Skip to content

Latest commit

 

History

History
4225 lines (2038 loc) · 105 KB

REFERENCE.md

File metadata and controls

4225 lines (2038 loc) · 105 KB

Reference

Table of Contents

Classes

  • sssd: This class allows you to install and configure SSSD. It will forcefully disable nscd which consequently prevents you from using an nscd modu
  • sssd::config: Configuration class called from sssd. Sets up the [sssd] section of '/etc/sssd/sssd.conf', and, optionally, a domain section for the IPA
  • sssd::config::ipa_domain: Configures SSSD for the IPA domain to which the host has joined
  • sssd::install: Install the required packages for SSSD
  • sssd::install::client: Install the sssd-client package
  • sssd::pki: Class: sssd::pki Uses the following sssd class parameters to copy certs into a directory for the sssd application $sssd::pki * If 'simp',
  • sssd::service: Control the sssd service
  • sssd::service::autofs: This class sets up the [autofs] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration. Full documentation of t
  • sssd::service::ifp: This class sets up the [ifp] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration. Full documentation of thes
  • sssd::service::nss: This class sets up the [nss] section of /etc/sssd.conf. You may only have one of these per system. The class parameters map directly to SSSD
  • sssd::service::pac: This class sets up the [pac] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration. Full documentation of thes
  • sssd::service::pam
  • sssd::service::ssh: This class sets up the [ssh] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration. Full documentation of thes
  • sssd::service::sudo: This class sets up the [sudo] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration. Full documentation of the

Defined types

  • sssd::config::entry: Add an entry to the /etc/sssd/conf.d directory
  • sssd::domain: Define: sssd::domain This define sets up a domain section of /etc/sssd.conf. This domain will be named after '$name' and should be listed in
  • sssd::provider::ad: Set up the 'ad' (Active Directory) id_provider section of a particular domain.
  • sssd::provider::files: Configures the 'files' id_provider section of a particular domain.
  • sssd::provider::ipa: This define sets up the 'ipa' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf. See s
  • sssd::provider::krb5: Define: sssd::provider::krb5 This define sets up the 'krb5' provider section of a particular domain. $name should be the name of the associa
  • sssd::provider::ldap: Define: sssd::provider::ldap This define sets up the 'ldap' provider section of a particular domain. $name should be the name of the associa

Functions

  • sssd::supported_version: Returns true if the version of SSSD installed on the system is supported and false otherwise. Assumes that the system is relatively

Data types

Classes

sssd

This class allows you to install and configure SSSD.

It will forcefully disable nscd which consequently prevents you from using an nscd module at the same time, which is the correct behavior.

Full documentation of the parameters that map directly to SSSD configuration options can be found in the sssd.conf(5) man page.

Examples

sssd::provider::ldap in hieradata:
sssd::ldap_providers:
  ldap_users:
    ldap_access_filter: 'memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com'
    ldap_chpass_uri: empty
    ldap_access_order: 'expire'
    etc...

Parameters

The following parameters are available in the sssd class:

authoritative

Data type: Boolean

Whether or not to purge all unmanaged files from /etc/sssd/conf.d.

Default value: false

domains

Data type: Array[String[1, 255]]

The sssd domains to be managed.

Default value: []

debug_level

Data type: Optional[Sssd::DebugLevel]

Default value: undef

debug_timestamps

Data type: Boolean

Default value: true

debug_microseconds

Data type: Boolean

Default value: false

description

Data type: Optional[String[1]]

Default value: undef

enable_files_domain

Data type: Boolean

Default value: true

config_file_version

Data type: Integer[1]

Default value: 2

services

Data type: Sssd::Services

Default value: ['nss','pam','ssh','sudo']

reconnection_retries

Data type: Integer[0]

Default value: 3

re_expression

Data type: Optional[String[1]]

Default value: undef

full_name_format

Data type: Optional[String[1]]

Default value: undef

try_inotify

Data type: Optional[Boolean]

Default value: undef

krb5_rcache_dir

Data type: Optional[String[1]]

Default value: undef

user

Data type: Optional[String[1]]

Default value: undef

default_domain_suffix

Data type: Optional[String[1]]

Default value: undef

override_space

Data type: Optional[String[1]]

Default value: undef

ldap_providers

Data type: Hash

This allows users to set up ldap sssd::provider::ldap resources via hieradata

Default value: {}

enumerate_users

Data type: Boolean

Have SSSD list and cache all the users that it can find on the remote system

  • Take care that you don't overwhelm your server if you enable this

Default value: false

include_svc_config

Data type: Boolean

If set to true, config will loop through the services set in sssd:service and include the configuration section for it. At this time the service sections contain only the most common parameters used. If you need to set a param that is not included you can turn this off and create a custom manifest to add the section you need. If you simply want to change a setting that exists, use hiera.

Default value: true

cache_credentials

Data type: Boolean

Have SSSD cache the credentials of users that login to the system

Default value: true

min_id

Data type: Integer[0]

The lowest user ID that SSSD should recognize from the server.

Default value: 1

auditd

Data type: Boolean

Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false})

pki

Data type: Variant[Boolean,Enum['simp']]

  • If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/sssd/x509
  • If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/sssd/x509
  • If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
    • app_pki_dir
    • app_pki_key
    • app_pki_cert
    • app_pki_ca
    • app_pki_ca_dir

Default value: simplib::lookup('simp_options::pki', { 'default_value' => false})

app_pki_cert_source

Data type: Stdlib::Absolutepath

  • If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.

  • If pki = false, this variable has no effect.

Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509'})

app_pki_dir

Data type: Stdlib::Absolutepath

This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/sssd/x509.

