Puppet Class: openldap::server

Inherits:
::openldap::params
Defined in:
manifests/server.pp

Overview

Installs and manages the OpenLDAP server.

Examples:

Create a standalone directory server listening on the standard LDAP TCP port 389 that disallows anonymous reads and allows users to update their own object

include ::openldap
include ::openldap::client

class { '::openldap::server':
  root_dn       => 'cn=Manager,dc=example,dc=com',
  root_password => '{SSHA}7dSAJPGe4YKKEvUPuGJIeSL/03GV2IMY',
  suffix        => 'dc=example,dc=com',
  access        => [
    [
      {
        'attrs' => ['userPassword'],
      },
      [
        {
          'who'    => ['self'],
          'access' => '=xw',
        },
        {
          'who'    => ['anonymous'],
          'access' => 'auth',
        },
      ],
    ],
    [
      {
        'dn' => '*',
      },
      [
        {
          'who'    => ['dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'],
          'access' => 'manage',
        },
        {
          'who'    => ['self'],
          'access' => 'write',
        },
        {
          'who'    => ['users'],
          'access' => 'read',
        },
      ],
    ],
  ],
  indices       => [
    [['objectClass'], ['eq', 'pres']],
    [['ou', 'cn', 'mail', 'surname', 'givenname'], ['eq', 'pres', 'sub']],
  ],
  interfaces    => ["ldap://${::ipaddress}/"],
}
::openldap::server::schema { 'cosine':
  ensure => present,
}
::openldap::server::schema { 'inetorgperson':
  ensure => present,
}
::openldap::server::schema { 'nis':
  ensure  => present,
  require => ::Openldap::Server::Schema['cosine'],
}

Extend the above example to become a producer/master server for a number of consumer/slave servers

include ::openldap
include ::openldap::client

class { '::openldap::server':
  root_dn       => 'cn=Manager,dc=example,dc=com',
  root_password => '{SSHA}7dSAJPGe4YKKEvUPuGJIeSL/03GV2IMY',
  suffix        => 'dc=example,dc=com',
  access        => [
    [
      {
        'attrs' => ['userPassword'],
      },
      [
        {
          'who'    => ['self'],
          'access' => '=xw',
        },
        {
          'who'    => ['anonymous'],
          'access' => 'auth',
        },
      ],
    ],
    [
      {
        'dn' => '*',
      },
      [
        {
          'who'    => ['dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'],
          'access' => 'manage',
        },
        {
          'who'    => ['self'],
          'access' => 'write',
        },
        {
          'who'    => ['users'],
          'access' => 'read',
        },
      ],
    ],
  ],
  indices       => [
    [['objectClass'], ['eq', 'pres']],
    [['ou', 'cn', 'mail', 'surname', 'givenname'], ['eq', 'pres', 'sub']],
  ],
  interfaces    => ["ldap://${::ipaddress}/"],
  replica_dn    => ['cn=replicator,dc=example,dc=com'],
  syncprov      => true,
}
::openldap::server::schema { 'cosine':
  ensure => present,
}
::openldap::server::schema { 'inetorgperson':
  ensure => present,
}
::openldap::server::schema { 'nis':
  ensure  => present,
  require => ::Openldap::Server::Schema['cosine'],
}

Extend this further to also enable delta replication

include ::openldap
include ::openldap::client

class { '::openldap::server':
  root_dn       => 'cn=Manager,dc=example,dc=com',
  root_password => '{SSHA}7dSAJPGe4YKKEvUPuGJIeSL/03GV2IMY',
  suffix        => 'dc=example,dc=com',
  access        => [
    [
      {
        'attrs' => ['userPassword'],
      },
      [
        {
          'who'    => ['self'],
          'access' => '=xw',
        },
        {
          'who'    => ['anonymous'],
          'access' => 'auth',
        },
      ],
    ],
    [
      {
        'dn' => '*',
      },
      [
        {
          'who'    => ['dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'],
          'access' => 'manage',
        },
        {
          'who'    => ['self'],
          'access' => 'write',
        },
        {
          'who'    => ['users'],
          'access' => 'read',
        },
      ],
    ],
  ],
  accesslog     => true,
  indices       => [
    [['objectClass'], ['eq', 'pres']],
    [['ou', 'cn', 'mail', 'surname', 'givenname'], ['eq', 'pres', 'sub']],
  ],
  interfaces    => ["ldap://${::ipaddress}/"],
  replica_dn    => ['cn=replicator,dc=example,dc=com'],
  syncprov      => true,
}
::openldap::server::schema { 'cosine':
  ensure => present,
}
::openldap::server::schema { 'inetorgperson':
  ensure => present,
}
::openldap::server::schema { 'nis':
  ensure  => present,
  require => ::Openldap::Server::Schema['cosine'],
}

