Puppet Class: ldap::client::sssd

Defined in:
modules/ldap/manifests/client/sssd.pp

Overview

Parameters:

  • servers (Array[Stdlib::Fqdn]) — LDAP servers; written to the `servers` key of /etc/ldap.yaml
  • base_dn (String[1]) — search base; also used to build the bind DN cn=proxyagent,ou=profile,<base_dn>
  • proxy_pass (String[1]) — bind password for that proxyagent account, written in cleartext to /etc/ldap.yaml
  • sudo_base_dn (String[1]) — not referenced in the manifest body; presumably consumed by the ERB templates (not shown here)
  • page_size (Integer) — not referenced in the manifest body; presumably consumed by the ERB templates (not shown here)
  • ca_file (String[1]) — not referenced in the manifest body; presumably consumed by the ERB templates (not shown here)


# File 'modules/ldap/manifests/client/sssd.pp', line 5

# Configure an LDAP client backed by sssd (nss, pam, ssh and sudo responders)
# and write the legacy /etc/ldap.yaml consumed by the ssh key lookup.
#
# @param servers       LDAP servers; written to the 'servers' key of /etc/ldap.yaml
#                      (class variables are also visible to the ERB templates below).
# @param base_dn       Search base; also used to build the proxyagent bind DN.
# @param proxy_pass    Bind password for cn=proxyagent,ou=profile,<base_dn>.
#                      Written in cleartext to /etc/ldap.yaml.
# @param sudo_base_dn  Not referenced in the manifest body; presumably consumed
#                      by the ERB templates (not shown here).
# @param page_size     Not referenced in the manifest body; presumably consumed
#                      by the ERB templates (not shown here).
# @param ca_file       Not referenced in the manifest body; presumably consumed
#                      by the ERB templates (not shown here).
class ldap::client::sssd (
    Array[Stdlib::Fqdn] $servers,
    String[1]           $base_dn,
    String[1]           $proxy_pass,
    String[1]           $sudo_base_dn,
    Integer             $page_size,
    String[1]           $ca_file,
) {
    # this provides the /etc/ldap.yaml file, which is used to
    # lookup for sshkeys. We could switch at some point to a native
    # sssd mechanism for that, but meanwhile...
    $yaml_data = {
        'servers'  => $servers,
        'basedn'   => $base_dn,
        'user'     => "cn=proxyagent,ou=profile,${base_dn}",
        'password' => $proxy_pass,
    }
    # NOTE(review): this file carries the proxyagent bind password in cleartext
    # but declares no owner/group/mode, so it is created with whatever the agent's
    # umask yields (typically world-readable). It should be restricted the same way
    # /etc/sssd/sssd.conf is below. Before tightening it, confirm which account runs
    # the ssh key lookup (root, or a dedicated AuthorizedKeysCommandUser) so that
    # reader keeps access, e.g. via group ownership and mode 0640.
    file { '/etc/ldap.yaml':
        ensure  => file,
        content => to_yaml($yaml_data),
    }

    $packages_present = [
        'libpam-sss',
        'libnss-sss',
        'libsss-sudo',
        'sssd',
    ]

    # Responder names; each maps to an sssd-<name> service/socket unit.
    $services = [
        'nss',
        'pam',
        'ssh',
        'sudo',
    ]

    # On bullseye, the services are started by socket, so there's no need to duplicate them in the sssd config itself.
    # True on bullseye or any newer codename.
    $socket_activation = debian::codename::ge('bullseye')

    # With socket activation the per-responder units are separate services and
    # must be restarted on config changes too; otherwise restarting sssd suffices.
    if $socket_activation {
        $service_notify = ['sssd'] + $services.map |String $x| { "sssd-${x}" }
    } else {
        $service_notify = ['sssd']
    }

    # mkhomedir is not enabled automatically; activate it if needed
    # The 'unless' treats any mention of pam_mkhomedir.so in common-session
    # (including a commented-out one) as "already enabled".
    exec { 'pam-auth-enable-mkhomedir':
        command => '/usr/sbin/pam-auth-update --force --enable mkhomedir',
        unless  => '/bin/grep pam_mkhomedir.so /etc/pam.d/common-session',
        require => Package['sssd', 'libpam-sss'],
    }

    package { $packages_present:
        ensure => 'present',
    }

    # Static nsswitch.conf pointing lookups at sss (shipped with the module).
    file { '/etc/nsswitch.conf':
        ensure  => 'present',
        content => file('ldap/nsswitch-sssd.conf'),
    }

    # sssd.conf may contain bind credentials; keep it root-only (0600) and
    # restart the responder units whenever it changes.
    file { '/etc/sssd/sssd.conf':
        ensure  => 'present',
        owner   => 'root',
        group   => 'root',
        mode    => '0600',
        content => template('ldap/sssd.conf.erb'),
        notify  => Service[$service_notify],
        require => Package['sssd'],
    }

    if $socket_activation {
        $services.each |String $x| {
            # We declare these services to exist so that they can be restarted on config changes,
            # but not to start or be enabled as the socket units will take care of that during
            # normal operations.
            service { "sssd-${x}": }

            # And just to be sure, we ensure that the socket unit is enabled.
            service { "sssd-${x}.socket":
                enable => true,
            }
        }

        # Drop-in override for sssd-nss.service (contents live in the module's files/).
        systemd::override { 'sssd-nss-auto-restart':
            unit   => 'sssd-nss.service',
            source => 'puppet:///modules/ldap/client/sssd/sssd-nss-auto-restart.override.service',
        }
    }

    # Only 'ensure => running' is managed here; boot-time enablement is left as-is.
    service { 'sssd':
        ensure => 'running',
    }

    # NOTE(review): no owner/group/mode is declared here either. That is fine as
    # long as ldap.conf.erb holds no bind credentials — confirm against the template.
    file { '/etc/ldap.conf':
        content => template('ldap/ldap.conf.erb'),
    }

    #
    # start of avoid confusions section
    # Remove the nscd/nslcd/sudo-ldap stack so it cannot compete with sssd for
    # NSS and sudo lookups.
    $packages_absent = [
        'nscd',
        'nslcd',
        'sudo-ldap',
    ]

    package { $packages_absent:
        ensure => 'absent',
    }

    $files_absent = [
        '/etc/nscd.conf',
        '/etc/nslcd.conf',
        '/etc/sudo-ldap.conf',
    ]

    file { $files_absent:
        ensure => 'absent',
    }
    # end of avoid confusions section
    #
}