
Default access rules on new database

Open scorillo opened this issue 4 years ago • 1 comment

Can these default access rules for newly created databases be added later (in openldap::server::database) using the openldap::server::access resources?

https://github.com/voxpupuli/puppet-openldap/blob/ed3804fa5b25a05b648c091852ff628cc553388e/lib/puppet/provider/openldap_database/olc.rb#L264-L274

The current implementation (via the LDIF used for database creation) will lead to this kind of error on the first puppet agent run if you also try to manage the access rules for those new databases:

    Error: LDIF content:
    dn: olcDatabase={2}bdb,cn=config
    add: olcAccess
    olcAccess: {0}to *
      by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
      by * break

    Error message: Execution of '/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_access20210906-316889-sm5v7l' returned 20: SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    ldap_modify: Type or value exists (20)
            additional info: modify/add: olcAccess: value #0 already exists
    modifying entry "olcDatabase={2}bdb,cn=config"
    Error: /Stage[main]/Ospw_infrastructure::Profiles::Ldap::Setup::Acls_slave/Openldap::Server::Access[0 on dc=example,dc=com]/Openldap_access[0 on dc=example,dc=com]/ensure: change from 'absent' to 'present' failed: LDIF content:
    dn: olcDatabase={2}bdb,cn=config
    add: olcAccess
    olcAccess: {0}to *
      by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
      by * break

    Error message: Execution of '/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_access20210906-316889-sm5v7l' returned 20: SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    ldap_modify: Type or value exists (20)
            additional info: modify/add: olcAccess: value #0 already exists
    modifying entry "olcDatabase={2}bdb,cn=config" (corrective)

Or at least let the user control their presence using the `initdb` parameter:

    # Proposed: only seed the default ACLs when the database is being initialised.
    if resource[:initdb] == :true
      # Root connecting over ldapi:// (SASL EXTERNAL peercred) gets full control;
      # "by * break" lets evaluation continue to the next rule for everyone else.
      t << "olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break\n"
      # Passwords: owner may change, anyone may bind against it, admin may write, nobody may read.
      # The leading two spaces make these LDIF continuation lines of one olcAccess value.
      t << "olcAccess: to attrs=userPassword\n"
      t << "  by self write\n"
      t << "  by anonymous auth\n"
      t << "  by dn=\"cn=admin,#{resource[:suffix]}\" write\n"
      t << "  by * none\n"
      # The root DSE is readable by everyone.
      t << "olcAccess: to dn.base=\"\" by * read\n"
      # Everything else: owner and admin write, everyone reads.
      t << "olcAccess: to *\n"
      t << "  by self write\n"
      t << "  by dn=\"cn=admin,#{resource[:suffix]}\" write\n"
      t << "  by * read\n"
    end

Or both :wink: @smortex @alexjfisher

scorillo avatar Sep 06 '21 11:09 scorillo
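The failure in the report above is a plain idempotency gap: the provider sends `add: olcAccess` for an indexed value that slapd already holds, and slapd answers 20 ("Type or value exists"). The Ruby below is an added example, not code from puppet-openldap or from the issue author, showing the check a provider would make first: read the entry's current olcAccess values, unfold the LDIF, compare on the stored form, and only then emit an `add`, or a `delete`+`add` when the slot holds a different rule. The function names (`unfold_ldif`, `existing_access`, `access_modify_ldif`) are this example's own, and `SAMPLE_LDIF` is a constructed stand-in for what `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={2}bdb,cn=config' olcAccess` would return right after the initdb defaults from the issue were written.

```ruby
# Added example (not puppet-openldap code): idempotent olcAccess management.
# Constructed sample resembling a cn=config database entry as created with the
# issue's initdb defaults. Lines beginning with a single space are LDIF folds.
SAMPLE_LDIF = <<~LDIF
  dn: olcDatabase={2}bdb,cn=config
  olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=exter
   nal,cn=auth manage by * break
  olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="c
   n=admin,dc=example,dc=com" write by * none
  olcAccess: {2}to dn.base="" by * read
  olcAccess: {3}to * by self write by dn="cn=admin,dc=example,dc=com" write by
    * read
LDIF

# Join LDIF continuation lines (a line starting with one space continues the
# previous attribute value, with that single space removed).
def unfold_ldif(text)
  lines = []
  text.each_line do |raw|
    line = raw.chomp
    next if line.empty?
    if line.start_with?(' ') && !lines.empty?
      lines[-1] << line[1..-1]
    else
      lines << line.dup
    end
  end
  lines
end

# Map of {index => rule text} for every olcAccess value in the entry.
# olcAccess is X-ORDERED, so each stored value carries a {n} prefix.
def existing_access(ldif)
  rules = {}
  unfold_ldif(ldif).each do |line|
    next unless line.start_with?('olcAccess:')
    value = line.sub(/\AolcAccess:\s*/, '')
    m = value.match(/\A\{(\d+)\}(.*)\z/)
    raise "olcAccess value without {n} index: #{value}" unless m
    rules[m[1].to_i] = m[2]
  end
  rules
end

# Folding and repeated whitespace are not significant to slapd, so compare on
# a whitespace-collapsed form of the rule.
def normalize_acl(rule)
  rule.strip.gsub(/\s+/, ' ')
end

# Return nil when slot `index` already holds `rule` (nothing to send), or the
# LDIF a provider should pass to ldapmodify to reach the desired state.
def access_modify_ldif(dn, index, rule, existing)
  wanted = normalize_acl(rule)
  current = existing[index]
  return nil if current && normalize_acl(current) == wanted

  ldif = "dn: #{dn}\nchangetype: modify\n"
  if current
    # The slot exists with a different rule. A bare add of {index}... would
    # insert at that position and renumber the rest (or fail with 20 when the
    # text matches), so delete the indexed value first, then add it back.
    ldif << "delete: olcAccess\nolcAccess: {#{index}}\n-\n"
  end
  ldif << "add: olcAccess\nolcAccess: {#{index}}#{wanted}\n"
  ldif
end

if $PROGRAM_NAME == __FILE__
  dn = 'olcDatabase={2}bdb,cn=config'
  rules = existing_access(SAMPLE_LDIF)
  # The exact rule from the issue's failing LDIF: already present, so no modify.
  issue_rule = "to *\n  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage\n  by * break"
  puts access_modify_ldif(dn, 0, issue_rule, rules).inspect   # nil
  puts access_modify_ldif(dn, 4, 'to * by * none', rules)    # plain add
end
```

A provider that calls `existing_access` on a fresh `ldapsearch` of the entry before building its LDIF would have reported `{0}` as already in sync instead of failing the first agent run; the `delete`+`add` branch is what a later change to the same slot needs, since the `{n}` prefix on an `add` means "insert here", not "replace".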

I never experienced this because the OpenLDAP directories I manage existed before I used this module, but these default olcAccess rules do not make much sense to me :astonished:… I would drop them completely.

smortex avatar Sep 06 '21 22:09 smortex