Create a server acting as a consumer of another server using delta replication and pass back a referral to clients on attempting to write

include ::openldap
include ::openldap::client

class { '::openldap::server':
  root_dn       => 'cn=Manager,dc=example,dc=com',
  root_password => '{SSHA}7dSAJPGe4YKKEvUPuGJIeSL/03GV2IMY',
  suffix        => 'dc=example,dc=com',
  access        => [
    [
      {
        'attrs' => ['userPassword'],
      },
      [
        {
          'who'    => ['self'],
          'access' => '=xw',
        },
        {
          'who'    => ['anonymous'],
          'access' => 'auth',
        },
      ],
    ],
    [
      {
        'dn' => '*',
      },
      [
        {
          'who'    => ['dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'],
          'access' => 'manage',
        },
        {
          'who'    => ['self'],
          'access' => 'write',
        },
        {
          'who'    => ['users'],
          'access' => 'read',
        },
      ],
    ],
  ],
  indices       => [
    [['objectClass'], ['eq', 'pres']],
    [['ou', 'cn', 'mail', 'surname', 'givenname'], ['eq', 'pres', 'sub']],
  ],
  interfaces    => ["ldap://${::ipaddress}/"],
  syncrepl      => [
    {
      'rid'            => 1,
      'provider'       => 'ldap://ldap.example.com/',
      'searchbase'     => 'dc=example,dc=com',
      'bindmethod'     => 'simple',
      'binddn'         => 'cn=replicator,dc=example,dc=com',
      'credentials'    => 'secret',
      'logbase'        => 'cn=log',
      'logfilter'      => '(&(objectClass=auditWriteObject)(reqResult=0))',
      'schemachecking' => true,
      'type'           => 'refreshAndPersist',
      'retry'          => [[60, '+']],
      'syncdata'       => 'accesslog',
    },
  ],
  update_ref    => ['ldap://ldap.example.com/'],
}
::openldap::server::schema { 'cosine':
  ensure => present,
}
::openldap::server::schema { 'inetorgperson':
  ensure => present,
}
::openldap::server::schema { 'nis':
  ensure  => present,
  require => ::Openldap::Server::Schema['cosine'],
}

Parameters:

  • root_dn (Bodgitlib::LDAP::DN)

    The Root Distinguished Name used to administer the database.

  • root_password (String)

    The password for the Root Distinguished Name.

  • suffix (Bodgitlib::LDAP::DN)

    The suffix for the main database.

  • access (Array[OpenLDAP::Access, 1]) (defaults to: $::openldap::params::access)

    An array of ACLs to apply to the database, in the same form as the olcAccess attribute.

    Do not include an ACL for the DN used by replication, one is added automatically when the syncprov parameter is used.

  • accesslog (Boolean) (defaults to: false)

    Setting this to true will enable the accesslog overlay in conjunction with the syncprov overlay to enable delta replication.

    It will create a separate database with the suffix cn=log and use the value of the replica_dn parameter much like the syncprov setting to allow it to be accessed by consumers.

  • accesslog_cachesize (Optional[Integer[0]]) (defaults to: undef)

    Specify the size of the in-memory entry cache maintained by the bdb or hdb backends for the database used by the accesslog overlay. See the olcDbCacheSize attribute.

  • accesslog_checkpoint (Optional[OpenLDAP::Checkpoint]) (defaults to: undef)

    Specify the frequency for checkpointing the transaction log of the database used by the accesslog overlay. This is specified in the same form as the olcDbCheckpoint attribute.

  • accesslog_db_config (Optional[Array[String, 1]]) (defaults to: undef)

    An array of lines in the same form as the olcDbConfig attribute to tune the database used by the accesslog overlay. This results in creating a DB_CONFIG file for the database if the backend is either bdb or hdb.

