Awesome
openldap Cookbook
Configures a server to be an OpenLDAP provider or replication consumer. Also includes a recipe to install the client libs, but not to setup actual LDAP auth as there are several ways to do this. We recommend looking at the sssd_ldap cookbook.
Maintainers
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.
Requirements
Platforms
- Ubuntu
- Debian
- FreeBSD
- RHEL/CentOS >= 7.0 NOTE: RHEL 8 removed support for openldap. We provide support via a repository provided by the OSUOSL.
- Fedora
- openSUSE Leap
Chef
- Chef 15.3+
Cookbooks
- dpkg_autostart
Attributes
This is not an exhaustive list of attributes as most are directly comparable to their OpenLDAP equivalents.
Required
openldap['rootpw']
This should be a password hash generated from slappasswd. The default slappasswd command will generate a salted SHA1 hash:
$ slappasswd -s "secretsauce"
{SSHA}6BjlvtSbVCL88li8IorkqMSofkLio58/
Set this via a node/role/env attribute or in a wrapper cookbook with an encrypted data_bag. OpenLDAP will fail to start if this is not set.
Install/Upgrade
openldap['package_install_action']
- The action to be taken for all packages in the recipes. Defaults to :install, but can also be set to :upgrade to upgrade all packages referenced in the recipes.
General configuration
openldap['schemas']
- Array of ldap schema file names to loadopenldap['modules']
- Array of slapd modules names to load- `openldap['indexes]' - Array of indexes to use
openldap['admin_cn']
- Admin CN nameadministrators (default)
openldap['user_attrs']
- User access attributesuserPassword,shadowLastChange (default)
TLS/SSL
If openldap['ldaps_enabled']
or openldap['tls_enabled']
are set, then openldap['tls_cert']
and openldap['tls_key']
must also be set and the files must exist prior to execution. Depending on the certificates, openldap['tls_cafile']
may also need to be set. See the test cookbook for an example.
openldap['ldaps_enabled']
- listen on LDAPS (636) true | false (default)openldap['tls_enabled']
- true | false (default)openldap['tls_cert']
- full path to your SSL certificateopenldap['tls_key']
- full path to your SSL keyopenldap['tls_cafile']
- full path to your CA certificate (or intermediate authorities), if needed.openldap['tls_ciphersuite']
- OpenSSL cipher suite specification to use, defaults to none (use system default)
Replication
Attributes related to replication (syncrepl). Only used if a provider or consumer.
openldap['slapd_type']
-'provider' | 'consumer'
, default isnil
openldap['slapd_provider']
- hostname of slapd provideropenldap['slapd_replpw']
- replication passwordopenldap['slapd_rid']
- unique integer ID, required if type is consumeropenldap['syncrepl_uri']
-ldap (default) | ldaps
openldap['syncrepl_port']
-'389 (default) | 636'
openldap['syncrepl_cn']
- the CN (only) of the user to use as binddn as consumer
The following syncrepl values are set by default, others can be added by setting the appropriate key value
pair in the openldap['syncrepl_*_config]
(See the OpenLDAP Adminstrator Guide):
openldap']['syncrepl_provider_config']['overlay']
- defaults to 'syncprov'openldap']['syncrepl_provider_config']['syncprov-checkpoint']
- defaults to '100 10'openldap']['syncrepl_provider_config']['syncprov-sessionlog']
- defaults to '100'openldap['syncrepl_consumer_config']['type']
- defaults to 'refreshAndPersist'openldap['syncrepl_consumer_config']['interval']
- interval for the sync. Defaults to 1 dayopenldap['syncrepl_consumer_config']['searchbase']
- calculated in recipeopenldap['syncrepl_consumer_config']['filter']
- search filter to use in the replicationopenldap['syncrepl_consumer_config']['scope']
- defaults to 'sub'openldap['syncrepl_consumer_config']['schemachecking']
- defaults to 'off'openldap['syncrepl_consumer_config']['bindmethod']
- defaults to 'simple'openldap['syncrepl_consumer_config']['binddn']
- calculated in recipeopenldap['syncrepl_consumer_config']['starttls']
-yes | no (default)
openldap['syncrepl_consumer_config']['credentials']
- defaults toopenldap['slapd_replpw']
Recipes
default
Install and configure OpenLDAP (slapd).
Resources
Contributors
This project exists thanks to all the people who contribute.
Backers
Thank you to all our backers!
Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.