1CDIST-TYPE__OPENLDAP_SERVER(7) cdist CDIST-TYPE__OPENLDAP_SERVER(7)
2
3
4
6 cdist-type__openldap_server - Setup an openldap(4) server instance
7
9 This type can be used to bootstrap an LDAP environment using openldap
10 as slapd.
11
12 It bootstraps the LDAP server with sane defaults and creates and man‐
13 ages the base DN defined by suffix.
14
16 manager-dn
17 The rootdn to set up in the directory. E.g. cn=manager,dc=un‐
18 gleich,dc=ch. See slapd.conf(5).
19
20 manager-password
21 The password for manager-dn in the directory. This will be used
22 to connect to the LDAP server on the first slapd-url with the
23 given manager-dn.
24
25 manager-password-hash
26 The password for manager-dn in the directory. This should be
27 valid for slapd.conf like {SSHA}qV+mCs3u8Q2sCmUXT4Ybw7MebHTAS‐
28 Myr. Generate e.g. with: slappasswd -s weneedgoodsecurity. See
29 slappasswd(8C), slapd.conf(5). TODO: implement this:
30 http://blog.adamsbros.org/2015/06/09/openldap-ssha-salted-hashes-by-hand/
31 to derive from the manager-password parameter and ensure idempo‐
32 tency (care with salts). At that point, manager-password-hash
33 should be deprecated and ignored.
34
35 serverid
36 The server for the directory. E.g. dc=ungleich,dc=ch. See
37 slapd.conf(5).
38
39 suffix The suffix for the directory. E.g. dc=ungleich,dc=ch. See
40 slapd.conf(5).
41
43 slapd-url
44 A URL for slapd to listen on. Pass once for each URL you want
45 to support, e.g.: --slapd-url ldaps://my.fqdn/ --slapd-url
46 ldap://my.fqdn/. The first instance that is passed will be used
47 as the main URL to connect to this LDAP server See the -h flag
48 in slapd(8C).
49
51 syncrepl-credentials
52 Only has an effect if replicate is set; required in that case.
53 This secret is shared amongst the hosts that will replicate the
54 directory. Note that each replication server needs this secret
55 and it is saved in plain text in the directory.
56
57 syncrepl-searchbase
58 Only has an effect if replicate is set; required in that case.
59 The searchbase to use for replication. E.g. dc=ungleich,dc=ch.
60 See slapd.conf(5).
61
62 admin-email
63 Passed to cdist-type__letsencrypt_cert; has otherwise no use.
64 Required if using __letsencrypt_cert. Where to send Let's En‐
65 crypt emails like "certificate needs renewal".
66
67 tls-cipher-suite
68 Setting for TLSCipherSuite. Defaults to NORMAL in a Debian-like
69 OS and HIGH:MEDIUM:+SSLv2 on FreeBSD. See slapd.conf(5).
70
71 tls-cert
72 If defined, __letsencrypt_cert is not used and this must be the
73 path in the remote hosts to the PEM-encoded TLS certificate.
74 Requires: tls-privkey and tls-ca. Permissions, existence and
75 renewal of these files are left up to the type's user.
76
77 tls-privkey
78 Required if tls-cert is defined. Path in the remote hosts to
79 the PEM-encoded private key file.
80
81 tls-ca Required if tls-cert is defined. Path in the remote hosts to
82 the PEM-encoded CA certificate file.
83
84 extra-config
85 Custom settings to be added in slapd.conf(5).
86
88 syncrepl-host
89 Only has an effect if replicate is set; required in that case.
90 Set once per host that will replicate the directory.
91
92 module LDAP module to load. See slapd.conf(5). Some dependencies might
93 have to be installed beforehand. Default value is OS-dependent,
94 see manifest.
95
96 schema Name of LDAP schema to load. Must be the name without extension
97 of a .schema file in slapd's schema directory (usually
98 /etc/slapd/schema or /usr/local/etc/openldap/schema). Example
99 value: inetorgperson The type user must ensure that the schema
100 file is deployed. This defaults to a sensible subset, for de‐
101 tails see the type definition.
102
103 description
104 The description of the base DN passed in the suffix parameter.
105 Defaults to Managed by cdist, do not edit manually.
106
108 staging
109 Passed to cdist-type__letsencrypt_cert; has otherwise no use.
110 Obtain a test certificate from a staging server.
111
112 replicate
113 Whether to setup replication or not. If present syncrepl-cre‐
114 dentials and syncrepl-host are also required.
115
117 # Example of a simple server with manual certificate management.
118 pki_prefix="/usr/local/etc/pki/realms/ldap.camilion.cloud"
119 __openldap_server \
120 --manager-dn 'cn=manager,dc=camilion,dc=cloud' \
121 --manager-password "foo" \
122 --manager-password-hash '{SSHA}foo' \
123 --serverid 0 \
124 --suffix 'dc=camilion,dc=cloud' \
125 --slapd-url 'ldaps://ldap.camilion.cloud' \
126 --tls-cert "${pki_prefix}/default.crt" \
127 --tls-privkey "${pki_prefix}/default.key" \
128 --tls-ca "${pki_prefix}/CA.crt"
129
130 # The created basedn looks as follows:
131 #
132 # dn: dc=camilion,dc=cloud
133 # objectClass: top
134 # objectClass: dcObject
135 # objectClass: organization
136 # o: Managed by cdist, do not edit manually.
137 # dc: camilion
138 #
139 # Do not change it manually, the type will overwrite your changes.
140
141
142 #
143 # Changing to a replicated setup is a simple change to something like:
144 #
145 # Example for multiple servers with replication and automatic
146 # Let's Encrypt certificate management through certbot.
147 id=1
148 for host in ldap-test1.ungleich.ch ldap-test2.ungleich.ch; do
149 echo "__ungleich_ldap \
150 --manager-dn 'cn=manager,dc=ungleich,dc=ch' \
151 --manager-psasword 'foo' \
152 --manager-password-hash '{SSHA}fooo' \
153 --serverid '${id}' \
154 --suffix 'dc=ungleich,dc=ch' \
155 --slapd-url ldap://${host} \
156 --searchbase 'dc=ungleich,dc=ch' \
157 --syncrepl-credentials 'fooo' \
158 --syncrepl-host 'ldap-test1.ungleich.ch' \
159 --syncrepl-host 'ldap-test2.ungleich.ch' \
160 --description 'Ungleich LDAP server'" \
161 --staging \
162 | cdist config -i - -v ${host}
163 id=$((id + 1))
164 done
165
166 # The created basedn looks as follows:
167 #
168 # dn: dc=ungleich,dc=ch
169 # objectClass: top
170 # objectClass: dcObject
171 # objectClass: organization
172 # o: Ungleich LDAP server
173 # dc: ungleich
174 #
175 # Do not change it manually, the type will overwrite your changes.
176
178 cdist-type__letsencrypt_cert(7)
179
181 ungleich <foss--@--ungleich.ch> Evilham <contact--@--evilham.com>
182
184 Copyright (C) 2020 ungleich glarus ag. You can redistribute it and/or
185 modify it under the terms of the GNU General Public License as pub‐
186 lished by the Free Software Foundation, either version 3 of the Li‐
187 cense, or (at your option) any later version.
188
190 ungleich GmbH 2020
191
192
193
194
1956.9.6 Apr 20, 2021 CDIST-TYPE__OPENLDAP_SERVER(7)