puppet-ldapauthkeys

This is a Puppet module that sets up openssh-ldap-authkeys on a system.

Parameters

$authmap (hash)

Required.

Specifies a map of local users to LDAP users. Hash keys are the local user/group and members are LDAP entities.

Example:

root:
  - "&admins"
  - jimmy
"&shell-users":
  - "~self"

$config (hash)

Required.

Configuration for OLAK (openssh-ldap-authkeys). If your ENC allows parameters to be specified as YAML (e.g. Foreman), you should be able to copy and paste a working olak.yml into this field.

Configuration format is formally defined in the following files:

  • types/olakconfig.pp
  • types/ldapconfig.pp
  • types/cacheconfig.pp
  • types/outputconfig.pp
  • types/loggingconfig.pp

A minimal configuration is:

ldap:
  basedn: dc=example,dc=com
  server_uri: ldap://ldap.example.com
  authdn: "cn=example-user, ou=Roles, dc=example, dc=com"
  authpw: supersecret123
  filters:
    user: "(objectClass=organizationalPerson)"
    group: "(objectClass=groupOfNames)"
  group_membership: dn
  attributes:
    username: uid
    ssh_key: sshKey
    group_name: cn
    group_member: member

$manage_package (boolean)

If true, the module will attempt to install the openssh-ldap-authkeys package.

Default: true

$package_name (string)

Name of the package to install using your distribution's package manager.

Default: autodetected based on distribution

$selinux_package_name (string)

Name of the separate package containing the SELinux policy, which will be installed if your system has SELinux enabled.

Default: ${package_name}-selinux

$package_ensure (string)

Package version to enforce. Defaults to installed, which merely ensures the package is present and does not attempt to upgrade it if it is out of date. Set to latest to upgrade the package on any Puppet run where an update is available.

Default: installed

$manage_sshd_config (boolean)

If true, sets all required configuration options in sshd_config. While this is designed to not clobber any existing sshd configuration you have, if you're using a module that fully manages the sshd configuration like saz-ssh, it's recommended to set this parameter to false and instead configure the following options through that module:

  • AuthorizedKeysCommand /usr/bin/openssh-ldap-authkeys %u %t %k
  • AuthorizedKeysCommandUser olak
  • PermitUserEnvironment yes

Default: true
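A profile that wires the $authmap and $config parameters above together with the saz-ssh case just described, as an added example that is not part of this module's README. The class name ldapauthkeys, the profile name and the Hiera key are assumptions; saz-ssh's server_options parameter is used to carry the three sshd directives.

```puppet
# Added example, not from the puppet-ldapauthkeys README. Assumes the module's
# entry point is the class `ldapauthkeys` and that saz-ssh owns sshd_config.
class profile::ldap_ssh_keys {
  # The LDAP bind password is a credential: look it up from Hiera (eyaml or
  # another encrypted backend) instead of writing it into the manifest.
  # Key name is an assumption for this example.
  $authpw = lookup('profile::ldap_ssh_keys::authpw', String)

  class { 'ldapauthkeys':
    # Local account (or &group) -> LDAP users / &groups / ~self, as in the README.
    authmap => {
      'root'         => ['&admins', 'jimmy'],
      '&shell-users' => ['~self'],
    },
    # Same shape as the minimal olak.yml shown above.
    config  => {
      'ldap' => {
        'basedn'           => 'dc=example,dc=com',
        # Bind credentials travel over this connection, so use LDAPS.
        'server_uri'       => 'ldaps://ldap.example.com',
        'authdn'           => 'cn=example-user, ou=Roles, dc=example, dc=com',
        'authpw'           => $authpw,
        'filters'          => {
          'user'  => '(objectClass=organizationalPerson)',
          'group' => '(objectClass=groupOfNames)',
        },
        'group_membership' => 'dn',
        'attributes'       => {
          'username'     => 'uid',
          'ssh_key'      => 'sshKey',
          'group_name'   => 'cn',
          'group_member' => 'member',
        },
      },
    },
    # sshd_config and the sshd service belong to saz-ssh, so hand both off.
    manage_sshd_config  => false,
    manage_sshd_service => false,
  }

  # The three directives the README lists, set through saz-ssh instead.
  class { 'ssh':
    server_options => {
      'AuthorizedKeysCommand'     => '/usr/bin/openssh-ldap-authkeys %u %t %k',
      'AuthorizedKeysCommandUser' => 'olak',
      'PermitUserEnvironment'     => 'yes',
    },
  }
}
```

Validate the hashes against types/olakconfig.pp and friends with `puppet parser validate` and a `--noop` run before rolling out, since a malformed config leaves sshd consulting a command that returns no keys.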

$sshd_config_path (string)

Path to the sshd_config file.

Default: /etc/ssh/sshd_config

$manage_sshd_service (boolean)

If true, manages the SSH service, which allows the module to restart sshd automatically when the configuration changes. You will probably need to set this to false if anything else within your site manages the sshd configuration.

Default: true

$sshd_service_provider (string/undef)

Service provider for the sshd service. If omitted, uses the system's preferred service manager as determined by Puppet's built-in service resource.

Default: undef

$sshd_service_state (string)

State to enforce for the sshd service. Defaults to running.

Default: running

$sshd_service_enable (boolean)

If true, enables the sshd service on system start.

Default: true

$sshd_service_name (string)

Name of the sshd service.

Default: autodetected based on distribution