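# profiles::openldap::server
#
# Provisions a slapd provider for $database: the data directory (labelled for
# SELinux when the host is configured enforcing), the openldap::server class
# bound to the host's primary address, the database with its memberof and
# syncprov overlays, the cosine/inetorgperson/nis schemas, the access control
# list, attribute indices, the DB_CONFIG tuning file and the log directory.
#
# Every parameter defaults to the value of the same name in
# profiles::openldap::params.  $cache_size_gb, $log_max_size_mb and
# $log_buffer_size_mb are not referenced in this manifest; presumably the
# db_config.erb template reads them from class scope -- confirm in the
# template.  $multiprovider is not referenced at all (see the note on
# mirrormode below).
class profiles::openldap::server (
  $database           = $profiles::openldap::params::database,
  $syncrepl           = $profiles::openldap::params::syncrepl,
  $multiprovider      = $profiles::openldap::params::multiprovider,
  $data_path          = $profiles::openldap::params::data_path,
  $ssl_cert           = $profiles::openldap::params::ssl_cert,
  $ssl_key            = $profiles::openldap::params::ssl_key,
  $ssl_ca             = $profiles::openldap::params::ssl_ca,
  $rootdn             = $profiles::openldap::params::rootdn,
  $rootpw             = $profiles::openldap::params::rootpw,
  $db_config_path     = $profiles::openldap::params::db_config_path,
  $cache_size_gb      = $profiles::openldap::params::cache_size_gb,
  $log_dir            = $profiles::openldap::params::log_dir,
  $log_max_size_mb    = $profiles::openldap::params::log_max_size_mb,
  $log_buffer_size_mb = $profiles::openldap::params::log_buffer_size_mb,
) inherits profiles::openldap::params {

  # Make sure the database directory exists before anything is placed in it.
  mkdir::p { $data_path: }

  # Label the data directory for slapd when SELinux is configured enforcing.
  # The fact is copied into a local and type-checked first: on a host whose
  # Facter output carries no os.selinux hash, indexing undef with [] aborts
  # catalog compilation instead of simply skipping this branch.
  # NOTE(review): config_mode is the mode from /etc/selinux/config, not the
  # currently enforced mode, so permissive hosts receive no labels -- confirm
  # that is intended.
  $selinux = $facts['os']['selinux']
  if $selinux =~ Hash and $selinux['config_mode'] == 'enforcing' {
    # Apply slapd_db_t to $data_path and everything beneath it.
    selinux::fcontext { $data_path:
      ensure   => 'present',
      seltype  => 'slapd_db_t',
      pathspec => "${data_path}(/.*)?",
    }
    # Relabel the existing tree whenever the context definition changes.
    # $data_path is interpolated unquoted; a path containing whitespace would
    # be split into several arguments.
    exec { "restorecon_${data_path}":
      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
      command     => "restorecon -Rv ${data_path}",
      refreshonly => true,
      subscribe   => Selinux::Fcontext[$data_path],
    }
  }

  # The server itself, listening for ldap and ldaps on the primary address.
  # It is refreshed when the key or the CA file changes.  NOTE(review):
  # File[$ssl_cert] is not subscribed, so a certificate replaced without its
  # key does not trigger a restart; add it here if a File resource for the
  # certificate exists in the catalog.
  class { 'openldap::server':
    ldap_address  => $facts['networking']['ip'],
    ldaps_address => $facts['networking']['ip'],
    ssl_cert      => $ssl_cert,
    ssl_key       => $ssl_key,
    ssl_ca        => $ssl_ca,
    subscribe     => [
      File[$ssl_key],
      File[$ssl_ca],
    ],
  }

  # The served database.
  # NOTE(review): $rootpw travels as a plain string and may therefore show up
  # in reports and logs; wrapping it in Sensitive is worth considering if the
  # openldap module accepts that.
  # NOTE(review): mirrormode is hard-coded to true while $multiprovider is
  # never read; `mirrormode => $multiprovider` looks like the intent, but it
  # would change behaviour on existing nodes, so confirm before switching.
  openldap::server::database { $database:
    ensure     => present,
    syncrepl   => $syncrepl,
    directory  => $data_path,
    rootdn     => $rootdn,
    rootpw     => $rootpw,
    mirrormode => true,
  }

  # Dynamic modules backing the two overlays below.
  openldap::server::module { 'memberof':
    ensure => present,
  }
  openldap::server::module { 'syncprov':
    ensure => present,
  }

  # Overlays.  Each one requires its module to be loaded first; the memberof
  # overlay previously declared no such dependency, unlike syncprov.
  openldap::server::overlay { "memberof on ${database}":
    ensure  => present,
    require => Openldap::Server::Module['memberof'],
  }
  # syncprov: checkpoint after 10 changes or 1 minute and keep a session log
  # of 100 entries.  NOTE(review): the earlier comment spoke of 1000 entries
  # while the value is '100' -- confirm which of the two was intended.
  # The entryCSN/entryUUID indices are declared as hard requirements so they
  # exist before the overlay is attached.
  openldap::server::overlay { "syncprov on ${database}":
    ensure  => present,
    options => {
      'olcSpCheckpoint' => '10 1',
      'olcSpSessionlog' => '100',
    },
    require => [
      Openldap::Server::Dbindex['entryCSN'],
      Openldap::Server::Dbindex['entryUUID'],
      Openldap::Server::Module['syncprov'],
    ],
  }

  # Schemas, chained with require so they load as cosine, inetorgperson, nis.
  openldap::server::schema { 'cosine':
    ensure => present,
    path   => '/etc/openldap/schema/cosine.schema',
  }
  openldap::server::schema { 'inetorgperson':
    ensure  => present,
    path    => '/etc/openldap/schema/inetorgperson.schema',
    require => Openldap::Server::Schema['cosine'],
  }
  openldap::server::schema { 'nis':
    ensure  => present,
    path    => '/etc/openldap/schema/nis.ldif',
    require => Openldap::Server::Schema['inetorgperson'],
  }

  # Access control, evaluated in order:
  #  - password attributes: rootdn and the entry itself may write, anyone may
  #    use them to bind (auth), nobody else sees them;
  #  - the root DSE is readable by everyone;
  #  - everything else: rootdn and self write, authenticated users read,
  #    anonymous may only bind.
  $acls = [
    {
      'to attrs=userPassword,shadowLastChange' => [
        "by dn=\"${rootdn}\" write",
        'by self write',
        'by anonymous auth',
        'by * none',
      ],
    },
    {
      'to dn.base=""' => [
        'by * read',
      ],
    },
    {
      'to *' => [
        "by dn=\"${rootdn}\" write",
        'by self write',
        'by users read',
        'by anonymous auth',
        'by * none',
      ],
    },
  ]
  openldap::server::access_wrapper { $database:
    acl => $acls,
  }

  # Attribute indices.  The resource default supplies the suffix for every
  # Dbindex declared from this class.
  Openldap::Server::Dbindex {
    suffix => $database,
  }
  openldap::server::dbindex {
    'cn':
      attribute => 'cn',
      indices   => 'eq,pres,sub';
    'uid':
      attribute => 'uid',
      indices   => 'eq,pres,sub';
    'uidNumber':
      attribute => 'uidNumber',
      indices   => 'eq,pres';
    'gidNumber':
      attribute => 'gidNumber',
      indices   => 'eq,pres';
    'member':
      attribute => 'member',
      indices   => 'eq,pres';
    'memberUid':
      attribute => 'memberUid',
      indices   => 'eq,pres';
    'entryCSN':
      attribute => 'entryCSN',
      indices   => 'eq,pres';
    'entryUUID':
      attribute => 'entryUUID',
      indices   => 'eq,pres';
  }

  # DB_CONFIG tuning file, rendered from the template.  It now requires
  # Class['openldap::server'] like $log_dir does, since the ldap owner and
  # group presumably only exist once that class has installed the server --
  # TODO confirm against the module.
  file { $db_config_path:
    ensure  => file,
    content => template('profiles/openldap/db_config.erb'),
    owner   => 'ldap',
    group   => 'ldap',
    mode    => '0644',
    require => Class['openldap::server'],
  }

  # Log directory, owned by the server user.
  file { $log_dir:
    ensure  => directory,
    owner   => 'ldap',
    group   => 'ldap',
    mode    => '0755',
    require => Class['openldap::server'],
  }
}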