Configures a server to be an OpenLDAP provider or replication consumer with custom resources. It does not set up LDAP auth clients as there are several ways to do this. We recommend looking at the sssd_ldap cookbook.
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.
- Ubuntu 22.04+
- Debian 12+
- RHEL-family 8 NOTE: RHEL 8 removed support for openldap. We provide support via a repository provided by the OSUOSL.
- Amazon Linux 2023
- Fedora
- openSUSE Leap
- Chef 15.3+
- dpkg_autostart
This cookbook no longer ships recipes or attributes. See migration.md for the breaking change from openldap::default and node['openldap'] attributes to custom resources.
This is not an exhaustive list of properties as most are directly comparable to their OpenLDAP equivalents.
`rootpw`

This should be a password hash generated from `slappasswd`. The default `slappasswd` command will generate a salted SHA1 (`{SSHA}`) hash:

```shell
$ slappasswd -s "secretsauce"
{SSHA}6BjlvtSbVCL88li8IorkqMSofkLio58/
```

Set this property from a wrapper cookbook or data bag value. OpenLDAP will fail to start if this is not set.
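As an added example (not code from the cookbook itself), the Ruby below builds and verifies `{SSHA}` values in the same layout `slappasswd` emits, and provides a guard a wrapper cookbook could apply to a data bag value before it is passed to `rootpw`, so a plaintext secret never reaches `slapd.conf`. All function names are our own.

```ruby
require 'digest'
require 'securerandom'

SSHA_PREFIX = '{SSHA}'
SHA1_LEN = 20 # bytes in a SHA-1 digest

# Build an OpenLDAP-compatible {SSHA} value: base64(SHA1(password || salt) || salt).
# slappasswd uses a 4-byte random salt by default; a caller may pass a fixed salt
# to get deterministic output (e.g. in tests).
def ssha_hash(password, salt = SecureRandom.random_bytes(4))
  digest = Digest::SHA1.digest(password.b + salt.b)
  SSHA_PREFIX + [digest + salt.b].pack('m0') # 'm0' = strict base64, no newlines
end

# Split a {SSHA} value into digest and salt; nil when the value is not a
# well-formed SSHA hash (wrong prefix, bad base64, or too short to hold a salt).
def ssha_parse(stored)
  return nil unless stored.is_a?(String) && stored.start_with?(SSHA_PREFIX)
  decoded = stored.delete_prefix(SSHA_PREFIX).unpack1('m0')
  return nil if decoded.bytesize <= SHA1_LEN
  { digest: decoded.byteslice(0, SHA1_LEN),
    salt: decoded.byteslice(SHA1_LEN, decoded.bytesize - SHA1_LEN) }
rescue ArgumentError # unpack1('m0') rejects invalid base64
  nil
end

# Constant-time comparison so a mismatch does not leak where the bytes differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check a candidate password against a stored {SSHA} value the way slapd does:
# recover the salt from the tail of the decoded blob and recompute the digest.
def ssha_verify(password, stored)
  parts = ssha_parse(stored)
  return false if parts.nil?
  secure_compare(parts[:digest], Digest::SHA1.digest(password.b + parts[:salt]))
end

# Guard for a wrapper cookbook or data bag: accept only a value that parses as
# SSHA, so plaintext (or a truncated hash) is rejected before it reaches slapd.
def rootpw_hashed?(value)
  !ssha_parse(value).nil?
end
```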
- `package_action` - The action to be taken for all packages in the install resource. Defaults to `:install`, but can also be set to `:upgrade`.
- `schemas` - Array of LDAP schema file names to load
- `modules` - Array of slapd module names to load
- `indexes` - Array of indexes to use
- `admin_cn` - Admin CN name, `administrators` (default)
- `user_attrs` - User access attributes, `userPassword,shadowLastChange` (default)
If ldaps_enabled or tls_enabled are set, then tls_cert and tls_key must also be set and the files must exist prior to execution. Depending on the certificates, tls_cafile may also need to be set. See the test cookbook for an example.
- `ldaps_enabled` - listen on LDAPS (636), true | false (default)
- `tls_enabled` - true | false (default)
- `tls_cert` - full path to your SSL certificate
- `tls_key` - full path to your SSL key
- `tls_cafile` - full path to your CA certificate (or intermediate authorities), if needed
- `tls_ciphersuite` - OpenSSL cipher suite specification to use, defaults to none (use system default)
Attributes related to replication (syncrepl). Only used if a provider or consumer.
- `slapd_type` - `'provider'` | `'consumer'`, default is `nil`
- `slapd_provider` - hostname of slapd provider
- `slapd_replpw` - replication password
- `slapd_rid` - unique integer ID, required if type is consumer
- `syncrepl_uri` - `ldap` (default) | `ldaps`
- `syncrepl_port` - `389` (default) | `636`
- `syncrepl_cn` - the CN (only) of the user to use as binddn as consumer
The following syncrepl values are set by default; others can be added by setting the appropriate key/value pair in `syncrepl_*_config` (see the OpenLDAP Administrator's Guide):
- `syncrepl_provider_config['overlay']` - defaults to `syncprov`
- `syncrepl_provider_config['syncprov-checkpoint']` - defaults to `100 10`
- `syncrepl_provider_config['syncprov-sessionlog']` - defaults to `100`
- `syncrepl_consumer_config['type']` - defaults to `refreshAndPersist`
- `syncrepl_consumer_config['interval']` - interval for the sync. Defaults to 1 day
- `syncrepl_consumer_config['searchbase']` - calculated from `basedn`
- `syncrepl_consumer_config['filter']` - search filter to use in the replication
- `syncrepl_consumer_config['scope']` - defaults to `sub`
- `syncrepl_consumer_config['schemachecking']` - defaults to `off`
- `syncrepl_consumer_config['bindmethod']` - defaults to `simple`
- `syncrepl_consumer_config['binddn']` - calculated from `syncrepl_cn` and `basedn`
- `syncrepl_consumer_config['starttls']` - `yes` | `no` (default)
- `syncrepl_consumer_config['credentials']` - defaults to `slapd_replpw`
This project exists thanks to all the people who contribute.