(#143) Added support for smartcard params for pam and ldap (#144)
* (#143) Added support for smartcard params for pam and ldap

Fixes #143

* Added releng stuff
michael-riddle authored Apr 10, 2024
1 parent 574d7cc commit a731a10
Showing 10 changed files with 98 additions and 1 deletion.
5 changes: 5 additions & 0 deletions CHANGELOG
@@ -1,3 +1,8 @@
* Wed Apr 10 2024 Mike Riddle <mike@sicura.us> - 7.10.0
- Added the pam_cert_auth parameter to the pam service
- Added the ldap_user_cert parameter to the ldap provider
- Users can now specify ldap providers via hieradata using sssd::ldap_providers

* Wed Nov 29 2023 Virus2500 <_________@gmail.com> - 7.9.0
- add domain option ldap_user_search_filter

40 changes: 40 additions & 0 deletions REFERENCE.md
@@ -63,6 +63,19 @@ using an nscd module at the same time, which is the correct behavior.
Full documentation of the parameters that map directly to SSSD
configuration options can be found in the sssd.conf(5) man page.

#### Examples

##### sssd::provider::ldap in hieradata:

```puppet
sssd::ldap_providers:
ldap_users:
ldap_access_filter: 'memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com'
ldap_chpass_uri: empty
ldap_access_order: 'expire'
etc...
```

#### Parameters

The following parameters are available in the `sssd` class:
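Review bot: the hieradata example in this hunk does not parse as written: `etc...` is not valid YAML, and the fence is tagged `puppet` although the content is YAML hieradata; `ldap_chpass_uri: empty` will also be passed through as the literal string `empty` unless that is a deliberate sentinel. Since REFERENCE.md is generated from the `@example` block in manifests/init.pp, trim the example there to keys with real values (or close it with a comment such as `# further sssd::provider::ldap parameters`), tag it as YAML, and regenerate. A copy-pasteable example matters here because the hash is splatted straight into `sssd::provider::ldap` and a malformed one fails at catalog compile time.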
@@ -84,6 +97,7 @@ The following parameters are available in the `sssd` class:
* [`user`](#-sssd--user)
* [`default_domain_suffix`](#-sssd--default_domain_suffix)
* [`override_space`](#-sssd--override_space)
* [`ldap_providers`](#-sssd--ldap_providers)
* [`enumerate_users`](#-sssd--enumerate_users)
* [`include_svc_config`](#-sssd--include_svc_config)
* [`cache_credentials`](#-sssd--cache_credentials)
@@ -231,6 +245,14 @@ Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-sssd--ldap_providers"></a>`ldap_providers`

Data type: `Hash`

This allows users to set up ldap sssd::provider::ldap resources via hieradata

Default value: `{}`

##### <a name="-sssd--enumerate_users"></a>`enumerate_users`

Data type: `Boolean`
@@ -937,6 +959,7 @@ The following parameters are available in the `sssd::service::pam` class:
* [`debug_level`](#-sssd--service--pam--debug_level)
* [`debug_timestamps`](#-sssd--service--pam--debug_timestamps)
* [`debug_microseconds`](#-sssd--service--pam--debug_microseconds)
* [`pam_cert_auth`](#-sssd--service--pam--pam_cert_auth)
* [`reconnection_retries`](#-sssd--service--pam--reconnection_retries)
* [`command`](#-sssd--service--pam--command)
* [`offline_credentials_expiration`](#-sssd--service--pam--offline_credentials_expiration)
@@ -980,6 +1003,14 @@ Data type: `Boolean`



Default value: `false`

##### <a name="-sssd--service--pam--pam_cert_auth"></a>`pam_cert_auth`

Data type: `Boolean`



Default value: `false`

##### <a name="-sssd--service--pam--reconnection_retries"></a>`reconnection_retries`
@@ -2735,6 +2766,7 @@ The following parameters are available in the `sssd::provider::ldap` defined typ
* [`ldap_default_bind_dn`](#-sssd--provider--ldap--ldap_default_bind_dn)
* [`ldap_default_authtok_type`](#-sssd--provider--ldap--ldap_default_authtok_type)
* [`ldap_default_authtok`](#-sssd--provider--ldap--ldap_default_authtok)
* [`ldap_user_cert`](#-sssd--provider--ldap--ldap_user_cert)
* [`ldap_user_object_class`](#-sssd--provider--ldap--ldap_user_object_class)
* [`ldap_user_name`](#-sssd--provider--ldap--ldap_user_name)
* [`ldap_user_uid_number`](#-sssd--provider--ldap--ldap_user_uid_number)
@@ -2985,6 +3017,14 @@ Data type: `Optional[String[1]]`

Default value: `simplib::lookup('simp_options::ldap::bind_pw', { 'default_value' => undef })`

##### <a name="-sssd--provider--ldap--ldap_user_cert"></a>`ldap_user_cert`

Data type: `Optional[String[1]]`



Default value: `undef`

##### <a name="-sssd--provider--ldap--ldap_user_object_class"></a>`ldap_user_object_class`

Data type: `Optional[String[1]]`
17 changes: 17 additions & 0 deletions manifests/init.pp
@@ -27,6 +27,16 @@
# @param user
# @param default_domain_suffix
# @param override_space
# @param ldap_providers
# This allows users to set up ldap sssd::provider::ldap resources via hieradata
# @example sssd::provider::ldap in hieradata:
# sssd::ldap_providers:
# ldap_users:
# ldap_access_filter: 'memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com'
# ldap_chpass_uri: empty
# ldap_access_order: 'expire'
# etc...
#
# @param enumerate_users
# Have SSSD list and cache all the users that it can find on the remote system
#
@@ -100,6 +110,7 @@
Optional[String[1]] $user = undef,
Optional[String[1]] $default_domain_suffix = undef,
Optional[String[1]] $override_space = undef,
Hash $ldap_providers = {},
Boolean $enable_files_domain = true,
Boolean $enumerate_users = false,
Boolean $cache_credentials = true,
@@ -145,4 +156,10 @@
content => '-w /etc/sssd/ -p wa -k CFG_sssd'
}
}

$ldap_providers.each |$key, $value| {
sssd::provider::ldap { $key:
* => $value,
}
}
}
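Review bot: `* => $value` only works when every value in `$ldap_providers` is a Hash whose keys are `sssd::provider::ldap` parameters; a scalar value or a misspelled key fails at catalog compile time with an error that points at the splat rather than at the hieradata. Because the parameter is declared as a bare `Hash` in the previous hunk, consider `Hash[String[1], Hash[String[1], Any]]` so the failure is reported against `sssd::ldap_providers` itself. Also note that a class parameter resolved from Hiera uses the default first-found merge, so a site-level and a node-level `sssd::ldap_providers` will not combine unless `lookup_options` sets a `deep` merge for that key; that is worth a sentence in the `@param` docs.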
2 changes: 2 additions & 0 deletions manifests/provider/ldap.pp
@@ -49,6 +49,7 @@
# @param ldap_default_bind_dn
# @param ldap_default_authtok_type
# @param ldap_default_authtok
# @param ldap_user_cert
# @param ldap_user_object_class
# @param ldap_user_name
# @param ldap_user_uid_number
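Review bot: `@param ldap_user_cert` has no description, which is why the generated REFERENCE.md entry is blank between the data type and the default. Add a line saying what it maps to: the sssd.conf(5) `ldap_user_cert` option, i.e. the LDAP attribute holding the user's certificate, for which `userCertificate;binary` (the value used in the new spec) is the usual choice. Readers should not have to reverse-engineer the parameter from the test.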
@@ -205,6 +206,7 @@
Optional[String[1]] $ldap_default_bind_dn = simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => undef }),
Optional[Sssd::LdapDefaultAuthtok] $ldap_default_authtok_type = undef,
Optional[String[1]] $ldap_default_authtok = simplib::lookup('simp_options::ldap::bind_pw', { 'default_value' => undef }),
Optional[String[1]] $ldap_user_cert = undef,
Optional[String[1]] $ldap_user_object_class = undef,
Optional[String[1]] $ldap_user_name = undef,
Optional[String[1]] $ldap_user_uid_number = undef,
2 changes: 2 additions & 0 deletions manifests/service/pam.pp
@@ -9,6 +9,7 @@
# @param debug_level
# @param debug_timestamps
# @param debug_microseconds
# @param pam_cert_auth
# @param reconnection_retries
# @param command
# @param offline_credentials_expiration
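Review bot: `@param pam_cert_auth` is undocumented, so the generated REFERENCE.md entry renders empty. State what it does (per sssd.conf(5), it enables certificate, i.e. smartcard, authentication in the pam responder) and that the template only emits the option when the parameter is true, so `false` relies on sssd's own default.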
@@ -37,6 +38,7 @@
Optional[Sssd::DebugLevel] $debug_level = undef,
Boolean $debug_timestamps = true,
Boolean $debug_microseconds = false,
Boolean $pam_cert_auth = false,
Integer $reconnection_retries = 3,
Optional[String] $command = undef,
Integer $offline_credentials_expiration = 0,
2 changes: 1 addition & 1 deletion metadata.json
@@ -1,6 +1,6 @@
{
"name": "simp-sssd",
"version": "7.9.0",
"version": "7.10.0",
"author": "SIMP Team",
"summary": "Manages SSSD",
"license": "Apache-2.0",
16 changes: 16 additions & 0 deletions spec/classes/init_spec.rb
@@ -88,6 +88,22 @@
.with_order(99999)
}
end

context 'with ldap provider' do
let(:params) {{
:ldap_providers => {
:test_provider => {
:ldap_access_filter => 'memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com',
}
}
}}

it {
is_expected.to create_sssd__provider__ldap('test_provider').with( {
:ldap_access_filter => 'memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com',
} )
}
end
end
end
end
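Review bot: the new `with ldap provider` context asserts that the `sssd::provider::ldap` resource is declared but never checks that the catalog compiles with it. Adding `it { is_expected.to compile.with_all_deps }`, as the ldap_spec change in this commit does, would catch a key in the hieradata hash that `sssd::provider::ldap` does not accept, which is exactly the failure mode the splat in init.pp introduces.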
11 changes: 11 additions & 0 deletions spec/defines/provider/ldap_spec.rb
@@ -104,6 +104,17 @@
is_expected.to create_sssd__config__entry("puppet_provider_#{title}_ldap").with_content(expected)
end
end

context 'with ldap_user_cert set' do
let(:params) {{ :ldap_user_cert => 'userCertificate;binary' }}

it { is_expected.to compile.with_all_deps }
it {
is_expected.to create_sssd__config__entry("puppet_provider_#{title}_ldap")
.with_content(%r(ldap_user_cert = userCertificate;binary))
}
end

context 'with app_pki_ca_dir set' do
let(:params) {{ :app_pki_ca_dir => '/path/to/ca' }}

1 change: 1 addition & 0 deletions templates/provider/ldap.erb
@@ -11,6 +11,7 @@
'ldap_default_bind_dn',
'ldap_default_authtok_type',
'ldap_default_authtok',
'ldap_user_cert',
'ldap_user_object_class',
'ldap_user_name',
'ldap_user_uid_number',
3 changes: 3 additions & 0 deletions templates/service/pam.erb
@@ -28,3 +28,6 @@ pam_trusted_users = <%= @pam_trusted_users %>
<% if @pam_public_domains -%>
pam_public_domains = <%= @pam_public_domains %>
<% end -%>
<% if @pam_cert_auth -%>
pam_cert_auth = True
<% end -%>
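Review bot: nothing in this commit tests the template change; the ldap side gets a `with ldap_user_cert set` spec context, but no spec asserts that `pam_cert_auth = True` is rendered into the pam section when the parameter is set, or that the line is absent by default. A context in the pam service spec mirroring the ldap one would close that gap. Emitting the line only when true is acceptable since sssd's default for `pam_cert_auth` is false, but that assumption should be stated in the `@param` description.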

0 comments on commit a731a10
