Puppet Class: freeipa

Defined in:
manifests/init.pp

Summary

Manages IPA masters, replicas and clients.

Overview

Parameters


Examples:

class {'freeipa':
    ipa_role                    => 'master',
    domain                      => 'example.lan',
    ipa_server_fqdn             => 'ipa-server-1.example.lan',
    puppet_admin_password       => 'vagrant123',
    directory_services_password => 'vagrant123',
    install_ipa_server          => true,
    ip_address                  => '10.10.10.35',
    enable_ip_address           => true,
    enable_hostname             => true,
    manage_host_entry           => true,
    install_epel                => true,
    ipa_master_fqdn             => 'ipa-server-1.example.lan',
}

Parameters:

  • domain (Stdlib::Fqdn)

    The name of the IPA domain to create or join.

  • ipa_role (Enum['master','replica','client'])

    What role the node will be.

  • puppet_admin_password (String[8])

    Password which will be assigned to the IPA account named `admin` and used by Puppet.

  • directory_services_password (String[8])

    Password which will be passed to the IPA server installer's `--ds-password` option.

  • autofs_package_name (String) (defaults to: 'autofs')

    Name of the autofs package to install if enabled.

  • client_install_ldaputils (Boolean) (defaults to: false)

    If true, then the ldaputils packages are installed if ipa_role is set to client.

  • configure_dns_server (Boolean) (defaults to: true)

    If true, then install and configure an integrated DNS server, create the DNS zone specified by `domain`, and fill it with the service records necessary for the IPA deployment.

  • configure_ntp (Boolean) (defaults to: true)

    If false, then do not configure NTP.

  • custom_dns_forwarders (Array[String]) (defaults to: [])

    Each element in this array is prefixed with `--forwarder` and passed to the IPA server installer.

  • principal_usedto_joindomain (String) (defaults to: 'admin')

    The principal (usually username) used to join a client or replica to the IPA domain.

  • password_usedto_joindomain (String) (defaults to: $puppet_admin_password)

    The password for the principal given in `principal_usedto_joindomain`.

  • enable_hostname (Boolean) (defaults to: true)

    If true, then the installer flag `--hostname` is populated with the parameter `ipa_server_fqdn` and passed to the IPA installer.

  • enable_ip_address (Boolean) (defaults to: false)

    If true, then the installer flag `--ip-address` is populated with the parameter `ip_address` and passed to the IPA installer.

  • fixed_primary (Boolean) (defaults to: false)

    If true, on a client configure SSSD to use a fixed server as the primary IPA server. The default client behavior is to use DNS SRV records to determine the primary server.

  • idstart (Integer[10000]) (defaults to: 10000)

    From the IPA man pages: “The starting user and group id number”.

  • install_autofs (Boolean) (defaults to: false)

    If true, then the autofs packages are installed.

  • install_epel (Boolean) (defaults to: true)

    If true, then the epel repo is installed. The epel repo is usually required for sssd packages.

  • install_sssdtools (Boolean) (defaults to: true)

    If true, then the sssdtools packages are installed.

  • ipa_client_package_name (String) (defaults to: $facts['os']['family'] ? { 'Debian' => 'freeipa-client', default => 'ipa-client' })

    Name of the IPA client package.

  • ipa_server_package_name (String) (defaults to: 'ipa-server')

    Name of the IPA server package.

  • install_ipa_client (Boolean) (defaults to: true)

    If true, then the IPA client packages are installed if the parameter `ipa_role` is set to `client`.

  • install_ipa_server (Boolean) (defaults to: true)

    If true, then the IPA server packages are installed if the parameter `ipa_role` is not set to `client`.

  • install_sssd (Boolean) (defaults to: true)

    If true, then the sssd packages are installed.

  • ip_address (Stdlib::IP::Address)

    The IP address of this server. If this address does not match the address the host resolves to and `configure_dns_server` is not `true`, the installation will fail.

  • ipa_server_fqdn (Stdlib::Fqdn) (defaults to: $facts['networking']['fqdn'])

    Actual FQDN of the IPA server being configured.

  • ldaputils_package_name (String) (defaults to: $facts['os']['family'] ? { 'Debian' => 'ldap-utils', default => 'openldap-clients' })

    Name of the ldaputils package.

  • ipa_master_fqdn (Stdlib::Fqdn)

    FQDN of the server to use for a client or replica domain join.

  • manage_host_entry (Boolean) (defaults to: false)

    If true, then a host entry is created using the parameters `ipa_server_fqdn` and `ip_address`.

  • mkhomedir (Boolean) (defaults to: true)

    If true, on a client configure PAM to create a user's home directory if it does not exist.

  • webui_redirect (Boolean) (defaults to: true)

    If true, then web requests to the URL root / are redirected to the web UI at /ipa/ui (for example, example.com/ipa/ui).

  • realm (Stdlib::Fqdn) (defaults to: upcase($domain))

    The name of the IPA realm to create or join.

  • server_install_ldaputils (Boolean) (defaults to: true)

    If true, then the ldaputils packages are installed if ipa_role is not set to client.

  • sssd_package_name (String) (defaults to: 'sssd-common')

    Name of the sssd package.

  • sssdtools_package_name (String) (defaults to: 'sssd-tools')

    Name of the sssdtools package.

  • install_ca (Boolean) (defaults to: true)

    If true, install and configure a CA even on a replica.
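
A replica and a client declaration, given here as an added example that is not part of the module's own documentation, using only the parameters listed above. The host names, IP addresses and domain are constructed; the Hiera keys `freeipa::puppet_admin_password` and `freeipa::directory_services_password` are assumed to exist in the environment's Hiera data (kept encrypted with hiera-eyaml rather than written as literals into the manifest, as the master example above does):

```puppet
# Added example, not the module's own code. Host names, addresses and the
# domain are constructed; the two Hiera keys looked up below are assumed to
# exist in the environment's (eyaml-encrypted) Hiera data.

# A second server joins the existing master as a replica. install_ca keeps its
# default of true, so this replica also carries a CA and can keep issuing
# certificates if the first master is lost. enable_ip_address passes the
# declared address to the installer, and manage_host_entry creates a host entry
# for ipa_server_fqdn at ip_address so the FQDN resolves to that address.
node 'ipa-server-2.example.lan' {
  class { 'freeipa':
    ipa_role                    => 'replica',
    domain                      => 'example.lan',
    ipa_server_fqdn             => 'ipa-server-2.example.lan',
    ipa_master_fqdn             => 'ipa-server-1.example.lan',
    ip_address                  => '10.10.10.36',
    enable_ip_address           => true,
    manage_host_entry           => true,
    custom_dns_forwarders       => ['10.10.10.1'],   # becomes --forwarder 10.10.10.1
    puppet_admin_password       => lookup('freeipa::puppet_admin_password'),
    directory_services_password => lookup('freeipa::directory_services_password'),
  }
}

# An enrolled client. The class body forces configure_dns_server to false for
# the client role, so no DNS server parameters are needed here. fixed_primary
# stays at its default so SSSD discovers servers through DNS SRV records, and
# mkhomedir has PAM create home directories on first login.
node 'workstation-1.example.lan' {
  class { 'freeipa':
    ipa_role                    => 'client',
    domain                      => 'example.lan',
    ipa_master_fqdn             => 'ipa-server-1.example.lan',
    ip_address                  => '10.10.10.50',
    fixed_primary               => false,
    mkhomedir                   => true,
    client_install_ldaputils    => true,
    puppet_admin_password       => lookup('freeipa::puppet_admin_password'),
    directory_services_password => lookup('freeipa::directory_services_password'),
  }
}
```

Because `puppet_admin_password`, `directory_services_password`, `ip_address` and `ipa_master_fqdn` have no defaults, every role, including the client, must supply them; pulling the two passwords through `lookup()` keeps them out of the manifest and out of version control.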



# File 'manifests/init.pp', line 68

class freeipa (
  Stdlib::Fqdn                         $domain,
  Enum['master','replica','client']    $ipa_role,
  String[8]                            $puppet_admin_password,
  String[8]                            $directory_services_password,
  Stdlib::IP::Address                  $ip_address,
  Stdlib::Fqdn                         $ipa_master_fqdn,
  Stdlib::Fqdn                         $realm                          = upcase($domain),
  String                               $autofs_package_name            = 'autofs',
  Boolean                              $client_install_ldaputils       = false,
  Boolean                              $configure_dns_server           = true,
  Boolean                              $configure_ntp                  = true,
  Array[String]                        $custom_dns_forwarders          = [],
  String                               $principal_usedto_joindomain    = 'admin',
  String                               $password_usedto_joindomain     = $puppet_admin_password,
  Boolean                              $enable_hostname                = true,
  Boolean                              $enable_ip_address              = false,
  Boolean                              $fixed_primary                  = false,
  Integer[10000]                       $idstart                        = 10000,
  Boolean                              $install_autofs                 = false,
  Boolean                              $install_epel                   = true,
  Boolean                              $install_sssdtools              = true,
  String                               $ipa_client_package_name        = $facts['os']['family'] ? {
    'Debian' => 'freeipa-client',
    default  => 'ipa-client',
  },
  String                               $ipa_server_package_name        = 'ipa-server',
  Boolean                              $install_ipa_client             = true,
  Boolean                              $install_ipa_server             = true,
  Boolean                              $install_sssd                   = true,
  Boolean                              $install_ca                     = true,
  Stdlib::Fqdn                         $ipa_server_fqdn                = $facts['networking']['fqdn'],
  String                               $ldaputils_package_name         = $facts['os']['family'] ? {
    'Debian' => 'ldap-utils',
    default  => 'openldap-clients',
  },
  Boolean                              $manage_host_entry              = false,
  Boolean                              $mkhomedir                      = true,
  Boolean                              $webui_redirect                 = true,
  Boolean                              $server_install_ldaputils       = true,
  String                               $sssd_package_name              = 'sssd-common',
  String                               $sssdtools_package_name         = 'sssd-tools',
) {

  if $facts['kernel'] != 'Linux' or $facts['osfamily'] == 'Windows' {
    fail('This module is only supported on Linux.')
  }

  if $ipa_role == 'client' {
    $final_configure_dns_server = false
  } else {
    $final_configure_dns_server = $configure_dns_server
  }

  include freeipa::install

}