
pupmod-simp-simp_openldap's Introduction


This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Please read our Contribution Guide.


Description

This module provides a SIMP-oriented profile for configuring OpenLDAP server and client components.

See REFERENCE.md for API documentation.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

  • When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.

  • If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the simp-simp_options module for details.

Setup

What simp_openldap affects

  • Installs LDAP client applications for interacting with an LDAP server
  • Installs and configures OpenLDAP for TLS-enabled communication using both legacy TLS and STARTTLS
  • Provides access control capabilities

NOTE: As a convenience, this module will create /root/.ldaprc with global variables that facilitate LDAP client communication, but only if the file does not already exist. This prevents the module from overwriting any custom configuration you have created, but it also means the file will not be updated when you change module settings that would produce different /root/.ldaprc content (e.g., enabling or disabling TLS, changing the TLS certificate filenames, or changing the root directory for TLS certificates). To pick up such changes, remove /root/.ldaprc and run Puppet again.
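Because a pre-existing /root/.ldaprc is never rewritten, it can silently fall out of step with the module-managed /etc/openldap/ldap.conf. The following check is an added example, not part of the simp_openldap module; it assumes both files use the ldap.conf "KEY value" syntax, and the list of keys it compares is an assumption rather than something the module guarantees.

```shell
#!/bin/sh
# Added example (not from the simp_openldap module): report keys whose value
# differs between the module-managed ldap.conf and a stale /root/.ldaprc.
# Assumption: both files use ldap.conf syntax ("KEY value", keys are
# case-insensitive). The key list is an assumption, adjust it to your setup.

KEYS="URI BASE BINDDN TLS_CACERT TLS_CACERTDIR TLS_REQCERT"

# Print the value of key $2 from file $1 (first match only); empty if absent.
ldap_conf_get() {
  awk -v k="$2" 'toupper($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# ldaprc_drift MANAGED_CONF LDAPRC
# Returns 0 when every key in KEYS agrees between the two files, 1 otherwise,
# printing one "drift:" line per differing key.
ldaprc_drift() {
  managed="$1" rc="$2" rc_status=0
  for k in $KEYS; do
    a=$(ldap_conf_get "$managed" "$k")
    b=$(ldap_conf_get "$rc" "$k")
    if [ "$a" != "$b" ]; then
      printf 'drift: %s managed=[%s] ldaprc=[%s]\n' "$k" "$a" "$b"
      rc_status=1
    fi
  done
  return $rc_status
}

# Typical use on a client after a Puppet run:
#   ldaprc_drift /etc/openldap/ldap.conf /root/.ldaprc \
#     || echo "remove /root/.ldaprc and re-run Puppet"
```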

Using simp_openldap

As a client

To use this module for an LDAP client system, just include the class:

include 'simp_openldap'

As a server

To use the module to configure an LDAP server, include the following:

include 'simp_openldap::server'

This will configure a server with TLS and STARTTLS enabled. It will also populate the directory with a basic LDAP schema suitable for UNIX-system logins.

To configure the password policy, you will also need to include the simp_openldap::slapo::ppolicy class PRIOR TO INITIAL CONFIGURATION. Once the LDAP server has been configured, the module will not update any data inside the LDAP server itself, only the surrounding configuration.

For additional information, please see the SIMP Documentation.

Advanced configuration

It is possible to configure most aspects of the OpenLDAP server through this module. However, this gets complex quickly. The SIMP Documentation has some examples. Additional examples can be found in the acceptance tests.

Limitations

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

Development

Please see the SIMP Contribution Guidelines.

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests, run the following:

bundle install
bundle exec rake beaker:suites

Please refer to the SIMP Beaker Helpers documentation for more information.

Some environment variables may be useful:

BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes

  • BEAKER_debug: show the commands being run on the SUT (system under test) and their output.
  • BEAKER_destroy=no: prevent the machine from being destroyed after the tests finish so you can inspect its state.
  • BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
  • BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.


pupmod-simp-simp_openldap's Issues

Operator '[]' is not applicable to an Undef Value

I'm seeing the following error:

Error: Could not run: Evaluation Error: Operator '[]' is not applicable to an Undef Value. (file: /etc/puppetlabs/code/environments/production/modules/simp_openldap/manifests/init.pp, line: 67, column: 129)

This appears to be because

Array[Simplib::URI] $ldap_uri = simplib::lookup('simp_options::ldap::uri', { 'default_value' => undef }),
sets $ldap_uri to undef by default, and
Simplib::URI $ldap_master = simplib::lookup('simp_options::ldap::master', { 'default_value' => $ldap_uri[-1] }),
references $ldap_uri[-1].

This may be a Puppet bug since I would expect the code to blow up with a type mismatch for $ldap_uri.

rspec failure

Failures:

  1) simp_openldap::client on centos-7-x86_64 Generates files with strip_128_bit_ciphers = true it should behave like a ldap config generator is expected to contain File[/etc/openldap/ldap.conf] with content  supplied string
     Failure/Error: it { is_expected.to create_file('/etc/openldap/ldap.conf').with_content( ldap_conf_content[content_option] ) }
     
       expected that the catalogue would contain File[/etc/openldap/ldap.conf] with content set to supplied string
       Diff:
       @@ -1,6 +1,6 @@
        URI                 ldap://server1.host.net ldap://server2.host.net
        BASE                DC=host,DC=net
       -BINDDN              cn=hostAuth,ou=Hosts,DC=host,DC=net
       +BINDDN              cn=hostAuth,ou=Hosts,DC=example,DC=com
        REFERRALS           on
        SIZELIMIT           0
        TIMELIMIT           15
       
     Shared Example Group: "a ldap config generator" called from ./spec/classes/client_spec.rb:123
     # ./spec/classes/client_spec.rb:104:in `block (5 levels) in <top (required)>'
