cookbook 'sssd_ldap', '= 3.1.0'
sssd_ldap
(30) Versions
3.1.0
-
Follow21
Sets up SSSD for LDAP on Ubuntu and RHEL systems
cookbook 'sssd_ldap', '= 3.1.0', :supermarket
knife supermarket install sssd_ldap
knife supermarket download sssd_ldap
sssd_ldap Cookbook
This cookbook installs SSSD and configures it for LDAP authentication. As part of the setup of SSSD it will also remove the NSCD package as NSCD is known to interfere with SSSD (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/usingnscd-sssd.html).
Requirements
Platforms
- Redhat
- Centos
- Amazon
- Scientific
- Oracle
- Ubuntu
- Debian
Chef
- Chef 11+
Cookbooks
- none
Attributes
Arbitrary key/value pairs may be added to the ['sssd_conf']
attribute object. These key/values will be expanded in the domain block of sssd.conf
. This allows you to set any SSSD configuration value you want, not just ones provided by the attributes in this cookbook.
Attribute | Value | Comment |
---|---|---|
['sssd_conf']['id_provider'] |
'ldap' |
|
['sssd_conf']['auth_provider'] |
'ldap' |
|
['sssd_conf']['chpass_provider'] |
'ldap' |
|
['sssd_conf']['sudo_provider'] |
'ldap' |
|
['sssd_conf']['enumerate'] |
'true' |
|
['sssd_conf']['cache_credentials'] |
'false' |
|
['sssd_conf']['ldap_schema'] |
'rfc2307bis' |
|
['sssd_conf']['ldap_uri'] |
'ldap://something.yourcompany.com' |
|
['sssd_conf']['ldap_search_base'] |
'dc=yourcompany,dc=com' |
|
['sssd_conf']['ldap_user_search_base'] |
'ou=People,dc=yourcompany,dc=com' |
|
['sssd_conf']['ldap_user_object_class'] |
'posixAccount' |
|
['sssd_conf']['ldap_user_name'] |
'uid' |
|
['sssd_conf']['override_homedir'] |
nil |
|
['sssd_conf']['shell_fallback'] |
'/bin/bash' |
|
['sssd_conf']['ldap_group_search_base'] |
'ou=Groups,dc=yourcompany,dc=com' |
|
['sssd_conf']['ldap_group_object_class'] |
'posixGroup' |
|
['sssd_conf']['ldap_id_use_start_tls'] |
'true' |
|
['sssd_conf']['ldap_tls_reqcert'] |
'never' |
|
['sssd_conf']['ldap_tls_cacert'] |
'/etc/pki/tls/certs/ca-bundle.crt' or '/etc/ssl/certs/ca-certificates.crt'
|
defaults for RHEL and others respectively |
['sssd_conf']['ldap_default_bind_dn'] |
'cn=bindaccount,dc=yourcompany,dc=com' |
if you have a domain that doesn't require binding set this attributes to nil |
['sssd_conf']['ldap_default_authtok'] |
'bind_password' |
if you have a domain that doesn't require binding set this to nil |
['authconfig_params'] |
'--enablesssd --enablesssdauth --enablelocauthorize --update' |
|
['sssd_conf']['access_provider'] |
nil |
Should be set to 'ldap'
|
['sssd_conf']['ldap_access_filter'] |
nil |
Can use simple LDAP filter such as 'uid=abc123' or more expressive LDAP filters like '(&(objectClass=employee)(department=ITSupport))'
|
['sssd_conf']['min_id'] |
'1' |
default, used to ignore lower uid/gid's |
['sssd_conf']['max_id'] |
'0' |
default, used to ignore higher uid/gid's |
['ldap_sudo'] |
false |
Adds ldap enabled sudoers (true/false) |
['ldap_ssh'] |
false |
Adds ldap enabled ssh keys (true/false) |
['ldap_autofs'] |
false |
Adds ldap enabled autofs config (true/false) |
Recipes
- default: Installs and configures sssd daemon
CA Certificates
If you manage your own CA then the easiest way to inject the certificate for system-wide use is as follows:
RHEL
cp ca.crt /etc/pki/ca-trust/source/anchors
update-ca-trust enable
update-ca-trust extract
Debian
cp ca.crt /usr/local/share/ca-certificates
update-ca-certificates
License & Authors
Author: Tim Smith - (tsmith84@gmail.com)
Copyright: 2013-2015, Limelight Networks, Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
CHANGELOG for sssd_ldap
This file is used to list changes made in each version of sssd_ldap.
3.1.0 (2016-04-27)
- Added back support for RHEL 5 by making sure not to enable the sudo service on RHEL < 6 as the package is too old
- Switched Test Kitchen testing in Travis CI to kitchen-dokken
- Added support for Ubuntu 15.10+ by removing the hardcoded Upstart service provider on Ubuntu 13.10 or later. Chef 12 can auto determine the provider to use
- Added testing on Fedora 23 / Debian 8 / Ubuntu 16.04 / CentOS 5 in Travis CI
3.0.1 (2015-12-24):
- Added 2 new attributes for enabling autofs and ssh support, both of which default to false
- nil values for config options are now skipped in the config to prevent bad configs from being written out
- Added test kitchen integration testing in Travis CI
3.0.0 (2015-10-22):
- BREAKING: All config file attributes have been moved into the
node['sssd_ldap']['sssd_conf']
hash. You can add any key value config items to this by just adding to the hash. - Add test kitchen config. Example:
node['sssd_ldap']['sssd_conf']['something'] = true
- Update Travis to run unit/lint testing via ChefDK instead of Gems and to run kitchen-docker for integration testing
- Use the standard Chef rubocop config
- Update development deps to the latest in the Gemfile
- Require at least Chef 11
2.0.0:
- BREAKING: Change default['sssd_ldap']['ldap_tls_cacertdir'] to default['sssd_ldap']['ldap_tls_cacert'] and use per platform value
- BREAKING: default['sssd_ldap']['ldap_sudo'] is a boolean value now not a string
- BREAKING: nsswitch.conf is no longer templated, but edited inline instead
- BREAKING: NSCD package is now removed instead of stopping the service
- Debian support added
- ldap_group_name added to sssd.confg via default['sssd_ldap']['ldap_group_name'] attribute
- source_url and issues_url added to the metadata
- sssd is always restarted after templating the config now
- Chefspec unit tests added
- Use standard chef .gitignore file
- Update rules in the .rubocop.yml file
- Have Travis test on Ruby 2.2 and remove 1.9 from testing
- Add a Berksfile
- Update Gemfile deps and break out into groups
- Add a license file
- Add cookbook version badge to the readme
- Additional files added to the chefignore file
1.0.2:
- Added support for min_id / max_id
- Added support for conditional sudoers
- Added attributes to the Readme
- Updated Rubocop to 0.27
1.0.0:
- Switch modes to be strings not ints
- Remove duplicate reference to the config template
- Add shell_fallback attribute
- Support Ubuntu 13.04 and later with Upstart
- Allow authenticating to servers that don't require binding
0.1.6:
- Supports Ubuntu
0.1.5:
- Added some more configurable attributes
0.1.0:
- Initial release of sssd_ldap
Foodcritic Metric
3.1.0 passed this metric
3.1.0 passed this metric