voxpupuli / puppet-openldap

Manage OpenLDAP with Puppet
Apache License 2.0

Setting dboptions doesn't work twice #185

Closed unixmind closed 3 years ago

unixmind commented 7 years ago

Here is my short manifest example:

(Where I want to create one DIT, and I would like to set 2 HDB options)

[root@puppet manifests]# cat create_one_openldap_dit.pp
#
# requires "https://forge.puppet.com/camptocamp/openldap"
#
class nomodule::create_one_openldap_dit (
  $dit_dn        = 'dc=maatg,dc=fr',
  $dit_directory = '/var/lib/ldap/argonay',
  $dit_password  = 'my_password',
) {

  class { 'openldap::server':
    provider => 'olc',  # by default
    enable   => 'true', # by default
    start    => 'true', # by default
  }

  openldap::server::database { $dit_dn:
    ensure    => 'present',
    directory => $dit_directory,
    backend   => 'hdb',
    rootdn    => "cn=admin,${dit_dn}",
    rootpw    => $dit_password,
    dboptions => {
      cachesize  => 1024,
      checkpoint => '512 30',
    },
  }

}

First run:

Everything works fine ...

[root@openldap ~]# puppet agent -tv
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/parser/functions/validate_base64.rb]/ensure: defined content as '{md5}90d29097af2835c2d04adef5a4c823a0'
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/parser/functions/validate_domain_name.rb]/ensure: defined content as '{md5}1db129fba43c8b0941fb0c105a19250a'
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/parser/functions/validate_ip_address_array.rb]/ensure: defined content as '{md5}5a7e1663ce67bd590ca115fecb9fe0e7'
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/parser/functions/validate_ipv4_address_array.rb]/ensure: defined content as '{md5}09e94e90c90dcc9f287b3f6e1baf5e93'
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/parser/functions/validate_ipv6_address_array.rb]/ensure: defined content as '{md5}d05a422b9d99f01e8dabd086f328bb4f'
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/parser/functions/validate_ldap_dn.rb]/ensure: defined content as '{md5}96f921ae01549a07ec775dc00c01b797'
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/parser/functions/validate_ldap_filter.rb]/ensure: defined content as '{md5}b501655b328d25a4638771d10c2cc8ea'
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/parser/functions/validate_ldap_sub_dn.rb]/ensure: defined content as '{md5}d465bcf18d98020c7380da7dc619f1bf'
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/parser/functions/validate_ldap_uri.rb]/ensure: defined content as '{md5}d13e24c36f8314b5306a41d2492bf96d'
Info: Loading facts
Info: Caching catalog for openldap.argonay.wou
Info: Applying configuration version '1488961963'
Notice: /Stage[main]/Openldap::Utils/Package[openldap-clients]/ensure: created
Notice: /Stage[main]/Openldap::Server::Install/Package[openldap-servers]/ensure: created
Notice: /Stage[main]/Openldap::Server::Config/Shellvar[slapd]/value: value changed ['ldapi:/// ldap:///'] to 'ldap:/// ldapi:/// '
Info: Class[Openldap::Server::Config]: Scheduling refresh of Class[Openldap::Server::Service]
Info: Class[Openldap::Server::Service]: Scheduling refresh of Service[slapd]
Notice: /Stage[main]/Openldap::Server::Service/Service[slapd]/enable: enable changed 'false' to 'true'
Notice: /Stage[main]/Openldap::Server::Service/Service[slapd]: Triggered 'refresh' from 1 events
Redirecting to /bin/systemctl stop  slapd.service
Redirecting to /bin/systemctl start  slapd.service
Notice: /Stage[main]/Openldap::Server::Slapdconf/Openldap::Server::Database[dc=my-domain,dc=com]/Openldap_database[dc=my-domain,dc=com]/ensure: removed
Notice: /Stage[main]/Nomodule::Create_one_openldap_dit/Openldap::Server::Database[dc=frederic,dc=wou]/File[/var/lib/ldap/argonay]/ensure: created
Notice: /Stage[main]/Nomodule::Create_one_openldap_dit/Openldap::Server::Database[dc=frederic,dc=wou]/Openldap_database[dc=frederic,dc=wou]/ensure: created
Notice: Applied catalog in 14.61 seconds

I got correct attributes in the configuration DIT

[root@openldap ~]# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={2}hdb,cn=config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/argonay
olcSuffix: dc=frederic,dc=wou
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=
 admin,dc=frederic,dc=wou" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=frederic,dc=wou" write by
 * read
olcRootDN: cn=admin,dc=frederic,dc=wou
olcRootPW: my_password
olcDbCacheSize: 1024
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq

Second run:

I'm experiencing some issues

[root@openldap ~]# puppet agent -tv
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for openldap.argonay.wou
Info: Applying configuration version '1488962181'
Notice: /Stage[main]/Openldap::Server::Service/Service[slapd]/ensure: ensure changed 'running' to 'stopped'
Notice: /Stage[main]/Nomodule::Create_one_openldap_dit/Openldap::Server::Database[dc=frederic,dc=wou]/Openldap_database[dc=frederic,dc=wou]/rootpw: changed password
Notice: /Stage[main]/Nomodule::Create_one_openldap_dit/Openldap::Server::Database[dc=frederic,dc=wou]/Openldap_database[dc=frederic,dc=wou]/dboptions: dboptions changed {'cachesize' => '1024', 'checkpoint' => '512 30', 'index' => 'objectClass eq'} to '{"cachesize"=>1024, "checkpoint"=>"512 30"}'
Error: /Stage[main]/Nomodule::Create_one_openldap_dit/Openldap::Server::Database[dc=frederic,dc=wou]/Openldap_database[dc=frederic,dc=wou]: Could not evaluate: LDIF content:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}Fl6khDBiQ2fTBXhYYGd44TZHRpIFniUl
-
replace: olcDbcachesize
olcDbcachesize: 1024
-
replace: olcDbcheckpoint
olcDbcheckpoint: 512 30
-

Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_database20170308-4810-1rknos0' returned 255: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Info: Stage[main]: Unscheduling all events on Stage[main]
Notice: Applied catalog in 0.82 seconds

Far worse, I lost access to "cn=config" !!!

[root@openldap ~]# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

jrevillard commented 7 years ago

Any update on that please? It's a blocking issue for us.

Best.

mcanevet commented 7 years ago

A unit test or an acceptance test would help to reproduce and hopefully solve this issue.

webratz commented 7 years ago

I'm also seeing that issue. As long as I never change any parameters in the config, everything is fine. As soon as something is changed, the update fails with the following slightly different errors.

 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]/options) options changed {'olcMemberOfDangling' => 'error', 'olcMemberOfRefInt' => 'TRUE'} to '{"olcMemberOfDangling"=>"drop", "olcMemberOfRefInt"=>"TRUE"}'
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]) Could not evaluate: LDIF content:
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]) dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]) changetype: modify
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]) replace: olcMemberOfDangling
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]) olcMemberOfDangling: drop
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]) -
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]) replace: olcMemberOfRefInt
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]) olcMemberOfRefInt: TRUE
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]) -
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com])
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]) Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_overlay20170629-11468-ps1ju4' returned 80: SASL/EXTERNAL authentication started
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]) SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 (/Stage[main]/Sre_ldap/Openldap::Server::Overlay[memberof on dc=example,dc=com]/Openldap_overlay[memberof on dc=example,dc=com]) SASL SSF: 0

rturnbull1977 commented 6 years ago

Has there been any progress on this issue, I'm experiencing the same thing.

rturnbull1977 commented 6 years ago

So in working with/using this code I have discovered the proper syntax to get this to work properly.
Currently I'm using version 1.15.0 of this module (running under puppet 3.8.7). Anyways, here is my definition that I used in my code....

class { 'openldap::server':
  ldaps_ifs => ["/"],
  databases => {
    'o=MYDOMAIN,c=CA' => {
      directory => '/var/lib/ldap',
      rootdn    => 'cn=Manager,o=MYDOMAIN,c=CA',
      rootpw    => '{SSHA}BLAHBLAHBLAH-notpostingmyencryptedpassword',
      initdb    => true,
      ensure    => present,
      backend   => 'hdb',
      dboptions => {
        dbconfig => [
          'set_cachesize 0 268435456 1',
          'set_lg_regionmax 262144',
          'set_lg_bsize 2097152',
        ],
      },
    },
    'cn=Monitor' => {
      ensure => absent,
    },
  },
}

This is how I got my code to work.... basically you have to have,

dboptions => {
  dbconfig => [
    "DATABASE BACKEND OPTIONNAME VALUE",
    "SECOND DATABASE BACKEND OPTIONNAME VALUE",
    "THIRD DATABASE BACKEND OPTIONNAME VALUE",
  ],  # NOTE THIS IS AN ARRAY
},

Hope this helps - the documentation is not very helpful (it does not have any documentation on setting dbconfig/dboptions). I found this by going into the lib directory and discovering/working out the syntax. See /lib/puppet/provider/openldap_database/olc.rb (these options don't exist for provider augeas).
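Both behaviours in this thread come down to how a provider diffs the cn=config entry against the manifest and renders an LDIF modify: unixmind's second-run log shows the dboptions hash being "changed" because slapd's own olcDbIndex value was counted as a difference and olcRootPW being rewritten although the password had not changed, while rturnbull1977's answer shows dbconfig as an ordered array. The Ruby script below is an added example written for this page; it is not the module's olc.rb provider and does not reproduce its logic. It assumes a key-to-attribute mapping (cachesize to olcDbCacheSize, checkpoint to olcDbCheckpoint, index to olcDbIndex, dbconfig to the multi-valued olcDbConfig with {n} ordering prefixes) and the RFC 2307 {SSHA} scheme for olcRootPW; the sample entry is an abridged copy of the first ldapsearch output in the issue.

```ruby
require 'base64'
require 'digest/sha1'

# Mapping of dboptions keys to cn=config attributes. Assumed for this
# example; the module's own mapping lives in
# lib/puppet/provider/openldap_database/olc.rb.
DBOPTION_ATTRS = {
  'cachesize'  => 'olcDbCacheSize',
  'checkpoint' => 'olcDbCheckpoint',
  'index'      => 'olcDbIndex',
  'dbconfig'   => 'olcDbConfig', # multi-valued, ordered with {n} prefixes
}.freeze

# Abridged entry from the first ldapsearch in the issue (folded line kept).
CURRENT_ENTRY = <<LDIF
dn: olcDatabase={2}hdb,cn=config
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/argonay
olcSuffix: dc=frederic,dc=wou
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcRootDN: cn=admin,dc=frederic,dc=wou
olcRootPW: my_password
olcDbCacheSize: 1024
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
LDIF

# Desired state from the manifest in the issue (note: no 'index' key).
DESIRED_DBOPTIONS = { 'cachesize' => 1024, 'checkpoint' => '512 30' }.freeze

# Parse one LDIF entry into attribute => [values], unfolding continuation
# lines (a leading space joins the line to the previous one).
def parse_ldif_entry(text)
  lines = []
  text.each_line do |raw|
    line = raw.chomp
    next if line.empty?
    if line.start_with?(' ') && !lines.empty?
      lines[-1] += line[1..-1]
    else
      lines << line
    end
  end
  lines.each_with_object({}) do |line, attrs|
    name, value = line.split(': ', 2)
    (attrs[name] ||= []) << value
  end
end

# Replace only the attributes the manifest manages, and only when their
# current values differ. Attributes slapd set on its own (olcDbIndex here)
# are left alone, so an unchanged manifest yields no change on a second run.
def plan_dboptions(entry, desired)
  desired.each_with_object([]) do |(key, want), changes|
    attr = DBOPTION_ATTRS.fetch(key) { raise ArgumentError, "unknown dboption #{key}" }
    want_values = if key == 'dbconfig'
                    Array(want).each_with_index.map { |v, i| "{#{i}}#{v}" }
                  else
                    [want.to_s]
                  end
    changes << [attr, want_values] unless entry.fetch(attr, []) == want_values
  end
end

# RFC 2307 {SSHA}: base64(SHA1(password + salt) + salt).
def ssha_hash(plain, salt)
  '{SSHA}' + Base64.strict_encode64(Digest::SHA1.digest(plain.b + salt.b) + salt.b)
end

# Verify the password against the stored value instead of re-hashing it with
# a fresh salt and comparing strings, which never matches and would report
# "changed password" on every run. A plaintext stored value compares directly.
def ssha_match?(plain, stored)
  return plain == stored unless stored.start_with?('{SSHA}')
  raw = Base64.strict_decode64(stored[6..-1])
  digest, salt = raw[0, 20], raw[20..-1]
  Digest::SHA1.digest(plain.b + salt) == digest
end

def plan_rootpw(entry, desired_plain, salt)
  stored = entry.fetch('olcRootPW', []).first.to_s
  return nil if ssha_match?(desired_plain, stored)
  ['olcRootPW', [ssha_hash(desired_plain, salt)]]
end

# Render the modify LDIF in the same shape the issue's error message shows.
def render_ldif(dn, changes)
  return '' if changes.empty?
  out = ["dn: #{dn}", 'changetype: modify']
  changes.each do |attr, values|
    out << "replace: #{attr}"
    values.each { |v| out << "#{attr}: #{v}" }
    out << '-'
  end
  out.join("\n") + "\n"
end

if $PROGRAM_NAME == __FILE__
  entry = parse_ldif_entry(CURRENT_ENTRY)
  changes = plan_dboptions(entry, DESIRED_DBOPTIONS)
  pw = plan_rootpw(entry, 'my_password', 'demo-salt') # salt is a placeholder
  changes << pw if pw
  ldif = render_ldif(entry['dn'].first, changes)
  puts(ldif.empty? ? 'no changes needed' : ldif)
end
```

Run against the entry from the first run and the manifest's dboptions, the planner emits no LDIF at all, which is the outcome the second run in the issue should have had; changing cachesize to another value yields a single replace of olcDbCacheSize, and a dbconfig array becomes an ordered olcDbConfig set. Two things the ldapsearch output also makes visible are worth noting from an operations standpoint: olcRootPW was stored as the literal string my_password after the first run, readable by anyone who can bind to cn=config, and the second run's failure came after Service[slapd] was reported as stopped, so any planner that stops the service before ldapmodify over ldapi:/// will fail in exactly the way the log shows.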

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.