GitHub puppet-openldap
Manage OpenLDAP with Puppet

Repo Checks ( 19 of 26 successfull )
Metadata Valid
No translation
passed
Correct Puppet Version Range
Supported Puppet version range is %{PUPPET_SUPPORT_RANGE}
passed
With Puppet Version Range
Puppet version range is present in requirements in metadata.json
passed
With Operatingsystem Support
No translation
passed
Operatingsystems
No translation
passed
Supports Only Current Debian
No translation
passed
Supports Latest Debian
No translation
passed
Supports Only Current Ubuntu
No translation
passed
Supports Latest Ubuntu
No translation
failed
Supports Only Current Sles
No translation
passed
Supports Latest Sles
No translation
failed
Supports Only Current Opensuse
No translation
passed
Supports Latest Opensuse
No translation
failed
Supports Only Current Redhat
No translation
passed
Supports Latest Redhat
No translation
failed
Supports Only Current Centos
No translation
passed
Supports Latest Centos
No translation
failed
Supports Only Current Freebsd
No translation
passed
Supports Latest Freebsd
No translation
passed
In Modulesync Repo
Is listed as a module managed using modulesync_config
passed
Synced
Has a .msync.yml file
passed
Latest Modulesync
Has been synchronized with the latest tagged version of modulesync_config
failed
Has Modulesync
Is present in voxpupuli/modulesync_config/managed_modules.yml
passed
Released
Is in modulesync_config and in forge releases.
passed
Valid Sync File
If a (optional) sync file is present, it must not contain a `.travis.yml` entry.
passed
Reference Dot Md
The repository has a REFERENCE.md. It needs to be generated / puppet-strings documentation is missing.
failed

Open Pull Requests

Fix unsafe interpolations

We now have puppet-lint-checkunsafeinterpolations and it detect some
issues. Fix them.

Open PR in GitHub
Fix readonly handling
bug

Pull Request (PR) description

The database readonly properly expects a boolean, but the olc
provider doesn't take care to parse the existing value into a boolean,
thus leading to issues.

Simply applies the same logic applied to olcMirrorMode for
olcReadOnly.

This Pull Request (PR) fixes the following issues

n/a

Open PR in GitHub
Add support for FreeBSD 14
enhancement
Changing database access
backwards-incompatible

Pull Request (PR) description

In my opinion, it would be logical to grant access to the RootDN if it is set and not to the abstract admin.

This Pull Request (PR) fixes the following issues

Open PR in GitHub
modulesync 5.4.0
modulesync

modulesync 5.4.0

Open PR in GitHub
Allow spaces in targets of olcAccess statements

Pull Request (PR) description

Since it's entirely possible to have a distinguished name of style

o=My Cool Organization

even for the root of the database, we really need to respect the proper
handling of spacey arguments to olcAccess (with the relevant quotes
around them).

This Pull Request (PR) fixes the following issues

n/a

Open PR in GitHub
Create olcDbDirectory before its database and the start of slapd

Rehash of #397

Pull Request (PR) description

There is an ordering in manifests/server/database.pp:

puppet
Class['openldap::server::service']
-> Openldap::Server::Database[$title]

This is subtly bad. The service (slapd) must be spun up before a database can be created, and that makes sense. However, it means the service happens before the whole defined resource Openldap::Server::Database ... and there is more going on in the defined resource of manifests/server/database.pp than just the openldap_database creation: there is also the creation of File[$manage_directory]. In most folks' cases, using a vendor-made package, this directory will be something like /var/lib/ldap, which happens to be installed by the RPM/dpkg package, so "you get it for free" / it already exists. Thus the file creation doesn't need to be done by puppet and ordering doesn't matter. However, if you set the directory to something else (that doesn't exist), you have a circular dependency problem. slapd (the service) needs the database's directory to exist before slapd starts up -> slapd is ordered before the database manifest -> the database manifest creates the database directory -> the database directory has to happen before the service.

Ultimately, the ordering is in error. The service has to happen before openldap_database BUT NOT all of the ridealong items in openldap::server::database. That breaks out of the dependency loop, and allows the directory creation to be marked as required before the Service is started.

Very likely, most folks are running one-DB-only in /var/lib/ldap (which matches most examples) and haven't tickled this issue. That said, OpenLDAP maintainers are advising folks to use subdirectories which puts this into the realm of needing to make a directory upon install, particularly when you want a second database.

Open PR in GitHub
Allow for an outsider package on RHEL8+

In openldap::server::config, if redhat 8-or-newer, there's a systemd::dropin_file that makes a startup file so you can tune the user /usr/sbin/slapd runs as.

The problem is, there's a subtle assumption here that your binary is actually /usr/sbin/slapd. Ever since RHEL7.4, the openldap-servers has been deprecated, so some of us have pivoted over to using Symas' packages, which installs everything in /opt. That is, Puppet says to use /usr/sbin/slapd "because you're on RHEL8" (wrong), instead of "because you're using a RHEL-styled package". So this makes it more explicit why you're using this file, and takes it away when you use a different package.

"Why not just symlink slapd?" Tried, didn't work. systemd was not pleased by this.
"Why not just make the fully-pathed slapd executable be a parameter which defaults to /usr/sbin/slapd". Thought about it. But for the most part I'm thinking "this file adds unnecessary noise" so I went for the path of least surprise and removed it.

Open PR in GitHub
Don't delete temporary file before using it

<!--
Thank you for contributing to this project!

-->

Pull Request (PR) description

I encountered an LDAP error 80 (LDAP_OTHER) whilst adding SSL certificates:

class { 'openldap::server':
ssl_cert => '/etc/ssl/certs/foo.com.crt',
ssl_key => '/etc/ssl/private/foo.com.key',
ssl_ca => '/etc/ssl/certs/foo.com.ca-bundle',
}

This Pull Request (PR) fixes the following issues

Doesn't delete temporary files before they're used

Open PR in GitHub
Fix readonly database property

The database readonly property expects a boolean, but the olc provider doesn't take care to parse the existing value into a boolean, thus leading to issues.

Simply applies the same logic applied to olcMirrorMode for olcReadOnly.

Fixes #207
Fixes #358

Open PR in GitHub