Pulling Strings With Puppet - James Turnbull [46]

define nodes in your manifest files.

The first step in using LDAP for our node configuration is to ensure the Ruby LDAP libraries are installed. First, check for the presence of the LDAP libraries.

If this command does not return installed, the libraries are not installed. You can either install them via your distribution's package management system or download them from the Ruby/LDAP site. In Table 6-1, you can see a list of the currently available Ruby/LDAP packages for a variety of distributions.

If there isn't a package for your distribution, you can download the required libraries either in the form of an RPM or a source package from the Ruby/LDAP site. The Ruby/LDAP site is located at http://ruby-ldap.sourceforge.net/.

If you need to compile the libraries yourself, download the current version, 0.9.7 at the time of writing, and unpack it.

To compile Ruby/LDAP you will also need the Ruby development headers (usually provided by your distribution's ruby-devel package).

You can check for successful installation with the ruby -rldap -e "puts :installed" command.

Next you need to set up your LDAP server. You can use OpenLDAP, Red Hat Directory Server (or Fedora Directory Server), Sun's Directory Server, or one of a variety of other LDAP servers. We're going to assume we are using OpenLDAP, and we're also going to assume we've already got it set up and running.

Tip - For some quick start instructions on setting up OpenLDAP, you can refer to http://www.openldap.org/doc/admin23/quickstart.html.

The first step we need to take for our LDAP configuration is to add the Puppet schema to our LDAP directory's configuration.

Caution - You may need to tweak or translate the default LDAP schema for some directory servers, but it is suitable for OpenLDAP.

The Puppet schema document is available in the Puppet source package in the ext/ldap/puppet.schema file or can be taken from the project's Git repository at http://reductivelabs.com/git/puppet/. We need to add it to our schema directory and slapd.conf configuration file. For example, on a Debian host, the schema directory is /etc/ldap/schema, and the slapd.conf configuration is located in the /etc/ldap directory. Copy the puppet.schema file into the appropriate directory.

Now we add an include statement to our slapd.conf configuration file; there should be a number of existing statements you can model.

To update OpenLDAP, we now need to restart our server.

Once we've configured the LDAP server, we need to tell Puppet to use an LDAP server as the source of its node configuration. We configure this in the [puppetmasterd] section of the puppet.conf configuration file as you can see in Listing 6-6.

LDAP configuration is very simple. First, we set the ldapnodes option to true. Next we specify the hostname of our LDAP server, in our case ldapserver.testing.com, in the ldapserver option. Lastly, in the ldapbase option, we specify the base search path. Puppet recommends that hosts be stored in an OU called Hosts under our main directory structure, but you can configure this to suit your environment.

As with external nodes, in the forthcoming 0.24 release of Puppet you will also need to add the configuration option node_terminus to your puppet.conf configuration file. The ldapnodes configuration option will then become deprecated and should be removed.

As discussed previously, the node_terminus configuration option is used to configure Puppet for node sources other than the default flat-file manifests. Here, using the ldap option tells Puppet to seek node configurations in an LDAP directory. All other configuration options remain the same.

If required, you can specify a user and password using the ldapuser and ldappassword options and override the default LDAP port of 389 with the ldapport option. There is some limited support for TLS or SSL, but only if your LDAP server does not require client-side certificates. You can see a full list of the potential LDAP options at http://reductivelabs.com/trac/puppet/wiki/ConfigurationReference.
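The LDAP settings described above can be checked mechanically. The Ruby sketch below is an added example, not code from the book or from Puppet: it parses the [puppetmasterd] section and flags an ldapnodes option left beside node_terminus, an ldappassword used without encryption, and a puppet.conf that other users can read. The sample file, its DNs and its password are constructed, and the ldapssl and ldaptls option names come from Puppet's configuration reference rather than from this page.

```ruby
# Added example, not from the book. SAMPLE_CONF is constructed; the DNs and
# password are made up. ldapssl/ldaptls are Puppet's own option names.
SAMPLE_CONF = <<~CONF
  [puppetmasterd]
  ldapnodes = true
  node_terminus = ldap
  ldapserver = ldapserver.testing.com
  ldapbase = ou=Hosts,dc=testing,dc=com
  ldapuser = cn=puppet,dc=testing,dc=com
  ldappassword = constructed-secret
CONF

# Parse INI-style puppet.conf text into { section => { key => value } }.
def parse_puppet_conf(text)
  section = nil
  text.each_line.with_object(Hash.new { |h, k| h[k] = {} }) do |raw, conf|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line =~ /\A\[(.+)\]\z/
      section = $1
    elsif section && line =~ /\A(\w+)\s*=\s*(.*)\z/
      conf[section][$1] = $2
    end
  end
end

# Return findings for the LDAP node settings; file_mode is puppet.conf's mode.
def audit_ldap_nodes(text, file_mode = nil)
  s = parse_puppet_conf(text)['puppetmasterd']
  return [] unless s['ldapnodes'] == 'true' || s['node_terminus'] == 'ldap'
  findings = []
  %w[ldapserver ldapbase].each { |k| findings << "#{k} is not set" unless s[k] }
  if s['ldapnodes'] && s['node_terminus']
    findings << 'ldapnodes is deprecated once node_terminus is set; remove it'
  end
  if s['ldappassword']
    unless s['ldapssl'] == 'true' || s['ldaptls'] == 'true'
      findings << "ldappassword is sent unencrypted to port #{s['ldapport'] || 389}"
    end
    if file_mode && (file_mode & 0o077) != 0
      findings << format('puppet.conf stores ldappassword with mode %04o', file_mode & 0o7777)
    end
  end
  findings
end

puts audit_ldap_nodes(SAMPLE_CONF, 0o644) if __FILE__ == $PROGRAM_NAME
```

To audit a real file, pass `File.read(path)` and `File.stat(path).mode` as the two arguments.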

After configuring
