From 47f614031fc800ec0d758fe7bfca2fb2d5a43d9e Mon Sep 17 00:00:00 2001
From: Ossi Herrala
Date: Tue, 5 Feb 2013 12:35:21 +0000
Subject: [PATCH 1/3] Generate CA certificate database from file /etc/openldap/ca-certificates.crt

---
 ldap/manifests/init.pp | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp
index 4f1e731..45a16b9 100644
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@@ -436,6 +436,22 @@ class ldap::server {
 notify => Service["slapd"],
 }
 
+ file { "/etc/openldap/cacerts":
+ ensure => directory,
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ require => Package["openldap-server"],
+ }
+ exec { "populate-etc-openldap-cacerts":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ command => "csplit /etc/openldap/ca-certificates.crt '/BEGIN/' '{*}' ; sh -c 'for i in x* ; do name=`openssl x509 -hash -noout -in \$i`.0 ; openssl x509 -hash -in \$i -out \$name ; done' && rm -f x* .0",
+ cwd => "/etc/openldap/cacerts",
+ onlyif => "find /etc/openldap/cacerts ! -newer /etc/openldap/ca-certificates.crt | egrep '.*' || [ -z \"`ls /etc/openldap/cacerts`\" ]",
+ require => File["/etc/openldap/cacerts"],
+ before => Service["slapd"],
+ }
+
 file { "slapd.conf":
 ensure => present,
 path => "${config}/slapd.conf",

From 6ab334fa625c4815fee3f5bd6f75ea8a7098a8ee Mon Sep 17 00:00:00 2001
From: Ossi Herrala
Date: Tue, 5 Feb 2013 12:56:14 +0000
Subject: [PATCH 2/3] Run slaptest to validate configuration files before (re)starting slapd service.

---
 ldap/manifests/init.pp | 36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)

diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp
index 45a16b9..a28ee40 100644
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
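Review bot: The populate-etc-openldap-cacerts exec never removes hash files left by an earlier run, so a CA dropped from /etc/openldap/ca-certificates.crt stays trusted through /etc/openldap/cacerts, and the `onlyif` only notices the bundle becoming newer, not entries that should disappear. Two certificates whose subject hash collides also both get the `<hash>.0` name (placeholder) and the second overwrites the first, whereas OpenSSL's own c_rehash numbers such files `.0`, `.1` and so on. A small change that keeps the exec idempotent is to clear the directory before splitting, `command => "rm -f *.0 x* ; csplit /etc/openldap/ca-certificates.crt '/BEGIN/' '{*}' ; ...",` (the rest of the command unchanged), or to let c_rehash build the directory from the split files. Patch 3/3 removes this resource again, so this applies only if it is reinstated.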
@@ -365,7 +365,7 @@ class ldap::server {
 command => "usermod -a -G ssl-cert openldap",
 unless => "id -n -G openldap | grep '\\bssl-cert\\b'",
 require => Package["openldap-server"],
- before => Service["slapd"],
+ before => Exec["slaptest"],
 }
 }
 "fedora": {
@@ -424,7 +424,7 @@ class ldap::server {
 default => "root",
 },
 require => Package["openldap-server"],
- notify => Service["slapd"],
+ notify => Exec["slaptest"],
 }
 file { "${ssl::private}/slapd.key":
 ensure => present,
@@ -433,7 +433,7 @@ class ldap::server {
 owner => "root",
 group => $group,
 require => Package["openldap-server"],
- notify => Service["slapd"],
+ notify => Exec["slaptest"],
 }

 file { "/etc/openldap/cacerts":
@@ -449,7 +449,7 @@ class ldap::server {
 cwd => "/etc/openldap/cacerts",
 onlyif => "find /etc/openldap/cacerts ! -newer /etc/openldap/ca-certificates.crt | egrep '.*' || [ -z \"`ls /etc/openldap/cacerts`\" ]",
 require => File["/etc/openldap/cacerts"],
- before => Service["slapd"],
+ before => Exec["slaptest"],
 }

 file { "slapd.conf":
@@ -459,7 +459,7 @@ class ldap::server {
 mode => "0640",
 owner => "root",
 group => $group,
- notify => Service["slapd"],
+ notify => Exec["slaptest"],
 require => Package["openldap-server"],
 }
 file { "${config}/slapd.conf.d":
@@ -484,7 +484,7 @@ class ldap::server {
 mode => "0644",
 owner => "root",
 group => "root",
- notify => Service["slapd"],
+ notify => Exec["slaptest"],
 require => Package["openldap-server"],
 }
 }
@@ -495,12 +495,20 @@ class ldap::server {
 mode => "0644",
 owner => "root",
 group => "root",
- notify => Service["slapd"],
+ notify => Exec["slaptest"],
 require => Package["openldap-server"],
 }
 }
 }
 
+ exec { "slaptest":
+ command => "slaptest",
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ refreshonly => true,
+ require => File["${config}/slapd.conf.d"],
+ notify => Service["slapd"],
+ }
+
 service { "slapd":
 name => $service_name,
 start => $::operatingsystem ? {
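Review bot: The new `exec { "slaptest": command => "slaptest" }` in the -495 hunk runs the check as root with the databases reachable, and on the bdb/hdb backends a slaptest that opens a database can leave environment files in the database directory owned by root, which the unprivileged slapd it then notifies may fail to open — confirm this on the target platform. Running it in dry-run mode, `command => "slaptest -u",`, which on the versions I know parses the configuration without starting the backends, or setting the exec's `user` to the slapd service account, avoids that. It is also worth stating the intended failure mode on the resource, e.g. `# slaptest exits non-zero on a broken config, so Service["slapd"] is not refreshed from it and the running daemon keeps its last good config`, since that is the whole reason for routing every notify through this exec.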
@@ -509,7 +517,7 @@ class ldap::server {
 },
 ensure => running,
 enable => true,
- require => Package ["openldap-server"]
+ require => Package["openldap-server"]
 }

 if $ldap_datadir {
@@ -578,7 +586,7 @@ class ldap::server {
 path => "/bin:/usr/bin:/sbin:/usr/sbin",
 refreshonly => true,
 require => File["${config}/slapd.conf.d"],
- notify => Service["slapd"],
+ notify => Exec["slaptest"],
 }
 ldap::server::schema { [ "core", "cosine", "ppolicy", ]:
 idx => 10,
@@ -590,13 +598,13 @@ class ldap::server {
 owner => "root",
 group => $group,
 require => Exec["generate-slapd-database-config"],
- notify => Service["slapd"],
+ notify => Exec["slaptest"],
 }
 exec { "generate-slapd-database-config":
 command => "find ${config}/slapd.conf.d/db.*.conf -exec echo 'include {}' \\; > ${config}/slapd.conf.d/database.conf",
 path => "/bin:/usr/bin:/sbin:/usr/sbin",
 refreshonly => true,
- notify => Service["slapd"],
+ notify => Exec["slaptest"],
 }
 }
@@ -654,7 +662,7 @@ define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $modu
 mode => "0640",
 owner => "root",
 group => $ldap::server::group,
- notify => Service["slapd"],
+ notify => Exec["slaptest"],
 }

 file { "${ldap::server::config}/slapd.conf.d/index.${name}.conf":
@@ -665,7 +673,7 @@ define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $modu
 mode => "0640",
 owner => "root",
 group => $ldap::server::group,
- notify => Service["slapd"],
+ notify => Exec["slaptest"],
 }

 file { "/srv/ldap/${name}":
@@ -690,7 +698,7 @@ define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $modu
 },
 seltype => "slapd_db_t",
 require => File["/srv/ldap/${name}"],
- before => Service["slapd"],
+ before => Exec["slaptest"],
 }
 }

From 11d7479ca81f55bafe97417627f0db7e1528dc90 Mon Sep 17 00:00:00 2001
From: Ossi Herrala
Date: Tue, 5 Feb 2013 13:52:52 +0000
Subject: [PATCH 3/3] Remove CA certificate database creation code for now.

---
 ldap/manifests/init.pp | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp
index a28ee40..220ed3f 100644
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@@ -436,22 +436,6 @@ class ldap::server {
 notify => Exec["slaptest"],
 }
 
- file { "/etc/openldap/cacerts":
- ensure => directory,
- mode => "0755",
- owner => "root",
- group => "root",
- require => Package["openldap-server"],
- }
- exec { "populate-etc-openldap-cacerts":
- path => "/bin:/usr/bin:/sbin:/usr/sbin",
- command => "csplit /etc/openldap/ca-certificates.crt '/BEGIN/' '{*}' ; sh -c 'for i in x* ; do name=`openssl x509 -hash -noout -in \$i`.0 ; openssl x509 -hash -in \$i -out \$name ; done' && rm -f x* .0",
- cwd => "/etc/openldap/cacerts",
- onlyif => "find /etc/openldap/cacerts ! -newer /etc/openldap/ca-certificates.crt | egrep '.*' || [ -z \"`ls /etc/openldap/cacerts`\" ]",
- require => File["/etc/openldap/cacerts"],
- before => Exec["slaptest"],
- }
-
 file { "slapd.conf":
 ensure => present,
 path => "${config}/slapd.conf",