IPA Puppet module

Overview

Puppet module that can manage an IPA master, replicas and clients.

huit/puppet-ipa aims at the management and configuration of a complete IPA environment under Puppet control.

To start, an IPA master will be required as the beginning of the LDAP/Kerberos environment. IPA replicas can then be added for additional resiliency.

Please note that a load-balanced configuration is not handled by this module; additional configuration is required if client communication is to be load balanced or a VIP is to be used.

IPA replica servers will automatically be configured with a replication agreement on the IPA master server.

All nodes added as clients will automatically be added to the IPA domain.

A cleanup parameter has been included to remove the IPA server or client packages from nodes.

Dependencies

Exported resources and stored configurations must be enabled on the Puppet master.

puppetlabs/puppetlabs-firewall module.

puppetlabs/stdlib module.

Usage

Available parameters.

#### master

Configures a server to be an IPA master LDAP/Kerberos node.

Defaults to 'false'.

#### replica

Configures a server to be an IPA replica LDAP/Kerberos node.

Defaults to 'false'.

#### client

Configures a server to be an IPA client.

Defaults to 'false'.

#### cleanup

Removes IPA specific packages.

Defaults to 'false'.

#### domain

Defines the LDAP domain.

Defaults to 'undef'.

#### realm

Defines the Kerberos realm.

Defaults to 'undef'.

#### adminpw

Defines the IPA administrative user password.

Defaults to 'undef'.

#### dspw

Defines the IPA directory services password.

Defaults to 'undef'.

#### otp

Defines an IPA client one-time password.

Defaults to 'undef'.

#### dns

Controls the option to configure a DNS zone with the IPA master setup.

Defaults to 'false'.

#### loadbalance

Controls the option to include any additional hostnames to be used in a load-balanced IPA client configuration.

Defaults to 'false'.

#### ipaservers

Defines an array of additional hostnames to be used in a load-balanced IPA client configuration.

Defaults to '[]'.

#### mkhomedir

Controls the option to create user home directories on first login.

Defaults to 'false'.

#### ntp

Controls the option to configure NTP on a client.

Defaults to 'false'.

#### kstart

Controls the installation of kstart.

Defaults to 'true'.

#### desc

Controls the description entry of an IPA client.

Defaults to ''.

#### locality

Controls the locality entry of an IPA client.

Defaults to ''.

#### location

Controls the location entry of an IPA client.

Defaults to ''.

#### sssdtools

Controls the installation of the SSSD tools package.

Defaults to 'true'.

#### sssdtoolspkg

SSSD tools package.

Defaults to 'sssd-tools'.

#### sssd

Controls the option to start the SSSD service.

Defaults to 'true'.

#### sudo

Controls the option to configure sudo in LDAP.

Defaults to 'false'.

#### sudopw

Defines the sudo user bind password.

Defaults to 'undef'.

#### debiansudopkg

Controls the installation of the Debian sudo-ldap package.

Defaults to 'true'.

#### automount

Controls the option to configure automounter maps in LDAP.

Defaults to 'false'.

#### autofs

Controls the option to start the autofs service.

Defaults to 'false'.

#### svrpkg

IPA server package.

Defaults to 'ipa-server'.

#### clntpkg

IPA client package.

Defaults to 'ipa-client'.

#### ldaputils

Controls the installation of the LDAP utilities package.

Defaults to 'true'.

#### ldaputilspkg

LDAP utilities package.

Defaults to 'openldap-clients'.

Usage examples

Here are a few simple usage examples. If you don't want to put your passwords in the clear in the manifest, use hiera with gpg-encrypted data instead.

IPA master:

    node 'ipamaster.domain.name' {
      class { 'ipa':
        master  => true, # Only one master per Puppet master
        domain  => 'domain.name',
        realm   => 'DOMAIN.NAME',
        adminpw => 'somepasswd', # Cleartext example
        dspw    => hiera('some_passwd') # Using hiera
      }
    }

IPA replica:

    node 'ipareplica1.domain.name' {
      class { 'ipa':
        replica => true, # Multiple replicas can be setup.
        domain  => 'domain.name',
        realm   => 'DOMAIN.NAME',
        adminpw => 'somepasswd',
        dspw    => 'somepasswd',
        otp     => 'onetimepasswd'
      }
    }

Another IPA replica:

    node 'ipareplica2.domain.name' {
      class { 'ipa':
        replica => true,
        domain  => 'domain.name',
        realm   => 'DOMAIN.NAME',
        adminpw => hiera('some_passwd'),
        dspw    => hiera('some_passwd'), 
        otp     => hiera('one_time_passwd')
      }
    }

IPA client:

    node 'ipaclient.domain.name' {
      class { 'ipa':
        client      => true,
        domain      => 'domain.name',
        realm       => 'DOMAIN.NAME',
        loadbalance => true,
        ipaservers  => ['ipaloadbalanceddnsname.domain.name','ipamaster.domain.name','ipareplica1.domain.name','ipareplica2.domain.name'],
        desc        => 'This is an IPA client', # This string will show up in the description attribute of the computer account.
        otp         => hiera('one_time_passwd')
      }
    }

Cleanup parameter:

    node 'ipawhatever.domain.name' {
      class { 'ipa':
        cleanup => true # Removes IPA completely. Mutually exclusive with the master, replica and client parameters.
      }
    }
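A pre-flight lint for manifests like the ones above, added here as an example and not code from huit/puppet-ipa: it pulls each `class { 'ipa': ... }` block apart with regular expressions and reports secrets (adminpw, dspw, otp, sudopw) given as quoted literals rather than hiera() lookups, plus declarations that set more than one of master, replica, client and cleanup. The parameter names and the sample manifest come from this README; treating all four role flags as mutually exclusive (the README states this only for cleanup) and the flat regex parsing are assumptions of the example.

```python
import re

SECRET_PARAMS = {"adminpw", "dspw", "otp", "sudopw"}      # password-like params
ROLE_PARAMS = {"master", "replica", "client", "cleanup"}  # assumed: only one true
# A `class { 'ipa': ... }` body runs from the colon to the first closing brace.
CLASS_RE = re.compile(r"class\s*\{\s*'ipa'\s*:(?P<body>.*?)\}", re.S)
# One `name => value` line; the trailing comma and `# comment` are cleaned off.
PARAM_RE = re.compile(r"^\s*(?P<name>\w+)\s*=>\s*(?P<value>[^\n]+)", re.M)

def _clean(value):
    return re.sub(r"\s+#.*$", "", value).strip().rstrip(",").strip()

def parse_ipa_declarations(manifest):
    # One {param: value} dict per ipa class declaration, in manifest order.
    return [{p.group("name"): _clean(p.group("value"))
             for p in PARAM_RE.finditer(block.group("body"))}
            for block in CLASS_RE.finditer(manifest)]

def lint_ipa_declaration(params):
    """Findings for one declaration; an empty list means it looks clean."""
    findings = []
    roles = sorted(p for p in ROLE_PARAMS if params.get(p) == "true")
    if len(roles) > 1:
        findings.append("roles are mutually exclusive: " + ", ".join(roles))
    elif not roles:
        findings.append("no role set (master, replica, client or cleanup)")
    for name in sorted(SECRET_PARAMS & params.keys()):
        if params[name][:1] in ("'", '"'):  # quoted literal rather than hiera()
            findings.append(f"{name} is a cleartext literal; use a hiera() lookup")
    return findings

def lint_manifest(manifest):
    out = []
    for i, params in enumerate(parse_ipa_declarations(manifest)):
        out += [f"ipa declaration {i}: {f}" for f in lint_ipa_declaration(params)]
    return out

# Constructed sample: a replica with a cleartext admin password, then a
# declaration that sets both client and cleanup.
SAMPLE_MANIFEST = """
class { 'ipa':
  replica => true, # Multiple replicas can be setup.
  adminpw => 'somepasswd', # Cleartext example
  otp     => hiera('one_time_passwd')
}
class { 'ipa':
  client  => true,
  cleanup => true,
  otp     => hiera('one_time_passwd')
}
"""
```

Run `lint_manifest` over the text of a `.pp` file before applying it; a non-empty result lists the declarations to fix.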

Limitations

IPA master and replicas require a Red Hat family OS.

Client configuration does not work with Ubuntu 8.04 and Ubuntu 10.04.

License

huit/puppet-ipa - Puppet module that can manage an IPA master, replicas and clients.

Copyright (C) 2013 Harvard University Information Technology

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

Support

Please report issues here.

For more information see https://github.com/huit/puppet-ipa.git