- Overview
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Credits
## Overview

This module installs and configures SSSD (System Security Services Daemon).

SSSD provides access to remote identity and authentication resources through a common framework that can add caching and offline support to the system.
## Usage

Example configuration:

```puppet
class {'::sssd':
  config => {
    'sssd' => {
      'domains'             => 'ad.example.com',
      'config_file_version' => 2,
      'services'            => ['nss', 'pam'],
    },
    'domain/ad.example.com' => {
      'ad_domain'                      => 'ad.example.com',
      'ad_server'                      => ['server01.ad.example.com', 'server02.ad.example.com'],
      'krb5_realm'                     => 'AD.EXAMPLE.COM',
      'realmd_tags'                    => 'joined-with-samba',
      'cache_credentials'              => true,
      'id_provider'                    => 'ad',
      'krb5_store_password_if_offline' => true,
      'default_shell'                  => '/bin/bash',
      'ldap_id_mapping'                => false,
      'use_fully_qualified_names'      => false,
      'fallback_homedir'               => '/home/%d/%u',
      'access_provider'                => 'simple',
      'simple_allow_groups'            => ['admins', 'users'],
    }
  }
}
```
...or the same config in Hiera:

```yaml
sssd::config:
  'sssd':
    'domains': 'ad.example.com'
    'config_file_version': 2
    'services':
      - 'nss'
      - 'pam'
  'domain/ad.example.com':
    'ad_domain': 'ad.example.com'
    'ad_server':
      - 'server01.ad.example.com'
      - 'server02.ad.example.com'
    'krb5_realm': 'AD.EXAMPLE.COM'
    'realmd_tags': 'joined-with-samba'
    'cache_credentials': true
    'id_provider': 'ad'
    'krb5_store_password_if_offline': true
    'default_shell': '/bin/bash'
    'ldap_id_mapping': false
    'use_fully_qualified_names': false
    'fallback_homedir': '/home/%d/%u'
    'access_provider': 'simple'
    'simple_allow_groups':
      - 'admins'
      - 'users'
```
Either form is rendered into sssd.conf like this:

```ini
[sssd]
domains = ad.example.com
config_file_version = 2
services = nss, pam

[domain/ad.example.com]
ad_domain = ad.example.com
ad_server = server01.ad.example.com, server02.ad.example.com
krb5_realm = AD.EXAMPLE.COM
realmd_tags = joined-with-samba
cache_credentials = true
id_provider = ad
krb5_store_password_if_offline = true
default_shell = /bin/bash
ldap_id_mapping = false
use_fully_qualified_names = false
fallback_homedir = /home/%d/%u
access_provider = simple
simple_allow_groups = admins, users
```
Tip: Using 'ad' as id_provider requires you to run `adcli join <domain>` on the target node. `adcli join` creates a computer account in the domain for the local machine and sets up a keytab for it.

Example:

```shell
$ sudo adcli join ad.example.com
```
##### ensure

Defines whether sssd and its relevant packages are to be installed or removed. Valid values are 'present' and 'absent'.

Type: string

Default: present
##### config

Configuration options structured like the sssd.conf file: each top-level key is a section, and each nested key/value pair becomes a setting in that section. Array values will be joined into comma-separated lists.

Type: hash

Default:

```puppet
config => {
  'sssd' => {
    'config_file_version' => '2',
    'services'            => 'nss, pam',
    'domains'             => 'ad.example.com',
  },
  'domain/ad.example.com' => {
    'id_provider'       => 'ad',
    'krb5_realm'        => 'AD.EXAMPLE.COM',
    'cache_credentials' => true,
  },
}
```
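The rendering rule described for `config` (and shown in the sssd.conf output under Usage), worked through as an added Ruby example; this is not the module's own ERB template. The check that every name listed in `domains` has a matching `domain/<name>` section is an assumption added here for illustration, not something the module performs.

```ruby
# Added example, not the module's template: render a nested config hash
# into sssd.conf text and flag domains that lack their own section.

# Arrays become comma-separated lists; everything else is stringified
# (true/false and integers render as SSSD expects them).
def render_value(value)
  value.is_a?(Array) ? value.join(', ') : value.to_s
end

# Ruby hashes keep insertion order, so sections and keys are emitted
# in the order they were written (the module relies on the same property).
def render_sssd_conf(config)
  sections = config.map do |section, settings|
    lines = ["[#{section}]"]
    settings.each { |key, value| lines << "#{key} = #{render_value(value)}" }
    lines.join("\n")
  end
  sections.join("\n\n") + "\n"
end

# Hypothetical sanity check: a domain named in [sssd] domains but without
# a [domain/<name>] section will not be served by sssd.
def missing_domain_sections(config)
  domains = config.fetch('sssd', {}).fetch('domains', [])
  domains = domains.split(',').map(&:strip) if domains.is_a?(String)
  domains.reject { |d| config.key?("domain/#{d}") }
end

# Constructed sample input mirroring the README example.
SAMPLE_CONFIG = {
  'sssd' => {
    'domains'             => 'ad.example.com',
    'config_file_version' => 2,
    'services'            => ['nss', 'pam'],
  },
  'domain/ad.example.com' => {
    'id_provider'         => 'ad',
    'ad_server'           => ['server01.ad.example.com', 'server02.ad.example.com'],
    'cache_credentials'   => true,
    'ldap_id_mapping'     => false,
    'access_provider'     => 'simple',
    'simple_allow_groups' => ['admins', 'users'],
  },
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts render_sssd_conf(SAMPLE_CONFIG)
  missing = missing_domain_sections(SAMPLE_CONFIG)
  warn "no section for: #{missing.join(', ')}" unless missing.empty?
end
```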
##### mkhomedir

Set to 'true' to enable auto-creation of home directories on user login.

Type: boolean

Default: true
##### logindefs_*

These parameters adjust the settings with the same names in /etc/login.defs on systems in the RedHat family.
## Limitations

Tested on:

- Fedora 22, 23
- RHEL, CentOS and OracleLinux 5, 6, 7
- Ubuntu 14.04
## Credits

- sssd.conf template from walkamongus-sssd by Chadwick Banning
- Anchor pattern, mkhomedir code, RHEL5 support and spec tests by Chris Edester
- service_ensure option by sd-robbruce
- sssd.conf consistency during first Puppet run by ndelic0
- Non-sorting config keys for newer Ruby versions by gizmoguy