Forge Home

centrify

Puppet module to manage Centrify Express

53,954 downloads

18,552 latest version

4.3 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Support the Puppet Community by contributing to this module

You are welcome to contribute to this module by suggesting new features, currency updates, or fixes. Every contribution is valuable to help ensure that the module remains compatible with the latest Puppet versions and continues to meet community needs. Complete the following steps:

  1. Review the module’s contribution guidelines and any licenses. Ensure that your planned contribution aligns with the author’s standards and any legal requirements.
  2. Fork the repository on GitHub, make changes on a branch of your fork, and submit a pull request. The pull request must clearly document your proposed change.

For questions about updating the module, contact the module’s author.

Version information

  • 1.0.2 (latest)
  • 1.0.1
  • 1.0.0
  • 0.3.0
  • 0.2.0
  • 0.1.0
released Mar 29th 2017
This version is compatible with:
  • Puppet Enterprise 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.0.0 < 5.0.0
  • ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'walkamongus-centrify', '1.0.2'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add walkamongus-centrify
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install walkamongus-centrify --version 1.0.2

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download
Tags: centrify

Documentation

walkamongus/centrify — version 1.0.2 Mar 29th 2017

Build Status

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with centrify
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.

Overview

This module installs and configures the Centrify Express Direct Control Agent and the Centrify-enabled OpenSSH daemon.

Module Description

Centrify Express is a free utility for integrating Linux/Unix clients into an Active Directory infrastructure.

This module will install the DC agent and OpenSSH packages, configure their respective configuration files, and join and Active Directory domain via one of two methods:

  • Username and password
  • Kerberos keytab file

It also manages the Centrify DC agent and OpenSSH daemons.

Setup

What centrify affects

  • Packages
    • centrifydc
    • centrifydc-openssh
  • Files
    • /etc/centrifydc/centrifydc.conf
    • /etc/centrifydc/ssh/sshd_config
    • /etc/krb5.conf (optional initialization)
    • /etc/centrifydc/users.allow
    • /etc/centrifydc/users.deny
    • /etc/centrifydc/groups.allow
    • /etc/centrifydc/groups.deny
  • Services
    • centrifydc
    • centrifydc-sshd
  • Cron
    • flush and reload cronjob
  • Execs
    • for username and password joins
      • the adjoin command is run with supplied credentials
    • for keytab joins
      • the kerberos config file (/etc/krb5.conf) will be removed if it contains the string 'EXAMPLE.COM' to allow for the module to initialize the proper contents if initialization is requested
      • the kinit command is run to obtain an initial TGT
      • the adjoin command is run to join via keytab
    • the adflush and adreload commands are run post-join
    • the adjoin command is run to precreate computer and extension objects if precreate => true
    • the adlicense --express command is run if use_express_license => true (the default) and licensed features are enabled

Setup Requirements

  • Packages
    • this module assumes that the centrify packages are available via the native package management commands i.e. the packages are available via a repository known to the system
  • Puppet
    • pluginsync must be enabled
  • Keytabs
    • this module does not manage keytabs -- the krb_keytab parameter is an absolute path to a keytab deployed in some way outside of this module

Beginning with centrify

Set up a basic Centrify Express installation and join an Active Directory domain via username and password:

class { '::centrify':
  domain        => 'example.com',
  join_user     => 'user',
  join_password => 'password',
}

Usage

Set up Centrify Express and join an Active Directory domain via a keytab (initializing a basic krb5.conf file), allow a list of users, set a configuration directive in the centrifydc.conf file, and install a daily cronjob that flushes and reloads Centrify:

