Real time config support

.gitignore

@@ -1,3 +1,7 @@
 .swp
 pkg
 spec/fixtures
+.kitchen/
+.kitchen.local.yml
+.librarian
+.tmp

.kitchen.yml

@@ -0,0 +1,20 @@
+---
+driver:
+  name: vagrant
+
+provisioner:
+  name: puppet_apply
+  modules_path: ..
+  fileserver_config_path: puppet/fileserver.conf
+  files_path: puppet/files
+  puppet_debug: true
+
+platforms:
+  - name: debian-6.0.8
+  - name: debian-7.2.0
+  - name: ubuntu-12.04
+  - name: centos-6.4
+
+suites:
+  - name: master
+  - name: slave

.ruby-version

@@ -0,0 +1 @@
+2.0.0-p451

Gemfile

@@ -1,6 +1,13 @@
-source :rubygems
+source 'https://rubygems.org'
+
+ruby '2.0.0'
 
 gem 'rake', '~> 0.8.7'
-gem 'puppet', '~> 2.7'
+gem 'puppet', '~> 3.0'
 gem 'rspec-puppet', '~> 0.1.6'
 gem 'puppetlabs_spec_helper', '~> 0.4.1'
+
+gem 'test-kitchen', '~> 1.0'
+gem 'kitchen-vagrant'
+gem 'kitchen-puppet', github: 'neillturner/kitchen-puppet', branch: 'master'
+gem 'librarian-puppet'

Gemfile.lock

@@ -1,19 +1,47 @@
+GIT
+  remote: git://github.com/neillturner/kitchen-puppet.git
+  revision: b8e7579962629b9b3c110d4569da0031a12df47d
+  branch: master
+  specs:
+    kitchen-puppet (0.0.9)
+
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
   specs:
     diff-lcs (1.2.4)
     facter (1.7.2)
+    hiera (1.3.2)
+      json_pure
+    highline (1.6.21)
+    json (1.8.1)
+    json_pure (1.8.0)
+    kitchen-vagrant (0.15.0)
+      test-kitchen (~> 1.0)
+    librarian (0.1.2)
+      highline
+      thor (~> 0.15)
+    librarian-puppet (1.0.2)
+      json
+      librarian (>= 0.1.2)
     metaclass (0.0.1)
+    mixlib-shellout (1.4.0)
     mocha (0.14.0)
       metaclass (~> 0.0.1)
-    puppet (2.7.22)
-      facter (~> 1.5)
+    net-scp (1.2.1)
+      net-ssh (>= 2.6.5)
+    net-ssh (2.9.0)
+    puppet (3.5.1)
+      facter (> 1.6, < 3)
+      hiera (~> 1.0)
+      json_pure
+      rgen (~> 0.6.5)
     puppetlabs_spec_helper (0.4.1)
       mocha (>= 0.10.5)
       rake
       rspec (>= 2.9.0)
       rspec-puppet (>= 0.1.1)
     rake (0.8.7)
+    rgen (0.6.6)
     rspec (2.13.0)
       rspec-core (~> 2.13.0)
       rspec-expectations (~> 2.13.0)
@@ -24,12 +52,24 @@ GEM
     rspec-mocks (2.13.1)
     rspec-puppet (0.1.6)
       rspec
+    safe_yaml (1.0.3)
+    test-kitchen (1.2.1)
+      mixlib-shellout (~> 1.2)
+      net-scp (~> 1.1)
+      net-ssh (~> 2.7)
+      safe_yaml (~> 1.0)
+      thor (~> 0.18)
+    thor (0.19.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  puppet (~> 2.7)
+  kitchen-puppet!
+  kitchen-vagrant
+  librarian-puppet
+  puppet (~> 3.0)
   puppetlabs_spec_helper (~> 0.4.1)
   rake (~> 0.8.7)
   rspec-puppet (~> 0.1.6)
+  test-kitchen (~> 1.0)

Modulefile

@@ -6,6 +6,3 @@ license 'GPL v2'
 summary 'OpenLDAP module for Puppet.'
 description 'Manage OpenLDAP clients and server via Puppet'
 project_page 'https://github.com/torian/puppet-ldap'
-
-# Dependency
-dependency 'puppetlabs/stdlib', '>= 4.1.0'