Default value: '/etc/pki/simp_apps/sssd/x509'

auto_add_ipa_domain

Data type: Boolean

Whether to configure sssd for an IPA domain, when the host is joined to an IPA domain. When enabled, this feature helps to prevent user lockout for IPA-managed user accounts. Otherwise, you must configure the IPA domain yourself.

Default value: true

custom_config

Data type: Optional[String[1]]

A configuration that will be added to /etc/sssd/conf.d/00_puppet_custom.conf without validation

Default value: undef

sssd::config

Configuration class called from sssd.

Sets up the [sssd] section of '/etc/sssd/sssd.conf', and, optionally, a domain section for the IPA domain to which the host is joined. When the IPA domain is configured, the IPA domain is automatically added to $domains to generate the list of domains in the [sssd] section.

Parameters

The following parameters are available in the sssd::config class:

authoritative

Data type: Boolean

Set to true to purge unmanaged configuration files

Default value: pick(getvar("${module_name}::authoritative"), false)

sssd::config::ipa_domain

Configures SSSD for the IPA domain to which the host has joined

sssd::install

Install the required packages for SSSD

Parameters

The following parameters are available in the sssd::install class:

install_client

Data type: Boolean

If true, install the sssd client

Default value: true

install_user_tools

Data type: Boolean

If true, install the 'sssd-tools' package for administrative changes to the SSSD databases

Default value: true

package_ensure

Data type: String

Ensure setting for all packages installed by this module

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

sssd::install::client

Install the sssd-client package

Parameters

The following parameters are available in the sssd::install::client class:

ensure

Data type: Any

Ensure setting for 'sssd-client' package

Default value: $::sssd::install::package_ensure

sssd::pki

Class: sssd::pki

Uses the following sssd class parameters to copy certs into a directory for the sssd application

$sssd::pki

  • If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/sssd/x509
  • If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/sssd/x509
  • If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
    • app_pki_dir
    • app_pki_key
    • app_pki_cert
    • app_pki_ca
    • app_pki_ca_dir

$ssd::app_pki_cert_source

  • If $sssd::pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.

  • If $sssd::pki = false, this variable has no effect.

sssd::service

Control the sssd service

Parameters

The following parameters are available in the sssd::service class:

ensure

Data type: Variant[String[1],Boolean]

The ensure parameter of the service resource

Default value: sssd::supported_version()

enable

Data type: Boolean

The enable parameter of the service resource

Default value: sssd::supported_version()

sssd::service::autofs

This class sets up the [autofs] section of /etc/sssd.conf.

The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.

Parameters

The following parameters are available in the sssd::service::autofs class:

description

Data type: Optional[String]

Default value: undef

debug_level

Data type: Optional[Sssd::DebugLevel]

Default value: undef

debug_timestamps

Data type: Boolean

Default value: true

debug_microseconds

Data type: Boolean

Default value: false

autofs_negative_timeout

Data type: Optional[Integer]

Default value: undef

custom_options

Data type: Optional[Hash]

If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.

Default value: undef

sssd::service::ifp

This class sets up the [ifp] section of /etc/sssd.conf.

The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) and sssd-ifp man pages.

Parameters

The following parameters are available in the sssd::service::ifp class:

description

Data type: Optional[String]

Default value: undef

debug_level

Data type: Optional[Sssd::Debuglevel]

Default value: undef

debug_timestamps

Data type: Boolean

Default value: true

debug_microseconds

Data type: Boolean

Default value: false

wildcard_limit

Data type: Optional[Integer[0]]

Default value: undef

allowed_uids

Data type: Optional[Array[String[1]]]

Default value: undef

user_attributes

Data type: Optional[Array[String[1]]]

Default value: undef

custom_options

Data type: Optional[Hash]

If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.

Default value: undef

sssd::service::nss

This class sets up the [nss] section of /etc/sssd.conf. You may only have one of these per system.

The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.

Parameters

The following parameters are available in the sssd::service::nss class:

description

Data type: Optional[String]

Default value: undef

debug_level

Data type: Optional[Sssd::DebugLevel]

Default value: undef

debug_timestamps

Data type: Boolean

Default value: true

debug_microseconds

Data type: Boolean

Default value: false

reconnection_retries

Data type: Integer

Default value: 3

fd_limit

Data type: Optional[Integer]

Default value: undef

command

Data type: Optional[String]

Default value: undef

enum_cache_timeout

Data type: Integer

Default value: 120

entry_cache_nowait_percentage

Data type: Integer

Default value: 0

entry_negative_timeout

Data type: Integer

Default value: 15

filter_users

Data type: String

Default value: 'root'

filter_groups

Data type: String

Default value: 'root'

filter_users_in_groups

Data type: Boolean

Default value: true

override_homedir

Data type: Optional[String]

Default value: undef

fallback_homedir

Data type: Optional[String]

Default value: undef

override_shell

Data type: Optional[String]

Default value: undef

vetoed_shells

Data type: Optional[String]

Default value: undef

default_shell

Data type: Optional[String]

Default value: undef

get_domains_timeout

Data type: Optional[Integer]

Default value: undef

memcache_timeout

Data type: Optional[Integer]

Default value: undef

user_attributes

Data type: Optional[String]

Default value: undef

custom_options

Data type: Optional[Hash]

If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.

Default value: undef

sssd::service::pac

This class sets up the [pac] section of /etc/sssd.conf.

The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.

Parameters

The following parameters are available in the sssd::service::pac class:

description

Data type: Optional[String]

Default value: undef

debug_level

Data type: Optional[Sssd::DebugLevel]

Default value: undef

debug_timestamps

Data type: Boolean

Default value: true

debug_microseconds

Data type: Boolean

Default value: false

allowed_uids

Data type: Array[String]

Default value: []

custom_options

Data type: Optional[Hash]

If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.

