sssd
Description
This module will install the SSSD packages, configure any services and domains, and optionally configure the D-Bus system service.
CentOS, RHEL, Scientific Linux and Oracle Enterprise Linux are supported using Puppet 5 or later.
Setup
Beginning with sssd
You need to configure at least one domain for SSSD to start up, so the bare minimum would be:
    include ::sssd

    ::sssd::domain { 'example.com':
      id_provider => 'ldap',
      ...
    }
Usage
Configure SSSD to use LDAP for NSS:
    class { '::sssd':
      domains  => {
        'example.com' => {
          'id_provider'           => 'ldap',
          'ldap_schema'           => 'rfc2307',
          'ldap_uri'              => ['ldap://192.0.2.1'],
          'ldap_search_base'      => 'dc=example,dc=com',
          'ldap_tls_reqcert'      => 'never',
          'ldap_id_use_start_tls' => false,
          'ldap_default_bind_dn'  => 'cn=Manager,dc=example,dc=com',
          'ldap_default_authtok'  => 'secret',
        },
      },
      services => {
        'nss' => {},
      },
    }

    class { '::nsswitch':
      passwd => ['files', 'sss'],
      shadow => ['files', 'sss'],
      group  => ['files', 'sss'],
    }

    Class['::sssd'] -> Class['::nsswitch']
Extend the above example to also make the SSSD data available over D-Bus:
    include ::dbus
    include ::sssd

    ::sssd::service { 'nss': }

    ::sssd::domain { 'example.com':
      id_provider           => 'ldap',
      ldap_schema           => 'rfc2307',
      ldap_uri              => ['ldap://192.0.2.1'],
      ldap_search_base      => 'dc=example,dc=com',
      ldap_tls_reqcert      => 'never',
      ldap_id_use_start_tls => false,
      ldap_default_bind_dn  => 'cn=Manager,dc=example,dc=com',
      ldap_default_authtok  => 'secret',
    }

    include ::sssd::dbus

    class { '::nsswitch':
      passwd => ['files', 'sss'],
      shadow => ['files', 'sss'],
      group  => ['files', 'sss'],
    }

    Class['::sssd'] -> Class['::nsswitch']
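As an added example (not code from the module's README), the same domain used in the two examples above with the LDAP transport hardened: TLS is required, the server certificate is validated, and the bind password is read from Hiera instead of being written into the manifest. It assumes the module exposes ldap_tls_cacert as a parameter, following its one-parameter-per-setting approach, and that a Hiera key profile::sssd::bind_password exists.

```puppet
# Added example, not from the module's README. Hardened variant of the
# 'example.com' domain shown above. Assumptions: the module exposes an
# ldap_tls_cacert parameter (it maps sssd.conf settings one-to-one) and the
# Hiera key 'profile::sssd::bind_password' holds the bind credential.
include ::sssd

::sssd::service { 'nss': }

::sssd::domain { 'example.com':
  id_provider           => 'ldap',
  ldap_schema           => 'rfc2307',
  # ldaps:// instead of cleartext ldap://; the alternative is to keep
  # ldap:// and set ldap_id_use_start_tls => true so the session is upgraded
  ldap_uri              => ['ldaps://ldap.example.com'],
  ldap_search_base      => 'dc=example,dc=com',
  # 'demand' drops the connection unless the server certificate chains to
  # the CA bundle below; 'never' (as in the README examples) accepts any
  # certificate and so allows an interposed server to see the bind password
  ldap_tls_reqcert      => 'demand',
  ldap_tls_cacert       => '/etc/pki/tls/certs/ca-bundle.crt', # assumed parameter
  ldap_default_bind_dn  => 'cn=Manager,dc=example,dc=com',
  # resolved from Hiera (eyaml or similar) rather than stored in the manifest
  ldap_default_authtok  => lookup('profile::sssd::bind_password'),
}

class { '::nsswitch':
  passwd => ['files', 'sss'],
  shadow => ['files', 'sss'],
  group  => ['files', 'sss'],
}

Class['::sssd'] -> Class['::nsswitch']
```

Adding include ::sssd::dbus alongside the domain exposes the same hardened domain over D-Bus exactly as in the second example above.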
Reference
The reference documentation is generated with puppet-strings. The latest version is hosted at bodgit.github.io/puppet-sssd/ and is also available in REFERENCE.md.
Limitations
This module takes the (somewhat laborious) approach of creating a parameter for each sssd.conf setting rather than just passing in a large hash of settings, which should result in more control. Any setting that accepts the boolean TRUE/FALSE values is mapped to a native Puppet boolean type. Any multi-valued setting accepts an array of values.

Currently almost all parameters are optional; the only mandatory parameter is the identity provider (id_provider) for the sssd::domain defined type. This may change in the future if the logic becomes more obvious.
This module has been built on and tested against Puppet 5 and higher.
The module has been tested on:

- Red Hat/CentOS Enterprise Linux 6/7
Development
The module relies on PDK and has both rspec-puppet and beaker-rspec tests. Run them with:
    $ bundle exec rake spec
    $ PUPPET_INSTALL_TYPE=agent PUPPET_INSTALL_VERSION=x.y.z bundle exec rake beaker:<nodeset>
Please log issues or pull requests on GitHub.