Puppetfile

@@ -0,0 +1,3 @@
+forge "https://forge.puppetlabs.com"
+
+modulefile

Puppetfile.lock

@@ -0,0 +1,2 @@
+DEPENDENCIES
+

README.md

@@ -109,6 +109,99 @@ Configure an OpenLdap slave:
         ],
     }
 
+### Directory updates
+
+This module includes a puppet type and provider that aims to simply managing ldap entries via ldapmodify and ldapadd commands.
+
+In essence the mechanism it uses is described as follows:
+
+* Translate the puppet "ldapdn" resource into an in-memory ldif
+* ldapsearch the existing dn to verify the current contents (if any)
+* compare the results of the search with what should be the case
+* work out which add/modify/delete commands are required to get to the desired state
+* write out an appropriate ldif file
+* execute it via an ldapmodify statement.
+
+Examples of usage are as follows:
+
+First you might like to set a root password:
+
+```puppet
+ldapdn { "add manager password":
+  dn => "olcDatabase={2}hdb,cn=config",
+  attributes => ["olcRootPW: password"],
+  unique_attributes => ["olcRootPW"],
+  ensure => present,
+}
+```
+
+`attributes` sets the attributes that you wish to set (be sure to separate key and value with <semi-colon space>).
+`unique_attributes` can be used to specify the behaviour of `ldapmodify` when there is an existing attribute with this name. If the attribute key is specified here, then `ldapmodify` will issue a replace, replacing the existing value (if any), whereas if the attribute key is not specified here, then `ldapmodify` will simply ensure the attribute exists with the value required, alongside other values if also specified (e.g. for `objectClass`).
+
+```puppet
+$organizational_units = ["Groups", "People", "Programs"]
+ldap::add_organizational_unit { $organizational_units: }
+
+define ldap::add_organizational_unit () {
+  ldapdn { "ou ${name}":
+    dn => "ou=${name},dc=example,dc=com",
+    attributes => [ "ou: ${name}",
+                    "objectClass: organizationalUnit" ],
+    unique_attributes => ["ou"],
+    ensure => present,
+  }
+}
+```
+
+In the above example, multiple groups are created. Notice in each case, that `objectClass` does not form part of the `unique_attributes`, so that (in future) more `objectClasses` may be added to each ou, without them being replaced.
+
+By default, all ldap commands are issued with the `-QY EXTERNAL` SASL auth mechanism.
+
+Here is how you can create a database in the first place:
+
+```puppet
+ldapdn { "add database":
+  dn => "dc=example,dc=com",
+  attributes => ["dc: example",
+                 "objectClass: top",
+                 "objectClass: dcObject",
+                 "objectClass: organization",
+                 "o: example.com"],
+  unique_attributes => ["dc", "o"],
+  ensure => present
+}
+```
+
+Additionally, you may need to specify alternative authentication options when managing resources:
+
+```puppet
+ldapdn { "add database":
+  dn => "dc=example,dc=com",
+  attributes => ["dc: example",
+                 "objectClass: top",
+                 "objectClass: dcObject",
+                 "objectClass: organization",
+                 "o: example.com"],
+  unique_attributes => ["dc", "o"],
+  ensure => present,
+  auth_opts => ["-xD", "cn=admin,dc=example,dc=com", "-w", "somePassword"],
+}
+```
+
+Sometimes you will want to ensure an attribute exists, but wont care about its subsequent value. An example of this is a password.
+
+```puppet
+ldapdn { "add password":
+  dn => "cn=Geoff,ou=Staff,dc=example,dc=com",
+  attributes => ["olcUserPassword: {SSHA}somehash..."],
+  unique_attributes => ["olcUserPassword"],
+  indifferent_attributes => ["olcUserPassword"],
+  ensure => present
+}
+```
+
+By specifying `indifferent_attributes, ensure => present` will ensure that if the key doesn't exist, it will create it with the desired password hash, but if the key does exist, it won't bother replacing it again. In this way you can keep passwords managed by something like phpldapadmin if you so wish.
+
 Notes
 -----
 
