1CDIST-TYPE__OPENLDAP_SERVER(7)       cdist      CDIST-TYPE__OPENLDAP_SERVER(7)
2
3
4

NAME

6       cdist-type__openldap_server - Setup an openldap(4) server instance
7

DESCRIPTION

9       This  type  can be used to bootstrap an LDAP environment using openldap
10       as slapd.
11
12       It bootstraps the LDAP server with sane defaults and creates  and  man‐
13       ages the base DN defined by suffix.
14

REQUIRED PARAMETERS

16       manager-dn
17              The   rootdn   to   set  up  in  the  directory.   E.g.  cn=man‐
18              ager,dc=ungleich,dc=ch. See slapd.conf(5).
19
20       manager-password
21              The password for manager-dn in the directory.  This will be used
22              to  connect  to  the LDAP server on the first slapd-url with the
23              given manager-dn.
24
25       manager-password-hash
26              The password for manager-dn in the directory.   This  should  be
27              valid  for  slapd.conf like {SSHA}qV+mCs3u8Q2sCmUXT4Ybw7MebHTAS‐
28              Myr.  Generate e.g. with: slappasswd -s weneedgoodsecurity.  See
29              slappasswd(8C),    slapd.conf(5).     TODO:    implement   this:
30              http://blog.adamsbros.org/2015/06/09/openldap-ssha-salted-hashes-by-hand/
31                 to  derive  from  the  manager-password  parameter and ensure
32                 idempotency (care with salts).  At that point,  manager-pass‐
33                 word-hash should be deprecated and ignored.
34
35       serverid
36              The  server  for  the  directory.   E.g.  dc=ungleich,dc=ch. See
37              slapd.conf(5).
38
39       suffix The suffix  for  the  directory.   E.g.  dc=ungleich,dc=ch.  See
40              slapd.conf(5).
41

REQUIRED MULTIPLE PARAMETERS

43       slapd-url
44              A  URL  for slapd to listen on.  Pass once for each URL you want
45              to  support,  e.g.:  --slapd-url  ldaps://my.fqdn/   --slapd-url
46              ldap://my.fqdn/.  The first instance that is passed will be used
47              as the main URL to connect to this LDAP server See the  -h  flag
48              in slapd(8C).
49

OPTIONAL PARAMETERS

51       syncrepl-credentials
52              Only  has  an effect if replicate is set; required in that case.
53              This secret is shared amongst the hosts that will replicate  the
54              directory.   Note that each replication server needs this secret
55              and it is saved in plain text in the directory.
56
57       syncrepl-searchbase
58              Only has an effect if replicate is set; required in  that  case.
59              The  searchbase to use for replication.  E.g. dc=ungleich,dc=ch.
60              See slapd.conf(5).
61
62       admin-email
63              Passed to cdist-type__letsencrypt_cert; has  otherwise  no  use.
64              Required  if  using  __letsencrypt_cert.   Where  to  send Let's
65              Encrypt emails like "certificate needs renewal".
66
67       tls-cipher-suite
68              Setting for TLSCipherSuite.  Defaults to NORMAL in a Debian-like
69              OS and HIGH:MEDIUM:+SSLv2 on FreeBSD.  See slapd.conf(5).
70
71       tls-cert
72              If  defined, __letsencrypt_cert is not used and this must be the
73              path in the remote hosts to  the  PEM-encoded  TLS  certificate.
74              Requires:  tls-privkey  and  tls-ca.  Permissions, existence and
75              renewal of these files are left up to the type's user.
76
77       tls-privkey
78              Required if tls-cert is defined.  Path in the  remote  hosts  to
79              the PEM-encoded private key file.
80
81       tls-ca Required  if  tls-cert  is defined.  Path in the remote hosts to
82              the PEM-encoded CA certificate file.
83

