Hi,
Thanks, everyone.
I did have a look around at other sssd/ldap modules before coding my own, but none of the ones I found seemed to support the compat ns functionality we use heavily (even augeas borks at it). Also, I wanted to jump into puppet at the deep end and set something up using puppet, hiera and augeas.
Coding up the module wasn't the hard part; indeed, I've now got two versions of it, one monolithic and one split into sssd, pam, and auth modules with more classes and sub classes than you can shake a quite large stick at. That was what prompted the question, as I went through a process of roughly:
"I should move the sssd config into its own class."
"But what if someday we want to use sssd but not with ldap?"
"Hmmm, better have sss::config::ldap then"
For more or less everything and ended up with a bunch of almost empty top level classes and rather a lot of n-th level classes, which seemed a bit inelegant but sounds like the "correct"(tm) solution.
Yours,
Chris.
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Steve Traylen
> Sent: 01 July 2013 09:23
> To: [log in to unmask]
> Subject: Re: Puppet Style Question
>
>
> On Jul 1, 2013, at 9:03 AM, Alessandra Forti wrote:
>
> > Hi,
> >
> > if you need to reuse the sssd, pam etc code in other places they are better
> off in their own module. I'd even check if there is anything written that can
> be used for those services.
> >
> > cheers
> > alessandra
> >
>
> sssd vs pam vs kerberos is a pain. Individual modules may make sense for
> sure but they are so intertwined with one another for a particular site it's
> hard to be generic.
>
> I attach our sssd module which will for sure not just work. It was a very early
> module containing quite frankly experimentation that is now already legacy.
> There is an open ticket here to re-factor it one day.
>
> Something it does do which I recommend is separating the pam.d/* files that
> authconfig maintains and those that puppet maintains.
>
> You can look on lxplus for the end result.
>
> system-auth is a symlink to system-auth-puppet which is maintained with
> puppet and this file includes system-auth-ac which is the one that authconfig
> maintains. See man authconfig for the "symlink" trick.
>
> >
> >
> > On 28/06/2013 11:52, Chris Brew wrote:
> >> Hi,
> >>
> >> Since we haven't yet constituted a Puppet Working Group I'll ask here.
> >>
> >> I've created puppet code to set up ldap authentication on an SL6 box and
> I'm trying to work out the best way to structure this into modules.
> >>
> >> It needs to touch various parts of the OS, setting up the sssd service,
> adding entries into various pam files, messing with nsswitch.conf, passwd,
> groups and shadow.
> >>
> >> Is it better to split this into separate modules say for sssd, pam, etc or
> keep everything in one big ldapauth module?
> >>
> >> Thanks,
> >> Chris.
> >>
> >
> >
> > --
> > Facts aren't facts if they come from the wrong people. (Paul Krugman)
>
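
The pam.d split Steve describes above, sketched as a Puppet manifest. This is an added example, not the module attached to the thread: the define name `pam_split_stack` and the include-only file body are assumptions, and it presumes authconfig has already written `system-auth-ac`.

```puppet
# Added example; the define name pam_split_stack is hypothetical.
define pam_split_stack (
  String $pam_dir = '/etc/pam.d',
) {
  $ac_file     = "${title}-ac"      # rewritten by authconfig
  $puppet_file = "${title}-puppet"  # owned by Puppet

  # Assumed body: delegate every PAM type to the authconfig file.
  # Site-specific lines would be added around the matching include.
  $content = @("EOT")
    #%PAM-1.0
    # Managed by Puppet; authconfig writes ${ac_file} only.
    auth        include       ${ac_file}
    account     include       ${ac_file}
    password    include       ${ac_file}
    session     include       ${ac_file}
    | EOT

  file { "${pam_dir}/${puppet_file}":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $content,
  }

  # Repoint the symlink only after its target exists: a dangling
  # system-auth breaks every service that includes it.
  file { "${pam_dir}/${title}":
    ensure  => link,
    target  => $puppet_file,
    require => File["${pam_dir}/${puppet_file}"],
  }
}

pam_split_stack { 'system-auth': }
```

Because `system-auth` no longer points at `system-auth-ac`, authconfig leaves the symlink alone on later runs and only regenerates the `-ac` file.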