Allow matchingRule and attrstyle in olcAccess

.fixtures.yml

@@ -1,12 +1,13 @@
+---
 fixtures:
   repositories:
-    stdlib: 'https://github.com/puppetlabs/puppetlabs-stdlib.git'
-    augeasproviders_shellvar: 'https://github.com/voxpupuli/puppet-augeasproviders_shellvar.git'
-    augeasproviders_core: 'https://github.com/voxpupuli/puppet-augeasproviders_core.git'
-    systemd: 'https://github.com/voxpupuli/puppet-systemd.git'
-    epel: 'https://github.com/voxpupuli/puppet-epel.git'
-    yumrepo_core: 'https://github.com/puppetlabs/puppetlabs-yumrepo_core.git'
-    augeas_core: 'https://github.com/puppetlabs/puppetlabs-augeas_core.git'
-    facts: 'https://github.com/puppetlabs/puppetlabs-facts.git'
-    puppet_agent: 'https://github.com/puppetlabs/puppetlabs-puppet_agent.git'
-    provision: 'https://github.com/puppetlabs/provision.git'
+    augeas_core: https://github.com/puppetlabs/puppetlabs-augeas_core.git
+    augeasproviders_core: https://github.com/voxpupuli/puppet-augeasproviders_core.git
+    augeasproviders_shellvar: https://github.com/voxpupuli/puppet-augeasproviders_shellvar.git
+    epel: https://github.com/voxpupuli/puppet-epel.git
+    facts: https://github.com/puppetlabs/puppetlabs-facts.git
+    provision: https://github.com/puppetlabs/provision.git
+    puppet_agent: https://github.com/puppetlabs/puppetlabs-puppet_agent.git
+    stdlib: https://github.com/puppetlabs/puppetlabs-stdlib.git
+    systemd: https://github.com/voxpupuli/puppet-systemd.git
+    yumrepo_core: https://github.com/puppetlabs/puppetlabs-yumrepo_core.git

.github/workflows/ci.yml

@@ -16,6 +16,9 @@ concurrency:
   group: ${{ github.ref_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   puppet:
     name: Puppet

.github/workflows/labeler.yml

@@ -8,6 +8,10 @@ name: "Pull Request Labeler"
 on:
   pull_request_target: {}
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   labeler:
     permissions:

.github/workflows/prepare_release.yml

@@ -0,0 +1,27 @@
+---
+# Managed by modulesync - DO NOT EDIT
+# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
+
+name: 'Prepare Release'
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Module version to be released. Must be a valid semver string without leading v. (1.2.3)'
+        required: false
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release_prep:
+    uses: 'voxpupuli/gha-puppet/.github/workflows/prepare_release.yml@v3'
+    with:
+      version: ${{ github.event.inputs.version }}
+      allowed_owner: 'voxpupuli'
+    secrets:
+      # Configure secrets here:
+      #  https://docs.github.com/en/actions/security-guides/encrypted-secrets
+      github_pat: '${{ secrets.PCCI_PAT_RELEASE_PREP }}'

.github/workflows/release.yml

@@ -10,6 +10,9 @@ on:
     tags:
       - '*'
 
+permissions:
+  contents: write
+
 jobs:
   release:
     name: Release
@@ -21,10 +24,3 @@ jobs:
       #  https://docs.github.com/en/actions/security-guides/encrypted-secrets
       username: ${{ secrets.PUPPET_FORGE_USERNAME }}
       api_key: ${{ secrets.PUPPET_FORGE_API_KEY }}
-
-  create-github-release:
-    name: Create GitHub Release
-    runs-on: ubuntu-latest
-    steps:
-      - name: Create GitHub release
-        uses: voxpupuli/gha-create-a-github-release@v1

.msync.yml

@@ -2,4 +2,4 @@
 # Managed by modulesync - DO NOT EDIT
 # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
 
-modulesync_config_version: '9.3.0'
+modulesync_config_version: '10.0.0'

CHANGELOG.md

@@ -4,7 +4,21 @@ All notable changes to this project will be documented in this file.
 Each new release typically also includes the latest modulesync defaults.
 These should not affect the functionality of the module.
 
