Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
- , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'simp-sssd', '7.11.0'
Learn more about managing modules with a PuppetfileDocumentation
Table of Contents
- Overview
- > Use an older version of the module if you need lower version support
- This is a SIMP module
- Module Description
- Setup
- Usage
- Development
Overview
This module installs and manages SSSD. It allows you to set configuration options in sssd.conf through puppet / hiera.
WARNING
This module only supports
sssd
> 1.16.0Use an older version of the module if you need lower version support
See REFERENCE.md for full API details
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Please read our Contribution Guide.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- In the future, all SIMP-managed security subsystems will be disabled by default and must be explicitly opted into by administrators. Please review simp/simp_options for details.
Module Description
This module installs, configures and manages SSSD. It is also cross compatible
with simp/pki
and simp/auditd
.
It allows connection via krb5, ldap and local authentication.
simp/sssd
also connects to autofs, nss, pac, pam, ssh, and sudo.
Setup
What simp sssd affects
Files managed by simp/sssd
:
- /etc/sssd/sssd.conf
- /etc/init.d/sssd
- (Optional) /etc/sssd/pki with
simp/pki
enabled
Services and operations managed or affected:
- sssd (running)
- nscd (stopped)
Packages installed:
- sssd (latest by Default)
- sssd-tools (optionally, latest by Default)
- sssd-dbus (optionally, if ifp is included in sssd::services)
Usage
Beginning with SIMP SSSD
The following will install and manage the service for SSSD. It will configure the services defined in sssd::services (by default nss, pam, ssh and sudo.) If the host is joined to an IPA domain it will configure SSSD for the IPA domain. Otherwise the module does not create sssd domains or providers automatically. If the host is EL6 or EL7 the module will fail if you do not create a sssd domain.
include ::sssd
To enable integration with the existing SIMP PKI module, set the value of the PKI SIMP option to true:
This will use the simp pki certificate distribution mechanism and set the pki values accordingly in the ldap provider.
simp_options::pki: true
To enable integration with the simp auditd module, set the value of AUDITD SIMP option to true:
simp_options::auditd: true
Creating Domains and Providers
To create an SSSD domain you must instantiate a sssd::domain defined type and add the domain name to the array of domains in hiera:
In hiera:
sssd::domains: ['ldapusers', 'LOCAL']
Create a manifest:
sssd::domain { 'ldapusers':
id_provider => 'ldap',
auth_provider => 'krb5',
access_provider => 'krb5',
...etc
}
sssd::domain { 'LOCAL':
id_provider => 'local',
...etc
}
To include configuration options for the providers of the SSSD domain, you must
instantiate the provider type with the same name as the domain it applies to.
For example, to set options for the ldap and krb5 providers for the ldapusers
domain defined above use the following:
sssd::provider::ldap { 'ldapusers':
ldap_access_filter => 'memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com',
ldap_chpass_uri => empty,
ldap_access_order => 'expire',
...etc
}
sssd::provider::krb5 { 'ldapusers':
krb5_server => 'my.kerberos.server',
krb5_realm => 'mykrbrealm',
krb5_password => lookup('use_eyaml'),
...etc
}
More examples
Enabling Local Users
Using the LOCAL
provider is supported for EL6 but has been deprecated by the
vendor and is not recommended for use so is not documented here.
The following method works on EL7+ and is recommended by the vendor.
Add the following to your Hieradata:
---
sssd::enable_files_domain: true
More information can be found in sssd-local(5)
.
Using LDAP (Generic)
This should work with any general LDAP server, OpenLDAP, 389DS, etc...
sssd::domain { 'my_ldap':
description => 'LDAP Users',
id_provider => 'ldap',
auth_provider => 'ldap',
chpass_provider => 'ldap',
access_provider => 'ldap',
sudo_provider => 'ldap',
autofs_provider => 'ldap',
min_id => 500,
cache_credentials => true
}
sssd::provider::ldap { 'my_ldap':
ldap_default_authtok_type => 'password',
ldap_user_gecos => 'dn'
}
Using FreeIPA or Red Hat Directory Server
The sssd
class, by default, configures SSSD for an IPA domain,
when the host is joined to an IPA domain. If you want to manage this
configuration yourself, set sssd::auto_add_ipa_domain
to false.
Then, configure the domain and ipa
provider as follows
sssd::domain { 'my.domain':
description => "IPA Domain my.domain",
id_provider => 'ipa',
auth_provider => 'ipa',
chpass_provider => 'ipa',
access_provider => 'ipa',
sudo_provider => 'ipa',
autofs_provider => 'ipa',
}
sssd::provider::ipa { 'my.domain':
ipa_domain => 'my.domain'
ipa_server => [ 'ipaserver.my.domain' ]
}
Using Active Directory
For sssd
to properly function with AD, you will need to join the system to the
domain in whatever method suits your environment. There are several modules
containing relevant tasks but this is technically outside of the realm of sssd
so not included here.
$_my_ad_domain = 'test.domain'
# You may need to adjust these parameters for your exact environment but these
# should work for general use.
sssd::domain { $_my_ad_domain:
access_provider => 'ad',
cache_credentials => true,
id_provider => 'ad',
realmd_tags => 'manages-system joined-with-samba',
case_sensitive => true,
max_id => 0,
ignore_group_members => true,
use_fully_qualified_names => true
}
sssd::provider::ad { $_my_ad_domain:
ad_domain => $_my_ad_domain,
ad_servers => ["ad.${_my_ad_domain}"],
ldap_id_mapping => true,
ldap_schema => 'ad',
krb5_realm => upcase($_my_ad_domain),
dyndns_update => true,
default_shell => '/bin/bash',
fallback_homedir => '/home/%u@%d',
krb5_store_password_if_offline => true
}
Using Services
The following services can be managed by simp/sssd
.
- autofs
- ifp
- nss
- pac
- pam
- ssh
- sudo
Adding a service to the array of services in sssd::services will configure it using the defaults from its module, sssd::service::{service name} . Use hiera to override the defaults.
sssd::services: [ 'nss', 'pam', 'autofs']
The settings for the services have been known to change from one version of sssd
to the next. To overcome this problem, a parameter, custom_options
has been
added. It accepts a hash of options for the service. It will ignore the other
parameters in the service and use only these so you must add all options
that differ from the system defaults.
sssd::service::nss::custom_options:
description: 'The nss section of the config file'
filter_users: 'root'
filter_groups: 'root'
reconnection_retries: 3
mymissingparam: 'value'
Development
Please read our Contribution Guide.
Reference
Table of Contents
Classes
sssd
: This class allows you to install and configure SSSD. It will forcefully disable nscd which consequently prevents you from using an nscd modusssd::config
: Configuration class called from sssd. Sets up the[sssd]
section of '/etc/sssd/sssd.conf', and, optionally, a domain section for the IPAsssd::config::ipa_domain
: Configures SSSD for the IPA domain to which the host has joinedsssd::install
: Install the required packages for SSSDsssd::install::client
: Install the sssd-client packagesssd::pki
: Class: sssd::pki Uses the following sssd class parameters to copy certs into a directory for the sssd application $sssd::pki * If 'simp',sssd::service
: Control thesssd
servicesssd::service::autofs
: This class sets up the [autofs] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration. Full documentation of tsssd::service::ifp
: This class sets up the [ifp] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration. Full documentation of thessssd::service::nss
: This class sets up the [nss] section of /etc/sssd.conf. You may only have one of these per system. The class parameters map directly to SSSDsssd::service::pac
: This class sets up the [pac] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration. Full documentation of thessssd::service::pam
sssd::service::ssh
: This class sets up the [ssh] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration. Full documentation of thessssd::service::sudo
: This class sets up the [sudo] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration. Full documentation of the
Defined types
sssd::config::entry
: Add an entry to the /etc/sssd/conf.d directorysssd::domain
: Define: sssd::domain This define sets up a domain section of /etc/sssd.conf. This domain will be named after '$name' and should be listed insssd::provider::ad
: Set up the 'ad' (Active Directory) id_provider section of a particular domain.sssd::provider::files
: Configures the 'files' id_provider section of a particular domain.sssd::provider::ipa
: This define sets up the 'ipa' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf. See ssssd::provider::krb5
: Define: sssd::provider::krb5 This define sets up the 'krb5' provider section of a particular domain. $name should be the name of the associasssd::provider::ldap
: Define: sssd::provider::ldap This define sets up the 'ldap' provider section of a particular domain. $name should be the name of the associa
Functions
sssd::supported_version
: Returnstrue
if the version of SSSD installed on the system is supported andfalse
otherwise. Assumes that the system is relatively
Data types
Sssd::ADDefaultRight
: List of valid types for AD Provider setting ad_gpo_default_rightSssd::AccessProvider
: List of valid SSSD domain access providersSssd::AuthProvider
: List of valid types for sssd domain authentication providerSssd::ChpassProvider
: List of valid types for sssd domain change password providerSssd::DebugLevel
: Integer[0-9] or 2 byte Hexidecimal (ex. 0x0201)Sssd::IdProvider
: List of valid type for sssd domain ID provider.Sssd::LdapAccessOrder
: List of valid values for ldap provider ldap_access_order settingSssd::LdapAccountExpirePol
: List of valid values for ldap provider ldap_account_expire_policy '' corresponds to the default value (empty) per sssd-ldap(5) man pageSssd::LdapDefaultAuthtok
: List of valid values for ldap provider default auth tokenSssd::LdapDeref
: List of valid values for ldap provider deref settingSssd::LdapSchema
: List of valid setting for ldap provider ldap_schema setting.Sssd::LdapTlsReqcert
: List of valid setting for ldap provider ldap_tls_reqcert.Sssd::Services
: List of available sssd services
Classes
sssd
This class allows you to install and configure SSSD.
