(R)?ex the friendly automation framework



Rex-1.14.3 is now available on CPAN. It contains bug fixes for local package installation, command existence checks, and Git tests.


The Rex-1.14.2 release is now available on CPAN. It contains bug fixes for running local commands on Windows, cloning git repositories, and test suite fixes for the upcoming perl-5.38.0 release.

Call for papers TPRC 2023

Dean Hamstead from the The Perl and Raku Foundation Marketing Committee has sent an invitation to present about Rex at TPRC 2023. I’m posting it here to increase visibility.


The Rex-1.14.1 release is now available on CPAN. It contains bug fixes and documentation updates.


The Rex-1.14.0 release is now available on CPAN. It contains improved Rexfile loading, documentation updates, and bumps the minimum required Perl version to 5.12.5.


Learning automation using Rex

Ferenc Erki (FErki) will be the guest of Gábor Szabó on the next Code Maven live stream to learn about automation using Rex. Register for the free event via Code Maven or Meetup, and join the discussion!

Unexpected use cases with Rex

Unexpected use cases with Rex at the 22nd German Perl/Raku Workshop 2020 in Erlangen by Ferenc Erki (FErki).

Rex & Friends

Rex & Friends talk at the Barcelona Perl & Friends 2019 by Ferenc Erki (FErki).

» Home » Docs » Rex book » Managing datacenters and the cloud » Deploying OpenLDAP and SSSD

Deploying OpenLDAP and SSSD

OpenLDAP (http://www.openldap.org/) is an open source directory server widely used for account management. It is easy to setup and administrate. There are also some Webfrontends like http://phpldapadmin.sourceforge.net/ and https://www.ldap-account-manager.org/lamcms/.

SSSD (https://fedorahosted.org/sssd/) is the acronym for System Security Services Daemon. With its help it is possible to to authenticate your linux users against an OpenLDAP directory server with some nifty additions like offline support.


This guide is written for CentOS 6. So if you're using another distribution you might need to change some things.

Project Setup

To initialize your project you can use the rexify command to download the code and all dependencies.

rexify --init=https://github.com/RexOps/ldap-sssd-ssh-rex.git

This command will download the code and all dependencies into the folder ldap-sssd-ssh-rex.

Exploring the Rexfile

Now i will guide you through the Rexfile so that you can modify it to your needs and setup your OpenLDAP/SSSD infrastructure.

Loading all required libraries

If you open the Rexfile you'll see at the top some use commands.

use Rex -feature => ['1.0'];

This loads the base functions of Rex 1.0, so that you can use them inside the Rexfile.

use Rex::LDAP::OpenLDAP;
use Rex::LDAP::OpenLDAP::Commands;
use Rex::LDAP::OpenLDAP::UserManagement::Commands;
use Rex::LDAP::OpenLDAP::UserManagement::Client;
use Rex::LDAP::OpenLDAP::UserManagement::Server;

This loads all the LDAP functions we're going to use to setup the OpenLDAP server and the authentication on the clients.


You also need to tell Rex how it can login to your servers. Rex supports password and key authentication.

user "root";
password "box";

Here Rex is taught to login as user root with the password box. If you want to use key based authentication you can use something like this.

user "root";
private_key "/home/your-user/.ssh/id_rsa";
public_key "/home/your-user/.ssh/id_rsa.pub";

Group your server

Rex also needs to know on which server it should connect. So you can define server groups.

group server => "auth01";
group client => "auth01", "fe[01..10]";

Setup OpenLDAP

To setup OpenLDAP it is important to follow one rule. Never ever try to manage the configuration files inside /etc/openldap/slapd.d with an editor or by writing to the files directly. Sooner or later this will get you into trouble. So always use ldapmodify/ldapadd command to change things inside this directory.

With Rex you can use ldap_entry resource to manage these entries.

The default installation of OpenLDAP is not able to manage SSH Keys inside it. But there is a schema we will add to it later so that this is possible, too.

If you consider to put your OpenLDAP installation to production i recommend you to read http://www.openldap.org/doc/admin24/replication.html how to setup replication.

This tutorial also do not cover the access control management. Please read http://www.openldap.org/doc/admin24/access-control.html for more information on this topic.

In the Rexfile you'll find the task setup_server.

task "setup_server",
  group => "server",
  make {
    # we will add more code here in a bit

This task is configured to run on all servers registered in the group server.

Rex::LDAP::OpenLDAP::setup {
    ldap_admin_password         => 'admin',
    ldap_base_dn                => 'dc=rexify,dc=org',
    ldap_base_dn_admin_password => 'test',
    ldap_configure_tls          => TRUE,


First it install OpenLDAP and create a root database for you. It also configures the admin password of your LDAP server.

