diff --git a/.puppet-lint.rc b/.puppet-lint.rc index eb56769..77a1e10 100644 --- a/.puppet-lint.rc +++ b/.puppet-lint.rc @@ -8,7 +8,6 @@ --relative --no-class_inherits_from_params_class-check --no-140chars-check ---no-trailing_comma-check --no-params-empty-string-assignment-check # This is here because the code can't handle lookups in parameters and SIMP # modules have a LOT of those diff --git a/CHANGELOG b/CHANGELOG index dc82d37..2e141d7 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,6 @@ +* Tue Sep 23 2025 Steven Pritchard - 8.0.0 +- Migrate ERB templates to EPP (#152) + * Wed Jun 11 2025 Chris Tessmer - 7.13.1 - Fix rubocop issues diff --git a/REFERENCE.md b/REFERENCE.md index b8f2f2a..568173c 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -436,11 +436,11 @@ The following parameters are available in the `sssd::install::client` class: ##### `ensure` -Data type: `Any` +Data type: `String` Ensure setting for 'sssd-client' package -Default value: `$::sssd::install::package_ensure` +Default value: `$sssd::install::package_ensure` ### `sssd::pki` @@ -1302,7 +1302,7 @@ The content of the target file Data type: `Integer[0]` - +The order in which the file should be processed Default value: `50` @@ -1729,6 +1729,10 @@ Default value: `undef` Data type: `Optional[String]` + + +Default value: `undef` + ##### `custom_options` Data type: `Optional[Hash]` @@ -1736,9 +1740,8 @@ Data type: `Optional[Hash]` If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be -added as a simple init pair -key = value -under the section in the sssd.conf file. +added as a simple init pair key = value under the section in +the sssd.conf file. No error checking will be performed. Default value: `undef` diff --git a/manifests/config.pp b/manifests/config.pp index 4ddb740..190bd72 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
@@ -13,8 +13,8 @@ # @author https://github.com/simp/pupmod-simp-sssd/graphs/contributors # class sssd::config ( - Boolean $authoritative = pick(getvar("${module_name}::authoritative"), false) -){ + Boolean $authoritative = pick(getvar("${module_name}::authoritative"), false), +) { assert_private() include $module_name 
@@ -52,27 +52,93 @@ file { '/etc/sssd': ensure => 'directory', - mode => 'go-rw' + mode => 'go-rw', } file { '/etc/sssd/conf.d': ensure => 'directory', purge => $authoritative, - recurse => true + recurse => true, } unless $authoritative { tidy { '/etc/sssd/conf.d': matches => '*_puppet_*.conf', - recurse => true + recurse => true, } } + # Build configuration lines in order (matching expected test output) + # Services configuration - sudo has to be started by the socket + $filtered_services = Array($_services) - ['sudo'] + $services_line = $_services.empty ? { + true => [], + false => $filtered_services.empty ? { true => [], false => ["services = ${filtered_services.join(',')}"] } + } + + # Basic configuration + $description_line = $_description ? { undef => [], default => ["description = ${_description}"] } + + # Domains configuration + $domains_line = $_domains.empty ? { true => [], false => ["domains = ${Array($_domains).join(', ')}"] } + + # Required configuration parameters + $config_file_version_line = ["config_file_version = ${_config_file_version}"] + $reconnection_retries_line = ["reconnection_retries = ${_reconnection_retries}"] + + # Optional string parameters + $re_expression_line = $_re_expression ? { undef => [], default => ["re_expression = ${_re_expression}"] } + $full_name_format_line = $_full_name_format ? { undef => [], default => ["full_name_format = ${_full_name_format}"] } + + # Optional boolean parameters (special undef checking) + $try_inotify_line = $_try_inotify ? { undef => [], default => ["try_inotify = ${_try_inotify}"] } + $enable_files_domain_line = $_enable_files_domain ? { undef => [], default => ["enable_files_domain = ${_enable_files_domain}"] } + + # Optional directory and user parameters + $krb5_rcache_dir_line = $_krb5_rcache_dir ? { undef => [], default => ["krb5_rcache_dir = ${_krb5_rcache_dir}"] } + $user_line = $_user ? { undef => [], default => ["user = ${_user}"] } + $default_domain_suffix_line = $_default_domain_suffix ? 
{ undef => [], default => ["default_domain_suffix = ${_default_domain_suffix}"] } + $override_space_line = $_override_space ? { undef => [], default => ["override_space = ${_override_space}"] } + + # Debug configuration + $debug_level_line = $_debug_level ? { undef => [], default => ["debug_level = ${_debug_level}"] } + $debug_timestamps_line = ["debug_timestamps = ${_debug_timestamps}"] + $debug_microseconds_line = ["debug_microseconds = ${_debug_microseconds}"] + + # Combine all lines in order + $config_lines = ( + $services_line + + $description_line + + $domains_line + + $config_file_version_line + + $reconnection_retries_line + + $re_expression_line + + $full_name_format_line + + $try_inotify_line + + $krb5_rcache_dir_line + + $user_line + + $default_domain_suffix_line + + $override_space_line + + $enable_files_domain_line + + $debug_level_line + + $debug_timestamps_line + + $debug_microseconds_line + ) + + # Join all configuration lines + $content = (['# sssd::config'] + $config_lines).join("\n") + file { '/etc/sssd/sssd.conf': owner => 'root', group => 'root', mode => '0600', - content => template("${module_name}/sssd.conf.erb"), - notify => Class["${module_name}::service"] + content => epp( + "${module_name}/generic.epp", + { + 'title' => 'sssd', + 'content' => $content, + }, + ), + notify => Class["${module_name}::service"], } } diff --git a/manifests/config/entry.pp b/manifests/config/entry.pp index c55ebaf..76643dc 100644 --- a/manifests/config/entry.pp +++ b/manifests/config/entry.pp @@ -7,11 +7,13 @@ # # @param content # The content of the target file +# @param order +# The order in which the file should be processed # -define sssd::config::entry( +define sssd::config::entry ( String $content, - Integer[0] $order = 50 -){ + Integer[0] $order = 50, +) { assert_private() if $title =~ /\// { @@ -28,6 +30,6 @@ group => 'root', mode => '0600', content => $content, - notify => Class["${module_name}::service"] + notify => Class["${module_name}::service"], } } 
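Review bot: Every `$_*` value in the new `$config_lines` block is interpolated into its `key = value` line unchanged and the lines are joined with `\n`, so a value carrying an embedded newline would inject extra directives (or a new `[section]` header) into /etc/sssd/sssd.conf; the ERB template this replaces presumably behaved the same way, and the parameter types that could exclude it are declared above the hunk, so I cannot tell from here whether anything rejects such a value. A cheap guard before the join is `assert_type(Array[Pattern[/\A[^\r\n]*\z/]], $config_lines)`, which fails the catalog instead of writing a malformed authentication config. Separately, the outer `$_services.empty ?` selector in `$services_line` is redundant: `$filtered_services` is empty whenever `$_services` is, so the inner selector alone yields the same result. The `sssd::config` class body starts above this hunk.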
diff --git a/manifests/config/ipa_domain.pp b/manifests/config/ipa_domain.pp index c1d3a25..5d7a75c 100644 --- a/manifests/config/ipa_domain.pp +++ b/manifests/config/ipa_domain.pp @@ -18,13 +18,12 @@ autofs_provider => 'ipa', min_id => $sssd::min_id, enumerate => $sssd::enumerate_users, - cache_credentials => $sssd::cache_credentials + cache_credentials => $sssd::cache_credentials, } sssd::provider::ipa { $_ipa_domain: ipa_domain => $_ipa_domain, - ipa_server => [ $_ipa_server ] + ipa_server => [$_ipa_server], } } } - diff --git a/manifests/domain.pp b/manifests/domain.pp index 10e3986..33dd92f 100644 --- a/manifests/domain.pp +++ b/manifests/domain.pp 
@@ -121,10 +121,140 @@ Optional[String] $proxy_pam_target = undef, Optional[String] $proxy_lib_name = undef, Optional[String] $ldap_user_search_filter = undef, - Optional[Hash] $custom_options = undef + Optional[Hash] $custom_options = undef, ) { + # Build configuration lines in order (matching expected test output) + # Debug settings + $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] } + $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"] + $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"] + + # Description and basic settings + $description_line = $description ? { undef => [], default => ["description = ${description}"] } + $min_id_line = ["min_id = ${min_id}"] + $max_id_line = ["max_id = ${max_id}"] + $enumerate_line = ["enumerate = ${enumerate}"] + + # Subdomain and timeout settings + $subdomain_enumerate_line = $subdomain_enumerate ? { false => [], default => ["subdomain_enumerate = ${subdomain_enumerate}"] } + $force_timeout_line = $force_timeout ? { undef => [], default => ["force_timeout = ${force_timeout}"] } + + # Entry cache timeout settings + $entry_cache_timeout_line = $entry_cache_timeout ? { undef => [], default => ["entry_cache_timeout = ${entry_cache_timeout}"] } + $entry_cache_user_timeout_line = $entry_cache_user_timeout ? { undef => [], default => ["entry_cache_user_timeout = ${entry_cache_user_timeout}"] } + $entry_cache_group_timeout_line = $entry_cache_group_timeout ? { undef => [], default => ["entry_cache_group_timeout = ${entry_cache_group_timeout}"] } + $entry_cache_netgroup_timeout_line = $entry_cache_netgroup_timeout ? { undef => [], default => ["entry_cache_netgroup_timeout = ${entry_cache_netgroup_timeout}"] } + $entry_cache_service_timeout_line = $entry_cache_service_timeout ? { undef => [], default => ["entry_cache_service_timeout = ${entry_cache_service_timeout}"] } + $entry_cache_sudo_timeout_line = $entry_cache_sudo_timeout ? 
{ undef => [], default => ["entry_cache_sudo_timeout = ${entry_cache_sudo_timeout}"] } + $entry_cache_autofs_timeout_line = $entry_cache_autofs_timeout ? { undef => [], default => ["entry_cache_autofs_timeout = ${entry_cache_autofs_timeout}"] } + $entry_cache_ssh_host_timeout_line = $entry_cache_ssh_host_timeout ? { undef => [], default => ["entry_cache_ssh_host_timeout = ${entry_cache_ssh_host_timeout}"] } + $refresh_expired_interval_line = $refresh_expired_interval ? { undef => [], default => ["refresh_expired_interval = ${refresh_expired_interval}"] } + + # Cache settings + $cache_credentials_line = ["cache_credentials = ${cache_credentials}"] + $account_cache_expiration_line = ["account_cache_expiration = ${account_cache_expiration}"] + $pwd_expiration_warning_line = $pwd_expiration_warning ? { undef => [], default => ["pwd_expiration_warning = ${pwd_expiration_warning}"] } + + # Naming settings + $use_fully_qualified_names_line = ["use_fully_qualified_names = ${use_fully_qualified_names}"] + $ignore_group_members_line = ["ignore_group_members = ${ignore_group_members}"] + + # Provider settings (id_provider is required, others optional) + $id_provider_line = ["id_provider = ${id_provider}"] + $auth_provider_line = $auth_provider ? { undef => [], default => ["auth_provider = ${auth_provider}"] } + $access_provider_line = $access_provider ? { undef => [], default => ["access_provider = ${access_provider}"] } + $chpass_provider_line = $chpass_provider ? { undef => [], default => ["chpass_provider = ${chpass_provider}"] } + $sudo_provider_line = $sudo_provider ? { undef => [], default => ["sudo_provider = ${sudo_provider}"] } + $selinux_provider_line = $selinux_provider ? { undef => [], default => ["selinux_provider = ${selinux_provider}"] } + $subdomains_provider_line = $subdomains_provider ? { undef => [], default => ["subdomains_provider = ${subdomains_provider}"] } + $autofs_provider_line = $autofs_provider ? 
{ undef => [], default => ["autofs_provider = ${autofs_provider}"] } + $hostid_provider_line = $hostid_provider ? { undef => [], default => ["hostid_provider = ${hostid_provider}"] } + + # Pattern and formatting settings + $re_expression_line = $re_expression ? { undef => [], default => ["re_expression = ${re_expression}"] } + $full_name_format_line = $full_name_format ? { undef => [], default => ["full_name_format = ${full_name_format}"] } + $lookup_family_order_line = $lookup_family_order ? { undef => [], default => ["lookup_family_order = ${lookup_family_order}"] } + + # DNS settings + $dns_resolver_timeout_line = ["dns_resolver_timeout = ${dns_resolver_timeout}"] + $dns_discovery_domain_line = $dns_discovery_domain ? { undef => [], default => ["dns_discovery_domain = ${dns_discovery_domain}"] } + + # Override and case sensitivity settings + $override_gid_line = $override_gid ? { undef => [], default => ["override_gid = ${override_gid}"] } + $case_sensitive_line = ["case_sensitive = ${case_sensitive}"] + $proxy_fast_alias_line = ["proxy_fast_alias = ${proxy_fast_alias}"] + + # Optional provider-specific settings + $realmd_tags_line = $realmd_tags ? { undef => [], default => ["realmd_tags = ${realmd_tags}"] } + $ldap_user_search_filter_line = $ldap_user_search_filter ? { undef => [], default => ["ldap_user_search_filter = ${ldap_user_search_filter}"] } + $proxy_pam_target_line = $proxy_pam_target ? { undef => [], default => ["proxy_pam_target = ${proxy_pam_target}"] } + $proxy_lib_name_line = $proxy_lib_name ? { undef => [], default => ["proxy_lib_name = ${proxy_lib_name}"] } + + # Custom options processing + $custom_options_lines = $custom_options ? 
{ + undef => [], + default => $custom_options.keys.sort.map |$opt| { "${opt} = ${custom_options[$opt]}" } + } + + # Combine all lines in order + $config_lines = ( + $debug_level_line + + $debug_timestamps_line + + $debug_microseconds_line + + $description_line + + $min_id_line + + $max_id_line + + $enumerate_line + + $subdomain_enumerate_line + + $force_timeout_line + + $entry_cache_timeout_line + + $entry_cache_user_timeout_line + + $entry_cache_group_timeout_line + + $entry_cache_netgroup_timeout_line + + $entry_cache_service_timeout_line + + $entry_cache_sudo_timeout_line + + $entry_cache_autofs_timeout_line + + $entry_cache_ssh_host_timeout_line + + $refresh_expired_interval_line + + $cache_credentials_line + + $account_cache_expiration_line + + $pwd_expiration_warning_line + + $use_fully_qualified_names_line + + $ignore_group_members_line + + $id_provider_line + + $auth_provider_line + + $access_provider_line + + $chpass_provider_line + + $sudo_provider_line + + $selinux_provider_line + + $subdomains_provider_line + + $autofs_provider_line + + $hostid_provider_line + + $re_expression_line + + $full_name_format_line + + $lookup_family_order_line + + $dns_resolver_timeout_line + + $dns_discovery_domain_line + + $override_gid_line + + $case_sensitive_line + + $proxy_fast_alias_line + + $realmd_tags_line + + $ldap_user_search_filter_line + + $proxy_pam_target_line + + $proxy_lib_name_line + + $custom_options_lines + ) + + # Join all configuration lines + $content = (["# sssd::domain ${name}"] + $config_lines).join("\n") sssd::config::entry { "puppet_domain_${name}": - content => template('sssd/domain.erb') + content => epp( + "${module_name}/generic", + { + 'title' => "domain/${name}", + 'content' => $content, + }, + ), } } diff --git a/manifests/init.pp b/manifests/init.pp index 2bfa27a..491fb1e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
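Review bot: The `$custom_options_lines` map writes each key and value straight into the domain section, and the REFERENCE.md change in this same commit states that no error checking is performed, so a value containing a newline can append arbitrary directives (or a new `[section]`) to the root-owned 0600 conf.d fragment, and a key that repeats one of the parameter-driven lines above it is emitted twice. A one-line guard such as `assert_type(Array[Pattern[/\A[^\r\n]*\z/]], $custom_options_lines)` keeps the documented "no validation" contract for values while ruling out line injection. Also, this is the only caller in the diff that passes `"${module_name}/generic"` without the `.epp` suffix; Puppet resolves it either way as far as I know, but matching the other call sites avoids the question. The `sssd::domain` parameter list starts above this hunk.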
@@ -121,7 +121,7 @@ Stdlib::Absolutepath $app_pki_cert_source = simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509'}), Stdlib::Absolutepath $app_pki_dir = '/etc/pki/simp_apps/sssd/x509', Boolean $auto_add_ipa_domain = true, - Optional[String[1]] $custom_config = undef + Optional[String[1]] $custom_config = undef, ) { include 'sssd::install' include 'sssd::config' @@ -135,7 +135,7 @@ if $custom_config { sssd::config::entry { 'puppet_custom': content => $custom_config, - order => 99999 + order => 99999, } } @@ -153,7 +153,7 @@ include 'auditd' auditd::rule { 'sssd': - content => '-w /etc/sssd/ -p wa -k CFG_sssd' + content => '-w /etc/sssd/ -p wa -k CFG_sssd', } } diff --git a/manifests/install.pp b/manifests/install.pp index 70fd48c..341cfd7 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -15,7 +15,7 @@ class sssd::install ( Boolean $install_client = true, Boolean $install_user_tools = true, - String $package_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }) + String $package_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }), ) { assert_private() @@ -24,12 +24,12 @@ } package { ['sssd', 'sssd-dbus']: - ensure => $package_ensure + ensure => $package_ensure, } if $install_user_tools { package { 'sssd-tools': - ensure => $package_ensure + ensure => $package_ensure, } } } diff --git a/manifests/install/client.pp b/manifests/install/client.pp index be07d71..1ab635b 100644 --- a/manifests/install/client.pp +++ b/manifests/install/client.pp @@ -6,9 +6,9 @@ # @author https://github.com/simp/pupmod-simp-sssd/graphs/contributors # class sssd::install::client ( - $ensure = $::sssd::install::package_ensure -){ + String $ensure = $sssd::install::package_ensure +) { package { 'sssd-client': - ensure => $ensure + ensure => $ensure, } } diff --git a/manifests/pki.pp b/manifests/pki.pp index 64355f8..8ce096a 100644 --- a/manifests/pki.pp 
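Review bot: In the `sssd::install::client` hunk, `String $ensure = $sssd::install::package_ensure` now raises a type mismatch whenever `sssd::install` has not been evaluated before this class, because an unset class variable is `undef`; the old untyped default silently fell through to the package resource's default behaviour instead. The sibling classes in this diff (`sssd::config`, `sssd::install`, `sssd::pki`, `sssd::config::entry`) all call `assert_private()`, so adding `assert_private()` as the first statement here makes the dependency explicit and produces a clear error rather than a confusing type message on a direct include. Whether the module already guarantees that evaluation order is decided in `sssd::install`, outside this hunk.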
+++ b/manifests/pki.pp @@ -22,8 +22,7 @@ # # * If $sssd::pki = false, this variable has no effect. # -class sssd::pki -{ +class sssd::pki { assert_private() include "${module_name}::service" @@ -32,7 +31,7 @@ pki::copy { 'sssd' : source => $sssd::app_pki_cert_source, pki => $sssd::pki, - notify => Class["${module_name}::service"] + notify => Class["${module_name}::service"], } } } diff --git a/manifests/provider/ad.pp b/manifests/provider/ad.pp index 7c0e227..1b3a9e9 100644 --- a/manifests/provider/ad.pp +++ b/manifests/provider/ad.pp 
@@ -150,7 +150,235 @@ Optional[String[1]] $ldap_user_extra_attrs = undef, Optional[String[1]] $ldap_user_ssh_public_key = undef, ) { + # Create parameter hash for easier access + $param_values = { + 'ad_domain' => $ad_domain, + 'ad_enabled_domains' => $ad_enabled_domains, + 'ad_servers' => $ad_servers, + 'ad_backup_servers' => $ad_backup_servers, + 'ad_hostname' => $ad_hostname, + 'ad_enable_dns_sites' => $ad_enable_dns_sites, + 'ad_access_filters' => $ad_access_filters, + 'ad_site' => $ad_site, + 'ad_enable_gc' => $ad_enable_gc, + 'ad_gpo_access_control' => $ad_gpo_access_control, + 'ad_gpo_cache_timeout' => $ad_gpo_cache_timeout, + 'ad_gpo_map_interactive' => $ad_gpo_map_interactive, + 'ad_gpo_map_remote_interactive' => $ad_gpo_map_remote_interactive, + 'ad_gpo_map_network' => $ad_gpo_map_network, + 'ad_gpo_map_batch' => $ad_gpo_map_batch, + 'ad_gpo_map_service' => $ad_gpo_map_service, + 'ad_gpo_map_permit' => $ad_gpo_map_permit, + 'ad_gpo_map_deny' => $ad_gpo_map_deny, + 'ad_gpo_default_right' => $ad_gpo_default_right, + 'ad_gpo_implicit_deny' => $ad_gpo_implicit_deny, + 'ad_gpo_ignore_unreadable' => $ad_gpo_ignore_unreadable, + 'ad_maximum_machine_account_password_age' => $ad_maximum_machine_account_password_age, + 'ad_machine_account_password_renewal_opts' => $ad_machine_account_password_renewal_opts, + 'default_shell' => $default_shell, + 'override_homedir' => $override_homedir, + 'fallback_homedir' => $fallback_homedir, + 'homedir_substring' => $homedir_substring, + 'krb5_realm' => $krb5_realm, + 'krb5_confd_path' => $krb5_confd_path, + 'krb5_use_enterprise_principal' => $krb5_use_enterprise_principal, + 'krb5_store_password_if_offline' => $krb5_store_password_if_offline, + 'ldap_id_mapping' => $ldap_id_mapping, + 'ldap_schema' => $ldap_schema, + 'ldap_idmap_range_min' => $ldap_idmap_range_min, + 'ldap_idmap_range_max' => $ldap_idmap_range_max, + 'ldap_idmap_range_size' => $ldap_idmap_range_size, + 'ldap_idmap_default_domain_sid' => 
$ldap_idmap_default_domain_sid, + 'ldap_idmap_default_domain' => $ldap_idmap_default_domain, + 'ldap_idmap_autorid_compat' => $ldap_idmap_autorid_compat, + 'ldap_idmap_helper_table_size' => $ldap_idmap_helper_table_size, + 'ldap_use_tokengroups' => $ldap_use_tokengroups, + 'ldap_group_objectsid' => $ldap_group_objectsid, + 'ldap_user_objectsid' => $ldap_user_objectsid, + 'ldap_user_extra_attrs' => $ldap_user_extra_attrs, + 'ldap_user_ssh_public_key' => $ldap_user_ssh_public_key, + } + + # Build configuration lines array (order matches expected test output) + $ad_domain_line = $ad_domain ? { undef => [], default => ["ad_domain = ${ad_domain}"] } + $ad_enabled_domains_line = $ad_enabled_domains ? { undef => [], default => ["ad_enabled_domains = ${ad_enabled_domains.join(', ')}"] } + + $ad_server_lines = $ad_servers ? { + undef => [], + default => ["ad_server = ${ad_servers.join(', ')}"] + ($ad_backup_servers ? { undef => [], default => ["ad_backup_server = ${ad_backup_servers.join(', ')}"] }) + } + + $ad_hostname_line = $ad_hostname ? { undef => [], default => ["ad_hostname = ${ad_hostname}"] } + $ad_enable_dns_sites_line = $ad_enable_dns_sites ? { undef => [], default => ["ad_enable_dns_sites = ${ad_enable_dns_sites}"] } + $ad_access_filters_line = $ad_access_filters ? { undef => [], default => ["ad_access_filter = ${ad_access_filters.join('?')}"] } + $ad_site_line = $ad_site ? { undef => [], default => ["ad_site = ${ad_site}"] } + $ad_enable_gc_line = $ad_enable_gc ? { undef => [], default => ["ad_enable_gc = ${ad_enable_gc}"] } + + # GPO parameters + $ad_gpo_access_control_line = $ad_gpo_access_control ? { undef => [], default => ["ad_gpo_access_control = ${ad_gpo_access_control}"] } + $ad_gpo_cache_timeout_line = $ad_gpo_cache_timeout ? { undef => [], default => ["ad_gpo_cache_timeout = ${ad_gpo_cache_timeout}"] } + $ad_gpo_map_interactive_line = $ad_gpo_map_interactive ? 
{ undef => [], default => ["ad_gpo_map_interactive = ${ad_gpo_map_interactive.join(', ')}"] } + $ad_gpo_map_remote_interactive_line = $ad_gpo_map_remote_interactive ? { undef => [], default => ["ad_gpo_map_remote_interactive = ${ad_gpo_map_remote_interactive.join(', ')}"] } + $ad_gpo_map_network_line = $ad_gpo_map_network ? { undef => [], default => ["ad_gpo_map_network = ${ad_gpo_map_network.join(', ')}"] } + $ad_gpo_map_batch_line = $ad_gpo_map_batch ? { undef => [], default => ["ad_gpo_map_batch = ${ad_gpo_map_batch.join(', ')}"] } + $ad_gpo_map_service_line = $ad_gpo_map_service ? { undef => [], default => ["ad_gpo_map_service = ${ad_gpo_map_service.join(', ')}"] } + $ad_gpo_map_permit_line = $ad_gpo_map_permit ? { undef => [], default => ["ad_gpo_map_permit = ${ad_gpo_map_permit.join(', ')}"] } + $ad_gpo_map_deny_line = $ad_gpo_map_deny ? { undef => [], default => ["ad_gpo_map_deny = ${ad_gpo_map_deny.join(', ')}"] } + $ad_gpo_default_right_line = $ad_gpo_default_right ? { undef => [], default => ["ad_gpo_default_right = ${ad_gpo_default_right}"] } + $ad_gpo_implicit_deny_line = $ad_gpo_implicit_deny ? { undef => [], default => ["ad_gpo_implicit_deny = ${ad_gpo_implicit_deny}"] } + $ad_gpo_ignore_unreadable_line = $ad_gpo_ignore_unreadable ? { undef => [], default => ["ad_gpo_ignore_unreadable = ${ad_gpo_ignore_unreadable}"] } + + # Machine account parameters + $ad_maximum_machine_account_password_age_line = $ad_maximum_machine_account_password_age ? { undef => [], default => ["ad_maximum_machine_account_password_age = ${ad_maximum_machine_account_password_age}"] } + $ad_machine_account_password_renewal_opts_line = $ad_machine_account_password_renewal_opts ? { undef => [], default => ["ad_machine_account_password_renewal_opts = ${ad_machine_account_password_renewal_opts}"] } + + # General parameters + $default_shell_line = $default_shell ? 
{ undef => [], default => ["default_shell = ${default_shell}"] } + + # Dynamic DNS parameters + $dyndns_update_line = $dyndns_update ? { undef => [], default => ["dyndns_update = ${dyndns_update}"] } + $dyndns_conditional_lines = $dyndns_update ? { + true => ( + ($dyndns_ttl ? { undef => [], default => ["dyndns_ttl = ${dyndns_ttl}"] }) + + ($dyndns_ifaces ? { undef => [], default => ["dyndns_iface = ${dyndns_ifaces.join(', ')}"] }) + + ($dyndns_refresh_interval ? { undef => [], default => ["dyndns_refresh_interval = ${dyndns_refresh_interval}"] }) + + ($dyndns_update_ptr ? { undef => [], default => ["dyndns_update_ptr = ${dyndns_update_ptr}"] }) + + ($dyndns_force_tcp ? { undef => [], default => ["dyndns_force_tcp = ${dyndns_force_tcp}"] }) + + ($dyndns_server ? { undef => [], default => ["dyndns_server = ${dyndns_server}"] }) + ), + default => [] + } + + # Home directory parameters + $override_homedir_line = $override_homedir ? { undef => [], default => ["override_homedir = ${override_homedir}"] } + $homedir_substring_line = $homedir_substring ? { undef => [], default => ["homedir_substring = ${homedir_substring}"] } + $fallback_homedir_line = $fallback_homedir ? { undef => [], default => ["fallback_homedir = ${fallback_homedir}"] } + + # Kerberos parameters + $krb5_realm_line = $krb5_realm ? { undef => [], default => ["krb5_realm = ${krb5_realm}"] } + $krb5_confd_path_line = $krb5_confd_path ? { undef => [], default => ["krb5_confd_path = ${krb5_confd_path}"] } + $krb5_use_enterprise_principal_line = $krb5_use_enterprise_principal ? { undef => [], default => ["krb5_use_enterprise_principal = ${krb5_use_enterprise_principal}"] } + $krb5_store_password_if_offline_line = $krb5_store_password_if_offline ? { undef => [], default => ["krb5_store_password_if_offline = ${krb5_store_password_if_offline}"] } + + # LDAP ID mapping (always present) + $ldap_id_mapping_line = ["ldap_id_mapping = ${ldap_id_mapping}"] + $ldap_idmap_conditional_lines = $ldap_id_mapping ? 
{ + true => ( + ($ldap_schema ? { undef => [], default => ["ldap_schema = ${ldap_schema}"] }) + + ($ldap_idmap_range_min ? { undef => [], default => ["ldap_idmap_range_min = ${ldap_idmap_range_min}"] }) + + ($ldap_idmap_range_max ? { undef => [], default => ["ldap_idmap_range_max = ${ldap_idmap_range_max}"] }) + + ($ldap_idmap_range_size ? { undef => [], default => ["ldap_idmap_range_size = ${ldap_idmap_range_size}"] }) + + ($ldap_idmap_default_domain_sid ? { undef => [], default => ["ldap_idmap_default_domain_sid = ${ldap_idmap_default_domain_sid}"] }) + + ($ldap_idmap_default_domain ? { undef => [], default => ["ldap_idmap_default_domain = ${ldap_idmap_default_domain}"] }) + + ($ldap_idmap_autorid_compat ? { undef => [], default => ["ldap_idmap_autorid_compat = ${ldap_idmap_autorid_compat}"] }) + + ($ldap_idmap_helper_table_size ? { undef => [], default => ["ldap_idmap_helper_table_size = ${ldap_idmap_helper_table_size}"] }) + ), + default => [] + } + + # LDAP parameters (always present) + $ldap_use_tokengroups_line = ["ldap_use_tokengroups = ${ldap_use_tokengroups}"] + $ldap_group_objectsid_line = $ldap_group_objectsid ? { undef => [], default => ["ldap_group_objectsid = ${ldap_group_objectsid}"] } + $ldap_user_objectsid_line = $ldap_user_objectsid ? { undef => [], default => ["ldap_user_objectsid = ${ldap_user_objectsid}"] } + $ldap_user_extra_attrs_line = $ldap_user_extra_attrs ? { undef => [], default => ["ldap_user_extra_attrs = ${ldap_user_extra_attrs}"] } + $ldap_user_ssh_public_key_line = $ldap_user_ssh_public_key ? 
{ undef => [], default => ["ldap_user_ssh_public_key = ${ldap_user_ssh_public_key}"] } + + # Combine all lines in order + $config_lines = ( + $ad_domain_line + + $ad_enabled_domains_line + + $ad_server_lines + + $ad_hostname_line + + $ad_enable_dns_sites_line + + $ad_access_filters_line + + $ad_site_line + + $ad_enable_gc_line + + $ad_gpo_access_control_line + + $ad_gpo_cache_timeout_line + + $ad_gpo_map_interactive_line + + $ad_gpo_map_remote_interactive_line + + $ad_gpo_map_network_line + + $ad_gpo_map_batch_line + + $ad_gpo_map_service_line + + $ad_gpo_map_permit_line + + $ad_gpo_map_deny_line + + $ad_gpo_default_right_line + + $ad_gpo_implicit_deny_line + + $ad_gpo_ignore_unreadable_line + + $ad_maximum_machine_account_password_age_line + + $ad_machine_account_password_renewal_opts_line + + $default_shell_line + + $dyndns_update_line + + $dyndns_conditional_lines + + $override_homedir_line + + $homedir_substring_line + + $fallback_homedir_line + + $krb5_realm_line + + $krb5_confd_path_line + + $krb5_use_enterprise_principal_line + + $krb5_store_password_if_offline_line + + $ldap_id_mapping_line + + $ldap_idmap_conditional_lines + + $ldap_use_tokengroups_line + + $ldap_group_objectsid_line + + $ldap_user_objectsid_line + + $ldap_user_extra_attrs_line + + $ldap_user_ssh_public_key_line + ) + + # Boolean parameters that should always be output + $boolean_params = { + 'dyndns_update' => $dyndns_update, + 'krb5_store_password_if_offline' => $krb5_store_password_if_offline, + 'ldap_id_mapping' => $ldap_id_mapping, + 'ldap_use_tokengroups' => $ldap_use_tokengroups, + } + + # Optional boolean parameters (only output if not undef) + $optional_boolean_params = { + 'ad_enable_dns_sites' => $ad_enable_dns_sites, + 'ad_enable_gc' => $ad_enable_gc, + 'ad_gpo_implicit_deny' => $ad_gpo_implicit_deny, + 'ad_gpo_ignore_unreadable' => $ad_gpo_ignore_unreadable, + 'krb5_use_enterprise_principal' => $krb5_use_enterprise_principal, + 'ldap_idmap_autorid_compat' => 
$ldap_idmap_autorid_compat, + } + + # Array parameters with different separators and special handling + $array_params = { + 'ad_enabled_domains' => { 'value' => $ad_enabled_domains, 'separator' => ', ' }, + 'ad_servers' => { 'value' => $ad_servers, 'separator' => ', ', 'param_name' => 'ad_server' }, + 'ad_backup_servers' => { 'value' => $ad_backup_servers, 'separator' => ', ', 'param_name' => 'ad_backup_server' }, + 'ad_access_filters' => { 'value' => $ad_access_filters, 'separator' => '?', 'param_name' => 'ad_access_filter' }, + 'ad_gpo_map_interactive' => { 'value' => $ad_gpo_map_interactive, 'separator' => ', ' }, + 'ad_gpo_map_remote_interactive' => { 'value' => $ad_gpo_map_remote_interactive, 'separator' => ', ' }, + 'ad_gpo_map_network' => { 'value' => $ad_gpo_map_network, 'separator' => ', ' }, + 'ad_gpo_map_batch' => { 'value' => $ad_gpo_map_batch, 'separator' => ', ' }, + 'ad_gpo_map_service' => { 'value' => $ad_gpo_map_service, 'separator' => ', ' }, + 'ad_gpo_map_permit' => { 'value' => $ad_gpo_map_permit, 'separator' => ', ' }, + 'ad_gpo_map_deny' => { 'value' => $ad_gpo_map_deny, 'separator' => ', ' }, + } + + # DynDNS parameters (only included if dyndns_update is true) + $dyndns_params = { + 'dyndns_ttl' => $dyndns_ttl, + 'dyndns_ifaces' => $dyndns_ifaces, # Special case: array with param_name 'dyndns_iface' + 'dyndns_refresh_interval' => $dyndns_refresh_interval, + 'dyndns_update_ptr' => $dyndns_update_ptr, + 'dyndns_force_tcp' => $dyndns_force_tcp, + 'dyndns_server' => $dyndns_server, + } + + # Join all configuration lines + $content = (['# sssd::provider::ad'] + $config_lines).join("\n") + sssd::config::entry { "puppet_provider_${name}_ad": - content => template("${module_name}/provider/ad.erb") + content => epp( + "${module_name}/generic.epp", + { + 'title' => "domain/${title}", + 'content' => $content, + }, + ), } } diff --git a/manifests/provider/files.pp b/manifests/provider/files.pp index ab00994..e93c6f8 100644 
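Review bot: The five hashes `$param_values`, `$boolean_params`, `$optional_boolean_params`, `$array_params` and `$dyndns_params` are built but never read: `$content` is derived solely from `$config_lines`, and nothing else in the hunk references them, so they are dead code that will drift from the `_line` selectors the next time a parameter is added (the separators listed in `$array_params`, for example, are already duplicated by hand in the `.join` calls above). Either delete them or make them the single source of truth and generate `$config_lines` from them. If they are deliberately kept, a comment such as `# NOTE: reference tables only; the rendered lines are built by the selectors above` would stop the next reader from assuming the template consumes them. The define's parameter list starts above this hunk.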
--- a/manifests/provider/files.pp +++ b/manifests/provider/files.pp @@ -19,9 +19,28 @@ # define sssd::provider::files ( Optional[Array[Stdlib::Absolutepath]] $passwd_files = undef, - Optional[Array[Stdlib::Absolutepath]] $group_files = undef + Optional[Array[Stdlib::Absolutepath]] $group_files = undef, ) { + # Build configuration lines in order (matching expected test output) + $passwd_files_line = ($passwd_files and !$passwd_files.empty) ? { true => ["passwd_files = ${passwd_files.join(', ')}"], false => [] } + $group_files_line = ($group_files and !$group_files.empty) ? { true => ["group_files = ${group_files.join(', ')}"], false => [] } + + # Combine all lines in order + $config_lines = ( + $passwd_files_line + + $group_files_line + ) + + # Join all configuration lines + $content = (['# sssd::provider::files'] + $config_lines).join("\n") + sssd::config::entry { "puppet_provider_${name}_files": - content => template("${module_name}/provider/files.erb") + content => epp( + "${module_name}/generic.epp", + { + 'title' => "domain/${title}", + 'content' => $content, + } + ), } } diff --git a/manifests/provider/ipa.pp b/manifests/provider/ipa.pp index 68c87b5..eeec5aa 100644 --- a/manifests/provider/ipa.pp +++ b/manifests/provider/ipa.pp 
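Review bot: The `epp()` call in `sssd::provider::files` closes its argument hash with `}` and no trailing comma before `)`, while every other `epp()` call in this change writes `},`; worth aligning, since the `.puppet-lint.rc` edit in this same commit re-enables the trailing_comma check (whether that check reaches function-call arguments I am not certain). The `($passwd_files and !$passwd_files.empty)` guards do cover both the undef and the empty-array cases, so the generated fragment stays free of empty `passwd_files =` lines.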
@@ -73,16 +73,98 @@ Boolean $krb5_store_password_if_offline = true, Stdlib::AbsolutePath $ldap_tls_cacert = '/etc/ipa/ca.crt', Array[String] $ldap_tls_cipher_suite = ['HIGH','-SSLv2'], - Boolean $use_service_discovery = true + Boolean $use_service_discovery = true, ) { - if $use_service_discovery { - $_ipa_server = ['_srv_'] + $ipa_server - } - else { - $_ipa_server = $ipa_server + # Build configuration lines in order (matching expected test output) + # IPA domain configuration (required) + $ipa_domain_line = ["ipa_domain = ${ipa_domain}"] + + # IPA server configuration with service discovery logic + $ipa_server_line = $use_service_discovery ? { + true => ["ipa_server = _srv_,${ipa_server.join(',')}"], + false => ["ipa_server = ${ipa_server.join(',')}"] } + # IPA backup server configuration (optional) + $ipa_backup_server_line = $ipa_backup_server ? { undef => [], default => ["ipa_backup_server = ${ipa_backup_server.join(',')}"] } + + # IPA boolean settings (required) + $ipa_enable_dns_sites_line = ["ipa_enable_dns_sites = ${ipa_enable_dns_sites}"] + $ipa_hostname_line = ["ipa_hostname = ${ipa_hostname}"] + $ipa_server_mode_line = ["ipa_server_mode = ${ipa_server_mode}"] + + # Dynamic DNS settings + $dyndns_auth_line = ["dyndns_auth = ${dyndns_auth}"] + $dyndns_force_tcp_line = $dyndns_force_tcp ? { undef => [], default => ["dyndns_force_tcp = ${dyndns_force_tcp}"] } + $dyndns_iface_line = $dyndns_iface ? { undef => [], default => ["dyndns_iface = ${dyndns_iface.join(',')}"] } + $dyndns_refresh_interval_line = $dyndns_refresh_interval ? { undef => [], default => ["dyndns_refresh_interval = ${dyndns_refresh_interval}"] } + $dyndns_server_line = $dyndns_server ? { undef => [], default => ["dyndns_server = ${dyndns_server}"] } + $dyndns_ttl_line = $dyndns_ttl ? { undef => [], default => ["dyndns_ttl = ${dyndns_ttl}"] } + $dyndns_update_line = ["dyndns_update = ${dyndns_update}"] + $dyndns_update_ptr_line = $dyndns_update_ptr ? 
{ undef => [], default => ["dyndns_update_ptr = ${dyndns_update_ptr}"] } + + # IPA-specific optional settings + $ipa_automount_location_line = $ipa_automount_location ? { undef => [], default => ["ipa_automount_location = ${ipa_automount_location}"] } + $ipa_hbac_refresh_line = $ipa_hbac_refresh ? { undef => [], default => ["ipa_hbac_refresh = ${ipa_hbac_refresh}"] } + $ipa_hbac_search_base_line = $ipa_hbac_search_base ? { undef => [], default => ["ipa_hbac_search_base = ${ipa_hbac_search_base}"] } + $ipa_hbac_selinux_line = $ipa_hbac_selinux ? { undef => [], default => ["ipa_hbac_selinux = ${ipa_hbac_selinux}"] } + $ipa_host_search_base_line = $ipa_host_search_base ? { undef => [], default => ["ipa_host_search_base = ${ipa_host_search_base}"] } + $ipa_master_domains_search_base_line = $ipa_master_domains_search_base ? { undef => [], default => ["ipa_master_domains_search_base = ${ipa_master_domains_search_base}"] } + $ipa_selinux_search_base_line = $ipa_selinux_search_base ? { undef => [], default => ["ipa_selinux_search_base = ${ipa_selinux_search_base}"] } + $ipa_subdomains_search_base_line = $ipa_subdomains_search_base ? { undef => [], default => ["ipa_subdomains_search_base = ${ipa_subdomains_search_base}"] } + $ipa_views_search_base_line = $ipa_views_search_base ? { undef => [], default => ["ipa_views_search_base = ${ipa_views_search_base}"] } + + # Kerberos settings + $krb5_confd_path_line = $krb5_confd_path ? { undef => [], default => ["krb5_confd_path = ${krb5_confd_path}"] } + $krb5_realm_line = $krb5_realm ? 
{ undef => [], default => ["krb5_realm = ${krb5_realm}"] } + $krb5_store_password_if_offline_line = ["krb5_store_password_if_offline = ${krb5_store_password_if_offline}"] + + # LDAP TLS settings (required) + $ldap_tls_cacert_line = ["ldap_tls_cacert = ${ldap_tls_cacert}"] + $ldap_tls_cipher_suite_line = ["ldap_tls_cipher_suite = ${ldap_tls_cipher_suite.join(':')}"] + + # Combine all lines in order + $config_lines = ( + $ipa_domain_line + + $ipa_server_line + + $ipa_backup_server_line + + $ipa_enable_dns_sites_line + + $ipa_hostname_line + + $ipa_server_mode_line + + $dyndns_auth_line + + $dyndns_force_tcp_line + + $dyndns_iface_line + + $dyndns_refresh_interval_line + + $dyndns_server_line + + $dyndns_ttl_line + + $dyndns_update_line + + $dyndns_update_ptr_line + + $ipa_automount_location_line + + $ipa_hbac_refresh_line + + $ipa_hbac_search_base_line + + $ipa_hbac_selinux_line + + $ipa_host_search_base_line + + $ipa_master_domains_search_base_line + + $ipa_selinux_search_base_line + + $ipa_subdomains_search_base_line + + $ipa_views_search_base_line + + $krb5_confd_path_line + + $krb5_realm_line + + $krb5_store_password_if_offline_line + + $ldap_tls_cacert_line + + $ldap_tls_cipher_suite_line + ) + + # Join all configuration lines + $content = (['# sssd::provider::ipa'] + $config_lines).join("\n") + sssd::config::entry { "puppet_provider_${name}_ipa": - content => template("${module_name}/provider/ipa.erb") + content => epp( + "${module_name}/generic.epp", + { + 'title' => "domain/${title}", + 'content' => $content, + }, + ), } } diff --git a/manifests/provider/krb5.pp b/manifests/provider/krb5.pp index 5986e0f..dff9494 100644 --- a/manifests/provider/krb5.pp +++ b/manifests/provider/krb5.pp 
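Review bot: `$ipa_server_line` emits `ipa_server = _srv_,` with a dangling comma when `$ipa_server` is an empty array (its declaration is above the hunk, so whether that is reachable is not visible here); building the list first removes the special case: `$_servers = ($use_service_discovery ? { true => ['_srv_'], false => [] }) + $ipa_server` and `$ipa_server_line = ["ipa_server = ${_servers.join(',')}"]`. The `$x ? { undef => [], default => ["x = ${x}"] }` selector is repeated for nearly every parameter here and again in krb5.pp, autofs.pp, ifp.pp, nss.pp, pac.pp and pam.pp in this change; ldap.pp already takes the better approach of a `{name => value}` hash filtered for `undef`, and a small shared helper built on that would reduce each define to a list of names. The define's parameter list starts above the hunk.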
@@ -28,8 +28,8 @@
 # @author https://github.com/simp/pupmod-simp-sssd/graphs/contributors
 #
 define sssd::provider::krb5 (
- Optional[Simplib::Host] $krb5_server = undef,
 String $krb5_realm,
+ Optional[Simplib::Host] $krb5_server = undef,
 Optional[Sssd::DebugLevel] $debug_level = undef,
 Boolean $debug_timestamps = true,
 Boolean $debug_microseconds = false,
@@ -43,28 +43,67 @@ Optional[String] $krb5_renewable_lifetime = undef, Optional[String] $krb5_lifetime = undef, Integer $krb5_renew_interval = 0, - Optional[Enum['never','try','demand']] $krb5_use_fast = undef + Optional[Enum['never','try','demand']] $krb5_use_fast = undef, ) { + # Build configuration lines in order (matching expected test output) + # Debug settings + $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] } + $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"] + $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"] + + # Kerberos server settings + $krb5_server_line = $krb5_server ? { undef => [], default => ["krb5_server = ${krb5_server}"] } + $krb5_realm_line = ["krb5_realm = ${krb5_realm}"] + $krb5_kpasswd_line = $krb5_kpasswd ? { undef => [], default => ["krb5_kpasswd = ${krb5_kpasswd}"] } + + # Cache settings + $krb5_ccachedir_line = $krb5_ccachedir ? { undef => [], default => ["krb5_ccachedir = ${krb5_ccachedir}"] } + $krb5_ccname_template_line = $krb5_ccname_template ? { undef => [], default => ["krb5_ccname_template = ${krb5_ccname_template}"] } + + # Authentication settings + $krb5_auth_timeout_line = ["krb5_auth_timeout = ${krb5_auth_timeout}"] + $krb5_validate_line = ["krb5_validate = ${krb5_validate}"] + $krb5_keytab_line = $krb5_keytab ? { undef => [], default => ["krb5_keytab = ${krb5_keytab}"] } + $krb5_store_password_if_offline_line = ["krb5_store_password_if_offline = ${krb5_store_password_if_offline}"] + + # Lifetime settings + $krb5_renewable_lifetime_line = $krb5_renewable_lifetime ? { undef => [], default => ["krb5_renewable_lifetime = ${krb5_renewable_lifetime}"] } + $krb5_lifetime_line = $krb5_lifetime ? { undef => [], default => ["krb5_lifetime = ${krb5_lifetime}"] } + $krb5_renew_interval_line = ["krb5_renew_interval = ${krb5_renew_interval}"] + + # Advanced settings + $krb5_use_fast_line = $krb5_use_fast ? 
{ undef => [], default => ["krb5_use_fast = ${krb5_use_fast}"] } + + # Combine all lines in order + $config_lines = ( + $debug_level_line + + $debug_timestamps_line + + $debug_microseconds_line + + $krb5_server_line + + $krb5_realm_line + + $krb5_kpasswd_line + + $krb5_ccachedir_line + + $krb5_ccname_template_line + + $krb5_auth_timeout_line + + $krb5_validate_line + + $krb5_keytab_line + + $krb5_store_password_if_offline_line + + $krb5_renewable_lifetime_line + + $krb5_lifetime_line + + $krb5_renew_interval_line + + $krb5_use_fast_line + ) + + # Join all configuration lines + $content = (['# sssd::provider::krb5'] + $config_lines).join("\n") sssd::config::entry { "puppet_provider_${name}_krb5": - content => epp("${module_name}/provider/krb5", { - 'domain' => $title, - 'krb5_server' => $krb5_server, - 'krb5_realm' => $krb5_realm, - 'debug_level' => $debug_level, - 'debug_timestamps' => $debug_timestamps, - 'debug_microseconds' => $debug_microseconds, - 'krb5_kpasswd' => $krb5_kpasswd, - 'krb5_ccachedir' => $krb5_ccachedir, - 'krb5_ccname_template' => $krb5_ccname_template, - 'krb5_auth_timeout' => $krb5_auth_timeout, - 'krb5_validate' => $krb5_validate, - 'krb5_keytab' => $krb5_keytab, - 'krb5_store_password_if_offline' => $krb5_store_password_if_offline, - 'krb5_renewable_lifetime' => $krb5_renewable_lifetime, - 'krb5_lifetime' => $krb5_lifetime, - 'krb5_renew_interval' => $krb5_renew_interval, - 'krb5_use_fast' => $krb5_use_fast - }) + content => epp( + "${module_name}/generic.epp", + { + 'title' => "domain/${title}", + 'content' => $content, + }, + ), } } diff --git a/manifests/provider/ldap.pp b/manifests/provider/ldap.pp index a9dba1c..ca5ed97 100644 --- a/manifests/provider/ldap.pp +++ b/manifests/provider/ldap.pp 
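Review bot: The header comment `# Build configuration lines in order (matching expected test output)` explains the spec fixtures rather than the code; ldap.pp in this same change sorts its lines alphabetically, so the fixed order here is a compatibility choice, and a comment such as `# Emit one "key = value" line per set parameter; the order is kept stable so existing spec fixtures and diffs of /etc/sssd/sssd.conf stay readable` would tell the next maintainer why it must not be reshuffled. The same comment is repeated verbatim in ipa.pp, autofs.pp, ifp.pp, nss.pp, pac.pp, pam.pp and files.pp. The define's parameter list starts above the hunk.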
@@ -357,24 +357,367 @@ } if $app_pki_ca_dir { - $ldap_tls_cacertdir = $app_pki_ca_dir + $_ldap_tls_cacertdir = $app_pki_ca_dir } elsif $client_tls { - $ldap_tls_cacertdir = "${sssd::app_pki_dir}/cacerts" + $_ldap_tls_cacertdir = "${sssd::app_pki_dir}/cacerts" + } else { + $_ldap_tls_cacertdir = undef } if $app_pki_key { - $ldap_tls_key = $app_pki_key + $_ldap_tls_key = $app_pki_key } elsif $client_tls { - $ldap_tls_key = "${sssd::app_pki_dir}/private/${$facts['networking']['fqdn']}.pem" + $_ldap_tls_key = "${sssd::app_pki_dir}/private/${$facts['networking']['fqdn']}.pem" + } else { + $_ldap_tls_key = undef } if $app_pki_cert { - $ldap_tls_cert = $app_pki_cert + $_ldap_tls_cert = $app_pki_cert } elsif $client_tls { - $ldap_tls_cert = "${sssd::app_pki_dir}/public/${$facts['networking']['fqdn']}.pub" + $_ldap_tls_cert = "${sssd::app_pki_dir}/public/${$facts['networking']['fqdn']}.pub" + } else { + $_ldap_tls_cert = undef } + # Determine SSSD major version + if $facts['sssd_version'] =~ String[1] { + $sssd_major_version = Integer($facts['sssd_version'].split(/\./)[0]) + } elsif $facts['os']['release']['major'] < '8' { + $sssd_major_version = 1 + } else { + $sssd_major_version = 2 + } + + # Build configuration content + $simple_params = [ + 'debug_level', + 'debug_timestamps', + 'debug_microseconds', + 'ldap_search_base', + 'ldap_schema', + 'ldap_default_bind_dn', + 'ldap_default_authtok_type', + 'ldap_default_authtok', + 'ldap_user_cert', + 'ldap_user_object_class', + 'ldap_user_name', + 'ldap_user_uid_number', + 'ldap_user_gid_number', + 'ldap_user_gecos', + 'ldap_user_home_directory', + 'ldap_user_shell', + 'ldap_user_uuid', + 'ldap_user_objectsid', + 'ldap_user_modify_timestamp', + 'ldap_user_shadow_last_change', + 'ldap_user_shadow_min', + 'ldap_user_shadow_max', + 'ldap_user_shadow_warning', + 'ldap_user_shadow_inactive', + 'ldap_user_shadow_expire', + 'ldap_user_krb_last_pwd_change', + 'ldap_user_krb_password_expiration', + 'ldap_user_ad_account_expires', + 
'ldap_user_ad_user_account_control', + 'ldap_ns_account_lock', + 'ldap_user_nds_login_disabled', + 'ldap_user_nds_login_expiration_time', + 'ldap_user_nds_login_allowed_time_map', + 'ldap_user_principal', + 'ldap_user_ssh_public_key', + 'ldap_force_upper_case_realm', + 'ldap_enumeration_refresh_timeout', + 'ldap_purge_cache_timeout', + 'ldap_user_fullname', + 'ldap_user_member_of', + 'ldap_user_authorized_service', + 'ldap_user_authorized_host', + 'ldap_group_object_class', + 'ldap_group_name', + 'ldap_group_gid_number', + 'ldap_group_member', + 'ldap_group_uuid', + 'ldap_group_objectsid', + 'ldap_group_modify_timestamp', + 'ldap_group_type', + 'ldap_group_nesting_level', + 'ldap_use_tokengroups', + 'ldap_netgroup_object_class', + 'ldap_netgroup_name', + 'ldap_netgroup_member', + 'ldap_netgroup_triple', + 'ldap_netgroup_uuid', + 'ldap_netgroup_modify_timestamp', + 'ldap_service_name', + 'ldap_service_port', + 'ldap_service_proto', + 'ldap_service_search_base', + 'ldap_search_timeout', + 'ldap_enumeration_search_timeout', + 'ldap_network_timeout', + 'ldap_opt_timeout', + 'ldap_connection_expire_timeout', + 'ldap_page_size', + 'ldap_disable_paging', + 'ldap_disable_range_retrieval', + 'ldap_sasl_minssf', + 'ldap_deref_threshold', + 'ldap_tls_reqcert', + 'ldap_tls_cacert', + 'ldap_tls_cacertdir', + 'ldap_tls_cert', + 'ldap_tls_key', + 'ldap_id_use_start_tls', + 'ldap_id_mapping', + 'ldap_min_id', + 'ldap_max_id', + 'ldap_sasl_mech', + 'ldap_sasl_authid', + 'ldap_sasl_realm', + 'ldap_sasl_canonicalize', + 'ldap_krb5_keytab', + 'ldap_krb5_init_creds', + 'ldap_krb5_ticket_lifetime', + 'krb5_realm', + 'krb5_canonicalize', + 'krb5_use_kdcinfo', + 'ldap_pwd_policy', + 'ldap_referrals', + 'ldap_dns_service_name', + 'ldap_chpass_dns_service_name', + 'ldap_chpass_update_last_change', + 'ldap_access_filter', + 'ldap_pwdlockout_dn', + 'ldap_deref', + 'ldap_sudorule_object_class', + 'ldap_sudorule_name', + 'ldap_sudorule_command', + 'ldap_sudorule_host', + 'ldap_sudorule_user', + 
'ldap_sudorule_option', + 'ldap_sudorule_runasuser', + 'ldap_sudorule_runasgroup', + 'ldap_sudorule_notbefore', + 'ldap_sudorule_notafter', + 'ldap_sudorule_order', + 'ldap_sudo_full_refresh_interval', + 'ldap_sudo_smart_refresh_interval', + 'ldap_sudo_use_host_filter', + 'ldap_sudo_include_netgroups ', + 'ldap_sudo_include_regexp', + 'ldap_autofs_map_master_name', + 'ldap_autofs_map_object_class', + 'ldap_autofs_map_name', + 'ldap_autofs_entry_object_class', + 'ldap_autofs_entry_key', + 'ldap_autofs_entry_value', + 'ldap_netgroup_search_base', + 'ldap_user_search_base', + 'ldap_group_search_base', + 'ldap_sudo_search_base', + 'ldap_autofs_search_base', + 'ldap_idmap_range_min', + 'ldap_idmap_range_max', + 'ldap_idmap_range_size', + 'ldap_idmap_default_domain_sid', + 'ldap_idmap_default_domain', + 'ldap_idmap_autorid_compat', + ] + + # Add version-specific parameters + if versioncmp(String($sssd_major_version), '2') < 0 { + $version_specific_params = [ + 'ldap_groups_use_matching_rule_in_chain', + 'ldap_initgroups_use_matching_rule_in_chain', + ] + } else { + $version_specific_params = [] + } + + # Create a hash of all parameters for easier access + $param_values = { + 'debug_level' => $debug_level, + 'debug_timestamps' => $debug_timestamps, + 'debug_microseconds' => $debug_microseconds, + 'ldap_search_base' => $ldap_search_base, + 'ldap_schema' => $ldap_schema, + 'ldap_default_bind_dn' => $ldap_default_bind_dn, + 'ldap_default_authtok_type' => $ldap_default_authtok_type, + 'ldap_default_authtok' => $ldap_default_authtok, + 'ldap_user_cert' => $ldap_user_cert, + 'ldap_user_object_class' => $ldap_user_object_class, + 'ldap_user_name' => $ldap_user_name, + 'ldap_user_uid_number' => $ldap_user_uid_number, + 'ldap_user_gid_number' => $ldap_user_gid_number, + 'ldap_user_gecos' => $ldap_user_gecos, + 'ldap_user_home_directory' => $ldap_user_home_directory, + 'ldap_user_shell' => $ldap_user_shell, + 'ldap_user_uuid' => $ldap_user_uuid, + 'ldap_user_objectsid' => 
$ldap_user_objectsid, + 'ldap_user_modify_timestamp' => $ldap_user_modify_timestamp, + 'ldap_user_shadow_last_change' => $ldap_user_shadow_last_change, + 'ldap_user_shadow_min' => $ldap_user_shadow_min, + 'ldap_user_shadow_max' => $ldap_user_shadow_max, + 'ldap_user_shadow_warning' => $ldap_user_shadow_warning, + 'ldap_user_shadow_inactive' => $ldap_user_shadow_inactive, + 'ldap_user_shadow_expire' => $ldap_user_shadow_expire, + 'ldap_user_krb_last_pwd_change' => $ldap_user_krb_last_pwd_change, + 'ldap_user_krb_password_expiration' => $ldap_user_krb_password_expiration, + 'ldap_user_ad_account_expires' => $ldap_user_ad_account_expires, + 'ldap_user_ad_user_account_control' => $ldap_user_ad_user_account_control, + 'ldap_ns_account_lock' => $ldap_ns_account_lock, + 'ldap_user_nds_login_disabled' => $ldap_user_nds_login_disabled, + 'ldap_user_nds_login_expiration_time' => $ldap_user_nds_login_expiration_time, + 'ldap_user_nds_login_allowed_time_map' => $ldap_user_nds_login_allowed_time_map, + 'ldap_user_principal' => $ldap_user_principal, + 'ldap_user_ssh_public_key' => $ldap_user_ssh_public_key, + 'ldap_force_upper_case_realm' => $ldap_force_upper_case_realm, + 'ldap_enumeration_refresh_timeout' => $ldap_enumeration_refresh_timeout, + 'ldap_purge_cache_timeout' => $ldap_purge_cache_timeout, + 'ldap_user_fullname' => $ldap_user_fullname, + 'ldap_user_member_of' => $ldap_user_member_of, + 'ldap_user_authorized_service' => $ldap_user_authorized_service, + 'ldap_user_authorized_host' => $ldap_user_authorized_host, + 'ldap_group_object_class' => $ldap_group_object_class, + 'ldap_group_name' => $ldap_group_name, + 'ldap_group_gid_number' => $ldap_group_gid_number, + 'ldap_group_member' => $ldap_group_member, + 'ldap_group_uuid' => $ldap_group_uuid, + 'ldap_group_objectsid' => $ldap_group_objectsid, + 'ldap_group_modify_timestamp' => $ldap_group_modify_timestamp, + 'ldap_group_type' => $ldap_group_type, + 'ldap_group_nesting_level' => $ldap_group_nesting_level, + 
'ldap_use_tokengroups' => $ldap_use_tokengroups, + 'ldap_netgroup_object_class' => $ldap_netgroup_object_class, + 'ldap_netgroup_name' => $ldap_netgroup_name, + 'ldap_netgroup_member' => $ldap_netgroup_member, + 'ldap_netgroup_triple' => $ldap_netgroup_triple, + 'ldap_netgroup_uuid' => $ldap_netgroup_uuid, + 'ldap_netgroup_modify_timestamp' => $ldap_netgroup_modify_timestamp, + 'ldap_service_name' => $ldap_service_name, + 'ldap_service_port' => $ldap_service_port, + 'ldap_service_proto' => $ldap_service_proto, + 'ldap_service_search_base' => $ldap_service_search_base, + 'ldap_search_timeout' => $ldap_search_timeout, + 'ldap_enumeration_search_timeout' => $ldap_enumeration_search_timeout, + 'ldap_network_timeout' => $ldap_network_timeout, + 'ldap_opt_timeout' => $ldap_opt_timeout, + 'ldap_connection_expire_timeout' => $ldap_connection_expire_timeout, + 'ldap_page_size' => $ldap_page_size, + 'ldap_disable_paging' => $ldap_disable_paging, + 'ldap_disable_range_retrieval' => $ldap_disable_range_retrieval, + 'ldap_sasl_minssf' => $ldap_sasl_minssf, + 'ldap_deref_threshold' => $ldap_deref_threshold, + 'ldap_tls_reqcert' => $ldap_tls_reqcert, + 'ldap_tls_cacert' => $ldap_tls_cacert, + 'ldap_tls_cacertdir' => $_ldap_tls_cacertdir, + 'ldap_tls_cert' => $_ldap_tls_cert, + 'ldap_tls_key' => $_ldap_tls_key, + 'ldap_id_use_start_tls' => $ldap_id_use_start_tls, + 'ldap_id_mapping' => $ldap_id_mapping, + 'ldap_min_id' => $ldap_min_id, + 'ldap_max_id' => $ldap_max_id, + 'ldap_sasl_mech' => $ldap_sasl_mech, + 'ldap_sasl_authid' => $ldap_sasl_authid, + 'ldap_sasl_realm' => $ldap_sasl_realm, + 'ldap_sasl_canonicalize' => $ldap_sasl_canonicalize, + 'ldap_krb5_keytab' => $ldap_krb5_keytab, + 'ldap_krb5_init_creds' => $ldap_krb5_init_creds, + 'ldap_krb5_ticket_lifetime' => $ldap_krb5_ticket_lifetime, + 'krb5_realm' => $krb5_realm, + 'krb5_canonicalize' => $krb5_canonicalize, + 'krb5_use_kdcinfo' => $krb5_use_kdcinfo, + 'ldap_pwd_policy' => $ldap_pwd_policy, + 'ldap_referrals' => 
$ldap_referrals, + 'ldap_dns_service_name' => $ldap_dns_service_name, + 'ldap_chpass_dns_service_name' => $ldap_chpass_dns_service_name, + 'ldap_chpass_update_last_change' => $ldap_chpass_update_last_change, + 'ldap_access_filter' => $ldap_access_filter, + 'ldap_pwdlockout_dn' => $ldap_pwdlockout_dn, + 'ldap_deref' => $ldap_deref, + 'ldap_sudorule_object_class' => $ldap_sudorule_object_class, + 'ldap_sudorule_name' => $ldap_sudorule_name, + 'ldap_sudorule_command' => $ldap_sudorule_command, + 'ldap_sudorule_host' => $ldap_sudorule_host, + 'ldap_sudorule_user' => $ldap_sudorule_user, + 'ldap_sudorule_option' => $ldap_sudorule_option, + 'ldap_sudorule_runasuser' => $ldap_sudorule_runasuser, + 'ldap_sudorule_runasgroup' => $ldap_sudorule_runasgroup, + 'ldap_sudorule_notbefore' => $ldap_sudorule_notbefore, + 'ldap_sudorule_notafter' => $ldap_sudorule_notafter, + 'ldap_sudorule_order' => $ldap_sudorule_order, + 'ldap_sudo_full_refresh_interval' => $ldap_sudo_full_refresh_interval, + 'ldap_sudo_smart_refresh_interval' => $ldap_sudo_smart_refresh_interval, + 'ldap_sudo_use_host_filter' => $ldap_sudo_use_host_filter, + 'ldap_sudo_include_netgroups ' => $ldap_sudo_include_netgroups, + 'ldap_sudo_include_regexp' => $ldap_sudo_include_regexp, + 'ldap_autofs_map_master_name' => $ldap_autofs_map_master_name, + 'ldap_autofs_map_object_class' => $ldap_autofs_map_object_class, + 'ldap_autofs_map_name' => $ldap_autofs_map_name, + 'ldap_autofs_entry_object_class' => $ldap_autofs_entry_object_class, + 'ldap_autofs_entry_key' => $ldap_autofs_entry_key, + 'ldap_autofs_entry_value' => $ldap_autofs_entry_value, + 'ldap_netgroup_search_base' => $ldap_netgroup_search_base, + 'ldap_user_search_base' => $ldap_user_search_base, + 'ldap_group_search_base' => $ldap_group_search_base, + 'ldap_sudo_search_base' => $ldap_sudo_search_base, + 'ldap_autofs_search_base' => $ldap_autofs_search_base, + 'ldap_idmap_range_min' => $ldap_idmap_range_min, + 'ldap_idmap_range_max' => $ldap_idmap_range_max, + 
'ldap_idmap_range_size' => $ldap_idmap_range_size, + 'ldap_idmap_default_domain_sid' => $ldap_idmap_default_domain_sid, + 'ldap_idmap_default_domain' => $ldap_idmap_default_domain, + 'ldap_idmap_autorid_compat' => $ldap_idmap_autorid_compat, + 'ldap_groups_use_matching_rule_in_chain' => $ldap_groups_use_matching_rule_in_chain, + 'ldap_initgroups_use_matching_rule_in_chain' => $ldap_initgroups_use_matching_rule_in_chain, + } + + # Process simple parameters + $simple_config_lines = ($simple_params + $version_specific_params).filter |$param| { + $param_values[$param] != undef + }.map |$param| { + "${param} = ${$param_values[$param]}" + } + + # Handle special case for ldap_account_expire_policy + $account_expire_line = $_ldap_account_expire_policy ? { + undef => [], + default => ["ldap_account_expire_policy = ${_ldap_account_expire_policy}"], + } + + # Process array parameters with custom separators + $array_params = { + 'ldap_uri' => { 'value' => $ldap_uri, 'separator' => ',' }, + 'ldap_backup_uri' => { 'value' => $ldap_backup_uri, 'separator' => ',' }, + 'ldap_chpass_uri' => { 'value' => $ldap_chpass_uri, 'separator' => ',' }, + 'ldap_chpass_backup_uri' => { 'value' => $ldap_chpass_backup_uri, 'separator' => ',' }, + 'ldap_user_extra_attrs' => { 'value' => $ldap_user_extra_attrs, 'separator' => ',' }, + 'ldap_tls_cipher_suite' => { 'value' => $ldap_tls_cipher_suite, 'separator' => ':' }, + 'ldap_access_order' => { 'value' => $ldap_access_order, 'separator' => ',' }, + 'ldap_sudo_hostnames' => { 'value' => $ldap_sudo_hostnames, 'separator' => ' ' }, + 'ldap_sudo_ip' => { 'value' => $ldap_sudo_ip, 'separator' => ' ' }, + 'krb5_server' => { 'value' => $krb5_server, 'separator' => ',' }, + 'krb5_backup_server' => { 'value' => $krb5_backup_server, 'separator' => ',' }, + } + + $array_config_lines = $array_params.filter |$param, $config| { + $config['value'] != undef and !$config['value'].empty + }.map |$param, $config| { + "${param} = 
${Array($config['value']).unique.join($config['separator'])}" + } + + # Combine all configuration lines and sort them + $all_config_lines = ($simple_config_lines + $account_expire_line + $array_config_lines).sort + $content = (['# sssd::provider::ldap'] + $all_config_lines).join("\n") + sssd::config::entry { "puppet_provider_${title}_ldap": - content => template("${module_name}/provider/ldap.erb") + content => epp( + "${module_name}/generic.epp", + { + 'title' => "domain/${title}", + 'content' => $content, + }, + ), } } diff --git a/manifests/service.pp b/manifests/service.pp index e3b4821..7185607 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -10,14 +10,14 @@ # class sssd::service ( Variant[String[1],Boolean] $ensure = sssd::supported_version(), - Boolean $enable = sssd::supported_version() -){ + Boolean $enable = sssd::supported_version(), +) { assert_private() service { 'sssd': ensure => $ensure, enable => $enable, hasrestart => true, - hasstatus => true + hasstatus => true, } } diff --git a/manifests/service/autofs.pp b/manifests/service/autofs.pp index f25b9a2..49c9862 100644 --- a/manifests/service/autofs.pp +++ b/manifests/service/autofs.pp 
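Review bot: The `$simple_params` entry `'ldap_sudo_include_netgroups '` and the matching `$param_values` key carry a trailing space, so the emitted line reads `ldap_sudo_include_netgroups  = value`; drop the space in both places. The SSSD major-version fallback compares `$facts['os']['release']['major'] < '8'` as strings, which is lexicographic (a major of `'10'` sorts below `'8'` and selects version 1), so use `versioncmp($facts['os']['release']['major'], '8') < 0`, and the later `versioncmp(String($sssd_major_version), '2') < 0` can simply be `$sssd_major_version < 2` since the value is already an Integer. `ldap_default_authtok`, the bind credential, is interpolated into `$content` like every other value: if its declaration (above the hunk) is `Sensitive`, `"${...}"` yields the redaction marker instead of the secret, and if it is a plain String the secret sits in the catalog inside `$content` as it did with the ERB template; worth confirming which applies. The define's parameter list and the `$_ldap_account_expire_policy` computation start above the hunk.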
@@ -26,18 +26,49 @@
 Boolean $debug_timestamps = true,
 Boolean $debug_microseconds = false,
 Optional[Integer] $autofs_negative_timeout = undef,
- Optional[Hash] $custom_options = undef
+ Optional[Hash] $custom_options = undef,
 ) {
 if $custom_options {
- $_content = epp("${module_name}/service/custom_options.epp", {
+ $_content = epp(
+ "${module_name}/service/custom_options.epp",
+ {
 'service_name' => 'autofs',
- 'options' => $custom_options
- })
+ 'options' => $custom_options,
+ },
+ )
 }
 else {
- $_content = template("${module_name}/service/autofs.erb")
+ # Build configuration lines in order (matching expected test output)
+ # Debug settings
+ $description_line = $description ? { undef => [], default => ["description = ${description}"] }
+ $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] }
+ $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"]
+ $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"]
+
+ # AutoFS-specific settings
+ $autofs_negative_timeout_line = $autofs_negative_timeout ? { undef => [], default => ["autofs_negative_timeout = ${autofs_negative_timeout}"] }
+
+ # Combine all lines in order
+ $config_lines = (
+ $description_line +
+ $debug_level_line +
+ $debug_timestamps_line +
+ $debug_microseconds_line +
+ $autofs_negative_timeout_line
+ )
+
+ # Join all configuration lines
+ $content = (['# sssd::service::autofs'] + $config_lines).join("\n")
+
+ $_content = epp(
+ "${module_name}/generic.epp",
+ {
+ 'title' => 'autofs',
+ 'content' => $content,
+ },
+ )
 }
 sssd::config::entry { 'puppet_service_autofs':
- content => $_content
+ content => $_content,
 }
 }
diff --git a/manifests/service/ifp.pp b/manifests/service/ifp.pp
index d46d158..fe25232 100644
--- a/manifests/service/ifp.pp
+++ b/manifests/service/ifp.pp
@@ -34,15 +34,50 @@
 Optional[Hash] $custom_options = undef,
 ) {
 if $custom_options {
- $_content = epp("${module_name}/service/custom_options.epp", {
+ $_content = epp(
+ "${module_name}/service/custom_options.epp",
+ {
 'service_name' => 'ifp',
- 'options' => $custom_options
- })
+ 'options' => $custom_options,
+ },
+ )
 }
 else {
- $_content = template("${module_name}/service/ifp.erb")
+ # Build configuration lines in order (matching expected test output)
+ # Debug settings
+ $description_line = $description ? { undef => [], default => ["description = ${description}"] }
+ $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] }
+ $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"]
+ $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"]
+
+ # IFP-specific settings
+ $allowed_uids_line = $allowed_uids ? { undef => [], default => ["allowed_uids = ${allowed_uids.join(', ')}"] }
+ $user_attributes_line = $user_attributes ? { undef => [], default => ["user_attributes = ${user_attributes.join(', ')}"] }
+ $wildcard_limit_line = $wildcard_limit ? { undef => [], default => ["wildcard_limit = ${wildcard_limit}"] }
+
+ # Combine all lines in order
+ $config_lines = (
+ $description_line +
+ $debug_level_line +
+ $debug_timestamps_line +
+ $debug_microseconds_line +
+ $allowed_uids_line +
+ $user_attributes_line +
+ $wildcard_limit_line
+ )
+
+ # Join all configuration lines
+ $content = (['# sssd::service::ifp'] + $config_lines).join("\n")
+
+ $_content = epp(
+ "${module_name}/generic.epp",
+ {
+ 'title' => 'ifp',
+ 'content' => $content,
+ },
+ )
 }
 sssd::config::entry { 'puppet_service_ifp':
- content => $_content
+ content => $_content,
 }
 }
diff --git a/manifests/service/nss.pp b/manifests/service/nss.pp
index b6e997f..110091b 100644
--- a/manifests/service/nss.pp
+++ b/manifests/service/nss.pp
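Review bot: `$allowed_uids_line` and `$user_attributes_line` only test for `undef`, so an empty array produces `allowed_uids = ` and `user_attributes = ` with no value; since `allowed_uids` limits which callers may query the InfoPipe responder, an accidental blank value is worth ruling out, and what sssd does with an empty value is not established here. The empty-array form used elsewhere in this change does it: `$allowed_uids_line = ($allowed_uids and !$allowed_uids.empty) ? { true => ["allowed_uids = ${allowed_uids.join(', ')}"], false => [] }`. pac.pp in this same change tests `$allowed_uids.empty` but joins with `','` where this file uses `', '`; one separator for the same option in both files would be preferable. The class's parameter list starts above the hunk.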
@@ -59,18 +59,92 @@ Optional[Integer] $get_domains_timeout = undef, Optional[Integer] $memcache_timeout = undef, Optional[String] $user_attributes = undef, - Optional[Hash] $custom_options = undef + Optional[Hash] $custom_options = undef, ) { if $custom_options { - $_content = epp("${module_name}/service/custom_options.epp", { + # Use custom options template for backwards compatibility + $_content = epp( + "${module_name}/service/custom_options.epp", + { 'service_name' => 'nss', - 'options' => $custom_options - }) + 'options' => $custom_options, + }, + ) } else { - $_content = template("${module_name}/service/nss.erb") + # Build configuration lines in order (matching expected test output) + # Debug settings + $description_line = $description ? { undef => [], default => ["description = ${description}"] } + $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] } + $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"] + $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"] + + # Connection settings + $reconnection_retries_line = ["reconnection_retries = ${reconnection_retries}"] + $fd_limit_line = $fd_limit ? { undef => [], default => ["fd_limit = ${fd_limit}"] } + $command_line = $command ? { undef => [], default => ["command = ${command}"] } + + # Cache settings + $enum_cache_timeout_line = ["enum_cache_timeout = ${enum_cache_timeout}"] + $entry_cache_nowait_percentage_line = ["entry_cache_nowait_percentage = ${entry_cache_nowait_percentage}"] + $entry_negative_timeout_line = ["entry_negative_timeout = ${entry_negative_timeout}"] + + # Filter settings + $filter_users_line = ["filter_users = ${filter_users}"] + $filter_groups_line = ["filter_groups = ${filter_groups}"] + $filter_users_in_groups_line = ["filter_users_in_groups = ${filter_users_in_groups}"] + + # Home directory settings + $override_homedir_line = $override_homedir ? 
{ undef => [], default => ["override_homedir = ${override_homedir}"] } + $fallback_homedir_line = $fallback_homedir ? { undef => [], default => ["fallback_homedir = ${fallback_homedir}"] } + + # Shell settings + $override_shell_line = $override_shell ? { undef => [], default => ["override_shell = ${override_shell}"] } + $vetoed_shells_line = $vetoed_shells ? { undef => [], default => ["vetoed_shells = ${vetoed_shells}"] } + $default_shell_line = $default_shell ? { undef => [], default => ["default_shell = ${default_shell}"] } + + # Timeout and attribute settings + $get_domains_timeout_line = $get_domains_timeout ? { undef => [], default => ["get_domains_timeout = ${get_domains_timeout}"] } + $memcache_timeout_line = $memcache_timeout ? { undef => [], default => ["memcache_timeout = ${memcache_timeout}"] } + $user_attributes_line = $user_attributes ? { undef => [], default => ["user_attributes = ${user_attributes}"] } + + # Combine all lines in order + $config_lines = ( + $description_line + + $debug_level_line + + $debug_timestamps_line + + $debug_microseconds_line + + $reconnection_retries_line + + $fd_limit_line + + $command_line + + $enum_cache_timeout_line + + $entry_cache_nowait_percentage_line + + $entry_negative_timeout_line + + $filter_users_line + + $filter_groups_line + + $filter_users_in_groups_line + + $override_homedir_line + + $fallback_homedir_line + + $override_shell_line + + $vetoed_shells_line + + $default_shell_line + + $get_domains_timeout_line + + $memcache_timeout_line + + $user_attributes_line + ) + + # Join all configuration lines + $content = (['# sssd::service::nss'] + $config_lines).join("\n") + + $_content = epp( + "${module_name}/generic.epp", + { + 'title' => 'nss', + 'content' => $content, + }, + ) } sssd::config::entry { 'puppet_service_nss': - content => $_content + content => $_content, } } diff --git a/manifests/service/pac.pp b/manifests/service/pac.pp index bcc5364..3f1cb50 100644 --- a/manifests/service/pac.pp 
+++ b/manifests/service/pac.pp
@@ -25,19 +25,49 @@
 Boolean $debug_timestamps = true,
 Boolean $debug_microseconds = false,
 Array[String] $allowed_uids = [],
- Optional[Hash] $custom_options = undef
-
+ Optional[Hash] $custom_options = undef,
 ) {
 if $custom_options {
- $_content = epp("${module_name}/service/custom_options.epp", {
+ $_content = epp(
+ "${module_name}/service/custom_options.epp",
+ {
 'service_name' => 'pac',
- 'options' => $custom_options
- })
+ 'options' => $custom_options,
+ },
+ )
 }
 else {
- $_content = template("${module_name}/service/pac.erb")
+ # Build configuration lines in order (matching expected test output)
+ # Debug settings
+ $description_line = $description ? { undef => [], default => ["description = ${description}"] }
+ $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] }
+ $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"]
+ $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"]
+
+ # PAC-specific settings
+ $allowed_uids_line = $allowed_uids.empty ? { true => [], false => ["allowed_uids = ${allowed_uids.join(',')}"] }
+
+ # Combine all lines in order
+ $config_lines = (
+ $description_line +
+ $debug_level_line +
+ $debug_timestamps_line +
+ $debug_microseconds_line +
+ $allowed_uids_line
+ )
+
+ # Join all configuration lines
+ $content = (['# sssd::service::pac'] + $config_lines).join("\n")
+
+ $_content = epp(
+ "${module_name}/generic.epp",
+ {
+ 'title' => 'pac',
+ 'content' => $content,
+ },
+ )
 }
 sssd::config::entry { 'puppet_service_pac':
- content => $_content
+ content => $_content,
 }
 }
diff --git a/manifests/service/pam.pp b/manifests/service/pam.pp
index 80e5bb2..08df0a9 100644
--- a/manifests/service/pam.pp
+++ b/manifests/service/pam.pp
@@ -50,19 +50,77 @@
 Optional[Integer] $get_domains_timeout = undef,
 Optional[String] $pam_trusted_users = undef,
 Optional[String] $pam_public_domains = undef,
- Optional[Hash] $custom_options = undef
-
+ Optional[Hash] $custom_options = undef,
 ) {
 if $custom_options {
- $_content = epp("${module_name}/service/custom_options.epp", {
+ $_content = epp(
+ "${module_name}/service/custom_options.epp",
+ {
 'service_name' => 'pam',
- 'options' => $custom_options
- })
+ 'options' => $custom_options,
+ },
+ )
 } else {
- $_content = template("${module_name}/service/pam.erb")
+ # Build configuration lines in order (matching expected test output)
+ # Debug settings
+ $description_line = $description ? { undef => [], default => ["description = ${description}"] }
+ $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] }
+ $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"]
+ $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"]
+
+ # Connection settings
+ $reconnection_retries_line = ["reconnection_retries = ${reconnection_retries}"]
+ $command_line = $command ? { undef => [], default => ["command = ${command}"] }
+
+ # Offline settings
+ $offline_credentials_expiration_line = ["offline_credentials_expiration = ${offline_credentials_expiration}"]
+ $offline_failed_login_attempts_line = ["offline_failed_login_attempts = ${offline_failed_login_attempts}"]
+ $offline_failed_login_delay_line = ["offline_failed_login_delay = ${offline_failed_login_delay}"]
+
+ # PAM-specific settings
+ $pam_verbosity_line = ["pam_verbosity = ${pam_verbosity}"]
+ $pam_id_timeout_line = ["pam_id_timeout = ${pam_id_timeout}"]
+ $pam_pwd_expiration_warning_line = ["pam_pwd_expiration_warning = ${pam_pwd_expiration_warning}"]
+ $pam_cert_auth_line = $pam_cert_auth ? { true => ['pam_cert_auth = True'], false => [] }
+
+ # Optional settings
+ $get_domains_timeout_line = $get_domains_timeout ? { undef => [], default => ["get_domains_timeout = ${get_domains_timeout}"] }
+ $pam_trusted_users_line = $pam_trusted_users ? { undef => [], default => ["pam_trusted_users = ${pam_trusted_users}"] }
+ $pam_public_domains_line = $pam_public_domains ? { undef => [], default => ["pam_public_domains = ${pam_public_domains}"] }
+
+ # Combine all lines in order
+ $config_lines = (
+ $description_line +
+ $debug_level_line +
+ $debug_timestamps_line +
+ $debug_microseconds_line +
+ $reconnection_retries_line +
+ $command_line +
+ $offline_credentials_expiration_line +
+ $offline_failed_login_attempts_line +
+ $offline_failed_login_delay_line +
+ $pam_verbosity_line +
+ $pam_id_timeout_line +
+ $pam_pwd_expiration_warning_line +
+ $get_domains_timeout_line +
+ $pam_trusted_users_line +
+ $pam_public_domains_line +
+ $pam_cert_auth_line
+ )
+
+ # Join all configuration lines
+ $content = (['# sssd::service::pam'] + $config_lines).join("\n")
+
+ $_content = epp(
+ "${module_name}/generic.epp",
+ {
+ 'title' => 'pam',
+ 'content' => $content,
+ },
+ )
 }
 sssd::config::entry { 'puppet_service_pam':
- content => $_content
+ content => $_content,
 }
 }
diff --git a/manifests/service/ssh.pp b/manifests/service/ssh.pp
index 0840943..b32ae29 100644
--- a/manifests/service/ssh.pp
+++ b/manifests/service/ssh.pp
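Review bot: `$pam_cert_auth_line` is assigned under `# PAM-specific settings` but is appended as the very last element of `$config_lines`, after the `# Optional settings` group, and nothing says why it breaks the grouping. The deleted pam.erb also emitted `pam_cert_auth = True` last, so I would either move the assignment down beside the `# Optional settings` block or annotate the concatenation, e.g. `+ $pam_cert_auth_line # kept last, as in the retired pam.erb`, so the next person does not "tidy" the order and change the rendered file. The class header and its parameter list begin before this hunk.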
@@ -28,19 +28,51 @@
 Boolean $debug_microseconds = false,
 Boolean $ssh_hash_known_hosts = true,
 Optional[Integer] $ssh_known_hosts_timeout = undef,
- Optional[Hash] $custom_options = undef
-
+ Optional[Hash] $custom_options = undef,
 ) {
 if $custom_options {
- $_content = epp("${module_name}/service/custom_options.epp", {
+ $_content = epp(
+ "${module_name}/service/custom_options.epp",
+ {
 'service_name' => 'ssh',
- 'options' => $custom_options
- })
+ 'options' => $custom_options,
+ },
+ )
 } else {
- $_content = template("${module_name}/service/ssh.erb")
+ # Build configuration lines in order (matching expected test output)
+ # Debug settings
+ $description_line = $description ? { undef => [], default => ["description = ${description}"] }
+ $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] }
+ $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"]
+ $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"]
+
+ # SSH-specific settings
+ $ssh_hash_known_hosts_line = ["ssh_hash_known_hosts = ${ssh_hash_known_hosts}"]
+ $ssh_known_hosts_timeout_line = $ssh_known_hosts_timeout ? { undef => [], default => ["ssh_known_hosts_timeout = ${ssh_known_hosts_timeout}"] }
+
+ # Combine all lines in order
+ $config_lines = (
+ $description_line +
+ $debug_level_line +
+ $debug_timestamps_line +
+ $debug_microseconds_line +
+ $ssh_hash_known_hosts_line +
+ $ssh_known_hosts_timeout_line
+ )
+
+ # Join all configuration lines
+ $content = (['# sssd::service::ssh'] + $config_lines).join("\n")
+
+ $_content = epp(
+ "${module_name}/generic.epp",
+ {
+ 'title' => 'ssh',
+ 'content' => $content,
+ },
+ )
 }
 sssd::config::entry { 'puppet_service_ssh':
- content => $_content
+ content => $_content,
 }
 }
diff --git a/manifests/service/sudo.pp b/manifests/service/sudo.pp
index 3da72fa..5e1d6f6 100644
--- a/manifests/service/sudo.pp
+++ b/manifests/service/sudo.pp
@@ -29,20 +29,52 @@
 Boolean $debug_microseconds = false,
 Boolean $sudo_timed = false,
 Integer[1] $sudo_threshold = 50,
- Optional[Hash] $custom_options = undef
-
+ Optional[Hash] $custom_options = undef,
 ) {
 if $custom_options {
- $_content = epp("${module_name}/service/custom_options.epp", {
+ $_content = epp(
+ "${module_name}/service/custom_options.epp",
+ {
 'service_name' => 'sudo',
- 'options' => $custom_options
- })
+ 'options' => $custom_options,
+ },
+ )
 } else {
- $_content = template("${module_name}/service/sudo.erb")
+ # Build configuration lines in order (matching expected test output)
+ # Debug settings
+ $description_line = $description ? { undef => [], default => ["description = ${description}"] }
+ $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] }
+ $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"]
+ $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"]
+
+ # Sudo-specific settings
+ $sudo_threshold_line = ["sudo_threshold = ${sudo_threshold}"]
+ $sudo_timed_line = ["sudo_timed = ${sudo_timed}"]
+
+ # Combine all lines in order
+ $config_lines = (
+ $description_line +
+ $debug_level_line +
+ $debug_timestamps_line +
+ $debug_microseconds_line +
+ $sudo_threshold_line +
+ $sudo_timed_line
+ )
+
+ # Join all configuration lines
+ $content = (['# sssd::service::sudo'] + $config_lines).join("\n")
+
+ $_content = epp(
+ "${module_name}/generic.epp",
+ {
+ 'title' => 'sudo',
+ 'content' => $content,
+ },
+ )
 }
 sssd::config::entry { 'puppet_service_sudo':
- content => $_content
+ content => $_content,
 }
 $_override_content = @(END)
@@ -58,15 +90,15 @@
 systemd::dropin_file { '00_sssd_sudo_user_group.conf':
 unit => 'sssd-sudo.service',
 content => $_override_content,
- selinux_ignore_defaults => true
+ selinux_ignore_defaults => true,
 }
 service { 'sssd-sudo.socket':
 enable => true,
 require => [
 Sssd::Config::Entry['puppet_service_sudo'],
- Systemd::Dropin_file['00_sssd_sudo_user_group.conf']
+ Systemd::Dropin_file['00_sssd_sudo_user_group.conf'],
 ],
- notify => Class["${module_name}::service"]
+ notify => Class["${module_name}::service"],
 }
 }
diff --git a/metadata.json b/metadata.json
index ce4b74b..015ad55 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "simp-sssd",
- "version": "7.13.1",
+ "version": "8.0.0",
 "author": "SIMP Team",
 "summary": "Manages SSSD",
 "license": "Apache-2.0",
diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb
index 19782c5..f1ca511 100644
--- a/spec/classes/config_spec.rb
+++ b/spec/classes/config_spec.rb
@@ -1,8 +1,8 @@
 require 'spec_helper'
 default_content = <<~EOM
- # sssd::config
 [sssd]
+ # sssd::config
 services = nss,pam,ssh
 config_file_version = 2
 reconnection_retries = 3
@@ -12,8 +12,8 @@
 EOM
 default_content_with_domains = <<~EOM
- # sssd::config
 [sssd]
+ # sssd::config
 services = nss,pam,ssh
 domains = FILE, LDAP
 config_file_version = 2
@@ -25,8 +25,8 @@
 default_content_with_ipa_domain = default_content_with_domains.gsub('FILE, LDAP', 'FILE, LDAP, ipa.example.com')
 default_content_plus_optional = <<~EOM
- # sssd::config
 [sssd]
+ # sssd::config
 services = nss,pam,ssh
 description = sssd section description
 domains = FILE, LDAP
diff --git a/spec/classes/service/ifp_spec.rb b/spec/classes/service/ifp_spec.rb
index 974a935..8b2c41f 100644
--- a/spec/classes/service/ifp_spec.rb
+++ b/spec/classes/service/ifp_spec.rb
@@ -8,8 +8,8 @@
 context 'with default params' do
 expected = <<~EXPECTED
- # sssd::service::ifp
 [ifp]
+ # sssd::service::ifp
 debug_timestamps = true
 debug_microseconds = false
 EXPECTED
@@ -29,8 +29,8 @@ end expected = <<~EXPECTED - # sssd::service::ifp [ifp] + # sssd::service::ifp debug_timestamps = true debug_microseconds = false allowed_uids = me, you diff --git a/templates/domain.erb b/templates/domain.erb deleted file mode 100644 index 7ddb181..0000000 --- a/templates/domain.erb +++ /dev/null 
@@ -1,114 +0,0 @@ - -# sssd::domain <%= @name %> -[domain/<%= @name %>] -<% if @debug_level -%> -debug_level = <%= @debug_level %> -<% end -%> -debug_timestamps = <%= @debug_timestamps.to_s %> -debug_microseconds = <%= @debug_microseconds.to_s %> -<% if @description -%> -description = <%= @description %> -<% end -%> -min_id = <%= @min_id.to_s %> -max_id = <%= @max_id.to_s %> -enumerate = <%= @enumerate.to_s %> -<% if @subdomain_enumerate -%> -subdomain_enumerate = <%= @subdomain_enumerate %> -<% end -%> -<% if @force_timeout -%> -force_timeout = <%= @force_timeout.to_s %> -<% end -%> -<% if @entry_cache_timeout -%> -entry_cache_timeout = <%= @entry_cache_timeout.to_s %> -<% end -%> -<% if @entry_cache_user_timeout -%> -entry_cache_user_timeout = <%= @entry_cache_user_timeout.to_s %> -<% end -%> -<% if @entry_cache_group_timeout -%> -entry_cache_group_timeout = <%= @entry_cache_group_timeout.to_s %> -<% end -%> -<% if @entry_cache_netgroup_timeout -%> -entry_cache_netgroup_timeout = <%= @entry_cache_netgroup_timeout.to_s %> -<% end -%> -<% if @entry_cache_service_timeout -%> -entry_cache_service_timeout = <%= @entry_cache_service_timeout.to_s %> -<% end -%> -<% if @entry_cache_sudo_timeout -%> -entry_cache_sudo_timeout = <%= @entry_cache_sudo_timeout.to_s %> -<% end -%> -<% if @entry_cache_autofs_timeout -%> -entry_cache_autofs_timeout = <%= @entry_cache_autofs_timeout.to_s %> -<% end -%> -<% if @entry_cache_ssh_host_timeout -%> -entry_cache_ssh_host_timeout = <%= @entry_cache_ssh_host_timeout.to_s %> -<% end -%> -<% if @refresh_expired_interval -%> -refresh_expired_interval = <%= @refresh_expired_interval.to_s %> -<% end -%> -cache_credentials = <%= @cache_credentials.to_s %> -account_cache_expiration = <%= @account_cache_expiration.to_s %> -<% if @pwd_expiration_warning -%> -pwd_expiration_warning = <%= @pwd_expiration_warning.to_s %> -<% end -%> -use_fully_qualified_names = <%= @use_fully_qualified_names.to_s %> -ignore_group_members = <%= 
@ignore_group_members.to_s %> -id_provider = <%= @id_provider %> -<% if @auth_provider -%> -auth_provider = <%= @auth_provider %> -<% end -%> -<% if @access_provider -%> -access_provider = <%= @access_provider %> -<% end -%> -<% if @chpass_provider -%> -chpass_provider = <%= @chpass_provider %> -<% end -%> -<% if @sudo_provider -%> -sudo_provider = <%= @sudo_provider %> -<% end -%> -<% if @selinux_provider -%> -selinux_provider = <%= @selinux_provider %> -<% end -%> -<% if @subdomains_provider -%> -subdomains_provider = <%= @subdomains_provider %> -<% end -%> -<% if @autofs_provider -%> -autofs_provider = <%= @autofs_provider %> -<% end -%> -<% if @hostid_provider -%> -hostid_provider = <%= @hostid_provider %> -<% end -%> -<% if @re_expression -%> -re_expression = <%= @re_expression %> -<% end -%> -<% if @full_name_format -%> -full_name_format = <%= @full_name_format %> -<% end -%> -<% if @lookup_family_order -%> -lookup_family_order = <%= @lookup_family_order %> -<% end -%> -dns_resolver_timeout = <%= @dns_resolver_timeout.to_s %> -<% if @dns_discovery_domain %> -dns_discovery_domain = <%= @dns_discovery_domain %> -<% end -%> -<% if @override_gid -%> -override_gid = <%= @override_gid %> -<% end -%> -case_sensitive = <%= @case_sensitive.to_s %> -proxy_fast_alias = <%= @proxy_fast_alias.to_s %> -<% if @realmd_tags -%> -realmd_tags = <%= @realmd_tags %> -<% end -%> -<% if @ldap_user_search_filter -%> -ldap_user_search_filter = <%= @ldap_user_search_filter %> -<% end -%> -<% if @proxy_pam_target %> -proxy_pam_target = <%= @proxy_pam_target %> -<% end -%> -<% if @proxy_lib_name %> -proxy_lib_name = <%= @proxy_lib_name %> -<% end -%> -<% if @custom_options -%> -<% @custom_options.each do |opt,value| -%> -<%= opt %> = <%= value %> -<% end -%> -<% end -%> diff --git a/templates/generic.epp b/templates/generic.epp new file mode 100644 index 0000000..98d50de --- /dev/null +++ b/templates/generic.epp 
@@ -0,0 +1,6 @@
+<%- |
+ String[1] $title,
+ String[1] $content,
+| -%>
+[<%= $title %>]
+<%= $content %>
diff --git a/templates/provider/ad.erb b/templates/provider/ad.erb
deleted file mode 100644
index 2698861..0000000
--- a/templates/provider/ad.erb
+++ /dev/null
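Review bot: The new template has no comment stating its contract: `$title` is written straight into the `[...]` section header and `$content` is expected to arrive as already newline-joined `key = value` lines, neither of which a reader can tell from the parameter list alone. I would add a header comment such as `<%# Renders one sssd.conf section: a [title] header followed by $content, which callers pass as pre-joined "key = value" lines. %>`. Every caller in this change passes a literal section name ('nss', 'pac', 'pam', 'ssh', 'sudo'), so narrowing `$title` to a pattern that rejects `]` and newlines would cost nothing and guarantees a malformed header can never reach sssd.conf.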
@@ -1,158 +0,0 @@ -[domain/<%= @title %>] -# sssd::provider::ad -<% if @ad_domain -%> -ad_domain = <%= @ad_domain %> -<% end -%> -<% if @ad_enabled_domains -%> -ad_enabled_domains = <%= @ad_enabled_domains.join(', ') %> -<% end -%> -<% if @ad_servers -%> -ad_server = <%= @ad_servers.join(', ') %> -<% if @ad_backup_servers -%> -ad_backup_server = <%= @ad_backup_servers.join(', ') %> -<% end -%> -<% end -%> -<% if @ad_hostname -%> -ad_hostname = <%= @ad_hostname %> -<% end -%> -<% unless @ad_enable_dns_sites.nil? -%> -ad_enable_dns_sites = <%= @ad_enable_dns_sites %> -<% end -%> -<% if @ad_access_filters -%> -ad_access_filter = <%= @ad_access_filters.join('?') %> -<% end -%> -<% if @ad_site -%> -ad_site = <%= @ad_site %> -<% end -%> -<% unless @ad_enable_gc.nil? -%> -ad_enable_gc = <%= @ad_enable_gc %> -<% end -%> -<% if @ad_gpo_access_control -%> -ad_gpo_access_control = <%= @ad_gpo_access_control %> -<% end -%> -<% if @ad_gpo_cache_timeout -%> -ad_gpo_cache_timeout = <%= @ad_gpo_cache_timeout %> -<% end -%> -<% if @ad_gpo_map_interactive -%> -ad_gpo_map_interactive = <%= @ad_gpo_map_interactive.join(', ') %> -<% end -%> -<% if @ad_gpo_map_remote_interactive -%> -ad_gpo_map_remote_interactive = <%= @ad_gpo_map_remote_interactive.join(', ') %> -<% end -%> -<% if @ad_gpo_map_network -%> -ad_gpo_map_network = <%= @ad_gpo_map_network.join(', ') %> -<% end -%> -<% if @ad_gpo_map_batch -%> -ad_gpo_map_batch = <%= @ad_gpo_map_batch.join(', ') %> -<% end -%> -<% if @ad_gpo_map_service -%> -ad_gpo_map_service = <%= @ad_gpo_map_service.join(', ') %> -<% end -%> -<% if @ad_gpo_map_permit -%> -ad_gpo_map_permit = <%= @ad_gpo_map_permit.join(', ') %> -<% end -%> -<% if @ad_gpo_map_deny -%> -ad_gpo_map_deny = <%= @ad_gpo_map_deny.join(', ') %> -<% end -%> -<% if @ad_gpo_default_right -%> -ad_gpo_default_right = <%= @ad_gpo_default_right %> -<% end -%> -<% unless @ad_gpo_implicit_deny.nil? 
-%> -ad_gpo_implicit_deny = <%= @ad_gpo_implicit_deny %> -<% end -%> -<% unless @ad_gpo_ignore_unreadable.nil? -%> -ad_gpo_ignore_unreadable = <%= @ad_gpo_ignore_unreadable %> -<% end -%> -<% if @ad_maximum_machine_account_password_age -%> -ad_maximum_machine_account_password_age = <%= @ad_maximum_machine_account_password_age %> -<% end -%> -<% if @ad_machine_account_password_renewal_opts -%> -ad_machine_account_password_renewal_opts = <%= @ad_machine_account_password_renewal_opts %> -<% end -%> -<% if @default_shell -%> -default_shell = <%= @default_shell %> -<% end -%> -<% unless @dyndns_update.nil? -%> -dyndns_update = <%= @dyndns_update %> -<% end -%> -<% if @dyndns_update -%> -<% if @dyndns_ttl -%> -dyndns_ttl = <%= @dyndns_ttl %> -<% end -%> -<% if @dyndns_ifaces -%> -dyndns_iface = <%= @dyndns_ifaces.join(', ') %> -<% end -%> -<% if @dyndns_refresh_interval -%> -dyndns_refresh_interval = <%= @dyndns_refresh_interval %> -<% end -%> -<% unless @dyndns_update_ptr.nil? -%> -dyndns_update_ptr = <%= @dyndns_update_ptr %> -<% end -%> -<% unless @dyndns_force_tcp.nil? -%> -dyndns_force_tcp = <%= @dyndns_force_tcp %> -<% end -%> -<% if @dyndns_server -%> -dyndns_server = <%= @dyndns_server %> -<% end -%> -<% end -%> -<% if @override_homedir -%> -override_homedir = <%= @override_homedir %> -<% end -%> -<% if @homedir_substring -%> -homedir_substring = <%= @homedir_substring %> -<% end -%> -<% if @fallback_homedir -%> -fallback_homedir = <%= @fallback_homedir %> -<% end -%> -<% if @krb5_realm -%> -krb5_realm = <%= @krb5_realm %> -<% end -%> -<% if @krb5_confd_path -%> -krb5_confd_path = <%= @krb5_confd_path %> -<% end -%> -<% unless @krb5_use_enterprise_principal.nil? -%> -krb5_use_enterprise_principal = <%= @krb5_use_enterprise_principal %> -<% end -%> -<% unless @krb5_store_password_if_offline.nil? 
-%> -krb5_store_password_if_offline = <%= @krb5_store_password_if_offline.to_s %> -<% end -%> -ldap_id_mapping = <%= @ldap_id_mapping %> -<% if @ldap_id_mapping -%> -<% if @ldap_schema -%> -ldap_schema = <%= @ldap_schema %> -<% end -%> -<% if @ldap_idmap_range_min -%> -ldap_idmap_range_min = <%= @ldap_idmap_range_min %> -<% end -%> -<% if @ldap_idmap_range_max -%> -ldap_idmap_range_max = <%= @ldap_idmap_range_max %> -<% end -%> -<% if @ldap_idmap_range_size -%> -ldap_idmap_range_size = <%= @ldap_idmap_range_size %> -<% end -%> -<% if @ldap_idmap_default_domain_sid -%> -ldap_idmap_default_domain_sid = <%= @ldap_idmap_default_domain_sid %> -<% end -%> -<% if @ldap_idmap_default_domain -%> -ldap_idmap_default_domain = <%= @ldap_idmap_default_domain %> -<% end -%> -<% unless @ldap_idmap_autorid_compat.nil? -%> -ldap_idmap_autorid_compat = <%= @ldap_idmap_autorid_compat %> -<% end -%> -<% if @ldap_idmap_helper_table_size -%> -ldap_idmap_helper_table_size = <%= @ldap_idmap_helper_table_size %> -<% end -%> -<% end -%> -ldap_use_tokengroups = <%= @ldap_use_tokengroups %> -<% if @ldap_group_objectsid -%> -ldap_group_objectsid = <%= @ldap_group_objectsid %> -<% end -%> -<% if @ldap_user_objectsid -%> -ldap_user_objectsid = <%= @ldap_user_objectsid %> -<% end -%> -<% if @ldap_user_extra_attrs -%> -ldap_user_extra_attrs = <%= @ldap_user_extra_attrs %> -<% end -%> -<% if @ldap_user_ssh_public_key -%> -ldap_user_ssh_public_key = <%= @ldap_user_ssh_public_key %> -<% end -%> diff --git a/templates/provider/files.erb b/templates/provider/files.erb deleted file mode 100644 index d40255b..0000000 --- a/templates/provider/files.erb +++ /dev/null @@ -1,8 +0,0 @@ -[domain/<%= @title %>] -# sssd::provider::files -<% if @passwd_files and ! @passwd_files.empty? -%> -passwd_files = <%= @passwd_files.join(', ') %> -<% end -%> -<% if @group_files and ! @group_files.empty? -%> -group_files = <%= @group_files.join(', ') %> -<% end -%> 
diff --git a/templates/provider/ipa.erb b/templates/provider/ipa.erb deleted file mode 100644 index 7142c01..0000000 --- a/templates/provider/ipa.erb +++ /dev/null 
@@ -1,66 +0,0 @@ -[domain/<%= @title %>] -# sssd::provider::ipa -ipa_domain = <%= @ipa_domain %> -ipa_server = <%= @_ipa_server.join(',') %> -<% unless @ipa_backup_server.nil? -%> -ipa_backup_server = <%= @ipa_backup_server.join(',') %> -<% end -%> -ipa_enable_dns_sites = <%= @ipa_enable_dns_sites %> -ipa_hostname = <%= @ipa_hostname %> -ipa_server_mode = <%= @ipa_server_mode %> -dyndns_auth = <%= @dyndns_auth %> -<% unless @dyndns_force_tcp.nil? -%> -dyndns_force_tcp = <%= @dyndns_force_tcp %> -<% end -%> -<% unless @dyndns_iface.nil? -%> -dyndns_iface = <%= @dyndns_iface.join(',') %> -<% end -%> -<% unless @dyndns_refresh_interval.nil? -%> -dyndns_refresh_interval = <%= @dyndns_refresh_interval %> -<% end -%> -<% unless @dyndns_server.nil? -%> -dyndns_server = <%= @dyndns_server %> -<% end -%> -<% unless @dyndns_ttl.nil? -%> -dyndns_ttl = <%= @dyndns_ttl %> -<% end -%> -dyndns_update = <%= @dyndns_update %> -<% unless @dyndns_update_ptr.nil? -%> -dyndns_update_ptr = <%= @dyndns_update_ptr %> -<% end -%> -<% unless @ipa_automount_location.nil? -%> -ipa_automount_location = <%= @ipa_automount_location %> -<% end -%> -<% unless @ipa_hbac_refresh.nil? -%> -ipa_hbac_refresh = <%= @ipa_hbac_refresh %> -<% end -%> -<% unless @ipa_hbac_search_base.nil? -%> -ipa_hbac_search_base = <%= @ipa_hbac_search_base %> -<% end -%> -<% unless @ipa_hbac_selinux.nil? -%> -ipa_hbac_selinux = <%= @ipa_hbac_selinux %> -<% end -%> -<% unless @ipa_host_search_base.nil? -%> -ipa_host_search_base = <%= @ipa_host_search_base %> -<% end -%> -<% unless @ipa_master_domains_search_base.nil? -%> -ipa_master_domains_search_base = <%= @ipa_master_domains_search_base %> -<% end -%> -<% unless @ipa_selinux_search_base.nil? -%> -ipa_selinux_search_base = <%= @ipa_selinux_search_base %> -<% end -%> -<% unless @ipa_subdomains_search_base.nil? -%> -ipa_subdomains_search_base = <%= @ipa_subdomains_search_base %> -<% end -%> -<% unless @ipa_views_search_base.nil? 
-%> -ipa_views_search_base = <%= @ipa_views_search_base %> -<% end -%> -<% unless @krb5_confd_path.nil? -%> -krb5_confd_path = <%= @krb5_confd_path %> -<% end -%> -<% unless @krb5_realm.nil? -%> -krb5_realm = <%= @krb5_realm %> -<% end -%> -krb5_store_password_if_offline = <%= @krb5_store_password_if_offline %> -ldap_tls_cacert = <%= @ldap_tls_cacert %> -ldap_tls_cipher_suite = <%= @ldap_tls_cipher_suite.join(':') %> diff --git a/templates/provider/krb5.epp b/templates/provider/krb5.epp deleted file mode 100644 index 141422e..0000000 --- a/templates/provider/krb5.epp +++ /dev/null 
@@ -1,55 +0,0 @@ -<%- | - String $domain, - Optional[Simplib::Host] $krb5_server = undef, - String $krb5_realm, - Optional[Sssd::DebugLevel] $debug_level = undef, - Boolean $debug_timestamps = true, - Boolean $debug_microseconds = false, - Optional[String] $krb5_kpasswd = undef, - Optional[Stdlib::Absolutepath] $krb5_ccachedir = undef, - Optional[Stdlib::Absolutepath] $krb5_ccname_template = undef, - Integer $krb5_auth_timeout = 15, - Boolean $krb5_validate = false, - Optional[Stdlib::Absolutepath] $krb5_keytab = undef, - Boolean $krb5_store_password_if_offline = false, - Optional[String] $krb5_renewable_lifetime = undef, - Optional[String] $krb5_lifetime = undef, - Integer $krb5_renew_interval = 0, - Optional[Enum['never','try','demand']] $krb5_use_fast = undef -| -%> -[domain/<%= $domain %>] -# sssd::provider::krb5 -<% if $debug_level { -%> -debug_level = <%= $debug_level %> -<% } -%> -debug_timestamps = <%= $debug_timestamps %> -debug_microseconds = <%= $debug_microseconds %> -<% if $krb5_server { -%> -krb5_server = <%= $krb5_server %> -<% } -%> -krb5_realm = <%= $krb5_realm %> -<% if $krb5_kpasswd { -%> -krb5_kpasswd = <%= $krb5_kpasswd %> -<% } -%> -<% if $krb5_ccachedir { -%> -krb5_ccachedir = <%= $krb5_ccachedir %> -<% } -%> -<% if $krb5_ccname_template { -%> -krb5_ccname_template = <%= $krb5_ccname_template %> -<% } -%> -krb5_auth_timeout = <%= $krb5_auth_timeout %> -krb5_validate = <%= $krb5_validate %> -<% if $krb5_keytab { -%> -krb5_keytab = <%= $krb5_keytab %> -<% } -%> -krb5_store_password_if_offline = <%= $krb5_store_password_if_offline %> -<% if $krb5_renewable_lifetime { -%> -krb5_renewable_lifetime = <%= $krb5_renewable_lifetime %> -<% } -%> -<% if $krb5_lifetime { -%> -krb5_lifetime = <%= $krb5_lifetime %> -<% } -%> -krb5_renew_interval = <%= $krb5_renew_interval %> -<% if $krb5_use_fast { -%> -krb5_use_fast = <%= $krb5_use_fast %> -<% } -%> 
diff --git a/templates/provider/ldap.erb b/templates/provider/ldap.erb deleted file mode 100644 index aa95bd6..0000000 --- a/templates/provider/ldap.erb +++ /dev/null 
@@ -1,200 +0,0 @@ -[domain/<%= @title %>] -# sssd::provider::ldap -<% -# Simply too many options to make it more confusing than this... - _string_params = [ - 'debug_level', - 'debug_timestamps', - 'debug_microseconds', - 'ldap_search_base', - 'ldap_schema', - 'ldap_default_bind_dn', - 'ldap_default_authtok_type', - 'ldap_default_authtok', - 'ldap_user_cert', - 'ldap_user_object_class', - 'ldap_user_name', - 'ldap_user_uid_number', - 'ldap_user_gid_number', - 'ldap_user_gecos', - 'ldap_user_home_directory', - 'ldap_user_shell', - 'ldap_user_uuid', - 'ldap_user_objectsid', - 'ldap_user_modify_timestamp', - 'ldap_user_shadow_last_change', - 'ldap_user_shadow_min', - 'ldap_user_shadow_max', - 'ldap_user_shadow_warning', - 'ldap_user_shadow_inactive', - 'ldap_user_shadow_expire', - 'ldap_user_krb_last_pwd_change', - 'ldap_user_krb_password_expiration', - 'ldap_user_ad_account_expires', - 'ldap_user_ad_user_account_control', - 'ldap_ns_account_lock', - 'ldap_user_nds_login_disabled', - 'ldap_user_nds_login_expiration_time', - 'ldap_user_nds_login_allowed_time_map', - 'ldap_user_principal', - 'ldap_user_ssh_public_key', - 'ldap_force_upper_case_realm', - 'ldap_enumeration_refresh_timeout', - 'ldap_purge_cache_timeout', - 'ldap_user_fullname', - 'ldap_user_member_of', - 'ldap_user_authorized_service', - 'ldap_user_authorized_host', - 'ldap_group_object_class', - 'ldap_group_name', - 'ldap_group_gid_number', - 'ldap_group_member', - 'ldap_group_uuid', - 'ldap_group_objectsid', - 'ldap_group_modify_timestamp', - 'ldap_group_type', - 'ldap_group_nesting_level', - 'ldap_use_tokengroups', - 'ldap_netgroup_object_class', - 'ldap_netgroup_name', - 'ldap_netgroup_member', - 'ldap_netgroup_triple', - 'ldap_netgroup_uuid', - 'ldap_netgroup_modify_timestamp', - 'ldap_service_name', - 'ldap_service_port', - 'ldap_service_proto', - 'ldap_service_search_base', - 'ldap_search_timeout', - 'ldap_enumeration_search_timeout', - 'ldap_network_timeout', - 'ldap_opt_timeout', - 
'ldap_connection_expire_timeout', - 'ldap_page_size', - 'ldap_disable_paging', - 'ldap_disable_range_retrieval', - 'ldap_sasl_minssf', - 'ldap_deref_threshold', - 'ldap_tls_reqcert', - 'ldap_tls_cacert', - 'ldap_tls_cacertdir', - 'ldap_tls_cert', - 'ldap_tls_key', - 'ldap_id_use_start_tls', - 'ldap_id_mapping', - 'ldap_min_id', - 'ldap_max_id', - 'ldap_sasl_mech', - 'ldap_sasl_authid', - 'ldap_sasl_realm', - 'ldap_sasl_canonicalize', - 'ldap_krb5_keytab', - 'ldap_krb5_init_creds', - 'ldap_krb5_ticket_lifetime', - 'krb5_realm', - 'krb5_canonicalize', - 'krb5_use_kdcinfo', - 'ldap_pwd_policy', - 'ldap_referrals', - 'ldap_dns_service_name', - 'ldap_chpass_dns_service_name', - 'ldap_chpass_update_last_change', - 'ldap_access_filter', - '_ldap_account_expire_policy', - 'ldap_pwdlockout_dn', - 'ldap_deref', - 'ldap_sudorule_object_class', - 'ldap_sudorule_name', - 'ldap_sudorule_command', - 'ldap_sudorule_host', - 'ldap_sudorule_user', - 'ldap_sudorule_option', - 'ldap_sudorule_runasuser', - 'ldap_sudorule_runasgroup', - 'ldap_sudorule_notbefore', - 'ldap_sudorule_notafter', - 'ldap_sudorule_order', - 'ldap_sudo_full_refresh_interval', - 'ldap_sudo_smart_refresh_interval', - 'ldap_sudo_use_host_filter', - 'ldap_sudo_include_netgroups ', - 'ldap_sudo_include_regexp', - 'ldap_autofs_map_master_name', - 'ldap_autofs_map_object_class', - 'ldap_autofs_map_name', - 'ldap_autofs_entry_object_class', - 'ldap_autofs_entry_key', - 'ldap_autofs_entry_value', - 'ldap_netgroup_search_base', - 'ldap_user_search_base', - 'ldap_group_search_base', - 'ldap_sudo_search_base', - 'ldap_autofs_search_base', - 'ldap_idmap_range_min', - 'ldap_idmap_range_max', - 'ldap_idmap_range_size', - 'ldap_idmap_default_domain_sid', - 'ldap_idmap_default_domain', - 'ldap_idmap_autorid_compat' - ] - - #options only available in sssd v1 (the version used prior to el8) - _string_params_v1 = [ - 'ldap_groups_use_matching_rule_in_chain', - 'ldap_initgroups_use_matching_rule_in_chain', - ] - - _array_params = { 
- 'ldap_uri' => ',', - 'ldap_backup_uri' => ',', - 'ldap_chpass_uri' => ',', - 'ldap_chpass_backup_uri' => ',', - 'ldap_user_extra_attrs' => ',', - 'ldap_tls_cipher_suite' => ':', - 'ldap_access_order' => ',', - 'ldap_sudo_hostnames' => ' ', - 'ldap_sudo_ip' => ' ', - 'krb5_server' => ',', - 'krb5_backup_server' => ',' - } - - if @facts['sssd_version'].nil? - if @facts['os']['release']['major'] < '8' - _sssd_major_version = 1 - else - _sssd_major_version = 2 - end - else - _sssd_major_version = @facts['sssd_version'].split('.').first.to_i - end - - _output = [] - _string_params.each do |param| - value = eval(%(@#{param})) - - # Make sure to distinguish between nil and false, as we may need to - # set a parameter to false in this config! - unless value.nil? - _output << %(#{param.sub(/^_/,'')} = #{value.to_s}) - end - end - - # if os < el8 add in params used in sssd V1 only - if _sssd_major_version < 2 - _string_params_v1.each do |param| - value = eval(%(@#{param})) - unless value.nil? - _output << %(#{param.sub(/^_/,'')} = #{value.to_s}) - end - end - end - - _array_params.keys.each do |param| - value = eval(%(@#{param})) - - if value && !value.empty? - _output << %(#{param.sub(/^_/,'')} = #{Array(value).uniq.join(_array_params[param])}) - end - end --%> -<%= _output.sort.join("\n") %> diff --git a/templates/service/autofs.erb b/templates/service/autofs.erb deleted file mode 100644 index e3729bc..0000000 --- a/templates/service/autofs.erb +++ /dev/null @@ -1,14 +0,0 @@ - -# sssd::service::autofs -[autofs] -<% if @description -%> -description = <%= @description %> -<% end -%> -<% if @debug_level -%> -debug_level = <%= @debug_level.to_s %> -<% end -%> -debug_timestamps = <%= @debug_timestamps.to_s %> -debug_microseconds = <%= @debug_microseconds.to_s %> -<% if @autofs_negative_timeout -%> -autofs_negative_timeout = <%= @autofs_negative_timeout.to_s %> -<% end -%> 
diff --git a/templates/service/ifp.erb b/templates/service/ifp.erb deleted file mode 100644 index e3ee5e6..0000000 --- a/templates/service/ifp.erb +++ /dev/null @@ -1,19 +0,0 @@ -# sssd::service::ifp -[ifp] -<% if @description -%> -description = <%= @description %> -<% end -%> -<% if @debug_level -%> -debug_level = <%= @debug_level %> -<% end -%> -debug_timestamps = <%= @debug_timestamps.to_s %> -debug_microseconds = <%= @debug_microseconds.to_s %> -<% if @allowed_uids -%> -allowed_uids = <%= @allowed_uids.join(', ') %> -<% end -%> -<% if @user_attributes -%> -user_attributes = <%= @user_attributes.join(', ') %> -<% end -%> -<% if @wildcard_limit -%> -wildcard_limit = <%= @wildcard_limit.to_s %> -<% end -%> diff --git a/templates/service/nss.erb b/templates/service/nss.erb deleted file mode 100644 index 6404cc3..0000000 --- a/templates/service/nss.erb +++ /dev/null 
@@ -1,45 +0,0 @@
-
-# sssd::service::nss
-[nss]
-<% if @description -%>
-description = <%= @description %>
-<% end -%>
-<% if @debug_level -%>
-debug_level = <%= @debug_level %>
-<% end -%>
-debug_timestamps = <%= @debug_timestamps.to_s %>
-debug_microseconds = <%= @debug_microseconds.to_s %>
-reconnection_retries = <%= @reconnection_retries.to_s %>
-<% if @command -%>
-command = <%= @command %>
-<% end -%>
-enum_cache_timeout = <%= @enum_cache_timeout.to_s %>
-entry_cache_nowait_percentage = <%= @entry_cache_nowait_percentage.to_s %>
-entry_negative_timeout = <%= @entry_negative_timeout.to_s %>
-filter_users = <%= @filter_users %>
-filter_groups = <%= @filter_groups %>
-filter_users_in_groups = <%= @filter_users_in_groups.to_s %>
-<% if @override_homedir -%>
-override_homedir = <%= @override_homedir %>
-<% end -%>
-<% if @fallback_homedir -%>
-fallback_homedir = <%= @fallback_homedir %>
-<% end -%>
-<% if @override_shell -%>
-override_shell = <%= @override_shell %>
-<% end -%>
-<% if @vetoed_shells -%>
-vetoed_shells = <%= @vetoed_shells%>
-<% end -%>
-<% if @default_shell -%>
-default_shell = <%= @default_shell %>
-<% end -%>
-<% if @get_domains_timeout -%>
-get_domains_timeout = <%= @get_domains_timeout.to_s %>
-<% end -%>
-<% if @memcache_timeout -%>
-memcache_timeout = <%= @memcache_timeout.to_s %>
-<% end -%>
-<% if @user_attributes -%>
-user_attributes = <%= @user_attributes %>
-<% end -%>
diff --git a/templates/service/pac.erb b/templates/service/pac.erb
deleted file mode 100644
index 74fe9fb..0000000
--- a/templates/service/pac.erb
+++ /dev/null
@@ -1,14 +0,0 @@
-
-# sssd::service::pac
-[pac]
-<% if @description -%>
-description = <%= @description %>
-<% end -%>
-<% if @debug_level -%>
-debug_level = <%= @debug_level %>
-<% end -%>
-debug_timestamps = <%= @debug_timestamps.to_s %>
-debug_microseconds = <%= @debug_microseconds.to_s %>
-<% unless @allowed_uids.empty? -%>
-allowed_uids = <%= Array(@allowed_uids).join(',') %>
-<% end -%>
diff --git a/templates/service/pam.erb b/templates/service/pam.erb
deleted file mode 100644
index d141c2e..0000000
--- a/templates/service/pam.erb
+++ /dev/null
@@ -1,33 +0,0 @@
-
-# sssd::service::pam
-[pam]
-<% if @description -%>
-description = <%= @description %>
-<% end -%>
-<% if @debug_level -%>
-debug_level = <%= @debug_level %>
-<% end -%>
-debug_timestamps = <%= @debug_timestamps.to_s %>
-debug_microseconds = <%= @debug_microseconds.to_s %>
-reconnection_retries = <%= @reconnection_retries.to_s %>
-<% if @command -%>
-command = <%= @command %>
-<% end -%>
-offline_credentials_expiration = <%= @offline_credentials_expiration.to_s %>
-offline_failed_login_attempts = <%= @offline_failed_login_attempts.to_s %>
-offline_failed_login_delay = <%= @offline_failed_login_delay.to_s %>
-pam_verbosity = <%= @pam_verbosity.to_s %>
-pam_id_timeout = <%= @pam_id_timeout.to_s %>
-pam_pwd_expiration_warning = <%= @pam_pwd_expiration_warning.to_s %>
-<% if @get_domains_timeout -%>
-get_domains_timeout = <%= @get_domains_timeout.to_s %>
-<% end -%>
-<% if @pam_trusted_users -%>
-pam_trusted_users = <%= @pam_trusted_users %>
-<% end -%>
-<% if @pam_public_domains -%>
-pam_public_domains = <%= @pam_public_domains %>
-<% end -%>
-<% if @pam_cert_auth -%>
-pam_cert_auth = True
-<% end -%>
diff --git a/templates/service/ssh.erb b/templates/service/ssh.erb
deleted file mode 100644
index 0b6748d..0000000
--- a/templates/service/ssh.erb
+++ /dev/null
@@ -1,15 +0,0 @@
-
-# sssd::service::ssh
-[ssh]
-<% if @description -%>
-description = <%= @description %>
-<% end -%>
-<% if @debug_level -%>
-debug_level = <%= @debug_level %>
-<% end -%>
-debug_timestamps = <%= @debug_timestamps.to_s %>
-debug_microseconds = <%= @debug_microseconds.to_s %>
-ssh_hash_known_hosts = <%= @ssh_hash_known_hosts.to_s %>
-<% if @ssh_known_hosts_timeout -%>
-ssh_known_hosts_timeout = <%= @ssh_known_hosts_timeout.to_s %>
-<% end -%>
diff --git a/templates/service/sudo.erb b/templates/service/sudo.erb
deleted file mode 100644
index f934386..0000000
--- a/templates/service/sudo.erb
+++ /dev/null
@@ -1,12 +0,0 @@
-
-# sssd::service::sudo
-[sudo]
-<% if @description -%>
-description = <%= @description %>
-<% end -%>
-<% if @debug_level -%>
-debug_level = <%= @debug_level %>
-<% end -%>
-debug_timestamps = <%= @debug_timestamps.to_s %>
-debug_microseconds = <%= @debug_microseconds.to_s %>
-sudo_timed = <%= @sudo_timed.to_s %>
diff --git a/templates/sssd.conf.erb b/templates/sssd.conf.erb
deleted file mode 100644
index 52c4200..0000000
--- a/templates/sssd.conf.erb
+++ /dev/null
@@ -1,45 +0,0 @@
-# sssd::config
-[sssd]
-<%
- # sudo has to be started by the socket
- unless Array(@_services).empty?
--%>
-services = <%= (Array(@_services) - ['sudo']).join(',') %>
-<% end -%>
-<% if @_description -%>
-description = <%= @_description %>
-<% end -%>
-<% unless @_domains.empty? -%>
-domains = <%= Array(@_domains).join(', ') %>
-<% end -%>
-config_file_version = <%= @_config_file_version.to_s %>
-reconnection_retries = <%= @_reconnection_retries.to_s %>
-<% if @_re_expression -%>
-re_expression = <%= @_re_expression %>
-<% end -%>
-<% if @_full_name_format -%>
-full_name_format = <%= @_full_name_format %>
-<% end -%>
-<% unless @_try_inotify.nil? -%>
-try_inotify = <%= @_try_inotify.to_s %>
-<% end -%>
-<% if @_krb5_rcache_dir -%>
-krb5_rcache_dir = <%= @_krb5_rcache_dir %>
-<% end -%>
-<% if @_user -%>
-user = <%= @_user %>
-<% end -%>
-<% if @_default_domain_suffix -%>
-default_domain_suffix = <%= @_default_domain_suffix %>
-<% end -%>
-<% if @_override_space-%>
-override_space = <%= @_override_space%>
-<% end -%>
-<% unless @_enable_files_domain.nil? -%>
-enable_files_domain = <%= @_enable_files_domain %>
-<% end -%>
-<% unless @_debug_level.nil? -%>
-debug_level = <%= @_debug_level %>
-<% end -%>
-debug_timestamps = <%= @_debug_timestamps.to_s %>
-debug_microseconds = <%= @_debug_microseconds.to_s %>