# File 'modules/ldap/manifests/client/sssd.pp', line 5
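# @summary Configure a host as an sssd-based LDAP client.
#
# Installs the sssd packages, manages /etc/sssd/sssd.conf and the
# /etc/ldap.yaml credentials file, points nsswitch at sss, enables
# pam_mkhomedir, and removes the legacy nscd/nslcd/sudo-ldap stack so the
# two mechanisms cannot run side by side.
#
# @param servers      LDAP servers written to /etc/ldap.yaml (and, presumably,
#                     used by the sssd.conf template).
# @param base_dn      Search base; also used to derive the proxyagent bind DN.
# @param proxy_pass   Password of the proxyagent bind user. It is written to
#                     disk, so the files that carry it are managed as secrets.
# @param sudo_base_dn Not referenced directly here; presumably consumed by the
#                     sssd.conf template.
# @param page_size    Not referenced directly here; presumably consumed by the
#                     sssd.conf template.
# @param ca_file      Not referenced directly here; presumably consumed by the
#                     sssd.conf template.
class ldap::client::sssd (
  Array[Stdlib::Fqdn] $servers,
  String[1]           $base_dn,
  String[1]           $proxy_pass,
  String[1]           $sudo_base_dn,
  Integer             $page_size,
  String[1]           $ca_file,
) {
  # /etc/ldap.yaml is used to look up SSH keys. We could switch at some
  # point to a native sssd mechanism for that, but meanwhile... It embeds
  # the proxyagent password, so it is handled as a secret below.
  $yaml_data = {
    'servers'  => $servers,
    'basedn'   => $base_dn,
    'user'     => "cn=proxyagent,ou=profile,${base_dn}",
    'password' => $proxy_pass,
  }
  file { '/etc/ldap.yaml':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    # NOTE(review): no mode was managed before, so a freshly created file kept
    # its umask-derived (typically world-readable) mode despite holding a
    # password. 0600 matches sssd.conf; if the SSH-key lookup runs as an
    # unprivileged user this must become 0640 plus that user's group -- confirm
    # against that consumer before rolling out.
    mode      => '0600',
    # Keep the password out of agent output and reports when the content changes.
    show_diff => false,
    content   => to_yaml($yaml_data),
  }

  $packages_present = ['libpam-sss', 'libnss-sss', 'libsss-sudo', 'sssd']
  $services         = ['nss', 'pam', 'ssh', 'sudo']

  # On bullseye and later the responder services are started by socket, so
  # there is no need to duplicate them in the sssd config itself; they only
  # need to be restarted when the config changes.
  $socket_activation = debian::codename::ge('bullseye')
  if $socket_activation {
    $service_notify = ['sssd'] + $services.map |String $x| { "sssd-${x}" }
  } else {
    $service_notify = ['sssd']
  }

  package { $packages_present:
    ensure => 'present',
  }

  # mkhomedir is not enabled automatically; activate it if needed.
  exec { 'pam-auth-enable-mkhomedir':
    command => '/usr/sbin/pam-auth-update --force --enable mkhomedir',
    unless  => '/bin/grep pam_mkhomedir.so /etc/pam.d/common-session',
    require => Package['sssd', 'libpam-sss'],
  }

  file { '/etc/nsswitch.conf':
    ensure  => 'present',
    content => file('ldap/nsswitch-sssd.conf'),
  }

  # sssd.conf is already kept root-only (0600); the template is not visible
  # here but presumably carries the bind credentials, so its diff is kept out
  # of reports as well.
  file { '/etc/sssd/sssd.conf':
    ensure    => 'present',
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    show_diff => false,
    content   => template('ldap/sssd.conf.erb'),
    notify    => Service[$service_notify],
    require   => Package['sssd'],
  }

  if $socket_activation {
    $services.each |String $x| {
      # We declare these services to exist so that they can be restarted on
      # config changes, but not to start or be enabled, as the socket units
      # take care of that during normal operations.
      service { "sssd-${x}": }
      # And just to be sure, we ensure that the socket unit is enabled.
      service { "sssd-${x}.socket":
        enable => true,
      }
    }
    systemd::override { 'sssd-nss-auto-restart':
      unit   => 'sssd-nss.service',
      source => 'puppet:///modules/ldap/client/sssd/sssd-nss-auto-restart.override.service',
    }
  }

  service { 'sssd':
    ensure => 'running',
  }

  file { '/etc/ldap.conf':
    # ensure was implicit before; made explicit for consistency with the other files.
    ensure  => file,
    content => template('ldap/ldap.conf.erb'),
  }

  #
  # start of avoid confusions section: the legacy nscd/nslcd/sudo-ldap stack
  # must not coexist with sssd, so remove it together with its config files.
  $packages_absent = ['nscd', 'nslcd', 'sudo-ldap']
  package { $packages_absent:
    ensure => 'absent',
  }
  $files_absent = ['/etc/nscd.conf', '/etc/nslcd.conf', '/etc/sudo-ldap.conf']
  file { $files_absent:
    ensure => 'absent',
  }
  # end of avoid confusions section
  #
}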