Default value: undef

sssd::service::pam

The sssd::service::pam class.

Parameters

The following parameters are available in the sssd::service::pam class:

description

Data type: Optional[String]

Default value: undef

debug_level

Data type: Optional[Sssd::DebugLevel]

Default value: undef

debug_timestamps

Data type: Boolean

Default value: true

debug_microseconds

Data type: Boolean

Default value: false

pam_cert_auth

Data type: Boolean

Default value: false

reconnection_retries

Data type: Integer

Default value: 3

command

Data type: Optional[String]

Default value: undef

offline_credentials_expiration

Data type: Integer

Default value: 0

offline_failed_login_attempts

Data type: Integer

Default value: 3

offline_failed_login_delay

Data type: Integer

Default value: 5

pam_verbosity

Data type: Integer

Default value: 1

pam_id_timeout

Data type: Integer

Default value: 5

pam_pwd_expiration_warning

Data type: Integer

Default value: 7

get_domains_timeout

Data type: Optional[Integer]

Default value: undef

pam_trusted_users

Data type: Optional[String]

Default value: undef

pam_public_domains

Data type: Optional[String]

Default value: undef

custom_options

Data type: Optional[Hash]

Default value: undef

sssd::service::ssh

This class sets up the [ssh] section of /etc/sssd.conf.

The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.

Parameters

The following parameters are available in the sssd::service::ssh class:

description

Data type: Optional[String]

Default value: undef

debug_level

Data type: Optional[Sssd::DebugLevel]

Default value: undef

debug_timestamps

Data type: Boolean

Default value: true

debug_microseconds

Data type: Boolean

Default value: false

ssh_hash_known_hosts

Data type: Boolean

Default value: true

ssh_known_hosts_timeout

Data type: Optional[Integer]

Default value: undef

custom_options

Data type: Optional[Hash]

If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.

Default value: undef

sssd::service::sudo

This class sets up the [sudo] section of /etc/sssd.conf.

The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.

Parameters

The following parameters are available in the sssd::service::sudo class:

description

Data type: Optional[String]

Default value: undef

debug_level

Data type: Optional[Sssd::Debuglevel]

Default value: undef

debug_timestamps

Data type: Boolean

Default value: true

debug_microseconds

Data type: Boolean

Default value: false

sudo_threshold

Data type: Integer[1]

Default value: 50

sudo_timed

Data type: Boolean

Default value: false

custom_options

Data type: Optional[Hash]

If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.

Default value: undef

Defined types

sssd::config::entry

Add an entry to the /etc/sssd/conf.d directory

Parameters

The following parameters are available in the sssd::config::entry defined type:

name

A unique name that will be used for generating the target filename

Should not be fully qualified

content

Data type: String

The content of the target file

order

Data type: Integer[0]

Default value: 50

sssd::domain

Define: sssd::domain

This define sets up a domain section of /etc/sssd.conf. This domain will be named after '$name' and should be listed in your main sssd.conf if you wish to activate it.

You will need to call the associated provider segments to make this fully functional.

It is entirely possible to make a configuration file that is complete nonsense by failing to set the correct combinations of providers. See the SSSD documentation for details.

When you call the associated providers, you should be sure to name them based on the name of this domain.

Full documentation of the parameters that map directly to SSSD configuration options can be found in the sssd.conf(5) man page.

Parameters

The following parameters are available in the sssd::domain defined type:

name

The name of the domain. This will be placed at [domain/$name] in the configuration file.

id_provider

Data type: Sssd::IdProvider

debug_level

Data type: Optional[Sssd::DebugLevel]

Default value: undef

debug_timestamps

Data type: Boolean

Default value: true

debug_microseconds

Data type: Boolean

Default value: false

description

Data type: Optional[String]

Default value: undef

min_id

Data type: Integer[0]

Default value: 1

max_id

Data type: Integer[0]

Default value: 0

enumerate

Data type: Boolean

Default value: false

subdomain_enumerate

Data type: Boolean

Default value: false

force_timeout

Data type: Optional[Integer]

Default value: undef

entry_cache_timeout

Data type: Optional[Integer]

Default value: undef

entry_cache_user_timeout

Data type: Optional[Integer]

Default value: undef

entry_cache_group_timeout

Data type: Optional[Integer]

Default value: undef

entry_cache_netgroup_timeout

Data type: Optional[Integer]

Default value: undef

entry_cache_service_timeout

Data type: Optional[Integer]

Default value: undef

entry_cache_sudo_timeout

Data type: Optional[Integer]

Default value: undef

entry_cache_autofs_timeout

Data type: Optional[Integer]

Default value: undef

entry_cache_ssh_host_timeout

Data type: Optional[Integer]

Default value: undef

refresh_expired_interval

Data type: Optional[Integer]

Default value: undef

cache_credentials

Data type: Boolean

Default value: false

account_cache_expiration

Data type: Integer[0]

Default value: 0

pwd_expiration_warning

Data type: Optional[Integer[0]]

Default value: undef

use_fully_qualified_names

Data type: Boolean

Default value: false

ignore_group_members

Data type: Boolean

Default value: true

access_provider

Data type: Optional[Sssd::AccessProvider]

Default value: undef

auth_provider

Data type: Optional[Sssd::AuthProvider]

Default value: undef

chpass_provider

Data type: Optional[Sssd::ChpassProvider]

Default value: undef

sudo_provider

Data type: Optional[Enum['ldap', 'ipa','ad','none']]

Default value: undef

selinux_provider

Data type: Optional[Enum['ipa', 'none']]

Default value: undef

subdomains_provider

Data type: Optional[Enum['ipa', 'ad','none']]

Default value: undef

autofs_provider

Data type: Optional[Enum['ad', 'ldap', 'ipa','none']]

