control-repo/site-modules/profile/manifests/sssd.pp
Bill Glick 0e9d96eee7
ASDPLNG-54: Review puppet-profile_allow_ssh_from_bastion
Add basic sssd data for NCSA
Set up common NCSA settings for SSSD
Set up sssd debug_level
Add profile hiera data
enable and include profile_allow_ssh_from_bastion
enable ncsa/sshd
added groups for allow_ssh_from_bastion to control repo
Remove simple_allow_groups from default sssd and let ssh add them
Add default bastion_nodelist to control repo
Upgrade concat module
include ::pam_access
point to latest tag of profile_pam_access
point profile_pam_access to topic branch
Update to ncsa/sshd v0.3.0
Update profile_allow_ssh_from_bastion to v0.2.0
Update profile_pam_access to v0.0.4
2021-02-15 12:24:50 -06:00

# Configure SSSD for use with LDAP and Kerberos
#
# @summary Configure SSSD for use with LDAP and Kerberos
# Requires ncsa/sssd and bodgit/sssd as a dependency.
#
# @example
#   include profile::sssd
class profile::sssd (
  # PARAMETERS: general
  Boolean       $enablemkhomedir,
  Array[String] $authconfig_pkgs,
  #String $cacert-content,
  #String $cacert-file-path,
) {

  # INSTALL INCOMMON ROOT CA
  # TODO - make this a parameter, then use a hiera interpolation lookup in hiera
  #file { ${cacert-file-path} :
  #  content => "${cacert-content}",
  #  mode    => '0444',
  #  before  => Service['sssd'],
  #}

  include ::sssd

  # ENABLE MKHOMEDIR (create homedir on first login)
  ensure_packages( $authconfig_pkgs )

  # create appropriate args
  if $enablemkhomedir {
    $authconfig_args = ['--enablemkhomedir', '--enablesssd', '--enablesssdauth']
  }
  else {
    $authconfig_args = ['--disablemkhomedir', '--enablesssd', '--enablesssdauth']
  }
  $authconfig_args_f = join($authconfig_args, ' ')

  # run authconfig
  exec { 'enablesssdauth':
    path    => '/bin/:/sbin/:/usr/bin/:/usr/sbin/',
    onlyif  => 'test `grep -i "SSSD" /etc/sysconfig/authconfig | grep "=yes" | wc -l` -lt 2',
    command => "authconfig ${authconfig_args_f} --updateall",  # should we just be using '--update'?
  }

  # ENSURE SSSD SERVICE IS RESTARTED IF/WHEN ANY KRB5 CFG FILES CHANGE
  #  $krb_cfgfile_data = lookup( 'system_authnz::kerberos::cfg_file_settings',
  #                              Hash,
  #                              'hash' )
  #  # setup a "notify" relationship from filename to service
  #  $krb_cfgfile_data.each() | $filename, $junk | {
  #    File[ $filename ] ~> Class[ '::sssd::service' ]
  #  }

}
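The `onlyif` guard on the `enablesssdauth` exec decides on every Puppet run whether `authconfig` is invoked again, so it is worth checking what it actually counts. The shell function below is an added example, not code from the control repo: it reproduces the guard's logic with the authconfig file path as an argument (the real exec reads /etc/sysconfig/authconfig), and `make_sample`/`make_partial_sample` write constructed sample files so the check can be exercised without touching the host.

```sh
#!/bin/sh
# Added example (not from the control repo): the idempotency guard used by the
# 'enablesssdauth' exec, as a function that takes the file path as an argument.
#
# Mirrors: test `grep -i "SSSD" FILE | grep "=yes" | wc -l` -lt 2
# Returns 0 (true) when authconfig still needs to run, i.e. fewer than two
# SSSD-related settings are "=yes". Any line containing "sssd" (case-insensitive)
# and "=yes" counts, which is what the Puppet guard does as well.
sssd_auth_needs_update() {
    file="$1"
    # A missing file means authconfig has never written its state: run it.
    [ -r "$file" ] || return 0
    # grep -c exits 1 when it counts zero matches; keep the "0" it prints.
    count=$(grep -i "SSSD" "$file" | grep -c "=yes" || true)
    [ "$count" -lt 2 ]
}

# Constructed sample: a host where both SSSD switches are already enabled.
# Prints the path of the temporary file it wrote.
make_sample() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
USESSSD=yes
USESSSDAUTH=yes
USEMKHOMEDIR=no
EOF
    printf '%s\n' "$tmp"
}

# Constructed sample: only USESSSD is enabled, so the guard should fire.
make_partial_sample() {
    tmp=$(mktemp)
    printf 'USESSSD=yes\nUSESSSDAUTH=no\n' > "$tmp"
    printf '%s\n' "$tmp"
}
```

Running the function against a copy of a real host's /etc/sysconfig/authconfig shows whether the exec would be skipped or re-run on the next agent run.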