
Comments (11)

mcanevet commented on June 16, 2024

@marsanla could you give me some details? What puppet code are you using on what Operating System?

from puppet-openldap.

mdimjasevic commented on June 16, 2024

Same here... to me this happens under Debian 8. This is the puppet code I have:

$server_name = "master"
$dns_tld = "dev"
$admin_password = "p"
$cacert_dir = '/vagrant/etc/ssl/certs'
$cacert = "${cacert_dir}/master.dev.crt"
$ssl_key = '/vagrant/etc/ssl/private/master.dev.key'

class { 'openldap::server':
  ldaps_ifs => ['/'],
  enable    => true,
  ssl_cert  => "${cacert}",
  ssl_key   => "${ssl_key}",
}

openldap::server::database { "dc=${server_name},dc=${dns_tld}":
  ensure => present,
  rootdn => "cn=admin,dc=${server_name},dc=${dns_tld}",
  rootpw => "${admin_password}",
}

class { 'openldap::client':
  base       => "dc=${server_name},dc=${dns_tld}",
  uri        => ["ldap://${server_name}.${dns_tld}"],
  tls_cacert => "${cacert}",
}

mcanevet commented on June 16, 2024

@mdimjasevic did you generate your private key using OpenSSL or GnuTLS?

pmauduit commented on June 16, 2024

I'm encountering the same issue (same OS: Debian 8); what is weird is that if I run the ldapmodify by hand with the same LDIF content as the one provided by the Puppet output when it fails, it works.

I tried replaying my catalog with olcLogLevel set at -1, but could not find any useful clue of what is going wrong in the log files.

Maybe something relevant to mention: after the puppet run, slapd is not running, but one of the config parameters seemed to have succeeded, my cn=config.ldif having the following content:

[...]
olcTLSCertificateKeyFile: /etc/ldap/ssl/hostname.key

pmauduit commented on June 16, 2024

Ok, I guess I figured out why: here are the default permissions on the files that are being referenced by the ldif on my setup:

root@georchestra:~# ls -lah /etc/ldap/ssl/
total 28K
drwxr-xr-x 2 root     root     4.0K Jul  4 12:31 .
drwxr-xr-x 6 root     root     4.0K Jul  4 12:24 ..
-rw-r--r-- 1 openldap openldap 2.0K Jul  4 12:24 ca.pem
-rw-r--r-- 1 openldap openldap 2.1K Jul  4 12:24 georchestra.mydomain.org.crt
-rw------- 1 openldap openldap  11K Jul  4 12:21 georchestra.mydomain.org.key

If files are chmod 600 before LDIF insertion in the slapd configuration, it works.

pmauduit commented on June 16, 2024

In fact, it seems to depend on the order in which the properties are inserted; I need to dig a little further.

pmauduit commented on June 16, 2024

Launching slapd in debug mode, checking what is done while trying to insert in several different orders (CA, key, cert or CA, cert, key), I can see the following trace:

TLS: only one of certfile and keyfile specified
55980dc5 send_ldap_result: conn=1001 op=1 p=3
55980dc5 send_ldap_response: msgid=2 tag=103 err=80

It works when all the parameters (olcTLSCACertificateFile, olcTLSCertificateFile, olcTLSCertificateKeyFile) are set in the same ldif, like the following:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/ca.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/vagrant.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/vagrant.key

But I don't know how the providers (lib/puppet/provider/openldap_global_conf/olc.rb) can be rewritten to be able to take several parameters in one go.

mcanevet commented on June 16, 2024

@pmauduit thanks a lot for the diagnostic. I suppose we have to use post_resource_eval to apply all global parameters at the same time.
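To make the two findings in this thread concrete (the private key must be readable only by the slapd user, and olcTLSCertificateFile and olcTLSCertificateKeyFile must land in cn=config in one modify operation, or slapd answers "only one of certfile and keyfile specified"), here is an added Ruby sketch of how a provider could batch the olcTLS* attributes into a single LDIF. It is example code written for this thread, not the puppet-openldap provider or its post_resource_eval implementation; the helper names and the sample paths are constructed.

```ruby
# Added example (not from puppet-openldap): batch all olcTLS* attributes
# into ONE ldapmodify operation against cn=config, and sanity-check the
# key file first. Helper names and paths are constructed for this example.

TLS_ATTRS = %w[olcTLSCACertificateFile
               olcTLSCertificateFile
               olcTLSCertificateKeyFile].freeze

# slapd refuses a cert without its key (and vice versa) within one
# operation; return the error text it would log, or nil when consistent.
def tls_pair_error(attrs)
  has_cert = attrs.key?('olcTLSCertificateFile')
  has_key  = attrs.key?('olcTLSCertificateKeyFile')
  return nil if has_cert == has_key
  'only one of certfile and keyfile specified'
end

# Render a single modify operation: one "add:" change per attribute,
# separated by "-" lines, like the hand-written LDIF that works above.
def tls_modify_ldif(attrs)
  err = tls_pair_error(attrs)
  raise ArgumentError, err if err
  changes = TLS_ATTRS.select { |a| attrs.key?(a) }.map do |a|
    "add: #{a}\n#{a}: #{attrs[a]}\n"
  end
  "dn: cn=config\nchangetype: modify\n" + changes.join("-\n")
end

# The key must be owned by slapd's user and not group/world readable
# (mode 0600 as observed in the thread). Takes a stat-like hash
# {mode:, owner:} so it can be checked without a real filesystem.
def key_file_ok?(stat)
  (stat[:mode] & 0o077).zero? && stat[:owner] == 'openldap'
end

# Command line a provider would run on the LDIF (argv, not executed here);
# the ldapi/EXTERNAL combination is how the root user edits cn=config.
def ldapmodify_argv(ldif_path)
  ['ldapmodify', '-Y', 'EXTERNAL', '-H', 'ldapi:///', '-f', ldif_path]
end
```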

mcanevet commented on June 16, 2024

Should be fixed by c82be60

pmauduit commented on June 16, 2024

Thanks for the fix!

marsanla commented on June 16, 2024

Thanks :)