Default value: undef

hostid_provider

Data type: Optional[Enum['ipa', 'none']]

Default value: undef

re_expression

Data type: Optional[String]

Default value: undef

full_name_format

Data type: Optional[String]

Default value: undef

lookup_family_order

Data type: Optional[String]

Default value: undef

dns_resolver_timeout

Data type: Integer[0]

Default value: 5

dns_discovery_domain

Data type: Optional[String]

Default value: undef

override_gid

Data type: Optional[String]

Default value: undef

case_sensitive

Data type: Variant[Boolean,Enum['preserving']]

Default value: true

proxy_fast_alias

Data type: Boolean

Default value: false

realmd_tags

Data type: Optional[String]

Default value: undef

proxy_pam_target

Data type: Optional[String]

Default value: undef

proxy_lib_name

Data type: Optional[String]

Default value: undef

ldap_user_search_filter

Data type: Optional[String]

custom_options

Data type: Optional[Hash]

If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.

Default value: undef

sssd::provider::ad

NOTE: You MUST connect the system to the domain prior to using this defined type.

Any parameter not explicitly documented directly follows the documentation from sssd-ad(5).

  • See also
    • sssd-ad(5)

Parameters

The following parameters are available in the sssd::provider::ad defined type:

ad_domain

Data type: Optional[String[1]]

Default value: undef

ad_enabled_domains

Data type: Optional[Array[String[1],1]]

An explicit list of AD enabled domains

  • An error will be raised if ad_domain is specified and not in this list

Default value: undef

ad_servers

Data type: Optional[Array[Variant[Simplib::Hostname, Enum['_srv_']]]]

A list of AD servers in failover order

  • Ignored if autodiscovery is enabled

Default value: undef

ad_backup_servers

Data type: Optional[Array[Simplib::Hostname,1]]

A list of AD backup servers in failover order

  • Ignored if autodiscovery is enabled

Default value: undef

ad_hostname

Data type: Optional[Simplib::Hostname]

Default value: undef

ad_enable_dns_sites

Data type: Optional[Boolean]

Default value: undef

ad_access_filters

Data type: Optional[Array[String[1],1]]

A list of access filters for the system

Default value: undef

ad_site

Data type: Optional[String[1]]

Default value: undef

ad_enable_gc

Data type: Optional[Boolean]

Default value: undef

ad_gpo_access_control

Data type: Optional[Enum['disabled','enforcing','permissive']]

Default value: undef

ad_gpo_cache_timeout

Data type: Optional[Integer[1]]

Default value: undef

ad_gpo_map_interactive

Data type: Optional[Array[String[1],1]]

Default value: undef

ad_gpo_map_remote_interactive

Data type: Optional[Array[String[1],1]]

Default value: undef

ad_gpo_map_network

Data type: Optional[Array[String[1],1]]

Default value: undef

ad_gpo_map_batch

Data type: Optional[Array[String[1],1]]

Default value: undef

ad_gpo_map_service

Data type: Optional[Array[String[1],1]]

Default value: undef

ad_gpo_map_permit

Data type: Optional[Array[String[1],1]]

Default value: undef

ad_gpo_map_deny

Data type: Optional[Array[String[1],1]]

Default value: undef

ad_gpo_default_right

Data type: Optional[Sssd::ADDefaultRight]

Default value: undef

ad_gpo_implicit_deny

Data type: Optional[Boolean]

(new in sssd V2.0 and later)

Default value: undef

ad_gpo_ignore_unreadable

Data type: Optional[Boolean]

(new in sssd V2.0 and later)

Default value: undef

ad_maximum_machine_account_password_age

Data type: Optional[Integer[0]]

Default value: undef

ad_machine_account_password_renewal_opts

Data type: Optional[Pattern['^\d+:\d+$']]

Default value: undef

default_shell

Data type: Optional[String[1]]

Default value: undef

dyndns_update

Data type: Boolean

Default value: true

dyndns_ttl

Data type: Optional[Integer]

Default value: undef

dyndns_ifaces

Data type: Optional[Array[String[1],1]]

List of interfaces whose IP Addresses should be used for dynamic DNS updates. Used for the dyndns_iface setting.

  • Has no effect if dyndns_update is not set to true

Default value: undef

dyndns_refresh_interval

Data type: Optional[Integer]

Default value: undef

dyndns_update_ptr

Data type: Optional[Boolean]

Default value: undef

dyndns_force_tcp

Data type: Optional[Boolean]

Default value: undef

dyndns_server

Data type: Optional[Simplib::Hostname]

Default value: undef

override_homedir

Data type: Optional[String[1]]

Default value: undef

fallback_homedir

Data type: Optional[String[1]]

Default value: undef

homedir_substring

Data type: Optional[Stdlib::Absolutepath]

Default value: undef

krb5_realm

Data type: Optional[String[1]]

Default value: $ad_domain

krb5_use_enterprise_principal

Data type: Optional[Boolean]

Default value: undef

krb5_store_password_if_offline

Data type: Boolean

Default value: false

krb5_confd_path

Data type: Optional[Variant[Enum['none'],Stdlib::Absolutepath]]

Default value: undef

ldap_id_mapping

Data type: Boolean

Default value: true

ldap_schema

Data type: Optional[String[1]]

Default value: undef

ldap_idmap_range_min

Data type: Optional[Integer[0]]

Default value: undef

ldap_idmap_range_max

Data type: Optional[Integer[1]]

Default value: undef

ldap_idmap_range_size

Data type: Optional[Integer[1]]

Default value: undef

ldap_idmap_default_domain_sid

Data type: Optional[String[1]]

Default value: undef

ldap_idmap_default_domain

Data type: Optional[String[1]]

