CDIST-TYPE__OPENLDAP_SERVER(7)       cdist      CDIST-TYPE__OPENLDAP_SERVER(7)

NAME

       cdist-type__openldap_server - Setup an openldap(4) server instance


DESCRIPTION

       This type can be used to bootstrap an LDAP environment using openldap
       as slapd.

       It bootstraps the LDAP server with sane defaults and creates and
       manages the base DN defined by suffix.


REQUIRED PARAMETERS

       manager-dn
              The rootdn to set up in the directory.  E.g.
              cn=manager,dc=ungleich,dc=ch.  See slapd.conf(5).

       manager-password
              The password for manager-dn in the directory.  This will be used
              to connect to the LDAP server on the first slapd-url with the
              given manager-dn.

       manager-password-hash
              The hashed password for manager-dn.  This should be a value
              valid for slapd.conf, like
              {SSHA}qV+mCs3u8Q2sCmUXT4Ybw7MebHTASMyr.  Generate e.g. with:
              slappasswd -s weneedgoodsecurity.  See slappasswd(8C),
              slapd.conf(5).  TODO: implement this:
              http://blog.adamsbros.org/2015/06/09/openldap-ssha-salted-hashes-by-hand/
              to derive from the manager-password parameter and ensure
              idempotency (care with salts).  At that point,
              manager-password-hash should be deprecated and ignored.

       serverid
              The server for the directory.  E.g. dc=ungleich,dc=ch.  See
              slapd.conf(5).

       suffix The suffix for the directory.  E.g. dc=ungleich,dc=ch.  See
              slapd.conf(5).


REQUIRED MULTIPLE PARAMETERS

       slapd-url
              A URL for slapd to listen on.  Pass once for each URL you want
              to support, e.g.: --slapd-url ldaps://my.fqdn/ --slapd-url
              ldap://my.fqdn/.  The first instance that is passed will be used
              as the main URL to connect to this LDAP server.  See the -h flag
              in slapd(8C).


OPTIONAL PARAMETERS

       syncrepl-credentials
              Only has an effect if replicate is set; required in that case.
              This secret is shared amongst the hosts that will replicate the
              directory.  Note that each replication server needs this secret
              and it is saved in plain text in the directory.

       syncrepl-searchbase
              Only has an effect if replicate is set; required in that case.
              The searchbase to use for replication.  E.g. dc=ungleich,dc=ch.
              See slapd.conf(5).

       admin-email
              Passed to cdist-type__letsencrypt_cert; has otherwise no use.
              Required if using __letsencrypt_cert.  Where to send Let's
              Encrypt emails like "certificate needs renewal".

       tls-cipher-suite
              Setting for TLSCipherSuite.  Defaults to NORMAL in a Debian-like
              OS and HIGH:MEDIUM:+SSLv2 on FreeBSD.  See slapd.conf(5).

       tls-cert
              If defined, __letsencrypt_cert is not used and this must be the
              path on the remote host to the PEM-encoded TLS certificate.
              Requires: tls-privkey and tls-ca.  Permissions, existence and
              renewal of these files are left up to the type's user.

       tls-privkey
              Required if tls-cert is defined.  Path on the remote host to
              the PEM-encoded private key file.

       tls-ca Required if tls-cert is defined.  Path on the remote host to
              the PEM-encoded CA certificate file.

       extra-config
              Custom settings to be added in slapd.conf(5).


OPTIONAL MULTIPLE PARAMETERS

       syncrepl-host
              Only has an effect if replicate is set; required in that case.
              Set once per host that will replicate the directory.

       module LDAP module to load.  See slapd.conf(5).  Some dependencies might
              have to be installed beforehand.  Default value is OS-dependent,
              see manifest.

       schema Name of LDAP schema to load.  Must be the name without extension
              of a .schema file in slapd's schema directory (usually
              /etc/slapd/schema or /usr/local/etc/openldap/schema).  Example
              value: inetorgperson.  The type user must ensure that the schema
              file is deployed.  This defaults to a sensible subset, for
              details see the type definition.

       description
              The description of the base DN passed in the suffix parameter.
              Defaults to "Managed by cdist, do not edit manually."


BOOLEAN PARAMETERS

       staging
              Passed to cdist-type__letsencrypt_cert; has otherwise no use.
              Obtain a test certificate from a staging server.

       replicate
              Whether to set up replication or not.  If present,
              syncrepl-credentials, syncrepl-searchbase and syncrepl-host are
              also required.


EXAMPLES

          # Example of a simple server with manual certificate management.
          pki_prefix="/usr/local/etc/pki/realms/ldap.camilion.cloud"
          __openldap_server \
              --manager-dn 'cn=manager,dc=camilion,dc=cloud' \
              --manager-password "foo" \
              --manager-password-hash '{SSHA}foo' \
              --serverid 0 \
              --suffix 'dc=camilion,dc=cloud' \
              --slapd-url 'ldaps://ldap.camilion.cloud' \
              --tls-cert "${pki_prefix}/default.crt" \
              --tls-privkey "${pki_prefix}/default.key" \
              --tls-ca "${pki_prefix}/CA.crt"

          # The created basedn looks as follows:
          #
          # dn: dc=camilion,dc=cloud
          # objectClass: top
          # objectClass: dcObject
          # objectClass: organization
          # o: Managed by cdist, do not edit manually.
          # dc: camilion
          #
          # Do not change it manually, the type will overwrite your changes.


          #
          # Changing to a replicated setup is a simple change to something like:
          #
          # Example for multiple servers with replication and automatic
          # Let's Encrypt certificate management through certbot.
          # admin-email is required when __letsencrypt_cert is used; the
          # address below is a placeholder.  The manifest is generated with
          # echo and fed to cdist on stdin, so the whole type call is one
          # double-quoted string.
          id=1
          for host in ldap-test1.ungleich.ch ldap-test2.ungleich.ch; do
              echo "__openldap_server \
                  --manager-dn 'cn=manager,dc=ungleich,dc=ch' \
                  --manager-password 'foo' \
                  --manager-password-hash '{SSHA}fooo' \
                  --serverid '${id}' \
                  --suffix 'dc=ungleich,dc=ch' \
                  --slapd-url ldap://${host} \
                  --replicate \
                  --syncrepl-searchbase 'dc=ungleich,dc=ch' \
                  --syncrepl-credentials 'fooo' \
                  --syncrepl-host 'ldap-test1.ungleich.ch' \
                  --syncrepl-host 'ldap-test2.ungleich.ch' \
                  --admin-email 'ldap-admin@example.com' \
                  --description 'Ungleich LDAP server' \
                  --staging" \
                  | cdist config -i - -v ${host}
              id=$((id + 1))
          done

          # The created basedn looks as follows:
          #
          # dn: dc=ungleich,dc=ch
          # objectClass: top
          # objectClass: dcObject
          # objectClass: organization
          # o: Ungleich LDAP server
          # dc: ungleich
          #
          # Do not change it manually, the type will overwrite your changes.

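          The TODO under manager-password-hash asks for deriving the {SSHA}
          value from manager-password idempotently ("care with salts").  The
          following is an added example, not code from the cdist type or from
          OpenLDAP, showing how slappasswd's {SSHA} format is built and how an
          existing hash can be checked against the plaintext so that a run
          keeps the stored hash instead of minting a new salt; the function
          names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} as produced by slappasswd(8C): base64(sha1(password + salt) + salt).
# The digest is always 20 bytes, so the salt is whatever follows it.
DIGEST_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} value; a random 8-byte salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a plaintext against a stored {SSHA} value (scheme tag is case-insensitive)."""
    if stored[:6].upper() != "{SSHA}":
        return False
    try:
        raw = base64.b64decode(stored[6:], validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return False
    if len(raw) <= DIGEST_LEN:  # need the digest plus at least one salt byte
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so the check does not leak which byte differed
    return hmac.compare_digest(digest, expected)


def manager_password_hash(password: str, current: Optional[str]) -> str:
    """Idempotent choice for the rootpw line: keep the hash already in
    slapd.conf when it still matches the plaintext, otherwise mint a new one
    (which only happens when the password itself changed)."""
    if current is not None and ssha_verify(password, current):
        return current
    return ssha_hash(password)
```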

SEE ALSO

       cdist-type__letsencrypt_cert(7)


AUTHORS

       ungleich <foss--@--ungleich.ch> Evilham <contact--@--evilham.com>


COPYING

       Copyright (C) 2020 ungleich glarus ag.  You can redistribute it and/or
       modify it under the terms of the GNU General Public License as
       published by the Free Software Foundation, either version 3 of the
       License, or (at your option) any later version.

       ungleich GmbH 2020
6.9.6                            Apr 20, 2021   CDIST-TYPE__OPENLDAP_SERVER(7)