem', ssl_key => 'master-ldap.key', cnconfig_attrs => ['olcConcurrency: 1'], + log_level => '4', } ldapdn { 'add database': 
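Review bot: The `slapd/domain` value derives the domain with two `gsub` calls that only work for a suffix made purely of lower-case `dc=` RDNs with no whitespace after the commas; `DC=Foo, DC=Bar` or an `o=`-style suffix yields a mangled domain, and `shared/organization` is now seeded with the raw DN rather than an organisation name. Something like `@suffix.split(/\s*,\s*/).map { |rdn| rdn.sub(/\Adc=/i, '') }.join('.')` (after checking that every RDN really is a `dc=` one) would be more robust for the domain, and the organisation deserves its own parameter.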
diff --git a/puppet/slave/manifests/site.pp b/puppet/slave/manifests/site.pp index 3141951..3d20deb 100644 --- a/puppet/slave/manifests/site.pp +++ b/puppet/slave/manifests/site.pp @@ -20,4 +20,5 @@ ssl_ca => 'ca.pem', ssl_cert => 'master-ldap.pem', ssl_key => 'master-ldap.key', + log_level => '4', } diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index ccca4ee..80c3031 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -146,4 +146,9 @@ describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcConcurrency') do it { should return_stdout %r{olcConcurrency: 1} } end + + # Log level + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcLogLevel') do + it { should return_stdout %r{olcLogLevel: 4} } + end end diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index 7fb7bbf..aac6b26 100644 --- a/test/integration/slave/serverspec/slapd_spec.rb +++ b/test/integration/slave/serverspec/slapd_spec.rb @@ -141,4 +141,9 @@ describe command('ldapwhoami -H ldaps:/// -x -D cn=admin,dc=foo,dc=bar -w password') do it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ } end + + # Log level + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcLogLevel') do + it { should return_stdout %r{olcLogLevel: 4} } + end end From e956174dbfe8ed59553a91474ec3852158517639 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 26 May 2014 16:17:21 -0300 Subject: [PATCH 39/85] Missing specs for slave --- test/integration/slave/serverspec/slapd_spec.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index aac6b26..7cfcb98 100644 --- a/test/integration/slave/serverspec/slapd_spec.rb 
+++ b/test/integration/slave/serverspec/slapd_spec.rb @@ -142,6 +142,16 @@ it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ } end + # Directory can be manipulated by ldapdn resources + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b "ou=users,dc=foo,dc=bar" "(objectClass=organizationalUnit)"') do + it { should return_stdout /ou: users/ } + end + + # Setting arbitrary config options + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcConcurrency') do + it { should return_stdout %r{olcConcurrency: 1} } + end + # Log level describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcLogLevel') do it { should return_stdout %r{olcLogLevel: 4} } From 1b8bdfdb5829daa8d69fd1b42410645481121066 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 26 May 2014 16:33:56 -0300 Subject: [PATCH 40/85] Move PID and args files to dynamic config --- manifests/server/master.pp | 3 +++ templates/etc/openldap/slapd.conf.erb | 6 ------ test/integration/master/serverspec/slapd_spec.rb | 10 ++++++++++ test/integration/slave/serverspec/slapd_spec.rb | 10 ++++++++++ 4 files changed, 23 insertions(+), 6 deletions(-) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index afbaed3..f16076a 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -239,10 +239,13 @@ ldapdn { "global confg": dn => "cn=config", attributes => [ + "olcArgsFile: ${ldap::params::server_run}/slapd.args", "olcLogLevel: ${log_level}", + "olcPidFile: ${ldap::params::server_run}/slapd.pid", ], unique_attributes => $ldap::params::cnconfig_default_attrs, ensure => present, + notify => Service[$ldap::params::service], } ldapdn { "cnconfig_attrs": diff --git a/templates/etc/openldap/slapd.conf.erb b/templates/etc/openldap/slapd.conf.erb index ca4faa2..0bf58e0 100644 --- a/templates/etc/openldap/slapd.conf.erb +++ b/templates/etc/openldap/slapd.conf.erb 
@@ -7,12 +7,6 @@ allow bind_anon_dn <% end -%> -pidfile <%= scope.lookupvar('ldap::params::server_run') %>/slapd.pid -argsfile <%= scope.lookupvar('ldap::params::server_run') %>/slapd.args - -# Read slapd.conf(5) for possible values -loglevel <%= @log_level %> - ####################################################################### # FIXME: puppet diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 80c3031..be2a900 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -151,4 +151,14 @@ describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcLogLevel') do it { should return_stdout %r{olcLogLevel: 4} } end + + # PID file + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcPidFile') do + it { should return_stdout %r{olcPidFile: /var/run/slapd/slapd.pid} } + end + + # Args file + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcArgsFile') do + it { should return_stdout %r{olcArgsFile: /var/run/slapd/slapd.args} } + end end diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index 7cfcb98..340488b 100644 --- a/test/integration/slave/serverspec/slapd_spec.rb +++ b/test/integration/slave/serverspec/slapd_spec.rb 
@@ -156,4 +156,14 @@ describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcLogLevel') do it { should return_stdout %r{olcLogLevel: 4} } end + + # PID file + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcPidFile') do + it { should return_stdout %r{olcPidFile: /var/run/slapd/slapd.pid} } + end + + # Args file + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcArgsFile') do + it { should return_stdout %r{olcArgsFile: /var/run/slapd/slapd.args} } + end end From 606f89a37cd958c59252e2abf84818d7c75223a3 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 26 May 2014 17:12:54 -0300 Subject: [PATCH 41/85] Log level should only have one value --- manifests/params.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/manifests/params.pp b/manifests/params.pp index 6a3886e..b721570 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -93,6 +93,7 @@ 'olcIndexSubstrIfAnyStep', 'olcIndexIntLen', 'olcLocalSSF', + 'olcLogLevel', 'olcPidFile', 'olcReadOnly', 'olcReverseLookup', @@ -207,6 +208,7 @@ 'olcIndexSubstrIfAnyStep', 'olcIndexIntLen', 'olcLocalSSF', + 'olcLogLevel', 'olcPidFile', 'olcReadOnly', 'olcReverseLookup', @@ -296,6 +298,7 @@ 'olcIndexSubstrIfAnyStep', 'olcIndexIntLen', 'olcLocalSSF', + 'olcLogLevel', 'olcPidFile', 'olcReadOnly', 'olcReverseLookup', From 2d80400f96ada0c47371432ac942e4eb22a92b2e Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 26 May 2014 18:55:47 -0300 Subject: [PATCH 42/85] Fix up slave config --- manifests/server/slave.pp | 141 ++++++++++++++---- puppet/slave/manifests/site.pp | 55 +++++-- templates/etc/openldap/slapd.conf.erb | 24 --- .../slave/serverspec/slapd_spec.rb | 16 +- 4 files changed, 165 insertions(+), 71 deletions(-) diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index eee1e79..3c03e7a 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp 
@@ -186,7 +186,7 @@ $ssl_key = false, $sync_type = 'refreshOnly', $sync_interval = '00:00:10:00', - $sync_base = '', + $sync_base = $suffix, $sync_filter = '(objectClass=*)', $sync_attrs = '*', $sync_scope = 'sub', 
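Review bot: `$sync_base = $suffix` makes one parameter's default depend on another; on Puppet 3 that resolves correctly only if `$suffix` is declared earlier in the parameter list, which lies outside this hunk, and the language did not guarantee it for that version. The removed template handled this explicitly (`searchbase` fell back to `@suffix` when `@sync_base == ''`); keeping `''` as the default and resolving it in the class body, e.g. `$real_sync_base = $sync_base ? { '' => $suffix, default => $sync_base }`, avoids depending on parameter evaluation order.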
@@ -199,18 +199,111 @@ motd::register { 'ldap::server::slave': } } + file { ['/var/cache/local', '/var/cache/local/preseeding']: + ensure => directory, + owner => 'root', + group => 'root', + } + + file { "/var/cache/local/preseeding/slapd.seed": + ensure => present, + content => template("ldap/slapd.seed.erb"), + owner => 'root', + group => 'root', + } + package { $ldap::params::server_package: - ensure => $ensure + ensure => $ensure, + responsefile => "/var/cache/local/preseeding/slapd.seed", } service { $ldap::params::service: - ensure => running, - enable => true, - pattern => $ldap::params::server_pattern, - require => [ + ensure => running, + enable => true, + pattern => $ldap::params::server_pattern, + require => [ Package[$ldap::params::server_package], - File["${ldap::params::prefix}/${ldap::params::server_config}"], - ] + ], + } + + ldapdn { "database config": + dn => "olcDatabase={1}bdb,cn=config", + attributes => [ + 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', + 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by self write by anonymous auth by * none', + 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by * read', + 'olcAccess: to dn.subtree="dc=foo,dc=bar" by self read by * read', + 'olcDbIndex: objectClass eq', + 'olcDbIndex: entryCSN eq', + 'olcDbIndex: entryUUID eq', + 'olcDbIndex: uidNumber eq', + 'olcDbIndex: gidNumber eq', + 'olcDbIndex: cn pres,eq,sub', + 'olcDbIndex: sn pres,eq,sub', + 'olcDbIndex: uid pres,eq,sub', + 'olcDbIndex: displayName pres,eq,sub', + 'olcDbIndex: mail pres', + 'olcLastMod: TRUE', + "olcRootPW: ${rootpw}", + ], + unique_attributes => [ + 'olcAccess', + 'olcLastMod', + 'olcRootPW', + ], + ensure => present, + } + + ldapdn { "module config": + dn => "cn=module{0},cn=config", + attributes => [ + "olcModulePath: ${ldap::params::module_prefix}", + ], + unique_attributes => 
['olcModulePath'], + ensure => present, + } + + ldap::module { $ldap::params::modules_base: } + ldap::module { $modules_inc: } + + ldap::builtin_schema { $ldap::params::schema_base: } + ldap::builtin_schema { $schema_inc: } + + ldapdn { "syncrepl": + dn => "olcDatabase={1}bdb,cn=config", + attributes => [ + "olcSyncrepl: rid=${sync_rid} provider=${sync_provider} bindmethod=simple timeout=0 network-timeout=0 binddn=\"${sync_binddn}\" credentials=\"${sync_bindpw}\" keepalive=0:0:0 starttls=no filter=\"${sync_filter}\" searchbase=\"${sync_base}\" scope=${sync_scope} attrs=\"${sync_attrs}\" schemachecking=off type=${sync_type} interval=${sync_interval} retry=undefined", + "olcLimits: dn.exact=\"${sync_binddn}\" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited", + ], + unique_attributes => [ + 'olcLimits', + 'olcSyncrepl', + ], + ensure => present, + } + + ldapdn { "updateref": + dn => "olcDatabase={1}bdb,cn=config", + attributes => [ + "olcUpdateRef: ${sync_provider}", + ], + unique_attributes => [ + 'olcUpdateRef', + ], + ensure => present, + require => Ldapdn['syncrepl'], + } + + ldapdn { "global confg": + dn => "cn=config", + attributes => [ + "olcArgsFile: ${ldap::params::server_run}/slapd.args", + "olcLogLevel: ${log_level}", + "olcPidFile: ${ldap::params::server_run}/slapd.pid", + ], + unique_attributes => $ldap::params::cnconfig_default_attrs, + ensure => present, + notify => Service[$ldap::params::service], } ldapdn { "cnconfig_attrs": 
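Review bot: The `olcSyncrepl` value in the "syncrepl" ldapdn hard-codes `bindmethod=simple ... starttls=no`, so when `sync_provider` is an `ldap://` URL rather than the `ldapi:///` used in the tests, `${sync_bindpw}` travels to the provider in clear regardless of the class's `ssl` setting; `starttls` should follow `$ssl` (slapd accepts `starttls=yes|critical`) or be exposed as its own parameter. `retry=undefined`, next to `timeout=0 network-timeout=0 keepalive=0:0:0`, looks copied from slapd's rendered form of the attribute, where `undefined` means no retry schedule was configured; I would not expect slapd to accept it as input, so confirm this applied cleanly and give the consumer an explicit schedule such as `retry="60 +"`. The `"global confg"` resource title carries the same typo as the one in master.pp.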
@@ -226,23 +319,6 @@ group => $ldap::params::server_group, } - file { "${ldap::params::prefix}/${ldap::params::server_config}": - ensure => $ensure, - content => template("ldap/${ldap::params::prefix}/${ldap::params::server_config}.erb"), - notify => Service[$ldap::params::service], - require => $ssl ? { - false => [ - Package[$ldap::params::server_package], - ], - true => [ - Package[$ldap::params::server_package], - File['ssl_ca'], - File['ssl_cert'], - File['ssl_key'], - ] - } - } - $msg_prefix = 'SSL enabled. You must specify' $msg_suffix = '(filename). It should be located at puppet:///files/ldap' @@ -285,11 +361,24 @@ path => [ "/bin", "/usr/bin", "/sbin", "/usr/sbin" ] } + ldapdn { "SSL config": + dn => "cn=config", + attributes => [ + "olcTLSCACertificateFile: ${ldap::params::ssl_prefix}/${ssl_ca}", + "olcTLSCertificateFile: ${ldap::params::ssl_prefix}/${ssl_cert}", + "olcTLSCertificateKeyFile: ${ldap::params::ssl_prefix}/${ssl_key}", + ], + unique_attributes => $ldap::params::cnconfig_default_attrs, + ensure => present, + require => [File['ssl_ca'], File['ssl_cert'], File['ssl_key'], Exec['Server certificate hash']], + notify => Service[$ldap::params::service], + } + } # Additional configurations (for rc scripts) case $::osfamily { - + 'Debian' : { class { 'ldap::server::debian': ssl => $ssl } } diff --git a/puppet/slave/manifests/site.pp b/puppet/slave/manifests/site.pp index 3d20deb..44092f0 100644 --- a/puppet/slave/manifests/site.pp +++ b/puppet/slave/manifests/site.pp 
@@ -6,19 +6,44 @@ } class { 'ldap::server::slave': - suffix => 'dc=foo,dc=bar', - rootpw => 'password', - schema_inc => ['ppolicy'], - modules_inc => ['ppolicy', 'syncprov'], - index_inc => ['index mail pres'], - sync_provider => 'ldapi:///', - sync_binddn => 'cn=sync,dc=foo,dc=bar', - sync_bindpw => 'foobar', - sync_rid => '123', - sync_updatedn => 'cn=admin,dc=foo,dc=bar', - ssl => true, - ssl_ca => 'ca.pem', - ssl_cert => 'master-ldap.pem', - ssl_key => 'master-ldap.key', - log_level => '4', + suffix => 'dc=foo,dc=bar', + rootpw => 'password', + schema_inc => ['ppolicy'], + modules_inc => ['ppolicy', 'syncprov'], + index_inc => ['index mail pres'], + sync_provider => 'ldapi:///', + sync_binddn => 'cn=sync,dc=foo,dc=bar', + sync_bindpw => 'foobar', + sync_rid => '123', + sync_updatedn => 'cn=admin,dc=foo,dc=bar', + ssl => true, + ssl_ca => 'ca.pem', + ssl_cert => 'master-ldap.pem', + ssl_key => 'master-ldap.key', + log_level => '4', + cnconfig_attrs => ['olcConcurrency: 1'], +} + +ldapdn { 'add database': + ensure => present, + dn => 'dc=foo,dc=bar', + attributes => [ + 'dc: foo', + 'objectClass: top', + 'objectClass: dcObject', + 'objectClass: organization', + 'o: Foo Dot Bar', + ], + unique_attributes => ['dc', 'o'], +} + +ldapdn { "ou users": + dn => "ou=users,dc=foo,dc=bar", + attributes => [ + 'ou: users', + 'objectClass: organizationalUnit' + ], + unique_attributes => ["ou"], + ensure => present, + require => Ldapdn['add database'], } diff --git a/templates/etc/openldap/slapd.conf.erb b/templates/etc/openldap/slapd.conf.erb index 0bf58e0..ca51afc 100644 --- a/templates/etc/openldap/slapd.conf.erb +++ b/templates/etc/openldap/slapd.conf.erb 
@@ -19,30 +19,6 @@ directory <%= scope.lookupvar('ldap::params::db_prefix') %> rootdn "<%= @rootdn %>" rootpw "<%= @rootpw %>" -####################################################################### -# << Syncprov - -<% if has_variable?('sync_rid') then -%> -syncrepl rid=<%= @sync_rid %> - provider=<%= @sync_provider %> - type=<%= @sync_type %> - interval=<%= @sync_interval %> - searchbase="<% if @sync_base == '' then %><%= @suffix %><% else %><%= @sync_base %><% end %>" - filter="<%= @sync_filter %>" - attrs="<%= @sync_attrs %>" - scope=<%= @sync_scope %> - schemachecking=off - bindmethod=simple - binddn="<%= @sync_binddn %>" - credentials="<%= @sync_bindpw %>" - -updateref <%= @sync_provider %> -<% end -%> - -<% if @syncprov and @sync_binddn != false then -%> -limits dn.exact="<%= @sync_binddn%>" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited -<% end -%> - <% scope.lookupvar('ldap::params::index_base').each do |idx| -%> <%= idx %> <% end -%> diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index 340488b..662474c 100644 --- a/test/integration/slave/serverspec/slapd_spec.rb +++ b/test/integration/slave/serverspec/slapd_spec.rb 
@@ -116,12 +116,16 @@ it { should return_stdout /syncprov/ } end - describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcSyncrepl') do - its(:stdout) { should include 'rid=123 provider=ldapi:/// bindmethod=simple timeout=0 network-ti - meout=0 binddn="cn=sync,dc=foo,dc=bar" credentials="foobar" keepalive=0:0:0 s - tarttls=no filter="(objectClass=*)" searchbase="dc=foo,dc=bar" scope=sub attr - s="*" schemachecking=off type=refreshOnly interval=00:00:10:00 retry=undefine - d' } + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcSyncrepl | perl -p00e \'s/\r?\n //g\'') do + its(:stdout) { should include 'rid=123 provider=ldapi:/// bindmethod=simple timeout=0 network-timeout=0 binddn="cn=sync,dc=foo,dc=bar" credentials="foobar" keepalive=0:0:0 starttls=no filter="(objectClass=*)" searchbase="dc=foo,dc=bar" scope=sub attrs="*" schemachecking=off type=refreshOnly interval=00:00:10:00 retry=undefined' } + end + + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcLimits | perl -p00e \'s/\r?\n //g\'') do + its(:stdout) { should include 'dn.exact="cn=sync,dc=foo,dc=bar" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited' } + end + + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcUpdateRef | perl -p00e \'s/\r?\n //g\'') do + its(:stdout) { should include 'ldapi:///' } end # TLS From f3bf6e62828724e8c9d61874314e2d6eaefb3e1c Mon Sep 17 00:00:00 2001 
From: Ben Langfeld Date: Mon, 26 May 2014 20:51:19 -0300 Subject: [PATCH 43/85] Don't hard-code indices --- manifests/index.pp | 13 +++++ manifests/params.pp | 54 +++++++++---------- manifests/server/master.pp | 13 ++--- manifests/server/slave.pp | 13 ++--- puppet/master/manifests/site.pp | 2 +- puppet/slave/manifests/site.pp | 2 +- templates/etc/openldap/slapd.conf.erb | 20 ------- .../master/serverspec/slapd_spec.rb | 20 +++---- .../slave/serverspec/slapd_spec.rb | 20 +++---- 9 files changed, 68 insertions(+), 89 deletions(-) create mode 100644 manifests/index.pp diff --git a/manifests/index.pp b/manifests/index.pp new file mode 100644 index 0000000..07f5d60 --- /dev/null +++ b/manifests/index.pp @@ -0,0 +1,13 @@ +define ldap::index() { + include ldap + + define index() { + ldapdn { "${name} index": + dn => "olcDatabase={1}bdb,cn=config", + attributes => [ + "olcDbIndex: ${name}" + ], + ensure => present, + } + } +} diff --git a/manifests/params.pp b/manifests/params.pp index b721570..547e7c1 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -56,15 +56,15 @@ $schema_prefix = "${prefix}/schema" $schema_base = [ 'core', 'cosine', 'nis', 'inetorgperson', ] $index_base = [ - 'index objectclass eq', - 'index entryCSN eq', - 'index entryUUID eq', - 'index uidNumber eq', - 'index gidNumber eq', - 'index cn pres,sub,eq', - 'index sn pres,sub,eq', - 'index uid pres,sub,eq', - 'index displayName pres,sub,eq', + 'objectClass eq', + 'entryCSN eq', + 'entryUUID eq', + 'uidNumber eq', + 'gidNumber eq', + 'cn pres,sub,eq', + 'sn pres,sub,eq', + 'uid pres,sub,eq', + 'displayName pres,sub,eq', ] # 
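Review bot: `ldap::index` never declares the ldapdn resource: the inner `define index()` only defines a second type (`ldap::index::index`), so declaring `ldap::index { 'cn eq': }` evaluates `include ldap` and nothing else, and no `olcDbIndex` value reaches cn=config. Presumably the inner body was meant to be the outer define's body — drop the `define index() {` line and its closing brace so that `ldapdn { "${name} index": ... }` sits directly under `include ldap`. The serverspec expectations for the indices in this commit would then actually exercise it.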
@@ -171,15 +171,15 @@ $server_run = '/var/run/openldap' $index_base = [ - 'index objectclass eq', - 'index entryCSN eq', - 'index entryUUID eq', - 'index uidNumber eq', - 'index gidNumber eq', - 'index cn pres,sub,eq', - 'index sn pres,sub,eq', - 'index uid pres,sub,eq', - 'index displayName pres,sub,eq', + 'objectclass eq', + 'entryCSN eq', + 'entryUUID eq', + 'uidNumber eq', + 'gidNumber eq', + 'cn pres,sub,eq', + 'sn pres,sub,eq', + 'uid pres,sub,eq', + 'displayName pres,sub,eq', ] # @@ -261,15 +261,15 @@ $schema_base = [ 'core', 'cosine', 'nis', 'inetorgperson', ] $modules_base = [ 'back_bdb' ] $index_base = [ - 'index objectclass eq', - 'index entryCSN eq', - 'index entryUUID eq', - 'index uidNumber eq', - 'index gidNumber eq', - 'index cn pres,sub,eq', - 'index sn pres,sub,eq', - 'index uid pres,sub,eq', - 'index displayName pres,sub,eq', + 'objectclass eq', + 'entryCSN eq', + 'entryUUID eq', + 'uidNumber eq', + 'gidNumber eq', + 'cn pres,sub,eq', + 'sn pres,sub,eq', + 'uid pres,sub,eq', + 'displayName pres,sub,eq', ] # diff --git a/manifests/server/master.pp b/manifests/server/master.pp index f16076a..faa33fd 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp 
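Review bot: The three `$index_base` lists now disagree on case: the first branch spells it `'objectClass eq'` while these two keep `'objectclass eq'`. slapd treats attribute names case-insensitively, but these strings become ldapdn resource titles and literal `olcDbIndex` values, and the serverspec regexes in this commit look for `objectClass`; use the same spelling in all three branches.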
@@ -181,16 +181,6 @@ 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=foo,dc=bar" read by self write by anonymous auth by * none', 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=foo,dc=bar" read by * read', 'olcAccess: to dn.subtree="dc=foo,dc=bar" by dn.base="cn=sync,dc=foo,dc=bar" read by self read by * read', - 'olcDbIndex: objectClass eq', - 'olcDbIndex: entryCSN eq', - 'olcDbIndex: entryUUID eq', - 'olcDbIndex: uidNumber eq', - 'olcDbIndex: gidNumber eq', - 'olcDbIndex: cn pres,eq,sub', - 'olcDbIndex: sn pres,eq,sub', - 'olcDbIndex: uid pres,eq,sub', - 'olcDbIndex: displayName pres,eq,sub', - 'olcDbIndex: mail pres', 'olcLastMod: TRUE', "olcRootPW: ${rootpw}", ], @@ -211,6 +201,9 @@ ensure => present, } + ldap::index { $ldap::params::index_base: } + ldap::index { $index_inc: } + ldap::module { $ldap::params::modules_base: } ldap::module { $modules_inc: } diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index 3c03e7a..984259f 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -233,16 +233,6 @@ 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by self write by anonymous auth by * none', 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by * read', 'olcAccess: to dn.subtree="dc=foo,dc=bar" by self read by * read', - 'olcDbIndex: objectClass eq', - 'olcDbIndex: entryCSN eq', - 'olcDbIndex: entryUUID eq', - 'olcDbIndex: uidNumber eq', - 'olcDbIndex: gidNumber eq', - 'olcDbIndex: cn pres,eq,sub', - 'olcDbIndex: sn pres,eq,sub', - 'olcDbIndex: uid pres,eq,sub', - 'olcDbIndex: displayName pres,eq,sub', - 'olcDbIndex: mail pres', 'olcLastMod: TRUE', "olcRootPW: ${rootpw}", ], 
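Review bot: `ldap::index { $ldap::params::index_base: }` and `ldap::index { $index_inc: }` use the raw index specification as the resource title, so an `index_inc` entry that repeats a default (e.g. `'objectClass eq'`) is a duplicate-declaration compile error rather than a no-op, and two specs for the same attribute with different index types (`'cn eq'` and `'cn pres,sub,eq'`) would both be pushed as separate olcDbIndex values. Deduplicating first, e.g. `ldap::index { unique(concat($ldap::params::index_base, $index_inc)): }` with stdlib's `concat`/`unique`, removes the first problem; the same pair of declarations appears in the slave.pp hunk that follows.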
@@ -254,6 +244,9 @@ ensure => present, } + ldap::index { $ldap::params::index_base: } + ldap::index { $index_inc: } + ldapdn { "module config": dn => "cn=module{0},cn=config", attributes => [ diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index 0a0e2ca..586940e 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -10,7 +10,7 @@ rootpw => 'password', schema_inc => ['ppolicy'], modules_inc => ['ppolicy', 'syncprov'], - index_inc => ['index mail pres'], + index_inc => ['mail pres'], syncprov => true, sync_binddn => 'cn=sync,dc=foo,dc=bar', ssl => true, diff --git a/puppet/slave/manifests/site.pp b/puppet/slave/manifests/site.pp index 44092f0..dc13378 100644 --- a/puppet/slave/manifests/site.pp +++ b/puppet/slave/manifests/site.pp @@ -10,7 +10,7 @@ rootpw => 'password', schema_inc => ['ppolicy'], modules_inc => ['ppolicy', 'syncprov'], - index_inc => ['index mail pres'], + index_inc => ['mail pres'], sync_provider => 'ldapi:///', sync_binddn => 'cn=sync,dc=foo,dc=bar', sync_bindpw => 'foobar', diff --git a/templates/etc/openldap/slapd.conf.erb b/templates/etc/openldap/slapd.conf.erb index ca51afc..605a7c0 100644 --- a/templates/etc/openldap/slapd.conf.erb +++ b/templates/etc/openldap/slapd.conf.erb @@ -6,23 +6,3 @@ <% if @bind_anon == true then -%> allow bind_anon_dn <% end -%> - -####################################################################### - -# FIXME: puppet -backend bdb - -# FIXME: puppet -database bdb -suffix "<%= @suffix %>" -directory <%= scope.lookupvar('ldap::params::db_prefix') %> -rootdn "<%= @rootdn %>" -rootpw "<%= @rootpw %>" - -<% scope.lookupvar('ldap::params::index_base').each do |idx| -%> -<%= idx %> -<% end -%> - -<% @index_inc.each do |idx| -%> -<%= idx %> -<% end -%> diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index be2a900..9273ab7 100644 --- a/test/integration/master/serverspec/slapd_spec.rb 
+++ b/test/integration/master/serverspec/slapd_spec.rb @@ -79,16 +79,16 @@ # Indices (default and specified) describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbIndex') do [ - 'olcDbIndex: objectClass eq', - 'olcDbIndex: entryCSN eq', - 'olcDbIndex: entryUUID eq', - 'olcDbIndex: uidNumber eq', - 'olcDbIndex: gidNumber eq', - 'olcDbIndex: cn pres,eq,sub', - 'olcDbIndex: sn pres,eq,sub', - 'olcDbIndex: uid pres,eq,sub', - 'olcDbIndex: displayName pres,eq,sub', - 'olcDbIndex: mail pres', + 'olcDbIndex: objectClass \s*eq', + 'olcDbIndex: entryCSN \s*eq', + 'olcDbIndex: entryUUID \s*eq', + 'olcDbIndex: uidNumber \s*eq', + 'olcDbIndex: gidNumber \s*eq', + 'olcDbIndex: cn \s*pres,sub,eq', + 'olcDbIndex: sn \s*pres,sub,eq', + 'olcDbIndex: uid \s*pres,sub,eq', + 'olcDbIndex: displayName \s*pres,sub,eq', + 'olcDbIndex: mail \s*pres', ].each do |index| it { should return_stdout /#{index}/ } end diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index 662474c..7309cd5 100644 --- a/test/integration/slave/serverspec/slapd_spec.rb +++ b/test/integration/slave/serverspec/slapd_spec.rb 
@@ -84,16 +84,16 @@ # Indices (default and specified) describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbIndex') do [ - 'olcDbIndex: objectClass eq', - 'olcDbIndex: entryCSN eq', - 'olcDbIndex: entryUUID eq', - 'olcDbIndex: uidNumber eq', - 'olcDbIndex: gidNumber eq', - 'olcDbIndex: cn pres,eq,sub', - 'olcDbIndex: sn pres,eq,sub', - 'olcDbIndex: uid pres,eq,sub', - 'olcDbIndex: displayName pres,eq,sub', - 'olcDbIndex: mail pres', + 'olcDbIndex: objectClass \s*eq', + 'olcDbIndex: entryCSN \s*eq', + 'olcDbIndex: entryUUID \s*eq', + 'olcDbIndex: uidNumber \s*eq', + 'olcDbIndex: gidNumber \s*eq', + 'olcDbIndex: cn \s*pres,sub,eq', + 'olcDbIndex: sn \s*pres,sub,eq', + 'olcDbIndex: uid \s*pres,sub,eq', + 'olcDbIndex: displayName \s*pres,sub,eq', + 'olcDbIndex: mail \s*pres', ].each do |index| it { should return_stdout /#{index}/ } end From 12b2156eda1e42517d3a2cb9c998e9fc7e654819 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 26 May 2014 21:14:10 -0300 Subject: [PATCH 44/85] Do away with the last of the server config file --- manifests/server/master.pp | 10 ++++++++++ manifests/server/slave.pp | 10 ++++++++++ puppet/master/manifests/site.pp | 1 + templates/etc/ldap/slapd.conf.erb | 1 - templates/etc/openldap/slapd.conf.erb | 8 -------- test/integration/master/serverspec/slapd_spec.rb | 5 +++++ test/integration/slave/serverspec/slapd_spec.rb | 5 +++++ 7 files changed, 31 insertions(+), 9 deletions(-) delete mode 120000 templates/etc/ldap/slapd.conf.erb delete mode 100644 templates/etc/openldap/slapd.conf.erb diff --git a/manifests/server/master.pp b/manifests/server/master.pp index faa33fd..d73315c 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp 
@@ -248,6 +248,16 @@ ensure => present, } + if(!$bind_anon) { + ldapdn { "disallow_bind_anon": + dn => "cn=config", + attributes => [ + 'olcDisallows: bind_anon', + ], + ensure => present, + } + } + File { mode => '0640', owner => $ldap::params::server_owner, diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index 984259f..c1feb2d 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -306,6 +306,16 @@ ensure => present, } + if(!$bind_anon) { + ldapdn { "disallow_bind_anon": + dn => "cn=config", + attributes => [ + 'olcDisallows: bind_anon', + ], + ensure => present, + } + } + File { mode => '0640', owner => $ldap::params::server_owner, diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index 586940e..cd3853c 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -19,6 +19,7 @@ ssl_key => 'master-ldap.key', cnconfig_attrs => ['olcConcurrency: 1'], log_level => '4', + bind_anon => false, } ldapdn { 'add database': diff --git a/templates/etc/ldap/slapd.conf.erb b/templates/etc/ldap/slapd.conf.erb deleted file mode 120000 index a6581c5..0000000 --- a/templates/etc/ldap/slapd.conf.erb +++ /dev/null @@ -1 +0,0 @@ -../openldap/slapd.conf.erb \ No newline at end of file diff --git a/templates/etc/openldap/slapd.conf.erb b/templates/etc/openldap/slapd.conf.erb deleted file mode 100644 index 605a7c0..0000000 --- a/templates/etc/openldap/slapd.conf.erb +++ /dev/null @@ -1,8 +0,0 @@ -############################################################################### -# << FILE MANAGED BY PUPPET >> -# Manual changes are likey to be overwritten -############################################################################### - -<% if @bind_anon == true then -%> -allow bind_anon_dn -<% end -%> diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 9273ab7..a8a50ab 100644 --- a/test/integration/master/serverspec/slapd_spec.rb 
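Review bot: The `disallow_bind_anon` resource is only declared when `$bind_anon` is false, so once `olcDisallows: bind_anon` has been applied nothing removes it if the parameter is later set back to true; the slave.pp hunk at `@@ -306,6 +306,16 @@` has the same gap. Declaring it unconditionally with `ensure => $bind_anon ? { true => absent, default => present }` keeps the server converged in both directions, assuming `ensure => absent` on this provider removes only the listed attribute from `cn=config` rather than the entry itself (worth confirming before relying on it, since deleting `cn=config` would be fatal). The default of `$bind_anon` is outside the hunk; `if(!$bind_anon)` also treats an unset parameter as "disallow", which is the safe direction but should be documented on the parameter.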
+++ b/test/integration/master/serverspec/slapd_spec.rb @@ -161,4 +161,9 @@ describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcArgsFile') do it { should return_stdout %r{olcArgsFile: /var/run/slapd/slapd.args} } end + + # Bind Anon + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcBindAnon') do + its(:stdout) { should include 'olcDisallows: bind_anon' } + end end diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index 7309cd5..4183820 100644 --- a/test/integration/slave/serverspec/slapd_spec.rb +++ b/test/integration/slave/serverspec/slapd_spec.rb @@ -170,4 +170,9 @@ describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcArgsFile') do it { should return_stdout %r{olcArgsFile: /var/run/slapd/slapd.args} } end + + # Bind Anon + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcBindAnon') do + its(:stdout) { should_not include 'olcDisallows: bind_anon' } + end end From 1ed9a1a35c1f7c06f6d98f771199642de4b01a88 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 26 May 2014 21:14:24 -0300 Subject: [PATCH 45/85] Fix definition --- manifests/index.pp | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/manifests/index.pp b/manifests/index.pp index 07f5d60..da7a974 100644 --- a/manifests/index.pp +++ b/manifests/index.pp @@ -1,13 +1,11 @@ define ldap::index() { include ldap - define index() { - ldapdn { "${name} index": - dn => "olcDatabase={1}bdb,cn=config", - attributes => [ - "olcDbIndex: ${name}" - ], - ensure => present, - } + ldapdn { "${name} index": + dn => "olcDatabase={1}bdb,cn=config", + attributes => [ + "olcDbIndex: ${name}" + ], + ensure => present, } } From 062f4c54c8a27a6b54f17167f5d08cd0fc73b171 Mon Sep 17 00:00:00 2001 
From: Ben Langfeld Date: Mon, 26 May 2014 21:14:51 -0300 Subject: [PATCH 46/85] Indices are space sensitive --- manifests/params.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 547e7c1..e98ace9 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -56,7 +56,7 @@ $schema_prefix = "${prefix}/schema" $schema_base = [ 'core', 'cosine', 'nis', 'inetorgperson', ] $index_base = [ - 'objectClass eq', + 'objectClass eq', 'entryCSN eq', 'entryUUID eq', 'uidNumber eq', @@ -171,7 +171,7 @@ $server_run = '/var/run/openldap' $index_base = [ - 'objectclass eq', + 'objectClass eq', 'entryCSN eq', 'entryUUID eq', 'uidNumber eq', @@ -261,7 +261,7 @@ $schema_base = [ 'core', 'cosine', 'nis', 'inetorgperson', ] $modules_base = [ 'back_bdb' ] $index_base = [ - 'objectclass eq', + 'objectClass eq', 'entryCSN eq', 'entryUUID eq', 'uidNumber eq', From 4ef906b69de5394ee091c6d47a733a8ffa194a0a Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 26 May 2014 21:15:06 -0300 Subject: [PATCH 47/85] Named this attribute wrong --- test/integration/master/serverspec/slapd_spec.rb | 2 +- test/integration/slave/serverspec/slapd_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index a8a50ab..ac8adc6 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -163,7 +163,7 @@ end # Bind Anon - describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcBindAnon') do + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcDisallows') do its(:stdout) { should include 'olcDisallows: bind_anon' } end end diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index 4183820..2c94bed 100644 
--- a/test/integration/slave/serverspec/slapd_spec.rb +++ b/test/integration/slave/serverspec/slapd_spec.rb @@ -172,7 +172,7 @@ end # Bind Anon - describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcBindAnon') do + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcDisallows') do its(:stdout) { should_not include 'olcDisallows: bind_anon' } end end From b30c4f8016562f8a8badaa60c3c7219b3f573bdb Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 26 May 2014 21:18:54 -0300 Subject: [PATCH 48/85] Resource ordering here was broken --- manifests/server/master.pp | 1 - manifests/server/slave.pp | 1 - 2 files changed, 2 deletions(-) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index d73315c..f411e3e 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -238,7 +238,6 @@ ], unique_attributes => $ldap::params::cnconfig_default_attrs, ensure => present, - notify => Service[$ldap::params::service], } ldapdn { "cnconfig_attrs": diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index c1feb2d..f7f943e 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -296,7 +296,6 @@ ], unique_attributes => $ldap::params::cnconfig_default_attrs, ensure => present, - notify => Service[$ldap::params::service], } ldapdn { "cnconfig_attrs": From ee8df6b6d13f5e58b224e67a930e251d1dbe02ab Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 27 May 2014 15:26:08 -0300 Subject: [PATCH 49/85] Some OS' only have .schema schemas --- files/convertschema.sh | 87 +++++++++++++++++++++++++++++++ manifests/builtin_schema.pp | 11 ++++ manifests/params.pp | 2 - manifests/server/convertschema.pp | 12 +++++ 4 files changed, 110 insertions(+), 2 deletions(-) create mode 100644 files/convertschema.sh create mode 100644 manifests/server/convertschema.pp 
diff --git a/files/convertschema.sh b/files/convertschema.sh new file mode 100644 index 0000000..fa34b8d --- /dev/null +++ b/files/convertschema.sh 
@@ -0,0 +1,87 @@ +#!/bin/sh + +# Script to convert schema files to LDIF files +# +# OPTIONS: +# -s The input schema file to convert +# -l The resulting LDIF file +# -d A comma separated list of schema dependencies +# -sd The schema directory +# + +SCHEMAFILE="" +LDIFFILE="" +DEPS="" +SCHEMADIR="" + +while getopts "s:l:d:sd:" options; do + case $options in + s ) SCHEMAFILE=$OPTARG;; + l ) LDIFFILE=$OPTARG;; + d ) DEPS=$OPTARG;; + sd ) SCHEMADIR=$OPTARG;; + * ) echo "Specify input schema file with -s and output LDIF file with -l" + exit 1;; + esac +done + +# do we have -s? +if [ x${SCHEMAFILE} = "x" ]; then + echo "Please specify a input schema file with -s" + exit 1 +fi + +# do we have -l? +if [ x${LDIFFILE} = "x" ]; then + echo "Please specify an output LDIF file with -l" + exit 1 +fi + +# can we write to -l? +if [ -f ${LDIFFILE} ]; then + if [ ! -w ${LDIFFILE} ]; then + echo "Cannot write to ${LDIFFILE}" + exit 1 + fi +else + if [ ! -w `dirname ${LDIFFILE}` ]; then + echo "Cannot write to `dirname ${LDIFFILE}` to create ${LDIFFILE}" + exit 1 + fi +fi + +# do we have -sd? +if [ x${SCHEMADIR} = "x" ]; then + SCHEMADIR=/etc/ldap/schema +fi + +# Get the base name of the schema file +BASENAME=`basename ${SCHEMAFILE} | cut -d'.' 
-f1` + +# Create a temporary config file and directory to set the schemas to process +TEMPDIR=$(mktemp -d) || exit 1 +TEMPFILE=$(tempfile -d ${TEMPDIR}) || exit 1 + +# Add all of the dependencies +for dep in `echo ${DEPS} | sed s/,/\\\n/g`; do + if [ -f "${SCHEMADIR}/${dep}.schema" ]; then + echo "include ${SCHEMADIR}/${dep}.schema" >> ${TEMPFILE} + fi +done +echo "include ${SCHEMAFILE}" >> ${TEMPFILE} + +# Determine the index of the schema +SCHEMAINDEX=$(slapcat -f ${TEMPFILE} -F ${TEMPDIR} -n 0 | grep "${BASENAME},cn=schema") +SCHEMADN=$(echo "${SCHEMAINDEX}" | sed 's/dn: //g') + +# Convert the schema to LDIF format +slapcat -f ${TEMPFILE} -F ${TEMPDIR} -n 0 -H ldap:///${SCHEMADN} -l ${TEMPDIR}/cn=${BASENAME}.ldif || exit 1 + +# Remove index information +sed -e "s/{[0-9]*}${BASENAME}/${BASENAME}/g" \ + -e "/^structuralObjectClass:/d; /^entryUUID:/d; /^creatorsName:/d; /^createTimestamp:/d" \ + -e "/^entryCSN:/d; /^modifiersName:/d; /^creatorsName:/d; /^modifyTimestamp:/d" \ + ${TEMPDIR}/cn=${BASENAME}.ldif > ${LDIFFILE} + +# Cleanup resources +rm -rf -- "${TEMPDIR}" diff --git a/manifests/builtin_schema.pp b/manifests/builtin_schema.pp index 7d2227a..a4ea35d 100644 --- a/manifests/builtin_schema.pp +++ b/manifests/builtin_schema.pp 
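Review bot: `getopts "s:l:d:sd:"` cannot declare a two-letter option, so the `sd )` branch is unreachable and `-sd /some/dir` is consumed as `-s` with argument `d`, leaving `SCHEMADIR` stuck at the `/etc/ldap/schema` default. Renaming it to a single letter fixes the parser: `while getopts "s:l:d:S:" options; do`, `S ) SCHEMADIR=$OPTARG;;`, plus the matching `# -S The schema directory` line in the header comment. `TEMPDIR` is only removed on the success path and the script's exit status is that of the final `rm`, so a failed `sed` (whose redirection has already created `${LDIFFILE}`) is reported as success; `trap 'rm -rf -- "${TEMPDIR}"' EXIT` right after the `mktemp -d` line and `|| exit 1` on the `sed` command address both. The `grep "${BASENAME},cn=schema"` lookup is unchecked as well, so an empty `SCHEMADN` sends the second `slapcat` after `ldap:///`, which presumably exports far more than one schema into the output file; `[ -n "${SCHEMADN}" ] || exit 1` guards that. Every `${LDIFFILE}`, `${TEMPFILE}` and `${SCHEMADN}` expansion is also unquoted, which breaks on paths containing whitespace.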
@@ -1,7 +1,18 @@ define ldap::builtin_schema() { + include ldap::server::convertschema + + # Create the LDIF file from the conversion script + exec { "convert_schema_${name}_to_ldif": + cwd => $ldap::params::schema_prefix, + creates => "${ldap::params::schema_prefix}/${name}.ldif", + command => "${ldap::params::prefix}/convertschema.sh -s ${name}.schema -l ${name}.ldif", + require => File["${ldap::params::prefix}/convertschema.sh"], + } + exec { "load_schema_${name}": cwd => $ldap::params::schema_prefix, command => "/usr/bin/ldapadd -QY EXTERNAL -H ldapi:/// < ${name}.ldif", unless => "/usr/bin/ldapsearch -QY EXTERNAL -H ldapi:/// -b 'cn=schema,cn=config' '(cn=*${name})' | grep 'numEntries: 1'", + require => Exec["convert_schema_${name}_to_ldif"], } } diff --git a/manifests/params.pp b/manifests/params.pp index e98ace9..d507af4 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,8 +1,6 @@ class ldap::params { - $moduledir = "${::puppet_vardir}/ldap" - case $::osfamily { 'Debian' : { diff --git a/manifests/server/convertschema.pp b/manifests/server/convertschema.pp new file mode 100644 index 0000000..623e74d --- /dev/null +++ b/manifests/server/convertschema.pp @@ -0,0 +1,12 @@ +class ldap::server::convertschema() { + + # Upload the conversion script for the schemas + file { "${ldap::params::prefix}/convertschema.sh": + owner => 'root', + group => 'root', + mode => '0750', + source => 'puppet:///modules/ldap/convertschema.sh', + require => File[$ldap::params::prefix], + } + +} From 6d79156594c37c1924066d0018d57369b55e574e Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 27 May 2014 16:07:39 -0300 Subject: [PATCH 50/85] TLS config can only take a single value --- manifests/params.pp | 36 +++++++++--------------------------- 1 file changed, 9 insertions(+), 27 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index d507af4..9d8ac4c 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
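Review bot: `creates => "${ldap::params::schema_prefix}/${name}.ldif"` makes the conversion one-shot: once the file exists it is never regenerated, neither when `${name}.schema` changes with a package update nor when an earlier run left a truncated file (the script ends with an unchecked `rm`, so a `sed` failure still satisfies this exec). Replacing `creates` with `unless => "/usr/bin/test ${name}.ldif -nt ${name}.schema"` re-runs the conversion whenever the input is newer than the output and still runs it on first use. `${name}` is also interpolated into a shell command line unquoted; titles come from the module's own `schema_inc` parameter rather than from outside, so this is mostly hygiene, but a `validate_re($name, '^[A-Za-z0-9_.-]+$')` at the top of the define would keep shell metacharacters out of it.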
@@ -65,15 +65,6 @@ 'displayName pres,sub,eq', ] - # - # olcTLS* attributes are not defined here - # because they do have their own behavior - # according to the puppet module parameters - # - # olcTLSCACertificatePath = $ssl_ca - # olcTLSCertificateFile = $ssl_cert - # olcTLSCertificateKeyFile = $ssl_key - # $cnconfig_default_attrs = [ 'olcConfigFile', 'olcConfigDir', @@ -98,6 +89,9 @@ 'olcSaslSecProps', 'olcSockbufMaxIncoming', 'olcSockbufMaxIncomingAuth', + 'olcTLSCACertificateFile', + 'olcTLSCertificateKeyFile', + 'olcTLSCertificateFile', 'olcTLSVerifyClient', 'olcThreads', 'olcToolThreads', @@ -180,15 +174,6 @@ 'displayName pres,sub,eq', ] - # - # olcTLS* attributes are not defined here - # because they do have their own behavior - # according to the puppet module parameters - # - # olcTLSCACertificatePath = $ssl_ca - # olcTLSCertificateFile = $ssl_cert - # olcTLSCertificateKeyFile = $ssl_key - # $cnconfig_default_attrs = [ 'olcConfigFile', 'olcConfigDir', @@ -213,6 +198,9 @@ 'olcSaslSecProps', 'olcSockbufMaxIncoming', 'olcSockbufMaxIncomingAuth', + 'olcTLSCACertificateFile', + 'olcTLSCertificateKeyFile', + 'olcTLSCertificateFile', 'olcTLSVerifyClient', 'olcThreads', 'olcToolThreads', @@ -270,15 +258,6 @@ 'displayName pres,sub,eq', ] - # - # olcTLS* attributes are not defined here - # because they do have their own behavior - # according to the puppet module parameters - # - # olcTLSCACertificatePath = $ssl_ca - # olcTLSCertificateFile = $ssl_cert - # olcTLSCertificateKeyFile = $ssl_key - # $cnconfig_default_attrs = [ 'olcConfigFile', 'olcConfigDir', @@ -303,6 +282,9 @@ 'olcSaslSecProps', 'olcSockbufMaxIncoming', 'olcSockbufMaxIncomingAuth', + 'olcTLSCACertificateFile', + 'olcTLSCertificateKeyFile', + 'olcTLSCertificateFile', 'olcTLSVerifyClient', 'olcThreads', 'olcToolThreads', From ce3f037a44e7c60b5cf138885ee29e7da270e29b Mon Sep 17 00:00:00 2001 
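Review bot: The three added `olcTLS*` entries go into three identical copies of `$cnconfig_default_attrs`, one per branch of the `$::osfamily` case that starts outside these hunks, and the `objectclass`/`objectClass` fix in the preceding commit is exactly the kind of drift such copies produce. Nothing in the list is platform-specific as far as this series shows, so a single definition above the case would leave one copy to maintain. With the explanatory comment deleted, a one-line note above the list, `# single-valued attributes: listed here so the provider replaces the value instead of appending`, would preserve why the TLS attributes now belong in it, assuming that is what `unique_attributes` does in this provider.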
From: Ben Langfeld Date: Tue, 27 May 2014 16:07:54 -0300 Subject: [PATCH 51/85] `tempfile` is not present on CentOS --- files/convertschema.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/convertschema.sh b/files/convertschema.sh index fa34b8d..fe2dc7e 100644 --- a/files/convertschema.sh +++ b/files/convertschema.sh @@ -60,7 +60,7 @@ BASENAME=`basename ${SCHEMAFILE} | cut -d'.' -f1` # Create a temporary config file and directory to set the schemas to process TEMPDIR=$(mktemp -d) || exit 1 -TEMPFILE=$(tempfile -d ${TEMPDIR}) || exit 1 +TEMPFILE=$(mktemp -p ${TEMPDIR}) || exit 1 # Add all of the dependencies for dep in `echo ${DEPS} | sed s/,/\\\n/g`; do From c532a9d344929c44405568f6037d9b36acb246ca Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 27 May 2014 16:13:41 -0300 Subject: [PATCH 52/85] Main DB DN varies between OS' --- manifests/index.pp | 2 +- manifests/params.pp | 4 ++++ manifests/server/master.pp | 4 ++-- manifests/server/slave.pp | 6 +++--- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/manifests/index.pp b/manifests/index.pp index da7a974..367f047 100644 --- a/manifests/index.pp +++ b/manifests/index.pp @@ -2,7 +2,7 @@ include ldap ldapdn { "${name} index": - dn => "olcDatabase={1}bdb,cn=config", + dn => $ldap::params::main_db_dn, attributes => [ "olcDbIndex: ${name}" ], diff --git a/manifests/params.pp b/manifests/params.pp index 9d8ac4c..0308e06 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -23,6 +23,8 @@ $ssl_prefix = '/etc/ssl/certs' $server_run = '/var/run/slapd' + $main_db_dn = 'olcDatabase={1}bdb,cn=config' + case $::operatingsystemmajrelease { 5 : { @@ -112,6 +114,8 @@ $server_package = [ 'openldap-servers' ] $server_config = 'slapd.conf' + $main_db_dn = 'olcDatabase={2}bdb,cn=config' + case $::operatingsystemmajrelease { 5 : { $service = 'ldap' diff --git a/manifests/server/master.pp b/manifests/server/master.pp index f411e3e..64f2a15 100644 --- a/manifests/server/master.pp 
+++ b/manifests/server/master.pp @@ -175,7 +175,7 @@ } ldapdn { "database config": - dn => "olcDatabase={1}bdb,cn=config", + dn => $ldap::params::main_db_dn, attributes => [ 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=foo,dc=bar" read by self write by anonymous auth by * none', @@ -212,7 +212,7 @@ if($syncprov) { ldapdn { "syncprov_config": - dn => "olcOverlay=syncprov,olcDatabase={1}bdb,cn=config", + dn => "olcOverlay=syncprov,${ldap::params::main_db_dn}", attributes => [ 'objectClass: olcOverlayConfig', 'objectClass: olcSyncProvConfig', diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index f7f943e..7ce6a9a 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -227,7 +227,7 @@ } ldapdn { "database config": - dn => "olcDatabase={1}bdb,cn=config", + dn => $ldap::params::main_db_dn, attributes => [ 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by self write by anonymous auth by * none', @@ -263,7 +263,7 @@ ldap::builtin_schema { $schema_inc: } ldapdn { "syncrepl": - dn => "olcDatabase={1}bdb,cn=config", + dn => $ldap::params::main_db_dn, attributes => [ "olcSyncrepl: rid=${sync_rid} provider=${sync_provider} bindmethod=simple timeout=0 network-timeout=0 binddn=\"${sync_binddn}\" credentials=\"${sync_bindpw}\" keepalive=0:0:0 starttls=no filter=\"${sync_filter}\" searchbase=\"${sync_base}\" scope=${sync_scope} attrs=\"${sync_attrs}\" schemachecking=off type=${sync_type} interval=${sync_interval} retry=undefined", "olcLimits: dn.exact=\"${sync_binddn}\" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited", 
@@ -276,7 +276,7 @@ } ldapdn { "updateref": - dn => "olcDatabase={1}bdb,cn=config", + dn => $ldap::params::main_db_dn, attributes => [ "olcUpdateRef: ${sync_provider}", ], From d1023e4e8316fa4a2f7553b4dfecbe4769944048 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 27 May 2014 16:13:54 -0300 Subject: [PATCH 53/85] Schema conversion requires the server to be up --- manifests/builtin_schema.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/builtin_schema.pp b/manifests/builtin_schema.pp index a4ea35d..141ac78 100644 --- a/manifests/builtin_schema.pp +++ b/manifests/builtin_schema.pp @@ -6,7 +6,7 @@ cwd => $ldap::params::schema_prefix, creates => "${ldap::params::schema_prefix}/${name}.ldif", command => "${ldap::params::prefix}/convertschema.sh -s ${name}.schema -l ${name}.ldif", - require => File["${ldap::params::prefix}/convertschema.sh"], + require => [Package[$ldap::params::server_package], File["${ldap::params::prefix}/convertschema.sh"]], } exec { "load_schema_${name}": From f686d729b8cb84dfff3d7fdb853189c24741e559 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 27 May 2014 18:04:47 -0300 Subject: [PATCH 54/85] We need to be smarter about managing indices They can't be replaced as easily because they have complex values --- lib/puppet/provider/ldapdn/ldapdn.rb | 7 ++++++- puppet/master/manifests/site.pp | 2 +- puppet/slave/manifests/site.pp | 2 +- test/integration/master/serverspec/slapd_spec.rb | 2 +- test/integration/slave/serverspec/slapd_spec.rb | 2 +- 5 files changed, 10 insertions(+), 5 deletions(-) diff --git a/lib/puppet/provider/ldapdn/ldapdn.rb b/lib/puppet/provider/ldapdn/ldapdn.rb index 834618f..9d2f52e 100644 --- a/lib/puppet/provider/ldapdn/ldapdn.rb +++ b/lib/puppet/provider/ldapdn/ldapdn.rb @@ -2,6 +2,8 @@ require 'tempfile' Puppet::Type.type(:ldapdn).provide :ldapdn do + INDEX_KEY_MATCHER = /(\S*)\s* .*/ + desc "" commands :ldapmodifycmd => "/usr/bin/ldapmodify" 
@@ -146,10 +148,13 @@ def ldap_work_to_do(asserted_attributes)
 Puppet.debug("check() #{current_key}: #{current_value} <===> #{current_key}: #{asserted_value}")
 same_as_an_asserted_value = true if asserted_value == current_value
 same_as_an_asserted_value = true if asserted_value.clone.gsub(/^\{.*?\}/, "") == current_value.clone.gsub(/^\{.*?\}/, "")
+ if current_key == 'olcDbIndex' && asserted_value.match(INDEX_KEY_MATCHER)[1] == current_value.match(INDEX_KEY_MATCHER)[1]
+ same_as_an_asserted_value = true
+ end
 end
 if same_as_an_asserted_value
 Puppet.debug("asserted and found: #{current_key}: #{current_value}")
- work_to_do[current_key] << [ :delete ] if resource[:ensure] == :absent
+ work_to_do[current_key] << [ :delete ] if resource[:ensure] == :absent || current_key == 'olcDbIndex'
 found_attributes[current_key] << current_value.clone.gsub(/^\{.*?\}/, "")
 else
 Puppet.debug("not asserted: #{current_key}: #{current_value}")
diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp
index cd3853c..ee432a3 100644
--- a/puppet/master/manifests/site.pp
+++ b/puppet/master/manifests/site.pp
@@ -10,7 +10,7 @@
 rootpw => 'password',
 schema_inc => ['ppolicy'],
 modules_inc => ['ppolicy', 'syncprov'],
- index_inc => ['mail pres'],
+ index_inc => ['title pres'],
 syncprov => true,
 sync_binddn => 'cn=sync,dc=foo,dc=bar',
 ssl => true,
diff --git a/puppet/slave/manifests/site.pp b/puppet/slave/manifests/site.pp
index dc13378..52c4c30 100644
--- a/puppet/slave/manifests/site.pp
+++ b/puppet/slave/manifests/site.pp
@@ -10,7 +10,7 @@
 rootpw => 'password',
 schema_inc => ['ppolicy'],
 modules_inc => ['ppolicy', 'syncprov'],
- index_inc => ['mail pres'],
+ index_inc => ['title pres'],
 sync_provider => 'ldapi:///',
 sync_binddn => 'cn=sync,dc=foo,dc=bar',
 sync_bindpw => 'foobar',
diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb
index ac8adc6..5bd7aba 100644
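Review bot: `asserted_value.match(INDEX_KEY_MATCHER)[1]` raises NoMethodError on nil whenever an `olcDbIndex` value contains no space (the pattern `/(\S*)\s* .*/` requires a literal space), which would abort the whole provider run instead of reporting one mismatched index; `String#[]` with a regexp returns nil instead of raising, e.g. `index_key = asserted_value[/\A\S+/]` and `if current_key == 'olcDbIndex' && index_key && index_key == current_value[/\A\S+/]`. The new `|| current_key == 'olcDbIndex'` on the delete line schedules a delete for every matching index on every run, even when asserted and current values are byte-identical, so a run is never a no-op for indices — presumably the re-add happens elsewhere in `ldap_work_to_do`, which starts and ends outside this hunk; restricting the delete to the case where the values actually differ would keep runs idempotent, though `asserted_value` is block-local to the inner loop and the matching value would have to be captured into a local before that `end`. A comment on `INDEX_KEY_MATCHER` in the earlier hunk, `# olcDbIndex values are "<attr> <flags>"; compare on <attr> so a changed flag set replaces the index rather than adding a second one`, would record why this key is special-cased.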
--- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -88,7 +88,7 @@ 'olcDbIndex: sn \s*pres,sub,eq', 'olcDbIndex: uid \s*pres,sub,eq', 'olcDbIndex: displayName \s*pres,sub,eq', - 'olcDbIndex: mail \s*pres', + 'olcDbIndex: title \s*pres', ].each do |index| it { should return_stdout /#{index}/ } end diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index 2c94bed..ab8a1ab 100644 --- a/test/integration/slave/serverspec/slapd_spec.rb +++ b/test/integration/slave/serverspec/slapd_spec.rb @@ -93,7 +93,7 @@ 'olcDbIndex: sn \s*pres,sub,eq', 'olcDbIndex: uid \s*pres,sub,eq', 'olcDbIndex: displayName \s*pres,sub,eq', - 'olcDbIndex: mail \s*pres', + 'olcDbIndex: title \s*pres', ].each do |index| it { should return_stdout /#{index}/ } end From 15de2a346eb42c760e30adbc02539529b3d915c7 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 27 May 2014 18:05:11 -0300 Subject: [PATCH 55/85] We don't actually care about these values They're really read-only anyway --- test/integration/master/serverspec/slapd_spec.rb | 10 ---------- test/integration/slave/serverspec/slapd_spec.rb | 10 ---------- 2 files changed, 20 deletions(-) diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 5bd7aba..16b1092 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb 
@@ -62,16 +62,6 @@ end # DB performance tweaks are set - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbConfig') do - [ - 'set_cachesize\s*0 2097152 0', - 'set_lk_max_objects\s*1500', - 'set_lk_max_locks\s*1500', - 'set_lk_max_lockers\s*1500', - ].each do |tweak| - it { should return_stdout /#{tweak}/ } - end - end describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbCheckpoint') do it { should return_stdout /512 30/ } end diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index ab8a1ab..d3641dc 100644 --- a/test/integration/slave/serverspec/slapd_spec.rb +++ b/test/integration/slave/serverspec/slapd_spec.rb @@ -67,16 +67,6 @@ end # DB performance tweaks are set - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbConfig') do - [ - 'set_cachesize\s*0 2097152 0', - 'set_lk_max_objects\s*1500', - 'set_lk_max_locks\s*1500', - 'set_lk_max_lockers\s*1500', - ].each do |tweak| - it { should return_stdout /#{tweak}/ } - end - end describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbCheckpoint') do it { should return_stdout /512 30/ } end From 3b82d4c9e5debf4c9cd3cfa5fc4f19628cf17b09 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 27 May 2014 18:05:28 -0300 Subject: [PATCH 56/85] Runfiles are stored in different places on CentOS --- test/integration/master/serverspec/slapd_spec.rb | 13 +++++++++++-- test/integration/slave/serverspec/slapd_spec.rb | 13 +++++++++++-- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 16b1092..35bfc1b 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb 
@@ -142,14 +142,23 @@ it { should return_stdout %r{olcLogLevel: 4} } end + let(:run_dir) do + case property[:os_by_host]['localhost'][:family] + when /redhat/i + '/var/run/openldap' + else + '/var/run/slapd' + end + end + # PID file describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcPidFile') do - it { should return_stdout %r{olcPidFile: /var/run/slapd/slapd.pid} } + it { should return_stdout %r{olcPidFile: #{run_dir}/slapd.pid} } end # Args file describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcArgsFile') do - it { should return_stdout %r{olcArgsFile: /var/run/slapd/slapd.args} } + it { should return_stdout %r{olcArgsFile: #{run_dir}/slapd.args} } end # Bind Anon diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index d3641dc..4fd9e99 100644 --- a/test/integration/slave/serverspec/slapd_spec.rb +++ b/test/integration/slave/serverspec/slapd_spec.rb @@ -151,14 +151,23 @@ it { should return_stdout %r{olcLogLevel: 4} } end + let(:run_dir) do + case property[:os_by_host]['localhost'][:family] + when /redhat/i + '/var/run/openldap' + else + '/var/run/slapd' + end + end + # PID file describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcPidFile') do - it { should return_stdout %r{olcPidFile: /var/run/slapd/slapd.pid} } + it { should return_stdout %r{olcPidFile: #{run_dir}/slapd.pid} } end # Args file describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcArgsFile') do - it { should return_stdout %r{olcArgsFile: /var/run/slapd/slapd.args} } + it { should return_stdout %r{olcArgsFile: #{run_dir}/slapd.args} } end # Bind Anon From eecf77ae176a9f4d2322a1d028d80621030f611c Mon Sep 17 00:00:00 2001 
From: Ben Langfeld Date: Tue, 27 May 2014 18:06:52 -0300 Subject: [PATCH 57/85] Setup the database correctly on CentOS These parts aren't seeded like on Debian --- manifests/server/master.pp | 4 ++++ manifests/server/slave.pp | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 64f2a15..e87bfb3 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -182,11 +182,15 @@ 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=foo,dc=bar" read by * read', 'olcAccess: to dn.subtree="dc=foo,dc=bar" by dn.base="cn=sync,dc=foo,dc=bar" read by self read by * read', 'olcLastMod: TRUE', + "olcSuffix: ${suffix}", + "olcRootDN: ${rootdn}", "olcRootPW: ${rootpw}", ], unique_attributes => [ 'olcAccess', 'olcLastMod', + 'olcSuffix', + 'olcRootDN', 'olcRootPW', ], ensure => present, diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index 7ce6a9a..e571f0f 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -234,11 +234,15 @@ 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by * read', 'olcAccess: to dn.subtree="dc=foo,dc=bar" by self read by * read', 'olcLastMod: TRUE', + "olcSuffix: ${suffix}", + "olcRootDN: ${rootdn}", "olcRootPW: ${rootpw}", ], unique_attributes => [ 'olcAccess', 'olcLastMod', + 'olcSuffix', + 'olcRootDN', 'olcRootPW', ], ensure => present, From 78c0dc6fe33dde6b55589f4585ebbabae0f75a46 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 27 May 2014 18:07:17 -0300 Subject: [PATCH 58/85] CentOS doesn't load any modules by default --- manifests/module.pp | 1 + manifests/server/master.pp | 2 ++ manifests/server/slave.pp | 2 ++ 3 files changed, 5 insertions(+) diff --git a/manifests/module.pp b/manifests/module.pp index 1086488..5a92601 100644 --- a/manifests/module.pp 
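Review bot: With `olcSuffix`/`olcRootDN` now asserted next to `"olcRootPW: ${rootpw}"` (here and in the matching slave.pp hunk), nothing documents that `$rootpw` has to be a pre-hashed value; a clear-text value is written as-is into cn=config and, judging by the provider's `Puppet.debug("check() … <===> …")` line elsewhere in this series, echoed into debug output on every comparison. Suggest a comment on the olcRootPW line: `# $rootpw should be a pre-hashed value (e.g. {SSHA} from slappasswd); the ldapdn provider logs asserted values at debug level`. The enclosing `ldapdn { "database config": }` resource begins outside the hunk.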
+++ b/manifests/module.pp @@ -7,5 +7,6 @@ "olcModuleLoad: ${name}" ], ensure => present, + require => Ldapdn['module config'], } } diff --git a/manifests/server/master.pp b/manifests/server/master.pp index e87bfb3..0b480d7 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -199,6 +199,8 @@ ldapdn { "module config": dn => "cn=module{0},cn=config", attributes => [ + 'objectClass: olcModuleList', + 'cn: module{0}', "olcModulePath: ${ldap::params::module_prefix}", ], unique_attributes => ['olcModulePath'], diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index e571f0f..f86e86e 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -254,6 +254,8 @@ ldapdn { "module config": dn => "cn=module{0},cn=config", attributes => [ + 'objectClass: olcModuleList', + 'cn: module{0}', "olcModulePath: ${ldap::params::module_prefix}", ], unique_attributes => ['olcModulePath'], From 364c78be5f22f9c0d26988bde06118ed14d9fe8d Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 27 May 2014 18:07:36 -0300 Subject: [PATCH 59/85] Only create one syncprov config instance --- manifests/server/master.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 0b480d7..59d58ce 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -218,7 +218,7 @@ if($syncprov) { ldapdn { "syncprov_config": - dn => "olcOverlay=syncprov,${ldap::params::main_db_dn}", + dn => "olcOverlay={0}syncprov,${ldap::params::main_db_dn}", attributes => [ 'objectClass: olcOverlayConfig', 'objectClass: olcSyncProvConfig', From b04107cf6cf7407cbf4cff1c472f6408f3b3f2cf Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Tue, 27 May 2014 18:08:38 -0300 Subject: [PATCH 60/85] DB Checkpoint isn't always set --- manifests/server/master.pp | 2 ++ manifests/server/slave.pp | 2 ++ 2 files changed, 4 insertions(+) 
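Review bot: The new `require => Ldapdn['module config']` inside the `ldap::module` define ties it to a resource that is only declared by the master.pp/slave.pp classes in the following hunks; declaring `ldap::module` from anywhere else now fails catalog compilation with a missing dependency. Either document that contract in the define, `# requires Ldapdn['module config'] as declared by the server master/slave classes`, or move the `cn=module{0},cn=config` resource into a scope the define itself includes. The define's body starts outside the hunk.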
diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 59d58ce..75b3f5e 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -181,6 +181,7 @@ 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=foo,dc=bar" read by self write by anonymous auth by * none', 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=foo,dc=bar" read by * read', 'olcAccess: to dn.subtree="dc=foo,dc=bar" by dn.base="cn=sync,dc=foo,dc=bar" read by self read by * read', + 'olcDbCheckpoint: 512 30', 'olcLastMod: TRUE', "olcSuffix: ${suffix}", "olcRootDN: ${rootdn}", @@ -188,6 +189,7 @@ ], unique_attributes => [ 'olcAccess', + 'olcDbCheckpoint', 'olcLastMod', 'olcSuffix', 'olcRootDN', diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index f86e86e..437573d 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -233,6 +233,7 @@ 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by self write by anonymous auth by * none', 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by * read', 'olcAccess: to dn.subtree="dc=foo,dc=bar" by self read by * read', + 'olcDbCheckpoint: 512 30', 'olcLastMod: TRUE', "olcSuffix: ${suffix}", "olcRootDN: ${rootdn}", @@ -240,6 +241,7 @@ ], unique_attributes => [ 'olcAccess', + 'olcDbCheckpoint', 'olcLastMod', 'olcSuffix', 'olcRootDN', From b31574f1e887a9cedada82d5e977e27f1aa9313f Mon Sep 17 00:00:00 2001 
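Review bot: `'olcDbCheckpoint: 512 30'` is a hard-coded tuning value in both the master.pp and slave.pp hunks, whereas comparable knobs such as `${syncprov_checkpoint}` are apparently class parameters; a `$db_checkpoint = '512 30'` parameter interpolated as `"olcDbCheckpoint: ${db_checkpoint}"` would keep the two manifests consistent and give the serverspec expectation `/512 30/` a single source of truth. The enclosing `ldapdn { "database config": }` resource starts before the hunk.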
From: Ben Langfeld Date: Wed, 28 May 2014 12:53:34 -0300 Subject: [PATCH 61/85] Manage indices as a batch since they can't easily be replaced individually --- lib/puppet/provider/ldapdn/ldapdn.rb | 7 +------ manifests/index.pp | 11 ----------- manifests/server/master.pp | 13 +++++++++++-- manifests/server/slave.pp | 13 +++++++++++-- 4 files changed, 23 insertions(+), 21 deletions(-) delete mode 100644 manifests/index.pp diff --git a/lib/puppet/provider/ldapdn/ldapdn.rb b/lib/puppet/provider/ldapdn/ldapdn.rb index 9d2f52e..834618f 100644 --- a/lib/puppet/provider/ldapdn/ldapdn.rb +++ b/lib/puppet/provider/ldapdn/ldapdn.rb @@ -2,8 +2,6 @@ require 'tempfile' Puppet::Type.type(:ldapdn).provide :ldapdn do - INDEX_KEY_MATCHER = /(\S*)\s* .*/ - desc "" commands :ldapmodifycmd => "/usr/bin/ldapmodify" @@ -148,13 +146,10 @@ def ldap_work_to_do(asserted_attributes) Puppet.debug("check() #{current_key}: #{current_value} <===> #{current_key}: #{asserted_value}") same_as_an_asserted_value = true if asserted_value == current_value same_as_an_asserted_value = true if asserted_value.clone.gsub(/^\{.*?\}/, "") == current_value.clone.gsub(/^\{.*?\}/, "") - if current_key == 'olcDbIndex' && asserted_value.match(INDEX_KEY_MATCHER)[1] == current_value.match(INDEX_KEY_MATCHER)[1] - same_as_an_asserted_value = true - end end if same_as_an_asserted_value Puppet.debug("asserted and found: #{current_key}: #{current_value}") - work_to_do[current_key] << [ :delete ] if resource[:ensure] == :absent || current_key == 'olcDbIndex' + work_to_do[current_key] << [ :delete ] if resource[:ensure] == :absent found_attributes[current_key] << current_value.clone.gsub(/^\{.*?\}/, "") else Puppet.debug("not asserted: #{current_key}: #{current_value}") diff --git a/manifests/index.pp b/manifests/index.pp deleted file mode 100644 index 367f047..0000000 --- a/manifests/index.pp +++ /dev/null 
@@ -1,11 +0,0 @@ -define ldap::index() { - include ldap - - ldapdn { "${name} index": - dn => $ldap::params::main_db_dn, - attributes => [ - "olcDbIndex: ${name}" - ], - ensure => present, - } -} diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 75b3f5e..2f76f44 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -209,8 +209,17 @@ ensure => present, } - ldap::index { $ldap::params::index_base: } - ldap::index { $index_inc: } + $index_base = $ldap::params::index_base + $indices = split(inline_template("<%= (@index_base + @index_inc).map { |index| \"olcDbIndex: #{index}\" }.join(';') %>"),';') + + ldapdn { "indices": + dn => $ldap::params::main_db_dn, + attributes => $indices, + unique_attributes => [ + 'olcDbIndex', + ], + ensure => present, + } ldap::module { $ldap::params::modules_base: } ldap::module { $modules_inc: } diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index 437573d..c8a6010 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -250,8 +250,17 @@ ensure => present, } - ldap::index { $ldap::params::index_base: } - ldap::index { $index_inc: } + $index_base = $ldap::params::index_base + $indices = split(inline_template("<%= (@index_base + @index_inc).map { |index| \"olcDbIndex: #{index}\" }.join(';') %>"),';') + + ldapdn { "indices": + dn => $ldap::params::main_db_dn, + attributes => $indices, + unique_attributes => [ + 'olcDbIndex', + ], + ensure => present, + } ldapdn { "module config": dn => "cn=module{0},cn=config", From d70b1719bf9b21b8800c3dc2313a8e5e1f3f6ce4 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Wed, 28 May 2014 12:55:08 -0300 Subject: [PATCH 62/85] Proper capitalisation --- manifests/server/master.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 2f76f44..4cea47e 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp 
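Review bot: `$indices` is built by joining the index specs with `;` inside `inline_template` and splitting them again with `split(..., ';')`, so any index spec containing a `;` is silently broken into two bogus `olcDbIndex` values, and `@index_base + @index_inc` raises inside the template if `$index_inc` is ever undef rather than an array. If the pinned stdlib provides `concat`/`prefix`, `prefix(concat($index_base, $index_inc), 'olcDbIndex: ')` avoids the round trip entirely; otherwise guard `$index_inc` (stdlib's `validate_array`, if available) before the template. The same construct is duplicated in the slave.pp hunk, and both sit inside a class body that starts outside the hunk.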
@@ -235,7 +235,7 @@ 'objectClass: olcSyncProvConfig', 'olcOverlay: syncprov', "olcSpCheckpoint: ${syncprov_checkpoint}", - "olcSpSessionLog: ${syncprov_sessionlog}", + "olcSpSessionlog: ${syncprov_sessionlog}", ], unique_attributes => [ 'olcOverlay', From 18bc068b048c2557cad01024d5ee83f2f95fe9ca Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Wed, 28 May 2014 13:34:32 -0300 Subject: [PATCH 63/85] Ensure that syncprov config can be created cleanly --- lib/puppet/provider/ldapdn/ldapdn.rb | 184 ++++++++++++++++++++++++++- 1 file changed, 181 insertions(+), 3 deletions(-) diff --git a/lib/puppet/provider/ldapdn/ldapdn.rb b/lib/puppet/provider/ldapdn/ldapdn.rb index 834618f..4244412 100644 --- a/lib/puppet/provider/ldapdn/ldapdn.rb +++ b/lib/puppet/provider/ldapdn/ldapdn.rb 
@@ -1,6 +1,184 @@ require 'puppet/provider' require 'tempfile' +module PuppetLDAP + # This is shamelessly stolen from ActiveSuport 3.2 until Puppet moves to Ruby 1.9. It is required to prevent declared attributes being reordered (eg objectClass being moved from first position). + + class OrderedHash < ::Hash + # Returns true to make sure that this hash is extractable via Array#extract_options! + def extractable_options? + true + end + + # Hash is ordered in Ruby 1.9! + if RUBY_VERSION < '1.9' + + # In MRI the Hash class is core and written in C. In particular, methods are + # programmed with explicit C function calls and polymorphism is not honored. + # + # For example, []= is crucial in this implementation to maintain the @keys + # array but hash.c invokes rb_hash_aset() originally. This prevents method + # reuse through inheritance and forces us to reimplement stuff. + # + # For instance, we cannot use the inherited #merge! because albeit the algorithm + # itself would work, our []= is not being called at all by the C code. + + def initialize(*args, &block) + super + @keys = [] + end + + def self.[](*args) + ordered_hash = new + + if (args.length == 1 && args.first.is_a?(Array)) + args.first.each do |key_value_pair| + next unless (key_value_pair.is_a?(Array)) + ordered_hash[key_value_pair[0]] = key_value_pair[1] + end + + return ordered_hash + end + + unless (args.size % 2 == 0) + raise ArgumentError.new("odd number of arguments for Hash") + end + + args.each_with_index do |val, ind| + next if (ind % 2 != 0) + ordered_hash[val] = args[ind + 1] + end + + ordered_hash + end + + def initialize_copy(other) + super + # make a deep copy of keys + @keys = other.keys + end + + def []=(key, value) + @keys << key unless has_key?(key) + super + end + + def delete(key) + if has_key? key + index = @keys.index(key) + @keys.delete_at index + end + super + end + + def delete_if + super + sync_keys! + self + end + + def reject! + super + sync_keys! 
+ self + end + + def reject(&block) + dup.reject!(&block) + end + + def keys + @keys.dup + end + + def values + @keys.collect { |key| self[key] } + end + + def to_hash + self + end + + def to_a + @keys.map { |key| [ key, self[key] ] } + end + + def each_key + return to_enum(:each_key) unless block_given? + @keys.each { |key| yield key } + self + end + + def each_value + return to_enum(:each_value) unless block_given? + @keys.each { |key| yield self[key]} + self + end + + def each + return to_enum(:each) unless block_given? + @keys.each {|key| yield [key, self[key]]} + self + end + + def each_pair + return to_enum(:each_pair) unless block_given? + @keys.each {|key| yield key, self[key]} + self + end + + alias_method :select, :find_all + + def clear + super + @keys.clear + self + end + + def shift + k = @keys.first + v = delete(k) + [k, v] + end + + def merge!(other_hash) + if block_given? + other_hash.each { |k, v| self[k] = key?(k) ? yield(k, self[k], v) : v } + else + other_hash.each { |k, v| self[k] = v } + end + self + end + + alias_method :update, :merge! + + def merge(other_hash, &block) + dup.merge!(other_hash, &block) + end + + # When replacing with another hash, the initial order of our keys must come from the other hash -ordered or not. + def replace(other) + super + @keys = other.keys + self + end + + def invert + OrderedHash[self.to_a.map!{|key_value_pair| key_value_pair.reverse}] + end + + def inspect + "#" + end + + private + def sync_keys! + @keys.delete_if {|k| !has_key?(k)} + end + end + end +end + Puppet::Type.type(:ldapdn).provide :ldapdn do desc "" @@ -31,7 +209,7 @@ def exists? end def parse_attributes - ldap_attributes = {} + ldap_attributes = PuppetLDAP::OrderedHash.new Array(resource[:attributes]).each do |asserted_attribute| key,value = asserted_attribute.split(':', 2) ldap_attributes[key] = [] if ldap_attributes[key].nil? 
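Review bot: The vendored `OrderedHash` is copied from ActiveSupport, which is MIT-licensed, so its copyright notice has to travel with the code rather than only the "shamelessly stolen" remark; a header such as `# Derived from ActiveSupport 3.2 (Copyright David Heinemeier Hansson), MIT licence` would satisfy that. `inspect` here returns a bare `"#"`, which, if that is not a rendering artefact of this page, makes every debug dump of an OrderedHash unreadable; the upstream body is `"#<OrderedHash #{super}>"`. Worth one more line above the `if RUBY_VERSION < '1.9'` guard saying the overrides exist only because Puppet still runs on 1.8.7, so the class can be deleted when that constraint goes.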
@@ -104,7 +282,7 @@ def ldap_work_to_do(asserted_attributes) if ex.message.scan '/No such object (32)/' Puppet.debug("Could not find object: #{resource[:dn]}") return {} if resource[:ensure] == :absent - work_to_do = {} + work_to_do = PuppetLDAP::OrderedHash.new asserted_attributes.each do |asserted_key, asserted_values| key_work_to_do = [] asserted_values.each do |asserted_value| @@ -125,7 +303,7 @@ def ldap_work_to_do(asserted_attributes) indifferent_attributes = resource[:indifferent_attributes] indifferent_attributes = [] if indifferent_attributes.nil? - work_to_do = {} + work_to_do = PuppetLDAP::OrderedHash.new found_attributes = {} found_keys = [] From a46dc88b3de67b12918e9ac4c38453415a84bcac Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Wed, 28 May 2014 13:49:02 -0300 Subject: [PATCH 64/85] Can't create syncprov config until the plugin is loaded --- manifests/server/master.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 4cea47e..247f466 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -243,6 +243,7 @@ 'olcSpSessionlog', ], ensure => present, + require => Ldap::Module['syncprov'], } } From 350bfafb4d692c89876547fb8d8b08eec4e3a89e Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Wed, 28 May 2014 16:31:56 -0300 Subject: [PATCH 65/85] We need to be sure the directory exists --- manifests/server/convertschema.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/manifests/server/convertschema.pp b/manifests/server/convertschema.pp index 623e74d..59ddaa0 100644 --- a/manifests/server/convertschema.pp +++ b/manifests/server/convertschema.pp @@ -1,5 +1,11 @@ class ldap::server::convertschema() { + file { $ldap::params::prefix: + owner => $ldap::params::server_owner, + group => $ldap::params::server_group, + ensure => directory, + } + # Upload the conversion script for the schemas file { "${ldap::params::prefix}/convertschema.sh": owner => 'root', 
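Review bot: The branch that now builds `work_to_do = PuppetLDAP::OrderedHash.new` is guarded by the pre-existing `if ex.message.scan '/No such object (32)/'`, which looks wrong in two ways: with a String argument `scan` looks for the literal text including the slashes, and it returns an Array, which is truthy even when empty, so any ldapsearch failure (bind error, unreachable server) is treated as "object does not exist" and proceeds to the create path, or silently returns `{}` for `ensure => absent`. `if ex.message =~ /No such object \(32\)/` would confine that path to the missing-object case. `ldap_work_to_do` begins and ends outside the hunk; the `@@ -125` hunk makes the same OrderedHash change and needs nothing further.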
From d1da8e0e94e91fd3fbcc634ab46ea390103533e2 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Wed, 28 May 2014 18:12:13 -0300 Subject: [PATCH 66/85] Avoid duplicate resource declaration --- manifests/client.pp | 8 -------- manifests/init.pp | 8 ++++++++ manifests/server/convertschema.pp | 6 ------ 3 files changed, 8 insertions(+), 14 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index d878fdc..0ed932d 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -210,14 +210,6 @@ group => $ldap::params::group, } - file { $ldap::params::prefix: - ensure => $ensure ? { - present => directory, - default => absent, - }, - require => Package[$ldap::params::package], - } - if($sudoers_base) { if(! $sudoers_filter) { fail('If sudoers_base attribute is set, you must define sudoers_filter') diff --git a/manifests/init.pp b/manifests/init.pp index 72a306d..2111879 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -41,6 +41,14 @@ include ldap::params + file { $ldap::params::prefix: + ensure => $ensure ? { + present => directory, + default => absent, + }, + require => Package[$ldap::params::package], + } + package { $ldap::params::package : ensure => $ensure, } diff --git a/manifests/server/convertschema.pp b/manifests/server/convertschema.pp index 59ddaa0..623e74d 100644 --- a/manifests/server/convertschema.pp +++ b/manifests/server/convertschema.pp @@ -1,11 +1,5 @@ class ldap::server::convertschema() { - file { $ldap::params::prefix: - owner => $ldap::params::server_owner, - group => $ldap::params::server_group, - ensure => directory, - } - # Upload the conversion script for the schemas file { "${ldap::params::prefix}/convertschema.sh": owner => 'root', From 3554650cfa555fd7cf47ad073e1658fcf9625e77 Mon Sep 17 00:00:00 2001 
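Review bot: The `file { $ldap::params::prefix: }` moved into init.pp sets no `owner`/`group`/`mode`, so the `server_owner`/`server_group` ownership that the convertschema.pp hunk removes is no longer asserted anywhere for servers; either add those attributes here or note in a comment that package defaults are relied on. Separately, `ensure => absent` on a directory only succeeds when it is empty unless `force => true` is set, so the `default => absent` branch will fail on a populated config directory; since that directory holds the LDAP client and server configuration, whichever way this goes deserves a comment such as `# absent removes the whole LDAP config tree; force => true is needed for a non-empty directory`. The enclosing class starts outside the hunk.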
From: Ben Langfeld Date: Wed, 28 May 2014 19:53:15 -0300 Subject: [PATCH 67/85] Ensure that binding as a normal user works properly --- manifests/server/master.pp | 6 ++--- manifests/server/slave.pp | 6 ++--- puppet/master/manifests/site.pp | 27 +++++++++++++++++++ puppet/slave/manifests/site.pp | 27 +++++++++++++++++++ .../master/serverspec/slapd_spec.rb | 11 +++++--- .../slave/serverspec/slapd_spec.rb | 6 ++--- 6 files changed, 71 insertions(+), 12 deletions(-) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 247f466..7211f9a 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp 
@@ -177,10 +177,10 @@ ldapdn { "database config": dn => $ldap::params::main_db_dn, attributes => [ + 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self write by anonymous auth by * none', + 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by * read', + 'olcAccess: to dn.subtree="dc=foo,dc=bar" by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self read by * read', 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', - 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=foo,dc=bar" read by self write by anonymous auth by * none', - 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=foo,dc=bar" read by * read', - 'olcAccess: to dn.subtree="dc=foo,dc=bar" by dn.base="cn=sync,dc=foo,dc=bar" read by self read by * read', 'olcDbCheckpoint: 512 30', 'olcLastMod: TRUE', "olcSuffix: ${suffix}", diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index c8a6010..0221889 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp 
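Review bot: The reordered `olcAccess` values depend on slapd's first-match semantics — the first `to` clause whose target matches decides, and inside it an identity with no matching `by` falls to the implicit `by * none` — which is why the root peercred grant is now repeated in each subtree clause and why `to *` has to come last; none of that is recorded, and the slave.pp hunk has the same shape. A comment above the first value, `# olcAccess is first-match on target: keep the subtree rules before 'to *' and repeat the root peercred grant in each`, would stop a future reorder from silently locking ordinary binds out again. The subtree clauses grant that identity `write` while `to *` grants `manage`, which looks deliberate but is worth stating; the enclosing `ldapdn { "database config": }` continues beyond the hunk.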
@@ -229,10 +229,10 @@ ldapdn { "database config": dn => $ldap::params::main_db_dn, attributes => [ + 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self write by anonymous auth by * none', + 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by * read', + 'olcAccess: to dn.subtree="dc=foo,dc=bar" by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self read by * read', 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', - 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by self write by anonymous auth by * none', - 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by * read', - 'olcAccess: to dn.subtree="dc=foo,dc=bar" by self read by * read', 'olcDbCheckpoint: 512 30', 'olcLastMod: TRUE', "olcSuffix: ${suffix}", diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index ee432a3..03abf53 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp 
@@ -45,3 +45,30 @@ ensure => present, require => Ldapdn['add database'], } + +ldapdn { "test user": + dn => "uid=testuser,ou=users,dc=foo,dc=bar", + attributes => [ + 'objectClass: top', + 'objectClass: person', + 'objectClass: organizationalPerson', + 'objectClass: inetOrgPerson', + 'cn: Joe Bloggs', + 'sn: Bloggs', + 'uid: someuser', + 'givenName: Joe', + 'mail: foo@bar.com', + 'userPassword: {ssha}YlANix4RcH5rySCWSmzoSzbvj2hzb21lc2FsdA==', # somepassword + ], + unique_attributes => [ + 'uid', + 'cn', + 'sn', + 'givenName', + 'mail', + 'userPassword', + ], + indifferent_attributes => ["userPassword"], + ensure => present, + require => Ldapdn['ou users'], +} diff --git a/puppet/slave/manifests/site.pp b/puppet/slave/manifests/site.pp index 52c4c30..26ef58f 100644 --- a/puppet/slave/manifests/site.pp +++ b/puppet/slave/manifests/site.pp @@ -47,3 +47,30 @@ ensure => present, require => Ldapdn['add database'], } + +ldapdn { "test user": + dn => "uid=testuser,ou=users,dc=foo,dc=bar", + attributes => [ + 'objectClass: top', + 'objectClass: person', + 'objectClass: organizationalPerson', + 'objectClass: inetOrgPerson', + 'cn: Joe Bloggs', + 'sn: Bloggs', + 'uid: someuser', + 'givenName: Joe', + 'mail: foo@bar.com', + 'userPassword: {ssha}YlANix4RcH5rySCWSmzoSzbvj2hzb21lc2FsdA==', # somepassword + ], + unique_attributes => [ + 'uid', + 'cn', + 'sn', + 'givenName', + 'mail', + 'userPassword', + ], + indifferent_attributes => ["userPassword"], + ensure => present, + require => Ldapdn['ou users'], +} diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index 35bfc1b..dd73804 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb 
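Review bot: The new `test user` entry has `dn => "uid=testuser,ou=users,dc=foo,dc=bar"` but asserts `uid: someuser`, so the naming attribute value from the RDN is not among the entry's values; slapd normally rejects such an add as a naming violation, and if the provider does get it through, listing `uid` in `unique_attributes` means it is enforcing a value that contradicts the DN. Use `uid: testuser`, matching the `-D uid=testuser,…` bind exercised by the serverspec hunk, in both this and the slave site.pp hunk.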
@@ -29,6 +29,11 @@ it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ } end + # Can bind as a created user + describe command('ldapwhoami -H ldapi:/// -x -D uid=testuser,ou=users,dc=foo,dc=bar -w somepassword') do + it { should return_stdout /dn:uid=testuser,ou=users,dc=foo,dc=bar/ } + end + # Requested suffix exists in cn=config describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcSuffix') do it { should return_stdout /olcSuffix: dc=foo,dc=bar/ } @@ -88,9 +93,9 @@ describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcAccess | perl -p00e \'s/\r?\n //g\'') do [ /to \* by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" manage/, - /to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=foo,dc=bar" read by self write by anonymous auth by \* none/, - /to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=foo,dc=bar" read by \* read/, - /to dn.subtree="dc=foo,dc=bar" by dn.base="cn=sync,dc=foo,dc=bar" read by self read by \* read/, + /to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self write by anonymous auth by \* none/, + /to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by \* read/, + /to dn.subtree="dc=foo,dc=bar" by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self read by \* read/, ].each do |entry| it { should return_stdout entry } end 
diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index 4fd9e99..de9f062 100644 --- a/test/integration/slave/serverspec/slapd_spec.rb +++ b/test/integration/slave/serverspec/slapd_spec.rb @@ -93,9 +93,9 @@ describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcAccess | perl -p00e \'s/\r?\n //g\'') do [ /to \* by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" manage/, - /to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by self write by anonymous auth by \* none/, - /to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by \* read/, - /to dn.subtree="dc=foo,dc=bar" by self read by \* read/, + /to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self write by anonymous auth by \* none/, + /to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by \* read/, + /to dn.subtree="dc=foo,dc=bar" by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self read by \* read/, ].each do |entry| it { should return_stdout entry } end From 88a87d823be0f405267d56466c413282ee58931d Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Thu, 29 May 2014 10:08:42 -0300 Subject: [PATCH 68/85] Don't hard-code test domain --- manifests/server/master.pp | 6 +++--- manifests/server/slave.pp | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 7211f9a..a50a7ab 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp 
@@ -177,9 +177,9 @@ ldapdn { "database config": dn => $ldap::params::main_db_dn, attributes => [ - 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self write by anonymous auth by * none', - 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by * read', - 'olcAccess: to dn.subtree="dc=foo,dc=bar" by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self read by * read', + "olcAccess: to dn.subtree=\"${suffix}\" attrs=userPassword,shadowLastChange by dn.base=\"cn=sync,${suffix}\" read by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self write by anonymous auth by * none", + "olcAccess: to dn.subtree=\"${suffix}\" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base=\"cn=sync,${suffix}\" read by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by * read", + "olcAccess: to dn.subtree=\"${suffix}\" by dn.base=\"cn=sync,${suffix}\" read by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self read by * read", 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', 'olcDbCheckpoint: 512 30', 'olcLastMod: TRUE', diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index 0221889..0d73cda 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp 
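Review bot: `${suffix}` is now spliced into the `olcAccess` strings between escaped quotes, but the replication identity is still hard-coded as `cn=sync,${suffix}` in both this hunk and the slave.pp one; given the commit's aim, that bind DN looks like the next thing to parameterise, since the slave's syncrepl binddn (outside the hunk) has to match it exactly. A suffix containing `"` would also break the directive, so a comment on the first value, `# $suffix is inserted verbatim into slapd.access syntax; it must not contain double quotes`, is the cheapest guard. The serverspec expectations in the preceding commit still hard-code `dc=foo,dc=bar`, which is fine for fixtures but means a different `$suffix` is never exercised.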
@@ -229,9 +229,9 @@ ldapdn { "database config": dn => $ldap::params::main_db_dn, attributes => [ - 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self write by anonymous auth by * none', - 'olcAccess: to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by * read', - 'olcAccess: to dn.subtree="dc=foo,dc=bar" by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self read by * read', + "olcAccess: to dn.subtree=\"${suffix}\" attrs=userPassword,shadowLastChange by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self write by anonymous auth by * none", + "olcAccess: to dn.subtree=\"${suffix}\" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by * read", + "olcAccess: to dn.subtree=\"${suffix}\" by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self read by * read", 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', 'olcDbCheckpoint: 512 30', 'olcLastMod: TRUE', From 47e3daf7c40dc087f49c96ebeb9f62a45c75cd29 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Thu, 29 May 2014 15:49:26 -0300 Subject: [PATCH 69/85] Remove bad spaces --- templates/slapd.seed.erb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/slapd.seed.erb b/templates/slapd.seed.erb index 46cb335..6588116 100644 --- a/templates/slapd.seed.erb +++ b/templates/slapd.seed.erb @@ -1,5 +1,5 @@ slapd slapd/password1 password -slapd slapd/internal/adminpw password +slapd slapd/internal/adminpw password slapd slapd/password2 password slapd slapd/allow_ldap_v2 boolean false slapd slapd/password_mismatch note 
@@ -7,15 +7,15 @@ slapd slapd/suffix_change boolean false slapd slapd/fix_directory boolean true slapd slapd/invalid_config boolean true slapd slapd/slave_databases_require_updateref note -slapd shared/organization string <%= @suffix %> +slapd shared/organization string <%= @suffix %> slapd slapd/upgrade_slapcat_failure note -slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION +slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION slapd slapd/autoconf_modules boolean true slapd slapd/purge_database boolean false slapd slapd/backend select BDB slapd slapd/no_configuration boolean false slapd slapd/migrate_ldbm_to_bdb boolean true slapd slapd/move_old_database boolean true -slapd slapd/dump_database select when needed +slapd slapd/dump_database select when needed slapd slapd/upgrade_slapadd_failure note slapd slapd/domain string <%= @suffix.gsub(',dc=', '.').gsub('dc=', '') %> From 7a613ead3c3ad1ee51709856300080366de8a301 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Thu, 29 May 2014 18:01:02 -0300 Subject: [PATCH 70/85] Nest some types under server --- manifests/{ => server}/builtin_schema.pp | 2 +- manifests/server/master.pp | 10 +++++----- manifests/{ => server}/module.pp | 2 +- manifests/server/slave.pp | 8 ++++---- 4 files changed, 11 insertions(+), 11 deletions(-) rename manifests/{ => server}/builtin_schema.pp (95%) rename manifests/{ => server}/module.pp (87%) diff --git a/manifests/builtin_schema.pp b/manifests/server/builtin_schema.pp similarity index 95% rename from manifests/builtin_schema.pp rename to manifests/server/builtin_schema.pp index 141ac78..57dd84d 100644 --- a/manifests/builtin_schema.pp +++ b/manifests/server/builtin_schema.pp @@ -1,4 +1,4 @@ -define ldap::builtin_schema() { +define ldap::server::builtin_schema() { include ldap::server::convertschema # Create the LDIF file from the conversion script diff --git a/manifests/server/master.pp b/manifests/server/master.pp index a50a7ab..f1f4fd0 100644 
--- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -221,11 +221,11 @@ ensure => present, } - ldap::module { $ldap::params::modules_base: } - ldap::module { $modules_inc: } + ldap::server::module { $ldap::params::modules_base: } + ldap::server::module { $modules_inc: } - ldap::builtin_schema { $ldap::params::schema_base: } - ldap::builtin_schema { $schema_inc: } + ldap::server::builtin_schema { $ldap::params::schema_base: } + ldap::server::builtin_schema { $schema_inc: } if($syncprov) { ldapdn { "syncprov_config": @@ -243,7 +243,7 @@ 'olcSpSessionlog', ], ensure => present, - require => Ldap::Module['syncprov'], + require => Ldap::Server::Module['syncprov'], } } diff --git a/manifests/module.pp b/manifests/server/module.pp similarity index 87% rename from manifests/module.pp rename to manifests/server/module.pp index 5a92601..dace933 100644 --- a/manifests/module.pp +++ b/manifests/server/module.pp @@ -1,4 +1,4 @@ -define ldap::module() { +define ldap::server::module() { include ldap ldapdn { "${name} module config": diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index 0d73cda..8388b2e 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -273,11 +273,11 @@ ensure => present, } - ldap::module { $ldap::params::modules_base: } - ldap::module { $modules_inc: } + ldap::server::module { $ldap::params::modules_base: } + ldap::server::module { $modules_inc: } - ldap::builtin_schema { $ldap::params::schema_base: } - ldap::builtin_schema { $schema_inc: } + ldap::server::builtin_schema { $ldap::params::schema_base: } + ldap::server::builtin_schema { $schema_inc: } ldapdn { "syncrepl": dn => $ldap::params::main_db_dn, From c251e09112e35fcf8dfab41d0b11ca47e79bff01 Mon Sep 17 00:00:00 2001 
From: Ben Langfeld Date: Thu, 29 May 2014 23:22:23 -0300 Subject: [PATCH 71/85] Extract common code between master and slave server manifests --- manifests/server/database.pp | 145 +++++++++++++++++++++ manifests/server/generic.pp | 237 +++++++++++++++++++++++++++++++++++ manifests/server/master.pp | 227 ++++----------------------------- manifests/server/slave.pp | 207 ++++-------------------------- 4 files changed, 425 insertions(+), 391 deletions(-) create mode 100644 manifests/server/database.pp create mode 100644 manifests/server/generic.pp diff --git a/manifests/server/database.pp b/manifests/server/database.pp new file mode 100644 index 0000000..960b036 --- /dev/null +++ b/manifests/server/database.pp 
@@ -0,0 +1,145 @@ +# == Define: ldap::server::database +# +# Puppet module to manage database configuration for +# **OpenLdap**. +# +# +# === Parameters +# +# [suffix] +# +# **Required** +# +# [rootpw] +# +# **Required** +# +# [rootdn] +# +# *Optional* (defaults to 'cn=admin,${suffix}') +# +# [index_inc] +# +# *Optional* (defaults to []) +# +# [syncprov] +# +# *Optional* (defaults to false) +# +# [syncprov_checkpoint] +# +# *Optional* (defaults to '100 10') +# +# [syncprov_sessionlog] +# +# *Optional* (defaults to *'100'*) +# +# [sync_binddn] +# +# *Optional* (defaults to *'false'*) +# +# [ensure] +# *Optional* (defaults to 'present') +# +# +# === Examples +# +# ldap::server::database { 'secondary': +# suffix => 'dc=foo,dc=bar', +# rootpw => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=', +# syncprov => true, +# sync_binddn => 'cn=sync,dc=foo,dc=bar', +# index_inc => [ +# 'index memberUid eq', +# 'index mail eq', +# 'index givenName eq,subinitial', +# ], +# } +# +# === Authors +# +# Emiliano Castagnari ecastag@gmail.com (a.k.a. Torian) +# +# +# === Copyleft +# +# Copyleft (C) 2012 Emiliano Castagnari ecastag@gmail.com (a.k.a. 
Torian) +# +# +define ldap::server::database( + $suffix, + $rootpw, + $rootdn = "cn=admin,${suffix}", + $index_inc = [], + $syncprov = false, + $syncprov_checkpoint = '100 10', + $syncprov_sessionlog = '100', + $sync_binddn = false, + $master = false, +) { + + require ldap + + if($master and $syncprov) { + $readable_by_sync = "by dn.base=\"cn=sync,${suffix}\" read " + } else { + $readable_by_sync = "" + } + + ldapdn { "database config": + dn => $ldap::params::main_db_dn, + attributes => [ + "olcAccess: to dn.subtree=\"${suffix}\" attrs=userPassword,shadowLastChange ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self write by anonymous auth by * none", + "olcAccess: to dn.subtree=\"${suffix}\" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by * read", + "olcAccess: to dn.subtree=\"${suffix}\" ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self read by * read", + 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', + 'olcDbCheckpoint: 512 30', + 'olcLastMod: TRUE', + "olcSuffix: ${suffix}", + "olcRootDN: ${rootdn}", + "olcRootPW: ${rootpw}", + ], + unique_attributes => [ + 'olcAccess', + 'olcDbCheckpoint', + 'olcLastMod', + 'olcSuffix', + 'olcRootDN', + 'olcRootPW', + ], + ensure => present, + } + + $index_base = $ldap::params::index_base + $indices = split(inline_template("<%= (@index_base + @index_inc).map { |index| \"olcDbIndex: #{index}\" }.join(';') %>"),';') + + ldapdn { "indices": + dn => $ldap::params::main_db_dn, + attributes => $indices, + unique_attributes => [ + 'olcDbIndex', + ], + ensure => present, + } + + if($syncprov) { + ldapdn { "syncprov_config": + dn => "olcOverlay={0}syncprov,${ldap::params::main_db_dn}", + attributes => [ + 'objectClass: olcOverlayConfig', + 'objectClass: 
olcSyncProvConfig', + 'olcOverlay: syncprov', + "olcSpCheckpoint: ${syncprov_checkpoint}", + "olcSpSessionlog: ${syncprov_sessionlog}", + ], + unique_attributes => [ + 'olcOverlay', + 'olcSpCheckpoint', + 'olcSpSessionlog', + ], + ensure => present, + require => Ldap::Server::Module['syncprov'], + } + } + +} diff --git a/manifests/server/generic.pp b/manifests/server/generic.pp new file mode 100644 index 0000000..8d5e6e2 --- /dev/null +++ b/manifests/server/generic.pp 
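Review bot: `$sync_binddn` is declared in the define's signature and documented, but the ACLs hard-code `by dn.base=\"cn=sync,${suffix}\" read` and never read it, so a caller passing another DN (master.pp in this commit forwards `sync_binddn => $sync_binddn`) gets access rules that do not match the identity the consumer actually binds with. Suggest `$readable_by_sync = "by dn.base=\"${sync_binddn}\" read "` together with `if($master and $syncprov and !$sync_binddn) { fail('sync_binddn is required when master and syncprov are set') }`. The header documents an `[ensure]` parameter the define does not take and omits `[master]`; bring the parameter list in line with the signature. `olcRootPW` is set to whatever `$rootpw` holds, so the `[rootpw]` entry should state that a hash in the form shown in the example (`{SHA}...`) is expected and that a cleartext value would be stored as-is in cn=config.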
@@ -0,0 +1,237 @@ +# == Class: ldap::server::generic +# +# Puppet module to manage server configuration for +# **OpenLdap**. +# +# +# === Parameters +# +# [suffix] +# +# **Required** +# +# [schema_inc] +# +# *Optional* (defaults to []) +# +# [modules_inc] +# +# *Optional* (defaults to []) +# +# [cnconfig_attrs] +# Default cn=config attributes that needs to be changed +# upon runs. An array of attributes as key-value pairs. +# eg. ['olcConcurrency: 1'] +# *Optional* (defaults to []) +# +# [log_level] +# +# *Optional* (defaults to 0) +# +# [bind_anon] +# +# *Optional* (defaults to true) +# +# [ssl] +# +# *Requires*: ssl_{cert,ca,key} parameter +# *Optional* (defaults to false) +# +# [ssl_cert] +# +# *Optional* (defaults to false) +# +# [ssl_ca] +# +# *Optional* (defaults to false) +# +# [ssl_key] +# +# *Optional* (defaults to false) +# +# [enable_motd] +# Use motd to report the usage of this module. +# *Requires*: https://github.com/torian/puppet-motd.git +# *Optional* (defaults to false) +# +# [ensure] +# *Optional* (defaults to 'present') +# +# === Authors +# +# Emiliano Castagnari ecastag@gmail.com (a.k.a. Torian) +# +# +# === Copyleft +# +# Copyleft (C) 2012 Emiliano Castagnari ecastag@gmail.com (a.k.a. 
Torian) +# +# +class ldap::server::generic( + $suffix, + $schema_inc = [], + $modules_inc = [], + $cnconfig_attrs = [], + $log_level = '0', + $bind_anon = true, + $ssl = false, + $ssl_ca = false, + $ssl_cert = false, + $ssl_key = false, + $ensure = present) { + + require ldap + + file { ['/var/cache/local', '/var/cache/local/preseeding']: + ensure => directory, + owner => 'root', + group => 'root', + } + + file { "/var/cache/local/preseeding/slapd.seed": + ensure => present, + content => template("ldap/slapd.seed.erb"), + owner => 'root', + group => 'root', + } + + package { $ldap::params::server_package: + ensure => $ensure, + responsefile => "/var/cache/local/preseeding/slapd.seed", + } + + service { $ldap::params::service: + ensure => running, + enable => true, + pattern => $ldap::params::server_pattern, + require => [ + Package[$ldap::params::server_package], + ], + } + + ldapdn { "module config": + dn => "cn=module{0},cn=config", + attributes => [ + 'objectClass: olcModuleList', + 'cn: module{0}', + "olcModulePath: ${ldap::params::module_prefix}", + ], + unique_attributes => ['olcModulePath'], + ensure => present, + } + + ldap::server::module { $ldap::params::modules_base: } + ldap::server::module { $modules_inc: } + + ldap::server::builtin_schema { $ldap::params::schema_base: } + ldap::server::builtin_schema { $schema_inc: } + + ldapdn { "global confg": + dn => "cn=config", + attributes => [ + "olcArgsFile: ${ldap::params::server_run}/slapd.args", + "olcLogLevel: ${log_level}", + "olcPidFile: ${ldap::params::server_run}/slapd.pid", + ], + unique_attributes => $ldap::params::cnconfig_default_attrs, + ensure => present, + } + + ldapdn { "cnconfig_attrs": + dn => "cn=config", + attributes => $cnconfig_attrs, + unique_attributes => $ldap::params::cnconfig_default_attrs, + ensure => present, + } + + if(!$bind_anon) { + ldapdn { "disallow_bind_anon": + dn => "cn=config", + attributes => [ + 'olcDisallows: bind_anon', + ], + ensure => present, + } + } + + File { + 
mode => '0640', + owner => $ldap::params::server_owner, + group => $ldap::params::server_group, + } + + $msg_prefix = 'SSL enabled. You must specify' + $msg_suffix = '(filename). It should be located at puppet:///files/ldap' + + if($ssl) { + + if(!$ssl_ca) { fail("${msg_prefix} ssl_ca ${msg_suffix}") } + file { 'ssl_ca': + ensure => present, + source => "puppet:///files/ldap/${ssl_ca}", + path => "${ldap::params::ssl_prefix}/${ssl_ca}", + mode => '0644', + } + + if(!$ssl_cert) { fail("${msg_prefix} ssl_cert ${msg_suffix}") } + file { 'ssl_cert': + ensure => present, + source => "puppet:///files/ldap/${ssl_cert}", + path => "${ldap::params::ssl_prefix}/${ssl_cert}", + mode => '0644', + } + + if(!$ssl_key) { fail("${msg_prefix} ssl_key ${msg_suffix}") } + file { 'ssl_key': + ensure => present, + source => "puppet:///files/ldap/${ssl_key}", + path => "${ldap::params::ssl_prefix}/${ssl_key}", + } + + # Create certificate hash file + exec { 'Server certificate hash': + command => "ln -s ${ldap::params::ssl_prefix}/${ssl_cert} ${ldap::params::cacertdir}/$(openssl x509 -noout -hash -in ${ldap::params::ssl_prefix}/${ssl_cert}).0", + unless => "test -f ${ldap::params::cacertdir}/$(openssl x509 -noout -hash -in ${ldap::params::ssl_prefix}/${ssl_cert}).0", + provider => $::puppetversion ? 
{ + /^3./ => 'shell', + /^2.7/ => 'shell', + /^2.6/ => 'posix', + default => 'posix' + }, + require => File['ssl_cert'], + path => [ "/bin", "/usr/bin", "/sbin", "/usr/sbin" ] + } + + ldapdn { "SSL config": + dn => "cn=config", + attributes => [ + "olcTLSCACertificateFile: ${ldap::params::ssl_prefix}/${ssl_ca}", + "olcTLSCertificateFile: ${ldap::params::ssl_prefix}/${ssl_cert}", + "olcTLSCertificateKeyFile: ${ldap::params::ssl_prefix}/${ssl_key}", + ], + unique_attributes => $ldap::params::cnconfig_default_attrs, + ensure => present, + require => [File['ssl_ca'], File['ssl_cert'], File['ssl_key'], Exec['Server certificate hash']], + notify => Service[$ldap::params::service], + } + + } + + # Additional configurations (for rc scripts) + case $::osfamily { + + 'Debian' : { + class { 'ldap::server::debian': ssl => $ssl } + } + + 'RedHat' : { + class { 'ldap::server::redhat': ssl => $ssl } + } + + #'Suse' : { + # class { 'ldap::server::suse': ssl => $ssl } + #} + + } + +} diff --git a/manifests/server/master.pp b/manifests/server/master.pp index f1f4fd0..fb59f25 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp 
@@ -147,213 +147,30 @@ motd::register { 'ldap::server::master': } } - file { ['/var/cache/local', '/var/cache/local/preseeding']: - ensure => directory, - owner => 'root', - group => 'root', + class { 'ldap::server::generic': + suffix => $suffix, + schema_inc => $schema_inc, + modules_inc => $modules_inc, + cnconfig_attrs => $cnconfig_attrs, + log_level => $log_level, + bind_anon => $bind_anon, + ssl => $ssl, + ssl_ca => $ssl_ca, + ssl_cert => $ssl_cert, + ssl_key => $ssl_key, + ensure => $ensure, } - file { "/var/cache/local/preseeding/slapd.seed": - ensure => present, - content => template("ldap/slapd.seed.erb"), - owner => 'root', - group => 'root', - } - - package { $ldap::params::server_package: - ensure => $ensure, - responsefile => "/var/cache/local/preseeding/slapd.seed", - } - - service { $ldap::params::service: - ensure => running, - enable => true, - pattern => $ldap::params::server_pattern, - require => [ - Package[$ldap::params::server_package], - ], - } - - ldapdn { "database config": - dn => $ldap::params::main_db_dn, - attributes => [ - "olcAccess: to dn.subtree=\"${suffix}\" attrs=userPassword,shadowLastChange by dn.base=\"cn=sync,${suffix}\" read by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self write by anonymous auth by * none", - "olcAccess: to dn.subtree=\"${suffix}\" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base=\"cn=sync,${suffix}\" read by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by * read", - "olcAccess: to dn.subtree=\"${suffix}\" by dn.base=\"cn=sync,${suffix}\" read by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self read by * read", - 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', - 'olcDbCheckpoint: 512 30', - 'olcLastMod: TRUE', - "olcSuffix: ${suffix}", - "olcRootDN: ${rootdn}", - "olcRootPW: ${rootpw}", - ], - unique_attributes => [ - 
'olcAccess', - 'olcDbCheckpoint', - 'olcLastMod', - 'olcSuffix', - 'olcRootDN', - 'olcRootPW', - ], - ensure => present, - } - - ldapdn { "module config": - dn => "cn=module{0},cn=config", - attributes => [ - 'objectClass: olcModuleList', - 'cn: module{0}', - "olcModulePath: ${ldap::params::module_prefix}", - ], - unique_attributes => ['olcModulePath'], - ensure => present, - } - - $index_base = $ldap::params::index_base - $indices = split(inline_template("<%= (@index_base + @index_inc).map { |index| \"olcDbIndex: #{index}\" }.join(';') %>"),';') - - ldapdn { "indices": - dn => $ldap::params::main_db_dn, - attributes => $indices, - unique_attributes => [ - 'olcDbIndex', - ], - ensure => present, - } - - ldap::server::module { $ldap::params::modules_base: } - ldap::server::module { $modules_inc: } - - ldap::server::builtin_schema { $ldap::params::schema_base: } - ldap::server::builtin_schema { $schema_inc: } - - if($syncprov) { - ldapdn { "syncprov_config": - dn => "olcOverlay={0}syncprov,${ldap::params::main_db_dn}", - attributes => [ - 'objectClass: olcOverlayConfig', - 'objectClass: olcSyncProvConfig', - 'olcOverlay: syncprov', - "olcSpCheckpoint: ${syncprov_checkpoint}", - "olcSpSessionlog: ${syncprov_sessionlog}", - ], - unique_attributes => [ - 'olcOverlay', - 'olcSpCheckpoint', - 'olcSpSessionlog', - ], - ensure => present, - require => Ldap::Server::Module['syncprov'], - } - } - - ldapdn { "global confg": - dn => "cn=config", - attributes => [ - "olcArgsFile: ${ldap::params::server_run}/slapd.args", - "olcLogLevel: ${log_level}", - "olcPidFile: ${ldap::params::server_run}/slapd.pid", - ], - unique_attributes => $ldap::params::cnconfig_default_attrs, - ensure => present, - } - - ldapdn { "cnconfig_attrs": - dn => "cn=config", - attributes => $cnconfig_attrs, - unique_attributes => $ldap::params::cnconfig_default_attrs, - ensure => present, - } - - if(!$bind_anon) { - ldapdn { "disallow_bind_anon": - dn => "cn=config", - attributes => [ - 'olcDisallows: 
bind_anon', - ], - ensure => present, - } - } - - File { - mode => '0640', - owner => $ldap::params::server_owner, - group => $ldap::params::server_group, - } - - $msg_prefix = 'SSL enabled. You must specify' - $msg_suffix = '(filename). It should be located at puppet:///files/ldap' - - if($ssl) { - - if(!$ssl_ca) { fail("${msg_prefix} ssl_ca ${msg_suffix}") } - file { 'ssl_ca': - ensure => present, - source => "puppet:///files/ldap/${ssl_ca}", - path => "${ldap::params::ssl_prefix}/${ssl_ca}", - mode => '0644', - } - - if(!$ssl_cert) { fail("${msg_prefix} ssl_cert ${msg_suffix}") } - file { 'ssl_cert': - ensure => present, - source => "puppet:///files/ldap/${ssl_cert}", - path => "${ldap::params::ssl_prefix}/${ssl_cert}", - mode => '0644', - } - - if(!$ssl_key) { fail("${msg_prefix} ssl_key ${msg_suffix}") } - file { 'ssl_key': - ensure => present, - source => "puppet:///files/ldap/${ssl_key}", - path => "${ldap::params::ssl_prefix}/${ssl_key}", - } - - # Create certificate hash file - exec { 'Server certificate hash': - command => "ln -s ${ldap::params::ssl_prefix}/${ssl_cert} ${ldap::params::cacertdir}/$(openssl x509 -noout -hash -in ${ldap::params::ssl_prefix}/${ssl_cert}).0", - unless => "test -f ${ldap::params::cacertdir}/$(openssl x509 -noout -hash -in ${ldap::params::ssl_prefix}/${ssl_cert}).0", - provider => $::puppetversion ? 
{ - /^3./ => 'shell', - /^2.7/ => 'shell', - /^2.6/ => 'posix', - default => 'posix' - }, - require => File['ssl_cert'], - path => [ "/bin", "/usr/bin", "/sbin", "/usr/sbin" ] - } - - ldapdn { "SSL config": - dn => "cn=config", - attributes => [ - "olcTLSCACertificateFile: ${ldap::params::ssl_prefix}/${ssl_ca}", - "olcTLSCertificateFile: ${ldap::params::ssl_prefix}/${ssl_cert}", - "olcTLSCertificateKeyFile: ${ldap::params::ssl_prefix}/${ssl_key}", - ], - unique_attributes => $ldap::params::cnconfig_default_attrs, - ensure => present, - require => [File['ssl_ca'], File['ssl_cert'], File['ssl_key'], Exec['Server certificate hash']], - notify => Service[$ldap::params::service], - } - - } - - # Additional configurations (for rc scripts) - case $::osfamily { - - 'Debian' : { - class { 'ldap::server::debian': ssl => $ssl } - } - - 'RedHat' : { - class { 'ldap::server::redhat': ssl => $ssl } - } - - #'Suse' : { - # class { 'ldap::server::suse': ssl => $ssl } - #} - + ldap::server::database { 'primary': + suffix => $suffix, + rootpw => $rootpw, + rootdn => $rootdn, + index_inc => $index_inc, + syncprov => $syncprov, + syncprov_checkpoint => $syncprov_checkpoint, + syncprov_sessionlog => $syncprov_sessionlog, + sync_binddn => $sync_binddn, + master => true, } } - diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index 8388b2e..0e72db4 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp 
@@ -199,86 +199,20 @@ motd::register { 'ldap::server::slave': } } - file { ['/var/cache/local', '/var/cache/local/preseeding']: - ensure => directory, - owner => 'root', - group => 'root', + class { 'ldap::server::generic': + suffix => $suffix, + schema_inc => $schema_inc, + modules_inc => $modules_inc, + cnconfig_attrs => $cnconfig_attrs, + log_level => $log_level, + bind_anon => $bind_anon, + ssl => $ssl, + ssl_ca => $ssl_ca, + ssl_cert => $ssl_cert, + ssl_key => $ssl_key, + ensure => $ensure, } - file { "/var/cache/local/preseeding/slapd.seed": - ensure => present, - content => template("ldap/slapd.seed.erb"), - owner => 'root', - group => 'root', - } - - package { $ldap::params::server_package: - ensure => $ensure, - responsefile => "/var/cache/local/preseeding/slapd.seed", - } - - service { $ldap::params::service: - ensure => running, - enable => true, - pattern => $ldap::params::server_pattern, - require => [ - Package[$ldap::params::server_package], - ], - } - - ldapdn { "database config": - dn => $ldap::params::main_db_dn, - attributes => [ - "olcAccess: to dn.subtree=\"${suffix}\" attrs=userPassword,shadowLastChange by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self write by anonymous auth by * none", - "olcAccess: to dn.subtree=\"${suffix}\" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by * read", - "olcAccess: to dn.subtree=\"${suffix}\" by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self read by * read", - 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', - 'olcDbCheckpoint: 512 30', - 'olcLastMod: TRUE', - "olcSuffix: ${suffix}", - "olcRootDN: ${rootdn}", - "olcRootPW: ${rootpw}", - ], - unique_attributes => [ - 'olcAccess', - 'olcDbCheckpoint', - 'olcLastMod', - 'olcSuffix', - 'olcRootDN', - 'olcRootPW', - ], - ensure => present, 
- } - - $index_base = $ldap::params::index_base - $indices = split(inline_template("<%= (@index_base + @index_inc).map { |index| \"olcDbIndex: #{index}\" }.join(';') %>"),';') - - ldapdn { "indices": - dn => $ldap::params::main_db_dn, - attributes => $indices, - unique_attributes => [ - 'olcDbIndex', - ], - ensure => present, - } - - ldapdn { "module config": - dn => "cn=module{0},cn=config", - attributes => [ - 'objectClass: olcModuleList', - 'cn: module{0}', - "olcModulePath: ${ldap::params::module_prefix}", - ], - unique_attributes => ['olcModulePath'], - ensure => present, - } - - ldap::server::module { $ldap::params::modules_base: } - ldap::server::module { $modules_inc: } - - ldap::server::builtin_schema { $ldap::params::schema_base: } - ldap::server::builtin_schema { $schema_inc: } - ldapdn { "syncrepl": dn => $ldap::params::main_db_dn, attributes => [ 
@@ -304,114 +238,15 @@ require => Ldapdn['syncrepl'], } - ldapdn { "global confg": - dn => "cn=config", - attributes => [ - "olcArgsFile: ${ldap::params::server_run}/slapd.args", - "olcLogLevel: ${log_level}", - "olcPidFile: ${ldap::params::server_run}/slapd.pid", - ], - unique_attributes => $ldap::params::cnconfig_default_attrs, - ensure => present, - } - - ldapdn { "cnconfig_attrs": - dn => "cn=config", - attributes => $cnconfig_attrs, - unique_attributes => $ldap::params::cnconfig_default_attrs, - ensure => present, - } - - if(!$bind_anon) { - ldapdn { "disallow_bind_anon": - dn => "cn=config", - attributes => [ - 'olcDisallows: bind_anon', - ], - ensure => present, - } - } - - File { - mode => '0640', - owner => $ldap::params::server_owner, - group => $ldap::params::server_group, - } - - $msg_prefix = 'SSL enabled. You must specify' - $msg_suffix = '(filename). It should be located at puppet:///files/ldap' - - if($ssl) { - - if(!$ssl_ca) { fail("${msg_prefix} ssl_ca ${msg_suffix}") } - file { 'ssl_ca': - ensure => present, - source => "puppet:///files/ldap/${ssl_ca}", - path => "${ldap::params::ssl_prefix}/${ssl_ca}", - mode => '0644', - } - - if(!$ssl_cert) { fail("${msg_prefix} ssl_cert ${msg_suffix}") } - file { 'ssl_cert': - ensure => present, - source => "puppet:///files/ldap/${ssl_cert}", - path => "${ldap::params::ssl_prefix}/${ssl_cert}", - mode => '0644', - } - - if(!$ssl_key) { fail("${msg_prefix} ssl_key ${msg_suffix}") } - file { 'ssl_key': - ensure => present, - source => "puppet:///files/ldap/${ssl_key}", - path => "${ldap::params::ssl_prefix}/${ssl_key}", - } - - # Create certificate hash file - exec { 'Server certificate hash': - command => "ln -s ${ldap::params::ssl_prefix}/${ssl_cert} ${ldap::params::cacertdir}/$(openssl x509 -noout -hash -in ${ldap::params::ssl_prefix}/${ssl_cert}).0", - unless => "test -f ${ldap::params::cacertdir}/$(openssl x509 -noout -hash -in ${ldap::params::ssl_prefix}/${ssl_cert}).0", - provider => $::puppetversion ? 
{ - /^3./ => 'shell', - /^2.7/ => 'shell', - /^2.6/ => 'posix', - default => 'posix' - }, - require => File['ssl_cert'], - path => [ "/bin", "/usr/bin", "/sbin", "/usr/sbin" ] - } - - ldapdn { "SSL config": - dn => "cn=config", - attributes => [ - "olcTLSCACertificateFile: ${ldap::params::ssl_prefix}/${ssl_ca}", - "olcTLSCertificateFile: ${ldap::params::ssl_prefix}/${ssl_cert}", - "olcTLSCertificateKeyFile: ${ldap::params::ssl_prefix}/${ssl_key}", - ], - unique_attributes => $ldap::params::cnconfig_default_attrs, - ensure => present, - require => [File['ssl_ca'], File['ssl_cert'], File['ssl_key'], Exec['Server certificate hash']], - notify => Service[$ldap::params::service], - } - - } - - # Additional configurations (for rc scripts) - case $::osfamily { - - 'Debian' : { - class { 'ldap::server::debian': ssl => $ssl } - } - - 'RedHat' : { - class { 'ldap::server::redhat': ssl => $ssl } - } - - #'Suse' : { - # class { 'ldap::server::suse': ssl => $ssl } - #} - + ldap::server::database { 'primary': + suffix => $suffix, + rootpw => $rootpw, + rootdn => $rootdn, + index_inc => $index_inc, + syncprov => $syncprov, + syncprov_checkpoint => $syncprov_checkpoint, + syncprov_sessionlog => $syncprov_sessionlog, + sync_binddn => $sync_binddn, } } - -# vim: ts=4 From 12a2ea53a5e5b98f3e4cba094a3beed0d7d7b4da Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Thu, 29 May 2014 23:22:32 -0300 Subject: [PATCH 72/85] Fix a resource name --- puppet/master/manifests/site.pp | 2 +- puppet/slave/manifests/site.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index 03abf53..441c7f9 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -55,7 +55,7 @@ 'objectClass: inetOrgPerson', 'cn: Joe Bloggs', 'sn: Bloggs', - 'uid: someuser', + 'uid: testuser', 'givenName: Joe', 'mail: foo@bar.com', 'userPassword: {ssha}YlANix4RcH5rySCWSmzoSzbvj2hzb21lc2FsdA==', # somepassword 
diff --git a/puppet/slave/manifests/site.pp b/puppet/slave/manifests/site.pp index 26ef58f..f6a0fad 100644 --- a/puppet/slave/manifests/site.pp +++ b/puppet/slave/manifests/site.pp @@ -57,7 +57,7 @@ 'objectClass: inetOrgPerson', 'cn: Joe Bloggs', 'sn: Bloggs', - 'uid: someuser', + 'uid: testuser', 'givenName: Joe', 'mail: foo@bar.com', 'userPassword: {ssha}YlANix4RcH5rySCWSmzoSzbvj2hzb21lc2FsdA==', # somepassword From bfcec3312d221444d864308155c4835e096d8a8a Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Fri, 30 May 2014 10:32:43 -0300 Subject: [PATCH 73/85] Combine some resources This is now possible because attribute order is not modified from what is declared --- manifests/server/slave.pp | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index 0e72db4..d765401 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -218,24 +218,14 @@ attributes => [ "olcSyncrepl: rid=${sync_rid} provider=${sync_provider} bindmethod=simple timeout=0 network-timeout=0 binddn=\"${sync_binddn}\" credentials=\"${sync_bindpw}\" keepalive=0:0:0 starttls=no filter=\"${sync_filter}\" searchbase=\"${sync_base}\" scope=${sync_scope} attrs=\"${sync_attrs}\" schemachecking=off type=${sync_type} interval=${sync_interval} retry=undefined", "olcLimits: dn.exact=\"${sync_binddn}\" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited", + "olcUpdateRef: ${sync_provider}", ], unique_attributes => [ 'olcLimits', 'olcSyncrepl', - ], - ensure => present, - } - - ldapdn { "updateref": - dn => $ldap::params::main_db_dn, - attributes => [ - "olcUpdateRef: ${sync_provider}", - ], - unique_attributes => [ 'olcUpdateRef', ], ensure => present, - require => Ldapdn['syncrepl'], } ldap::server::database { 'primary': From 4ec9ace6a23c13742b9f25c1524bf34f283eaff0 Mon Sep 17 00:00:00 2001 
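Review bot: The `olcSyncrepl` value on the new side fixes `bindmethod=simple` and `starttls=no` while carrying `credentials=\"${sync_bindpw}\"`, so the replication bind password travels unprotected unless `$sync_provider` is an ldaps:// URL, which nothing here checks. Consider a `$sync_starttls = 'no'` class parameter interpolated as `starttls=${sync_starttls}`, or a doc line on `[sync_provider]` stating that an ldaps:// URL is required. The password is also stored in cleartext in cn=config, as olcSyncrepl requires; a comment on the resource, `# sync_bindpw is stored in cleartext in cn=config; restrict read access to cn=config accordingly`, makes that explicit for whoever audits the ACLs. The enclosing class body starts outside the hunk.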
From: Ben Langfeld Date: Fri, 30 May 2014 10:33:43 -0300 Subject: [PATCH 74/85] More robust ordering --- manifests/server/slave.pp | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index d765401..3b0bfdd 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -213,6 +213,17 @@ ensure => $ensure, } + ldap::server::database { 'primary': + suffix => $suffix, + rootpw => $rootpw, + rootdn => $rootdn, + index_inc => $index_inc, + syncprov => $syncprov, + syncprov_checkpoint => $syncprov_checkpoint, + syncprov_sessionlog => $syncprov_sessionlog, + sync_binddn => $sync_binddn, + } + ldapdn { "syncrepl": dn => $ldap::params::main_db_dn, attributes => [ @@ -226,17 +237,7 @@ 'olcUpdateRef', ], ensure => present, - } - - ldap::server::database { 'primary': - suffix => $suffix, - rootpw => $rootpw, - rootdn => $rootdn, - index_inc => $index_inc, - syncprov => $syncprov, - syncprov_checkpoint => $syncprov_checkpoint, - syncprov_sessionlog => $syncprov_sessionlog, - sync_binddn => $sync_binddn, + require => Ldap::Server::Database['primary'], } } From 0938479a9cf102788fb0ae1d3074a0a31761c13f Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Fri, 30 May 2014 14:04:15 -0300 Subject: [PATCH 75/85] Allow management of multiple databases --- manifests/params.pp | 4 +- manifests/server/database.pp | 35 +- manifests/server/master.pp | 2 +- manifests/server/slave.pp | 6 +- puppet/master/manifests/site.pp | 64 ++++ puppet/slave/manifests/site.pp | 1 + .../master/serverspec/slapd_spec.rb | 336 +++++++++++------- 7 files changed, 309 insertions(+), 139 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 0308e06..72daa13 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
@@ -23,7 +23,7 @@ $ssl_prefix = '/etc/ssl/certs' $server_run = '/var/run/slapd' - $main_db_dn = 'olcDatabase={1}bdb,cn=config' + $main_db_name = '{1}bdb' case $::operatingsystemmajrelease { 5 : { @@ -114,7 +114,7 @@ $server_package = [ 'openldap-servers' ] $server_config = 'slapd.conf' - $main_db_dn = 'olcDatabase={2}bdb,cn=config' + $main_db_name = '{2}bdb' case $::operatingsystemmajrelease { 5 : { diff --git a/manifests/server/database.pp b/manifests/server/database.pp index 960b036..021ee68 100644 --- a/manifests/server/database.pp +++ b/manifests/server/database.pp @@ -44,7 +44,7 @@ # # === Examples # -# ldap::server::database { 'secondary': +# ldap::server::database { 'olcDatabase={1}bdb,cn=config': # suffix => 'dc=foo,dc=bar', # rootpw => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=', # syncprov => true, 
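Review bot: Renaming `$main_db_dn` to `$main_db_name` leaves any reference to `$ldap::params::main_db_dn` that this commit does not touch resolving to an undefined variable, which Puppet 3 expands to an empty string unless strict variables are enabled, so a stale caller would silently address `dn => ",cn=config"`; worth a grep over manifests and templates. The DN is now rebuilt in two places, `"olcDatabase=${name},cn=config"` in database.pp and `"olcDatabase=${ldap::params::main_db_name},cn=config"` in slave.pp; keeping `$main_db_dn = "olcDatabase=${main_db_name},cn=config"` in params next to the new variable would give callers one source of truth and keep the old name working. The surrounding `case $::operatingsystemmajrelease` block extends past the hunk.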
@@ -80,15 +80,33 @@ require ldap + $dn = "olcDatabase=${name},cn=config" + $directory = "${ldap::params::db_prefix}/${name}" + if($master and $syncprov) { $readable_by_sync = "by dn.base=\"cn=sync,${suffix}\" read " } else { $readable_by_sync = "" } - ldapdn { "database config": - dn => $ldap::params::main_db_dn, + File { + mode => '0600', + owner => $ldap::params::server_owner, + group => $ldap::params::server_group, + require => Package[$ldap::params::server_package], + } + + file { $directory: + ensure => directory, + } + + ldapdn { "${name} database config": + dn => $dn, attributes => [ + 'objectClass: olcDatabaseConfig', + 'objectClass: olcBdbConfig', + "olcDatabase: ${name}", + "olcDbDirectory: ${directory}", "olcAccess: to dn.subtree=\"${suffix}\" attrs=userPassword,shadowLastChange ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self write by anonymous auth by * none", "olcAccess: to dn.subtree=\"${suffix}\" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by * read", "olcAccess: to dn.subtree=\"${suffix}\" ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self read by * read", @@ -101,20 +119,23 @@ ], unique_attributes => [ 'olcAccess', + 'olcDatabase', 'olcDbCheckpoint', + 'olcDbDirectory', 'olcLastMod', 'olcSuffix', 'olcRootDN', 'olcRootPW', ], ensure => present, + require => File[$directory], } $index_base = $ldap::params::index_base $indices = split(inline_template("<%= (@index_base + @index_inc).map { |index| \"olcDbIndex: #{index}\" }.join(';') %>"),';') - ldapdn { "indices": - dn => $ldap::params::main_db_dn, + ldapdn { "${name} indices": + dn => $dn, attributes => $indices, unique_attributes => [ 'olcDbIndex', 
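Review bot: `olcDbDirectory: ${directory}` with `$directory = "${ldap::params::db_prefix}/${name}"` is now applied to the package's existing main database as well (master.pp and slave.pp in this commit pass `$ldap::params::main_db_name`), so if `db_prefix` is the directory the package already populated, this points a live database at a new, empty subdirectory named after `$name` (e.g. `<db_prefix>/{1}bdb`); please check this against an upgrade of an already-installed server. A `$directory` parameter defaulting to the computed path, or leaving `olcDbDirectory` unmanaged for the main database, would avoid that. The `objectClass: olcBdbConfig` line is fixed while `$name` encodes the backend (`{1}bdb`), so a caller naming a `{2}hdb` database gets a mismatched objectClass; either derive it from the name or state in the define's header that only bdb databases are supported. The define's body continues beyond the hunk.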
@@ -123,8 +144,8 @@ } if($syncprov) { - ldapdn { "syncprov_config": - dn => "olcOverlay={0}syncprov,${ldap::params::main_db_dn}", + ldapdn { "${name} syncprov_config": + dn => "olcOverlay={0}syncprov,${dn}", attributes => [ 'objectClass: olcOverlayConfig', 'objectClass: olcSyncProvConfig', diff --git a/manifests/server/master.pp b/manifests/server/master.pp index fb59f25..0a72b60 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -161,7 +161,7 @@ ensure => $ensure, } - ldap::server::database { 'primary': + ldap::server::database { $ldap::params::main_db_name: suffix => $suffix, rootpw => $rootpw, rootdn => $rootdn, diff --git a/manifests/server/slave.pp b/manifests/server/slave.pp index 3b0bfdd..88c34cd 100644 --- a/manifests/server/slave.pp +++ b/manifests/server/slave.pp @@ -213,7 +213,7 @@ ensure => $ensure, } - ldap::server::database { 'primary': + ldap::server::database { $ldap::params::main_db_name: suffix => $suffix, rootpw => $rootpw, rootdn => $rootdn, @@ -225,7 +225,7 @@ } ldapdn { "syncrepl": - dn => $ldap::params::main_db_dn, + dn => "olcDatabase=${ldap::params::main_db_name},cn=config", attributes => [ "olcSyncrepl: rid=${sync_rid} provider=${sync_provider} bindmethod=simple timeout=0 network-timeout=0 binddn=\"${sync_binddn}\" credentials=\"${sync_bindpw}\" keepalive=0:0:0 starttls=no filter=\"${sync_filter}\" searchbase=\"${sync_base}\" scope=${sync_scope} attrs=\"${sync_attrs}\" schemachecking=off type=${sync_type} interval=${sync_interval} retry=undefined", "olcLimits: dn.exact=\"${sync_binddn}\" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited", @@ -237,7 +237,7 @@ 'olcUpdateRef', ], ensure => present, - require => Ldap::Server::Database['primary'], + require => Ldap::Server::Database[$ldap::params::main_db_name], } } diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index 441c7f9..8c39e05 100644 --- a/puppet/master/manifests/site.pp 
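Review bot: In slave.pp, `dn => "olcDatabase=${ldap::params::main_db_name},cn=config"` re-derives the database DN that ldap::server::database composes as `$dn = "olcDatabase=${name},cn=config"`, so the naming rule now lives in two files and can drift silently. Until the define exposes its DN, a comment on this line such as `# must match $dn as built in ldap::server::database` keeps the two in step; the `syncrepl` ldapdn body continues past the end of this hunk.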
+++ b/puppet/master/manifests/site.pp @@ -33,6 +33,7 @@ 'o: Foo Dot Bar', ], unique_attributes => ['dc', 'o'], + require => Class['ldap::server::master'], } ldapdn { "ou users": @@ -72,3 +73,66 @@ ensure => present, require => Ldapdn['ou users'], } + +# Secondary database + +ldap::server::database { '{2}bdb': + suffix => 'dc=doo,dc=dah', + rootpw => 'otherpassword', + index_inc => ['title pres'], + syncprov => true, + sync_binddn => 'cn=sync,dc=doo,dc=dah', + master => true, +} + +ldapdn { 'add secondary database': + ensure => present, + dn => 'dc=doo,dc=dah', + attributes => [ + 'dc: doo', + 'objectClass: top', + 'objectClass: dcObject', + 'objectClass: organization', + 'o: Doo Dot Dah', + ], + unique_attributes => ['dc', 'o'], + require => Ldap::Server::Database['{2}bdb'], +} + +ldapdn { "secondary - ou users": + dn => "ou=users,dc=doo,dc=dah", + attributes => [ + 'ou: users', + 'objectClass: organizationalUnit' + ], + unique_attributes => ["ou"], + ensure => present, + require => Ldapdn['add secondary database'], +} + +ldapdn { "secondary - test user": + dn => "uid=testuser,ou=users,dc=doo,dc=dah", + attributes => [ + 'objectClass: top', + 'objectClass: person', + 'objectClass: organizationalPerson', + 'objectClass: inetOrgPerson', + 'cn: Joe Bloggs', + 'sn: Bloggs', + 'uid: testuser', + 'givenName: Joe', + 'mail: foo@bar.com', + 'userPassword: {ssha}YlANix4RcH5rySCWSmzoSzbvj2hzb21lc2FsdA==', # somepassword + ], + unique_attributes => [ + 'uid', + 'cn', + 'sn', + 'givenName', + 'mail', + 'userPassword', + ], + indifferent_attributes => ["userPassword"], + ensure => present, + require => Ldapdn['secondary - ou users'], +} diff --git a/puppet/slave/manifests/site.pp b/puppet/slave/manifests/site.pp index f6a0fad..cf48e49 100644 --- a/puppet/slave/manifests/site.pp +++ b/puppet/slave/manifests/site.pp @@ -35,6 +35,7 @@ 'o: Foo Dot Bar', ], unique_attributes => ['dc', 'o'], + require => Class['ldap::server::slave'], } ldapdn { "ou users": 
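Review bot: `rootpw => 'otherpassword'` on the new `ldap::server::database { '{2}bdb': … }` resource is passed through verbatim as `olcRootPW` by the define, so this fixture leaves a cleartext root password in cn=config, whereas the define's own example uses a `{SHA}` digest. Using a hashed value here, with the cleartext recorded in a trailing comment as the fixture already does for `userPassword: {ssha}…  # somepassword`, would exercise the path the documentation recommends while keeping the serverspec bind with `-w otherpassword` meaningful.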
diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb
index dd73804..b774b19 100644
--- a/test/integration/master/serverspec/slapd_spec.rb
+++ b/test/integration/master/serverspec/slapd_spec.rb
@@ -10,164 +10,248 @@ end describe "slapd master" do - describe service('slapd') do - it { should be_enabled } - it { should be_running } - end + describe "server-wide concerns" do + describe service('slapd') do + it { should be_enabled } + it { should be_running } + end - describe port(389) do - it { should be_listening } - end + describe port(389) do + it { should be_listening } + end - # Can bind as system root user - describe command('ldapwhoami -H ldapi:/// -Y EXTERNAL') do - it { should return_stdout /dn:gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth/ } - end + # Can bind as system root user + describe command('ldapwhoami -H ldapi:/// -Y EXTERNAL') do + it { should return_stdout /dn:gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth/ } + end - # Can bind as specified root user w/ password - describe command('ldapwhoami -H ldapi:/// -x -D cn=admin,dc=foo,dc=bar -w password') do - it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ } - end + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=schema,cn=config" "(objectClass=olcSchemaConfig)" cn') do + %w{inetorgperson cosine nis core ppolicy}.each do |schema| + it { should return_stdout /#{schema}/ } + end + end - # Can bind as a created user - describe command('ldapwhoami -H ldapi:/// -x -D uid=testuser,ou=users,dc=foo,dc=bar -w somepassword') do - it { should return_stdout /dn:uid=testuser,ou=users,dc=foo,dc=bar/ } - end + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcModuleList)" olcModuleLoad') do + %w{back_bdb ppolicy}.each do |mod| + it { should return_stdout /#{mod}/ } + end + end - # Requested suffix exists in cn=config - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcSuffix') do - it { should return_stdout /olcSuffix: dc=foo,dc=bar/ } - end + # Syncprov + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcModuleList)" olcModuleLoad') do + it { 
should return_stdout /syncprov/ } + end - # Once created, the root org is readable by system root - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b "dc=foo,dc=bar"') do - it { should return_stdout /o: Foo Dot Bar/ } - end + # TLS + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)"') do + let(:cert_path) do + case os[:family] + when 'RedHat' + '/etc/openldap/certs' + when 'Debian', 'Ubuntu' + '/etc/ssl/certs' + end + end + it { should return_stdout %r{olcTLSCACertificateFile: #{cert_path}/ca\.pem} } + it { should return_stdout %r{olcTLSCertificateFile: #{cert_path}/master-ldap\.pem} } + it { should return_stdout %r{olcTLSCertificateKeyFile: #{cert_path}/master-ldap\.key} } + end + describe command('ldapwhoami -H ldaps:/// -x -D cn=admin,dc=foo,dc=bar -w password') do + it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ } + end - # Once created, the root org is readable by the DIT root user - describe command('ldapsearch -H ldapi:/// -x -D cn=admin,dc=foo,dc=bar -w password -s base -b "dc=foo,dc=bar"') do - it { should return_stdout /o: Foo Dot Bar/ } - end + # Setting arbitrary config options + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcConcurrency') do + it { should return_stdout %r{olcConcurrency: 1} } + end - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=schema,cn=config" "(objectClass=olcSchemaConfig)" cn') do - %w{inetorgperson cosine nis core ppolicy}.each do |schema| - it { should return_stdout /#{schema}/ } + # Log level + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcLogLevel') do + it { should return_stdout %r{olcLogLevel: 4} } end - end - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcModuleList)" olcModuleLoad') do - %w{back_bdb ppolicy}.each do |mod| - it { should return_stdout /#{mod}/ } + let(:run_dir) do + case 
property[:os_by_host]['localhost'][:family] + when /redhat/i + '/var/run/openldap' + else + '/var/run/slapd' + end end - end - # Last-modified overlay is on - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcLastMod') do - it { should return_stdout /olcLastMod: TRUE/ } - end + # PID file + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcPidFile') do + it { should return_stdout %r{olcPidFile: #{run_dir}/slapd.pid} } + end - # DB performance tweaks are set - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbCheckpoint') do - it { should return_stdout /512 30/ } - end + # Args file + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcArgsFile') do + it { should return_stdout %r{olcArgsFile: #{run_dir}/slapd.args} } + end - # Indices (default and specified) - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcDatabaseConfig)" olcDbIndex') do - [ - 'olcDbIndex: objectClass \s*eq', - 'olcDbIndex: entryCSN \s*eq', - 'olcDbIndex: entryUUID \s*eq', - 'olcDbIndex: uidNumber \s*eq', - 'olcDbIndex: gidNumber \s*eq', - 'olcDbIndex: cn \s*pres,sub,eq', - 'olcDbIndex: sn \s*pres,sub,eq', - 'olcDbIndex: uid \s*pres,sub,eq', - 'olcDbIndex: displayName \s*pres,sub,eq', - 'olcDbIndex: title \s*pres', - ].each do |index| - it { should return_stdout /#{index}/ } + # Bind Anon + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcDisallows') do + its(:stdout) { should include 'olcDisallows: bind_anon' } end end - # ACLs - describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcAccess | perl -p00e \'s/\r?\n //g\'') do - [ - /to \* by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" manage/, - /to dn.subtree="dc=foo,dc=bar" 
attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self write by anonymous auth by \* none/, - /to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by \* read/, - /to dn.subtree="dc=foo,dc=bar" by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self read by \* read/, - ].each do |entry| - it { should return_stdout entry } + describe 'primary database' do + # Can bind as specified root user w/ password + describe command('ldapwhoami -H ldapi:/// -x -D cn=admin,dc=foo,dc=bar -w password') do + it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ } end - end - # Syncprov - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcModuleList)" olcModuleLoad') do - it { should return_stdout /syncprov/ } - end + # Can bind as a created user + describe command('ldapwhoami -H ldapi:/// -x -D uid=testuser,ou=users,dc=foo,dc=bar -w somepassword') do + it { should return_stdout /dn:uid=testuser,ou=users,dc=foo,dc=bar/ } + end - describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(objectClass=olcSyncProvConfig)" olcSpCheckpoint') do - it { should return_stdout /100 10/ } - end + # Requested suffix exists in cn=config + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcSuffix') do + it { should return_stdout /olcSuffix: dc=foo,dc=bar/ } + end - describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(objectClass=olcSyncProvConfig)" olcSpSessionlog') do - it { should return_stdout /100/ } - end + # Once created, the root org is readable by system root + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b 
"dc=foo,dc=bar"') do + it { should return_stdout /o: Foo Dot Bar/ } + end + + # Once created, the root org is readable by the DIT root user + describe command('ldapsearch -H ldapi:/// -x -D cn=admin,dc=foo,dc=bar -w password -s base -b "dc=foo,dc=bar"') do + it { should return_stdout /o: Foo Dot Bar/ } + end - # TLS - describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)"') do - let(:cert_path) do - case os[:family] - when 'RedHat' - '/etc/openldap/certs' - when 'Debian', 'Ubuntu' - '/etc/ssl/certs' + # Directory can be manipulated by ldapdn resources + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b "ou=users,dc=foo,dc=bar" "(objectClass=organizationalUnit)"') do + it { should return_stdout /ou: users/ } + end + + # Last-modified overlay is on + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcLastMod') do + it { should return_stdout /olcLastMod: TRUE/ } + end + + # DB performance tweaks are set + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcDbCheckpoint') do + it { should return_stdout /512 30/ } + end + + # Indices (default and specified) + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcDbIndex') do + [ + 'olcDbIndex: objectClass \s*eq', + 'olcDbIndex: entryCSN \s*eq', + 'olcDbIndex: entryUUID \s*eq', + 'olcDbIndex: uidNumber \s*eq', + 'olcDbIndex: gidNumber \s*eq', + 'olcDbIndex: cn \s*pres,sub,eq', + 'olcDbIndex: sn \s*pres,sub,eq', + 'olcDbIndex: uid \s*pres,sub,eq', + 'olcDbIndex: displayName \s*pres,sub,eq', + 'olcDbIndex: title \s*pres', + ].each do |index| + it { should return_stdout /#{index}/ } end end - it { should return_stdout %r{olcTLSCACertificateFile: #{cert_path}/ca\.pem} } - it { should return_stdout %r{olcTLSCertificateFile: #{cert_path}/master-ldap\.pem} } - it { should return_stdout %r{olcTLSCertificateKeyFile: 
#{cert_path}/master-ldap\.key} } - end - describe command('ldapwhoami -H ldaps:/// -x -D cn=admin,dc=foo,dc=bar -w password') do - it { should return_stdout /dn:cn=admin,dc=foo,dc=bar/ } - end - # Directory can be manipulated by ldapdn resources - describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b "ou=users,dc=foo,dc=bar" "(objectClass=organizationalUnit)"') do - it { should return_stdout /ou: users/ } - end + # ACLs + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=foo,dc=bar)" olcAccess | perl -p00e \'s/\r?\n //g\'') do + [ + /to \* by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" manage/, + /to dn.subtree="dc=foo,dc=bar" attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self write by anonymous auth by \* none/, + /to dn.subtree="dc=foo,dc=bar" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by \* read/, + /to dn.subtree="dc=foo,dc=bar" by dn.base="cn=sync,dc=foo,dc=bar" read by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self read by \* read/, + ].each do |entry| + it { should return_stdout entry } + end + end - # Setting arbitrary config options - describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcConcurrency') do - it { should return_stdout %r{olcConcurrency: 1} } + # Syncprov + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(objectClass=olcSyncProvConfig)" olcSpCheckpoint') do + it { should return_stdout /100 10/ } + end + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(objectClass=olcSyncProvConfig)" olcSpSessionlog') do + it { should return_stdout /100/ } + end end - # Log level - describe 
command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcLogLevel') do - it { should return_stdout %r{olcLogLevel: 4} } - end + describe 'secondary database' do + # Can bind as specified root user w/ password + describe command('ldapwhoami -H ldapi:/// -x -D cn=admin,dc=doo,dc=dah -w otherpassword') do + it { should return_stdout /dn:cn=admin,dc=doo,dc=dah/ } + end - let(:run_dir) do - case property[:os_by_host]['localhost'][:family] - when /redhat/i - '/var/run/openldap' - else - '/var/run/slapd' + # Can bind as a created user + describe command('ldapwhoami -H ldapi:/// -x -D uid=testuser,ou=users,dc=doo,dc=dah -w somepassword') do + it { should return_stdout /dn:uid=testuser,ou=users,dc=doo,dc=dah/ } end - end - # PID file - describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcPidFile') do - it { should return_stdout %r{olcPidFile: #{run_dir}/slapd.pid} } - end + # Requested suffix exists in cn=config + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=doo,dc=dah)" olcSuffix') do + it { should return_stdout /olcSuffix: dc=doo,dc=dah/ } + end - # Args file - describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcArgsFile') do - it { should return_stdout %r{olcArgsFile: #{run_dir}/slapd.args} } - end + # Once created, the root org is readable by system root + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b "dc=doo,dc=dah"') do + it { should return_stdout /o: Doo Dot Dah/ } + end + + # Once created, the root org is readable by the DIT root user + describe command('ldapsearch -H ldapi:/// -x -D cn=admin,dc=doo,dc=dah -w otherpassword -s base -b "dc=doo,dc=dah"') do + it { should return_stdout /o: Doo Dot Dah/ } + end + + # Directory can be manipulated by ldapdn resources + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b "ou=users,dc=doo,dc=dah" "(objectClass=organizationalUnit)"') do + it { should 
return_stdout /ou: users/ } + end + + # Last-modified overlay is on + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=doo,dc=dah)" olcLastMod') do + it { should return_stdout /olcLastMod: TRUE/ } + end + + # DB performance tweaks are set + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=doo,dc=dah)" olcDbCheckpoint') do + it { should return_stdout /512 30/ } + end - # Bind Anon - describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(cn=config)" olcDisallows') do - its(:stdout) { should include 'olcDisallows: bind_anon' } + # Indices (default and specified) + describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=doo,dc=dah)" olcDbIndex') do + [ + 'olcDbIndex: objectClass \s*eq', + 'olcDbIndex: entryCSN \s*eq', + 'olcDbIndex: entryUUID \s*eq', + 'olcDbIndex: uidNumber \s*eq', + 'olcDbIndex: gidNumber \s*eq', + 'olcDbIndex: cn \s*pres,sub,eq', + 'olcDbIndex: sn \s*pres,sub,eq', + 'olcDbIndex: uid \s*pres,sub,eq', + 'olcDbIndex: displayName \s*pres,sub,eq', + 'olcDbIndex: title \s*pres', + ].each do |index| + it { should return_stdout /#{index}/ } + end + end + + # ACLs + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(olcSuffix=dc=doo,dc=dah)" olcAccess | perl -p00e \'s/\r?\n //g\'') do + [ + /to \* by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" manage/, + /to dn.subtree="dc=doo,dc=dah" attrs=userPassword,shadowLastChange by dn.base="cn=sync,dc=doo,dc=dah" read by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self write by anonymous auth by \* none/, + /to dn.subtree="dc=doo,dc=dah" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid by dn.base="cn=sync,dc=doo,dc=dah" read by dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by \* read/, + /to dn.subtree="dc=doo,dc=dah" by dn.base="cn=sync,dc=doo,dc=dah" read by 
dn.base="gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" write by self read by \* read/, + ].each do |entry| + it { should return_stdout entry } + end + end + + # Syncprov + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(objectClass=olcSyncProvConfig)" olcSpCheckpoint') do + it { should return_stdout /100 10/ } + end + describe command('ldapsearch -H ldapi:/// -LLL -Y EXTERNAL -b "cn=config" "(objectClass=olcSyncProvConfig)" olcSpSessionlog') do + it { should return_stdout /100/ } + end end end From 72d9b23aa01d89c9163a02cccc6d02c78971fcc5 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Mon, 2 Jun 2014 14:13:52 -0300 Subject: [PATCH 76/85] Remove unnecessary symlinks --- spec/fixtures/modules/ldap/manifests | 1 - spec/fixtures/modules/ldap/templates | 1 - 2 files changed, 2 deletions(-) delete mode 120000 spec/fixtures/modules/ldap/manifests delete mode 120000 spec/fixtures/modules/ldap/templates diff --git a/spec/fixtures/modules/ldap/manifests b/spec/fixtures/modules/ldap/manifests deleted file mode 120000 index 373b992..0000000 --- a/spec/fixtures/modules/ldap/manifests +++ /dev/null @@ -1 +0,0 @@ -../../../../manifests \ No newline at end of file diff --git a/spec/fixtures/modules/ldap/templates b/spec/fixtures/modules/ldap/templates deleted file mode 120000 index f8a06d1..0000000 --- a/spec/fixtures/modules/ldap/templates +++ /dev/null @@ -1 +0,0 @@ -../../../../templates \ No newline at end of file From ca7dd4ddb0dd06a951f4deed62880e2606caa421 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Thu, 5 Jun 2014 15:13:48 -0300 Subject: [PATCH 77/85] Set all DB options in a single resource Previously indices could have been set before the DB was created. This simplifies even more. --- lib/puppet/provider/ldapdn/ldapdn.rb | 2 +- manifests/server/database.pp | 48 ++++++++++++---------------- 2 files changed, 22 insertions(+), 28 deletions(-) 
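Review bot: The `olcSpCheckpoint` and `olcSpSessionlog` checks under `describe 'secondary database'` search `-b "cn=config" "(objectClass=olcSyncProvConfig)"`, the same query as their copies under `describe 'primary database'`, so they pass as long as any database carries a syncprov overlay and cannot detect the secondary lacking one. Searching from the database entry instead, e.g. `-b "olcDatabase={2}bdb,cn=config"` for the secondary (the overlay sits at `olcOverlay={0}syncprov,olcDatabase={2}bdb,cn=config`), makes each pair assert its own database. Separately, `let(:cert_path)` branches on `os[:family]` while `let(:run_dir)` branches on `property[:os_by_host]['localhost'][:family]`; using one lookup for both avoids the two helpers disagreeing on a platform.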
diff --git a/lib/puppet/provider/ldapdn/ldapdn.rb b/lib/puppet/provider/ldapdn/ldapdn.rb
index 4244412..465f4c3 100644
--- a/lib/puppet/provider/ldapdn/ldapdn.rb
+++ b/lib/puppet/provider/ldapdn/ldapdn.rb
@@ -210,7 +210,7 @@ def exists?
 def parse_attributes
 ldap_attributes = PuppetLDAP::OrderedHash.new
- Array(resource[:attributes]).each do |asserted_attribute|
+ Array(resource[:attributes]).flatten.each do |asserted_attribute|
 key,value = asserted_attribute.split(':', 2)
 ldap_attributes[key] = [] if ldap_attributes[key].nil?
 ldap_attributes[key] << value.strip!
diff --git a/manifests/server/database.pp b/manifests/server/database.pp
index 021ee68..65d058b 100644
--- a/manifests/server/database.pp
+++ b/manifests/server/database.pp
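Review bot: `Array(resource[:attributes]).flatten.each` widens what the provider accepts, but every element is still assumed to be a `key: value` String, and the `ldap_attributes[key] << value.strip!` that follows appends `nil` when there is nothing to strip (`String#strip!` returns nil if the receiver is unchanged) and raises `NoMethodError` when no `:` is present. The non-mutating form, `ldap_attributes[key] << value.strip`, keeps the value in the first case, and an explicit check for a missing `:` would turn a malformed attribute into a clear error instead of a stack trace. The rest of parse_attributes lies outside the hunk.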
@@ -100,28 +100,34 @@ ensure => directory, } + $database_options = [ + 'objectClass: olcDatabaseConfig', + 'objectClass: olcBdbConfig', + "olcDatabase: ${name}", + "olcDbDirectory: ${directory}", + "olcAccess: to dn.subtree=\"${suffix}\" attrs=userPassword,shadowLastChange ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self write by anonymous auth by * none", + "olcAccess: to dn.subtree=\"${suffix}\" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by * read", + "olcAccess: to dn.subtree=\"${suffix}\" ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self read by * read", + 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', + 'olcDbCheckpoint: 512 30', + 'olcLastMod: TRUE', + "olcSuffix: ${suffix}", + "olcRootDN: ${rootdn}", + "olcRootPW: ${rootpw}", + ] + + $index_base = $ldap::params::index_base + $indices = split(inline_template("<%= (@index_base + @index_inc).map { |index| \"olcDbIndex: #{index}\" }.join(';') %>"),';') + ldapdn { "${name} database config": dn => $dn, - attributes => [ - 'objectClass: olcDatabaseConfig', - 'objectClass: olcBdbConfig', - "olcDatabase: ${name}", - "olcDbDirectory: ${directory}", - "olcAccess: to dn.subtree=\"${suffix}\" attrs=userPassword,shadowLastChange ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self write by anonymous auth by * none", - "olcAccess: to dn.subtree=\"${suffix}\" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by * read", - "olcAccess: to dn.subtree=\"${suffix}\" ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self 
read by * read", - 'olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage', - 'olcDbCheckpoint: 512 30', - 'olcLastMod: TRUE', - "olcSuffix: ${suffix}", - "olcRootDN: ${rootdn}", - "olcRootPW: ${rootpw}", - ], + attributes => [$database_options, $indices], unique_attributes => [ 'olcAccess', 'olcDatabase', 'olcDbCheckpoint', 'olcDbDirectory', + 'olcDbIndex', 'olcLastMod', 'olcSuffix', 'olcRootDN', @@ -131,18 +137,6 @@ require => File[$directory], } - $index_base = $ldap::params::index_base - $indices = split(inline_template("<%= (@index_base + @index_inc).map { |index| \"olcDbIndex: #{index}\" }.join(';') %>"),';') - - ldapdn { "${name} indices": - dn => $dn, - attributes => $indices, - unique_attributes => [ - 'olcDbIndex', - ], - ensure => present, - } - if($syncprov) { ldapdn { "${name} syncprov_config": dn => "olcOverlay={0}syncprov,${dn}", From 7daff68e85fd6e94778180f21cdc693fca6dc5e7 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Fri, 6 Jun 2014 15:39:17 -0300 Subject: [PATCH 78/85] Properly use specified sync bindDN in ACLs --- manifests/server/database.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server/database.pp b/manifests/server/database.pp index 65d058b..b47eabf 100644 --- a/manifests/server/database.pp +++ b/manifests/server/database.pp @@ -84,7 +84,7 @@ $directory = "${ldap::params::db_prefix}/${name}" if($master and $syncprov) { - $readable_by_sync = "by dn.base=\"cn=sync,${suffix}\" read " + $readable_by_sync = "by dn.base=\"${sync_binddn}\" read " } else { $readable_by_sync = "" } From 626c12870bae325417fe196e45ff5382b6fb9032 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Fri, 6 Jun 2014 15:39:29 -0300 Subject: [PATCH 79/85] Properly specify overlay order --- manifests/server/database.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server/database.pp b/manifests/server/database.pp index b47eabf..3332421 100644 
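Review bot: `attributes => [$database_options, $indices]` hands the provider a nested array and only works because the same commit adds `.flatten` to the ldapdn provider; a comment on that line, `# nested array: the ldapdn provider flattens attributes`, records the coupling for anyone reading the manifest on its own. The `$indices` construction, an `inline_template` joined on `;` and then `split` on `;` again, breaks if an index spec ever contains a semicolon; if the pinned stdlib provides them, `prefix(concat($index_base, $index_inc), 'olcDbIndex: ')` yields the same list without the round-trip through a string. The `unique_attributes` list and the close of the ldapdn resource continue past the end of this hunk.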
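Review bot: `$readable_by_sync = "by dn.base=\"${sync_binddn}\" read "` is now interpolated whenever `$master and $syncprov` hold, but the define's signature (visible later in the series) gives `$sync_binddn = false`, so a master declared with `syncprov => true` and no `sync_binddn` emits `by dn.base="false" read` into every olcAccess rule where the removed line used to fall back to `cn=sync,${suffix}`. Either guard the branch, `if($master and $syncprov and $sync_binddn) {`, or fail early with a message along the lines of `fail('sync_binddn is required when master and syncprov are set')` so the misconfiguration surfaces at compile time rather than as a meaningless ACL clause.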
--- a/manifests/server/database.pp +++ b/manifests/server/database.pp @@ -143,7 +143,7 @@ attributes => [ 'objectClass: olcOverlayConfig', 'objectClass: olcSyncProvConfig', - 'olcOverlay: syncprov', + 'olcOverlay: {0}syncprov', "olcSpCheckpoint: ${syncprov_checkpoint}", "olcSpSessionlog: ${syncprov_sessionlog}", ], From d672427c2f4edae92cf5d55a613daa2bb1fac9a8 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Fri, 6 Jun 2014 17:24:50 -0300 Subject: [PATCH 80/85] Use HDB by default Supersedes BDB --- README.md | 2 +- manifests/params.pp | 12 ++++++------ manifests/server/database.pp | 4 ++-- puppet/master/manifests/site.pp | 4 ++-- templates/slapd.seed.erb | 2 +- test/integration/master/serverspec/slapd_spec.rb | 2 +- test/integration/slave/serverspec/slapd_spec.rb | 2 +- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index c3e268d..d6ad837 100644 --- a/README.md +++ b/README.md @@ -128,7 +128,7 @@ First you might like to set a root password: ```puppet ldapdn { "add manager password": - dn => "olcDatabase={2}bdb,cn=config", + dn => "olcDatabase={2}hdb,cn=config", attributes => ["olcRootPW: password"], unique_attributes => ["olcRootPW"], ensure => present, diff --git a/manifests/params.pp b/manifests/params.pp index 72daa13..cf54e07 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -23,7 +23,7 @@ $ssl_prefix = '/etc/ssl/certs' $server_run = '/var/run/slapd' - $main_db_name = '{1}bdb' + $main_db_name = '{1}hdb' case $::operatingsystemmajrelease { 5 : { @@ -51,7 +51,7 @@ } - $modules_base = [ 'back_bdb' ] + $modules_base = [ 'back_hdb' ] $schema_prefix = "${prefix}/schema" $schema_base = [ 'core', 'cosine', 'nis', 'inetorgperson', ] @@ -114,7 +114,7 @@ $server_package = [ 'openldap-servers' ] $server_config = 'slapd.conf' - $main_db_name = '{2}bdb' + $main_db_name = '{2}hdb' case $::operatingsystemmajrelease { 5 : { 
@@ -155,12 +155,12 @@ /(?i:OVS)/ : { $schema_base = [ 'core', 'cosine', 'nis', 'inetorgperson', 'authldap' ] - $modules_base = [ 'back_bdb' ] + $modules_base = [ 'back_hdb' ] } default : { $schema_base = [ 'core', 'cosine', 'nis', 'inetorgperson', ] - $modules_base = [ 'back_bdb' ] + $modules_base = [ 'back_hdb' ] } } @@ -249,7 +249,7 @@ $ssl_prefix = '/etc/ssl/certs' $server_run = '/var/run/slapd' $schema_base = [ 'core', 'cosine', 'nis', 'inetorgperson', ] - $modules_base = [ 'back_bdb' ] + $modules_base = [ 'back_hdb' ] $index_base = [ 'objectClass eq', 'entryCSN eq', diff --git a/manifests/server/database.pp b/manifests/server/database.pp index 3332421..78b4266 100644 --- a/manifests/server/database.pp +++ b/manifests/server/database.pp @@ -44,7 +44,7 @@ # # === Examples # -# ldap::server::database { 'olcDatabase={1}bdb,cn=config': +# ldap::server::database { 'olcDatabase={1}hdb,cn=config': # suffix => 'dc=foo,dc=bar', # rootpw => '{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=', # syncprov => true, @@ -102,7 +102,7 @@ $database_options = [ 'objectClass: olcDatabaseConfig', - 'objectClass: olcBdbConfig', + 'objectClass: olcHdbConfig', "olcDatabase: ${name}", "olcDbDirectory: ${directory}", "olcAccess: to dn.subtree=\"${suffix}\" attrs=userPassword,shadowLastChange ${readable_by_sync}by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" write by self write by anonymous auth by * none", diff --git a/puppet/master/manifests/site.pp b/puppet/master/manifests/site.pp index 8c39e05..be39594 100644 --- a/puppet/master/manifests/site.pp +++ b/puppet/master/manifests/site.pp @@ -76,7 +76,7 @@ # Secondary database -ldap::server::database { '{2}bdb': +ldap::server::database { '{2}hdb': suffix => 'dc=doo,dc=dah', rootpw => 'otherpassword', index_inc => ['title pres'], @@ -96,7 +96,7 @@ 'o: Doo Dot Dah', ], unique_attributes => ['dc', 'o'], - require => Ldap::Server::Database['{2}bdb'], + require => Ldap::Server::Database['{2}hdb'], } ldapdn { "secondary - ou users": 
diff --git a/templates/slapd.seed.erb b/templates/slapd.seed.erb index 6588116..392150d 100644 --- a/templates/slapd.seed.erb +++ b/templates/slapd.seed.erb @@ -12,7 +12,7 @@ slapd slapd/upgrade_slapcat_failure note slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION slapd slapd/autoconf_modules boolean true slapd slapd/purge_database boolean false -slapd slapd/backend select BDB +slapd slapd/backend select HDB slapd slapd/no_configuration boolean false slapd slapd/migrate_ldbm_to_bdb boolean true slapd slapd/move_old_database boolean true diff --git a/test/integration/master/serverspec/slapd_spec.rb b/test/integration/master/serverspec/slapd_spec.rb index b774b19..c677888 100644 --- a/test/integration/master/serverspec/slapd_spec.rb +++ b/test/integration/master/serverspec/slapd_spec.rb @@ -32,7 +32,7 @@ end describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcModuleList)" olcModuleLoad') do - %w{back_bdb ppolicy}.each do |mod| + %w{back_hdb ppolicy}.each do |mod| it { should return_stdout /#{mod}/ } end end diff --git a/test/integration/slave/serverspec/slapd_spec.rb b/test/integration/slave/serverspec/slapd_spec.rb index de9f062..2f4babd 100644 --- a/test/integration/slave/serverspec/slapd_spec.rb +++ b/test/integration/slave/serverspec/slapd_spec.rb @@ -56,7 +56,7 @@ end describe command('ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(objectClass=olcModuleList)" olcModuleLoad') do - %w{back_bdb ppolicy}.each do |mod| + %w{back_hdb ppolicy}.each do |mod| it { should return_stdout /#{mod}/ } end end From 8cb006860ab86b174594ecea30a8045c20a3b0ac Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Fri, 6 Jun 2014 18:14:05 -0300 Subject: [PATCH 81/85] Make sure that server is fully initialised before databases can be created Schema & modules loaded, etc --- manifests/server/database.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/manifests/server/database.pp b/manifests/server/database.pp index 78b4266..d63a871 100644 --- a/manifests/server/database.pp +++ b/manifests/server/database.pp @@ -134,7 +134,7 @@ 'olcRootPW', ], ensure => present, - require => File[$directory], + require => [Class['ldap::server::generic'], File[$directory]], } if($syncprov) { From 7e0498abdc0590d0bb9ccba6ca8189a25ede5ffc Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Fri, 6 Jun 2014 19:00:39 -0300 Subject: [PATCH 82/85] Don't setup syncprov on a database until the database is configured --- manifests/server/database.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server/database.pp b/manifests/server/database.pp index d63a871..d862c27 100644 --- a/manifests/server/database.pp +++ b/manifests/server/database.pp @@ -153,7 +153,7 @@ 'olcSpSessionlog', ], ensure => present, - require => Ldap::Server::Module['syncprov'], + require => [Ldapdn["${name} database config"], Ldap::Server::Module['syncprov']], } } From 88701a2fb8ab9b8f055ac4c732637b6f5ac9e740 Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Fri, 6 Jun 2014 19:01:20 -0300 Subject: [PATCH 83/85] Don't try and set a rootpw on a database if none is provided --- manifests/server/database.pp | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/manifests/server/database.pp b/manifests/server/database.pp index d862c27..2ebb48b 100644 --- a/manifests/server/database.pp +++ b/manifests/server/database.pp @@ -68,7 +68,7 @@ # define ldap::server::database( $suffix, - $rootpw, + $rootpw = false, $rootdn = "cn=admin,${suffix}", $index_inc = [], $syncprov = false, @@ -100,7 +100,7 @@ ensure => directory, } - $database_options = [ + $main_database_options = [ 'objectClass: olcDatabaseConfig', 'objectClass: olcHdbConfig', "olcDatabase: ${name}", 
@@ -113,9 +113,14 @@
 'olcLastMod: TRUE',
 "olcSuffix: ${suffix}",
 "olcRootDN: ${rootdn}",
- "olcRootPW: ${rootpw}",
 ]
+ if($rootpw) {
+ $database_options = [$main_database_options, "olcRootPW: ${rootpw}"]
+ } else {
+ $database_options = $main_database_options
+ }
+
 $index_base = $ldap::params::index_base
 $indices = split(inline_template("<%= (@index_base + @index_inc).map { |index| \"olcDbIndex: #{index}\" }.join(';') %>"),';')
From 35d26c6d155461ac4f625a2d4886bfe13b9a9c05 Mon Sep 17 00:00:00 2001
From: Ben Langfeld
Date: Fri, 6 Jun 2014 22:17:19 -0300
Subject: [PATCH 84/85] Don't create an initial BDB database (overlapping with HDB)
---
 templates/slapd.seed.erb | 1 -
 1 file changed, 1 deletion(-)
diff --git a/templates/slapd.seed.erb b/templates/slapd.seed.erb
index 392150d..8890d38 100644
--- a/templates/slapd.seed.erb
+++ b/templates/slapd.seed.erb
@@ -12,7 +12,6 @@ slapd slapd/upgrade_slapcat_failure note
 slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
 slapd slapd/autoconf_modules boolean true
 slapd slapd/purge_database boolean false
-slapd slapd/backend select HDB
 slapd slapd/no_configuration boolean false
 slapd slapd/migrate_ldbm_to_bdb boolean true
 slapd slapd/move_old_database boolean true
From 3a7a24ee8b956836745425581c520c4acc92f522 Mon Sep 17 00:00:00 2001
From: Ben Langfeld
Date: Sat, 7 Jun 2014 11:36:47 -0300
Subject: [PATCH 85/85] Make database data directory configurable
---
 manifests/server/database.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/server/database.pp b/manifests/server/database.pp
index 2ebb48b..51b5bb1 100644
--- a/manifests/server/database.pp
+++ b/manifests/server/database.pp
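Review bot: `$database_options = [$main_database_options, "olcRootPW: ${rootpw}"]` places an array inside a new array literal, so depending on how the parser in use and the consuming resource treat nested arrays, the attribute list may arrive as `[[...], "olcRootPW: ..."]` instead of the flat list the removed line produced; the resource that consumes `$database_options` is outside the hunk, so I cannot see whether it flattens. If the module already depends on puppetlabs-stdlib, building the list with its `flatten()` removes the ambiguity on both branches: `$database_options = flatten([$main_database_options, "olcRootPW: ${rootpw}"])`. The define's body continues outside the hunk.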
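Review bot: Dropping `slapd slapd/backend select HDB` does not by itself stop the package from creating an initial database, which is what the commit title asks for: `slapd slapd/no_configuration boolean false`, still present in the hunk, is the debconf answer that asks the slapd postinst to generate a configuration and initial database, and without a backend answer the package's own default backend applies. If the intent is that no package-created database exists at all, the answer to change is `slapd slapd/no_configuration boolean true`; this should be confirmed against the slapd debconf templates of the target release before relying on it. Otherwise the comment in the seed should record that an initial database in the package default backend is still expected.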
@@ -76,12 +76,12 @@
 $syncprov_sessionlog = '100',
 $sync_binddn = false,
 $master = false,
+ $directory = "${ldap::params::db_prefix}/${name}",
 ) {
 require ldap
 $dn = "olcDatabase=${name},cn=config"
- $directory = "${ldap::params::db_prefix}/${name}"
 if($master and $syncprov) {
 $readable_by_sync = "by dn.base=\"${sync_binddn}\" read "