Default value: undef

ldap_idmap_autorid_compat

Data type: Optional[Boolean]

Default value: undef

ldap_idmap_helper_table_size

Data type: Optional[Integer[1]]

Default value: undef

ldap_use_tokengroups

Data type: Boolean

Default value: true

ldap_group_objectsid

Data type: Optional[String[1]]

Default value: undef

ldap_user_objectsid

Data type: Optional[String[1]]

Default value: undef

ldap_user_extra_attrs

Data type: Optional[String[1]]

Can be used to enable public key storage for ssh When used this way, set this param and param ldap_user_ssh_public_key to 'altSecurityIdentities'

Default value: undef

ldap_user_ssh_public_key

Data type: Optional[String[1]]

Can be used to enable public key storage for ssh When used this way, set this param and param ldap_user_extra_attrs to 'altSecurityIdentities'

Default value: undef

sssd::provider::files

NOTE: This defined type has no effect on SSSD < 1.16.0

$name should be the name of the associated domain in sssd.conf.

This is not necessary for the file provider unless you want to use files other then /etc/passwd and /etc/group

See man 'sssd-files' for additional information.

Parameters

The following parameters are available in the sssd::provider::files defined type:

name

The name of the associated domain section in the configuration file.

passwd_files

Data type: Optional[Array[Stdlib::Absolutepath]]

Default value: undef

group_files

Data type: Optional[Array[Stdlib::Absolutepath]]

Default value: undef

sssd::provider::ipa

This define sets up the 'ipa' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf.

See sssd-ipa.conf(5) for additional information.

Regarding: POODLE - CVE-2014-3566

The tls_cipher_suite variable is set to HIGH:-SSLv2 by default because OpenLDAP cannot set the SSL provider natively. By default, it will run TLSv1 but cannot handle TLSv1.2 therefore the SSLv3 ciphers cannot be eliminated. Take care to ensure that your clients only connect with TLSv1 if possible.

Parameters

The following parameters are available in the sssd::provider::ipa defined type:

name
ipa_domain

Data type: String[1]

ipa_server

Data type: Array[Simplib::Host]

ipa_backup_server

Data type: Optional[Array[Simplib::Host]]

Default value: undef

ipa_enable_dns_sites

Data type: Boolean

Default value: false

ipa_hostname

Data type: Simplib::Hostname

Default value: $facts['networking']['fqdn']

ipa_server_mode

Data type: Boolean

Default value: false

dyndns_auth

Data type: Enum['none','GSS-TSIG']

Default value: 'GSS-TSIG'

dyndns_force_tcp

Data type: Optional[Boolean]

Default value: undef

dyndns_iface

Data type: Optional[Array[String[1]]]

Default value: undef

dyndns_refresh_interval

Data type: Optional[Integer[0]]

Default value: undef

dyndns_server

Data type: Optional[Simplib::Host]

Default value: undef

dyndns_ttl

Data type: Optional[Integer[0]]

Default value: undef

dyndns_update

Data type: Boolean

Default value: true

dyndns_update_ptr

Data type: Optional[Boolean]

Default value: undef

ipa_automount_location

Data type: Optional[String]

Default value: undef

ipa_hbac_refresh

Data type: Optional[Integer[0]]

Default value: undef

ipa_hbac_search_base

Data type: Optional[String]

Default value: undef

ipa_hbac_selinux

Data type: Optional[Integer[0]]

Default value: undef

ipa_host_search_base

Data type: Optional[String]

Default value: undef

ipa_master_domains_search_base

Data type: Optional[String]

Default value: undef

ipa_selinux_search_base

Data type: Optional[String]

Default value: undef

ipa_subdomains_search_base

Data type: Optional[String]

Default value: undef

ipa_views_search_base

Data type: Optional[String]

Default value: undef

krb5_confd_path

Data type: Optional[Stdlib::AbsolutePath]

Default value: undef

krb5_realm

Data type: Optional[String]

Default value: undef

krb5_store_password_if_offline

Data type: Boolean

Default value: true

ldap_tls_cacert

Data type: Stdlib::AbsolutePath

Default value: '/etc/ipa/ca.crt'

ldap_tls_cipher_suite

Data type: Array[String]

Default value: ['HIGH','-SSLv2']

use_service_discovery

Data type: Boolean

Whether to add 'srv' to the list of IPA servers, thereby enabling service discovery of these servers

Default value: true

sssd::provider::krb5

Define: sssd::provider::krb5

This define sets up the 'krb5' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf.

See sssd-krb5.conf(5) for additional information.

Parameters

The following parameters are available in the sssd::provider::krb5 defined type:

name

The name of the associated domain section in the configuration file.

krb5_server

Data type: Optional[Simplib::Host]

Default value: undef

krb5_realm

Data type: String

debug_level

Data type: Optional[Sssd::DebugLevel]

Default value: undef

debug_timestamps

Data type: Boolean

Default value: true

debug_microseconds

Data type: Boolean

Default value: false

krb5_kpasswd

Data type: Optional[String]

Default value: undef

krb5_ccachedir

Data type: Optional[Stdlib::Absolutepath]

Default value: undef

krb5_ccname_template

Data type: Optional[Stdlib::Absolutepath]

Default value: undef

krb5_auth_timeout

Data type: Integer

Default value: 15

krb5_validate

Data type: Boolean

Default value: false

krb5_keytab

Data type: Optional[Stdlib::Absolutepath]

Default value: undef

krb5_store_password_if_offline

Data type: Boolean

Default value: false

krb5_renewable_lifetime

Data type: Optional[String]

Default value: undef

krb5_lifetime

Data type: Optional[String]

Default value: undef

krb5_renew_interval

Data type: Integer

Default value: 0

krb5_use_fast

Data type: Optional[Enum['never','try','demand']]

Default value: undef

sssd::provider::ldap

Define: sssd::provider::ldap

This define sets up the 'ldap' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf.