It will forcefully disable nscd which consequently prevents you from using an nscd module at the same time, which is the correct behavior.
Full documentation of the parameters that map directly to SSSD configuration options can be found in the sssd.conf(5) man page.
Examples
sssd::provider::ldap in hieradata:
sssd::ldap_providers:
ldap_users:
ldap_access_filter: 'memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com'
ldap_chpass_uri: empty
ldap_access_order: 'expire'
etc...
Parameters
The following parameters are available in the sssd
class:
authoritative
domains
debug_level
debug_timestamps
debug_microseconds
description
enable_files_domain
config_file_version
services
reconnection_retries
re_expression
full_name_format
try_inotify
krb5_rcache_dir
user
default_domain_suffix
override_space
ldap_providers
enumerate_users
include_svc_config
cache_credentials
min_id
auditd
pki
app_pki_cert_source
app_pki_dir
auto_add_ipa_domain
custom_config
authoritative
Data type: Boolean
Whether or not to purge all unmanaged files from /etc/sssd/conf.d.
Default value: false
domains
Data type: Array[String[1, 255]]
The sssd domains
to be managed.
Default value: []
debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef
debug_timestamps
Data type: Boolean
Default value: true
debug_microseconds
Data type: Boolean
Default value: false
description
Data type: Optional[String[1]]
Default value: undef
enable_files_domain
Data type: Boolean
Default value: true
config_file_version
Data type: Integer[1]
Default value: 2
services
Data type: Sssd::Services
Default value: ['nss','pam','ssh','sudo']
reconnection_retries
Data type: Integer[0]
Default value: 3
re_expression
Data type: Optional[String[1]]
Default value: undef
full_name_format
Data type: Optional[String[1]]
Default value: undef
try_inotify
Data type: Optional[Boolean]
Default value: undef
krb5_rcache_dir
Data type: Optional[String[1]]
Default value: undef
user
Data type: Optional[String[1]]
Default value: undef
default_domain_suffix
Data type: Optional[String[1]]
Default value: undef
override_space
Data type: Optional[String[1]]
Default value: undef
ldap_providers
Data type: Hash
This allows users to set up ldap sssd::provider::ldap resources via hieradata
Default value: {}
enumerate_users
Data type: Boolean
Have SSSD list and cache all the users that it can find on the remote system
- Take care that you don't overwhelm your server if you enable this
Default value: false
include_svc_config
Data type: Boolean
If set to true, config will loop through the services set in sssd:service and include the configuration section for it. At this time the service sections contain only the most common parameters used. If you need to set a param that is not included you can turn this off and create a custom manifest to add the section you need. If you simply want to change a setting that exists, use hiera.
Default value: true
cache_credentials
Data type: Boolean
Have SSSD cache the credentials of users that login to the system
Default value: true
min_id
Data type: Integer[0]
The lowest user ID that SSSD should recognize from the server.
Default value: 1
auditd
Data type: Boolean
Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false})
pki
Data type: Variant[Boolean,Enum['simp']]
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/sssd/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/sssd/x509
- If false, do not include SIMP's pki module and do not use pki::copy
to manage certs. You will need to appropriately assign a subset of:
- app_pki_dir
- app_pki_key
- app_pki_cert
- app_pki_ca
- app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false})
app_pki_cert_source
Data type: Stdlib::Absolutepath
-
If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
-
If pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509'})
app_pki_dir
Data type: Stdlib::Absolutepath
This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/sssd/x509.
Default value: '/etc/pki/simp_apps/sssd/x509'
auto_add_ipa_domain
Data type: Boolean
Whether to configure sssd for an IPA domain, when the host is joined to an IPA domain. When enabled, this feature helps to prevent user lockout for IPA-managed user accounts. Otherwise, you must configure the IPA domain yourself.
Default value: true
custom_config
Data type: Optional[String[1]]
A configuration that will be added to /etc/sssd/conf.d/00_puppet_custom.conf without validation
Default value: undef
sssd::config
Configuration class called from sssd.
Sets up the [sssd]
section of '/etc/sssd/sssd.conf', and,
optionally, a domain section for the IPA domain to which the host
is joined. When the IPA domain is configured, the IPA domain is
automatically added to $domains
to generate the list of domains
in the [sssd]
section.
Parameters
The following parameters are available in the sssd::config
class:
authoritative
Data type: Boolean
Set to true
to purge unmanaged configuration files
Default value: pick(getvar("${module_name}::authoritative"), false)
sssd::config::ipa_domain
Configures SSSD for the IPA domain to which the host has joined
sssd::install
Install the required packages for SSSD
Parameters
The following parameters are available in the sssd::install
class:
install_client
Data type: Boolean
If true
, install the sssd
client
Default value: true
install_user_tools
Data type: Boolean
If true
, install the 'sssd-tools' package for administrative
changes to the SSSD databases
Default value: true
package_ensure
Data type: String
Ensure setting for all packages installed by this module
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
sssd::install::client
Install the sssd-client package
Parameters
The following parameters are available in the sssd::install::client
class:
ensure
Data type: Any
Ensure setting for 'sssd-client' package
Default value: $::sssd::install::package_ensure
sssd::pki
Class: sssd::pki
Uses the following sssd class parameters to copy certs into a directory for the sssd application
$sssd::pki
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/sssd/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/sssd/x509
- If false, do not include SIMP's pki module and do not use pki::copy
to manage certs. You will need to appropriately assign a subset of:
- app_pki_dir
- app_pki_key
- app_pki_cert
- app_pki_ca
- app_pki_ca_dir
$ssd::app_pki_cert_source
-
If $sssd::pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
-
If $sssd::pki = false, this variable has no effect.
sssd::service
Control the sssd
service
Parameters
The following parameters are available in the sssd::service
class:
ensure
Data type: Variant[String[1],Boolean]
The ensure
parameter of the service resource
Default value: sssd::supported_version()
enable
Data type: Boolean
The enable
parameter of the service resource
Default value: sssd::supported_version()
sssd::service::autofs
This class sets up the [autofs] section of /etc/sssd.conf.
The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.
Parameters
The following parameters are available in the sssd::service::autofs
class:
description
Data type: Optional[String]
Default value: undef
debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef
debug_timestamps
Data type: Boolean
Default value: true
debug_microseconds
Data type: Boolean
Default value: false
autofs_negative_timeout
Data type: Optional[Integer]
Default value: undef
custom_options
Data type: Optional[Hash]
If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.
Default value: undef
sssd::service::ifp
This class sets up the [ifp] section of /etc/sssd.conf.
The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) and sssd-ifp man pages.
Parameters
The following parameters are available in the sssd::service::ifp
class:
description
debug_level
debug_timestamps
debug_microseconds
wildcard_limit
allowed_uids
user_attributes
custom_options
description
Data type: Optional[String]
Default value: undef
debug_level
Data type: Optional[Sssd::Debuglevel]
Default value: undef
debug_timestamps
Data type: Boolean
Default value: true
debug_microseconds
Data type: Boolean
Default value: false
wildcard_limit
Data type: Optional[Integer[0]]
Default value: undef
allowed_uids
Data type: Optional[Array[String[1]]]
Default value: undef
user_attributes
Data type: Optional[Array[String[1]]]
Default value: undef
custom_options
Data type: Optional[Hash]
If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.
Default value: undef
sssd::service::nss
This class sets up the [nss] section of /etc/sssd.conf. You may only have one of these per system.
The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.
