REFERENCE.md
Reference

Table of Contents

Classes

Public Classes

  • ds_389: Manages and configures the 389 Directory Server

Private Classes

  • ds_389::install: Installs packages and sets up the user, group and runtime environment for 389 DS.

Defined types

  • ds_389::add: Adds an ldif file to a 389 ds instance.
  • ds_389::backup: Sets up backup jobs for a 389 ds instance.
  • ds_389::instance: Manages a 389 ds instance.
  • ds_389::modify: Adds an ldif modify file to a 389 ds instance.
  • ds_389::plugin: Manages a plugin for a 389 ds instance.
  • ds_389::replication: Sets up replication for a 389 ds instance.
  • ds_389::schema: Adds a schema extension ldif file to a 389 ds instance.
  • ds_389::service: Manages the service for a 389 ds instance.
  • ds_389::ssl: Manages SSL for a 389 ds instance.

Tasks

  • reinit_consumer: Allows you to reinitialize replication for a consumer

Classes

ds_389

Manages and configures the 389 Directory Server

Examples

include ds_389

Parameters

The following parameters are available in the ds_389 class:

cacert_rehash

Data type: String

The command that is used to rehash CA certificates.

cacerts_path

Data type: Stdlib::Absolutepath

Target directory the 389 ds certs should be exported to. Default: '/etc/openldap/cacerts'

dnf_module_name

Data type: Optional[String]

The name of the DNF module that should be enabled on RHEL. Optional.

Default value: undef

dnf_module_version

Data type: Optional[String]

The version of the DNF module that should be enabled on RHEL. Optional.

Default value: undef

group

Data type: String

Group account 389 ds user should belong to. Default: 'dirsrv'

home_dir

Data type: Stdlib::Absolutepath

Home directory for the 389 ds user account. Default: '/usr/share/dirsrv'

instances

Data type: Hash

A hash of ds_389::instance resources. Optional.

limits_config_dir

Data type: Stdlib::Absolutepath

Target directory for resource limit configuration.

nsstools_package_name

Data type: String

Name of the NSS tools package.

package_ensure

Data type: String

389 ds package state. Default: 'installed'

package_name

Data type: Variant[String,Array]

Name of the 389 ds package to install. Default: '389-ds-base'

path

Data type: String

Specifies the content of the PATH environment variable when running commands. Should usually NOT be altered.

service_type

Data type: String

The service manager that should be used.

ssl_dir

Data type: Stdlib::Absolutepath

Target directory for generated SSL certificates.

ssl_version_min_support

Data type: Boolean

Obsolete parameter, only kept for compatibility with spacepants/puppet-ds_389. Will be removed in a later version.

supplier_role_name

Data type: String

The name of the supplier replication role. In 389-ds this role was renamed from 'master' to 'supplier' in a backwards-incompatible fashion (issue #4656), so the value must match the installed 389-ds version.

user

Data type: String

User account 389 ds should run as. Default: 'dirsrv'

user_shell

Data type: String

Shell for the user account. Usually a pseudo-shell to prevent console access.

Defined types

ds_389::add

Adds an ldif file to a 389 ds instance.

Examples

Adding an ldif file with required params.
ds_389::add { 'add_example_1':
  server_id    => 'foo',
  source       => 'puppet:///path/to/file.ldif',
  root_dn      => 'cn=Directory Manager',
  root_dn_pass => 'supersecure',
}
Adding an ldif file when using a template.
ds_389::add { 'add_example_2':
  server_id    => 'foo',
  content      => epp('profiles/template.ldif.epp'),
  root_dn      => 'cn=Directory Manager',
  root_dn_pass => 'supersecure',
}
Adding an ldif file when using all params.
ds_389::add { 'add_example_3':
  server_id    => 'foo',
  source       => '/path/to/file.ldif',
  root_dn      => 'cn=Directory Manager',
  root_dn_pass => 'supersecure',
  server_host  => 'foo.example.com',
  server_port  => 1389,
  user         => 'custom_user',
  group        => 'custom_group',
}

Parameters

The following parameters are available in the ds_389::add defined type:

content

Data type: Optional[String]

The content value to use for the ldif file. Required, unless providing the source.

Default value: undef

group

Data type: String

The group of the created ldif file. Default: $ds_389::group

Default value: $ds_389::group

protocol

Data type: Enum['ldap','ldaps']

The protocol to use when calling ldapadd. Default: 'ldap'

Default value: 'ldap'

root_dn_pass

Data type: Variant[String,Sensitive[String]]

The password to use when calling ldapadd. Required.

root_dn

Data type: String

The bind DN to use when calling ldapadd. Required.

server_host

Data type: String

The host to use when calling ldapadd. Default: $facts['networking']['fqdn']

Default value: $facts['networking']['fqdn']

server_id

Data type: String

The 389 ds instance name. Required.

server_port

Data type: Integer

The port to use when calling ldapadd. Default: 389

Default value: 389

source

Data type: Optional[String]

The source path to use for the ldif file. Required, unless providing the content.

Default value: undef

starttls

Data type: Boolean

Whether to use StartTLS when calling ldapadd. Default: false

Default value: false

user

Data type: String

The owner of the created ldif file. Default: $ds_389::user

Default value: $ds_389::user

ds_389::backup

Sets up backup jobs for a 389 ds instance.

Examples

ds_389::backup { 'daily backup':
  root_dn      => 'cn=Directory Manager',
  root_dn_pass => 'supersecure',
  server_id    => 'instancename',
}

Parameters

The following parameters are available in the ds_389::backup defined type:

backup_dir

Data type: Optional[Stdlib::Absolutepath]

The directory where the backup files will be stored. The directory must be readable and writable by the 389-ds user. Default: /var/lib/dirsrv/slapd-instance/bak

Default value: undef

ensure

Data type: String

This parameter controls whether the backup job should be created (present) or removed (absent).

Default value: 'present'

environment

Data type: Array

Any environment settings associated with the backup cron job. Note that the PATH variable is automatically added to the environment.

Default value: []

protocol

Data type: Enum['ldap','ldaps']

The protocol to use when performing the backup.

Default value: 'ldaps'

root_dn_pass

Data type: Variant[String,Sensitive[String]]

The password to use when performing the backup. Required.

root_dn

Data type: String

The bind DN to use when performing the backup. Required.

rotate

Data type: Integer

The maximum backup age in days. Older backups will be removed.

Default value: 30

time

Data type: Array

An array containing the cron schedule in this order: minute, hour, weekday.

Default value: ['15', '23', '*']

server_host

Data type: String

The host to use when performing the backup. Default: $facts['networking']['fqdn']

Default value: $facts['networking']['fqdn']

server_id

Data type: String

The 389 ds instance name. Required.

server_port

Data type: Integer

The port to use when performing the backup. Default: 636

Default value: 636

success_file

Data type: Stdlib::Absolutepath

Path of a file that is created after each successful backup, so that monitoring can check whether the last backup completed.

Default value: '/tmp/389ds_backup_success'
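A complete backup declaration, added here as an example and not taken from the module's own REFERENCE.md: the bind password is wrapped in Sensitive so Puppet redacts it from logs and reports, the job talks to the instance over ldaps only, and the success file is placed next to the backups so an external check can watch its modification time. The instance name 'directory', the Hiera key and the mail address are hypothetical.

```puppet
# Added example (not the module's code). Assumes an instance named
# 'directory' exists and that the Hiera key below is defined (hypothetical).
ds_389::backup { 'directory nightly backup':
  ensure       => 'present',
  server_id    => 'directory',
  root_dn      => 'cn=Directory Manager',
  # Sensitive() keeps the password out of reports and agent logs.
  root_dn_pass => Sensitive(lookup('profile::ldap::root_dn_pass')),
  # Never bind in the clear for the backup; use the TLS port.
  protocol     => 'ldaps',
  server_port  => 636,
  # Must be readable and writable by the 389-ds user.
  backup_dir   => '/var/lib/dirsrv/slapd-directory/bak',
  # Delete backups older than 14 days.
  rotate       => 14,
  # Cron schedule as [minute, hour, weekday]: 02:30 every day.
  time         => ['30', '2', '*'],
  # Extra cron environment; PATH is added by the module automatically.
  environment  => ['MAILTO=ldap-admins@example.com'],
  # Touched after a successful run; a monitoring check that alerts when this
  # file is older than about a day catches silently failing backups.
  success_file => '/var/lib/dirsrv/slapd-directory/bak/.last_success',
}
```

Keep success_file on the same filesystem as the backups rather than under /tmp, otherwise a tmp cleaner can remove it and produce false alerts.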

ds_389::instance

Manages a 389 ds instance.

Examples

A basic instance with required params.
ds_389::instance { 'foo':
  root_dn      => 'cn=Directory Manager',
  suffix       => 'dc=example,dc=com',
  cert_db_pass => 'secret',
  root_dn_pass => 'supersecure',
  server_id    => 'specdirectory',
}

Parameters

The following parameters are available in the ds_389::instance defined type:

add_ldifs

Data type: Optional[Hash]

A hash of ldif add files. See add.pp. Optional.

Default value: undef

backup_enable

Data type: Boolean

Whether to enable a periodic backup job for this instance.

Default value: false

backup_notls

Data type: Boolean

Whether to disable TLS connection for the backup job.

Default value: false

base_load_ldifs

Data type: Optional[Hash]

A hash of ldif add files to load after all other config files have been added. Optional.

Default value: undef

cert_db_pass

Data type: Variant[String,Sensitive[String]]

The certificate db password to ensure. Required.

create_suffix

Data type: Boolean

Set this parameter to true to create a generic root node entry for the suffix in the database.

Default value: true

group

Data type: String

The group for the instance. Default: $ds_389::group

Default value: $ds_389::group

minssf

Data type: Integer

The minimum security strength for connections. Default: 0

Default value: 0

modify_ldifs

Data type: Optional[Hash]

A hash of ldif modify files. See modify.pp. Optional.

Default value: undef

plugins

Data type: Optional[Hash]

A hash of plugins to enable or disable. See plugin.pp. Optional.

Default value: undef

replication

Data type: Optional[Hash]

A replication config hash. See replication.pp. Optional.

Default value: undef

root_dn_pass

Data type: Variant[String,Sensitive[String]]

The root dn password to ensure. Required.

root_dn

Data type: String

The root dn to ensure. Required.

schema_extensions

Data type: Optional[Hash]

A hash of schemas to ensure. See schema.pp. Optional.

Default value: undef

server_host

Data type: String

The fqdn for the instance. Default: $facts['networking']['fqdn']

Default value: $facts['networking']['fqdn']

server_id

Data type: String

The server identifier for the instance. Default: $facts['networking']['hostname']

Default value: $facts['networking']['hostname']

server_port

Data type: Integer

The port to use for non-SSL traffic. Default: 389

Default value: 389

server_ssl_port

Data type: Integer

The port to use for SSL traffic. Default: 636

Default value: 636

ssl

Data type: Optional[Hash]

An ssl config hash. See ssl.pp. Optional.

Default value: undef

ssl_version_min

Data type: Optional[String]

The minimum TLS version the instance should support. Optional.

Default value: undef

subject_alt_names

Data type: Optional[Array]

An array of subject alt names, if using self-signed certificates. Optional.

Default value: undef

suffix

Data type: String

The LDAP suffix to use. Required.

user

Data type: String

The user for the instance. Default: $ds_389::user

Default value: $ds_389::user
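The ds_389 class and ds_389::instance parameters above, combined into one hardened declaration. This is an added example, not code from the module's REFERENCE.md. It assumes that each entry of the class's instances hash is declared as a ds_389::instance resource (title => parameters), and the Hiera keys, the instance name 'directory' and the ldif path are hypothetical.

```puppet
# Added example (not the module's code). Assumes `instances` entries become
# ds_389::instance resources and that the Hiera keys exist (hypothetical).

# Wrapping secrets in Sensitive() keeps them out of Puppet logs and reports;
# every password parameter accepts Variant[String, Sensitive[String]].
$root_dn_pass = Sensitive(lookup('profile::ldap::root_dn_pass'))
$cert_db_pass = Sensitive(lookup('profile::ldap::cert_db_pass'))

class { 'ds_389':
  package_ensure => 'installed',
  instances      => {
    'directory' => {
      'server_id'       => 'directory',
      'suffix'          => 'dc=example,dc=com',
      'root_dn'         => 'cn=Directory Manager',
      'root_dn_pass'    => $root_dn_pass,
      'cert_db_pass'    => $cert_db_pass,
      'server_port'     => 389,
      'server_ssl_port' => 636,
      # Require a security strength factor of 128 on every connection, so
      # the server rejects operations on unencrypted port-389 sessions.
      'minssf'          => 128,
      # Refuse TLS 1.0 and 1.1 clients.
      'ssl_version_min' => 'TLS1.2',
      # Periodic backup job for this instance; backup_notls stays false,
      # so the backup binds over TLS.
      'backup_enable'   => true,
    },
  },
}

# Load the base entries once the class (and thus the instance) is applied.
# Because minssf is 128, the ldapadd call itself must be encrypted, hence
# ldaps on the SSL port rather than the default plain ldap on 389.
ds_389::add { 'directory base OUs':
  server_id    => 'directory',
  source       => 'puppet:///modules/profile/ldap/base_ous.ldif',
  root_dn      => 'cn=Directory Manager',
  root_dn_pass => $root_dn_pass,
  protocol     => 'ldaps',
  server_port  => 636,
  require      => Class['ds_389'],
}
```

Once minssf is raised above 0, every ds_389::add, ds_389::modify and ds_389::plugin resource that targets the instance has to use protocol => 'ldaps' or starttls => true; with the default plain ldap on port 389 the server refuses the bind. The ldap client on the node must also trust the instance certificate, which is what the class's cacerts_path export and cacert_rehash command are for.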

ds_389::modify

Adds an ldif modify file to a 389 ds instance.

Examples

Adding an ldif modify file with required params.
ds_389::modify { 'modify_example_1':
  server_id    => 'foo',
  source       => 'puppet:///path/to/file.ldif',
  root_dn      => 'cn=Directory Manager',
  root_dn_pass => 'supersecure',
}
Adding an ldif modify file when using a template.
ds_389::modify { 'modify_example_2':
  server_id    => 'foo',
  content      => epp('profiles/template.ldif.epp'),
  root_dn      => 'cn=Directory Manager',
  root_dn_pass => 'supersecure',
}
Adding an ldif modify file when using all params.
ds_389::modify { 'modify_example_3':
  server_id    => 'foo',
  source       => '/path/to/file.ldif',
  root_dn      => 'cn=Directory Manager',
  root_dn_pass => 'supersecure',
  server_host  => 'foo.example.com',
  server_port  => 1389,
  user         => 'custom_user',
  group        => 'custom_group',
}

Parameters

The following parameters are available in the ds_389::modify defined type:

content

Data type: Optional[String]

The content value to use for the ldif file. Required, unless providing the source.

Default value: undef

group

Data type: String

The group of the created ldif file. Default: $ds_389::group

Default value: $ds_389::group

protocol

Data type: Enum['ldap','ldaps']

The protocol to use when calling ldapmodify. Default: 'ldap'

Default value: 'ldap'

root_dn_pass

Data type: Variant[String,Sensitive[String]]

The password to use when calling ldapmodify. Required.

root_dn

Data type: String

The bind DN to use when calling ldapmodify. Required.

server_host

Data type: String

The host to use when calling ldapmodify. Default: $facts['networking']['fqdn']

Default value: $facts['networking']['fqdn']

server_id

Data type: String

The 389 ds instance name. Required.

server_port

Data type: Integer

The port to use when calling ldapmodify. Default: 389

Default value: 389

source

Data type: Optional[String]

The source path to use for the ldif file. Required, unless providing the content.

Default value: undef

starttls

Data type: Boolean

Whether to use StartTLS when calling ldapmodify. Default: false

Default value: false

user

Data type: String

The owner of the created ldif file. Default: $ds_389::user

Default value: $ds_389::user

ds_389::plugin

Manages a plugin for a 389 ds instance.

Examples

Enable a plugin with required params.
ds_389::plugin { 'memberof':
  server_id    => 'foo',
  root_dn      => 'cn=Directory Manager',
  root_dn_pass => 'supersecure',
}
Disable a plugin when using all params.
ds_389::plugin { 'memberof':
  ensure       => 'disabled',
  server_id    => 'foo',
  root_dn      => 'cn=Directory Manager',
  root_dn_pass => 'supersecure',
  server_host  => 'foo.example.com',
  server_port  => 1389,
}

Parameters

The following parameters are available in the ds_389::plugin defined type:

ensure

Data type: Enum['enabled','disabled']

The desired state of the plugin. Default: 'enabled'

Default value: 'enabled'

options

Data type: Array

An array containing additional plugin options. See man 8 dsconf for a complete list. Note that several options can only be applied once; further attempts will fail. Optional.

Default value: []

protocol

Data type: Enum['ldap','ldaps']

The protocol to use when calling ldapadd. Default: 'ldap'

Default value: 'ldap'

root_dn_pass

Data type: Variant[String,Sensitive[String]]

The password to use when calling ldapadd. Required.

root_dn

Data type: String

The bind DN to use when calling ldapadd. Required.

server_host

Data type: String

The host to use when calling ldapadd. Default: $facts['networking']['fqdn']

Default value: $facts['networking']['fqdn']

server_id

Data type: String

The 389 ds instance name. Required.

server_port

Data type: Integer

The port to use when calling ldapadd. Default: 389

Default value: 389

ds_389::replication

Sets up replication for a 389 ds instance.

Examples

A basic consumer with required params.
ds_389::replication { 'consumer1':
  bind_dn          => 'cn=Replication Manager,cn=config',
  replication_pass => 'supersecret',
  root_dn          => 'cn=Directory Manager',
  root_dn_pass     => 'supersecure',
  role             => 'consumer',
  suffix           => 'dc=example,dc=com',
}
A basic hub with 2 consumers.
ds_389::replication { 'hub1':
  bind_dn          => 'cn=Replication Manager,cn=config',
  replication_pass => 'supersecret',
  root_dn          => 'cn=Directory Manager',
  root_dn_pass     => 'supersecure',
  role             => 'hub',
  suffix           => 'dc=example,dc=com',
  consumers        => [
    'consumer1',
    'consumer2',
  ],
}
A basic supplier in multi-master mode with 2 other suppliers and initializing replication.
ds_389::replication { 'supplier1':
  bind_dn          => 'cn=Replication Manager,cn=config',
  replication_pass => 'supersecret',
  root_dn          => 'cn=Directory Manager',
  root_dn_pass     => 'supersecure',
  role             => 'supplier',
  suffix           => 'dc=example,dc=com',
  init_suppliers   => true,
  suppliers        => [
    'supplier1',
    'supplier2',
  ],
}

Parameters

The following parameters are available in the ds_389::replication defined type:

bind_dn

Data type: Optional[String]

The bind dn of the replication user. Required.

Default value: undef

consumers

Data type: Optional[Array]

An array of consumer names to ensure. Optional.

Default value: undef

excluded_attributes

Data type: Optional[Array]

An array of attributes to exclude from replication. Optional.

Default value: undef

group

Data type: String

The group of the created ldif file. Default: $ds_389::group

Default value: $ds_389::group

hubs

Data type: Optional[Array]

An array of hub names to ensure. Optional.

Default value: undef

id

Data type: Optional[Integer]

The replica id. Optional unless declaring a supplier.

Default value: undef

init_consumers

Data type: Boolean

Whether to initialize replication for consumers. Default: false

Default value: false

init_hubs

Data type: Boolean

Whether to initialize replication for hubs. Default: false

Default value: false

init_suppliers

Data type: Boolean

Whether to initialize replication for suppliers. Default: false

Default value: false

protocol

Data type: Enum['ldap','ldaps']

The protocol to use when calling ldapmodify. Default: 'ldap'

Default value: 'ldap'

purge_delay

Data type: Integer

Time in seconds that state information stored in replica entries is retained. Default: 604800

Default value: 604800

replica_port

Data type: Integer

The port to use for replication. Default: 389

Default value: 389

replica_transport

Data type: Enum['LDAP','SSL','TLS','LDAPS','StartTLS']

The transport type to use for replication. Default: 'LDAP'

Default value: 'LDAP'

replication_pass

Data type: Variant[String,Sensitive[String]]

The password of the replication user. Required.

replication_user

Data type: String

The user account to use for replication.

Default value: 'Replication Manager'

role

Data type: Enum['supplier','hub','consumer']

Replication role. Either 'supplier', 'hub', or 'consumer'. Required.

root_dn_pass

Data type: Variant[String,Sensitive[String]]

The root dn password for configuring replication. Required.

root_dn

Data type: String

The root dn for configuring replication. Required.

server_host

Data type: String

The host to use when calling ldapmodify. Default: $facts['networking']['fqdn']

Default value: $facts['networking']['fqdn']

server_port

Data type: Integer

The port to use when calling ldapmodify. Default: 389

Default value: 389

starttls

Data type: Boolean

Whether to use StartTLS when calling ldapmodify. Default: false

Default value: false

suffix

Data type: String

The LDAP suffix to use. Required.

supplier_role_name

Data type: String

The name of the supplier replication role. In 389-ds this role was renamed from 'master' to 'supplier' in a backwards-incompatible fashion (issue #4656), so the value must match the installed 389-ds version.

Default value: $ds_389::supplier_role_name

suppliers

Data type: Optional[Array]

An array of supplier names to ensure. Optional.

Default value: undef

user

Data type: String

The owner of the created ldif file. Default: $ds_389::user

Default value: $ds_389::user
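A full topology (two suppliers in multi-master mode, one hub, one consumer) as an added example that is not part of the module's REFERENCE.md. It shows how the resource titles are the names referenced in suppliers, hubs and consumers, that only suppliers need a unique replica id, and that replication and the management connection can both be kept off cleartext LDAP. Following the module's own example above, each supplier's list includes itself. The node names and Hiera keys are hypothetical; the common parameters are shared through a hash and the `*` splat attribute.

```puppet
# Added example (not the module's code). Hostnames and Hiera keys are
# hypothetical; one node block per server, as in a site.pp.
$replication_common = {
  'bind_dn'           => 'cn=Replication Manager,cn=config',
  'replication_pass'  => Sensitive(lookup('profile::ldap::replication_pass')),
  'root_dn'           => 'cn=Directory Manager',
  'root_dn_pass'      => Sensitive(lookup('profile::ldap::root_dn_pass')),
  'suffix'            => 'dc=example,dc=com',
  # Replication agreements use LDAPS on 636, so directory data never
  # crosses the network unencrypted.
  'replica_transport' => 'LDAPS',
  'replica_port'      => 636,
  # The ldapmodify calls that configure replication also go over ldaps.
  'protocol'          => 'ldaps',
  'server_port'       => 636,
}

node 'supplier1.example.com' {
  ds_389::replication { 'supplier1':
    *              => $replication_common,
    role           => 'supplier',
    id             => 1,   # replica ids must be unique across suppliers
    suppliers      => ['supplier1', 'supplier2'],
    hubs           => ['hub1'],
    # Push the initial copy from this supplier only; initializing from
    # both sides at once is not needed.
    init_suppliers => true,
    init_hubs      => true,
  }
}

node 'supplier2.example.com' {
  ds_389::replication { 'supplier2':
    *         => $replication_common,
    role      => 'supplier',
    id        => 2,
    suppliers => ['supplier1', 'supplier2'],
    hubs      => ['hub1'],
  }
}

node 'hub1.example.com' {
  ds_389::replication { 'hub1':
    *              => $replication_common,
    role           => 'hub',
    consumers      => ['consumer1'],
    init_consumers => true,
  }
}

node 'consumer1.example.com' {
  ds_389::replication { 'consumer1':
    *    => $replication_common,
    role => 'consumer',
  }
}
```

On a 389-ds release that still uses the old role name, set supplier_role_name => 'master' on the ds_389 class (it is inherited here through the default $ds_389::supplier_role_name); on current releases leave it at 'supplier'.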

ds_389::schema

Adds a schema extension ldif file to a 389 ds instance.

Examples

Adding a schema extension with required params.
ds_389::schema { '50example':
  server_id => 'foo',
  source    => 'puppet:///path/to/file.ldif',
}

Parameters

The following parameters are available in the ds_389::schema defined type:

group

Data type: String

The group of the created ldif file. Default: $ds_389::group

Default value: $ds_389::group

server_id

Data type: String

The 389 ds instance name. Required.

source

Data type: String

The source path to use for the ldif file. Required.

user

Data type: String

The owner of the created ldif file. Default: $ds_389::user

Default value: $ds_389::user

ds_389::service

Manages the service for a 389 ds instance.

Parameters

The following parameters are available in the ds_389::service defined type:

service_enable

Data type: Boolean

Whether the service should be enabled. Default: true

Default value: true

service_ensure

Data type: String

The state the service should be in. Default: 'running'

Default value: 'running'

ds_389::ssl

Manages SSL for a 389 ds instance.

Examples

ds_389::ssl { 'foo':
  cert_name    => 'fooCert',
  root_dn      => 'cn=Directory Manager',
  root_dn_pass => 'supersecure',
}

Parameters

The following parameters are available in the ds_389::ssl defined type:

cert_name

Data type: String

The nickname of the SSL cert to use. Required.

group

Data type: String

The group of the created ldif file. Default: $ds_389::group

Default value: $ds_389::group

minssf

Data type: Integer

The minimum security strength for connections. Default: 0

Default value: 0

root_dn_pass

Data type: Variant[String,Sensitive[String]]

The password to use when calling ldapmodify. Required.

root_dn

Data type: String

The bind DN to use when calling ldapmodify. Required.

server_host

Data type: String

The host to use when calling ldapmodify. Default: $facts['networking']['fqdn']

Default value: $facts['networking']['fqdn']

server_port

Data type: Integer

The port to use when calling ldapmodify. Default: 389

Default value: 389

server_ssl_port

Data type: Integer

The port to use for SSL traffic. Default: 636

Default value: 636

ssl_version_min

Data type: String

The minimum TLS version to allow. Default: 'TLS1.1'

Default value: 'TLS1.1'

user

Data type: String

The owner of the created ldif file. Default: $ds_389::user

Default value: $ds_389::user

Tasks

reinit_consumer

Allows you to reinitialize replication for a consumer

Supports noop? false

Parameters

instance_name

Data type: String[1]

Directory Server instance name

replica_name

Data type: String[1]

Replica name to initialize

suffix

Data type: String[1]

LDAP suffix to use

server_host

Data type: String[1]

Host to connect to

server_port

Data type: Integer

SSL port to connect to

protocol

Data type: String[1]

Connection protocol

starttls

Data type: Boolean

Connect with StartTLS

root_dn

Data type: String[1]

The root dn to bind as

root_dn_pass

Data type: String[1]

The root dn password