Puppet Class: profile::openldap_clouddev

Defined in:
modules/profile/manifests/openldap_clouddev.pp

Overview

OpenLDAP server

Parameters:

  • hostname (Any) (defaults to: lookup('profile::openldap::hostname'))
  • mirror_mode (Any) (defaults to: lookup('profile::openldap::mirror_mode'))
  • backup (Any) (defaults to: lookup('profile::openldap::backup'))
  • sync_pass (Any) (defaults to: lookup('profile::openldap_clouddev::openldap::sync_pass'))
  • master (Any) (defaults to: lookup('profile::openldap::master'))
  • server_id (Any) (defaults to: lookup('profile::openldap::server_id'))
  • hash_passwords (Any) (defaults to: lookup('profile::openldap::hash_passwords'))
  • read_only (Any) (defaults to: lookup('profile::openldap::read_only'))
  • certname (Any) (defaults to: lookup('profile::openldap::certname'))
  • storage_backend (Any) (defaults to: lookup('profile::openldap::storage_backend'))
  • openstack_control_nodes (Array[OpenStack::ControlNode]) (defaults to: lookup('profile::openstack::codfw1dev::openstack_control_nodes'))


# File 'modules/profile/manifests/openldap_clouddev.pp', line 2

# @summary OpenLDAP (slapd) server profile for the WMCS test cluster.
#
# Obtains the slapd TLS certificate through acme-chief, declares the
# openldap class with the WMCS schema set and ACL template, opens the LDAP
# ports to production and labs networks, registers the Icinga LDAP check
# and, when requested, the openldap backup set.
#
# @param hostname Looked up from Hiera but not referenced in this class body.
# @param mirror_mode Forwarded to the openldap class as `mirrormode`.
# @param backup When truthy, declares `backup::openldapset { 'openldap': }`.
# @param sync_pass Replication credential forwarded to the openldap class.
#   NOTE(review): arrives as a plain (untyped) value rather than Sensitive,
#   so it is visible in catalogs and reports — confirm the openldap class
#   cannot accept a Sensitive value before changing this.
# @param master Forwarded to the openldap class as `master`.
# @param server_id Forwarded to the openldap class as `server_id`.
# @param hash_passwords Forwarded to the openldap class as `hash_passwords`.
# @param read_only Forwarded to the openldap class as `read_only`.
# @param certname Name of the acme-chief certificate; also selects the
#   /etc/acmecerts/<certname>/live directory the key and chain are read from.
# @param storage_backend Forwarded to the openldap class as `storage_backend`.
# @param openstack_control_nodes Control nodes whose `cloud_private_fqdn`
#   values are granted access in the ACL template.
class profile::openldap_clouddev (
    $hostname = lookup('profile::openldap::hostname'),
    $mirror_mode = lookup('profile::openldap::mirror_mode'),
    $backup = lookup('profile::openldap::backup'),
    $sync_pass = lookup('profile::openldap_clouddev::openldap::sync_pass'),
    $master = lookup('profile::openldap::master'),
    $server_id = lookup('profile::openldap::server_id'),
    $hash_passwords = lookup('profile::openldap::hash_passwords'),
    $read_only = lookup('profile::openldap::read_only'),
    $certname = lookup('profile::openldap::certname'),
    $storage_backend = lookup('profile::openldap::storage_backend'),
    Array[OpenStack::ControlNode] $openstack_control_nodes = lookup('profile::openstack::codfw1dev::openstack_control_nodes'),
) {
    # slapd runs unprivileged, so the private key must be group-readable by
    # 'openldap'; acme-chief reloads the service when the cert rotates.
    acme_chief::cert { $certname:
        puppet_svc => 'slapd',
        key_group  => 'openldap',
    }

    $suffix   = 'dc=wikimedia,dc=org'
    $cert_dir = "/etc/acmecerts/${certname}/live"

    # Private FQDNs of the cloudcontrol hosts, handed to the ACL template so
    # those hosts get their dedicated access rules.
    $cloudcontrol_fqdns = $openstack_control_nodes.map |OpenStack::ControlNode $control_node| {
        $control_node['cloud_private_fqdn']
    }

    $acl_template_params = {
        'suffix'             => $suffix,
        'cloudcontrol_hosts' => $cloudcontrol_fqdns,
    }

    $wmcs_schemas = [
        'dnsdomain2.schema',
        'nova_sun.schema',
        'openssh-ldap.schema',
        'puppet.schema',
        'sudo.schema',
        'wmf-user.schema',
    ]

    class { '::openldap':
        server_id       => $server_id,
        sync_pass       => $sync_pass,
        suffix          => $suffix,
        datadir         => '/var/lib/ldap/labs',
        # System CA bundle is used to validate the replication peer.
        ca              => '/etc/ssl/certs/ca-certificates.crt',
        certificate     => "${cert_dir}/rsa-2048.chained.crt",
        key             => "${cert_dir}/rsa-2048.key",
        extra_schemas   => $wmcs_schemas,
        extra_indices   => 'openldap/main-indices.erb',
        extra_acls      => epp('openldap/main-acls.epp', $acl_template_params),
        mirrormode      => $mirror_mode,
        master          => $master,
        hash_passwords  => $hash_passwords,
        read_only       => $read_only,
        storage_backend => $storage_backend,
    }

    # Both plain LDAP (389) and LDAPS (636) are reachable from the production
    # and labs networks: LDAP is consumed across WMCS and many prod hosts.
    ferm::service { 'ldap':
        proto  => 'tcp',
        port   => [389, 636],
        srange => '($PRODUCTION_NETWORKS $LABS_NETWORKS)',
    }

    # Non-critical check: this is the test cluster, not the production directory.
    monitoring::service { 'ldap':
        description   => 'LDAP WMCS test cluster',
        check_command => 'check_ldap!dc=wikimedia,dc=org',
        critical      => false,
        notes_url     => 'https://wikitech.wikimedia.org/wiki/LDAP#Troubleshooting',
    }

    if $backup {
        backup::openldapset { 'openldap': }
    }

    include profile::openldap::restarts
}