Parameters
The following parameters are available in the sssd::service::nss
class:
description
debug_level
debug_timestamps
debug_microseconds
reconnection_retries
fd_limit
command
enum_cache_timeout
entry_cache_nowait_percentage
entry_negative_timeout
filter_users
filter_groups
filter_users_in_groups
override_homedir
fallback_homedir
override_shell
vetoed_shells
default_shell
get_domains_timeout
memcache_timeout
user_attributes
custom_options
description
Data type: Optional[String]
Default value: undef
debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef
debug_timestamps
Data type: Boolean
Default value: true
debug_microseconds
Data type: Boolean
Default value: false
reconnection_retries
Data type: Integer
Default value: 3
fd_limit
Data type: Optional[Integer]
Default value: undef
command
Data type: Optional[String]
Default value: undef
enum_cache_timeout
Data type: Integer
Default value: 120
entry_cache_nowait_percentage
Data type: Integer
Default value: 0
entry_negative_timeout
Data type: Integer
Default value: 15
filter_users
Data type: String
Default value: 'root'
filter_groups
Data type: String
Default value: 'root'
filter_users_in_groups
Data type: Boolean
Default value: true
override_homedir
Data type: Optional[String]
Default value: undef
fallback_homedir
Data type: Optional[String]
Default value: undef
override_shell
Data type: Optional[String]
Default value: undef
vetoed_shells
Data type: Optional[String]
Default value: undef
default_shell
Data type: Optional[String]
Default value: undef
get_domains_timeout
Data type: Optional[Integer]
Default value: undef
memcache_timeout
Data type: Optional[Integer]
Default value: undef
user_attributes
Data type: Optional[String]
Default value: undef
custom_options
Data type: Optional[Hash]
If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.
Default value: undef
sssd::service::pac
This class sets up the [pac] section of /etc/sssd.conf.
The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.
Parameters
The following parameters are available in the sssd::service::pac
class:
description
Data type: Optional[String]
Default value: undef
debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef
debug_timestamps
Data type: Boolean
Default value: true
debug_microseconds
Data type: Boolean
Default value: false
allowed_uids
Data type: Array[String]
Default value: []
custom_options
Data type: Optional[Hash]
If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.
Default value: undef
sssd::service::pam
The sssd::service::pam class.
Parameters
The following parameters are available in the sssd::service::pam
class:
description
debug_level
debug_timestamps
debug_microseconds
pam_cert_auth
reconnection_retries
command
offline_credentials_expiration
offline_failed_login_attempts
offline_failed_login_delay
pam_verbosity
pam_id_timeout
pam_pwd_expiration_warning
get_domains_timeout
pam_trusted_users
pam_public_domains
custom_options
description
Data type: Optional[String]
Default value: undef
debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef
debug_timestamps
Data type: Boolean
Default value: true
debug_microseconds
Data type: Boolean
Default value: false
pam_cert_auth
Data type: Boolean
Default value: false
reconnection_retries
Data type: Integer
Default value: 3
command
Data type: Optional[String]
Default value: undef
offline_credentials_expiration
Data type: Integer
Default value: 0
offline_failed_login_attempts
Data type: Integer
Default value: 3
offline_failed_login_delay
Data type: Integer
Default value: 5
pam_verbosity
Data type: Integer
Default value: 1
pam_id_timeout
Data type: Integer
Default value: 5
pam_pwd_expiration_warning
Data type: Integer
Default value: 7
get_domains_timeout
Data type: Optional[Integer]
Default value: undef
pam_trusted_users
Data type: Optional[String]
Default value: undef
pam_public_domains
Data type: Optional[String]
Default value: undef
custom_options
Data type: Optional[Hash]
Default value: undef
sssd::service::ssh
This class sets up the [ssh] section of /etc/sssd.conf.
The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.
Parameters
The following parameters are available in the sssd::service::ssh
class:
description
debug_level
debug_timestamps
debug_microseconds
ssh_hash_known_hosts
ssh_known_hosts_timeout
custom_options
description
Data type: Optional[String]
Default value: undef
debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef
debug_timestamps
Data type: Boolean
Default value: true
debug_microseconds
Data type: Boolean
Default value: false
ssh_hash_known_hosts
Data type: Boolean
Default value: true
ssh_known_hosts_timeout
Data type: Optional[Integer]
Default value: undef
custom_options
Data type: Optional[Hash]
If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.
Default value: undef
sssd::service::sudo
This class sets up the [sudo] section of /etc/sssd.conf.
The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.
Parameters
The following parameters are available in the sssd::service::sudo
class:
description
debug_level
debug_timestamps
debug_microseconds
sudo_threshold
sudo_timed
custom_options
description
Data type: Optional[String]
Default value: undef
debug_level
Data type: Optional[Sssd::Debuglevel]
Default value: undef
debug_timestamps
Data type: Boolean
Default value: true
debug_microseconds
Data type: Boolean
Default value: false
sudo_threshold
Data type: Integer[1]
Default value: 50
sudo_timed
Data type: Boolean
Default value: false
custom_options
Data type: Optional[Hash]
If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.
Default value: undef
Defined types
sssd::config::entry
Add an entry to the /etc/sssd/conf.d directory
Parameters
The following parameters are available in the sssd::config::entry
defined type:
name
A unique name that will be used for generating the target filename
Should not be fully qualified
content
Data type: String
The content of the target file
order
Data type: Integer[0]
Default value: 50
sssd::domain
Define: sssd::domain
This define sets up a domain section of /etc/sssd.conf. This domain will be named after '$name' and should be listed in your main sssd.conf if you wish to activate it.
You will need to call the associated provider segments to make this fully functional.
It is entirely possible to make a configuration file that is complete nonsense by failing to set the correct combinations of providers. See the SSSD documentation for details.
When you call the associated providers, you should be sure to name them based on the name of this domain.
Full documentation of the parameters that map directly to SSSD configuration options can be found in the sssd.conf(5) man page.
Parameters
The following parameters are available in the sssd::domain
defined type:
name
id_provider
debug_level
debug_timestamps
debug_microseconds
description
min_id
max_id
enumerate
subdomain_enumerate
force_timeout
entry_cache_timeout
entry_cache_user_timeout
entry_cache_group_timeout
entry_cache_netgroup_timeout
entry_cache_service_timeout
entry_cache_sudo_timeout
entry_cache_autofs_timeout
entry_cache_ssh_host_timeout
refresh_expired_interval
cache_credentials
account_cache_expiration
pwd_expiration_warning
use_fully_qualified_names
ignore_group_members
access_provider
auth_provider
chpass_provider
sudo_provider
selinux_provider
subdomains_provider
autofs_provider
hostid_provider
re_expression
full_name_format
lookup_family_order
dns_resolver_timeout
dns_discovery_domain
override_gid
case_sensitive
proxy_fast_alias
realmd_tags
proxy_pam_target
proxy_lib_name
ldap_user_search_filter
name
The name of the domain. This will be placed at [domain/$name] in the configuration file.
id_provider
Data type: Sssd::IdProvider
debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef
debug_timestamps
Data type: Boolean
Default value: true
debug_microseconds
Data type: Boolean
Default value: false
description
Data type: Optional[String]
Default value: undef
min_id
Data type: Integer[0]
Default value: 1
max_id
Data type: Integer[0]
Default value: 0
enumerate
Data type: Boolean
Default value: false
subdomain_enumerate
Data type: Boolean
Default value: false
force_timeout
Data type: Optional[Integer]
Default value: undef
entry_cache_timeout
Data type: Optional[Integer]
Default value: undef
entry_cache_user_timeout
Data type: Optional[Integer]
Default value: undef
entry_cache_group_timeout
Data type: Optional[Integer]
Default value: undef
entry_cache_netgroup_timeout
Data type: Optional[Integer]
Default value: undef
entry_cache_service_timeout
Data type: Optional[Integer]
Default value: undef
entry_cache_sudo_timeout
Data type: Optional[Integer]
Default value: undef
entry_cache_autofs_timeout
Data type: Optional[Integer]
Default value: undef
entry_cache_ssh_host_timeout
Data type: Optional[Integer]
Default value: undef
refresh_expired_interval
Data type: Optional[Integer]
Default value: undef
cache_credentials
Data type: Boolean
Default value: false
account_cache_expiration
Data type: Integer[0]
Default value: 0
pwd_expiration_warning
Data type: Optional[Integer[0]]
Default value: undef
use_fully_qualified_names
Data type: Boolean
Default value: false
ignore_group_members
Data type: Boolean
Default value: true
access_provider
Data type: Optional[Sssd::AccessProvider]
Default value: undef
auth_provider
Data type: Optional[Sssd::AuthProvider]
Default value: undef
chpass_provider
Data type: Optional[Sssd::ChpassProvider]
Default value: undef
sudo_provider
Data type: Optional[Enum['ldap', 'ipa','ad','none']]
Default value: undef
selinux_provider
Data type: Optional[Enum['ipa', 'none']]
Default value: undef
subdomains_provider
Data type: Optional[Enum['ipa', 'ad','none']]
Default value: undef
autofs_provider
Data type: Optional[Enum['ldap', 'ipa','none']]
Default value: undef
hostid_provider
Data type: Optional[Enum['ipa', 'none']]
Default value: undef
re_expression
Data type: Optional[String]
Default value: undef
full_name_format
Data type: Optional[String]
Default value: undef
lookup_family_order
Data type: Optional[String]
Default value: undef
dns_resolver_timeout
Data type: Integer[0]
Default value: 5
dns_discovery_domain
Data type: Optional[String]
Default value: undef
override_gid
Data type: Optional[String]
Default value: undef
case_sensitive
Data type: Variant[Boolean,Enum['preserving']]
Default value: true
proxy_fast_alias
Data type: Boolean
Default value: false
realmd_tags
Data type: Optional[String]
Default value: undef
proxy_pam_target
Data type: Optional[String]
Default value: undef
proxy_lib_name
Data type: Optional[String]
Default value: undef
ldap_user_search_filter
Data type: Optional[String]
Default value: undef
sssd::provider::ad
NOTE: You MUST connect the system to the domain prior to using this defined type.