-## [v8.0.0](https://github.com/voxpupuli/puppet-openldap/tree/v8.0.0) (2024-06-09)
+## [v8.1.0](https://github.com/voxpupuli/puppet-openldap/tree/v8.1.0) (2025-01-24)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-openldap/compare/v8.0.0...v8.1.0)
+
+**Implemented enhancements:**
+
+- Add `PPolicyCheckModule` as a valid database/overlay option [\#440](https://github.com/voxpupuli/puppet-openldap/pull/440) ([gcoxmoz](https://github.com/gcoxmoz))
+- Allow Sensitive\[String\[1\]\] for rootpw [\#439](https://github.com/voxpupuli/puppet-openldap/pull/439) ([WoutResseler](https://github.com/WoutResseler))
+- Add support for FreeBSD 14 [\#427](https://github.com/voxpupuli/puppet-openldap/pull/427) ([smortex](https://github.com/smortex))
+
+**Merged pull requests:**
+
+- puppet/systemd: allow 8.x [\#438](https://github.com/voxpupuli/puppet-openldap/pull/438) ([jay7x](https://github.com/jay7x))
+
+## [v8.0.0](https://github.com/voxpupuli/puppet-openldap/tree/v8.0.0) (2024-06-10)
 
 [Full Changelog](https://github.com/voxpupuli/puppet-openldap/compare/v7.0.2...v8.0.0)
 

Gemfile

@@ -4,10 +4,8 @@
 source ENV['GEM_SOURCE'] || 'https://rubygems.org'
 
 group :test do
-  gem 'voxpupuli-test', '~> 9.0',   :require => false
-  gem 'coveralls',                  :require => false
-  gem 'simplecov-console',          :require => false
-  gem 'puppet_metadata', '~> 4.0',  :require => false
+  gem 'voxpupuli-test', '~> 11.0',  :require => false
+  gem 'puppet_metadata', '~> 5.0',  :require => false
 end
 
 group :development do
@@ -16,17 +14,15 @@ group :development do
 end
 
 group :system_tests do
-  gem 'voxpupuli-acceptance', '~> 3.0',  :require => false
+  gem 'voxpupuli-acceptance', '~> 3.5',  :require => false
 end
 
 group :release do
-  gem 'voxpupuli-release', '~> 3.0',  :require => false
+  gem 'voxpupuli-release', '~> 4.0',  :require => false
 end
 
 gem 'rake', :require => false
-gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test]
 
-puppetversion = ENV['PUPPET_GEM_VERSION'] || [">= 7.24", "< 9"]
-gem 'puppet', puppetversion, :require => false, :groups => [:test]
+gem 'openvox', ENV.fetch('OPENVOX_GEM_VERSION', [">= 7", "< 9"]), :require => false, :groups => [:test]
 
 # vim: syntax=ruby

REFERENCE.md

@@ -892,6 +892,8 @@ The following parameters are available in the `openldap::server::database` defin
 * [`dbmaxsize`](#-openldap--server--database--dbmaxsize)
 * [`timelimit`](#-openldap--server--database--timelimit)
 * [`updateref`](#-openldap--server--database--updateref)
+* [`lastbind`](#-openldap--server--database--lastbind)
+* [`lastbindprecision`](#-openldap--server--database--lastbindprecision)
 * [`limits`](#-openldap--server--database--limits)
 * [`dboptions`](#-openldap--server--database--dboptions)
 * [`synctype`](#-openldap--server--database--synctype)
@@ -943,15 +945,15 @@ Default value: `undef`
 
 ##### <a name="-openldap--server--database--rootdn"></a>`rootdn`
 
-Data type: `Optional[String[1]]`
+Data type: `Optional[Variant[Sensitive[String[1]],String[1]]]`
 
 
 
 Default value: `undef`
 
 ##### <a name="-openldap--server--database--rootpw"></a>`rootpw`
 
-Data type: `Optional[String[1]]`
+Data type: `Optional[Variant[Sensitive[String[1]],String[1]]]`
 
 
 
@@ -1003,6 +1005,22 @@ Data type: `Optional[String[1]]`
 
 
 
+Default value: `undef`
+
+##### <a name="-openldap--server--database--lastbind"></a>`lastbind`
+
+Data type: `Optional[Boolean]`
+
+
+
+Default value: `undef`
+
+##### <a name="-openldap--server--database--lastbindprecision"></a>`lastbindprecision`
+
+Data type: `Optional[Integer[0]]`
+
+
+
 Default value: `undef`
 
 ##### <a name="-openldap--server--database--limits"></a>`limits`
@@ -1368,6 +1386,16 @@ Default value: `present`
 
 The index of the database.
 
