arjenz / pupmod-simp-simp_openldap

The SIMP openldap Puppet Module

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Please read our Contribution Guide.

Description

This module provides a SIMP-oriented profile for configuring OpenLDAP server and client components.

See REFERENCE.md for API documentation.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

  • When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.

  • If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the simp-simp_options module for details.

Setup

What simp_openldap affects

  • Installs LDAP client applications for interacting with an LDAP server
  • Installs and configures OpenLDAP for TLS-enabled communication using both ldaps:// (legacy TLS, negotiated before any LDAP traffic on a dedicated port) and STARTTLS (TLS negotiated on the standard LDAP port after the connection opens)
  • Provides access control capabilities

NOTE: As a convenience, this module will configure /root/.ldaprc with global variables that facilitate LDAP client communication, only if the file does not already exist. This behavior prevents the module from modifying any custom configuration you have created, but also means the file will not be updated when you make module configuration changes that would result in different /root/.ldaprc content (e.g., enable/disable use of TLS, change the TLS certificate filenames, or change the root directory for TLS certificates). You must remove /root/.ldaprc and run puppet to pick up the changes.

Using simp_openldap

As a client

To use this module for an LDAP client system, just include the class:

include 'simp_openldap'

As a server

To use the module to configure an LDAP server, include the following:

include 'simp_openldap::server'

This will configure a server with TLS and STARTTLS enabled. It will also populate the directory with a basic LDAP schema suitable for UNIX-system logins.
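Once the server is up, the thing worth checking from a client host is that both TLS paths actually work and present a certificate that verifies against your CA. The probe below is an added example, not part of the simp_openldap module or its tests: it hand-encodes the LDAP StartTLS ExtendedRequest (RFC 4511 section 4.14, OID 1.3.6.1.4.1.1466.20037) so it runs with nothing but the Python standard library, and then attempts a plain ldaps:// handshake on the second port. The target host, ports and CA file are caller-supplied assumptions; the two response samples are constructed to show what an accepting and a refusing server answer, not captured traffic.

```python
"""Probe an OpenLDAP server's TLS posture: STARTTLS on the plain LDAP port and ldaps://.

Added example, not part of the simp_openldap module. Host, port and CA file are
supplied by the caller; nothing here assumes SIMP's certificate layout.
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


# Minimal BER helpers: definite-length TLV encoding and decoding.
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(msgid=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.
    messageID is encoded as a single byte, so msgid must be below 128."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))           # 0x77 = APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + ext)  # 0x30 = SEQUENCE


def parse_extended_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse
    [APPLICATION 24]; optional trailing fields (referral, responseName) are ignored."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, rc, pos = _read_tlv(op, 0)     # resultCode ENUMERATED
    _, _, pos = _read_tlv(op, pos)    # matchedDN
    _, diag, _ = _read_tlv(op, pos)   # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


# Constructed samples of the two answers a server can give (not captured traffic).
SAMPLE_ACCEPT = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x78,
    _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"")))                   # success (0)
SAMPLE_REFUSE = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x78,
    _tlv(0x0A, b"\x02") + _tlv(0x04, b"") + _tlv(0x04, b"TLS not supported")))  # protocolError (2)


def _peer_cn(tls):
    for rdn in tls.getpeercert().get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe_starttls(host, port=389, cafile=None, timeout=5.0):
    """Connect in the clear, request StartTLS and, if accepted, finish a verified
    TLS handshake. Returns (resultCode, peer CN or diagnostic message)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request(1))
        raw = sock.recv(4096)  # the response is a few dozen bytes; one recv suffices in practice
        _, rc, diag = parse_extended_response(raw)
        if rc != 0:
            return rc, diag
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return 0, _peer_cn(tls)


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """ldaps://: TLS from the first byte, nothing sent in the clear. Returns the peer CN."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return _peer_cn(tls)


if __name__ == "__main__":
    target = sys.argv[1]                       # the LDAP server's FQDN (placeholder argument)
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print("STARTTLS:", probe_starttls(target, cafile=ca))
    print("ldaps:   ", probe_ldaps(target, cafile=ca))
```

Run it as `python3 probe.py ldap.example.com /path/to/ca.pem` (both values are placeholders). A non-zero resultCode from the STARTTLS probe means the server answered in the clear and declined to negotiate TLS; a handshake failure on either path means the certificate chain does not verify against the CA you passed, which is the same failure the module's clients will hit once /root/.ldaprc points them at TLS.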

To configure the password policy, you must also include the simp_openldap::slapo::ppolicy class BEFORE the server's initial configuration run. Once the LDAP server has been configured, the module does not update any data inside the directory itself, only the surrounding configuration, so a policy included after that first run will not be applied to the existing directory by this module.

For additional information, please see the SIMP Documentation.

Advanced configuration

It is possible to configure most aspects of the OpenLDAP server through this module. However, this gets complex quickly. The SIMP Documentation has some examples. Additional examples can be found in the acceptance tests.

Limitations

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

Development

Please see the SIMP Contribution Guidelines.

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle install
bundle exec rake beaker:suites

Please refer to the SIMP Beaker Helpers documentation for more information.

Some environment variables may be useful:

BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes

  • BEAKER_debug: show the commands being run on the SUT (system under test) and their output.
  • BEAKER_destroy=no: prevent the machines from being destroyed after the tests finish so you can inspect their state.
  • BEAKER_provision=no: prevent the machines from being recreated; this assumes they survived an earlier run (for example one started with BEAKER_destroy=no) and can save a lot of time while you are writing tests.
  • BEAKER_use_fixtures_dir_for_modules=yes: load all module dependencies from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. That directory is normally populated by bundle exec rake spec_prep, so this lets the acceptance tests run on isolated networks without fetching modules.