Any parameter not explicitly documented directly follows the documentation from sssd-ad(5).
- See also
- sssd-ad(5)
Parameters
The following parameters are available in the sssd::provider::ad
defined type:
ad_domain
ad_enabled_domains
ad_servers
ad_backup_servers
ad_hostname
ad_enable_dns_sites
ad_access_filters
ad_site
ad_enable_gc
ad_gpo_access_control
ad_gpo_cache_timeout
ad_gpo_map_interactive
ad_gpo_map_remote_interactive
ad_gpo_map_network
ad_gpo_map_batch
ad_gpo_map_service
ad_gpo_map_permit
ad_gpo_map_deny
ad_gpo_default_right
ad_gpo_implicit_deny
ad_gpo_ignore_unreadable
ad_maximum_machine_account_password_age
ad_machine_account_password_renewal_opts
default_shell
dyndns_update
dyndns_ttl
dyndns_ifaces
dyndns_refresh_interval
dyndns_update_ptr
dyndns_force_tcp
dyndns_server
override_homedir
fallback_homedir
homedir_substring
krb5_realm
krb5_use_enterprise_principal
krb5_store_password_if_offline
krb5_confd_path
ldap_id_mapping
ldap_schema
ldap_idmap_range_min
ldap_idmap_range_max
ldap_idmap_range_size
ldap_idmap_default_domain_sid
ldap_idmap_default_domain
ldap_idmap_autorid_compat
ldap_idmap_helper_table_size
ldap_use_tokengroups
ldap_group_objectsid
ldap_user_objectsid
ldap_user_extra_attrs
ldap_user_ssh_public_key
ad_domain
Data type: Optional[String[1]]
Default value: undef
ad_enabled_domains
Data type: Optional[Array[String[1],1]]
An explicit list of AD enabled domains
- An error will be raised if
ad_domain
is specified and not in this list
Default value: undef
ad_servers
Data type: Optional[Array[Variant[Simplib::Hostname, Enum['_srv_']]]]
A list of AD servers in failover order
- Ignored if
autodiscovery
is enabled
Default value: undef
ad_backup_servers
Data type: Optional[Array[Simplib::Hostname,1]]
A list of AD backup servers in failover order
- Ignored if
autodiscovery
is enabled
Default value: undef
ad_hostname
Data type: Optional[Simplib::Hostname]
Default value: undef
ad_enable_dns_sites
Data type: Optional[Boolean]
Default value: undef
ad_access_filters
Data type: Optional[Array[String[1],1]]
A list of access filters for the system
Default value: undef
ad_site
Data type: Optional[String[1]]
Default value: undef
ad_enable_gc
Data type: Optional[Boolean]
Default value: undef
ad_gpo_access_control
Data type: Optional[Enum['disabled','enforcing','permissive']]
Default value: undef
ad_gpo_cache_timeout
Data type: Optional[Integer[1]]
Default value: undef
ad_gpo_map_interactive
Data type: Optional[Array[String[1],1]]
Default value: undef
ad_gpo_map_remote_interactive
Data type: Optional[Array[String[1],1]]
Default value: undef
ad_gpo_map_network
Data type: Optional[Array[String[1],1]]
Default value: undef
ad_gpo_map_batch
Data type: Optional[Array[String[1],1]]
Default value: undef
ad_gpo_map_service
Data type: Optional[Array[String[1],1]]
Default value: undef
ad_gpo_map_permit
Data type: Optional[Array[String[1],1]]
Default value: undef
ad_gpo_map_deny
Data type: Optional[Array[String[1],1]]
Default value: undef
ad_gpo_default_right
Data type: Optional[Sssd::ADDefaultRight]
Default value: undef
ad_gpo_implicit_deny
Data type: Optional[Boolean]
(new in sssd V2.0 and later)
Default value: undef
ad_gpo_ignore_unreadable
Data type: Optional[Boolean]
(new in sssd V2.0 and later)
Default value: undef
ad_maximum_machine_account_password_age
Data type: Optional[Integer[0]]
Default value: undef
ad_machine_account_password_renewal_opts
Data type: Optional[Pattern['^\d+:\d+$']]
Default value: undef
default_shell
Data type: Optional[String[1]]
Default value: undef
dyndns_update
Data type: Boolean
Default value: true
dyndns_ttl
Data type: Optional[Integer]
Default value: undef
dyndns_ifaces
Data type: Optional[Array[String[1],1]]
List of interfaces whose IP Addresses should be used for dynamic DNS updates. Used for the dyndns_iface setting.
- Has no effect if
dyndns_update
is not set totrue
Default value: undef
dyndns_refresh_interval
Data type: Optional[Integer]
Default value: undef
dyndns_update_ptr
Data type: Optional[Boolean]
Default value: undef
dyndns_force_tcp
Data type: Optional[Boolean]
Default value: undef
dyndns_server
Data type: Optional[Simplib::Hostname]
Default value: undef
override_homedir
Data type: Optional[String[1]]
Default value: undef
fallback_homedir
Data type: Optional[String[1]]
Default value: undef
homedir_substring
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
krb5_realm
Data type: Optional[String[1]]
Default value: $ad_domain
krb5_use_enterprise_principal
Data type: Optional[Boolean]
Default value: undef
krb5_store_password_if_offline
Data type: Boolean
Default value: false
krb5_confd_path
Data type: Optional[Variant[Enum['none'],Stdlib::Absolutepath]]
Default value: undef
ldap_id_mapping
Data type: Boolean
Default value: true
ldap_schema
Data type: Optional[String[1]]
Default value: undef
ldap_idmap_range_min
Data type: Optional[Integer[0]]
Default value: undef
ldap_idmap_range_max
Data type: Optional[Integer[1]]
Default value: undef
ldap_idmap_range_size
Data type: Optional[Integer[1]]
Default value: undef
ldap_idmap_default_domain_sid
Data type: Optional[String[1]]
Default value: undef
ldap_idmap_default_domain
Data type: Optional[String[1]]
Default value: undef
ldap_idmap_autorid_compat
Data type: Optional[Boolean]
Default value: undef
ldap_idmap_helper_table_size
Data type: Optional[Integer[1]]
Default value: undef
ldap_use_tokengroups
Data type: Boolean
Default value: true
ldap_group_objectsid
Data type: Optional[String[1]]
Default value: undef
ldap_user_objectsid
Data type: Optional[String[1]]
Default value: undef
ldap_user_extra_attrs
Data type: Optional[String[1]]
Can be used to enable public key storage for ssh When used this way, set this param and param ldap_user_ssh_public_key to 'altSecurityIdentities'
Default value: undef
ldap_user_ssh_public_key
Data type: Optional[String[1]]
Can be used to enable public key storage for ssh When used this way, set this param and param ldap_user_extra_attrs to 'altSecurityIdentities'
Default value: undef
sssd::provider::files
NOTE: This defined type has no effect on SSSD < 1.16.0
$name should be the name of the associated domain in sssd.conf.
This is not necessary for the file provider unless you want to use files other then /etc/passwd and /etc/group
See man 'sssd-files' for additional information.
Parameters
The following parameters are available in the sssd::provider::files
defined type:
name
The name of the associated domain section in the configuration file.
passwd_files
Data type: Optional[Array[Stdlib::Absolutepath]]
Default value: undef
group_files
Data type: Optional[Array[Stdlib::Absolutepath]]
Default value: undef
sssd::provider::ipa
This define sets up the 'ipa' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf.
See sssd-ipa.conf(5) for additional information.
Regarding: POODLE - CVE-2014-3566
The tls_cipher_suite variable is set to HIGH:-SSLv2 by default because OpenLDAP cannot set the SSL provider natively. By default, it will run TLSv1 but cannot handle TLSv1.2 therefore the SSLv3 ciphers cannot be eliminated. Take care to ensure that your clients only connect with TLSv1 if possible.
