Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.21.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'jcpunk-authselect', '1.1.2'
Learn more about managing modules with a Puppetfile
Documentation
authselect
Manage authselect profile on systems that support it.
Description
Set your authselect profile and any required features.
Setup
What authselect affects
This will alter your host's fundamental authentication and lookups via authselect. Understand what that means before using it.
Setup Requirements
You will need to start any required services BEFORE the authselect class runs.
This class does not track things like sssd or winbind services.
You may use Class[authselect] or Exec[authselect set profile] to ensure your services are running.
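One way to express that ordering, as an added example that is not part of the module's own documentation. It assumes the `sssd` profile with `with-mkhomedir`, the usual `sssd` and `oddjob-mkhomedir` package names and `sssd`/`oddjobd` service names, and a hypothetical `profile` module that serves `sssd.conf`:

```puppet
# Added example. Package names, service names and the sssd.conf source
# are assumptions; adjust them to your platform and code base.
package { ['sssd', 'oddjob-mkhomedir']:
  ensure => installed,
}

file { '/etc/sssd/sssd.conf':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0600',  # may hold bind credentials, keep it root-only
  source  => 'puppet:///modules/profile/sssd/sssd.conf',  # hypothetical source
  require => Package['sssd'],
  notify  => Service['sssd'],
}

# Both services must be running before the profile is switched. Otherwise
# the host starts resolving users through a backend that is not answering.
service { 'sssd':
  ensure  => running,
  enable  => true,
  require => File['/etc/sssd/sssd.conf'],
  before  => Class['authselect'],
}

# The with-mkhomedir feature relies on oddjobd to create home directories.
service { 'oddjobd':
  ensure  => running,
  enable  => true,
  require => Package['oddjob-mkhomedir'],
  before  => Class['authselect'],
}

class { 'authselect':
  profile         => 'sssd',
  profile_options => ['with-mkhomedir', 'with-faillock'],
}
```

If another module declares the class and you only want to order against the profile change, `before => Exec['authselect set profile']` gives the same guarantee.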
Usage
Basic class usage
Example class invocation:
class { 'authselect':
  profile         => 'sssd',
  profile_options => [ 'with-mkhomedir', 'with-faillock']
}
And the Hiera file would look like:
authselect::profile: sssd
authselect::profile_options:
- with-mkhomedir
- without-pam-u2f-nouserok
Creating and selecting a custom profile
Example custom profile configuration:
class { 'authselect':
  profile_manage  => true,
  profile         => 'custom/new_profile',
  custom_profiles => {
    'new_profile' => {
      'base_profile' => 'sssd',
      'contents'     => {
        'nsswitch.conf' => {
          'content' => '<your custom nsswitch content here>'
        }
      }
    }
  }
}
And the Hiera file would look like:
authselect::profile_manage: true
authselect::profile: 'custom/new_profile'
authselect::custom_profiles:
  new_profile:
    base_profile: 'sssd'
    contents:
      nsswitch.conf:
        content: '<your custom nsswitch content here>'
The code above will create a new custom authselect profile called 'new_profile'. The profile will be based off of the sssd profile. The profile will also contain an nsswitch file that will contain the custom content specified in the content parameter. To use the new custom profile the authselect::profile parameter will need to prefix the name of the custom profile with custom/ as shown above.
Facts
This class also provides two facts: authselect_profile and authselect_profile_features.
Development
Folks should use the repo listed in metadata.json.
Reference
Table of Contents
Classes
- authselect: Manage authselect's active profile
- authselect::config: Configure authselect
- authselect::package: Manage the authselect package(s)
Defined types
- authselect::custom_profile: Manage a custom authselect profile
- authselect::custom_profile_content: Manage file contents in a custom authselect profile
Classes
authselect
This will select the requested authselect profile
Examples
Specifying a custom profile
authselect::profile: 'custom/custom_profile_name'
Specifying a vendor profile
authselect::profile: 'sssd'
Creating several profiles with different parameters
authselect::custom_profiles:
  'local_user_minimal':
    base_profile: 'minimal'
  'local_user_linked_nsswitch':
    symlink_nsswitch: true
  'local_user_custom_nsswitch':
    contents:
      'nsswitch.conf':
        content: 'passwd: files systemd {exclude if "with-custom-passwd"}
          group: files systemd {exclude if "with-custom-group"}
          netgroup: files {exclude if "with-custom-netgroup"}
          automount: files {exclude if "with-custom-automount"}
          services: files {exclude if "with-custom-services"}
          sudoers: files {include if "with-sudo"}'
        ensure: 'file'
        owner: 'root'
        group: 'root'
        mode: '0664'
Parameters
The following parameters are available in the authselect class:
package_manage
Data type: Boolean
Should this class manage the authselect package(s)
package_ensure
Data type: String
Passed to package ensure for the authselect package(s)
package_names
Data type: Array[String[1], 1]
Packages to manage in this class
profile_manage
Data type: Boolean
Should this class set the active profile
profile
Data type: String[1]
Which authselect profile should be used. Note: If using a custom (non-vendor) profile you must prefix the name with 'custom/'
profile_options
Data type: Array[String, 0]
What options should we pass to authselect, i.e. what features should be enabled/disabled?
custom_profiles
Data type: Hash
Custom profiles to manage
authselect::config
Configure authselect
Examples
include authselect::config
authselect::package
Manage the authselect package(s)
Examples
include authselect::package
Defined types
authselect::custom_profile
Manage a custom authselect profile
Examples
authselect::custom_profile { 'namevar': }
Parameters
The following parameters are available in the authselect::custom_profile defined type:
contents
Data type: Hash
Custom profile contents. Use this only if you fully understand how authselect works!
Default value: {}
base_profile
Data type: Enum['sssd','winbind', 'nis', 'minimal']
The profile to base your custom profile off of; defaults to sssd
Default value: 'sssd'
vendor
Data type: Boolean
Specify whether this profile goes into the custom folder or the vendor profile in authselect. Keep in mind that if you wish to select a custom profile, you must prefix the name of the profile with 'custom/' when setting authselect::profile
Default value: false
symlink_meta
Data type: Boolean
Symlink meta files from the base profile instead of copying them
Default value: false
symlink_nsswitch
Data type: Boolean
Symlink nsswitch files from the base profile instead of copying them
Default value: false
symlink_pam
Data type: Boolean
Symlink pam files from the base profile instead of copying them
Default value: false
symlink_dconf
Data type: Boolean
Symlink dconf files from the base profile instead of copying them
Default value: false
authselect::custom_profile_content
Manage file contents in a custom authselect profile
Examples
authselect::custom_profile_content { 'myprofile/filename':
  content => "File contents\n",
}
Parameters
The following parameters are available in the authselect::custom_profile_content defined type:
content
Data type: String
The file resource content attribute
path
Data type: Pattern[ /^\/etc\/authselect\/custom\/[^\/]+\/[^\/]+$/, /^\/usr\/share\/authselect\/vendor\/[^\/]+\/[^\/]+$/ ]
The full path to the managed file
Default value: "/etc/authselect/custom/${name}"
ensure
Data type: Stdlib::Ensure::File
The file resource ensure attribute
Default value: 'file'
owner
Data type: String[1]
The file resource owner attribute
Default value: 'root'
group
Data type: String[1]
The file resource group attribute
Default value: 'root'
mode
Data type: Stdlib::Filemode
The file resource mode attribute
Default value: '0644'
Changelog
All notable changes to this project will be documented in this file.
Release 1.1.2
Features
- Note puppet8 support
Release 1.1.1
Bug Fixes
- Return exec resource with static name for ordering
Release 1.1.0
- Added the ability for users to create and manage custom profiles
Release 1.0.1
Bug Fixes
- Authselect now runs correctly when changing profile, but leaving options alone
Release 1.0.0
Features
- The exec which sets the profile now has a static name
- When not managing the profile, a noop exec is created with the static name for ordering purposes
Breaking Change
The exec resource which sets the profile is now statically named authselect set profile.
Release 0.1.3
Bug Fixes
- Fix #2, better test coverage
Release 0.1.2
Bug Fixes
- Fix #1, module not idempotent
Release 0.1.1
Bug Fixes
- Fix typo in doc
Release 0.1.0
Known Limitations
- No way to track services like sssd or winbind
- No support for creating/deploying custom profiles