The LDAP principal allows you to manage LDAP entries in a corporate directory. ldap_principal has support for a lot of use cases common in large organisations. It supports for example:
For more information check out the sections below or take a look at the documentation site for this module here
Check the rest of this section for more details.
The most obvious thing is that you need to manage attributes. The attributes property allows you to do this. Here is an example:
ldap_principal { 'docker:cn=gonzo,ou=muppetshow,dc=example,dc=org':
  ensure     => 'present',
  attributes => {
    'sn'          => 'gonzo',
    'objectclass' => ['top', 'inetOrgPerson'],
    'givenName'   => 'Gonzo',
  },
}
Large organizations go beyond just adding and removing entries in a directory. Obviously they need the most basic feature of adding entries to a group (e.g. the MemberOf relation). And they need to do this in a way where you can add and remove certain memberships without touching other memberships. That is because in most companies the responsibility for the membership attributes of a user is distributed over different parts of the organization. The head of the finance department, for example, decides who gets a membership of the group seeFinancialReports, while the IT department decides who gets a membership of the group manageSystems. Here is an example:
ldap_principal { 'docker:cn=muppets,ou=muppetshow,dc=example,dc=org':
  ensure     => 'present',
  attributes => {
    'objectclass' => ['top', 'groupOfNames'],
  },
  present_in => {
    'member' => [
      'cn=kermit,ou=muppetshow,dc=example,dc=org',
      'cn=piggy,ou=muppetshow,dc=example,dc=org',
      'cn=gonzo,ou=muppetshow,dc=example,dc=org',
    ],
  },
}
The ldap_principal type supports all these operations. Using the present_in property, you can specify which users must be present in a certain group. When you use this property, Puppet leaves all other group memberships as they are. The reverse of this operation is the absent_in property. As the name says, it makes sure the specified user is not present in a certain group:
ldap_principal { 'docker:cn=muppets,ou=muppetshow,dc=example,dc=org':
  ensure     => 'present',
  attributes => {
    'objectclass' => ['top', 'groupOfNames'],
  },
  absent_in  => {
    'member' => [
      'cn=kermit,ou=muppetshow,dc=example,dc=org',
      'cn=piggy,ou=muppetshow,dc=example,dc=org',
    ],
  },
}
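The present_in and absent_in semantics described above, as an added example in Ruby (the language Puppet types and providers are written in); this is not the module's own provider code. It models the reconciliation a provider has to do: compute what the group's member values should become and which LDAP add/delete operations follow, without touching memberships named in neither list. The group data, the DN normalisation and the decision to reject a DN listed in both properties are assumptions made for this illustration.

```ruby
# Constructed current 'member' values of the group, as the directory returns them.
CURRENT_MEMBERS = [
  'cn=kermit,ou=muppetshow,dc=example,dc=org',
  'cn=statler,ou=muppetshow,dc=example,dc=org', # managed by another team
].freeze

# Normalise a DN so that 'CN=Kermit, ou=...' and 'cn=kermit,ou=...' compare equal.
# Real DN matching is more involved (escaping, attribute-type aliases); this is
# enough for the constructed data used here.
def normalize_dn(dn)
  dn.split(',').map { |rdn| rdn.strip.downcase }.join(',')
end

# Work out what a group's attribute values should become, given the values that
# must be present and those that must be absent. Values named in neither list
# are left untouched, which is the behaviour the text describes. A DN listed in
# both is treated as a manifest error (this example's choice, not the module's).
def reconcile(current, present_in, absent_in)
  current    = current.map    { |d| normalize_dn(d) }
  present_in = present_in.map { |d| normalize_dn(d) }
  absent_in  = absent_in.map  { |d| normalize_dn(d) }
  overlap = present_in & absent_in
  unless overlap.empty?
    raise ArgumentError, "listed in both present_in and absent_in: #{overlap.join(', ')}"
  end
  wanted = (current | present_in) - absent_in
  {
    values:  wanted,                       # what the attribute should hold afterwards
    add:     present_in - current,         # values an LDAP modify/add must send
    delete:  current & absent_in,          # values an LDAP modify/delete must send
    changed: wanted.sort != current.sort,  # what an insync? check would answer
  }
end
```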
As mentioned, responsibility for LDAP principals is mostly shared across the organization. But you want to be sure your part of the LDAP tree contains only the entries you consider necessary. Puppet has a purge feature that allows you to remove resources that are not specified in your manifest. But using this on LDAP would also remove entries you don't manage. So there needs to be a way to purge just a container you manage. ldap_principal has this feature. Setting the parameter purge to true on a certain LDAP container means every entry in it that is not present in your manifest will automatically be purged. This means your LDAP can remain clean and free of dangerous unwanted entries. Here is an example:
ldap_principal { 'docker:ou=muppetshow,dc=example,dc=org':
  ensure => 'absent',
  purge  => true,
}
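The container-scoped purge described above, as an added Ruby example that is not the module's code: it selects, from a constructed directory listing, the entries to delete for a container with purge set, restricted to that container's subtree so that entries elsewhere in the tree and the container entry itself are never touched. The directory contents, the manifest DNs and the DN normalisation are assumptions made for this illustration.

```ruby
# Constructed directory listing: what a search from the server root returns.
DIRECTORY_DNS = [
  'ou=muppetshow,dc=example,dc=org',             # the container itself
  'cn=kermit,ou=muppetshow,dc=example,dc=org',
  'cn=gonzo,ou=muppetshow,dc=example,dc=org',
  'cn=stranger,ou=muppetshow,dc=example,dc=org', # nobody declared this one
  'cn=admin,ou=it,dc=example,dc=org',            # outside the container: never purged
].freeze

# DNs of the entries the manifest declares inside the container.
MANIFEST_DNS = [
  'cn=kermit,ou=muppetshow,dc=example,dc=org',
  'CN=Gonzo, ou=muppetshow, dc=example, dc=org', # same entry, different spelling
].freeze

# Normalise a DN so case and whitespace differences do not cause false purges.
def normalize_dn(dn)
  dn.split(',').map { |rdn| rdn.strip.downcase }.join(',')
end

# True when dn lies strictly below container. The container itself is excluded
# so that purging its contents can never delete the container entry.
def under?(dn, container)
  dn = normalize_dn(dn)
  container = normalize_dn(container)
  dn != container && dn.end_with?(",#{container}")
end

# Entries to delete for a container with purge => true: everything in the
# container's subtree that the manifest does not declare. Entries outside the
# container are left alone, which is the scoping the text asks for.
def purge_plan(container, directory_dns, manifest_dns)
  managed = manifest_dns.map { |d| normalize_dn(d) }
  directory_dns.select do |dn|
    under?(dn, container) && !managed.include?(normalize_dn(dn))
  end
end
```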
But not only unknown entries can be dangerous; unknown attributes can also be a security hazard. To tackle this, ldap_principal has a feature called purge_attributes. When you set this to true, all attributes not specified for these LDAP entries are removed, making sure only attributes specified in your manifest are found in your part of the LDAP tree. Here is an example:
ldap_principal { 'docker:cn=fozzie,ou=muppetshow,dc=example,dc=org':
  ensure           => 'present',
  purge_attributes => true,
  attributes       => {
    'objectclass'  => ['top', 'inetOrgPerson'],
    'userPassword' => "{SSHA512}2ZsyGTxVyEw14Cu9D/OXpTddfy/387D/rlR6R0VVdRIz+3Wn52fSYZpKAP1S\n9J/kRbkoBiPK/9eZMOZV6cgidzEyMzQ1Njc4",
    'givenName'    => 'Fozzie Bear',
    'cn'           => 'fozzie',
    'sn'           => 'Fozzie',
  },
}
Some LDAP servers allow you to set the password of an entry to a value that is encrypted before it is sent to the server. This is inherently unsafe. Therefore, in most larger organizations, the password encryption is done by the LDAP server. But because Puppet needs to manage encrypted attributes in an idempotent way, we need some way of control over the encrypted value. The ldap_principal Puppet type has support for the transform property. Using this property, you can manage how Puppet transforms specified user values before comparing them to the current state.
ldap_principal { 'docker:cn=gonzo,dc=example,dc=org':
  ensure     => 'present',
  attributes => {
    'sn'           => 'gonzo',
    'objectclass'  => ["top", "inetorgperson"],
    'userPassword' => 'mysecretpassword',
    'givenName'    => 'Gonzo',
  },
  transform  => {'userPassword' => 'hashed'},
}
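Why a transform is needed for idempotency, as an added Ruby example that is not the module's own implementation: when the directory stores a salted {SSHA512} value, re-hashing the manifest's plaintext on every run produces a different string each time, so an insync? check has to verify the plaintext against the stored hash instead of comparing strings, and only write a fresh hash when verification fails. The {SSHA512} layout used here (base64 of the SHA-512 digest followed by the salt) and all function names are assumptions; how the module compares internally is not stated on the page.

```ruby
require 'digest'
require 'base64'
require 'securerandom'

SCHEME = '{SSHA512}'.freeze

# Build a salted hash in the common {SSHA*} layout: base64(sha512(pw || salt) || salt).
# This layout is assumed for the example, not taken from the module.
def ssha512(password, salt = SecureRandom.random_bytes(8))
  digest = Digest::SHA512.digest(password.b + salt.b)
  SCHEME + Base64.strict_encode64(digest + salt.b)
end

# Constant-time byte comparison, so verification does not leak how many
# leading bytes of the digest matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check a plaintext password against a stored {SSHA512} value. Anything that is
# not a well-formed {SSHA512} value counts as "does not match".
def ssha512_match?(stored, password)
  return false unless stored.is_a?(String) && stored.start_with?(SCHEME)
  blob = Base64.strict_decode64(stored[SCHEME.length..-1])
  return false if blob.bytesize <= 64             # digest only, no salt appended
  digest, salt = blob[0, 64], blob[64..-1]
  secure_equal?(Digest::SHA512.digest(password.b + salt), digest)
rescue ArgumentError                               # malformed base64
  false
end

# The two halves of an idempotent 'hashed' transform: the manifest holds the
# plaintext, the directory holds a salted hash. insync? verifies rather than
# re-hashing with a fresh salt and comparing strings (which would report a
# change on every run); a new hash with a new salt is only produced when the
# stored value no longer matches the manifest.
def password_insync?(current_value, manifest_value)
  ssha512_match?(current_value, manifest_value)
end

def password_should(manifest_value)
  ssha512(manifest_value)
end
```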
If you have some or all of these requirements, check out the rest of the documentation for more details or go to the shop.
We currently have the following licensing methods for you:
1) Free when used on VirtualBox
2) Base pack
3) Base pack with extra licenses for directory entries
4) Manage unlimited number of directory entries
5) Custom licensing
This module is free when used on a VirtualBox testing machine. The software checks if you are using VirtualBox and allows usage. No need to get any licenses from us to get going. Just download the module from our own forge and get going. To download the module use:
  puppet module install --module_repository=http://forge.enterprisemodules.com enterprisemodules-modulename
This FREE entitlement allows you to manage up to 50 LDAP entries on an LDAP server. To apply for the base pack we require you to supply all address information, including a valid company email address. Requests without a valid company email address unfortunately cannot be accepted. Here you can purchase this license
When 50 directory entries are not sufficient, you can purchase additional licenses for directory entries. Here you can purchase licenses for your extra directory entries
When you purchase this license, you can manage as many directory entries in LDAP servers as you need. Here you can purchase this license
Our license manager is very flexible. If you have special requirements, please contact us so we can discuss other options.
When you have questions about licensing, please contact us or check our licensing FAQ
The ldap_principal module requires:
Here you can find some more information regarding this Puppet module: