ldap principal

Overview

This type allows you to manage a LDAP entry (e.g. a principal) on an LDAP server.

Here is an example on how to use this:

ldap_principal { 'ldap_server:cn=hajee,dc=example,dc=org':
  ensure             => 'present',
  attributes_added   => {
      'Group'        => 'superusers'
  },
  attributes         => {
      'userPassword' => 'MySecretPassword',
      'GivenName'    => 'Bert Hajee',
      'Password'     => 'verysecret',
  }
  transform         => {'password' => 'ssha512'}
}

Attributes

Attribute Name Short Description
absent_in Using this property, you can manage group relations.
attributes Set’s the attributes of the specfied LDAP entry.
disable_corrective_change Disable the modification of a resource when Puppet decides it is a corrective change.
disable_corrective_ensure Disable the creation or removal of a resource when Puppet decides is a corrective change.
distinguished_name The distinguished name of the principal you want to manage.
ensure The basic property that the resource should be in.
force Delete all subentries when deleting a tree.
ldap_server The name of the LDAP server.
name The full name of the LDAP principal.
present_in Using this property, you can manage group relations.
provider resource.
purge are not in the manifest, are automaticaly removed.
purge_attributes Aitomaticaly remove none specfied properies.
transform The transformation function that will be applied to specified attributes.

absent_in

Using this property, you can manage group relations. You can make sure an LDAP entry is not in a group.

Here is an example:

ldap_principal { ‘ldap_server:cn=muppets,ou=muppetshow,dc=example,dc=org’: … absent_in => { ‘member’ => [ ‘cn=kermit,ou=muppetshow,dc=example,dc=org’, ‘cn=piggy,ou=muppetshow,dc=example,dc=org’, ], … },

This puppet code makes sure that kermit and piggy are no longer part of the group muppets.

Back to overview of ldap_principal

attributes

Set's the attributes of the specfied LDAP entry.

Using the property, you can set the attributes of a LDAP entry. The ldap_principal has
who modes of operation, see the `purge_attributes` for more details about the two modes.

When the `purge_attributes` is not specfied or false, Puppet **only** works on th attributes specfied.
All other attributes will be untouched. Here is an example:

    ldap_principal { 'docker:cn=piggy,ou=muppetshow,dc=example,dc=org':
      ...
      attributes => {
        'sn'           => 'piggy',
        'objectclass'  => ['top', 'inetOrgPerson'],
        'userPassword' => "{SSHA512}2ZsyGTxVyEw14Cu9D/OXpTddfy/387D/rlR6R0VVdRIz+3Wn52fSYZpKAP1S 9J/kRbkoBiPK/9eZMOZV6cgidzEyMzQ1Njc4",
        'givenName'    => 'Miss Piggy',
      },
      ...
    }

Back to overview of ldap_principal

disable_corrective_change

Disable the modification of a resource when Puppet decides it is a corrective change.

(requires easy_type V2.11.0 or higher)

When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.

Using the disable_corrective_change parameter, you can disable corrective changes on the current resource.

Here is an example of this:

crucial_resource {'be_carefull':
  ...
  disable_corrective_change => true,
  ...
}

When a corrective ensure does happen on the resource Puppet will not modify the resource and signal an error:

    Error: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change
    Error: /Stage[main]/Main/Crucial_resource[be_carefull]/parameter: change from '10' to '20' failed: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change. (corrective)

Back to overview of ldap_principal

disable_corrective_ensure

Disable the creation or removal of a resource when Puppet decides is a corrective change.

(requires easy_type V2.11.0 or higher)

When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.

Using the disable_corrective_ensure parameter, you can disable corrective ensure present or ensure absent actions on the current resource.

Here is an example of this:

crucial_resource {'be_carefull':
  ensure                    => 'present',
  ...
  disable_corrective_ensure => true,
  ...
}

When a corrective ensure does happen on the resource Puppet will not create or remove the resource and signal an error:

    Error: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure.
    Error: /Stage[main]/Main/Crucial_resource[be_carefull]/ensure: change from 'absent' to 'present' failed: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure. (corrective)

Back to overview of ldap_principal

distinguished_name

The distinguished name of the principal you want to manage.