OPTIONAL MULTIPLE PARAMETERS

85       syncrepl-host
86              Only has an effect if replicate is set; required in  that  case.
87              Set once per host that will replicate the directory.
88
89       module LDAP  module  to  load.  See  slapd.conf(5).   Default  value is
90              OS-dependent, see manifest.
91
92       schema Name of LDAP schema to load. Must be the name without  extension
93              of   a   .schema  file  in  slapd's  schema  directory  (usually
94              /etc/slapd/schema or  /usr/local/etc/openldap/schema).   Example
95              value:  inetorgperson  The type user must ensure that the schema
96              file is deployed.  This  defaults  to  a  sensible  subset,  for
97              details see the type definition.
98
99       description
100              The  description  of the base DN passed in the suffix parameter.
101              Defaults to Managed by cdist, do not edit manually.
102

BOOLEAN PARAMETERS

104       staging
105              Passed to cdist-type__letsencrypt_cert; has  otherwise  no  use.
106              Obtain a test certificate from a staging server.
107
108       replicate
109              Whether  to  setup replication or not.  If present syncrepl-cre‐
110              dentials and syncrepl-host are also required.
111

EXAMPLES

113          # Example of a simple server with manual certificate management.
114          pki_prefix="/usr/local/etc/pki/realms/ldap.camilion.cloud"
115          __openldap_server \
116              --manager-dn 'cn=manager,dc=camilion,dc=cloud' \
117              --manager-password "foo" \
118              --manager-password-hash '{SSHA}foo' \
119              --serverid 0 \
120              --suffix 'dc=camilion,dc=cloud' \
121              --slapd-url 'ldaps://ldap.camilion.cloud' \
122              --tls-cert "${pki_prefix}/default.crt" \
123              --tls-privkey "${pki_prefix}/default.key" \
124              --tls-ca "${pki_prefix}/CA.crt"
125
126          # The created basedn looks as follows:
127          #
128          # dn: dc=camilion,dc=cloud
129          # objectClass: top
130          # objectClass: dcObject
131          # objectClass: organization
132          # o: Managed by cdist, do not edit manually.
133          # dc: camilion
134          #
135          # Do not change it manually, the type will overwrite your changes.
136
137
138          #
139          # Changing to a replicated setup is a simple change to something like:
140          #
141          # Example for multiple servers with replication and automatic
142          # Let's Encrypt certificate management through certbot.
143          id=1
144          for host in ldap-test1.ungleich.ch ldap-test2.ungleich.ch; do
145              echo "__ungleich_ldap \
146                  --manager-dn 'cn=manager,dc=ungleich,dc=ch' \
147                  --manager-psasword 'foo' \
148                  --manager-password-hash '{SSHA}fooo' \
149                  --serverid '${id}' \
150                  --suffix 'dc=ungleich,dc=ch' \
151                  --slapd-url ldap://${host} \
152                  --searchbase 'dc=ungleich,dc=ch' \
153                  --syncrepl-credentials 'fooo' \
154                  --syncrepl-host 'ldap-test1.ungleich.ch' \
155                  --syncrepl-host 'ldap-test2.ungleich.ch' \
156                  --description 'Ungleich LDAP server'" \
157                  --staging \
158                  | cdist config -i - -v ${host}
159              id=$((id + 1))
160          done
161
162          # The created basedn looks as follows:
163          #
164          # dn: dc=ungleich,dc=ch
165          # objectClass: top
166          # objectClass: dcObject
167          # objectClass: organization
168          # o: Ungleich LDAP server
169          # dc: ungleich
170          #
171          # Do not change it manually, the type will overwrite your changes.
172

SEE ALSO

174       cdist-type__letsencrypt_cert(7)
175

AUTHORS

177       ungleich <foss--@--ungleich.ch> Evilham <contact--@--evilham.com>
178

COPYING

180       Copyright (C) 2020 ungleich glarus ag. You can redistribute  it  and/or
181       modify  it  under  the  terms of the GNU General Public License as pub‐
182       lished by the  Free  Software  Foundation,  either  version  3  of  the
183       License, or (at your option) any later version.
184
186       ungleich GmbH 2019
187
188
189
190
1916.3.0                            Dec 12, 2019   CDIST-TYPE__OPENLDAP_SERVER(7)
Impressum