Skip to content
/ puppet-profile_system_auth Public

NCSA Common Puppet Profiles - configure standard system authentication

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ncsa/puppet-profile_system_auth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

66 Commits
.devcontainer
.devcontainer
 
 
.github/workflows
.github/workflows
 
 
.vscode
.vscode
 
 
data
data
 
 
lib/facter
lib/facter
 
 
manifests
manifests
 
 
spec
spec
 
 
templates
templates
 
 
.fixtures.yml
.fixtures.yml
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
.pdkignore
.pdkignore
 
 
.puppet-lint.rc
.puppet-lint.rc
 
 
.rspec
.rspec
 
 
.rubocop.yml
.rubocop.yml
 
 
.travis.yml
.travis.yml
 
 
.yamllint.yaml
.yamllint.yaml
 
 
.yardopts
.yardopts
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Gemfile
Gemfile
 
 
README.md
README.md
 
 
REFERENCE.md
REFERENCE.md
 
 
Rakefile
Rakefile
 
 
appveyor.yml
appveyor.yml
 
 
hiera.yaml
hiera.yaml
 
 
metadata.json
metadata.json
 
 
pdk.yaml
pdk.yaml
 
 

Repository files navigation

profile_system_auth

pdk-validate yamllint

NCSA Common Puppet Profiles - configure standard system authentication

Description

This common puppet profile module configures standard system authentication as used by NCSA. It configures kerberos, ldap, sssd, su, and general authentication.

Dependencies

  • authselect (or authconfig for EL7)
  • kerberos client and NCSA's kerberos configuration
  • kerberos host key creation and renewal (optional)
  • ldap clients and NCSA's ldap configuration
  • sssd configuration

Usage

The goal is that no paramters are required to be set. The default paramters should work for most NCSA deployments out of the box.

But there are two sets of parameters you may desire to override.

Disabling Homedir Creation

If you do not want to enable automtic homedir creation when a user logs into a host, you will want to set profile_system_auth::config::enablemkhomedir = false. This defaults to true, but may not be desirable in some environments.

Creating and Updating Kerberos Hostkeys

NCSA allows createhost principals for projects. This allows for two automated tasks related to Kerberos hostkeys:

  • automated creation of Kerberos hostkeys of servers
  • renewal (and cleanup) of Kerberos hostkeys of servers

In order to support this, you need to request a createhost principal keytab for your project, then assign the base64 encoding of the keytab file to profile_system_auth::kerberos::createhostkeytab and the first part of the principal's username to profile_system_auth::kerberos::createhostuser parameters. NCSA staff can request a createhost principal by emailing [email protected]. They will provide you a principal username and either the keytab file for that user or a BASE64 encoding of that keytab.

The same sort of approach can be done if using Active Directory (AD) to create a computer object for your host and save its keytab locally. This can be configured by specifying the following paraters:

profile_system_auth::kerberos::ad_computers_ou      # AD OU FOR COMPUTER OBJECTS
profile_system_auth::kerberos::ad_createhostkeytab  # BASE64 ENCODING OF KRB5 CREATEHOST KEYTAB FILE
profile_system_auth::kerberos::ad_createhostuser    # AD CREATEHOST USER
profile_system_auth::kerberos::ad_domain            # AD DOMAIN

Reference

REFERENCE.md

About

NCSA Common Puppet Profiles - configure standard system authentication

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

9 watching

Forks

0 forks
Report repository

Releases

18 tags

Packages

No packages published

Contributors 7

Languages