Can these default access rules for newly created databases be added later (in `openldap::server::database`) using the `openldap::server::access` resources?

puppet-openldap/lib/puppet/provider/openldap_database/olc.rb, lines 264 to 274 in ed3804f:

```ruby
t << "olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break\n"
t << "olcAccess: to attrs=userPassword\n"
t << " by self write\n"
t << " by anonymous auth\n"
t << " by dn=\"cn=admin,#{resource[:suffix]}\" write\n"
t << " by * none\n"
t << "olcAccess: to dn.base=\"\" by * read\n"
t << "olcAccess: to *\n"
t << " by self write\n"
t << " by dn=\"cn=admin,#{resource[:suffix]}\" write\n"
t << " by * read\n"
```

The current implementation (via the LDIF used for database creation) will lead to this kind of error on the first puppet agent run if you also try to manage the access rules for those new databases.

```
Error: LDIF content:
dn: olcDatabase={2}bdb,cn=config
add: olcAccess
olcAccess: {0}to *
 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 by * break
Error message: Execution of '/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_access20210906-316889-sm5v7l' returned 20: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Type or value exists (20)
	additional info: modify/add: olcAccess: value #0 already exists
modifying entry "olcDatabase={2}bdb,cn=config"
Error: /Stage[main]/Ospw_infrastructure::Profiles::Ldap::Setup::Acls_slave/Openldap::Server::Access[0 on dc=example,dc=com]/Openldap_access[0 on dc=example,dc=com]/ensure: change from 'absent' to 'present' failed: LDIF content:
dn: olcDatabase={2}bdb,cn=config
add: olcAccess
olcAccess: {0}to *
 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 by * break
Error message: Execution of '/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_access20210906-316889-sm5v7l' returned 20: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Type or value exists (20)
	additional info: modify/add: olcAccess: value #0 already exists
modifying entry "olcDatabase={2}bdb,cn=config" (corrective)
```

Or at least let the user control their presence using the `initdb` parameter:

```ruby
if resource[:initdb] == :true
  t << "olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break\n"
  t << "olcAccess: to attrs=userPassword\n"
  t << " by self write\n"
  t << " by anonymous auth\n"
  t << " by dn=\"cn=admin,#{resource[:suffix]}\" write\n"
  t << " by * none\n"
  t << "olcAccess: to dn.base=\"\" by * read\n"
  t << "olcAccess: to *\n"
  t << " by self write\n"
  t << " by dn=\"cn=admin,#{resource[:suffix]}\" write\n"
  t << " by * read\n"
end
```

Or both 😉

@smortex @alexjfisher

I never experienced this because the OpenLDAP directories I manage existed before I used this module, but these default olcAccess rules do not make much sense to me 😲… I would drop them completely.
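As an added example (not puppet-openldap's own code), this is the check a provider can make before emitting `add: olcAccess`, so that a run against rules the database-creation LDIF already installed does not fail with `Type or value exists (20)`: read the entry's current values, compare them with the `{n}` ordering prefix and LDIF folding normalised away, and only add what is missing. The `ldapsearch` output, DN and desired rules below are constructed.

```ruby
# Added example, not puppet-openldap code: make "add: olcAccess" idempotent by
# comparing against what cn=config already holds, instead of blindly adding.

# Unfold LDIF per RFC 2849: a line starting with one space continues the
# previous line, and exactly that one space is removed when joining.
def unfold_ldif(ldif)
  ldif.gsub(/\r?\n /, '')
end

# The olcAccess values of one entry from an LDIF dump, in slapd's order.
def olc_access_values(ldif)
  unfold_ldif(ldif).each_line.map(&:chomp)
                   .grep(/\AolcAccess: /)
                   .map { |l| l.sub(/\AolcAccess: /, '') }
end

# Canonical form for comparison: drop the {n} prefix and collapse whitespace,
# so "{0}to *  by * break" and "to * by * break" compare equal.
def canonical_access(value)
  value.sub(/\A\{\d+\}/, '').split.join(' ')
end

# Desired rules that the entry does not already carry.
def missing_access_rules(existing_ldif, desired)
  present = olc_access_values(existing_ldif).map { |v| canonical_access(v) }
  desired.reject { |rule| present.include?(canonical_access(rule)) }
end

# Modify LDIF adding only the missing rules; nil when nothing is missing,
# which is the case the failing agent run in this issue hit.
def access_add_ldif(dn, existing_ldif, desired)
  todo = missing_access_rules(existing_ldif, desired)
  return nil if todo.empty?
  lines = ["dn: #{dn}", 'changetype: modify', 'add: olcAccess']
  lines += todo.map { |rule| "olcAccess: #{rule}" }
  lines.join("\n") + "\n"
end

# Constructed sample of "ldapsearch -LLL ... olcAccess" after database creation.
# Continuation lines carry two spaces so one survives unfolding.
EXISTING = <<~LDIF
  dn: olcDatabase={2}bdb,cn=config
  olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
  olcAccess: {1}to attrs=userPassword
    by self write
    by anonymous auth
    by dn="cn=admin,dc=example,dc=com" write
    by * none
LDIF

DESIRED = [
  'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
  'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none',
  'to dn.base="" by * read'
]

puts access_add_ldif('olcDatabase={2}bdb,cn=config', EXISTING, DESIRED)
```

Running it prints an LDIF that adds only the `to dn.base=""` rule; with the first two rules alone it returns nil, which is the state the provider should treat as already in sync.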