Configuration notes:

  • See sssd-ldap.conf(5) for additional information.

  • Be careful with the following configuration:

    • ldap_netgroup_search_base
    • ldap_user_search_base
    • ldap_group_search_base
    • ldap_sudo_search_base
    • ldap_autofs_search_base
  • Be sure to read the man page for the following advanced configuration:

    • ldap_idmap_range_min
    • ldap_idmap_range_max
    • ldap_idmap_range_size
    • ldap_idmap_default_domain_sid
    • ldap_idmap_default_domain
    • ldap_idmap_autorid_compat

Regarding: POODLE - CVE-2014-3566

The tls_cipher_suite variable is set to HIGH:-SSLv2 by default because OpenLDAP cannot set the SSL provider natively. By default, it will run TLSv1 but cannot handle TLSv1.2 therefore the SSLv3 ciphers cannot be eliminated. Take care to ensure that your clients only connect with TLSv1 if possible.

Advanced Configuration - Read the man page

Parameters

The following parameters are available in the sssd::provider::ldap defined type:

name

The name of the associated domain section in the configuration file

strip_128_bit_ciphers

Data type: Boolean

DEPRECATED - EL6-only - Will be removed in a future release

Default value: true

client_tls

Data type: Boolean

Set to false to disable setting up client-side TLS

Default value: true

debug_level

Data type: Optional[Sssd::DebugLevel]

Default value: undef

debug_timestamps

Data type: Optional[Boolean]

Default value: undef

debug_microseconds

Data type: Boolean

Default value: false

ldap_uri

Data type: Optional[Array[Simplib::URI,1]]

Default value: simplib::lookup('simp_options::ldap::uri', { 'default_value' => undef })

ldap_backup_uri

Data type: Optional[Array[Simplib::URI,1]]

Default value: undef

ldap_chpass_uri

Data type: Optional[Array[Simplib::URI,1]]

Default value: undef

ldap_chpass_backup_uri

Data type: Optional[Array[Simplib::URI,1]]

Default value: undef

ldap_chpass_update_last_change

Data type: Boolean

Default value: true

ldap_search_base

Data type: Optional[String[1]]

Default value: simplib::lookup('simp_options::ldap::base_dn', { 'default_value' => undef })

ldap_schema

Data type: Sssd::LdapSchema

Default value: 'rfc2307'

ldap_default_bind_dn

Data type: Optional[String[1]]

Default value: simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => undef })

ldap_default_authtok_type

Data type: Optional[Sssd::LdapDefaultAuthtok]

Default value: undef

ldap_default_authtok

Data type: Optional[String[1]]

Default value: simplib::lookup('simp_options::ldap::bind_pw', { 'default_value' => undef })

ldap_user_cert

Data type: Optional[String[1]]

Default value: undef

ldap_user_object_class

Data type: Optional[String[1]]

Default value: undef

ldap_user_name

Data type: Optional[String[1]]

Default value: undef

ldap_user_uid_number

Data type: Optional[String[1]]

Default value: undef

ldap_user_gid_number

Data type: Optional[String[1]]

Default value: undef

ldap_user_gecos

Data type: Optional[String[1]]

Default value: undef

ldap_user_home_directory

Data type: Optional[String[1]]

Default value: undef

ldap_user_shell

Data type: Optional[String[1]]

Default value: undef

ldap_user_uuid

Data type: Optional[String[1]]

Default value: undef

ldap_user_objectsid

Data type: Optional[String[1]]

Default value: undef

ldap_user_modify_timestamp

Data type: Optional[String[1]]

Default value: undef

ldap_user_shadow_last_change

Data type: Optional[String[1]]

Default value: undef

ldap_user_shadow_min

Data type: Optional[String[1]]

Default value: undef

ldap_user_shadow_max

Data type: Optional[String[1]]

Default value: undef

ldap_user_shadow_warning

Data type: Optional[String[1]]

Default value: undef

ldap_user_shadow_inactive

Data type: Optional[String[1]]

Default value: undef

ldap_user_shadow_expire

Data type: Optional[String[1]]

Default value: undef

ldap_user_krb_last_pwd_change

Data type: Optional[String[1]]

Default value: undef

ldap_user_krb_password_expiration

Data type: Optional[String[1]]

Default value: undef

ldap_user_ad_account_expires

Data type: Optional[String[1]]

Default value: undef

ldap_user_ad_user_account_control

Data type: Optional[String[1]]

Default value: undef

ldap_ns_account_lock

Data type: Optional[String[1]]

Default value: undef

ldap_user_nds_login_disabled

Data type: Optional[String[1]]

Default value: undef

ldap_user_nds_login_expiration_time

Data type: Optional[String[1]]

Default value: undef

ldap_user_nds_login_allowed_time_map

Data type: Optional[String[1]]

Default value: undef

ldap_user_principal

Data type: Optional[String[1]]

Default value: undef

ldap_user_extra_attrs

Data type: Optional[Array[String[1],1]]

Default value: undef

ldap_user_ssh_public_key

Data type: Optional[String[1]]

Default value: undef

ldap_force_upper_case_realm

Data type: Boolean

Default value: false

ldap_enumeration_refresh_timeout

Data type: Optional[Integer[0]]

Default value: undef

ldap_purge_cache_timeout

Data type: Optional[Integer[0]]

Default value: undef

ldap_user_fullname

Data type: Optional[String[1]]

Default value: undef

ldap_user_member_of

Data type: Optional[String[1]]

Default value: undef

ldap_user_authorized_service

Data type: Optional[String[1]]

Default value: undef

ldap_user_authorized_host

Data type: Optional[String[1]]

