#Authconfig
A Puppet module that installs and configures authconfig on EL distributions.
It can manage LDAP, NIS, Kerberos and SMB/Winbind related authentication specifics. It also handles enable/disable of caching (nscd).
include authconfig
This will install the authconfig package if necessary and set ldap
, ldapauth
and ldaptls
to disable
by default.
class { 'authconfig' :
ldap => true,
ldapauth => true,
ldaptls => false,
ldapserver => '192.168.42.42',
ldapbasedn => 'dc=example,dc=com',
ldaploadcacert => 'http://www.example.com/certificates/Example_CA.pem'
sssd => false,
sssdauth => false,
forcelegacy => false,
pamaccess => false,
krb5 => true,
krb5realm => 'example.com',
krb5kdc => ['kdc1.example.com', 'kdc2.example.com'],
krb5kadmin => 'kadmin.example.com',
cache => true,
winbind => false,
winbindauth => false,
smbsecurity => 'ads',
smbrealm => 'example.com',
smbworkgroup => 'MYGROUP',
winbindjoin => 'user@domain%password',
}
This will install the authconfig package if necessary and set ldap
and ldapauth
to enable
. It will query the LDAP server located at ldapserver
address at ldapbasedn
.
In the mean time it will set ldaptls
to disable
. The you can simply do the same for NIS.
In general, if the option is of type --enableoption/--disableoption
simply set true if you want to enable it, false otherwise.
Whether to enable LDAP for user information.
Whether to enable LDAP for user authentication.
Whether to enable use of TLS with LDAP.
LDAP server address to connect to.
LDAP base dn to connet to.
Loads a CA certificate over HTTP.
Password hashing algorithm
Whether to enable SSSD - caches credentials from a remote provider such as LDAP.
Whether to enable SSSD Auth - Allows users to authenticate from a local cache pulled from a remote provider such as LDAP.
Pass true or false, which equate to yes or no - undef will not set the value. Used in conjunction with SSSD and other caching services.
Whether to enable NIS for user information.
NIS Domain
NIS Server
Enable shadow password
Enable fingerprint authentication
Whether to enable pam access - Allows administrators to configure the authentication process to run the pam_access module during account authorization.
Whether to bypass checking network authentication services for authorization
Whether to allow authentication of system accounts
Whether to enable Kerberos.
Specify Kerberos realm.
Specify Kerberos KDC
Specify Kerberos administration server
Enable use of DNS to find kerberos KDCs
Enable use of DNS to find kerberos realms
Prefer dns over wins or nis for hostname resolution
Whether to enable Winbind
Whether to enable Winbind for user authentication
The style of Winbind connection. Default: ads
Specify Active Directory realm
Specify Active Directory workgroup
Specify Active Directory server or servers. Pass a string or an array.
Specify user credentials of a domain administrator in the form username@domain%password
Whether to use naming services caches
Whether to automatically create user home dir on first login
Boolean to determine if the LDAP schema uses rfc2307 (false) or rfc2307bis (true).
Only valid if sssd
is true.
If this value is true
on a system that does not support rfc2307bis (RHEL < 6), a catalog error will be generated.
Apache License v2
Yanis Guenane - yguenane@gmail.com