# File 'modules/ldap/manifests/client/sssd.pp', line 5
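# Configures an sssd-based LDAP client: installs the sssd/NSS/PAM packages,
# writes /etc/ldap.yaml, /etc/nsswitch.conf, /etc/sssd/sssd.conf and
# /etc/ldap.conf, wires service restarts, and removes the legacy nscd/nslcd/
# sudo-ldap stack so it cannot compete with sssd.
#
# @param servers      LDAP servers written to /etc/ldap.yaml (and presumably
#                     to the sssd.conf/ldap.conf templates - confirm in the .erb).
# @param base_dn      Base DN; also used to derive the proxyagent bind DN.
# @param proxy_pass   Bind password of the proxyagent account. Stored in clear
#                     in /etc/ldap.yaml, so that file is credential-bearing.
# @param sudo_base_dn Not referenced in this body; presumably consumed by the
#                     sssd.conf.erb template.
# @param page_size    Not referenced in this body; presumably consumed by the
#                     sssd.conf.erb template.
# @param ca_file      Not referenced in this body; presumably consumed by the
#                     sssd.conf.erb/ldap.conf.erb templates.
class ldap::client::sssd (
  Array[Stdlib::Fqdn] $servers,
  String[1]           $base_dn,
  String[1]           $proxy_pass,
  String[1]           $sudo_base_dn,
  Integer             $page_size,
  String[1]           $ca_file,
) {
  # This provides the /etc/ldap.yaml file, which is used to look up
  # ssh keys. We could switch at some point to a native sssd mechanism
  # for that, but meanwhile...
  $yaml_data = {
    'servers'  => $servers,
    'basedn'   => $base_dn,
    'user'     => "cn=proxyagent,ou=profile,${base_dn}",
    'password' => $proxy_pass,
  }
  file { '/etc/ldap.yaml':
    ensure    => file,
    content   => to_yaml($yaml_data),
    # The content carries the proxyagent password: suppress the content
    # diff so it never lands in agent logs or reports when it changes.
    show_diff => false,
    # NOTE(review): no owner/group/mode is declared, so the file is created
    # with the agent's default permissions (typically 0644) and the password
    # is readable by every local account. Tighten the mode to the user that
    # actually reads it for ssh key lookup once that consumer is confirmed.
  }

  $packages_present = [
    'libpam-sss',
    'libnss-sss',
    'libsss-sudo',
    'sssd',
  ]
  $services = [
    'nss',
    'pam',
    'ssh',
    'sudo',
  ]

  # On bullseye and later the responder services are socket activated, so
  # there is no need to duplicate them in the sssd config itself.
  $socket_activation = debian::codename::ge('bullseye')
  if $socket_activation {
    $service_notify = ['sssd'] + $services.map |String $x| { "sssd-${x}" }
  } else {
    # Trixie has the other units marked as dependencies; if we try to
    # explicitly notify them puppet complains about 'may be requested by
    # dependency only'.
    $service_notify = ['sssd']
  }

  # mkhomedir is not enabled automatically; activate it if needed.
  exec { 'pam-auth-enable-mkhomedir':
    command => '/usr/sbin/pam-auth-update --force --enable mkhomedir',
    unless  => '/bin/grep pam_mkhomedir.so /etc/pam.d/common-session',
    require => Package['sssd', 'libpam-sss'],
  }

  package { $packages_present:
    ensure => 'present',
  }

  file { '/etc/nsswitch.conf':
    ensure  => 'present',
    content => file('ldap/nsswitch-sssd.conf'),
  }

  if debian::codename::le('bookworm') {
    # sssd on bookworm crashes if the mode isn't 0600.
    $sssd_conf_mode = '0600'
  } else {
    # Trixie's sssd changes the perms on startup (the original note says
    # "6400", most likely meaning 0640), which makes it war with puppet
    # unless we declare the same mode.
    $sssd_conf_mode = '0640'
  }

  file { '/etc/sssd/sssd.conf':
    ensure  => 'present',
    owner   => 'root',
    group   => 'root',
    mode    => $sssd_conf_mode,
    content => template('ldap/sssd.conf.erb'),
    notify  => Service[$service_notify],
    require => Package['sssd'],
  }

  if $socket_activation {
    $services.each |String $x| {
      # We declare these services to exist so that they can be restarted on
      # config changes, but not to start or be enabled, as the socket units
      # will take care of that during normal operations.
      service { "sssd-${x}": }
      # And just to be sure, we ensure that the socket unit is enabled.
      service { "sssd-${x}.socket":
        enable => true,
      }
    }
    systemd::override { 'sssd-nss-auto-restart':
      unit   => 'sssd-nss.service',
      source => 'puppet:///modules/ldap/client/sssd/sssd-nss-auto-restart.override.service',
    }
  }

  service { 'sssd':
    ensure => 'running',
  }

  file { '/etc/ldap.conf':
    content => template('ldap/ldap.conf.erb'),
  }

  #
  # start of avoid confusions section: remove the legacy resolvers so they
  # cannot shadow sssd in nsswitch/sudo.
  $packages_absent = [
    'nscd',
    'nslcd',
    'sudo-ldap',
  ]
  package { $packages_absent:
    ensure => 'absent',
  }
  $files_absent = [
    '/etc/nscd.conf',
    '/etc/nslcd.conf',
    '/etc/sudo-ldap.conf',
  ]
  file { $files_absent:
    ensure => 'absent',
  }
  # end of avoid confusions section
  #
}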