Default value: undef

ldap_group_object_class

Data type: Optional[String[1]]

Default value: undef

ldap_group_name

Data type: Optional[String[1]]

Default value: undef

ldap_group_gid_number

Data type: Optional[String[1]]

Default value: undef

ldap_group_member

Data type: Optional[String[1]]

Default value: undef

ldap_group_uuid

Data type: Optional[String[1]]

Default value: undef

ldap_group_objectsid

Data type: Optional[String[1]]

Default value: undef

ldap_group_modify_timestamp

Data type: Optional[String[1]]

Default value: undef

ldap_group_type

Data type: Optional[Integer]

Default value: undef

ldap_group_nesting_level

Data type: Optional[Integer]

Default value: undef

ldap_groups_use_matching_rule_in_chain

Data type: Boolean

Default value: false

ldap_initgroups_use_matching_rule_in_chain

Data type: Boolean

Default value: false

ldap_use_tokengroups

Data type: Boolean

Default value: false

ldap_netgroup_object_class

Data type: Optional[String[1]]

Default value: undef

ldap_netgroup_name

Data type: Optional[String[1]]

Default value: undef

ldap_netgroup_member

Data type: Optional[String[1]]

Default value: undef

ldap_netgroup_triple

Data type: Optional[String[1]]

Default value: undef

ldap_netgroup_uuid

Data type: Optional[String[1]]

Default value: undef

ldap_netgroup_modify_timestamp

Data type: Optional[String[1]]

Default value: undef

ldap_service_name

Data type: Optional[String[1]]

Default value: undef

ldap_service_port

Data type: Optional[String[1]]

Default value: undef

ldap_service_proto

Data type: Optional[String[1]]

Default value: undef

ldap_service_search_base

Data type: Optional[String[1]]

Default value: undef

ldap_search_timeout

Data type: Optional[Integer[0]]

Default value: undef

ldap_enumeration_search_timeout

Data type: Optional[Integer[0]]

Default value: undef

ldap_network_timeout

Data type: Optional[Integer[0]]

Default value: undef

ldap_opt_timeout

Data type: Optional[Integer[0]]

Default value: undef

ldap_connection_expire_timeout

Data type: Optional[Integer[0]]

Default value: undef

ldap_page_size

Data type: Optional[Integer[0]]

Default value: undef

ldap_disable_paging

Data type: Boolean

Default value: false

ldap_disable_range_retrieval

Data type: Boolean

Default value: false

ldap_sasl_minssf

Data type: Optional[Integer]

Default value: undef

ldap_deref_threshold

Data type: Optional[Integer[0]]

Default value: undef

ldap_tls_reqcert

Data type: Sssd::LdapTlsReqcert

Default value: 'demand'

ldap_tls_cacert

Data type: Optional[String[1]]

Default value: undef

app_pki_ca_dir

Data type: Optional[Stdlib::Absolutepath]

Default value: undef

app_pki_key

Data type: Optional[Stdlib::Absolutepath]

Default value: undef

app_pki_cert

Data type: Optional[Stdlib::Absolutepath]

Default value: undef

strip_128_bit_ciphers

Default value: true

ldap_tls_cipher_suite

Data type: Array[String[1]]

Default value: ['HIGH','-SSLv2']

ldap_id_use_start_tls

Data type: Boolean

Default value: true

ldap_id_mapping

Data type: Boolean

Default value: false

ldap_min_id

Data type: Optional[Integer[0]]

Default value: undef

ldap_max_id

Data type: Optional[Integer[0]]

Default value: undef

ldap_sasl_mech

Data type: Optional[String[1]]

Default value: undef

ldap_sasl_authid

Data type: Optional[String[1]]

Default value: undef

ldap_sasl_realm

Data type: Optional[String[1]]

Default value: undef

ldap_sasl_canonicalize

Data type: Boolean

Default value: false

ldap_krb5_keytab

Data type: Optional[Stdlib::Absolutepath]

Default value: undef

ldap_krb5_init_creds

Data type: Boolean

Default value: true

ldap_krb5_ticket_lifetime

Data type: Optional[Integer]

Default value: undef

krb5_server

Data type: Optional[Array[String[1],1]]

Default value: undef

krb5_backup_server

Data type: Optional[Array[String[1],1]]

Default value: undef

krb5_realm

Data type: Optional[String[1]]

Default value: undef

krb5_canonicalize

Data type: Boolean

Default value: false

krb5_use_kdcinfo

Data type: Boolean

Default value: true

ldap_pwd_policy

Data type: Enum['none','shadow','mit_kerberos']

Default value: ($ldap_account_expire_policy == 'shadow') ? { true => 'shadow', default => 'none'

ldap_referrals

Data type: Boolean

Default value: true

ldap_dns_service_name

Data type: Optional[String[1]]

Default value: undef

ldap_chpass_dns_service_name

Data type: Optional[String[1]]

Default value: undef

ldap_access_filter

Data type: Optional[String[1]]

Default value: undef

ldap_account_expire_policy

Data type: Sssd::LdapAccountExpirePol

Set this to '' when you want to omit this configuration in order to use the system default.

