From 548cdd4adfdcefbe69e9e4869e6fbce84061b741 Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Tue, 10 Feb 2026 22:13:10 -0600
Subject: [PATCH 01/12] update for OIDC and update some references to OpenVox
---
.readme/footer.md | 6 +-
.readme/header.md | 4 +-
domain_join/manifests/init.pp | 186 ++++++++++++++---------
domain_join/templates/sssd.oidc.conf.erb | 20 +++
4 files changed, 140 insertions(+), 76 deletions(-)
create mode 100644 domain_join/templates/sssd.oidc.conf.erb
diff --git a/.readme/footer.md b/.readme/footer.md
index b799ea2..72e547a 100644
--- a/.readme/footer.md
+++ b/.readme/footer.md
@@ -2,13 +2,13 @@
### Option 1:
1. Clone the repo and use the modules
```bash
-git clone https://github.com/JasonN3/puppet_modules.git
+git clone https://github.com/JasonN3/openvox_modules.git
```
### Option 2:
-1. Edit your Puppetfile so r10k will clone the repo:
+1. Edit your Puppetfile so g10k will clone the repo:
```
mod 'github',
- :git => 'https://github.com/JasonN3/puppet_modules.git',
+ :git => 'https://github.com/JasonN3/openvox_modules.git',
:ref => 'main',
:install_path => 'git'
```
diff --git a/.readme/header.md b/.readme/header.md
index 4c1471b..2af4850 100644
--- a/.readme/header.md
+++ b/.readme/header.md
@@ -1,5 +1,5 @@
-# Puppet Modules
+# OpenVox Modules
## Description
-This is a collection of Puppet modules that I commonly use that make management of various Linux systems easier.
+This is a collection of OpenVox modules that I commonly use that make management of various Linux systems easier.
diff --git a/domain_join/manifests/init.pp b/domain_join/manifests/init.pp
index c826fe4..67690c2 100644
--- a/domain_join/manifests/init.pp
+++ b/domain_join/manifests/init.pp
@@ -43,27 +43,52 @@
# Configures a service to update the OS information on the AD object on startup
# @param enable_smartcard_ssh
# Enable smartcard authentication for SSH (Only seems to work on RHEL 8+)
+# @param oidc
+# Use OIDC for authentication
+# @param client_id
+# Client ID for OIDC authentication
+# @param client_secret
+# Optional secret for client
+# @param tenant_id
+# Tenant ID for Entra ID authentication
class domain_join (
- String $username,
- Sensitive[String] $sensitive_password,
- String $global_admins,
- String $global_ssh,
- String $local_admins,
- String $local_ssh,
- Boolean $global_nopasswd = false,
- Boolean $local_nopasswd = false,
- String $sssd_home = '/home',
- Optional[String] $override_domain = undef,
- Optional[String] $domain_short = undef,
- Optional[String] $dns_subdomain = undef,
- Boolean $dnsupdate = true,
- Optional[String] $file_header = undef,
- Array $time_servers = [],
- Boolean $configure_chrony = true,
- Enum['disabled', 'enabled', 'required', 'lock-on-removal'] $smartcard = 'disabled',
- Optional[Array[String]] $ad_trust = undef,
- Boolean $update_os_info = false,
- Boolean $enable_smartcard_ssh = false
+ Variant[{
+ String $username,
+ Sensitive[String] $sensitive_password,
+ String $global_admins,
+ String $global_ssh,
+ String $local_admins,
+ String $local_ssh,
+ Boolean $global_nopasswd = false,
+ Boolean $local_nopasswd = false,
+ String $sssd_home = '/home',
+ Optional[String] $override_domain = undef,
+ Optional[String] $domain_short = undef,
+ Optional[String] $dns_subdomain = undef,
+ Boolean $dnsupdate = true,
+ Optional[String] $file_header = undef,
+ Array $time_servers = [],
+ Boolean $configure_chrony = true,
+ Enum['disabled', 'enabled', 'required', 'lock-on-removal'] $smartcard = 'disabled',
+ Optional[Array[String]] $ad_trust = undef,
+ Boolean $update_os_info = false,
+ Boolean $enable_smartcard_ssh = false,
+ Enum[false] $oidc = false
+ },
+ {
+ Enum[true] $oidc = false,
+ String $client_id,
+ Optional[String] $client_secret,
+ String $tenant_id,
+ Optional[String] $override_domain = undef,
+ Optional[String] $file_header = undef,
+ Boolean $configure_chrony = true,
+ Optional[String] $domain_short = undef,
+ Array $time_servers = [],
+ }]
+
+
+
) {
if $override_domain {
$currdomain = $override_domain
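Review bot: The new `@param` comments at the top of the hunk leave out the two facts an operator needs before turning this mode on: when `client_secret` is actually required, and what the host must ship for `oidc` to work. `# @param client_secret` could read `# Client secret; only needed when the app registration is a confidential client. Leave unset for a public client using the device-code flow the template configures.`, and `# @param oidc` could add `# Requires a distribution sssd build that ships the idp provider (sssd-idp package).`. The minimum sssd release for the idp provider is from memory, so confirm it before writing a version number into the docs.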
@@ -83,7 +108,7 @@
} elsif $::file_header {
$file_header_local = $::file_header
} else {
- $file_header_local = 'This file is being maintained by Puppet. Do not edit.'
+ $file_header_local = 'This file is being maintained by OpenVox. Do not edit.'
}
# lint:endignore
@@ -139,9 +164,17 @@
package { 'samba-common':
ensure => installed,
}
- package { 'sssd':
- ensure => installed,
+ if $oidc {
+ package { 'sssd':
+ name => 'sssd-oidc',
+ ensure => installed,
+ }
+ } else {
+ package { 'sssd':
+ ensure => installed,
+ }
}
+
if $ad_trust != undef {
file { '/etc/sssd/pki':
@@ -167,41 +200,43 @@
}
}
- if($override_domain) {
- # lint:ignore:140chars
- $command = Sensitive("bash -c 'source /etc/os-release; echo -n \"${$sensitive_password.unwrap}\" | adcli join -H ${forced_fqdn} -D ${currdomain} -U \"${username}\" --stdin-password --os-name=\"\${NAME}\" --os-version=\"\${VERSION}\" --os-service-pack=\"\${VERSION_ID}\"'")
- # lint:endignore
- } else {
- # lint:ignore:140chars
- $command = Sensitive("bash -c 'source /etc/os-release; echo -n \"${$sensitive_password.unwrap}\" | adcli join -D ${currdomain} -U \"${username}\" --stdin-password --os-name=\"\${NAME}\" --os-version=\"\${VERSION}\" --os-service-pack=\"\${VERSION_ID}\"'")
- # lint:endignore
- }
+ unless $oidc {
+ if($override_domain) {
+ # lint:ignore:140chars
+ $command = Sensitive("bash -c 'source /etc/os-release; echo -n \"${$sensitive_password.unwrap}\" | adcli join -H ${forced_fqdn} -D ${currdomain} -U \"${username}\" --stdin-password --os-name=\"\${NAME}\" --os-version=\"\${VERSION}\" --os-service-pack=\"\${VERSION_ID}\"'")
+ # lint:endignore
+ } else {
+ # lint:ignore:140chars
+ $command = Sensitive("bash -c 'source /etc/os-release; echo -n \"${$sensitive_password.unwrap}\" | adcli join -D ${currdomain} -U \"${username}\" --stdin-password --os-name=\"\${NAME}\" --os-version=\"\${VERSION}\" --os-service-pack=\"\${VERSION_ID}\"'")
+ # lint:endignore
+ }
- exec { 'Join':
- command => $command,
- path => $facts['path'],
- notify => Service['sssd'],
- creates => '/etc/krb5.keytab',
- require => [
- Package['adcli'],
- Package['krb5-workstation'],
- Package['samba-common'],
- Package['samba-common-tools'],
- Package['sssd'],
- File['/etc/krb5.conf'],
- File['/etc/sssd/sssd.conf'],
- ],
- }
+ exec { 'Join':
+ command => $command,
+ path => $facts['path'],
+ notify => Service['sssd'],
+ creates => '/etc/krb5.keytab',
+ require => [
+ Package['adcli'],
+ Package['krb5-workstation'],
+ Package['samba-common'],
+ Package['samba-common-tools'],
+ Package['sssd'],
+ File['/etc/krb5.conf'],
+ File['/etc/sssd/sssd.conf'],
+ ],
+ }
- file { '/etc/systemd/system/update_adcli.service':
- ensure => file,
- content => template('domain_join/update_adcli.service.erb'),
- require => Exec['Join'],
- notify => Service['update_adcli'],
- }
+ file { '/etc/systemd/system/update_adcli.service':
+ ensure => file,
+ content => template('domain_join/update_adcli.service.erb'),
+ require => Exec['Join'],
+ notify => Service['update_adcli'],
+ }
- service { 'update_adcli':
- enable => true,
+ service { 'update_adcli':
+ enable => true,
+ }
}
file { '/etc/krb5.conf':
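Review bot: The `$command` strings carried onto the new side still embed the unwrapped password inside the single `bash -c '...'` argument, so for the duration of the join it is readable in `/proc/<pid>/cmdline` of the bash process by any local user, which undoes the point of `--stdin-password`. A cheaper channel is the exec's `environment` parameter, `environment => ["ADJOIN_PW=${sensitive_password.unwrap}"]`, with the pipeline reduced to `bash -c 'source /etc/os-release; printf %s \"$ADJOIN_PW\" | adcli join ...'`, since `/proc/<pid>/environ` is readable only by the process owner. Whether `environment` keeps the value out of the agent log and report on your OpenVox version should be checked before relying on it. This is pre-existing behaviour that the `unless $oidc` wrapper only re-indents; the Join exec's `require` list is inside the hunk but the `file { '/etc/krb5.conf':` resource it ends on continues past it.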
@@ -210,10 +245,15 @@
notify => Service['sssd'],
require => Package['krb5-workstation'],
}
+ if $oidc {
+ $sssd_src = 'domain_join/sssd.oidc.conf.erb'
+ } else {
+ $sssd_src = 'domain_join/sssd.conf.erb'
+ }
file { '/etc/sssd/sssd.conf':
ensure => file,
- content => template('domain_join/sssd.conf.erb'),
+ content => template($sssd_src),
owner => root,
group => root,
mode => '0400',
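Review bot: Once `$sssd_src` can point at `sssd.oidc.conf.erb`, the rendered `/etc/sssd/sssd.conf` carries `idp_client_secret`, and a plain `content => template($sssd_src)` means every change to the file is diffed into the agent log and report with the secret in clear. Wrapping the value, `content => Sensitive(template($sssd_src)),`, makes Puppet redact the diff and the logged content; adding `show_diff => false,` to the resource is a reasonable belt-and-braces measure. The `mode => '0400'` already covers the at-rest side. The resource's `notify`/`require` lines are outside the hunk.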
@@ -292,22 +332,26 @@
}
}
- case $smartcard {
- 'disabled': {
- $enable_smartcard = ''
- }
- 'enabled': {
- $enable_smartcard = 'with-smartcard'
- }
- 'required': {
- $enable_smartcard = 'with-smartcard-required'
- }
- 'lock-on-removal': {
- $enable_smartcard = 'with-smartcard-lock-on-removal'
- }
- default: {
- err('How??')
+ unless $oidc {
+ case $smartcard {
+ 'disabled': {
+ $enable_smartcard = ''
+ }
+ 'enabled': {
+ $enable_smartcard = 'with-smartcard'
+ }
+ 'required': {
+ $enable_smartcard = 'with-smartcard-required'
+ }
+ 'lock-on-removal': {
+ $enable_smartcard = 'with-smartcard-lock-on-removal'
+ }
+ default: {
+ err('How??')
+ }
}
+ } else {
+ $enable_smartcard = ''
}
exec { 'Enable SSSD Authentication':
diff --git a/domain_join/templates/sssd.oidc.conf.erb b/domain_join/templates/sssd.oidc.conf.erb
new file mode 100644
index 0000000..98ee1f1
--- /dev/null
+++ b/domain_join/templates/sssd.oidc.conf.erb
@@ -0,0 +1,20 @@
+[sssd]
+services = nss, pam
+domains = <%= @currdomain.upcase %>
+
+[domain/<%= @currdomain.upcase %>]
+id_provider = idp
+idp_type = entra_id
+idp_client_id = <%= @client_id %>
+<% if @client_secret -%>
+idp_client_secret = <%= @client_secret %>
+<% end -%>
+idp_token_endpoint = https://login.microsoftonline.com/<%= @tenant_id %>/oauth2/v2.0/token
+idp_device_auth_endpoint = https://login.microsoftonline.com/<%= @tenant_id %>/oauth2/v2.0/devicecode
+idp_userinfo_endpoint = https://graph.microsoft.com/v1.0/me
+idp_id_scope = https%3A%2F%2Fgraph.microsoft.com%2F.default
+idp_auth_scope = openid profile email
+
+[nss]
+default_shell = /bin/bash
+fallback_homedir = /home/%u
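Review bot: The new `[domain/...]` section sets no `access_provider`, and sssd's default for that option is `permit`, so in OIDC mode any account in the tenant that resolves through the idp provider can pass PAM on this host; there is no counterpart to the group-based SSH gating the AD path configures from the class's `global_ssh`/`local_ssh` values. I would add `access_provider = simple` followed by `simple_allow_groups = <%= @global_ssh %>, <%= @local_ssh %>` (applying whatever substitution the AD template gives those strings), on the assumption that the idp provider resolves Entra group membership for the `simple` provider to match against — confirm that on a test host before shipping. If group resolution turns out not to be available, the fallback is `access_provider = simple` with `simple_allow_users` so the default stays deny-by-default rather than permit.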
From 6eb63f4e1d6a4275362d019bedf08993dbe243dd Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Wed, 11 Feb 2026 04:36:48 +0000
Subject: [PATCH 02/12] gen readme and fix parameters
---
domain_join/README.md | 34 +++++++++++++++++--
domain_join/manifests/init.pp | 61 ++++++++++++++---------------------
2 files changed, 56 insertions(+), 39 deletions(-)
diff --git a/domain_join/README.md b/domain_join/README.md
index 91a8f03..e64bcb8 100644
--- a/domain_join/README.md
+++ b/domain_join/README.md
@@ -39,16 +39,20 @@ The following parameters are available in the `domain_join` class:
* [`ad_trust`](#ad_trust)
* [`update_os_info`](#update_os_info)
* [`enable_smartcard_ssh`](#enable_smartcard_ssh)
+* [`oidc`](#oidc)
+* [`client_id`](#client_id)
+* [`client_secret`](#client_secret)
+* [`tenant_id`](#tenant_id)
##### `username`
-Data type: `String`
+Data type: `Optional[String]`
The username used to domain join
##### `sensitive_password`
-Data type: `Sensitive[String]`
+Data type: `Optional[Sensitive[String]]`
The password used to domain join
@@ -190,3 +194,29 @@ Enable smartcard authentication for SSH (Only seems to work on RHEL 8+)
Default value: ``false``
+##### `oidc`
+
+Data type: `Boolean`
+
+Use OIDC for authentication
+
+Default value: ``false``
+
+##### `client_id`
+
+Data type: `Optional[String]`
+
+Client ID for OIDC authentication
+
+##### `client_secret`
+
+Data type: `Optional[String]`
+
+Optional secret for client
+
+##### `tenant_id`
+
+Data type: `Optional[String]`
+
+Tenant ID for Entra ID authentication
+
diff --git a/domain_join/manifests/init.pp b/domain_join/manifests/init.pp
index 67690c2..5ae2ed0 100644
--- a/domain_join/manifests/init.pp
+++ b/domain_join/manifests/init.pp
@@ -52,43 +52,30 @@
# @param tenant_id
# Tenant ID for Entra ID authentication
class domain_join (
- Variant[{
- String $username,
- Sensitive[String] $sensitive_password,
- String $global_admins,
- String $global_ssh,
- String $local_admins,
- String $local_ssh,
- Boolean $global_nopasswd = false,
- Boolean $local_nopasswd = false,
- String $sssd_home = '/home',
- Optional[String] $override_domain = undef,
- Optional[String] $domain_short = undef,
- Optional[String] $dns_subdomain = undef,
- Boolean $dnsupdate = true,
- Optional[String] $file_header = undef,
- Array $time_servers = [],
- Boolean $configure_chrony = true,
- Enum['disabled', 'enabled', 'required', 'lock-on-removal'] $smartcard = 'disabled',
- Optional[Array[String]] $ad_trust = undef,
- Boolean $update_os_info = false,
- Boolean $enable_smartcard_ssh = false,
- Enum[false] $oidc = false
- },
- {
- Enum[true] $oidc = false,
- String $client_id,
- Optional[String] $client_secret,
- String $tenant_id,
- Optional[String] $override_domain = undef,
- Optional[String] $file_header = undef,
- Boolean $configure_chrony = true,
- Optional[String] $domain_short = undef,
- Array $time_servers = [],
- }]
-
-
-
+ Optional[String] $username,
+ Optional[Sensitive[String]] $sensitive_password,
+ String $global_admins,
+ String $global_ssh,
+ String $local_admins,
+ String $local_ssh,
+ Boolean $global_nopasswd = false,
+ Boolean $local_nopasswd = false,
+ String $sssd_home = '/home',
+ Optional[String] $override_domain = undef,
+ Optional[String] $domain_short = undef,
+ Optional[String] $dns_subdomain = undef,
+ Boolean $dnsupdate = true,
+ Optional[String] $file_header = undef,
+ Array $time_servers = [],
+ Boolean $configure_chrony = true,
+ Enum['disabled', 'enabled', 'required', 'lock-on-removal'] $smartcard = 'disabled',
+ Optional[Array[String]] $ad_trust = undef,
+ Boolean $update_os_info = false,
+ Boolean $enable_smartcard_ssh = false,
+ Boolean $oidc = false,
+ Optional[String] $client_id,
+ Optional[String] $client_secret,
+ Optional[String] $tenant_id
) {
if $override_domain {
$currdomain = $override_domain
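Review bot: `global_admins`, `global_ssh`, `local_admins` and `local_ssh` remain mandatory `String` parameters here although the OIDC arm of the removed `Variant` had dropped them, so an `oidc => true` node must still supply four AD group names whose consumers — presumably sudoers/sshd configuration further down the class — are not visible in this hunk. Either they are applied in OIDC mode too, in which case the values are Entra group names and the `@param` text should say so, or they are dead in that mode and should become `Optional[String] $global_admins = undef` (and likewise for the other three) with a presence check in the non-OIDC branch, the same treatment `username` now gets. The class body continues well past the hunk.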
From 9aa91304ff8dfb93f94853fc4c1cd4b3e758742e Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Wed, 11 Feb 2026 04:38:59 +0000
Subject: [PATCH 03/12] update main readme
---
README.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index ce0dd42..b0ed290 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
-# Puppet Modules
+# OpenVox Modules
## Description
-This is a collection of Puppet modules that I commonly use that make management of various Linux systems easier.
+This is a collection of OpenVox modules that I commonly use that make management of various Linux systems easier.
---
## Modules list
@@ -16,13 +16,13 @@ Configires the node to use client/host certificates from Hashicorp Vault
### Option 1:
1. Clone the repo and use the modules
```bash
-git clone https://github.com/JasonN3/puppet_modules.git
+git clone https://github.com/JasonN3/openvox_modules.git
```
### Option 2:
-1. Edit your Puppetfile so r10k will clone the repo:
+1. Edit your Puppetfile so g10k will clone the repo:
```
mod 'github',
- :git => 'https://github.com/JasonN3/puppet_modules.git',
+ :git => 'https://github.com/JasonN3/openvox_modules.git',
:ref => 'main',
:install_path => 'git'
```
From d6c5b77dfb77b761651058dc6026cd9c4e793645 Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Wed, 11 Feb 2026 04:42:56 +0000
Subject: [PATCH 04/12] fixes
---
domain_join/manifests/init.pp | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/domain_join/manifests/init.pp b/domain_join/manifests/init.pp
index 5ae2ed0..fdd54c4 100644
--- a/domain_join/manifests/init.pp
+++ b/domain_join/manifests/init.pp
@@ -73,9 +73,9 @@
Boolean $update_os_info = false,
Boolean $enable_smartcard_ssh = false,
Boolean $oidc = false,
- Optional[String] $client_id,
- Optional[String] $client_secret,
- Optional[String] $tenant_id
+ Optional[String] $client_id = undef,
+ Optional[String] $client_secret = undef,
+ Optional[String] $tenant_id = undef
) {
if $override_domain {
$currdomain = $override_domain
@@ -161,7 +161,6 @@
ensure => installed,
}
}
-
if $ad_trust != undef {
file { '/etc/sssd/pki':
From cb5d4ed3498af25f3a81349ad2ac053af3da2d61 Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Wed, 11 Feb 2026 04:45:30 +0000
Subject: [PATCH 05/12] update readme
---
domain_join/README.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/domain_join/README.md b/domain_join/README.md
index e64bcb8..ff5fdb4 100644
--- a/domain_join/README.md
+++ b/domain_join/README.md
@@ -208,15 +208,21 @@ Data type: `Optional[String]`
Client ID for OIDC authentication
+Default value: ``undef``
+
##### `client_secret`
Data type: `Optional[String]`
Optional secret for client
+Default value: ``undef``
+
##### `tenant_id`
Data type: `Optional[String]`
Tenant ID for Entra ID authentication
+Default value: ``undef``
+
From a998a4adb06e2e113dae41b5084f4b90bd5425cf Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Wed, 11 Feb 2026 04:58:42 +0000
Subject: [PATCH 06/12] fixes
---
domain_join/README.md | 6 +++++-
domain_join/manifests/init.pp | 8 ++++----
domain_join/templates/sssd.oidc.conf.erb | 3 ++-
3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/domain_join/README.md b/domain_join/README.md
index ff5fdb4..e9ae86e 100644
--- a/domain_join/README.md
+++ b/domain_join/README.md
@@ -50,12 +50,16 @@ Data type: `Optional[String]`
The username used to domain join
+Default value: ``undef``
+
##### `sensitive_password`
Data type: `Optional[Sensitive[String]]`
The password used to domain join
+Default value: ``undef``
+
##### `global_admins`
Data type: `String`
@@ -212,7 +216,7 @@ Default value: ``undef``
##### `client_secret`
-Data type: `Optional[String]`
+Data type: `Optional[Sensitive[String]]`
Optional secret for client
diff --git a/domain_join/manifests/init.pp b/domain_join/manifests/init.pp
index fdd54c4..dcd57e8 100644
--- a/domain_join/manifests/init.pp
+++ b/domain_join/manifests/init.pp
@@ -52,8 +52,8 @@
# @param tenant_id
# Tenant ID for Entra ID authentication
class domain_join (
- Optional[String] $username,
- Optional[Sensitive[String]] $sensitive_password,
+ Optional[String] $username = undef,
+ Optional[Sensitive[String]] $sensitive_password = undef,
String $global_admins,
String $global_ssh,
String $local_admins,
@@ -74,7 +74,7 @@
Boolean $enable_smartcard_ssh = false,
Boolean $oidc = false,
Optional[String] $client_id = undef,
- Optional[String] $client_secret = undef,
+ Optional[Sensitive[String]] $client_secret = undef,
Optional[String] $tenant_id = undef
) {
if $override_domain {
@@ -153,7 +153,7 @@
}
if $oidc {
package { 'sssd':
- name => 'sssd-oidc',
+ name => 'sssd-idp',
ensure => installed,
}
} else {
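Review bot: With `name => 'sssd-idp'`, the resource titled `Package['sssd']` no longer ensures the `sssd` package itself in OIDC mode, yet `Service['sssd']` and `File['/etc/sssd/sssd.conf']` still `require`/`notify` it as though the daemon were guaranteed present. On the RHEL-family packaging I know, `sssd-idp` depends on `sssd-common` rather than the `sssd` meta-package, so this probably works but should be verified on the target release. A safer shape keeps `package { 'sssd': ensure => installed }` unconditional and adds `package { 'sssd-idp': ensure => installed, before => File['/etc/sssd/sssd.conf'] }` inside the `if $oidc` branch, which also avoids one resource title mapping to two different packages across modes.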
diff --git a/domain_join/templates/sssd.oidc.conf.erb b/domain_join/templates/sssd.oidc.conf.erb
index 98ee1f1..15fa382 100644
--- a/domain_join/templates/sssd.oidc.conf.erb
+++ b/domain_join/templates/sssd.oidc.conf.erb
@@ -7,13 +7,14 @@ id_provider = idp
idp_type = entra_id
idp_client_id = <%= @client_id %>
<% if @client_secret -%>
-idp_client_secret = <%= @client_secret %>
+idp_client_secret = <%= @client_secret.call('unwrap') %>
<% end -%>
idp_token_endpoint = https://login.microsoftonline.com/<%= @tenant_id %>/oauth2/v2.0/token
idp_device_auth_endpoint = https://login.microsoftonline.com/<%= @tenant_id %>/oauth2/v2.0/devicecode
idp_userinfo_endpoint = https://graph.microsoft.com/v1.0/me
idp_id_scope = https%3A%2F%2Fgraph.microsoft.com%2F.default
idp_auth_scope = openid profile email
+override_homedir = <%= @sssd_home -%>/%u
[nss]
default_shell = /bin/bash
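Review bot: `@client_secret.call('unwrap')` is not a method I can find on the `Sensitive` wrapper that an ERB template receives; the wrapper exposes `unwrap`, so `idp_client_secret = <%= @client_secret.unwrap %>` (or `scope.call_function('unwrap', [@client_secret])`) is the form I would expect — a spec context that compiles the class with `oidc => true` and a secret and matches the rendered content would settle it, and there is no such context visible in this series. Separately, the new `override_homedir = <%= @sssd_home -%>/%u` leaves the untouched `fallback_homedir = /home/%u` in `[nss]` inconsistent; `fallback_homedir = <%= @sssd_home %>/%u` keeps the two aligned, and the `-%>` on the expression tag has no effect since no newline follows it.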
From 996135ef98d413d0e90888274262aad435e4302d Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Wed, 11 Feb 2026 05:04:27 +0000
Subject: [PATCH 07/12] add validation
---
domain_join/manifests/init.pp | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/domain_join/manifests/init.pp b/domain_join/manifests/init.pp
index dcd57e8..c3d5be6 100644
--- a/domain_join/manifests/init.pp
+++ b/domain_join/manifests/init.pp
@@ -77,6 +77,24 @@
Optional[Sensitive[String]] $client_secret = undef,
Optional[String] $tenant_id = undef
) {
+ if $oidc {
+ if !$client_id {
+ fail('domain_join: client_id must be provided when oidc is enabled')
+ }
+ if !$client_secret {
+ fail('domain_join: client_secret must be provided when oidc is enabled')
+ }
+ if !$tenant_id {
+ fail('domain_join: tenant_id must be provided when oidc is enabled')
+ }
+ } else {
+ if !username {
+ fail('domain_join: username must be provided when oidc is disbled')
+ }
+ if !sensitive_password {
+ fail('domain_join: sensitive_password must be provided when oidc is disbled')
+ }
+ }
if $override_domain {
$currdomain = $override_domain
# This is only used if $override_domain is defined
From 9d0246a2bd89fe2354669f36ee4155529707bba2 Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Wed, 11 Feb 2026 05:15:32 +0000
Subject: [PATCH 08/12] use notify instead of subscribe
---
domain_join/manifests/init.pp | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/domain_join/manifests/init.pp b/domain_join/manifests/init.pp
index c3d5be6..b88d9fc 100644
--- a/domain_join/manifests/init.pp
+++ b/domain_join/manifests/init.pp
@@ -218,7 +218,10 @@
exec { 'Join':
command => $command,
path => $facts['path'],
- notify => Service['sssd'],
+ notify => [
+ Service['sssd'],
+ Exec['Enable SSSD Authentication']
+ ],
creates => '/etc/krb5.keytab',
require => [
Package['adcli'],
@@ -360,9 +363,6 @@
exec { 'Enable SSSD Authentication':
command => "${enablesssd} ${enable_smartcard}",
- subscribe => [
- Exec['Join'],
- ],
path => $facts['path'],
refreshonly => true,
require => [
From a23e35726b80a315442cbd01231cf03f7f98d76b Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Wed, 11 Feb 2026 05:23:02 +0000
Subject: [PATCH 09/12] don't require secret
---
domain_join/manifests/init.pp | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/domain_join/manifests/init.pp b/domain_join/manifests/init.pp
index b88d9fc..520ac00 100644
--- a/domain_join/manifests/init.pp
+++ b/domain_join/manifests/init.pp
@@ -81,18 +81,15 @@
if !$client_id {
fail('domain_join: client_id must be provided when oidc is enabled')
}
- if !$client_secret {
- fail('domain_join: client_secret must be provided when oidc is enabled')
- }
if !$tenant_id {
fail('domain_join: tenant_id must be provided when oidc is enabled')
}
} else {
- if !username {
- fail('domain_join: username must be provided when oidc is disbled')
+ if !$username {
+ fail('domain_join: username must be provided when oidc is disabled')
}
- if !sensitive_password {
- fail('domain_join: sensitive_password must be provided when oidc is disbled')
+ if !$sensitive_password {
+ fail('domain_join: sensitive_password must be provided when oidc is disabled')
}
}
if $override_domain {
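Review bot: The presence checks are the right shape, but `client_id` and `tenant_id` are still plain `String` values that the OIDC template interpolates straight into `sssd.conf` and into the `login.microsoftonline.com/<tenant>/...` endpoint URLs, so a value containing a newline or a `[` would inject extra keys or a new section into the file. Entra tenant IDs are GUIDs or verified domain names and client IDs are GUIDs (from memory — confirm), so tightening the types is cheap: `Optional[Pattern[/\A[A-Za-z0-9.-]+\z/]] $tenant_id = undef` and `Optional[Pattern[/\A[0-9a-fA-F-]{36}\z/]] $client_id = undef`. Those declarations sit above this hunk; the `fail` messages here can stay as they are.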
From 8d5eab893a0c20993845cc78f4a3d5f5464a4558 Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Wed, 11 Feb 2026 07:58:28 -0600
Subject: [PATCH 10/12] ensure enable sssd auth is called even if it's oidc
joined
---
domain_join/manifests/init.pp | 10 +++++-----
domain_join/spec/classes/domain_join_spec.rb | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/domain_join/manifests/init.pp b/domain_join/manifests/init.pp
index 520ac00..beea6ae 100644
--- a/domain_join/manifests/init.pp
+++ b/domain_join/manifests/init.pp
@@ -168,8 +168,8 @@
}
if $oidc {
package { 'sssd':
- name => 'sssd-idp',
ensure => installed,
+ name => 'sssd-idp',
}
} else {
package { 'sssd':
@@ -261,7 +261,7 @@
owner => root,
group => root,
mode => '0400',
- notify => Service['sssd'],
+ notify => [ Service['sssd'], Exec['Enable SSSD Authentication'] ]
require => Package['sssd'],
}
@@ -336,7 +336,9 @@
}
}
- unless $oidc {
+ if $oidc {
+ $enable_smartcard = ''
+ } else {
case $smartcard {
'disabled': {
$enable_smartcard = ''
@@ -354,8 +356,6 @@
err('How??')
}
}
- } else {
- $enable_smartcard = ''
}
exec { 'Enable SSSD Authentication':
diff --git a/domain_join/spec/classes/domain_join_spec.rb b/domain_join/spec/classes/domain_join_spec.rb
index 6e85ef5..f603fdb 100644
--- a/domain_join/spec/classes/domain_join_spec.rb
+++ b/domain_join/spec/classes/domain_join_spec.rb
@@ -15,7 +15,7 @@
'global_ssh' => 'EXAMPLE Linux SSH Users',
'local_admins' => 'EXAMPLE %HOSTNAME% Admins',
'local_ssh' => 'EXAMPLE %HOSTNAME% SSH Users',
- 'file_header' => 'Puppet managed'
+ 'file_header' => 'OpenVox managed'
}
}
From 71ef38c3d040dbd6f399b41da4dbd79a041caee1 Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Wed, 11 Feb 2026 08:01:04 -0600
Subject: [PATCH 11/12] fix syntax
---
domain_join/manifests/init.pp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/domain_join/manifests/init.pp b/domain_join/manifests/init.pp
index beea6ae..fb11dda 100644
--- a/domain_join/manifests/init.pp
+++ b/domain_join/manifests/init.pp
@@ -261,7 +261,7 @@
owner => root,
group => root,
mode => '0400',
- notify => [ Service['sssd'], Exec['Enable SSSD Authentication'] ]
+ notify => [ Service['sssd'], Exec['Enable SSSD Authentication'] ],
require => Package['sssd'],
}
From 09b07d7149b5b250d3e5650cf21cc13b524d552c Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Wed, 11 Feb 2026 08:12:00 -0600
Subject: [PATCH 12/12] formatting
---
domain_join/manifests/init.pp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/domain_join/manifests/init.pp b/domain_join/manifests/init.pp
index fb11dda..3dcec10 100644
--- a/domain_join/manifests/init.pp
+++ b/domain_join/manifests/init.pp
@@ -261,7 +261,10 @@
owner => root,
group => root,
mode => '0400',
- notify => [ Service['sssd'], Exec['Enable SSSD Authentication'] ],
+ notify => [
+ Service['sssd'],
+ Exec['Enable SSSD Authentication']
+ ],
require => Package['sssd'],
}