# Puppet-LDAPquery

[![Build Status](https://travis-ci.org/xaque208/puppet-ldapquery.svg?branch=master)](https://travis-ci.org/xaque208/puppet-ldapquery)

A Puppet function to query LDAP.

## Dependencies

The Ruby `net-ldap` gem is required to communicate with LDAP.

## Sample Usage

### On the Master

You must set the necessary variables in `puppet.conf` so the master can connect to your LDAP server. You can simply add the static values like so:

```INI
[master]
ldaptls = true
ldapport = 636
ldapserver = ldap.example.com
ldapbase = dc=example,dc=com
ldapuser = cn=puppet,ou=people,dc=example,dc=com
ldappassword = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```

Or, use Puppet to manage the values in `puppet.conf` by adding something like the following to the manifest that manages your master's `puppet.conf`:

```Puppet
$ldap_base = hiera('ldap_base') # dc=example,dc=com
$ldap_user = hiera('ldap_user') # cn=ldapuser,dc=puppetlabs,dc=com
$ldap_pass = hiera('ldap_pass') # ultrasecure

# The function needs the net-ldap gem on the master.
package { 'net-ldap':
  ensure   => present,
  provider => 'gem',
}

# CA certificate used to verify the LDAP server when ldaptls is enabled.
file { '/etc/puppet/ldap_ca.pem':
  owner  => 'root',
  group  => '0',
  mode   => '0644',
  source => '/path/to/my/ldap/ca.pem',
}

# Defaults shared by every ini_setting below.
Ini_setting {
  ensure  => present,
  section => 'master',
  path    => '/etc/puppet/puppet.conf',
}

ini_setting { 'ldapserver':
  setting => 'ldapserver',
  value   => 'ldap.example.com',
}

ini_setting { 'ldapport':
  setting => 'ldapport',
  value   => '636',
}

ini_setting { 'ldapbase':
  setting => 'ldapbase',
  value   => $ldap_base,
}

ini_setting { 'ldapuser':
  setting => 'ldapuser',
  value   => $ldap_user,
}

ini_setting { 'ldappassword':
  setting => 'ldappassword',
  value   => $ldap_pass,
}

ini_setting { 'ldaptls':
  setting => 'ldaptls',
  value   => true,
}
```

### In manifest

The `ldapquery` function is simple. Passing an RFC 4515 search filter returns the results of the query as a list. Optionally, a list of attributes whose values should be returned may also be passed. Consider the following manifest.
```Puppet
$attributes = [
  'loginshell',
  'uidnumber',
  'uid',
  'homedirectory',
]

$zach = ldapquery('(uid=zach)', $attributes)
```

Assuming there is only one LDAP object with `uid=zach`, the variable `$zach` now holds the following data structure:

```Ruby
[
  {
    'uid'           => 'zach',
    'loginshell'    => '/bin/zsh',
    'uidnumber'     => '123',
    'homedirectory' => '/var/users/zach',
  }
]
```

Here is a slightly more complicated example that will generate *virtual* `ssh_authorized_key` resources for every `posixAccount` that has a non-empty `sshPublicKey` attribute. Note that attribute names in the returned hashes are lowercased, so the attribute requested as `sshPublicKey` is read back as `sshpublickey`.

```Puppet
$key_results = ldapquery('(&(objectClass=ldapPublicKey)(sshPublicKey=*)(objectClass=posixAccount))', ['uid', 'sshPublicKey'])

$key_results.each |$u| {
  # sshPublicKey may be a single string or an array of strings.
  any2array($u['sshpublickey']).each |$k| {
    $keyparts = split($k, ' ')
    $comment  = $keyparts[2]

    @ssh_authorized_key { "${$u['uid']}_${comment}":
      user    => $u['uid'],
      type    => $keyparts[0],
      key     => $keyparts[1],
      require => User[$u['uid']],
    }
  }
}
```
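The manifest above splits each key on spaces and uses the third field as the title suffix, so a key stored without a comment yields the title `zach_` and collides with any other uncommented key for that user. The following Ruby is an added example, not the module's own code: it reproduces that loop over a constructed result set in the shape `ldapquery` returns (assuming single values come back as strings and multi-valued attributes as arrays, as the page shows) and substitutes a digest-derived suffix when the comment is absent, skipping lines that are not a public key.

```ruby
# Added example, not part of the puppet-ldapquery module: the manifest's key
# handling in plain Ruby, so the parsing step can be checked offline.
# Assumes ldapquery returns hashes with lowercased attribute names, single
# values as String and multi-valued attributes as Array, as shown above.
require 'digest'

# Constructed sample result in the shape ldapquery returns for the filter above.
SAMPLE_RESULTS = [
  { 'uid' => 'zach',
    'sshpublickey' => ['ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne zach@laptop',
                       'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleKeyTwo'] },
  { 'uid' => 'alice', 'sshpublickey' => 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyThree alice@desk' },
  { 'uid' => 'bob', 'sshpublickey' => 'garbage' },
].freeze

# Puppet's any2array: wrap a single value, keep an array, drop nil.
def any2array(value)
  case value
  when nil then []
  when Array then value
  else [value]
  end
end

# Split one OpenSSH public-key line into type, key and optional comment.
# Returns nil when the line lacks both a type and a key blob.
def parse_ssh_key(line)
  parts = line.strip.split(' ')
  return nil if parts.length < 2
  { 'type' => parts[0], 'key' => parts[1], 'comment' => parts[2] }
end

# Build the ssh_authorized_key parameters the manifest declares per key.
# A key without a comment would give the title "uid_" and collide with any
# other uncommented key for that user, so fall back to a digest-derived suffix.
def ssh_key_resources(entries)
  entries.flat_map do |u|
    uid = u['uid']
    any2array(u['sshpublickey']).filter_map do |k|
      parsed = parse_ssh_key(k) or next
      comment = parsed['comment'] || Digest::SHA256.hexdigest(parsed['key'])[0, 8]
      { 'title'   => "#{uid}_#{comment}",
        'user'    => uid,
        'type'    => parsed['type'],
        'key'     => parsed['key'],
        'require' => "User[#{uid}]" }
    end
  end
end
```

Running `ssh_key_resources(SAMPLE_RESULTS)` yields three resource parameter hashes: two for `zach` (one with the `zach@laptop` suffix, one with a digest suffix) and one for `alice`; `bob`'s malformed value is dropped.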