  • accesslog_dn_cachesize (Optional[Integer[0]]) (defaults to: undef)

    Specify the size of the in-memory DN cache maintained by the bdb or hdb backends for the database used by the accesslog overlay. See the olcDbDNcacheSize attribute.

  • accesslog_envflags (Optional[Array[String, 1]]) (defaults to: undef)

    An array of flags for configuring the LMDB library used by the mdb backend.

  • accesslog_index_cachesize (Optional[Integer[0]]) (defaults to: undef)

    Specify the size of the in-memory index cache maintained by the bdb or hdb backends for the database used by the accesslog overlay. See the olcDbIDLcacheSize attribute.

  • args_file (Stdlib::Absolutepath) (defaults to: $::openldap::params::args_file)

    Where slapd writes out its command-line arguments.

  • auditlog (Boolean) (defaults to: false)

    Setting this to true will enable the auditlog overlay.

  • auditlog_file (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    The LDIF file where the auditlog overlay writes any changes.

  • authz_policy (Optional[Enum['none', 'from', 'to', 'any', 'all']]) (defaults to: undef)

    Maps to the olcAuthzPolicy attribute, accepts one of none, from, to, any, or all.

  • backend_modules (Array[OpenLDAP::Backend]) (defaults to: $::openldap::params::backend_modules)

    An array of database backends that are built as modules and therefore require loading before use. The backend names are listed without the back_ prefix and any extension that the module filename might have.

  • backend_packages (Hash[OpenLDAP::Backend, String]) (defaults to: $::openldap::params::backend_packages)

    A hash keyed by database backend with the package name that provides it as the value. As with backend_modules the backend is used without any back_ prefix and any extension that the module filename might have.

  • chain (Boolean) (defaults to: false)

    Setting this to true enables the chain overlay which transparently forwards writes to a slave/consumer on behalf of the client to the master/producer indicated by the configured update referral URI.

  • chain_id_assert_bind (Optional[OpenLDAP::LDAP::IDAssertBind]) (defaults to: undef)

    Maps to the olcDbIDAssertBind attribute on the LDAP database used by the chain overlay.

  • chain_rebind_as_user (Optional[Boolean]) (defaults to: undef)

    Maps to the olcDbRebindAsUser attribute on the LDAP database used by the chain overlay.

  • chain_return_error (Optional[Boolean]) (defaults to: undef)

    Maps to the olcChainReturnError attribute on the chain overlay.

  • chain_tls (Optional[OpenLDAP::LDAP::TLS]) (defaults to: undef)

    Maps to the olcDbStartTLS attribute on the LDAP database used by the chain overlay. See the tls entry in the slapd-ldap man page for more information on usage and accepted values.

  • data_cachesize (Optional[Integer[0]]) (defaults to: undef)

    Specify the size of the in-memory entry cache maintained by the bdb or hdb backends for the main database. See the olcDbCacheSize attribute.

  • data_checkpoint (Optional[OpenLDAP::Checkpoint]) (defaults to: undef)

    Specify the frequency for checkpointing the transaction log of the main database. This is specified in the same form as the olcDbCheckpoint attribute.

  • data_db_config (Optional[Array[String, 1]]) (defaults to: undef)

    An array of lines in the same form as the olcDbConfig attribute to tune the main database. This results in creating a DB_CONFIG file for the database if the backend is either bdb or hdb.

  • data_directory (Stdlib::Absolutepath) (defaults to: $::openldap::params::data_directory)

    The base directory used for database storage. Rather than store one database at the top level, this module creates a sub-directory per-database. Any unmanaged files in the top-level directory will be purged.

  • data_dn_cachesize (Optional[Integer[0]]) (defaults to: undef)

    Specify the size of the in-memory index cache maintained by the bdb or hdb backends for the main database. See the olcDbDNcacheSize attribute.

  • data_envflags (Optional[Array[String, 1]]) (defaults to: undef)

    An array of flags for configuring the LMDB library used by the mdb backend.

  • data_index_cachesize (Optional[Integer[0]]) (defaults to: undef)

    Specify the size of the in-memory index cache maintained by the bdb or hdb backends for the main database. See the olcDbIDLcacheSize attribute.

  • db_backend (OpenLDAP::Backend) (defaults to: $::openldap::params::db_backend)

    The chosen database backend, usually one of hdb, bdb, or mdb.

  • group (String) (defaults to: $::openldap::params::group)

    The group that runs the slapd process.

