diff --git a/REFERENCE.md b/REFERENCE.md
new file mode 100644
index 00000000..026e11c6
--- /dev/null
+++ b/REFERENCE.md
@@ -0,0 +1,1808 @@
+# Reference
+
+
+
+## Table of Contents
+
+### Classes
+
+* [`openldap::client`](#openldap--client): See README.md for details.
+* [`openldap::client::config`](#openldap--client--config): See README.md for details.
+* [`openldap::client::install`](#openldap--client--install): See README.md for details.
+* [`openldap::client::ldapvi`](#openldap--client--ldapvi): See README.md for details.
+* [`openldap::client::utils`](#openldap--client--utils)
+* [`openldap::server`](#openldap--server): See README.md for details.
+* [`openldap::server::config`](#openldap--server--config): See README.md for details.
+* [`openldap::server::install`](#openldap--server--install): See README.md for details.
+* [`openldap::server::service`](#openldap--server--service): See README.md for details.
+* [`openldap::server::slapdconf`](#openldap--server--slapdconf): See README.md for details.
+* [`openldap::utils`](#openldap--utils): See README.md for details.
+
+### Defined types
+
+* [`openldap::server::access`](#openldap--server--access): See README.md for details.
+* [`openldap::server::access_wrapper`](#openldap--server--access_wrapper): == Define openldap::server::access_wrapper Generate access from a given hash. === Parameters [*suffix*] Default: $name Mandatory. The
+* [`openldap::server::database`](#openldap--server--database): See README.md for details.
+* [`openldap::server::dbindex`](#openldap--server--dbindex): See README.md for details.
+* [`openldap::server::globalconf`](#openldap--server--globalconf): See README.md for details.
+* [`openldap::server::iterate_access`](#openldap--server--iterate_access): This is a 'private' class used by openldap::server::access_wrapper
+* [`openldap::server::module`](#openldap--server--module): See README.md for details.
+* [`openldap::server::overlay`](#openldap--server--overlay): See README.md for details.
+* [`openldap::server::schema`](#openldap--server--schema): See README.md for details.
+
+### Resource types
+
+* [`openldap_access`](#openldap_access): Manages OpenLDAP ACPs/ACLs
+* [`openldap_database`](#openldap_database): Manages OpenLDAP BDB and HDB databases.
+* [`openldap_dbindex`](#openldap_dbindex): Manages OpenLDAP DB indexes
+* [`openldap_global_conf`](#openldap_global_conf)
+* [`openldap_module`](#openldap_module): Manages OpenLDAP modules.
+* [`openldap_overlay`](#openldap_overlay): Manages OpenLDAP Overlays
+* [`openldap_schema`](#openldap_schema): Manages OpenLDAP schemas.
+
+### Functions
+
+* [`openldap_password`](#openldap_password)
+
+### Data types
+
+* [`Openldap::Access_hash`](#Openldap--Access_hash): A valid acl value for openldap::server::access_wrapper
+* [`Openldap::Access_rule`](#Openldap--Access_rule): A valid access rule for openldap::server::access
+* [`Openldap::Access_title`](#Openldap--Access_title): A valid title for an openldap::server::access resource
+* [`Openldap::Attribute`](#Openldap--Attribute): An LDAP attribute in the form "key: value"
+* [`Openldap::Attributes`](#Openldap--Attributes): A set of LDAP attributes
+* [`Openldap::Tls_moznss_compatibility`](#Openldap--Tls_moznss_compatibility): The list of possible values TLS_MOZNSS_COMPATIBILITY can have (based on the man page), and an 'absent' (a puppet directive to remove an exist
+
+## Classes
+
+### `openldap::client`
+
+See README.md for details.
+
+#### Parameters
+
+The following parameters are available in the `openldap::client` class:
+
+* [`package`](#-openldap--client--package)
+* [`file`](#-openldap--client--file)
+* [`package_version`](#-openldap--client--package_version)
+* [`base`](#-openldap--client--base)
+* [`bind_policy`](#-openldap--client--bind_policy)
+* [`bind_timelimit`](#-openldap--client--bind_timelimit)
+* [`binddn`](#-openldap--client--binddn)
+* [`bindpw`](#-openldap--client--bindpw)
+* [`ldap_version`](#-openldap--client--ldap_version)
+* [`network_timeout`](#-openldap--client--network_timeout)
+* [`scope`](#-openldap--client--scope)
+* [`ssl`](#-openldap--client--ssl)
+* [`suffix`](#-openldap--client--suffix)
+* [`timelimit`](#-openldap--client--timelimit)
+* [`timeout`](#-openldap--client--timeout)
+* [`uri`](#-openldap--client--uri)
+* [`nss_base_group`](#-openldap--client--nss_base_group)
+* [`nss_base_hosts`](#-openldap--client--nss_base_hosts)
+* [`nss_base_passwd`](#-openldap--client--nss_base_passwd)
+* [`nss_base_shadow`](#-openldap--client--nss_base_shadow)
+* [`nss_initgroups_ignoreusers`](#-openldap--client--nss_initgroups_ignoreusers)
+* [`pam_filter`](#-openldap--client--pam_filter)
+* [`pam_login_attribute`](#-openldap--client--pam_login_attribute)
+* [`pam_member_attribute`](#-openldap--client--pam_member_attribute)
+* [`pam_password`](#-openldap--client--pam_password)
+* [`tls_cacert`](#-openldap--client--tls_cacert)
+* [`tls_cacertdir`](#-openldap--client--tls_cacertdir)
+* [`tls_checkpeer`](#-openldap--client--tls_checkpeer)
+* [`tls_reqcert`](#-openldap--client--tls_reqcert)
+* [`tls_moznss_compatibility`](#-openldap--client--tls_moznss_compatibility)
+* [`sasl_mech`](#-openldap--client--sasl_mech)
+* [`sasl_realm`](#-openldap--client--sasl_realm)
+* [`sasl_authcid`](#-openldap--client--sasl_authcid)
+* [`sasl_secprops`](#-openldap--client--sasl_secprops)
+* [`sasl_nocanon`](#-openldap--client--sasl_nocanon)
+* [`gssapi_sign`](#-openldap--client--gssapi_sign)
+* [`gssapi_encrypt`](#-openldap--client--gssapi_encrypt)
+* [`gssapi_allow_remote_principal`](#-openldap--client--gssapi_allow_remote_principal)
+* [`sudoers_base`](#-openldap--client--sudoers_base)
+
+##### `package`
+
+Data type: `String[1]`
+
+
+
+##### `file`
+
+Data type: `Stdlib::Absolutepath`
+
+
+
+##### `package_version`
+
+Data type: `String[1]`
+
+
+
+Default value: `installed`
+
+##### `base`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `bind_policy`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `bind_timelimit`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `binddn`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `bindpw`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `ldap_version`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `network_timeout`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `scope`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `ssl`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `suffix`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `timelimit`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `timeout`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `uri`
+
+Data type: `Optional[Variant[String[1],Array[String[1]]]]`
+
+
+
+Default value: `undef`
+
+##### `nss_base_group`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `nss_base_hosts`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `nss_base_passwd`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `nss_base_shadow`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `nss_initgroups_ignoreusers`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `pam_filter`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `pam_login_attribute`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `pam_member_attribute`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `pam_password`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `tls_cacert`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+
+
+Default value: `undef`
+
+##### `tls_cacertdir`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+
+
+Default value: `undef`
+
+##### `tls_checkpeer`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `tls_reqcert`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `tls_moznss_compatibility`
+
+Data type: `Optional[Openldap::Tls_moznss_compatibility]`
+
+
+
+Default value: `undef`
+
+##### `sasl_mech`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `sasl_realm`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `sasl_authcid`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `sasl_secprops`
+
+Data type: `Optional[Array[String[1]]]`
+
+
+
+Default value: `undef`
+
+##### `sasl_nocanon`
+
+Data type: `Optional[Boolean]`
+
+
+
+Default value: `undef`
+
+##### `gssapi_sign`
+
+Data type: `Optional[Boolean]`
+
+
+
+Default value: `undef`
+
+##### `gssapi_encrypt`
+
+Data type: `Optional[Boolean]`
+
+
+
+Default value: `undef`
+
+##### `gssapi_allow_remote_principal`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `sudoers_base`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+### `openldap::client::config`
+
+See README.md for details.
+
+### `openldap::client::install`
+
+See README.md for details.
+
+### `openldap::client::ldapvi`
+
+See README.md for details.
+
+#### Parameters
+
+The following parameters are available in the `openldap::client::ldapvi` class:
+
+* [`package`](#-openldap--client--ldapvi--package)
+
+##### `package`
+
+Data type: `String[1]`
+
+
+
+Default value: `'ldapvi'`
+
+### `openldap::client::utils`
+
+The openldap::client::utils class.
+
+### `openldap::server`
+
+See README.md for details.
+
+#### Parameters
+
+The following parameters are available in the `openldap::server` class:
+
+* [`krb5_keytab_file`](#-openldap--server--krb5_keytab_file)
+* [`krb5_client_keytab_file`](#-openldap--server--krb5_client_keytab_file)
+* [`manage_policy_rc_d`](#-openldap--server--manage_policy_rc_d)
+* [`package`](#-openldap--server--package)
+* [`confdir`](#-openldap--server--confdir)
+* [`conffile`](#-openldap--server--conffile)
+* [`service`](#-openldap--server--service)
+* [`owner`](#-openldap--server--owner)
+* [`group`](#-openldap--server--group)
+* [`escape_ldapi_ifs`](#-openldap--server--escape_ldapi_ifs)
+* [`ldapi_ifs`](#-openldap--server--ldapi_ifs)
+* [`default_directory`](#-openldap--server--default_directory)
+* [`manage_epel`](#-openldap--server--manage_epel)
+* [`package_version`](#-openldap--server--package_version)
+* [`enable_chown`](#-openldap--server--enable_chown)
+* [`service_hasstatus`](#-openldap--server--service_hasstatus)
+* [`enable`](#-openldap--server--enable)
+* [`start`](#-openldap--server--start)
+* [`ssl_key`](#-openldap--server--ssl_key)
+* [`ssl_cert`](#-openldap--server--ssl_cert)
+* [`ssl_ca`](#-openldap--server--ssl_ca)
+* [`databases`](#-openldap--server--databases)
+* [`ldap_ifs`](#-openldap--server--ldap_ifs)
+* [`ldaps_ifs`](#-openldap--server--ldaps_ifs)
+* [`slapd_params`](#-openldap--server--slapd_params)
+* [`ldap_port`](#-openldap--server--ldap_port)
+* [`ldap_address`](#-openldap--server--ldap_address)
+* [`ldaps_port`](#-openldap--server--ldaps_port)
+* [`ldaps_address`](#-openldap--server--ldaps_address)
+* [`ldapi_socket_path`](#-openldap--server--ldapi_socket_path)
+* [`register_slp`](#-openldap--server--register_slp)
+* [`ldap_config_backend`](#-openldap--server--ldap_config_backend)
+* [`enable_memory_limit`](#-openldap--server--enable_memory_limit)
+
+##### `krb5_keytab_file`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+if set, manage the env variable KRB5_KTNAME on Debian based operating systems. This is required when
+configuring sasl with backend GSSAPI
+
+Default value: `undef`
+
+##### `krb5_client_keytab_file`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+if set, manage the env variable KRB5_CLIENT_KTNAME on Debian based operating systems. This is required when
+configuring sasl with backend GSSAPI
+
+Default value: `undef`
+
+##### `manage_policy_rc_d`
+
+Data type: `Optional[Boolean]`
+
+If set, manage /usr/sbin/policy-rc.d on Debian based operating systems to not automatically start the LDAP server
+when installing slapd. This is required when preseeding the package with the no_configuration flag as we have to.
+
+Default value: `undef`
+
+##### `package`
+
+Data type: `String[1]`
+
+
+
+##### `confdir`
+
+Data type: `String[1]`
+
+
+
+##### `conffile`
+
+Data type: `String[1]`
+
+
+
+##### `service`
+
+Data type: `String[1]`
+
+
+
+##### `owner`
+
+Data type: `String[1]`
+
+
+
+##### `group`
+
+Data type: `String[1]`
+
+
+
+##### `escape_ldapi_ifs`
+
+Data type: `Boolean`
+
+
+
+##### `ldapi_ifs`
+
+Data type: `Array[String[1]]`
+
+
+
+##### `default_directory`
+
+Data type: `Stdlib::Absolutepath`
+
+
+
+##### `manage_epel`
+
+Data type: `Boolean`
+
+
+
+Default value: `true`
+
+##### `package_version`
+
+Data type: `String[1]`
+
+
+
+Default value: `installed`
+
+##### `enable_chown`
+
+Data type: `Optional[Boolean]`
+
+
+
+Default value: `undef`
+
+##### `service_hasstatus`
+
+Data type: `Optional[Boolean]`
+
+
+
+Default value: `undef`
+
+##### `enable`
+
+Data type: `Boolean`
+
+
+
+Default value: `true`
+
+##### `start`
+
+Data type: `Boolean`
+
+
+
+Default value: `true`
+
+##### `ssl_key`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+
+
+Default value: `undef`
+
+##### `ssl_cert`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+
+
+Default value: `undef`
+
+##### `ssl_ca`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+
+
+Default value: `undef`
+
+##### `databases`
+
+Data type: `Hash`
+
+
+
+Default value: `{}`
+
+##### `ldap_ifs`
+
+Data type: `Array[String[1]]`
+
+
+
+Default value: `['/']`
+
+##### `ldaps_ifs`
+
+Data type: `Array[String[1]]`
+
+
+
+Default value: `[]`
+
+##### `slapd_params`
+
+Data type: `Optional[String]`
+
+
+
+Default value: `undef`
+
+##### `ldap_port`
+
+Data type: `Optional[Stdlib::Port]`
+
+
+
+Default value: `undef`
+
+##### `ldap_address`
+
+Data type: `Optional[Stdlib::IP::Address]`
+
+
+
+Default value: `undef`
+
+##### `ldaps_port`
+
+Data type: `Optional[Stdlib::Port]`
+
+
+
+Default value: `undef`
+
+##### `ldaps_address`
+
+Data type: `Optional[Stdlib::IP::Address]`
+
+
+
+Default value: `undef`
+
+##### `ldapi_socket_path`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+
+
+Default value: `undef`
+
+##### `register_slp`
+
+Data type: `Optional[Boolean]`
+
+
+
+Default value: `undef`
+
+##### `ldap_config_backend`
+
+Data type: `Optional[String]`
+
+
+
+Default value: `undef`
+
+##### `enable_memory_limit`
+
+Data type: `Optional[Boolean]`
+
+
+
+Default value: `undef`
+
+### `openldap::server::config`
+
+See README.md for details.
+
+### `openldap::server::install`
+
+See README.md for details.
+
+### `openldap::server::service`
+
+See README.md for details.
+
+### `openldap::server::slapdconf`
+
+See README.md for details.
+
+### `openldap::utils`
+
+See README.md for details.
+
+#### Parameters
+
+The following parameters are available in the `openldap::utils` class:
+
+* [`package`](#-openldap--utils--package)
+* [`package_version`](#-openldap--utils--package_version)
+
+##### `package`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `package_version`
+
+Data type: `String[1]`
+
+
+
+Default value: `installed`
+
+## Defined types
+
+### `openldap::server::access`
+
+See README.md for details.
+
+#### Parameters
+
+The following parameters are available in the `openldap::server::access` defined type:
+
+* [`what`](#-openldap--server--access--what)
+* [`access`](#-openldap--server--access--access)
+* [`ensure`](#-openldap--server--access--ensure)
+
+##### `what`
+
+Data type: `String[1]`
+
+
+
+##### `access`
+
+Data type: `Array[Openldap::Access_rule]`
+
+
+
+##### `ensure`
+
+Data type: `Enum['present', 'absent']`
+
+
+
+Default value: `'present'`
+
+### `openldap::server::access_wrapper`
+
+== Define openldap::server::access_wrapper
+
+Generate access from a given hash.
+
+=== Parameters
+
+[*suffix*]
+ Default: $name
+ Mandatory. The suffix to apply acls
+
+[*acl*]
+ Default:
+ Mandatory. Array of Hash in the form { => , ... }
+
+ example:
+ $acl = [
+ {
+ 'to *' => [
+ 'by dn.base="cn=replicator,dc=suretecsystems,dc=com" write',
+ 'by * break'
+ ],
+ },
+ {
+ 'to dn.base=""' => [
+ 'by * read',
+ ],
+ },
+ {
+ 'to dn.base="cn=Subschema"' => [
+ 'by * read',
+ ],
+ },
+ {
+ 'to dn.subtree="cn=Monitor"' => [
+ 'by dn.exact="uid=admin,dc=suretecsystems,dc=com" write',
+ 'by users read',
+ 'by * none',
+ ],
+ },
+ {
+ 'to *' => [
+ 'by self write',
+ 'by * none',
+ ]
+ },
+ ]
+
+#### Parameters
+
+The following parameters are available in the `openldap::server::access_wrapper` defined type:
+
+* [`acl`](#-openldap--server--access_wrapper--acl)
+* [`suffix`](#-openldap--server--access_wrapper--suffix)
+
+##### `acl`
+
+Data type: `Array[Hash[Pattern[/\Ato\s/], Array[Openldap::Access_rule], 1, 1]]`
+
+
+
+##### `suffix`
+
+Data type: `String[1]`
+
+
+
+Default value: `$name`
+
+### `openldap::server::database`
+
+See README.md for details.
+
+#### Parameters
+
+The following parameters are available in the `openldap::server::database` defined type:
+
+* [`ensure`](#-openldap--server--database--ensure)
+* [`directory`](#-openldap--server--database--directory)
+* [`suffix`](#-openldap--server--database--suffix)
+* [`relay`](#-openldap--server--database--relay)
+* [`backend`](#-openldap--server--database--backend)
+* [`rootdn`](#-openldap--server--database--rootdn)
+* [`rootpw`](#-openldap--server--database--rootpw)
+* [`initdb`](#-openldap--server--database--initdb)
+* [`readonly`](#-openldap--server--database--readonly)
+* [`sizelimit`](#-openldap--server--database--sizelimit)
+* [`dbmaxsize`](#-openldap--server--database--dbmaxsize)
+* [`timelimit`](#-openldap--server--database--timelimit)
+* [`updateref`](#-openldap--server--database--updateref)
+* [`limits`](#-openldap--server--database--limits)
+* [`dboptions`](#-openldap--server--database--dboptions)
+* [`synctype`](#-openldap--server--database--synctype)
+* [`mirrormode`](#-openldap--server--database--mirrormode)
+* [`multiprovider`](#-openldap--server--database--multiprovider)
+* [`syncusesubentry`](#-openldap--server--database--syncusesubentry)
+* [`syncrepl`](#-openldap--server--database--syncrepl)
+* [`security`](#-openldap--server--database--security)
+
+##### `ensure`
+
+Data type: `Enum['present', 'absent']`
+
+
+
+Default value: `present`
+
+##### `directory`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+
+
+Default value: `undef`
+
+##### `suffix`
+
+Data type: `String[1]`
+
+
+
+Default value: `$title`
+
+##### `relay`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `backend`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `rootdn`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `rootpw`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `initdb`
+
+Data type: `Optional[Boolean]`
+
+
+
+Default value: `undef`
+
+##### `readonly`
+
+Data type: `Boolean`
+
+
+
+Default value: `false`
+
+##### `sizelimit`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `dbmaxsize`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `timelimit`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `updateref`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `limits`
+
+Data type: `Array[String[1]]`
+
+
+
+Default value: `[]`
+
+##### `dboptions`
+
+Data type: `Hash[String[1],Variant[String[1],Array[String[1]]]]`
+
+
+
+Default value: `{}`
+
+##### `synctype`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `mirrormode`
+
+Data type: `Optional[Boolean]`
+
+
+
+Default value: `undef`
+
+##### `multiprovider`
+
+Data type: `Optional[Boolean]`
+
+
+
+Default value: `undef`
+
+##### `syncusesubentry`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `syncrepl`
+
+Data type: `Optional[Variant[String[1],Array[String[1]]]]`
+
+
+
+Default value: `undef`
+
+##### `security`
+
+Data type:
+
+```puppet
+Hash[
+ Enum[
+ 'transport',
+ 'sasl',
+ 'simple_bind',
+ 'ssf',
+ 'tls',
+ 'update_sasl',
+ 'update_ssf',
+ 'update_tls',
+ 'update_transport',
+ ],
+ Integer[0]
+ ]
+```
+
+
+
+Default value: `{}`
+
+### `openldap::server::dbindex`
+
+See README.md for details.
+
+#### Parameters
+
+The following parameters are available in the `openldap::server::dbindex` defined type:
+
+* [`ensure`](#-openldap--server--dbindex--ensure)
+* [`suffix`](#-openldap--server--dbindex--suffix)
+* [`attribute`](#-openldap--server--dbindex--attribute)
+* [`indices`](#-openldap--server--dbindex--indices)
+
+##### `ensure`
+
+Data type: `Optional[Enum['present', 'absent']]`
+
+
+
+Default value: `undef`
+
+##### `suffix`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+##### `attribute`
+
+Data type: `String[1]`
+
+
+
+Default value: `$name`
+
+##### `indices`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
+### `openldap::server::globalconf`
+
+See README.md for details.
+
+#### Parameters
+
+The following parameters are available in the `openldap::server::globalconf` defined type:
+
+* [`value`](#-openldap--server--globalconf--value)
+* [`ensure`](#-openldap--server--globalconf--ensure)
+
+##### `value`
+
+Data type: `Variant[String[1],Array[String[1],1],Openldap::Attributes]`
+
+
+
+##### `ensure`
+
+Data type: `Enum['present', 'absent']`
+
+
+
+Default value: `'present'`
+
+### `openldap::server::iterate_access`
+
+This is a 'private' class used by openldap::server::access_wrapper
+
+#### Parameters
+
+The following parameters are available in the `openldap::server::iterate_access` defined type:
+
+* [`hash`](#-openldap--server--iterate_access--hash)
+
+##### `hash`
+
+Data type: `Openldap::Access_hash`
+
+
+
+### `openldap::server::module`
+
+See README.md for details.
+
+#### Parameters
+
+The following parameters are available in the `openldap::server::module` defined type:
+
+* [`ensure`](#-openldap--server--module--ensure)
+
+##### `ensure`
+
+Data type: `Optional[Enum['present', 'absent']]`
+
+
+
+Default value: `undef`
+
+### `openldap::server::overlay`
+
+See README.md for details.
+
+#### Parameters
+
+The following parameters are available in the `openldap::server::overlay` defined type:
+
+* [`ensure`](#-openldap--server--overlay--ensure)
+* [`overlay`](#-openldap--server--overlay--overlay)
+* [`suffix`](#-openldap--server--overlay--suffix)
+* [`options`](#-openldap--server--overlay--options)
+
+##### `ensure`
+
+Data type: `Enum['present', 'absent']`
+
+
+
+Default value: `present`
+
+##### `overlay`
+
+Data type: `String[1]`
+
+
+
+Default value: `regsubst($title, '^(\S+)\s+on\s+(\S+)$', '\1')`
+
+##### `suffix`
+
+Data type: `String[1]`
+
+
+
+Default value: `regsubst($title, '^(\S+)\s+on\s+(\S+)$', '\2')`
+
+##### `options`
+
+Data type: `Optional[Openldap::Attributes]`
+
+
+
+Default value: `undef`
+
+### `openldap::server::schema`
+
+See README.md for details.
+
+#### Parameters
+
+The following parameters are available in the `openldap::server::schema` defined type:
+
+* [`ensure`](#-openldap--server--schema--ensure)
+* [`path`](#-openldap--server--schema--path)
+
+##### `ensure`
+
+Data type: `Optional[Enum['present', 'absent']]`
+
+
+
+Default value: `undef`
+
+##### `path`
+
+Data type: `Stdlib::Absolutepath`
+
+
+
+Default value:
+
+```puppet
+$facts['os']['family'] ? {
+ 'Debian' => "/etc/ldap/schema/${title}.schema",
+ 'Redhat' => "/etc/openldap/schema/${title}.schema",
+ 'Archlinux' => "/etc/openldap/schema/${title}.schema",
+ 'FreeBSD' => "/usr/local/etc/openldap/schema/${title}.schema",
+ 'Suse' => "/etc/openldap/schema/${title}.schema"
+```
+
+## Resource types
+
+### `openldap_access`
+
+Manages OpenLDAP ACPs/ACLs
+
+#### Properties
+
+The following properties are available in the `openldap_access` type.
+
+##### `access`
+
+Access rule.
+
+##### `ensure`
+
+Valid values: `present`, `absent`
+
+The basic property that the resource should be in.
+
+Default value: `present`
+
+##### `what`
+
+The entries and/or attributes to which the access applies
+
+#### Parameters
+
+The following parameters are available in the `openldap_access` type.
+
+* [`name`](#-openldap_access--name)
+* [`position`](#-openldap_access--position)
+* [`provider`](#-openldap_access--provider)
+* [`suffix`](#-openldap_access--suffix)
+* [`target`](#-openldap_access--target)
+
+##### `name`
+
+namevar
+
+The default namevar
+
+##### `position`
+
+Where to place the new entry
+
+##### `provider`
+
+The specific backend to use for this `openldap_access` resource. You will seldom need to specify this --- Puppet will
+usually discover the appropriate provider for your platform.
+
+##### `suffix`
+
+The suffix to which the access applies
+
+##### `target`
+
+The slapd.conf file
+
+### `openldap_database`
+
+Manages OpenLDAP BDB and HDB databases.
+
+#### Properties
+
+The following properties are available in the `openldap_database` type.
+
+##### `backend`
+
+Valid values: `bdb`, `hdb`, `mdb`, `monitor`, `config`, `relay`, `ldap`
+
+The name of the backend.
+
+##### `dbmaxsize`
+
+Specifies the maximum size of the DB in bytes.
+
+##### `dboptions`
+
+Hash to pass specific HDB/BDB options for the database
+
+##### `directory`
+
+The directory where the BDB files containing this database and associated indexes live.
+
+##### `ensure`
+
+Valid values: `present`, `absent`
+
+The basic property that the resource should be in.
+
+Default value: `present`
+
+##### `index`
+
+The index of the database.
+
+##### `limits`
+
+Limits the number entries returned and/or the time spent by a request
+
+##### `mirrormode`
+
+Valid values: `true`, `false`
+
+This option puts a replica database into "mirror" mode, deprecated as of 2.5
+
+##### `multiprovider`
+
+Valid values: `true`, `false`
+
+This option puts a replica database into "multiprovider" mode
+
+##### `readonly`
+
+Puts the database into read-only mode.
+
+##### `rootdn`
+
+The distinguished name that is not subject to access control or administrative limit restrictions for operations on this database.
+
+##### `rootpw`
+
+Password (or hash of the password) for the rootdn.
+
+##### `security`
+
+The olcSecurity configuration.
+
+##### `sizelimit`
+
+Specifies the maximum number of entries to return from a search operation.
+
+##### `syncrepl`
+
+Specify the current database as a replica which is kept up-to-date with the master content by establishing the current slapd(8) as a replication consumer site running a syncrepl replication engine.
+
+##### `syncusesubentry`
+
+Store the syncrepl contextCSN in a subentry instead of the context entry of the database
+
+##### `timelimit`
+
+Specifies the maximum number of seconds (in real time) slapd will spend answering a search request.
+
+##### `updateref`
+
+This directive is only applicable in a slave slapd. It specifies the URL to return to clients which submit update requests upon the replica.
+
+#### Parameters
+
+The following parameters are available in the `openldap_database` type.
+
+* [`initdb`](#-openldap_database--initdb)
+* [`organization`](#-openldap_database--organization)
+* [`provider`](#-openldap_database--provider)
+* [`relay`](#-openldap_database--relay)
+* [`suffix`](#-openldap_database--suffix)
+* [`synctype`](#-openldap_database--synctype)
+* [`target`](#-openldap_database--target)
+
+##### `initdb`
+
+Valid values: `true`, `false`
+
+When true it initiales the database with the top object. When false, it does not create any object in the database, so
+you have to create it by other mechanism. It defaults to false when the backend is one of config, ldap, monitor or
+relay, true otherwise.
+
+##### `organization`
+
+Organization name used when initdb is true
+
+##### `provider`
+
+The specific backend to use for this `openldap_database` resource. You will seldom need to specify this --- Puppet will
+usually discover the appropriate provider for your platform.
+
+##### `relay`
+
+The relay configuration.
+
+##### `suffix`
+
+The default namevar.
+
+##### `synctype`
+
+Valid values: `inclusive`, `minimum`
+
+Whether specified dboptions should be considered the complete list (inclusive) or the minimum list (minimum) of
+dboptions the database should have. Defaults to minimum.
+
+Valid values are inclusive, minimum.
+
+Default value: `minimum`
+
+##### `target`
+
+
+### `openldap_dbindex`
+
+Manages OpenLDAP DB indexes
+
+#### Properties
+
+The following properties are available in the `openldap_dbindex` type.
+
+##### `ensure`
+
+Valid values: `present`, `absent`
+
+The basic property that the resource should be in.
+
+Default value: `present`
+
+##### `indices`
+
+The indices to maintain
+
+#### Parameters
+
+The following parameters are available in the `openldap_dbindex` type.
+
+* [`attribute`](#-openldap_dbindex--attribute)
+* [`name`](#-openldap_dbindex--name)
+* [`provider`](#-openldap_dbindex--provider)
+* [`suffix`](#-openldap_dbindex--suffix)
+* [`target`](#-openldap_dbindex--target)
+
+##### `attribute`
+
+The attribute to index
+
+Default value: `default`
+
+##### `name`
+
+namevar
+
+The default namevar
+
+##### `provider`
+
+The specific backend to use for this `openldap_dbindex` resource. You will seldom need to specify this --- Puppet will
+usually discover the appropriate provider for your platform.
+
+##### `suffix`
+
+The suffix to which the index applies
+
+##### `target`
+
+The slapd.conf file
+
+### `openldap_global_conf`
+
+The openldap_global_conf type.
+
+#### Properties
+
+The following properties are available in the `openldap_global_conf` type.
+
+##### `ensure`
+
+Valid values: `present`, `absent`
+
+The basic property that the resource should be in.
+
+Default value: `present`
+
+##### `value`
+
+
+
+#### Parameters
+
+The following parameters are available in the `openldap_global_conf` type.
+
+* [`name`](#-openldap_global_conf--name)
+* [`provider`](#-openldap_global_conf--provider)
+* [`target`](#-openldap_global_conf--target)
+
+##### `name`
+
+namevar
+
+
+##### `provider`
+
+The specific backend to use for this `openldap_global_conf` resource. You will seldom need to specify this --- Puppet
+will usually discover the appropriate provider for your platform.
+
+##### `target`
+
+
+### `openldap_module`
+
+Manages OpenLDAP modules.
+
+#### Properties
+
+The following properties are available in the `openldap_module` type.
+
+##### `ensure`
+
+Valid values: `present`, `absent`
+
+The basic property that the resource should be in.
+
+Default value: `present`
+
+#### Parameters
+
+The following parameters are available in the `openldap_module` type.
+
+* [`name`](#-openldap_module--name)
+* [`provider`](#-openldap_module--provider)
+* [`target`](#-openldap_module--target)
+
+##### `name`
+
+namevar
+
+The default namevar.
+
+##### `provider`
+
+The specific backend to use for this `openldap_module` resource. You will seldom need to specify this --- Puppet will
+usually discover the appropriate provider for your platform.
+
+##### `target`
+
+
+### `openldap_overlay`
+
+Manages OpenLDAP Overlays
+
+#### Properties
+
+The following properties are available in the `openldap_overlay` type.
+
+##### `ensure`
+
+Valid values: `present`, `absent`
+
+The basic property that the resource should be in.
+
+Default value: `present`
+
+##### `index`
+
+The index of the overlay.
+
+##### `options`
+
+Overlay options.
+
+#### Parameters
+
+The following parameters are available in the `openldap_overlay` type.
+
+* [`name`](#-openldap_overlay--name)
+* [`overlay`](#-openldap_overlay--overlay)
+* [`provider`](#-openldap_overlay--provider)
+* [`suffix`](#-openldap_overlay--suffix)
+* [`target`](#-openldap_overlay--target)
+
+##### `name`
+
+namevar
+
+The default namevar
+
+##### `overlay`
+
+The name of the overlay to apply
+
+##### `provider`
+
+The specific backend to use for this `openldap_overlay` resource. You will seldom need to specify this --- Puppet will
+usually discover the appropriate provider for your platform.
+
+##### `suffix`
+
+The suffix to which the overlay applies
+
+##### `target`
+
+The slapd.conf file
+
+### `openldap_schema`
+
+Manages OpenLDAP schemas.
+
+#### Properties
+
+The following properties are available in the `openldap_schema` type.
+
+##### `date`
+
+The modifyTimestamp of the schema.
+
+##### `ensure`
+
+Valid values: `present`, `absent`
+
+The basic property that the resource should be in.
+
+Default value: `present`
+
+##### `index`
+
+The index of the schema.
+
+#### Parameters
+
+The following parameters are available in the `openldap_schema` type.
+
+* [`name`](#-openldap_schema--name)
+* [`path`](#-openldap_schema--path)
+* [`provider`](#-openldap_schema--provider)
+
+##### `name`
+
+namevar
+
+The default namevar.
+
+##### `path`
+
+The location to the schema file.
+
+##### `provider`
+
+The specific backend to use for this `openldap_schema` resource. You will seldom need to specify this --- Puppet will
+usually discover the appropriate provider for your platform.
+
+## Functions
+
+### `openldap_password`
+
+Type: Ruby 4.x API
+
+The openldap_password function.
+
+#### `openldap_password(String $secret, Optional[Enum["CRYPT","MD5","SMD5","SSHA","SHA"]] $scheme)`
+
+The openldap_password function.
+
+Returns: `String` The hashed secret.
+
+##### `secret`
+
+Data type: `String`
+
+The secret to be hashed.
+
+##### `scheme`
+
+Data type: `Optional[Enum["CRYPT","MD5","SMD5","SSHA","SHA"]]`
+
+The optional scheme to use (defaults to SSHA).
+
+## Data types
+
+### `Openldap::Access_hash`
+
+A valid acl value for openldap::server::access_wrapper
+
+Alias of
+
+```puppet
+Hash[Openldap::Access_title, Struct[{
+ position => Optional[Variant[Integer,String[1]]],
+ what => Optional[String[1]],
+ access => Array[Openldap::Access_rule],
+ suffix => Optional[String[1]],
+ }]]
+```
+
+### `Openldap::Access_rule`
+
+A valid access rule for openldap::server::access
+
+Alias of `Pattern[/\Aby /]`
+
+### `Openldap::Access_title`
+
+A valid title for an openldap::server::access resource
+
+Alias of `Pattern[/\A\d+ on /]`
+
+### `Openldap::Attribute`
+
+An LDAP attribute in the form "key: value"
+
+Alias of `Pattern[/\A[^ ]+: [^\n]+/]`
+
+### `Openldap::Attributes`
+
+A set of LDAP attributes
+
+Alias of
+
+```puppet
+Variant[Hash[
+ String[1],
+ Variant[
+ String[1],
+ Array[
+ String[1],
+ 1,
+ ],
+ ],
+ ], Array[
+ Openldap::Attribute,
+ 1,
+ ], Openldap::Attribute]
+```
+
+### `Openldap::Tls_moznss_compatibility`
+
+The list of possible values TLS_MOZNSS_COMPATIBILITY can have (based on the man page), and an 'absent' (a puppet directive to remove an existing declaration).
+
+Alias of `Enum['on', 'true', 'yes', 'off', 'false', 'no', 'absent']`
+
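Review bot: In the `openldap_password` section, `scheme` is documented only as "defaults to SSHA" while the enum also accepts `MD5` and `SHA`, which are unsalted digests, and the function description just repeats the function's name. Please say what the function returns (a value suitable for a password attribute, if that is the intent) and mark the unsalted schemes as present for compatibility only, so that readers keep the salted default. Separately, the `target` parameter of `openldap_global_conf` and `openldap_module` has an empty description in this hunk, whereas `openldap_overlay` documents it as "The slapd.conf file"; fill those in the same way.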
diff --git a/manifests/server.pp b/manifests/server.pp
index 0a084ae4..e449bcbd 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,4 +1,10 @@
# See README.md for details.
+# @param krb5_keytab_file
+# if set, manage the env variable KRB5_KTNAME on Debian based operating systems. This is required when
+# configuring sasl with backend GSSAPI
+# @param krb5_client_keytab_file
+# if set, manage the env variable KRB5_CLIENT_KTNAME on Debian based operating systems. This is required when
+# configuring sasl with backend GSSAPI
# @param manage_policy_rc_d
# If set, manage /usr/sbin/policy-rc.d on Debian based operating systems to not automatically start the LDAP server
# when installing slapd. This is required when preseeding the package with the no_configuration flag as we have to.
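Review bot: The two new `@param` descriptions differ only in the variable name, so a reader cannot tell when to set `krb5_keytab_file` and when to set `krb5_client_keytab_file`, and both claim to be "required" for GSSAPI. Please state the purpose of each: `KRB5_KTNAME` names the keytab slapd uses to accept GSSAPI binds, `KRB5_CLIENT_KTNAME` the keytab used when slapd itself has to obtain credentials as a client. It is also worth a line that the module only exports the variable and does not manage the keytab file or its permissions, since the visible changes add no `file` resource for it.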
@@ -32,6 +38,7 @@
Optional[Stdlib::Absolutepath] $ldapi_socket_path = undef,
Optional[Boolean] $register_slp = undef,
Optional[Stdlib::Absolutepath] $krb5_keytab_file = undef,
+ Optional[Stdlib::Absolutepath] $krb5_client_keytab_file = undef,
Optional[String] $ldap_config_backend = undef,
Optional[Boolean] $enable_memory_limit = undef,
Optional[Boolean] $manage_policy_rc_d = undef,
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index 669589f9..92df2e0c 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -13,6 +13,7 @@
$ldapi_socket_path = $openldap::server::ldapi_socket_path
$register_slp = $openldap::server::register_slp
$krb5_keytab_file = $openldap::server::krb5_keytab_file
+ $krb5_client_keytab_file = $openldap::server::krb5_client_keytab_file
$ldap_config_backend = $openldap::server::ldap_config_backend
$enable_memory_limit = $openldap::server::enable_memory_limit
@@ -50,7 +51,22 @@
variable => 'SLAPD_SERVICES',
value => $slapd_ldap_urls,
}
-
+ if $krb5_keytab_file {
+ shellvar { 'krb5_ktname':
+ ensure => exported,
+ target => '/etc/default/slapd',
+ variable => 'KRB5_KTNAME',
+ value => $krb5_keytab_file,
+ }
+ }
+ if $krb5_client_keytab_file {
+ shellvar { 'krb5_client_ktname':
+ ensure => exported,
+ target => '/etc/default/slapd',
+ variable => 'KRB5_CLIENT_KTNAME',
+ value => $krb5_client_keytab_file,
+ }
+ }
# Debian configuration include database creation. We skip this with
# preseeding files so we need to manualy bootstrap cn=config (but not the
# databases).
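Review bot: Nothing in the visible lines limits the two new `shellvar` resources to Debian, although the parameter documentation says they apply to Debian based systems and the target is hard-coded to `/etc/default/slapd`. Please confirm they sit inside the Debian branch, or guard them explicitly, so that setting `krb5_keytab_file` on another OS family does not create that file. The resources also carry no `notify`, so unless a surrounding default provides one, a changed keytab path will not reach a running slapd until something else restarts it. Minor: the hunk removes the blank line that separated the `SLAPD_SERVICES` resource from the comment below, so the new blocks now run straight into both; keep a blank line before `if $krb5_keytab_file {` and after the last closing brace. The two blocks are identical apart from name, variable and value and could be generated from a small hash.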
diff --git a/spec/classes/openldap_server_config_spec.rb b/spec/classes/openldap_server_config_spec.rb
index 3bb630e9..aecc181c 100644
--- a/spec/classes/openldap_server_config_spec.rb
+++ b/spec/classes/openldap_server_config_spec.rb
@@ -17,5 +17,23 @@
it { is_expected.not_to contain_openldap__globalconf('TLSCACertificateFile') }
end
end
+
+ next if facts[:osfamily] != 'Debian'
+
+ context "on #{os} with KRB5 conf" do
+ let(:facts) do
+ facts
+ end
+
+ let(:pre_condition) do
+ "class {'openldap::server': krb5_client_keytab_file => '/etc/krb5.keytab', }"
+ end
+
+ context 'with /etc/krb5.keytab' do
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_class('openldap::server::config') }
+ it { is_expected.to contain_shellvar('krb5_client_ktname').with(value: '/etc/krb5.keytab') }
+ end
+ end
end
end
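Review bot: The new context only sets `krb5_client_keytab_file`, so the `krb5_ktname` shellvar added in `manifests/server/config.pp` has no coverage; add a case that sets `krb5_keytab_file` and expects `contain_shellvar('krb5_ktname')`. The existing expectation checks only `value`; asserting `variable: 'KRB5_CLIENT_KTNAME'`, `target: '/etc/default/slapd'` and `ensure: 'exported'` would catch a swapped variable name between the two blocks. A negative case, `is_expected.not_to contain_shellvar('krb5_client_ktname')` when the parameter is unset, would pin down the `if` guards. The inner `context 'with /etc/krb5.keytab'` adds nesting without changing any input and can be folded into its parent.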