Menu

Chef Supermarket

Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

View our collection of guides, documentation, and articles

Cookbooks
Advanced Options

Select Badges

Select Supported Platforms

Select Status

RSS

openldap (51) Versions 2.1.0

Installs and configures OpenLDAP (slapd) an open source implementation of LDAP.

Policyfile
Berkshelf
Knife 
cookbook 'openldap', '= 2.1.0', :supermarket
cookbook 'openldap', '= 2.1.0'
knife supermarket install openldap
knife supermarket download openldap
README
Dependencies
Changelog
Quality 100%

openldap Cookbook

Configures a server to be an OpenLDAP master, OpenLDAP replication slave, or OpenLDAP client.

Requirements

Platform

  • Ubuntu 10.04+
  • Debian

Chef

Chef version 0.10.10+ (with Ohai 0.6.12+) is required.

Cookbooks

  • openssh
  • nscd
  • openssl (for slave recipe)

Attributes

Be aware of the attributes used by this cookbook and adjust the defaults for your environment where required, in attributes/default.rb.

Overall install attributes

  • openldap['package_install_action'] - The action to be taken for all packages in the recipes. Defaults to :install, but can also be set to :upgrade to upgrade all packages referenced in the recipes.

Client node attributes

  • openldap['server_uri'] - the URI of the LDAP server
  • openldap['basedn'] - basedn
  • openldap['cn'] - admin
  • openldap['server'] - the LDAP server fully qualified domain name, default 'ldap'.node['domain'].
  • openldap['tls_enabled'] - specifies whether TLS will be used at all. Setting this to fals will result in your credentials being sent in clear-text.
  • openldap['tls_checkpeer'] - specifies whether the client should verify the server's TLS certificate. Highly recommended to set tls_checkpeer to true for production uses in order to avoid man-in-the-middle attacks. Defaults to false for testing and backwards compatibility.
  • openldap['pam_password'] - specifies the password change protocol to use. Defaults to md5.

Server node attributes

  • openldap['schemas'] - Array of ldap schema file names to load
  • openldap['modules'] - Array of slapd modules names to load
  • openldap['slapd_type'] - master | slave
  • openldap['slapd_rid'] - unique integer ID, required if type is slave.
  • openldap['slapd_master'] - hostname of slapd master, attempts to search for slapd_type master.
  • openldap['manage_ssl'] - Whether or not this cookbook manages your SSL certificates. If set to true, this cookbook will expect your SSL certificates to be in files/default/ssl and will configure slapd appropriately. If set to false, you will need to provide your SSL certificates prior to this recipe being run. Be sure to set openldap['ssl_cert'] and openldap['ssl_key'] appropriately.
  • openldap['ssl_cert'] - The full path to your SSL certificate.
  • openldap['ssl_key'] - The full path to your SSL key.
  • openldap['ssl_cert_source_cookbook'] - The cookbook to find the ssl cert. Defaults to this cookbook
  • openldap['ssl_cert_source_path'] - The path in the cookbook to find the ssl cert file.
  • openldap['ssl_key_source_cookbook'] - The cookbook to find the ssl key. Defaults to this cookbook
  • openldap['ssl_key_source_path'] - The path in the cookbook to find the ssl key file.
  • openldap['cafile'] - Your certificate authority's certificate (or intermediate authorities), if needed.

Recipes

auth

Sets up the system for using openldap for user authentication.

default

Empty placeholder recipe.

client

Install the openldap client packages.

server

Set up openldap to be a slapd server. Use this if your environment would only have a single slapd server.

master

Sets the node['openldap']['slapd_type'] to master and then includes the openldap::server recipe.

slave

Sets the node['openldap']['slapd_type'] to slave, then includes the openldap::server recipe. If the node is running chef-solo, then the node['openldap']['slapd_replpw'] and node['openldap']['slapd_master'] attributes must be set in the JSON attributes file passed to chef-solo.

Usage

Edit Rakefile variables for SSL certificate.

On client systems,

include_recipe "openldap::auth"

This will get the required packages and configuration for client systems. This will be required on server systems as well, so this is a good candidate for inclusion in a base role.

