puppet-openldap
openldap::server::overlay incorrectly parses suffix
Using an "overlay on suffix" title for `openldap::server::overlay` ends up with an incorrect suffix (`[]`, see below). It seems that the title is incorrectly parsed.
Using the `suffix` attribute gives the same result.
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 6.24
- Ruby: 2.5.9
- Distribution: CentOS 7
- Module version: 4.0.0
How to reproduce
```puppet
openldap::server::overlay { 'syncprov on olcDatabase={2}mdb,cn=config':
  ensure  => present,
  options => {
    'olcSpCheckpoint' => '100 10',
    'olcSpSessionlog' => '100'
  },
}
```
What are you seeing
```
==> ldap-master.jcs: dn: olcOverlay=syncprov,[]
==> ldap-master.jcs: changetype: add
==> ldap-master.jcs: objectClass: olcConfig
==> ldap-master.jcs: objectClass: olcOverlayConfig
==> ldap-master.jcs: objectClass: olcSyncProvConfig
==> ldap-master.jcs: olcOverlay: syncprov
==> ldap-master.jcs: olcSpCheckpoint: 100 10
==> ldap-master.jcs: olcSpSessionlog: 100
==> ldap-master.jcs:
==> ldap-master.jcs: Error message: Execution of '/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_overlay20211007-7990-1vesjdo' returned 34: SASL/EXTERNAL authentication started
==> ldap-master.jcs: SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
==> ldap-master.jcs: SASL SSF: 0
==> ldap-master.jcs: ldap_add: Invalid DN syntax (34)
==> ldap-master.jcs: additional info: invalid DN
==> ldap-master.jcs: adding new entry "olcOverlay=syncprov,[]"
```
What behaviour did you expect instead
The obtained dn should be something like `dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config`.
Hey!
```puppet
openldap::server::overlay { 'syncprov on olcDatabase={2}mdb,cn=config':
  ensure  => present,
  options => {
    'olcSpCheckpoint' => '100 10',
    'olcSpSessionlog' => '100'
  },
}
```
Hum… Should probably be like :monocle_face: :
```puppet
openldap::server::overlay { 'syncprov on dc=example,dc=com':
  ensure  => present,                        # ^^^^^^^^^^^^^^^^^
  options => {                               # the suffix
    'olcSpCheckpoint' => '100 10',
    'olcSpSessionlog' => '100'
  },
}
```
The (working) configuration I am trying to obtain is this one:
```ldif
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100
```
So I am enabling the syncprov overlay on the mdb database I want to synchronize, as described in the OpenLDAP documentation: https://www.openldap.org/doc/admin24/guide.html#N-Way%20Multi-Provider
I tried the one you suggested, but I'm not obtaining the desired result.
Same behaviour in version 6.0.0: you aren't able to add an overlay with the suffix `olcDatabase={2}hdb,cn=config`.
Okay, giving it another try after looking into `openldap_overlay` reveals the following example:
```puppet
openldap::server::overlay { 'ppolicy on dc=example,dc=net':
  ensure  => present,
  options => {
    'olcPPolicyDefault'        => 'cn=default,ou=policies,dc=example,dc=net',
    'olcPPolicyForwardUpdates' => 'FALSE',
    'olcPPolicyHashCleartext'  => 'TRUE',
    'olcPPolicyUseLockout'     => 'FALSE'
  },
}
```
which produces the expected result in the database:
```ldif
# {0}ppolicy, {2}hdb, config
dn: olcOverlay={0}ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=net
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
```
I would suggest closing this issue, unless it is used to improve the documentation.
:+1: for improving any documentation! Can you please contribute some example based on your experience in a PR :grin: ?
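The thread above boils down to one point: the text after `on` in the resource title is the database's `olcSuffix` (`dc=example,dc=com`), not the `olcDatabase=...,cn=config` DN, and a suffix that matches no database yields the invalid `olcOverlay=syncprov,[]` entry. The following Ruby script is an added example, not code from the puppet-openldap module. It assumes (this is not stated on the page) that the module resolves the suffix by looking up the `olcDatabase` entry whose `olcSuffix` matches; here that lookup is simulated against a constructed LDIF dump of `cn=config`, and an unmatched suffix raises an error instead of silently producing `[]`.

```ruby
# Added example (not the puppet-openldap module's own code): resolves an
# "<overlay> on <suffix>" resource title to the cn=config DN the overlay
# entry must be added under, as the working ppolicy example in the thread shows.
#
# Assumption (not from the page): the suffix is matched against the olcSuffix
# of the olcDatabase entries under cn=config. The lookup is simulated on a
# constructed LDIF sample rather than a live ldapsearch.

# Constructed sample of a cn=config tree; not captured from a real server.
SAMPLE_CONFIG_LDIF = <<~LDIF
  dn: cn=config
  objectClass: olcGlobal
  cn: config

  dn: olcDatabase={-1}frontend,cn=config
  objectClass: olcDatabaseConfig
  olcDatabase: {-1}frontend

  dn: olcDatabase={0}config,cn=config
  objectClass: olcDatabaseConfig
  olcDatabase: {0}config

  dn: olcDatabase={2}mdb,cn=config
  objectClass: olcDatabaseConfig
  objectClass: olcMdbConfig
  olcDatabase: {2}mdb
  olcSuffix: dc=example,dc=com
LDIF

# Parse a simple LDIF dump into entries: { dn: String, attrs: { lowercased name => [values] } }.
# Blank lines separate entries; comment lines are skipped; attribute names are case-insensitive.
def parse_ldif(text)
  entries = []
  text.split(/\n\s*\n/).each do |block|
    entry = { dn: nil, attrs: Hash.new { |h, k| h[k] = [] } }
    block.each_line do |line|
      line = line.chomp
      next if line.empty? || line.start_with?('#')
      name, value = line.split(/:\s*/, 2)
      if name.casecmp('dn').zero?
        entry[:dn] = value
      else
        entry[:attrs][name.downcase] << value
      end
    end
    entries << entry if entry[:dn]
  end
  entries
end

# Split an "<overlay> on <suffix>" title into [overlay, suffix]; nil if it does not match.
def parse_overlay_title(title)
  m = title.match(/\A(?<overlay>\S+)\s+on\s+(?<suffix>.+)\z/)
  m ? [m[:overlay], m[:suffix].strip] : nil
end

# Normalise a DN for comparison: trim around RDN separators and ignore case.
def normalize_dn(dn)
  dn.split(',').map(&:strip).join(',').downcase
end

# Return the DN of the olcDatabase entry whose olcSuffix equals +suffix+, or nil.
def find_database_dn(entries, suffix)
  want = normalize_dn(suffix)
  hit = entries.find do |e|
    e[:attrs]['olcsuffix'].any? { |s| normalize_dn(s) == want }
  end
  hit && hit[:dn]
end

# Build the DN the overlay entry is created under. A suffix naming no database
# is rejected with an ArgumentError rather than turning into "olcOverlay=...,[]".
def overlay_dn(title, config_ldif = SAMPLE_CONFIG_LDIF)
  overlay, suffix = parse_overlay_title(title)
  raise ArgumentError, "title must be '<overlay> on <suffix>': #{title.inspect}" unless overlay
  db_dn = find_database_dn(parse_ldif(config_ldif), suffix)
  raise ArgumentError, "no olcDatabase with olcSuffix #{suffix.inspect} under cn=config" unless db_dn
  "olcOverlay=#{overlay},#{db_dn}"
end

if __FILE__ == $PROGRAM_NAME
  puts overlay_dn('syncprov on dc=example,dc=com')
  begin
    overlay_dn('syncprov on olcDatabase={2}mdb,cn=config')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Run it with `ruby overlay_dn.rb`: the title with the real suffix resolves to `olcOverlay=syncprov,olcDatabase={2}mdb,cn=config`, while the title from the bug report (which passes the database DN as the suffix) is rejected up front, which is the behaviour a provider should have so the failure surfaces before `ldapmodify` is ever invoked.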