I've done the exact same thing. I set it up as one module that did the lot, i.e. I include it in a node manifest and then that node is enabled for logging in via ldap. The file structure I had along with the important bits is below.

I did it in a noddy way and just completely replace the pam.d stuff with the right files for our setup. All the machines have the same config so I didn't bother trying to use sed or augeas or whatever to change files on the box in place. Simple but it works.

Note that I also use the homecheck.so pam module. Since enabling ldap allows anyone from the entire uni to log into the machine, I use homecheck coupled with controlling what home dirs I set up so that only users who have a home dir set up locally on the machine can log in. Our ldap server returns something like /home/a/ab/abc123 for the homedir. On a machine I will then create symbolic links in /home such that /home/a/ab/abc123 actually points to /mn/nfs1/home/abc123. That redirection coupled with the homecheck pam module gives us an extra layer of security to lock down the boxes.

I have the ad_login directory in /etc/puppet/modules. Here is the structure...

ad_login/
ad_login/manifests
ad_login/manifests/init.pp

    class ad_login {
      include ad_login::install, ad_login::config, ad_login::service
    }

ad_login/manifests/service.pp

    class ad_login::service {
      # ensure sssd is running
      service { "sssd" :
        ensure     => running,
        hasstatus  => true,
        hasrestart => true,
        enable     => true,
        require    => Class["ad_login::config"],
      }
    }

ad_login/manifests/install.pp

    class ad_login::install {
      # ensure package sssd is installed
      package { 'sssd':
        ensure => installed,
      }
    }

ad_login/manifests/config.pp

    class ad_login::config {
      # get the correct sssd.conf in place
      # (modes are quoted octal strings so Puppet does not read them as decimal numbers)
      file { "/etc/sssd/sssd.conf":
        mode    => '0600',
        owner   => root,
        group   => root,
        source  => "puppet:///modules/ad_login/sssd.conf",
        require => Class["ad_login::install"],
        notify  => Class["ad_login::service"],
      }

      # get the correct nsswitch in place
      file { "/etc/nsswitch.conf":
        mode   => '0644',
        owner  => root,
        group  => root,
        source => "puppet:///modules/ad_login/nsswitch.conf",
      }

      # get the correct pam.d files in place
      file { "/etc/pam.d/system-auth-ac":
        mode   => '0644',
        owner  => root,
        group  => root,
        source => "puppet:///modules/ad_login/system-auth-ac",
      }

      file { "/etc/pam.d/password-auth-ac":
        mode   => '0644',
        owner  => root,
        group  => root,
        source => "puppet:///modules/ad_login/password-auth-ac",
      }

      file { "/etc/pam.d/fingerprint-auth-ac":
        mode   => '0644',
        owner  => root,
        group  => root,
        source => "puppet:///modules/ad_login/fingerprint-auth-ac",
      }

      file { "/etc/pam.d/smartcard-auth-ac":
        mode   => '0644',
        owner  => root,
        group  => root,
        source => "puppet:///modules/ad_login/smartcard-auth-ac",
      }

      # install the homecheck pam module referenced by the pam.d files
      file { "/lib64/security/pam_homecheck.so":
        mode   => '0755',
        owner  => root,
        group  => root,
        source => "puppet:///modules/ad_login/pam_homecheck.so",
      }
    }

ad_login/files
ad_login/files/password-auth-ac
ad_login/files/sssd.conf
ad_login/files/nsswitch.conf
ad_login/files/smartcard-auth-ac
ad_login/files/pam_homecheck.so
ad_login/files/fingerprint-auth-ac
ad_login/files/system-auth-ac
ad_login/README

On 28/06/13 11:52, Chris Brew wrote:
> Hi,
>
> Since we haven't yet constituted a Puppet Working Group I'll ask here.
>
> I've created puppet code to set up ldap authentication on an SL6 box and I'm trying to work out the best way to structure this into modules.
>
> It needs to touch various parts of the OS, setting up the sssd service, adding entries into various pam files, messing with nsswitch.conf, passwd, groups and shadow.
>
> Is it better to split this into separate modules say for sssd, pam, etc or keep everything in one big ldapauth module?
>
> Thanks,
> Chris.
>
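
An added example, not part of the original message or its module: a small Python audit of the /home symlink layout the reply describes, reporting which links resolve to a directory under the NFS home root and which do not. The function names, status labels and the scratch-directory sample tree are assumptions constructed for illustration; on a real box you would call audit_home_links() with its defaults.

```python
import os
import tempfile

def audit_home_links(home_root="/home", nfs_root="/mn/nfs1/home"):
    """Map each symlink under home_root to (status, resolved target)."""
    nfs_real = os.path.realpath(nfs_root)
    report = {}
    # followlinks=False: report the links themselves, never descend into NFS homes.
    for dirpath, dirnames, filenames in os.walk(home_root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if not os.path.isdir(target):
                status = "no-directory"      # dangling link or target is not a directory
            elif os.path.commonpath([nfs_real, target]) != nfs_real:
                status = "outside-nfs-root"  # resolves somewhere other than the NFS homes
            elif os.path.basename(target) != name:
                status = "name-mismatch"     # link name and target home differ
            else:
                status = "ok"
            report[os.path.relpath(path, home_root)] = (status, target)
    return report

def build_demo_tree(base):
    """Constructed sample layout (not real accounts) under a scratch directory."""
    home, nfs = os.path.join(base, "home"), os.path.join(base, "mn/nfs1/home")
    for user in ("abc123", "xyz789"):
        os.makedirs(os.path.join(nfs, user))
    os.makedirs(os.path.join(base, "srv/other"))
    links = {
        "a/ab/abc123": os.path.join(nfs, "abc123"),      # intended case
        "d/de/def456": os.path.join(nfs, "def456"),      # home never created
        "g/gh/ghi000": os.path.join(nfs, "xyz789"),      # points at another user's home
        "j/jk/jkl111": os.path.join(base, "srv/other"),  # outside the NFS root
    }
    for rel, target in links.items():
        os.makedirs(os.path.dirname(os.path.join(home, rel)))
        os.symlink(target, os.path.join(home, rel))
    return home, nfs

def demo():
    with tempfile.TemporaryDirectory() as base:
        home, nfs = build_demo_tree(base)
        return {k: v[0] for k, v in audit_home_links(home, nfs).items()}

if __name__ == "__main__":
    for link, status in sorted(demo().items()):
        print(f"{status:18} {link}")
```

Any status other than "ok" marks a link that does not match the intended one-user, one-NFS-home mapping and is worth reviewing before relying on the home directory restriction.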