pe_ldap_config task is incompatible with PE2023.8.0 #498

Open
vchepkov opened this issue Sep 12, 2024 · 8 comments

Comments

@vchepkov
Contributor

API method GET /v1/ds has been removed and it's impossible to configure LDAP server now:

https://github.com/puppetlabs/puppetlabs-peadm/blob/main/tasks/pe_ldap_config.rb#L34

@bastelfreak
Collaborator

It would be great if Puppet could finally adopt https://github.com/abuxton/puppet_ds. It's hard to explain to users why an automation company doesn't offer a way to configure their own software in an automated way. The task in PEADM has the problem that we cannot use it to continuously enforce the state. I would prefer it if Perforce would update the puppet_ds module and use it in PEADM.

@bastelfreak
Collaborator

Raised support ticket 01286074 for this

@ragingra
Member

Hey @vchepkov, thanks for raising the issue!

I've raised a PR to cover install or an initial LDAP config. The functionality isn't completely the same as the old, as it doesn't cover update or deleting. I am a little unsure on the workflow and how you might have used the original. If you are able to give any detail around it, then we can understand if we're fixing your issue.

#515

@bastelfreak This might be a little out of scope for this ticket and require input from @GSPatton

@bastelfreak
Collaborator

bastelfreak commented Oct 21, 2024

@GSPatton ping? :)

Edit:

@ragingra none of my customers used the LDAP functionality in PEADM, all of them rely on https://github.com/abuxton/puppet_ds.

@GSPatton

@bastelfreak thanks for this suggestion. How many customers, roughly, use https://github.com/abuxton/puppet_ds? Could you give a quick overview of how using this module is preferred to managing LDAP using PEADM? What is lacking in PEADM that this module solves?

My initial thoughts are that adopting another module may be out of the current scope as it would introduce additional maintenance overhead and our team's resources are already quite limited. Although I am very interested in how our users are managing LDAP in PE and how we can align with those use cases.

@vchepkov
Contributor Author

@ragingra, the goal is configuring LDAP during infrastructure provisioning.
We have used the puppet_ds module before, but changes to the API made it incompatible.

@bastelfreak
Collaborator

@GSPatton long before PEADM existed, PE was around and people had a need to automate it. None of the PE environments I saw in the past years had a manual configuration. People want to automate Puppet Enterprise with Puppet. This is usually done via three modules:

Until a few months ago, none of those modules were officially supported by Puppet. The node_manager module was adopted by the content team, which is a great step forwards. All of those modules were also recommended by various PSEs at Puppet (the rbac module is even written by them).

While a task for LDAP configuration in PEADM is okay for the initial provisioning for PEADM, it solves only half of the problems. As mentioned above, people want to continuously enforce their configuration with Puppet. That doesn't work with a task, only with Puppet Code. And because Puppet ignored that in the past years, the community came up with https://github.com/abuxton/puppet_ds. I would highly appreciate it if Puppet would invest in that module and use it in PEADM instead of having a separate task in PEADM.

> How many customers, roughly, use https://github.com/abuxton/puppet_ds?

This is hard to measure. The majority of customers I interact with have a short contract for a day or week, just to assist with their PE upgrade or a specific module development or performance problems or similar stuff. But I can say that I've been active in the Puppet ecosystem for years and I haven't seen a single PE install that, if LDAP is used, didn't rely on https://github.com/abuxton/puppet_ds. This makes it easy for customers to enforce and change LDAP settings.

@bastelfreak
Collaborator

@GSPatton do you have an update here?
