Puppet Class: sssd

Defined in:
manifests/init.pp

Summary

Base sssd class

Overview

Installs and configures SSSD

Examples:

Declaring the class

include sssd

Parameters:

  • ensure (Enum['present', 'absent']) (defaults to: 'present')

    Whether the sssd config file should be present or absent. Setting 'absent' also stops the sssd service.

  • config (Hash) (defaults to: { 'sssd' => { 'domains' => $::domain, 'config_file_version' => 2, 'services' => ['nss', 'pam'], }, "domain/${::domain}" => { 'access_provider' => 'simple', 'simple_allow_users' => ['root'], }, })

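    Hash containing the entire SSSD config. The class renders it through the config template into the config file, which it manages as owned by root with mode 0600.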

  • sssd_package (String) (defaults to: 'sssd')

    Name of the sssd package. Only set this if your platform is not supported or you know what you're doing.

  • sssd_package_ensure (String) (defaults to: 'present')

    Sets the ensure parameter of the sssd package.

  • sssd_service (String) (defaults to: 'sssd')

    Name of the sssd service.

  • extra_packages (Array) (defaults to: [])

    Array of extra packages.

  • extra_packages_ensure (String) (defaults to: 'present')

    Value of ensure parameter for extra packages.

  • config_file (Stdlib::Absolutepath) (defaults to: '/etc/sssd/sssd.conf')

    Path to the sssd config file.

  • config_template (String) (defaults to: 'sssd/sssd.conf.erb')

    Defines the template used for the sssd config.

  • mkhomedir (Boolean) (defaults to: true)

    Whether or not to manage auto-creation of home directories on user login.

  • manage_oddjobd (Boolean) (defaults to: false)

    Whether or not to manage the oddjobd service.

  • service_ensure (Variant[Boolean, Enum['running', 'stopped']]) (defaults to: 'running')

    Whether the services should be running or stopped.

  • service_dependencies (Array) (defaults to: [])

    Array of service resource names to manage before managing sssd related services. Intended to be used to manage messagebus service to prevent Error: Could not start Service[oddjobd].

  • enable_mkhomedir_flags (Array) (defaults to: [ '--enablesssd', '--enablesssdauth', '--enablemkhomedir', ])

    Array of flags to use with authconfig to enable auto-creation of home directories.

  • disable_mkhomedir_flags (Array) (defaults to: [ '--enablesssd', '--enablesssdauth', '--disablemkhomedir', ])

    Array of flags to use with authconfig to disable auto-creation of home directories.

  • ensure_absent_flags (Array) (defaults to: [ '--disablesssd', '--disablesssdauth', ])

    Array of flags to use with authconfig when sssd is disabled (ensure set to 'absent').



# File 'manifests/init.pp', line 47

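# Installs the sssd package(s), writes sssd.conf from a template, wires SSSD
# (and optionally pam_mkhomedir) into the platform's PAM configuration, and
# manages the sssd service. Fails compilation on OS releases not listed below.
class sssd (
  Enum['present', 'absent'] $ensure = 'present',
  # Default config: a single domain named after the node's domain fact, with
  # the 'simple' access provider admitting only root.
  Hash $config = {
    'sssd'               => {
      'domains'             => $::domain,
      'config_file_version' => 2,
      'services'            => ['nss', 'pam'],
    },
    "domain/${::domain}" => {
      'access_provider'    => 'simple',
      'simple_allow_users' => ['root'],
    },
  },
  String $sssd_package = 'sssd',
  String $sssd_package_ensure = 'present',
  String $sssd_service = 'sssd',
  Array $extra_packages = [],
  String $extra_packages_ensure = 'present',
  Stdlib::Absolutepath $config_file = '/etc/sssd/sssd.conf',
  String $config_template = 'sssd/sssd.conf.erb',
  Boolean $mkhomedir = true,
  Boolean $manage_oddjobd = false,
  Variant[Boolean, Enum['running', 'stopped']] $service_ensure = 'running',
  Array $service_dependencies = [],
  Array $enable_mkhomedir_flags = [
    '--enablesssd',
    '--enablesssdauth',
    '--enablemkhomedir',
  ],
  Array $disable_mkhomedir_flags = [
    '--enablesssd',
    '--enablesssdauth',
    '--disablemkhomedir',
  ],
  Array $ensure_absent_flags = [
    '--disablesssd',
    '--disablesssdauth',
  ],
) {

  # Fail on unsupported platforms
  if ($::facts['os']['family'] == 'RedHat') and !($::facts['os']['release']['major'] in ['5', '6', '7', '25', '26']) {
    fail("osfamily RedHat's os.release.major is <${::facts['os']['release']['major']}> and must be 5, 6 or 7 for EL and 25 or 26 for Fedora.")
  }

  if $::facts['os']['family'] == 'Suse' {
    if !($::facts['os']['release']['major'] in ['11', '12']) {
      fail("osfamily Suse's os.release.major is <${::facts['os']['release']['major']}> and must be 11 or 12.")
    }
    if ($::facts['os']['release']['major'] == '11') and !($::facts['os']['release']['minor'] in ['3', '4']) {
      fail("Suse 11's os.release.minor is <${::facts['os']['release']['minor']}> and must be 3 or 4.")
    }
  }

  if ($::facts['os']['family'] == 'Debian') and !($::facts['os']['release']['major'] in ['7', '8', '14', '16']) {
    fail("osfamily Debian's os.release.major is <${::facts['os']['release']['major']}> and must be 7 or 8 for Debian and 14 or 16 for Ubuntu.")
  }

  # The package is ordered before the config file.
  ensure_packages($sssd_package,
    {
      ensure => $sssd_package_ensure,
      before => File['sssd.conf'],
    }
  )

  # An empty array is truthy in Puppet 4+, so test for emptiness explicitly.
  unless empty($extra_packages) {
    ensure_packages($extra_packages,
      {
        ensure  => $extra_packages_ensure,
        require => Package[$sssd_package],
      }
    )
  }

  if ! empty($service_dependencies) {
    # Dependencies only need ordering against oddjobd when this class
    # actually declares that service (see the block below).
    if $mkhomedir and $manage_oddjobd {
      $before = 'Service[oddjobd]'
    } else {
      $before = undef
    }

    ensure_resource('service', $service_dependencies,
      {
        ensure     => running,
        hasstatus  => true,
        hasrestart => true,
        enable     => true,
        before     => $before,
      }
    )
  }

  if $mkhomedir and $manage_oddjobd {
    ensure_resource('service', 'oddjobd',
      {
        ensure     => $service_ensure,
        enable     => true,
        hasstatus  => true,
        hasrestart => true,
      }
    )
  }

  # File resources take 'file' rather than 'present' to insist on a regular
  # file; 'absent' passes through unchanged.
  $file_ensure = $ensure ? {
    'present' => 'file',
    default   => $ensure,
  }

  # sssd.conf is kept readable by root only: it can carry credentials in
  # $config, and sssd itself rejects a config file with looser ownership or
  # permissions.
  file { 'sssd.conf':
    ensure  => $file_ensure,
    path    => $config_file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => template($config_template),
  }

  # NOTE(review): only the RedHat branch reverts its PAM changes when $ensure
  # is 'absent'; the Debian and Suse branches have no corresponding removal,
  # so the PAM configuration they applied stays in place.
  case $::facts['os']['family'] {
    'RedHat': {
      if $ensure == 'present' {
        $authconfig_flags = $mkhomedir ? {
          true  => join($enable_mkhomedir_flags, ' '),
          false => join($disable_mkhomedir_flags, ' '),
        }
      }
      else {
        $authconfig_flags = join($ensure_absent_flags, ' ')
      }

      # The flag arrays are joined unquoted into command strings, and the
      # check command relies on backtick substitution. Flag values must
      # therefore come from trusted manifest/Hiera data only.
      $authconfig_update_cmd = "/usr/sbin/authconfig ${authconfig_flags} --update"
      $authconfig_test_cmd   = "/usr/sbin/authconfig ${authconfig_flags} --test"
      # Idempotence check: if `--test` output with the flags equals the
      # current `--test` output, the flags are already in effect.
      $authconfig_check_cmd  = "/usr/bin/test \"`${authconfig_test_cmd}`\" = \"`/usr/sbin/authconfig --test`\""

      exec { 'authconfig-mkhomedir':
        command => $authconfig_update_cmd,
        unless  => $authconfig_check_cmd,
        require => File['sssd.conf'],
      }
    }
    'Debian': {
      if $mkhomedir {
        file { '/usr/share/pam-configs/pam_mkhomedir':
          ensure => 'file',
          owner  => 'root',
          group  => 'root',
          mode   => '0644',
          source => 'puppet:///modules/sssd/pam_mkhomedir',
          notify => Exec['pam-auth-update'],
        }

        # Runs only when the PAM profile file above changes.
        exec { 'pam-auth-update':
          path        => '/bin:/usr/bin:/sbin:/usr/sbin',
          refreshonly => true,
        }
      }
    }
    'Suse': {
      $pamconfig_mkhomedir_check_cmd  = '/usr/sbin/pam-config -q --mkhomedir | grep session:'
      $pamconfig_check_cmd  = '/usr/sbin/pam-config -q --sss | grep session:'

      if $mkhomedir {

        exec { 'pam-config -a --mkhomedir':
          path   => '/bin:/usr/bin:/sbin:/usr/sbin',
          unless => $pamconfig_mkhomedir_check_cmd,
        }
      }

      exec { 'pam-config -a --sss':
        path   => '/bin:/usr/bin:/sbin:/usr/sbin',
        unless => $pamconfig_check_cmd,
      }
    }
    default: { }
  }

  # Removing sssd always stops the service, whatever $service_ensure says.
  $service_ensure_real = $ensure ? {
    'absent' => 'stopped',
    default  => $service_ensure,
  }

  # Derive boot-time enablement from the effective state, so that
  # ensure => 'absent' (or a Boolean false $service_ensure) does not leave a
  # stopped service enabled at boot.
  $service_enable = $service_ensure_real ? {
    'stopped' => false,
    false     => false,
    default   => true,
  }

  # Config changes restart sssd via the subscription on the config file.
  ensure_resource('service', $sssd_service,
    {
      ensure     => $service_ensure_real,
      enable     => $service_enable,
      hasstatus  => true,
      hasrestart => true,
      subscribe  => File['sssd.conf'],
    }
  )
}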