Merge pull request Mylezeem#36 from jearls/improve-sssd-configuration

Improve sssd configuration
gothicx · Apr 6, 2016 · ad108f6 · ad108f6
2 parents 3051826 + a048ed7
commit ad108f6
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -187,6 +187,12 @@ Whether to use naming services caches
 
 Whether to automatically create user home dir on first login
 
+#### `rfc2307bis`
+
+Boolean to determine if the LDAP schema uses rfc2307 (false) or rfc2307bis (true).
+Only valid if `sssd` is true.
+If this value is `true` on a system that does not support rfc2307bis (RHEL < 6), a catalog error will be generated.
+
 ## License
 
 Apache License v2

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -119,6 +119,11 @@
 #
 #Whether to automatically create user home dir on first login
 #
+#  [*rfc2307bis*]
+#    Boolean to determine if the LDAP schema uses rfc2307 (false) or rfc2307bis (true).
+#    If this value is `true` on a system that does not support rfc2307bis, a catalog error will be generated.
+#    (Default: false)
+#
 # === Authors
 #
 # Yanis Guenane <[email protected]>
@@ -165,6 +170,7 @@
   $smartc         = false,
   $smartcaction   = false,
   $smartcrequire  = false,
+  $rfc2307bis     = false,
 ) inherits authconfig::params {
 
   case $::osfamily {
@@ -204,6 +210,8 @@
 
       if $ldaploadcacert {
         $ldaploadcacert_val = "--ldaploadcacert='${ldaploadcacert}'"
+      } else {
+        $ldaploadcacert_val = ''
       }
 
       if $ldapserver {
@@ -220,8 +228,22 @@
         default => '--disablesssdauth',
       }
 
+      if $authconfig::params::enablerfc2307bis_allowed {
+        $rfc2307bis_flg = $rfc2307bis ? {
+          true    => '--enablerfc2307bis' ,
+          default => '--disablerfc2307bis' ,
+        }
+      } elsif $rfc2307bis {
+        fail('rfc2307bis is not supported on client operating system')
+      } else {
+        $rfc2307bis_flg = ''
+      }
+
       if $::osfamily == 'RedHat' {
-        if versioncmp($::operatingsystemmajrelease, '6') >= 0 {
+# put $::operatingsystemmajrelease in quotes to force it to a string.
+# to make lint happy, the string has to have more than just the bare variable. :P
+# so compare ${::operatingsystemmajrelease}.0 against 6.0
+        if versioncmp("${::operatingsystemmajrelease}.0", '6.0') >= 0 {
           $forcelegacy_flg = $forcelegacy ? {
             true    => '--enableforcelegacy',
             default => '--disableforcelegacy',
@@ -461,7 +483,7 @@
       $extra_flags = "${preferdns_flg} ${forcelegacy_flg} ${pamaccess_flg}"
 
       $pass_flags            = "${md5_flg} ${passalgo_val} ${shadow_flg}"
-      $authconfig_flags      = "${ldap_flags} ${nis_flags} ${pass_flags} ${krb5_flags} ${winbind_flags} ${extra_flags} ${cache_flg} ${mkhomedir_flg} ${sssd_flg} ${sssdauth_flg} ${locauthorize_flg} ${sysnetauth_flg} ${smartcard_flags}"
+      $authconfig_flags      = "${ldap_flags} ${nis_flags} ${pass_flags} ${krb5_flags} ${winbind_flags} ${extra_flags} ${cache_flg} ${mkhomedir_flg} ${sssd_flg} ${sssdauth_flg} ${rfc2307bis_flg} ${locauthorize_flg} ${sysnetauth_flg} ${smartcard_flags}"
       $authconfig_update_cmd = "authconfig ${authconfig_flags} --updateall"
       $authconfig_test_cmd   = "authconfig ${authconfig_flags} --test"
       $exec_check_cmd        = "/usr/bin/test \"`${authconfig_test_cmd}`\" = \"`authconfig --test`\""
@@ -484,7 +506,23 @@
         }
       }
 
-      if $ldap {
+      if $sssd {
+        # if we're using sssd, then sssd takes care of ldap connectivity.
+        # therefore, we only need the sssd packages and services, not the
+        # ldap packages and services
+        package { $authconfig::params::sssd_packages:
+          ensure => installed,
+        }
+        # sssd services must only run after the authconfig command has set
+        # up the config.
+        service { $authconfig::params::sssd_services:
+          ensure     => running,
+          enable     => true,
+          hasstatus  => true,
+          hasrestart => true,
+          require    => Exec['authconfig command'],
+        }
+      } elsif $ldap {
         package { $authconfig::params::ldap_packages:
           ensure => installed,
         } ->

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -3,6 +3,9 @@
 
   $packages           = ['authconfig']
   $cache_packages     = ['nscd']
+  $sssd_packages      = $::operatingsystemmajrelease ? {
+    default => ['sssd', 'sssd-client']
+  }
   $ldap_packages      = $::operatingsystemmajrelease ? {
     7       => ['openldap-clients', 'nss-pam-ldapd'],
     default => ['openldap-clients', 'nss-pam-ldapd', 'pam_ldap']
@@ -17,7 +20,10 @@
   $services           = []
   $cache_services     = ['nscd']
   $ldap_services      = ['nslcd']
+  $sssd_services      = ['sssd']
 
   $smartcard_packages = [ 'nss-tools', 'nss-pam-ldapd', 'esc', 'pam_pkcs11', 'pam_krb5', 'coolkey', 'pcsc-lite-ccid', 'pcsc-lite', 'pcsc-lite-libs' ]
 
+  $enablerfc2307bis_allowed = (versioncmp("${::operatingsystemmajrelease}.0", '6.0') >= 0)
+
 }