Zach Leslie bf64a51a42 Always return an array for the values
Previously, it's impossible to know if the results you are working with
in the puppet manifest are in string or array form without counting
them. This work ensures that an array is always returned, even if there
is only one item returned.

This is useful in situations where an attribute is commonly both
multi-valued and single-valued to avoid complex manifest code.
2016-03-12 18:58:11 -08:00

Puppet-LDAPquery

A Puppet function to query LDAP.

Dependencies

The Ruby net-ldap gem is required to communicate with LDAP.

Sample Usage

On the Master

You must set the necessary variables in puppet.conf so the master can connect to your LDAP server.

You can simply add the static values like so:

[master]
ldaptls = true
ldapport = 636
ldapserver = ldap.example.com
ldapbase = dc=example,dc=com
ldapuser = cn=puppet,ou=people,dc=example,dc=com
ldappassword = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Or, use Puppet to manage the values in puppet.conf by adding something like the following to the manifest that manages your master's puppet.conf.

$ldap_base   = hiera('ldap_base') # dc=example,dc=com
$ldap_user   = hiera('ldap_user') # cn=ldapuser,dc=puppetlabs,dc=com
$ldap_pass   = hiera('ldap_pass') # ultrasecure

package { 'net-ldap':
  ensure   => present,
  provider => 'gem'
}

file { '/etc/puppet/ldap_ca.pem':
  owner  => 'root',
  group  => '0',
  mode   => '0644',
  source => '/path/to/my/ldap/ca.pem',
}

Ini_setting {
  ensure  => present,
  section => 'master',
  path    => '/etc/puppet/puppet.conf',
}

ini_setting { 'ldapserver':
  setting => 'ldapserver',
  value   => 'ldap.example.com',
}

ini_setting { 'ldapport':
  setting => 'ldapport',
  value   => '636',
}

ini_setting { 'ldapbase':
  setting => 'ldapbase',
  value   => $ldap_base,
}

ini_setting { 'ldapuser':
  setting => 'ldapuser',
  value   => $ldap_user,
}

ini_setting { 'ldappassword':
  setting => 'ldappassword',
  value   => $ldap_pass,
}

ini_setting { 'ldaptls':
  setting => 'ldaptls',
  value   => true,
}

In manifest

The ldapquery function is simple. Passing an RFC 4515 search filter returns the results of the query in list form. Optionally, a list of attributes whose values should be returned may also be passed.

Consider the following manifest.

$attributes = [
  'loginshell',
  'uidnumber',
  'uid',
  'homedirectory',
]

$zach = ldapquery('(uid=zach)', $attributes)

Assuming there is only one LDAP object with uid=zach, the variable $zach now holds the following data structure:

[
  {
    'uid' => 'zach',
    'loginshell' => '/bin/zsh',
    'uidnumber' => '123',
    'homedirectory' => '/var/users/zach',
  }
]

Here is a slightly more complicated example that generates virtual ssh_authorized_key resources for every 'posixAccount' that has a non-empty 'sshPublicKey' attribute.

$key_results  = ldapquery('(&(objectClass=ldapPublicKey)(sshPublicKey=*)(objectClass=posixAccount))', ['uid', 'sshPublicKey'])
$key_results.each |$u| {
  any2array($u['sshpublickey']).each |$k| {
    $keyparts = split($k, ' ')
    $comment = $keyparts[2]
    @ssh_authorized_key { "${u['uid']}_${comment}":
      user    => $u['uid'],
      type    => $keyparts[0],
      key     => $keyparts[1],
      require => User[$u['uid']],
    }
  }
}
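The filters in both examples above are literal strings. When part of a filter comes from data (a Hiera value, a fact), RFC 4515 requires the characters `*`, `(`, `)`, `\` and NUL inside a value to be hex-escaped so the value stays a value and cannot change the shape of the filter. The Ruby below is an added example, not code from this module: it rebuilds the ssh key filter from escaped parts and shows the one place where `*` is filter syntax (a presence test) rather than data. The helper names and the conservative attribute-name check are this example's own assumptions.

```ruby
# Escape one attribute value for use inside an RFC 4515 search filter.
# RFC 4515 section 3 requires '*', '(', ')', '\' and NUL inside a value to be
# written as a backslash followed by the two hex digits of the octet.
def escape_filter_value(value)
  value.to_s.gsub(/[\x00()*\\]/) { |ch| format('\\%02x', ch.ord) }
end

# Accept only a conservative subset of attribute descriptions (a name plus
# optional ';option' suffixes); anything else is rejected rather than emitted.
def check_attribute(attribute)
  return attribute if attribute =~ /\A[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*\z/

  raise ArgumentError, "invalid attribute description: #{attribute.inspect}"
end

# (attr=value): the value is data and is escaped.
def equality_filter(attribute, value)
  "(#{check_attribute(attribute)}=#{escape_filter_value(value)})"
end

# (attr=*): the wildcard here is filter syntax and must not be escaped.
def presence_filter(attribute)
  "(#{check_attribute(attribute)}=*)"
end

# (&(f1)(f2)...): AND of already well-formed filters.
def and_filter(*filters)
  "(&#{filters.join})"
end

# The README's ssh key query assembled from parts. An optional uid (for
# example from Hiera) narrows it to one account; whatever characters the
# value contains are kept literal by the escaping.
def ssh_key_filter(uid = nil)
  parts = [
    equality_filter('objectClass', 'ldapPublicKey'),
    presence_filter('sshPublicKey'),
    equality_filter('objectClass', 'posixAccount'),
  ]
  parts << equality_filter('uid', uid) unless uid.nil?
  and_filter(*parts)
end

if $PROGRAM_NAME == __FILE__
  puts ssh_key_filter            # the filter used in the README example
  puts ssh_key_filter('a*b (c)') # constructed value with filter metacharacters
end
```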