Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status


openldap (42) Versions 0.11.2

Installs and configures OpenLDAP (slapd) an open source implementation of LDAP.

cookbook 'openldap', '= 0.11.2', :supermarket
cookbook 'openldap', '= 0.11.2'
knife supermarket install openldap
knife supermarket download openldap
Quality -%


Configures a server to be an OpenLDAP master, OpenLDAP replication
slave, or OpenLDAP client.



Ubuntu 10.04 was primarily used in testing this cookbook. Other Ubuntu
versions and Debian may work. Red Hat and derivatives are not fully
supported, but we take patches.


  • openssh
  • nscd
  • openssl (for slave recipe)


Be aware of the attributes used by this cookbook and adjust the
defaults for your environment where required, in

Client node attributes

  • openldap[:basedn] - basedn
  • openldap[:server] - the LDAP server fully qualified domain name, default 'ldap'.node[:domain].

Server node attributes

  • openldap[:slapd_type] - master | slave
  • openldap[:slapd_rid] - unique integer ID, required if type is slave.
  • openldap[:slapd_master] - hostname of slapd master, attempts to search for slapd_type master.

Apache configuration attributes

Attributes useful for Apache authentication with LDAP.

COOK-128 - set automatically based on openldap[:server] and
openldap[:basedn] if those attributes are set. openldap[:auth_bindpw]
remains nil by default as a default value is not easily predicted.

  • openldap[:auth_type] - determine whether binddn and bindpw are required (openldap no, ad yes)
  • openldap[:auth_url] - AuthLDAPURL
  • openldap[:auth_binddn] - AuthLDAPBindDN
  • openldap[:auth_bindpw] - AuthLDAPBindPassword



Sets up the system for using openldap for user authentication.


Empty recipe, you may want client.


Install the openldap client packages.


Set up openldap to be a slapd server. Use this if your environment
would only have a single slapd server.


Sets the node['openldap']['slapd_type'] to master and then includes
the openldap::server recipe.


Sets the node['openldap']['slapd_type'] to slave, then includes the
openldap::server recipe. If the node is running chef-solo, then the
node['openldap']['slapd_replpw'] and
node['openldap']['slapd_master'] attributes must be set in the JSON
attributes file passed to chef-solo.


Edit Rakefile variables for SSL certificate.

On client systems,

include_recipe "openldap::auth"

This will get the required packages and configuration for client
systems. This will be required on server systems as well, so this is a
good candidate for inclusion in a base role.

On server systems, if there's only one LDAP server, then use the
openldap::server recipe. If replication is required, use the
openldap::master and openldap::slave recipes instead.

When initially installing a brand new LDAP master server on Ubuntu
8.10, the configuration directory may need to be removed and recreated
before slapd will start successfully. Doing this programmatically may
cause other issues, so fix the directory manually :-).

$ sudo slaptest -F /etc/ldap/slapd.d
str2entry: invalid value for attributeType objectClass #1 (syntax
=> ldif_enum_tree: failed to read entry for /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
slaptest: bad configuration directory!

Simply remove the configuration, rerun chef-client. For some reason
slapd isn't getting started even though the service resource is
notified to start, so start it manually.

$ sudo rm -rf /etc/ldap/slapd.d/ /etc/ldap/slapd.conf
$ sudo chef-client
$ sudo /etc/init.d/slapd start

A note about certificates

Certificates created by the Rakefile are self signed. If you have a
purchased CA, that can be used. Be sure to update the certificate
locations in the templates as required. We suggest copying this
cookbook to the site-cookbooks for such modifications, so you can
still pull from our master for updates, and then merge your changes

New Directory:

If installing for the first time, the initial directory needs to be
created. Create an ldif file, and start populating the directory.


Set the password, openldap[:rootpw] for the rootdn in the node's
attributes. This should be a password hash generated from slappasswd.
The default slappasswd command on Ubuntu 8.10 and Mac OS X 10.5 will
generate a SHA1 hash:

$ slappasswd -s "secretsauce"

Set this by default in the attributes file, or on the node's entry in
the webui.

License and Author

Author:: Joshua Timberman (
Copyright:: 2009, Opscode, Inc

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.

No quality metric results found