
puppet-openldap's Introduction

OpenLDAP


Overview

The openldap module allows you to easily manage OpenLDAP with Puppet. By default it will use OLC (cn=config).

Features supported

Object        olc (slapd.d)
global_conf   Y
database      Y
module        Y
overlay       Y
access        Y
index         Y
schema        Y

Usage

Configuring the client

class { 'openldap::client': }

For a more customized configuration:

class { 'openldap::client':
  base       => 'dc=example,dc=com',
  uri        => ['ldap://ldap.example.com', 'ldap://ldap-master.example.com:666'],
  tls_cacert => '/etc/ssl/certs/ca-certificates.crt',
}

Configuring the server

class { 'openldap::server': }
openldap::server::database { 'dc=foo,dc=example.com':
  ensure => present,
}

For a more customized configuration:

class { 'openldap::server':
  ldaps_ifs => ['/'],
  ssl_cert  => '/etc/ldap/ssl/slapd.pem',
  ssl_key   => '/etc/ldap/ssl/slapd.key',
}

If you need multiple databases:

class { 'openldap::server':
  databases => {
    'dc=foo,dc=example,dc=com' => {
      directory => '/var/lib/ldap/foo',
    },
    'dc=bar,dc=example,dc=com' => {
      directory => '/var/lib/ldap/bar',
    },
  },
}

Configuring a global parameter:

openldap::server::globalconf { 'security':
  ensure => present,
  value  => 'tls=128',
}

Configuring multiple olc ServerIDs for multi-master or mirror mode:

openldap::server::globalconf { 'ServerID':
  ensure  => present,
  value   => { 'ServerID' => [ '1 ldap://master1.example.com', '2 ldap://master2.example.com' ] }
}

Configuring global security settings:

openldap::server::globalconf { 'Security':
  ensure  => present,
  value   => { 'Security' => [ 'simple_bind=128', 'ssf=128', 'tls=0' ] },
}

Configuring a database

openldap::server::database { 'dc=example,dc=com':
  directory => '/var/lib/ldap',
  rootdn    => 'cn=admin,dc=example,dc=com',
  rootpw    => 'secret',
}

rootpw will be automatically converted to an SSHA hash with a random salt.

SHA-2 password hashes are also supported; pass the already hashed value:

openldap::server::database { 'dc=example,dc=com':
  directory => '/var/lib/ldap',
  rootdn    => 'cn=admin,dc=example,dc=com',
  rootpw    => '{SHA384}QZdaK3FnibbilSPbthnf3cO8lBWsRyM9i1MZTUFP21RdBSLSNFgYc2eFFzJG/amX',
}
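An added example, not code from the module: how the {SSHA} conversion described above is built and verified, plus a classifier for userPassword values in LDIF output that reports the scheme in use, or PLAINTEXT when there is none (the shape seen as `userPassword:: c2VjcmV0` in the "password not hashed" issue further down). The salt length, module and method names are this example's own choices.

```ruby
# Added example, not code from puppet-openldap: the {SSHA} scheme the module
# converts a plaintext rootpw into, a verifier for it, and a classifier that
# reports which scheme a userPassword value read back from LDIF uses.
require 'digest'
require 'base64'
require 'securerandom'

module OlcPassword
  SSHA_SALT_BYTES = 8 # salt length is a choice of this example, not of the module

  # {SSHA}: base64( SHA1(password || salt) || salt ). A fixed salt may be passed
  # for testing; normally it is random, so equal passwords hash differently.
  def self.ssha(password, salt = SecureRandom.random_bytes(SSHA_SALT_BYTES))
    digest = Digest::SHA1.digest(password.b + salt.b)
    '{SSHA}' + Base64.strict_encode64(digest + salt.b)
  end

  # {SHA384} as in the README example: unsalted SHA-384, base64 encoded.
  def self.sha384(password)
    '{SHA384}' + Base64.strict_encode64(Digest::SHA384.digest(password))
  end

  # Check a candidate against a stored {SSHA} value. SHA-1 digests are 20 bytes;
  # everything after that is the salt.
  def self.ssha_valid?(stored, candidate)
    return false unless stored.start_with?('{SSHA}')
    raw = Base64.strict_decode64(stored.delete_prefix('{SSHA}'))
    return false if raw.bytesize <= 20
    digest = raw.byteslice(0, 20)
    salt   = raw.byteslice(20..-1)
    Digest::SHA1.digest(candidate.b + salt) == digest
  end

  # Report the password scheme of one LDIF "userPassword" line. ldapsearch and
  # slapcat print "userPassword::" (two colons) when the value is base64 encoded.
  # Returns 'PLAINTEXT' when the decoded value carries no {SCHEME} prefix.
  def self.scheme_of(ldif_line)
    line = ldif_line.chomp
    value =
      if (m = line.match(/\AuserPassword::\s*(\S+)\z/))
        Base64.strict_decode64(m[1])
      elsif (m = line.match(/\AuserPassword:\s*(.*)\z/))
        m[1]
      else
        raise ArgumentError, "not a userPassword line: #{line.inspect}"
      end
    scheme = value.match(/\A\{([A-Za-z0-9-]+)\}/)
    scheme ? scheme[1].upcase : 'PLAINTEXT'
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample lines; the second is the value shape a plaintext rootpw
  # produces once ldapsearch base64-encodes it.
  sample = [
    'userPassword: {SHA384}QZdaK3FnibbilSPbthnf3cO8lBWsRyM9i1MZTUFP21RdBSLSNFgYc2eFFzJG/amX',
    'userPassword:: c2VjcmV0',
    "userPassword:: #{Base64.strict_encode64(OlcPassword.ssha('secret'))}",
  ]
  sample.each { |l| puts "#{OlcPassword.scheme_of(l).ljust(9)} #{l}" }
end
```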

Configuring modules

openldap::server::module { 'memberof':
  ensure => present,
}

Configuring overlays

openldap::server::overlay { 'memberof on dc=example,dc=com':
  ensure => present,
}

Configuring ACPs/ACLs

The OpenLDAP documentation on olcAccess states the following spec:

5.2.5.2. olcAccess: to <what> [ by <who> [<accesslevel>] [<control>] ]+

Define priority and suffix in the title:

openldap::server::access { '0 on dc=example,dc=com':
  what     => 'attrs=userPassword,shadowLastChange',
  access   => [
    'by dn="cn=admin,dc=example,dc=com" write',
    'by anonymous auth',
    'by self write',
    'by * none',
  ],
}

From the OpenLDAP documentation:

The frontend is a special database that is used to hold database-level options that should be applied to all the other databases. Subsequent database definitions may also override some frontend settings.

So use the suffix 'cn=frontend' for this special database:

openldap::server::access { '0 on cn=frontend' :
  what   => '*',
  access => [
    'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
    'by * break',
  ],
}

Note:

For purging unmanaged entries, rely on the resources resource:

resources { 'openldap_access':
  purge => true,
}

openldap::server::access { '0 on dc=example,dc=com':
  what   => ...,
  access => [...],
}
openldap::server::access { '1 on dc=example,dc=com':
  what   => ...,
  access => [...],
}

Calling your ACL from a hash:

The defined type openldap::server::access_wrapper was designed to simplify creating ACLs. Each ACL is a distinct hash in order to avoid collisions when multiple identical what clauses are present (to * in this example).

$example_acl = [
  {
    'to *' => [
      'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
      'by dn.exact=cn=admin,dc=example,dc=com write',
      'by dn.exact=cn=replicator,dc=example,dc=com read',
      'by * break',
    ],
  },
  {
    'to attrs=userPassword,shadowLastChange' => [
      'by dn="cn=admin,dc=example,dc=com" write',
      'by self write',
      'by anonymous auth',
    ],
  },
  {
    'to *' => [
      'by self read',
    ],
  },
]


openldap::server::access_wrapper { 'dc=example,dc=com' :
  acl => $example_acl,
}

Configuring Schemas

openldap::server::schema { 'samba':
  ensure  => present,
  path    => '/etc/ldap/schema/samba.schema',
  require => Openldap::Server::Schema["inetorgperson"],
}

openldap::server::schema { 'nis':
  ensure  => present,
  path    => '/etc/ldap/schema/nis.ldif',
  require => Openldap::Server::Schema["inetorgperson"],
}

Configuring Rewrite-overlay

openldap::server::database { 'relay':
  ensure  => present,
  backend => 'relay',
  suffix  => 'o=example',
  relay   => 'dc=example,dc=com',
}->

openldap::server::overlay { "rwm on relay":
  ensure  => present,
  suffix  => 'cn=config',
  overlay => 'rwm',
  options => {
    'olcRwmRewrite' => [
      'rwm-rewriteEngine "on"',
      'rwm-suffixmassage "dc=example,dc=com"',
    ],
  },
}

Configuring Dbindex

# Configuration suffix
Openldap::Server::Dbindex {
  suffix => 'dc=example,dc=com',
}

# The module only sets "objectClass eq" by default
openldap::server::dbindex {
  'cn':
    attribute => 'cn',
    indices   => 'eq,pres,sub';
  'uid':
    attribute => 'uid',
    indices   => 'eq,pres,sub';
  'uidNumber':
    attribute => 'uidNumber',
    indices   => 'eq,pres';
  'gidNumber':
    attribute => 'gidNumber',
    indices   => 'eq,pres';
  'member':
    attribute => 'member',
    indices   => 'eq,pres';
  'memberUid':
    attribute => 'memberUid',
    indices   => 'eq,pres';
}

Transfer Notice

This plugin was originally authored by Camptocamp. The maintainer preferred that Puppet Community take ownership of the module for future improvement and maintenance. Existing pull requests and issues were transferred over; please fork and continue to contribute here instead of at Camptocamp.

Previously: https://github.com/camptocamp/puppet-openldap


puppet-openldap's Issues

dbindex error "Type or value exists"

Having issues when managing Indexes.

Environment:

Puppet 3.7.4
OS: CentOS 6.6
OpenLDAP: 2.4.39

On the first run the index is created and all is well; on subsequent runs the agent complains that the index already exists.

manifest:

openldap::server::dbindex { 'create index uid':
    ensure    => present,                  
    attribute => 'uid',
    suffix    => 'dc=messaging,dc=example,dc=com',
    indices   => 'pres,eq',
} 

Debug output:

==> openldap1: Debug: /Stage[main]/Main/Node[ldapmaster1.local]/Openldap::Server::Database[dc=messaging,dc=example,dc=com]/File[/var/lib/ldap]/before: requires Openldap_database[dc=messaging,dc=m2core,dc=com]
==> openldap1: Debug: /Stage[main]/Main/Node[ldapmaster1.local]/Openldap::Server::Dbindex[create index uid]/Openldap_dbindex[create index uid]: Autorequiring Openldap_database[dc=messaging,dc=example,dc=com]
==> openldap1: Info: Applying configuration version '1427410139'
==> openldap1: Debug: Prefetching yum resources for package
==> openldap1: Debug: Executing '/bin/rpm --version'
==> openldap1: Debug: Executing '/bin/rpm -qa --nosignature --nodigest --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}\n''
==> openldap1: Debug: Executing '/sbin/service slapd status'
==> openldap1: Debug: Executing '/sbin/chkconfig slapd'
==> openldap1: Debug: Prefetching olc resources for openldap_database
==> openldap1: Debug: Executing '/usr/sbin/slapcat -b cn=config -H ldap:///???(&(objectClass=olcDatabaseConfig)(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig)))'
==> openldap1: Debug: /Stage[main]/Openldap::Server::Slapdconf/Openldap::Server::Database[dc=my-domain,dc=com]/Openldap_database[dc=my-domain,dc=com]: Nothing to manage: no ensure and the resource doesn't exist
==> openldap1: Debug: Prefetching olc resources for openldap_dbindex
==> openldap1: Debug: Executing '/usr/sbin/slapcat -b cn=config -H ldap:///???(olcDbIndex=*)'
==> openldap1: Debug: Executing '/usr/sbin/slapcat -b cn=config -H ldap:///???(olcSuffix=dc=messaging,dc=example,dc=com)'
==> openldap1: Debug: dn: olcDatabase={2}bdb,cn=config
==> openldap1: add: olcDbIndex
==> openldap1: olcDbIndex: uid pres,eq
==> openldap1:
==> openldap1: Debug: Executing '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_dbindex20150326-19015-1wjocaz-0'
==> openldap1: Error: LDIF content:
==> openldap1: dn: olcDatabase={2}bdb,cn=config
==> openldap1: add: olcDbIndex
==> openldap1: olcDbIndex: uid pres,eq
==> openldap1:
==> openldap1: Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_dbindex20150326-19015-1wjocaz-0' returned 20: SASL/EXTERNAL authentication started
==> openldap1: SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
==> openldap1: SASL SSF: 0
==> openldap1: ldap_modify: Type or value exists (20)
==> openldap1: additional info: modify/add: olcDbIndex: value #0 already exists
==> openldap1: modifying entry "olcDatabase={2}bdb,cn=config"
==> openldap1: /vagrant/modules/openldap/lib/puppet/provider/openldap_dbindex/olc.rb:83:in `create'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/property/ensure.rb:16:in `set_present'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/property.rb:197:in `send'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/property.rb:197:in `call_valuemethod'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/property.rb:498:in `set'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/property.rb:581:in `sync'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:204:in `sync'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:128:in `sync_if_needed'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:81:in `perform_changes'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:20:in `evaluate'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:204:in `apply'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:217:in `eval_resource'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:147:in `call'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:147:in `evaluate'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:327:in `thinmark'
==> openldap1: /usr/lib/ruby/1.8/benchmark.rb:308:in `realtime'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:326:in `thinmark'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:147:in `evaluate'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/graph/relationship_graph.rb:118:in `traverse'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:138:in `evaluate'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:169:in `apply'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/util/log.rb:149:in `with_destination'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/transaction/report.rb:112:in `as_logging_destination'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:168:in `apply'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:120:in `apply_catalog'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:161:in `benchmark'
==> openldap1: /usr/lib/ruby/1.8/benchmark.rb:308:in `realtime'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:160:in `benchmark'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:119:in `apply_catalog'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:227:in `run_internal'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:134:in `run'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/context.rb:64:in `override'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet.rb:244:in `override'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:133:in `run'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/application/apply.rb:297:in `apply_catalog'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/application/apply.rb:231:in `main'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/context.rb:64:in `override'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet.rb:244:in `override'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/application/apply.rb:193:in `main'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/application/apply.rb:154:in `run_command'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:381:in `run'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:507:in `plugin_hook'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:381:in `run'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:488:in `exit_on_fail'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:381:in `run'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:146:in `run'
==> openldap1: /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:92:in `execute'
==> openldap1: /usr/bin/puppet:8
==> openldap1: Error: /Stage[main]/Main/Node[ldapmaster1.local]/Openldap::Server::Dbindex[create index uid]/Openldap_dbindex[create index uid]/ensure: change from absent to present failed: LDIF content:
==> openldap1: dn: olcDatabase={2}bdb,cn=config
==> openldap1: add: olcDbIndex
==> openldap1: olcDbIndex: uid pres,eq
==> openldap1:
==> openldap1: Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_dbindex20150326-19015-1wjocaz-0' returned 20: SASL/EXTERNAL authentication started
==> openldap1: SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
==> openldap1: SASL SSF: 0
==> openldap1: ldap_modify: Type or value exists (20)
==> openldap1: additional info: modify/add: olcDbIndex: value #0 already exists
==> openldap1: modifying entry "olcDatabase={2}bdb,cn=config"
==> openldap1: Debug: Finishing transaction 70294556675300
==> openldap1: Debug: Storing state
==> openldap1: Debug: Stored state in 0.02 seconds
==> openldap1: Notice: Finished catalog run in 1.19 seconds
==> openldap1: Debug: Using settings: adding file resource 'rrddir': 'File[/var/lib/puppet/rrd]{:group=>"puppet", :backup=>false, :ensure=>:directory, :owner=>"puppet", :loglevel=>:debug, :mode=>"750", :path=>"/var/lib/puppet/rrd", :links=>:follow}'
==> openldap1: Debug: /File[/var/lib/puppet/rrd]/seluser: Found seluser default 'system_u' for /var/lib/puppet/rrd
==> openldap1: Debug: /File[/var/lib/puppet/rrd]/selrole: Found selrole default 'object_r' for /var/lib/puppet/rrd
==> openldap1: Debug: /File[/var/lib/puppet/rrd]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/rrd
==> openldap1: Debug: /File[/var/lib/puppet/rrd]/selrange: Found selrange default 's0' for /var/lib/puppet/rrd
==> openldap1: Debug: Finishing transaction 70294557880440
==> openldap1: Debug: Received report to process from ldapmaster1.local
==> openldap1: Debug: Processing report from ldapmaster1.local with processor Puppet::Reports::Store
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.

[root@ldapmaster1 ~]# /usr/sbin/slapcat -b cn=config -H 'ldap:///???(&(objectClass=olcDatabaseConfig)(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig)))' |grep uid
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
olcDbIndex: uid pres,eq
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

puppet/property/boolean

Am I right if I say the module now needs https://github.com/adrienthebo/puppet-boolean ?

Because I just updated (git pull) and got this error:
err: Could not retrieve catalog from remote server: Could not intern from pson: Could not autoload openldap_database: no such file to load -- puppet/property/boolean

and with find we can see inside ./type/openldap_database.rb: require 'puppet/property/boolean'

The only thing I don't know: is it really https://github.com/adrienthebo/puppet-boolean ? Or another one?

Overlay: objectClass: value #X invalid per syntax

I'm having an issue configuring a replication provider.
I'm using this doc as a guideline
https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-server-replication

I have translated the recommended ldif file into puppet DSL for this module.
example:

  openldap::server::overlay{ 'accesslog overlay on dc=example,dc=com':
    overlay  => 'accesslog',
    suffix   => 'dc=example,dc=com',
    options  => {
      'olcAccessLogDB'=>'cn=accesslog',
      'olcAccessLogOps'=>'writes',
      'olcAccessLogSuccess'=>'TRUE',
      'olcAccessLogPurge'=>'07+00:00 01+00:00'
    }
  }

This stanza generates the following LDIF:

dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 07+00:00 01+00:00

This LDIF, when saved to a file and loaded using ldapmodify, seems to work.

However, when applied by Puppet it results in the following error:

Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_overlay20151023-24665-ppse1y' returned 21: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Invalid syntax (21)
    additional info: objectClass: value #2 invalid per syntax
adding new entry "olcOverlay=accesslog,olcDatabase={1}hdb,cn=config"

Which, if I'm not mistaken, indicates that the objectClass olcAccessLogConfig is invalid...

This error happens on each of the overlays I attempt to apply,

but in all three cases the generated LDIF appears valid and can be applied successfully using traditional means.

Error LDIF content

Hi, I am trying to install LDAP, and I am getting this error, and I don't know what's going on...

If you could give me some clue...

Thanks!

 Error: LDIF content:
==> 13genius.com: dn: cn=config
==> 13genius.com: add: olcTLSCertificateKeyFile
==> 13genius.com: olcTLSCertificateKeyFile: /vagrant/ssl/13genius.key
==> 13genius.com: 
==> 13genius.com: Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_global_conf20141215-13808-1aop167' returned 80: SASL/EXTERNAL authentication started
==> 13genius.com: SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
==> 13genius.com: SASL SSF: 0
==> 13genius.com: ldap_modify: Other (e.g., implementation specific) error (80)
==> 13genius.com: modifying entry "cn=config"
==> 13genius.com: 
==> 13genius.com: 
==> 13genius.com: Error: /Stage[main]/Openldap::Server::Slapdconf/Openldap::Server::Globalconf[TLSCertificateKeyFile]/Openldap_global_conf[TLSCertificateKeyFile]/ensure: change from absent to present failed: LDIF content:
==> 13genius.com: dn: cn=config
==> 13genius.com: add: olcTLSCertificateKeyFile
==> 13genius.com: olcTLSCertificateKeyFile: /vagrant/ssl/13genius.key
==> 13genius.com: 
==> 13genius.com: Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_global_conf20141215-13808-1aop167' returned 80: SASL/EXTERNAL authentication started
==> 13genius.com: SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
==> 13genius.com: SASL SSF: 0
==> 13genius.com: ldap_modify: Other (e.g., implementation specific) error (80)
==> 13genius.com: modifying entry "cn=config"
==> 13genius.com: 
==> 13genius.com: 

openldap::server::overlay not working to configure refint overlay

Hi,
The following piece of code cannot work:

openldap::server::overlay { "refint on ${ldap_search_base}":
  ensure  => 'present',
  options => {
    'olcRefintAttribute' => 'memberOf memberUid',
  },
}

As the following ldif file is created:

dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcConfig
objectClass: olcOverlayConfig
olcOverlay: refint
olcRefintAttribute: memberOf memberUid

And ldapadd fails with the following error:

Object class violation (65) additional info: attribute 'olcRefintAttribute' not allowed

The problem is that the objectClass olcRefintConfig should be added to the object.
I tried to add the objectClass in the options hash, but the problem is that it tries to replace the objectClass thus it fails...

Best,
Baptiste

Database deletion forgets to delete admin and organization

When creating a new database with the openldap_database olc provider, it creates:

However, the destroy method only deletes the database itself, but leaves the admin and organization. Especially, even with:

openldap::server::database { 'dc=my-domain,dc=com':
    ensure => absent
}

we still have the default cn=admin and organization:

# slapcat 
dn: dc=my-domain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: xxx.yyyy
dc: my-domain
structuralObjectClass: organization
entryUUID: a825da52-a490-1034-883c-819eebab80eb
creatorsName: cn=admin,dc=my-domain,dc=com
createTimestamp: 20150611141946Z
entryCSN: 20150611141946.725294Z#000000#000#000000
modifiersName: cn=admin,dc=my-domain,dc=com
modifyTimestamp: 20150611141946Z

dn: cn=admin,dc=my-domain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: xxxxxxxxxxxxxxxxxx=
structuralObjectClass: organizationalRole
entryUUID: a8262a02-a490-1034-883d-819eebab80eb
creatorsName: cn=admin,dc=my-domain,dc=com
createTimestamp: 20150611141946Z
entryCSN: 20150611141946.727337Z#000000#000#000000
modifiersName: cn=admin,dc=my-domain,dc=com
modifyTimestamp: 20150611141946Z

As the module tries to take care of default database deletion, it should also probably handle this. As a more general feature, as it manages default admin and organization creation, it should also be able to manage deletion.

My guess is that the ldif code inside initdb could be factorized to either add or delete the objects. If that's your opinion too, I might be able to create a PR :)

Maxence

Per-database limits are different from timelimit/sizelimit

Currently there are parameters for timelimit and sizelimit at the database level. However, timelimit and sizelimit are only global configurations. As far as I am aware, limits are configured at the database level using the "limits" keyword using a very different syntax (limits <who> <limit> [<limit> [...]]). Attempting to set the olcTimeLimit or olcSizeLimit properties on a DB resource results in an error.

Please let me know if I'm missing something, but my request is to add support for "limits" at the database and remove timelimit/sizelimit from being allowed to be set at the database level.

http://www.openldap.org/doc/admin24/limits.html

openldap_module undefined local variable

There may be a typo in the openldap_module provider:

Error: Failed to apply catalog: undefined local variable or method `expection' for Puppet::Type::Openldap_module::ProviderOlc:Class

Should this be 'Exception' instead of 'expection'? (on line 24 of openldap_module/olc.rb)

password not hashed

having this code:

  class { 'openldap::server': }
  openldap::server::database { 'o=xxxxx':
    ensure => present,
    rootdn    => 'cn=admin,o=xxxxx',
    rootpw    => 'secret',
  }

results in:

ldapsearch -x -h localhost -b o=xxxxx
dn: cn=admin,o=xxxxx
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: c2VjcmV0

Add support for indexes

I think it would be nice to be able to add indexes in the same way we add access records.

not able to install puppet-openldap module in redhat 6.4

Hi,

I am not able to install your module. It is throwing me this error:

/opt/puppet/bin/puppet module install camptocamp-openldap
Notice: Preparing to install into /etc/puppetlabs/puppet/modules ...
Notice: Downloading from https://forgeapi.puppetlabs.com ...
Notice: Found at least one version of camptocamp-openldap compatible with PE (3.2.3);
Notice: Skipping versions which don't express PE compatibility. To install
the most recent version of the module regardless of compatibility
with PE, use the '--ignore-requirements' flag.
Notice: Found at least one version of puppetlabs-stdlib compatible with PE (3.2.3);
Notice: Skipping versions which don't express PE compatibility. To install
the most recent version of the module regardless of compatibility
with PE, use the '--ignore-requirements' flag.
Notice: Installing -- do not interrupt ...
Error: No such file or directory - /etc/puppetlabs/puppet/modules/openldap/spec/acceptance/nodesets/default.yml
Error: Try 'puppet help module install' for usage

I am using Red Hat 6.4. Is your module compatible with Red Hat, as I saw only Debian?

Let me know

openldap_overlay instances gsub

To account for overlay options that have forced line breaks in them, the overlay provider 'provider/openldap_overlay/olc.rb' file should have the following:

Instead of paragraph.split("\n") it should be paragraph.gsub("\n ", "").split("\n\n"). If the line break for the options is not accounted for, the provider thinks that the attribute is different and must be changed, when in reality, it is only parsing everything up to the first line break for the comparison.

Invalid parameter provider on Openldap_database[dc=my-domain,dc=com]

I started with a much more complicated pp file, but ended up reducing it repetitively until I was down to your minimum example and still received the same error. Can you sanity check this for me?

class { 'openldap::server': }
openldap::server::database { 'dc=foo,dc=com':
  ensure => present,
}

It currently results in the error in the subject. The rest is below. It is the same error with the recent version from Puppet Forge or from GitHub.

OS: Debian 7.7 minimal install

 err: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid parameter provider on Openldap_database[dc=my-domain,dc=com] at /etc/puppet/environments/dimes/modules/openldap/manifests/server/database.pp:44 on node xxx.xx.xxxxxxx.com

Much thanks for your help.

Overlay options?

Hi, how can I define options for an overlay, e.g. 'olcSpCheckpoint' and 'olcSpSessionlog' for 'syncprov'?

I noticed ':options' in '/lib/puppet/type/openldap_overlay.rb', but that doesn't seem to be used anywhere...

what is the best way to manage the ldap data

I have been playing around with this module and I was looking for an option to manage the data and import the content from an ldif in a repeatable way.

How do you typically deal with that?

Official Ubuntu support

I am running into this error:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid parameter provider

and after reading through the closed issues found that it is due to lack of official support for Ubuntu 14.04.

Are there any plans to support it?

openldap::server::dbindex doesn't work properly

It seems the type doesn't work properly: while trying to add multiple indices on a running openldap, puppet crashes:

Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_dbindex20151110-28704-5ufp39' returned 20: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Type or value exists (20)
        additional info: modify/add: olcDbIndex: value #0 already exists
modifying entry "olcDatabase={1}mdb,cn=config"
Error: /Stage[main]/Foo::Ldap/Openldap::Server::Dbindex[uidNumber]/Openldap_dbindex[uidNumber]/ensure: change from absent to present failed: LDIF content:
dn: olcDatabase={1}mdb,cn=config
add: olcDbIndex
olcDbIndex: uidNumber eq

Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_dbindex20151110-28704-5ufp39' returned 20: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Type or value exists (20)
        additional info: modify/add: olcDbIndex: value #0 already exists
modifying entry "olcDatabase={1}mdb,cn=config"
Error: LDIF content:
dn: olcDatabase={1}mdb,cn=config
add: olcDbIndex
olcDbIndex: cn pres,sub,eq

Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_dbindex20151110-28704-157phwt' returned 20: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Type or value exists (20)
        additional info: modify/add: olcDbIndex: value #0 already exists
modifying entry "olcDatabase={1}mdb,cn=config"
Error: /Stage[main]/Foo::Ldap/Openldap::Server::Dbindex[cn]/Openldap_dbindex[cn]/ensure: change from absent to present failed: LDIF content:
dn: olcDatabase={1}mdb,cn=config
add: olcDbIndex
olcDbIndex: cn pres,sub,eq

Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_dbindex20151110-28704-157phwt' returned 20: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Type or value exists (20)
        additional info: modify/add: olcDbIndex: value #0 already exists
modifying entry "olcDatabase={1}mdb,cn=config"
Error: LDIF content:
dn: olcDatabase={1}mdb,cn=config
add: olcDbIndex
olcDbIndex: uid pres,sub,eq

Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_dbindex20151110-28704-1yo0yvs' returned 20: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Type or value exists (20)
        additional info: modify/add: olcDbIndex: value #0 already exists
modifying entry "olcDatabase={1}mdb,cn=config"
Error: /Stage[main]/Foo::Ldap/Openldap::Server::Dbindex[uid]/Openldap_dbindex[uid]/ensure: change from absent to present failed: LDIF content:
dn: olcDatabase={1}mdb,cn=config
add: olcDbIndex
olcDbIndex: uid pres,sub,eq

Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_dbindex20151110-28704-1yo0yvs' returned 20: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Type or value exists (20)
        additional info: modify/add: olcDbIndex: value #0 already exists
modifying entry "olcDatabase={1}mdb,cn=config"

It seems the first index was added (this is a fourth run after many tests), but the following weren't.

After poking around in the doc and examples we can find, it seems the next indices creation ldif should embed the following directive:

changetype: modify

This will prevent openldap from believing it has to create another index thing, and just update the existing one in order to add the new index itself.

The generated ldif should hence be something like:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq

Would be marvelous to get this working 😸

Add NEWS

Currently it's too hard to understand what was changed in the release.

openldap::server::dbindex : probably doesn't support "update"

The generated ldif for an update should contain a special line, and should look as follows:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq

Note the line with "changetype".

But we should solve #102 before checking this issue.
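As an added illustration of the idempotent change this issue and the dbindex report above both ask for (example code written for this page, not the module's provider; the slapcat-style dump it parses is constructed):

```ruby
# Added example, not the puppet-openldap module's own provider code.
# Builds an idempotent olcDbIndex change for a cn=config database entry:
# parse what slapd already has, then emit a `changetype: modify` LDIF only
# for the difference, so ldapmodify never hits "Type or value exists (20)".

# Parse olcDbIndex lines from an LDIF dump of the database entry (as produced
# by `slapcat -b cn=config` or an ldapsearch over ldapi:///).
# Returns { attribute => "types" }, e.g. { "cn" => "pres,sub,eq" }.
def parse_db_indexes(ldif)
  ldif.each_line.each_with_object({}) do |line, acc|
    next unless line =~ /\A\s*olcDbIndex:\s*(?:\{\d+\})?(\S+)\s+(\S+)\s*\z/
    acc[Regexp.last_match(1)] = Regexp.last_match(2)
  end
end

# Index type lists compare as sets: "pres,sub,eq" and "eq,pres,sub" are the same index.
def same_index_types?(a, b)
  a.split(',').sort == b.split(',').sort
end

# Return the LDIF for ldapmodify that brings `attr` to `types`, or nil when the
# entry already has it. A differing existing value is removed and the new one
# added inside one modify operation ("-" separates the two changes).
def dbindex_ldif(dn, existing, attr, types)
  current = existing[attr]
  return nil if current && same_index_types?(current, types)

  ops = []
  ops << "delete: olcDbIndex\nolcDbIndex: #{attr} #{current}\n-" if current
  ops << "add: olcDbIndex\nolcDbIndex: #{attr} #{types}"
  "dn: #{dn}\nchangetype: modify\n#{ops.join("\n")}\n"
end

# Constructed sample of the database entry after the first index was added.
SAMPLE_DB_ENTRY = <<~LDIF
  dn: olcDatabase={1}mdb,cn=config
  objectClass: olcDatabaseConfig
  objectClass: olcMdbConfig
  olcDatabase: {1}mdb
  olcDbIndex: objectClass eq
  olcDbIndex: cn pres,sub,eq
LDIF

if __FILE__ == $PROGRAM_NAME
  existing = parse_db_indexes(SAMPLE_DB_ENTRY)
  dn = 'olcDatabase={1}mdb,cn=config'
  puts dbindex_ldif(dn, existing, 'cn', 'pres,sub,eq').inspect   # nil: already present
  puts dbindex_ldif(dn, existing, 'uid', 'pres,sub,eq')          # plain add
  puts dbindex_ldif(dn, existing, 'cn', 'eq')                    # delete old value, add new
end
```

The same parse-then-diff approach applies to any multi-valued cn=config attribute the module manages by appending values.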

Installation fails on ubuntu14.04

Hello,

Node invocation:
class { 'openldap::server': }

Puppet says:

SERVER: Failed to parse template openldap/preseed.erb:
Filepath: /vagrant/puppet/modules/openldap/templates/preseed.erb
Line: 1
Detail: undefined method `join' for nil:NilClass
at /vagrant/puppet/modules/openldap/manifests/server/install.pp:23 on node olt.1

Add/Change options overlay

Hi,

I don't know if it's a bug, or only not implemented, or I just don't know how to use it.

Let's say I want to put a replication (but it can be any overlay); I want to add, for example,
olcSpCheckpoint: 200 20
so with LDIF I'm going to make a ldapmodify on something like

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSpCheckpoint
olcSpCheckpoint: 200 20

Can I do that with the puppet-openldap module?

I try to make something like

openldap::server::overlay { 'syncprov on dc=obspm,dc=fr':
   ensure  => present,
   options => {'olcSpCheckpoint' => '200 20'}
 }

but it's not working because (I think) inside the ldif the module creates

dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcConfig
objectClass: olcOverlayConfig
olcOverlay: syncprov
olcSpCheckpoint: 200 20

it doesn't have the

 add: olcSpCheckpoint

regards

Dependency failures

Just tried using librarian-puppet to update this module and it's failing because it's searching for domcleal-augeasproviders instead of domcleal/augeasproviders. I made a note on 1b9a21a

Unable to create a database on CentOS 7 with OpenLDAP 2.4.39

I'm trying to test this module with CentOS 7 and OpenLDAP 2.4.39.

I've defined the following simple manifest to test:

  $dn = 'dc=dt0388,dc=local'
  $rootpw = 'password'

  # Install openldap server
  class { 'openldap::server':
  }

  openldap::server::database { $dn:
    ensure => present,
    rootdn => "cn=admin,${dn}",
    rootpw => openldap_password('password')
  }

  package { 'net-ldap':
    ensure   => present,
    provider => 'gem'
  }

  ldap_entry { "ou=groups,${dn}":
    ensure   => present,
    attributes => {
      'ou' => 'groups',
      'objectClass' => ['top','organizationalUnit']
    },
    host     => 'localhost',
    ssl      => false,
    port     => 389,
    base     => $dn,
    username => "cn=admin,${dn}",
    password => $rootpw,
    require  => [Openldap::Server::Database[$dn],Package['net-ldap']]
  }

When I try and run Puppet agent, i get the following failure:

Debug: Executing '/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_database20141020-15695-gi73ec'
Error: LDIF content:
dn: olcDatabase=bdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcDbCheckpoint: 512 30
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=dt0388,dc=local
olcRootPW: {SSHA}tZJU3RmiN2CSKwj3k0+5gl1b2iaYs6nT
olcSuffix: dc=dt0388,dc=local
olcDbIndex: objectClass eq
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=dt0388,dc=local" write
  by * none
olcAccess: to dn.base="" by * read
olcAccess: to *
  by self write
  by dn="cn=admin,dc=dt0388,dc=local" write
  by * read

Error message: Execution of '/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_database20141020-15695-gi73ec' returned 80: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1
adding new entry "olcDatabase=bdb,cn=config"
Error: /Stage[main]/Main/Openldap::Server::Database[dc=dt0388,dc=local]/Openldap_database[dc=dt0388,dc=local]/ensure: change from absent to present failed: LDIF content:
dn: olcDatabase=bdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcDbCheckpoint: 512 30
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=dt0388,dc=local
olcRootPW: {SSHA}tZJU3RmiN2CSKwj3k0+5gl1b2iaYs6nT
olcSuffix: dc=dt0388,dc=local
olcDbIndex: objectClass eq
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=dt0388,dc=local" write
  by * none
olcAccess: to dn.base="" by * read
olcAccess: to *
  by self write
  by dn="cn=admin,dc=dt0388,dc=local" write
  by * read

Error message: Execution of '/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_database20141020-15695-gi73ec' returned 80: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1
adding new entry "olcDatabase=bdb,cn=config"

A full debug log can be found here: https://gist.github.com/fatmcgav/be7bc2e39abab08a094f

I've also redirected the openldap logs to a separate file, and can see the following in the logs when the Puppet agent runs:
Edit: Moved slapd.log to: https://gist.github.com/fatmcgav/be7bc2e39abab08a094f#file-slapd-log

Any ideas?

Cheers
Gavin

openldap::server::globalconf does not detect already present serverid parameter

It seems that this resource does not check (or checks incorrectly) whether the entry was already added to the global conf and keeps trying to create it, which of course fails since it is already present.

This is the exact error that I'm getting:

Error: /Stage[main]/Dap::Ldap/Openldap::Server::Globalconf[serverid]/Openldap_global_conf[serverid]/ensure: change from absent to present failed: LDIF content:
dn: cn=config
add: olcserverid
olcserverid: 1 ldap://server01.dap/

Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_global_conf20151102-8922-1h9syex' returned 20: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Type or value exists (20)
    additional info: modify/add: olcServerID: value #0 already exists
modifying entry "cn=config"

This is the error to expect when you try to add an LDAP attribute that already exists. I've looked at the module's code and there is a check if an entry already exists. That check looks OK to me. In a debug log I can also see that this check is being executed:

Debug: Executing '/usr/sbin/slapcat -b cn=config -H ldap:///???(objectClass=olcGlobal)'

But it still tries to add the attribute:

Debug: dn: cn=config
add: olcserverid
olcserverid: 1 ldap://woluhosta01.dap/

Database deletion edit cn=config files

The destroy function messes with files in $server_confdir/cn=config even though the header says:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
At least, a new checksum should be generated...

It possibly makes subsequent steps in the test chain fail, but this specific error is in the :after section and does not trigger the build failure.

debian-6-x64 20:27:19$ puppet apply --strict_variables --verbose --detailed-exitcodes --order=random /tmp/apply_manifest.pp.xMLmc7
  Info: Loading facts
  Notice: Compiled catalog for debian-6-x64.c.eco-emissary-99515.internal in environment production in 1.44 seconds
  Info: Applying configuration version '1447964843'
  Notice: /Stage[main]/Main/Openldap::Server::Database[dc=foo,dc=com]/Openldap_database[dc=foo,dc=com]/ensure: removed
  Error: Could not set 'absent' on ensure: No such file or directory @ unlink_internal - /etc/ldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif at 60:/etc/puppetlabs/code/modules/openldap/manifests/server/database.pp
  Error: Could not set 'absent' on ensure: No such file or directory @ unlink_internal - /etc/ldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif at 60:/etc/puppetlabs/code/modules/openldap/manifests/server/database.pp
  Wrapped exception:
  No such file or directory @ unlink_internal - /etc/ldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
  Error: /Stage[main]/Main/Openldap::Server::Database[dc=bar,dc=com]/Openldap_database[dc=bar,dc=com]/ensure: change from present to absent failed: Could not set 'absent' on ensure: No such file or directory @ unlink_internal - /etc/ldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif at 60:/etc/puppetlabs/code/modules/openldap/manifests/server/database.pp
  Notice: /Stage[main]/Main/Openldap::Server::Database[cn=config]/Openldap_database[cn=config]/rootdn: rootdn changed 'cn=newadmin,cn=config' to 'cn=admin,cn=config'

openldap::server::access works poorly

The documented usage for openldap::server::access really doesn't work very well. I'm trying to get this to correctly order things, and it doesn't seem to behave well.

If I set position to the "<before|after> access to by " syntax from the documentation, it appears to have no effect. I can't see how that's implemented, nor can I see this documented in openldap if it's some sort of openldap ordering thing.

If I set integers, this seems to work OK, but doesn't work if the title doesn't include "on $suffix" at the end, despite the type presuming to allow this in the title_patterns - as none of the exact titles in my config match any of the exact title that are in the database.

Seems to me that if the title is required to be a certain format (which is quite unfortunate, but, whatever) then it should error if it is incorrect, rather than attempting to go through with it.

openldap::server::access on CentOS 6.4 x86_64

Hi All,
after an initial struggle I managed to have a basic database setup.

When I add ACL to the profile (exactly the same snippet as the configuration just with a different domain) I get several errors.

Here's the snippet:

    ::openldap::server::access {
      'to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=ccmteam,dc=com" on dc=ccmteam,dc=com':
        access => 'write';

      'to attrs=userPassword,shadowLastChange by anonymous on dc=ccmteam,dc=com':
        access => 'auth';

      'to attrs=userPassword,shadowLastChange by self on dc=ccmteam,dc=com':
        access => 'write';

      'to attrs=userPassword,shadowLastChange by * on dc=ccmteam,dc=com':
        access => 'none';
    }

and here are the errors:

Error: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_access20140512-1923-vjuj84-0' returned 80: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1
modifying entry "olcDatabase={3}bdb,cn=config"
Error: /Stage[main]/Ccm::Profile::Openldap/Openldap::Server::Access[to attrs=userPassword,shadowLastChange by self on dc=ccmteam,dc=com]/Openldap_access[to attrs=userPassword,shadowLastChange by self on dc=ccmteam,dc=com]/ensure: change from absent to present failed: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_access20140512-1923-vjuj84-0' returned 80: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1
modifying entry "olcDatabase={3}bdb,cn=config"
Error: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_access20140512-1923-s8tnvy-0' returned 80: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1
modifying entry "olcDatabase={3}bdb,cn=config"
Error: /Stage[main]/Ccm::Profile::Openldap/Openldap::Server::Access[to attrs=userPassword,shadowLastChange by anonymous on dc=ccmteam,dc=com]/Openldap_access[to attrs=userPassword,shadowLastChange by anonymous on dc=ccmteam,dc=com]/ensure: change from absent to present failed: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_access20140512-1923-s8tnvy-0' returned 80: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1
modifying entry "olcDatabase={3}bdb,cn=config"
Error: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_access20140512-1923-mhpwp4-0' returned 80: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1
modifying entry "olcDatabase={3}bdb,cn=config"
Error: /Stage[main]/Ccm::Profile::Openldap/Openldap::Server::Access[to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=ccmteam,dc=com" on dc=ccmteam,dc=com]/Openldap_access[to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=ccmteam,dc=com" on dc=ccmteam,dc=com]/ensure: change from absent to present failed: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_access20140512-1923-mhpwp4-0' returned 80: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1
modifying entry "olcDatabase={3}bdb,cn=config"
Error: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_access20140512-1923-1ds12tb-0' returned 80: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1
modifying entry "olcDatabase={3}bdb,cn=config"
Error: /Stage[main]/Ccm::Profile::Openldap/Openldap::Server::Access[to attrs=userPassword,shadowLastChange by * on dc=ccmteam,dc=com]/Openldap_access[to attrs=userPassword,shadowLastChange by * on dc=ccmteam,dc=com]/ensure: change from absent to present failed: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_access20140512-1923-1ds12tb-0' returned 80: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1
modifying entry "olcDatabase={3}bdb,cn=config"

Please note that external authentication is working:

[root@openldap01 ~]# ldapsearch -Y EXTERNAL -H ldapi:/// -b 'dc=ccmteam,dc=com'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=ccmteam,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Do you have any idea of what's going on?
I wanted to try those commands manually but the files in /tmp were not present after the agent run.

Thanks for your help.

complex ACLs don't work

I have several complex ACLs that I would like to apply to my ldap server as single entry rules:

eg: to attrs=userPassword by self write by dn.subtree="ou=replication,dc=ls,dc=cbn" read by * auth

The current way that ACLs are created and managed won't allow me to do this. Other ACLs that are giving grief are ones with more than one element in the what selector

eg: to dn.subtree="ou=kerberos,dc=ls,dc=cbn" attrs=krbExtraData,krbPrincipalKey by * none
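As an added illustration of the rule structure these ACLs have (example code written for this page, not the module's openldap_access type): it splits one olcAccess value into its what selector and its ordered by clauses, renders it back, and flags rules that hand password attributes to anonymous or to everyone. The two rules above and the peercred rule from the database log are used as inputs; the weak rules are constructed.

```ruby
# Added example, not the module's openldap_access type: parse one olcAccess
# rule into its <what> selector and ordered <by> clauses, render it back, and
# flag rules that expose password attributes to anonymous or to everyone.

# slapd.access(5) access levels, weakest to strongest.
ACCESS_LEVELS = %w[none disclose auth compare search read write manage].freeze
ACCESS_CONTROLS = %w[stop continue break].freeze
# Who-clauses that are not a specific identity. "users" = any authenticated bind.
PUBLIC_WHO = %w[* anonymous users].freeze

# A named level ("read") or a privilege spec ("=rscx", "+w", "-r").
def access_spec?(token)
  ACCESS_LEVELS.include?(token) || token.match?(/\A[=+-][mwrscxd0]*\z/)
end

# "to <what> by <who> [<access>] [<control>] by ..." -> { what:, by: [...] }.
# Assumes the literal " by " does not occur inside a quoted DN (it normally
# does not); an optional {n} ordering prefix from cn=config is dropped.
def parse_olc_access(rule)
  m = rule.match(/\A\s*(?:\{\d+\})?to\s+(.*)\z/m)
  raise ArgumentError, "not an access rule: #{rule}" unless m
  what, *clauses = m[1].strip.split(/\s+by\s+/)
  raise ArgumentError, "no 'by' clause: #{rule}" if clauses.empty?

  by = clauses.map do |clause|
    tokens = clause.split(/\s+/)
    control = ACCESS_CONTROLS.include?(tokens.last) ? tokens.pop : nil
    access = access_spec?(tokens.last) ? tokens.pop : nil
    raise ArgumentError, "empty <who> in: #{clause}" if tokens.empty?
    { who: tokens.join(' '), access: access, control: control }
  end
  { what: what, by: by }
end

# Inverse of parse_olc_access: one slapd.access(5) rule as a single string.
def render_olc_access(parsed)
  clauses = parsed[:by].map do |c|
    ['by', c[:who], c[:access], c[:control]].compact.join(' ')
  end
  (["to #{parsed[:what]}"] + clauses).join(' ')
end

# "auth" only allows binding; anything above it lets the subject read,
# compare or search the attribute, which for password hashes is exposure.
def stronger_than_auth?(access)
  return false if access.nil?
  if ACCESS_LEVELS.include?(access)
    return ACCESS_LEVELS.index(access) > ACCESS_LEVELS.index('auth')
  end
  access.start_with?('=', '+') && access.match?(/[mwrsc]/)
end

# True for a rule whose attrs= selector names userPassword and whose by
# clauses grant more than auth to "*", "anonymous" or "users". Rules written
# as "to *" are not judged here because their effect depends on rule order.
def exposes_password?(parsed)
  attrs = parsed[:what][/attrs=(\S+)/, 1].to_s.split(',')
  return false unless attrs.any? { |a| a.casecmp?('userPassword') }
  parsed[:by].any? { |c| PUBLIC_WHO.include?(c[:who]) && stronger_than_auth?(c[:access]) }
end

if __FILE__ == $PROGRAM_NAME
  rule = parse_olc_access('to attrs=userPassword by self write by dn.subtree="ou=replication,dc=ls,dc=cbn" read by * auth')
  rule[:by].each { |c| puts c.inspect }
  puts render_olc_access(rule)
  puts exposes_password?(rule)                                          # false
  puts exposes_password?(parse_olc_access('to attrs=userPassword by * read'))  # true (constructed weak rule)
end
```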

Add support for Monitoring database

openldap supports an 'internal' monitoring framework ( http://www.openldap.org/doc/admin24/monitoringslapd.html ) which provides a cn=Monitor subtree.

To enable it, we need to add a "database monitor", so probably using openldap_database type, which right now only seems to support [hbm]db types ( https://github.com/camptocamp/puppet-openldap/blob/master/lib/puppet/type/openldap_database.rb#L19 ).

https://github.com/camptocamp/puppet-openldap/blob/master/lib/puppet/provider/openldap_database/olc.rb#L118 seems fine, so it looks like the only thing to do is to have a lower restriction on db type, but this might lead to some side effects I'm not thinking of.

slapd service start-up fails on RHEL 6.4

The slapd service will fail to start on RHEL 6.4 when using the module to deploy the OpenLDAP server. This happens even with the minimal provided example (on fresh RHEL 6.4 installation):

# Nodes running the LDAP service.
node "ldap1.example.com", "ldap2.example.com" {
  class { 'openldap::server':  }
}

Looking at the slapd logs, the following message was reported:

Sep  2 11:36:49 ldap2 slapd[2083]: @(#) $OpenLDAP: slapd 2.4.23 (Oct 31 2012 08:14:14) $#012#[email protected]:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
Sep  2 11:36:49 ldap2 slapd[2084]: bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).#012Expect poor performance for suffix "dc=my-domain,dc=com".
Sep  2 11:36:49 ldap2 slapd[2084]: slapd starting
Sep  2 11:36:49 ldap2 slapd[2084]: daemon: listen(ldap:///, 5) failed errno=98 (Address already in use)
Sep  2 11:36:49 ldap2 slapd[2084]: slapd stopped.

After looking a bit more into the cause, I was able to determine that the issue is caused by the changes made in /etc/sysconfig/ldap configuration file. Apparently, if you (at the same time) set both SLAPD_URLS, and one of the SLAPD_LDAP, SLAPD_LDAPI, or SLAPD_LDAPS, this will cause slapd to try listening (well, just making a wild guess here) on same interface twice, and therefore it will fail with its start-up.

After deploying the OpenLDAP server package via Puppet (and puppet-openldap module), and then commenting-out the SLAPD_URLS option in /etc/sysconfig/ldap, I was able to finally start the slapd service.

This could also be a bug in RHEL init scripts (maybe specific for 6.4 release), or even OpenLDAP.

How you do ldapmodify on dn

I would like to know how you do something like ldapmodify with

  dn: olcDatabase={1}hdb,cn=config
  changetype: modify
  add:olcSyncrepl
  olcSyncrepl: {0}rid=000
    provider=.....
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="...."
    attrs="*,+"
    schemachecking=on
    bindmethod=simple
    binddn="...."
    credentials="..."

maybe they already have something but I didn't find it.

Impossible to configure TLS for a moznss-based OpenLDAP server.

Hi,
On CentOS 6 and 7 (it seems to start from rhel 6, as explained at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html#s1-OpenLDAP) OpenLDAP is using a Mozilla NSS database for TLS instead of OpenSSL.
When doing this, olcTLSCACertificatePath should point to the path of the moznss database, olcTLSCertificateFile should be the name of the certificate in the database, not a path to a file, and olcTLSCertificateKeyFile is not used (or at least not mandatory).
Lines starting at https://github.com/camptocamp/puppet-openldap/blob/1.9.2/manifests/server/slapdconf.pp#L33 prevent configuring such a setup (validate_absolute_path is unhappy).
See http://www.openldap.org/doc/admin24/tls.html and http://www.openldap.org/faq/data/cache/1514.html for some more information on this.
I don't know how you want to address this (version test, moznss parameter in the slapdconf.pp or params.pp? Use validate_string and make key optional for all?), but if you have some recommendations I can create a PR.
Thanks,
Baptiste

Renaming basedn doesn't remove the previous basedn

Hi,

I'm using a centos 7 server and initially configured openldap server as below:

class profiles::openldap::server {
  class { '::openldap::server':
    provider => 'olc',
  }

  ::openldap::server::database { 'dc=example,dc=com':
    directory => '/var/lib/ldap',
    rootdn    => 'cn=admin,dc=example,dc=com',
    rootpw    => 'password',
  }
}

I later renamed the basedn and applied it to the ldap server. Now I see both basedns and I can connect to either one. Is there a way to remove the old basedn if we rename the basedn?

openldap_password inserting newline in LDIF

Sorry for one more issue ;)

I just observed this while adding other databases:

openldap_database { 'test':
    directory => '/var/lib/ldap.test',
    suffix    => $suffix,
    rootdn    => "cn=Manager,${suffix}",
    rootpw    => openldap_password('secret'),
    provider  => olc,
}
ldap_add: Other (e.g., implementation specific) error (80)
    additional info: <olcRootPW> can only be set when rootdn is under suffix

While enabling puts debug output I noticed a newline in the LDIF data

olcDbDirectory: /var/lib/ldap.test
olcRootDN: cn=Manager,dc=...
olcRootPW: {SSHA}XXX

olcSuffix: dc=...

So maybe just a missing strip?

When adding a ".strip!" the problem is gone. Not sure if that's the best solution, because I'm no Ruby developer ;)
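As an added illustration of where that newline comes from (example code written for this page, reproducing the {SSHA} scheme independently; it is not the module's openldap_password function, and the fixed salt is constructed for a reproducible run):

```ruby
# Added example, not the module's openldap_password function: an SSHA
# password hash built the two ways Ruby offers, to show where the stray
# newline in the LDIF comes from and how to keep it out.
require 'digest'
require 'securerandom'

# {SSHA} = base64( SHA1(password + salt) + salt ), as slapd's {SSHA} scheme expects.
# pack('m0') is strict base64 (what Base64.strict_encode64 wraps): no newline.
def ssha_hash(password, salt = SecureRandom.random_bytes(4))
  digest = Digest::SHA1.digest(password.b + salt.b)
  '{SSHA}' + [digest + salt.b].pack('m0')
end

# Same hash through pack('m') (what Base64.encode64 wraps): it line-wraps the
# output and always ends it with "\n", which is the extra line in the LDIF.
def ssha_hash_with_newline(password, salt)
  digest = Digest::SHA1.digest(password.b + salt.b)
  '{SSHA}' + [digest + salt.b].pack('m')
end

# An attribute value may not contain a line break: in LDIF a blank line ends
# the record, so everything after olcRootPW (here olcSuffix) is silently lost.
def ldif_safe_value?(value)
  !value.match?(/[\r\n]/)
end

def ldif_line(attribute, value)
  raise ArgumentError, "#{attribute}: value contains a line break" unless ldif_safe_value?(value)
  "#{attribute}: #{value}\n"
end

# Constant-time comparison so verification does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a cleartext password against a stored {SSHA} value (surrounding
# whitespace is tolerated, so a stripped hash still verifies).
def ssha_verify?(password, stored)
  return false unless stored.start_with?('{SSHA}')
  raw = stored.sub('{SSHA}', '').strip.unpack1('m0')   # strict decode, raises on junk
  return false if raw.bytesize < 20
  digest, salt = raw[0, 20], raw[20..-1]
  secure_equal?(Digest::SHA1.digest(password.b + salt), digest)
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  salt = "\x01\x02\x03\x04".b          # constructed, fixed salt for a reproducible demo
  good = ssha_hash('secret', salt)
  bad  = ssha_hash_with_newline('secret', salt)
  puts ldif_line('olcRootPW', good)
  puts ldif_safe_value?(bad)            # false: "{SSHA}...\n" would end the LDIF record
  puts ssha_verify?('secret', good)     # true
end
```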

Ubuntu Support

The module on Ubuntu seems to be broken, mainly because the default database provider for Ubuntu is (right now) hdb.

The recent change for Debian 8+ to have mdb as default causes all Ubuntu versions to get their default changed to mdb as well, because all of the current Ubuntu versions (10.04,12.04,14.,15.) have a major version number bigger than 8.

This means that when the module tries to remove the default olcDatabase={1}mdb.ldif file it can't find it, as the file is called olcDatabase={1}hdb.ldif.

A fix for that would be to introduce an additional switch statement on $::operatingsystem when the $::osfamily is Debian.

Please create tags corresponding to puppet forge

Hello,
we're trying to add Suse support to this module and for checkout and comparison
it would be easier if you would create tags corresponding to the version number you entered at forge.puppetlabs.com.
Thanks in advance,
Jo

stdlib dependency should be > 4.x

I could be wrong, but I believe the dependency for stdlib should be > 4.x and not 3.x. The puppet function "any2array" was not introduced until 4.x (and it's being used as part of this module).
thanks,

Invalid parameter provider in server/access.pp and server/database.pp

Hi,
I was gonna test this module but then I got stuck because of the following errors. I'm on CentOS 6.4 x86_64 for what it's worth.

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid parameter provider at /etc/puppet/environments/development/modules/openldap/manifests/server/database.pp:37 on node node.domain.tld

I tried commenting the provider parameter in database.pp and the next error was:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid parameter provider at /etc/puppet/environments/development/modules/openldap/manifests/server/access.pp:24 on node.domain.tld

Commented also that and the error this time was:

Error: Could not autoload puppet/type/openldap_access: no such file to load -- /var/lib/puppet/lib/puppet/type/../../../../augeasproviders/lib/augeasproviders/type.rb
Error: Could not retrieve catalog from remote server: Could not intern from text/pson: Could not autoload puppet/type/openldap_access: no such file to load -- /var/lib/puppet/lib/puppet/type/../../../../augeasproviders/lib/augeasproviders/type.rb

I noticed that in type/openldap_database.rb the provider parameter is not defined.
Unfortunately this is all I can debug since I'm no expert on the subject (but I can test if you need me to).

permissions on some module files are 400 and can't be synced when running from server

If I run a "find /etc/puppet/modules -perm 400" I get the following list of files that are read-only to the owner only. My puppet server (using apache/passenger) is unable to serve up the files in lib/puppet/type to agents running remotely. I may have my puppet server configured incorrectly (all files under /etc/puppet are owned by root) but I have lots of modules and this is the only one with files that are read-only. I can fix it (find $PUPPET_DIR/modules -perm 400 -exec chmod 444 {} \;) after puppet-librarian runs, but is there a reason why those need to be 400?

/etc/puppet/modules/openldap/templates/preseed.erb
/etc/puppet/modules/openldap/lib/puppet/type/openldap_module.rb
/etc/puppet/modules/openldap/lib/puppet/type/openldap_overlay.rb
/etc/puppet/modules/openldap/lib/puppet/type/openldap_global_conf.rb
/etc/puppet/modules/openldap/lib/puppet/parser/functions/openldap_password.rb
/etc/puppet/modules/openldap/spec/defines/openldap_server_module_spec.rb
/etc/puppet/modules/openldap/spec/defines/openldap_server_globalconf_spec.rb
/etc/puppet/modules/openldap/spec/unit/puppet/parser/functions/openldap_password_spec.rb
/etc/puppet/modules/openldap/spec/classes/openldap_server_service_spec.rb
/etc/puppet/modules/openldap/spec/classes/openldap_server_config_spec.rb
/etc/puppet/modules/openldap/spec/classes/openldap_client_install_spec.rb
/etc/puppet/modules/openldap/spec/classes/openldap_server_install_spec.rb
/etc/puppet/modules/openldap/spec/classes/openldap_client_spec.rb
/etc/puppet/modules/openldap/manifests/server/overlay.pp
/etc/puppet/modules/openldap/manifests/server/globalconf.pp
/etc/puppet/modules/openldap/manifests/server/module.pp
