openldap::server::overlay incorrectly parses suffix #334

Open
jouveits opened this issue Oct 7, 2021 · 5 comments
Comments

@jouveits

jouveits commented Oct 7, 2021

Using an "overlay on suffix" title for the openldap::server::overlay ends up with an incorrect suffix ("[]", see below). It seems that the title is incorrectly parsed.

Using the suffix attributes provides the same result.

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6.24
  • Ruby: 2.5.9
  • Distribution: Centos 7
  • Module version: 4.0.0

How to reproduce

  openldap::server::overlay { 'syncprov on olcDatabase={2}mdb,cn=config':
     ensure  => present,
     options => {
       'olcSpCheckpoint' => '100 10',
       'olcSpSessionlog' => '100'
     },
   }

What are you seeing

==> ldap-master.jcs: dn: olcOverlay=syncprov,[]
==> ldap-master.jcs: changetype: add
==> ldap-master.jcs: objectClass: olcConfig
==> ldap-master.jcs: objectClass: olcOverlayConfig
==> ldap-master.jcs: objectClass: olcSyncProvConfig
==> ldap-master.jcs: olcOverlay: syncprov
==> ldap-master.jcs: olcSpCheckpoint: 100 10
==> ldap-master.jcs: olcSpSessionlog: 100
==> ldap-master.jcs:
==> ldap-master.jcs: Error message: Execution of '/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_overlay20211007-7990-1vesjdo' returned 34: SASL/EXTERNAL authentication started
==> ldap-master.jcs: SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
==> ldap-master.jcs: SASL SSF: 0
==> ldap-master.jcs: ldap_add: Invalid DN syntax (34)
==> ldap-master.jcs: 	additional info: invalid DN
==> ldap-master.jcs: adding new entry "olcOverlay=syncprov,[]"

What behaviour did you expect instead

Obtained dn should be something like dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config

@smortex
Member

smortex commented Oct 7, 2021

Hey!

  openldap::server::overlay { 'syncprov on olcDatabase={2}mdb,cn=config':
     ensure  => present,
     options => {
       'olcSpCheckpoint' => '100 10',
       'olcSpSessionlog' => '100'
     },
   }

Hum… Should probably be like 🧐 :

  openldap::server::overlay { 'syncprov on dc=example,dc=com':
     ensure  => present,                 # ^^^^^^^^^^^^^^^^^
     options => {                        #     the suffix
       'olcSpCheckpoint' => '100 10',
       'olcSpSessionlog' => '100'
     },
   }

@jouveits
Author

jouveits commented Oct 8, 2021

The (working) configuration I am trying to obtain is this one:

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100

So enabling the syncprov overlay on the mdb database I want to synchronize, as mentioned in the openldap documentation: https://www.openldap.org/doc/admin24/guide.html#N-Way%20Multi-Provider

I tried the one you suggested, but I'm not obtaining the desired result.

@jnk0

jnk0 commented Dec 19, 2022

Same behaviour in version 6.0.0, you aren't able to add an overlay with suffix olcDatabase={2}hdb,cn=config.

@jnk0

jnk0 commented Dec 19, 2022

Okay, giving it another try reveals, after looking into openldap_overlay, that the following example

  openldap::server::overlay { 'ppolicy on dc=example,dc=net':
     ensure  => present,
     options => {
          'olcPPolicyDefault' => 'cn=default,ou=policies,dc=example,dc=net',
          'olcPPolicyForwardUpdates' => 'FALSE',
          'olcPPolicyHashCleartext' => 'TRUE',
          'olcPPolicyUseLockout' => 'FALSE'
     },
   }

produces the expected result in the database:

# {0}ppolicy, {2}hdb, config
dn: olcOverlay={0}ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=net
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE

I would suggest closing this issue, if it is not used to improve the docu.
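The two working examples above (ppolicy on dc=example,dc=net, and smortex's syncprov on dc=example,dc=com) both use the directory suffix of the database, not the olcDatabase config DN, after " on ". The Ruby sketch below is an added illustration of that title convention and is not code from the puppet-openldap module: it assumes (as a model, not as the module's actual implementation) that the suffix part of the title is matched against the olcSuffix attribute of the olcDatabase entries under cn=config to find the database DN the overlay hangs off. The cn=config LDIF it parses is a constructed sample; with that model, an olcDatabase DN given as the "suffix" matches no database, so no overlay DN can be built, which is the failure mode a consumer of this resource should check for before handing the result to ldapmodify.

```ruby
# Added illustration, not the puppet-openldap module's own code.
# Constructed sample of cn=config database entries (only {2}mdb carries an olcSuffix).
SAMPLE_CONFIG_LDIF = <<~LDIF
  dn: olcDatabase={0}config,cn=config
  objectClass: olcDatabaseConfig
  olcDatabase: {0}config

  dn: olcDatabase={1}monitor,cn=config
  objectClass: olcDatabaseConfig
  olcDatabase: {1}monitor

  dn: olcDatabase={2}mdb,cn=config
  objectClass: olcDatabaseConfig
  objectClass: olcMdbConfig
  olcDatabase: {2}mdb
  olcSuffix: dc=example,dc=com
LDIF

# Parse a minimal LDIF dump (no line folding, no base64 values) into
# an array of { dn: String, attrs: { name => [values] } } hashes.
def parse_ldif(text)
  entries = []
  text.split(/\n\s*\n/).each do |block|
    attrs = Hash.new { |h, k| h[k] = [] }
    block.each_line do |line|
      line = line.chomp
      next if line.empty? || line.start_with?('#')
      name, value = line.split(': ', 2)
      next if value.nil?
      attrs[name] << value
    end
    dn = attrs.delete('dn')&.first
    entries << { dn: dn, attrs: attrs } if dn
  end
  entries
end

# Split an "overlay on suffix" resource title into its two parts.
# Returns nil when the title has no " on <suffix>" part.
def parse_overlay_title(title)
  overlay, suffix = title.split(' on ', 2)
  return nil if suffix.nil? || suffix.strip.empty?
  { overlay: overlay.strip, suffix: suffix.strip }
end

# Assumed model: map a directory suffix (olcSuffix) to the DN of the
# olcDatabase entry that serves it. Returns nil when no database matches.
def database_dn_for_suffix(entries, suffix)
  entry = entries.find { |e| e[:attrs]['olcSuffix'].include?(suffix) }
  entry && entry[:dn]
end

# Build the overlay DN in the form the thread's expected result shows
# (olcOverlay=<overlay>,<database DN>), or nil if the suffix resolves to
# no database. Callers should refuse to emit an LDIF "add" on nil instead
# of producing a DN like "olcOverlay=syncprov,[]".
def overlay_dn(title, ldif = SAMPLE_CONFIG_LDIF)
  parsed = parse_overlay_title(title)
  return nil unless parsed
  db_dn = database_dn_for_suffix(parse_ldif(ldif), parsed[:suffix])
  return nil unless db_dn
  "olcOverlay=#{parsed[:overlay]},#{db_dn}"
end

if $PROGRAM_NAME == __FILE__
  # Directory suffix as in the working examples: resolves to the mdb database.
  puts overlay_dn('syncprov on dc=example,dc=com')
  # Config DN passed as "suffix", as in the original report: no database matches.
  p overlay_dn('syncprov on olcDatabase={2}mdb,cn=config')
end
```

Running the block prints `olcOverlay=syncprov,olcDatabase={2}mdb,cn=config` for the suffix form and `nil` for the olcDatabase DN form; the explicit nil is the point, since an unresolved suffix should stop the resource before ldapmodify is ever invoked.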

@smortex
Member

smortex commented Dec 19, 2022

👍 for improving any documentation! Can you please contribute some example based on your experience in a PR 😁 ?
