Forge Home

Modules

Puppet

Resources

PuppetEcosystemPuppet CommunityUpdates

ipa

Manage IPA master, replicas, and clients
Project URLRSS FeedReport issues

18,810 downloads

17,053 latest version

1.5 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Support the Puppet Community by contributing to this module

You are welcome to contribute to this module by suggesting new features, currency updates, or fixes. Every contribution is valuable to help ensure that the module remains compatible with the latest Puppet versions and continues to meet community needs. Complete the following steps:

  1. Review the module’s contribution guidelines and any licenses. Ensure that your planned contribution aligns with the author’s standards and any legal requirements.
  2. Fork the repository on GitHub, make changes on a branch of your fork, and submit a pull request. The pull request must clearly document your proposed change.

For questions about updating the module, contact the module’s author.

Version information

  • 1.5.5 (latest)
  • 1.5.0
  • 1.0.2
  • 1.0.1
  • 0.0.2
  • 0.0.1
released Dec 19th 2013

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'huit-ipa', '1.5.5'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add huit-ipa
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install huit-ipa --version 1.5.5

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download
Tags: redhat, rhel, ldap, kerberos, krb5, ipa, freeipa

Documentation

huit/ipa — version 1.5.5 Dec 19th 2013

IPA Puppet module

Build Status

Overview

Puppet module that can manage an IPA master, replicas and clients.

huit/puppet-ipa aims at the management and configuration of a complete IPA environment under Puppet control.

To start, an IPA master will be required as the beginning of the LDAP/Kerberos environment. IPA replicas can then be added for additional resiliancy.

The IPA primary master server will take a minimum of two Puppet runs to fully configure. This is because the ipa_adminhomedir, ipa_adminuidnumber and ipa_replicascheme facts are not available until the IPA primary master is installed and operational. These facts are necessary to automatically configure clients and replicas.

IPA replica servers will be automatically configured with a replication agreement on the IPA primary master server.

All Puppet nodes added as clients will automatically be added to the IPA domain through exported resources.

Multiple IPA domains are supported.

A cleanup parameter has been included to remove the IPA server or client packages from nodes.

Dependencies

The ability to use Exported resources and Stored Configuration enabled on the Puppet master.

puppetlabs/puppetlabs-firewall module.

puppetlabs/stdlib module.

Usage

Available parameters.

####master

Configures a server to be an IPA master LDAP/Kerberos node.

Defaults to 'false'.

####replica

Configures a server to be an IPA replica LDAP/Kerberos node.

Defaults to 'false'.

####client

Configures a server to be an IPA client.

Defaults to 'false'.

####cleanup

Removes IPA specific packages.

Defaults to 'false'.

####domain

Defines the LDAP domain.

Defaults to 'undef'.

####realm

Defines the Kerberos realm.

Defaults to 'undef'.

####adminpw

Defines the IPA administrative user password.

Defaults to 'undef'.

####dspw

Defines the IPA directory services password.

Defaults to 'undef'.

####otp

Defines an IPA client one-time-password.

Defaults to 'undef'.

####dns

Controls the option to configure a DNS zone with the IPA master setup.

Defaults to 'false'.

####forwarders

Defines an array of DNS forwarders to use when DNS is setup. An empty list will use the Root Nameservers.

Defaults to '[]'.

####loadbalance

Controls the option to include any additional hostnames to be used in a load balanced IPA client configuration.

Defaults to 'false'.

####ipaservers

Defines an array of additional hostnames to be used in a load balanced IPA client configuration.

Defaults to '[]'

####mkhomedir

Controls the option to create user home directories on first login.

Defaults to 'false'.

####ntp

Controls the option to configure NTP on a client.

Defaults to 'false'.

####kstart

Controls the installation of kstart.

Defaults to 'true'.

####desc

Controls the description entry of an IPA client.

Defaults to ''.

####locality

Controls the locality entry of an IPA client.

Defaults to ''.

####location

Controls the location entry of an IPA client.

Defaults to ''.

####sssdtools

Controls the installation of the SSSD tools package.

Defaults to 'true'.

####sssdtoolspkg

SSSD tools package name.

Defaults to 'sssd-tools'

####sssd

Controls the option to start the SSSD service if its not defined elsewhere. Note: Set to false if the SSSD service is defined in your site specific modules.

Defaults to 'true'.

####sudo

Controls the option to configure sudo in LDAP.

Defaults to 'false'.

####sudopw

Defines the sudo user bind password.

Defaults to 'undef'.

####debiansudopkg

Controls the installation of the Debian sudo-ldap package.

Defaults to 'true'.

####automount

Controls the option to configure automounter maps in LDAP.

Defaults to 'false'.

####autofs

Controls the option to start the autofs service and install the autofs package.

Defaults to 'false'.

####svrpkg

IPA server package name.

Defaults to 'ipa-server'.

####clntpkg

IPA client package name.

Defaults to 'ipa-client'.

####ldaputils

Controls the instalation of the LDAP utilities package.

Defaults to 'true'.

####ldaputilspkg

LDAP utilities package name.

Defaults to 'openldap-clients'.

Usage examples

Here are a few simple usage examples. If you don't want to put your passwords in the clear, then use hiera/gpg.

IPA master:

    node 'ipamaster.domain.name' {
      class { 'ipa':
        master  => true, # Only one master per Puppet master
        domain  => 'domain.name',
        realm   => 'DOMAIN.NAME',
        adminpw => 'somepasswd', # Cleartext example
        dspw    => hiera('some_passwd') # Using hiera
      }
    }

IPA replica:

    node 'ipareplica1.domain.name' {
      class { 'ipa':
        replica => true, # Multiple replicas can be setup.
        domain  => 'domain.name',
        realm   => 'DOMAIN.NAME',
        adminpw => 'somepasswd',
        dspw    => 'somepasswd',
        otp     => 'onetimepasswd'
      }
    }

Another IPA replica:

    node 'ipareplica2.domain.name' {
      class { 'ipa':
        replica => true,
        domain  => 'domain.name',
        realm   => 'DOMAIN.NAME',
        adminpw => hiera('some_passwd'),
        dspw    => hiera('some_passwd'), 
        otp     => hiera('one_time_passwd')
      }
    }

IPA client:

    node 'ipaclient.domain.name' {
      class { 'ipa':
        client      => true,
        domain      => 'domain.name',
        realm       => 'DOMAIN.NAME',
        loadbalance => true,
        ipaservers  => ['ipaloadbalanceddnsname.domain.name','ipamaster.domain.name','ipareplica1.domain.name','ipareplica2.domain.name'],
        desc        => 'This is an IPA client', # This string will show up the the description attribute of the computer account.
        otp         => hiera('one_time_passwd')
      }
    }

Cleanup parameter:

    node 'ipawhatever.domain.name' {
      class { 'ipa':
        cleanup => true # Removes IPA completely. Mutually exclusive from master, replica and client parameters.
      }
    }

Limitations

IPA master and replicas require a RedHat family OS.

Client configuration does not work with Ubuntu 8.04 and Ubuntu 10.04

License

huit/puppet-ipa - Puppet module that can manage an IPA master, replicas and clients.

Copyright (C) 2013 Harvard University Information Technology

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

Support

Please report issues here.

For more information see https://github.com/huit/puppet-ipa.git