Classes
sssd: This class allows you to install and configure SSSD. It will forcefully disable nscd, which consequently prevents you from using an nscd module at the same time.
sssd::config: Configuration class called from sssd. Sets up the [sssd] section of '/etc/sssd/sssd.conf', and, optionally, a domain section for the IPA domain to which the host is joined.
sssd::config::ipa_domain: Configures SSSD for the IPA domain to which the host has joined.
sssd::install: Install the required packages for SSSD.
sssd::install::client: Install the sssd-client package.
sssd::pki: Uses the sssd class parameters $sssd::pki and $sssd::app_pki_cert_source to copy certs into a directory for the sssd application.
sssd::service: Control the sssd service.
sssd::service::autofs: This class sets up the [autofs] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration.
sssd::service::ifp: This class sets up the [ifp] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration.
sssd::service::nss: This class sets up the [nss] section of /etc/sssd.conf. You may only have one of these per system. The class parameters map directly to SSSD configuration.
sssd::service::pac: This class sets up the [pac] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration.
sssd::service::pam: The sssd::service::pam class.
sssd::service::ssh: This class sets up the [ssh] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration.
sssd::service::sudo: This class sets up the [sudo] section of /etc/sssd.conf. The class parameters map directly to SSSD configuration.

Defined types
sssd::config::entry: Add an entry to the /etc/sssd/conf.d directory.
sssd::domain: This define sets up a domain section of /etc/sssd.conf. This domain will be named after '$name' and should be listed in your main sssd.conf if you wish to activate it.
sssd::provider::ad: Set up the 'ad' (Active Directory) id_provider section of a particular domain.
sssd::provider::files: Configures the 'files' id_provider section of a particular domain.
sssd::provider::ipa: This define sets up the 'ipa' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf.
sssd::provider::krb5: This define sets up the 'krb5' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf.
sssd::provider::ldap: This define sets up the 'ldap' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf.

Functions
sssd::supported_version: Returns true if the version of SSSD installed on the system is supported and false otherwise. Assumes that the system is relatively

Data types
Sssd::ADDefaultRight: List of valid types for the AD provider setting ad_gpo_default_right.
Sssd::AccessProvider: List of valid SSSD domain access providers.
Sssd::AuthProvider: List of valid types for the sssd domain authentication provider.
Sssd::ChpassProvider: List of valid types for the sssd domain change password provider.
Sssd::DebugLevel: Integer[0-9] or 2 byte hexadecimal (ex. 0x0201).
Sssd::IdProvider: List of valid types for the sssd domain ID provider.
Sssd::LdapAccessOrder: List of valid values for the ldap provider ldap_access_order setting.
Sssd::LdapAccountExpirePol: List of valid values for the ldap provider ldap_account_expire_policy setting. '' corresponds to the default value (empty) per the sssd-ldap(5) man page.
Sssd::LdapDefaultAuthtok: List of valid values for the ldap provider default auth token.
Sssd::LdapDeref: List of valid values for the ldap provider deref setting.
Sssd::LdapSchema: List of valid settings for the ldap provider ldap_schema setting.
Sssd::LdapTlsReqcert: List of valid settings for the ldap provider ldap_tls_reqcert setting.
Sssd::Services: List of available sssd services.
Class: sssd
This class allows you to install and configure SSSD.
It will forcefully disable nscd, which consequently prevents you from using an nscd module at the same time; this is the correct behavior.
Full documentation of the parameters that map directly to SSSD configuration options can be found in the sssd.conf(5) man page.
Example of setting up ldap providers through the ldap_providers parameter in hieradata:
  sssd::ldap_providers:
    ldap_users:
      ldap_access_filter: 'memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com'
      ldap_chpass_uri: empty
      ldap_access_order: 'expire'
      etc...
The following parameters are available in the sssd class:
authoritative
domains
debug_level
debug_timestamps
debug_microseconds
description
enable_files_domain
config_file_version
services
reconnection_retries
re_expression
full_name_format
try_inotify
krb5_rcache_dir
user
default_domain_suffix
override_space
ldap_providers
enumerate_users
include_svc_config
cache_credentials
min_id
auditd
pki
app_pki_cert_source
app_pki_dir
auto_add_ipa_domain
custom_config
authoritative
Data type: Boolean
Whether or not to purge all unmanaged files from /etc/sssd/conf.d.
Default value: false

domains
Data type: Array[String[1, 255]]
The sssd domains to be managed.
Default value: []

debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef

debug_timestamps
Data type: Boolean
Default value: true

debug_microseconds
Data type: Boolean
Default value: false

description
Data type: Optional[String[1]]
Default value: undef

enable_files_domain
Data type: Boolean
Default value: true

config_file_version
Data type: Integer[1]
Default value: 2

services
Data type: Sssd::Services
Default value: ['nss','pam','ssh','sudo']

reconnection_retries
Data type: Integer[0]
Default value: 3

re_expression
Data type: Optional[String[1]]
Default value: undef

full_name_format
Data type: Optional[String[1]]
Default value: undef

try_inotify
Data type: Optional[Boolean]
Default value: undef

krb5_rcache_dir
Data type: Optional[String[1]]
Default value: undef

user
Data type: Optional[String[1]]
Default value: undef

default_domain_suffix
Data type: Optional[String[1]]
Default value: undef

override_space
Data type: Optional[String[1]]
Default value: undef

ldap_providers
Data type: Hash
This allows users to set up ldap sssd::provider::ldap resources via hieradata.
Default value: {}

enumerate_users
Data type: Boolean
Have SSSD list and cache all the users that it can find on the remote system.
- Take care that you don't overwhelm your server if you enable this.
Default value: false

include_svc_config
Data type: Boolean
If set to true, config will loop through the services listed in sssd::services and include the configuration section for each of them. At this time the service sections contain only the most common parameters used. If you need to set a parameter that is not included, you can turn this off and create a custom manifest to add the section you need. If you simply want to change a setting that exists, use hiera.
Default value: true

cache_credentials
Data type: Boolean
Have SSSD cache the credentials of users that log in to the system.
Default value: true

min_id
Data type: Integer[0]
The lowest user ID that SSSD should recognize from the server.
Default value: 1

auditd
Data type: Boolean
Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false})

pki
Data type: Variant[Boolean,Enum['simp']]
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/sssd/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/sssd/x509
- If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  - app_pki_dir
  - app_pki_key
  - app_pki_cert
  - app_pki_ca
  - app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false})

app_pki_cert_source
Data type: Stdlib::Absolutepath
- If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
- If pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509'})

app_pki_dir
Data type: Stdlib::Absolutepath
This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/sssd/x509.
Default value: '/etc/pki/simp_apps/sssd/x509'

auto_add_ipa_domain
Data type: Boolean
Whether to configure sssd for an IPA domain when the host is joined to an IPA domain. When enabled, this feature helps to prevent user lockout for IPA-managed user accounts. Otherwise, you must configure the IPA domain yourself.
Default value: true

custom_config
Data type: Optional[String[1]]
A configuration that will be added to /etc/sssd/conf.d/00_puppet_custom.conf without validation.
Default value: undef
Class: sssd::config
Configuration class called from sssd. Sets up the [sssd] section of '/etc/sssd/sssd.conf', and, optionally, a domain section for the IPA domain to which the host is joined. When the IPA domain is configured, the IPA domain is automatically added to $domains to generate the list of domains in the [sssd] section.
The following parameters are available in the sssd::config class:

authoritative
Data type: Boolean
Set to true to purge unmanaged configuration files.
Default value: pick(getvar("${module_name}::authoritative"), false)

Class: sssd::config::ipa_domain
Configures SSSD for the IPA domain to which the host has joined.
Class: sssd::install
Install the required packages for SSSD.
The following parameters are available in the sssd::install class:

Data type: Boolean
If true, install the sssd client.
Default value: true

Data type: Boolean
If true, install the 'sssd-tools' package for administrative changes to the SSSD databases.
Default value: true

package_ensure
Data type: String
Ensure setting for all packages installed by this module.
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

Class: sssd::install::client
Install the sssd-client package.
The following parameters are available in the sssd::install::client class:

Data type: Any
Ensure setting for the 'sssd-client' package.
Default value: $::sssd::install::package_ensure
Class: sssd::pki
Uses the following sssd class parameters to copy certs into a directory for the sssd application.

$sssd::pki
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/sssd/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/sssd/x509
- If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  - app_pki_dir
  - app_pki_key
  - app_pki_cert
  - app_pki_ca
  - app_pki_ca_dir

$sssd::app_pki_cert_source
- If $sssd::pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
- If $sssd::pki = false, this variable has no effect.
Class: sssd::service
Control the sssd service.
The following parameters are available in the sssd::service class:

ensure
Data type: Variant[String[1],Boolean]
The ensure parameter of the service resource.
Default value: sssd::supported_version()

enable
Data type: Boolean
The enable parameter of the service resource.
Default value: sssd::supported_version()
Class: sssd::service::autofs
This class sets up the [autofs] section of /etc/sssd.conf.
The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.
The following parameters are available in the sssd::service::autofs class:

description
Data type: Optional[String]
Default value: undef

debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef

debug_timestamps
Data type: Boolean
Default value: true

debug_microseconds
Data type: Boolean
Default value: false

Data type: Optional[Integer]
Default value: undef

custom_options
Data type: Optional[Hash]
If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.
Default value: undef
Class: sssd::service::ifp
This class sets up the [ifp] section of /etc/sssd.conf.
The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) and sssd-ifp man pages.
The following parameters are available in the sssd::service::ifp class:
description
debug_level
debug_timestamps
debug_microseconds
wildcard_limit
allowed_uids
user_attributes
custom_options
description
Data type: Optional[String]
Default value: undef

debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef

debug_timestamps
Data type: Boolean
Default value: true

debug_microseconds
Data type: Boolean
Default value: false

wildcard_limit
Data type: Optional[Integer[0]]
Default value: undef

allowed_uids
Data type: Optional[Array[String[1]]]
Default value: undef

user_attributes
Data type: Optional[Array[String[1]]]
Default value: undef

custom_options
Data type: Optional[Hash]
If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.
Default value: undef
Class: sssd::service::nss
This class sets up the [nss] section of /etc/sssd.conf. You may only have one of these per system.
The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.
The following parameters are available in the sssd::service::nss class:
description
debug_level
debug_timestamps
debug_microseconds
reconnection_retries
fd_limit
command
enum_cache_timeout
entry_cache_nowait_percentage
entry_negative_timeout
filter_users
filter_groups
filter_users_in_groups
override_homedir
fallback_homedir
override_shell
vetoed_shells
default_shell
get_domains_timeout
memcache_timeout
user_attributes
custom_options
description
Data type: Optional[String]
Default value: undef

debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef

debug_timestamps
Data type: Boolean
Default value: true

debug_microseconds
Data type: Boolean
Default value: false

reconnection_retries
Data type: Integer
Default value: 3

fd_limit
Data type: Optional[Integer]
Default value: undef

command
Data type: Optional[String]
Default value: undef

enum_cache_timeout
Data type: Integer
Default value: 120

entry_cache_nowait_percentage
Data type: Integer
Default value: 0

entry_negative_timeout
Data type: Integer
Default value: 15

filter_users
Data type: String
Default value: 'root'

filter_groups
Data type: String
Default value: 'root'

filter_users_in_groups
Data type: Boolean
Default value: true

override_homedir
Data type: Optional[String]
Default value: undef

fallback_homedir
Data type: Optional[String]
Default value: undef

override_shell
Data type: Optional[String]
Default value: undef

vetoed_shells
Data type: Optional[String]
Default value: undef

default_shell
Data type: Optional[String]
Default value: undef

get_domains_timeout
Data type: Optional[Integer]
Default value: undef

memcache_timeout
Data type: Optional[Integer]
Default value: undef

user_attributes
Data type: Optional[String]
Default value: undef

custom_options
Data type: Optional[Hash]
If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.
Default value: undef
Class: sssd::service::pac
This class sets up the [pac] section of /etc/sssd.conf.
The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.
The following parameters are available in the sssd::service::pac class:

description
Data type: Optional[String]
Default value: undef

debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef

debug_timestamps
Data type: Boolean
Default value: true

debug_microseconds
Data type: Boolean
Default value: false

Data type: Array[String]
Default value: []

custom_options
Data type: Optional[Hash]
If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.
Default value: undef
Class: sssd::service::pam
The sssd::service::pam class.
The following parameters are available in the sssd::service::pam class:
description
debug_level
debug_timestamps
debug_microseconds
pam_cert_auth
reconnection_retries
command
offline_credentials_expiration
offline_failed_login_attempts
offline_failed_login_delay
pam_verbosity
pam_id_timeout
pam_pwd_expiration_warning
get_domains_timeout
pam_trusted_users
pam_public_domains
custom_options
description
Data type: Optional[String]
Default value: undef

debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef

debug_timestamps
Data type: Boolean
Default value: true

debug_microseconds
Data type: Boolean
Default value: false

pam_cert_auth
Data type: Boolean
Default value: false

reconnection_retries
Data type: Integer
Default value: 3

command
Data type: Optional[String]
Default value: undef

offline_credentials_expiration
Data type: Integer
Default value: 0

offline_failed_login_attempts
Data type: Integer
Default value: 3

offline_failed_login_delay
Data type: Integer
Default value: 5

pam_verbosity
Data type: Integer
Default value: 1

pam_id_timeout
Data type: Integer
Default value: 5

pam_pwd_expiration_warning
Data type: Integer
Default value: 7

get_domains_timeout
Data type: Optional[Integer]
Default value: undef

pam_trusted_users
Data type: Optional[String]
Default value: undef

pam_public_domains
Data type: Optional[String]
Default value: undef

custom_options
Data type: Optional[Hash]
Default value: undef
Class: sssd::service::ssh
This class sets up the [ssh] section of /etc/sssd.conf.
The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.
The following parameters are available in the sssd::service::ssh class:
description
debug_level
debug_timestamps
debug_microseconds
ssh_hash_known_hosts
ssh_known_hosts_timeout
custom_options
description
Data type: Optional[String]
Default value: undef

debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef

debug_timestamps
Data type: Boolean
Default value: true

debug_microseconds
Data type: Boolean
Default value: false

ssh_hash_known_hosts
Data type: Boolean
Default value: true

ssh_known_hosts_timeout
Data type: Optional[Integer]
Default value: undef

custom_options
Data type: Optional[Hash]
If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.
Default value: undef
Class: sssd::service::sudo
This class sets up the [sudo] section of /etc/sssd.conf.
The class parameters map directly to SSSD configuration. Full documentation of these configuration options can be found in the sssd.conf(5) man page.
The following parameters are available in the sssd::service::sudo class:
description
debug_level
debug_timestamps
debug_microseconds
sudo_threshold
sudo_timed
custom_options
description
Data type: Optional[String]
Default value: undef

debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef

debug_timestamps
Data type: Boolean
Default value: true

debug_microseconds
Data type: Boolean
Default value: false

sudo_threshold
Data type: Integer[1]
Default value: 50

sudo_timed
Data type: Boolean
Default value: false

custom_options
Data type: Optional[Hash]
If defined, this hash will be used to create the service section instead of the parameters. You must provide all options in the section you want to add. Each entry in the hash will be added as a simple init pair key = value under the section in the sssd.conf file. No error checking will be performed.
Default value: undef
Define: sssd::config::entry
Add an entry to the /etc/sssd/conf.d directory.
The following parameters are available in the sssd::config::entry defined type:

name
A unique name that will be used for generating the target filename. Should not be fully qualified.

Data type: String
The content of the target file.

Data type: Integer[0]
Default value: 50
Define: sssd::domain
This define sets up a domain section of /etc/sssd.conf. This domain will be named after '$name' and should be listed in your main sssd.conf if you wish to activate it.
You will need to call the associated provider segments to make this fully functional.
It is entirely possible to make a configuration file that is complete nonsense by failing to set the correct combinations of providers. See the SSSD documentation for details.
When you call the associated providers, you should be sure to name them based on the name of this domain.
Full documentation of the parameters that map directly to SSSD configuration options can be found in the sssd.conf(5) man page.
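A worked manifest, added here as an illustration and not taken from the module's own documentation: it declares one LDAP-backed domain with sssd::domain, lists it in the sssd class's domains parameter so the [domain/LDAP] section is activated, and uses only parameters documented on this page. The server name, search base and ID floor are placeholders.

```puppet
# Added example (not from the module docs). Hostname, base DN and min_id are
# placeholders; every parameter used below is documented on this page.
class { 'sssd':
  domains           => ['LDAP'],   # each sssd::domain must be listed here to be active
  enumerate_users   => false,      # do not pull the whole directory into the local cache
  cache_credentials => true,
  min_id            => 1000,       # never resolve local system accounts from the directory
}

sssd::domain { 'LDAP':                          # rendered as [domain/LDAP] in sssd.conf
  id_provider                => 'ldap',
  auth_provider              => 'ldap',
  chpass_provider            => 'ldap',
  access_provider            => 'ldap',
  ldap_uri                   => 'ldap://ldap.example.com',
  ldap_id_use_start_tls      => true,           # require TLS on the id_provider connection
  ldap_tls_reqcert           => 'demand',       # refuse servers whose certificate fails to verify
  ldap_user_search_base      => 'ou=People,dc=example,dc=com',
  ldap_access_order          => 'expire',       # deny accounts the directory marks as expired
  ldap_account_expire_policy => 'shadow',
  cache_credentials          => true,           # the define defaults this to false
  enumerate                  => false,
  min_id                     => 1000,
  use_fully_qualified_names  => false,
}
```

The domain-level cache_credentials and min_id are set explicitly because, per the defaults above, sssd::domain does not inherit them from the sssd class.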
The following parameters are available in the sssd::domain defined type:
name
id_provider
debug_level
debug_timestamps
debug_microseconds
description
min_id
max_id
enumerate
subdomain_enumerate
force_timeout
entry_cache_timeout
entry_cache_user_timeout
entry_cache_group_timeout
entry_cache_netgroup_timeout
entry_cache_service_timeout
entry_cache_sudo_timeout
entry_cache_autofs_timeout
entry_cache_ssh_host_timeout
refresh_expired_interval
cache_credentials
account_cache_expiration
pwd_expiration_warning
use_fully_qualified_names
ignore_group_members
access_provider
auth_provider
chpass_provider
sudo_provider
selinux_provider
subdomains_provider
autofs_provider
hostid_provider
re_expression
full_name_format
lookup_family_order
dns_resolver_timeout
dns_discovery_domain
override_gid
case_sensitive
proxy_fast_alias
realmd_tags
proxy_pam_target
proxy_lib_name
ldap_user_search_filter
ldap_referrals
timeout
ldap_network_timeout
ldap_opt_timeout
ldap_uri
ldap_page_size
ldap_id_use_start_tls
ldap_default_bind_dn
ldap_default_authtok_type
ldap_default_authtok
ldap_tls_reqcert
ldap_schema
ldap_user_search_base
ldap_user_object_class
ldap_access_order
ldap_account_expire_policy
ldap_force_upper_case_realm
krb5_realm
krb5_canonicalize
override_homedir
name
The name of the domain. This will be placed at [domain/$name] in the configuration file.

id_provider
Data type: Sssd::IdProvider

debug_level
Data type: Optional[Sssd::DebugLevel]
Default value: undef

debug_timestamps
Data type: Boolean
Default value: true

debug_microseconds
Data type: Boolean
Default value: false

description
Data type: Optional[String]
Default value: undef

min_id
Data type: Integer[0]
Default value: 1

max_id
Data type: Integer[0]
Default value: 0

enumerate
Data type: Boolean
Default value: false

subdomain_enumerate
Data type: Boolean
Default value: false

force_timeout
Data type: Optional[Integer]
Default value: undef

entry_cache_timeout
Data type: Optional[Integer]
Default value: undef

entry_cache_user_timeout
Data type: Optional[Integer]
Default value: undef

entry_cache_group_timeout
Data type: Optional[Integer]
Default value: undef

entry_cache_netgroup_timeout
Data type: Optional[Integer]
Default value: undef

entry_cache_service_timeout
Data type: Optional[Integer]
Default value: undef

entry_cache_sudo_timeout
Data type: Optional[Integer]
Default value: undef

entry_cache_autofs_timeout
Data type: Optional[Integer]
Default value: undef

entry_cache_ssh_host_timeout
Data type: Optional[Integer]
Default value: undef

refresh_expired_interval
Data type: Optional[Integer]
Default value: undef

cache_credentials
Data type: Boolean
Default value: false

account_cache_expiration
Data type: Integer[0]
Default value: 0

pwd_expiration_warning
Data type: Optional[Integer[0]]
Default value: undef

use_fully_qualified_names
Data type: Boolean
Default value: false

ignore_group_members
Data type: Boolean
Default value: true

access_provider
Data type: Optional[Sssd::AccessProvider]
Default value: undef

auth_provider
Data type: Optional[Sssd::AuthProvider]
Default value: undef

chpass_provider
Data type: Optional[Sssd::ChpassProvider]
Default value: undef

sudo_provider
Data type: Optional[Enum['ldap', 'ipa','ad','none']]
Default value: undef

selinux_provider
Data type: Optional[Enum['ipa', 'none']]
Default value: undef

subdomains_provider
Data type: Optional[Enum['ipa', 'ad','none']]
Default value: undef

autofs_provider
Data type: Optional[Enum['ad', 'ldap', 'ipa','none']]
Default value: undef

hostid_provider
Data type: Optional[Enum['ipa', 'none']]
Default value: undef

re_expression
Data type: Optional[String]
Default value: undef

full_name_format
Data type: Optional[String]
Default value: undef

lookup_family_order
Data type: Optional[String]
Default value: undef

dns_resolver_timeout
Data type: Integer[0]
Default value: 5

dns_discovery_domain
Data type: Optional[String]
Default value: undef

override_gid
Data type: Optional[String]
Default value: undef

case_sensitive
Data type: Variant[Boolean,Enum['preserving']]
Default value: true

proxy_fast_alias
Data type: Boolean
Default value: false

realmd_tags
Data type: Optional[String]
Default value: undef

proxy_pam_target
Data type: Optional[String]
Default value: undef

proxy_lib_name
Data type: Optional[String]
Default value: undef

ldap_user_search_filter
Data type: Optional[String]
Default value: undef

ldap_referrals
Data type: Optional[Boolean]
Default value: undef

timeout
Data type: Optional[Integer[0]]
Default value: undef

ldap_network_timeout
Data type: Optional[Integer[0]]
Default value: undef

ldap_opt_timeout
Data type: Optional[Integer[0]]
Default value: undef

ldap_uri
Data type: Optional[String]
Default value: undef

ldap_page_size
Data type: Optional[Integer[0]]
Default value: undef

ldap_id_use_start_tls
Data type: Optional[Boolean]
Default value: undef

ldap_default_bind_dn
Data type: Optional[String]
Default value: undef

ldap_default_authtok_type
Data type: Optional[String]
Default value: undef

ldap_default_authtok
Data type: Optional[String]
Default value: undef

ldap_tls_reqcert
Data type: Optional[String]
Default value: undef

ldap_schema
Data type: Optional[String]
Default value: undef

ldap_user_search_base
Data type: Optional[String]
Default value: undef

ldap_user_object_class
Data type: Optional[String]
Default value: undef

ldap_access_order
Data type: Optional[String]
Default value: undef

ldap_account_expire_policy
Data type: Optional[String]
Default value: undef

Data type: Optional[String]
Default value: undef

Data type: Optional[String]
Default value: undef

Data type: Optional[String]
Default value: undef

Data type: Optional[String]
Default value: undef

Data type: Optional[String]
Default value: undef

Data type: Optional[Boolean]
Default value: undef

Data type: Optional[String]
Default value: undef

Data type: Optional[Boolean]
Default value: undef

Data type: Optional[String]
Default value: undef
Define: sssd::provider::ad
NOTE: You MUST connect the system to the domain prior to using this defined type.
Any parameter not explicitly documented directly follows the documentation from sssd-ad(5).
See also: sssd-ad(5)
The following parameters are available in the sssd::provider::ad defined type:
ad_domain
ad_enabled_domains
ad_servers
ad_backup_servers
ad_hostname
ad_enable_dns_sites
ad_access_filters
ad_site
ad_enable_gc
ad_gpo_access_control
ad_gpo_cache_timeout
ad_gpo_map_interactive
ad_gpo_map_remote_interactive
ad_gpo_map_network
ad_gpo_map_batch
ad_gpo_map_service
ad_gpo_map_permit
ad_gpo_map_deny
ad_gpo_default_right
ad_gpo_implicit_deny
ad_gpo_ignore_unreadable
ad_maximum_machine_account_password_age
ad_machine_account_password_renewal_opts
default_shell
dyndns_update
dyndns_ttl
dyndns_ifaces
dyndns_refresh_interval
dyndns_update_ptr
dyndns_force_tcp
dyndns_server
override_homedir
fallback_homedir
homedir_substring
krb5_realm
krb5_use_enterprise_principal
krb5_store_password_if_offline
krb5_confd_path
ldap_id_mapping
ldap_schema
ldap_idmap_range_min
ldap_idmap_range_max
ldap_idmap_range_size
ldap_idmap_default_domain_sid
ldap_idmap_default_domain
ldap_idmap_autorid_compat
ldap_idmap_helper_table_size
ldap_use_tokengroups
ldap_group_objectsid
ldap_user_objectsid
ldap_user_extra_attrs
ldap_user_ssh_public_key
ad_domain
Data type: Optional[String[1]]
Default value: undef

ad_enabled_domains
Data type: Optional[Array[String[1],1]]
An explicit list of AD enabled domains.
- An error will be raised if ad_domain is specified and not in this list.
Default value: undef

ad_servers
Data type: Optional[Array[Variant[Simplib::Hostname, Enum['_srv_']]]]
A list of AD servers in failover order.
- Ignored if autodiscovery is enabled.
Default value: undef

ad_backup_servers
Data type: Optional[Array[Simplib::Hostname,1]]
A list of AD backup servers in failover order.
- Ignored if autodiscovery is enabled.
Default value: undef

ad_hostname
Data type: Optional[Simplib::Hostname]
Default value: undef

ad_enable_dns_sites
Data type: Optional[Boolean]
Default value: undef

ad_access_filters
Data type: Optional[Array[String[1],1]]
A list of access filters for the system.
Default value: undef

ad_site
Data type: Optional[String[1]]
Default value: undef

ad_enable_gc
Data type: Optional[Boolean]
Default value: undef

ad_gpo_access_control
Data type: Optional[Enum['disabled','enforcing','permissive']]
Default value: undef

ad_gpo_cache_timeout
Data type: Optional[Integer[1]]
Default value: undef

ad_gpo_map_interactive
Data type: Optional[Array[String[1],1]]
Default value: undef

ad_gpo_map_remote_interactive
Data type: Optional[Array[String[1],1]]
Default value: undef

ad_gpo_map_network
Data type: Optional[Array[String[1],1]]
Default value: undef

ad_gpo_map_batch
Data type: Optional[Array[String[1],1]]
Default value: undef

ad_gpo_map_service
Data type: Optional[Array[String[1],1]]
Default value: undef

ad_gpo_map_permit
Data type: Optional[Array[String[1],1]]
Default value: undef

ad_gpo_map_deny
Data type: Optional[Array[String[1],1]]
Default value: undef

ad_gpo_default_right
Data type: Optional[Sssd::ADDefaultRight]
Default value: undef

ad_gpo_implicit_deny
Data type: Optional[Boolean]
(new in sssd V2.0 and later)
Default value: undef

ad_gpo_ignore_unreadable
Data type: Optional[Boolean]
(new in sssd V2.0 and later)
Default value: undef

ad_maximum_machine_account_password_age
Data type: Optional[Integer[0]]
Default value: undef

ad_machine_account_password_renewal_opts
Data type: Optional[Pattern['^\d+:\d+$']]
Default value: undef

default_shell
Data type: Optional[String[1]]
Default value: undef

dyndns_update
Data type: Boolean
Default value: true

dyndns_ttl
Data type: Optional[Integer]
Default value: undef

dyndns_ifaces
Data type: Optional[Array[String[1],1]]
List of interfaces whose IP addresses should be used for dynamic DNS updates. Used for the dyndns_iface setting.
- Has no effect if dyndns_update is not set to true.
Default value: undef

dyndns_refresh_interval
Data type: Optional[Integer]
Default value: undef

dyndns_update_ptr
Data type: Optional[Boolean]
Default value: undef

dyndns_force_tcp
Data type: Optional[Boolean]
Default value: undef

dyndns_server
Data type: Optional[Simplib::Hostname]
Default value: undef

override_homedir
Data type: Optional[String[1]]
Default value: undef

fallback_homedir
Data type: Optional[String[1]]
Default value: undef

homedir_substring
Data type: Optional[Stdlib::Absolutepath]
Default value: undef

krb5_realm
Data type: Optional[String[1]]
Default value: $ad_domain

krb5_use_enterprise_principal
Data type: Optional[Boolean]
Default value: undef

krb5_store_password_if_offline
Data type: Boolean
Default value: false

krb5_confd_path
Data type: Optional[Variant[Enum['none'],Stdlib::Absolutepath]]
Default value: undef

ldap_id_mapping
Data type: Boolean
Default value: true

ldap_schema
Data type: Optional[String[1]]
Default value: undef

ldap_idmap_range_min
Data type: Optional[Integer[0]]
Default value: undef

ldap_idmap_range_max
Data type: Optional[Integer[1]]
Default value: undef

ldap_idmap_range_size
Data type: Optional[Integer[1]]
Default value: undef

ldap_idmap_default_domain_sid
Data type: Optional[String[1]]
Default value: undef

ldap_idmap_default_domain
Data type: Optional[String[1]]
Default value: undef

ldap_idmap_autorid_compat
Data type: Optional[Boolean]
Default value: undef

ldap_idmap_helper_table_size
Data type: Optional[Integer[1]]
Default value: undef

ldap_use_tokengroups
Data type: Boolean
Default value: true

ldap_group_objectsid
Data type: Optional[String[1]]
Default value: undef

ldap_user_objectsid
Data type: Optional[String[1]]
Default value: undef

ldap_user_extra_attrs
Data type: Optional[String[1]]
Can be used to enable public key storage for ssh. When used this way, set this param and param ldap_user_ssh_public_key to 'altSecurityIdentities'.
Default value: undef

ldap_user_ssh_public_key
Data type: Optional[String[1]]
Can be used to enable public key storage for ssh. When used this way, set this param and param ldap_user_extra_attrs to 'altSecurityIdentities'.
Default value: undef
Define: sssd::provider::files
NOTE: This defined type has no effect on SSSD < 1.16.0.
$name should be the name of the associated domain in sssd.conf.
This is not necessary for the files provider unless you want to use files other than /etc/passwd and /etc/group.
See man 'sssd-files' for additional information.
The following parameters are available in the sssd::provider::files defined type:

name
The name of the associated domain section in the configuration file.

Data type: Optional[Array[Stdlib::Absolutepath]]
Default value: undef

Data type: Optional[Array[Stdlib::Absolutepath]]
Default value: undef
Define: sssd::provider::ipa
This define sets up the 'ipa' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf.
See sssd-ipa.conf(5) for additional information.
Regarding POODLE (CVE-2014-3566): the tls_cipher_suite variable is set to HIGH:-SSLv2 by default because OpenLDAP cannot set the SSL provider natively. By default, it will run TLSv1 but cannot handle TLSv1.2; therefore the SSLv3 ciphers cannot be eliminated. Take care to ensure that your clients only connect with TLSv1 if possible.
The following parameters are available in the sssd::provider::ipa defined type:
name
ipa_domain
ipa_server
ipa_backup_server
ipa_enable_dns_sites
ipa_hostname
ipa_server_mode
dyndns_auth
dyndns_force_tcp
dyndns_iface
dyndns_refresh_interval
dyndns_server
dyndns_ttl
dyndns_update
dyndns_update_ptr
ipa_automount_location
ipa_hbac_refresh
ipa_hbac_search_base
ipa_hbac_selinux
ipa_host_search_base
ipa_master_domains_search_base
ipa_selinux_search_base
ipa_subdomains_search_base
ipa_views_search_base
krb5_confd_path
krb5_realm
krb5_store_password_if_offline
ldap_tls_cacert
ldap_tls_cipher_suite
use_service_discovery
ipa_domain
Data type: String[1]

ipa_server
Data type: Array[Simplib::Host]

ipa_backup_server
Data type: Optional[Array[Simplib::Host]]
Default value: undef

ipa_enable_dns_sites
Data type: Boolean
Default value: false

ipa_hostname
Data type: Simplib::Hostname
Default value: $facts['networking']['fqdn']

ipa_server_mode
Data type: Boolean
Default value: false

dyndns_auth
Data type: Enum['none','GSS-TSIG']
Default value: 'GSS-TSIG'

dyndns_force_tcp
Data type: Optional[Boolean]
Default value: undef

dyndns_iface
Data type: Optional[Array[String[1]]]
Default value: undef

dyndns_refresh_interval
Data type: Optional[Integer[0]]
Default value: undef

dyndns_server
Data type: Optional[Simplib::Host]
Default value: undef

dyndns_ttl
Data type: Optional[Integer[0]]
Default value: undef

dyndns_update
Data type: Boolean
Default value: true

dyndns_update_ptr
Data type: Optional[Boolean]
Default value: undef

ipa_automount_location
Data type: Optional[String]
Default value: undef

ipa_hbac_refresh
Data type: Optional[Integer[0]]
Default value: undef

ipa_hbac_search_base
Data type: Optional[String]
Default value: undef

ipa_hbac_selinux
Data type: Optional[Integer[0]]
Default value: undef

ipa_host_search_base
Data type: Optional[String]
Default value: undef

ipa_master_domains_search_base
Data type: Optional[String]
Default value: undef

ipa_selinux_search_base
Data type: Optional[String]
Default value: undef

ipa_subdomains_search_base
Data type: Optional[String]
Default value: undef

ipa_views_search_base
Data type: Optional[String]
Default value: undef

krb5_confd_path
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef

krb5_realm
Data type: Optional[String]
Default value: undef

krb5_store_password_if_offline
Data type: Boolean
Default value: true

ldap_tls_cacert
Data type: Stdlib::AbsolutePath
Default value: '/etc/ipa/ca.crt'

ldap_tls_cipher_suite
Data type: Array[String]
Default value: ['HIGH','-SSLv2']

use_service_discovery
Data type: Boolean
Whether to add 'srv' to the list of IPA servers, thereby enabling service discovery of these servers.
Default value: true
Define: sssd::provider::krb5
This define sets up the 'krb5' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf.
See sssd-krb5.conf(5) for additional information.
The following parameters are available in the sssd::provider::krb5 defined type:

| Parameter | Data type | Default value | Notes |
|---|---|---|---|
| name | | | The name of the associated domain section in the configuration file. |
| krb5_server | Optional[Simplib::Host] | undef | |
| krb5_realm | String | (required) | |
| debug_level | Optional[Sssd::DebugLevel] | undef | |
| debug_timestamps | Boolean | true | |
| debug_microseconds | Boolean | false | |
| krb5_kpasswd | Optional[String] | undef | |
| krb5_ccachedir | Optional[Stdlib::Absolutepath] | undef | |
| krb5_ccname_template | Optional[Stdlib::Absolutepath] | undef | |
| krb5_auth_timeout | Integer | 15 | |
| krb5_validate | Boolean | false | |
| krb5_keytab | Optional[Stdlib::Absolutepath] | undef | |
| krb5_store_password_if_offline | Boolean | false | |
| krb5_renewable_lifetime | Optional[String] | undef | |
| krb5_lifetime | Optional[String] | undef | |
| krb5_renew_interval | Integer | 0 | |
| krb5_use_fast | Optional[Enum['never','try','demand']] | undef | |
Define: sssd::provider::ldap
This define sets up the 'ldap' provider section of a particular domain. $name should be the name of the associated domain in sssd.conf.
Configuration notes:
- See sssd-ldap.conf(5) for additional information.
- Be careful with the following configuration:
  - ldap_netgroup_search_base
  - ldap_user_search_base
  - ldap_group_search_base
  - ldap_sudo_search_base
  - ldap_autofs_search_base
- Be sure to read the man page for the following advanced configuration:
  - ldap_idmap_range_min
  - ldap_idmap_range_max
  - ldap_idmap_range_size
  - ldap_idmap_default_domain_sid
  - ldap_idmap_default_domain
  - ldap_idmap_autorid_compat
Regarding: POODLE - CVE-2014-3566
The tls_cipher_suite variable is set to HIGH:-SSLv2 by default because OpenLDAP cannot set the SSL provider natively. By default it will run TLSv1 but cannot handle TLSv1.2, so the SSLv3 ciphers cannot be eliminated. Take care to ensure that your clients only connect with TLSv1 if possible.
Advanced Configuration - Read the man page
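As an added example (not code from the simp/sssd module or this reference), the declaration below shows how the TLS-related parameters discussed in the POODLE notes for both the ipa and ldap providers are set on an sssd::provider::ldap instance for a domain section named 'LDAP'. The server host name, base DN and CA bundle path are constructed placeholders, and the matching sssd::domain declaration for 'LDAP' is assumed to exist elsewhere in the catalogue.

```puppet
# Added example, not part of the simp/sssd module. Declares the 'ldap'
# provider for the domain section named 'LDAP'; the sssd::domain { 'LDAP': }
# declaration it belongs to is assumed to be declared separately.
sssd::provider::ldap { 'LDAP':
  # Constructed values: replace with your directory server and base DN.
  ldap_uri              => ['ldap://ldap.example.com'],
  ldap_search_base      => 'dc=example,dc=com',
  ldap_schema           => 'rfc2307',

  # ldap_default_bind_dn and ldap_default_authtok are left at their defaults,
  # which the module resolves from the simp_options::ldap::bind_dn and
  # simp_options::ldap::bind_pw Hiera keys, so the bind credential is never
  # written into a manifest.

  # Upgrade the plain ldap:// connection with STARTTLS and refuse any server
  # whose certificate does not validate against the CA bundle below
  # (placeholder path; point it at the bundle your PKI actually distributes).
  ldap_id_use_start_tls => true,
  ldap_tls_reqcert      => 'demand',
  ldap_tls_cacert       => '/etc/pki/tls/certs/ldap-ca.pem',

  # The module default is ['HIGH','-SSLv2'], rendered as HIGH:-SSLv2. Anonymous
  # Diffie-Hellman suites qualify as HIGH by key length but authenticate no
  # one, so they are excluded as well. SSLv3-era suites cannot be dropped by
  # cipher string alone, as the POODLE note above explains, so the TLS version
  # floor still has to be enforced on the connection itself.
  ldap_tls_cipher_suite => ['HIGH', '-SSLv2', '!aNULL'],
}
```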
The following parameters are available in the sssd::provider::ldap defined type:

| Parameter | Data type | Default value | Notes |
|---|---|---|---|
| name | | | The name of the associated domain section in the configuration file |
| strip_128_bit_ciphers | Boolean | true | DEPRECATED - EL6-only - Will be removed in a future release |
| client_tls | Boolean | true | Set to false to disable setting up client-side TLS |
| debug_level | Optional[Sssd::DebugLevel] | undef | |
| debug_timestamps | Optional[Boolean] | undef | |
| debug_microseconds | Boolean | false | |
| ldap_uri | Optional[Array[Simplib::URI,1]] | simplib::lookup('simp_options::ldap::uri', { 'default_value' => undef }) | |
| ldap_backup_uri | Optional[Array[Simplib::URI,1]] | undef | |
| ldap_chpass_uri | Optional[Array[Simplib::URI,1]] | undef | |
| ldap_chpass_backup_uri | Optional[Array[Simplib::URI,1]] | undef | |
| ldap_chpass_update_last_change | Boolean | true | |
| ldap_search_base | Optional[String[1]] | simplib::lookup('simp_options::ldap::base_dn', { 'default_value' => undef }) | |
| ldap_schema | Sssd::LdapSchema | 'rfc2307' | |
| ldap_default_bind_dn | Optional[String[1]] | simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => undef }) | |
| ldap_default_authtok_type | Optional[Sssd::LdapDefaultAuthtok] | undef | |
| ldap_default_authtok | Optional[String[1]] | simplib::lookup('simp_options::ldap::bind_pw', { 'default_value' => undef }) | |
| ldap_user_cert | Optional[String[1]] | undef | |
| ldap_user_object_class | Optional[String[1]] | undef | |
| ldap_user_name | Optional[String[1]] | undef | |
| ldap_user_uid_number | Optional[String[1]] | undef | |
| ldap_user_gid_number | Optional[String[1]] | undef | |
| ldap_user_gecos | Optional[String[1]] | undef | |
| ldap_user_home_directory | Optional[String[1]] | undef | |
| ldap_user_shell | Optional[String[1]] | undef | |
| ldap_user_uuid | Optional[String[1]] | undef | |
| ldap_user_objectsid | Optional[String[1]] | undef | |
| ldap_user_modify_timestamp | Optional[String[1]] | undef | |
| ldap_user_shadow_last_change | Optional[String[1]] | undef | |
| ldap_user_shadow_min | Optional[String[1]] | undef | |
| ldap_user_shadow_max | Optional[String[1]] | undef | |
| ldap_user_shadow_warning | Optional[String[1]] | undef | |
| ldap_user_shadow_inactive | Optional[String[1]] | undef | |
| ldap_user_shadow_expire | Optional[String[1]] | undef | |
| ldap_user_krb_last_pwd_change | Optional[String[1]] | undef | |
| ldap_user_krb_password_expiration | Optional[String[1]] | undef | |
| ldap_user_ad_account_expires | Optional[String[1]] | undef | |
| ldap_user_ad_user_account_control | Optional[String[1]] | undef | |
| ldap_ns_account_lock | Optional[String[1]] | undef | |
| ldap_user_nds_login_disabled | Optional[String[1]] | undef | |
| ldap_user_nds_login_expiration_time | Optional[String[1]] | undef | |
| ldap_user_nds_login_allowed_time_map | Optional[String[1]] | undef | |
| ldap_user_principal | Optional[String[1]] | undef | |
| ldap_user_extra_attrs | Optional[Array[String[1],1]] | undef | |
| ldap_user_ssh_public_key | Optional[String[1]] | undef | |
| ldap_force_upper_case_realm | Boolean | false | |
| ldap_enumeration_refresh_timeout | Optional[Integer[0]] | undef | |
| ldap_purge_cache_timeout | Optional[Integer[0]] | undef | |
| ldap_user_fullname | Optional[String[1]] | undef | |
| ldap_user_member_of | Optional[String[1]] | undef | |
| ldap_user_authorized_service | Optional[String[1]] | undef | |
| ldap_user_authorized_host | Optional[String[1]] | undef | |
| ldap_group_object_class | Optional[String[1]] | undef | |
| ldap_group_name | Optional[String[1]] | undef | |
| ldap_group_gid_number | Optional[String[1]] | undef | |
| ldap_group_member | Optional[String[1]] | undef | |
| ldap_group_uuid | Optional[String[1]] | undef | |
| ldap_group_objectsid | Optional[String[1]] | undef | |
| ldap_group_modify_timestamp | Optional[String[1]] | undef | |
| ldap_group_type | Optional[Integer] | undef | |
| ldap_group_nesting_level | Optional[Integer] | undef | |
| ldap_groups_use_matching_rule_in_chain | Boolean | false | |
| ldap_initgroups_use_matching_rule_in_chain | Boolean | false | |
| ldap_use_tokengroups | Boolean | false | |
| ldap_netgroup_object_class | Optional[String[1]] | undef | |
| ldap_netgroup_name | Optional[String[1]] | undef | |
| ldap_netgroup_member | Optional[String[1]] | undef | |
| ldap_netgroup_triple | Optional[String[1]] | undef | |
| ldap_netgroup_uuid | Optional[String[1]] | undef | |
| ldap_netgroup_modify_timestamp | Optional[String[1]] | undef | |
| ldap_service_name | Optional[String[1]] | undef | |
| ldap_service_port | Optional[String[1]] | undef | |
| ldap_service_proto | Optional[String[1]] | undef | |
| ldap_service_search_base | Optional[String[1]] | undef | |
| ldap_search_timeout | Optional[Integer[0]] | undef | |
| ldap_enumeration_search_timeout | Optional[Integer[0]] | undef | |
| ldap_network_timeout | Optional[Integer[0]] | undef | |
| ldap_opt_timeout | Optional[Integer[0]] | undef | |
| ldap_connection_expire_timeout | Optional[Integer[0]] | undef | |
| ldap_page_size | Optional[Integer[0]] | undef | |
| ldap_disable_paging | Boolean | false | |
| ldap_disable_range_retrieval | Boolean | false | |
| ldap_sasl_minssf | Optional[Integer] | undef | |
| ldap_deref_threshold | Optional[Integer[0]] | undef | |
| ldap_tls_reqcert | Sssd::LdapTlsReqcert | 'demand' | |
| ldap_tls_cacert | Optional[String[1]] | undef | |
| app_pki_ca_dir | Optional[Stdlib::Absolutepath] | undef | |
| app_pki_key | Optional[Stdlib::Absolutepath] | undef | |
| app_pki_cert | Optional[Stdlib::Absolutepath] | undef | |
| ldap_tls_cipher_suite | Array[String[1]] | ['HIGH','-SSLv2'] | |
| ldap_id_use_start_tls | Boolean | true | |
| ldap_id_mapping | Boolean | false | |
| ldap_min_id | Optional[Integer[0]] | undef | |
| ldap_max_id | Optional[Integer[0]] | undef | |
| ldap_sasl_mech | Optional[String[1]] | undef | |
| ldap_sasl_authid | Optional[String[1]] | undef | |
| ldap_sasl_realm | Optional[String[1]] | undef | |
| ldap_sasl_canonicalize | Boolean | false | |
| ldap_krb5_keytab | Optional[Stdlib::Absolutepath] | undef | |
| ldap_krb5_init_creds | Boolean | true | |
| ldap_krb5_ticket_lifetime | Optional[Integer] | undef | |
| krb5_server | Optional[Array[String[1],1]] | undef | |
| krb5_backup_server | Optional[Array[String[1],1]] | undef | |
| krb5_realm | Optional[String[1]] | undef | |
| krb5_canonicalize | Boolean | false | |
| krb5_use_kdcinfo | Boolean | true | |
| ldap_pwd_policy | Enum['none','shadow','mit_kerberos'] | ($ldap_account_expire_policy == 'shadow') ? { true => 'shadow', default => 'none' } | |
| ldap_referrals | Boolean | true | |
| ldap_dns_service_name | Optional[String[1]] | undef | |
| ldap_chpass_dns_service_name | Optional[String[1]] | undef | |
| ldap_access_filter | Optional[String[1]] | undef | |
| ldap_account_expire_policy | Sssd::LdapAccountExpirePol | 'shadow' | Set this to '' when you want to omit this configuration in order to use the system default. |
| ldap_access_order | Sssd::LdapAccessOrder | ['expire','lockout','ppolicy','pwd_expire_policy_renew'] | |
| ldap_pwdlockout_dn | Optional[String[1]] | undef | |
| ldap_deref | Optional[Sssd::LdapDeref] | undef | |
| ldap_sudorule_object_class | Optional[String[1]] | undef | |
| ldap_sudorule_name | Optional[String[1]] | undef | |
| ldap_sudorule_command | Optional[String[1]] | undef | |
| ldap_sudorule_host | Optional[String[1]] | undef | |
| ldap_sudorule_user | Optional[String[1]] | undef | |
| ldap_sudorule_option | Optional[String[1]] | undef | |
| ldap_sudorule_runasuser | Optional[String[1]] | undef | |
| ldap_sudorule_runasgroup | Optional[String[1]] | undef | |
| ldap_sudorule_notbefore | Optional[String[1]] | undef | |
| ldap_sudorule_notafter | Optional[String[1]] | undef | |
| ldap_sudorule_order | Optional[String[1]] | undef | |
| ldap_sudo_full_refresh_interval | Optional[Integer[0]] | undef | |
| ldap_sudo_smart_refresh_interval | Optional[Integer[0]] | undef | |
| ldap_sudo_use_host_filter | Boolean | true | |
| ldap_sudo_hostnames | Optional[Array[String[1],1]] | undef | |
| ldap_sudo_ip | Optional[Array[String[1],1]] | undef | |
| ldap_sudo_include_netgroups | Boolean | true | |
| ldap_sudo_include_regexp | Boolean | true | |
| ldap_autofs_map_master_name | Optional[String[1]] | undef | |
| ldap_autofs_map_object_class | Optional[String[1]] | undef | |
| ldap_autofs_map_name | Optional[String[1]] | undef | |
| ldap_autofs_entry_object_class | Optional[String[1]] | undef | |
| ldap_autofs_entry_key | Optional[String[1]] | undef | |
| ldap_autofs_entry_value | Optional[String[1]] | undef | |
| ldap_netgroup_search_base | Optional[String[1]] | undef | |
| ldap_user_search_base | Optional[String[1]] | undef | |
| ldap_group_search_base | Optional[String[1]] | undef | |
| ldap_sudo_search_base | Optional[String[1]] | undef | |
| ldap_autofs_search_base | Optional[String[1]] | undef | |
| ldap_idmap_range_min | Optional[Integer[0]] | undef | |
| ldap_idmap_range_max | Optional[Integer[0]] | undef | |
| ldap_idmap_range_size | Optional[Integer[0]] | undef | |
| ldap_idmap_default_domain_sid | Optional[String[1]] | undef | |
| ldap_idmap_default_domain | Optional[String[1]] | undef | |
| ldap_idmap_autorid_compat | Boolean | false | |
Type: Puppet Language
Returns true if the version of SSSD installed on the system is supported and false otherwise.
Assumes that the system is relatively modern and therefore supported by default.
Returns: Boolean
List of valid types for AD Provider setting ad_gpo_default_right
Alias of Enum['interactive', 'remote_interactive', 'network', 'batch', 'service', 'permit', 'deny']
List of valid SSSD domain access providers
Alias of Enum['permit', 'deny', 'ldap', 'ipa', 'ad', 'simple']
List of valid types for sssd domain authentication provider
Alias of Enum['ldap', 'krb5', 'ipa', 'ad', 'proxy', 'files', 'none']
List of valid types for sssd domain change password provider
Alias of Enum['ldap', 'krb5', 'ipa', 'ad', 'proxy', 'none']
Integer[0-9] or 2-byte hexadecimal (ex. 0x0201)
Alias of Variant[Integer[0,9], Pattern[/0x\h{4}$/]]
List of valid type for sssd domain ID provider.
Alias of Enum['proxy', 'ldap', 'ipa', 'ad', 'files']
List of valid values for ldap provider ldap_access_order setting
Alias of
Array[Enum[
'filter',
'lockout',
'ppolicy', # Only available in sssd >= 1.14.0
'expire',
'pwd_expire_policy_reject', # Only available in sssd >= 1.14.0
'pwd_expire_policy_warn', # Only available in sssd >= 1.14.0
'pwd_expire_policy_renew', # Only available in sssd >= 1.14.0
'authorized_service',
'host'
]]
List of valid values for the ldap provider ldap_account_expire_policy setting. '' corresponds to the default value (empty) per the sssd-ldap(5) man page.
Alias of Enum['', 'shadow', 'ad', 'rhds', 'ipa', '389ds', 'nds']
List of valid values for ldap provider default auth token
Alias of Enum['password', 'obfuscated_password']
List of valid values for ldap provider deref setting
Alias of Enum['never', 'searching', 'finding', 'always']
List of valid settings for the ldap provider ldap_schema setting.
Alias of Enum['rfc2307', 'rfc2307bis', 'IPA', 'AD']
List of valid settings for the ldap provider ldap_tls_reqcert setting.
Alias of Enum['never', 'allow', 'try', 'demand', 'hard']
List of available sssd services
Alias of Array[Enum['nss','pam','sudo','autofs','ssh','pac','ifp']]