On server systems, if there's only one LDAP server, then use the openldap::server recipe. If replication is required, use the openldap::master and openldap::slave recipes instead.

When initially installing a brand new LDAP master server on Ubuntu 8.10, the configuration directory may need to be removed and recreated before slapd will start successfully. Doing this programmatically may cause other issues, so fix the directory manually :-).

$ sudo slaptest -F /etc/ldap/slapd.d
str2entry: invalid value for attributeType objectClass #1 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
=> ldif_enum_tree: failed to read entry for /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
slaptest: bad configuration directory!

For some reason slapd isn't getting started even though the service resource is notified to start, so start it manually.
Solution is to simply remove the configuration:

$ sudo rm -rf /etc/ldap/slapd.d/ /etc/ldap/slapd.conf
$ sudo chef-client
$ sudo /etc/init.d/slapd start

Or in your wrapper cookbook rewind with ubuntu related fix:

#Fix the wrong content of slapd.d dir on ubuntu 12.04
chef_gem "chef-rewind"
require 'chef/rewind'
case node['platform']
when 'ubuntu'
    rewind "package[slapd]" do
        response_file "slapd.seed"
        action :upgrade
        notifies :run, "execute[fix-ubuntu-slapdd]", :immediately
    end
end
#Removes slapd.d/cn=config and slapd.conf deployed from distribution. They will be re-created during the openldap recipe cooking.
execute "fix-ubuntu-slapdd" do
    cmd =  "   test -d #{node['openldap']['dir']}/slapd.d && rm -rf #{node['openldap']['dir']}/slapd.d/cn=config"
    cmd << " ; test -d #{node['openldap']['dir']}/slapd.conf && rm -rf #{node['openldap']['dir']}/slapd.conf"
    cmd << " ; touch #{node['openldap']['dir']}/.fix-ubuntu-slapdd.done"
    command cmd
    ignore_failure true
    action :nothing
    not_if { ::File.exists?("#{node['openldap']['dir']}/.fix-ubuntu-slapdd.done") }
end

A note about certificates

Certificates created by the Rakefile are self signed. If you have a purchased CA, that can be used.

We provide two methods of managing SSL certificates, based off of openldap['manage_ssl'].

If openldap['manage_ssl'] is true, then this cookbook manage your certificates itself, and will expect all certificates, intermediate certificates, and keys to be in the same file as defined in openldap['ssl_cert'].

Use https://github.com/atomic-penguin/cookbook-certificate cookbook for advanced certificate deployment or use wrapper cookbook with following code to source ssl files from the wrapper cookbook folder structure:

r = resources("cookbook_file[#{node['openldap']['ssl_cert']}]")
r.cookbook('NAME OF YOUR WRAPPER COOKBOK')

r = resources("cookbook_file[#{node['openldap']['ssl_key']}]")
r.cookbook('NAME OF YOUR WRAPPER COOKBOK')

Be sure to update the certificate locations in the templates as required. We suggest copying this cookbook to the site-cookbooks for such modifications, so you can still pull from our master for updates, and then merge your changes in.

However, if openldap['manage_ssl'] is false, then you will need to place the SSL certificates on the client file system prior to this cookbook being run. This provides you the flexibility to provide the same set of SSL certificates for multiple uses as well as in one place across your environment, but you will need to manage them.
- Set openldap['ssl_cert'], openldap['ssl_key'], and openldap['cafile'] appropriately.
- Ensure that that user openldap can access these files. Watch out for apparmor and SELinux if you are placing your SSL certificates in a non-default location.

New Directory

If installing for the first time, the initial directory needs to be created. Create an ldif file, and start populating the directory.

Passwords

Set the password, openldap['rootpw'] for the rootdn in the node's attributes. This should be a password hash generated from slappasswd. The default slappasswd command on Ubuntu 8.10 and Mac OS X 10.5 will generate a SHA1 hash:

$ slappasswd -s "secretsauce"
{SSHA}6BjlvtSbVCL88li8IorkqMSofkLio58/

Set this by default in the attributes file, or on the node's entry in the webui.

