Puppet Class: profile::openldap

Defined in:
modules/profile/manifests/openldap.pp

Overview

SPDX-License-Identifier: Apache-2.0 openldap server

Parameters:

  • hostname (Any) (defaults to: lookup('profile::openldap::hostname'))
  • mirror_mode (Any) (defaults to: lookup('profile::openldap::mirror_mode'))
  • backup (Any) (defaults to: lookup('profile::openldap::backup'))
  • sync_pass (Any) (defaults to: lookup('profile::openldap::sync_pass'))
  • master (Any) (defaults to: lookup('profile::openldap::master'))
  • server_id (Any) (defaults to: lookup('profile::openldap::server_id'))
  • hash_passwords (Any) (defaults to: lookup('profile::openldap::hash_passwords'))
  • read_only (Any) (defaults to: lookup('profile::openldap::read_only'))
  • certname (Any) (defaults to: lookup('profile::openldap::certname'))
  • openstack_controllers (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::openstack::eqiad1::openstack_controllers'))
  • size_limit (Integer) (defaults to: lookup('profile::openldap::size_limit')) 


3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
 
# File 'modules/profile/manifests/openldap.pp', line 3

class profile::openldap (
    $hostname = lookup('profile::openldap::hostname'),
    $mirror_mode = lookup('profile::openldap::mirror_mode'),
    $backup = lookup('profile::openldap::backup'),
    $sync_pass = lookup('profile::openldap::sync_pass'),
    $master = lookup('profile::openldap::master'),
    $server_id = lookup('profile::openldap::server_id'),
    $hash_passwords = lookup('profile::openldap::hash_passwords'),
    $read_only = lookup('profile::openldap::read_only'),
    $certname = lookup('profile::openldap::certname'),
    Array[Stdlib::Fqdn] $openstack_controllers = lookup('profile::openstack::eqiad1::openstack_controllers'),
    Integer             $size_limit = lookup('profile::openldap::size_limit'),
){
    # Certificate needs to be readable by slapd
    acme_chief::cert { $certname:
        puppet_svc => 'slapd',
        key_group  => 'openldap',
    }

    $suffix = 'dc=wikimedia,dc=org'

    class { '::openldap':
        server_id      => $server_id,
        sync_pass      => $sync_pass,
        suffix         => $suffix,
        datadir        => '/var/lib/ldap/labs',
        ca             => '/etc/ssl/certs/ca-certificates.crt',
        certificate    => "/etc/acmecerts/${certname}/live/rsa-2048.chained.crt",
        key            => "/etc/acmecerts/${certname}/live/rsa-2048.key",
        extra_schemas  => ['dnsdomain2.schema', 'nova_sun.schema', 'openssh-ldap.schema',
                          'puppet.schema', 'sudo.schema', 'wmf-user.schema'],
        extra_indices  => 'openldap/main-indices.erb',
        extra_acls     => template('openldap/main-acls.erb'),
        mirrormode     => $mirror_mode,
        master         => $master,
        hash_passwords => $hash_passwords,
        read_only      => $read_only,
        size_limit     => $size_limit,
    }

    # Ldap services are used all over the place, including within
    # WMCS and on various prod hosts.
    ferm::service { 'ldap':
        proto  => 'tcp',
        port   => '(389 636)',
        srange => '($PRODUCTION_NETWORKS $LABS_NETWORKS)',
    }

    $monitoring_rw_desc = $read_only.bool2str('read-only', 'writable')
    monitoring::service { 'ldap':
        description   => "LDAP (${monitoring_rw_desc} server)",
        check_command => 'check_ldap!dc=wikimedia,dc=org',
        critical      => false,
        notes_url     => 'https://wikitech.wikimedia.org/wiki/LDAP#Troubleshooting',
    }

    if $backup {
        backup::openldapset { 'openldap': }
    }

    include profile::openldap::restarts
}