+##### `lastbind`
+
+Valid values: `true`, `false`
+
+This option controls whether slapd will automatically maintain the pwdLastSuccess attribute for entries
+
+##### `lastbindprecision`
+
+specifies how frequently pwdLastSuccess will be updated
+
 ##### `limits`
 
 Limits the number entries returned and/or the time spent by a request
@@ -1745,10 +1773,10 @@ Alias of
 
 ```puppet
 Hash[Openldap::Access_title, Struct[{
-    position => Optional[Variant[Integer,String[1]]],
-    what     => Optional[String[1]],
-    access   => Array[Openldap::Access_rule],
-    suffix   => Optional[String[1]],
+      position => Optional[Variant[Integer,String[1]]],
+      what     => Optional[String[1]],
+      access   => Array[Openldap::Access_rule],
+      suffix   => Optional[String[1]],
   }]]
 ```
 

lib/puppet/provider/openldap.rb

@@ -158,6 +158,8 @@ def add_or_replace_key(key, force_replace = :false)
       IndexSubstrAnyLen
       IndexSubstrAnyStep
       IndexIntLen
+      LastBind
+      LastBindPrecision
       LastMod
       ListenerThreads
       LocalSSF
@@ -212,6 +214,7 @@ def add_or_replace_key(key, force_replace = :false)
       DbMaxSize
       DbMode
       DbSearchStack
+      PPolicyCheckModule
       PPolicyDefault
       PPolicyHashCleartext
       PPolicyForwardUpdates

lib/puppet/provider/openldap_access/olc.rb

@@ -30,7 +30,7 @@ def self.instances
           suffix = line.split[1]
         when %r{^olcAccess: }
           begin
-            position, what, bys = line.match(%r{^olcAccess:\s+\{(\d+)\}to\s+(\S+(?:\s+filter=\S+)?(?:\s+attrs=\S+)?(?:\s+val=\S+)?)(\s+by\s+.*)+$}).captures
+            position, what, bys = line.match(%r{^olcAccess:\s+\{(\d+)\}to\s+(\S+(?:\s+filter=\S+)?(?:\s+attrs=\S+)?(?:\s+val(?:/\S+)?(?:\.\S+)?=\S+)?)(\s+by\s+.*)+$}).captures
           rescue StandardError
             raise Puppet::Error, "Failed to parse olcAccess for suffix '#{suffix}': #{line}"
           end

lib/puppet/provider/openldap_database/olc.rb

@@ -28,6 +28,8 @@ def self.instances
       dbmaxsize = nil
       timelimit = nil
       updateref = nil
+      lastbind = nil
+      lastbindprecision = nil
       dboptions = {}
       mirrormode = nil
       multiprovider = nil
@@ -59,6 +61,10 @@ def self.instances
           timelimit = line.split[1]
         when %r{^olcUpdateref: }i
           updateref = line.split[1]
+        when %r{^olcLastBind: }
+          lastbind = line.split[1] == 'TRUE' ? :true : :false
+        when %r{^olcLastBindPrecision: }
+          lastbindprecision = line.split[1]
         when %r{^olcDb\S+: }i
           optname, optvalue = line.split(': ', 2)
           optname.downcase!
@@ -120,6 +126,8 @@ def self.instances
         timelimit: timelimit,
         dbmaxsize: dbmaxsize,
         updateref: updateref,
+        lastbind: lastbind,
+        lastbindprecision: lastbindprecision,
         dboptions: dboptions,
         mirrormode: mirrormode,
         multiprovider: multiprovider,
@@ -243,6 +251,8 @@ def create
     t << "olcDbMaxSize: #{resource[:dbmaxsize]}\n" if resource[:dbmaxsize]
     t << "olcTimeLimit: #{resource[:timelimit]}\n" if resource[:timelimit]
     t << "olcUpdateref: #{resource[:updateref]}\n" if resource[:updateref]
+    t << "olcLastBind: #{resource[:lastbind] == :true ? 'TRUE' : 'FALSE'}\n" if resource[:lastbind]
+    t << "olcLastBindPrecision: #{resource[:lastbindprecision]}\n" if resource[:lastbindprecision]
     resource[:dboptions]&.each do |k, v|
       t << case k
            when 'dbnosync'
@@ -338,6 +348,14 @@ def updateref=(value)
     @property_flush[:updateref] = value
   end
 
