Puppet Class: ipa

Defined in:
manifests/init.pp

Summary

Manages IPA masters, replicas and clients.

Overview

TODO:

  • Allow creation of root zone for isolated networks (www.freeipa.org/page/Howto/DNS_in_isolated_networks).
  • Class comments.
  • Dependencies and metadata updates.
  • Variable scope and passing.
  • Configurable admin username.

Parameters:

  • domain (Stdlib::Fqdn)

    (string) The name of the IPA domain to create or join.

  • ipa_role (Enum['client', 'master', 'replica'])

    (string) What role the node will be. Options are ‘master’, ‘replica’, and ‘client’.

  • admin_password (Optional[Variant[Sensitive[String[8]],String[8]]]) (defaults to: undef)

    (string) Password which will be assigned to the IPA account named ‘admin’.

  • directory_services_password (Optional[Variant[Sensitive[String[8]],String[8]]]) (defaults to: undef)

    (string) Password which will be passed to the IPA server installer as the parameter ‘--ds-password’.

  • allow_zone_overlap (Boolean) (defaults to: false)

    (boolean) If set to true, allow creating a (reverse) zone even if the zone is already
    resolvable. Using this option is discouraged, as it can result in later problems with
    the domain name. You may have to use this, though, when migrating existing DNS
    domains to FreeIPA.

  • no_dnssec_validation (Boolean) (defaults to: false)

    (boolean) If set to true, DNSSEC validation is disabled.

  • configure_dns_server (Boolean) (defaults to: true)

    (boolean) If true, then the parameter ‘--setup-dns’ is passed to the IPA server installer.
    It also triggers the install of the required DNS server packages.

  • configure_replica_ca (Boolean) (defaults to: false)

    (boolean) If true, then the parameter ‘--setup-ca’ is passed to the IPA replica installer.

  • configure_ntp (Boolean) (defaults to: true)

    (boolean) If false, then the parameter ‘--no-ntp’ is passed to the IPA client and server installers.

  • configure_ssh (Boolean) (defaults to: true)

    (boolean) If false, then the parameter ‘--no-ssh’ is passed to the IPA client and server installers.

  • configure_sshd (Boolean) (defaults to: true)

    (boolean) If false, then the parameter ‘--no-sshd’ is passed to the IPA client and server installers.

  • custom_dns_forwarders (Array[String]) (defaults to: [])

    (array) Each element in this array is prefixed with ‘--forwarder ’ and passed to the IPA server installer.

  • domain_join_principal (Variant[Sensitive[String[1]],String[1]]) (defaults to: 'admin')

    (string) The principal (usually username) used to join a client or replica to the IPA domain.

  • domain_join_password (Optional[Variant[Sensitive[String[1]],String[1]]]) (defaults to: $directory_services_password)

    (string) The password for the domain_join_principal.

  • enable_dns_updates (Boolean) (defaults to: false)

    (boolean) If true, then the parameter ‘--enable-dns-updates’ is passed to the IPA installer.

  • enable_hostname (Boolean) (defaults to: true)

    (boolean) If true, then the parameter ‘--hostname’ is populated with the parameter ‘ipa_server_fqdn’
    and passed to the IPA installer.

  • enable_ip_address (Boolean) (defaults to: false)

    (boolean) If true, then the parameter ‘--ip-address’ is populated with the parameter ‘ip_address’
    and passed to the IPA installer.

  • fixed_primary (Boolean) (defaults to: false)

    (boolean) If true, then the parameter ‘--fixed-primary’ is passed to the IPA installer.

  • idstart (Integer[10000]) (defaults to: (fqdn_rand('10737') + 10000))

    (integer) From the IPA man pages: “The starting user and group id number”.

  • idmax (Optional[Variant[Integer,Undef]]) (defaults to: undef)

    (integer) From the IPA man pages: “The max value for the IDs range (default: idstart+199999)”.

  • ip_address (Optional[Stdlib::IP::Address]) (defaults to: undef)

    (string) IP address to pass to the IPA installer.

  • ipa_server_fqdn (String) (defaults to: fact('networking.fqdn'))

    (string) Actual FQDN of the IPA server or client.

  • ipa_master_fqdn (Optional[Stdlib::Fqdn]) (defaults to: undef)

    (string) FQDN of the server to use for a client or replica domain join.

  • mkhomedir (Boolean) (defaults to: true)

    (boolean) If true, then the parameter ‘--mkhomedir’ is passed to the IPA server and client installers.

  • no_ui_redirect (Boolean) (defaults to: false)

    (boolean) If true, then the parameter ‘--no-ui-redirect’ is passed to the IPA server installer.

  • realm (Optional[Stdlib::Fqdn]) (defaults to: undef)

    (string) The name of the IPA realm to create or join.

  • adjust_login_defs (Boolean) (defaults to: false)

    (boolean) Adjust UID_MAX and GID_MAX in login.defs. Without this, newer server installers fail. Default false.
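As an added usage example (not part of the module's own documentation or code), the following manifest declares this class for a master, a replica and a client. The hostnames, domain, forwarder address and the lookup() keys for the passwords are constructed assumptions; the parameter names and types are the ones listed above.

```puppet
# Added example: declaring the ipa class for the three supported roles.
# Hostnames, domain, forwarder IP and lookup() keys are constructed
# assumptions for illustration only.

# First master: creates the domain, runs the DNS server and pins the ID
# range explicitly instead of relying on the per-host fqdn_rand default.
node 'ipa1.example.test' {
  class { 'ipa':
    ipa_role                    => 'master',
    domain                      => 'example.test',
    # realm left undef: the class derives it as upcase($domain), i.e. EXAMPLE.TEST
    ipa_server_fqdn             => 'ipa1.example.test',
    # Wrap secrets in Sensitive so they do not appear in reports or logs;
    # both parameters require at least 8 characters (String[8]).
    admin_password              => Sensitive(lookup('ipa::admin_password')),
    directory_services_password => Sensitive(lookup('ipa::ds_password')),
    configure_dns_server        => true,          # passes --setup-dns
    custom_dns_forwarders       => ['192.0.2.53'], # each becomes --forwarder <ip>
    no_dnssec_validation        => false,
    idstart                     => 200000,
    idmax                       => 399999,        # must not be below idstart
    adjust_login_defs           => true,          # UID_MAX/GID_MAX become 199999
  }
}

# Replica: joins through the existing master and sets up its own CA.
# domain_join_password is left at its default, which is
# $directory_services_password.
node 'ipa2.example.test' {
  class { 'ipa':
    ipa_role                    => 'replica',
    domain                      => 'example.test',
    ipa_master_fqdn             => 'ipa1.example.test',
    admin_password              => Sensitive(lookup('ipa::admin_password')),
    directory_services_password => Sensitive(lookup('ipa::ds_password')),
    configure_replica_ca        => true,          # passes --setup-ca
    configure_dns_server        => true,
    custom_dns_forwarders       => ['192.0.2.53'],
    idstart                     => 200000,
    adjust_login_defs           => true,
  }
}

# Client: configure_dns_server is forced to false for this role, so only the
# join credentials and client-side options matter here.
node 'web1.example.test' {
  class { 'ipa':
    ipa_role              => 'client',
    domain                => 'example.test',
    ipa_master_fqdn       => 'ipa1.example.test',
    domain_join_principal => 'admin',
    domain_join_password  => Sensitive(lookup('ipa::admin_password')),
    enable_dns_updates    => true,                # passes --enable-dns-updates
    mkhomedir             => true,                # passes --mkhomedir
    configure_ntp         => true,                # omit --no-ntp
    configure_ssh         => true,                # omit --no-ssh
    configure_sshd        => true,                # omit --no-sshd
  }
}
```

Declaring `idmax` below `idstart` makes the catalog compilation fail with the error shown in the class body, so the constraint is caught before any installer runs. Passing the passwords as `Sensitive` values keeps them out of the compiled catalog's plain-text output and agent reports.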



# File 'manifests/init.pp', line 100

class ipa (
  Stdlib::Fqdn $domain,
  Enum['client', 'master', 'replica'] $ipa_role,
  Optional[Variant[Sensitive[String[8]],String[8]]] $admin_password              = undef,
  Optional[Variant[Sensitive[String[8]],String[8]]] $directory_services_password = undef,
  Boolean $allow_zone_overlap                                                    = false,
  Boolean $no_dnssec_validation                                                  = false,
  Boolean $configure_dns_server                                                  = true,
  Boolean $configure_replica_ca                                                  = false,
  Boolean $configure_ntp                                                         = true,
  Boolean $configure_ssh                                                         = true,
  Boolean $configure_sshd                                                        = true,
  Array[String] $custom_dns_forwarders                                           = [],
  Variant[Sensitive[String[1]],String[1]]  $domain_join_principal                = 'admin',
  Optional[Variant[Sensitive[String[1]],String[1]]] $domain_join_password        = $directory_services_password,
  Boolean $enable_dns_updates                                                    = false,
  Boolean $enable_hostname                                                       = true,
  Boolean $enable_ip_address                                                     = false,
  Boolean $fixed_primary                                                         = false,
  Integer[10000] $idstart                                                        = (fqdn_rand('10737') + 10000),
  Optional[Variant[Integer,Undef]] $idmax                                        = undef,
  Optional[Stdlib::IP::Address] $ip_address                                      = undef,
  String $ipa_server_fqdn                                                        = fact('networking.fqdn'),
  Optional[Stdlib::Fqdn] $ipa_master_fqdn                                        = undef,
  Boolean $mkhomedir                                                             = true,
  Boolean $no_ui_redirect                                                        = false,
  Optional[Stdlib::Fqdn] $realm                                                  = undef,
  Boolean $adjust_login_defs                                                     = false,
) {
  if $ipa::idmax and $ipa::idmax < $ipa::idstart {
    fail('Parameter "idmax" must be an integer greater than parameter "idstart".')
  }

  $final_realm = $realm ? {
    undef   => upcase($domain),
    default => $realm,
  }

  if $ipa_role == 'client' {
    $final_configure_dns_server = false
  } else {
    $final_configure_dns_server = $configure_dns_server
  }

  $opt_no_ssh = $configure_ssh ? {
    true    => '',
    default => '--no-ssh',
  }

  $opt_no_sshd = $configure_sshd ? {
    true    => '',
    default => '--no-sshd',
  }

  if $ipa::adjust_login_defs {
    $uid_max_value = $ipa::idstart - 1
    $gid_max_value = $ipa::idstart - 1

    file_line {
      default:
        path    => '/etc/login.defs',
        replace => true,
      ;
      'adjust uid max':
        line  => "UID_MAX\t${uid_max_value}",
        match => '^UID_MAX.*$',
      ;
      'adjust gid max':
        line  => "GID_MAX\t${gid_max_value}",
        match => '^GID_MAX.*$',
      ;
    }
  }

  if $ipa::ipa_role == 'master' or $ipa::ipa_role == 'replica' {
    contain 'ipa::server'
  } elsif $ipa::ipa_role == 'client' {
    contain 'ipa::client'
  }
}