This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Please read our Contribution Guide.
- Description
- This is a SIMP module
- Setup
- Using simp_openldap
- Advanced configuration
- Limitations
- Development
This module provides a SIMP-oriented profile for configuring OpenLDAP server and client components.
See REFERENCE.md for API documentation.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the simp-simp_options module for details.
- Installs LDAP client applications for interacting with an LDAP server
- Installs and configures OpenLDAP for TLS-enabled communication using both legacy TLS and STARTTLS
- Provides access control capabilities
NOTE: As a convenience, this module will configure /root/.ldaprc with global variables that facilitate LDAP client communication, but only if the file does not already exist. This behavior prevents the module from modifying any custom configuration you have created, but it also means the file will not be updated when you make module configuration changes that would result in different /root/.ldaprc content (e.g., enabling or disabling the use of TLS, changing the TLS certificate filenames, or changing the root directory for TLS certificates). You must remove /root/.ldaprc and run puppet to pick up the changes.
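A stale /root/.ldaprc is easy to miss because the module deliberately leaves an existing file alone. The following POSIX shell check is an added example (not part of the simp_openldap module) that reads an ldaprc-style file, looks at the standard OpenLDAP TLS_CACERT, TLS_CERT, TLS_KEY and TLS_CACERTDIR options, and reports any whose path no longer exists on disk, which is the usual symptom after a certificate filename or directory change. The file path and its contents in the usage line are assumptions.

```sh
#!/bin/sh
# Added example: detect a stale ldaprc whose TLS_* options point at files or
# directories that are no longer present. Exit status: 0 if every referenced
# path exists, 1 if at least one is missing, 2 if the file cannot be read.
# Usage: check_ldaprc_tls [path]   (default path: /root/.ldaprc)
check_ldaprc_tls() {
  rc="${1:-/root/.ldaprc}"
  [ -r "$rc" ] || { echo "no readable ldaprc at $rc" >&2; return 2; }
  missing=0
  # ldap.conf syntax: "OPTION value" per line, '#' starts a comment.
  # The "|| [ -n "$key" ]" also handles a last line without a newline.
  while read -r key value || [ -n "$key" ]; do
    case "$key" in
      ''|'#'*) continue ;;
    esac
    # Option names are case-insensitive, so normalise before matching.
    case "$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')" in
      TLS_CACERT|TLS_CERT|TLS_KEY|TLS_CACERTDIR)
        if [ ! -e "$value" ]; then
          echo "$key -> $value (missing)"
          missing=1
        fi
        ;;
    esac
  done < "$rc"
  return "$missing"
}

# Example invocation against the file the module manages (assumed path).
# check_ldaprc_tls /root/.ldaprc
```

A non-zero result after changing the module's TLS settings is the cue to remove /root/.ldaprc and re-run puppet so the file is regenerated.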
To use this module for an LDAP client system, just include the class:
include 'simp_openldap'
To use the module to configure an LDAP server, include the following:
include 'simp_openldap::server'
This will configure a server with TLS and STARTTLS enabled. It will also populate the directory with a basic LDAP schema suitable for UNIX-system logins.
To configure the password policy, you will also need to include the simp_openldap::slapo::ppolicy class PRIOR TO INITIAL CONFIGURATION.
Once the LDAP server has been configured, it will not update any data inside of
the LDAP server itself, only the surrounding configuration.
For additional information, please see the SIMP Documentation.
It is possible to configure most aspects of the OpenLDAP server through this module. However, this gets complex quickly. The SIMP Documentation has some examples. Additional examples can be found in the acceptance tests.
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
Please see the SIMP Contribution Guidelines.
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suites
Please refer to the SIMP Beaker Helpers documentation for more information.
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
- BEAKER_debug: show the commands being run on the STU and their output.
- BEAKER_destroy=no: prevent the machine from being destroyed after the tests finish so you can inspect its state.
- BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
- BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.