  • indices (Optional[Array[OpenLDAP::Index, 1]]) (defaults to: undef)

    An array of index definitions in the same form as the olcDbIndex attribute.

    Do not include an index for the attributes applicable to the syncprov overlay. They are added automatically.

  • interfaces (Optional[Array[Bodgitlib::LDAP::URI::Simple, 1]]) (defaults to: $::openldap::params::interfaces)

    An array of ldap:/// and/or ldaps:/// URI's to listen on.

  • limits (Optional[Array[OpenLDAP::Limit, 1]]) (defaults to: undef)

    An array of limits in the same form as the olcLimits attribute.

    Do not include a limit for the DN used by replication, one is added automatically when the syncprov parameter is used.

  • local_ssf (Optional[Integer[0]]) (defaults to: $::openldap::params::local_ssf)

    Security strength factor assigned to ldapi connections. This defaults to 256 which is a safeguard to prevent locking the Puppet agent out as it uses this connection to manipulate the configuration.

  • log_level (Optional[Array[OpenLDAP::LogLevel, 1]]) (defaults to: undef)

    Set the logging level. Maps to the olcLogLevel attribute.

  • memberof (Boolean) (defaults to: false)

    Setting this to true enables the memberOf overlay. See the entry in slapo-memberof(5) man page for more details.

  • module_extension (String) (defaults to: $::openldap::params::module_extension)

    The extension module files have, normally .la.

  • overlay_modules (Array[OpenLDAP::Overlay]) (defaults to: $::openldap::params::overlay_modules)

    A list of overlays by name that are modules.

  • overlay_packages (Hash[OpenLDAP::Overlay, String]) (defaults to: $::openldap::params::overlay_packages)

    A hash keyed by overlay name with the package name that provides it as the value.

  • package_ensure (String) (defaults to: $::openldap::params::server_package_ensure)

    The standard package ensure parameter, usually present.

  • package_name (String) (defaults to: $::openldap::params::server_package_name)

    The name of the package to install that provides the LDAP slapd daemon.

  • password_crypt_salt_format (Optional[String]) (defaults to: undef)

    The format of the salt for hashing user passwords. Corresponds to the olcPasswordCryptSaltFormat attribute. See the entry in the slapd-config(5) man page for formatting details.

  • password_hash (Optional[Array[OpenLDAP::PasswordHash, 1]]) (defaults to: undef)

    The password hashing scheme to use for user passwords. Can be set to a list containing any of the following:

    • {SSHA}, {SHA}

    • {SMD5}, {MD5}

    • {CRYPT}

    • {CLEARTEXT}

    The following schemes are also accepted however this requires additional modules to be loaded which are often not available by default:

    • {SSHA256}, {SSHA384}, {SSHA512}, {SHA256}, {SHA384}, {SHA512}

    • {TOTP1}, {TOTP256}, {TOTP512}

    • {PBKDF2}, {PBKDF2-SHA1}, {PBKDF2-SHA256}, {PBKDF2-SHA512}

    • {BSDMD5}

    • {NS-MTA-MD5}

    • {APR1}

    • {RADIUS}

    • {KERBEROS}

    If this is not set, LDAP uses {SSHA} by default. Corresponds to the olcPasswordHash attribute.

  • password_modules (Hash[OpenLDAP::PasswordHash, String]) (defaults to: $::openldap::params::password_modules)

    A hash keyed by password hashing scheme with the module name that provides it as the value. The hashing scheme is listed complete with enclosing {}'s and the value is listed without any extension that the module filename might have.

  • password_packages (Hash[String, String]) (defaults to: $::openldap::params::password_packages)

    A hash keyed by any values in password_modules with the package name that provides it as the value.

  • pid_file (Stdlib::Absolutepath) (defaults to: $::openldap::params::pid_file)

    Where slapd writes out its PID.

  • ppolicy (Boolean) (defaults to: false)

    Setting this to true will enable the ppolicy overlay on the main database allowing the enforcement of password strength/complexity as well as account lockout. The ppolicy schema will be loaded automatically.

  • ppolicy_default (Optional[Bodgitlib::LDAP::DN]) (defaults to: undef)

    A Distinguished Name of the default password policy object to use if a user does not have a pwdPolicySubEntry attribute. This must exist under the main suffix.

