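# Install the LDAP server's TLS certificate (via apache::cert::comodo) and
# the CA bundle that clients need in order to verify it.
#
# @param load_balanced_name The load-balanced hostname used as the
#   certificate's CN and as the certificate/key file name,
#   e.g. "ldap-dev.stanford.edu". Required: catalog compilation fails
#   when it is not supplied.
class su_ldap::certificate (
  $load_balanced_name = undef,
) {
  ## ERROR CHECKING ##
  # The certificate and key names are derived from this parameter, so an
  # unset value must abort compilation rather than install a mis-named cert.
  if (!$load_balanced_name) {
    fail("Missing required parameter 'load_balanced_name'")
  }

  # Install a certificate that has as its CN (common name) the
  # load-balanced name and as subject-alternative names the name of the
  # master and all the replicas. For example, for the dev environment the
  # common name should be "ldap-dev.stanford.edu" and the SANs should be:
  #
  #   ldap-dev0.stanford.edu
  #   ldap-dev1.stanford.edu
  #   ldap-dev2.stanford.edu
  #   ldap-dev3.stanford.edu
  #   ldap-dev4.stanford.edu
  #   ldap-dev5.stanford.edu
  #   ldap-dev6.stanford.edu
  #
  # Always have at least 5 (two masters and three replicas); it wouldn't
  # hurt to throw in a few extras in case you need to add another server
  # later.
  #
  # Save the certificate in the cert-files module with the load-balanced
  # name, e.g., "ldap-dev.stanford.edu". Use the load-balanced name even
  # if the environment is not load-balanced.
  apache::cert::comodo { $load_balanced_name:
    ensure   => present,
    identity => $load_balanced_name,
    keyname  => "ssl-key/${load_balanced_name}",
  }

  # We also need to install a file containing all the InCommon
  # intermediate and root certificates that make up the certificate chain
  # for the above certificate. If we don't do this, certain clients, when
  # trying to STARTTLS, will be unhappy.
  #
  # The bundle is a trust anchor, so manage it as a regular file
  # ('ensure => present' would accept whatever already exists at the path,
  # including a directory or symlink) with explicit root ownership and a
  # world-readable, non-writable mode: clients must be able to read it, but
  # only root should be able to change what they trust.
  file { '/etc/ssl/certs/ldap-cabundle.pem':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/su_ldap/etc/ssl/certs/ldap-cabundle.pem',
  }
}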