class { '::centrify':
  join_user             => 'joinuser',
  domain                => 'example.com',
  join_type             => 'keytab',
  krb_keytab            => '/etc/example.keytab',
  initialize_krb_config => true,
  install_flush_cronjob => true,
  allow_users           => [
    'user1',
    'user2',
  ],
  krb_config            => {
    'libdefaults'  => {
      'dns_lookup_realm' => 'false',
      'ticket_lifetime'  => '24h',
      'renew_lifetime'   => '7d',
      'forwardable'      => 'true',
      'rdns'             => 'false',
      'default_realm'    => 'EXAMPLE.COM',
    },
    'realms'       => {
      'EXAMPLE.COM' => {
        'kdc'          => 'kerberos.example.com',
        'admin_server' => 'kerberos.example.com',
      },
    },
    'domain_realm' => {
      '.example.com' => 'EXAMPLE.COM',
      'example.com'  => 'EXAMPLE.COM',
    },
  },
}

centrifydc_line { 'nss.runtime.defaultvalue.var.home':
  ensure => present,
  value  => '/home',
}

Reference

###Parameters

  • dc_package_name: String. Name of the centrifydc package.
  • sshd_package_name: String. Name of the centrifydc-openssh package.
  • dc_package_ensure: String. Set to 'present' or 'absent'.
  • sshd_package_ensure: String. Set to 'present' or 'absent'.
  • dc_service_name: String. Name of the centrifydc service daemon.
  • sshd_service_name: String. Name of the centrifydc-sshd service daemon.
  • sshd_service_ensure: String. Value of the ensure parameter of the sshd service resource.
  • sshd_service_enable: Boolean. Value for the enable parameter of the sshd service resource.
  • dc_config_file: String. Absolute path to the centrifydc.conf file.
  • sshd_config_file: String. Absolute path to the centrify sshd_config file.
  • krb_config_file: String. Absolute path to the kerberos krb5.conf file.
  • allow_users_file: String. Absolute path to the file listing allowed users.
  • deny_users_file: String. Absolute path to the file listing denied users.
  • allow_groups_file: String. Absolute path to the file listing allowed groups.
  • deny_groups_file: String. Absolute path to the file listing denied groups.
  • allow_users: Array. Array of allowed users to be placed in the allow_users_file.
  • deny_users: Array. Array of denied users to be placed in the deny_users_file.
  • allow_groups: Array. Array of allowed groups to be placed in the allow_groups_file.
  • deny_groups: Array. Array of denied groups to be placed in the denied_groups_file.
  • domain: String. Active Directory domain to join.
  • join_type : Enum. What type of domain join to perform. Accepts a value of password, keytab, or selfserve.
  • join_user: String. User account used to join the Active Directory domain.
  • join_password: String. Password for join_user account.
  • krb_keytab: String. Absolute path to the keytab file used to join the domain.
  • initialize_krb_config: Boolean. Whether to initialize krb_config_file with the contents of krb_config.
  • krb_config: Hash. Configuration used to initialize krb_config_file for performing a keytab join.
  • server : String. Name of DC to join to. Specify if using a join_type of selfserve.
  • zone: String. Name of the zone in which to place the computer account.
  • container: String. LDAP path to the OU container in which to place the computer account.
  • use_express_license: Boolean. If true, set the adlicense to express if licensed features are enabled.
  • install_flush_cronjob: Boolean. Whether to install a cronjob that flushes and reloads Centrify.
  • flush_cronjob_min: String. Cron minute for flush and reload cronjob.
  • flush_cronjob_hour: String. Cron hour for flush and reload cronjob.
  • flush_cronjob_monthday: String. Cron day of month for flush and reload cronjob.
  • flush_cronjob_month: String. Cron month for flush and reload cronjob.
  • flush_cronjob_weekday: String. Cron day of week for flush and reload cronjob.
  • extra_args: Array. Array of extra arguments to pass to the adjoin command.
  • precreate: Boolean. If true, adjoin will run to precreate the computer and extension object in AD prior to joining.

###Types

  • centrifydc_line: Set configuration directives in the centrifydc.conf file.

###Classes

  • centrify::install
  • centrify::config
  • centrify::service
  • centrify::join
  • centrify::cron
  • centrify::adjoin::password
  • centrify::adjoin::keytab
  • centrify::adjoin::selfserve

Limitations

This module requires Puppet >= 4.0.0.