Parameters
The following parameters are available in the sssd::provider::ipa
defined type:
name
ipa_domain
ipa_server
ipa_backup_server
ipa_enable_dns_sites
ipa_hostname
ipa_server_mode
dyndns_auth
dyndns_force_tcp
dyndns_iface
dyndns_refresh_interval
dyndns_server
dyndns_ttl
dyndns_update
dyndns_update_ptr
ipa_automount_location
ipa_hbac_refresh
ipa_hbac_search_base
ipa_hbac_selinux
ipa_host_search_base
ipa_master_domains_search_base
ipa_selinux_search_base
ipa_subdomains_search_base
ipa_views_search_base
krb5_confd_path
krb5_realm
krb5_store_password_if_offline
ldap_tls_cacert
ldap_tls_cipher_suite
use_service_discovery
name
ipa_domain
Data type: String[1]
ipa_server
Data type: Array[Simplib::Host]
ipa_backup_server
Data type: Optional[Array[Simplib::Host]]
Default value: undef
ipa_enable_dns_sites
Data type: Boolean
Default value: false
ipa_hostname
Data type: Simplib::Hostname
Default value: $facts['networking']['fqdn']
ipa_server_mode
Data type: Boolean
Default value: false
dyndns_auth
Data type: Enum['none','GSS-TSIG']
Default value: 'GSS-TSIG'
dyndns_force_tcp
Data type: Optional[Boolean]
Default value: undef
dyndns_iface
Data type: Optional[Array[String[1]]]
Default value: undef
dyndns_refresh_interval
Data type: Optional[Integer[0]]
Default value: undef
dyndns_server
Data type: Optional[Simplib::Host]
Default value: undef
dyndns_ttl
Data type: Optional[Integer[0]]
Default value: undef
dyndns_update
Data type: Boolean
Default value: true
dyndns_update_ptr
Data type: Optional[Boolean]
Default value: undef
ipa_automount_location
Data type: Optional[String]
Default value: undef
ipa_hbac_refresh
Data type: Optional[Integer[0]]
Default value: undef
ipa_hbac_search_base
Data type: Optional[String]
Default value: undef
ipa_hbac_selinux
Data type: Optional[Integer[0]]
Default value: undef
ipa_host_search_base
Data type: Optional[String]
Default value: undef
ipa_master_domains_search_base
Data type: Optional[String]
Default value: undef
ipa_selinux_search_base
Data type: Optional[String]
Default value: undef
ipa_subdomains_search_base
Data type: Optional[String]
Default value: undef
ipa_views_search_base
Data type: Optional[String]
Default value: undef
krb5_confd_path
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
krb5_realm
Data type: Optional[String]
Default value: undef
krb5_store_password_if_offline
Data type: Boolean
Default value: true
ldap_tls_cacert
Data type: Stdlib::AbsolutePath
Default value: '/etc/ipa/ca.crt'
ldap_tls_cipher_suite
Data type: Array[String]
Default value: ['HIGH','-SSLv2']
use_service_discovery
Data type: Boolean
Whether to add 'srv' to the list of IPA servers, thereby enabling service discovery of these servers
Default value: true
sssd::provider::krb5
Define: sssd::provider::krb5
This define sets up the 'krb5' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf.
See sssd-krb5.conf(5) for additional information.
Parameters
The following parameters are available in the sssd::provider::krb5
defined type:
name
krb5_server
krb5_realm
debug_level
debug_timestamps
debug_microseconds
krb5_kpasswd
krb5_ccachedir
krb5_ccname_template
krb5_auth_timeout
krb5_validate
krb5_keytab
krb5_store_password_if_offline
krb5_renewable_lifetime
krb5_lifetime
krb5_renew_interval
krb5_use_fast
name
The name of the associated domain section in the configuration file.
krb5_server
Data type: Optional[Simplib::Host]
Default value: undef
krb5_realm
Data type: String
debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef
debug_timestamps
Data type: Boolean
Default value: true
debug_microseconds
Data type: Boolean
Default value: false
krb5_kpasswd
Data type: Optional[String]
Default value: undef
krb5_ccachedir
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
krb5_ccname_template
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
krb5_auth_timeout
Data type: Integer
Default value: 15
krb5_validate
Data type: Boolean
Default value: false
krb5_keytab
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
krb5_store_password_if_offline
Data type: Boolean
Default value: false
krb5_renewable_lifetime
Data type: Optional[String]
Default value: undef
krb5_lifetime
Data type: Optional[String]
Default value: undef
krb5_renew_interval
Data type: Integer
Default value: 0
krb5_use_fast
Data type: Optional[Enum['never','try','demand']]
Default value: undef
sssd::provider::ldap
Define: sssd::provider::ldap
This define sets up the 'ldap' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf.
Configuration notes:
-
See sssd-ldap.conf(5) for additional information.
-
Be careful with the following configuration:
- ldap_netgroup_search_base
- ldap_user_search_base
- ldap_group_search_base
- ldap_sudo_search_base
- ldap_autofs_search_base
-
Be sure to read the man page for the following advanced configuration:
- ldap_idmap_range_min
- ldap_idmap_range_max
- ldap_idmap_range_size
- ldap_idmap_default_domain_sid
- ldap_idmap_default_domain
- ldap_idmap_autorid_compat
Regarding: POODLE - CVE-2014-3566
The tls_cipher_suite variable is set to HIGH:-SSLv2 by default because OpenLDAP cannot set the SSL provider natively. By default, it will run TLSv1 but cannot handle TLSv1.2 therefore the SSLv3 ciphers cannot be eliminated. Take care to ensure that your clients only connect with TLSv1 if possible.
Advanced Configuration - Read the man page
Parameters
The following parameters are available in the sssd::provider::ldap
defined type:
name
strip_128_bit_ciphers
debug_level
debug_timestamps
debug_microseconds
ldap_uri
ldap_backup_uri
ldap_chpass_uri
ldap_chpass_backup_uri
ldap_chpass_update_last_change
ldap_search_base
ldap_schema
ldap_default_bind_dn
ldap_default_authtok_type
ldap_default_authtok
ldap_user_cert
ldap_user_object_class
ldap_user_name
ldap_user_uid_number
ldap_user_gid_number
ldap_user_gecos
ldap_user_home_directory
ldap_user_shell
ldap_user_uuid
ldap_user_objectsid
ldap_user_modify_timestamp
ldap_user_shadow_last_change
ldap_user_shadow_min
ldap_user_shadow_max
ldap_user_shadow_warning
ldap_user_shadow_inactive
ldap_user_shadow_expire
ldap_user_krb_last_pwd_change
ldap_user_krb_password_expiration
ldap_user_ad_account_expires
ldap_user_ad_user_account_control
ldap_ns_account_lock
ldap_user_nds_login_disabled
ldap_user_nds_login_expiration_time
ldap_user_nds_login_allowed_time_map
ldap_user_principal
ldap_user_extra_attrs
ldap_user_ssh_public_key
ldap_force_upper_case_realm
ldap_enumeration_refresh_timeout
ldap_purge_cache_timeout
ldap_user_fullname
ldap_user_member_of
ldap_user_authorized_service
ldap_user_authorized_host
ldap_group_object_class
ldap_group_name
ldap_group_gid_number
ldap_group_member
ldap_group_uuid
ldap_group_objectsid
ldap_group_modify_timestamp
ldap_group_type
ldap_group_nesting_level
ldap_groups_use_matching_rule_in_chain
ldap_initgroups_use_matching_rule_in_chain
ldap_use_tokengroups
ldap_netgroup_object_class
ldap_netgroup_name
ldap_netgroup_member
ldap_netgroup_triple
ldap_netgroup_uuid
ldap_netgroup_modify_timestamp
ldap_service_name
ldap_service_port
ldap_service_proto
ldap_service_search_base
ldap_search_timeout
ldap_enumeration_search_timeout
ldap_network_timeout
ldap_opt_timeout
ldap_connection_expire_timeout
ldap_page_size
ldap_disable_paging
ldap_disable_range_retrieval
ldap_sasl_minssf
ldap_deref_threshold
ldap_tls_reqcert
ldap_tls_cacert
app_pki_ca_dir
app_pki_key
app_pki_cert
strip_128_bit_ciphers
ldap_tls_cipher_suite
ldap_id_use_start_tls
ldap_id_mapping
ldap_min_id
ldap_max_id
ldap_sasl_mech
ldap_sasl_authid
ldap_sasl_realm
ldap_sasl_canonicalize
ldap_krb5_keytab
ldap_krb5_init_creds
ldap_krb5_ticket_lifetime
krb5_server
krb5_backup_server
krb5_realm
krb5_canonicalize
krb5_use_kdcinfo
ldap_pwd_policy
ldap_referrals
ldap_dns_service_name
ldap_chpass_dns_service_name
ldap_access_filter
ldap_account_expire_policy
ldap_access_order
ldap_pwdlockout_dn
ldap_deref
ldap_sudorule_object_class
ldap_sudorule_name
ldap_sudorule_command
ldap_sudorule_host
ldap_sudorule_user
ldap_sudorule_option
ldap_sudorule_runasuser
ldap_sudorule_runasgroup
ldap_sudorule_notbefore
ldap_sudorule_notafter
ldap_sudorule_order
ldap_sudo_full_refresh_interval
ldap_sudo_smart_refresh_interval
ldap_sudo_use_host_filter
ldap_sudo_hostnames
ldap_sudo_ip
ldap_sudo_include_netgroups
ldap_sudo_include_regexp
ldap_autofs_map_master_name
ldap_autofs_map_object_class
ldap_autofs_map_name
ldap_autofs_entry_object_class
ldap_autofs_entry_key
ldap_autofs_entry_value
ldap_netgroup_search_base
ldap_user_search_base
ldap_group_search_base
ldap_sudo_search_base
ldap_autofs_search_base
ldap_idmap_range_min
ldap_idmap_range_max
ldap_idmap_range_size
