From 615489e117de1b09b9bc670173d58bd78aca454a Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 27 Nov 2024 09:57:34 -0600 Subject: [PATCH 01/25] Migrate ERB templates to EPP Fixes #152 --- CHANGELOG | 3 + manifests/domain.pp | 51 +++++++++++++- metadata.json | 2 +- templates/domain.epp | 159 +++++++++++++++++++++++++++++++++++++++++++ templates/domain.erb | 114 ------------------------------- 5 files changed, 212 insertions(+), 117 deletions(-) create mode 100644 templates/domain.epp delete mode 100644 templates/domain.erb diff --git a/CHANGELOG b/CHANGELOG index dc82d37..84bd019 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,6 @@ +* Tue Sep 23 2025 Steven Pritchard - 7.14.0 +- Migrate ERB templates to EPP (#152) + * Wed Jun 11 2025 Chris Tessmer - 7.13.1 - Fix rubocop issues diff --git a/manifests/domain.pp b/manifests/domain.pp index 10e3986..90c04a6 100644 --- a/manifests/domain.pp +++ b/manifests/domain.pp 
@@ -123,8 +123,55 @@ Optional[String] $ldap_user_search_filter = undef, Optional[Hash] $custom_options = undef ) { - sssd::config::entry { "puppet_domain_${name}": - content => template('sssd/domain.erb') + content => epp( + 'sssd/domain.epp', + { + 'id_provider' => $id_provider, + 'debug_level' => $debug_level, + 'debug_timestamps' => $debug_timestamps, + 'debug_microseconds' => $debug_microseconds, + 'description' => $description, + 'min_id' => $min_id, + 'max_id' => $max_id, + 'enumerate' => $enumerate, + 'subdomain_enumerate' => $subdomain_enumerate, + 'force_timeout' => $force_timeout, + 'entry_cache_timeout' => $entry_cache_timeout, + 'entry_cache_user_timeout' => $entry_cache_user_timeout, + 'entry_cache_group_timeout' => $entry_cache_group_timeout, + 'entry_cache_netgroup_timeout' => $entry_cache_netgroup_timeout, + 'entry_cache_service_timeout' => $entry_cache_service_timeout, + 'entry_cache_sudo_timeout' => $entry_cache_sudo_timeout, + 'entry_cache_autofs_timeout' => $entry_cache_autofs_timeout, + 'entry_cache_ssh_host_timeout' => $entry_cache_ssh_host_timeout, + 'refresh_expired_interval' => $refresh_expired_interval, + 'cache_credentials' => $cache_credentials, + 'account_cache_expiration' => $account_cache_expiration, + 'pwd_expiration_warning' => $pwd_expiration_warning, + 'use_fully_qualified_names' => $use_fully_qualified_names, + 'ignore_group_members' => $ignore_group_members, + 'access_provider' => $access_provider, + 'auth_provider' => $auth_provider, + 'chpass_provider' => $chpass_provider, + 'sudo_provider' => $sudo_provider, + 'selinux_provider' => $selinux_provider, + 'subdomains_provider' => $subdomains_provider, + 'autofs_provider' => $autofs_provider, + 'hostid_provider' => $hostid_provider, + 're_expression' => $re_expression, + 'full_name_format' => $full_name_format, + 'lookup_family_order' => $lookup_family_order, + 'dns_resolver_timeout' => $dns_resolver_timeout, + 'dns_discovery_domain' => $dns_discovery_domain, + 'override_gid' => 
$override_gid, + 'case_sensitive' => $case_sensitive, + 'proxy_fast_alias' => $proxy_fast_alias, + 'realmd_tags' => $realmd_tags, + 'proxy_pam_target' => $proxy_pam_target, + 'proxy_lib_name' => $proxy_lib_name, + 'ldap_user_search_filter' => $ldap_user_search_filter, + }, + ) } } diff --git a/metadata.json b/metadata.json index ce4b74b..0fc29c3 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "simp-sssd", - "version": "7.13.1", + "version": "7.14.0", "author": "SIMP Team", "summary": "Manages SSSD", "license": "Apache-2.0", diff --git a/templates/domain.epp b/templates/domain.epp new file mode 100644 index 0000000..d7ca2b0 --- /dev/null +++ b/templates/domain.epp 
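Review bot: The parameter hash built for `sssd/domain.epp` never passes `custom_options`, yet the new template's parameter tag declares `Optional[Hash] $custom_options` with no default, and EPP treats a parameter without a default as required — so every `sssd::domain` instance should fail to compile with a missing-parameter error until `'custom_options' => $custom_options,` is added after the `'ldap_user_search_filter'` entry. The template also writes `[domain/<%= $name %>]` from a `$name` that is not declared in its tag; the module's existing krb5 call in this series passes `'domain' => $title` explicitly, so passing the title here as well (and declaring it in the template) would keep the two providers consistent instead of relying on calling-scope lookup. The defined type's parameter list begins outside the hunk.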
@@ -0,0 +1,159 @@ +<% | + Sssd::IdProvider $id_provider, + Optional[Sssd::DebugLevel] $debug_level, + Boolean $debug_timestamps, + Boolean $debug_microseconds, + Optional[String] $description, + Integer[0] $min_id, + Integer[0] $max_id, + Boolean $enumerate, + Boolean $subdomain_enumerate, + Optional[Integer] $force_timeout, + Optional[Integer] $entry_cache_timeout, + Optional[Integer] $entry_cache_user_timeout, + Optional[Integer] $entry_cache_group_timeout, + Optional[Integer] $entry_cache_netgroup_timeout, + Optional[Integer] $entry_cache_service_timeout, + Optional[Integer] $entry_cache_sudo_timeout, + Optional[Integer] $entry_cache_autofs_timeout, + Optional[Integer] $entry_cache_ssh_host_timeout, + Optional[Integer] $refresh_expired_interval, + Boolean $cache_credentials, + Integer[0] $account_cache_expiration, + Optional[Integer[0]] $pwd_expiration_warning, + Boolean $use_fully_qualified_names, + Boolean $ignore_group_members, + Optional[Sssd::AccessProvider] $access_provider, + Optional[Sssd::AuthProvider] $auth_provider, + Optional[Sssd::ChpassProvider] $chpass_provider, + Optional[Enum['ldap', 'ipa','ad','none']] $sudo_provider, + Optional[Enum['ipa', 'none']] $selinux_provider, + Optional[Enum['ipa', 'ad','none']] $subdomains_provider, + Optional[Enum['ad', 'ldap', 'ipa','none']] $autofs_provider, + Optional[Enum['ipa', 'none']] $hostid_provider, + Optional[String] $re_expression, + Optional[String] $full_name_format, + Optional[String] $lookup_family_order, + Integer[0] $dns_resolver_timeout, + Optional[String] $dns_discovery_domain, + Optional[String] $override_gid, + Variant[Boolean,Enum['preserving']] $case_sensitive, + Boolean $proxy_fast_alias, + Optional[String] $realmd_tags, + Optional[String] $proxy_pam_target, + Optional[String] $proxy_lib_name, + Optional[String] $ldap_user_search_filter, + Optional[Hash] $custom_options, +| -%> + +# sssd::domain <%= $name %> +[domain/<%= $name %>] +<% if $debug_level { -%> +debug_level = <%= $debug_level %> 
+<% } -%> +debug_timestamps = <%= $debug_timestamps %> +debug_microseconds = <%= $debug_microseconds %> +<% if $description { -%> +description = <%= $description %> +<% } -%> +min_id = <%= $min_id %> +max_id = <%= $max_id %> +enumerate = <%= $enumerate %> +<% if $subdomain_enumerate { -%> +subdomain_enumerate = <%= $subdomain_enumerate %> +<% } -%> +<% if $force_timeout { -%> +force_timeout = <%= $force_timeout %> +<% } -%> +<% if $entry_cache_timeout { -%> +entry_cache_timeout = <%= $entry_cache_timeout %> +<% } -%> +<% if $entry_cache_user_timeout { -%> +entry_cache_user_timeout = <%= $entry_cache_user_timeout %> +<% } -%> +<% if $entry_cache_group_timeout { -%> +entry_cache_group_timeout = <%= $entry_cache_group_timeout %> +<% } -%> +<% if $entry_cache_netgroup_timeout { -%> +entry_cache_netgroup_timeout = <%= $entry_cache_netgroup_timeout %> +<% } -%> +<% if $entry_cache_service_timeout { -%> +entry_cache_service_timeout = <%= $entry_cache_service_timeout %> +<% } -%> +<% if $entry_cache_sudo_timeout { -%> +entry_cache_sudo_timeout = <%= $entry_cache_sudo_timeout %> +<% } -%> +<% if $entry_cache_autofs_timeout { -%> +entry_cache_autofs_timeout = <%= $entry_cache_autofs_timeout %> +<% } -%> +<% if $entry_cache_ssh_host_timeout { -%> +entry_cache_ssh_host_timeout = <%= $entry_cache_ssh_host_timeout %> +<% } -%> +<% if $refresh_expired_interval { -%> +refresh_expired_interval = <%= $refresh_expired_interval %> +<% } -%> +cache_credentials = <%= $cache_credentials %> +account_cache_expiration = <%= $account_cache_expiration %> +<% if $pwd_expiration_warning { -%> +pwd_expiration_warning = <%= $pwd_expiration_warning %> +<% } -%> +use_fully_qualified_names = <%= $use_fully_qualified_names %> +ignore_group_members = <%= $ignore_group_members %> +id_provider = <%= $id_provider %> +<% if $auth_provider { -%> +auth_provider = <%= $auth_provider %> +<% } -%> +<% if $access_provider { -%> +access_provider = <%= $access_provider %> +<% } -%> +<% if $chpass_provider { -%> 
+chpass_provider = <%= $chpass_provider %> +<% } -%> +<% if $sudo_provider { -%> +sudo_provider = <%= $sudo_provider %> +<% } -%> +<% if $selinux_provider { -%> +selinux_provider = <%= $selinux_provider %> +<% } -%> +<% if $subdomains_provider { -%> +subdomains_provider = <%= $subdomains_provider %> +<% } -%> +<% if $autofs_provider { -%> +autofs_provider = <%= $autofs_provider %> +<% } -%> +<% if $hostid_provider { -%> +hostid_provider = <%= $hostid_provider %> +<% } -%> +<% if $re_expression { -%> +re_expression = <%= $re_expression %> +<% } -%> +<% if $full_name_format { -%> +full_name_format = <%= $full_name_format %> +<% } -%> +<% if $lookup_family_order { -%> +lookup_family_order = <%= $lookup_family_order %> +<% } -%> +dns_resolver_timeout = <%= $dns_resolver_timeout %> +<% if $dns_discovery_domain { -%> +dns_discovery_domain = <%= $dns_discovery_domain %> +<% } -%> +<% if $override_gid { -%> +override_gid = <%= $override_gid %> +<% } -%> +case_sensitive = <%= $case_sensitive %> +proxy_fast_alias = <%= $proxy_fast_alias %> +<% if $realmd_tags { -%> +realmd_tags = <%= $realmd_tags %> +<% } -%> +<% if $ldap_user_search_filter { -%> +ldap_user_search_filter = <%= $ldap_user_search_filter %> +<% } -%> +<% if $proxy_pam_target { -%> +proxy_pam_target = <%= $proxy_pam_target %> +<% } -%> +<% if $proxy_lib_name { -%> +proxy_lib_name = <%= $proxy_lib_name %> +<% } -%> +<% $custom_options.each |$opt, $value| { -%> +<%= $opt %> = <%= $value %> +<% } -%> diff --git a/templates/domain.erb b/templates/domain.erb deleted file mode 100644 index 7ddb181..0000000 --- a/templates/domain.erb +++ /dev/null 
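Review bot: The closing loop `<% $custom_options.each |$opt, $value| { -%>` runs unconditionally, but the parameter is `Optional[Hash]` and the caller's default is `undef`; calling `each` on `undef` is a Puppet evaluation error, so the default (no custom options) case no longer renders at all — the deleted ERB guarded this with `if @custom_options`. Give the parameter a default in the tag, `Optional[Hash] $custom_options = undef,`, and guard the loop with `<% if $custom_options { $custom_options.each |$opt, $value| { -%>` closed by `<% } } -%>` (or iterate over `pick($custom_options, {})`). Since those entries are emitted verbatim after every typed option and can repeat keys already written to this `[domain/…]` section, including `access_provider`, a one-line comment above the loop noting that they are unvalidated and may shadow the typed settings would help the next reader.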
@@ -1,114 +0,0 @@ - -# sssd::domain <%= @name %> -[domain/<%= @name %>] -<% if @debug_level -%> -debug_level = <%= @debug_level %> -<% end -%> -debug_timestamps = <%= @debug_timestamps.to_s %> -debug_microseconds = <%= @debug_microseconds.to_s %> -<% if @description -%> -description = <%= @description %> -<% end -%> -min_id = <%= @min_id.to_s %> -max_id = <%= @max_id.to_s %> -enumerate = <%= @enumerate.to_s %> -<% if @subdomain_enumerate -%> -subdomain_enumerate = <%= @subdomain_enumerate %> -<% end -%> -<% if @force_timeout -%> -force_timeout = <%= @force_timeout.to_s %> -<% end -%> -<% if @entry_cache_timeout -%> -entry_cache_timeout = <%= @entry_cache_timeout.to_s %> -<% end -%> -<% if @entry_cache_user_timeout -%> -entry_cache_user_timeout = <%= @entry_cache_user_timeout.to_s %> -<% end -%> -<% if @entry_cache_group_timeout -%> -entry_cache_group_timeout = <%= @entry_cache_group_timeout.to_s %> -<% end -%> -<% if @entry_cache_netgroup_timeout -%> -entry_cache_netgroup_timeout = <%= @entry_cache_netgroup_timeout.to_s %> -<% end -%> -<% if @entry_cache_service_timeout -%> -entry_cache_service_timeout = <%= @entry_cache_service_timeout.to_s %> -<% end -%> -<% if @entry_cache_sudo_timeout -%> -entry_cache_sudo_timeout = <%= @entry_cache_sudo_timeout.to_s %> -<% end -%> -<% if @entry_cache_autofs_timeout -%> -entry_cache_autofs_timeout = <%= @entry_cache_autofs_timeout.to_s %> -<% end -%> -<% if @entry_cache_ssh_host_timeout -%> -entry_cache_ssh_host_timeout = <%= @entry_cache_ssh_host_timeout.to_s %> -<% end -%> -<% if @refresh_expired_interval -%> -refresh_expired_interval = <%= @refresh_expired_interval.to_s %> -<% end -%> -cache_credentials = <%= @cache_credentials.to_s %> -account_cache_expiration = <%= @account_cache_expiration.to_s %> -<% if @pwd_expiration_warning -%> -pwd_expiration_warning = <%= @pwd_expiration_warning.to_s %> -<% end -%> -use_fully_qualified_names = <%= @use_fully_qualified_names.to_s %> -ignore_group_members = <%= 
@ignore_group_members.to_s %> -id_provider = <%= @id_provider %> -<% if @auth_provider -%> -auth_provider = <%= @auth_provider %> -<% end -%> -<% if @access_provider -%> -access_provider = <%= @access_provider %> -<% end -%> -<% if @chpass_provider -%> -chpass_provider = <%= @chpass_provider %> -<% end -%> -<% if @sudo_provider -%> -sudo_provider = <%= @sudo_provider %> -<% end -%> -<% if @selinux_provider -%> -selinux_provider = <%= @selinux_provider %> -<% end -%> -<% if @subdomains_provider -%> -subdomains_provider = <%= @subdomains_provider %> -<% end -%> -<% if @autofs_provider -%> -autofs_provider = <%= @autofs_provider %> -<% end -%> -<% if @hostid_provider -%> -hostid_provider = <%= @hostid_provider %> -<% end -%> -<% if @re_expression -%> -re_expression = <%= @re_expression %> -<% end -%> -<% if @full_name_format -%> -full_name_format = <%= @full_name_format %> -<% end -%> -<% if @lookup_family_order -%> -lookup_family_order = <%= @lookup_family_order %> -<% end -%> -dns_resolver_timeout = <%= @dns_resolver_timeout.to_s %> -<% if @dns_discovery_domain %> -dns_discovery_domain = <%= @dns_discovery_domain %> -<% end -%> -<% if @override_gid -%> -override_gid = <%= @override_gid %> -<% end -%> -case_sensitive = <%= @case_sensitive.to_s %> -proxy_fast_alias = <%= @proxy_fast_alias.to_s %> -<% if @realmd_tags -%> -realmd_tags = <%= @realmd_tags %> -<% end -%> -<% if @ldap_user_search_filter -%> -ldap_user_search_filter = <%= @ldap_user_search_filter %> -<% end -%> -<% if @proxy_pam_target %> -proxy_pam_target = <%= @proxy_pam_target %> -<% end -%> -<% if @proxy_lib_name %> -proxy_lib_name = <%= @proxy_lib_name %> -<% end -%> -<% if @custom_options -%> -<% @custom_options.each do |opt,value| -%> -<%= opt %> = <%= value %> -<% end -%> -<% end -%> From 61da81acebae13b9215dede0c0528fd34c661343 Mon Sep 17 00:00:00 2001 
From: Steven Pritchard Date: Thu, 18 Sep 2025 17:04:05 -0500 Subject: [PATCH 02/25] Migrate additional files --- manifests/config.pp | 34 +++- manifests/provider/ad.pp | 58 +++++- manifests/provider/files.pp | 8 +- manifests/provider/ipa.pp | 37 +++- manifests/provider/krb5.pp | 41 ++-- manifests/provider/ldap.pp | 154 ++++++++++++++- manifests/service/autofs.pp | 24 ++- manifests/service/ifp.pp | 24 ++- manifests/service/nss.pp | 40 +++- manifests/service/pac.pp | 25 ++- manifests/service/pam.pp | 36 +++- manifests/service/ssh.pp | 26 ++- manifests/service/sudo.pp | 32 +++- templates/provider/ad.epp | 212 +++++++++++++++++++++ templates/provider/ad.erb | 158 ---------------- templates/provider/files.epp | 12 ++ templates/provider/files.erb | 8 - templates/provider/ipa.epp | 97 ++++++++++ templates/provider/ipa.erb | 66 ------- templates/provider/ldap.epp | 352 +++++++++++++++++++++++++++++++++++ templates/provider/ldap.erb | 200 -------------------- templates/service/autofs.epp | 22 +++ templates/service/autofs.erb | 14 -- templates/service/ifp.epp | 28 +++ templates/service/ifp.erb | 19 -- templates/service/nss.epp | 68 +++++++ templates/service/nss.erb | 45 ----- templates/service/pac.epp | 22 +++ templates/service/pac.erb | 14 -- templates/service/pam.epp | 51 +++++ templates/service/pam.erb | 33 ---- templates/service/ssh.epp | 23 +++ templates/service/ssh.erb | 15 -- templates/service/sudo.epp | 20 ++ templates/service/sudo.erb | 12 -- templates/sssd.conf.epp | 63 +++++++ templates/sssd.conf.erb | 45 ----- 37 files changed, 1430 insertions(+), 708 deletions(-) create mode 100644 templates/provider/ad.epp delete mode 100644 templates/provider/ad.erb create mode 100644 templates/provider/files.epp delete mode 100644 templates/provider/files.erb create mode 100644 templates/provider/ipa.epp delete mode 100644 templates/provider/ipa.erb create mode 100644 templates/provider/ldap.epp delete mode 100644 templates/provider/ldap.erb create mode 100644 
templates/service/autofs.epp delete mode 100644 templates/service/autofs.erb create mode 100644 templates/service/ifp.epp delete mode 100644 templates/service/ifp.erb create mode 100644 templates/service/nss.epp delete mode 100644 templates/service/nss.erb create mode 100644 templates/service/pac.epp delete mode 100644 templates/service/pac.erb create mode 100644 templates/service/pam.epp delete mode 100644 templates/service/pam.erb create mode 100644 templates/service/ssh.epp delete mode 100644 templates/service/ssh.erb create mode 100644 templates/service/sudo.epp delete mode 100644 templates/service/sudo.erb create mode 100644 templates/sssd.conf.epp delete mode 100644 templates/sssd.conf.erb diff --git a/manifests/config.pp b/manifests/config.pp index 4ddb740..913adf2 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -13,8 +13,8 @@ # @author https://github.com/simp/pupmod-simp-sssd/graphs/contributors # class sssd::config ( - Boolean $authoritative = pick(getvar("${module_name}::authoritative"), false) -){ + Boolean $authoritative = pick(getvar("${module_name}::authoritative"), false), +) { assert_private() include $module_name @@ -52,19 +52,19 @@ file { '/etc/sssd': ensure => 'directory', - mode => 'go-rw' + mode => 'go-rw', } file { '/etc/sssd/conf.d': ensure => 'directory', purge => $authoritative, - recurse => true + recurse => true, } unless $authoritative { tidy { '/etc/sssd/conf.d': matches => '*_puppet_*.conf', - recurse => true + recurse => true, } } 
@@ -72,7 +72,27 @@ owner => 'root', group => 'root', mode => '0600', - content => template("${module_name}/sssd.conf.erb"), - notify => Class["${module_name}::service"] + content => epp( + "${module_name}/sssd.conf.epp", + { + '_domains' => $_domains, + '_debug_level' => $_debug_level, + '_debug_timestamps' => $_debug_timestamps, + '_debug_microseconds' => $_debug_microseconds, + '_description' => $_description, + '_enable_files_domain' => $_enable_files_domain, + '_config_file_version' => $_config_file_version, + '_services' => $_services, + '_reconnection_retries' => $_reconnection_retries, + '_re_expression' => $_re_expression, + '_full_name_format' => $_full_name_format, + '_try_inotify' => $_try_inotify, + '_krb5_rcache_dir' => $_krb5_rcache_dir, + '_user' => $_user, + '_default_domain_suffix' => $_default_domain_suffix, + '_override_space' => $_override_space, + }, + ), + notify => Class["${module_name}::service"], } } diff --git a/manifests/provider/ad.pp b/manifests/provider/ad.pp index 7c0e227..3863fa6 100644 --- a/manifests/provider/ad.pp +++ b/manifests/provider/ad.pp 
@@ -151,6 +151,62 @@ Optional[String[1]] $ldap_user_ssh_public_key = undef, ) { sssd::config::entry { "puppet_provider_${name}_ad": - content => template("${module_name}/provider/ad.erb") + content => epp( + "${module_name}/provider/ad.epp", + { + 'ad_domain' => $ad_domain, + 'ad_enabled_domains' => $ad_enabled_domains, + 'ad_servers' => $ad_servers, + 'ad_backup_servers' => $ad_backup_servers, + 'ad_hostname' => $ad_hostname, + 'ad_enable_dns_sites' => $ad_enable_dns_sites, + 'ad_access_filters' => $ad_access_filters, + 'ad_site' => $ad_site, + 'ad_enable_gc' => $ad_enable_gc, + 'ad_gpo_access_control' => $ad_gpo_access_control, + 'ad_gpo_cache_timeout' => $ad_gpo_cache_timeout, + 'ad_gpo_map_interactive' => $ad_gpo_map_interactive, + 'ad_gpo_map_remote_interactive' => $ad_gpo_map_remote_interactive, + 'ad_gpo_map_network' => $ad_gpo_map_network, + 'ad_gpo_map_batch' => $ad_gpo_map_batch, + 'ad_gpo_map_service' => $ad_gpo_map_service, + 'ad_gpo_map_permit' => $ad_gpo_map_permit, + 'ad_gpo_map_deny' => $ad_gpo_map_deny, + 'ad_gpo_default_right' => $ad_gpo_default_right, + 'ad_gpo_implicit_deny' => $ad_gpo_implicit_deny, + 'ad_gpo_ignore_unreadable' => $ad_gpo_ignore_unreadable, + 'ad_maximum_machine_account_password_age' => $ad_maximum_machine_account_password_age, + 'ad_machine_account_password_renewal_opts' => $ad_machine_account_password_renewal_opts, + 'default_shell' => $default_shell, + 'dyndns_update' => $dyndns_update, + 'dyndns_ttl' => $dyndns_ttl, + 'dyndns_ifaces' => $dyndns_ifaces, + 'dyndns_refresh_interval' => $dyndns_refresh_interval, + 'dyndns_update_ptr' => $dyndns_update_ptr, + 'dyndns_force_tcp' => $dyndns_force_tcp, + 'dyndns_server' => $dyndns_server, + 'override_homedir' => $override_homedir, + 'fallback_homedir' => $fallback_homedir, + 'homedir_substring' => $homedir_substring, + 'krb5_realm' => $krb5_realm, + 'krb5_confd_path' => $krb5_confd_path, + 'krb5_use_enterprise_principal' => $krb5_use_enterprise_principal, + 
'krb5_store_password_if_offline' => $krb5_store_password_if_offline, + 'ldap_id_mapping' => $ldap_id_mapping, + 'ldap_schema' => $ldap_schema, + 'ldap_idmap_range_min' => $ldap_idmap_range_min, + 'ldap_idmap_range_max' => $ldap_idmap_range_max, + 'ldap_idmap_range_size' => $ldap_idmap_range_size, + 'ldap_idmap_default_domain_sid' => $ldap_idmap_default_domain_sid, + 'ldap_idmap_default_domain' => $ldap_idmap_default_domain, + 'ldap_idmap_autorid_compat' => $ldap_idmap_autorid_compat, + 'ldap_idmap_helper_table_size' => $ldap_idmap_helper_table_size, + 'ldap_use_tokengroups' => $ldap_use_tokengroups, + 'ldap_group_objectsid' => $ldap_group_objectsid, + 'ldap_user_objectsid' => $ldap_user_objectsid, + 'ldap_user_extra_attrs' => $ldap_user_extra_attrs, + 'ldap_user_ssh_public_key' => $ldap_user_ssh_public_key, + } + ), } } diff --git a/manifests/provider/files.pp b/manifests/provider/files.pp index ab00994..7d95224 100644 --- a/manifests/provider/files.pp +++ b/manifests/provider/files.pp @@ -22,6 +22,12 @@ Optional[Array[Stdlib::Absolutepath]] $group_files = undef ) { sssd::config::entry { "puppet_provider_${name}_files": - content => template("${module_name}/provider/files.erb") + content => epp( + "${module_name}/provider/files.epp", + { + 'passwd_files' => $passwd_files, + 'group_files' => $group_files, + } + ), } } diff --git a/manifests/provider/ipa.pp b/manifests/provider/ipa.pp index 68c87b5..a2cff7e 100644 --- a/manifests/provider/ipa.pp +++ b/manifests/provider/ipa.pp @@ -73,7 +73,7 @@ Boolean $krb5_store_password_if_offline = true, Stdlib::AbsolutePath $ldap_tls_cacert = '/etc/ipa/ca.crt', Array[String] $ldap_tls_cipher_suite = ['HIGH','-SSLv2'], - Boolean $use_service_discovery = true + Boolean $use_service_discovery = true, ) { if $use_service_discovery { $_ipa_server = ['_srv_'] + $ipa_server 
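Review bot: Nothing in the hash identifies which domain this provider block belongs to, whereas the krb5 provider in the same series passes `'domain' => $title`; if `ad.epp` (not shown here) emits a `[domain/…]` header, it can only obtain the name from the calling scope as an undeclared `$name`. Adding `'domain' => $title,` and declaring it in the template's parameter tag would make the contract explicit and match the krb5 convention. Note also that the resource title is interpolated into `"puppet_provider_${name}_ad"` while the ldap provider uses `${title}`; the two are equivalent here, but picking one spelling across the providers would avoid the appearance of a difference. The defined type's parameters are declared outside the hunk.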
@@ -83,6 +83,39 @@ } sssd::config::entry { "puppet_provider_${name}_ipa": - content => template("${module_name}/provider/ipa.erb") + content => epp( + "${module_name}/provider/ipa.epp", + { + 'ipa_domain' => $ipa_domain, + 'ipa_server' => $ipa_server, + 'ipa_backup_server' => $ipa_backup_server, + 'ipa_enable_dns_sites' => $ipa_enable_dns_sites, + 'ipa_hostname' => $ipa_hostname, + 'ipa_server_mode' => $ipa_server_mode, + 'dyndns_auth' => $dyndns_auth, + 'dyndns_force_tcp' => $dyndns_force_tcp, + 'dyndns_iface' => $dyndns_iface, + 'dyndns_refresh_interval' => $dyndns_refresh_interval, + 'dyndns_server' => $dyndns_server, + 'dyndns_ttl' => $dyndns_ttl, + 'dyndns_update' => $dyndns_update, + 'dyndns_update_ptr' => $dyndns_update_ptr, + 'ipa_automount_location' => $ipa_automount_location, + 'ipa_hbac_refresh' => $ipa_hbac_refresh, + 'ipa_hbac_search_base' => $ipa_hbac_search_base, + 'ipa_hbac_selinux' => $ipa_hbac_selinux, + 'ipa_host_search_base' => $ipa_host_search_base, + 'ipa_master_domains_search_base' => $ipa_master_domains_search_base, + 'ipa_selinux_search_base' => $ipa_selinux_search_base, + 'ipa_subdomains_search_base' => $ipa_subdomains_search_base, + 'ipa_views_search_base' => $ipa_views_search_base, + 'krb5_confd_path' => $krb5_confd_path, + 'krb5_realm' => $krb5_realm, + 'krb5_store_password_if_offline' => $krb5_store_password_if_offline, + 'ldap_tls_cacert' => $ldap_tls_cacert, + 'ldap_tls_cipher_suite' => $ldap_tls_cipher_suite, + 'use_service_discovery' => $use_service_discovery, + } + ), } } diff --git a/manifests/provider/krb5.pp b/manifests/provider/krb5.pp index 5986e0f..bd7e398 100644 --- a/manifests/provider/krb5.pp +++ b/manifests/provider/krb5.pp 
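Review bot: `$_ipa_server`, computed in the previous hunk as `['_srv_'] + $ipa_server` when `$use_service_discovery` is true, is not what the template receives — the hash passes the raw `'ipa_server' => $ipa_server` together with the boolean. Unless `ipa.epp` re-derives the `_srv_` prefix from `use_service_discovery` (the template is not on this page), the rendered `ipa_server =` line silently loses DNS SRV discovery and the client will only ever try the explicitly listed servers. Passing `'ipa_server' => $_ipa_server,` keeps that decision in the manifest, where it is already made, and lets the `use_service_discovery` key be dropped from the hash. The enclosing defined type starts outside the hunk.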
@@ -47,24 +47,27 @@ ) { sssd::config::entry { "puppet_provider_${name}_krb5": - content => epp("${module_name}/provider/krb5", { - 'domain' => $title, - 'krb5_server' => $krb5_server, - 'krb5_realm' => $krb5_realm, - 'debug_level' => $debug_level, - 'debug_timestamps' => $debug_timestamps, - 'debug_microseconds' => $debug_microseconds, - 'krb5_kpasswd' => $krb5_kpasswd, - 'krb5_ccachedir' => $krb5_ccachedir, - 'krb5_ccname_template' => $krb5_ccname_template, - 'krb5_auth_timeout' => $krb5_auth_timeout, - 'krb5_validate' => $krb5_validate, - 'krb5_keytab' => $krb5_keytab, - 'krb5_store_password_if_offline' => $krb5_store_password_if_offline, - 'krb5_renewable_lifetime' => $krb5_renewable_lifetime, - 'krb5_lifetime' => $krb5_lifetime, - 'krb5_renew_interval' => $krb5_renew_interval, - 'krb5_use_fast' => $krb5_use_fast - }) + content => epp( + "${module_name}/provider/krb5", + { + 'domain' => $title, + 'krb5_server' => $krb5_server, + 'krb5_realm' => $krb5_realm, + 'debug_level' => $debug_level, + 'debug_timestamps' => $debug_timestamps, + 'debug_microseconds' => $debug_microseconds, + 'krb5_kpasswd' => $krb5_kpasswd, + 'krb5_ccachedir' => $krb5_ccachedir, + 'krb5_ccname_template' => $krb5_ccname_template, + 'krb5_auth_timeout' => $krb5_auth_timeout, + 'krb5_validate' => $krb5_validate, + 'krb5_keytab' => $krb5_keytab, + 'krb5_store_password_if_offline' => $krb5_store_password_if_offline, + 'krb5_renewable_lifetime' => $krb5_renewable_lifetime, + 'krb5_lifetime' => $krb5_lifetime, + 'krb5_renew_interval' => $krb5_renew_interval, + 'krb5_use_fast' => $krb5_use_fast, + }, + ) } } diff --git a/manifests/provider/ldap.pp b/manifests/provider/ldap.pp index a9dba1c..7f0f5a8 100644 --- a/manifests/provider/ldap.pp +++ b/manifests/provider/ldap.pp 
@@ -375,6 +375,158 @@ } sssd::config::entry { "puppet_provider_${title}_ldap": - content => template("${module_name}/provider/ldap.erb") + content => epp( + "${module_name}/provider/ldap.epp", + { + 'debug_level' => $debug_level, + 'debug_timestamps' => $debug_timestamps, + 'debug_microseconds' => $debug_microseconds, + 'ldap_uri' => $ldap_uri, + 'ldap_backup_uri' => $ldap_backup_uri, + 'ldap_chpass_uri' => $ldap_chpass_uri, + 'ldap_chpass_backup_uri' => $ldap_chpass_backup_uri, + 'ldap_chpass_update_last_change' => $ldap_chpass_update_last_change, + 'ldap_search_base' => $ldap_search_base, + 'ldap_schema' => $ldap_schema, + 'ldap_default_bind_dn' => $ldap_default_bind_dn, + 'ldap_default_authtok_type' => $ldap_default_authtok_type, + 'ldap_default_authtok' => $ldap_default_authtok, + 'ldap_user_cert' => $ldap_user_cert, + 'ldap_user_object_class' => $ldap_user_object_class, + 'ldap_user_name' => $ldap_user_name, + 'ldap_user_uid_number' => $ldap_user_uid_number, + 'ldap_user_gid_number' => $ldap_user_gid_number, + 'ldap_user_gecos' => $ldap_user_gecos, + 'ldap_user_home_directory' => $ldap_user_home_directory, + 'ldap_user_shell' => $ldap_user_shell, + 'ldap_user_uuid' => $ldap_user_uuid, + 'ldap_user_objectsid' => $ldap_user_objectsid, + 'ldap_user_modify_timestamp' => $ldap_user_modify_timestamp, + 'ldap_user_shadow_last_change' => $ldap_user_shadow_last_change, + 'ldap_user_shadow_min' => $ldap_user_shadow_min, + 'ldap_user_shadow_max' => $ldap_user_shadow_max, + 'ldap_user_shadow_warning' => $ldap_user_shadow_warning, + 'ldap_user_shadow_inactive' => $ldap_user_shadow_inactive, + 'ldap_user_shadow_expire' => $ldap_user_shadow_expire, + 'ldap_user_krb_last_pwd_change' => $ldap_user_krb_last_pwd_change, + 'ldap_user_krb_password_expiration' => $ldap_user_krb_password_expiration, + 'ldap_user_ad_account_expires' => $ldap_user_ad_account_expires, + 'ldap_user_ad_user_account_control' => $ldap_user_ad_user_account_control, + 'ldap_ns_account_lock' => 
$ldap_ns_account_lock, + 'ldap_user_nds_login_disabled' => $ldap_user_nds_login_disabled, + 'ldap_user_nds_login_expiration_time' => $ldap_user_nds_login_expiration_time, + 'ldap_user_nds_login_allowed_time_map' => $ldap_user_nds_login_allowed_time_map, + 'ldap_user_principal' => $ldap_user_principal, + 'ldap_user_extra_attrs' => $ldap_user_extra_attrs, + 'ldap_user_ssh_public_key' => $ldap_user_ssh_public_key, + 'ldap_force_upper_case_realm' => $ldap_force_upper_case_realm, + 'ldap_enumeration_refresh_timeout' => $ldap_enumeration_refresh_timeout, + 'ldap_purge_cache_timeout' => $ldap_purge_cache_timeout, + 'ldap_user_fullname' => $ldap_user_fullname, + 'ldap_user_member_of' => $ldap_user_member_of, + 'ldap_user_authorized_service' => $ldap_user_authorized_service, + 'ldap_user_authorized_host' => $ldap_user_authorized_host, + 'ldap_group_object_class' => $ldap_group_object_class, + 'ldap_group_name' => $ldap_group_name, + 'ldap_group_gid_number' => $ldap_group_gid_number, + 'ldap_group_member' => $ldap_group_member, + 'ldap_group_uuid' => $ldap_group_uuid, + 'ldap_group_objectsid' => $ldap_group_objectsid, + 'ldap_group_modify_timestamp' => $ldap_group_modify_timestamp, + 'ldap_group_type' => $ldap_group_type, + 'ldap_group_nesting_level' => $ldap_group_nesting_level, + 'ldap_groups_use_matching_rule_in_chain' => $ldap_groups_use_matching_rule_in_chain, + 'ldap_initgroups_use_matching_rule_in_chain' => $ldap_initgroups_use_matching_rule_in_chain, + 'ldap_use_tokengroups' => $ldap_use_tokengroups, + 'ldap_netgroup_object_class' => $ldap_netgroup_object_class, + 'ldap_netgroup_name' => $ldap_netgroup_name, + 'ldap_netgroup_member' => $ldap_netgroup_member, + 'ldap_netgroup_triple' => $ldap_netgroup_triple, + 'ldap_netgroup_uuid' => $ldap_netgroup_uuid, + 'ldap_netgroup_modify_timestamp' => $ldap_netgroup_modify_timestamp, + 'ldap_service_name' => $ldap_service_name, + 'ldap_service_port' => $ldap_service_port, + 'ldap_service_proto' => $ldap_service_proto, + 
'ldap_service_search_base' => $ldap_service_search_base, + 'ldap_search_timeout' => $ldap_search_timeout, + 'ldap_enumeration_search_timeout' => $ldap_enumeration_search_timeout, + 'ldap_network_timeout' => $ldap_network_timeout, + 'ldap_opt_timeout' => $ldap_opt_timeout, + 'ldap_connection_expire_timeout' => $ldap_connection_expire_timeout, + 'ldap_page_size' => $ldap_page_size, + 'ldap_disable_paging' => $ldap_disable_paging, + 'ldap_disable_range_retrieval' => $ldap_disable_range_retrieval, + 'ldap_sasl_minssf' => $ldap_sasl_minssf, + 'ldap_deref_threshold' => $ldap_deref_threshold, + 'ldap_tls_reqcert' => $ldap_tls_reqcert, + 'ldap_tls_cacert' => $ldap_tls_cacert, + 'ldap_tls_cacertdir' => $ldap_tls_cacertdir, + 'ldap_tls_key' => $ldap_tls_key, + 'ldap_tls_cert' => $ldap_tls_cert, + 'strip_128_bit_ciphers' => $strip_128_bit_ciphers, + 'ldap_tls_cipher_suite' => $ldap_tls_cipher_suite, + 'ldap_id_use_start_tls' => $ldap_id_use_start_tls, + 'ldap_id_mapping' => $ldap_id_mapping, + 'ldap_min_id' => $ldap_min_id, + 'ldap_max_id' => $ldap_max_id, + 'ldap_sasl_mech' => $ldap_sasl_mech, + 'ldap_sasl_authid' => $ldap_sasl_authid, + 'ldap_sasl_realm' => $ldap_sasl_realm, + 'ldap_sasl_canonicalize' => $ldap_sasl_canonicalize, + 'ldap_krb5_keytab' => $ldap_krb5_keytab, + 'ldap_krb5_init_creds' => $ldap_krb5_init_creds, + 'ldap_krb5_ticket_lifetime' => $ldap_krb5_ticket_lifetime, + 'krb5_server' => $krb5_server, + 'krb5_backup_server' => $krb5_backup_server, + 'krb5_realm' => $krb5_realm, + 'krb5_canonicalize' => $krb5_canonicalize, + 'krb5_use_kdcinfo' => $krb5_use_kdcinfo, + 'ldap_account_expire_policy' => $_ldap_account_expire_policy, + 'ldap_pwd_policy' => $ldap_pwd_policy, + 'ldap_referrals' => $ldap_referrals, + 'ldap_dns_service_name' => $ldap_dns_service_name, + 'ldap_chpass_dns_service_name' => $ldap_chpass_dns_service_name, + 'ldap_access_filter' => $ldap_access_filter, + 'ldap_access_order' => $ldap_access_order, + 'ldap_pwdlockout_dn' => $ldap_pwdlockout_dn, + 
'ldap_deref' => $ldap_deref, + 'ldap_sudorule_object_class' => $ldap_sudorule_object_class, + 'ldap_sudorule_name' => $ldap_sudorule_name, + 'ldap_sudorule_command' => $ldap_sudorule_command, + 'ldap_sudorule_host' => $ldap_sudorule_host, + 'ldap_sudorule_user' => $ldap_sudorule_user, + 'ldap_sudorule_option' => $ldap_sudorule_option, + 'ldap_sudorule_runasuser' => $ldap_sudorule_runasuser, + 'ldap_sudorule_runasgroup' => $ldap_sudorule_runasgroup, + 'ldap_sudorule_notbefore' => $ldap_sudorule_notbefore, + 'ldap_sudorule_notafter' => $ldap_sudorule_notafter, + 'ldap_sudorule_order' => $ldap_sudorule_order, + 'ldap_sudo_full_refresh_interval' => $ldap_sudo_full_refresh_interval, + 'ldap_sudo_smart_refresh_interval' => $ldap_sudo_smart_refresh_interval, + 'ldap_sudo_use_host_filter' => $ldap_sudo_use_host_filter, + 'ldap_sudo_hostnames' => $ldap_sudo_hostnames, + 'ldap_sudo_ip' => $ldap_sudo_ip, + 'ldap_sudo_include_netgroups' => $ldap_sudo_include_netgroups, + 'ldap_sudo_include_regexp' => $ldap_sudo_include_regexp, + 'ldap_autofs_map_master_name' => $ldap_autofs_map_master_name, + 'ldap_autofs_map_object_class' => $ldap_autofs_map_object_class, + 'ldap_autofs_map_name' => $ldap_autofs_map_name, + 'ldap_autofs_entry_object_class' => $ldap_autofs_entry_object_class, + 'ldap_autofs_entry_key' => $ldap_autofs_entry_key, + 'ldap_autofs_entry_value' => $ldap_autofs_entry_value, + 'ldap_netgroup_search_base' => $ldap_netgroup_search_base, + 'ldap_user_search_base' => $ldap_user_search_base, + 'ldap_group_search_base' => $ldap_group_search_base, + 'ldap_sudo_search_base' => $ldap_sudo_search_base, + 'ldap_autofs_search_base' => $ldap_autofs_search_base, + 'ldap_idmap_range_min' => $ldap_idmap_range_min, + 'ldap_idmap_range_max' => $ldap_idmap_range_max, + 'ldap_idmap_range_size' => $ldap_idmap_range_size, + 'ldap_idmap_default_domain_sid' => $ldap_idmap_default_domain_sid, + 'ldap_idmap_default_domain' => $ldap_idmap_default_domain, + 'ldap_idmap_autorid_compat' => 
$ldap_idmap_autorid_compat, + 'client_tls' => $client_tls, + } + ), } } diff --git a/manifests/service/autofs.pp b/manifests/service/autofs.pp index f25b9a2..a1dd0a0 100644 --- a/manifests/service/autofs.pp +++ b/manifests/service/autofs.pp @@ -26,18 +26,30 @@ Boolean $debug_timestamps = true, Boolean $debug_microseconds = false, Optional[Integer] $autofs_negative_timeout = undef, - Optional[Hash] $custom_options = undef + Optional[Hash] $custom_options = undef, ) { if $custom_options { - $_content = epp("${module_name}/service/custom_options.epp", { + $_content = epp( + "${module_name}/service/custom_options.epp", + { 'service_name' => 'autofs', - 'options' => $custom_options - }) + 'options' => $custom_options, + }, + ) } else { - $_content = template("${module_name}/service/autofs.erb") + $_content = epp( + "${module_name}/service/autofs.epp", + { + 'description' => $description, + 'debug_level' => $debug_level, + 'debug_timestamps' => $debug_timestamps, + 'debug_microseconds' => $debug_microseconds, + 'autofs_negative_timeout' => $autofs_negative_timeout, + }, + ) } sssd::config::entry { 'puppet_service_autofs': - content => $_content + content => $_content, } } diff --git a/manifests/service/ifp.pp b/manifests/service/ifp.pp index d46d158..0356c43 100644 --- a/manifests/service/ifp.pp +++ b/manifests/service/ifp.pp 
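Review bot: `'ldap_default_authtok' => $ldap_default_authtok` passes the LDAP bind credential into the template as an ordinary value; its declaration is outside the hunk, but if it is a plain `String`, consider accepting `Optional[Variant[String[1], Sensitive[String[1]]]]`, unwrapping inside `ldap.epp`, and handing the rendered text to `sssd::config::entry` as `Sensitive` if that defined type accepts it, so the password is redacted in reports and file-diff output rather than only protected by the file mode. The derived `$_ldap_account_expire_policy` is correctly the value passed (unlike the ipa provider's `$_ipa_server`), which is worth keeping in mind when the remaining templates are reviewed. As with the ad and krb5 providers, no `'domain' => $title` key is passed, so a `[domain/…]` header in `ldap.epp` would have to come from calling-scope `$title`/`$name`; declaring it explicitly would make the template self-contained.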
@@ -34,15 +34,29 @@ Optional[Hash] $custom_options = undef, ) { if $custom_options { - $_content = epp("${module_name}/service/custom_options.epp", { + $_content = epp( + "${module_name}/service/custom_options.epp", + { 'service_name' => 'ifp', - 'options' => $custom_options - }) + 'options' => $custom_options, + }, + ) } else { - $_content = template("${module_name}/service/ifp.erb") + $_content = epp( + "${module_name}/service/ifp.epp", + { + 'description' => $description, + 'debug_level' => $debug_level, + 'debug_timestamps' => $debug_timestamps, + 'debug_microseconds' => $debug_microseconds, + 'wildcard_limit' => $wildcard_limit, + 'allowed_uids' => $allowed_uids, + 'user_attributes' => $user_attributes, + }, + ) } sssd::config::entry { 'puppet_service_ifp': - content => $_content + content => $_content, } } diff --git a/manifests/service/nss.pp b/manifests/service/nss.pp index b6e997f..4bdbb45 100644 --- a/manifests/service/nss.pp +++ b/manifests/service/nss.pp 
@@ -59,18 +59,46 @@ Optional[Integer] $get_domains_timeout = undef, Optional[Integer] $memcache_timeout = undef, Optional[String] $user_attributes = undef, - Optional[Hash] $custom_options = undef + Optional[Hash] $custom_options = undef, ) { if $custom_options { - $_content = epp("${module_name}/service/custom_options.epp", { + $_content = epp( + "${module_name}/service/custom_options.epp", + { 'service_name' => 'nss', - 'options' => $custom_options - }) + 'options' => $custom_options, + }, + ) } else { - $_content = template("${module_name}/service/nss.erb") + $_content = epp( + "${module_name}/service/nss.epp", + { + 'description' => $description, + 'debug_level' => $debug_level, + 'debug_timestamps' => $debug_timestamps, + 'debug_microseconds' => $debug_microseconds, + 'reconnection_retries' => $reconnection_retries, + 'fd_limit' => $fd_limit, + 'command' => $command, + 'enum_cache_timeout' => $enum_cache_timeout, + 'entry_cache_nowait_percentage' => $entry_cache_nowait_percentage, + 'entry_negative_timeout' => $entry_negative_timeout, + 'filter_users' => $filter_users, + 'filter_groups' => $filter_groups, + 'filter_users_in_groups' => $filter_users_in_groups, + 'override_homedir' => $override_homedir, + 'fallback_homedir' => $fallback_homedir, + 'override_shell' => $override_shell, + 'vetoed_shells' => $vetoed_shells, + 'default_shell' => $default_shell, + 'get_domains_timeout' => $get_domains_timeout, + 'memcache_timeout' => $memcache_timeout, + 'user_attributes' => $user_attributes, + }, + ) } sssd::config::entry { 'puppet_service_nss': - content => $_content + content => $_content, } } diff --git a/manifests/service/pac.pp b/manifests/service/pac.pp index bcc5364..020b9e4 100644 --- a/manifests/service/pac.pp +++ b/manifests/service/pac.pp 
@@ -25,19 +25,30 @@ Boolean $debug_timestamps = true, Boolean $debug_microseconds = false, Array[String] $allowed_uids = [], - Optional[Hash] $custom_options = undef - + Optional[Hash] $custom_options = undef, ) { if $custom_options { - $_content = epp("${module_name}/service/custom_options.epp", { + $_content = epp( + "${module_name}/service/custom_options.epp", + { 'service_name' => 'pac', - 'options' => $custom_options - }) + 'options' => $custom_options, + }, + ) } else { - $_content = template("${module_name}/service/pac.erb") + $_content = epp( + "${module_name}/service/pac.epp", + { + 'description' => $description, + 'debug_level' => $debug_level, + 'debug_timestamps' => $debug_timestamps, + 'debug_microseconds' => $debug_microseconds, + 'allowed_uids' => $allowed_uids, + }, + ) } sssd::config::entry { 'puppet_service_pac': - content => $_content + content => $_content, } } diff --git a/manifests/service/pam.pp b/manifests/service/pam.pp index 80e5bb2..d6d9082 100644 --- a/manifests/service/pam.pp +++ b/manifests/service/pam.pp 
@@ -50,19 +50,41 @@ Optional[Integer] $get_domains_timeout = undef, Optional[String] $pam_trusted_users = undef, Optional[String] $pam_public_domains = undef, - Optional[Hash] $custom_options = undef - + Optional[Hash] $custom_options = undef, ) { if $custom_options { - $_content = epp("${module_name}/service/custom_options.epp", { + $_content = epp( + "${module_name}/service/custom_options.epp", + { 'service_name' => 'pam', - 'options' => $custom_options - }) + 'options' => $custom_options, + }, + ) } else { - $_content = template("${module_name}/service/pam.erb") + $_content = epp( + "${module_name}/service/pam.epp", + { + 'description' => $description, + 'debug_level' => $debug_level, + 'debug_timestamps' => $debug_timestamps, + 'debug_microseconds' => $debug_microseconds, + 'pam_cert_auth' => $pam_cert_auth, + 'reconnection_retries' => $reconnection_retries, + 'command' => $command, + 'offline_credentials_expiration' => $offline_credentials_expiration, + 'offline_failed_login_attempts' => $offline_failed_login_attempts, + 'offline_failed_login_delay' => $offline_failed_login_delay, + 'pam_verbosity' => $pam_verbosity, + 'pam_id_timeout' => $pam_id_timeout, + 'pam_pwd_expiration_warning' => $pam_pwd_expiration_warning, + 'get_domains_timeout' => $get_domains_timeout, + 'pam_trusted_users' => $pam_trusted_users, + 'pam_public_domains' => $pam_public_domains, + }, + ) } sssd::config::entry { 'puppet_service_pam': - content => $_content + content => $_content, } } diff --git a/manifests/service/ssh.pp b/manifests/service/ssh.pp index 0840943..6cf0a17 100644 --- a/manifests/service/ssh.pp +++ b/manifests/service/ssh.pp 
@@ -28,19 +28,31 @@ Boolean $debug_microseconds = false, Boolean $ssh_hash_known_hosts = true, Optional[Integer] $ssh_known_hosts_timeout = undef, - Optional[Hash] $custom_options = undef - + Optional[Hash] $custom_options = undef, ) { if $custom_options { - $_content = epp("${module_name}/service/custom_options.epp", { + $_content = epp( + "${module_name}/service/custom_options.epp", + { 'service_name' => 'ssh', - 'options' => $custom_options - }) + 'options' => $custom_options, + }, + ) } else { - $_content = template("${module_name}/service/ssh.erb") + $_content = epp( + "${module_name}/service/ssh.epp", + { + 'description' => $description, + 'debug_level' => $debug_level, + 'debug_timestamps' => $debug_timestamps, + 'debug_microseconds' => $debug_microseconds, + 'ssh_hash_known_hosts' => $ssh_hash_known_hosts, + 'ssh_known_hosts_timeout' => $ssh_known_hosts_timeout, + }, + ) } sssd::config::entry { 'puppet_service_ssh': - content => $_content + content => $_content, } } diff --git a/manifests/service/sudo.pp b/manifests/service/sudo.pp index 3da72fa..eb978fa 100644 --- a/manifests/service/sudo.pp +++ b/manifests/service/sudo.pp 
@@ -29,20 +29,32 @@ Boolean $debug_microseconds = false, Boolean $sudo_timed = false, Integer[1] $sudo_threshold = 50, - Optional[Hash] $custom_options = undef - + Optional[Hash] $custom_options = undef, ) { if $custom_options { - $_content = epp("${module_name}/service/custom_options.epp", { + $_content = epp( + "${module_name}/service/custom_options.epp", + { 'service_name' => 'sudo', - 'options' => $custom_options - }) + 'options' => $custom_options, + }, + ) } else { - $_content = template("${module_name}/service/sudo.erb") + $_content = epp( + "${module_name}/service/sudo.epp", + { + 'description' => $description, + 'debug_level' => $debug_level, + 'debug_timestamps' => $debug_timestamps, + 'debug_microseconds' => $debug_microseconds, + 'sudo_timed' => $sudo_timed, + 'sudo_threshold' => $sudo_threshold, + }, + ) } sssd::config::entry { 'puppet_service_sudo': - content => $_content + content => $_content, } $_override_content = @(END) @@ -58,15 +70,15 @@ systemd::dropin_file { '00_sssd_sudo_user_group.conf': unit => 'sssd-sudo.service', content => $_override_content, - selinux_ignore_defaults => true + selinux_ignore_defaults => true, } service { 'sssd-sudo.socket': enable => true, require => [ Sssd::Config::Entry['puppet_service_sudo'], - Systemd::Dropin_file['00_sssd_sudo_user_group.conf'] + Systemd::Dropin_file['00_sssd_sudo_user_group.conf'], ], - notify => Class["${module_name}::service"] + notify => Class["${module_name}::service"], } } diff --git a/templates/provider/ad.epp b/templates/provider/ad.epp new file mode 100644 index 0000000..b3b1d7c --- /dev/null +++ b/templates/provider/ad.epp 
@@ -0,0 +1,212 @@ +<% | + Optional[String[1]] $ad_domain, + Optional[Array[String[1],1]] $ad_enabled_domains, + Optional[Array[Variant[Simplib::Hostname, Enum['_srv_']]]] $ad_servers, + Optional[Array[Simplib::Hostname,1]] $ad_backup_servers, + Optional[Simplib::Hostname] $ad_hostname, + Optional[Boolean] $ad_enable_dns_sites, + Optional[Array[String[1],1]] $ad_access_filters, + Optional[String[1]] $ad_site, + Optional[Boolean] $ad_enable_gc, + Optional[Enum['disabled','enforcing','permissive']] $ad_gpo_access_control, + Optional[Integer[1]] $ad_gpo_cache_timeout, + Optional[Array[String[1],1]] $ad_gpo_map_interactive, + Optional[Array[String[1],1]] $ad_gpo_map_remote_interactive, + Optional[Array[String[1],1]] $ad_gpo_map_network, + Optional[Array[String[1],1]] $ad_gpo_map_batch, + Optional[Array[String[1],1]] $ad_gpo_map_service, + Optional[Array[String[1],1]] $ad_gpo_map_permit, + Optional[Array[String[1],1]] $ad_gpo_map_deny, + Optional[Sssd::ADDefaultRight] $ad_gpo_default_right, + Optional[Boolean] $ad_gpo_implicit_deny, + Optional[Boolean] $ad_gpo_ignore_unreadable, + Optional[Integer[0]] $ad_maximum_machine_account_password_age, + Optional[Pattern['^\d+:\d+$']] $ad_machine_account_password_renewal_opts, + Optional[String[1]] $default_shell, + Boolean $dyndns_update, + Optional[Integer] $dyndns_ttl, + Optional[Array[String[1],1]] $dyndns_ifaces, + Optional[Integer] $dyndns_refresh_interval, + Optional[Boolean] $dyndns_update_ptr, + Optional[Boolean] $dyndns_force_tcp, + Optional[Simplib::Hostname] $dyndns_server, + Optional[String[1]] $override_homedir, + Optional[String[1]] $fallback_homedir, + Optional[Stdlib::Absolutepath] $homedir_substring, + Optional[String[1]] $krb5_realm, + Optional[Variant[Enum['none'],Stdlib::Absolutepath]] $krb5_confd_path, + Optional[Boolean] $krb5_use_enterprise_principal, + Boolean $krb5_store_password_if_offline, + Boolean $ldap_id_mapping, + Optional[String[1]] $ldap_schema, + Optional[Integer[0]] $ldap_idmap_range_min, + 
Optional[Integer[1]] $ldap_idmap_range_max, + Optional[Integer[1]] $ldap_idmap_range_size, + Optional[String[1]] $ldap_idmap_default_domain_sid, + Optional[String[1]] $ldap_idmap_default_domain, + Optional[Boolean] $ldap_idmap_autorid_compat, + Optional[Integer[1]] $ldap_idmap_helper_table_size, + Boolean $ldap_use_tokengroups, + Optional[String[1]] $ldap_group_objectsid, + Optional[String[1]] $ldap_user_objectsid, + Optional[String[1]] $ldap_user_extra_attrs, + Optional[String[1]] $ldap_user_ssh_public_key, +| -%> +[domain/<%= $title %>] +# sssd::provider::ad +<% if $ad_domain { -%> +ad_domain = <%= $ad_domain %> +<% } -%> +<% if $ad_enabled_domains { -%> +ad_enabled_domains = <%= $ad_enabled_domains.join(', ') %> +<% } -%> +<% if $ad_servers { -%> +ad_server = <%= $ad_servers.join(', ') %> +<% if $ad_backup_servers { -%> +ad_backup_server = <%= $ad_backup_servers.join(', ') %> +<% } -%> +<% } -%> +<% if $ad_hostname { -%> +ad_hostname = <%= $ad_hostname %> +<% } -%> +<% unless $ad_enable_dns_sites.nil? -%> +ad_enable_dns_sites = <%= $ad_enable_dns_sites %> +<% } -%> +<% if $ad_access_filters { -%> +ad_access_filter = <%= $ad_access_filters.join('?') %> +<% } -%> +<% if $ad_site { -%> +ad_site = <%= $ad_site %> +<% } -%> +<% unless $ad_enable_gc.nil? 
-%> +ad_enable_gc = <%= $ad_enable_gc %> +<% } -%> +<% if $ad_gpo_access_control { -%> +ad_gpo_access_control = <%= $ad_gpo_access_control %> +<% } -%> +<% if $ad_gpo_cache_timeout { -%> +ad_gpo_cache_timeout = <%= $ad_gpo_cache_timeout %> +<% } -%> +<% if $ad_gpo_map_interactive { -%> +ad_gpo_map_interactive = <%= $ad_gpo_map_interactive.join(', ') %> +<% } -%> +<% if $ad_gpo_map_remote_interactive { -%> +ad_gpo_map_remote_interactive = <%= $ad_gpo_map_remote_interactive.join(', ') %> +<% } -%> +<% if $ad_gpo_map_network { -%> +ad_gpo_map_network = <%= $ad_gpo_map_network.join(', ') %> +<% } -%> +<% if $ad_gpo_map_batch { -%> +ad_gpo_map_batch = <%= $ad_gpo_map_batch.join(', ') %> +<% } -%> +<% if $ad_gpo_map_service { -%> +ad_gpo_map_service = <%= $ad_gpo_map_service.join(', ') %> +<% } -%> +<% if $ad_gpo_map_permit { -%> +ad_gpo_map_permit = <%= $ad_gpo_map_permit.join(', ') %> +<% } -%> +<% if $ad_gpo_map_deny { -%> +ad_gpo_map_deny = <%= $ad_gpo_map_deny.join(', ') %> +<% } -%> +<% if $ad_gpo_default_right { -%> +ad_gpo_default_right = <%= $ad_gpo_default_right %> +<% } -%> +<% unless $ad_gpo_implicit_deny.nil? -%> +ad_gpo_implicit_deny = <%= $ad_gpo_implicit_deny %> +<% } -%> +<% unless $ad_gpo_ignore_unreadable.nil? -%> +ad_gpo_ignore_unreadable = <%= $ad_gpo_ignore_unreadable %> +<% } -%> +<% if $ad_maximum_machine_account_password_age { -%> +ad_maximum_machine_account_password_age = <%= $ad_maximum_machine_account_password_age %> +<% } -%> +<% if $ad_machine_account_password_renewal_opts { -%> +ad_machine_account_password_renewal_opts = <%= $ad_machine_account_password_renewal_opts %> +<% } -%> +<% if $default_shell { -%> +default_shell = <%= $default_shell %> +<% } -%> +<% unless $dyndns_update.nil? 
-%> +dyndns_update = <%= $dyndns_update %> +<% } -%> +<% if $dyndns_update { -%> +<% if $dyndns_ttl { -%> +dyndns_ttl = <%= $dyndns_ttl %> +<% } -%> +<% if $dyndns_ifaces { -%> +dyndns_iface = <%= $dyndns_ifaces.join(', ') %> +<% } -%> +<% if $dyndns_refresh_interval { -%> +dyndns_refresh_interval = <%= $dyndns_refresh_interval %> +<% } -%> +<% unless $dyndns_update_ptr.nil? -%> +dyndns_update_ptr = <%= $dyndns_update_ptr %> +<% } -%> +<% unless $dyndns_force_tcp.nil? -%> +dyndns_force_tcp = <%= $dyndns_force_tcp %> +<% } -%> +<% if $dyndns_server { -%> +dyndns_server = <%= $dyndns_server %> +<% } -%> +<% } -%> +<% if $override_homedir { -%> +override_homedir = <%= $override_homedir %> +<% } -%> +<% if $homedir_substring { -%> +homedir_substring = <%= $homedir_substring %> +<% } -%> +<% if $fallback_homedir { -%> +fallback_homedir = <%= $fallback_homedir %> +<% } -%> +<% if $krb5_realm { -%> +krb5_realm = <%= $krb5_realm %> +<% } -%> +<% if $krb5_confd_path { -%> +krb5_confd_path = <%= $krb5_confd_path %> +<% } -%> +<% unless $krb5_use_enterprise_principal.nil? -%> +krb5_use_enterprise_principal = <%= $krb5_use_enterprise_principal %> +<% } -%> +<% unless $krb5_store_password_if_offline.nil? 
-%> +krb5_store_password_if_offline = <%= $krb5_store_password_if_offline %> +<% } -%> +ldap_id_mapping = <%= $ldap_id_mapping %> +<% if $ldap_id_mapping { -%> +<% if $ldap_schema { -%> +ldap_schema = <%= $ldap_schema %> +<% } -%> +<% if $ldap_idmap_range_min { -%> +ldap_idmap_range_min = <%= $ldap_idmap_range_min %> +<% } -%> +<% if $ldap_idmap_range_max { -%> +ldap_idmap_range_max = <%= $ldap_idmap_range_max %> +<% } -%> +<% if $ldap_idmap_range_size { -%> +ldap_idmap_range_size = <%= $ldap_idmap_range_size %> +<% } -%> +<% if $ldap_idmap_default_domain_sid { -%> +ldap_idmap_default_domain_sid = <%= $ldap_idmap_default_domain_sid %> +<% } -%> +<% if $ldap_idmap_default_domain { -%> +ldap_idmap_default_domain = <%= $ldap_idmap_default_domain %> +<% } -%> +<% unless $ldap_idmap_autorid_compat.nil? -%> +ldap_idmap_autorid_compat = <%= $ldap_idmap_autorid_compat %> +<% } -%> +<% if $ldap_idmap_helper_table_size { -%> +ldap_idmap_helper_table_size = <%= $ldap_idmap_helper_table_size %> +<% } -%> +<% } -%> +ldap_use_tokengroups = <%= $ldap_use_tokengroups %> +<% if $ldap_group_objectsid { -%> +ldap_group_objectsid = <%= $ldap_group_objectsid %> +<% } -%> +<% if $ldap_user_objectsid { -%> +ldap_user_objectsid = <%= $ldap_user_objectsid %> +<% } -%> +<% if $ldap_user_extra_attrs { -%> +ldap_user_extra_attrs = <%= $ldap_user_extra_attrs %> +<% } -%> +<% if $ldap_user_ssh_public_key { -%> +ldap_user_ssh_public_key = <%= $ldap_user_ssh_public_key %> +<% } -%> diff --git a/templates/provider/ad.erb b/templates/provider/ad.erb deleted file mode 100644 index 2698861..0000000 --- a/templates/provider/ad.erb +++ /dev/null 
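Review bot: The `unless` guards carried over from ERB still use Ruby's `.nil?` and omit the opening brace, e.g. `<% unless $ad_enable_dns_sites.nil? -%>`, so this template cannot parse as EPP even though each guard is closed with `<% } -%>`. The same applies to the ad_enable_gc, ad_gpo_implicit_deny, ad_gpo_ignore_unreadable, dyndns_update, dyndns_update_ptr, dyndns_force_tcp, krb5_use_enterprise_principal, krb5_store_password_if_offline and ldap_idmap_autorid_compat guards. The form ipa.epp uses in this same commit is the fix: `<% unless $ad_enable_dns_sites =~ Undef { -%>`. Separately, `Pattern['^\d+:\d+$']` on `$ad_machine_account_password_renewal_opts` anchors per line, so a value containing a newline still validates and is rendered verbatim into the `[domain/…]` section; `Pattern['\A\d+:\d+\z']` pins the whole string.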
@@ -1,158 +0,0 @@ -[domain/<%= @title %>] -# sssd::provider::ad -<% if @ad_domain -%> -ad_domain = <%= @ad_domain %> -<% end -%> -<% if @ad_enabled_domains -%> -ad_enabled_domains = <%= @ad_enabled_domains.join(', ') %> -<% end -%> -<% if @ad_servers -%> -ad_server = <%= @ad_servers.join(', ') %> -<% if @ad_backup_servers -%> -ad_backup_server = <%= @ad_backup_servers.join(', ') %> -<% end -%> -<% end -%> -<% if @ad_hostname -%> -ad_hostname = <%= @ad_hostname %> -<% end -%> -<% unless @ad_enable_dns_sites.nil? -%> -ad_enable_dns_sites = <%= @ad_enable_dns_sites %> -<% end -%> -<% if @ad_access_filters -%> -ad_access_filter = <%= @ad_access_filters.join('?') %> -<% end -%> -<% if @ad_site -%> -ad_site = <%= @ad_site %> -<% end -%> -<% unless @ad_enable_gc.nil? -%> -ad_enable_gc = <%= @ad_enable_gc %> -<% end -%> -<% if @ad_gpo_access_control -%> -ad_gpo_access_control = <%= @ad_gpo_access_control %> -<% end -%> -<% if @ad_gpo_cache_timeout -%> -ad_gpo_cache_timeout = <%= @ad_gpo_cache_timeout %> -<% end -%> -<% if @ad_gpo_map_interactive -%> -ad_gpo_map_interactive = <%= @ad_gpo_map_interactive.join(', ') %> -<% end -%> -<% if @ad_gpo_map_remote_interactive -%> -ad_gpo_map_remote_interactive = <%= @ad_gpo_map_remote_interactive.join(', ') %> -<% end -%> -<% if @ad_gpo_map_network -%> -ad_gpo_map_network = <%= @ad_gpo_map_network.join(', ') %> -<% end -%> -<% if @ad_gpo_map_batch -%> -ad_gpo_map_batch = <%= @ad_gpo_map_batch.join(', ') %> -<% end -%> -<% if @ad_gpo_map_service -%> -ad_gpo_map_service = <%= @ad_gpo_map_service.join(', ') %> -<% end -%> -<% if @ad_gpo_map_permit -%> -ad_gpo_map_permit = <%= @ad_gpo_map_permit.join(', ') %> -<% end -%> -<% if @ad_gpo_map_deny -%> -ad_gpo_map_deny = <%= @ad_gpo_map_deny.join(', ') %> -<% end -%> -<% if @ad_gpo_default_right -%> -ad_gpo_default_right = <%= @ad_gpo_default_right %> -<% end -%> -<% unless @ad_gpo_implicit_deny.nil? 
-%> -ad_gpo_implicit_deny = <%= @ad_gpo_implicit_deny %> -<% end -%> -<% unless @ad_gpo_ignore_unreadable.nil? -%> -ad_gpo_ignore_unreadable = <%= @ad_gpo_ignore_unreadable %> -<% end -%> -<% if @ad_maximum_machine_account_password_age -%> -ad_maximum_machine_account_password_age = <%= @ad_maximum_machine_account_password_age %> -<% end -%> -<% if @ad_machine_account_password_renewal_opts -%> -ad_machine_account_password_renewal_opts = <%= @ad_machine_account_password_renewal_opts %> -<% end -%> -<% if @default_shell -%> -default_shell = <%= @default_shell %> -<% end -%> -<% unless @dyndns_update.nil? -%> -dyndns_update = <%= @dyndns_update %> -<% end -%> -<% if @dyndns_update -%> -<% if @dyndns_ttl -%> -dyndns_ttl = <%= @dyndns_ttl %> -<% end -%> -<% if @dyndns_ifaces -%> -dyndns_iface = <%= @dyndns_ifaces.join(', ') %> -<% end -%> -<% if @dyndns_refresh_interval -%> -dyndns_refresh_interval = <%= @dyndns_refresh_interval %> -<% end -%> -<% unless @dyndns_update_ptr.nil? -%> -dyndns_update_ptr = <%= @dyndns_update_ptr %> -<% end -%> -<% unless @dyndns_force_tcp.nil? -%> -dyndns_force_tcp = <%= @dyndns_force_tcp %> -<% end -%> -<% if @dyndns_server -%> -dyndns_server = <%= @dyndns_server %> -<% end -%> -<% end -%> -<% if @override_homedir -%> -override_homedir = <%= @override_homedir %> -<% end -%> -<% if @homedir_substring -%> -homedir_substring = <%= @homedir_substring %> -<% end -%> -<% if @fallback_homedir -%> -fallback_homedir = <%= @fallback_homedir %> -<% end -%> -<% if @krb5_realm -%> -krb5_realm = <%= @krb5_realm %> -<% end -%> -<% if @krb5_confd_path -%> -krb5_confd_path = <%= @krb5_confd_path %> -<% end -%> -<% unless @krb5_use_enterprise_principal.nil? -%> -krb5_use_enterprise_principal = <%= @krb5_use_enterprise_principal %> -<% end -%> -<% unless @krb5_store_password_if_offline.nil? 
-%> -krb5_store_password_if_offline = <%= @krb5_store_password_if_offline.to_s %> -<% end -%> -ldap_id_mapping = <%= @ldap_id_mapping %> -<% if @ldap_id_mapping -%> -<% if @ldap_schema -%> -ldap_schema = <%= @ldap_schema %> -<% end -%> -<% if @ldap_idmap_range_min -%> -ldap_idmap_range_min = <%= @ldap_idmap_range_min %> -<% end -%> -<% if @ldap_idmap_range_max -%> -ldap_idmap_range_max = <%= @ldap_idmap_range_max %> -<% end -%> -<% if @ldap_idmap_range_size -%> -ldap_idmap_range_size = <%= @ldap_idmap_range_size %> -<% end -%> -<% if @ldap_idmap_default_domain_sid -%> -ldap_idmap_default_domain_sid = <%= @ldap_idmap_default_domain_sid %> -<% end -%> -<% if @ldap_idmap_default_domain -%> -ldap_idmap_default_domain = <%= @ldap_idmap_default_domain %> -<% end -%> -<% unless @ldap_idmap_autorid_compat.nil? -%> -ldap_idmap_autorid_compat = <%= @ldap_idmap_autorid_compat %> -<% end -%> -<% if @ldap_idmap_helper_table_size -%> -ldap_idmap_helper_table_size = <%= @ldap_idmap_helper_table_size %> -<% end -%> -<% end -%> -ldap_use_tokengroups = <%= @ldap_use_tokengroups %> -<% if @ldap_group_objectsid -%> -ldap_group_objectsid = <%= @ldap_group_objectsid %> -<% end -%> -<% if @ldap_user_objectsid -%> -ldap_user_objectsid = <%= @ldap_user_objectsid %> -<% end -%> -<% if @ldap_user_extra_attrs -%> -ldap_user_extra_attrs = <%= @ldap_user_extra_attrs %> -<% end -%> -<% if @ldap_user_ssh_public_key -%> -ldap_user_ssh_public_key = <%= @ldap_user_ssh_public_key %> -<% end -%> diff --git a/templates/provider/files.epp b/templates/provider/files.epp new file mode 100644 index 0000000..5203731 --- /dev/null +++ b/templates/provider/files.epp 
@@ -0,0 +1,12 @@
+<% |
+ Optional[Array[Stdlib::Absolutepath]] $passwd_files,
+ Optional[Array[Stdlib::Absolutepath]] $group_files,
+| -%>
+[domain/<%= $title %>]
+# sssd::provider::files
+<% if $passwd_files and ! $passwd_files.empty { -%>
+passwd_files = <%= $passwd_files.join(', ') %>
+<% } -%>
+<% if $group_files and ! $group_files.empty { -%>
+group_files = <%= $group_files.join(', ') %>
+<% } -%>
diff --git a/templates/provider/files.erb b/templates/provider/files.erb
deleted file mode 100644
index d40255b..0000000
--- a/templates/provider/files.erb
+++ /dev/null
@@ -1,8 +0,0 @@
-[domain/<%= @title %>]
-# sssd::provider::files
-<% if @passwd_files and ! @passwd_files.empty? -%>
-passwd_files = <%= @passwd_files.join(', ') %>
-<% end -%>
-<% if @group_files and ! @group_files.empty? -%>
-group_files = <%= @group_files.join(', ') %>
-<% end -%>
diff --git a/templates/provider/ipa.epp b/templates/provider/ipa.epp
new file mode 100644
index 0000000..0ddb6ed
--- /dev/null
+++ b/templates/provider/ipa.epp
@@ -0,0 +1,97 @@ +<% | + String[1] $ipa_domain, + Array[Simplib::Host] $ipa_server, + Optional[Array[Simplib::Host]] $ipa_backup_server, + Boolean $ipa_enable_dns_sites, + Simplib::Hostname $ipa_hostname, + Boolean $ipa_server_mode, + Enum['none','GSS-TSIG'] $dyndns_auth, + Optional[Boolean] $dyndns_force_tcp, + Optional[Array[String[1]]] $dyndns_iface, + Optional[Integer[0]] $dyndns_refresh_interval, + Optional[Simplib::Host] $dyndns_server, + Optional[Integer[0]] $dyndns_ttl, + Boolean $dyndns_update, + Optional[Boolean] $dyndns_update_ptr, + Optional[String] $ipa_automount_location, + Optional[Integer[0]] $ipa_hbac_refresh, + Optional[String] $ipa_hbac_search_base, + Optional[Integer[0]] $ipa_hbac_selinux, + Optional[String] $ipa_host_search_base, + Optional[String] $ipa_master_domains_search_base, + Optional[String] $ipa_selinux_search_base, + Optional[String] $ipa_subdomains_search_base, + Optional[String] $ipa_views_search_base, + Optional[Stdlib::AbsolutePath] $krb5_confd_path, + Optional[String] $krb5_realm, + Boolean $krb5_store_password_if_offline, + Stdlib::AbsolutePath $ldap_tls_cacert, + Array[String] $ldap_tls_cipher_suite, + Boolean $use_service_discovery, +| -%> +[domain/<%= $title %>] +# sssd::provider::ipa +ipa_domain = <%= $ipa_domain %> +ipa_server = <%= $_ipa_server.join(',') %> +<% unless $ipa_backup_server =~ Undef { -%> +ipa_backup_server = <%= $ipa_backup_server.join(',') %> +<% } -%> +ipa_enable_dns_sites = <%= $ipa_enable_dns_sites %> +ipa_hostname = <%= $ipa_hostname %> +ipa_server_mode = <%= $ipa_server_mode %> +dyndns_auth = <%= $dyndns_auth %> +<% unless $dyndns_force_tcp =~ Undef { -%> +dyndns_force_tcp = <%= $dyndns_force_tcp %> +<% } -%> +<% unless $dyndns_iface =~ Undef { -%> +dyndns_iface = <%= $dyndns_iface.join(',') %> +<% } -%> +<% unless $dyndns_refresh_interval =~ Undef { -%> +dyndns_refresh_interval = <%= $dyndns_refresh_interval %> +<% } -%> +<% unless $dyndns_server =~ Undef { -%> +dyndns_server = <%= $dyndns_server %> 
+<% } -%> +<% unless $dyndns_ttl =~ Undef { -%> +dyndns_ttl = <%= $dyndns_ttl %> +<% } -%> +dyndns_update = <%= $dyndns_update %> +<% unless $dyndns_update_ptr =~ Undef { -%> +dyndns_update_ptr = <%= $dyndns_update_ptr %> +<% } -%> +<% unless $ipa_automount_location =~ Undef { -%> +ipa_automount_location = <%= $ipa_automount_location %> +<% } -%> +<% unless $ipa_hbac_refresh =~ Undef { -%> +ipa_hbac_refresh = <%= $ipa_hbac_refresh %> +<% } -%> +<% unless $ipa_hbac_search_base =~ Undef { -%> +ipa_hbac_search_base = <%= $ipa_hbac_search_base %> +<% } -%> +<% unless $ipa_hbac_selinux =~ Undef { -%> +ipa_hbac_selinux = <%= $ipa_hbac_selinux %> +<% } -%> +<% unless $ipa_host_search_base =~ Undef { -%> +ipa_host_search_base = <%= $ipa_host_search_base %> +<% } -%> +<% unless $ipa_master_domains_search_base =~ Undef { -%> +ipa_master_domains_search_base = <%= $ipa_master_domains_search_base %> +<% } -%> +<% unless $ipa_selinux_search_base =~ Undef { -%> +ipa_selinux_search_base = <%= $ipa_selinux_search_base %> +<% } -%> +<% unless $ipa_subdomains_search_base =~ Undef { -%> +ipa_subdomains_search_base = <%= $ipa_subdomains_search_base %> +<% } -%> +<% unless $ipa_views_search_base =~ Undef { -%> +ipa_views_search_base = <%= $ipa_views_search_base %> +<% } -%> +<% unless $krb5_confd_path =~ Undef { -%> +krb5_confd_path = <%= $krb5_confd_path %> +<% } -%> +<% unless $krb5_realm =~ Undef { -%> +krb5_realm = <%= $krb5_realm %> +<% } -%> +krb5_store_password_if_offline = <%= $krb5_store_password_if_offline %> +ldap_tls_cacert = <%= $ldap_tls_cacert %> +ldap_tls_cipher_suite = <%= $ldap_tls_cipher_suite.join(':') %> diff --git a/templates/provider/ipa.erb b/templates/provider/ipa.erb deleted file mode 100644 index 7142c01..0000000 --- a/templates/provider/ipa.erb +++ /dev/null 
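Review bot: `ipa_server = <%= $_ipa_server.join(',') %>` references `$_ipa_server`, which is not in the template's parameter block, while the declared `Array[Simplib::Host] $ipa_server` is never rendered. Unless the calling define still sets a `$_ipa_server` local that the template picks up from the enclosing scope (not visible in this diff), the line should read `ipa_server = <%= $ipa_server.join(',') %>`; otherwise drop the unused parameter so the dependency on the caller's local is explicit rather than silently unused. A short comment in the parameter block noting that `$ldap_tls_cacert` and `$ldap_tls_cipher_suite` are mandatory for this provider would also help, since the ad template in this commit makes the TLS settings optional.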
@@ -1,66 +0,0 @@ -[domain/<%= @title %>] -# sssd::provider::ipa -ipa_domain = <%= @ipa_domain %> -ipa_server = <%= @_ipa_server.join(',') %> -<% unless @ipa_backup_server.nil? -%> -ipa_backup_server = <%= @ipa_backup_server.join(',') %> -<% end -%> -ipa_enable_dns_sites = <%= @ipa_enable_dns_sites %> -ipa_hostname = <%= @ipa_hostname %> -ipa_server_mode = <%= @ipa_server_mode %> -dyndns_auth = <%= @dyndns_auth %> -<% unless @dyndns_force_tcp.nil? -%> -dyndns_force_tcp = <%= @dyndns_force_tcp %> -<% end -%> -<% unless @dyndns_iface.nil? -%> -dyndns_iface = <%= @dyndns_iface.join(',') %> -<% end -%> -<% unless @dyndns_refresh_interval.nil? -%> -dyndns_refresh_interval = <%= @dyndns_refresh_interval %> -<% end -%> -<% unless @dyndns_server.nil? -%> -dyndns_server = <%= @dyndns_server %> -<% end -%> -<% unless @dyndns_ttl.nil? -%> -dyndns_ttl = <%= @dyndns_ttl %> -<% end -%> -dyndns_update = <%= @dyndns_update %> -<% unless @dyndns_update_ptr.nil? -%> -dyndns_update_ptr = <%= @dyndns_update_ptr %> -<% end -%> -<% unless @ipa_automount_location.nil? -%> -ipa_automount_location = <%= @ipa_automount_location %> -<% end -%> -<% unless @ipa_hbac_refresh.nil? -%> -ipa_hbac_refresh = <%= @ipa_hbac_refresh %> -<% end -%> -<% unless @ipa_hbac_search_base.nil? -%> -ipa_hbac_search_base = <%= @ipa_hbac_search_base %> -<% end -%> -<% unless @ipa_hbac_selinux.nil? -%> -ipa_hbac_selinux = <%= @ipa_hbac_selinux %> -<% end -%> -<% unless @ipa_host_search_base.nil? -%> -ipa_host_search_base = <%= @ipa_host_search_base %> -<% end -%> -<% unless @ipa_master_domains_search_base.nil? -%> -ipa_master_domains_search_base = <%= @ipa_master_domains_search_base %> -<% end -%> -<% unless @ipa_selinux_search_base.nil? -%> -ipa_selinux_search_base = <%= @ipa_selinux_search_base %> -<% end -%> -<% unless @ipa_subdomains_search_base.nil? -%> -ipa_subdomains_search_base = <%= @ipa_subdomains_search_base %> -<% end -%> -<% unless @ipa_views_search_base.nil? 
-%> -ipa_views_search_base = <%= @ipa_views_search_base %> -<% end -%> -<% unless @krb5_confd_path.nil? -%> -krb5_confd_path = <%= @krb5_confd_path %> -<% end -%> -<% unless @krb5_realm.nil? -%> -krb5_realm = <%= @krb5_realm %> -<% end -%> -krb5_store_password_if_offline = <%= @krb5_store_password_if_offline %> -ldap_tls_cacert = <%= @ldap_tls_cacert %> -ldap_tls_cipher_suite = <%= @ldap_tls_cipher_suite.join(':') %> diff --git a/templates/provider/ldap.epp b/templates/provider/ldap.epp new file mode 100644 index 0000000..f670035 --- /dev/null +++ b/templates/provider/ldap.epp 
@@ -0,0 +1,352 @@
+<% |
+ Optional[Sssd::DebugLevel] $debug_level,
+ Optional[Boolean] $debug_timestamps,
+ Boolean $debug_microseconds,
+ Optional[Array[Simplib::URI,1]] $ldap_uri,
+ Optional[Array[Simplib::URI,1]] $ldap_backup_uri,
+ Optional[Array[Simplib::URI,1]] $ldap_chpass_uri,
+ Optional[Array[Simplib::URI,1]] $ldap_chpass_backup_uri,
+ Boolean $ldap_chpass_update_last_change,
+ Optional[String[1]] $ldap_search_base,
+ Sssd::LdapSchema $ldap_schema,
+ Optional[String[1]] $ldap_default_bind_dn,
+ Optional[Sssd::LdapDefaultAuthtok] $ldap_default_authtok_type,
+ Optional[String[1]] $ldap_default_authtok,
+ Optional[String[1]] $ldap_user_cert,
+ Optional[String[1]] $ldap_user_object_class,
+ Optional[String[1]] $ldap_user_name,
+ Optional[String[1]] $ldap_user_uid_number,
+ Optional[String[1]] $ldap_user_gid_number,
+ Optional[String[1]] $ldap_user_gecos,
+ Optional[String[1]] $ldap_user_home_directory,
+ Optional[String[1]] $ldap_user_shell,
+ Optional[String[1]] $ldap_user_uuid,
+ Optional[String[1]] $ldap_user_objectsid,
+ Optional[String[1]] $ldap_user_modify_timestamp,
+ Optional[String[1]] $ldap_user_shadow_last_change,
+ Optional[String[1]] $ldap_user_shadow_min,
+ Optional[String[1]] $ldap_user_shadow_max,
+ Optional[String[1]] $ldap_user_shadow_warning,
+ Optional[String[1]] $ldap_user_shadow_inactive,
+ Optional[String[1]] $ldap_user_shadow_expire,
+ Optional[String[1]] $ldap_user_krb_last_pwd_change,
+ Optional[String[1]] $ldap_user_krb_password_expiration,
+ Optional[String[1]] $ldap_user_ad_account_expires,
+ Optional[String[1]] $ldap_user_ad_user_account_control,
+ Optional[String[1]] $ldap_ns_account_lock,
+ Optional[String[1]] $ldap_user_nds_login_disabled,
+ Optional[String[1]] $ldap_user_nds_login_expiration_time,
+ Optional[String[1]] $ldap_user_nds_login_allowed_time_map,
+ Optional[String[1]] $ldap_user_principal,
+ Optional[Array[String[1],1]] $ldap_user_extra_attrs,
+ Optional[String[1]] $ldap_user_ssh_public_key,
+ Boolean
$ldap_force_upper_case_realm,
+ Optional[Integer[0]] $ldap_enumeration_refresh_timeout,
+ Optional[Integer[0]] $ldap_purge_cache_timeout,
+ Optional[String[1]] $ldap_user_fullname,
+ Optional[String[1]] $ldap_user_member_of,
+ Optional[String[1]] $ldap_user_authorized_service,
+ Optional[String[1]] $ldap_user_authorized_host,
+ Optional[String[1]] $ldap_group_object_class,
+ Optional[String[1]] $ldap_group_name,
+ Optional[String[1]] $ldap_group_gid_number,
+ Optional[String[1]] $ldap_group_member,
+ Optional[String[1]] $ldap_group_uuid,
+ Optional[String[1]] $ldap_group_objectsid,
+ Optional[String[1]] $ldap_group_modify_timestamp,
+ Optional[Integer] $ldap_group_type,
+ Optional[Integer] $ldap_group_nesting_level,
+ Boolean $ldap_groups_use_matching_rule_in_chain,
+ Boolean $ldap_initgroups_use_matching_rule_in_chain,
+ Boolean $ldap_use_tokengroups,
+ Optional[String[1]] $ldap_netgroup_object_class,
+ Optional[String[1]] $ldap_netgroup_name,
+ Optional[String[1]] $ldap_netgroup_member,
+ Optional[String[1]] $ldap_netgroup_triple,
+ Optional[String[1]] $ldap_netgroup_uuid,
+ Optional[String[1]] $ldap_netgroup_modify_timestamp,
+ Optional[String[1]] $ldap_service_name,
+ Optional[String[1]] $ldap_service_port,
+ Optional[String[1]] $ldap_service_proto,
+ Optional[String[1]] $ldap_service_search_base,
+ Optional[Integer[0]] $ldap_search_timeout,
+ Optional[Integer[0]] $ldap_enumeration_search_timeout,
+ Optional[Integer[0]] $ldap_network_timeout,
+ Optional[Integer[0]] $ldap_opt_timeout,
+ Optional[Integer[0]] $ldap_connection_expire_timeout,
+ Optional[Integer[0]] $ldap_page_size,
+ Boolean $ldap_disable_paging,
+ Boolean $ldap_disable_range_retrieval,
+ Optional[Integer] $ldap_sasl_minssf,
+ Optional[Integer[0]] $ldap_deref_threshold,
+ Sssd::LdapTlsReqcert $ldap_tls_reqcert,
+ Optional[String[1]] $ldap_tls_cacert,
+ Optional[Stdlib::Absolutepath] $app_pki_ca_dir,
+ Optional[Stdlib::Absolutepath] $app_pki_key,
+ Optional[Stdlib::Absolutepath] $app_pki_cert,
+
Boolean $strip_128_bit_ciphers,
+ Array[String[1]] $ldap_tls_cipher_suite,
+ Boolean $ldap_id_use_start_tls,
+ Boolean $ldap_id_mapping,
+ Optional[Integer[0]] $ldap_min_id,
+ Optional[Integer[0]] $ldap_max_id,
+ Optional[String[1]] $ldap_sasl_mech,
+ Optional[String[1]] $ldap_sasl_authid,
+ Optional[String[1]] $ldap_sasl_realm,
+ Boolean $ldap_sasl_canonicalize,
+ Optional[Stdlib::Absolutepath] $ldap_krb5_keytab,
+ Boolean $ldap_krb5_init_creds,
+ Optional[Integer] $ldap_krb5_ticket_lifetime,
+ Optional[Array[String[1],1]] $krb5_server,
+ Optional[Array[String[1],1]] $krb5_backup_server,
+ Optional[String[1]] $krb5_realm,
+ Boolean $krb5_canonicalize,
+ Boolean $krb5_use_kdcinfo,
+ Sssd::LdapAccountExpirePol $ldap_account_expire_policy,
+ Enum['none','shadow','mit_kerberos'] $ldap_pwd_policy,
+ Boolean $ldap_referrals,
+ Optional[String[1]] $ldap_dns_service_name,
+ Optional[String[1]] $ldap_chpass_dns_service_name,
+ Optional[String[1]] $ldap_access_filter,
+ Sssd::LdapAccessOrder $ldap_access_order,
+ Optional[String[1]] $ldap_pwdlockout_dn,
+ Optional[Sssd::LdapDeref] $ldap_deref,
+ Optional[String[1]] $ldap_sudorule_object_class,
+ Optional[String[1]] $ldap_sudorule_name,
+ Optional[String[1]] $ldap_sudorule_command,
+ Optional[String[1]] $ldap_sudorule_host,
+ Optional[String[1]] $ldap_sudorule_user,
+ Optional[String[1]] $ldap_sudorule_option,
+ Optional[String[1]] $ldap_sudorule_runasuser,
+ Optional[String[1]] $ldap_sudorule_runasgroup,
+ Optional[String[1]] $ldap_sudorule_notbefore,
+ Optional[String[1]] $ldap_sudorule_notafter,
+ Optional[String[1]] $ldap_sudorule_order,
+ Optional[Integer[0]] $ldap_sudo_full_refresh_interval,
+ Optional[Integer[0]] $ldap_sudo_smart_refresh_interval,
+ Boolean $ldap_sudo_use_host_filter,
+ Optional[Array[String[1],1]] $ldap_sudo_hostnames,
+ Optional[Array[String[1],1]] $ldap_sudo_ip,
+ Boolean $ldap_sudo_include_netgroups,
+ Boolean $ldap_sudo_include_regexp,
+ Optional[String[1]] $ldap_autofs_map_master_name,
+
Optional[String[1]] $ldap_autofs_map_object_class,
+ Optional[String[1]] $ldap_autofs_map_name,
+ Optional[String[1]] $ldap_autofs_entry_object_class,
+ Optional[String[1]] $ldap_autofs_entry_key,
+ Optional[String[1]] $ldap_autofs_entry_value,
+# Be careful with the following options!
+ Optional[String[1]] $ldap_netgroup_search_base,
+ Optional[String[1]] $ldap_user_search_base,
+ Optional[String[1]] $ldap_group_search_base,
+ Optional[String[1]] $ldap_sudo_search_base,
+ Optional[String[1]] $ldap_autofs_search_base,
+# Advanced Configuration - Read the man page
+ Optional[Integer[0]] $ldap_idmap_range_min,
+ Optional[Integer[0]] $ldap_idmap_range_max,
+ Optional[Integer[0]] $ldap_idmap_range_size,
+ Optional[String[1]] $ldap_idmap_default_domain_sid,
+ Optional[String[1]] $ldap_idmap_default_domain,
+ Boolean $ldap_idmap_autorid_compat,
+ Boolean $client_tls,
+| -%>
+[domain/<%= $title %>]
+# sssd::provider::ldap
+<%
+# Simply too many options to make it more confusing than this...
+ _string_params = [
+ 'debug_level',
+ 'debug_timestamps',
+ 'debug_microseconds',
+ 'ldap_search_base',
+ 'ldap_schema',
+ 'ldap_default_bind_dn',
+ 'ldap_default_authtok_type',
+ 'ldap_default_authtok',
+ 'ldap_user_cert',
+ 'ldap_user_object_class',
+ 'ldap_user_name',
+ 'ldap_user_uid_number',
+ 'ldap_user_gid_number',
+ 'ldap_user_gecos',
+ 'ldap_user_home_directory',
+ 'ldap_user_shell',
+ 'ldap_user_uuid',
+ 'ldap_user_objectsid',
+ 'ldap_user_modify_timestamp',
+ 'ldap_user_shadow_last_change',
+ 'ldap_user_shadow_min',
+ 'ldap_user_shadow_max',
+ 'ldap_user_shadow_warning',
+ 'ldap_user_shadow_inactive',
+ 'ldap_user_shadow_expire',
+ 'ldap_user_krb_last_pwd_change',
+ 'ldap_user_krb_password_expiration',
+ 'ldap_user_ad_account_expires',
+ 'ldap_user_ad_user_account_control',
+ 'ldap_ns_account_lock',
+ 'ldap_user_nds_login_disabled',
+ 'ldap_user_nds_login_expiration_time',
+ 'ldap_user_nds_login_allowed_time_map',
+ 'ldap_user_principal',
+ 'ldap_user_ssh_public_key',
+
'ldap_force_upper_case_realm',
+ 'ldap_enumeration_refresh_timeout',
+ 'ldap_purge_cache_timeout',
+ 'ldap_user_fullname',
+ 'ldap_user_member_of',
+ 'ldap_user_authorized_service',
+ 'ldap_user_authorized_host',
+ 'ldap_group_object_class',
+ 'ldap_group_name',
+ 'ldap_group_gid_number',
+ 'ldap_group_member',
+ 'ldap_group_uuid',
+ 'ldap_group_objectsid',
+ 'ldap_group_modify_timestamp',
+ 'ldap_group_type',
+ 'ldap_group_nesting_level',
+ 'ldap_use_tokengroups',
+ 'ldap_netgroup_object_class',
+ 'ldap_netgroup_name',
+ 'ldap_netgroup_member',
+ 'ldap_netgroup_triple',
+ 'ldap_netgroup_uuid',
+ 'ldap_netgroup_modify_timestamp',
+ 'ldap_service_name',
+ 'ldap_service_port',
+ 'ldap_service_proto',
+ 'ldap_service_search_base',
+ 'ldap_search_timeout',
+ 'ldap_enumeration_search_timeout',
+ 'ldap_network_timeout',
+ 'ldap_opt_timeout',
+ 'ldap_connection_expire_timeout',
+ 'ldap_page_size',
+ 'ldap_disable_paging',
+ 'ldap_disable_range_retrieval',
+ 'ldap_sasl_minssf',
+ 'ldap_deref_threshold',
+ 'ldap_tls_reqcert',
+ 'ldap_tls_cacert',
+ 'ldap_tls_cacertdir',
+ 'ldap_tls_cert',
+ 'ldap_tls_key',
+ 'ldap_id_use_start_tls',
+ 'ldap_id_mapping',
+ 'ldap_min_id',
+ 'ldap_max_id',
+ 'ldap_sasl_mech',
+ 'ldap_sasl_authid',
+ 'ldap_sasl_realm',
+ 'ldap_sasl_canonicalize',
+ 'ldap_krb5_keytab',
+ 'ldap_krb5_init_creds',
+ 'ldap_krb5_ticket_lifetime',
+ 'krb5_realm',
+ 'krb5_canonicalize',
+ 'krb5_use_kdcinfo',
+ 'ldap_pwd_policy',
+ 'ldap_referrals',
+ 'ldap_dns_service_name',
+ 'ldap_chpass_dns_service_name',
+ 'ldap_chpass_update_last_change',
+ 'ldap_access_filter',
+ '_ldap_account_expire_policy',
+ 'ldap_pwdlockout_dn',
+ 'ldap_deref',
+ 'ldap_sudorule_object_class',
+ 'ldap_sudorule_name',
+ 'ldap_sudorule_command',
+ 'ldap_sudorule_host',
+ 'ldap_sudorule_user',
+ 'ldap_sudorule_option',
+ 'ldap_sudorule_runasuser',
+ 'ldap_sudorule_runasgroup',
+ 'ldap_sudorule_notbefore',
+ 'ldap_sudorule_notafter',
+ 'ldap_sudorule_order',
+ 'ldap_sudo_full_refresh_interval',
+
'ldap_sudo_smart_refresh_interval',
+ 'ldap_sudo_use_host_filter',
+ 'ldap_sudo_include_netgroups ',
+ 'ldap_sudo_include_regexp',
+ 'ldap_autofs_map_master_name',
+ 'ldap_autofs_map_object_class',
+ 'ldap_autofs_map_name',
+ 'ldap_autofs_entry_object_class',
+ 'ldap_autofs_entry_key',
+ 'ldap_autofs_entry_value',
+ 'ldap_netgroup_search_base',
+ 'ldap_user_search_base',
+ 'ldap_group_search_base',
+ 'ldap_sudo_search_base',
+ 'ldap_autofs_search_base',
+ 'ldap_idmap_range_min',
+ 'ldap_idmap_range_max',
+ 'ldap_idmap_range_size',
+ 'ldap_idmap_default_domain_sid',
+ 'ldap_idmap_default_domain',
+ 'ldap_idmap_autorid_compat'
+ ]
+
+ #options only available in sssd v1 (the version used prior to el8)
+ _string_params_v1 = [
+ 'ldap_groups_use_matching_rule_in_chain',
+ 'ldap_initgroups_use_matching_rule_in_chain',
+ ]
+
+ _array_params = {
+ 'ldap_uri' => ',',
+ 'ldap_backup_uri' => ',',
+ 'ldap_chpass_uri' => ',',
+ 'ldap_chpass_backup_uri' => ',',
+ 'ldap_user_extra_attrs' => ',',
+ 'ldap_tls_cipher_suite' => ':',
+ 'ldap_access_order' => ',',
+ 'ldap_sudo_hostnames' => ' ',
+ 'ldap_sudo_ip' => ' ',
+ 'krb5_server' => ',',
+ 'krb5_backup_server' => ','
+ }
+
+ if $facts['sssd_version'] =~ Undef {
+ if $facts['os']['release']['major'] < '8'
+ $_sssd_major_version = 1
+ else
+ $_sssd_major_version = 2
+ }
+ else
+ $_sssd_major_version = Integer($facts['sssd_version'].split('.').first)
+ }
+
+ _output = []
+ _string_params.each do |param|
+ value = eval(%(@#{param}))
+
+ # Make sure to distinguish between nil and false, as we may need to
+ # set a parameter to false in this config!
+ unless value =~ Undef {
+ _output << %(#{param.sub(/^_/,'')} = #{value})
+ }
+ }
+
+ # if os < el8 add in params used in sssd V1 only
+ if $_sssd_major_version < 2
+ _string_params_v1.each do |param|
+ value = eval(%(@#{param}))
+ unless value =~ Undef {
+ _output << %(#{param.sub(/^_/,'')} = #{value})
+ }
+ }
+ }
+
+ _array_params.keys.each do |param|
+ value = eval(%(@#{param}))
+
+ if value && !value.empty?
+ _output << %(#{param.sub(/^_/,'')} = #{Array(value).uniq.join(_array_params[param])})
+ }
+ }
+-%>
+<%= _output.sort.join("\n") %>
diff --git a/templates/provider/ldap.erb b/templates/provider/ldap.erb
deleted file mode 100644
index aa95bd6..0000000
--- a/templates/provider/ldap.erb
+++ /dev/null
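Review bot: The code between `_string_params = [` and `<%= _output.sort.join("\n") %>` is still Ruby, not Puppet — `eval(%(@#{param}))`, `do |param|` blocks closed with `}`, `_output << …`, `%(…)` strings, `param.sub(/^_/,'')`, variables without `$` and an `if … < '8'` with no `{` — so the EPP parser will reject this template the first time `epp('sssd/provider/ldap.epp', …)` is evaluated. The option lists also name `ldap_tls_cacertdir`, `ldap_tls_cert`, `ldap_tls_key` and `_ldap_account_expire_policy`, which the parameter block does not declare (it has `$app_pki_ca_dir`, `$app_pki_cert`, `$app_pki_key` and `$ldap_account_expire_policy`), and `$title` is used without being declared; a template with a parameter block cannot see the caller's scope, so the client TLS cert/key and CA directory would silently disappear from the rendered domain. Smaller carry-overs from the ERB: `'ldap_sudo_include_netgroups '` keeps a trailing space that defeats a name-based lookup, `split('.')` is a regex split in Puppet (use `'\.'`), and the `< '8'` string comparison misorders `'10'`. The rewrite below keeps the same sorted output using Puppet iteration, resolving option names through `getvar` (confirm it sees template-block parameters under `strict_variables`; an explicit name-to-value hash is the alternative).
```puppet
<% |
  # … unchanged: parameter list, plus `String $title,` and declarations for the
  #   names the option lists look up (`$ldap_tls_cacertdir`, `$ldap_tls_cert`,
  #   `$ldap_tls_key`, `$_ldap_account_expire_policy`) …
| -%>
[domain/<%= $title %>]
# sssd::provider::ldap
<%
  # … unchanged: $_string_params, $_string_params_v1 and $_array_params literals,
  #   assigned with a leading `$`, 'ldap_sudo_include_netgroups' without the trailing space …

  $_sssd_major_version = if $facts['sssd_version'] =~ Undef {
    if versioncmp(String($facts['os']['release']['major']), '8') < 0 { 1 } else { 2 }
  } else {
    Integer($facts['sssd_version'].split('\.')[0])
  }

  # v1-only options are appended on hosts running sssd 1.x
  $_active_params = $_sssd_major_version < 2 ? {
    true    => $_string_params + $_string_params_v1,
    default => $_string_params,
  }

  # undef means "not set"; false must still be written out, so test for Undef, not truthiness
  $_set_params   = $_active_params.filter |$param| { getvar($param) !~ Undef }
  $_string_lines = $_set_params.map |$param| {
    "${regsubst($param, '^_', '')} = ${getvar($param)}"
  }

  $_set_arrays = $_array_params.filter |$param, $sep| {
    $value = getvar($param)
    $value !~ Undef and !$value.empty
  }
  $_array_lines = $_set_arrays.map |$param, $sep| {
    "${regsubst($param, '^_', '')} = ${unique(Array(getvar($param))).join($sep)}"
  }
-%>
<%= ($_string_lines + $_array_lines).sort.join("\n") %>
```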
@@ -1,200 +0,0 @@
-[domain/<%= @title %>]
-# sssd::provider::ldap
-<%
-# Simply too many options to make it more confusing than this...
- _string_params = [
- 'debug_level',
- 'debug_timestamps',
- 'debug_microseconds',
- 'ldap_search_base',
- 'ldap_schema',
- 'ldap_default_bind_dn',
- 'ldap_default_authtok_type',
- 'ldap_default_authtok',
- 'ldap_user_cert',
- 'ldap_user_object_class',
- 'ldap_user_name',
- 'ldap_user_uid_number',
- 'ldap_user_gid_number',
- 'ldap_user_gecos',
- 'ldap_user_home_directory',
- 'ldap_user_shell',
- 'ldap_user_uuid',
- 'ldap_user_objectsid',
- 'ldap_user_modify_timestamp',
- 'ldap_user_shadow_last_change',
- 'ldap_user_shadow_min',
- 'ldap_user_shadow_max',
- 'ldap_user_shadow_warning',
- 'ldap_user_shadow_inactive',
- 'ldap_user_shadow_expire',
- 'ldap_user_krb_last_pwd_change',
- 'ldap_user_krb_password_expiration',
- 'ldap_user_ad_account_expires',
- 'ldap_user_ad_user_account_control',
- 'ldap_ns_account_lock',
- 'ldap_user_nds_login_disabled',
- 'ldap_user_nds_login_expiration_time',
- 'ldap_user_nds_login_allowed_time_map',
- 'ldap_user_principal',
- 'ldap_user_ssh_public_key',
- 'ldap_force_upper_case_realm',
- 'ldap_enumeration_refresh_timeout',
- 'ldap_purge_cache_timeout',
- 'ldap_user_fullname',
- 'ldap_user_member_of',
- 'ldap_user_authorized_service',
- 'ldap_user_authorized_host',
- 'ldap_group_object_class',
- 'ldap_group_name',
- 'ldap_group_gid_number',
- 'ldap_group_member',
- 'ldap_group_uuid',
- 'ldap_group_objectsid',
- 'ldap_group_modify_timestamp',
- 'ldap_group_type',
- 'ldap_group_nesting_level',
- 'ldap_use_tokengroups',
- 'ldap_netgroup_object_class',
- 'ldap_netgroup_name',
- 'ldap_netgroup_member',
- 'ldap_netgroup_triple',
- 'ldap_netgroup_uuid',
- 'ldap_netgroup_modify_timestamp',
- 'ldap_service_name',
- 'ldap_service_port',
- 'ldap_service_proto',
- 'ldap_service_search_base',
- 'ldap_search_timeout',
- 'ldap_enumeration_search_timeout',
- 'ldap_network_timeout',
- 'ldap_opt_timeout',
-
'ldap_connection_expire_timeout',
- 'ldap_page_size',
- 'ldap_disable_paging',
- 'ldap_disable_range_retrieval',
- 'ldap_sasl_minssf',
- 'ldap_deref_threshold',
- 'ldap_tls_reqcert',
- 'ldap_tls_cacert',
- 'ldap_tls_cacertdir',
- 'ldap_tls_cert',
- 'ldap_tls_key',
- 'ldap_id_use_start_tls',
- 'ldap_id_mapping',
- 'ldap_min_id',
- 'ldap_max_id',
- 'ldap_sasl_mech',
- 'ldap_sasl_authid',
- 'ldap_sasl_realm',
- 'ldap_sasl_canonicalize',
- 'ldap_krb5_keytab',
- 'ldap_krb5_init_creds',
- 'ldap_krb5_ticket_lifetime',
- 'krb5_realm',
- 'krb5_canonicalize',
- 'krb5_use_kdcinfo',
- 'ldap_pwd_policy',
- 'ldap_referrals',
- 'ldap_dns_service_name',
- 'ldap_chpass_dns_service_name',
- 'ldap_chpass_update_last_change',
- 'ldap_access_filter',
- '_ldap_account_expire_policy',
- 'ldap_pwdlockout_dn',
- 'ldap_deref',
- 'ldap_sudorule_object_class',
- 'ldap_sudorule_name',
- 'ldap_sudorule_command',
- 'ldap_sudorule_host',
- 'ldap_sudorule_user',
- 'ldap_sudorule_option',
- 'ldap_sudorule_runasuser',
- 'ldap_sudorule_runasgroup',
- 'ldap_sudorule_notbefore',
- 'ldap_sudorule_notafter',
- 'ldap_sudorule_order',
- 'ldap_sudo_full_refresh_interval',
- 'ldap_sudo_smart_refresh_interval',
- 'ldap_sudo_use_host_filter',
- 'ldap_sudo_include_netgroups ',
- 'ldap_sudo_include_regexp',
- 'ldap_autofs_map_master_name',
- 'ldap_autofs_map_object_class',
- 'ldap_autofs_map_name',
- 'ldap_autofs_entry_object_class',
- 'ldap_autofs_entry_key',
- 'ldap_autofs_entry_value',
- 'ldap_netgroup_search_base',
- 'ldap_user_search_base',
- 'ldap_group_search_base',
- 'ldap_sudo_search_base',
- 'ldap_autofs_search_base',
- 'ldap_idmap_range_min',
- 'ldap_idmap_range_max',
- 'ldap_idmap_range_size',
- 'ldap_idmap_default_domain_sid',
- 'ldap_idmap_default_domain',
- 'ldap_idmap_autorid_compat'
- ]
-
- #options only available in sssd v1 (the version used prior to el8)
- _string_params_v1 = [
- 'ldap_groups_use_matching_rule_in_chain',
- 'ldap_initgroups_use_matching_rule_in_chain',
- ]
-
- _array_params = {
- 'ldap_uri' => ',',
- 'ldap_backup_uri' => ',',
- 'ldap_chpass_uri' => ',',
- 'ldap_chpass_backup_uri' => ',',
- 'ldap_user_extra_attrs' => ',',
- 'ldap_tls_cipher_suite' => ':',
- 'ldap_access_order' => ',',
- 'ldap_sudo_hostnames' => ' ',
- 'ldap_sudo_ip' => ' ',
- 'krb5_server' => ',',
- 'krb5_backup_server' => ','
- }
-
- if @facts['sssd_version'].nil?
- if @facts['os']['release']['major'] < '8'
- _sssd_major_version = 1
- else
- _sssd_major_version = 2
- end
- else
- _sssd_major_version = @facts['sssd_version'].split('.').first.to_i
- end
-
- _output = []
- _string_params.each do |param|
- value = eval(%(@#{param}))
-
- # Make sure to distinguish between nil and false, as we may need to
- # set a parameter to false in this config!
- unless value.nil?
- _output << %(#{param.sub(/^_/,'')} = #{value.to_s})
- end
- end
-
- # if os < el8 add in params used in sssd V1 only
- if _sssd_major_version < 2
- _string_params_v1.each do |param|
- value = eval(%(@#{param}))
- unless value.nil?
- _output << %(#{param.sub(/^_/,'')} = #{value.to_s})
- end
- end
- end
-
- _array_params.keys.each do |param|
- value = eval(%(@#{param}))
-
- if value && !value.empty?
- _output << %(#{param.sub(/^_/,'')} = #{Array(value).uniq.join(_array_params[param])})
- end
- end
--%>
-<%= _output.sort.join("\n") %>
diff --git a/templates/service/autofs.epp b/templates/service/autofs.epp
new file mode 100644
index 0000000..3b1bb6b
--- /dev/null
+++ b/templates/service/autofs.epp
@@ -0,0 +1,22 @@
+<% |
+ Optional[String] $description,
+ Optional[Sssd::DebugLevel] $debug_level,
+ Boolean $debug_timestamps,
+ Boolean $debug_microseconds,
+ Optional[Integer] $autofs_negative_timeout,
+ Optional[Hash] $custom_options,
+| -%>
+
+# sssd::service::autofs
+[autofs]
+<% if $description { -%>
+description = <%= $description %>
+<% } -%>
+<% if $debug_level { -%>
+debug_level = <%= $debug_level %>
+<% } -%>
+debug_timestamps = <%= $debug_timestamps %>
+debug_microseconds = <%= $debug_microseconds %>
+<% if $autofs_negative_timeout { -%>
+autofs_negative_timeout = <%= $autofs_negative_timeout %>
+<% } -%>
diff --git a/templates/service/autofs.erb b/templates/service/autofs.erb
deleted file mode 100644
index e3729bc..0000000
--- a/templates/service/autofs.erb
+++ /dev/null
@@ -1,14 +0,0 @@
-
-# sssd::service::autofs
-[autofs]
-<% if @description -%>
-description = <%= @description %>
-<% end -%>
-<% if @debug_level -%>
-debug_level = <%= @debug_level.to_s %>
-<% end -%>
-debug_timestamps = <%= @debug_timestamps.to_s %>
-debug_microseconds = <%= @debug_microseconds.to_s %>
-<% if @autofs_negative_timeout -%>
-autofs_negative_timeout = <%= @autofs_negative_timeout.to_s %>
-<% end -%>
diff --git a/templates/service/ifp.epp b/templates/service/ifp.epp
new file mode 100644
index 0000000..0c851cf
--- /dev/null
+++ b/templates/service/ifp.epp
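Review bot: `Optional[Hash] $custom_options` is declared in the autofs.epp parameter block but nothing in the template reads it, so a value passed through `epp()` has no effect here; pac.epp in this commit declares the same unused parameter. If the manifest writes custom options through another path, drop the declaration from both templates; otherwise they need to render it. The ERB files being replaced did not render it either, so this is inherited rather than introduced by the migration.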
@@ -0,0 +1,28 @@
+<% |
+ Optional[String] $description,
+ Optional[Sssd::Debuglevel] $debug_level,
+ Boolean $debug_timestamps,
+ Boolean $debug_microseconds,
+ Optional[Integer[0]] $wildcard_limit,
+ Optional[Array[String[1]]] $allowed_uids,
+ Optional[Array[String[1]]] $user_attributes,
+| -%>
+# sssd::service::ifp
+[ifp]
+<% if $description { -%>
+description = <%= $description %>
+<% } -%>
+<% if $debug_level { -%>
+debug_level = <%= $debug_level %>
+<% } -%>
+debug_timestamps = <%= $debug_timestamps %>
+debug_microseconds = <%= $debug_microseconds %>
+<% if $allowed_uids { -%>
+allowed_uids = <%= $allowed_uids.join(', ') %>
+<% } -%>
+<% if $user_attributes { -%>
+user_attributes = <%= $user_attributes.join(', ') %>
+<% } -%>
+<% if $wildcard_limit { -%>
+wildcard_limit = <%= $wildcard_limit %>
+<% } -%>
diff --git a/templates/service/ifp.erb b/templates/service/ifp.erb
deleted file mode 100644
index e3ee5e6..0000000
--- a/templates/service/ifp.erb
+++ /dev/null
@@ -1,19 +0,0 @@
-# sssd::service::ifp
-[ifp]
-<% if @description -%>
-description = <%= @description %>
-<% end -%>
-<% if @debug_level -%>
-debug_level = <%= @debug_level %>
-<% end -%>
-debug_timestamps = <%= @debug_timestamps.to_s %>
-debug_microseconds = <%= @debug_microseconds.to_s %>
-<% if @allowed_uids -%>
-allowed_uids = <%= @allowed_uids.join(', ') %>
-<% end -%>
-<% if @user_attributes -%>
-user_attributes = <%= @user_attributes.join(', ') %>
-<% end -%>
-<% if @wildcard_limit -%>
-wildcard_limit = <%= @wildcard_limit.to_s %>
-<% end -%>
diff --git a/templates/service/nss.epp b/templates/service/nss.epp
new file mode 100644
index 0000000..4a31156
--- /dev/null
+++ b/templates/service/nss.epp
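Review bot: The ifp.epp parameter block spells the debug-level alias `Sssd::Debuglevel`, while autofs.epp, nss.epp, pac.epp, pam.epp and ssh.epp in the same commit write `Sssd::DebugLevel` (sudo.epp has the same lowercase form as this file). Puppet may well resolve the alias case-insensitively, but the two spellings read as two different types to anyone auditing the templates; `Optional[Sssd::DebugLevel] $debug_level,` keeps them consistent.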
@@ -0,0 +1,68 @@
+<% |
+ Optional[String] $description,
+ Optional[Sssd::DebugLevel] $debug_level,
+ Boolean $debug_timestamps,
+ Boolean $debug_microseconds,
+ Integer $reconnection_retries,
+ Optional[Integer] $fd_limit,
+ Optional[String] $command,
+ Integer $enum_cache_timeout,
+ Integer $entry_cache_nowait_percentage,
+ Integer $entry_negative_timeout,
+ String $filter_users,
+ String $filter_groups,
+ Boolean $filter_users_in_groups,
+ Optional[String] $override_homedir,
+ Optional[String] $fallback_homedir,
+ Optional[String] $override_shell,
+ Optional[String] $vetoed_shells,
+ Optional[String] $default_shell,
+ Optional[Integer] $get_domains_timeout,
+ Optional[Integer] $memcache_timeout,
+ Optional[String] $user_attributes,
+| -%>
+
+# sssd::service::nss
+[nss]
+<% if $description { -%>
+description = <%= $description %>
+<% } -%>
+<% if $debug_level { -%>
+debug_level = <%= $debug_level %>
+<% } -%>
+debug_timestamps = <%= $debug_timestamps %>
+debug_microseconds = <%= $debug_microseconds %>
+reconnection_retries = <%= $reconnection_retries %>
+<% if $command { -%>
+command = <%= $command %>
+<% } -%>
+enum_cache_timeout = <%= $enum_cache_timeout %>
+entry_cache_nowait_percentage = <%= $entry_cache_nowait_percentage %>
+entry_negative_timeout = <%= $entry_negative_timeout %>
+filter_users = <%= $filter_users %>
+filter_groups = <%= $filter_groups %>
+filter_users_in_groups = <%= $filter_users_in_groups %>
+<% if $override_homedir { -%>
+override_homedir = <%= $override_homedir %>
+<% } -%>
+<% if $fallback_homedir { -%>
+fallback_homedir = <%= $fallback_homedir %>
+<% } -%>
+<% if $override_shell { -%>
+override_shell = <%= $override_shell %>
+<% } -%>
+<% if $vetoed_shells { -%>
+vetoed_shells = <%= $vetoed_shells%>
+<% } -%>
+<% if $default_shell { -%>
+default_shell = <%= $default_shell %>
+<% } -%>
+<% if $get_domains_timeout { -%>
+get_domains_timeout = <%= $get_domains_timeout %>
+<% } -%>
+<% if $memcache_timeout { -%>
+memcache_timeout = <%=
$memcache_timeout %>
+<% } -%>
+<% if $user_attributes { -%>
+user_attributes = <%= $user_attributes %>
+<% } -%>
diff --git a/templates/service/nss.erb b/templates/service/nss.erb
deleted file mode 100644
index 6404cc3..0000000
--- a/templates/service/nss.erb
+++ /dev/null
@@ -1,45 +0,0 @@
-
-# sssd::service::nss
-[nss]
-<% if @description -%>
-description = <%= @description %>
-<% end -%>
-<% if @debug_level -%>
-debug_level = <%= @debug_level %>
-<% end -%>
-debug_timestamps = <%= @debug_timestamps.to_s %>
-debug_microseconds = <%= @debug_microseconds.to_s %>
-reconnection_retries = <%= @reconnection_retries.to_s %>
-<% if @command -%>
-command = <%= @command %>
-<% end -%>
-enum_cache_timeout = <%= @enum_cache_timeout.to_s %>
-entry_cache_nowait_percentage = <%= @entry_cache_nowait_percentage.to_s %>
-entry_negative_timeout = <%= @entry_negative_timeout.to_s %>
-filter_users = <%= @filter_users %>
-filter_groups = <%= @filter_groups %>
-filter_users_in_groups = <%= @filter_users_in_groups.to_s %>
-<% if @override_homedir -%>
-override_homedir = <%= @override_homedir %>
-<% end -%>
-<% if @fallback_homedir -%>
-fallback_homedir = <%= @fallback_homedir %>
-<% end -%>
-<% if @override_shell -%>
-override_shell = <%= @override_shell %>
-<% end -%>
-<% if @vetoed_shells -%>
-vetoed_shells = <%= @vetoed_shells%>
-<% end -%>
-<% if @default_shell -%>
-default_shell = <%= @default_shell %>
-<% end -%>
-<% if @get_domains_timeout -%>
-get_domains_timeout = <%= @get_domains_timeout.to_s %>
-<% end -%>
-<% if @memcache_timeout -%>
-memcache_timeout = <%= @memcache_timeout.to_s %>
-<% end -%>
-<% if @user_attributes -%>
-user_attributes = <%= @user_attributes %>
-<% end -%>
diff --git a/templates/service/pac.epp b/templates/service/pac.epp
new file mode 100644
index 0000000..7233f25
--- /dev/null
+++ b/templates/service/pac.epp
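Review bot: `Optional[Integer] $fd_limit` is declared in the nss.epp parameter block but never rendered, so the option cannot reach `[nss]` through this template; either add `<% if $fd_limit { -%>` / `fd_limit = <%= $fd_limit %>` / `<% } -%>` beside the other optional lines, or drop the parameter if the manifest handles it elsewhere. `vetoed_shells = <%= $vetoed_shells%>` is also the one line missing the space before `%>`, carried over from the ERB; it renders fine but stands out when scanning the file.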
@@ -0,0 +1,22 @@
+<% |
+ Optional[String] $description,
+ Optional[Sssd::DebugLevel] $debug_level,
+ Boolean $debug_timestamps,
+ Boolean $debug_microseconds,
+ Array[String] $allowed_uids,
+ Optional[Hash] $custom_options,
+| -%>
+
+# sssd::service::pac
+[pac]
+<% if $description { -%>
+description = <%= $description %>
+<% } -%>
+<% if $debug_level { -%>
+debug_level = <%= $debug_level %>
+<% } -%>
+debug_timestamps = <%= $debug_timestamps %>
+debug_microseconds = <%= $debug_microseconds %>
+<% unless $allowed_uids.empty { -%>
+allowed_uids = <%= Array($allowed_uids).join(',') %>
+<% } -%>
diff --git a/templates/service/pac.erb b/templates/service/pac.erb
deleted file mode 100644
index 74fe9fb..0000000
--- a/templates/service/pac.erb
+++ /dev/null
@@ -1,14 +0,0 @@
-
-# sssd::service::pac
-[pac]
-<% if @description -%>
-description = <%= @description %>
-<% end -%>
-<% if @debug_level -%>
-debug_level = <%= @debug_level %>
-<% end -%>
-debug_timestamps = <%= @debug_timestamps.to_s %>
-debug_microseconds = <%= @debug_microseconds.to_s %>
-<% unless @allowed_uids.empty? -%>
-allowed_uids = <%= Array(@allowed_uids).join(',') %>
-<% end -%>
diff --git a/templates/service/pam.epp b/templates/service/pam.epp
new file mode 100644
index 0000000..74204fe
--- /dev/null
+++ b/templates/service/pam.epp
@@ -0,0 +1,51 @@
+<% |
+ Optional[String] $description,
+ Optional[Sssd::DebugLevel] $debug_level,
+ Boolean $debug_timestamps,
+ Boolean $debug_microseconds,
+ Boolean $pam_cert_auth,
+ Integer $reconnection_retries,
+ Optional[String] $command,
+ Integer $offline_credentials_expiration,
+ Integer $offline_failed_login_attempts,
+ Integer $offline_failed_login_delay,
+ Integer $pam_verbosity,
+ Integer $pam_id_timeout,
+ Integer $pam_pwd_expiration_warning,
+ Optional[Integer] $get_domains_timeout,
+ Optional[String] $pam_trusted_users,
+ Optional[String] $pam_public_domains,
+| -%>
+
+# sssd::service::pam
+[pam]
+<% if $description { -%>
+description = <%= $description %>
+<% } -%>
+<% if $debug_level { -%>
+debug_level = <%= $debug_level %>
+<% } -%>
+debug_timestamps = <%= $debug_timestamps %>
+debug_microseconds = <%= $debug_microseconds %>
+reconnection_retries = <%= $reconnection_retries %>
+<% if $command { -%>
+command = <%= $command %>
+<% } -%>
+offline_credentials_expiration = <%= $offline_credentials_expiration %>
+offline_failed_login_attempts = <%= $offline_failed_login_attempts %>
+offline_failed_login_delay = <%= $offline_failed_login_delay %>
+pam_verbosity = <%= $pam_verbosity %>
+pam_id_timeout = <%= $pam_id_timeout %>
+pam_pwd_expiration_warning = <%= $pam_pwd_expiration_warning %>
+<% if $get_domains_timeout { -%>
+get_domains_timeout = <%= $get_domains_timeout %>
+<% } -%>
+<% if $pam_trusted_users { -%>
+pam_trusted_users = <%= $pam_trusted_users %>
+<% } -%>
+<% if $pam_public_domains { -%>
+pam_public_domains = <%= $pam_public_domains %>
+<% } -%>
+<% if $pam_cert_auth { -%>
+pam_cert_auth = True
+<% } -%>
diff --git a/templates/service/pam.erb b/templates/service/pam.erb
deleted file mode 100644
index d141c2e..0000000
--- a/templates/service/pam.erb
+++ /dev/null
@@ -1,33 +0,0 @@
-
-# sssd::service::pam
-[pam]
-<% if @description -%>
-description = <%= @description %>
-<% end -%>
-<% if @debug_level -%>
-debug_level = <%= @debug_level %>
-<% end -%>
-debug_timestamps = <%= @debug_timestamps.to_s %>
-debug_microseconds = <%= @debug_microseconds.to_s %>
-reconnection_retries = <%= @reconnection_retries.to_s %>
-<% if @command -%>
-command = <%= @command %>
-<% end -%>
-offline_credentials_expiration = <%= @offline_credentials_expiration.to_s %>
-offline_failed_login_attempts = <%= @offline_failed_login_attempts.to_s %>
-offline_failed_login_delay = <%= @offline_failed_login_delay.to_s %>
-pam_verbosity = <%= @pam_verbosity.to_s %>
-pam_id_timeout = <%= @pam_id_timeout.to_s %>
-pam_pwd_expiration_warning = <%= @pam_pwd_expiration_warning.to_s %>
-<% if @get_domains_timeout -%>
-get_domains_timeout = <%= @get_domains_timeout.to_s %>
-<% end -%>
-<% if @pam_trusted_users -%>
-pam_trusted_users = <%= @pam_trusted_users %>
-<% end -%>
-<% if @pam_public_domains -%>
-pam_public_domains = <%= @pam_public_domains %>
-<% end -%>
-<% if @pam_cert_auth -%>
-pam_cert_auth = True
-<% end -%>
diff --git a/templates/service/ssh.epp b/templates/service/ssh.epp
new file mode 100644
index 0000000..84e31bc
--- /dev/null
+++ b/templates/service/ssh.epp
@@ -0,0 +1,23 @@
+<% |
+ Optional[String] $description,
+ Optional[Sssd::DebugLevel] $debug_level,
+ Boolean $debug_timestamps,
+ Boolean $debug_microseconds,
+ Boolean $ssh_hash_known_hosts,
+ Optional[Integer] $ssh_known_hosts_timeout,
+| -%>
+
+# sssd::service::ssh
+[ssh]
+<% if $description { -%>
+description = <%= $description %>
+<% } -%>
+<% if $debug_level { -%>
+debug_level = <%= $debug_level %>
+<% } -%>
+debug_timestamps = <%= $debug_timestamps %>
+debug_microseconds = <%= $debug_microseconds %>
+ssh_hash_known_hosts = <%= $ssh_hash_known_hosts %>
+<% if $ssh_known_hosts_timeout { -%>
+ssh_known_hosts_timeout = <%= $ssh_known_hosts_timeout %>
+<% } -%>
diff --git a/templates/service/ssh.erb b/templates/service/ssh.erb
deleted file mode 100644
index 0b6748d..0000000
--- a/templates/service/ssh.erb
+++ /dev/null
@@ -1,15 +0,0 @@
-
-# sssd::service::ssh
-[ssh]
-<% if @description -%>
-description = <%= @description %>
-<% end -%>
-<% if @debug_level -%>
-debug_level = <%= @debug_level %>
-<% end -%>
-debug_timestamps = <%= @debug_timestamps.to_s %>
-debug_microseconds = <%= @debug_microseconds.to_s %>
-ssh_hash_known_hosts = <%= @ssh_hash_known_hosts.to_s %>
-<% if @ssh_known_hosts_timeout -%>
-ssh_known_hosts_timeout = <%= @ssh_known_hosts_timeout.to_s %>
-<% end -%>
diff --git a/templates/service/sudo.epp b/templates/service/sudo.epp
new file mode 100644
index 0000000..ac06a70
--- /dev/null
+++ b/templates/service/sudo.epp
@@ -0,0 +1,20 @@
+<% |
+ Optional[String] $description,
+ Optional[Sssd::Debuglevel] $debug_level,
+ Boolean $debug_timestamps,
+ Boolean $debug_microseconds,
+ Boolean $sudo_timed,
+ Integer[1] $sudo_threshold,
+| -%>
+
+# sssd::service::sudo
+[sudo]
+<% if $description { -%>
+description = <%= $description %>
+<% } -%>
+<% if $debug_level { -%>
+debug_level = <%= $debug_level %>
+<% } -%>
+debug_timestamps = <%= $debug_timestamps %>
+debug_microseconds = <%= $debug_microseconds %>
+sudo_timed = <%= $sudo_timed %>
diff --git a/templates/service/sudo.erb b/templates/service/sudo.erb
deleted file mode 100644
index f934386..0000000
--- a/templates/service/sudo.erb
+++ /dev/null
@@ -1,12 +0,0 @@
-
-# sssd::service::sudo
-[sudo]
-<% if @description -%>
-description = <%= @description %>
-<% end -%>
-<% if @debug_level -%>
-debug_level = <%= @debug_level %>
-<% end -%>
-debug_timestamps = <%= @debug_timestamps.to_s %>
-debug_microseconds = <%= @debug_microseconds.to_s %>
-sudo_timed = <%= @sudo_timed.to_s %>
diff --git a/templates/sssd.conf.epp b/templates/sssd.conf.epp
new file mode 100644
index 0000000..c61427f
--- /dev/null
+++ b/templates/sssd.conf.epp
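Review bot: `Integer[1] $sudo_threshold` in sudo.epp is declared without a default, so every caller must pass it, yet the template never renders it and `[sudo]` ends at `sudo_timed`. Either emit `sudo_threshold = <%= $sudo_threshold %>` after the `sudo_timed` line or remove the parameter if the manifest consumes it elsewhere; the ERB it replaces did not render it either. The block also writes `Sssd::Debuglevel` where the other service templates in this commit write `Sssd::DebugLevel`.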
@@ -0,0 +1,63 @@
+<% |
+ Optional[String] $_description,
+ Optional[Array[String]] $_services,
+ Optional[Array[String]] $_domains,
+ String $_config_file_version,
+ Integer[0] $_reconnection_retries,
+ Optional[String] $_re_expression,
+ Optional[String] $_full_name_format,
+ Optional[Boolean] $_try_inotify,
+ Optional[String] $_krb5_rcache_dir,
+ Optional[String] $_user,
+ Optional[String] $_default_domain_suffix,
+ Optional[String] $_override_space,
+ Optional[Boolean] $_enable_files_domain,
+ Optional[Sssd::DebugLevel] $_debug_level,
+ Boolean $_debug_timestamps,
+ Boolean $_debug_microseconds,
+| -%>
+# sssd::config
+[sssd]
+<%
+ # sudo has to be started by the socket
+ unless Array($_services).empty {
+-%>
+services = <%= (Array($_services) - ['sudo']).join(',') %>
+<% } -%>
+<% if $_description { -%>
+description = <%= $_description %>
+<% } -%>
+<% unless $_domains.empty { -%>
+domains = <%= Array($_domains).join(', ') %>
+<% } -%>
+config_file_version = <%= $_config_file_version %>
+reconnection_retries = <%= $_reconnection_retries %>
+<% if $_re_expression { -%>
+re_expression = <%= $_re_expression %>
+<% } -%>
+<% if $_full_name_format { -%>
+full_name_format = <%= $_full_name_format %>
+<% } -%>
+<% unless $_try_inotify =~ Undef { -%>
+try_inotify = <%= $_try_inotify %>
+<% } -%>
+<% if $_krb5_rcache_dir { -%>
+krb5_rcache_dir = <%= $_krb5_rcache_dir %>
+<% } -%>
+<% if $_user { -%>
+user = <%= $_user %>
+<% } -%>
+<% if $_default_domain_suffix { -%>
+default_domain_suffix = <%= $_default_domain_suffix %>
+<% } -%>
+<% if $_override_space { -%>
+override_space = <%= $_override_space %>
+<% } -%>
+<% unless $_enable_files_domain =~ Undef { -%>
+enable_files_domain = <%= $_enable_files_domain %>
+<% } -%>
+<% unless $_debug_level =~ Undef { -%>
+debug_level = <%= $_debug_level %>
+<% } -%>
+debug_timestamps = <%= $_debug_timestamps %>
+debug_microseconds = <%= $_debug_microseconds %>
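Review bot: `<% unless $_domains.empty { -%>` tests a declared `Optional[Array[String]]` without the `Array()` wrapper that the `$_services` guard a few lines above uses, so the two optional list parameters are handled differently; when `$_domains` is `undef` the result depends on how `empty` treats Undef rather than on an explicit check. Writing it as `<% unless Array($_domains).empty { -%>` gives the same behaviour as the services line and matches the `Array($_domains).join(', ')` already used on the line below it.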
diff --git a/templates/sssd.conf.erb b/templates/sssd.conf.erb deleted file mode 100644 index 52c4200..0000000 --- a/templates/sssd.conf.erb +++ /dev/null @@ -1,45 +0,0 @@ -# sssd::config -[sssd] -<% - # sudo has to be started by the socket - unless Array(@_services).empty? --%> -services = <%= (Array(@_services) - ['sudo']).join(',') %> -<% end -%> -<% if @_description -%> -description = <%= @_description %> -<% end -%> -<% unless @_domains.empty? -%> -domains = <%= Array(@_domains).join(', ') %> -<% end -%> -config_file_version = <%= @_config_file_version.to_s %> -reconnection_retries = <%= @_reconnection_retries.to_s %> -<% if @_re_expression -%> -re_expression = <%= @_re_expression %> -<% end -%> -<% if @_full_name_format -%> -full_name_format = <%= @_full_name_format %> -<% end -%> -<% unless @_try_inotify.nil? -%> -try_inotify = <%= @_try_inotify.to_s %> -<% end -%> -<% if @_krb5_rcache_dir -%> -krb5_rcache_dir = <%= @_krb5_rcache_dir %> -<% end -%> -<% if @_user -%> -user = <%= @_user %> -<% end -%> -<% if @_default_domain_suffix -%> -default_domain_suffix = <%= @_default_domain_suffix %> -<% end -%> -<% if @_override_space-%> -override_space = <%= @_override_space%> -<% end -%> -<% unless @_enable_files_domain.nil? -%> -enable_files_domain = <%= @_enable_files_domain %> -<% end -%> -<% unless @_debug_level.nil? -%> -debug_level = <%= @_debug_level %> -<% end -%> -debug_timestamps = <%= @_debug_timestamps.to_s %> -debug_microseconds = <%= @_debug_microseconds.to_s %> From e38c244588d8d1349f65248a1d93b458dfe61947 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Fri, 19 Sep 2025 11:32:31 -0500 Subject: [PATCH 03/25] Formatting fix --- manifests/provider/ipa.pp | 58 +++++++++++++++++++-------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/manifests/provider/ipa.pp b/manifests/provider/ipa.pp index a2cff7e..5041c24 100644 --- a/manifests/provider/ipa.pp +++ b/manifests/provider/ipa.pp 
@@ -86,35 +86,35 @@ content => epp( "${module_name}/provider/ipa.epp", { - 'ipa_domain' => $ipa_domain, - 'ipa_server' => $ipa_server, - 'ipa_backup_server' => $ipa_backup_server, - 'ipa_enable_dns_sites' => $ipa_enable_dns_sites, - 'ipa_hostname' => $ipa_hostname, - 'ipa_server_mode' => $ipa_server_mode, - 'dyndns_auth' => $dyndns_auth, - 'dyndns_force_tcp' => $dyndns_force_tcp, - 'dyndns_iface' => $dyndns_iface, - 'dyndns_refresh_interval' => $dyndns_refresh_interval, - 'dyndns_server' => $dyndns_server, - 'dyndns_ttl' => $dyndns_ttl, - 'dyndns_update' => $dyndns_update, - 'dyndns_update_ptr' => $dyndns_update_ptr, - 'ipa_automount_location' => $ipa_automount_location, - 'ipa_hbac_refresh' => $ipa_hbac_refresh, - 'ipa_hbac_search_base' => $ipa_hbac_search_base, - 'ipa_hbac_selinux' => $ipa_hbac_selinux, - 'ipa_host_search_base' => $ipa_host_search_base, - 'ipa_master_domains_search_base' => $ipa_master_domains_search_base, - 'ipa_selinux_search_base' => $ipa_selinux_search_base, - 'ipa_subdomains_search_base' => $ipa_subdomains_search_base, - 'ipa_views_search_base' => $ipa_views_search_base, - 'krb5_confd_path' => $krb5_confd_path, - 'krb5_realm' => $krb5_realm, - 'krb5_store_password_if_offline' => $krb5_store_password_if_offline, - 'ldap_tls_cacert' => $ldap_tls_cacert, - 'ldap_tls_cipher_suite' => $ldap_tls_cipher_suite, - 'use_service_discovery' => $use_service_discovery, + 'ipa_domain' => $ipa_domain, + 'ipa_server' => $ipa_server, + 'ipa_backup_server' => $ipa_backup_server, + 'ipa_enable_dns_sites' => $ipa_enable_dns_sites, + 'ipa_hostname' => $ipa_hostname, + 'ipa_server_mode' => $ipa_server_mode, + 'dyndns_auth' => $dyndns_auth, + 'dyndns_force_tcp' => $dyndns_force_tcp, + 'dyndns_iface' => $dyndns_iface, + 'dyndns_refresh_interval' => $dyndns_refresh_interval, + 'dyndns_server' => $dyndns_server, + 'dyndns_ttl' => $dyndns_ttl, + 'dyndns_update' => $dyndns_update, + 'dyndns_update_ptr' => $dyndns_update_ptr, + 'ipa_automount_location' => 
$ipa_automount_location, + 'ipa_hbac_refresh' => $ipa_hbac_refresh, + 'ipa_hbac_search_base' => $ipa_hbac_search_base, + 'ipa_hbac_selinux' => $ipa_hbac_selinux, + 'ipa_host_search_base' => $ipa_host_search_base, + 'ipa_master_domains_search_base' => $ipa_master_domains_search_base, + 'ipa_selinux_search_base' => $ipa_selinux_search_base, + 'ipa_subdomains_search_base' => $ipa_subdomains_search_base, + 'ipa_views_search_base' => $ipa_views_search_base, + 'krb5_confd_path' => $krb5_confd_path, + 'krb5_realm' => $krb5_realm, + 'krb5_store_password_if_offline' => $krb5_store_password_if_offline, + 'ldap_tls_cacert' => $ldap_tls_cacert, + 'ldap_tls_cipher_suite' => $ldap_tls_cipher_suite, + 'use_service_discovery' => $use_service_discovery, } ), } From 2b83a889919d7d5c884bf9d37f243d5f985c0df2 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Tue, 23 Sep 2025 13:49:23 -0500 Subject: [PATCH 04/25] Syntax fixes --- templates/provider/ad.epp | 20 ++++---- templates/provider/ldap.epp | 96 ++++++++++++++++--------------------- 2 files changed, 50 insertions(+), 66 deletions(-) diff --git a/templates/provider/ad.epp b/templates/provider/ad.epp index b3b1d7c..5b884e0 100644 --- a/templates/provider/ad.epp +++ b/templates/provider/ad.epp @@ -69,7 +69,7 @@ ad_backup_server = <%= $ad_backup_servers.join(', ') %> <% if $ad_hostname { -%> ad_hostname = <%= $ad_hostname %> <% } -%> -<% unless $ad_enable_dns_sites.nil? -%> +<% unless $ad_enable_dns_sites =~ Undef { -%> ad_enable_dns_sites = <%= $ad_enable_dns_sites %> <% } -%> <% if $ad_access_filters { -%> @@ -78,7 +78,7 @@ ad_access_filter = <%= $ad_access_filters.join('?') %> <% if $ad_site { -%> ad_site = <%= $ad_site %> <% } -%> -<% unless $ad_enable_gc.nil? -%> +<% unless $ad_enable_gc =~ Undef { -%> ad_enable_gc = <%= $ad_enable_gc %> <% } -%> <% if $ad_gpo_access_control { -%> 
@@ -111,10 +111,10 @@ ad_gpo_map_deny = <%= $ad_gpo_map_deny.join(', ') %> <% if $ad_gpo_default_right { -%> ad_gpo_default_right = <%= $ad_gpo_default_right %> <% } -%> -<% unless $ad_gpo_implicit_deny.nil? -%> +<% unless $ad_gpo_implicit_deny =~ Undef { -%> ad_gpo_implicit_deny = <%= $ad_gpo_implicit_deny %> <% } -%> -<% unless $ad_gpo_ignore_unreadable.nil? -%> +<% unless $ad_gpo_ignore_unreadable =~ Undef { -%> ad_gpo_ignore_unreadable = <%= $ad_gpo_ignore_unreadable %> <% } -%> <% if $ad_maximum_machine_account_password_age { -%> @@ -126,7 +126,7 @@ ad_machine_account_password_renewal_opts = <%= $ad_machine_account_password_rene <% if $default_shell { -%> default_shell = <%= $default_shell %> <% } -%> -<% unless $dyndns_update.nil? -%> +<% unless $dyndns_update =~ Undef { -%> dyndns_update = <%= $dyndns_update %> <% } -%> <% if $dyndns_update { -%> @@ -139,10 +139,10 @@ dyndns_iface = <%= $dyndns_ifaces.join(', ') %> <% if $dyndns_refresh_interval { -%> dyndns_refresh_interval = <%= $dyndns_refresh_interval %> <% } -%> -<% unless $dyndns_update_ptr.nil? -%> +<% unless $dyndns_update_ptr =~ Undef { -%> dyndns_update_ptr = <%= $dyndns_update_ptr %> <% } -%> -<% unless $dyndns_force_tcp.nil? -%> +<% unless $dyndns_force_tcp =~ Undef { -%> dyndns_force_tcp = <%= $dyndns_force_tcp %> <% } -%> <% if $dyndns_server { -%> @@ -164,10 +164,10 @@ krb5_realm = <%= $krb5_realm %> <% if $krb5_confd_path { -%> krb5_confd_path = <%= $krb5_confd_path %> <% } -%> -<% unless $krb5_use_enterprise_principal.nil? -%> +<% unless $krb5_use_enterprise_principal =~ Undef { -%> krb5_use_enterprise_principal = <%= $krb5_use_enterprise_principal %> <% } -%> -<% unless $krb5_store_password_if_offline.nil? -%> +<% unless $krb5_store_password_if_offline =~ Undef { -%> krb5_store_password_if_offline = <%= $krb5_store_password_if_offline %> <% } -%> ldap_id_mapping = <%= $ldap_id_mapping %> 
@@ -190,7 +190,7 @@ ldap_idmap_default_domain_sid = <%= $ldap_idmap_default_domain_sid %> <% if $ldap_idmap_default_domain { -%> ldap_idmap_default_domain = <%= $ldap_idmap_default_domain %> <% } -%> -<% unless $ldap_idmap_autorid_compat.nil? -%> +<% unless $ldap_idmap_autorid_compat =~ Undef { -%> ldap_idmap_autorid_compat = <%= $ldap_idmap_autorid_compat %> <% } -%> <% if $ldap_idmap_helper_table_size { -%> diff --git a/templates/provider/ldap.epp b/templates/provider/ldap.epp index f670035..292fde1 100644 --- a/templates/provider/ldap.epp +++ b/templates/provider/ldap.epp @@ -153,8 +153,18 @@ [domain/<%= $title %>] # sssd::provider::ldap <% -# Simply too many options to make it more confusing than this... - _string_params = [ + if $facts['sssd_version'] =~ Undef { + if $facts['os']['release']['major'] < '8' { + $sssd_major_version = 1 + } else { + $sssd_major_version = 2 + } + } else { + $sssd_major_version = Integer($facts['sssd_version'].split('.').first) + } + + # Simply too many options to make it more confusing than this... + $output = [ 'debug_level', 'debug_timestamps', 'debug_microseconds', 
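Review bot: `$facts['os']['release']['major'] < '8'` compares two strings, and Puppet orders strings lexicographically, so a two-digit major such as `'10'` sorts before `'8'` and would select the sssd v1 option set; `versioncmp($facts['os']['release']['major'], '8') < 0` compares them as versions. The same comparison is kept in the patch 07 ldap.epp hunk and copied into the patch 08 ldap.pp hunk further down this page. This branch only runs when the `sssd_version` fact is absent, so it mainly matters on a first run before the package is installed. In the other branch `split('.')` passes a string pattern, which Puppet compiles as a regexp matching any character; patch 07 on this page already changes it to `split(/\./)`.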
@@ -288,65 +298,39 @@ 'ldap_idmap_default_domain_sid', 'ldap_idmap_default_domain', 'ldap_idmap_autorid_compat' - ] - - #options only available in sssd v1 (the version used prior to el8) - _string_params_v1 = [ - 'ldap_groups_use_matching_rule_in_chain', - 'ldap_initgroups_use_matching_rule_in_chain', - ] - - _array_params = { - 'ldap_uri' => ',', - 'ldap_backup_uri' => ',', - 'ldap_chpass_uri' => ',', - 'ldap_chpass_backup_uri' => ',', - 'ldap_user_extra_attrs' => ',', - 'ldap_tls_cipher_suite' => ':', - 'ldap_access_order' => ',', - 'ldap_sudo_hostnames' => ' ', - 'ldap_sudo_ip' => ' ', - 'krb5_server' => ',', - 'krb5_backup_server' => ',' - } - - if $facts['sssd_version'] =~ Undef { - if $facts['os']['release']['major'] < '8' - $_sssd_major_version = 1 - else - $_sssd_major_version = 2 - } - else - $_sssd_major_version = Integer($facts['sssd_version'].split('.').first) - } - - _output = [] - _string_params.each do |param| - value = eval(%(@#{param})) + ] + (($sssd_major_version < 2) ? { + true => [ + # options only available in sssd v1 (the version used prior to el8) + 'ldap_groups_use_matching_rule_in_chain', + 'ldap_initgroups_use_matching_rule_in_chain', + ], + default=> [], + }).map |$param| { + $value = getvar($param) # Make sure to distinguish between nil and false, as we may need to # set a parameter to false in this config! 
- unless value =~ Undef { - _output << %(#{param.sub(/^_/,'')} = #{value}) + unless $value =~ Undef { + "${$param.sub(/^_/, '')} = ${value}" } - } - - # if os < el8 add in params used in sssd V1 only - if $_sssd_major_version < 2 - _string_params_v1.each do |param| - value = eval(%(@#{param})) - unless value =~ Undef { - _output << %(#{param.sub(/^_/,'')} = #{value}) - } - } - } - - _array_params.keys.each do |param| - value = eval(%(@#{param})) + } + { + 'ldap_uri' => ',', + 'ldap_backup_uri' => ',', + 'ldap_chpass_uri' => ',', + 'ldap_chpass_backup_uri' => ',', + 'ldap_user_extra_attrs' => ',', + 'ldap_tls_cipher_suite' => ':', + 'ldap_access_order' => ',', + 'ldap_sudo_hostnames' => ' ', + 'ldap_sudo_ip' => ' ', + 'krb5_server' => ',', + 'krb5_backup_server' => ',' + }.map |$param, $separator| { + $value = getvar($param) - if value && !value.empty? - _output << %(#{param.sub(/^_/,'')} = #{Array(value).uniq.join(_array_params[param])}) + if $value and !$value.empty { + "${$param.sub(/^_/, '')} = ${Array($value).uniq.join($separator) }" } } -%> -<%= _output.sort.join("\n") %> +<%= $output.sort.join("\n") %> From 70100146f9eedc0690dfefafb1416eff917b14a2 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Tue, 23 Sep 2025 13:50:50 -0500 Subject: [PATCH 05/25] More cleanup --- templates/provider/ldap.epp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/provider/ldap.epp b/templates/provider/ldap.epp index 292fde1..8e6d0d1 100644 --- a/templates/provider/ldap.epp +++ b/templates/provider/ldap.epp @@ -329,7 +329,7 @@ $value = getvar($param) if $value and !$value.empty { - "${$param.sub(/^_/, '')} = ${Array($value).uniq.join($separator) }" + "${$param.sub(/^_/, '')} = ${Array($value).uniq.join($separator)}" } } -%> From 8f849c4b86c6dd8b19edbdec24a23788e8bd029a Mon Sep 17 00:00:00 2001 
From: Steven Pritchard Date: Tue, 23 Sep 2025 14:28:00 -0500 Subject: [PATCH 06/25] Filter out invalid entries --- templates/provider/ldap.epp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/provider/ldap.epp b/templates/provider/ldap.epp
index 8e6d0d1..4f82314 100644
--- a/templates/provider/ldap.epp
+++ b/templates/provider/ldap.epp
@@ -333,4 +333,4 @@
 }
 }
 -%>
-<%= $output.sort.join("\n") %>
+<%= $output.filter |$item| { $item =~ String[1] }.sort.join("\n") %>
From 7ea0bdc8b70fad2560a245eba80efdaafc7ace25 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Tue, 23 Sep 2025 16:59:31 -0500 Subject: [PATCH 07/25] Additional cleanup --- .puppet-lint.rc | 1 - manifests/config/entry.pp | 10 ++++++---- manifests/config/ipa_domain.pp | 5 ++--- manifests/domain.pp | 5 +++-- manifests/init.pp | 6 +++--- manifests/install.pp | 6 +++--- manifests/install/client.pp | 6 +++--- manifests/pki.pp | 5 ++--- manifests/provider/files.pp | 2 +- manifests/provider/krb5.pp | 7 +++---- manifests/service.pp | 6 +++--- templates/domain.epp | 2 +- templates/provider/ipa.epp | 6 +++++- templates/provider/ldap.epp | 22 ++++++++++------------ templates/sssd.conf.epp | 2 +- 15 files changed, 46 insertions(+), 45 deletions(-)
diff --git a/.puppet-lint.rc b/.puppet-lint.rc
index eb56769..77a1e10 100644
--- a/.puppet-lint.rc
+++ b/.puppet-lint.rc
@@ -8,7 +8,6 @@
 --relative
 --no-class_inherits_from_params_class-check
 --no-140chars-check
---no-trailing_comma-check
 --no-params-empty-string-assignment-check
 # This is here because the code can't handle lookups in parameters and SIMP
 # modules have a LOT of those
diff --git a/manifests/config/entry.pp b/manifests/config/entry.pp
index c55ebaf..76643dc 100644
--- a/manifests/config/entry.pp
+++ b/manifests/config/entry.pp
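Review bot: The `.filter |$item| { $item =~ String[1] }` added to the output line carries no comment saying what it removes, and a reader of the template has to work back through the preceding `.map` blocks to see that their `unless` guards yield `undef` for every option that is not set. A line before `-%>` such as `# the map blocks above yield undef for unset options; keep only rendered lines` would make the intent explicit. The map blocks themselves start outside this hunk.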
@@ -7,11 +7,13 @@ # # @param content # The content of the target file +# @param order +# The order in which the file should be processed # -define sssd::config::entry( +define sssd::config::entry ( String $content, - Integer[0] $order = 50 -){ + Integer[0] $order = 50, +) { assert_private() if $title =~ /\// { @@ -28,6 +30,6 @@ group => 'root', mode => '0600', content => $content, - notify => Class["${module_name}::service"] + notify => Class["${module_name}::service"], } } diff --git a/manifests/config/ipa_domain.pp b/manifests/config/ipa_domain.pp index c1d3a25..5d7a75c 100644 --- a/manifests/config/ipa_domain.pp +++ b/manifests/config/ipa_domain.pp @@ -18,13 +18,12 @@ autofs_provider => 'ipa', min_id => $sssd::min_id, enumerate => $sssd::enumerate_users, - cache_credentials => $sssd::cache_credentials + cache_credentials => $sssd::cache_credentials, } sssd::provider::ipa { $_ipa_domain: ipa_domain => $_ipa_domain, - ipa_server => [ $_ipa_server ] + ipa_server => [$_ipa_server], } } } - diff --git a/manifests/domain.pp b/manifests/domain.pp index 90c04a6..3679fd7 100644 --- a/manifests/domain.pp +++ b/manifests/domain.pp @@ -121,7 +121,7 @@ Optional[String] $proxy_pam_target = undef, Optional[String] $proxy_lib_name = undef, Optional[String] $ldap_user_search_filter = undef, - Optional[Hash] $custom_options = undef + Optional[Hash] $custom_options = undef, ) { sssd::config::entry { "puppet_domain_${name}": content => epp( @@ -171,7 +171,8 @@ 'proxy_pam_target' => $proxy_pam_target, 'proxy_lib_name' => $proxy_lib_name, 'ldap_user_search_filter' => $ldap_user_search_filter, + 'custom_options' => $custom_options, }, - ) + ), } } diff --git a/manifests/init.pp b/manifests/init.pp index 2bfa27a..491fb1e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -121,7 +121,7 @@ Stdlib::Absolutepath $app_pki_cert_source = simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509'}), Stdlib::Absolutepath $app_pki_dir = '/etc/pki/simp_apps/sssd/x509', Boolean $auto_add_ipa_domain = true, - Optional[String[1]] $custom_config = undef + Optional[String[1]] $custom_config = undef, ) { include 'sssd::install' include 'sssd::config' @@ -135,7 +135,7 @@ if $custom_config { sssd::config::entry { 'puppet_custom': content => $custom_config, - order => 99999 + order => 99999, } } @@ -153,7 +153,7 @@ include 'auditd' auditd::rule { 'sssd': - content => '-w /etc/sssd/ -p wa -k CFG_sssd' + content => '-w /etc/sssd/ -p wa -k CFG_sssd', } } diff --git a/manifests/install.pp b/manifests/install.pp index 70fd48c..341cfd7 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -15,7 +15,7 @@ class sssd::install ( Boolean $install_client = true, Boolean $install_user_tools = true, - String $package_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }) + String $package_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }), ) { assert_private() @@ -24,12 +24,12 @@ } package { ['sssd', 'sssd-dbus']: - ensure => $package_ensure + ensure => $package_ensure, } if $install_user_tools { package { 'sssd-tools': - ensure => $package_ensure + ensure => $package_ensure, } } } diff --git a/manifests/install/client.pp b/manifests/install/client.pp index be07d71..1ab635b 100644 --- a/manifests/install/client.pp +++ b/manifests/install/client.pp @@ -6,9 +6,9 @@ # @author https://github.com/simp/pupmod-simp-sssd/graphs/contributors # class sssd::install::client ( - $ensure = $::sssd::install::package_ensure -){ + String $ensure = $sssd::install::package_ensure +) { package { 'sssd-client': - ensure => $ensure + ensure => $ensure, } } diff --git a/manifests/pki.pp b/manifests/pki.pp index 64355f8..8ce096a 100644 --- a/manifests/pki.pp 
+++ b/manifests/pki.pp @@ -22,8 +22,7 @@ # # * If $sssd::pki = false, this variable has no effect. # -class sssd::pki -{ +class sssd::pki { assert_private() include "${module_name}::service" @@ -32,7 +31,7 @@ pki::copy { 'sssd' : source => $sssd::app_pki_cert_source, pki => $sssd::pki, - notify => Class["${module_name}::service"] + notify => Class["${module_name}::service"], } } } diff --git a/manifests/provider/files.pp b/manifests/provider/files.pp index 7d95224..2d93cef 100644 --- a/manifests/provider/files.pp +++ b/manifests/provider/files.pp @@ -19,7 +19,7 @@ # define sssd::provider::files ( Optional[Array[Stdlib::Absolutepath]] $passwd_files = undef, - Optional[Array[Stdlib::Absolutepath]] $group_files = undef + Optional[Array[Stdlib::Absolutepath]] $group_files = undef, ) { sssd::config::entry { "puppet_provider_${name}_files": content => epp( diff --git a/manifests/provider/krb5.pp b/manifests/provider/krb5.pp index bd7e398..2d647b1 100644 --- a/manifests/provider/krb5.pp +++ b/manifests/provider/krb5.pp @@ -28,8 +28,8 @@ # @author https://github.com/simp/pupmod-simp-sssd/graphs/contributors # define sssd::provider::krb5 ( - Optional[Simplib::Host] $krb5_server = undef, String $krb5_realm, + Optional[Simplib::Host] $krb5_server = undef, Optional[Sssd::DebugLevel] $debug_level = undef, Boolean $debug_timestamps = true, Boolean $debug_microseconds = false, @@ -43,9 +43,8 @@ Optional[String] $krb5_renewable_lifetime = undef, Optional[String] $krb5_lifetime = undef, Integer $krb5_renew_interval = 0, - Optional[Enum['never','try','demand']] $krb5_use_fast = undef + Optional[Enum['never','try','demand']] $krb5_use_fast = undef, ) { - sssd::config::entry { "puppet_provider_${name}_krb5": content => epp( "${module_name}/provider/krb5", @@ -68,6 +67,6 @@ 'krb5_renew_interval' => $krb5_renew_interval, 'krb5_use_fast' => $krb5_use_fast, }, - ) + ), } } diff --git a/manifests/service.pp b/manifests/service.pp index e3b4821..7185607 100644 --- a/manifests/service.pp 
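Review bot: `epp("${module_name}/provider/krb5", …)` inside the `sssd::config::entry` resource names the template without an extension, while the other providers on this page call `…/provider/ipa.epp`, `…/provider/files.epp` and `…/provider/ad.epp`; as far as I know `epp()` looks the path up verbatim under the module's `templates/` directory and does not append `.epp`, so unless the file really is `templates/provider/krb5` this lookup fails at catalog compile time. The line is hunk context rather than part of the change, so the commit does not touch it; `"${module_name}/provider/krb5.epp"` would bring it in line with its siblings.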
+++ b/manifests/service.pp @@ -10,14 +10,14 @@ # class sssd::service ( Variant[String[1],Boolean] $ensure = sssd::supported_version(), - Boolean $enable = sssd::supported_version() -){ + Boolean $enable = sssd::supported_version(), +) { assert_private() service { 'sssd': ensure => $ensure, enable => $enable, hasrestart => true, - hasstatus => true + hasstatus => true, } } diff --git a/templates/domain.epp b/templates/domain.epp index d7ca2b0..f6349de 100644 --- a/templates/domain.epp +++ b/templates/domain.epp @@ -154,6 +154,6 @@ proxy_pam_target = <%= $proxy_pam_target %> <% if $proxy_lib_name { -%> proxy_lib_name = <%= $proxy_lib_name %> <% } -%> -<% $custom_options.each |$opt, $value| { -%> +<% $custom_options.lest || { {} }.each |$opt, $value| { -%> <%= $opt %> = <%= $value %> <% } -%> diff --git a/templates/provider/ipa.epp b/templates/provider/ipa.epp index 0ddb6ed..c14582c 100644 --- a/templates/provider/ipa.epp +++ b/templates/provider/ipa.epp @@ -32,7 +32,11 @@ [domain/<%= $title %>] # sssd::provider::ipa ipa_domain = <%= $ipa_domain %> -ipa_server = <%= $_ipa_server.join(',') %> +<% if $use_service_discovery { -%> +ipa_server = _srv_,<%= $ipa_server.join(',') %> +<% } else { -%> +ipa_server = <%= $ipa_server.join(',') %> +<% } -%> <% unless $ipa_backup_server =~ Undef { -%> ipa_backup_server = <%= $ipa_backup_server.join(',') %> <% } -%> diff --git a/templates/provider/ldap.epp b/templates/provider/ldap.epp index 4f82314..a9dbaf5 100644 --- a/templates/provider/ldap.epp +++ b/templates/provider/ldap.epp 
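Review bot: `ipa_server = _srv_,<%= $ipa_server.join(',') %>` emits a dangling `_srv_,` whenever `$ipa_server` is empty, which is the natural configuration when service discovery is the reason the branch exists; `ipa_server = <%= (['_srv_'] + $ipa_server).join(',') %>` yields `_srv_` alone in that case and the same string otherwise. I am assuming `$ipa_server` is declared as an array in the parameter block above, which is outside the hunk. The replaced `$_ipa_server` was not a declared template parameter, so the change also removes an undefined-variable reference.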
@@ -81,9 +81,9 @@ Optional[Integer[0]] $ldap_deref_threshold, Sssd::LdapTlsReqcert $ldap_tls_reqcert, Optional[String[1]] $ldap_tls_cacert, - Optional[Stdlib::Absolutepath] $app_pki_ca_dir, - Optional[Stdlib::Absolutepath] $app_pki_key, - Optional[Stdlib::Absolutepath] $app_pki_cert, + Optional[Stdlib::Absolutepath] $ldap_tls_cacertdir, + Optional[Stdlib::Absolutepath] $ldap_tls_key, + Optional[Stdlib::Absolutepath] $ldap_tls_cert, Boolean $strip_128_bit_ciphers, Array[String[1]] $ldap_tls_cipher_suite, Boolean $ldap_id_use_start_tls, @@ -153,14 +153,12 @@ [domain/<%= $title %>] # sssd::provider::ldap <% - if $facts['sssd_version'] =~ Undef { - if $facts['os']['release']['major'] < '8' { - $sssd_major_version = 1 - } else { - $sssd_major_version = 2 - } + if $facts['sssd_version'] =~ String[1] { + $sssd_major_version = Integer($facts['sssd_version'].split(/\./)[0]) + } elsif $facts['os']['release']['major'] < '8' { + $sssd_major_version = 1 } else { - $sssd_major_version = Integer($facts['sssd_version'].split('.').first) + $sssd_major_version = 2 } # Simply too many options to make it more confusing than this... @@ -311,7 +309,7 @@ # Make sure to distinguish between nil and false, as we may need to # set a parameter to false in this config! unless $value =~ Undef { - "${$param.sub(/^_/, '')} = ${value}" + "${$param.regsubst(/^_/, '')} = ${value}" } } + { 'ldap_uri' => ',', @@ -329,7 +327,7 @@ $value = getvar($param) if $value and !$value.empty { - "${$param.sub(/^_/, '')} = ${Array($value).uniq.join($separator)}" + "${$param.regsubst(/^_/, '')} = ${Array($value).unique.join($separator)}" } } -%> diff --git a/templates/sssd.conf.epp b/templates/sssd.conf.epp index c61427f..21daed3 100644 --- a/templates/sssd.conf.epp +++ b/templates/sssd.conf.epp 
@@ -2,7 +2,7 @@ Optional[String] $_description, Optional[Array[String]] $_services, Optional[Array[String]] $_domains, - String $_config_file_version, + Integer[1] $_config_file_version, Integer[0] $_reconnection_retries, Optional[String] $_re_expression, Optional[String] $_full_name_format, From c59dbb904df6baf7779377aeb73c722839dc1402 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 24 Sep 2025 10:12:53 -0500 Subject: [PATCH 08/25] Additional cleanup and fix tests --- REFERENCE.md | 15 +- manifests/provider/ad.pp | 1 + manifests/provider/files.pp | 1 + manifests/provider/ipa.pp | 1 + manifests/provider/ldap.pp | 501 ++++++++++++++++++++++++----------- manifests/service/autofs.pp | 1 + manifests/service/pac.pp | 1 + templates/provider/ad.epp | 1 + templates/provider/files.epp | 1 + templates/provider/ipa.epp | 1 + templates/provider/ldap.epp | 333 +---------------------- 11 files changed, 366 insertions(+), 491 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index b8f2f2a..568173c 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -436,11 +436,11 @@ The following parameters are available in the `sssd::install::client` class: ##### `ensure` -Data type: `Any` +Data type: `String` Ensure setting for 'sssd-client' package -Default value: `$::sssd::install::package_ensure` +Default value: `$sssd::install::package_ensure` ### `sssd::pki` @@ -1302,7 +1302,7 @@ The content of the target file Data type: `Integer[0]` - +The order in which the file should be processed Default value: `50` @@ -1729,6 +1729,10 @@ Default value: `undef` Data type: `Optional[String]` + + +Default value: `undef` + ##### `custom_options` Data type: `Optional[Hash]` 
@@ -1736,9 +1740,8 @@ Data type: `Optional[Hash]` If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be -added as a simple init pair -key = value -under the section in the sssd.conf file. +added as a simple init pair key = value under the section in +the sssd.conf file. No error checking will be performed. Default value: `undef` diff --git a/manifests/provider/ad.pp b/manifests/provider/ad.pp index 3863fa6..306652d 100644 --- a/manifests/provider/ad.pp +++ b/manifests/provider/ad.pp @@ -154,6 +154,7 @@ content => epp( "${module_name}/provider/ad.epp", { + 'title' => $title, 'ad_domain' => $ad_domain, 'ad_enabled_domains' => $ad_enabled_domains, 'ad_servers' => $ad_servers, diff --git a/manifests/provider/files.pp b/manifests/provider/files.pp index 2d93cef..2189a15 100644 --- a/manifests/provider/files.pp +++ b/manifests/provider/files.pp @@ -25,6 +25,7 @@ content => epp( "${module_name}/provider/files.epp", { + 'title' => $title, 'passwd_files' => $passwd_files, 'group_files' => $group_files, } diff --git a/manifests/provider/ipa.pp b/manifests/provider/ipa.pp index 5041c24..9c03f91 100644 --- a/manifests/provider/ipa.pp +++ b/manifests/provider/ipa.pp @@ -86,6 +86,7 @@ content => epp( "${module_name}/provider/ipa.epp", { + 'title' => $title, 'ipa_domain' => $ipa_domain, 'ipa_server' => $ipa_server, 'ipa_backup_server' => $ipa_backup_server, diff --git a/manifests/provider/ldap.pp b/manifests/provider/ldap.pp index 7f0f5a8..626cb17 100644 --- a/manifests/provider/ldap.pp +++ b/manifests/provider/ldap.pp 
@@ -357,176 +357,367 @@ } if $app_pki_ca_dir { - $ldap_tls_cacertdir = $app_pki_ca_dir + $_ldap_tls_cacertdir = $app_pki_ca_dir } elsif $client_tls { - $ldap_tls_cacertdir = "${sssd::app_pki_dir}/cacerts" + $_ldap_tls_cacertdir = "${sssd::app_pki_dir}/cacerts" + } else { + $_ldap_tls_cacertdir = undef } if $app_pki_key { - $ldap_tls_key = $app_pki_key + $_ldap_tls_key = $app_pki_key } elsif $client_tls { - $ldap_tls_key = "${sssd::app_pki_dir}/private/${$facts['networking']['fqdn']}.pem" + $_ldap_tls_key = "${sssd::app_pki_dir}/private/${$facts['networking']['fqdn']}.pem" + } else { + $_ldap_tls_key = undef } if $app_pki_cert { - $ldap_tls_cert = $app_pki_cert + $_ldap_tls_cert = $app_pki_cert } elsif $client_tls { - $ldap_tls_cert = "${sssd::app_pki_dir}/public/${$facts['networking']['fqdn']}.pub" + $_ldap_tls_cert = "${sssd::app_pki_dir}/public/${$facts['networking']['fqdn']}.pub" + } else { + $_ldap_tls_cert = undef } + # Determine SSSD major version + if $facts['sssd_version'] =~ String[1] { + $sssd_major_version = Integer($facts['sssd_version'].split(/\./)[0]) + } elsif $facts['os']['release']['major'] < '8' { + $sssd_major_version = 1 + } else { + $sssd_major_version = 2 + } + + # Build configuration content + $simple_params = [ + 'debug_level', + 'debug_timestamps', + 'debug_microseconds', + 'ldap_search_base', + 'ldap_schema', + 'ldap_default_bind_dn', + 'ldap_default_authtok_type', + 'ldap_default_authtok', + 'ldap_user_cert', + 'ldap_user_object_class', + 'ldap_user_name', + 'ldap_user_uid_number', + 'ldap_user_gid_number', + 'ldap_user_gecos', + 'ldap_user_home_directory', + 'ldap_user_shell', + 'ldap_user_uuid', + 'ldap_user_objectsid', + 'ldap_user_modify_timestamp', + 'ldap_user_shadow_last_change', + 'ldap_user_shadow_min', + 'ldap_user_shadow_max', + 'ldap_user_shadow_warning', + 'ldap_user_shadow_inactive', + 'ldap_user_shadow_expire', + 'ldap_user_krb_last_pwd_change', + 'ldap_user_krb_password_expiration', + 'ldap_user_ad_account_expires', + 
'ldap_user_ad_user_account_control', + 'ldap_ns_account_lock', + 'ldap_user_nds_login_disabled', + 'ldap_user_nds_login_expiration_time', + 'ldap_user_nds_login_allowed_time_map', + 'ldap_user_principal', + 'ldap_user_ssh_public_key', + 'ldap_force_upper_case_realm', + 'ldap_enumeration_refresh_timeout', + 'ldap_purge_cache_timeout', + 'ldap_user_fullname', + 'ldap_user_member_of', + 'ldap_user_authorized_service', + 'ldap_user_authorized_host', + 'ldap_group_object_class', + 'ldap_group_name', + 'ldap_group_gid_number', + 'ldap_group_member', + 'ldap_group_uuid', + 'ldap_group_objectsid', + 'ldap_group_modify_timestamp', + 'ldap_group_type', + 'ldap_group_nesting_level', + 'ldap_use_tokengroups', + 'ldap_netgroup_object_class', + 'ldap_netgroup_name', + 'ldap_netgroup_member', + 'ldap_netgroup_triple', + 'ldap_netgroup_uuid', + 'ldap_netgroup_modify_timestamp', + 'ldap_service_name', + 'ldap_service_port', + 'ldap_service_proto', + 'ldap_service_search_base', + 'ldap_search_timeout', + 'ldap_enumeration_search_timeout', + 'ldap_network_timeout', + 'ldap_opt_timeout', + 'ldap_connection_expire_timeout', + 'ldap_page_size', + 'ldap_disable_paging', + 'ldap_disable_range_retrieval', + 'ldap_sasl_minssf', + 'ldap_deref_threshold', + 'ldap_tls_reqcert', + 'ldap_tls_cacert', + 'ldap_tls_cacertdir', + 'ldap_tls_cert', + 'ldap_tls_key', + 'ldap_id_use_start_tls', + 'ldap_id_mapping', + 'ldap_min_id', + 'ldap_max_id', + 'ldap_sasl_mech', + 'ldap_sasl_authid', + 'ldap_sasl_realm', + 'ldap_sasl_canonicalize', + 'ldap_krb5_keytab', + 'ldap_krb5_init_creds', + 'ldap_krb5_ticket_lifetime', + 'krb5_realm', + 'krb5_canonicalize', + 'krb5_use_kdcinfo', + 'ldap_pwd_policy', + 'ldap_referrals', + 'ldap_dns_service_name', + 'ldap_chpass_dns_service_name', + 'ldap_chpass_update_last_change', + 'ldap_access_filter', + 'ldap_pwdlockout_dn', + 'ldap_deref', + 'ldap_sudorule_object_class', + 'ldap_sudorule_name', + 'ldap_sudorule_command', + 'ldap_sudorule_host', + 'ldap_sudorule_user', + 
'ldap_sudorule_option', + 'ldap_sudorule_runasuser', + 'ldap_sudorule_runasgroup', + 'ldap_sudorule_notbefore', + 'ldap_sudorule_notafter', + 'ldap_sudorule_order', + 'ldap_sudo_full_refresh_interval', + 'ldap_sudo_smart_refresh_interval', + 'ldap_sudo_use_host_filter', + 'ldap_sudo_include_netgroups ', + 'ldap_sudo_include_regexp', + 'ldap_autofs_map_master_name', + 'ldap_autofs_map_object_class', + 'ldap_autofs_map_name', + 'ldap_autofs_entry_object_class', + 'ldap_autofs_entry_key', + 'ldap_autofs_entry_value', + 'ldap_netgroup_search_base', + 'ldap_user_search_base', + 'ldap_group_search_base', + 'ldap_sudo_search_base', + 'ldap_autofs_search_base', + 'ldap_idmap_range_min', + 'ldap_idmap_range_max', + 'ldap_idmap_range_size', + 'ldap_idmap_default_domain_sid', + 'ldap_idmap_default_domain', + 'ldap_idmap_autorid_compat', + ] + + # Add version-specific parameters + if versioncmp(String($sssd_major_version), '2') < 0 { + $version_specific_params = [ + 'ldap_groups_use_matching_rule_in_chain', + 'ldap_initgroups_use_matching_rule_in_chain', + ] + } else { + $version_specific_params = [] + } + + # Create a hash of all parameters for easier access + $param_values = { + 'debug_level' => $debug_level, + 'debug_timestamps' => $debug_timestamps, + 'debug_microseconds' => $debug_microseconds, + 'ldap_search_base' => $ldap_search_base, + 'ldap_schema' => $ldap_schema, + 'ldap_default_bind_dn' => $ldap_default_bind_dn, + 'ldap_default_authtok_type' => $ldap_default_authtok_type, + 'ldap_default_authtok' => $ldap_default_authtok, + 'ldap_user_cert' => $ldap_user_cert, + 'ldap_user_object_class' => $ldap_user_object_class, + 'ldap_user_name' => $ldap_user_name, + 'ldap_user_uid_number' => $ldap_user_uid_number, + 'ldap_user_gid_number' => $ldap_user_gid_number, + 'ldap_user_gecos' => $ldap_user_gecos, + 'ldap_user_home_directory' => $ldap_user_home_directory, + 'ldap_user_shell' => $ldap_user_shell, + 'ldap_user_uuid' => $ldap_user_uuid, + 'ldap_user_objectsid' => 
$ldap_user_objectsid, + 'ldap_user_modify_timestamp' => $ldap_user_modify_timestamp, + 'ldap_user_shadow_last_change' => $ldap_user_shadow_last_change, + 'ldap_user_shadow_min' => $ldap_user_shadow_min, + 'ldap_user_shadow_max' => $ldap_user_shadow_max, + 'ldap_user_shadow_warning' => $ldap_user_shadow_warning, + 'ldap_user_shadow_inactive' => $ldap_user_shadow_inactive, + 'ldap_user_shadow_expire' => $ldap_user_shadow_expire, + 'ldap_user_krb_last_pwd_change' => $ldap_user_krb_last_pwd_change, + 'ldap_user_krb_password_expiration' => $ldap_user_krb_password_expiration, + 'ldap_user_ad_account_expires' => $ldap_user_ad_account_expires, + 'ldap_user_ad_user_account_control' => $ldap_user_ad_user_account_control, + 'ldap_ns_account_lock' => $ldap_ns_account_lock, + 'ldap_user_nds_login_disabled' => $ldap_user_nds_login_disabled, + 'ldap_user_nds_login_expiration_time' => $ldap_user_nds_login_expiration_time, + 'ldap_user_nds_login_allowed_time_map' => $ldap_user_nds_login_allowed_time_map, + 'ldap_user_principal' => $ldap_user_principal, + 'ldap_user_ssh_public_key' => $ldap_user_ssh_public_key, + 'ldap_force_upper_case_realm' => $ldap_force_upper_case_realm, + 'ldap_enumeration_refresh_timeout' => $ldap_enumeration_refresh_timeout, + 'ldap_purge_cache_timeout' => $ldap_purge_cache_timeout, + 'ldap_user_fullname' => $ldap_user_fullname, + 'ldap_user_member_of' => $ldap_user_member_of, + 'ldap_user_authorized_service' => $ldap_user_authorized_service, + 'ldap_user_authorized_host' => $ldap_user_authorized_host, + 'ldap_group_object_class' => $ldap_group_object_class, + 'ldap_group_name' => $ldap_group_name, + 'ldap_group_gid_number' => $ldap_group_gid_number, + 'ldap_group_member' => $ldap_group_member, + 'ldap_group_uuid' => $ldap_group_uuid, + 'ldap_group_objectsid' => $ldap_group_objectsid, + 'ldap_group_modify_timestamp' => $ldap_group_modify_timestamp, + 'ldap_group_type' => $ldap_group_type, + 'ldap_group_nesting_level' => $ldap_group_nesting_level, + 
'ldap_use_tokengroups' => $ldap_use_tokengroups, + 'ldap_netgroup_object_class' => $ldap_netgroup_object_class, + 'ldap_netgroup_name' => $ldap_netgroup_name, + 'ldap_netgroup_member' => $ldap_netgroup_member, + 'ldap_netgroup_triple' => $ldap_netgroup_triple, + 'ldap_netgroup_uuid' => $ldap_netgroup_uuid, + 'ldap_netgroup_modify_timestamp' => $ldap_netgroup_modify_timestamp, + 'ldap_service_name' => $ldap_service_name, + 'ldap_service_port' => $ldap_service_port, + 'ldap_service_proto' => $ldap_service_proto, + 'ldap_service_search_base' => $ldap_service_search_base, + 'ldap_search_timeout' => $ldap_search_timeout, + 'ldap_enumeration_search_timeout' => $ldap_enumeration_search_timeout, + 'ldap_network_timeout' => $ldap_network_timeout, + 'ldap_opt_timeout' => $ldap_opt_timeout, + 'ldap_connection_expire_timeout' => $ldap_connection_expire_timeout, + 'ldap_page_size' => $ldap_page_size, + 'ldap_disable_paging' => $ldap_disable_paging, + 'ldap_disable_range_retrieval' => $ldap_disable_range_retrieval, + 'ldap_sasl_minssf' => $ldap_sasl_minssf, + 'ldap_deref_threshold' => $ldap_deref_threshold, + 'ldap_tls_reqcert' => $ldap_tls_reqcert, + 'ldap_tls_cacert' => $ldap_tls_cacert, + 'ldap_tls_cacertdir' => $_ldap_tls_cacertdir, + 'ldap_tls_cert' => $_ldap_tls_cert, + 'ldap_tls_key' => $_ldap_tls_key, + 'ldap_id_use_start_tls' => $ldap_id_use_start_tls, + 'ldap_id_mapping' => $ldap_id_mapping, + 'ldap_min_id' => $ldap_min_id, + 'ldap_max_id' => $ldap_max_id, + 'ldap_sasl_mech' => $ldap_sasl_mech, + 'ldap_sasl_authid' => $ldap_sasl_authid, + 'ldap_sasl_realm' => $ldap_sasl_realm, + 'ldap_sasl_canonicalize' => $ldap_sasl_canonicalize, + 'ldap_krb5_keytab' => $ldap_krb5_keytab, + 'ldap_krb5_init_creds' => $ldap_krb5_init_creds, + 'ldap_krb5_ticket_lifetime' => $ldap_krb5_ticket_lifetime, + 'krb5_realm' => $krb5_realm, + 'krb5_canonicalize' => $krb5_canonicalize, + 'krb5_use_kdcinfo' => $krb5_use_kdcinfo, + 'ldap_pwd_policy' => $ldap_pwd_policy, + 'ldap_referrals' => 
$ldap_referrals, + 'ldap_dns_service_name' => $ldap_dns_service_name, + 'ldap_chpass_dns_service_name' => $ldap_chpass_dns_service_name, + 'ldap_chpass_update_last_change' => $ldap_chpass_update_last_change, + 'ldap_access_filter' => $ldap_access_filter, + 'ldap_pwdlockout_dn' => $ldap_pwdlockout_dn, + 'ldap_deref' => $ldap_deref, + 'ldap_sudorule_object_class' => $ldap_sudorule_object_class, + 'ldap_sudorule_name' => $ldap_sudorule_name, + 'ldap_sudorule_command' => $ldap_sudorule_command, + 'ldap_sudorule_host' => $ldap_sudorule_host, + 'ldap_sudorule_user' => $ldap_sudorule_user, + 'ldap_sudorule_option' => $ldap_sudorule_option, + 'ldap_sudorule_runasuser' => $ldap_sudorule_runasuser, + 'ldap_sudorule_runasgroup' => $ldap_sudorule_runasgroup, + 'ldap_sudorule_notbefore' => $ldap_sudorule_notbefore, + 'ldap_sudorule_notafter' => $ldap_sudorule_notafter, + 'ldap_sudorule_order' => $ldap_sudorule_order, + 'ldap_sudo_full_refresh_interval' => $ldap_sudo_full_refresh_interval, + 'ldap_sudo_smart_refresh_interval' => $ldap_sudo_smart_refresh_interval, + 'ldap_sudo_use_host_filter' => $ldap_sudo_use_host_filter, + 'ldap_sudo_include_netgroups ' => $ldap_sudo_include_netgroups, + 'ldap_sudo_include_regexp' => $ldap_sudo_include_regexp, + 'ldap_autofs_map_master_name' => $ldap_autofs_map_master_name, + 'ldap_autofs_map_object_class' => $ldap_autofs_map_object_class, + 'ldap_autofs_map_name' => $ldap_autofs_map_name, + 'ldap_autofs_entry_object_class' => $ldap_autofs_entry_object_class, + 'ldap_autofs_entry_key' => $ldap_autofs_entry_key, + 'ldap_autofs_entry_value' => $ldap_autofs_entry_value, + 'ldap_netgroup_search_base' => $ldap_netgroup_search_base, + 'ldap_user_search_base' => $ldap_user_search_base, + 'ldap_group_search_base' => $ldap_group_search_base, + 'ldap_sudo_search_base' => $ldap_sudo_search_base, + 'ldap_autofs_search_base' => $ldap_autofs_search_base, + 'ldap_idmap_range_min' => $ldap_idmap_range_min, + 'ldap_idmap_range_max' => $ldap_idmap_range_max, + 
'ldap_idmap_range_size' => $ldap_idmap_range_size, + 'ldap_idmap_default_domain_sid' => $ldap_idmap_default_domain_sid, + 'ldap_idmap_default_domain' => $ldap_idmap_default_domain, + 'ldap_idmap_autorid_compat' => $ldap_idmap_autorid_compat, + 'ldap_groups_use_matching_rule_in_chain' => $ldap_groups_use_matching_rule_in_chain, + 'ldap_initgroups_use_matching_rule_in_chain' => $ldap_initgroups_use_matching_rule_in_chain, + } + + # Process simple parameters + $simple_config_lines = ($simple_params + $version_specific_params).filter |$param| { + $param_values[$param] != undef + }.map |$param| { + "${param} = ${$param_values[$param]}" + } + + # Handle special case for ldap_account_expire_policy + $account_expire_line = $_ldap_account_expire_policy ? { + undef => [], + default => ["ldap_account_expire_policy = ${_ldap_account_expire_policy}"], + } + + # Process array parameters with custom separators + $array_params = { + 'ldap_uri' => { 'value' => $ldap_uri, 'separator' => ',' }, + 'ldap_backup_uri' => { 'value' => $ldap_backup_uri, 'separator' => ',' }, + 'ldap_chpass_uri' => { 'value' => $ldap_chpass_uri, 'separator' => ',' }, + 'ldap_chpass_backup_uri' => { 'value' => $ldap_chpass_backup_uri, 'separator' => ',' }, + 'ldap_user_extra_attrs' => { 'value' => $ldap_user_extra_attrs, 'separator' => ',' }, + 'ldap_tls_cipher_suite' => { 'value' => $ldap_tls_cipher_suite, 'separator' => ':' }, + 'ldap_access_order' => { 'value' => $ldap_access_order, 'separator' => ',' }, + 'ldap_sudo_hostnames' => { 'value' => $ldap_sudo_hostnames, 'separator' => ' ' }, + 'ldap_sudo_ip' => { 'value' => $ldap_sudo_ip, 'separator' => ' ' }, + 'krb5_server' => { 'value' => $krb5_server, 'separator' => ',' }, + 'krb5_backup_server' => { 'value' => $krb5_backup_server, 'separator' => ',' }, + } + + $array_config_lines = $array_params.filter |$param, $config| { + $config['value'] != undef and !$config['value'].empty + }.map |$param, $config| { + "${param} = 
${Array($config['value']).unique.join($config['separator'])}" + } + + # Combine all configuration lines and sort them + $all_config_lines = ($simple_config_lines + $account_expire_line + $array_config_lines).sort + $content = $all_config_lines.join("\n") + sssd::config::entry { "puppet_provider_${title}_ldap": content => epp( "${module_name}/provider/ldap.epp", { - 'debug_level' => $debug_level, - 'debug_timestamps' => $debug_timestamps, - 'debug_microseconds' => $debug_microseconds, - 'ldap_uri' => $ldap_uri, - 'ldap_backup_uri' => $ldap_backup_uri, - 'ldap_chpass_uri' => $ldap_chpass_uri, - 'ldap_chpass_backup_uri' => $ldap_chpass_backup_uri, - 'ldap_chpass_update_last_change' => $ldap_chpass_update_last_change, - 'ldap_search_base' => $ldap_search_base, - 'ldap_schema' => $ldap_schema, - 'ldap_default_bind_dn' => $ldap_default_bind_dn, - 'ldap_default_authtok_type' => $ldap_default_authtok_type, - 'ldap_default_authtok' => $ldap_default_authtok, - 'ldap_user_cert' => $ldap_user_cert, - 'ldap_user_object_class' => $ldap_user_object_class, - 'ldap_user_name' => $ldap_user_name, - 'ldap_user_uid_number' => $ldap_user_uid_number, - 'ldap_user_gid_number' => $ldap_user_gid_number, - 'ldap_user_gecos' => $ldap_user_gecos, - 'ldap_user_home_directory' => $ldap_user_home_directory, - 'ldap_user_shell' => $ldap_user_shell, - 'ldap_user_uuid' => $ldap_user_uuid, - 'ldap_user_objectsid' => $ldap_user_objectsid, - 'ldap_user_modify_timestamp' => $ldap_user_modify_timestamp, - 'ldap_user_shadow_last_change' => $ldap_user_shadow_last_change, - 'ldap_user_shadow_min' => $ldap_user_shadow_min, - 'ldap_user_shadow_max' => $ldap_user_shadow_max, - 'ldap_user_shadow_warning' => $ldap_user_shadow_warning, - 'ldap_user_shadow_inactive' => $ldap_user_shadow_inactive, - 'ldap_user_shadow_expire' => $ldap_user_shadow_expire, - 'ldap_user_krb_last_pwd_change' => $ldap_user_krb_last_pwd_change, - 'ldap_user_krb_password_expiration' => $ldap_user_krb_password_expiration, - 
'ldap_user_ad_account_expires' => $ldap_user_ad_account_expires, - 'ldap_user_ad_user_account_control' => $ldap_user_ad_user_account_control, - 'ldap_ns_account_lock' => $ldap_ns_account_lock, - 'ldap_user_nds_login_disabled' => $ldap_user_nds_login_disabled, - 'ldap_user_nds_login_expiration_time' => $ldap_user_nds_login_expiration_time, - 'ldap_user_nds_login_allowed_time_map' => $ldap_user_nds_login_allowed_time_map, - 'ldap_user_principal' => $ldap_user_principal, - 'ldap_user_extra_attrs' => $ldap_user_extra_attrs, - 'ldap_user_ssh_public_key' => $ldap_user_ssh_public_key, - 'ldap_force_upper_case_realm' => $ldap_force_upper_case_realm, - 'ldap_enumeration_refresh_timeout' => $ldap_enumeration_refresh_timeout, - 'ldap_purge_cache_timeout' => $ldap_purge_cache_timeout, - 'ldap_user_fullname' => $ldap_user_fullname, - 'ldap_user_member_of' => $ldap_user_member_of, - 'ldap_user_authorized_service' => $ldap_user_authorized_service, - 'ldap_user_authorized_host' => $ldap_user_authorized_host, - 'ldap_group_object_class' => $ldap_group_object_class, - 'ldap_group_name' => $ldap_group_name, - 'ldap_group_gid_number' => $ldap_group_gid_number, - 'ldap_group_member' => $ldap_group_member, - 'ldap_group_uuid' => $ldap_group_uuid, - 'ldap_group_objectsid' => $ldap_group_objectsid, - 'ldap_group_modify_timestamp' => $ldap_group_modify_timestamp, - 'ldap_group_type' => $ldap_group_type, - 'ldap_group_nesting_level' => $ldap_group_nesting_level, - 'ldap_groups_use_matching_rule_in_chain' => $ldap_groups_use_matching_rule_in_chain, - 'ldap_initgroups_use_matching_rule_in_chain' => $ldap_initgroups_use_matching_rule_in_chain, - 'ldap_use_tokengroups' => $ldap_use_tokengroups, - 'ldap_netgroup_object_class' => $ldap_netgroup_object_class, - 'ldap_netgroup_name' => $ldap_netgroup_name, - 'ldap_netgroup_member' => $ldap_netgroup_member, - 'ldap_netgroup_triple' => $ldap_netgroup_triple, - 'ldap_netgroup_uuid' => $ldap_netgroup_uuid, - 'ldap_netgroup_modify_timestamp' => 
$ldap_netgroup_modify_timestamp, - 'ldap_service_name' => $ldap_service_name, - 'ldap_service_port' => $ldap_service_port, - 'ldap_service_proto' => $ldap_service_proto, - 'ldap_service_search_base' => $ldap_service_search_base, - 'ldap_search_timeout' => $ldap_search_timeout, - 'ldap_enumeration_search_timeout' => $ldap_enumeration_search_timeout, - 'ldap_network_timeout' => $ldap_network_timeout, - 'ldap_opt_timeout' => $ldap_opt_timeout, - 'ldap_connection_expire_timeout' => $ldap_connection_expire_timeout, - 'ldap_page_size' => $ldap_page_size, - 'ldap_disable_paging' => $ldap_disable_paging, - 'ldap_disable_range_retrieval' => $ldap_disable_range_retrieval, - 'ldap_sasl_minssf' => $ldap_sasl_minssf, - 'ldap_deref_threshold' => $ldap_deref_threshold, - 'ldap_tls_reqcert' => $ldap_tls_reqcert, - 'ldap_tls_cacert' => $ldap_tls_cacert, - 'ldap_tls_cacertdir' => $ldap_tls_cacertdir, - 'ldap_tls_key' => $ldap_tls_key, - 'ldap_tls_cert' => $ldap_tls_cert, - 'strip_128_bit_ciphers' => $strip_128_bit_ciphers, - 'ldap_tls_cipher_suite' => $ldap_tls_cipher_suite, - 'ldap_id_use_start_tls' => $ldap_id_use_start_tls, - 'ldap_id_mapping' => $ldap_id_mapping, - 'ldap_min_id' => $ldap_min_id, - 'ldap_max_id' => $ldap_max_id, - 'ldap_sasl_mech' => $ldap_sasl_mech, - 'ldap_sasl_authid' => $ldap_sasl_authid, - 'ldap_sasl_realm' => $ldap_sasl_realm, - 'ldap_sasl_canonicalize' => $ldap_sasl_canonicalize, - 'ldap_krb5_keytab' => $ldap_krb5_keytab, - 'ldap_krb5_init_creds' => $ldap_krb5_init_creds, - 'ldap_krb5_ticket_lifetime' => $ldap_krb5_ticket_lifetime, - 'krb5_server' => $krb5_server, - 'krb5_backup_server' => $krb5_backup_server, - 'krb5_realm' => $krb5_realm, - 'krb5_canonicalize' => $krb5_canonicalize, - 'krb5_use_kdcinfo' => $krb5_use_kdcinfo, - 'ldap_account_expire_policy' => $_ldap_account_expire_policy, - 'ldap_pwd_policy' => $ldap_pwd_policy, - 'ldap_referrals' => $ldap_referrals, - 'ldap_dns_service_name' => $ldap_dns_service_name, - 'ldap_chpass_dns_service_name' => 
$ldap_chpass_dns_service_name, - 'ldap_access_filter' => $ldap_access_filter, - 'ldap_access_order' => $ldap_access_order, - 'ldap_pwdlockout_dn' => $ldap_pwdlockout_dn, - 'ldap_deref' => $ldap_deref, - 'ldap_sudorule_object_class' => $ldap_sudorule_object_class, - 'ldap_sudorule_name' => $ldap_sudorule_name, - 'ldap_sudorule_command' => $ldap_sudorule_command, - 'ldap_sudorule_host' => $ldap_sudorule_host, - 'ldap_sudorule_user' => $ldap_sudorule_user, - 'ldap_sudorule_option' => $ldap_sudorule_option, - 'ldap_sudorule_runasuser' => $ldap_sudorule_runasuser, - 'ldap_sudorule_runasgroup' => $ldap_sudorule_runasgroup, - 'ldap_sudorule_notbefore' => $ldap_sudorule_notbefore, - 'ldap_sudorule_notafter' => $ldap_sudorule_notafter, - 'ldap_sudorule_order' => $ldap_sudorule_order, - 'ldap_sudo_full_refresh_interval' => $ldap_sudo_full_refresh_interval, - 'ldap_sudo_smart_refresh_interval' => $ldap_sudo_smart_refresh_interval, - 'ldap_sudo_use_host_filter' => $ldap_sudo_use_host_filter, - 'ldap_sudo_hostnames' => $ldap_sudo_hostnames, - 'ldap_sudo_ip' => $ldap_sudo_ip, - 'ldap_sudo_include_netgroups' => $ldap_sudo_include_netgroups, - 'ldap_sudo_include_regexp' => $ldap_sudo_include_regexp, - 'ldap_autofs_map_master_name' => $ldap_autofs_map_master_name, - 'ldap_autofs_map_object_class' => $ldap_autofs_map_object_class, - 'ldap_autofs_map_name' => $ldap_autofs_map_name, - 'ldap_autofs_entry_object_class' => $ldap_autofs_entry_object_class, - 'ldap_autofs_entry_key' => $ldap_autofs_entry_key, - 'ldap_autofs_entry_value' => $ldap_autofs_entry_value, - 'ldap_netgroup_search_base' => $ldap_netgroup_search_base, - 'ldap_user_search_base' => $ldap_user_search_base, - 'ldap_group_search_base' => $ldap_group_search_base, - 'ldap_sudo_search_base' => $ldap_sudo_search_base, - 'ldap_autofs_search_base' => $ldap_autofs_search_base, - 'ldap_idmap_range_min' => $ldap_idmap_range_min, - 'ldap_idmap_range_max' => $ldap_idmap_range_max, - 'ldap_idmap_range_size' => 
$ldap_idmap_range_size, - 'ldap_idmap_default_domain_sid' => $ldap_idmap_default_domain_sid, - 'ldap_idmap_default_domain' => $ldap_idmap_default_domain, - 'ldap_idmap_autorid_compat' => $ldap_idmap_autorid_compat, - 'client_tls' => $client_tls, - } + 'title' => $title, + 'content' => $content, + }, ), } } diff --git a/manifests/service/autofs.pp b/manifests/service/autofs.pp index a1dd0a0..9de14c2 100644 --- a/manifests/service/autofs.pp +++ b/manifests/service/autofs.pp @@ -45,6 +45,7 @@ 'debug_timestamps' => $debug_timestamps, 'debug_microseconds' => $debug_microseconds, 'autofs_negative_timeout' => $autofs_negative_timeout, + 'custom_options' => $custom_options, }, ) } diff --git a/manifests/service/pac.pp b/manifests/service/pac.pp index 020b9e4..875c944 100644 --- a/manifests/service/pac.pp +++ b/manifests/service/pac.pp @@ -44,6 +44,7 @@ 'debug_timestamps' => $debug_timestamps, 'debug_microseconds' => $debug_microseconds, 'allowed_uids' => $allowed_uids, + 'custom_options' => $custom_options, }, ) } diff --git a/templates/provider/ad.epp b/templates/provider/ad.epp index 5b884e0..74a693c 100644 --- a/templates/provider/ad.epp +++ b/templates/provider/ad.epp @@ -1,4 +1,5 @@ <% | + String $title, Optional[String[1]] $ad_domain, Optional[Array[String[1],1]] $ad_enabled_domains, Optional[Array[Variant[Simplib::Hostname, Enum['_srv_']]]] $ad_servers, diff --git a/templates/provider/files.epp b/templates/provider/files.epp index 5203731..bc12d04 100644 --- a/templates/provider/files.epp +++ b/templates/provider/files.epp @@ -1,4 +1,5 @@ <% | + String $title, Optional[Array[Stdlib::Absolutepath]] $passwd_files, Optional[Array[Stdlib::Absolutepath]] $group_files, | -%> diff --git a/templates/provider/ipa.epp b/templates/provider/ipa.epp index c14582c..3516149 100644 --- a/templates/provider/ipa.epp +++ b/templates/provider/ipa.epp 
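Review bot: The fallback branch of the version detection compares the OS major release as a string, `$facts['os']['release']['major'] < '8'`, so on a host where the `sssd_version` fact is absent a major of `'10'` sorts before `'8'` and the domain is treated as SSSD 1, which in turn emits the two `*_use_matching_rule_in_chain` keys; compare numerically instead, `} elsif Integer($facts['os']['release']['major']) < 8 {`. Since `$sssd_major_version` is already an Integer, `versioncmp(String($sssd_major_version), '2') < 0` can simply be `$sssd_major_version < 2`. The key `'ldap_sudo_include_netgroups '` keeps a trailing space (inherited from the old template) in both `$simple_params` and `$param_values`, and because the value is a Boolean the file always gets a line `ldap_sudo_include_netgroups  = …` with two spaces; the ini parser probably tolerates it, but this rewrite is the place to drop the space. The body of `sssd::provider::ldap` starts before this hunk.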
@@ -1,4 +1,5 @@
 <% |
+ String $title,
 String[1] $ipa_domain,
 Array[Simplib::Host] $ipa_server,
 Optional[Array[Simplib::Host]] $ipa_backup_server,
diff --git a/templates/provider/ldap.epp b/templates/provider/ldap.epp
index a9dbaf5..939f1f3 100644
--- a/templates/provider/ldap.epp
+++ b/templates/provider/ldap.epp
@@ -1,334 +1,7 @@ <% | - Optional[Sssd::DebugLevel] $debug_level, - Optional[Boolean] $debug_timestamps, - Boolean $debug_microseconds, - Optional[Array[Simplib::URI,1]] $ldap_uri, - Optional[Array[Simplib::URI,1]] $ldap_backup_uri, - Optional[Array[Simplib::URI,1]] $ldap_chpass_uri, - Optional[Array[Simplib::URI,1]] $ldap_chpass_backup_uri, - Boolean $ldap_chpass_update_last_change, - Optional[String[1]] $ldap_search_base, - Sssd::LdapSchema $ldap_schema, - Optional[String[1]] $ldap_default_bind_dn, - Optional[Sssd::LdapDefaultAuthtok] $ldap_default_authtok_type, - Optional[String[1]] $ldap_default_authtok, - Optional[String[1]] $ldap_user_cert, - Optional[String[1]] $ldap_user_object_class, - Optional[String[1]] $ldap_user_name, - Optional[String[1]] $ldap_user_uid_number, - Optional[String[1]] $ldap_user_gid_number, - Optional[String[1]] $ldap_user_gecos, - Optional[String[1]] $ldap_user_home_directory, - Optional[String[1]] $ldap_user_shell, - Optional[String[1]] $ldap_user_uuid, - Optional[String[1]] $ldap_user_objectsid, - Optional[String[1]] $ldap_user_modify_timestamp, - Optional[String[1]] $ldap_user_shadow_last_change, - Optional[String[1]] $ldap_user_shadow_min, - Optional[String[1]] $ldap_user_shadow_max, - Optional[String[1]] $ldap_user_shadow_warning, - Optional[String[1]] $ldap_user_shadow_inactive, - Optional[String[1]] $ldap_user_shadow_expire, - Optional[String[1]] $ldap_user_krb_last_pwd_change, - Optional[String[1]] $ldap_user_krb_password_expiration, - Optional[String[1]] $ldap_user_ad_account_expires, - Optional[String[1]] $ldap_user_ad_user_account_control, - Optional[String[1]] $ldap_ns_account_lock, - Optional[String[1]] $ldap_user_nds_login_disabled, - Optional[String[1]] $ldap_user_nds_login_expiration_time, - Optional[String[1]] $ldap_user_nds_login_allowed_time_map, - Optional[String[1]] $ldap_user_principal, - Optional[Array[String[1],1]] $ldap_user_extra_attrs, - Optional[String[1]] $ldap_user_ssh_public_key, - Boolean 
$ldap_force_upper_case_realm, - Optional[Integer[0]] $ldap_enumeration_refresh_timeout, - Optional[Integer[0]] $ldap_purge_cache_timeout, - Optional[String[1]] $ldap_user_fullname, - Optional[String[1]] $ldap_user_member_of, - Optional[String[1]] $ldap_user_authorized_service, - Optional[String[1]] $ldap_user_authorized_host, - Optional[String[1]] $ldap_group_object_class, - Optional[String[1]] $ldap_group_name, - Optional[String[1]] $ldap_group_gid_number, - Optional[String[1]] $ldap_group_member, - Optional[String[1]] $ldap_group_uuid, - Optional[String[1]] $ldap_group_objectsid, - Optional[String[1]] $ldap_group_modify_timestamp, - Optional[Integer] $ldap_group_type, - Optional[Integer] $ldap_group_nesting_level, - Boolean $ldap_groups_use_matching_rule_in_chain, - Boolean $ldap_initgroups_use_matching_rule_in_chain, - Boolean $ldap_use_tokengroups, - Optional[String[1]] $ldap_netgroup_object_class, - Optional[String[1]] $ldap_netgroup_name, - Optional[String[1]] $ldap_netgroup_member, - Optional[String[1]] $ldap_netgroup_triple, - Optional[String[1]] $ldap_netgroup_uuid, - Optional[String[1]] $ldap_netgroup_modify_timestamp, - Optional[String[1]] $ldap_service_name, - Optional[String[1]] $ldap_service_port, - Optional[String[1]] $ldap_service_proto, - Optional[String[1]] $ldap_service_search_base, - Optional[Integer[0]] $ldap_search_timeout, - Optional[Integer[0]] $ldap_enumeration_search_timeout, - Optional[Integer[0]] $ldap_network_timeout, - Optional[Integer[0]] $ldap_opt_timeout, - Optional[Integer[0]] $ldap_connection_expire_timeout, - Optional[Integer[0]] $ldap_page_size, - Boolean $ldap_disable_paging, - Boolean $ldap_disable_range_retrieval, - Optional[Integer] $ldap_sasl_minssf, - Optional[Integer[0]] $ldap_deref_threshold, - Sssd::LdapTlsReqcert $ldap_tls_reqcert, - Optional[String[1]] $ldap_tls_cacert, - Optional[Stdlib::Absolutepath] $ldap_tls_cacertdir, - Optional[Stdlib::Absolutepath] $ldap_tls_key, - Optional[Stdlib::Absolutepath] $ldap_tls_cert, 
- Boolean $strip_128_bit_ciphers, - Array[String[1]] $ldap_tls_cipher_suite, - Boolean $ldap_id_use_start_tls, - Boolean $ldap_id_mapping, - Optional[Integer[0]] $ldap_min_id, - Optional[Integer[0]] $ldap_max_id, - Optional[String[1]] $ldap_sasl_mech, - Optional[String[1]] $ldap_sasl_authid, - Optional[String[1]] $ldap_sasl_realm, - Boolean $ldap_sasl_canonicalize, - Optional[Stdlib::Absolutepath] $ldap_krb5_keytab, - Boolean $ldap_krb5_init_creds, - Optional[Integer] $ldap_krb5_ticket_lifetime, - Optional[Array[String[1],1]] $krb5_server, - Optional[Array[String[1],1]] $krb5_backup_server, - Optional[String[1]] $krb5_realm, - Boolean $krb5_canonicalize, - Boolean $krb5_use_kdcinfo, - Sssd::LdapAccountExpirePol $ldap_account_expire_policy, - Enum['none','shadow','mit_kerberos'] $ldap_pwd_policy, - Boolean $ldap_referrals, - Optional[String[1]] $ldap_dns_service_name, - Optional[String[1]] $ldap_chpass_dns_service_name, - Optional[String[1]] $ldap_access_filter, - Sssd::LdapAccessOrder $ldap_access_order, - Optional[String[1]] $ldap_pwdlockout_dn, - Optional[Sssd::LdapDeref] $ldap_deref, - Optional[String[1]] $ldap_sudorule_object_class, - Optional[String[1]] $ldap_sudorule_name, - Optional[String[1]] $ldap_sudorule_command, - Optional[String[1]] $ldap_sudorule_host, - Optional[String[1]] $ldap_sudorule_user, - Optional[String[1]] $ldap_sudorule_option, - Optional[String[1]] $ldap_sudorule_runasuser, - Optional[String[1]] $ldap_sudorule_runasgroup, - Optional[String[1]] $ldap_sudorule_notbefore, - Optional[String[1]] $ldap_sudorule_notafter, - Optional[String[1]] $ldap_sudorule_order, - Optional[Integer[0]] $ldap_sudo_full_refresh_interval, - Optional[Integer[0]] $ldap_sudo_smart_refresh_interval, - Boolean $ldap_sudo_use_host_filter, - Optional[Array[String[1],1]] $ldap_sudo_hostnames, - Optional[Array[String[1],1]] $ldap_sudo_ip, - Boolean $ldap_sudo_include_netgroups, - Boolean $ldap_sudo_include_regexp, - Optional[String[1]] $ldap_autofs_map_master_name, - 
Optional[String[1]] $ldap_autofs_map_object_class, - Optional[String[1]] $ldap_autofs_map_name, - Optional[String[1]] $ldap_autofs_entry_object_class, - Optional[String[1]] $ldap_autofs_entry_key, - Optional[String[1]] $ldap_autofs_entry_value, -# Be careful with the following options! - Optional[String[1]] $ldap_netgroup_search_base, - Optional[String[1]] $ldap_user_search_base, - Optional[String[1]] $ldap_group_search_base, - Optional[String[1]] $ldap_sudo_search_base, - Optional[String[1]] $ldap_autofs_search_base, -# Advanced Configuration - Read the man page - Optional[Integer[0]] $ldap_idmap_range_min, - Optional[Integer[0]] $ldap_idmap_range_max, - Optional[Integer[0]] $ldap_idmap_range_size, - Optional[String[1]] $ldap_idmap_default_domain_sid, - Optional[String[1]] $ldap_idmap_default_domain, - Boolean $ldap_idmap_autorid_compat, - Boolean $client_tls, + String[1] $title, + String[1] $content, | -%> [domain/<%= $title %>] # sssd::provider::ldap -<% - if $facts['sssd_version'] =~ String[1] { - $sssd_major_version = Integer($facts['sssd_version'].split(/\./)[0]) - } elsif $facts['os']['release']['major'] < '8' { - $sssd_major_version = 1 - } else { - $sssd_major_version = 2 - } - - # Simply too many options to make it more confusing than this... 
- $output = [ - 'debug_level', - 'debug_timestamps', - 'debug_microseconds', - 'ldap_search_base', - 'ldap_schema', - 'ldap_default_bind_dn', - 'ldap_default_authtok_type', - 'ldap_default_authtok', - 'ldap_user_cert', - 'ldap_user_object_class', - 'ldap_user_name', - 'ldap_user_uid_number', - 'ldap_user_gid_number', - 'ldap_user_gecos', - 'ldap_user_home_directory', - 'ldap_user_shell', - 'ldap_user_uuid', - 'ldap_user_objectsid', - 'ldap_user_modify_timestamp', - 'ldap_user_shadow_last_change', - 'ldap_user_shadow_min', - 'ldap_user_shadow_max', - 'ldap_user_shadow_warning', - 'ldap_user_shadow_inactive', - 'ldap_user_shadow_expire', - 'ldap_user_krb_last_pwd_change', - 'ldap_user_krb_password_expiration', - 'ldap_user_ad_account_expires', - 'ldap_user_ad_user_account_control', - 'ldap_ns_account_lock', - 'ldap_user_nds_login_disabled', - 'ldap_user_nds_login_expiration_time', - 'ldap_user_nds_login_allowed_time_map', - 'ldap_user_principal', - 'ldap_user_ssh_public_key', - 'ldap_force_upper_case_realm', - 'ldap_enumeration_refresh_timeout', - 'ldap_purge_cache_timeout', - 'ldap_user_fullname', - 'ldap_user_member_of', - 'ldap_user_authorized_service', - 'ldap_user_authorized_host', - 'ldap_group_object_class', - 'ldap_group_name', - 'ldap_group_gid_number', - 'ldap_group_member', - 'ldap_group_uuid', - 'ldap_group_objectsid', - 'ldap_group_modify_timestamp', - 'ldap_group_type', - 'ldap_group_nesting_level', - 'ldap_use_tokengroups', - 'ldap_netgroup_object_class', - 'ldap_netgroup_name', - 'ldap_netgroup_member', - 'ldap_netgroup_triple', - 'ldap_netgroup_uuid', - 'ldap_netgroup_modify_timestamp', - 'ldap_service_name', - 'ldap_service_port', - 'ldap_service_proto', - 'ldap_service_search_base', - 'ldap_search_timeout', - 'ldap_enumeration_search_timeout', - 'ldap_network_timeout', - 'ldap_opt_timeout', - 'ldap_connection_expire_timeout', - 'ldap_page_size', - 'ldap_disable_paging', - 'ldap_disable_range_retrieval', - 'ldap_sasl_minssf', - 
'ldap_deref_threshold', - 'ldap_tls_reqcert', - 'ldap_tls_cacert', - 'ldap_tls_cacertdir', - 'ldap_tls_cert', - 'ldap_tls_key', - 'ldap_id_use_start_tls', - 'ldap_id_mapping', - 'ldap_min_id', - 'ldap_max_id', - 'ldap_sasl_mech', - 'ldap_sasl_authid', - 'ldap_sasl_realm', - 'ldap_sasl_canonicalize', - 'ldap_krb5_keytab', - 'ldap_krb5_init_creds', - 'ldap_krb5_ticket_lifetime', - 'krb5_realm', - 'krb5_canonicalize', - 'krb5_use_kdcinfo', - 'ldap_pwd_policy', - 'ldap_referrals', - 'ldap_dns_service_name', - 'ldap_chpass_dns_service_name', - 'ldap_chpass_update_last_change', - 'ldap_access_filter', - '_ldap_account_expire_policy', - 'ldap_pwdlockout_dn', - 'ldap_deref', - 'ldap_sudorule_object_class', - 'ldap_sudorule_name', - 'ldap_sudorule_command', - 'ldap_sudorule_host', - 'ldap_sudorule_user', - 'ldap_sudorule_option', - 'ldap_sudorule_runasuser', - 'ldap_sudorule_runasgroup', - 'ldap_sudorule_notbefore', - 'ldap_sudorule_notafter', - 'ldap_sudorule_order', - 'ldap_sudo_full_refresh_interval', - 'ldap_sudo_smart_refresh_interval', - 'ldap_sudo_use_host_filter', - 'ldap_sudo_include_netgroups ', - 'ldap_sudo_include_regexp', - 'ldap_autofs_map_master_name', - 'ldap_autofs_map_object_class', - 'ldap_autofs_map_name', - 'ldap_autofs_entry_object_class', - 'ldap_autofs_entry_key', - 'ldap_autofs_entry_value', - 'ldap_netgroup_search_base', - 'ldap_user_search_base', - 'ldap_group_search_base', - 'ldap_sudo_search_base', - 'ldap_autofs_search_base', - 'ldap_idmap_range_min', - 'ldap_idmap_range_max', - 'ldap_idmap_range_size', - 'ldap_idmap_default_domain_sid', - 'ldap_idmap_default_domain', - 'ldap_idmap_autorid_compat' - ] + (($sssd_major_version < 2) ? 
{ - true => [ - # options only available in sssd v1 (the version used prior to el8) - 'ldap_groups_use_matching_rule_in_chain', - 'ldap_initgroups_use_matching_rule_in_chain', - ], - default=> [], - }).map |$param| { - $value = getvar($param) - - # Make sure to distinguish between nil and false, as we may need to - # set a parameter to false in this config! - unless $value =~ Undef { - "${$param.regsubst(/^_/, '')} = ${value}" - } - } + { - 'ldap_uri' => ',', - 'ldap_backup_uri' => ',', - 'ldap_chpass_uri' => ',', - 'ldap_chpass_backup_uri' => ',', - 'ldap_user_extra_attrs' => ',', - 'ldap_tls_cipher_suite' => ':', - 'ldap_access_order' => ',', - 'ldap_sudo_hostnames' => ' ', - 'ldap_sudo_ip' => ' ', - 'krb5_server' => ',', - 'krb5_backup_server' => ',' - }.map |$param, $separator| { - $value = getvar($param) - - if $value and !$value.empty { - "${$param.regsubst(/^_/, '')} = ${Array($value).unique.join($separator)}" - } - } --%> -<%= $output.filter |$item| { $item =~ String[1] }.sort.join("\n") %> +<%= $content %> From 879b7399750d36b565e37f5a3c165380ca9b016c Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 24 Sep 2025 10:34:26 -0500 Subject: [PATCH 09/25] Refactor AD template --- manifests/provider/ad.pp | 284 ++++++++++++++++++++++++++++++-------- templates/provider/ad.epp | 212 +--------------------------- 2 files changed, 229 insertions(+), 267 deletions(-) diff --git a/manifests/provider/ad.pp b/manifests/provider/ad.pp index 306652d..c085015 100644 --- a/manifests/provider/ad.pp +++ b/manifests/provider/ad.pp 
@@ -150,64 +150,232 @@ Optional[String[1]] $ldap_user_extra_attrs = undef, Optional[String[1]] $ldap_user_ssh_public_key = undef, ) { - sssd::config::entry { "puppet_provider_${name}_ad": - content => epp( - "${module_name}/provider/ad.epp", - { - 'title' => $title, - 'ad_domain' => $ad_domain, - 'ad_enabled_domains' => $ad_enabled_domains, - 'ad_servers' => $ad_servers, - 'ad_backup_servers' => $ad_backup_servers, - 'ad_hostname' => $ad_hostname, - 'ad_enable_dns_sites' => $ad_enable_dns_sites, - 'ad_access_filters' => $ad_access_filters, - 'ad_site' => $ad_site, - 'ad_enable_gc' => $ad_enable_gc, - 'ad_gpo_access_control' => $ad_gpo_access_control, - 'ad_gpo_cache_timeout' => $ad_gpo_cache_timeout, - 'ad_gpo_map_interactive' => $ad_gpo_map_interactive, - 'ad_gpo_map_remote_interactive' => $ad_gpo_map_remote_interactive, - 'ad_gpo_map_network' => $ad_gpo_map_network, - 'ad_gpo_map_batch' => $ad_gpo_map_batch, - 'ad_gpo_map_service' => $ad_gpo_map_service, - 'ad_gpo_map_permit' => $ad_gpo_map_permit, - 'ad_gpo_map_deny' => $ad_gpo_map_deny, - 'ad_gpo_default_right' => $ad_gpo_default_right, - 'ad_gpo_implicit_deny' => $ad_gpo_implicit_deny, - 'ad_gpo_ignore_unreadable' => $ad_gpo_ignore_unreadable, - 'ad_maximum_machine_account_password_age' => $ad_maximum_machine_account_password_age, - 'ad_machine_account_password_renewal_opts' => $ad_machine_account_password_renewal_opts, - 'default_shell' => $default_shell, - 'dyndns_update' => $dyndns_update, - 'dyndns_ttl' => $dyndns_ttl, - 'dyndns_ifaces' => $dyndns_ifaces, - 'dyndns_refresh_interval' => $dyndns_refresh_interval, - 'dyndns_update_ptr' => $dyndns_update_ptr, - 'dyndns_force_tcp' => $dyndns_force_tcp, - 'dyndns_server' => $dyndns_server, - 'override_homedir' => $override_homedir, - 'fallback_homedir' => $fallback_homedir, - 'homedir_substring' => $homedir_substring, - 'krb5_realm' => $krb5_realm, - 'krb5_confd_path' => $krb5_confd_path, - 'krb5_use_enterprise_principal' => $krb5_use_enterprise_principal, - 
'krb5_store_password_if_offline' => $krb5_store_password_if_offline, - 'ldap_id_mapping' => $ldap_id_mapping, - 'ldap_schema' => $ldap_schema, - 'ldap_idmap_range_min' => $ldap_idmap_range_min, - 'ldap_idmap_range_max' => $ldap_idmap_range_max, - 'ldap_idmap_range_size' => $ldap_idmap_range_size, - 'ldap_idmap_default_domain_sid' => $ldap_idmap_default_domain_sid, - 'ldap_idmap_default_domain' => $ldap_idmap_default_domain, - 'ldap_idmap_autorid_compat' => $ldap_idmap_autorid_compat, - 'ldap_idmap_helper_table_size' => $ldap_idmap_helper_table_size, - 'ldap_use_tokengroups' => $ldap_use_tokengroups, - 'ldap_group_objectsid' => $ldap_group_objectsid, - 'ldap_user_objectsid' => $ldap_user_objectsid, - 'ldap_user_extra_attrs' => $ldap_user_extra_attrs, - 'ldap_user_ssh_public_key' => $ldap_user_ssh_public_key, - } + # Create parameter hash for easier access + $param_values = { + 'ad_domain' => $ad_domain, + 'ad_enabled_domains' => $ad_enabled_domains, + 'ad_servers' => $ad_servers, + 'ad_backup_servers' => $ad_backup_servers, + 'ad_hostname' => $ad_hostname, + 'ad_enable_dns_sites' => $ad_enable_dns_sites, + 'ad_access_filters' => $ad_access_filters, + 'ad_site' => $ad_site, + 'ad_enable_gc' => $ad_enable_gc, + 'ad_gpo_access_control' => $ad_gpo_access_control, + 'ad_gpo_cache_timeout' => $ad_gpo_cache_timeout, + 'ad_gpo_map_interactive' => $ad_gpo_map_interactive, + 'ad_gpo_map_remote_interactive' => $ad_gpo_map_remote_interactive, + 'ad_gpo_map_network' => $ad_gpo_map_network, + 'ad_gpo_map_batch' => $ad_gpo_map_batch, + 'ad_gpo_map_service' => $ad_gpo_map_service, + 'ad_gpo_map_permit' => $ad_gpo_map_permit, + 'ad_gpo_map_deny' => $ad_gpo_map_deny, + 'ad_gpo_default_right' => $ad_gpo_default_right, + 'ad_gpo_implicit_deny' => $ad_gpo_implicit_deny, + 'ad_gpo_ignore_unreadable' => $ad_gpo_ignore_unreadable, + 'ad_maximum_machine_account_password_age' => $ad_maximum_machine_account_password_age, + 'ad_machine_account_password_renewal_opts' => 
$ad_machine_account_password_renewal_opts, + 'default_shell' => $default_shell, + 'override_homedir' => $override_homedir, + 'fallback_homedir' => $fallback_homedir, + 'homedir_substring' => $homedir_substring, + 'krb5_realm' => $krb5_realm, + 'krb5_confd_path' => $krb5_confd_path, + 'krb5_use_enterprise_principal' => $krb5_use_enterprise_principal, + 'krb5_store_password_if_offline' => $krb5_store_password_if_offline, + 'ldap_id_mapping' => $ldap_id_mapping, + 'ldap_schema' => $ldap_schema, + 'ldap_idmap_range_min' => $ldap_idmap_range_min, + 'ldap_idmap_range_max' => $ldap_idmap_range_max, + 'ldap_idmap_range_size' => $ldap_idmap_range_size, + 'ldap_idmap_default_domain_sid' => $ldap_idmap_default_domain_sid, + 'ldap_idmap_default_domain' => $ldap_idmap_default_domain, + 'ldap_idmap_autorid_compat' => $ldap_idmap_autorid_compat, + 'ldap_idmap_helper_table_size' => $ldap_idmap_helper_table_size, + 'ldap_use_tokengroups' => $ldap_use_tokengroups, + 'ldap_group_objectsid' => $ldap_group_objectsid, + 'ldap_user_objectsid' => $ldap_user_objectsid, + 'ldap_user_extra_attrs' => $ldap_user_extra_attrs, + 'ldap_user_ssh_public_key' => $ldap_user_ssh_public_key, + } + + # Build configuration lines array (order matches expected test output) + $ad_domain_line = $ad_domain ? { undef => [], default => ["ad_domain = ${ad_domain}"] } + $ad_enabled_domains_line = $ad_enabled_domains ? { undef => [], default => ["ad_enabled_domains = ${ad_enabled_domains.join(', ')}"] } + + $ad_server_lines = $ad_servers ? { + undef => [], + default => ["ad_server = ${ad_servers.join(', ')}"] + ($ad_backup_servers ? { undef => [], default => ["ad_backup_server = ${ad_backup_servers.join(', ')}"] }) + } + + $ad_hostname_line = $ad_hostname ? { undef => [], default => ["ad_hostname = ${ad_hostname}"] } + $ad_enable_dns_sites_line = $ad_enable_dns_sites ? { undef => [], default => ["ad_enable_dns_sites = ${ad_enable_dns_sites}"] } + $ad_access_filters_line = $ad_access_filters ? 
{ undef => [], default => ["ad_access_filter = ${ad_access_filters.join('?')}"] } + $ad_site_line = $ad_site ? { undef => [], default => ["ad_site = ${ad_site}"] } + $ad_enable_gc_line = $ad_enable_gc ? { undef => [], default => ["ad_enable_gc = ${ad_enable_gc}"] } + + # GPO parameters + $ad_gpo_access_control_line = $ad_gpo_access_control ? { undef => [], default => ["ad_gpo_access_control = ${ad_gpo_access_control}"] } + $ad_gpo_cache_timeout_line = $ad_gpo_cache_timeout ? { undef => [], default => ["ad_gpo_cache_timeout = ${ad_gpo_cache_timeout}"] } + $ad_gpo_map_interactive_line = $ad_gpo_map_interactive ? { undef => [], default => ["ad_gpo_map_interactive = ${ad_gpo_map_interactive.join(', ')}"] } + $ad_gpo_map_remote_interactive_line = $ad_gpo_map_remote_interactive ? { undef => [], default => ["ad_gpo_map_remote_interactive = ${ad_gpo_map_remote_interactive.join(', ')}"] } + $ad_gpo_map_network_line = $ad_gpo_map_network ? { undef => [], default => ["ad_gpo_map_network = ${ad_gpo_map_network.join(', ')}"] } + $ad_gpo_map_batch_line = $ad_gpo_map_batch ? { undef => [], default => ["ad_gpo_map_batch = ${ad_gpo_map_batch.join(', ')}"] } + $ad_gpo_map_service_line = $ad_gpo_map_service ? { undef => [], default => ["ad_gpo_map_service = ${ad_gpo_map_service.join(', ')}"] } + $ad_gpo_map_permit_line = $ad_gpo_map_permit ? { undef => [], default => ["ad_gpo_map_permit = ${ad_gpo_map_permit.join(', ')}"] } + $ad_gpo_map_deny_line = $ad_gpo_map_deny ? { undef => [], default => ["ad_gpo_map_deny = ${ad_gpo_map_deny.join(', ')}"] } + $ad_gpo_default_right_line = $ad_gpo_default_right ? { undef => [], default => ["ad_gpo_default_right = ${ad_gpo_default_right}"] } + $ad_gpo_implicit_deny_line = $ad_gpo_implicit_deny ? { undef => [], default => ["ad_gpo_implicit_deny = ${ad_gpo_implicit_deny}"] } + $ad_gpo_ignore_unreadable_line = $ad_gpo_ignore_unreadable ? 
{ undef => [], default => ["ad_gpo_ignore_unreadable = ${ad_gpo_ignore_unreadable}"] } + + # Machine account parameters + $ad_maximum_machine_account_password_age_line = $ad_maximum_machine_account_password_age ? { undef => [], default => ["ad_maximum_machine_account_password_age = ${ad_maximum_machine_account_password_age}"] } + $ad_machine_account_password_renewal_opts_line = $ad_machine_account_password_renewal_opts ? { undef => [], default => ["ad_machine_account_password_renewal_opts = ${ad_machine_account_password_renewal_opts}"] } + + # General parameters + $default_shell_line = $default_shell ? { undef => [], default => ["default_shell = ${default_shell}"] } + + # Dynamic DNS parameters + $dyndns_update_line = $dyndns_update ? { undef => [], default => ["dyndns_update = ${dyndns_update}"] } + $dyndns_conditional_lines = $dyndns_update ? { + true => ( + ($dyndns_ttl ? { undef => [], default => ["dyndns_ttl = ${dyndns_ttl}"] }) + + ($dyndns_ifaces ? { undef => [], default => ["dyndns_iface = ${dyndns_ifaces.join(', ')}"] }) + + ($dyndns_refresh_interval ? { undef => [], default => ["dyndns_refresh_interval = ${dyndns_refresh_interval}"] }) + + ($dyndns_update_ptr ? { undef => [], default => ["dyndns_update_ptr = ${dyndns_update_ptr}"] }) + + ($dyndns_force_tcp ? { undef => [], default => ["dyndns_force_tcp = ${dyndns_force_tcp}"] }) + + ($dyndns_server ? { undef => [], default => ["dyndns_server = ${dyndns_server}"] }) ), + default => [] + } + + # Home directory parameters + $override_homedir_line = $override_homedir ? { undef => [], default => ["override_homedir = ${override_homedir}"] } + $homedir_substring_line = $homedir_substring ? { undef => [], default => ["homedir_substring = ${homedir_substring}"] } + $fallback_homedir_line = $fallback_homedir ? { undef => [], default => ["fallback_homedir = ${fallback_homedir}"] } + + # Kerberos parameters + $krb5_realm_line = $krb5_realm ? 
{ undef => [], default => ["krb5_realm = ${krb5_realm}"] } + $krb5_confd_path_line = $krb5_confd_path ? { undef => [], default => ["krb5_confd_path = ${krb5_confd_path}"] } + $krb5_use_enterprise_principal_line = $krb5_use_enterprise_principal ? { undef => [], default => ["krb5_use_enterprise_principal = ${krb5_use_enterprise_principal}"] } + $krb5_store_password_if_offline_line = $krb5_store_password_if_offline ? { undef => [], default => ["krb5_store_password_if_offline = ${krb5_store_password_if_offline}"] } + + # LDAP ID mapping (always present) + $ldap_id_mapping_line = ["ldap_id_mapping = ${ldap_id_mapping}"] + $ldap_idmap_conditional_lines = $ldap_id_mapping ? { + true => ( + ($ldap_schema ? { undef => [], default => ["ldap_schema = ${ldap_schema}"] }) + + ($ldap_idmap_range_min ? { undef => [], default => ["ldap_idmap_range_min = ${ldap_idmap_range_min}"] }) + + ($ldap_idmap_range_max ? { undef => [], default => ["ldap_idmap_range_max = ${ldap_idmap_range_max}"] }) + + ($ldap_idmap_range_size ? { undef => [], default => ["ldap_idmap_range_size = ${ldap_idmap_range_size}"] }) + + ($ldap_idmap_default_domain_sid ? { undef => [], default => ["ldap_idmap_default_domain_sid = ${ldap_idmap_default_domain_sid}"] }) + + ($ldap_idmap_default_domain ? { undef => [], default => ["ldap_idmap_default_domain = ${ldap_idmap_default_domain}"] }) + + ($ldap_idmap_autorid_compat ? { undef => [], default => ["ldap_idmap_autorid_compat = ${ldap_idmap_autorid_compat}"] }) + + ($ldap_idmap_helper_table_size ? { undef => [], default => ["ldap_idmap_helper_table_size = ${ldap_idmap_helper_table_size}"] }) + ), + default => [] + } + + # LDAP parameters (always present) + $ldap_use_tokengroups_line = ["ldap_use_tokengroups = ${ldap_use_tokengroups}"] + $ldap_group_objectsid_line = $ldap_group_objectsid ? { undef => [], default => ["ldap_group_objectsid = ${ldap_group_objectsid}"] } + $ldap_user_objectsid_line = $ldap_user_objectsid ? 
{ undef => [], default => ["ldap_user_objectsid = ${ldap_user_objectsid}"] } + $ldap_user_extra_attrs_line = $ldap_user_extra_attrs ? { undef => [], default => ["ldap_user_extra_attrs = ${ldap_user_extra_attrs}"] } + $ldap_user_ssh_public_key_line = $ldap_user_ssh_public_key ? { undef => [], default => ["ldap_user_ssh_public_key = ${ldap_user_ssh_public_key}"] } + + # Combine all lines in order + $config_lines = ( + $ad_domain_line + + $ad_enabled_domains_line + + $ad_server_lines + + $ad_hostname_line + + $ad_enable_dns_sites_line + + $ad_access_filters_line + + $ad_site_line + + $ad_enable_gc_line + + $ad_gpo_access_control_line + + $ad_gpo_cache_timeout_line + + $ad_gpo_map_interactive_line + + $ad_gpo_map_remote_interactive_line + + $ad_gpo_map_network_line + + $ad_gpo_map_batch_line + + $ad_gpo_map_service_line + + $ad_gpo_map_permit_line + + $ad_gpo_map_deny_line + + $ad_gpo_default_right_line + + $ad_gpo_implicit_deny_line + + $ad_gpo_ignore_unreadable_line + + $ad_maximum_machine_account_password_age_line + + $ad_machine_account_password_renewal_opts_line + + $default_shell_line + + $dyndns_update_line + + $dyndns_conditional_lines + + $override_homedir_line + + $homedir_substring_line + + $fallback_homedir_line + + $krb5_realm_line + + $krb5_confd_path_line + + $krb5_use_enterprise_principal_line + + $krb5_store_password_if_offline_line + + $ldap_id_mapping_line + + $ldap_idmap_conditional_lines + + $ldap_use_tokengroups_line + + $ldap_group_objectsid_line + + $ldap_user_objectsid_line + + $ldap_user_extra_attrs_line + + $ldap_user_ssh_public_key_line + ) + + # Boolean parameters that should always be output + $boolean_params = { + 'dyndns_update' => $dyndns_update, + 'krb5_store_password_if_offline' => $krb5_store_password_if_offline, + 'ldap_id_mapping' => $ldap_id_mapping, + 'ldap_use_tokengroups' => $ldap_use_tokengroups, + } + + # Optional boolean parameters (only output if not undef) + $optional_boolean_params = { + 'ad_enable_dns_sites' => 
$ad_enable_dns_sites, + 'ad_enable_gc' => $ad_enable_gc, + 'ad_gpo_implicit_deny' => $ad_gpo_implicit_deny, + 'ad_gpo_ignore_unreadable' => $ad_gpo_ignore_unreadable, + 'krb5_use_enterprise_principal' => $krb5_use_enterprise_principal, + 'ldap_idmap_autorid_compat' => $ldap_idmap_autorid_compat, + } + + # Array parameters with different separators and special handling + $array_params = { + 'ad_enabled_domains' => { 'value' => $ad_enabled_domains, 'separator' => ', ' }, + 'ad_servers' => { 'value' => $ad_servers, 'separator' => ', ', 'param_name' => 'ad_server' }, + 'ad_backup_servers' => { 'value' => $ad_backup_servers, 'separator' => ', ', 'param_name' => 'ad_backup_server' }, + 'ad_access_filters' => { 'value' => $ad_access_filters, 'separator' => '?', 'param_name' => 'ad_access_filter' }, + 'ad_gpo_map_interactive' => { 'value' => $ad_gpo_map_interactive, 'separator' => ', ' }, + 'ad_gpo_map_remote_interactive' => { 'value' => $ad_gpo_map_remote_interactive, 'separator' => ', ' }, + 'ad_gpo_map_network' => { 'value' => $ad_gpo_map_network, 'separator' => ', ' }, + 'ad_gpo_map_batch' => { 'value' => $ad_gpo_map_batch, 'separator' => ', ' }, + 'ad_gpo_map_service' => { 'value' => $ad_gpo_map_service, 'separator' => ', ' }, + 'ad_gpo_map_permit' => { 'value' => $ad_gpo_map_permit, 'separator' => ', ' }, + 'ad_gpo_map_deny' => { 'value' => $ad_gpo_map_deny, 'separator' => ', ' }, + } + + # DynDNS parameters (only included if dyndns_update is true) + $dyndns_params = { + 'dyndns_ttl' => $dyndns_ttl, + 'dyndns_ifaces' => $dyndns_ifaces, # Special case: array with param_name 'dyndns_iface' + 'dyndns_refresh_interval' => $dyndns_refresh_interval, + 'dyndns_update_ptr' => $dyndns_update_ptr, + 'dyndns_force_tcp' => $dyndns_force_tcp, + 'dyndns_server' => $dyndns_server, + } + + # Join all configuration lines + $content = $config_lines.join("\n") + + sssd::config::entry { "puppet_provider_${name}_ad": + content => epp("${module_name}/provider/ad.epp", { + 'title' => 
$title, + 'content' => $content, + }), } } diff --git a/templates/provider/ad.epp b/templates/provider/ad.epp index 74a693c..fb2710b 100644 --- a/templates/provider/ad.epp +++ b/templates/provider/ad.epp 
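Review bot: `$param_values`, `$boolean_params`, `$optional_boolean_params`, `$array_params` and `$dyndns_params` are assigned but never read — `$content` is built solely from `$config_lines`, which is assembled from the individual `_line` variables — so the five hashes (and the `# Create parameter hash for easier access` comment) are dead code. They also re-encode the same name mappings and separators (`ad_server`, `ad_access_filter` joined with `'?'`, `dyndns_iface`) that the `_line` selectors hard-code, so the two copies will drift apart on the next edit. Either delete them or make them the single source of truth by deriving `$config_lines` from them. The define's parameter list begins before the hunk.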
@@ -1,213 +1,7 @@ <% | - String $title, - Optional[String[1]] $ad_domain, - Optional[Array[String[1],1]] $ad_enabled_domains, - Optional[Array[Variant[Simplib::Hostname, Enum['_srv_']]]] $ad_servers, - Optional[Array[Simplib::Hostname,1]] $ad_backup_servers, - Optional[Simplib::Hostname] $ad_hostname, - Optional[Boolean] $ad_enable_dns_sites, - Optional[Array[String[1],1]] $ad_access_filters, - Optional[String[1]] $ad_site, - Optional[Boolean] $ad_enable_gc, - Optional[Enum['disabled','enforcing','permissive']] $ad_gpo_access_control, - Optional[Integer[1]] $ad_gpo_cache_timeout, - Optional[Array[String[1],1]] $ad_gpo_map_interactive, - Optional[Array[String[1],1]] $ad_gpo_map_remote_interactive, - Optional[Array[String[1],1]] $ad_gpo_map_network, - Optional[Array[String[1],1]] $ad_gpo_map_batch, - Optional[Array[String[1],1]] $ad_gpo_map_service, - Optional[Array[String[1],1]] $ad_gpo_map_permit, - Optional[Array[String[1],1]] $ad_gpo_map_deny, - Optional[Sssd::ADDefaultRight] $ad_gpo_default_right, - Optional[Boolean] $ad_gpo_implicit_deny, - Optional[Boolean] $ad_gpo_ignore_unreadable, - Optional[Integer[0]] $ad_maximum_machine_account_password_age, - Optional[Pattern['^\d+:\d+$']] $ad_machine_account_password_renewal_opts, - Optional[String[1]] $default_shell, - Boolean $dyndns_update, - Optional[Integer] $dyndns_ttl, - Optional[Array[String[1],1]] $dyndns_ifaces, - Optional[Integer] $dyndns_refresh_interval, - Optional[Boolean] $dyndns_update_ptr, - Optional[Boolean] $dyndns_force_tcp, - Optional[Simplib::Hostname] $dyndns_server, - Optional[String[1]] $override_homedir, - Optional[String[1]] $fallback_homedir, - Optional[Stdlib::Absolutepath] $homedir_substring, - Optional[String[1]] $krb5_realm, - Optional[Variant[Enum['none'],Stdlib::Absolutepath]] $krb5_confd_path, - Optional[Boolean] $krb5_use_enterprise_principal, - Boolean $krb5_store_password_if_offline, - Boolean $ldap_id_mapping, - Optional[String[1]] $ldap_schema, - Optional[Integer[0]] 
$ldap_idmap_range_min, - Optional[Integer[1]] $ldap_idmap_range_max, - Optional[Integer[1]] $ldap_idmap_range_size, - Optional[String[1]] $ldap_idmap_default_domain_sid, - Optional[String[1]] $ldap_idmap_default_domain, - Optional[Boolean] $ldap_idmap_autorid_compat, - Optional[Integer[1]] $ldap_idmap_helper_table_size, - Boolean $ldap_use_tokengroups, - Optional[String[1]] $ldap_group_objectsid, - Optional[String[1]] $ldap_user_objectsid, - Optional[String[1]] $ldap_user_extra_attrs, - Optional[String[1]] $ldap_user_ssh_public_key, + String[1] $title, + String[1] $content, | -%> [domain/<%= $title %>] # sssd::provider::ad -<% if $ad_domain { -%> -ad_domain = <%= $ad_domain %> -<% } -%> -<% if $ad_enabled_domains { -%> -ad_enabled_domains = <%= $ad_enabled_domains.join(', ') %> -<% } -%> -<% if $ad_servers { -%> -ad_server = <%= $ad_servers.join(', ') %> -<% if $ad_backup_servers { -%> -ad_backup_server = <%= $ad_backup_servers.join(', ') %> -<% } -%> -<% } -%> -<% if $ad_hostname { -%> -ad_hostname = <%= $ad_hostname %> -<% } -%> -<% unless $ad_enable_dns_sites =~ Undef { -%> -ad_enable_dns_sites = <%= $ad_enable_dns_sites %> -<% } -%> -<% if $ad_access_filters { -%> -ad_access_filter = <%= $ad_access_filters.join('?') %> -<% } -%> -<% if $ad_site { -%> -ad_site = <%= $ad_site %> -<% } -%> -<% unless $ad_enable_gc =~ Undef { -%> -ad_enable_gc = <%= $ad_enable_gc %> -<% } -%> -<% if $ad_gpo_access_control { -%> -ad_gpo_access_control = <%= $ad_gpo_access_control %> -<% } -%> -<% if $ad_gpo_cache_timeout { -%> -ad_gpo_cache_timeout = <%= $ad_gpo_cache_timeout %> -<% } -%> -<% if $ad_gpo_map_interactive { -%> -ad_gpo_map_interactive = <%= $ad_gpo_map_interactive.join(', ') %> -<% } -%> -<% if $ad_gpo_map_remote_interactive { -%> -ad_gpo_map_remote_interactive = <%= $ad_gpo_map_remote_interactive.join(', ') %> -<% } -%> -<% if $ad_gpo_map_network { -%> -ad_gpo_map_network = <%= $ad_gpo_map_network.join(', ') %> -<% } -%> -<% if $ad_gpo_map_batch { -%> 
-ad_gpo_map_batch = <%= $ad_gpo_map_batch.join(', ') %> -<% } -%> -<% if $ad_gpo_map_service { -%> -ad_gpo_map_service = <%= $ad_gpo_map_service.join(', ') %> -<% } -%> -<% if $ad_gpo_map_permit { -%> -ad_gpo_map_permit = <%= $ad_gpo_map_permit.join(', ') %> -<% } -%> -<% if $ad_gpo_map_deny { -%> -ad_gpo_map_deny = <%= $ad_gpo_map_deny.join(', ') %> -<% } -%> -<% if $ad_gpo_default_right { -%> -ad_gpo_default_right = <%= $ad_gpo_default_right %> -<% } -%> -<% unless $ad_gpo_implicit_deny =~ Undef { -%> -ad_gpo_implicit_deny = <%= $ad_gpo_implicit_deny %> -<% } -%> -<% unless $ad_gpo_ignore_unreadable =~ Undef { -%> -ad_gpo_ignore_unreadable = <%= $ad_gpo_ignore_unreadable %> -<% } -%> -<% if $ad_maximum_machine_account_password_age { -%> -ad_maximum_machine_account_password_age = <%= $ad_maximum_machine_account_password_age %> -<% } -%> -<% if $ad_machine_account_password_renewal_opts { -%> -ad_machine_account_password_renewal_opts = <%= $ad_machine_account_password_renewal_opts %> -<% } -%> -<% if $default_shell { -%> -default_shell = <%= $default_shell %> -<% } -%> -<% unless $dyndns_update =~ Undef { -%> -dyndns_update = <%= $dyndns_update %> -<% } -%> -<% if $dyndns_update { -%> -<% if $dyndns_ttl { -%> -dyndns_ttl = <%= $dyndns_ttl %> -<% } -%> -<% if $dyndns_ifaces { -%> -dyndns_iface = <%= $dyndns_ifaces.join(', ') %> -<% } -%> -<% if $dyndns_refresh_interval { -%> -dyndns_refresh_interval = <%= $dyndns_refresh_interval %> -<% } -%> -<% unless $dyndns_update_ptr =~ Undef { -%> -dyndns_update_ptr = <%= $dyndns_update_ptr %> -<% } -%> -<% unless $dyndns_force_tcp =~ Undef { -%> -dyndns_force_tcp = <%= $dyndns_force_tcp %> -<% } -%> -<% if $dyndns_server { -%> -dyndns_server = <%= $dyndns_server %> -<% } -%> -<% } -%> -<% if $override_homedir { -%> -override_homedir = <%= $override_homedir %> -<% } -%> -<% if $homedir_substring { -%> -homedir_substring = <%= $homedir_substring %> -<% } -%> -<% if $fallback_homedir { -%> -fallback_homedir = <%= 
$fallback_homedir %> -<% } -%> -<% if $krb5_realm { -%> -krb5_realm = <%= $krb5_realm %> -<% } -%> -<% if $krb5_confd_path { -%> -krb5_confd_path = <%= $krb5_confd_path %> -<% } -%> -<% unless $krb5_use_enterprise_principal =~ Undef { -%> -krb5_use_enterprise_principal = <%= $krb5_use_enterprise_principal %> -<% } -%> -<% unless $krb5_store_password_if_offline =~ Undef { -%> -krb5_store_password_if_offline = <%= $krb5_store_password_if_offline %> -<% } -%> -ldap_id_mapping = <%= $ldap_id_mapping %> -<% if $ldap_id_mapping { -%> -<% if $ldap_schema { -%> -ldap_schema = <%= $ldap_schema %> -<% } -%> -<% if $ldap_idmap_range_min { -%> -ldap_idmap_range_min = <%= $ldap_idmap_range_min %> -<% } -%> -<% if $ldap_idmap_range_max { -%> -ldap_idmap_range_max = <%= $ldap_idmap_range_max %> -<% } -%> -<% if $ldap_idmap_range_size { -%> -ldap_idmap_range_size = <%= $ldap_idmap_range_size %> -<% } -%> -<% if $ldap_idmap_default_domain_sid { -%> -ldap_idmap_default_domain_sid = <%= $ldap_idmap_default_domain_sid %> -<% } -%> -<% if $ldap_idmap_default_domain { -%> -ldap_idmap_default_domain = <%= $ldap_idmap_default_domain %> -<% } -%> -<% unless $ldap_idmap_autorid_compat =~ Undef { -%> -ldap_idmap_autorid_compat = <%= $ldap_idmap_autorid_compat %> -<% } -%> -<% if $ldap_idmap_helper_table_size { -%> -ldap_idmap_helper_table_size = <%= $ldap_idmap_helper_table_size %> -<% } -%> -<% } -%> -ldap_use_tokengroups = <%= $ldap_use_tokengroups %> -<% if $ldap_group_objectsid { -%> -ldap_group_objectsid = <%= $ldap_group_objectsid %> -<% } -%> -<% if $ldap_user_objectsid { -%> -ldap_user_objectsid = <%= $ldap_user_objectsid %> -<% } -%> -<% if $ldap_user_extra_attrs { -%> -ldap_user_extra_attrs = <%= $ldap_user_extra_attrs %> -<% } -%> -<% if $ldap_user_ssh_public_key { -%> -ldap_user_ssh_public_key = <%= $ldap_user_ssh_public_key %> -<% } -%> +<%= $content %> From aba8a8abd211332e45d7c0ba4286e96c72c610d5 Mon Sep 17 00:00:00 2001 
From: Steven Pritchard Date: Wed, 24 Sep 2025 10:54:40 -0500 Subject: [PATCH 10/25] Refactor domain template --- manifests/domain.pp | 179 +++++++++++++++++++++++++++++++------------ templates/domain.epp | 158 +------------------------------------- 2 files changed, 132 insertions(+), 205 deletions(-) diff --git a/manifests/domain.pp b/manifests/domain.pp index 3679fd7..da2e480 100644 --- a/manifests/domain.pp +++ b/manifests/domain.pp 
@@ -123,56 +123,135 @@ Optional[String] $ldap_user_search_filter = undef, Optional[Hash] $custom_options = undef, ) { + # Build configuration lines in order (matching expected test output) + # Debug settings + $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] } + $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"] + $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"] + + # Description and basic settings + $description_line = $description ? { undef => [], default => ["description = ${description}"] } + $min_id_line = ["min_id = ${min_id}"] + $max_id_line = ["max_id = ${max_id}"] + $enumerate_line = ["enumerate = ${enumerate}"] + + # Subdomain and timeout settings + $subdomain_enumerate_line = $subdomain_enumerate ? { false => [], default => ["subdomain_enumerate = ${subdomain_enumerate}"] } + $force_timeout_line = $force_timeout ? { undef => [], default => ["force_timeout = ${force_timeout}"] } + + # Entry cache timeout settings + $entry_cache_timeout_line = $entry_cache_timeout ? { undef => [], default => ["entry_cache_timeout = ${entry_cache_timeout}"] } + $entry_cache_user_timeout_line = $entry_cache_user_timeout ? { undef => [], default => ["entry_cache_user_timeout = ${entry_cache_user_timeout}"] } + $entry_cache_group_timeout_line = $entry_cache_group_timeout ? { undef => [], default => ["entry_cache_group_timeout = ${entry_cache_group_timeout}"] } + $entry_cache_netgroup_timeout_line = $entry_cache_netgroup_timeout ? { undef => [], default => ["entry_cache_netgroup_timeout = ${entry_cache_netgroup_timeout}"] } + $entry_cache_service_timeout_line = $entry_cache_service_timeout ? { undef => [], default => ["entry_cache_service_timeout = ${entry_cache_service_timeout}"] } + $entry_cache_sudo_timeout_line = $entry_cache_sudo_timeout ? 
{ undef => [], default => ["entry_cache_sudo_timeout = ${entry_cache_sudo_timeout}"] } + $entry_cache_autofs_timeout_line = $entry_cache_autofs_timeout ? { undef => [], default => ["entry_cache_autofs_timeout = ${entry_cache_autofs_timeout}"] } + $entry_cache_ssh_host_timeout_line = $entry_cache_ssh_host_timeout ? { undef => [], default => ["entry_cache_ssh_host_timeout = ${entry_cache_ssh_host_timeout}"] } + $refresh_expired_interval_line = $refresh_expired_interval ? { undef => [], default => ["refresh_expired_interval = ${refresh_expired_interval}"] } + + # Cache settings + $cache_credentials_line = ["cache_credentials = ${cache_credentials}"] + $account_cache_expiration_line = ["account_cache_expiration = ${account_cache_expiration}"] + $pwd_expiration_warning_line = $pwd_expiration_warning ? { undef => [], default => ["pwd_expiration_warning = ${pwd_expiration_warning}"] } + + # Naming settings + $use_fully_qualified_names_line = ["use_fully_qualified_names = ${use_fully_qualified_names}"] + $ignore_group_members_line = ["ignore_group_members = ${ignore_group_members}"] + + # Provider settings (id_provider is required, others optional) + $id_provider_line = ["id_provider = ${id_provider}"] + $auth_provider_line = $auth_provider ? { undef => [], default => ["auth_provider = ${auth_provider}"] } + $access_provider_line = $access_provider ? { undef => [], default => ["access_provider = ${access_provider}"] } + $chpass_provider_line = $chpass_provider ? { undef => [], default => ["chpass_provider = ${chpass_provider}"] } + $sudo_provider_line = $sudo_provider ? { undef => [], default => ["sudo_provider = ${sudo_provider}"] } + $selinux_provider_line = $selinux_provider ? { undef => [], default => ["selinux_provider = ${selinux_provider}"] } + $subdomains_provider_line = $subdomains_provider ? { undef => [], default => ["subdomains_provider = ${subdomains_provider}"] } + $autofs_provider_line = $autofs_provider ? 
{ undef => [], default => ["autofs_provider = ${autofs_provider}"] } + $hostid_provider_line = $hostid_provider ? { undef => [], default => ["hostid_provider = ${hostid_provider}"] } + + # Pattern and formatting settings + $re_expression_line = $re_expression ? { undef => [], default => ["re_expression = ${re_expression}"] } + $full_name_format_line = $full_name_format ? { undef => [], default => ["full_name_format = ${full_name_format}"] } + $lookup_family_order_line = $lookup_family_order ? { undef => [], default => ["lookup_family_order = ${lookup_family_order}"] } + + # DNS settings + $dns_resolver_timeout_line = ["dns_resolver_timeout = ${dns_resolver_timeout}"] + $dns_discovery_domain_line = $dns_discovery_domain ? { undef => [], default => ["dns_discovery_domain = ${dns_discovery_domain}"] } + + # Override and case sensitivity settings + $override_gid_line = $override_gid ? { undef => [], default => ["override_gid = ${override_gid}"] } + $case_sensitive_line = ["case_sensitive = ${case_sensitive}"] + $proxy_fast_alias_line = ["proxy_fast_alias = ${proxy_fast_alias}"] + + # Optional provider-specific settings + $realmd_tags_line = $realmd_tags ? { undef => [], default => ["realmd_tags = ${realmd_tags}"] } + $ldap_user_search_filter_line = $ldap_user_search_filter ? { undef => [], default => ["ldap_user_search_filter = ${ldap_user_search_filter}"] } + $proxy_pam_target_line = $proxy_pam_target ? { undef => [], default => ["proxy_pam_target = ${proxy_pam_target}"] } + $proxy_lib_name_line = $proxy_lib_name ? { undef => [], default => ["proxy_lib_name = ${proxy_lib_name}"] } + + # Custom options processing + $custom_options_lines = $custom_options ? 
{ + undef => [], + default => $custom_options.keys.sort.map |$opt| { "${opt} = ${custom_options[$opt]}" } + } + + # Combine all lines in order + $config_lines = ( + $debug_level_line + + $debug_timestamps_line + + $debug_microseconds_line + + $description_line + + $min_id_line + + $max_id_line + + $enumerate_line + + $subdomain_enumerate_line + + $force_timeout_line + + $entry_cache_timeout_line + + $entry_cache_user_timeout_line + + $entry_cache_group_timeout_line + + $entry_cache_netgroup_timeout_line + + $entry_cache_service_timeout_line + + $entry_cache_sudo_timeout_line + + $entry_cache_autofs_timeout_line + + $entry_cache_ssh_host_timeout_line + + $refresh_expired_interval_line + + $cache_credentials_line + + $account_cache_expiration_line + + $pwd_expiration_warning_line + + $use_fully_qualified_names_line + + $ignore_group_members_line + + $id_provider_line + + $auth_provider_line + + $access_provider_line + + $chpass_provider_line + + $sudo_provider_line + + $selinux_provider_line + + $subdomains_provider_line + + $autofs_provider_line + + $hostid_provider_line + + $re_expression_line + + $full_name_format_line + + $lookup_family_order_line + + $dns_resolver_timeout_line + + $dns_discovery_domain_line + + $override_gid_line + + $case_sensitive_line + + $proxy_fast_alias_line + + $realmd_tags_line + + $ldap_user_search_filter_line + + $proxy_pam_target_line + + $proxy_lib_name_line + + $custom_options_lines + ) + + # Join all configuration lines + $content = $config_lines.join("\n") + sssd::config::entry { "puppet_domain_${name}": - content => epp( - 'sssd/domain.epp', - { - 'id_provider' => $id_provider, - 'debug_level' => $debug_level, - 'debug_timestamps' => $debug_timestamps, - 'debug_microseconds' => $debug_microseconds, - 'description' => $description, - 'min_id' => $min_id, - 'max_id' => $max_id, - 'enumerate' => $enumerate, - 'subdomain_enumerate' => $subdomain_enumerate, - 'force_timeout' => $force_timeout, - 'entry_cache_timeout' => 
$entry_cache_timeout, - 'entry_cache_user_timeout' => $entry_cache_user_timeout, - 'entry_cache_group_timeout' => $entry_cache_group_timeout, - 'entry_cache_netgroup_timeout' => $entry_cache_netgroup_timeout, - 'entry_cache_service_timeout' => $entry_cache_service_timeout, - 'entry_cache_sudo_timeout' => $entry_cache_sudo_timeout, - 'entry_cache_autofs_timeout' => $entry_cache_autofs_timeout, - 'entry_cache_ssh_host_timeout' => $entry_cache_ssh_host_timeout, - 'refresh_expired_interval' => $refresh_expired_interval, - 'cache_credentials' => $cache_credentials, - 'account_cache_expiration' => $account_cache_expiration, - 'pwd_expiration_warning' => $pwd_expiration_warning, - 'use_fully_qualified_names' => $use_fully_qualified_names, - 'ignore_group_members' => $ignore_group_members, - 'access_provider' => $access_provider, - 'auth_provider' => $auth_provider, - 'chpass_provider' => $chpass_provider, - 'sudo_provider' => $sudo_provider, - 'selinux_provider' => $selinux_provider, - 'subdomains_provider' => $subdomains_provider, - 'autofs_provider' => $autofs_provider, - 'hostid_provider' => $hostid_provider, - 're_expression' => $re_expression, - 'full_name_format' => $full_name_format, - 'lookup_family_order' => $lookup_family_order, - 'dns_resolver_timeout' => $dns_resolver_timeout, - 'dns_discovery_domain' => $dns_discovery_domain, - 'override_gid' => $override_gid, - 'case_sensitive' => $case_sensitive, - 'proxy_fast_alias' => $proxy_fast_alias, - 'realmd_tags' => $realmd_tags, - 'proxy_pam_target' => $proxy_pam_target, - 'proxy_lib_name' => $proxy_lib_name, - 'ldap_user_search_filter' => $ldap_user_search_filter, - 'custom_options' => $custom_options, - }, - ), + content => epp('sssd/domain.epp', { + 'name' => $name, + 'content' => $content, + }), } } diff --git a/templates/domain.epp b/templates/domain.epp index f6349de..e1eb2a2 100644 --- a/templates/domain.epp +++ b/templates/domain.epp 
@@ -1,159 +1,7 @@ <% | - Sssd::IdProvider $id_provider, - Optional[Sssd::DebugLevel] $debug_level, - Boolean $debug_timestamps, - Boolean $debug_microseconds, - Optional[String] $description, - Integer[0] $min_id, - Integer[0] $max_id, - Boolean $enumerate, - Boolean $subdomain_enumerate, - Optional[Integer] $force_timeout, - Optional[Integer] $entry_cache_timeout, - Optional[Integer] $entry_cache_user_timeout, - Optional[Integer] $entry_cache_group_timeout, - Optional[Integer] $entry_cache_netgroup_timeout, - Optional[Integer] $entry_cache_service_timeout, - Optional[Integer] $entry_cache_sudo_timeout, - Optional[Integer] $entry_cache_autofs_timeout, - Optional[Integer] $entry_cache_ssh_host_timeout, - Optional[Integer] $refresh_expired_interval, - Boolean $cache_credentials, - Integer[0] $account_cache_expiration, - Optional[Integer[0]] $pwd_expiration_warning, - Boolean $use_fully_qualified_names, - Boolean $ignore_group_members, - Optional[Sssd::AccessProvider] $access_provider, - Optional[Sssd::AuthProvider] $auth_provider, - Optional[Sssd::ChpassProvider] $chpass_provider, - Optional[Enum['ldap', 'ipa','ad','none']] $sudo_provider, - Optional[Enum['ipa', 'none']] $selinux_provider, - Optional[Enum['ipa', 'ad','none']] $subdomains_provider, - Optional[Enum['ad', 'ldap', 'ipa','none']] $autofs_provider, - Optional[Enum['ipa', 'none']] $hostid_provider, - Optional[String] $re_expression, - Optional[String] $full_name_format, - Optional[String] $lookup_family_order, - Integer[0] $dns_resolver_timeout, - Optional[String] $dns_discovery_domain, - Optional[String] $override_gid, - Variant[Boolean,Enum['preserving']] $case_sensitive, - Boolean $proxy_fast_alias, - Optional[String] $realmd_tags, - Optional[String] $proxy_pam_target, - Optional[String] $proxy_lib_name, - Optional[String] $ldap_user_search_filter, - Optional[Hash] $custom_options, + String[1] $name, + String[1] $content, | -%> - # sssd::domain <%= $name %> [domain/<%= $name %>] -<% if $debug_level { -%> 
-debug_level = <%= $debug_level %> -<% } -%> -debug_timestamps = <%= $debug_timestamps %> -debug_microseconds = <%= $debug_microseconds %> -<% if $description { -%> -description = <%= $description %> -<% } -%> -min_id = <%= $min_id %> -max_id = <%= $max_id %> -enumerate = <%= $enumerate %> -<% if $subdomain_enumerate { -%> -subdomain_enumerate = <%= $subdomain_enumerate %> -<% } -%> -<% if $force_timeout { -%> -force_timeout = <%= $force_timeout %> -<% } -%> -<% if $entry_cache_timeout { -%> -entry_cache_timeout = <%= $entry_cache_timeout %> -<% } -%> -<% if $entry_cache_user_timeout { -%> -entry_cache_user_timeout = <%= $entry_cache_user_timeout %> -<% } -%> -<% if $entry_cache_group_timeout { -%> -entry_cache_group_timeout = <%= $entry_cache_group_timeout %> -<% } -%> -<% if $entry_cache_netgroup_timeout { -%> -entry_cache_netgroup_timeout = <%= $entry_cache_netgroup_timeout %> -<% } -%> -<% if $entry_cache_service_timeout { -%> -entry_cache_service_timeout = <%= $entry_cache_service_timeout %> -<% } -%> -<% if $entry_cache_sudo_timeout { -%> -entry_cache_sudo_timeout = <%= $entry_cache_sudo_timeout %> -<% } -%> -<% if $entry_cache_autofs_timeout { -%> -entry_cache_autofs_timeout = <%= $entry_cache_autofs_timeout %> -<% } -%> -<% if $entry_cache_ssh_host_timeout { -%> -entry_cache_ssh_host_timeout = <%= $entry_cache_ssh_host_timeout %> -<% } -%> -<% if $refresh_expired_interval { -%> -refresh_expired_interval = <%= $refresh_expired_interval %> -<% } -%> -cache_credentials = <%= $cache_credentials %> -account_cache_expiration = <%= $account_cache_expiration %> -<% if $pwd_expiration_warning { -%> -pwd_expiration_warning = <%= $pwd_expiration_warning %> -<% } -%> -use_fully_qualified_names = <%= $use_fully_qualified_names %> -ignore_group_members = <%= $ignore_group_members %> -id_provider = <%= $id_provider %> -<% if $auth_provider { -%> -auth_provider = <%= $auth_provider %> -<% } -%> -<% if $access_provider { -%> -access_provider = <%= $access_provider %> -<% } 
-%> -<% if $chpass_provider { -%> -chpass_provider = <%= $chpass_provider %> -<% } -%> -<% if $sudo_provider { -%> -sudo_provider = <%= $sudo_provider %> -<% } -%> -<% if $selinux_provider { -%> -selinux_provider = <%= $selinux_provider %> -<% } -%> -<% if $subdomains_provider { -%> -subdomains_provider = <%= $subdomains_provider %> -<% } -%> -<% if $autofs_provider { -%> -autofs_provider = <%= $autofs_provider %> -<% } -%> -<% if $hostid_provider { -%> -hostid_provider = <%= $hostid_provider %> -<% } -%> -<% if $re_expression { -%> -re_expression = <%= $re_expression %> -<% } -%> -<% if $full_name_format { -%> -full_name_format = <%= $full_name_format %> -<% } -%> -<% if $lookup_family_order { -%> -lookup_family_order = <%= $lookup_family_order %> -<% } -%> -dns_resolver_timeout = <%= $dns_resolver_timeout %> -<% if $dns_discovery_domain { -%> -dns_discovery_domain = <%= $dns_discovery_domain %> -<% } -%> -<% if $override_gid { -%> -override_gid = <%= $override_gid %> -<% } -%> -case_sensitive = <%= $case_sensitive %> -proxy_fast_alias = <%= $proxy_fast_alias %> -<% if $realmd_tags { -%> -realmd_tags = <%= $realmd_tags %> -<% } -%> -<% if $ldap_user_search_filter { -%> -ldap_user_search_filter = <%= $ldap_user_search_filter %> -<% } -%> -<% if $proxy_pam_target { -%> -proxy_pam_target = <%= $proxy_pam_target %> -<% } -%> -<% if $proxy_lib_name { -%> -proxy_lib_name = <%= $proxy_lib_name %> -<% } -%> -<% $custom_options.lest || { {} }.each |$opt, $value| { -%> -<%= $opt %> = <%= $value %> -<% } -%> +<%= $content %> From 1d215ea47691a8c15678d82cbc96f5635d680bf5 Mon Sep 17 00:00:00 2001 
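Review bot: The new `String[1] $content` parameter turns the template into a verbatim pass-through, so the per-field types that were enforced at render time (`Sssd::IdProvider`, the provider `Enum` lists, `Integer[0]` ranges) are now checked only in the manifest, and nothing on the template side prevents a value that contains a newline from becoming an extra directive under `[domain/<%= $name %>]`. That appears to be a pre-existing property of the old template too, but it is worth stating now that the boundary has moved. I would add a comment above the parameter list along the lines of `# $content is pre-rendered "key = value" lines; values are emitted unescaped, so the caller must guarantee none of them contain a newline.` so a future maintainer does not assume the template sanitises anything.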
From: Steven Pritchard Date: Wed, 24 Sep 2025 11:01:41 -0500 Subject: [PATCH 11/25] Refactor ipa and nss templates --- manifests/provider/ipa.pp | 125 +++++++++++++++++++++++++------------ manifests/service/nss.pp | 92 +++++++++++++++++++-------- templates/provider/ipa.epp | 101 +----------------------------- templates/service/nss.epp | 66 +------------------- 4 files changed, 157 insertions(+), 227 deletions(-) diff --git a/manifests/provider/ipa.pp b/manifests/provider/ipa.pp index 9c03f91..8262816 100644 --- a/manifests/provider/ipa.pp +++ b/manifests/provider/ipa.pp 
@@ -75,48 +75,93 @@ Array[String] $ldap_tls_cipher_suite = ['HIGH','-SSLv2'], Boolean $use_service_discovery = true, ) { - if $use_service_discovery { - $_ipa_server = ['_srv_'] + $ipa_server - } - else { - $_ipa_server = $ipa_server + # Build configuration lines in order (matching expected test output) + # IPA domain configuration (required) + $ipa_domain_line = ["ipa_domain = ${ipa_domain}"] + + # IPA server configuration with service discovery logic + $ipa_server_line = $use_service_discovery ? { + true => ["ipa_server = _srv_,${ipa_server.join(',')}"], + false => ["ipa_server = ${ipa_server.join(',')}"] } + # IPA backup server configuration (optional) + $ipa_backup_server_line = $ipa_backup_server ? { undef => [], default => ["ipa_backup_server = ${ipa_backup_server.join(',')}"] } + + # IPA boolean settings (required) + $ipa_enable_dns_sites_line = ["ipa_enable_dns_sites = ${ipa_enable_dns_sites}"] + $ipa_hostname_line = ["ipa_hostname = ${ipa_hostname}"] + $ipa_server_mode_line = ["ipa_server_mode = ${ipa_server_mode}"] + + # Dynamic DNS settings + $dyndns_auth_line = ["dyndns_auth = ${dyndns_auth}"] + $dyndns_force_tcp_line = $dyndns_force_tcp ? { undef => [], default => ["dyndns_force_tcp = ${dyndns_force_tcp}"] } + $dyndns_iface_line = $dyndns_iface ? { undef => [], default => ["dyndns_iface = ${dyndns_iface.join(',')}"] } + $dyndns_refresh_interval_line = $dyndns_refresh_interval ? { undef => [], default => ["dyndns_refresh_interval = ${dyndns_refresh_interval}"] } + $dyndns_server_line = $dyndns_server ? { undef => [], default => ["dyndns_server = ${dyndns_server}"] } + $dyndns_ttl_line = $dyndns_ttl ? { undef => [], default => ["dyndns_ttl = ${dyndns_ttl}"] } + $dyndns_update_line = ["dyndns_update = ${dyndns_update}"] + $dyndns_update_ptr_line = $dyndns_update_ptr ? { undef => [], default => ["dyndns_update_ptr = ${dyndns_update_ptr}"] } + + # IPA-specific optional settings + $ipa_automount_location_line = $ipa_automount_location ? 
{ undef => [], default => ["ipa_automount_location = ${ipa_automount_location}"] } + $ipa_hbac_refresh_line = $ipa_hbac_refresh ? { undef => [], default => ["ipa_hbac_refresh = ${ipa_hbac_refresh}"] } + $ipa_hbac_search_base_line = $ipa_hbac_search_base ? { undef => [], default => ["ipa_hbac_search_base = ${ipa_hbac_search_base}"] } + $ipa_hbac_selinux_line = $ipa_hbac_selinux ? { undef => [], default => ["ipa_hbac_selinux = ${ipa_hbac_selinux}"] } + $ipa_host_search_base_line = $ipa_host_search_base ? { undef => [], default => ["ipa_host_search_base = ${ipa_host_search_base}"] } + $ipa_master_domains_search_base_line = $ipa_master_domains_search_base ? { undef => [], default => ["ipa_master_domains_search_base = ${ipa_master_domains_search_base}"] } + $ipa_selinux_search_base_line = $ipa_selinux_search_base ? { undef => [], default => ["ipa_selinux_search_base = ${ipa_selinux_search_base}"] } + $ipa_subdomains_search_base_line = $ipa_subdomains_search_base ? { undef => [], default => ["ipa_subdomains_search_base = ${ipa_subdomains_search_base}"] } + $ipa_views_search_base_line = $ipa_views_search_base ? { undef => [], default => ["ipa_views_search_base = ${ipa_views_search_base}"] } + + # Kerberos settings + $krb5_confd_path_line = $krb5_confd_path ? { undef => [], default => ["krb5_confd_path = ${krb5_confd_path}"] } + $krb5_realm_line = $krb5_realm ? 
{ undef => [], default => ["krb5_realm = ${krb5_realm}"] } + $krb5_store_password_if_offline_line = ["krb5_store_password_if_offline = ${krb5_store_password_if_offline}"] + + # LDAP TLS settings (required) + $ldap_tls_cacert_line = ["ldap_tls_cacert = ${ldap_tls_cacert}"] + $ldap_tls_cipher_suite_line = ["ldap_tls_cipher_suite = ${ldap_tls_cipher_suite.join(':')}"] + + # Combine all lines in order + $config_lines = ( + $ipa_domain_line + + $ipa_server_line + + $ipa_backup_server_line + + $ipa_enable_dns_sites_line + + $ipa_hostname_line + + $ipa_server_mode_line + + $dyndns_auth_line + + $dyndns_force_tcp_line + + $dyndns_iface_line + + $dyndns_refresh_interval_line + + $dyndns_server_line + + $dyndns_ttl_line + + $dyndns_update_line + + $dyndns_update_ptr_line + + $ipa_automount_location_line + + $ipa_hbac_refresh_line + + $ipa_hbac_search_base_line + + $ipa_hbac_selinux_line + + $ipa_host_search_base_line + + $ipa_master_domains_search_base_line + + $ipa_selinux_search_base_line + + $ipa_subdomains_search_base_line + + $ipa_views_search_base_line + + $krb5_confd_path_line + + $krb5_realm_line + + $krb5_store_password_if_offline_line + + $ldap_tls_cacert_line + + $ldap_tls_cipher_suite_line + ) + + # Join all configuration lines + $content = $config_lines.join("\n") + sssd::config::entry { "puppet_provider_${name}_ipa": - content => epp( - "${module_name}/provider/ipa.epp", - { - 'title' => $title, - 'ipa_domain' => $ipa_domain, - 'ipa_server' => $ipa_server, - 'ipa_backup_server' => $ipa_backup_server, - 'ipa_enable_dns_sites' => $ipa_enable_dns_sites, - 'ipa_hostname' => $ipa_hostname, - 'ipa_server_mode' => $ipa_server_mode, - 'dyndns_auth' => $dyndns_auth, - 'dyndns_force_tcp' => $dyndns_force_tcp, - 'dyndns_iface' => $dyndns_iface, - 'dyndns_refresh_interval' => $dyndns_refresh_interval, - 'dyndns_server' => $dyndns_server, - 'dyndns_ttl' => $dyndns_ttl, - 'dyndns_update' => $dyndns_update, - 'dyndns_update_ptr' => $dyndns_update_ptr, - 
'ipa_automount_location' => $ipa_automount_location, - 'ipa_hbac_refresh' => $ipa_hbac_refresh, - 'ipa_hbac_search_base' => $ipa_hbac_search_base, - 'ipa_hbac_selinux' => $ipa_hbac_selinux, - 'ipa_host_search_base' => $ipa_host_search_base, - 'ipa_master_domains_search_base' => $ipa_master_domains_search_base, - 'ipa_selinux_search_base' => $ipa_selinux_search_base, - 'ipa_subdomains_search_base' => $ipa_subdomains_search_base, - 'ipa_views_search_base' => $ipa_views_search_base, - 'krb5_confd_path' => $krb5_confd_path, - 'krb5_realm' => $krb5_realm, - 'krb5_store_password_if_offline' => $krb5_store_password_if_offline, - 'ldap_tls_cacert' => $ldap_tls_cacert, - 'ldap_tls_cipher_suite' => $ldap_tls_cipher_suite, - 'use_service_discovery' => $use_service_discovery, - } - ), + content => epp("${module_name}/provider/ipa.epp", { + 'title' => $title, + 'content' => $content, + }), } } diff --git a/manifests/service/nss.pp b/manifests/service/nss.pp index 4bdbb45..c3c2a6e 100644 --- a/manifests/service/nss.pp +++ b/manifests/service/nss.pp @@ -62,6 +62,7 @@ Optional[Hash] $custom_options = undef, ) { if $custom_options { + # Use custom options template for backwards compatibility $_content = epp( "${module_name}/service/custom_options.epp", { 
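Review bot: When `$ipa_server` is empty, which `Array[Simplib::Host]` permits, the `true` branch of `$ipa_server_line` renders `ipa_server = _srv_,` with a dangling comma; building the list first avoids that: `true => ["ipa_server = ${(['_srv_'] + $ipa_server).join(',')}"],`. The old code at the top of this hunk computed `['_srv_'] + $ipa_server` but never passed it to the template, so the trailing comma looks pre-existing rather than newly introduced, though I have not checked how sssd tolerates it. Two of the section comments also mislead: `# IPA boolean settings (required)` covers `ipa_hostname`, which is a hostname, and `# Build configuration lines in order (matching expected test output)` describes the test suite rather than the sssd.conf contract; I would say `# Keep this order: it is the order the rendered [domain/<title>] section has always used` instead.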
@@ -70,32 +71,73 @@ }, ) } else { - $_content = epp( - "${module_name}/service/nss.epp", - { - 'description' => $description, - 'debug_level' => $debug_level, - 'debug_timestamps' => $debug_timestamps, - 'debug_microseconds' => $debug_microseconds, - 'reconnection_retries' => $reconnection_retries, - 'fd_limit' => $fd_limit, - 'command' => $command, - 'enum_cache_timeout' => $enum_cache_timeout, - 'entry_cache_nowait_percentage' => $entry_cache_nowait_percentage, - 'entry_negative_timeout' => $entry_negative_timeout, - 'filter_users' => $filter_users, - 'filter_groups' => $filter_groups, - 'filter_users_in_groups' => $filter_users_in_groups, - 'override_homedir' => $override_homedir, - 'fallback_homedir' => $fallback_homedir, - 'override_shell' => $override_shell, - 'vetoed_shells' => $vetoed_shells, - 'default_shell' => $default_shell, - 'get_domains_timeout' => $get_domains_timeout, - 'memcache_timeout' => $memcache_timeout, - 'user_attributes' => $user_attributes, - }, + # Build configuration lines in order (matching expected test output) + # Debug settings + $description_line = $description ? { undef => [], default => ["description = ${description}"] } + $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] } + $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"] + $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"] + + # Connection settings + $reconnection_retries_line = ["reconnection_retries = ${reconnection_retries}"] + $fd_limit_line = $fd_limit ? { undef => [], default => ["fd_limit = ${fd_limit}"] } + $command_line = $command ? 
{ undef => [], default => ["command = ${command}"] } + + # Cache settings + $enum_cache_timeout_line = ["enum_cache_timeout = ${enum_cache_timeout}"] + $entry_cache_nowait_percentage_line = ["entry_cache_nowait_percentage = ${entry_cache_nowait_percentage}"] + $entry_negative_timeout_line = ["entry_negative_timeout = ${entry_negative_timeout}"] + + # Filter settings + $filter_users_line = ["filter_users = ${filter_users}"] + $filter_groups_line = ["filter_groups = ${filter_groups}"] + $filter_users_in_groups_line = ["filter_users_in_groups = ${filter_users_in_groups}"] + + # Home directory settings + $override_homedir_line = $override_homedir ? { undef => [], default => ["override_homedir = ${override_homedir}"] } + $fallback_homedir_line = $fallback_homedir ? { undef => [], default => ["fallback_homedir = ${fallback_homedir}"] } + + # Shell settings + $override_shell_line = $override_shell ? { undef => [], default => ["override_shell = ${override_shell}"] } + $vetoed_shells_line = $vetoed_shells ? { undef => [], default => ["vetoed_shells = ${vetoed_shells}"] } + $default_shell_line = $default_shell ? { undef => [], default => ["default_shell = ${default_shell}"] } + + # Timeout and attribute settings + $get_domains_timeout_line = $get_domains_timeout ? { undef => [], default => ["get_domains_timeout = ${get_domains_timeout}"] } + $memcache_timeout_line = $memcache_timeout ? { undef => [], default => ["memcache_timeout = ${memcache_timeout}"] } + $user_attributes_line = $user_attributes ? 
{ undef => [], default => ["user_attributes = ${user_attributes}"] } + + # Combine all lines in order + $config_lines = ( + $description_line + + $debug_level_line + + $debug_timestamps_line + + $debug_microseconds_line + + $reconnection_retries_line + + $fd_limit_line + + $command_line + + $enum_cache_timeout_line + + $entry_cache_nowait_percentage_line + + $entry_negative_timeout_line + + $filter_users_line + + $filter_groups_line + + $filter_users_in_groups_line + + $override_homedir_line + + $fallback_homedir_line + + $override_shell_line + + $vetoed_shells_line + + $default_shell_line + + $get_domains_timeout_line + + $memcache_timeout_line + + $user_attributes_line ) + + # Join all configuration lines + $content = $config_lines.join("\n") + + $_content = epp("${module_name}/service/nss.epp", { + 'content' => $content, + }) } sssd::config::entry { 'puppet_service_nss': diff --git a/templates/provider/ipa.epp b/templates/provider/ipa.epp index 3516149..7bf1b65 100644 --- a/templates/provider/ipa.epp +++ b/templates/provider/ipa.epp 
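Review bot: `$fd_limit_line` is new output, not a refactor: the removed `nss.epp` accepted `Optional[Integer] $fd_limit` but never rendered it (the old body goes straight from `reconnection_retries` to the `command` check), whereas the new `$config_lines` emits `fd_limit = N` whenever the parameter is set. If that was intentional it is a behaviour change for anyone who set `fd_limit` expecting it to be a no-op and should be called out in the commit message and CHANGELOG; if not, the line should be dropped from `$config_lines` to keep the "Refactor" promise. Either way a one-line comment next to `$fd_limit_line` explaining why it is now emitted would save the next reader from the same diff archaeology.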
@@ -1,102 +1,7 @@ <% | - String $title, - String[1] $ipa_domain, - Array[Simplib::Host] $ipa_server, - Optional[Array[Simplib::Host]] $ipa_backup_server, - Boolean $ipa_enable_dns_sites, - Simplib::Hostname $ipa_hostname, - Boolean $ipa_server_mode, - Enum['none','GSS-TSIG'] $dyndns_auth, - Optional[Boolean] $dyndns_force_tcp, - Optional[Array[String[1]]] $dyndns_iface, - Optional[Integer[0]] $dyndns_refresh_interval, - Optional[Simplib::Host] $dyndns_server, - Optional[Integer[0]] $dyndns_ttl, - Boolean $dyndns_update, - Optional[Boolean] $dyndns_update_ptr, - Optional[String] $ipa_automount_location, - Optional[Integer[0]] $ipa_hbac_refresh, - Optional[String] $ipa_hbac_search_base, - Optional[Integer[0]] $ipa_hbac_selinux, - Optional[String] $ipa_host_search_base, - Optional[String] $ipa_master_domains_search_base, - Optional[String] $ipa_selinux_search_base, - Optional[String] $ipa_subdomains_search_base, - Optional[String] $ipa_views_search_base, - Optional[Stdlib::AbsolutePath] $krb5_confd_path, - Optional[String] $krb5_realm, - Boolean $krb5_store_password_if_offline, - Stdlib::AbsolutePath $ldap_tls_cacert, - Array[String] $ldap_tls_cipher_suite, - Boolean $use_service_discovery, + String[1] $title, + String[1] $content, | -%> [domain/<%= $title %>] # sssd::provider::ipa -ipa_domain = <%= $ipa_domain %> -<% if $use_service_discovery { -%> -ipa_server = _srv_,<%= $ipa_server.join(',') %> -<% } else { -%> -ipa_server = <%= $ipa_server.join(',') %> -<% } -%> -<% unless $ipa_backup_server =~ Undef { -%> -ipa_backup_server = <%= $ipa_backup_server.join(',') %> -<% } -%> -ipa_enable_dns_sites = <%= $ipa_enable_dns_sites %> -ipa_hostname = <%= $ipa_hostname %> -ipa_server_mode = <%= $ipa_server_mode %> -dyndns_auth = <%= $dyndns_auth %> -<% unless $dyndns_force_tcp =~ Undef { -%> -dyndns_force_tcp = <%= $dyndns_force_tcp %> -<% } -%> -<% unless $dyndns_iface =~ Undef { -%> -dyndns_iface = <%= $dyndns_iface.join(',') %> -<% } -%> -<% unless $dyndns_refresh_interval 
=~ Undef { -%> -dyndns_refresh_interval = <%= $dyndns_refresh_interval %> -<% } -%> -<% unless $dyndns_server =~ Undef { -%> -dyndns_server = <%= $dyndns_server %> -<% } -%> -<% unless $dyndns_ttl =~ Undef { -%> -dyndns_ttl = <%= $dyndns_ttl %> -<% } -%> -dyndns_update = <%= $dyndns_update %> -<% unless $dyndns_update_ptr =~ Undef { -%> -dyndns_update_ptr = <%= $dyndns_update_ptr %> -<% } -%> -<% unless $ipa_automount_location =~ Undef { -%> -ipa_automount_location = <%= $ipa_automount_location %> -<% } -%> -<% unless $ipa_hbac_refresh =~ Undef { -%> -ipa_hbac_refresh = <%= $ipa_hbac_refresh %> -<% } -%> -<% unless $ipa_hbac_search_base =~ Undef { -%> -ipa_hbac_search_base = <%= $ipa_hbac_search_base %> -<% } -%> -<% unless $ipa_hbac_selinux =~ Undef { -%> -ipa_hbac_selinux = <%= $ipa_hbac_selinux %> -<% } -%> -<% unless $ipa_host_search_base =~ Undef { -%> -ipa_host_search_base = <%= $ipa_host_search_base %> -<% } -%> -<% unless $ipa_master_domains_search_base =~ Undef { -%> -ipa_master_domains_search_base = <%= $ipa_master_domains_search_base %> -<% } -%> -<% unless $ipa_selinux_search_base =~ Undef { -%> -ipa_selinux_search_base = <%= $ipa_selinux_search_base %> -<% } -%> -<% unless $ipa_subdomains_search_base =~ Undef { -%> -ipa_subdomains_search_base = <%= $ipa_subdomains_search_base %> -<% } -%> -<% unless $ipa_views_search_base =~ Undef { -%> -ipa_views_search_base = <%= $ipa_views_search_base %> -<% } -%> -<% unless $krb5_confd_path =~ Undef { -%> -krb5_confd_path = <%= $krb5_confd_path %> -<% } -%> -<% unless $krb5_realm =~ Undef { -%> -krb5_realm = <%= $krb5_realm %> -<% } -%> -krb5_store_password_if_offline = <%= $krb5_store_password_if_offline %> -ldap_tls_cacert = <%= $ldap_tls_cacert %> -ldap_tls_cipher_suite = <%= $ldap_tls_cipher_suite.join(':') %> +<%= $content %> diff --git a/templates/service/nss.epp b/templates/service/nss.epp index 4a31156..4460ba6 100644 --- a/templates/service/nss.epp +++ b/templates/service/nss.epp 
@@ -1,68 +1,6 @@ <% | - Optional[String] $description, - Optional[Sssd::DebugLevel] $debug_level, - Boolean $debug_timestamps, - Boolean $debug_microseconds, - Integer $reconnection_retries, - Optional[Integer] $fd_limit, - Optional[String] $command, - Integer $enum_cache_timeout, - Integer $entry_cache_nowait_percentage, - Integer $entry_negative_timeout, - String $filter_users, - String $filter_groups, - Boolean $filter_users_in_groups, - Optional[String] $override_homedir, - Optional[String] $fallback_homedir, - Optional[String] $override_shell, - Optional[String] $vetoed_shells, - Optional[String] $default_shell, - Optional[Integer] $get_domains_timeout, - Optional[Integer] $memcache_timeout, - Optional[String] $user_attributes, + String[1] $content, | -%> - # sssd::service::nss [nss] -<% if $description { -%> -description = <%= $description %> -<% } -%> -<% if $debug_level { -%> -debug_level = <%= $debug_level %> -<% } -%> -debug_timestamps = <%= $debug_timestamps %> -debug_microseconds = <%= $debug_microseconds %> -reconnection_retries = <%= $reconnection_retries %> -<% if $command { -%> -command = <%= $command %> -<% } -%> -enum_cache_timeout = <%= $enum_cache_timeout %> -entry_cache_nowait_percentage = <%= $entry_cache_nowait_percentage %> -entry_negative_timeout = <%= $entry_negative_timeout %> -filter_users = <%= $filter_users %> -filter_groups = <%= $filter_groups %> -filter_users_in_groups = <%= $filter_users_in_groups %> -<% if $override_homedir { -%> -override_homedir = <%= $override_homedir %> -<% } -%> -<% if $fallback_homedir { -%> -fallback_homedir = <%= $fallback_homedir %> -<% } -%> -<% if $override_shell { -%> -override_shell = <%= $override_shell %> -<% } -%> -<% if $vetoed_shells { -%> -vetoed_shells = <%= $vetoed_shells%> -<% } -%> -<% if $default_shell { -%> -default_shell = <%= $default_shell %> -<% } -%> -<% if $get_domains_timeout { -%> -get_domains_timeout = <%= $get_domains_timeout %> -<% } -%> -<% if $memcache_timeout { -%> 
-memcache_timeout = <%= $memcache_timeout %> -<% } -%> -<% if $user_attributes { -%> -user_attributes = <%= $user_attributes %> -<% } -%> +<%= $content %> From b7ebd93b3e287f7bfbeeb4d43777c3380c9eda78 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 24 Sep 2025 11:11:34 -0500 Subject: [PATCH 12/25] Refactor sssd.conf template --- manifests/config.pp | 84 ++++++++++++++++++++++++++++++----------- templates/sssd.conf.epp | 61 +----------------------------- 2 files changed, 65 insertions(+), 80 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index 913adf2..d321d0a 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
@@ -68,31 +68,73 @@ } } + # Build configuration lines in order (matching expected test output) + # Services configuration - sudo has to be started by the socket + $filtered_services = Array($_services) - ['sudo'] + $services_line = $_services.empty ? { + true => [], + false => $filtered_services.empty ? { true => [], false => ["services = ${filtered_services.join(',')}"] } + } + + # Basic configuration + $description_line = $_description ? { undef => [], default => ["description = ${_description}"] } + + # Domains configuration + $domains_line = $_domains.empty ? { true => [], false => ["domains = ${Array($_domains).join(', ')}"] } + + # Required configuration parameters + $config_file_version_line = ["config_file_version = ${_config_file_version}"] + $reconnection_retries_line = ["reconnection_retries = ${_reconnection_retries}"] + + # Optional string parameters + $re_expression_line = $_re_expression ? { undef => [], default => ["re_expression = ${_re_expression}"] } + $full_name_format_line = $_full_name_format ? { undef => [], default => ["full_name_format = ${_full_name_format}"] } + + # Optional boolean parameters (special undef checking) + $try_inotify_line = $_try_inotify ? { undef => [], default => ["try_inotify = ${_try_inotify}"] } + $enable_files_domain_line = $_enable_files_domain ? { undef => [], default => ["enable_files_domain = ${_enable_files_domain}"] } + + # Optional directory and user parameters + $krb5_rcache_dir_line = $_krb5_rcache_dir ? { undef => [], default => ["krb5_rcache_dir = ${_krb5_rcache_dir}"] } + $user_line = $_user ? { undef => [], default => ["user = ${_user}"] } + $default_domain_suffix_line = $_default_domain_suffix ? { undef => [], default => ["default_domain_suffix = ${_default_domain_suffix}"] } + $override_space_line = $_override_space ? { undef => [], default => ["override_space = ${_override_space}"] } + + # Debug configuration + $debug_level_line = $_debug_level ? 
{ undef => [], default => ["debug_level = ${_debug_level}"] } + $debug_timestamps_line = ["debug_timestamps = ${_debug_timestamps}"] + $debug_microseconds_line = ["debug_microseconds = ${_debug_microseconds}"] + + # Combine all lines in order + $config_lines = ( + $services_line + + $description_line + + $domains_line + + $config_file_version_line + + $reconnection_retries_line + + $re_expression_line + + $full_name_format_line + + $try_inotify_line + + $krb5_rcache_dir_line + + $user_line + + $default_domain_suffix_line + + $override_space_line + + $enable_files_domain_line + + $debug_level_line + + $debug_timestamps_line + + $debug_microseconds_line + ) + + # Join all configuration lines + $content = $config_lines.join("\n") + file { '/etc/sssd/sssd.conf': owner => 'root', group => 'root', mode => '0600', - content => epp( - "${module_name}/sssd.conf.epp", - { - '_domains' => $_domains, - '_debug_level' => $_debug_level, - '_debug_timestamps' => $_debug_timestamps, - '_debug_microseconds' => $_debug_microseconds, - '_description' => $_description, - '_enable_files_domain' => $_enable_files_domain, - '_config_file_version' => $_config_file_version, - '_services' => $_services, - '_reconnection_retries' => $_reconnection_retries, - '_re_expression' => $_re_expression, - '_full_name_format' => $_full_name_format, - '_try_inotify' => $_try_inotify, - '_krb5_rcache_dir' => $_krb5_rcache_dir, - '_user' => $_user, - '_default_domain_suffix' => $_default_domain_suffix, - '_override_space' => $_override_space, - }, - ), + content => epp("${module_name}/sssd.conf.epp", { + 'content' => $content, + }), notify => Class["${module_name}::service"], } } diff --git a/templates/sssd.conf.epp b/templates/sssd.conf.epp index 21daed3..c25b7a8 100644 --- a/templates/sssd.conf.epp +++ b/templates/sssd.conf.epp 
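Review bot: The nested selector for `$services_line` is redundant and calls `.empty` on `$_services` before the `Array()` coercion that `$filtered_services` already applies: if `$_services` is empty or undef then `$filtered_services` is empty as well, so the outer check adds nothing, and the old template only ever tested `Array($_services).empty`. One line covers both cases: `$services_line = $filtered_services.empty ? { true => [], false => ["services = ${filtered_services.join(',')}"] }`. The `# sudo has to be started by the socket` comment should stay attached to the `- ['sudo']` subtraction, since that is the only line it explains.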
@@ -1,63 +1,6 @@
 <% |
- Optional[String] $_description,
- Optional[Array[String]] $_services,
- Optional[Array[String]] $_domains,
- Integer[1] $_config_file_version,
- Integer[0] $_reconnection_retries,
- Optional[String] $_re_expression,
- Optional[String] $_full_name_format,
- Optional[Boolean] $_try_inotify,
- Optional[String] $_krb5_rcache_dir,
- Optional[String] $_user,
- Optional[String] $_default_domain_suffix,
- Optional[String] $_override_space,
- Optional[Boolean] $_enable_files_domain,
- Optional[Sssd::DebugLevel] $_debug_level,
- Boolean $_debug_timestamps,
- Boolean $_debug_microseconds,
+ String[1] $content,
 | -%>
 # sssd::config
 [sssd]
-<%
- # sudo has to be started by the socket
- unless Array($_services).empty {
--%>
-services = <%= (Array($_services) - ['sudo']).join(',') %>
-<% } -%>
-<% if $_description { -%>
-description = <%= $_description %>
-<% } -%>
-<% unless $_domains.empty { -%>
-domains = <%= Array($_domains).join(', ') %>
-<% } -%>
-config_file_version = <%= $_config_file_version %>
-reconnection_retries = <%= $_reconnection_retries %>
-<% if $_re_expression { -%>
-re_expression = <%= $_re_expression %>
-<% } -%>
-<% if $_full_name_format { -%>
-full_name_format = <%= $_full_name_format %>
-<% } -%>
-<% unless $_try_inotify =~ Undef { -%>
-try_inotify = <%= $_try_inotify %>
-<% } -%>
-<% if $_krb5_rcache_dir { -%>
-krb5_rcache_dir = <%= $_krb5_rcache_dir %>
-<% } -%>
-<% if $_user { -%>
-user = <%= $_user %>
-<% } -%>
-<% if $_default_domain_suffix { -%>
-default_domain_suffix = <%= $_default_domain_suffix %>
-<% } -%>
-<% if $_override_space { -%>
-override_space = <%= $_override_space %>
-<% } -%>
-<% unless $_enable_files_domain =~ Undef { -%>
-enable_files_domain = <%= $_enable_files_domain %>
-<% } -%>
-<% unless $_debug_level =~ Undef { -%>
-debug_level = <%= $_debug_level %>
-<% } -%>
-debug_timestamps = <%= $_debug_timestamps %>
-debug_microseconds = <%= $_debug_microseconds %>
+<%= $content %>
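Review bot: The template signature now validates nothing beyond `String[1] $content`, so the `Optional[Sssd::DebugLevel]`, `Integer[1] $_config_file_version` and `Integer[0] $_reconnection_retries` constraints it used to enforce rest solely on the parameter declarations in manifests/config.pp, which are outside this patch. The same applies to every later template hunk in the series, most notably templates/provider/krb5.epp, which drops `Optional[Simplib::Host] $krb5_server` and the `Stdlib::Absolutepath` types on `krb5_ccachedir`, `krb5_ccname_template` and `krb5_keytab`. Since the rendered string goes straight into /etc/sssd/sssd.conf and the `sssd::config::entry` fragments, it is worth confirming those manifests declare the same types rather than assuming the template was redundant. A one-line note such as `<%# content is pre-rendered by the manifest; parameter validation lives there -%>` would document where validation now happens.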
From 09e9f9b5249b1fd8e9dae80e1afe697d5887d624 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 24 Sep 2025 12:18:08 -0500 Subject: [PATCH 13/25] Refactor krb5 template --- manifests/provider/krb5.pp | 110 ++++++++++++++++++++++++++++++------ templates/provider/krb5.epp | 57 ++----------------- 2 files changed, 97 insertions(+), 70 deletions(-) diff --git a/manifests/provider/krb5.pp b/manifests/provider/krb5.pp index 2d647b1..a30d31e 100644 --- a/manifests/provider/krb5.pp +++ b/manifests/provider/krb5.pp 
@@ -45,27 +45,103 @@ Integer $krb5_renew_interval = 0, Optional[Enum['never','try','demand']] $krb5_use_fast = undef, ) { + # Build configuration content for the Kerberos provider + $_content = [ + '# sssd::provider::krb5', + ] + + # Add conditional parameters if defined in the correct order + if $debug_level { + $_debug_level_entries = ["debug_level = ${debug_level}"] + } else { + $_debug_level_entries = [] + } + + $_debug_timestamps_entries = $debug_timestamps ? { + true => ['debug_timestamps = true'], + false => ['debug_timestamps = false'], + } + + $_debug_microseconds_entries = $debug_microseconds ? { + true => ['debug_microseconds = true'], + false => ['debug_microseconds = false'], + } + + if $krb5_server { + $_krb5_server_entries = ["krb5_server = ${krb5_server}"] + } else { + $_krb5_server_entries = [] + } + + $_krb5_realm_entries = ["krb5_realm = ${krb5_realm}"] + + if $krb5_kpasswd { + $_krb5_kpasswd_entries = ["krb5_kpasswd = ${krb5_kpasswd}"] + } else { + $_krb5_kpasswd_entries = [] + } + + if $krb5_ccachedir { + $_krb5_ccachedir_entries = ["krb5_ccachedir = ${krb5_ccachedir}"] + } else { + $_krb5_ccachedir_entries = [] + } + + if $krb5_ccname_template { + $_krb5_ccname_template_entries = ["krb5_ccname_template = ${krb5_ccname_template}"] + } else { + $_krb5_ccname_template_entries = [] + } + + $_krb5_auth_timeout_entries = ["krb5_auth_timeout = ${krb5_auth_timeout}"] + + $_krb5_validate_entries = $krb5_validate ? { + true => ['krb5_validate = true'], + false => ['krb5_validate = false'], + } + + if $krb5_keytab { + $_krb5_keytab_entries = ["krb5_keytab = ${krb5_keytab}"] + } else { + $_krb5_keytab_entries = [] + } + + $_krb5_store_password_if_offline_entries = $krb5_store_password_if_offline ? 
{ + true => ['krb5_store_password_if_offline = true'], + false => ['krb5_store_password_if_offline = false'], + } + + if $krb5_renewable_lifetime { + $_krb5_renewable_lifetime_entries = ["krb5_renewable_lifetime = ${krb5_renewable_lifetime}"] + } else { + $_krb5_renewable_lifetime_entries = [] + } + + if $krb5_lifetime { + $_krb5_lifetime_entries = ["krb5_lifetime = ${krb5_lifetime}"] + } else { + $_krb5_lifetime_entries = [] + } + + $_krb5_renew_interval_entries = ["krb5_renew_interval = ${krb5_renew_interval}"] + + if $krb5_use_fast { + $_krb5_use_fast_entries = ["krb5_use_fast = ${krb5_use_fast}"] + } else { + $_krb5_use_fast_entries = [] + } + + # Combine all configuration entries in the expected order + $_all_entries = $_content + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_krb5_server_entries + $_krb5_realm_entries + $_krb5_kpasswd_entries + $_krb5_ccachedir_entries + $_krb5_ccname_template_entries + $_krb5_auth_timeout_entries + $_krb5_validate_entries + $_krb5_keytab_entries + $_krb5_store_password_if_offline_entries + $_krb5_renewable_lifetime_entries + $_krb5_lifetime_entries + $_krb5_renew_interval_entries + $_krb5_use_fast_entries + + $_final_content = $_all_entries.join("\n") + sssd::config::entry { "puppet_provider_${name}_krb5": content => epp( "${module_name}/provider/krb5", { - 'domain' => $title, - 'krb5_server' => $krb5_server, - 'krb5_realm' => $krb5_realm, - 'debug_level' => $debug_level, - 'debug_timestamps' => $debug_timestamps, - 'debug_microseconds' => $debug_microseconds, - 'krb5_kpasswd' => $krb5_kpasswd, - 'krb5_ccachedir' => $krb5_ccachedir, - 'krb5_ccname_template' => $krb5_ccname_template, - 'krb5_auth_timeout' => $krb5_auth_timeout, - 'krb5_validate' => $krb5_validate, - 'krb5_keytab' => $krb5_keytab, - 'krb5_store_password_if_offline' => $krb5_store_password_if_offline, - 'krb5_renewable_lifetime' => $krb5_renewable_lifetime, - 'krb5_lifetime' => $krb5_lifetime, - 'krb5_renew_interval' => 
$krb5_renew_interval, - 'krb5_use_fast' => $krb5_use_fast, + 'title' => "domain/${title}", + 'content' => $_final_content, }, ), } diff --git a/templates/provider/krb5.epp b/templates/provider/krb5.epp index 141422e..0133269 100644 --- a/templates/provider/krb5.epp +++ b/templates/provider/krb5.epp 
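Review bot: The ten `if $x { $_x_entries = [...] } else { $_x_entries = [] }` blocks and the Boolean selectors express the same logic that config.pp in patch 01 writes in one line each, e.g. `$_krb5_server_entries = $krb5_server ? { undef => [], default => ["krb5_server = ${krb5_server}"] }` and `$_debug_timestamps_entries = ["debug_timestamps = ${debug_timestamps}"]`, since interpolating a Boolean yields `true`/`false` exactly as the selector does. The `$_all_entries = $_content + ...` concatenation is a single very long line; config.pp's parenthesised one-term-per-line form makes ordering mistakes visible in review. The same pattern recurs in the pam.pp, ifp.pp, ssh.pp, pac.pp, autofs.pp, sudo.pp and files.pp hunks of this series, and `$_content` here and in files.pp holds what the service manifests call `$_base_content`. The define's parameter list starts above the hunk.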
@@ -1,55 +1,6 @@
 <%- |
- String $domain,
- Optional[Simplib::Host] $krb5_server = undef,
- String $krb5_realm,
- Optional[Sssd::DebugLevel] $debug_level = undef,
- Boolean $debug_timestamps = true,
- Boolean $debug_microseconds = false,
- Optional[String] $krb5_kpasswd = undef,
- Optional[Stdlib::Absolutepath] $krb5_ccachedir = undef,
- Optional[Stdlib::Absolutepath] $krb5_ccname_template = undef,
- Integer $krb5_auth_timeout = 15,
- Boolean $krb5_validate = false,
- Optional[Stdlib::Absolutepath] $krb5_keytab = undef,
- Boolean $krb5_store_password_if_offline = false,
- Optional[String] $krb5_renewable_lifetime = undef,
- Optional[String] $krb5_lifetime = undef,
- Integer $krb5_renew_interval = 0,
- Optional[Enum['never','try','demand']] $krb5_use_fast = undef
+ String $title,
+ String $content,
 | -%>
-[domain/<%= $domain %>]
-# sssd::provider::krb5
-<% if $debug_level { -%>
-debug_level = <%= $debug_level %>
-<% } -%>
-debug_timestamps = <%= $debug_timestamps %>
-debug_microseconds = <%= $debug_microseconds %>
-<% if $krb5_server { -%>
-krb5_server = <%= $krb5_server %>
-<% } -%>
-krb5_realm = <%= $krb5_realm %>
-<% if $krb5_kpasswd { -%>
-krb5_kpasswd = <%= $krb5_kpasswd %>
-<% } -%>
-<% if $krb5_ccachedir { -%>
-krb5_ccachedir = <%= $krb5_ccachedir %>
-<% } -%>
-<% if $krb5_ccname_template { -%>
-krb5_ccname_template = <%= $krb5_ccname_template %>
-<% } -%>
-krb5_auth_timeout = <%= $krb5_auth_timeout %>
-krb5_validate = <%= $krb5_validate %>
-<% if $krb5_keytab { -%>
-krb5_keytab = <%= $krb5_keytab %>
-<% } -%>
-krb5_store_password_if_offline = <%= $krb5_store_password_if_offline %>
-<% if $krb5_renewable_lifetime { -%>
-krb5_renewable_lifetime = <%= $krb5_renewable_lifetime %>
-<% } -%>
-<% if $krb5_lifetime { -%>
-krb5_lifetime = <%= $krb5_lifetime %>
-<% } -%>
-krb5_renew_interval = <%= $krb5_renew_interval %>
-<% if $krb5_use_fast { -%>
-krb5_use_fast = <%= $krb5_use_fast %>
-<% } -%>
+[<%= $title %>]
+<%= $content %>
From 526885199d0327f15745abcae27094de17fb0641 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 24 Sep 2025 12:21:35 -0500 Subject: [PATCH 14/25] Refactor pam template --- manifests/service/pam.pp | 88 ++++++++++++++++++++++++++++++++------- templates/service/pam.epp | 52 ++--------------------- 2 files changed, 75 insertions(+), 65 deletions(-) diff --git a/manifests/service/pam.pp b/manifests/service/pam.pp index d6d9082..50795da 100644 --- a/manifests/service/pam.pp +++ b/manifests/service/pam.pp 
@@ -61,25 +61,81 @@ }, ) } else { + # Build configuration content for the PAM service + $_base_content = [ + '# sssd::service::pam', + ] + + # Add conditional parameters if defined + if $description { + $_description_entries = ["description = ${description}"] + } else { + $_description_entries = [] + } + + if $debug_level { + $_debug_level_entries = ["debug_level = ${debug_level}"] + } else { + $_debug_level_entries = [] + } + + $_debug_timestamps_entries = $debug_timestamps ? { + true => ['debug_timestamps = true'], + false => ['debug_timestamps = false'], + } + + $_debug_microseconds_entries = $debug_microseconds ? { + true => ['debug_microseconds = true'], + false => ['debug_microseconds = false'], + } + + $_reconnection_retries_entries = ["reconnection_retries = ${reconnection_retries}"] + + if $command { + $_command_entries = ["command = ${command}"] + } else { + $_command_entries = [] + } + + $_offline_credentials_expiration_entries = ["offline_credentials_expiration = ${offline_credentials_expiration}"] + $_offline_failed_login_attempts_entries = ["offline_failed_login_attempts = ${offline_failed_login_attempts}"] + $_offline_failed_login_delay_entries = ["offline_failed_login_delay = ${offline_failed_login_delay}"] + $_pam_verbosity_entries = ["pam_verbosity = ${pam_verbosity}"] + $_pam_id_timeout_entries = ["pam_id_timeout = ${pam_id_timeout}"] + $_pam_pwd_expiration_warning_entries = ["pam_pwd_expiration_warning = ${pam_pwd_expiration_warning}"] + + if $get_domains_timeout { + $_get_domains_timeout_entries = ["get_domains_timeout = ${get_domains_timeout}"] + } else { + $_get_domains_timeout_entries = [] + } + + if $pam_trusted_users { + $_pam_trusted_users_entries = ["pam_trusted_users = ${pam_trusted_users}"] + } else { + $_pam_trusted_users_entries = [] + } + + if $pam_public_domains { + $_pam_public_domains_entries = ["pam_public_domains = ${pam_public_domains}"] + } else { + $_pam_public_domains_entries = [] + } + + $_pam_cert_auth_entries = 
$pam_cert_auth ? { + true => ['pam_cert_auth = True'], + false => [], + } + + # Combine all configuration entries in the expected order + $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_reconnection_retries_entries + $_command_entries + $_offline_credentials_expiration_entries + $_offline_failed_login_attempts_entries + $_offline_failed_login_delay_entries + $_pam_verbosity_entries + $_pam_id_timeout_entries + $_pam_pwd_expiration_warning_entries + $_get_domains_timeout_entries + $_pam_trusted_users_entries + $_pam_public_domains_entries + $_pam_cert_auth_entries + + $_final_content = $_all_entries.join("\n") + $_content = epp( "${module_name}/service/pam.epp", { - 'description' => $description, - 'debug_level' => $debug_level, - 'debug_timestamps' => $debug_timestamps, - 'debug_microseconds' => $debug_microseconds, - 'pam_cert_auth' => $pam_cert_auth, - 'reconnection_retries' => $reconnection_retries, - 'command' => $command, - 'offline_credentials_expiration' => $offline_credentials_expiration, - 'offline_failed_login_attempts' => $offline_failed_login_attempts, - 'offline_failed_login_delay' => $offline_failed_login_delay, - 'pam_verbosity' => $pam_verbosity, - 'pam_id_timeout' => $pam_id_timeout, - 'pam_pwd_expiration_warning' => $pam_pwd_expiration_warning, - 'get_domains_timeout' => $get_domains_timeout, - 'pam_trusted_users' => $pam_trusted_users, - 'pam_public_domains' => $pam_public_domains, + 'content' => $_final_content, }, ) } diff --git a/templates/service/pam.epp b/templates/service/pam.epp index 74204fe..733a648 100644 --- a/templates/service/pam.epp +++ b/templates/service/pam.epp 
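Review bot: `$_base_content` omits the `[pam]` section header while the ifp, ssh, pac, autofs and sudo hunks in this series put `'[section]'` into their base content; here the header stays in templates/service/pam.epp, so the rendered fragment becomes `[pam]` followed by `# sssd::service::pam`, the reverse of the old template and of the sibling services. Either add `'[pam]',` after `'# sssd::service::pam',` in `$_base_content` and drop the `[pam]` context line from the template, or leave a comment saying why pam is laid out differently. `$_pam_cert_auth_entries` correctly preserves the `pam_cert_auth = True` spelling the old template emitted. The enclosing `else` branch opens above the hunk.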
@@ -1,51 +1,5 @@
-<% |
- Optional[String] $description,
- Optional[Sssd::DebugLevel] $debug_level,
- Boolean $debug_timestamps,
- Boolean $debug_microseconds,
- Boolean $pam_cert_auth,
- Integer $reconnection_retries,
- Optional[String] $command,
- Integer $offline_credentials_expiration,
- Integer $offline_failed_login_attempts,
- Integer $offline_failed_login_delay,
- Integer $pam_verbosity,
- Integer $pam_id_timeout,
- Integer $pam_pwd_expiration_warning,
- Optional[Integer] $get_domains_timeout,
- Optional[String] $pam_trusted_users,
- Optional[String] $pam_public_domains,
+<%- |
+ String $content,
 | -%>
-
-# sssd::service::pam
 [pam]
-<% if $description { -%>
-description = <%= $description %>
-<% } -%>
-<% if $debug_level { -%>
-debug_level = <%= $debug_level %>
-<% } -%>
-debug_timestamps = <%= $debug_timestamps %>
-debug_microseconds = <%= $debug_microseconds %>
-reconnection_retries = <%= $reconnection_retries %>
-<% if $command { -%>
-command = <%= $command %>
-<% } -%>
-offline_credentials_expiration = <%= $offline_credentials_expiration %>
-offline_failed_login_attempts = <%= $offline_failed_login_attempts %>
-offline_failed_login_delay = <%= $offline_failed_login_delay %>
-pam_verbosity = <%= $pam_verbosity %>
-pam_id_timeout = <%= $pam_id_timeout %>
-pam_pwd_expiration_warning = <%= $pam_pwd_expiration_warning %>
-<% if $get_domains_timeout { -%>
-get_domains_timeout = <%= $get_domains_timeout %>
-<% } -%>
-<% if $pam_trusted_users { -%>
-pam_trusted_users = <%= $pam_trusted_users %>
-<% } -%>
-<% if $pam_public_domains { -%>
-pam_public_domains = <%= $pam_public_domains %>
-<% } -%>
-<% if $pam_cert_auth { -%>
-pam_cert_auth = True
-<% } -%>
+<%= $content %>
From 638757114ff48516eb8f6fad06ac0f71649b8522 Mon Sep 17 00:00:00 2001
From: Steven Pritchard Date: Wed, 24 Sep 2025 12:25:31 -0500 Subject: [PATCH 15/25] Refactor ifp template --- manifests/service/ifp.pp | 60 ++++++++++++++++++++++++++++++++++----- templates/service/ifp.epp | 30 ++------------------ 2 files changed, 56 insertions(+), 34 deletions(-) diff --git a/manifests/service/ifp.pp b/manifests/service/ifp.pp index 0356c43..f170410 100644 --- a/manifests/service/ifp.pp +++ b/manifests/service/ifp.pp 
@@ -42,16 +42,62 @@ }, ) } else { + # Build configuration content for the IFP service + $_base_content = [ + '# sssd::service::ifp', + '[ifp]', + ] + + # Add conditional parameters if defined + if $description { + $_description_entries = ["description = ${description}"] + } else { + $_description_entries = [] + } + + if $debug_level { + $_debug_level_entries = ["debug_level = ${debug_level}"] + } else { + $_debug_level_entries = [] + } + + $_debug_timestamps_entries = $debug_timestamps ? { + true => ['debug_timestamps = true'], + false => ['debug_timestamps = false'], + } + + $_debug_microseconds_entries = $debug_microseconds ? { + true => ['debug_microseconds = true'], + false => ['debug_microseconds = false'], + } + + if $allowed_uids { + $_allowed_uids_entries = ["allowed_uids = ${allowed_uids.join(', ')}"] + } else { + $_allowed_uids_entries = [] + } + + if $user_attributes { + $_user_attributes_entries = ["user_attributes = ${user_attributes.join(', ')}"] + } else { + $_user_attributes_entries = [] + } + + if $wildcard_limit { + $_wildcard_limit_entries = ["wildcard_limit = ${wildcard_limit}"] + } else { + $_wildcard_limit_entries = [] + } + + # Combine all configuration entries in the expected order + $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_allowed_uids_entries + $_user_attributes_entries + $_wildcard_limit_entries + + $_final_content = $_all_entries.join("\n") + $_content = epp( "${module_name}/service/ifp.epp", { - 'description' => $description, - 'debug_level' => $debug_level, - 'debug_timestamps' => $debug_timestamps, - 'debug_microseconds' => $debug_microseconds, - 'wildcard_limit' => $wildcard_limit, - 'allowed_uids' => $allowed_uids, - 'user_attributes' => $user_attributes, + 'content' => $_final_content, }, ) } diff --git a/templates/service/ifp.epp b/templates/service/ifp.epp index 0c851cf..ad8d681 100644 --- a/templates/service/ifp.epp 
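Review bot: `if $allowed_uids` is true for an empty array in Puppet, so `allowed_uids = []` renders a bare `allowed_uids = ` line, and `if $user_attributes` behaves the same; the pac.pp hunk in this series guards the equivalent key with `!$allowed_uids.empty` and files.pp uses `if $passwd_files and !$passwd_files.empty`. The old template had the same behaviour, so this is pre-existing, but `allowed_uids` in sssd's `[ifp]` section governs which UIDs the InfoPipe responder serves, and an empty value written by accident is better rejected or omitted than emitted; `if $allowed_uids and !$allowed_uids.empty {` (and the same for `$user_attributes`) closes that off. The enclosing `else` branch opens above the hunk.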
+++ b/templates/service/ifp.epp @@ -1,28 +1,4 @@ -<% | - Optional[String] $description, - Optional[Sssd::Debuglevel] $debug_level, - Boolean $debug_timestamps, - Boolean $debug_microseconds, - Optional[Integer[0]] $wildcard_limit, - Optional[Array[String[1]]] $allowed_uids, - Optional[Array[String[1]]] $user_attributes, +<%- | + String $content, | -%> -# sssd::service::ifp -[ifp] -<% if $description { -%> -description = <%= $description %> -<% } -%> -<% if $debug_level { -%> -debug_level = <%= $debug_level %> -<% } -%> -debug_timestamps = <%= $debug_timestamps %> -debug_microseconds = <%= $debug_microseconds %> -<% if $allowed_uids { -%> -allowed_uids = <%= $allowed_uids.join(', ') %> -<% } -%> -<% if $user_attributes { -%> -user_attributes = <%= $user_attributes.join(', ') %> -<% } -%> -<% if $wildcard_limit { -%> -wildcard_limit = <%= $wildcard_limit %> -<% } -%> +<%= $content %> From e922db3def947cb02edce8d14ca9c4b814de7d14 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 24 Sep 2025 12:38:56 -0500 Subject: [PATCH 16/25] Refactor ssh template --- manifests/service/ssh.pp | 52 ++++++++++++++++++++++++++++++++++----- templates/service/ssh.epp | 25 +++---------------- 2 files changed, 49 insertions(+), 28 deletions(-) diff --git a/manifests/service/ssh.pp b/manifests/service/ssh.pp index 6cf0a17..f33305d 100644 --- a/manifests/service/ssh.pp +++ b/manifests/service/ssh.pp 
@@ -39,15 +39,55 @@ }, ) } else { + # Build configuration content for the SSH service + $_base_content = [ + '# sssd::service::ssh', + '[ssh]', + ] + + # Add conditional parameters if defined + if $description { + $_description_entries = ["description = ${description}"] + } else { + $_description_entries = [] + } + + if $debug_level { + $_debug_level_entries = ["debug_level = ${debug_level}"] + } else { + $_debug_level_entries = [] + } + + $_debug_timestamps_entries = $debug_timestamps ? { + true => ['debug_timestamps = true'], + false => ['debug_timestamps = false'], + } + + $_debug_microseconds_entries = $debug_microseconds ? { + true => ['debug_microseconds = true'], + false => ['debug_microseconds = false'], + } + + $_ssh_hash_known_hosts_entries = $ssh_hash_known_hosts ? { + true => ['ssh_hash_known_hosts = true'], + false => ['ssh_hash_known_hosts = false'], + } + + if $ssh_known_hosts_timeout { + $_ssh_known_hosts_timeout_entries = ["ssh_known_hosts_timeout = ${ssh_known_hosts_timeout}"] + } else { + $_ssh_known_hosts_timeout_entries = [] + } + + # Combine all configuration entries in the expected order + $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_ssh_hash_known_hosts_entries + $_ssh_known_hosts_timeout_entries + + $_final_content = $_all_entries.join("\n") + $_content = epp( "${module_name}/service/ssh.epp", { - 'description' => $description, - 'debug_level' => $debug_level, - 'debug_timestamps' => $debug_timestamps, - 'debug_microseconds' => $debug_microseconds, - 'ssh_hash_known_hosts' => $ssh_hash_known_hosts, - 'ssh_known_hosts_timeout' => $ssh_known_hosts_timeout, + 'content' => $_final_content, }, ) } diff --git a/templates/service/ssh.epp b/templates/service/ssh.epp index 84e31bc..ad8d681 100644 --- a/templates/service/ssh.epp +++ b/templates/service/ssh.epp 
@@ -1,23 +1,4 @@ -<% | - Optional[String] $description, - Optional[Sssd::DebugLevel] $debug_level, - Boolean $debug_timestamps, - Boolean $debug_microseconds, - Boolean $ssh_hash_known_hosts, - Optional[Integer] $ssh_known_hosts_timeout, +<%- | + String $content, | -%> - -# sssd::service::ssh -[ssh] -<% if $description { -%> -description = <%= $description %> -<% } -%> -<% if $debug_level { -%> -debug_level = <%= $debug_level %> -<% } -%> -debug_timestamps = <%= $debug_timestamps %> -debug_microseconds = <%= $debug_microseconds %> -ssh_hash_known_hosts = <%= $ssh_hash_known_hosts %> -<% if $ssh_known_hosts_timeout { -%> -ssh_known_hosts_timeout = <%= $ssh_known_hosts_timeout %> -<% } -%> +<%= $content %> From 7f33dbde101a8f3d829f2d35eedeba2fe1cf2f6e Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 24 Sep 2025 12:42:20 -0500 Subject: [PATCH 17/25] Refactor pac template --- manifests/service/pac.pp | 47 ++++++++++++++++++++++++++++++++++----- templates/service/pac.epp | 24 +++----------------- 2 files changed, 44 insertions(+), 27 deletions(-) diff --git a/manifests/service/pac.pp b/manifests/service/pac.pp index 875c944..6b3554e 100644 --- a/manifests/service/pac.pp +++ b/manifests/service/pac.pp 
@@ -36,15 +36,50 @@ }, ) } else { + # Build configuration content for the PAC service + $_base_content = [ + '# sssd::service::pac', + '[pac]', + ] + + # Add conditional parameters if defined + if $description { + $_description_entries = ["description = ${description}"] + } else { + $_description_entries = [] + } + + if $debug_level { + $_debug_level_entries = ["debug_level = ${debug_level}"] + } else { + $_debug_level_entries = [] + } + + $_debug_timestamps_entries = $debug_timestamps ? { + true => ['debug_timestamps = true'], + false => ['debug_timestamps = false'], + } + + $_debug_microseconds_entries = $debug_microseconds ? { + true => ['debug_microseconds = true'], + false => ['debug_microseconds = false'], + } + + if !$allowed_uids.empty { + $_allowed_uids_entries = ["allowed_uids = ${allowed_uids.join(',')}"] + } else { + $_allowed_uids_entries = [] + } + + # Combine all configuration entries in the expected order + $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_allowed_uids_entries + + $_final_content = $_all_entries.join("\n") + $_content = epp( "${module_name}/service/pac.epp", { - 'description' => $description, - 'debug_level' => $debug_level, - 'debug_timestamps' => $debug_timestamps, - 'debug_microseconds' => $debug_microseconds, - 'allowed_uids' => $allowed_uids, - 'custom_options' => $custom_options, + 'content' => $_final_content, }, ) } diff --git a/templates/service/pac.epp b/templates/service/pac.epp index 7233f25..ad8d681 100644 --- a/templates/service/pac.epp +++ b/templates/service/pac.epp 
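Review bot: The template call no longer receives `$custom_options`, and the removed template declared `Optional[Hash] $custom_options` without ever rendering it, so the output is unchanged — but that means a caller's `custom_options` is silently discarded unless the manifest handles it somewhere outside this hunk, which is worth confirming rather than keeping a parameter that is accepted and ignored. The autofs.pp hunk drops `custom_options` the same way, and sudo.pp drops `sudo_threshold`, which its old template also typed as `Integer[1]` but never printed. If these are rendered elsewhere, a comment such as `# custom_options is emitted separately and is not part of the fixed key list` at the top of the block would make that explicit. The enclosing `else` branch opens above the hunk.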
@@ -1,22 +1,4 @@ -<% | - Optional[String] $description, - Optional[Sssd::DebugLevel] $debug_level, - Boolean $debug_timestamps, - Boolean $debug_microseconds, - Array[String] $allowed_uids, - Optional[Hash] $custom_options, +<%- | + String $content, | -%> - -# sssd::service::pac -[pac] -<% if $description { -%> -description = <%= $description %> -<% } -%> -<% if $debug_level { -%> -debug_level = <%= $debug_level %> -<% } -%> -debug_timestamps = <%= $debug_timestamps %> -debug_microseconds = <%= $debug_microseconds %> -<% unless $allowed_uids.empty { -%> -allowed_uids = <%= Array($allowed_uids).join(',') %> -<% } -%> +<%= $content %> From ed6ef1f3db41ae766065d8f9b1469951c21604e7 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 24 Sep 2025 12:44:53 -0500 Subject: [PATCH 18/25] Refactor autofs template --- manifests/service/autofs.pp | 47 +++++++++++++++++++++++++++++++----- templates/service/autofs.epp | 24 +++--------------- 2 files changed, 44 insertions(+), 27 deletions(-) diff --git a/manifests/service/autofs.pp b/manifests/service/autofs.pp index 9de14c2..ecd5d05 100644 --- a/manifests/service/autofs.pp +++ b/manifests/service/autofs.pp 
@@ -37,15 +37,50 @@ }, ) } else { + # Build configuration content for the AutoFS service + $_base_content = [ + '# sssd::service::autofs', + '[autofs]', + ] + + # Add conditional parameters if defined + if $description { + $_description_entries = ["description = ${description}"] + } else { + $_description_entries = [] + } + + if $debug_level { + $_debug_level_entries = ["debug_level = ${debug_level}"] + } else { + $_debug_level_entries = [] + } + + $_debug_timestamps_entries = $debug_timestamps ? { + true => ['debug_timestamps = true'], + false => ['debug_timestamps = false'], + } + + $_debug_microseconds_entries = $debug_microseconds ? { + true => ['debug_microseconds = true'], + false => ['debug_microseconds = false'], + } + + if $autofs_negative_timeout { + $_autofs_negative_timeout_entries = ["autofs_negative_timeout = ${autofs_negative_timeout}"] + } else { + $_autofs_negative_timeout_entries = [] + } + + # Combine all configuration entries in the expected order + $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_autofs_negative_timeout_entries + + $_final_content = $_all_entries.join("\n") + $_content = epp( "${module_name}/service/autofs.epp", { - 'description' => $description, - 'debug_level' => $debug_level, - 'debug_timestamps' => $debug_timestamps, - 'debug_microseconds' => $debug_microseconds, - 'autofs_negative_timeout' => $autofs_negative_timeout, - 'custom_options' => $custom_options, + 'content' => $_final_content, }, ) } diff --git a/templates/service/autofs.epp b/templates/service/autofs.epp index 3b1bb6b..ad8d681 100644 --- a/templates/service/autofs.epp +++ b/templates/service/autofs.epp 
@@ -1,22 +1,4 @@ -<% | - Optional[String] $description, - Optional[Sssd::DebugLevel] $debug_level, - Boolean $debug_timestamps, - Boolean $debug_microseconds, - Optional[Integer] $autofs_negative_timeout, - Optional[Hash] $custom_options, +<%- | + String $content, | -%> - -# sssd::service::autofs -[autofs] -<% if $description { -%> -description = <%= $description %> -<% } -%> -<% if $debug_level { -%> -debug_level = <%= $debug_level %> -<% } -%> -debug_timestamps = <%= $debug_timestamps %> -debug_microseconds = <%= $debug_microseconds %> -<% if $autofs_negative_timeout { -%> -autofs_negative_timeout = <%= $autofs_negative_timeout %> -<% } -%> +<%= $content %> From f096fa79ae7a49a5311a30afde3c49cbd8c6733c Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 24 Sep 2025 12:47:22 -0500 Subject: [PATCH 19/25] Refactor sudo template --- manifests/service/sudo.pp | 46 +++++++++++++++++++++++++++++++++----- templates/service/sudo.epp | 22 +++--------------- 2 files changed, 43 insertions(+), 25 deletions(-) diff --git a/manifests/service/sudo.pp b/manifests/service/sudo.pp index eb978fa..20ad229 100644 --- a/manifests/service/sudo.pp +++ b/manifests/service/sudo.pp 
@@ -40,15 +40,49 @@ }, ) } else { + # Build configuration content for the SUDO service + $_base_content = [ + '# sssd::service::sudo', + '[sudo]', + ] + + # Add conditional parameters if defined + if $description { + $_description_entries = ["description = ${description}"] + } else { + $_description_entries = [] + } + + if $debug_level { + $_debug_level_entries = ["debug_level = ${debug_level}"] + } else { + $_debug_level_entries = [] + } + + $_debug_timestamps_entries = $debug_timestamps ? { + true => ['debug_timestamps = true'], + false => ['debug_timestamps = false'], + } + + $_debug_microseconds_entries = $debug_microseconds ? { + true => ['debug_microseconds = true'], + false => ['debug_microseconds = false'], + } + + $_sudo_timed_entries = $sudo_timed ? { + true => ['sudo_timed = true'], + false => ['sudo_timed = false'], + } + + # Combine all configuration entries in the expected order + $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_sudo_timed_entries + + $_final_content = $_all_entries.join("\n") + $_content = epp( "${module_name}/service/sudo.epp", { - 'description' => $description, - 'debug_level' => $debug_level, - 'debug_timestamps' => $debug_timestamps, - 'debug_microseconds' => $debug_microseconds, - 'sudo_timed' => $sudo_timed, - 'sudo_threshold' => $sudo_threshold, + 'content' => $_final_content, }, ) } diff --git a/templates/service/sudo.epp b/templates/service/sudo.epp index ac06a70..ad8d681 100644 --- a/templates/service/sudo.epp +++ b/templates/service/sudo.epp 
@@ -1,20 +1,4 @@ -<% | - Optional[String] $description, - Optional[Sssd::Debuglevel] $debug_level, - Boolean $debug_timestamps, - Boolean $debug_microseconds, - Boolean $sudo_timed, - Integer[1] $sudo_threshold, +<%- | + String $content, | -%> - -# sssd::service::sudo -[sudo] -<% if $description { -%> -description = <%= $description %> -<% } -%> -<% if $debug_level { -%> -debug_level = <%= $debug_level %> -<% } -%> -debug_timestamps = <%= $debug_timestamps %> -debug_microseconds = <%= $debug_microseconds %> -sudo_timed = <%= $sudo_timed %> +<%= $content %> From bf02294839d26f465713997304fd0c1fab833f4b Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 24 Sep 2025 12:51:52 -0500 Subject: [PATCH 20/25] Refactor files template --- manifests/provider/files.pp | 28 +++++++++++++++++++++++++--- templates/provider/files.epp | 17 +++++------------ 2 files changed, 30 insertions(+), 15 deletions(-) diff --git a/manifests/provider/files.pp b/manifests/provider/files.pp index 2189a15..b14875f 100644 --- a/manifests/provider/files.pp +++ b/manifests/provider/files.pp 
@@ -21,13 +21,35 @@ Optional[Array[Stdlib::Absolutepath]] $passwd_files = undef, Optional[Array[Stdlib::Absolutepath]] $group_files = undef, ) { + # Build configuration content for the Files provider + $_content = [ + '# sssd::provider::files', + ] + + # Add conditional parameters if defined + if $passwd_files and !$passwd_files.empty { + $_passwd_files_entries = ["passwd_files = ${passwd_files.join(', ')}"] + } else { + $_passwd_files_entries = [] + } + + if $group_files and !$group_files.empty { + $_group_files_entries = ["group_files = ${group_files.join(', ')}"] + } else { + $_group_files_entries = [] + } + + # Combine all configuration entries + $_all_entries = $_content + $_passwd_files_entries + $_group_files_entries + + $_final_content = $_all_entries.join("\n") + sssd::config::entry { "puppet_provider_${name}_files": content => epp( "${module_name}/provider/files.epp", { - 'title' => $title, - 'passwd_files' => $passwd_files, - 'group_files' => $group_files, + 'title' => "domain/${title}", + 'content' => $_final_content, } ), } diff --git a/templates/provider/files.epp b/templates/provider/files.epp index bc12d04..0133269 100644 --- a/templates/provider/files.epp +++ b/templates/provider/files.epp @@ -1,13 +1,6 @@ -<% | - String $title, - Optional[Array[Stdlib::Absolutepath]] $passwd_files, - Optional[Array[Stdlib::Absolutepath]] $group_files, +<%- | + String $title, + String $content, | -%> -[domain/<%= $title %>] -# sssd::provider::files -<% if $passwd_files and ! $passwd_files.empty { -%> -passwd_files = <%= $passwd_files.join(', ') %> -<% } -%> -<% if $group_files and ! $group_files.empty { -%> -group_files = <%= $group_files.join(', ') %> -<% } -%> +[<%= $title %>] +<%= $content %> From bd4bec0632ddee5f9bb7aa38b57ea3ba4e4dd54b Mon Sep 17 00:00:00 2001 
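Review bot: `String $title` and `String $content` in the new files.epp signature accept empty strings, and an empty `$title` renders a bare `[]` section header in the generated configuration; the `String[1]` used by the other templates in this series rejects that at compile time, so `String[1] $title,` / `String[1] $content,` would be the consistent choice. The preceding sudo.epp hunk loosens its `$content` parameter the same way.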
From: Steven Pritchard Date: Wed, 24 Sep 2025 14:59:20 -0500 Subject: [PATCH 21/25] Refactor to use common templates --- manifests/config.pp | 4 ++-- manifests/domain.pp | 6 +++--- manifests/provider/ad.pp | 6 +++--- manifests/provider/files.pp | 4 ++-- manifests/provider/ipa.pp | 8 ++++---- manifests/provider/krb5.pp | 4 ++-- manifests/provider/ldap.pp | 8 ++++---- manifests/service/autofs.pp | 4 ++-- manifests/service/ifp.pp | 4 ++-- manifests/service/nss.pp | 10 +++++++--- manifests/service/pac.pp | 4 ++-- manifests/service/pam.pp | 5 +++-- manifests/service/ssh.pp | 4 ++-- manifests/service/sudo.pp | 4 ++-- templates/{sssd.conf.epp => content_only.epp} | 4 +--- templates/domain.epp | 7 ------- templates/{provider/ad.epp => generic.epp} | 5 ++--- templates/provider/files.epp | 6 ------ templates/provider/ipa.epp | 7 ------- templates/provider/krb5.epp | 6 ------ templates/provider/ldap.epp | 7 ------- templates/service/autofs.epp | 4 ---- templates/service/ifp.epp | 4 ---- templates/service/nss.epp | 6 ------ templates/service/pac.epp | 4 ---- templates/service/pam.epp | 5 ----- templates/service/ssh.epp | 4 ---- templates/service/sudo.epp | 4 ---- 28 files changed, 43 insertions(+), 105 deletions(-) rename templates/{sssd.conf.epp => content_only.epp} (61%) delete mode 100644 templates/domain.epp rename templates/{provider/ad.epp => generic.epp} (56%) delete mode 100644 templates/provider/files.epp delete mode 100644 templates/provider/ipa.epp delete mode 100644 templates/provider/krb5.epp delete mode 100644 templates/provider/ldap.epp delete mode 100644 templates/service/autofs.epp delete mode 100644 templates/service/ifp.epp delete mode 100644 templates/service/nss.epp delete mode 100644 templates/service/pac.epp delete mode 100644 templates/service/pam.epp delete mode 100644 templates/service/ssh.epp delete mode 100644 templates/service/sudo.epp diff --git a/manifests/config.pp b/manifests/config.pp index d321d0a..459c02d 100644 --- a/manifests/config.pp 
+++ b/manifests/config.pp @@ -132,8 +132,8 @@ owner => 'root', group => 'root', mode => '0600', - content => epp("${module_name}/sssd.conf.epp", { - 'content' => $content, + content => epp("${module_name}/content_only.epp", { + 'content' => "# sssd::config\n[sssd]\n${content}", }), notify => Class["${module_name}::service"], } diff --git a/manifests/domain.pp b/manifests/domain.pp index da2e480..ad7350b 100644 --- a/manifests/domain.pp +++ b/manifests/domain.pp @@ -249,9 +249,9 @@ $content = $config_lines.join("\n") sssd::config::entry { "puppet_domain_${name}": - content => epp('sssd/domain.epp', { - 'name' => $name, - 'content' => $content, + content => epp("${module_name}/generic", { + 'title' => "domain/${name}", + 'content' => "# sssd::domain ${name}\n${content}", }), } } diff --git a/manifests/provider/ad.pp b/manifests/provider/ad.pp index c085015..7c6d552 100644 --- a/manifests/provider/ad.pp +++ b/manifests/provider/ad.pp @@ -373,9 +373,9 @@ $content = $config_lines.join("\n") sssd::config::entry { "puppet_provider_${name}_ad": - content => epp("${module_name}/provider/ad.epp", { - 'title' => $title, - 'content' => $content, + content => epp("${module_name}/generic.epp", { + 'title' => "domain/${title}", + 'content' => "# sssd::provider::ad\n${content}", }), } } diff --git a/manifests/provider/files.pp b/manifests/provider/files.pp index b14875f..9317e65 100644 --- a/manifests/provider/files.pp +++ b/manifests/provider/files.pp @@ -42,11 +42,11 @@ # Combine all configuration entries $_all_entries = $_content + $_passwd_files_entries + $_group_files_entries - $_final_content = $_all_entries.join("\n") + $_final_content = "${_all_entries.join("\n")}" sssd::config::entry { "puppet_provider_${name}_files": content => epp( - "${module_name}/provider/files.epp", + "${module_name}/generic.epp", { 'title' => "domain/${title}", 'content' => $_final_content, diff --git a/manifests/provider/ipa.pp b/manifests/provider/ipa.pp index 8262816..8b8e053 100644 
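Review bot: The domain.pp call site reads `epp("${module_name}/generic", {` while ad.pp and files.pp in the same patch call `"${module_name}/generic.epp"`, and the krb5.pp hunk in this very patch fixes an extension-less path of the same shape. Puppet's `epp()` looks the argument up as a literal path under the module's `templates/` directory, so unless something not visible here supplies the suffix this lookup will fail at catalog compilation; change it to `content => epp("${module_name}/generic.epp", {`.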
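Review bot: `$_final_content = "${_all_entries.join("\n")}"` wraps a value that is already a String in an interpolation that only copies it; the removed `$_final_content = $_all_entries.join("\n")` said the same thing more plainly and should be kept. The same wrapper is introduced in krb5.pp, ldap.pp, autofs.pp, ifp.pp, pac.pp, pam.pp, ssh.pp and sudo.pp further down this patch.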
--- a/manifests/provider/ipa.pp +++ b/manifests/provider/ipa.pp @@ -156,12 +156,12 @@ ) # Join all configuration lines - $content = $config_lines.join("\n") + $_final_content = $config_lines.join("\n") sssd::config::entry { "puppet_provider_${name}_ipa": - content => epp("${module_name}/provider/ipa.epp", { - 'title' => $title, - 'content' => $content, + content => epp("${module_name}/generic.epp", { + 'title' => "domain/${title}", + 'content' => "# sssd::provider::ipa\n${_final_content}", }), } } diff --git a/manifests/provider/krb5.pp b/manifests/provider/krb5.pp index a30d31e..eb25d3d 100644 --- a/manifests/provider/krb5.pp +++ b/manifests/provider/krb5.pp @@ -134,11 +134,11 @@ # Combine all configuration entries in the expected order $_all_entries = $_content + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_krb5_server_entries + $_krb5_realm_entries + $_krb5_kpasswd_entries + $_krb5_ccachedir_entries + $_krb5_ccname_template_entries + $_krb5_auth_timeout_entries + $_krb5_validate_entries + $_krb5_keytab_entries + $_krb5_store_password_if_offline_entries + $_krb5_renewable_lifetime_entries + $_krb5_lifetime_entries + $_krb5_renew_interval_entries + $_krb5_use_fast_entries - $_final_content = $_all_entries.join("\n") + $_final_content = "${_all_entries.join("\n")}" sssd::config::entry { "puppet_provider_${name}_krb5": content => epp( - "${module_name}/provider/krb5", + "${module_name}/generic.epp", { 'title' => "domain/${title}", 'content' => $_final_content, diff --git a/manifests/provider/ldap.pp b/manifests/provider/ldap.pp index 626cb17..3718846 100644 --- a/manifests/provider/ldap.pp +++ b/manifests/provider/ldap.pp 
@@ -709,14 +709,14 @@ # Combine all configuration lines and sort them $all_config_lines = ($simple_config_lines + $account_expire_line + $array_config_lines).sort - $content = $all_config_lines.join("\n") + $content = "${all_config_lines.join("\n")}" sssd::config::entry { "puppet_provider_${title}_ldap": content => epp( - "${module_name}/provider/ldap.epp", + "${module_name}/generic.epp", { - 'title' => $title, - 'content' => $content, + 'title' => "domain/${title}", + 'content' => "# sssd::provider::ldap\n${content}", }, ), } diff --git a/manifests/service/autofs.pp b/manifests/service/autofs.pp index ecd5d05..7f71fb6 100644 --- a/manifests/service/autofs.pp +++ b/manifests/service/autofs.pp @@ -75,10 +75,10 @@ # Combine all configuration entries in the expected order $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_autofs_negative_timeout_entries - $_final_content = $_all_entries.join("\n") + $_final_content = "${_all_entries.join("\n")}" $_content = epp( - "${module_name}/service/autofs.epp", + "${module_name}/content_only.epp", { 'content' => $_final_content, }, diff --git a/manifests/service/ifp.pp b/manifests/service/ifp.pp index f170410..a406d8a 100644 --- a/manifests/service/ifp.pp +++ b/manifests/service/ifp.pp @@ -92,10 +92,10 @@ # Combine all configuration entries in the expected order $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_allowed_uids_entries + $_user_attributes_entries + $_wildcard_limit_entries - $_final_content = $_all_entries.join("\n") + $_final_content = "${_all_entries.join("\n")}" $_content = epp( - "${module_name}/service/ifp.epp", + "${module_name}/content_only.epp", { 'content' => $_final_content, }, diff --git a/manifests/service/nss.pp b/manifests/service/nss.pp index c3c2a6e..c66cbca 100644 --- a/manifests/service/nss.pp 
+++ b/manifests/service/nss.pp @@ -135,9 +135,13 @@ # Join all configuration lines $content = $config_lines.join("\n") - $_content = epp("${module_name}/service/nss.epp", { - 'content' => $content, - }) + $_content = epp( + "${module_name}/generic.epp", + { + 'title' => 'nss', + 'content' => "# sssd::service::nss\n${content}", + }, + ) } sssd::config::entry { 'puppet_service_nss': diff --git a/manifests/service/pac.pp b/manifests/service/pac.pp index 6b3554e..81eeb96 100644 --- a/manifests/service/pac.pp +++ b/manifests/service/pac.pp @@ -74,10 +74,10 @@ # Combine all configuration entries in the expected order $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_allowed_uids_entries - $_final_content = $_all_entries.join("\n") + $_final_content = "${_all_entries.join("\n")}" $_content = epp( - "${module_name}/service/pac.epp", + "${module_name}/content_only.epp", { 'content' => $_final_content, }, diff --git a/manifests/service/pam.pp b/manifests/service/pam.pp index 50795da..ebf335d 100644 --- a/manifests/service/pam.pp +++ b/manifests/service/pam.pp 
@@ -130,11 +130,12 @@ # Combine all configuration entries in the expected order $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_reconnection_retries_entries + $_command_entries + $_offline_credentials_expiration_entries + $_offline_failed_login_attempts_entries + $_offline_failed_login_delay_entries + $_pam_verbosity_entries + $_pam_id_timeout_entries + $_pam_pwd_expiration_warning_entries + $_get_domains_timeout_entries + $_pam_trusted_users_entries + $_pam_public_domains_entries + $_pam_cert_auth_entries - $_final_content = $_all_entries.join("\n") + $_final_content = "${_all_entries.join("\n")}" $_content = epp( - "${module_name}/service/pam.epp", + "${module_name}/generic.epp", { + 'title' => 'pam', 'content' => $_final_content, }, ) diff --git a/manifests/service/ssh.pp b/manifests/service/ssh.pp index f33305d..3decc07 100644 --- a/manifests/service/ssh.pp +++ b/manifests/service/ssh.pp @@ -82,10 +82,10 @@ # Combine all configuration entries in the expected order $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_ssh_hash_known_hosts_entries + $_ssh_known_hosts_timeout_entries - $_final_content = $_all_entries.join("\n") + $_final_content = "${_all_entries.join("\n")}" $_content = epp( - "${module_name}/service/ssh.epp", + "${module_name}/content_only.epp", { 'content' => $_final_content, }, diff --git a/manifests/service/sudo.pp b/manifests/service/sudo.pp index 20ad229..3df4b19 100644 --- a/manifests/service/sudo.pp +++ b/manifests/service/sudo.pp 
@@ -77,10 +77,10 @@ # Combine all configuration entries in the expected order $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_sudo_timed_entries - $_final_content = $_all_entries.join("\n") + $_final_content = "${_all_entries.join("\n")}" $_content = epp( - "${module_name}/service/sudo.epp", + "${module_name}/content_only.epp", { 'content' => $_final_content, }, diff --git a/templates/sssd.conf.epp b/templates/content_only.epp similarity index 61% rename from templates/sssd.conf.epp rename to templates/content_only.epp index c25b7a8..801da5a 100644 --- a/templates/sssd.conf.epp +++ b/templates/content_only.epp @@ -1,6 +1,4 @@ -<% | +<%- | String[1] $content, | -%> -# sssd::config -[sssd] <%= $content %> diff --git a/templates/domain.epp b/templates/domain.epp deleted file mode 100644 index e1eb2a2..0000000 --- a/templates/domain.epp +++ /dev/null @@ -1,7 +0,0 @@ -<% | - String[1] $name, - String[1] $content, -| -%> -# sssd::domain <%= $name %> -[domain/<%= $name %>] -<%= $content %> diff --git a/templates/provider/ad.epp b/templates/generic.epp similarity index 56% rename from templates/provider/ad.epp rename to templates/generic.epp index fb2710b..98d50de 100644 --- a/templates/provider/ad.epp +++ b/templates/generic.epp @@ -1,7 +1,6 @@ -<% | +<%- | String[1] $title, String[1] $content, | -%> -[domain/<%= $title %>] -# sssd::provider::ad +[<%= $title %>] <%= $content %> diff --git a/templates/provider/files.epp b/templates/provider/files.epp deleted file mode 100644 index 0133269..0000000 --- a/templates/provider/files.epp +++ /dev/null @@ -1,6 +0,0 @@ -<%- | - String $title, - String $content, -| -%> -[<%= $title %>] -<%= $content %> diff --git a/templates/provider/ipa.epp b/templates/provider/ipa.epp deleted file mode 100644 index 7bf1b65..0000000 --- a/templates/provider/ipa.epp +++ /dev/null 
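Review bot: generic.epp interpolates `$title` straight into the `[<%= $title %>]` section header, and after this patch most callers derive it from a resource title (`"domain/${title}"`) rather than a fixed name. A title containing `[`, `]` or a newline would silently open or split INI sections in the rendered file, so a narrower type than `String[1]` is worth considering here, for example `Pattern[/\A[^\[\]\n]+\z/] $title,`, or validating `$name` in the defined types that build the prefix. This is an integrity guard for the generated sssd.conf rather than a change to what valid titles render.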
@@ -1,7 +0,0 @@ -<% | - String[1] $title, - String[1] $content, -| -%> -[domain/<%= $title %>] -# sssd::provider::ipa -<%= $content %> diff --git a/templates/provider/krb5.epp b/templates/provider/krb5.epp deleted file mode 100644 index 0133269..0000000 --- a/templates/provider/krb5.epp +++ /dev/null @@ -1,6 +0,0 @@ -<%- | - String $title, - String $content, -| -%> -[<%= $title %>] -<%= $content %> diff --git a/templates/provider/ldap.epp b/templates/provider/ldap.epp deleted file mode 100644 index 939f1f3..0000000 --- a/templates/provider/ldap.epp +++ /dev/null @@ -1,7 +0,0 @@ -<% | - String[1] $title, - String[1] $content, -| -%> -[domain/<%= $title %>] -# sssd::provider::ldap -<%= $content %> diff --git a/templates/service/autofs.epp b/templates/service/autofs.epp deleted file mode 100644 index ad8d681..0000000 --- a/templates/service/autofs.epp +++ /dev/null @@ -1,4 +0,0 @@ -<%- | - String $content, -| -%> -<%= $content %> diff --git a/templates/service/ifp.epp b/templates/service/ifp.epp deleted file mode 100644 index ad8d681..0000000 --- a/templates/service/ifp.epp +++ /dev/null @@ -1,4 +0,0 @@ -<%- | - String $content, -| -%> -<%= $content %> diff --git a/templates/service/nss.epp b/templates/service/nss.epp deleted file mode 100644 index 4460ba6..0000000 --- a/templates/service/nss.epp +++ /dev/null @@ -1,6 +0,0 @@ -<% | - String[1] $content, -| -%> -# sssd::service::nss -[nss] -<%= $content %> diff --git a/templates/service/pac.epp b/templates/service/pac.epp deleted file mode 100644 index ad8d681..0000000 --- a/templates/service/pac.epp +++ /dev/null @@ -1,4 +0,0 @@ -<%- | - String $content, -| -%> -<%= $content %> diff --git a/templates/service/pam.epp b/templates/service/pam.epp deleted file mode 100644 index 733a648..0000000 --- a/templates/service/pam.epp +++ /dev/null @@ -1,5 +0,0 @@ -<%- | - String $content, -| -%> -[pam] -<%= $content %> 
diff --git a/templates/service/ssh.epp b/templates/service/ssh.epp deleted file mode 100644 index ad8d681..0000000 --- a/templates/service/ssh.epp +++ /dev/null @@ -1,4 +0,0 @@ -<%- | - String $content, -| -%> -<%= $content %> diff --git a/templates/service/sudo.epp b/templates/service/sudo.epp deleted file mode 100644 index ad8d681..0000000 --- a/templates/service/sudo.epp +++ /dev/null @@ -1,4 +0,0 @@ -<%- | - String $content, -| -%> -<%= $content %> From b1b22240e10afe0d9788ce0d878b393a7996699d Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 24 Sep 2025 15:22:50 -0500 Subject: [PATCH 22/25] Drop redundant content_only template --- manifests/config.pp | 6 ++---- manifests/service/autofs.pp | 9 +-------- manifests/service/ifp.pp | 9 +-------- manifests/service/pac.pp | 9 +-------- manifests/service/ssh.pp | 9 +-------- manifests/service/sudo.pp | 9 +-------- templates/content_only.epp | 4 ---- 7 files changed, 7 insertions(+), 48 deletions(-) delete mode 100644 templates/content_only.epp diff --git a/manifests/config.pp b/manifests/config.pp index 459c02d..b852bc6 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -126,15 +126,13 @@ ) # Join all configuration lines - $content = $config_lines.join("\n") + $content = "# sssd::config\n[sssd]\n${$config_lines.join("\n")}\n" file { '/etc/sssd/sssd.conf': owner => 'root', group => 'root', mode => '0600', - content => epp("${module_name}/content_only.epp", { - 'content' => "# sssd::config\n[sssd]\n${content}", - }), + content => $content, notify => Class["${module_name}::service"], } } diff --git a/manifests/service/autofs.pp b/manifests/service/autofs.pp index 7f71fb6..8bd5b66 100644 --- a/manifests/service/autofs.pp +++ b/manifests/service/autofs.pp 
@@ -75,14 +75,7 @@ # Combine all configuration entries in the expected order $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_autofs_negative_timeout_entries - $_final_content = "${_all_entries.join("\n")}" - - $_content = epp( - "${module_name}/content_only.epp", - { - 'content' => $_final_content, - }, - ) + $_content = "${_all_entries.join("\n")}\n" } sssd::config::entry { 'puppet_service_autofs': diff --git a/manifests/service/ifp.pp b/manifests/service/ifp.pp index a406d8a..6316d4c 100644 --- a/manifests/service/ifp.pp +++ b/manifests/service/ifp.pp @@ -92,14 +92,7 @@ # Combine all configuration entries in the expected order $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_allowed_uids_entries + $_user_attributes_entries + $_wildcard_limit_entries - $_final_content = "${_all_entries.join("\n")}" - - $_content = epp( - "${module_name}/content_only.epp", - { - 'content' => $_final_content, - }, - ) + $_content = "${_all_entries.join("\n")}\n" } sssd::config::entry { 'puppet_service_ifp': diff --git a/manifests/service/pac.pp b/manifests/service/pac.pp index 81eeb96..59e9cf2 100644 --- a/manifests/service/pac.pp +++ b/manifests/service/pac.pp @@ -74,14 +74,7 @@ # Combine all configuration entries in the expected order $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_allowed_uids_entries - $_final_content = "${_all_entries.join("\n")}" - - $_content = epp( - "${module_name}/content_only.epp", - { - 'content' => $_final_content, - }, - ) + $_content = "${_all_entries.join("\n")}\n" } sssd::config::entry { 'puppet_service_pac': diff --git a/manifests/service/ssh.pp b/manifests/service/ssh.pp index 3decc07..8ba41ee 100644 --- a/manifests/service/ssh.pp +++ b/manifests/service/ssh.pp 
@@ -82,14 +82,7 @@ # Combine all configuration entries in the expected order $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_ssh_hash_known_hosts_entries + $_ssh_known_hosts_timeout_entries - $_final_content = "${_all_entries.join("\n")}" - - $_content = epp( - "${module_name}/content_only.epp", - { - 'content' => $_final_content, - }, - ) + $_content = "${_all_entries.join("\n")}\n" } sssd::config::entry { 'puppet_service_ssh': diff --git a/manifests/service/sudo.pp b/manifests/service/sudo.pp index 3df4b19..cfa8359 100644 --- a/manifests/service/sudo.pp +++ b/manifests/service/sudo.pp @@ -77,14 +77,7 @@ # Combine all configuration entries in the expected order $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_sudo_timed_entries - $_final_content = "${_all_entries.join("\n")}" - - $_content = epp( - "${module_name}/content_only.epp", - { - 'content' => $_final_content, - }, - ) + $_content = "${_all_entries.join("\n")}\n" } sssd::config::entry { 'puppet_service_sudo': diff --git a/templates/content_only.epp b/templates/content_only.epp deleted file mode 100644 index 801da5a..0000000 --- a/templates/content_only.epp +++ /dev/null @@ -1,4 +0,0 @@ -<%- | - String[1] $content, -| -%> -<%= $content %> From 9556bc810a327c8a14404ff482cf49ef21f0fc59 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Wed, 24 Sep 2025 15:31:06 -0500 Subject: [PATCH 23/25] Bump to next major version --- CHANGELOG | 2 +- metadata.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 84bd019..2e141d7 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,4 +1,4 @@ -* Tue Sep 23 2025 Steven Pritchard - 7.14.0 +* Tue Sep 23 2025 Steven Pritchard - 8.0.0 - Migrate ERB templates to EPP (#152) * Wed Jun 11 2025 Chris Tessmer - 7.13.1 
diff --git a/metadata.json b/metadata.json index 0fc29c3..015ad55 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "simp-sssd", - "version": "7.14.0", + "version": "8.0.0", "author": "SIMP Team", "summary": "Manages SSSD", "license": "Apache-2.0", From 2dfeb76b92a0d77fc422e16e2e1e6502b6746318 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Thu, 25 Sep 2025 13:04:33 -0500 Subject: [PATCH 24/25] Refactor to be more consistent --- manifests/provider/files.pp | 32 +++---- manifests/provider/krb5.pp | 143 +++++++++++-------------------- manifests/service/autofs.pp | 60 ++++++------- manifests/service/ifp.pp | 76 +++++++--------- manifests/service/pac.pp | 60 ++++++------- manifests/service/pam.pp | 119 +++++++++++-------------- manifests/service/ssh.pp | 67 ++++++--------- manifests/service/sudo.pp | 61 ++++++------- spec/classes/service/ifp_spec.rb | 4 +- 9 files changed, 247 insertions(+), 375 deletions(-) diff --git a/manifests/provider/files.pp b/manifests/provider/files.pp index 9317e65..2400794 100644 --- a/manifests/provider/files.pp +++ b/manifests/provider/files.pp 
@@ -21,35 +21,25 @@ Optional[Array[Stdlib::Absolutepath]] $passwd_files = undef, Optional[Array[Stdlib::Absolutepath]] $group_files = undef, ) { - # Build configuration content for the Files provider - $_content = [ - '# sssd::provider::files', - ] + # Build configuration lines in order (matching expected test output) + $passwd_files_line = ($passwd_files and !$passwd_files.empty) ? { true => ["passwd_files = ${passwd_files.join(', ')}"], false => [] } + $group_files_line = ($group_files and !$group_files.empty) ? { true => ["group_files = ${group_files.join(', ')}"], false => [] } - # Add conditional parameters if defined - if $passwd_files and !$passwd_files.empty { - $_passwd_files_entries = ["passwd_files = ${passwd_files.join(', ')}"] - } else { - $_passwd_files_entries = [] - } - - if $group_files and !$group_files.empty { - $_group_files_entries = ["group_files = ${group_files.join(', ')}"] - } else { - $_group_files_entries = [] - } - - # Combine all configuration entries - $_all_entries = $_content + $_passwd_files_entries + $_group_files_entries + # Combine all lines in order + $config_lines = ( + $passwd_files_line + + $group_files_line + ) - $_final_content = "${_all_entries.join("\n")}" + # Join all configuration lines + $content = "${(['# sssd::provider::files'] + $config_lines).join("\n")}" sssd::config::entry { "puppet_provider_${name}_files": content => epp( "${module_name}/generic.epp", { 'title' => "domain/${title}", - 'content' => $_final_content, + 'content' => $content, } ), } diff --git a/manifests/provider/krb5.pp b/manifests/provider/krb5.pp index eb25d3d..990ba83 100644 --- a/manifests/provider/krb5.pp +++ b/manifests/provider/krb5.pp 
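Review bot: `$content = "${(['# sssd::provider::files'] + $config_lines).join("\n")}"` folds the header comment into the joined lines and wraps the result in a no-op interpolation, while krb5.pp in the same patch keeps `$content = $config_lines.join("\n")` and prepends the comment at the `epp()` call; for a patch titled "more consistent" the two should match. Suggest `$content = $config_lines.join("\n")` here and `'content' => "# sssd::provider::files\n${content}",` in the entry. The comment `# Build configuration lines in order (matching expected test output)` also explains the order by what the tests expect rather than by the file being generated; wording such as `# Build configuration lines in the order the original template emitted them` would age better, and the same sentence is repeated in the krb5.pp, autofs.pp and ifp.pp hunks below.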
@@ -45,103 +45,64 @@ Integer $krb5_renew_interval = 0, Optional[Enum['never','try','demand']] $krb5_use_fast = undef, ) { - # Build configuration content for the Kerberos provider - $_content = [ - '# sssd::provider::krb5', - ] - - # Add conditional parameters if defined in the correct order - if $debug_level { - $_debug_level_entries = ["debug_level = ${debug_level}"] - } else { - $_debug_level_entries = [] - } - - $_debug_timestamps_entries = $debug_timestamps ? { - true => ['debug_timestamps = true'], - false => ['debug_timestamps = false'], - } - - $_debug_microseconds_entries = $debug_microseconds ? { - true => ['debug_microseconds = true'], - false => ['debug_microseconds = false'], - } - - if $krb5_server { - $_krb5_server_entries = ["krb5_server = ${krb5_server}"] - } else { - $_krb5_server_entries = [] - } - - $_krb5_realm_entries = ["krb5_realm = ${krb5_realm}"] - - if $krb5_kpasswd { - $_krb5_kpasswd_entries = ["krb5_kpasswd = ${krb5_kpasswd}"] - } else { - $_krb5_kpasswd_entries = [] - } - - if $krb5_ccachedir { - $_krb5_ccachedir_entries = ["krb5_ccachedir = ${krb5_ccachedir}"] - } else { - $_krb5_ccachedir_entries = [] - } - - if $krb5_ccname_template { - $_krb5_ccname_template_entries = ["krb5_ccname_template = ${krb5_ccname_template}"] - } else { - $_krb5_ccname_template_entries = [] - } - - $_krb5_auth_timeout_entries = ["krb5_auth_timeout = ${krb5_auth_timeout}"] - - $_krb5_validate_entries = $krb5_validate ? { - true => ['krb5_validate = true'], - false => ['krb5_validate = false'], - } - - if $krb5_keytab { - $_krb5_keytab_entries = ["krb5_keytab = ${krb5_keytab}"] - } else { - $_krb5_keytab_entries = [] - } - - $_krb5_store_password_if_offline_entries = $krb5_store_password_if_offline ? 
{ - true => ['krb5_store_password_if_offline = true'], - false => ['krb5_store_password_if_offline = false'], - } - - if $krb5_renewable_lifetime { - $_krb5_renewable_lifetime_entries = ["krb5_renewable_lifetime = ${krb5_renewable_lifetime}"] - } else { - $_krb5_renewable_lifetime_entries = [] - } - - if $krb5_lifetime { - $_krb5_lifetime_entries = ["krb5_lifetime = ${krb5_lifetime}"] - } else { - $_krb5_lifetime_entries = [] - } - - $_krb5_renew_interval_entries = ["krb5_renew_interval = ${krb5_renew_interval}"] - - if $krb5_use_fast { - $_krb5_use_fast_entries = ["krb5_use_fast = ${krb5_use_fast}"] - } else { - $_krb5_use_fast_entries = [] - } - - # Combine all configuration entries in the expected order - $_all_entries = $_content + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_krb5_server_entries + $_krb5_realm_entries + $_krb5_kpasswd_entries + $_krb5_ccachedir_entries + $_krb5_ccname_template_entries + $_krb5_auth_timeout_entries + $_krb5_validate_entries + $_krb5_keytab_entries + $_krb5_store_password_if_offline_entries + $_krb5_renewable_lifetime_entries + $_krb5_lifetime_entries + $_krb5_renew_interval_entries + $_krb5_use_fast_entries - - $_final_content = "${_all_entries.join("\n")}" + # Build configuration lines in order (matching expected test output) + # Debug settings + $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] } + $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"] + $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"] + + # Kerberos server settings + $krb5_server_line = $krb5_server ? { undef => [], default => ["krb5_server = ${krb5_server}"] } + $krb5_realm_line = ["krb5_realm = ${krb5_realm}"] + $krb5_kpasswd_line = $krb5_kpasswd ? { undef => [], default => ["krb5_kpasswd = ${krb5_kpasswd}"] } + + # Cache settings + $krb5_ccachedir_line = $krb5_ccachedir ? 
{ undef => [], default => ["krb5_ccachedir = ${krb5_ccachedir}"] } + $krb5_ccname_template_line = $krb5_ccname_template ? { undef => [], default => ["krb5_ccname_template = ${krb5_ccname_template}"] } + + # Authentication settings + $krb5_auth_timeout_line = ["krb5_auth_timeout = ${krb5_auth_timeout}"] + $krb5_validate_line = ["krb5_validate = ${krb5_validate}"] + $krb5_keytab_line = $krb5_keytab ? { undef => [], default => ["krb5_keytab = ${krb5_keytab}"] } + $krb5_store_password_if_offline_line = ["krb5_store_password_if_offline = ${krb5_store_password_if_offline}"] + + # Lifetime settings + $krb5_renewable_lifetime_line = $krb5_renewable_lifetime ? { undef => [], default => ["krb5_renewable_lifetime = ${krb5_renewable_lifetime}"] } + $krb5_lifetime_line = $krb5_lifetime ? { undef => [], default => ["krb5_lifetime = ${krb5_lifetime}"] } + $krb5_renew_interval_line = ["krb5_renew_interval = ${krb5_renew_interval}"] + + # Advanced settings + $krb5_use_fast_line = $krb5_use_fast ? { undef => [], default => ["krb5_use_fast = ${krb5_use_fast}"] } + + # Combine all lines in order + $config_lines = ( + $debug_level_line + + $debug_timestamps_line + + $debug_microseconds_line + + $krb5_server_line + + $krb5_realm_line + + $krb5_kpasswd_line + + $krb5_ccachedir_line + + $krb5_ccname_template_line + + $krb5_auth_timeout_line + + $krb5_validate_line + + $krb5_keytab_line + + $krb5_store_password_if_offline_line + + $krb5_renewable_lifetime_line + + $krb5_lifetime_line + + $krb5_renew_interval_line + + $krb5_use_fast_line + ) + + # Join all configuration lines + $content = $config_lines.join("\n") sssd::config::entry { "puppet_provider_${name}_krb5": content => epp( "${module_name}/generic.epp", { 'title' => "domain/${title}", - 'content' => $_final_content, + 'content' => "# sssd::provider::krb5\n${content}", }, ), } diff --git a/manifests/service/autofs.pp b/manifests/service/autofs.pp index 8bd5b66..34a55b3 100644 --- a/manifests/service/autofs.pp 
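Review bot: Replacing `if $krb5_server { … }` with `$krb5_server ? { undef => [], default => [...] }` changes what counts as "unset": only `undef` is skipped now, so any parameter whose type admits `false` or an empty string would start rendering a line such as `krb5_server = ` where the old truthiness check dropped it. Most of the parameter list is outside the hunk, so this is only a risk where a declaration is looser than `Optional[String[1]]`; worth a glance at the signatures above before merging. The same selector form is used in autofs.pp and ifp.pp below.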
+++ b/manifests/service/autofs.pp 
@@ -37,45 +37,35 @@ }, ) } else { - # Build configuration content for the AutoFS service - $_base_content = [ - '# sssd::service::autofs', - '[autofs]', - ] + # Build configuration lines in order (matching expected test output) + # Debug settings + $description_line = $description ? { undef => [], default => ["description = ${description}"] } + $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] } + $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"] + $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"] - # Add conditional parameters if defined - if $description { - $_description_entries = ["description = ${description}"] - } else { - $_description_entries = [] - } + # AutoFS-specific settings + $autofs_negative_timeout_line = $autofs_negative_timeout ? { undef => [], default => ["autofs_negative_timeout = ${autofs_negative_timeout}"] } - if $debug_level { - $_debug_level_entries = ["debug_level = ${debug_level}"] - } else { - $_debug_level_entries = [] - } - - $_debug_timestamps_entries = $debug_timestamps ? { - true => ['debug_timestamps = true'], - false => ['debug_timestamps = false'], - } - - $_debug_microseconds_entries = $debug_microseconds ? 
{ - true => ['debug_microseconds = true'], - false => ['debug_microseconds = false'], - } - - if $autofs_negative_timeout { - $_autofs_negative_timeout_entries = ["autofs_negative_timeout = ${autofs_negative_timeout}"] - } else { - $_autofs_negative_timeout_entries = [] - } + # Combine all lines in order + $config_lines = ( + $description_line + + $debug_level_line + + $debug_timestamps_line + + $debug_microseconds_line + + $autofs_negative_timeout_line + ) - # Combine all configuration entries in the expected order - $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_autofs_negative_timeout_entries + # Join all configuration lines + $content = $config_lines.join("\n") - $_content = "${_all_entries.join("\n")}\n" + $_content = epp( + "${module_name}/generic.epp", + { + 'title' => 'autofs', + 'content' => "# sssd::service::autofs\n${content}", + }, + ) } sssd::config::entry { 'puppet_service_autofs': diff --git a/manifests/service/ifp.pp b/manifests/service/ifp.pp index 6316d4c..8bbf7dc 100644 --- a/manifests/service/ifp.pp +++ b/manifests/service/ifp.pp 
@@ -42,57 +42,39 @@
 },
 )
 } else {
- # Build configuration content for the IFP service
- $_base_content = [
- '# sssd::service::ifp',
- '[ifp]',
- ]
+ # Build configuration lines in order (matching expected test output)
+ # Debug settings
+ $description_line = $description ? { undef => [], default => ["description = ${description}"] }
+ $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] }
+ $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"]
+ $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"]
 
- # Add conditional parameters if defined
- if $description {
- $_description_entries = ["description = ${description}"]
- } else {
- $_description_entries = []
- }
+ # IFP-specific settings
+ $allowed_uids_line = $allowed_uids ? { undef => [], default => ["allowed_uids = ${allowed_uids.join(', ')}"] }
+ $user_attributes_line = $user_attributes ? { undef => [], default => ["user_attributes = ${user_attributes.join(', ')}"] }
+ $wildcard_limit_line = $wildcard_limit ? { undef => [], default => ["wildcard_limit = ${wildcard_limit}"] }
 
- if $debug_level {
- $_debug_level_entries = ["debug_level = ${debug_level}"]
- } else {
- $_debug_level_entries = []
- }
-
- $_debug_timestamps_entries = $debug_timestamps ? {
- true => ['debug_timestamps = true'],
- false => ['debug_timestamps = false'],
- }
-
- $_debug_microseconds_entries = $debug_microseconds ? {
- true => ['debug_microseconds = true'],
- false => ['debug_microseconds = false'],
- }
-
- if $allowed_uids {
- $_allowed_uids_entries = ["allowed_uids = ${allowed_uids.join(', ')}"]
- } else {
- $_allowed_uids_entries = []
- }
-
- if $user_attributes {
- $_user_attributes_entries = ["user_attributes = ${user_attributes.join(', ')}"]
- } else {
- $_user_attributes_entries = []
- }
-
- if $wildcard_limit {
- $_wildcard_limit_entries = ["wildcard_limit = ${wildcard_limit}"]
- } else {
- $_wildcard_limit_entries = []
- }
+ # Combine all lines in order
+ $config_lines = (
+ $description_line +
+ $debug_level_line +
+ $debug_timestamps_line +
+ $debug_microseconds_line +
+ $allowed_uids_line +
+ $user_attributes_line +
+ $wildcard_limit_line
+ )
 
- # Combine all configuration entries in the expected order
- $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_allowed_uids_entries + $_user_attributes_entries + $_wildcard_limit_entries
+ # Join all configuration lines
+ $content = $config_lines.join("\n")
 
- $_content = "${_all_entries.join("\n")}\n"
+ $_content = epp(
+ "${module_name}/generic.epp",
+ {
+ 'title' => 'ifp',
+ 'content' => "# sssd::service::ifp\n${content}",
+ },
+ )
 }
 
 sssd::config::entry { 'puppet_service_ifp':
diff --git a/manifests/service/pac.pp b/manifests/service/pac.pp
index 59e9cf2..ed763a4 100644
--- a/manifests/service/pac.pp
+++ b/manifests/service/pac.pp
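Review bot: `$allowed_uids ? { undef => [], default => [...] }` still renders `allowed_uids = ` with an empty value when the parameter is an explicitly empty array, because `[]` is not `undef` (the `if $allowed_uids` it replaces had the same gap, since `[]` is truthy in Puppet), whereas the pac hunk guards the same key with `.empty`. A type case handles both in one selector: `$allowed_uids_line = $allowed_uids ? { Array[Any, 1] => ["allowed_uids = ${allowed_uids.join(', ')}"], default => [] }`, and `$user_attributes_line` can take the same shape. In sssd, `allowed_uids` under `[ifp]` is the access list for the InfoPipe responder, so an empty-valued key is better left unwritten than left to the daemon's interpretation. The enclosing class continues outside the hunk.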
@@ -36,45 +36,35 @@
 },
 )
 } else {
- # Build configuration content for the PAC service
- $_base_content = [
- '# sssd::service::pac',
- '[pac]',
- ]
+ # Build configuration lines in order (matching expected test output)
+ # Debug settings
+ $description_line = $description ? { undef => [], default => ["description = ${description}"] }
+ $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] }
+ $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"]
+ $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"]
 
- # Add conditional parameters if defined
- if $description {
- $_description_entries = ["description = ${description}"]
- } else {
- $_description_entries = []
- }
+ # PAC-specific settings
+ $allowed_uids_line = $allowed_uids.empty ? { true => [], false => ["allowed_uids = ${allowed_uids.join(',')}"] }
 
- if $debug_level {
- $_debug_level_entries = ["debug_level = ${debug_level}"]
- } else {
- $_debug_level_entries = []
- }
-
- $_debug_timestamps_entries = $debug_timestamps ? {
- true => ['debug_timestamps = true'],
- false => ['debug_timestamps = false'],
- }
-
- $_debug_microseconds_entries = $debug_microseconds ? {
- true => ['debug_microseconds = true'],
- false => ['debug_microseconds = false'],
- }
-
- if !$allowed_uids.empty {
- $_allowed_uids_entries = ["allowed_uids = ${allowed_uids.join(',')}"]
- } else {
- $_allowed_uids_entries = []
- }
+ # Combine all lines in order
+ $config_lines = (
+ $description_line +
+ $debug_level_line +
+ $debug_timestamps_line +
+ $debug_microseconds_line +
+ $allowed_uids_line
+ )
 
- # Combine all configuration entries in the expected order
- $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_allowed_uids_entries
+ # Join all configuration lines
+ $content = $config_lines.join("\n")
 
- $_content = "${_all_entries.join("\n")}\n"
+ $_content = epp(
+ "${module_name}/generic.epp",
+ {
+ 'title' => 'pac',
+ 'content' => "# sssd::service::pac\n${content}",
+ },
+ )
 }
 
 sssd::config::entry { 'puppet_service_pac':
diff --git a/manifests/service/pam.pp b/manifests/service/pam.pp
index ebf335d..ccd638e 100644
--- a/manifests/service/pam.pp
+++ b/manifests/service/pam.pp
@@ -61,82 +61,61 @@
 },
 )
 } else {
- # Build configuration content for the PAM service
- $_base_content = [
- '# sssd::service::pam',
- ]
-
- # Add conditional parameters if defined
- if $description {
- $_description_entries = ["description = ${description}"]
- } else {
- $_description_entries = []
- }
-
- if $debug_level {
- $_debug_level_entries = ["debug_level = ${debug_level}"]
- } else {
- $_debug_level_entries = []
- }
-
- $_debug_timestamps_entries = $debug_timestamps ? {
- true => ['debug_timestamps = true'],
- false => ['debug_timestamps = false'],
- }
-
- $_debug_microseconds_entries = $debug_microseconds ? {
- true => ['debug_microseconds = true'],
- false => ['debug_microseconds = false'],
- }
-
- $_reconnection_retries_entries = ["reconnection_retries = ${reconnection_retries}"]
-
- if $command {
- $_command_entries = ["command = ${command}"]
- } else {
- $_command_entries = []
- }
-
- $_offline_credentials_expiration_entries = ["offline_credentials_expiration = ${offline_credentials_expiration}"]
- $_offline_failed_login_attempts_entries = ["offline_failed_login_attempts = ${offline_failed_login_attempts}"]
- $_offline_failed_login_delay_entries = ["offline_failed_login_delay = ${offline_failed_login_delay}"]
- $_pam_verbosity_entries = ["pam_verbosity = ${pam_verbosity}"]
- $_pam_id_timeout_entries = ["pam_id_timeout = ${pam_id_timeout}"]
- $_pam_pwd_expiration_warning_entries = ["pam_pwd_expiration_warning = ${pam_pwd_expiration_warning}"]
-
- if $get_domains_timeout {
- $_get_domains_timeout_entries = ["get_domains_timeout = ${get_domains_timeout}"]
- } else {
- $_get_domains_timeout_entries = []
- }
-
- if $pam_trusted_users {
- $_pam_trusted_users_entries = ["pam_trusted_users = ${pam_trusted_users}"]
- } else {
- $_pam_trusted_users_entries = []
- }
-
- if $pam_public_domains {
- $_pam_public_domains_entries = ["pam_public_domains = ${pam_public_domains}"]
- } else {
- $_pam_public_domains_entries = []
- }
-
- $_pam_cert_auth_entries = $pam_cert_auth ? {
- true => ['pam_cert_auth = True'],
- false => [],
- }
-
- # Combine all configuration entries in the expected order
- $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_reconnection_retries_entries + $_command_entries + $_offline_credentials_expiration_entries + $_offline_failed_login_attempts_entries + $_offline_failed_login_delay_entries + $_pam_verbosity_entries + $_pam_id_timeout_entries + $_pam_pwd_expiration_warning_entries + $_get_domains_timeout_entries + $_pam_trusted_users_entries + $_pam_public_domains_entries + $_pam_cert_auth_entries
+ # Build configuration lines in order (matching expected test output)
+ # Debug settings
+ $description_line = $description ? { undef => [], default => ["description = ${description}"] }
+ $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] }
+ $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"]
+ $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"]
+
+ # Connection settings
+ $reconnection_retries_line = ["reconnection_retries = ${reconnection_retries}"]
+ $command_line = $command ? { undef => [], default => ["command = ${command}"] }
+
+ # Offline settings
+ $offline_credentials_expiration_line = ["offline_credentials_expiration = ${offline_credentials_expiration}"]
+ $offline_failed_login_attempts_line = ["offline_failed_login_attempts = ${offline_failed_login_attempts}"]
+ $offline_failed_login_delay_line = ["offline_failed_login_delay = ${offline_failed_login_delay}"]
+
+ # PAM-specific settings
+ $pam_verbosity_line = ["pam_verbosity = ${pam_verbosity}"]
+ $pam_id_timeout_line = ["pam_id_timeout = ${pam_id_timeout}"]
+ $pam_pwd_expiration_warning_line = ["pam_pwd_expiration_warning = ${pam_pwd_expiration_warning}"]
+ $pam_cert_auth_line = $pam_cert_auth ? { true => ['pam_cert_auth = True'], false => [] }
+
+ # Optional settings
+ $get_domains_timeout_line = $get_domains_timeout ? { undef => [], default => ["get_domains_timeout = ${get_domains_timeout}"] }
+ $pam_trusted_users_line = $pam_trusted_users ? { undef => [], default => ["pam_trusted_users = ${pam_trusted_users}"] }
+ $pam_public_domains_line = $pam_public_domains ? { undef => [], default => ["pam_public_domains = ${pam_public_domains}"] }
+
+ # Combine all lines in order
+ $config_lines = (
+ $description_line +
+ $debug_level_line +
+ $debug_timestamps_line +
+ $debug_microseconds_line +
+ $reconnection_retries_line +
+ $command_line +
+ $offline_credentials_expiration_line +
+ $offline_failed_login_attempts_line +
+ $offline_failed_login_delay_line +
+ $pam_verbosity_line +
+ $pam_id_timeout_line +
+ $pam_pwd_expiration_warning_line +
+ $get_domains_timeout_line +
+ $pam_trusted_users_line +
+ $pam_public_domains_line +
+ $pam_cert_auth_line
+ )
 
- $_final_content = "${_all_entries.join("\n")}"
+ # Join all configuration lines
+ $content = $config_lines.join("\n")
 
 $_content = epp(
 "${module_name}/generic.epp",
 {
 'title' => 'pam',
- 'content' => $_final_content,
+ 'content' => "# sssd::service::pam\n${content}",
 },
 )
 }
diff --git a/manifests/service/ssh.pp b/manifests/service/ssh.pp
index 8ba41ee..568073b 100644
--- a/manifests/service/ssh.pp
+++ b/manifests/service/ssh.pp
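Review bot: `$pam_cert_auth_line` is assigned under `# PAM-specific settings` but placed last in `$config_lines`, after the three `# Optional settings` entries, so the declaration groups and the emission order no longer agree and `(matching expected test output)` is the only hint why. Moving that one assignment to the end of the `# Optional settings` group restores the correspondence without changing the rendered text. The kept literal `pam_cert_auth = True` is the only boolean written with a capital letter; every other flag now comes from interpolation as `true`/`false`, and if sssd accepts either spelling, `true` would read consistently. The enclosing class continues outside the hunk.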
@@ -39,50 +39,37 @@
 },
 )
 } else {
- # Build configuration content for the SSH service
- $_base_content = [
- '# sssd::service::ssh',
- '[ssh]',
- ]
+ # Build configuration lines in order (matching expected test output)
+ # Debug settings
+ $description_line = $description ? { undef => [], default => ["description = ${description}"] }
+ $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] }
+ $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"]
+ $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"]
 
- # Add conditional parameters if defined
- if $description {
- $_description_entries = ["description = ${description}"]
- } else {
- $_description_entries = []
- }
+ # SSH-specific settings
+ $ssh_hash_known_hosts_line = ["ssh_hash_known_hosts = ${ssh_hash_known_hosts}"]
+ $ssh_known_hosts_timeout_line = $ssh_known_hosts_timeout ? { undef => [], default => ["ssh_known_hosts_timeout = ${ssh_known_hosts_timeout}"] }
 
- if $debug_level {
- $_debug_level_entries = ["debug_level = ${debug_level}"]
- } else {
- $_debug_level_entries = []
- }
-
- $_debug_timestamps_entries = $debug_timestamps ? {
- true => ['debug_timestamps = true'],
- false => ['debug_timestamps = false'],
- }
-
- $_debug_microseconds_entries = $debug_microseconds ? {
- true => ['debug_microseconds = true'],
- false => ['debug_microseconds = false'],
- }
-
- $_ssh_hash_known_hosts_entries = $ssh_hash_known_hosts ? {
- true => ['ssh_hash_known_hosts = true'],
- false => ['ssh_hash_known_hosts = false'],
- }
-
- if $ssh_known_hosts_timeout {
- $_ssh_known_hosts_timeout_entries = ["ssh_known_hosts_timeout = ${ssh_known_hosts_timeout}"]
- } else {
- $_ssh_known_hosts_timeout_entries = []
- }
+ # Combine all lines in order
+ $config_lines = (
+ $description_line +
+ $debug_level_line +
+ $debug_timestamps_line +
+ $debug_microseconds_line +
+ $ssh_hash_known_hosts_line +
+ $ssh_known_hosts_timeout_line
+ )
 
- # Combine all configuration entries in the expected order
- $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_ssh_hash_known_hosts_entries + $_ssh_known_hosts_timeout_entries
+ # Join all configuration lines
+ $content = $config_lines.join("\n")
 
- $_content = "${_all_entries.join("\n")}\n"
+ $_content = epp(
+ "${module_name}/generic.epp",
+ {
+ 'title' => 'ssh',
+ 'content' => "# sssd::service::ssh\n${content}",
+ },
+ )
 }
 
 sssd::config::entry { 'puppet_service_ssh':
diff --git a/manifests/service/sudo.pp b/manifests/service/sudo.pp
index cfa8359..2d153da 100644
--- a/manifests/service/sudo.pp
+++ b/manifests/service/sudo.pp
@@ -40,44 +40,37 @@
 },
 )
 } else {
- # Build configuration content for the SUDO service
- $_base_content = [
- '# sssd::service::sudo',
- '[sudo]',
- ]
+ # Build configuration lines in order (matching expected test output)
+ # Debug settings
+ $description_line = $description ? { undef => [], default => ["description = ${description}"] }
+ $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] }
+ $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"]
+ $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"]
 
- # Add conditional parameters if defined
- if $description {
- $_description_entries = ["description = ${description}"]
- } else {
- $_description_entries = []
- }
+ # Sudo-specific settings
+ $sudo_threshold_line = ["sudo_threshold = ${sudo_threshold}"]
+ $sudo_timed_line = ["sudo_timed = ${sudo_timed}"]
 
- if $debug_level {
- $_debug_level_entries = ["debug_level = ${debug_level}"]
- } else {
- $_debug_level_entries = []
- }
-
- $_debug_timestamps_entries = $debug_timestamps ? {
- true => ['debug_timestamps = true'],
- false => ['debug_timestamps = false'],
- }
-
- $_debug_microseconds_entries = $debug_microseconds ? {
- true => ['debug_microseconds = true'],
- false => ['debug_microseconds = false'],
- }
-
- $_sudo_timed_entries = $sudo_timed ? {
- true => ['sudo_timed = true'],
- false => ['sudo_timed = false'],
- }
+ # Combine all lines in order
+ $config_lines = (
+ $description_line +
+ $debug_level_line +
+ $debug_timestamps_line +
+ $debug_microseconds_line +
+ $sudo_threshold_line +
+ $sudo_timed_line
+ )
 
- # Combine all configuration entries in the expected order
- $_all_entries = $_base_content + $_description_entries + $_debug_level_entries + $_debug_timestamps_entries + $_debug_microseconds_entries + $_sudo_timed_entries
+ # Join all configuration lines
+ $content = $config_lines.join("\n")
 
- $_content = "${_all_entries.join("\n")}\n"
+ $_content = epp(
+ "${module_name}/generic.epp",
+ {
+ 'title' => 'sudo',
+ 'content' => "# sssd::service::sudo\n${content}",
+ },
+ )
 }
 
 sssd::config::entry { 'puppet_service_sudo':
diff --git a/spec/classes/service/ifp_spec.rb b/spec/classes/service/ifp_spec.rb
index 974a935..8b2c41f 100644
--- a/spec/classes/service/ifp_spec.rb
+++ b/spec/classes/service/ifp_spec.rb
@@ -8,8 +8,8 @@
 
 context 'with default params' do
 expected = <<~EXPECTED
- # sssd::service::ifp
 [ifp]
+ # sssd::service::ifp
 debug_timestamps = true
 debug_microseconds = false
 EXPECTED
@@ -29,8 +29,8 @@
 end
 
 expected = <<~EXPECTED
- # sssd::service::ifp
 [ifp]
+ # sssd::service::ifp
 debug_timestamps = true
 debug_microseconds = false
 allowed_uids = me, you
From d6f30ec3d9a0135c0527eddc19ba650b762c27df Mon Sep 17 00:00:00 2001
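Review bot: The new `$config_lines` in the sudo hunk includes `$sudo_threshold_line`, but the removed `$_all_entries` never contained a `sudo_threshold` entry, so this branch now emits `sudo_threshold = ${sudo_threshold}` where it previously emitted nothing; that may well be the intended alignment with the template branch, but the commit does not say so and no sudo spec change is visible here. A one-line comment above the assignment, `# sudo_threshold was absent from the hand-built output before; now always emitted`, or a spec expectation pinning the line, would make the change deliberate rather than incidental. The enclosing class continues outside the hunk.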
From: Steven Pritchard
Date: Thu, 25 Sep 2025 14:09:20 -0500
Subject: [PATCH 25/25] Refactor to be more consistent
---
 manifests/config.pp | 10 ++++++++--
 manifests/domain.pp | 11 +++++++----
 manifests/provider/ad.pp | 11 +++++++----
 manifests/provider/files.pp | 2 +-
 manifests/provider/ipa.pp | 11 +++++++----
 manifests/provider/krb5.pp | 4 ++--
 manifests/provider/ldap.pp | 4 ++--
 manifests/service/autofs.pp | 4 ++--
 manifests/service/ifp.pp | 4 ++--
 manifests/service/nss.pp | 4 ++--
 manifests/service/pac.pp | 4 ++--
 manifests/service/pam.pp | 4 ++--
 manifests/service/ssh.pp | 4 ++--
 manifests/service/sudo.pp | 4 ++--
 spec/classes/config_spec.rb | 6 +++---
 15 files changed, 51 insertions(+), 36 deletions(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index b852bc6..190bd72 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -126,13 +126,19 @@
 )
 
 # Join all configuration lines
- $content = "# sssd::config\n[sssd]\n${$config_lines.join("\n")}\n"
+ $content = (['# sssd::config'] + $config_lines).join("\n")
 
 file { '/etc/sssd/sssd.conf':
 owner => 'root',
 group => 'root',
 mode => '0600',
- content => $content,
+ content => epp(
+ "${module_name}/generic.epp",
+ {
+ 'title' => 'sssd',
+ 'content' => $content,
+ },
+ ),
 notify => Class["${module_name}::service"],
 }
 }
diff --git a/manifests/domain.pp b/manifests/domain.pp
index ad7350b..33dd92f 100644
--- a/manifests/domain.pp
+++ b/manifests/domain.pp
@@ -246,12 +246,15 @@
 )
 
 # Join all configuration lines
- $content = $config_lines.join("\n")
+ $content = (["# sssd::domain ${name}"] + $config_lines).join("\n")
 
 sssd::config::entry { "puppet_domain_${name}":
- content => epp("${module_name}/generic", {
+ content => epp(
+ "${module_name}/generic",
+ {
 'title' => "domain/${name}",
- 'content' => "# sssd::domain ${name}\n${content}",
- }),
+ 'content' => $content,
+ },
+ ),
 }
 }
diff --git a/manifests/provider/ad.pp b/manifests/provider/ad.pp
index 7c6d552..1b3a9e9 100644
--- a/manifests/provider/ad.pp
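Review bot: The domain.pp hunk keeps the template name `"${module_name}/generic"` while the config.pp hunk in this span and every other `epp()` call in the commit use `"${module_name}/generic.epp"`; unless the module also ships a template named `generic` without the extension, the two names do not resolve to the same file, and for a commit whose purpose is consistency the `.epp` form belongs here too: `"${module_name}/generic.epp",`. The extension-less name was already there before this change, so it is pre-existing rather than introduced, but it is the one call site the refactor leaves different. The enclosing definition continues outside the hunk.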
+++ b/manifests/provider/ad.pp
@@ -370,12 +370,15 @@
 }
 
 # Join all configuration lines
- $content = $config_lines.join("\n")
+ $content = (['# sssd::provider::ad'] + $config_lines).join("\n")
 
 sssd::config::entry { "puppet_provider_${name}_ad":
- content => epp("${module_name}/generic.epp", {
+ content => epp(
+ "${module_name}/generic.epp",
+ {
 'title' => "domain/${title}",
- 'content' => "# sssd::provider::ad\n${content}",
- }),
+ 'content' => $content,
+ },
+ ),
 }
 }
diff --git a/manifests/provider/files.pp b/manifests/provider/files.pp
index 2400794..e93c6f8 100644
--- a/manifests/provider/files.pp
+++ b/manifests/provider/files.pp
@@ -32,7 +32,7 @@
 )
 
 # Join all configuration lines
- $content = "${(['# sssd::provider::files'] + $config_lines).join("\n")}"
+ $content = (['# sssd::provider::files'] + $config_lines).join("\n")
 
 sssd::config::entry { "puppet_provider_${name}_files":
 content => epp(
diff --git a/manifests/provider/ipa.pp b/manifests/provider/ipa.pp
index 8b8e053..eeec5aa 100644
--- a/manifests/provider/ipa.pp
+++ b/manifests/provider/ipa.pp
@@ -156,12 +156,15 @@
 )
 
 # Join all configuration lines
- $_final_content = $config_lines.join("\n")
+ $content = (['# sssd::provider::ipa'] + $config_lines).join("\n")
 
 sssd::config::entry { "puppet_provider_${name}_ipa":
- content => epp("${module_name}/generic.epp", {
+ content => epp(
+ "${module_name}/generic.epp",
+ {
 'title' => "domain/${title}",
- 'content' => "# sssd::provider::ipa\n${_final_content}",
- }),
+ 'content' => $content,
+ },
+ ),
 }
 }
diff --git a/manifests/provider/krb5.pp b/manifests/provider/krb5.pp
index 990ba83..dff9494 100644
--- a/manifests/provider/krb5.pp
+++ b/manifests/provider/krb5.pp
@@ -95,14 +95,14 @@
 )
 
 # Join all configuration lines
- $content = $config_lines.join("\n")
+ $content = (['# sssd::provider::krb5'] + $config_lines).join("\n")
 
 sssd::config::entry { "puppet_provider_${name}_krb5":
 content => epp(
 "${module_name}/generic.epp",
 {
 'title' => "domain/${title}",
- 'content' => "# sssd::provider::krb5\n${content}",
+ 'content' => $content,
 },
 ),
 }
diff --git a/manifests/provider/ldap.pp b/manifests/provider/ldap.pp
index 3718846..ca5ed97 100644
--- a/manifests/provider/ldap.pp
+++ b/manifests/provider/ldap.pp
@@ -709,14 +709,14 @@
 # Combine all configuration lines and sort them
 $all_config_lines = ($simple_config_lines + $account_expire_line + $array_config_lines).sort
- $content = "${all_config_lines.join("\n")}"
+ $content = (['# sssd::provider::ldap'] + $all_config_lines).join("\n")
 
 sssd::config::entry { "puppet_provider_${title}_ldap":
 content => epp(
 "${module_name}/generic.epp",
 {
 'title' => "domain/${title}",
- 'content' => "# sssd::provider::ldap\n${content}",
+ 'content' => $content,
 },
 ),
 }
diff --git a/manifests/service/autofs.pp b/manifests/service/autofs.pp
index 34a55b3..49c9862 100644
--- a/manifests/service/autofs.pp
+++ b/manifests/service/autofs.pp
@@ -57,13 +57,13 @@
 )
 
 # Join all configuration lines
- $content = $config_lines.join("\n")
+ $content = (['# sssd::service::autofs'] + $config_lines).join("\n")
 
 $_content = epp(
 "${module_name}/generic.epp",
 {
 'title' => 'autofs',
- 'content' => "# sssd::service::autofs\n${content}",
+ 'content' => $content,
 },
 )
 }
diff --git a/manifests/service/ifp.pp b/manifests/service/ifp.pp
index 8bbf7dc..fe25232 100644
--- a/manifests/service/ifp.pp
+++ b/manifests/service/ifp.pp
@@ -66,13 +66,13 @@
 )
 
 # Join all configuration lines
- $content = $config_lines.join("\n")
+ $content = (['# sssd::service::ifp'] + $config_lines).join("\n")
 
 $_content = epp(
 "${module_name}/generic.epp",
 {
 'title' => 'ifp',
- 'content' => "# sssd::service::ifp\n${content}",
+ 'content' => $content,
 },
 )
 }
diff --git a/manifests/service/nss.pp b/manifests/service/nss.pp
index c66cbca..110091b 100644
--- a/manifests/service/nss.pp
+++ b/manifests/service/nss.pp
@@ -133,13 +133,13 @@
 )
 
 # Join all configuration lines
- $content = $config_lines.join("\n")
+ $content = (['# sssd::service::nss'] + $config_lines).join("\n")
 
 $_content = epp(
 "${module_name}/generic.epp",
 {
 'title' => 'nss',
- 'content' => "# sssd::service::nss\n${content}",
+ 'content' => $content,
 },
 )
 }
diff --git a/manifests/service/pac.pp b/manifests/service/pac.pp
index ed763a4..3f1cb50 100644
--- a/manifests/service/pac.pp
+++ b/manifests/service/pac.pp
@@ -56,13 +56,13 @@
 )
 
 # Join all configuration lines
- $content = $config_lines.join("\n")
+ $content = (['# sssd::service::pac'] + $config_lines).join("\n")
 
 $_content = epp(
 "${module_name}/generic.epp",
 {
 'title' => 'pac',
- 'content' => "# sssd::service::pac\n${content}",
+ 'content' => $content,
 },
 )
 }
diff --git a/manifests/service/pam.pp b/manifests/service/pam.pp
index ccd638e..08df0a9 100644
--- a/manifests/service/pam.pp
+++ b/manifests/service/pam.pp
@@ -109,13 +109,13 @@
 )
 
 # Join all configuration lines
- $content = $config_lines.join("\n")
+ $content = (['# sssd::service::pam'] + $config_lines).join("\n")
 
 $_content = epp(
 "${module_name}/generic.epp",
 {
 'title' => 'pam',
- 'content' => "# sssd::service::pam\n${content}",
+ 'content' => $content,
 },
 )
 }
diff --git a/manifests/service/ssh.pp b/manifests/service/ssh.pp
index 568073b..b32ae29 100644
--- a/manifests/service/ssh.pp
+++ b/manifests/service/ssh.pp
@@ -61,13 +61,13 @@
 )
 
 # Join all configuration lines
- $content = $config_lines.join("\n")
+ $content = (['# sssd::service::ssh'] + $config_lines).join("\n")
 
 $_content = epp(
 "${module_name}/generic.epp",
 {
 'title' => 'ssh',
- 'content' => "# sssd::service::ssh\n${content}",
+ 'content' => $content,
 },
 )
 }
diff --git a/manifests/service/sudo.pp b/manifests/service/sudo.pp
index 2d153da..5e1d6f6 100644
--- a/manifests/service/sudo.pp
+++ b/manifests/service/sudo.pp
@@ -62,13 +62,13 @@
 )
 
 # Join all configuration lines
- $content = $config_lines.join("\n")
+ $content = (['# sssd::service::sudo'] + $config_lines).join("\n")
 
 $_content = epp(
 "${module_name}/generic.epp",
 {
 'title' => 'sudo',
- 'content' => "# sssd::service::sudo\n${content}",
+ 'content' => $content,
 },
 )
 }
diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb
index 19782c5..f1ca511 100644
--- a/spec/classes/config_spec.rb
+++ b/spec/classes/config_spec.rb
@@ -1,8 +1,8 @@
 require 'spec_helper'
 
 default_content = <<~EOM
- # sssd::config
 [sssd]
+ # sssd::config
 services = nss,pam,ssh
 config_file_version = 2
 reconnection_retries = 3
@@ -12,8 +12,8 @@
 EOM
 
 default_content_with_domains = <<~EOM
- # sssd::config
 [sssd]
+ # sssd::config
 services = nss,pam,ssh
 domains = FILE, LDAP
 config_file_version = 2
@@ -25,8 +25,8 @@
 default_content_with_ipa_domain = default_content_with_domains.gsub('FILE, LDAP', 'FILE, LDAP, ipa.example.com')
 
 default_content_plus_optional = <<~EOM
- # sssd::config
 [sssd]
+ # sssd::config
 services = nss,pam,ssh
 description = sssd section description
 domains = FILE, LDAP