Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >=4.0.0 < 8.0.0
Tasks:
- principal
Start using this module
Add this module to your Puppetfile:
mod 'enterprisemodules-ldap_principal', '1.3.0'
Learn more about managing modules with a Puppetfile
Documentation
Table of Contents
- Description
- Setup - The basics of getting started with ldap_principal
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
When you enter the search term 'LDAP' on the Forge you get a whole load of modules that do something with LDAP. Most of these modules allow you to install an LDAP client or LDAP server. Some of these modules even allow you to do some management of entries inside the LDAP server, but none of these solutions provide the whole spectrum of operations needed to manage LDAP in a large organization. This module does.
License
This is a commercially licensed module, but you can use the module on VirtualBox based development systems for FREE. When used on real systems a license is required. On regular nodes, usage up to 50 entries is FREE.
You can license our modules in multiple ways. Our basic licensing model requires a subscription per node. But contact us for details.
Check the License for details.
Setup
Setup Requirements
The custom types and providers in this module have two external requirements:
- the Puppet module enterprisemodules-easy_type installed
- the Ruby gem net-ldap (https://github.com/ruby-ldap/ruby-net-ldap)
The ldap_principal custom type uses the Ruby gem net-ldap (https://github.com/ruby-ldap/ruby-net-ldap). Your Puppet manifest must ensure installation of the gem. The Puppet type and provider will only start their operations after the gem is installed.
package { 'net-ldap':
  ensure   => 'present',
  provider => pe_gem;
}
Beginning with ldap_principal
After installation, the first thing to do is tell your Puppet environment which LDAP servers you have in your organization. Although most organizations prefer to keep user information as centrally managed as possible, the reality is that most organizations have multiple LDAP servers they need to manage.
Add the ldap_server to the manifest
Using the ldap_server type you can add information about your servers to the Puppet manifest. Here is an example:
ldap_server { 'production_ldap':
  address    => 'prod_ldap.example.com',
  port       => '389',
  user_dn    => 'cn=admin,dc=example,dc=org',
  password   => 'admin',
  verify_ssl => 'false',
  use_ssl    => 'false',
  base       => 'dc=example,dc=org',
}
The ldap_server type contains everything needed to connect to the LDAP server and perform operations.
Because Puppet needs this information later, it stores it in /etc/ldap_server.yaml. To keep this safe, the file is secured and the password is stored encrypted.
When you have more LDAP servers, you need to add them to your manifest too.
Ensuring a container entry
When you want to manage entries in "your own" container, you must first ensure that the container exists. For example:
ldap_principal { 'production_ldap:ou=mydepartment,dc=example,dc=org':
  ensure     => 'present',
  purge      => true,
  attributes => {
    'objectclass' => ['organizationalUnit', 'top'],
    'ou'          => 'mydepartment',
  },
}
This example ensures there is an organizationalUnit LDAP container mydepartment. The purge property set to true makes sure that entries in this container that are not in the manifest will be removed by Puppet. This ensures there are no unmanaged LDAP entries in our container.
Enter persons
Now that we have the container, we can add all the persons (or other types of entries) to it.
ldap_principal { 'production_ldap:cn=kermit,ou=muppetshow,dc=example,dc=org':
  ensure           => 'present',
  purge_attributes => true,
  attributes       => {
    'objectclass'  => ['top', 'inetOrgPerson'],
    'userPassword' => "{SSHA512}2ZsyGTxVyEw14Cu9D/OXpTddfy/387D/rlR6R0VVdRIz+3Wn52fSYZpKAP1S\n9J/kRbkoBiPK/9eZMOZV6cgidzEyMzQ1Njc4",
    'givenName'    => 'Kermit the frog',
    'cn'           => 'kermit',
    'sn'           => 'Kermit',
  },
}
Here we make sure there is a kermit entry in the muppetshow container. If the LDAP server doesn't contain the entry, Puppet will create it. If the LDAP server already contains this entry, but some of the properties are different, Puppet will update the specified attributes. Because the purge_attributes parameter is set to true, any other attributes present on the LDAP server, but not in the manifest, will be removed.
Manage group entries
The LDAP directory can also contain groups. You can manage a group with the present_in or absent_in properties. Here we create a group muppets and we make sure kermit is in that group.
ldap_principal { 'production_ldap:cn=muppets,ou=muppetshow,dc=example,dc=org':
  ensure     => 'present',
  attributes => {
    'objectclass' => ['top', 'groupOfNames'],
  },
  present_in => {
    'member' => [
      'cn=kermit,ou=muppetshow,dc=example,dc=org',
    ],
  },
}
All other entries in the group muppets are left as they are. We only make sure that kermit is in the group. When we want to make sure an entry is NOT present in the group, we use the absent_in property (/docs/ldap_principal/ldap_principal.html#ldap_principal_absent_in):
  ...
  absent_in => {
    'member' => [
      'cn=piggy,ou=muppetshow,dc=example,dc=org',
    ],
  },
  ...
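To make the three update modes above concrete (attributes with purge_attributes, present_in, and absent_in), here is an added Ruby example that is not the module's own code. It computes the LDAP modify operations a desired-state run would issue for one entry, given a constructed sample of what the server currently holds. The rule that purge_attributes never removes objectClass, nor attributes that are only managed through present_in or absent_in, is an assumption made here for safety, not something the page states:

```ruby
require 'set'

# Attribute names are case-insensitive in LDAP, values are compared as strings.
def normalize(attrs)
  attrs.each_with_object({}) do |(name, values), out|
    out[name.to_s.downcase] = Array(values).map(&:to_s)
  end
end

# current:          attributes currently on the server (constructed sample below)
# desired:          the 'attributes' hash from the manifest
# purge_attributes: remove server attributes the manifest does not name
# present_in / absent_in: values that must / must not be in an attribute
# Returns [op, attribute, values] triples in the shape net-ldap's
# modify(:operations => ...) accepts (:add, :replace, :delete).
def modify_operations(current, desired, purge_attributes: false, present_in: {}, absent_in: {})
  current    = normalize(current)
  desired    = normalize(desired)
  present_in = normalize(present_in)
  absent_in  = normalize(absent_in)
  ops = []

  # Managed attributes: replace only when the value set actually differs,
  # otherwise the run would never be idempotent.
  desired.each do |name, values|
    next if current.key?(name) && current[name].to_set == values.to_set
    ops << [:replace, name, values]
  end

  # purge_attributes: anything on the server but not in the manifest goes.
  # Assumption: objectClass and the attributes handled by present_in/absent_in
  # are kept; deleting them would invalidate the entry or undo those rules.
  if purge_attributes
    keep = desired.keys + present_in.keys + absent_in.keys + ['objectclass']
    (current.keys - keep).each { |name| ops << [:delete, name, nil] }
  end

  # present_in: add only the missing values, other members are left alone
  present_in.each do |name, values|
    missing = values - current.fetch(name, [])
    ops << [:add, name, missing] unless missing.empty?
  end

  # absent_in: delete only the values that are actually there
  absent_in.each do |name, values|
    extra = values & current.fetch(name, [])
    ops << [:delete, name, extra] unless extra.empty?
  end

  ops
end

# Constructed sample: what the server holds today for cn=muppets and cn=kermit.
CURRENT_GROUP = {
  'objectClass' => ['top', 'groupOfNames'],
  'cn'          => ['muppets'],
  'description' => ['set by hand'],
  'member'      => ['cn=piggy,ou=muppetshow,dc=example,dc=org',
                    'cn=fozzie,ou=muppetshow,dc=example,dc=org'],
}.freeze

CURRENT_PERSON = {
  'objectClass' => ['top', 'inetOrgPerson'],
  'cn'          => ['kermit'],
  'sn'          => ['Kermit'],
  'givenName'   => ['Kermit'],
  'mail'        => ['kermit@example.org'],
}.freeze

# The group resource from the README: kermit must be a member, piggy must not.
def example_group_ops
  modify_operations(
    CURRENT_GROUP,
    { 'objectclass' => ['top', 'groupOfNames'] },
    present_in: { 'member' => ['cn=kermit,ou=muppetshow,dc=example,dc=org'] },
    absent_in:  { 'member' => ['cn=piggy,ou=muppetshow,dc=example,dc=org'] }
  )
end

# The person resource with purge_attributes => true: givenName is corrected,
# the hand-added mail attribute is removed, everything else is untouched.
def example_person_ops
  modify_operations(
    CURRENT_PERSON,
    { 'objectclass' => ['top', 'inetOrgPerson'], 'cn' => 'kermit',
      'sn' => 'Kermit', 'givenName' => 'Kermit the frog' },
    purge_attributes: true
  )
end

if __FILE__ == $PROGRAM_NAME
  p example_group_ops
  p example_person_ops
end
```

The group run produces one add and one delete on member and nothing else, so fozzie's membership and the hand-set description survive; the person run replaces only givenName and deletes mail. Running the same inputs again yields an empty operation list, which is the idempotency property the README relies on.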
Making sure an entry is not available
As is standard in Puppet, removing an entry is easy:
ldap_principal { 'production_ldap:cn=gonzo,ou=muppetshow,dc=example,dc=org':
  ensure => 'absent',
}
Managing the password
In the previous examples we used a hashed password. Some LDAP servers don't allow this, and you must supply an unencrypted password. But because Puppet needs to manage encrypted attributes in an idempotent way, we need some control over the encrypted value. You can do this by using the transform property.
Here is an example:
ldap_principal { 'docker:cn=piggy,ou=muppetshow,dc=example,dc=org':
  ensure     => 'present',
  attributes => {
    'cn'           => 'piggy',
    'givenname'    => 'Miss Piggy',
    'objectclass'  => ['top', 'inetOrgPerson'],
    'sn'           => 'piggy',
    'userpassword' => 'MissPiggy',
  },
  transform  => {'userpassword' => 'hashed'},
}
In this definition, the value specified for the attribute 'userPassword' will first be presented to the Puppet function hashed_compare and then compared with the value returned from the LDAP server. The specified function will NOT be applied before sending the value to the LDAP server.
At this point in time, we support passwords using the SSHA512 hash.
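The following Ruby example, added here and not the module's own implementation of hashed_compare, shows why the transform is needed and how the compare step can work: the manifest holds a plaintext password, the server holds a salted {SSHA512} hash, and a naive string compare would rewrite the entry on every run. The {SSHA512} layout assumed here ("{SSHA512}" followed by Base64 of SHA-512(password || salt) || salt) is the usual OpenLDAP convention, not something the page spells out:

```ruby
require 'digest'
require 'base64'
require 'securerandom'

SSHA512_PREFIX = '{SSHA512}'.freeze

# Constant-time byte comparison so the check leaks nothing about where the
# digests differ. Lengths are compared first; both digests are 64 bytes anyway.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build a salted hash for a plaintext password. With a fresh random salt two
# calls never yield the same string, which is exactly why comparing the
# manifest value with the stored value as strings cannot be idempotent.
def ssha512(password, salt = SecureRandom.random_bytes(8))
  digest = Digest::SHA512.digest(password.b + salt.b)
  SSHA512_PREFIX + Base64.strict_encode64(digest + salt.b)
end

# Does the plaintext from the manifest match the stored hash? The salt is
# recovered from the stored value, so any salt length works. Whitespace is
# stripped first because some tooling line-wraps the Base64 (the README's
# sample userPassword value carries an embedded "\n").
def ssha512_match?(password, stored)
  return false unless stored.is_a?(String) && stored.start_with?(SSHA512_PREFIX)
  raw = Base64.decode64(stored.delete_prefix(SSHA512_PREFIX).gsub(/\s+/, ''))
  return false if raw.bytesize <= 64           # SHA-512 digest alone is 64 bytes
  digest, salt = raw[0, 64], raw[64..-1]
  secure_equal?(Digest::SHA512.digest(password.b + salt), digest)
end

# Compare step as the README describes it: the manifest value goes through
# the function, and the result is compared with the server's value. Returning
# the server's own hash on a match means "in sync, no change"; on a mismatch
# the plaintext comes back unchanged, so it is sent to the server as-is.
def hashed_compare(manifest_password, server_value)
  ssha512_match?(manifest_password, server_value) ? server_value : manifest_password
end

if __FILE__ == $PROGRAM_NAME
  stored = ssha512('MissPiggy')                  # constructed sample
  puts stored
  puts hashed_compare('MissPiggy', stored) == stored   # true: nothing to change
  puts hashed_compare('wrong', stored)                 # "wrong": would be sent
end
```

Because the plaintext is what travels to the server on a change, the transport still matters: the ldap_server examples above use use_ssl => 'false', so the password would cross the network unencrypted unless TLS is enabled.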
Manifest ordering
As you can see in the examples, we add no explicit ordering. This is because the ldap_principal type supports setting up automatic relations on all entries. When ensuring entries, it will make sure the parents are created before the children. When absenting entries, it will first remove the children before removing the parents.
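An added Ruby example, not the module's own code, showing the ordering rule described above applied to a constructed set of resource titles in the README's server:dn form. Ordering is derived from the DN alone: an entry always has exactly one more RDN than its parent, so sorting by RDN count puts parents first for ensure => present and, reversed, children first for ensure => absent. The escaped-comma handling is included because a naive split on "," would miscount the depth of a DN such as cn=Smith\, John:

```ruby
# Split a DN into its RDN components, least significant first.
# A comma escaped with a backslash ("\,") is part of a value, not a separator.
def rdns(dn)
  dn.split(/(?<!\\),/).map(&:strip)
end

# The parent DN of an entry, or nil for a top-level entry.
def parent_dn(dn)
  parts = rdns(dn)
  parts.size > 1 ? parts[1..-1].join(',') : nil
end

# Resource titles look like 'production_ldap:cn=kermit,ou=muppetshow,dc=example,dc=org'.
def server_and_dn(title)
  title.split(':', 2)
end

# Stable sort by (server, depth, manifest position). Entries on different
# servers never depend on each other, so they are grouped per server; within
# one depth the manifest order is preserved.
def ordered(titles, deepest_first: false)
  sign = deepest_first ? -1 : 1
  titles.each_with_index.sort_by do |title, idx|
    server, dn = server_and_dn(title)
    [server, sign * rdns(dn).size, idx]
  end.map(&:first)
end

# ensure => present: parents before children.
def creation_order(titles)
  ordered(titles)
end

# ensure => absent: children before parents.
def removal_order(titles)
  ordered(titles, deepest_first: true)
end

# Sanity check: every entry whose parent is also in the set comes after it.
def parents_first?(titles)
  seen = {}
  titles.each do |title|
    server, dn = server_and_dn(title)
    parent = parent_dn(dn)
    parent_title = "#{server}:#{parent}"
    return false if parent && titles.include?(parent_title) && !seen[parent_title]
    seen[title] = true
  end
  true
end

# Constructed sample, deliberately listed in a scrambled order.
MANIFEST_TITLES = [
  'production_ldap:cn=kermit,ou=muppetshow,dc=example,dc=org',
  'production_ldap:ou=muppetshow,dc=example,dc=org',
  'production_ldap:cn=muppets,ou=muppetshow,dc=example,dc=org',
  'production_ldap:ou=mydepartment,dc=example,dc=org',
  'production_ldap:cn=Smith\, John,ou=mydepartment,dc=example,dc=org',
].freeze

if __FILE__ == $PROGRAM_NAME
  puts 'create:'; puts creation_order(MANIFEST_TITLES)
  puts 'remove:'; puts removal_order(MANIFEST_TITLES)
end
```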
Basic setup done
This concludes setting up the basic entries. This example should help you get started and fill your manifest.
Reference
Check our documentation for a full description of all properties.
Limitations
Supported operating systems
This module supports a broad range of Linux operating systems:
- RHEL 4,5,6,7
- CentOS 4,5,6,7
- OracleLinux 4,5,6,7
- Scientific 4,5,6,7
Supported Puppet versions
This module requires Puppet 4 to run. It supports both the open source versions as well as Puppet Enterprise.
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
History
1.3.0 23-12-2020
- [release] Add puppet 7 support to metadata
1.2.0 07-10-2019
- [release] Add support for RHEL 8
- [core] puppet data types added (#6)
- [docs] Update documentation
1.1.2 09-02-2018
- [tasks] Add tasks for basic resources
- [release] Fix link to license in readme
1.1.1 25-01-2018
- [release] Update README and license text
- [release] Add secure files
- [ldap_server] Handle use_ssl and verify_ssl properties better
- [ldap_principal] Do LDAP operations once
1.1.0 15-02-2017
- [ldap_principal] Fix inclusion of present_in attributes on_create
- [core] Add support for multiple passwords
- [transformers] Implemented other hashing algorithms
1.0.0 18-01-2017
- [documentation] Updated the documentation
- [core] Updated metadata to version 1.0.0
- [docs] Added initial set of documentation
- [ldap_principal] Use new features from easy_type for prefetching
- [core] Add support for newest version of easy_type
0.0.5
- [core] Update versions
- [style] Rubocop failure free
- [ldap_principal] Make puppet generate compatible
- [ldap_principal] Fix ‘request did not contain any modification’ error
- [travis] Only run on Puppet 4 and higher
- [transformer] Don’t crash when current_hash is nil
- [ldap_principal] Fix issue when member contains only one entry
- [ldap_principal] auto ordering also on absenting
0.0.4
- Fix loading and licensing issues when using Puppetmaster
0.0.3
- Adding core of the functionality
0.0.2
- Using enterprisemodules-easy_type
0.0.1
- Initial version
Dependencies
- enterprisemodules/easy_type (>= 2.3.14 < 3.0.0)
Enterprise Modules License d.d. January 2018
This license (“License”) governs the terms and conditions under which ldap_config module (“the Software”) is licensed by Enterprise Modules B.V, a limited liability company in the Netherlands, registered in the Dutch Chamber of Commerce: 63689537 (“Licensor”), to the user of the Software (“Licensee”).
Article 1. Grant of license
1.1 Licensor hereby grants to Licensee the right to use the Software for its internal business purposes.
1.2 The license granted in the previous paragraph is limited to the use on VirtualBox Virtual machines. For further use a commercial license must be directly obtained from Licensor.
Article 2. License limitations
2.1 All right, title and interest to the Software, the accompanying documentation and all modifications and extensions thereto rest and remain with Licensor. Licensee only has the rights and permissions explicitly granted by this License or granted in writing otherwise. Licensee shall not use, copy, modify, distribute or publish the Software in any other manner. Nothing in this License is intended to, and shall not be construed to, transfer to Licensee any rights in intellectual property developed by Licensor.
2.2 In particular, Licensee shall not: a) provide copies of the Software to third parties, including to entities controlling, controlled by or under common control with Licensee; b) sublicense the Software or otherwise make available the Software to such third parties, including by rental, Software-as-a-Service models or otherwise; c) remove indications of Licensor as copyright holder of the Software or to remove or render illegible any part thereof.
2.3 The Software comprises third-party open source software. The respective third-party rights holders grant Licensee the rights indicated in the applicable open source licenses. These licenses can be found in the documentation. The License does not apply to this open source software, and nothing in this License shall be construed as a limitation of any right granted under an open source license.
Article 3. Trademark
3.1 This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Software.
Article 4. Limitation of Liability
4.1 Licensor provides the Software on an "AS IS" basis, and expressly disclaims all conditions, representations or warranties, express or implied, including without limitation any implied warranties of merchantability, fitness for a particular purpose, and non-infringement of third party rights regarding the Software. Licensor is solely responsible for determining the appropriateness of using the Software and assume any risks associated arising out of or in connection with the Software and this License.
4.2 Licensor shall not be liable for any damages, including consequential, special, punitive and/or incidental damages or fines imposed by regulatory bodies, arising out of or in connection with the Software and this License.
4.3 Licensee shall release, defend, indemnify and hold harmless Licensor from and against any and all claims, damages and liability arising in connection with the Software, including from claims, damages or liability from customers of Licensee.
Article 5. Miscellaneous
5.1 Licensor reserves the right to change any or all parts of this License without prior notice.
5.2 The law of the Netherlands governs this License and the terms and conditions therein.
5.3 Any disputes arising between Licensor and Licensee in connection with the License will be settled by the competent courts in the Netherlands for the principal place of business of the Licensor.