Puppet module that can manage an IPA master, replicas and clients.
huit/puppet-ipa aims at the management and configuration of a complete IPA environment under Puppet control.
To start, an IPA master will be required as the beginning of the LDAP/Kerberos environment. IPA replicas can then be added for additional resiliancy.
IPA replica servers will automatically be configured with a replication agreement on the IPA master server.
All nodes added as clients will automatically be added to the IPA domain.
A cleanup parameter has been included to remove the IPA server or client packages from nodes.
The ability to use Exported resources and Stored Configuration enabled on the Puppet master.
puppetlabs/puppetlabs-firewall module.
puppetlabs/stdlib module.
Available parameters.
####master
Configures a server to be an IPA master LDAP/Kerberos node.
Defaults to 'false'.
####replica
Configures a server to be an IPA replica LDAP/Kerberos node.
Defaults to 'false'.
####client
Configures a server to be an IPA client.
Defaults to 'false'.
####cleanup
Removes IPA specific packages.
Defaults to 'false'.
####domain
Defines the LDAP domain.
Defaults to 'undef'.
####realm
Defines the Kerberos realm.
Defaults to 'undef'.
####adminpw
Defines the IPA administrative user password.
Defaults to 'undef'.
####dspw
Defines the IPA directory services password.
Defaults to 'undef'.
####otp
Defines an IPA client one-time-password.
Defaults to 'undef'.
####dns
Controls the option to configure a DNS zone with the IPA master setup.
Defaults to 'false'.
####forwarders
Defines an array of DNS forwarders to use when DNS is setup. An empty list will use the Root Nameservers.
Defaults to '[]'.
####loadbalance
Controls the option to include any additional hostnames to be used in a load balanced IPA client configuration.
Defaults to 'false'.
####ipaservers
Defines an array of additional hostnames to be used in a load balanced IPA client configuration.
Defaults to '[]'
####mkhomedir
Controls the option to create user home directories on first login.
Defaults to 'false'.
####ntp
Controls the option to configure NTP on a client.
Defaults to 'false'.
####kstart
Controls the installation of kstart.
Defaults to 'true'.
####desc
Controls the description entry of an IPA client.
Defaults to ''.
####locality
Controls the locality entry of an IPA client.
Defaults to ''.
####location
Controls the location entry of an IPA client.
Defaults to ''.
####sssdtools
Controls the installation of the SSSD tools package.
Defaults to 'true'.
####sssdtoolspkg
SSSD tools package.
Defaults to 'sssd-tools'
####sssd
Controls the option to start the SSSD service.
Defaults to 'true'.
####sudo
Controls the option to configure sudo in LDAP.
Defaults to 'false'.
####sudopw
Defines the sudo user bind password.
Defaults to 'undef'.
####debiansudopkg
Controls the installation of the Debian sudo-ldap package.
Defaults to 'true'.
####automount
Controls the option to configure automounter maps in LDAP.
Defaults to 'false'.
####autofs
Controls the option to start the autofs service and install the autofs package.
Defaults to 'false'.
####svrpkg
IPA server package.
Defaults to 'ipa-server'.
####clntpkg
IPA client package.
Defaults to 'ipa-client'.
####ldaputils
Controls the instalation of the LDAP utilities package.
Defaults to 'true'.
####ldaputilspkg
LDAP utilities package.
Defaults to 'openldap-clients'.
Here are a few simple usage examples. If you don't want to put your passwords in the clear, then use hiera/gpg.
IPA master:
node 'ipamaster.domain.name' {
class { 'ipa':
master => true, # Only one master per Puppet master
domain => 'domain.name',
realm => 'DOMAIN.NAME',
adminpw => 'somepasswd', # Cleartext example
dspw => hiera('some_passwd') # Using hiera
}
}
IPA replica:
node 'ipareplica1.domain.name' {
class { 'ipa':
replica => true, # Multiple replicas can be setup.
domain => 'domain.name',
realm => 'DOMAIN.NAME',
adminpw => 'somepasswd',
dspw => 'somepasswd',
otp => 'onetimepasswd'
}
}
Another IPA replica:
node 'ipareplica2.domain.name' {
class { 'ipa':
replica => true,
domain => 'domain.name',
realm => 'DOMAIN.NAME',
adminpw => hiera('some_passwd'),
dspw => hiera('some_passwd'),
otp => hiera('one_time_passwd')
}
}
IPA client:
node 'ipaclient.domain.name' {
class { 'ipa':
client => true,
domain => 'domain.name',
realm => 'DOMAIN.NAME',
loadbalance => true,
ipaservers => ['ipaloadbalanceddnsname.domain.name','ipamaster.domain.name','ipareplica1.domain.name','ipareplica2.domain.name'],
desc => 'This is an IPA client', # This string will show up the the description attribute of the computer account.
otp => hiera('one_time_passwd')
}
}
Cleanup parameter:
node 'ipawhatever.domain.name' {
class { 'ipa':
cleanup => true # Removes IPA completely. Mutually exclusive from master, replica and client parameters.
}
}
IPA master and replicas require a RedHat family OS.
Client configuration does not work with Ubuntu 8.04 and Ubuntu 10.04
huit/puppet-ipa - Puppet module that can manage an IPA master, replicas and clients.
Copyright (C) 2013 Harvard University Information Technology
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Please report issues here.
For more information see https://github.com/huit/puppet-ipa.git