voxpupuli / puppet-openldap

Manage OpenLDAP with Puppet
Apache License 2.0

openldap::server::overlay incorrectly parses suffix #334

Open jouveits opened 2 years ago

jouveits commented 2 years ago

Using an "overlay on suffix" title for the openldap::server::overlay ends up with an incorrect suffix ("[]", see below). It seems that the title is incorrectly parsed.

Using the suffix attributes provides the same result.

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce

  openldap::server::overlay { 'syncprov on olcDatabase={2}mdb,cn=config':
    ensure  => present,
    options => {
      'olcSpCheckpoint' => '100 10',
      'olcSpSessionlog' => '100'
    },
  }

What are you seeing

==> ldap-master.jcs: dn: olcOverlay=syncprov,[]
==> ldap-master.jcs: changetype: add
==> ldap-master.jcs: objectClass: olcConfig
==> ldap-master.jcs: objectClass: olcOverlayConfig
==> ldap-master.jcs: objectClass: olcSyncProvConfig
==> ldap-master.jcs: olcOverlay: syncprov
==> ldap-master.jcs: olcSpCheckpoint: 100 10
==> ldap-master.jcs: olcSpSessionlog: 100
==> ldap-master.jcs:
==> ldap-master.jcs: Error message: Execution of '/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_overlay20211007-7990-1vesjdo' returned 34: SASL/EXTERNAL authentication started
==> ldap-master.jcs: SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
==> ldap-master.jcs: SASL SSF: 0
==> ldap-master.jcs: ldap_add: Invalid DN syntax (34)
==> ldap-master.jcs:    additional info: invalid DN
==> ldap-master.jcs: adding new entry "olcOverlay=syncprov,[]"

What behaviour did you expect instead

The obtained DN should be something like dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config

smortex commented 2 years ago

Hey!

  openldap::server::overlay { 'syncprov on olcDatabase={2}mdb,cn=config':
    ensure  => present,
    options => {
      'olcSpCheckpoint' => '100 10',
      'olcSpSessionlog' => '100'
    },
  }

Hum… Should probably be like :monocle_face: :

  openldap::server::overlay { 'syncprov on dc=example,dc=com':
    ensure  => present,                  # ^^^^^^^^^^^^^^^^^
    options => {                         #     the suffix
      'olcSpCheckpoint' => '100 10',
      'olcSpSessionlog' => '100'
    },
  }

jouveits commented 2 years ago

The (working) configuration I am trying to obtain is this one:

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100

So, enabling the syncprov overlay on the mdb database I want to synchronize, as described in the OpenLDAP documentation: https://www.openldap.org/doc/admin24/guide.html#N-Way%20Multi-Provider

I tried the one you suggested, but I'm not obtaining the desired result.

jnk0 commented 1 year ago

Same behaviour in version 6.0.0: you aren't able to add an overlay with the suffix olcDatabase={2}hdb,cn=config.

jnk0 commented 1 year ago

Okay, giving it another try and looking into openldap_overlay reveals that the following example

  openldap::server::overlay { 'ppolicy on dc=example,dc=net':
    ensure  => present,
    options => {
      'olcPPolicyDefault'        => 'cn=default,ou=policies,dc=example,dc=net',
      'olcPPolicyForwardUpdates' => 'FALSE',
      'olcPPolicyHashCleartext'  => 'TRUE',
      'olcPPolicyUseLockout'     => 'FALSE'
    },
  }

produces the expected result in the database:

# {0}ppolicy, {2}hdb, config
dn: olcOverlay={0}ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=net
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE

I would suggest closing this issue if it is not used to improve the documentation.

smortex commented 1 year ago

:+1: for improving any documentation! Can you please contribute some examples based on your experience in a PR :grin:?
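The title convention the thread settles on is "OVERLAY on SUFFIX", where SUFFIX is the database's olcSuffix (dc=example,dc=com), not the olcDatabase DN under cn=config. The following is an added illustration, not code from puppet-openldap: it assumes the suffix is resolved to its olcDatabase={N} entry via a constructed suffix table (standing in for an ldapsearch of cn=config), and rejects a cn=config DN passed as the suffix with a clear message instead of producing an invalid DN.

```ruby
# Added example (not the module's own code): resolving an
# "OVERLAY on SUFFIX" title to the cn=config DN of the overlay entry.
TITLE_PATTERN = /\A(?<overlay>\S+) on (?<suffix>.+)\z/

# Constructed stand-in for the olcDatabase entries found under cn=config,
# mapping each database DN to its olcSuffix value.
DATABASES = {
  'olcDatabase={1}mdb,cn=config' => 'dc=example,dc=com',
  'olcDatabase={2}mdb,cn=config' => 'dc=example,dc=net',
}.freeze

# Split the resource title into its overlay name and suffix parts.
def parse_title(title)
  m = TITLE_PATTERN.match(title)
  raise ArgumentError, "title must be 'OVERLAY on SUFFIX', got #{title.inspect}" unless m
  { overlay: m[:overlay], suffix: m[:suffix] }
end

# Build the DN of the overlay entry, e.g.
# olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
def overlay_dn(title, databases = DATABASES)
  parsed = parse_title(title)
  suffix = parsed[:suffix]

  # The misuse from this issue: a cn=config DN given where a suffix belongs.
  if suffix =~ /\AolcDatabase=.*,cn=config\z/i
    raise ArgumentError,
          "#{suffix.inspect} is a cn=config DN, not a database suffix; " \
          'use the olcSuffix value of the database (e.g. dc=example,dc=com)'
  end

  # LDAP DNs compare case-insensitively, so match the suffix that way.
  db_dn, _ = databases.find { |_, s| s.casecmp?(suffix) }
  raise ArgumentError, "no olcDatabase entry has olcSuffix #{suffix}" unless db_dn

  "olcOverlay=#{parsed[:overlay]},#{db_dn}"
end

puts overlay_dn('syncprov on dc=example,dc=net') if $PROGRAM_NAME == __FILE__
```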