From 655c32d0cb7e56f4d8c630c7495fb5ed2af0419c Mon Sep 17 00:00:00 2001
From: Johnson Earls
Date: Fri, 25 Mar 2016 03:59:01 +0000
Subject: [PATCH 1/3] Fix the versioncmp issue that is causing travis builds to fail
---
 manifests/init.pp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 656d040..d0686de 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -221,7 +221,10 @@
 }
 if $::osfamily == 'RedHat' {
- if versioncmp($::operatingsystemmajrelease, '6') >= 0 {
+# put $::operatingsystemmajrelease in quotes to force it to a string.
+# to make lint happy, the string has to have more than just the bare variable. :P
+# so compare ${::operatingsystemmajrelease}.0 against 6.0
+ if versioncmp("${::operatingsystemmajrelease}.0", '6.0') >= 0 {
 $forcelegacy_flg = $forcelegacy ? {
 true => '--enableforcelegacy',
 default => '--disableforcelegacy',
From 544f58930b52a8f1918f07931697c91c21b0a8fa Mon Sep 17 00:00:00 2001
From: Johnson Earls
Date: Fri, 25 Mar 2016 04:23:39 +0000
Subject: [PATCH 2/3] define empty ldaploadcacert_val if not using ldaploadcacert
---
 manifests/init.pp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/manifests/init.pp b/manifests/init.pp
index d0686de..dab0a98 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -204,6 +204,8 @@
 if $ldaploadcacert {
 $ldaploadcacert_val = "--ldaploadcacert='${ldaploadcacert}'"
+ } else {
+ $ldaploadcacert_val = ''
 }
 if $ldapserver {
From a048ed7aeb8857f236459ef13fea2d8c99a663f6 Mon Sep 17 00:00:00 2001
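Review bot: The three new comment lines sit at column 0 inside the `if $::osfamily == 'RedHat'` block while the `if versioncmp(...)` they describe is indented; indenting them with the code keeps the block readable and avoids a later puppet-lint indentation complaint. The comment explains the lint workaround but not the underlying reason, which I take to be that the fact can arrive as a number rather than a string and `versioncmp` wants strings on both sides — a first line such as `# $::operatingsystemmajrelease may be a number; force a string for versioncmp` would say that. Patch 3 computes the same `versioncmp("${::operatingsystemmajrelease}.0", '6.0')` in manifests/params.pp as `$enablerfc2307bis_allowed`, so init.pp could read that value instead of duplicating the expression. The enclosing `if` block continues outside the hunk.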
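Review bot: `$ldaploadcacert_val` wraps the parameter in single quotes inside a string that, judging by `$authconfig_update_cmd` and `$exec_check_cmd` in patch 3, ends up in a shell command run by `exec`; a value containing a quote or other shell metacharacter would break out of that quoting, so the parameter should be checked as a plain absolute path before it is interpolated, e.g. `validate_absolute_path($ldaploadcacert)` if the module already depends on stdlib, otherwise an anchored regex match. The new `else` branch is fine as far as it goes; it presumably exists so that the later interpolation of `${ldaploadcacert_val}` no longer references an unset variable. The enclosing class body continues outside the hunk.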
From: Johnson Earls
Date: Fri, 25 Mar 2016 04:14:13 +0000
Subject: [PATCH 3/3] improve sssd configuration
* add ability to configure the rfc2307bis sssd option
* if sssd enabled, install sssd packages if necessary
* if sssd enabled, ensure sssd services are running *after* authconfig runs
* if sssd enabled, do not install ldap packages or start ldap services
---
 README.md | 6 ++++++
 manifests/init.pp | 37 +++++++++++++++++++++++++++++++++++--
 manifests/params.pp | 6 ++++++
 3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 5c31475..283ec4a 100644
--- a/README.md
+++ b/README.md
@@ -187,6 +187,12 @@ Whether to use naming services caches
 Whether to automatically create user home dir on first login
+#### `rfc2307bis`
+
+Boolean to determine if the LDAP schema uses rfc2307 (false) or rfc2307bis (true).
+Only valid if `sssd` is true.
+If this value is `true` on a system that does not support rfc2307bis (RHEL < 6), a catalog error will be generated.
+
 ## License
 Apache License v2
diff --git a/manifests/init.pp b/manifests/init.pp
index dab0a98..c9a1fea 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -119,6 +119,11 @@
 #
 #Whether to automatically create user home dir on first login
 #
+# [*rfc2307bis*]
+# Boolean to determine if the LDAP schema uses rfc2307 (false) or rfc2307bis (true).
+# If this value is `true` on a system that does not support rfc2307bis, a catalog error will be generated.
+# (Default: false)
+#
+#
 # === Authors
 #
 # Yanis Guenane
@@ -165,6 +170,7 @@
 $smartc = false,
 $smartcaction = false,
 $smartcrequire = false,
+ $rfc2307bis = false,
 ) inherits authconfig::params {
 case $::osfamily {
@@ -222,6 +228,17 @@
 default => '--disablesssdauth',
 }
+ if $authconfig::params::enablerfc2307bis_allowed {
+ $rfc2307bis_flg = $rfc2307bis ? {
+ true => '--enablerfc2307bis' ,
+ default => '--disablerfc2307bis' ,
+ }
+ } elsif $rfc2307bis {
+ fail('rfc2307bis is not supported on client operating system')
+ } else {
+ $rfc2307bis_flg = ''
+ }
+
 if $::osfamily == 'RedHat' {
 # put $::operatingsystemmajrelease in quotes to force it to a string.
 # to make lint happy, the string has to have more than just the bare variable. :P
@@ -466,7 +483,7 @@
 $extra_flags = "${preferdns_flg} ${forcelegacy_flg} ${pamaccess_flg}"
 $pass_flags = "${md5_flg} ${passalgo_val} ${shadow_flg}"
- $authconfig_flags = "${ldap_flags} ${nis_flags} ${pass_flags} ${krb5_flags} ${winbind_flags} ${extra_flags} ${cache_flg} ${mkhomedir_flg} ${sssd_flg} ${sssdauth_flg} ${locauthorize_flg} ${sysnetauth_flg} ${smartcard_flags}"
+ $authconfig_flags = "${ldap_flags} ${nis_flags} ${pass_flags} ${krb5_flags} ${winbind_flags} ${extra_flags} ${cache_flg} ${mkhomedir_flg} ${sssd_flg} ${sssdauth_flg} ${rfc2307bis_flg} ${locauthorize_flg} ${sysnetauth_flg} ${smartcard_flags}"
 $authconfig_update_cmd = "authconfig ${authconfig_flags} --updateall"
 $authconfig_test_cmd = "authconfig ${authconfig_flags} --test"
 $exec_check_cmd = "/usr/bin/test \"`${authconfig_test_cmd}`\" = \"`authconfig --test`\""
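Review bot: The `elsif $rfc2307bis` branch tests the parameter's truthiness, and in Puppet a string such as `'false'` (which hiera or an ENC can easily supply) is truthy, so a mis-typed value aborts the catalog with `fail()` instead of disabling the option; checking the type where the parameter is declared, `validate_bool($rfc2307bis)` if stdlib is already a dependency, closes that gap. The README text added in this patch says the option is only valid when `sssd` is true, but nothing here looks at `$sssd`, so `--disablerfc2307bis` is passed and the `fail()` can fire on a host that does not use sssd at all; either document that or guard the whole block with `$sssd`. Minor style: `'--enablerfc2307bis' ,` puts a space before the comma, unlike the selectors earlier in the file.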
@@ -489,7 +506,23 @@
 }
 }
- if $ldap {
+ if $sssd {
+ # if we're using sssd, then sssd takes care of ldap connectivity.
+ # therefore, we only need the sssd packages and services, not the
+ # ldap packages and services
+ package { $authconfig::params::sssd_packages:
+ ensure => installed,
+ }
+ # sssd services must only run after the authconfig command has set
+ # up the config.
+ service { $authconfig::params::sssd_services:
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => Exec['authconfig command'],
+ }
+ } elsif $ldap {
 package { $authconfig::params::ldap_packages:
 ensure => installed,
 } ->
diff --git a/manifests/params.pp b/manifests/params.pp
index dea22ea..259e0ed 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -3,6 +3,9 @@
 $packages = ['authconfig']
 $cache_packages = ['nscd']
+ $sssd_packages = $::operatingsystemmajrelease ? {
+ default => ['sssd', 'sssd-client']
+ }
 $ldap_packages = $::operatingsystemmajrelease ? {
 7 => ['openldap-clients', 'nss-pam-ldapd'],
 default => ['openldap-clients', 'nss-pam-ldapd', 'pam_ldap']
@@ -17,7 +20,10 @@
 $services = []
 $cache_services = ['nscd']
 $ldap_services = ['nslcd']
+ $sssd_services = ['sssd']
 $smartcard_packages = [ 'nss-tools', 'nss-pam-ldapd', 'esc', 'pam_pkcs11', 'pam_krb5', 'coolkey', 'pcsc-lite-ccid', 'pcsc-lite', 'pcsc-lite-libs' ]
+ $enablerfc2307bis_allowed = (versioncmp("${::operatingsystemmajrelease}.0", '6.0') >= 0)
+ }
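Review bot: The sssd `package` resource has no ordering relationship with `Exec['authconfig command']`, whereas the existing `elsif $ldap` branch chains its packages with `->` before what follows; `authconfig --enablesssd` writes sssd configuration, and if the exec runs on a host where the sssd package is not yet installed the first run presumably fails (I have not verified authconfig's behaviour on a missing sssd config directory), so add `before => Exec['authconfig command'],` to the package resource, or use the same `->` chaining. Since the branches are now mutually exclusive, switching a host from `ldap` to `sssd` also leaves `nslcd` running and the ldap packages in place; if that is intended, a comment saying so next to the `elsif` would help the next reader. The `elsif $ldap` body continues outside the hunk.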
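Review bot: `$sssd_packages` is a selector on `$::operatingsystemmajrelease` with only a `default` arm, so the fact is never consulted and the construct suggests a per-release branch that does not exist; unless release-specific lists are about to follow, a plain `$sssd_packages = ['sssd', 'sssd-client']` says the same thing more directly.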
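Review bot: `$enablerfc2307bis_allowed` is evaluated unconditionally in params.pp, whereas the identical `versioncmp("${::operatingsystemmajrelease}.0", '6.0')` in init.pp (patch 1) is only reached under `$::osfamily == 'RedHat'`; on a platform where that fact is unset the left operand presumably collapses to `.0`, so the comparison silently yields false (or errors if `strict_variables` is enabled) rather than saying the platform is unknown. Since init.pp already has the RedHat guard, it could read this params value instead of duplicating the expression, keeping the version threshold in one place, and a short comment above the assignment naming what `6.0` stands for would spare the next reader a trip to the authconfig docs. The closing brace on the last `+` line appears to be the class's closing brace; the rest of the class starts before this hunk.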