We now have puppet-lint-checkunsafeinterpolations and it detects some
issues. Fix them.
The database readonly property expects a boolean, but the olc
provider doesn't take care to parse the existing value into a boolean,
thus leading to issues.
Simply applies the same logic applied to olcMirrorMode for olcReadOnly.
In my opinion, it would be logical to grant access to the RootDN if it is set and not to the abstract admin.
modulesync 5.4.0
Since it's entirely possible to have a distinguished name of style
o=My Cool Organization even for the root of the database, we really need
to respect the proper handling of spacey arguments to olcAccess (with the
relevant quotes around them).
In openldap::server::config, if redhat 8-or-newer, there's a systemd::dropin_file that makes a startup file so you can tune the user /usr/sbin/slapd runs as.
The problem is, there's a subtle assumption here that your binary is actually /usr/sbin/slapd. Ever since RHEL7.4, the openldap-servers has been deprecated, so some of us have pivoted over to using Symas' packages, which install everything in /opt. That is, Puppet says to use /usr/sbin/slapd "because you're on RHEL8" (wrong), instead of "because you're using a RHEL-styled package". So this makes it more explicit why you're using this file, and takes it away when you use a different package.
"Why not just symlink slapd?" Tried, didn't work. systemd was not pleased by this.
"Why not just make the fully-pathed slapd executable be a parameter which defaults to /usr/sbin/slapd?" Thought about it. But for the most part I'm thinking "this file adds unnecessary noise" so I went for the path of least surprise and removed it.
I encountered an LDAP error 80 (LDAP_OTHER) whilst adding SSL certificates:
class { 'openldap::server':
  ssl_cert => '/etc/ssl/certs/foo.com.crt',
  ssl_key  => '/etc/ssl/private/foo.com.key',
  ssl_ca   => '/etc/ssl/certs/foo.com.ca-bundle',
}
Doesn't delete temporary files before they're used
The database readonly property expects a boolean, but the olc provider doesn't take care to parse the existing value into a boolean, thus leading to issues.
Simply applies the same logic applied to olcMirrorMode for olcReadOnly.
Fixes #207
Fixes #358
In openldap::server::config, if redhat 8-or-newer, there's a systemd::dropin_file that makes a startup file so you can tune the user /usr/sbin/slapd runs as.
The problem is, there's a subtle assumption here that your binary is actually /usr/sbin/slapd. Ever since RHEL7.4, the openldap-servers has been deprecated, so some of us have pivoted over to using Symas' packages, which install everything in /opt. That is, Puppet says to use /usr/sbin/slapd "because you're on RHEL8" (wrong), instead of "because you're using a RHEL-styled package".
Supersedes #429. 429 is a better fix by dropping the systemd hack file altogether when you use a non-RH package. As we roll towards RHEL9 and everyone is having to use non-RH packages, more folks will see that, but minimally this starts unblocking the path to get there.
Closes #429