Table of Contents

1. Overview
2. Module Description - A Puppet module for managing sssd
3. Setup - The basics of getting started with pupmod-simp-sssd
   • What pupmod-simp-sssd affects
   • Setup requirements
   • Beginning with pupmod-simp-sssd
4. Usage - Configuration options and additional functionality
5. Reference - An under-the-hood peek at what the module is doing and how
6. Limitations - OS compatibility, etc.
7. Development - Guide for contributing to the module

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Please read our Contribution Guide and visit our developer wiki.

Module Description

This module installs, configures and manages SSSD. It is also cross compatible with simp/pki and simp/auditd.

It allows connection via krb5, ldap and local authentication.

simp/sssd also connects to autofs, nss, pac, pam, ssh, and sudo.

Setup

What simp sssd affects

Files managed by simp/sssd:

• /etc/sssd/sssd.conf
• /etc/init.d/sssd
• (Optional) /etc/sssd/pki with simp/pki enabled

Services and operations managed or affected:

• sssd (running)
• nscd (stopped)

Packages installed by simp/pki:

• sssd (latest by default)

Setup Requirements

Hiera values to use additional SIMP compontents:

To enable PKI

enable_pki: true
use_simp_pki: true

Beginning with SIMP SSSD

The following will install and manage the service for SSSD, but will include no providers or affected services

include ::sssd

or

classes:
  - sssd

Usage

User Providers

I want to use local users

class sssd::provider::local {'localusers':
  default_shell  => '/bin/bash',
  base_directory => '/home',
  create_homedir => true,
  remove_homedir => true,
  homedir_umask  => '0037',
  skel_dir       => '/etc/skel/user',
  mail_dir       => '/etc/mailbox',
  userdel_cmd    => '/bin/userdel',
}

I want to use LDAP users

Please see sssd::provider::ldap for all available LDAP options

I want to use Kerberos

This will provide a basic connection to Kerberos

sssd::provider::krb5 {'kerberos':
  krb5_server    => 'my.kerberos.server',
  krb5_realm     => 'mykrbrealm',
  krb5_password  => hiera('use_eyaml'),
}

Services

The following services can be managed by simp/sssd:

• autofs
• nss
• pac
• pam
• ssh
• sudo

Please see sssd::service:: for more options on configuration

Reference

Public Classes

• sssd
• sssd::domain
• sssd::service
• sssd::install
• sssd::install::client
• sssd::provider::krb5
• sssd::provider::ldap
• sssd::provider::local
• sssd::service::autofs
• sssd::service::nss
• sssd::service::pac
• sssd::service::pam
• sssd::service::ssh
• sssd::service::sudo

Private Classes

• sssd::config::pki

Limitations

This module is only designed to work in RHEL or CentOS 6 and 7. Any other operating systems have not been tested and results cannot be guaranteed.

Development

Please see the SIMP Contribution Guidelines.

General developer documentation can be found on Confluence. Visit the project homepage on GitHub, chat with us on our HipChat, and look at our issues on JIRA.