The second function call add_ssh_public_key will add the SSH-key schema to the OpenLDAP server, so that it is possible to add the public ssh keys into OpenLDAP.

Populating OpenLDAP

Now you have a working OpenLDAP you need to populate it with some data.

First we need to create a default folder structure inside it, so you can manage your groups and users. For this you can use the ldap_entry resource. This resource ensures that the entry exists and has the options set that are defined.

ldap_entry "ou=People,dc=rexify,dc=org",
  ensure      => 'present',
  objectClass => [ 'top', 'organizationalUnit' ],
  ou          => 'People';

ldap_entry "ou=Groups,dc=rexify,dc=org",
  ensure      => 'present',
  objectClass => [ 'top', 'organizationalUnit' ],
  ou          => 'Groups';

ldap_entry "ou=Services,dc=rexify,dc=org",
  ensure      => 'present',
  objectClass => [ 'top', 'organizationalUnit' ],
  ou          => 'Services';

This code creates 3 folders (the LDAP name for such a folder is organizationalUnit, hence the acronym ou). One for the user accounts ou=People,dc=rexify,dc=org, one for the groups ou=Groups,dc=rexify,dc=org and one for special service accounts ou=Services,dc=rexify,dc=org.

You can create you own structure this is just an example.

Then you need to create a service user for sssd. SSSD use this user to search the LDAP database to find the user that tries to login.

ldap_account "sssd",
  ensure        => 'present',
  dn            => 'ou=Services,dc=rexify,dc=org',
  givenName     => 'SSSD',
  sn            => 'Service User',
  uidNumber     => '4000',
  gidNumber     => 0,
  loginShell    => '/bin/false',
  homeDirectory => '/tmp',
  userPassword  => 'abcdef';

Now lets create a sample group and user.

ldap_group "ldapusers",
  ensure    => 'present',
  dn        => 'ou=Groups,dc=rexify,dc=org',
  gidNumber => 3000;

ldap_account "sampleuser",
  ensure        => 'present',
  dn            => 'ou=People,dc=rexify,dc=org',
  givenName     => 'SampleUser',
  sn            => 'Surename',
  uidNumber     => 5000,
  gidNumber     => 3000,
  homeDirectory => '/home/sampleuser',
  loginShell    => '/bin/bash',
  mail          => 'sample.user@gmail.com',
  userPassword  => '{CRYPT}vPYgtKD.j9iL2',
  sshPublicKey  => 'ssh-rsa AAAAB3NzaC1y...',
  groups        => ['cn=ldapusers,ou=Groups,dc=rexify,dc=org'];

This will create a group names ldapusers inside the organizational unit (ou) ou=Groups,dc=rexify,dc=org and a user sampleuser inside ou=People,dc=rexify,dc=org. You can create the crypted password string with the tool slapdpasswd.
Setup SSSD

Now, after you have setup OpenLDAP it is time to setup SSSD. For this there is a task setup_client inside the Rexfile.

task "setup_client",
  group => "client",
  make {
    # we will add more code here in a bit

This task is configured to run on all servers inside the group client.

Rex::LDAP::OpenLDAP::UserManagement::Client::setup {
    ldap_base_dn       => 'dc=rexify,dc=org',
    ldap_uri           => 'ldaps://',
    ldap_bind_dn       => 'cn=sssd,ou=Services,dc=rexify,dc=org',
    ldap_bind_password => 'abcdef',
    ldap_base_user_dn  => 'ou=People,dc=rexify,dc=org',
    ldap_base_group_dn => 'ou=Groups,dc=rexify,dc=org',
    configure_ssh_ldap => TRUE,

Setup SSHD

Since a few versions SSHd supports the execution of an external executable on connection. This is done with the AuthorizedKeysCommand option. If you use the configure_ssh_ldap option on client setup it will upload a script that queries the LDAP server for the ssh key of the user that wants to login.

The configuration of this script can be done in the file /etc/ssh/pubkey.yaml. The Rex::LDAP::OpenLDAP::UserManagement::Client::setup task automatically creates the right configuration for you.

host: 'dc=rexify,dc=org'
bind_dn: 'cn=sssd,ou=Services,dc=rexify,dc=org'
bind_pw: 'abcdef'
base_dn: 'dc=rexify,dc=org'
filter: (&(uid={{LOGIN_NAME}})(objectClass=posixAccount))
#        verify: optional
#        cafile: /etc/openldap/certs/cacert.pem

Proudly powered by Perl and built with Statocles

GitHub repository and discussions / Chat on Matrix and IRC / Mailing list on Google Groups (retired: rex-users@freelists)

MetaCPAN / Twitter / StackShare / Server Fault   -.ô.-   Disclaimer