@@ -136,6 +229,12 @@ Requirements
  * If enable_motd is enabled (enable_motd => true) you'll need
    [puppet-motd](https://github.com/torian/puppet-motd.git)
 
+Testing
+-------
+
+Unit tests: `rake spec`
+Integration tests: `kitchen test`
+
 TODO
 ----
 

files/convertschema.sh

@@ -0,0 +1,87 @@
+#!/bin/sh
+
+# Script to convert schema files to LDIF files
+#
+# OPTIONS:
+#  -s The input schema file to convert
+#  -l The resulting LDIF file
+#  -d A comma separated list of schema dependencies
+#  -sd  The schema directory
+#
+
+SCHEMAFILE=""
+LDIFFILE=""
+DEPS=""
+SCHEMADIR=""
+
+while getopts "s:l:d:sd:" options; do
+  case $options in
+    s ) SCHEMAFILE=$OPTARG;;
+    l ) LDIFFILE=$OPTARG;;
+    d ) DEPS=$OPTARG;;
+    sd ) SCHEMADIR=$OPTARG;;
+    * ) echo "Specify input schema file with -s and output LDIF file with -l"
+        exit 1;;
+  esac
+done
+
+# do we have -s?
+if [ x${SCHEMAFILE} = "x" ]; then
+  echo "Please specify a input schema file with -s"
+  exit 1
+fi
+
+# do we have -l?
+if [ x${LDIFFILE} = "x" ]; then
+  echo "Please specify an output LDIF file with -l"
+  exit 1
+fi
+
+# can we write to -l?
+if [ -f ${LDIFFILE} ]; then
+  if [ ! -w ${LDIFFILE} ]; then
+    echo "Cannot write to ${LDIFFILE}"
+    exit 1
+  fi
+else
+  if [ ! -w `dirname ${LDIFFILE}` ]; then
+    echo "Cannot write to `dirname ${LDIFFILE}` to create ${LDIFFILE}"
+    exit 1
+  fi
+fi
+
+# do we have -sd?
+if [ x${SCHEMADIR} = "x" ]; then
+  SCHEMADIR=/etc/ldap/schema
+fi
+
+# Get the base name of the schema file
+BASENAME=`basename ${SCHEMAFILE} | cut -d'.' -f1`
+
+# Create a temporary config file and directory to set the schemas to process
+TEMPDIR=$(mktemp -d) || exit 1
+TEMPFILE=$(mktemp -p ${TEMPDIR}) || exit 1
+
+# Add all of the dependencies
+for dep in `echo ${DEPS} | sed s/,/\\\n/g`; do
+  if [ -f "${SCHEMADIR}/${dep}.schema" ]; then
+    echo "include ${SCHEMADIR}/${dep}.schema" >> ${TEMPFILE}
+  fi
+done
+echo "include ${SCHEMAFILE}" >> ${TEMPFILE}
+
+# Determine the index of the schema
+SCHEMAINDEX=$(slapcat -f ${TEMPFILE} -F ${TEMPDIR} -n 0 | grep "${BASENAME},cn=schema")
+SCHEMADN=$(echo "${SCHEMAINDEX}" | sed 's/dn: //g')
+
+# Convert the schema to LDIF format
+slapcat -f ${TEMPFILE} -F ${TEMPDIR} -n 0 -H ldap:///${SCHEMADN} -l ${TEMPDIR}/cn=${BASENAME}.ldif || exit 1
+
+# Remove index information
+sed -e "s/{[0-9]*}${BASENAME}/${BASENAME}/g" \
+  -e "/^structuralObjectClass:/d; /^entryUUID:/d; /^creatorsName:/d; /^createTimestamp:/d" \
+  -e "/^entryCSN:/d; /^modifiersName:/d; /^creatorsName:/d; /^modifyTimestamp:/d" \
+  ${TEMPDIR}/cn=${BASENAME}.ldif > ${LDIFFILE}
+
+# Cleanup resources
+rm -rf -- "${TEMPDIR}"