oracular (7) cdist-type__openldap_server.7.gz

Provided by: cdist_7.0.0-4_all

NAME

       cdist-type__openldap_server - Set up an openldap(4) server instance

DESCRIPTION

       This type can be used to bootstrap an LDAP environment using openldap as slapd.

       It  bootstraps  the  LDAP  server  with  sane defaults and creates and manages the base DN
       defined by suffix.

REQUIRED PARAMETERS

       manager-dn
              The rootdn to set up in  the  directory.   E.g.  cn=manager,dc=ungleich,dc=ch.  See
              slapd.conf(5).

       manager-password
              The  password for manager-dn in the directory.  This will be used to connect to the
              LDAP server on the first slapd-url with the given manager-dn.

       manager-password-hash
              The password for manager-dn in the directory.  This should be valid for  slapd.conf
              like  {SSHA}qV+mCs3u8Q2sCmUXT4Ybw7MebHTASMyr.   Generate  e.g.  with: slappasswd -s
              weneedgoodsecurity.  See  slappasswd(8C),  slapd.conf(5).   TODO:  implement  this:
              http://blog.adamsbros.org/2015/06/09/openldap-ssha-salted-hashes-by-hand/ to derive
              from the manager-password parameter and ensure idempotency (care with  salts).   At
              that point, manager-password-hash should be deprecated and ignored.
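       The following is an added example, not code from cdist or from this type, that works through
       the derivation the TODO above refers to. A {SSHA} value is base64(SHA1(password || salt) || salt).
       slappasswd -s picks a fresh random salt on every call, so each run yields a different hash and
       the generated slapd.conf changes although the password did not. The example instead derives the
       salt deterministically with HMAC-SHA256 from the password and a per-deployment secret (the
       deployment_secret input and the 8-byte salt length are the example's own assumptions, not type
       parameters), so the same inputs always give the same manager-password-hash, and it shows how a
       stored hash is verified by splitting the salt back off. The function names are the example's own.

```python
"""Deterministic {SSHA} hashes for a slapd rootpw (added example, not part of cdist)."""
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes of a SHA-1 digest; everything after it in the decoded value is the salt


def ssha_hash(password: str, salt: bytes) -> str:
    """{SSHA} as slapd.conf accepts it: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value (what slapd does on bind)."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def derive_salt(password: str, deployment_secret: bytes, length: int = 8) -> bytes:
    """Deterministic salt (assumption of this example): HMAC-SHA256 of the password keyed with a
    per-deployment secret, truncated. Same password and secret -> same salt -> same hash, which is
    what an idempotent config run needs; a different secret per deployment keeps hashes unrelated."""
    mac = hmac.new(deployment_secret, password.encode("utf-8"), hashlib.sha256).digest()
    return mac[:length]


def manager_password_hash(password: str, deployment_secret: bytes) -> str:
    """Value to pass as --manager-password-hash, derived from --manager-password."""
    return ssha_hash(password, derive_salt(password, deployment_secret))


def random_ssha(password: str) -> str:
    """Equivalent of `slappasswd -s PASSWORD`: a fresh random salt every call, hence not idempotent."""
    return ssha_hash(password, os.urandom(8))


if __name__ == "__main__":
    # Constructed demo values; the secret would normally come from the deploying host's secret store.
    secret = b"per-deployment-secret-example"
    h = manager_password_hash("weneedgoodsecurity", secret)
    print(h)
    print("stable across runs:", h == manager_password_hash("weneedgoodsecurity", secret))
    print("verifies:", ssha_verify("weneedgoodsecurity", h))
    print("slappasswd-style hashes differ each run:",
          random_ssha("weneedgoodsecurity") != random_ssha("weneedgoodsecurity"))
```

       The deployment secret must be protected like the manager password itself: anyone holding both
       can reproduce the hash. Because the salt is a deterministic function of the password, two
       directories must use different secrets so their hashes stay independent.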

       serverid
              The server for the directory.  E.g. dc=ungleich,dc=ch. See slapd.conf(5).

       suffix The suffix for the directory.  E.g. dc=ungleich,dc=ch. See slapd.conf(5).

REQUIRED MULTIPLE PARAMETERS

       slapd-url
              A  URL  for  slapd to listen on.  Pass once for each URL you want to support, e.g.:
              --slapd-url ldaps://my.fqdn/ --slapd-url ldap://my.fqdn/.  The first instance  that
              is  passed  will  be used as the main URL to connect to this LDAP server.  See the
              -h flag in slapd(8C).

OPTIONAL PARAMETERS

       syncrepl-credentials
              Only has an effect if replicate is set; required in  that  case.   This  secret  is
              shared  amongst  the  hosts  that  will  replicate  the  directory.  Note that each
              replication server needs this  secret  and  it  is  saved  in  plain  text  in  the
              directory.

       syncrepl-searchbase
              Only  has  an effect if replicate is set; required in that case.  The searchbase to
              use for replication.  E.g. dc=ungleich,dc=ch. See slapd.conf(5).

       admin-email
              Passed to cdist-type__letsencrypt_cert; has otherwise no use.   Required  if  using
              __letsencrypt_cert.   Where  to  send  Let's Encrypt emails like "certificate needs
              renewal".

       tls-cipher-suite
              Setting  for  TLSCipherSuite.   Defaults  to  NORMAL  in  a  Debian-like   OS   and
              HIGH:MEDIUM:+SSLv2 on FreeBSD.  See slapd.conf(5).

       tls-cert
              If  defined, __letsencrypt_cert is not used and this must be the path in the remote
              hosts to the  PEM-encoded  TLS  certificate.   Requires:  tls-privkey  and  tls-ca.
              Permissions, existence and renewal of these files are left up to the type's user.

       tls-privkey
              Required  if  tls-cert  is  defined.   Path  in the remote hosts to the PEM-encoded
              private key file.

       tls-ca Required if tls-cert is defined.  Path in the remote hosts to  the  PEM-encoded  CA
              certificate file.

       extra-config
              Custom settings to be added in slapd.conf(5).

OPTIONAL MULTIPLE PARAMETERS

       syncrepl-host
              Only  has  an effect if replicate is set; required in that case.  Set once per host
              that will replicate the directory.

       module LDAP module to  load.  See  slapd.conf(5).  Some  dependencies  might  have  to  be
              installed beforehand. Default value is OS-dependent, see manifest.

       schema Name  of  LDAP schema to load. Must be the name without extension of a .schema file
              in     slapd's     schema     directory     (usually      /etc/slapd/schema      or
              /usr/local/etc/openldap/schema).   Example  value: inetorgperson.  The type user
              must ensure that the schema file is deployed.  This defaults to a sensible subset;
              for details see the type definition.

       description
              The description of the base DN passed in the suffix parameter.  Defaults to Managed
              by cdist, do not edit manually.

BOOLEAN PARAMETERS

       staging
              Passed to cdist-type__letsencrypt_cert;  has  otherwise  no  use.   Obtain  a  test
              certificate from a staging server.

       replicate
              Whether   to  set up  replication  or  not.   If  present  syncrepl-credentials  and
              syncrepl-host are also required.

EXAMPLES

          # Example of a simple server with manual certificate management.
          pki_prefix="/usr/local/etc/pki/realms/ldap.camilion.cloud"
          __openldap_server \
              --manager-dn 'cn=manager,dc=camilion,dc=cloud' \
              --manager-password "foo" \
              --manager-password-hash '{SSHA}foo' \
              --serverid 0 \
              --suffix 'dc=camilion,dc=cloud' \
              --slapd-url 'ldaps://ldap.camilion.cloud' \
              --tls-cert "${pki_prefix}/default.crt" \
              --tls-privkey "${pki_prefix}/default.key" \
              --tls-ca "${pki_prefix}/CA.crt"

          # The created basedn looks as follows:
          #
          # dn: dc=camilion,dc=cloud
          # objectClass: top
          # objectClass: dcObject
          # objectClass: organization
          # o: Managed by cdist, do not edit manually.
          # dc: camilion
          #
          # Do not change it manually, the type will overwrite your changes.

          #
          # Changing to a replicated setup is a simple change to something like:
          #
          # Example for multiple servers with replication and automatic
          # Let's Encrypt certificate management through certbot.
          # --replicate enables the syncrepl-* parameters; --admin-email is
          # required whenever certificates come from __letsencrypt_cert
          # (replace the placeholder address with a real one).
          id=1
          for host in ldap-test1.ungleich.ch ldap-test2.ungleich.ch; do
              echo "__openldap_server \
                  --manager-dn 'cn=manager,dc=ungleich,dc=ch' \
                  --manager-password 'foo' \
                  --manager-password-hash '{SSHA}fooo' \
                  --serverid '${id}' \
                  --suffix 'dc=ungleich,dc=ch' \
                  --slapd-url ldap://${host} \
                  --replicate \
                  --syncrepl-searchbase 'dc=ungleich,dc=ch' \
                  --syncrepl-credentials 'fooo' \
                  --syncrepl-host 'ldap-test1.ungleich.ch' \
                  --syncrepl-host 'ldap-test2.ungleich.ch' \
                  --admin-email 'ldap-admin@example.org' \
                  --description 'Ungleich LDAP server' \
                  --staging" \
                  | cdist config -i - -v ${host}
              id=$((id + 1))
          done

          # The created basedn looks as follows:
          #
          # dn: dc=ungleich,dc=ch
          # objectClass: top
          # objectClass: dcObject
          # objectClass: organization
          # o: Ungleich LDAP server
          # dc: ungleich
          #
          # Do not change it manually, the type will overwrite your changes.

SEE ALSO

       cdist-type__letsencrypt_cert(7)

AUTHORS

       ungleich <foss@ungleich.ch> Evilham <contact@evilham.com>

COPYING

       Copyright (C) 2020 ungleich glarus ag. You can redistribute it and/or modify it under  the
       terms  of  the  GNU  General  Public License as published by the Free Software Foundation,
       either version 3 of the License, or (at your option) any later version.

       ungleich GmbH 2021