  • ppolicy_forward_updates (Optional[Boolean]) (defaults to: undef)

    If this server is a consumer/slave this setting controls whether password policy operational attributes are written locally or forwarded to the producer/master, (which means they can come back via replication). This requires enabling the chain overlay.

  • ppolicy_hash_cleartext (Optional[Boolean]) (defaults to: undef)

    Setting this to true forces cleartext passwords to be hashed when updated via Add or Modify operations. This is not necessary if the Password Modify extended operation is normally used.

  • ppolicy_use_lockout (Optional[Boolean]) (defaults to: undef)

    Setting this to true makes a bind to a locked account return an AccountLocked error instead of InvalidCredentials.

  • refint (Boolean) (defaults to: false)

    Setting this to true will enable the refint overlay on the main database allowing referential integrity on attribute values.

  • refint_attributes (Optional[Array[String, 1]]) (defaults to: undef)

    Array of attributes for which integrity will be maintained.

  • refint_nothing (Optional[Bodgitlib::LDAP::DN]) (defaults to: undef)

    Arbitrary value to be used as a placeholder when the last value would otherwise be deleted.

  • replica_dn (Optional[Array[Bodgitlib::LDAP::DN, 1]]) (defaults to: undef)

    The Distinguished Names used by consumer/slave servers to connect to this server in order to replicate content.

  • schema_dir (Stdlib::Absolutepath) (defaults to: $::openldap::params::schema_dir)

    The base directory used to store the schemas shipped with OpenLDAP. This is used as a default by the openldap::server::schema defined type.

  • security (Optional[OpenLDAP::Security]) (defaults to: undef)

    Specify minimum security strength factors in the same form as the olcSecurity attribute.

  • size_limit (Optional[OpenLDAP::Limit::Size]) (defaults to: undef)

    Specify the maximum number of entries to return from a search operation. Maps to the olcSizeLimit attribute set on the frontend database.

  • smbk5pwd (Boolean) (defaults to: false)

    Setting this to true will enable the smbk5pwd overlay. In order to add this overlay to the database, the schema files for any enabled backends also need to be loaded. Both Red Hat and Debian/Ubuntu enable the Samba backend by default which requires the Samba schema. Debian/Ubuntu additionally enable the Kerberos backend which requires the Heimdal KDC/HDB schema and also slapd will need to be able to access the KDC master key (m-key) file.

  • smbk5pwd_backends (Optional[Array[Enum['krb5', 'samba', 'shadow'], 1]]) (defaults to: undef)

    By default, all backends compiled into the overlay are enabled. Pass in an array of backends to enable only some of them. This affects which schemas need to be loaded and any additional setup steps. This maps to the olcSmbK5PwdEnable attribute.

  • smbk5pwd_must_change (Optional[Integer[0]]) (defaults to: undef)

    Maps to the olcSmbK5PwdMustChange attribute controlling how long until Samba passwords expire after a password change.

  • ssl_ca (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Maps to the olcTLSCACertificateFile attribute.

  • ssl_cert (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Maps to the olcTLSCertificateFile attribute.

  • ssl_certs_dir (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Maps to the olcTLSCACertificatePath attribute.

  • ssl_cipher (Optional[String]) (defaults to: undef)

    Maps to the olcTLSCipherSuite attribute.

  • ssl_dhparam (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Maps to the olcTLSDHParamFile attribute.

  • ssl_key (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Maps to the olcTLSCertificateKeyFile attribute.

  • ssl_protocol (Optional[Variant[Integer[0], Float[0]]]) (defaults to: undef)

    Maps to the olcTLSProtocolMin attribute.

  • syncprov (Boolean) (defaults to: false)

    Setting this to true will enable the syncprov overlay on the main database allowing consumer/slave servers to replicate the content.

    An additional index entryCSN,entryUUID eq will be appended to those passed by the indices parameter.

    The value of the replica_dn parameter is also used to prepend the ACL to * by dn.exact="${replica_dn}" read by * break to those passed by the access parameter to allow the consumers to read all of the data. The limit dn.exact="${replica_dn}" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited is also prepended to any limits passed with the limits parameter.

  • syncprov_checkpoint (Optional[OpenLDAP::Checkpoint]) (defaults to: $::openldap::params::syncprov_checkpoint)

    Maps to the olcSpCheckpoint attribute.

