Hi,
At my work, we use LDAP as the backend for Puppet node definitions. Each host has an LDAP entry specifying things like which Puppet classes to apply, host-specific variables, environment (which git branch to use for Puppet manifests) and a few other things.
There are different teams that would like to be able to manage these attributes when deploying software. For example, DBAs should be able to manage DB servers, while QA needs to be able to configure their hosts to test different software.
Any host that DBAs can manage has role=DBA applied, and likewise any QA host has role=QA set. Since role is multi-valued, a QA DB can have both role=DBA and role=QA set on it, since both QA and DBAs might need to be able to make changes to the host.
Our slapd.conf has these ACLs:
access to dn.subtree="ou=hosts,dc=example,dc=info" filter=(role=DBA)
    attrs=puppetclass,puppetvar,environment
    by group/groupOfUniqueNames/uniqueMember="cn=dba,ou=groups,dc=example,dc=info" write
    by group="cn=sysadmin,ou=ldapgroup,dc=example,dc=info" write
    by * read
access to dn.subtree="ou=hosts,dc=example,dc=info" filter=(role=QA)
    attrs=puppetclass,puppetvar,environment
    by group/groupOfUniqueNames/uniqueMember="cn=qa,ou=groups,dc=example,dc=info" write
    by group="cn=sysadmin,ou=ldapgroup,dc=example,dc=info" write
    by * read
Let's say an LDAP host entry looks like this:
dn: cn=qadb1.int.example.info,ou=QAServers,dc=tor,ou=hosts,dc=example,dc=info
objectClass: puppetClient
objectClass: device
objectClass: exampleHost
objectClass: dNSDomain2
cn: qadb1.int.example.info
role: DBA
role: QA
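The two directives above, modelled in Python as an added example (this is not the poster's code and not slapd; it is a constructed simulation of slapd's documented evaluation rule that the first `access to` directive whose `<what>` matches an entry is the only one consulted, and that within it the first matching `by` clause decides). It shows what that rule means for an entry carrying both role values, and one possible reordering with a more specific directive in front. The user DNs, group membership and the second host entry are assumptions, and the `dn.subtree` part of `<what>` is not modelled since every entry here sits under `ou=hosts`.

```python
"""
Toy model of slapd.conf ACL evaluation for the two "access to" directives
in the post above.  Constructed simulation of slapd's rules: the FIRST
directive whose <what> (attrs + filter) matches the entry is used, and
within it the FIRST matching <by> clause decides.  Not slapd itself.
"""

# slapd privilege levels; each level implies everything to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

PUPPET_ATTRS = {"puppetclass", "puppetvar", "environment"}
DBA_GROUP = "cn=dba,ou=groups,dc=example,dc=info"
QA_GROUP = "cn=qa,ou=groups,dc=example,dc=info"
SYSADMIN_GROUP = "cn=sysadmin,ou=ldapgroup,dc=example,dc=info"

# Assumed bind DNs and group membership; slapd would read these from the
# uniqueMember / member attributes of the group entries.
ALICE = "uid=alice,ou=people,dc=example,dc=info"   # in cn=dba
BOB = "uid=bob,ou=people,dc=example,dc=info"       # in cn=qa
GROUPS = {DBA_GROUP: {ALICE}, QA_GROUP: {BOB}, SYSADMIN_GROUP: set()}


def role_filter(*roles):
    """Model filter=(role=X), or (&(role=X)(role=Y)) when several roles are
    given, evaluated against a multi-valued role attribute."""
    return lambda entry: all(r in entry.get("role", ()) for r in roles)


def directive(flt, by):
    """One 'access to ... filter=... attrs=puppetclass,puppetvar,environment'
    directive with its ordered (who-kind, who, level) clauses."""
    return {"filter": flt, "attrs": PUPPET_ATTRS, "by": by}


# The two directives from the post, in the same order.
ORIGINAL_ACLS = [
    directive(role_filter("DBA"), [("group", DBA_GROUP, "write"),
                                   ("group", SYSADMIN_GROUP, "write"),
                                   ("*", None, "read")]),
    directive(role_filter("QA"), [("group", QA_GROUP, "write"),
                                  ("group", SYSADMIN_GROUP, "write"),
                                  ("*", None, "read")]),
]

# One possible rearrangement (assumption, not from the post): a more
# specific directive for hosts carrying BOTH roles placed first, so that
# first-match selects it for such hosts and grants both groups write.
FIXED_ACLS = [
    directive(role_filter("DBA", "QA"), [("group", DBA_GROUP, "write"),
                                         ("group", QA_GROUP, "write"),
                                         ("group", SYSADMIN_GROUP, "write"),
                                         ("*", None, "read")]),
] + ORIGINAL_ACLS


def who_matches(kind, who, user):
    """'by *' matches everyone; 'by group=...' matches members of that group."""
    return kind == "*" or (kind == "group" and user in GROUPS.get(who, ()))


def granted_level(acls, entry, attr, user):
    """Level slapd would grant `user` on `attr` of `entry`: only the first
    directive whose <what> matches is consulted; later ones are ignored."""
    for acl in acls:
        if attr in acl["attrs"] and acl["filter"](entry):
            for kind, who, level in acl["by"]:
                if who_matches(kind, who, user):
                    return level
            return "none"     # directive matched but no <by> clause did
    return "none"             # nothing matched: treated as no access here


def can(acls, entry, attr, user, needed):
    """True if the granted level is at least `needed` (write implies read)."""
    return LEVELS.index(granted_level(acls, entry, attr, user)) >= LEVELS.index(needed)


# The entry from the post (both roles) and a constructed QA-only host.
QADB1 = {"dn": "cn=qadb1.int.example.info,ou=QAServers,dc=tor,ou=hosts,dc=example,dc=info",
         "role": ["DBA", "QA"]}
QAWEB1 = {"dn": "cn=qaweb1.int.example.info,ou=QAServers,dc=tor,ou=hosts,dc=example,dc=info",
          "role": ["QA"]}

if __name__ == "__main__":
    for acls, name in ((ORIGINAL_ACLS, "original"), (FIXED_ACLS, "fixed")):
        for user, uname in ((ALICE, "alice(dba)"), (BOB, "bob(qa)")):
            for entry in (QADB1, QAWEB1):
                print(name, uname, entry["dn"].split(",")[0], "->",
                      granted_level(acls, entry, "puppetclass", user))
```

With the directives in the posted order, the entry for qadb1 matches the first directive (`filter=(role=DBA)`), so the `by` clauses of the second directive are never reached and a member of cn=qa falls through to `by * read` on that host, while on a QA-only host the same user gets write. To check the real server rather than the model, run `slapacl -f slapd.conf -D <bindDN> -b <entryDN> puppetclass/write` against the actual configuration.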