ldap_idmap_default_domain_sid
ldap_idmap_default_domain
ldap_idmap_autorid_compat
name
The name of the associated domain section in the configuration file
strip_128_bit_ciphers
Data type: Boolean
DEPRECATED - EL6-only - Will be removed in a future release
Default value: true
debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef
debug_timestamps
Data type: Optional[Boolean]
Default value: undef
debug_microseconds
Data type: Boolean
Default value: false
ldap_uri
Data type: Optional[Array[Simplib::URI,1]]
Default value: simplib::lookup('simp_options::ldap::uri', { 'default_value' => undef })
ldap_backup_uri
Data type: Optional[Array[Simplib::URI,1]]
Default value: undef
ldap_chpass_uri
Data type: Optional[Array[Simplib::URI,1]]
Default value: undef
ldap_chpass_backup_uri
Data type: Optional[Array[Simplib::URI,1]]
Default value: undef
ldap_chpass_update_last_change
Data type: Boolean
Default value: true
ldap_search_base
Data type: Optional[String[1]]
Default value: simplib::lookup('simp_options::ldap::base_dn', { 'default_value' => undef })
ldap_schema
Data type: Sssd::LdapSchema
Default value: 'rfc2307'
ldap_default_bind_dn
Data type: Optional[String[1]]
Default value: simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => undef })
ldap_default_authtok_type
Data type: Optional[Sssd::LdapDefaultAuthtok]
Default value: undef
ldap_default_authtok
Data type: Optional[String[1]]
Default value: simplib::lookup('simp_options::ldap::bind_pw', { 'default_value' => undef })
ldap_user_cert
Data type: Optional[String[1]]
Default value: undef
ldap_user_object_class
Data type: Optional[String[1]]
Default value: undef
ldap_user_name
Data type: Optional[String[1]]
Default value: undef
ldap_user_uid_number
Data type: Optional[String[1]]
Default value: undef
ldap_user_gid_number
Data type: Optional[String[1]]
Default value: undef
ldap_user_gecos
Data type: Optional[String[1]]
Default value: undef
ldap_user_home_directory
Data type: Optional[String[1]]
Default value: undef
ldap_user_shell
Data type: Optional[String[1]]
Default value: undef
ldap_user_uuid
Data type: Optional[String[1]]
Default value: undef
ldap_user_objectsid
Data type: Optional[String[1]]
Default value: undef
ldap_user_modify_timestamp
Data type: Optional[String[1]]
Default value: undef
ldap_user_shadow_last_change
Data type: Optional[String[1]]
Default value: undef
ldap_user_shadow_min
Data type: Optional[String[1]]
Default value: undef
ldap_user_shadow_max
Data type: Optional[String[1]]
Default value: undef
ldap_user_shadow_warning
Data type: Optional[String[1]]
Default value: undef
ldap_user_shadow_inactive
Data type: Optional[String[1]]
Default value: undef
ldap_user_shadow_expire
Data type: Optional[String[1]]
Default value: undef
ldap_user_krb_last_pwd_change
Data type: Optional[String[1]]
Default value: undef
ldap_user_krb_password_expiration
Data type: Optional[String[1]]
Default value: undef
ldap_user_ad_account_expires
Data type: Optional[String[1]]
Default value: undef
ldap_user_ad_user_account_control
Data type: Optional[String[1]]
Default value: undef
ldap_ns_account_lock
Data type: Optional[String[1]]
Default value: undef
ldap_user_nds_login_disabled
Data type: Optional[String[1]]
Default value: undef
ldap_user_nds_login_expiration_time
Data type: Optional[String[1]]
Default value: undef
ldap_user_nds_login_allowed_time_map
Data type: Optional[String[1]]
Default value: undef
ldap_user_principal
Data type: Optional[String[1]]
Default value: undef
ldap_user_extra_attrs
Data type: Optional[Array[String[1],1]]
Default value: undef
ldap_user_ssh_public_key
Data type: Optional[String[1]]
Default value: undef
ldap_force_upper_case_realm
Data type: Boolean
Default value: false
ldap_enumeration_refresh_timeout
Data type: Optional[Integer[0]]
Default value: undef
ldap_purge_cache_timeout
Data type: Optional[Integer[0]]
Default value: undef
ldap_user_fullname
Data type: Optional[String[1]]
Default value: undef
ldap_user_member_of
Data type: Optional[String[1]]
Default value: undef
ldap_user_authorized_service
Data type: Optional[String[1]]
Default value: undef
ldap_user_authorized_host
Data type: Optional[String[1]]
Default value: undef
ldap_group_object_class
Data type: Optional[String[1]]
Default value: undef
ldap_group_name
Data type: Optional[String[1]]
Default value: undef
ldap_group_gid_number
Data type: Optional[String[1]]
Default value: undef
ldap_group_member
Data type: Optional[String[1]]
Default value: undef
ldap_group_uuid
Data type: Optional[String[1]]
Default value: undef
ldap_group_objectsid
Data type: Optional[String[1]]
Default value: undef
ldap_group_modify_timestamp
Data type: Optional[String[1]]
Default value: undef
ldap_group_type
Data type: Optional[Integer]
Default value: undef
ldap_group_nesting_level
Data type: Optional[Integer]
Default value: undef
ldap_groups_use_matching_rule_in_chain
Data type: Boolean
Default value: false
ldap_initgroups_use_matching_rule_in_chain
Data type: Boolean
Default value: false
ldap_use_tokengroups
Data type: Boolean
Default value: false
ldap_netgroup_object_class
Data type: Optional[String[1]]
Default value: undef
ldap_netgroup_name
Data type: Optional[String[1]]
Default value: undef
ldap_netgroup_member
Data type: Optional[String[1]]
Default value: undef
ldap_netgroup_triple
Data type: Optional[String[1]]
Default value: undef
ldap_netgroup_uuid
Data type: Optional[String[1]]
Default value: undef
ldap_netgroup_modify_timestamp
Data type: Optional[String[1]]
Default value: undef
ldap_service_name
Data type: Optional[String[1]]
Default value: undef
ldap_service_port
Data type: Optional[String[1]]
Default value: undef
ldap_service_proto
Data type: Optional[String[1]]
Default value: undef
ldap_service_search_base
Data type: Optional[String[1]]
Default value: undef
ldap_search_timeout
Data type: Optional[Integer[0]]
Default value: undef
ldap_enumeration_search_timeout
Data type: Optional[Integer[0]]
Default value: undef
ldap_network_timeout
Data type: Optional[Integer[0]]
Default value: undef
ldap_opt_timeout
Data type: Optional[Integer[0]]
Default value: undef
ldap_connection_expire_timeout
Data type: Optional[Integer[0]]
Default value: undef
ldap_page_size
Data type: Optional[Integer[0]]
Default value: undef
ldap_disable_paging
Data type: Boolean
Default value: false
ldap_disable_range_retrieval
Data type: Boolean
Default value: false
ldap_sasl_minssf
Data type: Optional[Integer]
Default value: undef
ldap_deref_threshold
Data type: Optional[Integer[0]]
Default value: undef
ldap_tls_reqcert
Data type: Sssd::LdapTlsReqcert
Default value: 'demand'
ldap_tls_cacert
Data type: Optional[String[1]]
Default value: undef
app_pki_ca_dir
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
app_pki_key
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
app_pki_cert
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
strip_128_bit_ciphers
Default value: true
ldap_tls_cipher_suite
Data type: Array[String[1]]
Default value: ['HIGH','-SSLv2']
ldap_id_use_start_tls
Data type: Boolean
Default value: true
ldap_id_mapping
Data type: Boolean
Default value: false
ldap_min_id
Data type: Optional[Integer[0]]
Default value: undef
ldap_max_id
Data type: Optional[Integer[0]]
Default value: undef
ldap_sasl_mech
Data type: Optional[String[1]]
Default value: undef
ldap_sasl_authid
Data type: Optional[String[1]]
Default value: undef
ldap_sasl_realm
Data type: Optional[String[1]]
Default value: undef
ldap_sasl_canonicalize
Data type: Boolean
Default value: false
ldap_krb5_keytab
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
ldap_krb5_init_creds
Data type: Boolean
Default value: true
ldap_krb5_ticket_lifetime
Data type: Optional[Integer]
Default value: undef
krb5_server
Data type: Optional[Array[String[1],1]]
Default value: undef
krb5_backup_server
Data type: Optional[Array[String[1],1]]
Default value: undef
krb5_realm
Data type: Optional[String[1]]
Default value: undef
krb5_canonicalize
Data type: Boolean
Default value: false
krb5_use_kdcinfo
Data type: Boolean
Default value: true
ldap_pwd_policy
Data type: Enum['none','shadow','mit_kerberos']
Default value: ($ldap_account_expire_policy == 'shadow') ? { true => 'shadow', default => 'none'
ldap_referrals
Data type: Boolean
Default value: true
ldap_dns_service_name
Data type: Optional[String[1]]
Default value: undef
ldap_chpass_dns_service_name
Data type: Optional[String[1]]
Default value: undef
ldap_access_filter
Data type: Optional[String[1]]
Default value: undef
ldap_account_expire_policy
Data type: Sssd::LdapAccountExpirePol
Set this to '' when you want to omit this configuration in order to use the system default.
