(#143) Added support for smartcard params for pam and ldap (#144)

* (#143) Added support for smartcard params for pam and ldap

Fixes #143

* Added releng stuff

Author: michael-riddle

CHANGELOG

@@ -1,3 +1,8 @@
+* Wed Apr 10 2024 Mike Riddle <[email protected]> - 7.10.0
+- Added the pam_cert_auth parameter to the pam service
+- Added the ldap_user_cert parameter to the ldap provider
+- Users can now specify ldap providers via hieradata using sssd::ldap_providers
+
 * Wed Nov 29 2023 Virus2500 <[email protected]> - 7.9.0
 - add domain option ldap_user_search_filter
 

REFERENCE.md

@@ -63,6 +63,19 @@ using an nscd module at the same time, which is the correct behavior.
 Full documentation of the parameters that map directly to SSSD
 configuration options can be found in the sssd.conf(5) man page.
 
+#### Examples
+
+##### sssd::provider::ldap in hieradata:
+
+```puppet
+sssd::ldap_providers:
+  ldap_users:
+    ldap_access_filter: 'memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com'
+    ldap_chpass_uri: empty
+    ldap_access_order: 'expire'
+    etc...
+```
+
 #### Parameters
 
 The following parameters are available in the `sssd` class:
@@ -84,6 +97,7 @@ The following parameters are available in the `sssd` class:
 * [`user`](#-sssd--user)
 * [`default_domain_suffix`](#-sssd--default_domain_suffix)
 * [`override_space`](#-sssd--override_space)
+* [`ldap_providers`](#-sssd--ldap_providers)
 * [`enumerate_users`](#-sssd--enumerate_users)
 * [`include_svc_config`](#-sssd--include_svc_config)
 * [`cache_credentials`](#-sssd--cache_credentials)
@@ -231,6 +245,14 @@ Data type: `Optional[String[1]]`
 
 Default value: `undef`
 
+##### <a name="-sssd--ldap_providers"></a>`ldap_providers`
+
+Data type: `Hash`
+
+This allows users to set up ldap sssd::provider::ldap resources via hieradata
+
+Default value: `{}`
+
 ##### <a name="-sssd--enumerate_users"></a>`enumerate_users`
 
 Data type: `Boolean`
@@ -937,6 +959,7 @@ The following parameters are available in the `sssd::service::pam` class:
 * [`debug_level`](#-sssd--service--pam--debug_level)
 * [`debug_timestamps`](#-sssd--service--pam--debug_timestamps)
 * [`debug_microseconds`](#-sssd--service--pam--debug_microseconds)
+* [`pam_cert_auth`](#-sssd--service--pam--pam_cert_auth)
 * [`reconnection_retries`](#-sssd--service--pam--reconnection_retries)
 * [`command`](#-sssd--service--pam--command)
 * [`offline_credentials_expiration`](#-sssd--service--pam--offline_credentials_expiration)
@@ -980,6 +1003,14 @@ Data type: `Boolean`
 
 
 
+Default value: `false`
+
+##### <a name="-sssd--service--pam--pam_cert_auth"></a>`pam_cert_auth`
+
+Data type: `Boolean`
+
+
+
 Default value: `false`
 
 ##### <a name="-sssd--service--pam--reconnection_retries"></a>`reconnection_retries`
@@ -2735,6 +2766,7 @@ The following parameters are available in the `sssd::provider::ldap` defined typ
 * [`ldap_default_bind_dn`](#-sssd--provider--ldap--ldap_default_bind_dn)
 * [`ldap_default_authtok_type`](#-sssd--provider--ldap--ldap_default_authtok_type)
 * [`ldap_default_authtok`](#-sssd--provider--ldap--ldap_default_authtok)
+* [`ldap_user_cert`](#-sssd--provider--ldap--ldap_user_cert)
 * [`ldap_user_object_class`](#-sssd--provider--ldap--ldap_user_object_class)
 * [`ldap_user_name`](#-sssd--provider--ldap--ldap_user_name)
 * [`ldap_user_uid_number`](#-sssd--provider--ldap--ldap_user_uid_number)
@@ -2985,6 +3017,14 @@ Data type: `Optional[String[1]]`
 
 Default value: `simplib::lookup('simp_options::ldap::bind_pw', { 'default_value' => undef })`
 
+##### <a name="-sssd--provider--ldap--ldap_user_cert"></a>`ldap_user_cert`
+
+Data type: `Optional[String[1]]`
+
+
+
+Default value: `undef`
+
 ##### <a name="-sssd--provider--ldap--ldap_user_object_class"></a>`ldap_user_object_class`
 