  • syncprov_sessionlog (Optional[Integer[0]]) (defaults to: $::openldap::params::syncprov_sessionlog)

    Maps to the olcSpSessionlog attribute.

  • syncrepl (Optional[Array[OpenLDAP::Syncrepl, 1]]) (defaults to: undef)

    An array of olcSyncrepl attribute values used to establish a replication relationship between this server and a producer.

  • time_limit (Optional[OpenLDAP::Limit::Time]) (defaults to: undef)

    Specify the maximum number of seconds slapd will spend answering a search request. Maps to the olcTimeLimit attribute set on the frontend database.

  • unique (Boolean) (defaults to: false)

    Setting this to true will enable the unique overlay on the main database allowing the enforcement of attribute value uniqueness.

  • unique_uri (Optional[Array[OpenLDAP::Unique, 1]]) (defaults to: undef)

    Maps to the olcUniqueURI attribute.

  • update_ref (Optional[Array[Bodgitlib::LDAP::URI::Simple, 1]]) (defaults to: undef)

    One or more referral URI's to return for referring writes from a read-only replica server to the original producer/master server. These are used to configure the chain overlay.

  • user (String) (defaults to: $::openldap::params::user)

    The user that runs the slapd process.

See Also:



491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
 
# File 'manifests/server.pp', line 491

class openldap::server (
  Bodgitlib::LDAP::DN                                 $root_dn,
  String                                              $root_password,
  Bodgitlib::LDAP::DN                                 $suffix,
  Array[OpenLDAP::Access, 1]                          $access                     = $::openldap::params::access,
  Boolean                                             $accesslog                  = false,
  Optional[Integer[0]]                                $accesslog_cachesize        = undef,
  Optional[OpenLDAP::Checkpoint]                      $accesslog_checkpoint       = undef,
  Optional[Array[String, 1]]                          $accesslog_db_config        = undef,
  Optional[Integer[0]]                                $accesslog_dn_cachesize     = undef,
  Optional[Array[String, 1]]                          $accesslog_envflags         = undef,
  Optional[Integer[0]]                                $accesslog_index_cachesize  = undef,
  Stdlib::Absolutepath                                $args_file                  = $::openldap::params::args_file,
  Boolean                                             $auditlog                   = false,
  Optional[Stdlib::Absolutepath]                      $auditlog_file              = undef,
  Optional[Enum['none', 'from', 'to', 'any', 'all']]  $authz_policy               = undef,
  Array[OpenLDAP::Backend]                            $backend_modules            = $::openldap::params::backend_modules,
  Hash[OpenLDAP::Backend, String]                     $backend_packages           = $::openldap::params::backend_packages,
  Boolean                                             $chain                      = false,
  Optional[OpenLDAP::LDAP::IDAssertBind]              $chain_id_assert_bind       = undef,
  Optional[Boolean]                                   $chain_rebind_as_user       = undef,
  Optional[Boolean]                                   $chain_return_error         = undef,
  Optional[OpenLDAP::LDAP::TLS]                       $chain_tls                  = undef,
  Optional[Integer[0]]                                $data_cachesize             = undef,
  Optional[OpenLDAP::Checkpoint]                      $data_checkpoint            = undef,
  Optional[Array[String, 1]]                          $data_db_config             = undef,
  Stdlib::Absolutepath                                $data_directory             = $::openldap::params::data_directory,
  Optional[Integer[0]]                                $data_dn_cachesize          = undef,
  Optional[Array[String, 1]]                          $data_envflags              = undef,
  Optional[Integer[0]]                                $data_index_cachesize       = undef,
  OpenLDAP::Backend                                   $db_backend                 = $::openldap::params::db_backend,
  String                                              $group                      = $::openldap::params::group,
  Optional[Array[OpenLDAP::Index, 1]]                 $indices                    = undef,
  Optional[Array[Bodgitlib::LDAP::URI::Simple, 1]]    $interfaces                 = $::openldap::params::interfaces,
  Optional[Array[OpenLDAP::Limit, 1]]                 $limits                     = undef,
  Optional[Integer[0]]                                $local_ssf                  = $::openldap::params::local_ssf,
  Optional[Array[OpenLDAP::LogLevel, 1]]              $log_level                  = undef,
  String                                              $module_extension           = $::openldap::params::module_extension,
