voxpupuli / puppet-openldap

Manage OpenLDAP with Puppet
Apache License 2.0

Error trying to re-add config items that already exist #435

Closed huckabeec closed 1 week ago

huckabeec commented 2 weeks ago

I've punted back to trying to use the openldap-servers RPM that is available in RHEL8 (openldap-servers-2.4.46-19.el8_10.x86_64), and initially the module works OK, but now I've got the problem where it is trying to re-add all of the olcGlobal items again which fails as most of those are single types. E.g. the error is:

olcTLSProtocolMin: no equality matching rule

The entries are definitely already there:

# /sbin/slapcat -b cn=config -o ldif-wrap=no -H 'ldap:///???(objectClass=olcGlobal)'
dn: cn=config
objectClass: olcGlobal
cn: config
structuralObjectClass: olcGlobal
entryUUID: 7f44c206-0d72-103f-8861-2d25516adbe5
creatorsName: cn=config
createTimestamp: 20240922210802Z
olcTLSCertificateFile: /etc/pki/tls/certs/server.pem
olcTLSCertificateKeyFile: /etc/pki/tls/private/server.key
olcTLSProtocolMin: 3.3
olcTLSCipherSuite: HIGH
olcLocalSSF: 128
olcSecurity: ssf=128
olcSecurity: simple_bind=128
olcSecurity: update_ssf=128

This started after adding some schemas, adding modules, and adding ACLs to the basedn. Slapcat still works via the ldapi:/// and ldap:/// interfaces for root so it doesn't seem to be an ACL issue.

I can't tell from the debug output provided by the module what is missing.

smortex commented 2 weeks ago

What does puppet resource openldap_global_conf TLSProtocolMin say? What does your catalog look like? Anything interesting from puppet resource openldap_global_conf comparing to what you see above?

Ideally a minimal example reproducing the problem would help.

huckabeec commented 2 weeks ago

What does puppet resource openldap_global_conf TLSProtocolMin say?

# puppet resource openldap_global_conf TLSProtocolMin
openldap_global_conf { 'TLSProtocolMin':
  ensure   => 'present',
  provider => 'olc',
  value    => '3.3',
}

What does your catalog look like?

The globalconf section is this:

openldap::server::globalconf { 'GlobalConf':
  ensure => present,
  value  => {
    'TLSProtocolMin' => '3.3',
    'TLSCipherSuite' => 'HIGH',
    'LocalSSF'       => '128',
    'SizeLimit'      => 'size.soft=50000 size.hard=50000',
    'Security'       => [
      'ssf=128',
      'simple_bind=128',
      'update_ssf=128',
    ],
    'ServerID'       => [
      '1001 ldap://server1.XXX.YYY',
      '1002 ldap://server2.XXX.YYY',
      '1003 ldap://server3.XXX.YYY',
    ],
  },
}

Anything interesting from puppet resource openldap_global_conf comparing to what you see above?

# puppet resource openldap_global_conf
openldap_global_conf { 'LocalSSF':
  ensure   => 'present',
  provider => 'olc',
  value    => '128',
}
openldap_global_conf { 'Security':
  ensure   => 'present',
  provider => 'olc',
  value    => ['ssf=128', 'simple_bind=128', 'update_ssf=128'],
}
openldap_global_conf { 'ServerID':
  ensure   => 'present',
  provider => 'olc',
  value    => ['1001 ldap://server1.XXX.YYY', '1002 ldap://server2.XXX.YYY', '1003 ldap://server3.XXX.YYY'],
}
openldap_global_conf { 'TLSCertificateFile':
  ensure   => 'present',
  provider => 'olc',
  value    => '/etc/pki/tls/certs/server.pem',
}
openldap_global_conf { 'TLSCertificateKeyFile':
  ensure   => 'present',
  provider => 'olc',
  value    => '/etc/pki/tls/private/server.key',
}
openldap_global_conf { 'TLSCipherSuite':
  ensure   => 'present',
  provider => 'olc',
  value    => 'HIGH',
}
openldap_global_conf { 'TLSProtocolMin':
  ensure   => 'present',
  provider => 'olc',
  value    => '3.3',
}

smortex commented 2 weeks ago

The globalconf section is this:

openldap::server::globalconf { 'GlobalConf':
  ensure => present,
  value  => {
    'TLSProtocolMin' => '3.3',
    'TLSCipherSuite' => 'HIGH',
    'LocalSSF'       => '128',
    'SizeLimit'      => 'size.soft=50000 size.hard=50000',
    'Security'       => [
      'ssf=128',
      'simple_bind=128',
      'update_ssf=128',
    ],
    'ServerID'       => [
      '1001 ldap://server1.XXX.YYY',
      '1002 ldap://server2.XXX.YYY',
      '1003 ldap://server3.XXX.YYY',
    ],
  },
}

If I am correct, this should rather match what puppet resource openldap_global_conf outputs, that is, multiple openldap::server::globalconf resources that configure a single item each, e.g. from my control repo configuration:

  openldap::server::globalconf { 'LogLevel':
    value => 'stats',
  }

  openldap::server::globalconf { 'TLSProtocolMin':
    # 3.3 = TLS 1.2+
    value => '3.3',
  }
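The following manifest is an added example, not code from the puppet-openldap module or from either participant in this thread. It keeps the reporter's settings in one hash for readability but declares one openldap::server::globalconf resource per attribute, the form the maintainer describes above, so each resource maps onto exactly one openldap_global_conf entry as listed by puppet resource. The attribute names and values are the ones from the reporter's catalog (the server hostnames are the placeholders used in the issue); the hash variable name and the iteration are the example's own. It assumes the defined type accepts ensure and value as shown in the maintainer's snippet and that openldap::server is already declared.

```puppet
# Added example: one openldap::server::globalconf resource per cn=config
# attribute, generated from a hash of the reporter's settings.
$openldap_globals = {
  # 3.3 means TLS 1.2 and newer; older protocol versions are refused.
  'TLSProtocolMin' => '3.3',
  # OpenSSL cipher string; only "high" strength suites are offered.
  'TLSCipherSuite' => 'HIGH',
  # SSF credited to local ldapi:/// sessions, so root over the Unix
  # socket still meets the ssf=128 requirement declared in Security.
  'LocalSSF'       => '128',
  'SizeLimit'      => 'size.soft=50000 size.hard=50000',
  # Multi-valued attributes stay arrays; each element is one value.
  'Security'       => ['ssf=128', 'simple_bind=128', 'update_ssf=128'],
  'ServerID'       => [
    '1001 ldap://server1.XXX.YYY',
    '1002 ldap://server2.XXX.YYY',
    '1003 ldap://server3.XXX.YYY',
  ],
}

# Each hash key becomes the resource title, which the module uses as the
# olc attribute name (without the "olc" prefix), matching the titles that
# puppet resource openldap_global_conf prints for an existing server.
$openldap_globals.each |String $attribute, Variant[String, Array[String]] $value| {
  openldap::server::globalconf { $attribute:
    ensure => present,
    value  => $value,
  }
}
```

After a run, puppet resource openldap_global_conf on the host should list these same titles with these same values, and a second run should report no changes; a resource that still shows as changing on every run is the signal to compare its value against slapcat -b cn=config output, as was done above.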

huckabeec commented 2 weeks ago

OK, I'll try it like that

That worked, so I need to track down the source of that other config format and squash it since that's wrong.