 Data type: `Optional[String[1]]`

manifests/init.pp

@@ -27,6 +27,16 @@
 # @param user
 # @param default_domain_suffix
 # @param override_space
+# @param ldap_providers
+#   This allows users to set up ldap sssd::provider::ldap resources via hieradata
+# @example sssd::provider::ldap in hieradata:
+#   sssd::ldap_providers:
+#     ldap_users:
+#       ldap_access_filter: 'memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com'
+#       ldap_chpass_uri: empty
+#       ldap_access_order: 'expire'
+#       etc...
+#
 # @param enumerate_users
 #   Have SSSD list and cache all the users that it can find on the remote system
 #
@@ -100,6 +110,7 @@
   Optional[String[1]]           $user                  = undef,
   Optional[String[1]]           $default_domain_suffix = undef,
   Optional[String[1]]           $override_space        = undef,
+  Hash                          $ldap_providers        = {},
   Boolean                       $enable_files_domain   = true,
   Boolean                       $enumerate_users       = false,
   Boolean                       $cache_credentials     = true,
@@ -145,4 +156,10 @@
       content => '-w /etc/sssd/ -p wa -k CFG_sssd'
     }
   }
+
+  $ldap_providers.each |$key, $value| {
+    sssd::provider::ldap { $key:
+      * => $value,
+    }
+  }
 }

manifests/provider/ldap.pp

@@ -49,6 +49,7 @@
 # @param ldap_default_bind_dn
 # @param ldap_default_authtok_type
 # @param ldap_default_authtok
+# @param ldap_user_cert
 # @param ldap_user_object_class
 # @param ldap_user_name
 # @param ldap_user_uid_number
@@ -205,6 +206,7 @@
   Optional[String[1]]                   $ldap_default_bind_dn              = simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => undef }),
   Optional[Sssd::LdapDefaultAuthtok]    $ldap_default_authtok_type         = undef,
   Optional[String[1]]                   $ldap_default_authtok              = simplib::lookup('simp_options::ldap::bind_pw', { 'default_value' => undef }),
+  Optional[String[1]]                   $ldap_user_cert                    = undef,
   Optional[String[1]]                   $ldap_user_object_class            = undef,
   Optional[String[1]]                   $ldap_user_name                    = undef,
   Optional[String[1]]                   $ldap_user_uid_number              = undef,

manifests/service/pam.pp

@@ -9,6 +9,7 @@
 # @param debug_level
 # @param debug_timestamps
 # @param debug_microseconds
+# @param pam_cert_auth
 # @param reconnection_retries
 # @param command
 # @param offline_credentials_expiration
@@ -37,6 +38,7 @@
   Optional[Sssd::DebugLevel]   $debug_level                    = undef,
   Boolean                      $debug_timestamps               = true,
   Boolean                      $debug_microseconds             = false,
+  Boolean                      $pam_cert_auth                  = false,
   Integer                      $reconnection_retries           = 3,
   Optional[String]             $command                        = undef,
   Integer                      $offline_credentials_expiration = 0,

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "simp-sssd",
-  "version": "7.9.0",
+  "version": "7.10.0",
   "author": "SIMP Team",
   "summary": "Manages SSSD",
   "license": "Apache-2.0",

spec/classes/init_spec.rb

@@ -88,6 +88,22 @@
               .with_order(99999)
           }
         end
+
+        context 'with ldap provider' do
+          let(:params) {{
+            :ldap_providers => {
+              :test_provider => {
+                :ldap_access_filter => 'memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com',
+              }
+            }
+          }}
+
+          it {
+            is_expected.to create_sssd__provider__ldap('test_provider').with( {
+              :ldap_access_filter => 'memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com',
+            } )
+          }
+        end
       end
     end
   end

spec/defines/provider/ldap_spec.rb

@@ -104,6 +104,17 @@
           is_expected.to create_sssd__config__entry("puppet_provider_#{title}_ldap").with_content(expected)
         end
       end
+
+      context 'with ldap_user_cert set' do
+        let(:params) {{ :ldap_user_cert => 'userCertificate;binary' }}
+        
+        it { is_expected.to compile.with_all_deps }
+        it {
+          is_expected.to create_sssd__config__entry("puppet_provider_#{title}_ldap")
+            .with_content(%r(ldap_user_cert = userCertificate;binary))
+        }
+      end
+
       context 'with app_pki_ca_dir set' do
         let(:params) {{ :app_pki_ca_dir => '/path/to/ca' }}
 

templates/provider/ldap.erb

@@ -11,6 +11,7 @@
     'ldap_default_bind_dn',
     'ldap_default_authtok_type',
     'ldap_default_authtok',
+    'ldap_user_cert',
     'ldap_user_object_class',
     'ldap_user_name',
     'ldap_user_uid_number',

templates/service/pam.erb

@@ -28,3 +28,6 @@ pam_trusted_users = <%= @pam_trusted_users %>
 <% if @pam_public_domains -%>
 pam_public_domains = <%= @pam_public_domains %>
 <% end -%>
+<% if @pam_cert_auth -%>
+pam_cert_auth = True
+<% end -%>