Default value: 'shadow'
ldap_access_order
Data type: Sssd::LdapAccessOrder
Default value: ['expire','lockout','ppolicy','pwd_expire_policy_renew']
ldap_pwdlockout_dn
Data type: Optional[String[1]]
Default value: undef
ldap_deref
Data type: Optional[Sssd::LdapDeref]
Default value: undef
ldap_sudorule_object_class
Data type: Optional[String[1]]
Default value: undef
ldap_sudorule_name
Data type: Optional[String[1]]
Default value: undef
ldap_sudorule_command
Data type: Optional[String[1]]
Default value: undef
ldap_sudorule_host
Data type: Optional[String[1]]
Default value: undef
ldap_sudorule_user
Data type: Optional[String[1]]
Default value: undef
ldap_sudorule_option
Data type: Optional[String[1]]
Default value: undef
ldap_sudorule_runasuser
Data type: Optional[String[1]]
Default value: undef
ldap_sudorule_runasgroup
Data type: Optional[String[1]]
Default value: undef
ldap_sudorule_notbefore
Data type: Optional[String[1]]
Default value: undef
ldap_sudorule_notafter
Data type: Optional[String[1]]
- Fri Sep 13 2024 Steven Pritchard steve@sicura.us - 7.11.0
- [puppetsync] Update module dependencies to support simp-iptables 7.x
- Wed Apr 10 2024 Mike Riddle mike@sicura.us - 7.10.0
- Added the pam_cert_auth parameter to the pam service
- Added the ldap_user_cert parameter to the ldap provider
- Users can now specify ldap providers via hieradata using sssd::ldap_providers
- Wed Nov 29 2023 Virus2500 _________@gmail.com - 7.9.0
- add domain option ldap_user_search_filter
- Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 7.8.0
- [puppetsync] Add EL9 support
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 7.7.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
- These updates may include the following:
- Thu Aug 31 2023 Steven Pritchard steve@sicura.us - 7.6.0
- Add AlmaLinux 8 support
- Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 7.5.0
- Add RockyLinux 8 support
-
Thu Aug 25 2022 Chris Tessmer chris.tessmer@onyxpoint.com - 7.4.2
- Fixed:
- Made the
ldap_uri
parameter optional
- Made the
- Fixed:
-
Fri Jul 15 2022 Mark Fitch mark.fitch1@hotmail.com - 7.4.1
- Fixed:
- Added missing parameters
ldap_user_extra_attrs
andldap_user_ssh_public_key
to allow SSH keys to be fetched from AD
- Added missing parameters
- Fixed:
-
Wed Jun 22 2022 Yehuda Katz ykatz@cs.umd.edu - 7.4.1
- Allow
krb5_server
to be optional as implemented in the template
- Fri Jun 03 2022 Chris Tessmer chris.tessmer@onyxpoint.com - 7.4.0
- Update from camptocamp/systemd to puppet/systemd
- Thu May 26 2022 Chris Tessmer chris.tessmer@onyxpoint.com - 7.3.0
- Changed:
- Made provider parameters Optional to support certain AD/realmd configurations:
- sssd::provider::krb5::krb5_server
- sssd::provider::ldap::ldap_search_base
- sssd::provider::ldap::ldap_default_bind_dn
- Made provider parameters Optional to support certain AD/realmd configurations:
- Fixed:
- nil? bug in template for ad provider
- Fri Aug 27 2021 Henry Pauli henry+spam@mixict.nl - 7.2.0
- Add an option in sssd::install to not install sssd client. This aids in better compatibility with non RedHat based systems where the ssssd-client package may not exists.
- Thu Aug 05 2021 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.1
- Add an override for sssd-sudo.service to start it as root:root. This aligns with how sssd itself would start the service and the daemon cannot access /var/lib/sss/db/config.ldb otherwise.
- Thu Jun 17 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 7.1.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Thu Jun 03 2021 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.0.2
- Added tests for ds389 ldap server
- SSSD will not start and the module fail if no domains are defined. The enable_files_domain setting is set to true to ensure that sssd will start.
- Wed Jun 02 2021 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.1
- Fixed:
- sssd-sudo.socket service
- Wed May 19 2021 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0
- Fixed:
sssd::provider::ldap::ldap_pwd_policy
is based on the value inldap_account_expire_policy
to properly account for non-shadow systemssssd::provider::ldap::ldap_access_order
is set to the modern set- A typo in the
sssd::LdapAccountExpirePol
data type was fixed - Ported the krb5 ERB template to EPP and fixed a typo
- Removed:
sssd::manage_service
- obsoletesssd::ldap_access_order_defaults()
- obsolelte- Removed EL6-only artifacts
- Removed the
LOCAL
domain - Support for Puppet 5 was dropped
- Changed:
- Fail if a version of
sssd
is being managed < 1.16.0 - Now use the
/etc/sssd/conf.d
directory instead ofconcat
- The
sssd::service
class is now private - Moved the
/etc/sssd
directory configuration intosssd::config
- Fail if a version of
- Added:
sssd::config::entry
defined type which allows consistent management of permissions and dependencies on config files- Users can set
sssd::custom_config
to aString
that will be placed into/etc/sssd/conf.d/zz_puppet_custom.conf
- Allow users to optionally purge the
/etc/sssd/conf.d
directory (disabled by default) - Trigger the
sssd-sudo.socket
service instead of including the service in the main configuration per thesssd
documentation and error messages in the logs - Support for puppetlabs/stdlib 7 was added
- Thu Feb 18 2021 Trevor Vaughan tvaughan@onyxpoint.com - 6.4.0-0
- Ensure that systems bound to FreeIPA, but not connected do not cause compilation issues.
- Wed Jan 13 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.4.0-0
- Removed EL6 from supported OSes
- Added puppet 7 support
- Thu Apr 23 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.1-0
- Ensure that EL6/7+ use the 'files' or 'local' provider as is appropriate for their platform
- Migrate the documentation to focus on the 'files' provider since 'local' is not recommended to be used any longer
- Fixed the core acceptance tests
- Tue Jan 21 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.3.0-0
- Added EL8 support
- Removed requirement for sssd domain entry for el8 and SSSD V2 since using the implicit files provider is valid and even recommended for performance by some. An sssd domain is still required for el6 and el7.
- Automatically include the service section if the service is included in sssd::services.
- Removed deprecated variables from ldap provider for EL8.
- Added new variables for providers in EL8.
- Added ifp to list of services in service type
- Added files to types of providers
- Added support for simplib version 4.0
- Tue Jun 04 2019 steven.pritchard steven.pritchard@onyxpoint.com - 6.2.0-0
- Add v2 compliance_markup data
- Thu Mar 14 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.6-0
- Fix the Active Directory tests
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.1.6-0
- Expanded the upper limit of the stdlib Puppet module version
- Updated URLs in the README.md
- Fri Feb 22 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.5-0
- Change the sssd::provider::ldap::ldap_access_order defaults to ['ppolicy','pwd_expire_policy_renew'] by default to prevent accidental system lockouts on upgrade.
- Mon Jan 21 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.4-0
- Generated a REFERENCE.md
- Set the 'min_id' settings across the board to '1' to match the sssd defaults since they really have nothing to do with the target system's relationship with a centralized authentication service.
