chain overlay not supported

[nickurbanik]

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 6.3.0
• Ruby: 3.3.4
• Distribution: CentOS 7
• Module version: HEAD

How to reproduce (e.g Puppet code you use)

profiles::openldap::overlay:
    chain on ou=my-suffix:
        ensure: present
        options:
            olcChainReturnError: 'TRUE'

What are you seeing

Error: Could not prefetch openldap_database provider 'olc': No resource and no name in property hash in olc instance
Error: Failed to apply catalog: No resource and no name in property hash in olc instance

What behaviour did you expect instead

I expected this entry to be made in cn=config:

dn: olcOverlay={6}chain,olcDatabase={3}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {6}chain
olcChainReturnError: TRUE

Any additional information you'd like to impart

https://github.com/voxpupuli/puppet-openldap/blob/master/lib/puppet/provider/openldap_overlay/olc.rb does not include the chain overlay, with objectClass olcChainConfig.

The chain overlay differs from other overlays in that it is built into the ldap backend, and is not a separate module. The OpenLDAP 2.6.8 code includes https://git.openldap.org/openldap/openldap/-/blob/master/tests/scripts/test022-ppolicy, which specifies two LDAP entries to implement the chain overlay:

dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDBURI: $URI1
olcDbIDAssertBind: bindmethod=simple
  binddn="cn=manager,dc=example,dc=com"
  credentials=secret
  mode=self

• Please may we have support for the chain overlay (essential with ppolicy and where users interact with replicas)
• How do we represent the second LDAP entry in our puppet manifest/YAML?