Back to overview of ldap_principal

ensure

The basic property that the resource should be in.

Valid values are present, absent.

Back to overview of ldap_principal

force

Delete all subentries when deleting a tree. Be careful. When this value is set to true, alle entries below specfied entry will be deleted too. Here is an example on how to use this:

ldap_principal { 'ldap_server:ou=muppetshow,dc=example,dc=org':
  ...
  force      => true,
  ...
}

When the force parameter, is not set and the container contains leaf entries, Puppet will issue an error saying so. If the parameter force is set to true, the container including all contents will be recursively removed.

Valid values are true, false, yes, no, true, false.

Back to overview of ldap_principal

ldap_server

The name of the LDAP server.

This must be server registered with the ldap_server type. See the custom type ldap_server for more information on how to register an LDAP server.

Back to overview of ldap_principal

name

The full name of the LDAP principal.

a full name consist of an LDAP server a double colon and then a LDAP identifier narrowing down to one LDAP entry.

Here is an example of a full qualified LDAP principal name:

ldap_principal { 'ldap_server:cn=hajee,dc=example,dc=org':
  ...
}

Back to overview of ldap_principal

present_in

Using this property, you can manage group relations. You make sure the LDAP intry is present in a group.

You can make sure a specific LDAP entry is part of a group. Here is an example:

ldap_principal { ‘ldap_server:cn=muppets,ou=muppetshow,dc=example,dc=org’: … present_in => { ‘member’ => [ ‘cn=kermit,ou=muppetshow,dc=example,dc=org’, ‘cn=piggy,ou=muppetshow,dc=example,dc=org’, ], }, }

This puppet code makes sure that kermit and piggy are part of the group muppets.

Back to overview of ldap_principal

provider

The specific backend to use for this ldap_principal resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.Available providers are:

net_ldap
Manage an LDAP principal

Back to overview of ldap_principal

purge

When you set this parameter to true, entries that are in that in this container, but are not in the manifest, are automaticaly removed.

This parameter is valid on a container entry. It doesn’t do anything on regular ldap entries.

Here is en example:

ldap_principal { 'ldap_server:ou=muppetshow,dc=example,dc=org':
  ...
  purge      => true,
  ...
}

Valid values are true, false, yes, no.

Back to overview of ldap_principal

purge_attributes

Aitomaticaly remove none specfied properies.

When you specify the parameter `purge_properties`, properties that the server
returns, but are not in your manifest, will be removed. Here is an example:

    ldap_principal { 'ldap_server:cn=fozzie,ou=muppetshow,dc=example,dc=org':
      ...
      purge_attributes => true,
      attributes => {
        'objectclass'  => ['top', 'inetOrgPerson'],
        'userPassword' => "{SSHA512}2ZsyGTxVyEw14Cu9D/OXpTddfy/387D/rlR6R0VVdRIz+3Wn52fSYZpKAP1S 9J/kRbkoBiPK/9eZMOZV6cgidzEyMzQ1Njc4",
        # 'givenName'    => 'Fozzie Bear',
        'cn'           => 'fozzie',
        'sn'           => 'Fozzie',
      },
      ...
    }

As you can see the `givenName` propery has been commented out. When the server still
has the attribute for the principal, puppet will remove it because it is not specfied.
When purge_attribute is **not** set, puppet will leave it like it was.

Valid values are true, false, yes, no, true, false.

Back to overview of ldap_principal

transform

The transformation function that will be applied to specified attributes.

Here is an example.

ldap_principal { 'docker:cn=gonzo,dc=example,dc=org':
  ensure            => 'present',
  attributes        => {
    'sn'            => 'gonzo',
    'objectclass'   => ["top", "inetorgperson"],
    'userPassword'  => 'mysecretpassword',
    'givenName'     => 'Gonzo',
  },
  transform => {'userPassword' => 'hashed'},
}

In this definition, the value specified at the attribute ‘userPassword’, will first be presented to the Puppet function hashed_compare and then compared with the value returned from the ldap server. The specfied function will NOT be applied before sending the value to the LDAP server.

You can use this when the LDAP server requires unhashed passwords on applying, but returns the hashed password. Because Puppet only applies the transform function for comparisson, you can use regular password values in your manifest.

Back to overview of ldap_principal