+  def lastbind=(value)
+    @property_flush[:lastbind] = value
+  end
+
+  def lastbindprecision=(value)
+    @property_flush[:lastbindprecision] = value
+  end
+
   def dboptions=(value)
     @property_flush[:dboptions] = value
   end
@@ -416,6 +434,8 @@ def flush
       end
       t << "replace: olcSyncrepl\n#{resource[:syncrepl].map { |x| "olcSyncrepl: #{x}" }.join("\n")}\n-\n" if @property_flush[:syncrepl]
       t << "replace: olcUpdateref\nolcUpdateref: #{resource[:updateref]}\n-\n" if @property_flush[:updateref]
+      t << "replace: olcLastBind\nolcLastBind: #{resource[:lastbind] == :true ? 'TRUE' : 'FALSE'}\n-\n" if @property_flush[:lastbind]
+      t << "replace: olcLastBindPrecision\nolcLastBindPrecision: #{resource[:lastbindprecision]}\n" if @property_flush[:lastbindprecision]
       t << "replace: olcMirrorMode\nolcMirrorMode: #{resource[:mirrormode] == :true ? 'TRUE' : 'FALSE'}\n-\n" if @property_flush[:mirrormode]
       t << "replace: olcMultiProvider\nolcMultiProvider: #{resource[:multiprovider] == :true ? 'TRUE' : 'FALSE'}\n-\n" if @property_flush[:multiprovider]
       t << "replace: olcSyncUseSubentry\nolcSyncUseSubentry: #{resource[:syncusesubentry]}\n-\n" if @property_flush[:syncusesubentry]

lib/puppet/provider/openldap_overlay/olc.rb

@@ -69,6 +69,7 @@ def create
       'auditlog'    => 'olcAuditLogConfig',
       'autoca'      => 'olcAutoCAConfig',
       'autogroup'   => 'olcAutomaticGroups',
+      'chain'       => 'olcChainConfig',
       'collect'     => 'olcCollectConfig',
       'constraint'  => 'olcConstraintConfig',
       'dds'         => 'olcDDSConfig',
@@ -115,7 +116,10 @@ def create
   end
 
   def getDn(suffix)
-    if suffix == 'cn=config'
+    case suffix
+    when 'cn=frontend'
+      'olcDatabase={-1}frontend,cn=config'
+    when 'cn=config'
       if resource[:overlay].to_s == 'rwm'
         slapcat('(olcDatabase=relay)').split("\n").map do |line|
           return line.split[1] if line =~ %r{^dn: }
@@ -134,6 +138,7 @@ def self.getSuffix(database)
     found = false
     slapcat("(olcDatabase=#{database})").split("\n").map do |line|
       found = true if line =~ %r{^dn: olcDatabase=#{database.gsub('{', '\{').gsub('}', '\}')},}
+      return 'cn=frontend' if database == '{-1}frontend'
       return 'cn=config' if database == '{0}config'
       return 'cn=config' if database =~ %r{\{\d+\}relay$}
       return line.split[1] if line =~ %r{^olcSuffix: } && found

lib/puppet/type/openldap_database.rb

@@ -185,6 +185,15 @@ def should_to_s(_newvalue)
     desc 'This directive is only applicable in a slave slapd. It specifies the URL to return to clients which submit update requests upon the replica.'
   end
 
+  newproperty(:lastbind, boolean: true) do
+    desc 'This option controls whether slapd will automatically maintain the pwdLastSuccess attribute for entries'
+    newvalues(:true, :false)
+  end
+
+  newproperty(:lastbindprecision) do
+    desc 'specifies how frequently pwdLastSuccess will be updated'
+  end
+
   newproperty(:dboptions) do
     desc 'Hash to pass specific HDB/BDB options for the database'