  Boolean                                             $memberof                   = false,
  Array[OpenLDAP::Overlay]                            $overlay_modules            = $::openldap::params::overlay_modules,
  Hash[OpenLDAP::Overlay, String]                     $overlay_packages           = $::openldap::params::overlay_packages,
  String                                              $package_ensure             = $::openldap::params::server_package_ensure,
  String                                              $package_name               = $::openldap::params::server_package_name,
  Optional[String]                                    $password_crypt_salt_format = undef,
  Optional[Array[OpenLDAP::PasswordHash, 1]]          $password_hash              = undef,
  Hash[OpenLDAP::PasswordHash, String]                $password_modules           = $::openldap::params::password_modules,
  Hash[String, String]                                $password_packages          = $::openldap::params::password_packages,
  Stdlib::Absolutepath                                $pid_file                   = $::openldap::params::pid_file,
  Boolean                                             $ppolicy                    = false,
  Optional[Bodgitlib::LDAP::DN]                       $ppolicy_default            = undef,
  Optional[Boolean]                                   $ppolicy_forward_updates    = undef,
  Optional[Boolean]                                   $ppolicy_hash_cleartext     = undef,
  Optional[Boolean]                                   $ppolicy_use_lockout        = undef,
  Boolean                                             $refint                     = false,
  Optional[Array[String, 1]]                          $refint_attributes          = undef,
  Optional[Bodgitlib::LDAP::DN]                       $refint_nothing             = undef,
  Optional[Array[Bodgitlib::LDAP::DN, 1]]             $replica_dn                 = undef,
  Stdlib::Absolutepath                                $schema_dir                 = $::openldap::params::schema_dir,
  Optional[OpenLDAP::Security]                        $security                   = undef,
  Optional[OpenLDAP::Limit::Size]                     $size_limit                 = undef,
  Boolean                                             $smbk5pwd                   = false,
  Optional[Array[Enum['krb5', 'samba', 'shadow'], 1]] $smbk5pwd_backends          = undef,
  Optional[Integer[0]]                                $smbk5pwd_must_change       = undef,
  Optional[Stdlib::Absolutepath]                      $ssl_ca                     = undef,
  Optional[Stdlib::Absolutepath]                      $ssl_cert                   = undef,
  Optional[Stdlib::Absolutepath]                      $ssl_certs_dir              = undef,
  Optional[String]                                    $ssl_cipher                 = undef,
  Optional[Stdlib::Absolutepath]                      $ssl_dhparam                = undef,
  Optional[Stdlib::Absolutepath]                      $ssl_key                    = undef,
  Optional[Variant[Integer[0], Float[0]]]             $ssl_protocol               = undef,
  Boolean                                             $syncprov                   = false,
  Optional[OpenLDAP::Checkpoint]                      $syncprov_checkpoint        = $::openldap::params::syncprov_checkpoint,
  Optional[Integer[0]]                                $syncprov_sessionlog        = $::openldap::params::syncprov_sessionlog,
  Optional[Array[OpenLDAP::Syncrepl, 1]]              $syncrepl                   = undef,
  Optional[OpenLDAP::Limit::Time]                     $time_limit                 = undef,
  Boolean                                             $unique                     = false,
  Optional[Array[OpenLDAP::Unique, 1]]                $unique_uri                 = undef,
  Optional[Array[Bodgitlib::LDAP::URI::Simple, 1]]    $update_ref                 = undef,
  String                                              $user                       = $::openldap::params::user,
) inherits ::openldap::params {

  if ! (defined(Class['::openldap']) or defined(Class['::openldap::client'])) {
    fail('You must include either the openldap or openldap::client class as appropriate before using the openldap::server class')
  }

  if $auditlog and ! $auditlog_file {
    fail('Audit Logging ovelay requires a log file')
  }

  if $chain and ! $update_ref {
    fail('Chain overlay requires an update referral URL')
  }

  if $refint and ! $refint_attributes {
    fail('Referential Integrity overlay requires attributes')
  }

  if $syncprov and ! $replica_dn {
    fail('Sync Provider overlay requires a replica DN')
  }

  contain ::openldap::server::install
  contain ::openldap::server::config
  contain ::openldap::server::service

  Class['::openldap::server::install'] -> Class['::openldap::server::service']
  Class['::openldap::server::install'] -> Class['::openldap::server::config']
}