openldap Cookbook

Configures a server to be an OpenLDAP provider or replication consumer. Also includes a recipe to install the client libs, but not to setup actual LDAP auth as there are several ways to do this. We recommend looking at the sssd_ldap cookbook.

Maintainers

This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.

Requirements

Platforms

• Ubuntu
• Debian
• FreeBSD
• RHEL/CentOS >= 7.0 NOTE: RHEL 8 removed support for openldap. We provide support via a repository provided by the OSUOSL.
• Fedora
• openSUSE Leap

Chef

• Chef 15.3+

Cookbooks

• dpkg_autostart

Attributes

This is not an exhaustive list of attributes as most are directly comparable to their OpenLDAP equivalents.

Required

• openldap['rootpw']

This should be a password hash generated from slappasswd. The default slappasswd command will generate a salted SHA1 hash:

$ slappasswd -s "secretsauce"
{SSHA}6BjlvtSbVCL88li8IorkqMSofkLio58/

Set this via a node/role/env attribute or in a wrapper cookbook with an encrypted data_bag. OpenLDAP will fail to start if this is not set.

Install/Upgrade

• openldap['package_install_action'] - The action to be taken for all packages in the recipes. Defaults to :install, but can also be set to :upgrade to upgrade all packages referenced in the recipes.

General configuration

• openldap['schemas'] - Array of ldap schema file names to load
• openldap['modules'] - Array of slapd modules names to load
• `openldap['indexes]' - Array of indexes to use
• openldap['admin_cn'] - Admin CN name administrators (default)
• openldap['user_attrs'] - User access attributes userPassword,shadowLastChange (default)

TLS/SSL

If openldap['ldaps_enabled'] or openldap['tls_enabled'] are set, then openldap['tls_cert'] and openldap['tls_key'] must also be set and the files must exist prior to execution. Depending on the certificates, openldap['tls_cafile'] may also need to be set. See the test cookbook for an example.

• openldap['ldaps_enabled'] - listen on LDAPS (636) true | false (default)
• openldap['tls_enabled'] - true | false (default)
• openldap['tls_cert'] - full path to your SSL certificate
• openldap['tls_key'] - full path to your SSL key
• openldap['tls_cafile'] - full path to your CA certificate (or intermediate authorities), if needed.
• openldap['tls_ciphersuite'] - OpenSSL cipher suite specification to use, defaults to none (use system default)

Replication

Attributes related to replication (syncrepl). Only used if a provider or consumer.

• openldap['slapd_type'] - 'provider' | 'consumer', default is nil
• openldap['slapd_provider'] - hostname of slapd provider
• openldap['slapd_replpw'] - replication password
• openldap['slapd_rid'] - unique integer ID, required if type is consumer
• openldap['syncrepl_uri'] - ldap (default) | ldaps
• openldap['syncrepl_port'] - '389 (default) | 636'
• openldap['syncrepl_cn'] - the CN (only) of the user to use as binddn as consumer

The following syncrepl values are set by default, others can be added by setting the appropriate key value pair in the openldap['syncrepl_*_config] (See the OpenLDAP Adminstrator Guide):

• openldap']['syncrepl_provider_config']['overlay'] - defaults to 'syncprov'
• openldap']['syncrepl_provider_config']['syncprov-checkpoint'] - defaults to '100 10'
• openldap']['syncrepl_provider_config']['syncprov-sessionlog'] - defaults to '100'
• openldap['syncrepl_consumer_config']['type'] - defaults to 'refreshAndPersist'
• openldap['syncrepl_consumer_config']['interval'] - interval for the sync. Defaults to 1 day
• openldap['syncrepl_consumer_config']['searchbase'] - calculated in recipe
• openldap['syncrepl_consumer_config']['filter'] - search filter to use in the replication
• openldap['syncrepl_consumer_config']['scope'] - defaults to 'sub'
• openldap['syncrepl_consumer_config']['schemachecking'] - defaults to 'off'
• openldap['syncrepl_consumer_config']['bindmethod'] - defaults to 'simple'
• openldap['syncrepl_consumer_config']['binddn'] - calculated in recipe
• openldap['syncrepl_consumer_config']['starttls'] - yes | no (default)
• openldap['syncrepl_consumer_config']['credentials'] - defaults to openldap['slapd_replpw']

Recipes

default

Install and configure OpenLDAP (slapd).

Resources

• install

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers!

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website.