Puppet Class: krb5::kdc
- Inherits:
- krb5
- Inherited by:
-
krb5::kdc::config
krb5::kdc::install
krb5::kdc::auto_keytabs
- Defined in:
- manifests/kdc.pp
Summary
The necessary structure to manage the Kerberos 5 KDC on a given system.
Overview
The variables used here can be found in “kdc.conf(5)”.
Any variable not covered here can be managed using file resources.
# File 'manifests/kdc.pp', line 68
# Entry point for managing a Kerberos 5 KDC: contains the install, config and
# service classes, wires their ordering, and optionally bootstraps a realm and
# host keytabs.
class krb5::kdc (
  # Looked up from 'simp_options::trusted_nets'; falls back to loopback only
  # (IPv4 and IPv6) when that key is unset.
  # NOTE(review): not referenced in this class body - presumably read by a
  # contained class; confirm where it is enforced before widening it.
  Simplib::Netlist $trusted_nets = simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1', '::1'] }),
  # Not referenced in this class body - presumably read by krb5::kdc::config.
  Stdlib::Absolutepath $config_dir = '/var/kerberos/krb5kdc/kdc.conf.simp.d',
  # The next three default to the values set on the parent krb5 class.
  # $ldap and $firewall are not referenced in this class body.
  Boolean $ldap = $krb5::ldap,
  Boolean $firewall = $krb5::firewall,
  Boolean $haveged = $krb5::haveged,
  # On by default: a realm named $auto_realm is declared and initialized below.
  Boolean $auto_initialize = true,
  # Defaults to the node's DNS domain fact, so the realm name is agent-reported
  # unless overridden. The String type rejects an undefined fact.
  String $auto_realm = $facts['networking']['domain'],
  # Passed to krb5::kdc::realm as 'auto_principal'.
  # NOTE(review): how this principal's credentials are created and stored is
  # decided in krb5::kdc::realm, not here - review that define.
  String $auto_management_principal = 'puppet_auto',
  # On by default: pulls in krb5::kdc::auto_keytabs once the service is up.
  # NOTE(review): keytabs hold long-term host keys; where they are written and
  # with what permissions is decided in that class - confirm before relying on
  # the default.
  Boolean $auto_generate_host_keytabs = true
) inherits krb5 {
  # presumably fails compilation on platforms the module metadata does not
  # list - confirm against simplib
  simplib::assert_metadata($module_name)

  if $haveged { include 'haveged' }

  # 'contain' (rather than 'include') so that relationships declared against
  # Class['krb5::kdc'] also apply to these classes.
  contain 'krb5::kdc::install'
  contain 'krb5::kdc::config'
  contain 'krb5::kdc::service'

  # '->' orders only; '~>' orders and also sends a refresh, so a change in
  # install or config refreshes the service class.
  Class['krb5'] -> Class['krb5::kdc']
  Class['krb5::kdc::install'] ~> Class['krb5::kdc::config']
  Class['krb5::kdc::install'] ~> Class['krb5::kdc::service']
  Class['krb5::kdc::config'] ~> Class['krb5::kdc::service']

  # Hackery for a broken SELinux policy in EL7
  # Applied after the config class; what the hotfix changes is not visible here.
  contain 'krb5::kdc::selinux_hotfix'
  Class['krb5::kdc::config'] -> Class['krb5::kdc::selinux_hotfix']

  if $auto_initialize {
    # 'initialize' is always true here because of the enclosing condition.
    krb5::kdc::realm { $auto_realm:
      initialize => $auto_initialize,
      auto_principal => $auto_management_principal
    }

    # Unfortunate, but we need to make sure that we don't conflict with an
    # existing declaration of this realm from the client declaration.
    # While there are rare cases where you don't want a KDC to be its own
    # client, they do exist given the nature of cross-realm trust capabilities.
    #
    # NOTE(review): defined() only sees resources declared before this point in
    # evaluation order; a client-side declaration evaluated later would not be
    # detected - confirm the include order used by callers.
    if !defined(Krb5::Setting::Realm[$auto_realm]) {
      # The KDC names itself as the realm's admin server, using its own FQDN fact.
      krb5::setting::realm { $auto_realm:
        admin_server => $facts['networking']['fqdn']
      }
    }

    # The realm is set up after the KDC config and refreshes the service.
    Class['krb5::kdc::config'] -> Krb5::Kdc::Realm[$auto_realm]
    Krb5::Kdc::Realm[$auto_realm] ~> Class['krb5::kdc::service']

    if $haveged {
      # haveged is applied first - presumably so entropy is available when the
      # realm is initialized; confirm.
      Class['haveged'] -> Krb5::Kdc::Realm[$auto_realm]
    }
  }

  if $auto_generate_host_keytabs {
    # Declared with 'include', so unlike the classes above it is not contained
    # in krb5::kdc; only the explicit ordering below applies to it.
    include 'krb5::kdc::auto_keytabs'
    Class['krb5::kdc::service'] -> Class['krb5::kdc::auto_keytabs']
  }

  # Ensure that all settings are applied prior to the KDC starting
  #
  # This has to be separated due to the same setting code being used on the
  # server and client.
  #
  # The collector has no filter, so it matches every Krb5::Setting in the
  # catalog, and a change to any of them refreshes the service class.
  Krb5::Setting <| |> ~> Class['krb5::kdc::service']
}