- Update the sssd::provider::ldap::ldap_access_order parameter to support the
ppolicy related options that were added in sssd 1.14.0
- ppolicy
- pwd_expire_policy_reject
- pwd_expire_policy_warn
- pwd_expire_policy_renew
- Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.3-0
- Changed $sssd::install::package_ensure from 'latest' to 'installed'
- It will also respect
simp_options::package_ensure
- It will also respect
- Tue Sep 18 2018 Adam Yohrling adam.yohrling@onyxpoint.com - 6.1.3-0
- Added OracleLinux to operating system check for 128 bit cipher work-around
- Tue Aug 28 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.3-0
- Fixed a bug in which the ldap_account_expire_policy setting for the LDAP provider could not be configured to use the system default. Now, when sssd::provider::ldap::ldap_account_expire_policy is set to '', that configuration parameter will not be written to the sssd configuration file. This allows the system default to be applied.
- Fixed a bug in which any boolean setting for the LDAP provider configuration could not be configured to be 'false'.
- Fixed bugs in which sssd::provider::ldap::debug_timestamps and sssd::provider::ldap::ldap_search_timeout were erroneously typed to be strings, instead of a Boolean and an Integer, respectively.
- Fixed bugs in which ad_enable_dns_sites, ad_enable_gc settings, dyndns_update, dyndns_update_ptr, krb5_use_enterprise_principal, and ldap_idmap_autorid_compat settings for the AD provider could not be configured to be 'false'.
- Fixed bugs in which ad_gpo_map_interactive, ad_gpo_map_remote_interactive, ad_gpo_map_network, ad_gpo_map_batch, ad_gpo_map_service, ad_gpo_map_permit and ad_gpo_map_deny settings for the AD provider were incorrectly formatted.
- Fixed a bug in which the dyndns_iface setting for the AD provider was not set from sssd::provider::ad::dyndns_ifaces.
- Thu Aug 23 2018 Adam Yohrling adam.yohrling@onyxpoint.com - 6.1.3-0
- Add support for Oracle Enterprise Linux
- Add support for Puppet 5
- Fri Jul 13 2018 Adam Yohrling adam.yohrling@onyxpoint.com - 6.1.3-0
- Added ldap_use_tokengroups, ldap_group_objectsid, ldap_user_objectsid to sssd::provider::ad
- Updated required version of puppetlabs-stdlib to 4.19.0 since fact function is used
- Tue Jun 19 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.2-0
- Avoid changing the permissions from the vendored RPM
- /etc/sssd/ owner is no longer managed
- /etc/sssd/ perms went from 0640 to 0711
- /etc/init.d/sssd went from 0754 to 0755 on EL6
- Update version range of auditd dependency in metadata.json
- Cleanup requires in metadata.json
- Cleanup unneeded fixtures and update CI assets
- Wed Mar 28 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.1-0
- sssd::provider::ad::ldap_schema should be a string, not a boolean
- AD test cleanup
- Wed Mar 14 2018 Philippe Muller philippe.muller@gmail.com - 6.1.0-0
- Allow passing ldap_tls_cacert to sssd::provider::ldap
- Wed Feb 28 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.0-0
- Some template and concat changes to make debugging the module easier
- Add headers to more easily diagnose where to stick params
- Order the concat sections
- Add some missing params from sssd::provider::ad
- default_shell
- dyndns_update
- fallback_homedir
- krb5_realm
- krb5_store_password_if_offline
- ldap_schema
- Fri Jan 19 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.0-0
- Added sssd class option to automatically configure SSSD for an IPA domain, when the host is joined to an IPA domain.
- Fri Dec 15 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.1.0-0
- Leveraged PR from Mark Fitch to add ima provider configuration
- Wed Dec 13 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.0-0
- Enforce limits set in /etc/login.defs for uid_min and uid_max by default and fall back to something sensible for SSSD
- Mon Sep 18 2017 Lucas Yamanishi lucas.yamanishi@onyxpoint.com - 6.0.4-0
- Set minimum length on sssd::domains
- Mon Sep 11 2017 Judy Johnson judy.johnson@onyxpoint.com - 6.0.3-0
- Only enable 'try_inotify' if explicitly set
- Wed Aug 30 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.3-0
- Sssd::DebugLevel now handles all variants specfied in sssd.conf man page
- All instances of debug_level are now typed as Sssd::DebugLevel
- Thu Jul 06 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.2-0
- Confine puppet version in metadata.json
- Fri Apr 07 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.1-0
- Worked around a bug in EL6 where the ldap client library incorrectly handles 128 bit ciphers in the cipher list
- Fri Mar 17 2017 Clayton Mentzer, Liz Nemsick 6.0.0-1
- Updated README
- Update puppet version in .travis.yaml
- Thu Feb 09 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.0.0-0
- Changed type of debug level to be consistent for all modules.
- Mon Jan 23 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0
- Migrated to using puppetlabs-concat
- Added support for Active Directory Domains
- Thu Jan 12 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Updated to use new pki scheme.
- Application certs now managed in /etc/pki/simp_apps/sssd/x509
- Strongly typed
- Mon Dec 19 2016 Jeanne Greulich jgreulich@onyxpoint.com - 6.0.0-0
- Update Global Catalysts
- Wed Nov 23 2016 Jeanne Greulich jgreulich@onyxpoint.com - 5.0.0-0
- Fix dependancies for simp 6 bump
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0
- Updated to compliance_markup version 2
- Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.
- Mon Aug 01 2016 Nicholas Hughes nicholasmhughes@gmail.com - 4.1.3-0
- Fixed incorrect variable references in ldap.erb.
- Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.2-0
- Migrated use_simp_pki to a global catalyst.
- Mon Mar 14 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-0
- Moved to Semantic Versioning 2.0
- Fixed a bug in the LDAP provider where we had
ldap_chpass_updates_last_change
as well asldap_chpass_update_last_change
. These were consolidated into a correct singleldap_chpass_update_last_change
Boolean. - Removed RPM dependencies on 'simp-boostrap' and 'puppet' since these are technically not necessary for just installing the module.
- Tue Mar 01 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-9
- Added compliance function support
- Thu Dec 24 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8
- Added an sssd::install::client class for installing only the client libraries.
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-7
- migration to simplib and simpcat (lib/ only)
- Thu Apr 02 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7
- Fixed variable references in some templates.
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6
- Migrated to the new 'simp' environment.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4
- Changed puppet-server requirement to puppet
- Thu Nov 06 2014 Chris Tessmer ctessmer@onyxpoint.com - 4.1.0-3
- Remove sssd::conf as it is no longer needed and causes duplicate concat_fragment error
- Fri Oct 17 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2
-
CVE-2014-3566: Updated cipher suites to help mitigate POODLE.
-
The tls_cipher_suite variable is set to HIGH:-SSLv2 because OpenLDAP cannot set the SSL provider natively. By default, it will run TLSv1 but cannot handle TLSv1.2 therefore the SSLv3 ciphers cannot be eliminated. Take care to ensure that your clients only connect with TLSv1 if possible.
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1
- Removed MD5 file checksums for FIPS compliance.
- Mon Apr 14 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-0
- Refactored manifests to pass all lint tests.
- Removed all singleton defines.
- Added spec tests.
- Fri Apr 04 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- Added some validation and removed the 'stock' class. It now resides in the 'simp' module.
- Collapsed the sssd::conf class into sssd.
- Thu Feb 13 2014 Kendall Moore kmoore@keywcorp.com - 4.0.0-1
- Converted all string booleans to native booleans.
- Fri Oct 25 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0
- Updated all 'source' File parameters to use the modules directory for Puppet 3 compatibility.
- Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com 2.0.0-8
- Updated all erb templates to properly scope variables.
- Mon Jan 07 2013 Maintenance 2.0.0-7
- Created a Cucumber test to toggle the sssd flag to true and ensure that the sssd service is running and the nscd service is stopped.
- Thu Jun 07 2012 Maintenance 2.0.0-6
- Ensure that Arrays in templates are flattened.
- Call facts as instance variables.
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance 2.0.0-5
- Improved test stubs.
- Mon Dec 26 2011 Maintenance 2.0-4
- Updated the spec file to not require a separate file list.
- Mon Oct 03 2011 Maintenance 2.0-3
- Updates to work around the fact that the latest version of SSSD will silently allow expired users to access the system due to bugs in the way it works with OpenLDAP.
- Fri Jul 15 2011 Maintenance 2.0-2
- Ensure that the minimum uid for LDAP is set to 501 by default.
- Wed May 25 2011 Maintenance - 2.0.0-1
- Updated to fix a bug where nscd was not getting shut down at boot time and sssd was not triggered to start.
- Tue Apr 05 2011 Maintenance - 2.0.0-0
- Initial offering of the SSSD module.
- The use requires the $use_sssd variable to be set to 'true' within scope.
Dependencies
- puppet/systemd (>= 4.0.2 < 8.0.0)
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
pupmod-simp-sssd - A Puppet Module for managing SSSD -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.