CDIST-TYPE__OPENLDAP_SERVER(7)        cdist        CDIST-TYPE__OPENLDAP_SERVER(7)

NAME
       cdist-type__openldap_server - Setup an openldap(4) server instance

DESCRIPTION
       This type can be used to bootstrap an LDAP environment using openldap
       as slapd.

       It bootstraps the LDAP server with sane defaults and creates and
       manages the base DN defined by suffix.

REQUIRED PARAMETERS
       manager-dn
              The rootdn to set up in the directory. E.g.
              cn=manager,dc=ungleich,dc=ch. See slapd.conf(5).

       manager-password
              The password for manager-dn in the directory. This will be used
              to connect to the LDAP server on the first slapd-url with the
              given manager-dn.

       manager-password-hash
              The hashed password for manager-dn in the directory. This
              should be valid for slapd.conf, like
              {SSHA}qV+mCs3u8Q2sCmUXT4Ybw7MebHTASMyr. Generate it e.g. with:
              slappasswd -s weneedgoodsecurity. See slappasswd(8C),
              slapd.conf(5). TODO: implement this:
              http://blog.adamsbros.org/2015/06/09/openldap-ssha-salted-hashes-by-hand/
              to derive the hash from the manager-password parameter and
              ensure idempotency (care with salts). At that point,
              manager-password-hash should be deprecated and ignored.

       serverid
              The server ID of this slapd instance, an integer such as 0 (see
              the examples below; servers that replicate each other need
              distinct IDs). See slapd.conf(5).

       suffix The suffix for the directory. E.g. dc=ungleich,dc=ch. See
              slapd.conf(5).
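The TODO under manager-password-hash is about salts: slappasswd picks a fresh random salt on every call, so re-running it yields a different string each time and a configuration run would rewrite the hash on every pass. The following is an added example (not code from cdist or this type) showing the {SSHA} format slapd.conf expects, a verifier for it, and the salt-aware derivation the TODO describes: keep the stored hash while it still matches the password and only generate a new one when the password changed. The sample password is the one quoted in the slappasswd example above; nothing else is taken from the page.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password, as quoted in the slappasswd example above;
# not a real credential.
SAMPLE_PASSWORD = "weneedgoodsecurity"
SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt).

    slappasswd uses a fresh random 4-byte salt on every call, which is why
    re-running it never yields the same string.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check password against a stored {SSHA} value; False on malformed input."""
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        return False
    try:
        raw = base64.b64decode(stored[len(prefix):], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if len(raw) <= SHA1_LEN:
        return False  # digest only, no salt: not a valid {SSHA} value
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so the verifier does not leak digest bytes.
    return hmac.compare_digest(candidate, digest)


def idempotent_hash(password: str, current: Optional[str]) -> str:
    """Keep the existing hash while it still matches the password; generate a
    new salted one only when it does not. The stored value therefore changes
    only when the password changes, which is what idempotency needs."""
    if current is not None and ssha_verify(password, current):
        return current
    return ssha_hash(password)


if __name__ == "__main__":
    first = ssha_hash(SAMPLE_PASSWORD)
    print(first)
    # Same password, existing hash: unchanged, so a config run stays idempotent.
    print(idempotent_hash(SAMPLE_PASSWORD, first) == first)
    # Changed password: a new hash is produced.
    print(idempotent_hash("other", first) != first)
```

{SSHA} is salted SHA-1; where slapd is built with the pw-sha2 or argon2 password modules, those schemes are preferable for new deployments, and the same keep-if-it-verifies logic applies to them.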
REQUIRED MULTIPLE PARAMETERS
       slapd-url
              A URL for slapd to listen on. Pass once for each URL you want
              to support, e.g.: --slapd-url ldaps://my.fqdn/ --slapd-url
              ldap://my.fqdn/. The first instance that is passed will be used
              as the main URL to connect to this LDAP server. See the -h flag
              in slapd(8C).

OPTIONAL PARAMETERS
       syncrepl-credentials
              Only has an effect if replicate is set; required in that case.
              This secret is shared amongst the hosts that will replicate the
              directory. Note that each replication server needs this secret
              and it is saved in plain text in the directory.

       syncrepl-searchbase
              Only has an effect if replicate is set; required in that case.
              The searchbase to use for replication. E.g. dc=ungleich,dc=ch.
              See slapd.conf(5).

       admin-email
              Passed to cdist-type__letsencrypt_cert; has otherwise no use.
              Required if using __letsencrypt_cert. Where to send Let's
              Encrypt emails like "certificate needs renewal".

       tls-cipher-suite
              Setting for TLSCipherSuite. Defaults to NORMAL on a Debian-like
              OS and HIGH:MEDIUM:+SSLv2 on FreeBSD. See slapd.conf(5).

       tls-cert
              If defined, __letsencrypt_cert is not used and this must be the
              path on the remote hosts to the PEM-encoded TLS certificate.
              Requires: tls-privkey and tls-ca. Permissions, existence and
              renewal of these files are left up to the type's user.

       tls-privkey
              Required if tls-cert is defined. Path on the remote hosts to
              the PEM-encoded private key file.

       tls-ca Required if tls-cert is defined. Path on the remote hosts to
              the PEM-encoded CA certificate file.

OPTIONAL MULTIPLE PARAMETERS
       syncrepl-host
              Only has an effect if replicate is set; required in that case.
              Set once per host that will replicate the directory.

       module LDAP module to load. See slapd.conf(5). Default value is
              OS-dependent, see manifest.

       schema Name of LDAP schema to load. Must be the name without extension
              of a .schema file in slapd's schema directory (usually
              /etc/slapd/schema or /usr/local/etc/openldap/schema). Example
              value: inetorgperson. The type user must ensure that the schema
              file is deployed. This defaults to a sensible subset; for
              details see the type definition.

       description
              The description of the base DN passed in the suffix parameter.
              Defaults to "Managed by cdist, do not edit manually."

BOOLEAN PARAMETERS
       staging
              Passed to cdist-type__letsencrypt_cert; has otherwise no use.
              Obtain a test certificate from a staging server.

       replicate
              Whether to set up replication or not. If present,
              syncrepl-credentials, syncrepl-searchbase and syncrepl-host are
              also required.
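The parameter sections above carry several cross-parameter rules (replicate pulls in the syncrepl-* parameters, tls-cert pulls in tls-privkey and tls-ca, and without tls-cert the type falls back to __letsencrypt_cert, which needs admin-email). The following is an added pre-flight check (not code from cdist or this type) that encodes those rules so a manifest author can validate a parameter set before running cdist config; the parameter names and rules come from this page, the sample values are constructed placeholders, and the URL scheme and serverid checks reflect what slapd(8C) and slapd.conf(5) accept.

```python
from typing import Dict, List, Sequence, Union

Params = Dict[str, Union[str, bool, Sequence[str]]]

# Names and dependency rules as documented for __openldap_server above.
REQUIRED = ("manager-dn", "manager-password", "manager-password-hash",
            "serverid", "suffix")
URL_SCHEMES = ("ldap://", "ldaps://", "ldapi://")  # what slapd -h accepts


def _as_list(value) -> List[str]:
    """Normalise a single value or a sequence of values to a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def check_params(params: Params) -> List[str]:
    """Return the problems found in a parameter set; an empty list means the
    combination satisfies the rules in the parameter sections above."""
    errors: List[str] = []

    for name in REQUIRED:
        if not params.get(name):
            errors.append(f"--{name} is required")

    serverid = params.get("serverid")
    if serverid is not None and not str(serverid).isdigit():
        errors.append("--serverid must be a non-negative integer")

    urls = _as_list(params.get("slapd-url"))
    if not urls:
        errors.append("at least one --slapd-url is required")
    for url in urls:
        if not url.startswith(URL_SCHEMES):
            errors.append(f"--slapd-url {url!r}: expected an ldap://, "
                          "ldaps:// or ldapi:// URL")

    if params.get("replicate"):
        for name in ("syncrepl-credentials", "syncrepl-searchbase"):
            if not params.get(name):
                errors.append(f"--replicate requires --{name}")
        if not _as_list(params.get("syncrepl-host")):
            errors.append("--replicate requires at least one --syncrepl-host")

    if params.get("tls-cert"):
        for name in ("tls-privkey", "tls-ca"):
            if not params.get(name):
                errors.append(f"--tls-cert requires --{name}")
    elif not params.get("admin-email"):
        # Without --tls-cert the type falls back to __letsencrypt_cert,
        # which needs a contact address for renewal mail.
        errors.append("--admin-email is required when no --tls-cert is given "
                      "(the certificate then comes from __letsencrypt_cert)")

    return errors


# Constructed sample; the values are placeholders, not a real deployment.
MANUAL_TLS: Params = {
    "manager-dn": "cn=manager,dc=example,dc=org",
    "manager-password": "change-me",
    "manager-password-hash": "{SSHA}placeholder",
    "serverid": "0",
    "suffix": "dc=example,dc=org",
    "slapd-url": ["ldaps://ldap.example.org/"],
    "tls-cert": "/etc/pki/ldap/server.crt",
    "tls-privkey": "/etc/pki/ldap/server.key",
    "tls-ca": "/etc/pki/ldap/ca.crt",
}

if __name__ == "__main__":
    print(check_params(MANUAL_TLS))  # consistent set: no problems
    broken = dict(MANUAL_TLS, replicate=True, serverid="dc=example,dc=org")
    for problem in check_params(broken):
        print("-", problem)
```

Running it on a copy of MANUAL_TLS with replicate set but no syncrepl-* parameters, and a DN mistakenly passed as serverid, lists the four missing or malformed parameters before any host is touched.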
EXAMPLES
       # Example of a simple server with manual certificate management.
       pki_prefix="/usr/local/etc/pki/realms/ldap.camilion.cloud"
       __openldap_server \
           --manager-dn 'cn=manager,dc=camilion,dc=cloud' \
           --manager-password "foo" \
           --manager-password-hash '{SSHA}foo' \
           --serverid 0 \
           --suffix 'dc=camilion,dc=cloud' \
           --slapd-url 'ldaps://ldap.camilion.cloud' \
           --tls-cert "${pki_prefix}/default.crt" \
           --tls-privkey "${pki_prefix}/default.key" \
           --tls-ca "${pki_prefix}/CA.crt"

       # The created basedn looks as follows:
       #
       # dn: dc=camilion,dc=cloud
       # objectClass: top
       # objectClass: dcObject
       # objectClass: organization
       # o: Managed by cdist, do not edit manually.
       # dc: camilion
       #
       # Do not change it manually, the type will overwrite your changes.


       #
       # Changing to a replicated setup is a simple change to something like:
       #
       # Example for multiple servers with replication and automatic
       # Let's Encrypt certificate management through certbot.
       # --replicate switches replication on and --admin-email is required
       # by __letsencrypt_cert; the address below is a placeholder.
       id=1
       for host in ldap-test1.ungleich.ch ldap-test2.ungleich.ch; do
           echo "__openldap_server \
               --manager-dn 'cn=manager,dc=ungleich,dc=ch' \
               --manager-password 'foo' \
               --manager-password-hash '{SSHA}fooo' \
               --serverid '${id}' \
               --suffix 'dc=ungleich,dc=ch' \
               --slapd-url 'ldap://${host}' \
               --syncrepl-searchbase 'dc=ungleich,dc=ch' \
               --syncrepl-credentials 'fooo' \
               --syncrepl-host 'ldap-test1.ungleich.ch' \
               --syncrepl-host 'ldap-test2.ungleich.ch' \
               --admin-email 'ldap-admin@example.org' \
               --description 'Ungleich LDAP server' \
               --replicate \
               --staging" \
           | cdist config -i - -v "${host}"
           id=$((id + 1))
       done

       # The created basedn looks as follows:
       #
       # dn: dc=ungleich,dc=ch
       # objectClass: top
       # objectClass: dcObject
       # objectClass: organization
       # o: Ungleich LDAP server
       # dc: ungleich
       #
       # Do not change it manually, the type will overwrite your changes.

SEE ALSO
       cdist-type__letsencrypt_cert(7)

AUTHORS
       ungleich <foss--@--ungleich.ch>
       Evilham <contact--@--evilham.com>

COPYING
       Copyright (C) 2020 ungleich glarus ag. You can redistribute it and/or
       modify it under the terms of the GNU General Public License as
       published by the Free Software Foundation, either version 3 of the
       License, or (at your option) any later version.

COPYRIGHT
       ungleich GmbH 2019

6.3.0                            Dec 12, 2019     CDIST-TYPE__OPENLDAP_SERVER(7)