Comments (11)
@marsanla could you give me some details? What puppet code are you using on what Operating System?
from puppet-openldap.
Same here... to me this happens under Debian 8. This is the puppet code I have:
$server_name    = 'master'
$dns_tld        = 'dev'
$admin_password = 'p'
$cacert_dir     = '/vagrant/etc/ssl/certs'
$cacert         = "${cacert_dir}/master.dev.crt"
$ssl_key        = '/vagrant/etc/ssl/private/master.dev.key'

class { 'openldap::server':
  ldaps_ifs => ['/'],
  enable    => true,
  ssl_cert  => $cacert,
  ssl_key   => $ssl_key,
}

openldap::server::database { "dc=${server_name},dc=${dns_tld}":
  ensure => present,
  rootdn => "cn=admin,dc=${server_name},dc=${dns_tld}",
  rootpw => $admin_password,
}

class { 'openldap::client':
  base       => "dc=${server_name},dc=${dns_tld}",
  uri        => ["ldap://${server_name}.${dns_tld}"],
  tls_cacert => $cacert,
}
@mdimjasevic did you generate your private key using OpenSSL or GnuTLS?
I'm encountering the same issue (same OS: Debian 8); what is weird is that if I run the ldapmodify by hand with the same LDIF content as the one provided by the Puppet output when it fails, it works.
I tried replaying my catalog with olcLogLevel set at -1, but could not find any useful clue of what is going wrong in the log files.
Maybe something relevant to mention: after the Puppet run, slapd is not running, but one of the config parameters seemed to have succeeded, my cn=config.ldif having the following content:
[...]
olcTLSCertificateKeyFile: /etc/ldap/ssl/hostname.key
Ok, I guess I figured out why: here are the default permissions on the files that are being referenced by the ldif on my setup:
root@georchestra:~# ls -lah /etc/ldap/ssl/
total 28K
drwxr-xr-x 2 root root 4.0K Jul 4 12:31 .
drwxr-xr-x 6 root root 4.0K Jul 4 12:24 ..
-rw-r--r-- 1 openldap openldap 2.0K Jul 4 12:24 ca.pem
-rw-r--r-- 1 openldap openldap 2.1K Jul 4 12:24 georchestra.mydomain.org.crt
-rw------- 1 openldap openldap 11K Jul 4 12:21 georchestra.mydomain.org.key
If files are chmod 600 before LDIF insertion in the slapd configuration, it works.
In fact, it seems to depend on which order the properties are inserted in; need to dig a little further.
Launching slapd in debug mode, checking what is done while trying to insert in several different orders (CA,key,cert or CA,cert,key), I can see the following trace:
TLS: only one of certfile and keyfile specified
55980dc5 send_ldap_result: conn=1001 op=1 p=3
55980dc5 send_ldap_response: msgid=2 tag=103 err=80
It works when all the parameters (olcTLSCACertificateFile, olcTLSCertificateFile, olcTLSCertificateKeyFile) are set in the same ldif, like the following:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/ca.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/vagrant.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/vagrant.key
But I don't know how the providers (lib/puppet/provider/openldap_global_conf/olc.rb) can be rewritten to be able to take several parameters in one go.
@pmauduit thanks a lot for the diagnostic. I suppose we have to use post_resource_eval to apply all global parameters at the same time.
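To make the diagnosis in the two comments above concrete, here is an added example in Ruby (the language of the provider file mentioned). It is not code from puppet-openldap and does not use Puppet's provider API; it only shows the idea of collecting every cn=config attribute and emitting them as one ldapmodify change record, plus a small model of why applying them one at a time is rejected. The module name, the `InconsistentTls` error, the `replace:` choice and the `ldapmodify -Y EXTERNAL -H ldapi:///` invocation are this example's assumptions, not details taken from the project.

```ruby
# Added example, not code from puppet-openldap. It shows the fix the thread
# converges on: collect every cn=config attribute and send them as ONE
# ldapmodify operation, so olcTLSCertificateFile and olcTLSCertificateKeyFile
# can never be seen alone by slapd.
module GlobalConfBatch
  # slapd rejects a TLS configuration in which only one of these two is set
  # (the "TLS: only one of certfile and keyfile specified" trace in the thread).
  TLS_PAIR = %w[olcTLSCertificateFile olcTLSCertificateKeyFile].freeze

  class InconsistentTls < StandardError; end

  # Raise if exactly one of the cert/key pair is set. `attrs` maps attribute
  # name to value; a nil value means "remove the attribute".
  def self.check_tls_pair!(attrs)
    present = TLS_PAIR.select { |a| !attrs[a].nil? }
    if present.size == 1
      raise InconsistentTls,
            "only #{present.first} given; slapd needs #{TLS_PAIR.join(' and ')} together"
    end
    attrs
  end

  # Render all pending changes as a single LDIF modify record on cn=config.
  # `replace:` is used rather than `add:` (assumption of this example) because
  # it creates the attribute when absent and overwrites it when present, so the
  # same record is safe on the first run and on later changes. Clauses are
  # separated by "-" lines, which is what ldapmodify expects inside one record.
  def self.ldif(attrs)
    check_tls_pair!(attrs)
    clauses = attrs.sort.map do |name, value|
      if value.nil?
        "delete: #{name}\n"
      else
        "replace: #{name}\n#{name}: #{value}\n"
      end
    end
    "dn: cn=config\nchangetype: modify\n" + clauses.join("-\n")
  end

  # Command line to push the record over the local socket as root, a common
  # way to edit cn=config (assumed here; the provider's own invocation is not
  # shown on the page).
  def self.ldapmodify_argv(ldif_path)
    ['ldapmodify', '-Y', 'EXTERNAL', '-H', 'ldapi:///', '-f', ldif_path]
  end

  # Model of what happens when the SAME attributes are applied one per
  # ldapmodify: slapd validates its TLS settings after each operation, so the
  # first operation that leaves the cert/key pair half-set is rejected.
  # Returns the index of that operation, or nil when every step is accepted.
  def self.first_rejected_step(steps)
    state = {}
    steps.each_with_index do |(name, value), i|
      state[name] = value
      begin
        check_tls_pair!(state)
      rescue InconsistentTls
        return i
      end
    end
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the three files from the LDIF posted in the thread.
  tls = {
    'olcTLSCACertificateFile'  => '/etc/ldap/ssl/ca.pem',
    'olcTLSCertificateFile'    => '/etc/ldap/ssl/vagrant.crt',
    'olcTLSCertificateKeyFile' => '/etc/ldap/ssl/vagrant.key',
  }
  # One attribute per operation, CA then cert then key: rejected at step 1,
  # the moment the cert is set without its key.
  puts "separate ops rejected at step: #{GlobalConfBatch.first_rejected_step(tls.to_a).inspect}"
  # Everything in one record: accepted.
  puts GlobalConfBatch.ldif(tls)
  puts GlobalConfBatch.ldapmodify_argv('/tmp/global.ldif').join(' ')
end
```

The check in `check_tls_pair!` is worth keeping even once changes are batched: it turns slapd's err=80 at apply time into a clear error at catalog time, and it is the same invariant that the file-permission experiment earlier in the thread happened to satisfy by accident of ordering.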
Should be fixed by c82be60
Thanks for the fix!
Thanks :)