I've done the exact same thing.

I set it up as one module that did the lot, i.e. I include it in a node manifest and then that node is enabled for logging in via ldap.

The file structure I had along with the important bits is below. I did it in a noddy way and just completely replace the pam.d stuff with the right files for our setup. All the machines have the same config so I didn't bother trying to use sed or augeas or whatever to change files on the box in place. Simple but it works.

Note that I also use the homecheck.so pam module. Since enabling ldap allows anyone from the entire uni to log into the machine, I use homecheck coupled with controlling what home dirs I set up so that only users who have a home dir set up locally on the machine can log in. Our ldap server returns something like /home/a/ab/abc123 for the homedir. On a machine I will then create symbolic links in /home such that /home/a/ab/abc123 actually points to /mn/nfs1/home/abc123. That redirection coupled with the homecheck pam module gives us an extra layer of security to lock down the boxes.

I have the ad_login directory in /etc/puppet/modules. Here is the structure...
ad_login/
ad_login/manifests
ad_login/manifests/init.pp

  class ad_login {
    include ad_login::install, ad_login::config, ad_login::service
  }

ad_login/manifests/service.pp

  class ad_login::service {
    # ensure sssd is running
    service { 'sssd':
      ensure     => running,
      hasstatus  => true,
      hasrestart => true,
      enable     => true,
      require    => Class['ad_login::config'],
    }
  }

ad_login/manifests/install.pp

  class ad_login::install {
    # ensure package sssd is installed
    package { 'sssd':
      ensure => installed,
    }
  }

ad_login/manifests/config.pp

  class ad_login::config {
    # get the correct sssd.conf in place (modes are quoted strings so Puppet
    # does not misread them as decimal numbers)
    file { '/etc/sssd/sssd.conf':
      mode    => '0600',
      owner   => 'root',
      group   => 'root',
      source  => 'puppet:///modules/ad_login/sssd.conf',
      require => Class['ad_login::install'],
      notify  => Class['ad_login::service'],
    }

    # get the correct nsswitch in place
    file { '/etc/nsswitch.conf':
      mode   => '0644',
      owner  => 'root',
      group  => 'root',
      source => 'puppet:///modules/ad_login/nsswitch.conf',
    }

    # get the correct pam.d files in place
    file { '/etc/pam.d/system-auth-ac':
      mode   => '0644',
      owner  => 'root',
      group  => 'root',
      source => 'puppet:///modules/ad_login/system-auth-ac',
    }

    file { '/etc/pam.d/password-auth-ac':
      mode   => '0644',
      owner  => 'root',
      group  => 'root',
      source => 'puppet:///modules/ad_login/password-auth-ac',
    }

    file { '/etc/pam.d/fingerprint-auth-ac':
      mode   => '0644',
      owner  => 'root',
      group  => 'root',
      source => 'puppet:///modules/ad_login/fingerprint-auth-ac',
    }

    file { '/etc/pam.d/smartcard-auth-ac':
      mode   => '0644',
      owner  => 'root',
      group  => 'root',
      source => 'puppet:///modules/ad_login/smartcard-auth-ac',
    }

    # the pam_homecheck module itself, shipped with the module's files
    file { '/lib64/security/pam_homecheck.so':
      mode   => '0755',
      owner  => 'root',
      group  => 'root',
      source => 'puppet:///modules/ad_login/pam_homecheck.so',
    }
  }

ad_login/files
ad_login/files/password-auth-ac
ad_login/files/sssd.conf
ad_login/files/nsswitch.conf
ad_login/files/smartcard-auth-ac
ad_login/files/pam_homecheck.so
ad_login/files/fingerprint-auth-ac
ad_login/files/system-auth-ac
ad_login/README
On 28/06/13 11:52, Chris Brew wrote:
> Hi,
>
> Since we haven't yet constituted a Puppet Working Group I'll ask here.
>
> I've created puppet code to set up ldap authentication on an SL6 box and I'm trying to work out the best way to structure this into modules.
>
> It needs to touch various parts of the OS, setting up the sssd service, adding entries into various pam files, messing with nsswitch.conf, passwd, groups and shadow.
>
> Is it better to split this into separate modules say for sssd, pam, etc or keep everything in one big ldapauth module?
>
> Thanks,
> Chris.
>
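As an added example (not code from either mail), a POSIX shell script that creates the /home/a/ab/abc123 -> /mn/nfs1/home/abc123 redirection the reply describes, and refuses to create a link when no NFS home exists, so pam_homecheck keeps the account locked out. The variable and function names are assumptions; only the directory layout comes from the post.

```shell
#!/bin/sh
# Added example: provision the local /home redirection for one LDAP user.
# Defaults match the layout in the post; override the two roots when testing.
HOME_ROOT="${HOME_ROOT:-/home}"
NFS_ROOT="${NFS_ROOT:-/mn/nfs1/home}"

# Relative LDAP-style home path for a username: abc123 -> a/ab/abc123
ldap_home_rel() {
    user="$1"
    first=$(printf '%s' "$user" | cut -c1)
    two=$(printf '%s' "$user" | cut -c1-2)
    printf '%s/%s/%s\n' "$first" "$two" "$user"
}

# Create $HOME_ROOT/a/ab/<user> -> $NFS_ROOT/<user>.
# Returns 1 (and creates nothing) if the username is malformed, the NFS home
# is missing, or a real file/directory already sits where the link would go.
link_home() {
    user="$1"
    case "$user" in
        ''|.*|*[!a-zA-Z0-9._-]*)
            echo "refusing malformed username: '$user'" >&2; return 1 ;;
    esac
    target="$NFS_ROOT/$user"
    if [ ! -d "$target" ]; then
        echo "no NFS home for $user at $target; not linking" >&2
        return 1
    fi
    link="$HOME_ROOT/$(ldap_home_rel "$user")"
    mkdir -p "$(dirname "$link")"
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link exists and is not a symlink; leaving it alone" >&2
        return 1
    fi
    # -n: replace an existing symlink instead of descending into its target
    ln -sfn "$target" "$link"
}
```

Run it as root once the NFS home has been provisioned; an LDAP account without a link under /home still fails the homecheck step.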