License & Authors

Copyright:: 2008-2015, Chef Software, Inc

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

openssh >= 0.0.0
nscd >= 0.0.0
openssl >= 0.0.0

Contingent cookbooks

eldap Applicable Versions
eldap 0.1.0
eldap 0.1.1
eldap 0.1.2
paramount Applicable Versions
paramount 0.1.1
paramount 0.1.8
phpldapadmin Applicable Versions
phpldapadmin 0.2.1
zarafa Applicable Versions
zarafa 1.1.0
zarafa 1.2.0
zarafa 1.2.1
zarafa 1.3.0
zarafa 2.1.0

openldap Cookbok CHANGELOG

This file is used to list changes made in each version of the openldap cookbook.

v2.1.0 (2015-03-10)

  • Resolve the one and only Food Critic warning
  • Remove legacy LDAP Apache2 attributes that aren't used in this cookbook or in the Apache2 cookbook
  • Add an attribute for schemas to enable in the slapd config
  • Add an attribute for the modules to load in the slapd config
  • Make the cn used an attribute

v2.0.0 (2015-03-06)

  • Added URI to the client config so clients can communicate with the LDAP server
  • Change all package resource actions from upgrade -> install and introduce and attribute if you want to change it back. Upgrading openldap when a new package comes out is not a desired action on production systems.
  • Update the "Generated by Chef for xyz" comment blocks in the config templates to be consistent. This will result in config changes / service restarts due to notification
  • Install the most recent version of the Berkeley DB utils package. This adds support for Trusty and RHEL, but will result in a newer version of the bd-util package being installed on Precise systems.
  • Added new attributes to set the cookbook and source path for the SSL keys and certs. This reduces the need to fork / modify this cookbook
  • Added a new attribute for controlling the log level of the server
  • Make the ldap client package an attribute with support for RHEL
  • Fix the search logic in the slave recipe to not fail
  • Converted the cookbook to platform_family to better support Ubuntu. This means the cookbook will no longer work on Chef versions prior to 0.10.10
  • Updated Gemfile with up to date dependency versions
  • Updated Contributing doc to match the current process
  • Added a chefignore file to prevent ds_store files from ending up in /usr/local/bin
  • Switched all modes to strings to preserve the leading 0
  • Added a rubocop.yml file and resolved the majority of rubocop complaints
  • Updated platforms in the kitchen.yml file

v1.12.13 (2015-02-18)

  • reverting OpenSSL module namespace change

v1.12.12 (2015-02-17)

  • Updating to work with latest openssl cookbook

v1.12.10 (2014-04-09)

  • [COOK-4239] - Service enable/start resource moved to end
  • [COOK-4239] - Fix sslfiles + ubuntu fix

v1.12.8 (2014-01-03)

Merged nildomain branch

v1.12.6 (2014-01-03)

adding checks for node['domain'].nil? in attributes

v1.12.4

  • [COOK-3772] - nscd clears don't work
  • [COOK-411] - Openldap authentication should validate server certificate

v1.12.2

Improvement

  • COOK-3699 - OpenLDAP Cookbooks - add extra options

u tv0.12.0

New Feature

  • COOK-3561 - Support out of band SSL certificates in openldap::server

Bug

  • COOK-3548 - Fix an issue where preseeding may fail if directory does not exist
  • COOK-3543 - Do not try to set up as a slave
  • COOK-3351 - Fix a typo in ldap-ldap.conf.erb template

v0.11.4

Bug

v0.11.2

Bug

  • [COOK-2496]: openldap: rootpw is badly set in attributes file
  • [COOK-2970]: openldap cookbook has foodcritic failures

v0.11.0

  • [COOK-1588] - general cleanup/improvements
  • [COOK-1985] - attributes file has a search method

v0.10.0

  • [COOK-307] - create directory with attribute

v0.9.4

  • Initial/Current release

Foodcritic Metric 
            
2.1.0 passed this metric

Sous Chefs Sous Chefs
Jason Field
Lance Albertson

Details

View Source View Issues

Updated March 10, 2015 Created on

Supported Platforms

  • debian >= 0.0.0
  • ubuntu >= 0.0.0

License

Apache 2.0

Download Cookbook