Default value: 'shadow'

ldap_access_order

Data type: Sssd::LdapAccessOrder

Default value: ['expire','lockout','ppolicy','pwd_expire_policy_renew']

ldap_pwdlockout_dn

Data type: Optional[String[1]]

Default value: undef

ldap_deref

Data type: Optional[Sssd::LdapDeref]

Default value: undef

ldap_sudorule_object_class

Data type: Optional[String[1]]

Default value: undef

ldap_sudorule_name

Data type: Optional[String[1]]

Default value: undef

ldap_sudorule_command

Data type: Optional[String[1]]

Default value: undef

ldap_sudorule_host

Data type: Optional[String[1]]

Default value: undef

ldap_sudorule_user

Data type: Optional[String[1]]

Default value: undef

ldap_sudorule_option

Data type: Optional[String[1]]

Default value: undef

ldap_sudorule_runasuser

Data type: Optional[String[1]]

Default value: undef

ldap_sudorule_runasgroup

Data type: Optional[String[1]]

Default value: undef

ldap_sudorule_notbefore

Data type: Optional[String[1]]

Default value: undef

ldap_sudorule_notafter

Data type: Optional[String[1]]

Default value: undef

ldap_sudorule_order

Data type: Optional[String[1]]

Default value: undef

ldap_sudo_full_refresh_interval

Data type: Optional[Integer[0]]

Default value: undef

ldap_sudo_smart_refresh_interval

Data type: Optional[Integer[0]]

Default value: undef

ldap_sudo_use_host_filter

Data type: Boolean

Default value: true

ldap_sudo_hostnames

Data type: Optional[Array[String[1],1]]

Default value: undef

ldap_sudo_ip

Data type: Optional[Array[String[1],1]]

Default value: undef

ldap_sudo_include_netgroups

Data type: Boolean

Default value: true

ldap_sudo_include_regexp

Data type: Boolean

Default value: true

ldap_autofs_map_master_name

Data type: Optional[String[1]]

Default value: undef

ldap_autofs_map_object_class

Data type: Optional[String[1]]

Default value: undef

ldap_autofs_map_name

Data type: Optional[String[1]]

Default value: undef

ldap_autofs_entry_object_class

Data type: Optional[String[1]]

Default value: undef

ldap_autofs_entry_key

Data type: Optional[String[1]]

Default value: undef

ldap_autofs_entry_value

Data type: Optional[String[1]]

Default value: undef

ldap_netgroup_search_base

Data type: Optional[String[1]]

Default value: undef

ldap_user_search_base

Data type: Optional[String[1]]

Default value: undef

ldap_group_search_base

Data type: Optional[String[1]]

Default value: undef

ldap_sudo_search_base

Data type: Optional[String[1]]

Default value: undef

ldap_autofs_search_base

Data type: Optional[String[1]]

Default value: undef

ldap_idmap_range_min

Data type: Optional[Integer[0]]

Default value: undef

ldap_idmap_range_max

Data type: Optional[Integer[0]]

Default value: undef

ldap_idmap_range_size

Data type: Optional[Integer[0]]

Default value: undef

ldap_idmap_default_domain_sid

Data type: Optional[String[1]]

Default value: undef

ldap_idmap_default_domain

Data type: Optional[String[1]]

Default value: undef

ldap_idmap_autorid_compat

Data type: Boolean

Default value: false

Functions

sssd::supported_version

Type: Puppet Language

Returns true if the version of SSSD installed on the system is supported and false otherwise.

Assumes that the system is relatively modern and therefore, supported by default

sssd::supported_version()

Returns true if the version of SSSD installed on the system is supported and false otherwise.

Assumes that the system is relatively modern and therefore, supported by default

Returns: Boolean

Data types

Sssd::ADDefaultRight

List of valid types for AD Provider setting ad_gpo_default_right

Alias of Enum['interactive', 'remote_interactive', 'network', 'batch', 'service', 'permit', 'deny']

Sssd::AccessProvider

List of valid SSSD domain access providers

Alias of Enum['permit', 'deny', 'ldap', 'ipa', 'ad', 'simple']

Sssd::AuthProvider

List of valid types for sssd domain authentication provider

Alias of Enum['ldap', 'krb5', 'ipa', 'ad', 'proxy', 'files', 'none']

Sssd::ChpassProvider

List of valid types for sssd domain change password provider

Alias of Enum['ldap', 'krb5', 'ipa', 'ad', 'proxy', 'none']

Sssd::DebugLevel

Integer[0-9] or 2 byte Hexidecimal (ex. 0x0201)

Alias of Variant[Integer[0,9], Pattern[/0x\h{4}$/]]

Sssd::IdProvider

List of valid type for sssd domain ID provider.

Alias of Enum['proxy', 'ldap', 'ipa', 'ad', 'files']

Sssd::LdapAccessOrder

List of valid values for ldap provider ldap_access_order setting

Alias of

Array[Enum[
  'filter',
  'lockout',
  'ppolicy', # Only available in sssd >= 1.14.0
  'expire',
  'pwd_expire_policy_reject', # Only available in sssd >= 1.14.0
  'pwd_expire_policy_warn', # Only available in sssd >= 1.14.0
  'pwd_expire_policy_renew', # Only available in sssd >= 1.14.0
  'authorized_service',
  'host'
]]

Sssd::LdapAccountExpirePol

List of valid values for ldap provider ldap_account_expire_policy '' corresponds to the default value (empty) per sssd-ldap(5) man page

Alias of Enum['', 'shadow', 'ad', 'rhds', 'ipa', '389ds', 'nds']

Sssd::LdapDefaultAuthtok

List of valid values for ldap provider default auth token

Alias of Enum['password', 'obfuscated_password']

Sssd::LdapDeref

List of valid values for ldap provider deref setting

Alias of Enum['never', 'searching', 'finding', 'always']

Sssd::LdapSchema

List of valid setting for ldap provider ldap_schema setting.

Alias of Enum['rfc2307', 'rfc2307bis', 'IPA', 'AD']

Sssd::LdapTlsReqcert

List of valid setting for ldap provider ldap_tls_reqcert.

Alias of Enum['never', 'allow', 'try', 'demand', 'hard']

Sssd::Services

List of available sssd services

Alias of Array[Enum['nss','pam','sudo','autofs','ssh','pac','ifp']]