This is a custom Hiera 5 backend that allows hiera to perform LDAP queries. It is intended to be used in a puppet environment with a puppet master; it (likely) won't work in a masterless puppet environment. This backend only reads from LDAP, and does not need write access.

This backend leverages the jruby-ldap ruby gem. This gem needs to be installed on your puppet master:

$ sudo /opt/puppetlabs/bin/puppetserver gem install jruby-ldap

You'll also need read access to the LDAP instance you want to query from your puppet master. To be able to query your LDAP instance from hiera, you'll have to configure how to connect to your LDAP instance in your hiera hierarchy, i.e. in the LDAP section of your hiera.yaml. With a minimal configuration like that, hiera connects to the configured host using simple binding without username and password, without using SSL, on the default port 389.

In your puppet code, you can now query your LDAP instance with a hiera call:

hiera('ldap:///<LDAP search>')

where <LDAP search> is formatted like an LDAP URL, i.e. <base DN>?<attributes>?<scope>?<filter>. The result will be an array of hashes, with the LDAP attributes as keys. The value of a hash key, or attribute, is an array of values found in LDAP. The exception is the value of attribute 'dn', which is a string instead of an array.

For example, if your groups are posixGroups in the ou=Groups subtree, you can query the members of the 'admins' group as follows:

hiera('ldap:///ou=Groups,dc=example,dc=com?memberUid?sub?(cn=admins)')

This results in:

- dn: 'cn=admins,ou=Groups,dc=example'

You have to include the base DN in your query. If you omit the attributes from the query, you'll get all attributes. If you omit the scope, it will default to 'sub', and if you leave out the filter, it will default to 'objectClass=*'. You can also leave out trailing question marks. I.e., if you do hiera('ldap:///dc=example,dc=com') you'll get your entire LDAP tree as result.

The above examples are all 'direct': the LDAP URL is just a parameter to the hiera call. You can also use 'indirect' LDAP queries, where the actual query is looked up in a yaml file, much like regular hiera keys are looked up. This allows for automatic class parameter lookup.

For example, if you configure your hiera.yaml like this, and your my_class module looks like this:

class my_class ( Array $users = )

and the file nodes/.ldap looks like this:

my_class::users: 'ldap:///ou=People,dc=example,dc=com?sub?uid=*'

then, when the puppet master prepares the catalog for the node, for the value of users it will look up the LDAP query in nodes/.ldap, perform the query, and plug the value into the users variable.

Indirect queries also support hiera interpolation, so you should be able to write something like:

my_class::host_aliases: 'ldap:///ou=Hosts,dc=example,dc=com?cn?sub?cn=%'

You can probably re-use your yaml/eyaml hiera file for this, but you'll need to be sure your hiera.yaml contains the LDAP section before the yaml or eyaml sections.

The options in the LDAP section of your hiera.yaml are:

- Port: The port that your LDAP service listens on. Default: 389 when use_ssl is false, 636 when use_ssl is true.
- bind_dn: The bind DN necessary to query your LDAP instance, for example: cn=admin,dc=example,dc=com.
- bind_password: The password that goes with your bind_dn.
- Bind method. Available options: none (which is simple, but with bind_dn and bind_password ignored), simple, sasl.
- use_ssl: If you want to use SSL, you'll have to ensure JRuby can verify your LDAP server certificate. Note that with simple binding and use_ssl off, the bind password crosses the network in cleartext.
- Indirect query files: An array of yaml formatted files in your hiera tree that link variables to LDAP queries.
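The following is an added example, not code from the jruby-ldap backend or this README: it models how an 'ldap:///' lookup key is split into base DN, attributes, scope and filter with the defaults described above (mandatory base DN, all attributes when none are given, 'sub' and 'objectClass=*' as fallbacks, trailing question marks optional), how the default port follows use_ssl, and how raw entries are shaped into the array-of-hashes result with 'dn' as a string. The directory it searches is a small constructed set of entries standing in for jruby-ldap search results, and the function names (parse_ldap_url, ldap_port_for, in_scope?, matches_filter?, shape_entries, ldap_lookup) and CONSTRUCTED_ENTRIES are assumptions for illustration. It goes slightly beyond the page by also handling the standard 'base' and 'one' scopes and a single equality or presence filter.

```ruby
# Added example (not the backend's own code): models the lookup-key parsing
# and result shaping the README describes. All names here are assumptions.

DEFAULT_SCOPE  = 'sub'.freeze
DEFAULT_FILTER = 'objectClass=*'.freeze

# Split "ldap:///<base DN>?<attributes>?<scope>?<filter>" into its parts.
# The base DN is mandatory; omitted attributes mean "all attributes";
# scope and filter fall back to the defaults; trailing '?' may be left out.
def parse_ldap_url(key)
  raise ArgumentError, "not an ldap:/// key: #{key}" unless key.start_with?('ldap:///')

  base, attrs, scope, filter = key.delete_prefix('ldap:///').split('?', 4)
  raise ArgumentError, 'the base DN must be included in the query' if base.nil? || base.empty?

  {
    base:   base,
    attrs:  attrs.to_s.empty? ? [] : attrs.split(','),
    scope:  scope.to_s.empty? ? DEFAULT_SCOPE : scope,
    filter: filter.to_s.empty? ? DEFAULT_FILTER : filter
  }
end

# Default port: 389 for plain LDAP, 636 when use_ssl is set, unless a port
# is configured explicitly.
def ldap_port_for(use_ssl, port = nil)
  port || (use_ssl ? 636 : 389)
end

# Constructed sample directory (stand-in for jruby-ldap search results):
# every attribute value is an array, as LDAP attributes are multi-valued.
CONSTRUCTED_ENTRIES = [
  { 'dn' => 'ou=Groups,dc=example,dc=com',
    'objectClass' => %w[organizationalUnit], 'ou' => %w[Groups] },
  { 'dn' => 'cn=admins,ou=Groups,dc=example,dc=com',
    'objectClass' => %w[posixGroup], 'cn' => %w[admins],
    'gidNumber' => %w[1000], 'memberUid' => %w[alice bob] },
  { 'dn' => 'cn=devs,ou=Groups,dc=example,dc=com',
    'objectClass' => %w[posixGroup], 'cn' => %w[devs],
    'gidNumber' => %w[1001], 'memberUid' => %w[carol] },
  { 'dn' => 'uid=alice,ou=People,dc=example,dc=com',
    'objectClass' => %w[posixAccount], 'uid' => %w[alice] }
].freeze

# Does dn fall within base for the given scope ('base', 'one' or 'sub')?
def in_scope?(dn, base, scope)
  return true if dn.casecmp?(base) && scope != 'one'
  return false unless dn.downcase.end_with?(",#{base.downcase}")
  return true if scope == 'sub'

  # scope 'one': exactly one RDN between the entry and the base
  scope == 'one' && !dn[0...-(base.length + 1)].include?(',')
end

# Minimal filter support: "attr=value", "(attr=value)" or presence "attr=*".
def matches_filter?(entry, filter)
  attr, value = filter.delete('()').split('=', 2)
  values = entry[attr] || []
  value == '*' ? !values.empty? : values.any? { |v| v.casecmp?(value) }
end

# Shape matching entries into the array of hashes hiera returns:
# 'dn' as a string, every requested attribute as an array of values.
def shape_entries(entries, query)
  entries
    .select { |e| in_scope?(e['dn'], query[:base], query[:scope]) && matches_filter?(e, query[:filter]) }
    .map do |e|
      wanted = query[:attrs].empty? ? e.keys - ['dn'] : query[:attrs]
      result = { 'dn' => e['dn'] }
      wanted.each { |a| result[a] = e[a] if e.key?(a) }
      result
    end
end

# Resolve a hiera lookup key against the (constructed) directory.
def ldap_lookup(key, entries = CONSTRUCTED_ENTRIES)
  shape_entries(entries, parse_ldap_url(key))
end

if __FILE__ == $PROGRAM_NAME
  p ldap_lookup('ldap:///ou=Groups,dc=example,dc=com?memberUid?sub?(cn=admins)')
  p ldap_lookup('ldap:///dc=example,dc=com').length
end
```

The 'admins' lookup above yields one hash with the dn string and a two-element memberUid array; the bare base-DN lookup walks the whole constructed tree. If you interpolate fact values into the filter part of an indirect query, remember that they reach the server as filter syntax, so only interpolate values you trust.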