REFERENCE.md

File metadata and controls

749 lines (431 loc) · 22.4 KB

Reference

Table of Contents

Classes

Public Classes

Private Classes

  • easy_ipa::validate_params: Validates input configs from init.pp.

Defined types

Plans

Classes

easy_ipa

  • TODO: Allow creation of root zone for isolated networks -- https://www.freeipa.org/page/Howto/DNS_in_isolated_networks
  • TODO: Class comments.
  • TODO: Dependencies and metadata updates.
  • TODO: Variable scope and passing.
  • TODO: Configurable admin username.

Parameters

The following parameters are available in the easy_ipa class:

manage

Data type: Boolean

(boolean) Manage easy_ipa with Puppet. Defaults to true. Setting this to false is useful when a handful of hosts have unsupported operating systems and you'd rather exclude them from FreeIPA instead of including the others individually. Use this with a separate Hiera level (e.g. $::lsbdistcodename) for maximum convenience.

Default value: true

domain

Data type: Stdlib::Fqdn

(string) The name of the IPA domain to create or join.

ipa_role

Data type: Enum['client', 'master', 'replica']

(string) What role the node will be. Options are 'master', 'replica', and 'client'.

admin_password

Data type: Optional[String[8]]

(string) Password which will be assigned to the IPA account named 'admin'.

Default value: undef

directory_services_password

Data type: Optional[String[8]]

(string) Password which will be passed into the ipa setup's parameter named "--ds-password".

Default value: undef

allow_zone_overlap

Data type: Boolean

(boolean) If set to true, allow creation of a (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it results in later problems with the domain name. You may have to use this, though, when migrating existing DNS domains to FreeIPA.

Default value: false

no_dnssec_validation

Data type: Boolean

(boolean) If set to true, DNSSEC validation is disabled.

Default value: false

client_install_ldaputils

Data type: Boolean

(boolean) If true, then the ldaputils packages are installed if ipa_role is set to client.

Default value: false

configure_dns_server

Data type: Boolean

(boolean) If true, then the parameter '--setup-dns' is passed to the IPA server installer. Also, triggers the install of the required dns server packages.

Default value: true

configure_replica_ca

Data type: Boolean

(boolean) If true, then the parameter '--setup-ca' is passed to the IPA replica installer.

Default value: false

configure_ntp

Data type: Boolean

(boolean) If false, then the parameter '--no-ntp' is passed to the IPA client and server installers.

Default value: true

configure_ssh

Data type: Boolean

(boolean) If false, then the parameter '--no-ssh' is passed to the IPA client and server installers.

Default value: true

configure_sshd

Data type: Boolean

(boolean) If false, then the parameter '--no-sshd' is passed to the IPA client and server installers.

Default value: true

custom_dns_forwarders

Data type: Array[String]

(array[string]) Each element in this array is prefixed with '--forwarder ' and passed to the IPA server installer.

Default value: []

domain_join_principal

Data type: String[1]

(string) The principal (usually username) used to join a client or replica to the IPA domain.

Default value: 'admin'

domain_join_password

Data type: Optional[String[1]]

(string) The password for the domain_join_principal.

Default value: undef

enable_dns_updates

Data type: Boolean

(boolean) If true, then the parameter '--enable-dns-updates' is passed to the IPA installer.

Default value: false

enable_hostname

Data type: Boolean

(boolean) If true, then the parameter '--hostname' is populated with the parameter 'ipa_server_fqdn' and passed to the IPA installer.

Default value: true

enable_ip_address

Data type: Boolean

(boolean) If true, then the parameter '--ip-address' is populated with the parameter 'ip_address' and passed to the IPA installer.

Default value: false

fixed_primary

Data type: Boolean

(boolean) If true, then the parameter '--fixed-primary' is passed to the IPA installer.

Default value: false

idstart

Data type: Integer[10000]

(integer) From the IPA man pages: "The starting user and group id number".

Default value: (fqdn_rand('10737') + 10000)

gssapi_no_negotiate

Data type: Variant[Pattern,Undef]

(pattern) Suppress setting Negotiate headers based on BrowserMatch. Not sending these headers is useful to work around browsers that do not handle them properly (and incorrectly show authentication popups to users). Example: "Windows". Default undef.

Default value: undef

idmax

Data type: Variant[Integer,Undef]

(integer) From the IPA man pages: "The max value for the IDs range (default: idstart+199999)".

Default value: undef

install_autofs

Data type: Boolean

(boolean) If true, then the autofs packages are installed.

Default value: false

install_epel

Data type: Boolean

(boolean) If true, then the epel repo is installed. The epel repo is usually required for sssd packages.

Default value: true

install_kstart

Data type: Boolean

(boolean) If true, then the kstart packages are installed.

Default value: true

install_sssdtools

Data type: Boolean

(boolean) If true, then the sssdtools packages are installed.

Default value: true

install_ipa_client

Data type: Boolean

(boolean) If true, then the IPA client packages are installed if the parameter 'ipa_role' is set to 'client'.

Default value: true

install_ipa_server

Data type: Boolean

(boolean) If true, then the IPA server packages are installed if the parameter 'ipa_role' is not set to 'client'.

Default value: true

install_sssd

Data type: Boolean

(boolean) If true, then the sssd packages are installed.

Default value: true

ip_address

Data type: Optional[Stdlib::IP::Address]

(string) IP address to pass to the IPA installer.

Default value: undef

ipa_server_fqdn

Data type: String

(string) Actual fqdn of the IPA server or client.

Default value: $facts['networking']['fqdn']

ipa_master_fqdn

Data type: Optional[Stdlib::Fqdn]

(string) FQDN of the server to use for a client or replica domain join.

Default value: undef

manage_host_entry

Data type: Boolean

(boolean) If true, then a host entry is created using the parameters 'ipa_server_fqdn' and 'ip_address'.

Default value: false

mkhomedir

Data type: Boolean

(boolean) If true, then the parameter '--mkhomedir' is passed to the IPA server and client installers.

Default value: true

no_ui_redirect

Data type: Boolean

(boolean) If true, then the parameter '--no-ui-redirect' is passed to the IPA server installer.

Default value: false

realm

Data type: Optional[Stdlib::Fqdn]

(string) The name of the IPA realm to create or join.

Default value: undef

server_install_ldaputils

Data type: Boolean

(boolean) If true, then the ldaputils packages are installed if ipa_role is not set to client.

Default value: true

webui_disable_kerberos

Data type: Boolean

Disable webui kerberos.

Default value: false

webui_enable_proxy

Data type: Boolean

(boolean) If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows for the Web UI to be accessed from different ports and hostnames than the default.

Default value: false

webui_force_https

Data type: Boolean

(boolean) If true, then /etc/httpd/conf.d/ipa-rewrite.conf is modified to force all connections to https. This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard ports.

Default value: false

webui_proxy_external_fqdn

Data type: String

(string) The public or external FQDN used to access the IPA Web UI behind the reverse proxy.

Default value: 'localhost'

webui_proxy_https_port

Data type: String

(integer) The HTTPS port to use for the reverse proxy. Cannot be 443.

Default value: '8440'

adjust_login_defs

Data type: Boolean

(boolean) Adjust UID_MAX and GID_MAX in login.defs. Without this newer server installers fail. Default false.

Default value: false
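An added example of declaring the easy_ipa class by role from a wrapper profile; this is not code from the easy_ipa module. The domain, hostnames, forwarder addresses and the Hiera keys read with lookup() are assumed values, and the secrets are assumed to come from an encrypted Hiera backend rather than the manifest.

```puppet
# Added example, not part of the easy_ipa module. Assumes an encrypted Hiera
# backend (e.g. hiera-eyaml) holds the three password keys used below.
class profile::ipa (
  Enum['client', 'master'] $role = 'client',
) {
  case $role {
    'master': {
      class { 'easy_ipa':
        ipa_role                    => 'master',
        domain                      => 'ipa.example.com',
        realm                       => 'IPA.EXAMPLE.COM',
        ipa_server_fqdn             => $facts['networking']['fqdn'],
        admin_password              => lookup('profile::ipa::admin_password'),
        directory_services_password => lookup('profile::ipa::ds_password'),
        # Run the integrated DNS server and hand off external names to
        # explicit forwarders instead of whatever resolv.conf contains.
        configure_dns_server        => true,
        custom_dns_forwarders       => ['192.0.2.53', '198.51.100.53'],
        # Keep DNSSEC validation enabled and refuse to create a zone that
        # already resolves; both knobs are only loosened for migrations.
        no_dnssec_validation        => false,
        allow_zone_overlap          => false,
        # Register the fixed server address with the installer.
        enable_ip_address           => true,
        ip_address                  => '192.0.2.10',
        # Newer server installers fail without the login.defs adjustment.
        adjust_login_defs           => true,
      }
    }
    default: {
      class { 'easy_ipa':
        ipa_role              => 'client',
        domain                => 'ipa.example.com',
        ipa_master_fqdn       => 'ipa1.ipa.example.com',
        domain_join_principal => 'admin',
        domain_join_password  => lookup('profile::ipa::join_password'),
        mkhomedir             => true,
        install_sssdtools     => true,
      }
    }
  }
}
```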

easy_ipa::config::admin_user

Manage admin user

easy_ipa::config::webui

Configures port and redirect overrides for the IPA server web UI.

easy_ipa::install

Manage easy_ipa install

easy_ipa::install::autofs

Manage autofs

easy_ipa::install::client

Manage ipa client

easy_ipa::install::client::debian

This code is needed as the --mkhomedir parameter passed to ipa-client-install does not configure PAM even though it does install the required packages.

Currently Ubuntu 14.04/16.04 and Debian 8/9 are supported.

easy_ipa::install::client::manual

"Manual" configuration of hosts which don't have the freeipa-client package.

easy_ipa::install::server

Manage IPA server install

easy_ipa::install::server::master

Manage primary server

easy_ipa::install::server::replica

Manage replica install

easy_ipa::install::sssd

Manage sssd install

easy_ipa::monit::server

Monitor FreeIPA server processes using monit

This class depends on the puppetfinland-monit module.

Parameters

The following parameters are available in the easy_ipa::monit::server class:

email

Data type: String

Email address to send notifications to. Defaults to top-scope variable $::servermonitor.

Default value: $facts['servermonitor']

easy_ipa::named

fragments.

This is only supposed to work on RHEL/CentOS.

easy_ipa::packetfilter::server

Install packet filtering rules for FreeIPA.

Parameters

The following parameters are available in the easy_ipa::packetfilter::server class:

allow_address_ipv4

Data type: Variant[Stdlib::IP::Address::V4,Array[Stdlib::IP::Address::V4]]

IPv4 address to allow access from.

Default value: '127.0.0.1'

allow_address_ipv6

Data type: Variant[Stdlib::IP::Address::V6,Array[Stdlib::IP::Address::V6]]

IPv6 address to allow access from.

Default value: '::1'

easy_ipa::params

Traditionally this file would be used to abstract away operating system differences. Right now the main purpose is to prevent easy_ipa classes from causing havoc (e.g. partial configurations) on unsupported operating systems by failing early rather than later.

Defined types

easy_ipa::backup

Backup FreeIPA from cron

Parameters

The following parameters are available in the easy_ipa::backup defined type:

title

The resource title is used as part of the name for the cronjob.

type

Data type: Enum['full','data']

Backup type. Either 'full' (offline) or 'data' (online).

timestamp

Data type: Boolean

Keep the default timestamp in the backup directory. Valid values are true (default) and false. Set this to false if you have an external system (e.g. bacula) that fetches the backups periodically and handles versioning on its own.

Default value: true

monthday

Data type: Variant[Array[String], Array[Integer[1-31]], String, Integer[1-31]]

Standard parameter for the cron resource.

Default value: '*'

weekday

Data type: Variant[Array[String], Array[Integer[0-7]], String, Integer[0-7]]

Standard parameter for the cron resource.

Default value: '*'

hour

Data type: Variant[Array[String], Array[Integer[0-23]], String, Integer[0-23]]

Standard parameter for the cron resource.

minute

Data type: Variant[Array[String], Array[Integer[0-59]], String, Integer[0-59]]

Standard parameter for the cron resource.

email

Data type: String

Email to send cron notifications to. Defaults to $::servermonitor.

Default value: $facts['servermonitor']
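An added example of scheduling both backup types with the easy_ipa::backup defined type; this is not code from the easy_ipa module. The schedule and the notification address are assumed values.

```puppet
# Added example, not part of the easy_ipa module.
#
# Nightly online backup: 'data' dumps the directory contents without
# stopping the IPA services, so it is safe to run every night.
easy_ipa::backup { 'ipa-data-nightly':
  type   => 'data',
  hour   => 2,
  minute => 30,
  email  => 'ops@example.com',
}

# Weekly offline backup: 'full' takes the IPA services down for the run,
# so keep it to a maintenance window rather than the nightly cadence.
easy_ipa::backup { 'ipa-full-weekly':
  type      => 'full',
  weekday   => 0,
  hour      => 3,
  minute    => 0,
  # An external backup system fetches and versions the files itself,
  # so the timestamped directory name is not needed.
  timestamp => false,
  email     => 'ops@example.com',
}
```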

easy_ipa::config::named

Add custom named.conf fragment.

Parameters

The following parameters are available in the easy_ipa::config::named defined type:

basename

Data type: String

(string) Basename of the configuration fragment, without the ".conf" at the end. Defaults to $title.

Default value: $title

content

Data type: String

(string) The value to pass to the File resource's "content" parameter. For example template('profile/templates/tsig-key.erb').

notify_named

Data type: Boolean

(boolean) Whether to restart named-pkcs11 on config changes. Defaults to false.

Default value: false

easy_ipa::helpers::flushcache

Manage cache flushing

Plans

easy_ipa::update_host_keys

Useful when real keys and keys in IPA device account have gone out of sync, e.g. due to rebuilding the server from a snapshot.

This gets a kerberos ticket from the IPA server first, then gathers the SSH keys from IPA clients from their SSH facts, then runs appropriate "ipa host-mod" commands for each IPA client on the IPA server.

Note that it is assumed that the IPA client host name is equal to the $::fqdn fact.

Parameters

The following parameters are available in the easy_ipa::update_host_keys plan:

ipa_clients

Data type: TargetSpec

One or more IPA clients whose host keys to upload.

ipa_server

Data type: TargetSpec

A host which has the "ipa" tools installed. Not necessarily an IPA server.

ipa_user

Data type: String

An IPA user with permission to run "ipa host-mod".

ipa_password

Data type: String

IPA user's password

noop

Data type: Boolean

If true, then only simulate what would be done.

Default value: true