Puppet Class: profile::openldap
- Defined in:
- modules/profile/manifests/openldap.pp
Overview
SPDX-License-Identifier: Apache-2.0

openldap server
# File 'modules/profile/manifests/openldap.pp', line 3
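# @summary Profile for a Wikimedia OpenLDAP (slapd) server.
#   Wires together the acme-chief TLS certificate, the `::openldap` class,
#   the firewall rule for the LDAP ports, an Icinga service check, optional
#   backups, and the restart profile.
#
# @param hostname          Server hostname from hiera. Not referenced in this
#                          class body; presumably consumed elsewhere - confirm before removing.
# @param mirror_mode       Passed through to ::openldap as `mirrormode`.
# @param backup            When truthy, declares backup::openldapset for this server.
# @param sync_pass         Replication credential passed to ::openldap. It arrives as a
#                          plain hiera value; wrapping it in Sensitive would keep it out of
#                          reports/catalog diffs - TODO confirm ::openldap accepts Sensitive.
# @param master            Replication master passed through to ::openldap.
# @param server_id         slapd server id passed through to ::openldap.
# @param hash_passwords    Passed through to ::openldap.
# @param read_only         Whether slapd runs read-only; also drives the check description.
# @param certname          acme-chief certificate name; determines the cert/key paths below.
# @param storage_backend   Passed through to ::openldap.
# @param openstack_control_nodes  Cloud control nodes whose FQDNs are handed to the ACL template.
# @param size_limit        slapd sizelimit passed through to ::openldap.
# @param firewall_src_sets Source sets allowed to reach 389/636; defaults to the
#                          production and cloud network sets.
class profile::openldap (
  $hostname                                          = lookup('profile::openldap::hostname'),
  $mirror_mode                                       = lookup('profile::openldap::mirror_mode'),
  $backup                                            = lookup('profile::openldap::backup'),
  $sync_pass                                         = lookup('profile::openldap::sync_pass'),
  $master                                            = lookup('profile::openldap::master'),
  $server_id                                         = lookup('profile::openldap::server_id'),
  $hash_passwords                                    = lookup('profile::openldap::hash_passwords'),
  $read_only                                         = lookup('profile::openldap::read_only'),
  $certname                                          = lookup('profile::openldap::certname'),
  $storage_backend                                   = lookup('profile::openldap::storage_backend'),
  Array[OpenStack::ControlNode] $openstack_control_nodes = lookup('profile::openstack::eqiad1::openstack_control_nodes'),
  Integer $size_limit                                = lookup('profile::openldap::size_limit'),
  Array[String[1]] $firewall_src_sets                = lookup('profile::openldap::firewall_src_sets', {default_value => ['PRODUCTION_NETWORKS', 'CLOUD_NETWORKS']}),
) {
  # Certificate needs to be readable by slapd: the private key is group-owned
  # by openldap so the daemon can load it without the key being world-readable.
  acme_chief::cert { $certname:
    puppet_svc => 'slapd',
    key_group  => 'openldap',
  }

  # Base DN of the directory. Declared once and reused for the slapd suffix,
  # the ACL template and the monitoring check so the three cannot drift apart.
  $suffix = 'dc=wikimedia,dc=org'

  # Cloud control node FQDNs are exposed to the ACL template so it can grant
  # those hosts their access rules.
  $epp_params = {
    'suffix'             => $suffix,
    'cloudcontrol_hosts' => $openstack_control_nodes.map |OpenStack::ControlNode $node| { $node['host_fqdn'] },
  }

  class { '::openldap':
    server_id       => $server_id,
    sync_pass       => $sync_pass,
    suffix          => $suffix,
    datadir         => '/var/lib/ldap/labs',
    ca              => '/etc/ssl/certs/ca-certificates.crt',
    # Paths follow the acme-chief layout for the RSA-2048 leaf of $certname.
    certificate     => "/etc/acmecerts/${certname}/live/rsa-2048.chained.crt",
    key             => "/etc/acmecerts/${certname}/live/rsa-2048.key",
    extra_schemas   => ['dnsdomain2.schema', 'nova_sun.schema', 'openssh-ldap.schema',
                        'puppet.schema', 'sudo.schema', 'wmf-user.schema'],
    extra_indices   => 'openldap/main-indices.erb',
    extra_acls      => epp('openldap/main-acls.epp', $epp_params),
    mirrormode      => $mirror_mode,
    master          => $master,
    hash_passwords  => $hash_passwords,
    read_only       => $read_only,
    size_limit      => $size_limit,
    storage_backend => $storage_backend,
  }

  # Ldap services are used all over the place, including within
  # WMCS and on various prod hosts. Both 389 (LDAP, TLS only via STARTTLS)
  # and 636 (LDAPS) are opened to the configured source sets; the directory
  # ACLs in main-acls.epp govern what those clients may read.
  firewall::service { 'ldap':
    proto    => 'tcp',
    port     => [389, 636],
    src_sets => $firewall_src_sets,
  }

  # The check description advertises the replication role so an alert on a
  # read-only replica is distinguishable from one on the writable master.
  $monitoring_rw_desc = $read_only.bool2str('read-only', 'writable')
  monitoring::service { 'ldap':
    description   => "LDAP (${monitoring_rw_desc} server)",
    # Same base DN as slapd is configured with, rather than a second literal.
    check_command => "check_ldap!${suffix}",
    critical      => false,
    notes_url     => 'https://wikitech.wikimedia.org/wiki/LDAP#Troubleshooting',
  }

  if $backup {
    backup::openldapset { 'openldap': }
  }

  include profile::openldap::restarts
}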