mirror of https://github.com/philippdieter/puppet-ldapquery.git synced 2026-02-04 09:13:23 +00:00

Go to file

Zach Leslie 6b51380818 Specify net-ldap version in Gemfile

Ruby 2 is required for the latest version of net-ldap, but to support
puppetserver we need to also support 1.9.3.  Here we document the
version of net-ldap we require.

2016-03-11 10:13:39 -08:00

lib

Update require for puppet_x to use relative path

2016-03-11 10:13:39 -08:00

spec

Rewrite for testability

2015-05-20 12:55:18 -07:00

.fixtures.yml

Begin module testing

2015-05-18 22:09:37 -07:00

.gitignore

Ignore some files

2015-05-18 22:14:36 -07:00

.rspec

Begin module testing

2015-05-18 22:09:37 -07:00

.travis.yml

Disable sudo for travis to increase speed

2015-08-20 10:36:11 -07:00

Gemfile

Specify net-ldap version in Gemfile

2016-03-11 10:13:39 -08:00

LICENSE

Add a license

2015-05-18 21:45:02 -07:00

metadata.json

(rel) 0.1.7

2015-11-10 21:48:38 +00:00

Rakefile

Rewrite for testability

2015-05-20 12:55:18 -07:00

README.md

Improve documentation for setup and examples

2015-09-17 14:17:49 -07:00

README.md

Puppet-LDAPquery

A Puppet function to query LDAP.

Dependencies

The Ruby net-ldap gem is required to communicate with LDAP.

Sample Usage

On the Master

You must set the necessary variables in puppet.conf so the master can connect to your LDAP server.

You can simply add the static values like so:

[master]
ldaptls = true
ldapport = 636
ldapserver = ldap.example.com
ldapbase = dc=example,dc=com
ldapuser = cn=puppet,ou=people,dc=example,dc=com
ldappassword = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Or, use Puppet to manage the values in puppet.conf by adding something like the following to the manifest that manages your master's puppet.conf.

$ldap_base   = hiera('ldap_base') # dc=example,dc=com
$ldap_user   = hiera('ldap_user') # cn=ldapuser,dc=puppetlabs,dc=com
$ldap_pass   = hiera('ldap_pass') # ultrasecure

package { 'net-ldap':
  ensure   => present,
  provider => 'gem'
}

file { '/etc/puppet/ldap_ca.pem':
  owner  => 'root',
  group  => '0',
  mode   => '0644',
  source => /path/to/my/ldap/ca.pem,
}

Ini_setting {
  ensure  => present,
  section => 'master',
  path    => '/etc/puppet/puppet.conf',
}

ini_setting { 'ldapserver':
  setting => 'ldapserver',
  value   => 'ldap.example.com',
}

ini_setting { 'ldapport':
  setting => 'ldapport',
  value   => '636',
}

ini_setting { 'ldapbase':
  setting => 'ldapbase',
  value   => $ldap_base,
}

ini_setting { 'ldapuser':
  setting => 'ldapuser',
  value   => $ldap_user,
}

ini_setting { 'ldappassword':
  setting => 'ldappassword',
  value   => $ldap_pass,
}

ini_setting { 'ldaptls':
  setting => 'ldaptls',
  value   => true,
}

In manifest

The ldapquery function is simple. Just passing an rfc4515 search filter will return the results of the query in list form. Optionally, a list of attributes of which to return the values may also be passed.

Consider the following manifest.

$attributes = [
  'loginshell',
  'uidnumber',
  'uid',
  'homedirectory',
]

$zach = ldapquery('(uid=zach)', $attributes)

Assuming there is only one LDAP object with the uid=zach, then the variable $zach now holds the following data structure:

[
  {
    'uid' => 'zach',
    'loginshell' => '/bin/zsh',
    'uidnumber' => '123',
    'homedirectory' => '/var/users/zach',
  }
]

Here is a slightly more complicate example that will generate virtual ssh_authorized_key resources for every 'posixAccount' that has a non-empty 'sshPublicKey' attribute.

$key_results  = ldapquery('(&(objectClass=ldapPublicKey)(sshPublicKey=*)(objectClass=posixAccount))', ['uid', 'sshPublicKey'])
$key_results.each |$u| {
  any2array($u['sshpublickey']).each |$k| {
    $keyparts = split($k, ' ')
    $comment = $keyparts[2]
    @ssh_authorized_key { "${$u['uid']}_${comment}":
      user    => $u['uid'],
      type    => $keyparts[0],
      key     => $keyparts[1],
      require => User[$u['uid']],
    }
  }
}