I looked at some of the LDAP modules for Puppet on GitHub. They look complicated, and I'm not sure why they have to be.
Here is the easy way to do it. I'm using Puppet 2.x, but the concept is the same for any configuration manager.
Enable LDAP Auth
On your CentOS 6 test client, run the authconfig command. A simple example is below. Pass --help to authconfig so you can see all of the options; yours will likely differ from mine. In particular, if your directory offers TLS (it should: without it every login sends the user's password across the wire in the clear, and sssd by default refuses to authenticate over an unencrypted connection), give --ldapserver an ldaps:// URI or add --enableldaptls, and make sure the CA certificate sssd should trust is set with ldap_tls_cacert in sssd.conf.
example:
authconfig --update --ldapserver=myldapserver.domain.com --ldapbasedn=dc=sub,dc=domain,dc=com --enablesssd --enablesssdauth --enablelocauthorize --enablemkhome
Make sure authentication works the way you expect before going any further: resolve an LDAP user with getent passwd and id, then actually log in as that user (ssh or su -) so the PAM stack and home directory creation get exercised, not just the NSS lookup.
Replicate the working configs
Copy the following files (CentOS 6 paths; on CentOS 5 the LDAP client configuration is /etc/ldap.conf and there is no sssd) into your module's files directory on the puppet master:
/etc/openldap/ldap.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth-ac
/etc/pam.d/password-auth-ac
/etc/sssd/sssd.conf
Create a module that distributes these files. After any of them change, sssd has to be restarted, so the module does that too. My sample module is below. I am running a mix of CentOS 5 and 6, so the class switches on the $lsbmajdistrelease fact (Facter fills it in from lsb_release, so the client needs the redhat-lsb package); the CentOS 5 branch uses nss_ldap/pam_ldap with /etc/ldap.conf and has no daemon to restart. Note that sssd.conf is pushed with mode 600: it can contain the bind credentials, and sssd checks the file's ownership and mode at startup and refuses to start if anyone else can read it.
When a new machine is provisioned, Puppet pushes the files, restarts sssd, and LDAP authentication works on the first run. The module assumes sssd and the authconfig-generated PAM files already exist on the client; if your kickstart does not install sssd, add a package resource for it. Once this is in place it is pretty much set it and forget it.
class auth {
  case $lsbmajdistrelease {
    '5': {
      # CentOS 5: nss_ldap/pam_ldap, configured through /etc/ldap.conf, no daemon to restart
      file { "/etc/ldap.conf":
        ensure => present,
        source => "puppet:///modules/auth/cent5/ldap.conf",
        group  => "root",
        owner  => "root",
        mode   => "644",
      }
      file { "/etc/nsswitch.conf":
        ensure  => present,
        source  => "puppet:///modules/auth/cent5/nsswitch.conf",
        group   => "root",
        owner   => "root",
        mode    => "644",
        require => [ File["/etc/ldap.conf"], File["/etc/pam.d/system-auth-ac"] ],
      }
      file { "/etc/pam.d/system-auth-ac":
        ensure => present,
        source => "puppet:///modules/auth/cent5/system-auth-ac",
        group  => "root",
        owner  => "root",
        mode   => "644",
      }
    } #5
    '6': {
      # CentOS 6: sssd; nsswitch.conf is written last so sss is only enabled once
      # the LDAP, PAM and sssd configs it depends on are in place
      file { "/etc/openldap/ldap.conf":
        ensure => present,
        source => "puppet:///modules/auth/cent6/ldap.conf",
        group  => "root",
        owner  => "root",
        mode   => "644",
      }
      file { "/etc/nsswitch.conf":
        ensure  => present,
        source  => "puppet:///modules/auth/cent6/nsswitch.conf",
        group   => "root",
        owner   => "root",
        mode    => "644",
        require => [ File["/etc/openldap/ldap.conf"], File["/etc/pam.d/system-auth-ac"], File["/etc/pam.d/password-auth-ac"], File["/etc/sssd/sssd.conf"] ],
      }
      file { "/etc/pam.d/system-auth-ac":
        ensure => present,
        source => "puppet:///modules/auth/cent6/system-auth-ac",
        group  => "root",
        owner  => "root",
        mode   => "644",
      }
      file { "/etc/pam.d/password-auth-ac":
        ensure => present,
        source => "puppet:///modules/auth/cent6/password-auth-ac",
        group  => "root",
        owner  => "root",
        mode   => "644",
      }
      # sssd.conf may hold the LDAP bind password; sssd refuses to start if it is not 600
      file { "/etc/sssd/sssd.conf":
        ensure => present,
        source => "puppet:///modules/auth/cent6/sssd.conf",
        group  => "root",
        owner  => "root",
        mode   => "600",
      }
      # On CentOS 6 sssd has to be restarted for the LDAP changes to take effect;
      # refreshonly means this only runs when one of the subscribed files changes
      exec { "restart_sssd":
        command     => "/etc/init.d/sssd restart",
        refreshonly => true,
        subscribe   => File["/etc/openldap/ldap.conf",
                            "/etc/pam.d/system-auth-ac",
                            "/etc/pam.d/password-auth-ac",
                            "/etc/sssd/sssd.conf",
                            "/etc/nsswitch.conf"],
        require     => File["/etc/nsswitch.conf"],
      }
    } #6
  } #case
} #class
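The "make sure authentication works" step above is the one people skip, and the Puppet run gives you no signal beyond "files synced". The script below is an added example, not code from the original post: a set of checks for a CentOS 6 sssd client that you run by hand after authconfig and again after Puppet has pushed the files. Each check is a function that takes the file or user to inspect, so the same checks can be pointed at the copies kept on the puppet master. The paths in run_checks are the live system paths; the user name is whatever you pass on the command line; getent -s sss assumes the glibc getent.

```shell
#!/bin/sh
# Added example, not code from the original post. Post-authconfig checks for a
# CentOS 6 sssd client. Every check is a function taking the file or user to
# inspect; run_checks wires them to the live paths. User name is an argument.

# Is the NSS database $2 (passwd, group, shadow ...) served by sssd in file $1?
nss_uses_sss() {              # nss_uses_sss /etc/nsswitch.conf passwd
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit !found }' "$1"
}

# Does the PAM stack of type $2 (auth, account, password, session) in file $1
# include pam_sss.so? Without it sssd resolves names but nobody can log in.
pam_uses_sss() {              # pam_uses_sss /etc/pam.d/system-auth-ac auth
    awk -v type="$2" '
        $1 == type && $0 ~ /pam_sss\.so/ { found = 1 }
        END { exit !found }' "$1"
}

# First ten columns of ls -l, e.g. -rw------- (portable where stat -c is not).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# sssd.conf may hold ldap_default_authtok (the bind password); sssd checks the
# mode at startup and refuses to run if others can read it, hence 600 in Puppet.
sssd_conf_private() {
    [ "$(file_mode "$1")" = "-rw-------" ]
}

# Name resolves at all (files or LDAP), and resolves through the sss backend
# specifically, so a stale local account is not mistaken for a working LDAP one.
user_resolves() {             # user_resolves jdoe
    getent passwd "$1" >/dev/null 2>&1
}
user_resolves_via_sss() {
    getent -s sss passwd "$1" >/dev/null 2>&1
}

sssd_running() {
    pgrep -x sssd >/dev/null 2>&1
}

# report <description> <command ...>: run the check, print PASS/FAIL, count failures
failures=0
report() {
    desc=$1; shift
    if "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; failures=$((failures + 1)); fi
}

# Run every check against the live system; exit status 1 if anything failed.
run_checks() {                # run_checks <ldap user>
    user=$1
    failures=0
    for db in passwd shadow group; do
        report "nsswitch.conf: $db goes through sss" nss_uses_sss /etc/nsswitch.conf "$db"
    done
    for pamfile in /etc/pam.d/system-auth-ac /etc/pam.d/password-auth-ac; do
        for type in auth account password session; do
            report "$pamfile: $type stack has pam_sss.so" pam_uses_sss "$pamfile" "$type"
        done
    done
    report "/etc/sssd/sssd.conf is mode 600" sssd_conf_private /etc/sssd/sssd.conf
    report "sssd is running" sssd_running
    report "$user resolves" user_resolves "$user"
    report "$user is served by the sss backend" user_resolves_via_sss "$user"
    echo "$failures check(s) failed"
    [ "$failures" -eq 0 ]
}

# Only run the live checks when a user is given:  sh ldap_check.sh jdoe
if [ $# -gt 0 ]; then
    run_checks "$1"
fi
```

None of this replaces an actual login as the LDAP user (ssh or su -), which is the only thing that proves the auth and session stacks, and --enablemkhome, really work; run it after the checks pass.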