Version information
This version is compatible with:
- Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 4.7.0 < 6.0.0
Tasks:
- flush_secldapclntd
Start using this module
Add this module to your Puppetfile:
mod 'larkit-aixldap', '0.2.3'
Learn more about managing modules with a Puppetfile
aixldap
- Source: https://github.com/LarkIT/puppetmodule-aixldap
- Documentation: https://larkit.github.io/puppetmodule-aixldap/
- Forge: https://forge.puppet.com/larkit/aixldap
This module will setup your AIX system to use AD LDAP Authentication.
This module probably over-steps the concept of "do one thing" pretty far. I contend that the GSKit8 stuff and management of the SSL KDB file probably belong in their own module, but for now it's a self-contained "setup my ldap authentication" module. This module also attempts to make sure that local accounts have SYSTEM=compat registry=files added to them so that they still work after LDAP authentication is enabled.
Table of Contents
- Description
- Setup - The basics of getting started with aixldap
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
The aixldap module will install the necessary packages and configure Active Directory (AD) Kerberos LDAP authentication.
Setup
What aixldap affects
- Installs idsldap.clnt, krb5 and GSKit8 packages
- Setup a kdb file to trust the AD CA cert for SSL
- Configure ldap (mksecldap) and set some custom parameters in ldap.cfg.
- Optionally configure custom user_map and group_map files.
- Configure Kerberos (mkkrb5clnt)
- Optionally enable (activate) LDAP authentication.
- Configure /etc/security/mkuser.default, /etc/methods.cfg and /etc/netsvc.conf appropriate for LDAP authentication (making local users local)
- Start LDAP services (secldapclntd)
- Ensures that local users have appropriate attributes set to work after LDAP authentication is enabled.
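The last point above is the one that keeps you from locking yourself out: local accounts need SYSTEM=compat and registry=files once LDAP is active. The following is an added example (not part of the aixldap module or its facts) that parses the colon-separated output of `lsuser -c -a SYSTEM registry ALL` and lists which local users still need fixing; the output layout is assumed from the lsuser -c convention, and the sample output is constructed.

```ruby
# Check that local (files-registry) AIX accounts carry the attributes that keep
# them usable once LDAP authentication is switched on: SYSTEM=compat and
# registry=files. Added example, not aixldap module code. It parses the
# colon-separated output of `lsuser -c -a SYSTEM registry ALL` (layout assumed
# here); the sample output below is constructed.

REQUIRED = { 'SYSTEM' => 'compat', 'registry' => 'files' }.freeze

# Constructed sample in lsuser -c format: a header line naming the columns,
# then one record per user. An empty field means the attribute is unset.
SAMPLE_LSUSER = <<~OUT
  #name:SYSTEM:registry
  root:compat:files
  daemon:compat:files
  admin:compat:
  deploy::files
  svc_backup:LDAP:LDAP
OUT

# Parse lsuser -c output into { user_name => { attribute => value } }.
def parse_lsuser(text)
  lines = text.lines.map(&:chomp).reject(&:empty?)
  header = lines.shift
  raise ArgumentError, 'expected a #name:... header line' unless header&.start_with?('#name:')

  cols = header.sub(/\A#/, '').split(':', -1)   # ["name", "SYSTEM", "registry"]
  lines.each_with_object({}) do |line, users|
    fields = line.split(':', -1)                 # -1 keeps trailing empty fields
    name = fields.shift
    users[name] = cols.drop(1).zip(fields).to_h
  end
end

# Return { user_name => ["attr=expected (got value)", ...] } for every local
# user whose attributes differ from REQUIRED. Users whose registry is already
# LDAP are directory accounts, not local ones, and are skipped.
def local_users_needing_fix(text)
  parse_lsuser(text).each_with_object({}) do |(name, attrs), bad|
    next if attrs['registry'] == 'LDAP'

    problems = REQUIRED.reject { |attr, want| attrs[attr] == want }
                       .map do |attr, want|
      got = attrs[attr].to_s.empty? ? 'unset' : attrs[attr]
      "#{attr}=#{want} (got #{got})"
    end
    bad[name] = problems unless problems.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  # On a real host you would feed this the output of `lsuser -c -a SYSTEM registry ALL`.
  local_users_needing_fix(SAMPLE_LSUSER).each do |user, problems|
    puts "#{user}: #{problems.join(', ')}  ->  chuser SYSTEM=compat registry=files #{user}"
  end
end
```

Run it against the real `lsuser -c` output before enabling LDAP authentication; each reported user is one the module's local-user handling (or a manual `chuser`) must fix first.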
Setup Requirements
- You must have the LDAP packages hosted somewhere accessible to the AIX system. Currently the default location to stage them is /tmp/pkg. You may want to stage them at provisioning time or make them available over NFS / autofs (puppet-autofs).
- You should also know the LDAP directory you are binding to. You will likely need several details that are not readily available to a casual user.
- You will need a BindDN and Password for searching the directory (service account).
- NOTE: This may not be strictly required in all cases, but this code requires it.
- If your directory uses SSL, you will need the CA Certificate, as LDAP is very picky about SSL.
- Example code to use a "temporary" NFS mount:
# AIX Package Repo - This content is not specifically profile material
# Requires the puppetlabs/transition module for the `transition` resource.
class profile::aix_pkg_repo (
  String $repo_mount,
  String $repo_path = '/var/run/pkg_repo',
) {
  # Create mountpoint
  file { $repo_path:
    ensure => directory,
    before => Mount[$repo_path],
  }

  # Create filesystem mount reference (do not mount)
  mount { $repo_path:
    ensure  => 'unmounted',
    atboot  => false,
    device  => $repo_mount,
    fstype  => 'nfs',
    options => 'ro,fg,intr',
  }

  # List dependencies on this repo_path
  $pkg_repo_dependencies = [
    Exec['install-aixldap-packages-all-at-once'],
    #Package['rpm.rte'],
  ]

  # Make sure the dependencies process before the mountpoint is unmounted again.
  $pkg_repo_dependencies.each |$res| {
    # This may seem backwards, but remember the "Mount[$repo_path]" will actually unmount
    $res -> Mount[$repo_path]
  }

  # This will *mount* the pkg_repo before changing the dependent resources
  transition { "mount ${repo_path}":
    resource   => Mount[$repo_path],
    attributes => { ensure => 'mounted' },
    prior_to   => $pkg_repo_dependencies,
  }
}
Beginning with aixldap
At the most basic level, this module is going to require a few values in hieradata (or in the class call):
- basedn - usually something like dc=DOMAIN,dc=COM
- binddn - account used to bind for ldap searches (currently required)
- bindpw - password for bind account
- bindpw_crypted (use secldapclntd -e "thepassword")
- ldapservers - comma separated list of ldapservers
If you want to use SSL, you will also need to provide:
- use_ssl: 'yes' (if you use hiera, make sure yes is in quotes or it will come back as the boolean true)
- ssl_ca_cert_content (or ssl_ca_cert_file)
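The quoting warning on use_ssl is a YAML 1.1 rule, not a hiera quirk: Psych, the YAML parser Ruby (and therefore Hiera) uses, turns a bare yes/no/on/off into a boolean. The following added example (not module code; the hiera fragments are constructed) shows the two parses side by side and validates the value the way a String-typed parameter would.

```ruby
require 'yaml'

# Show why the README insists on quoting use_ssl: 'yes' in hiera. Psych (the
# YAML parser behind Hiera) follows YAML 1.1, so a bare yes/no/on/off is read
# as a boolean rather than the string the module expects. Added example, not
# aixldap module code; the hiera fragments below are constructed.

UNQUOTED = "aixldap::use_ssl: yes\n".freeze
QUOTED   = "aixldap::use_ssl: 'yes'\n".freeze

# Parse a hiera YAML fragment and return the raw value of aixldap::use_ssl.
def use_ssl_value(yaml_text)
  YAML.safe_load(yaml_text).fetch('aixldap::use_ssl')
end

# Validate the value as a String-typed parameter would: accept only the two
# expected strings, and explain the boolean case so the fix is obvious.
def validate_use_ssl(yaml_text)
  value = use_ssl_value(yaml_text)
  case value
  when 'yes', 'no'
    [:ok, value]
  when true, false
    [:error, "use_ssl parsed as boolean #{value}; quote it as '#{value ? 'yes' : 'no'}'"]
  else
    [:error, "use_ssl must be 'yes' or 'no', got #{value.inspect}"]
  end
end

if $PROGRAM_NAME == __FILE__
  { 'unquoted' => UNQUOTED, 'quoted' => QUOTED }.each do |label, yaml|
    puts "#{label}: #{use_ssl_value(yaml).inspect} -> #{validate_use_ssl(yaml).inspect}"
  end
end
```

The same rule applies to any other yes/no style value you put in hiera for this module; quoting is the fix, and a typed parameter turns the mistake into a clear catalog compile error instead of a silent misconfiguration.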
There are many other parameters that you can set to customize other parts. Please refer to the [manifests/init.pp] code for details.
Usage
AIX base profile:
# Specify this as early as possible in your AIX Base profile so that ANY users created will have this in scope.
User {
  ia_load_module => 'files',
  attributes     => ['SYSTEM=compat', 'registry=files'],
}

include aixldap
Hiera:
aixldap::basedn: dc=mydomain,dc=com
aixldap::binddn: cn=myldapuser,ou=People,dc=mydomain,dc=com
aixldap::bindpw: ENC.........please_use_eyaml!
aixldap::bindpw_crypted: (use secldapclntd -e 'bind_password') ... and maybe use eyaml too?
aixldap::ldapservers: adserver.sub.domain.com
Special Note: If you need to have multiple userbasedn values, you can specify them as an array like so:
aixldap::ldap_cfg_options:
  userbasedn:
    - OU=Users,OU=UnixTeam,dc=mydomain,dc=com
    - OU=ServiceAccounts,dc=mydomain,dc=com
Reference
See https://larkit.github.io/puppetmodule-aixldap/
Limitations
This is only compatible with AIX. We have only tested it on AIX 7.1 (TL2 and TL4) and AIX 7.2 (TL1). NOTE that the idsldap* packages are TL specific. Check your oslevel -s output (facter os.release.full).
Development
Feel free to fork/clone and submit pull requests.
Release Notes
See CHANGELOG.md.
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
Tasks in this module release
flush_secldapclntd
Flush cache on secldapclntd
Changelog
All notable changes to this project will be documented in this file.
Release v0.2.3
- Update version_requirement for stdlib to 7.0.0
Release v0.2.2
- Updated path in shell fact to work in other OS's (EL6)
- Updated method for fixing local users default attributes to prevent duplicate user resources.
Release v0.2.1
- Add /bin to path for aix_local_nonsystems_users.sh fact for Ubuntu
Release v0.2.0
- Support multiple userbasedn attributes (as an array to ldap_cfg_options)
- Updated default values for groupbasedn and hostbasedn
- Updated to PDK 1.6.0
Release v0.1.3
- Fix metadata to point to larkit/chsec 0.1.4 (re-release of bwilcox/chsec with fixes)
Release 0.1.2
- Fix a couple permissions related issues
- Add missing "4" on the end of the program_64 for NIS (like that matters)
- Fix /etc/security/mkuser.defaults is no longer replaced, specific attributes are set using chsec
- Remove workaround for chsec values with spaces, with chsec update to 0.1.4
- Updated /etc/netsvc.conf handling to be more advanced (allow overriding hosts line)
Release 0.1.1
- Fix issue with Linux OS that doesn't have /bin/ksh
Release 0.1.0
- Initial Release
Dependencies
- puppetlabs/stdlib (>= 4.13.1 < 7.0.0)
- larkit/chsec (>= 0.1.4 < 2.0.0)