Name: chef-sssd_ldap
Owner: University of Colorado Boulder
Description: Chef Cookbook to setup LDAP auth on RHEL systems using SSSD
Forked from: chef-cookbooks/sssd_ldap
Created: 2015-06-22 16:55:36.0
Updated: 2016-02-25 19:28:33.0
Pushed: 2016-09-15 23:23:21.0
Homepage: null
Size: 103
Language: Ruby
GitHub Committers
| User | Most Recent Commit | # Commits |
|---|
Other Committers
| User | Most Recent Commit | # Commits |
|---|
This cookbook installs SSSD and configures it for LDAP authentication. As part of the setup of SSSD it will also remove the NSCD package as NSCD is known to interfere with SSSD (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/usingnscd-sssd.html).
Arbitrary key/value pairs may be added to the ['sssd_conf'] attribute object. These key/values will be expanded in the domain block of sssd.conf. This allows you to set any SSSD configuration value you want, not just ones provided by the attributes in this cookbook.
Attribute | Value | Comment
—————————————— | —————————————————————————— | ——————————————————————————————————————————————
['sssd_conf']['id_provider'] | 'ldap' |
['sssd_conf']['auth_provider'] | 'ldap' |
['sssd_conf']['chpass_provider'] | 'ldap' |
['sssd_conf']['sudo_provider'] | 'ldap' |
['sssd_conf']['enumerate'] | 'true' |
['sssd_conf']['cache_credentials'] | 'false' |
['sssd_conf']['ldap_schema'] | 'rfc2307bis' |
['sssd_conf']['ldap_uri'] | 'ldap://something.yourcompany.com' |
['sssd_conf']['ldap_search_base'] | 'dc=yourcompany,dc=com' |
['sssd_conf']['ldap_user_search_base'] | 'ou=People,dc=yourcompany,dc=com' |
['sssd_conf']['ldap_user_object_class'] | 'posixAccount' |
['sssd_conf']['ldap_user_name'] | 'uid' |
['sssd_conf']['override_homedir'] | nil |
['sssd_conf']['shell_fallback'] | '/bin/bash' |
['sssd_conf']['ldap_group_search_base'] | 'ou=Groups,dc=yourcompany,dc=com' |
['sssd_conf']['ldap_group_object_class'] | 'posixGroup' |
['sssd_conf']['ldap_id_use_start_tls'] | 'true' |
['sssd_conf']['ldap_tls_reqcert'] | 'never' |
['sssd_conf']['ldap_tls_cacert'] | '/etc/pki/tls/certs/ca-bundle.crt' or '/etc/ssl/certs/ca-certificates.crt' | defaults for RHEL and others respectively
['sssd_conf']['ldap_default_bind_dn'] | 'cn=bindaccount,dc=yourcompany,dc=com' | if you have a domain that doesn't require binding set this attributes to nil
['sssd_conf']['ldap_default_authtok'] | 'bind_password' | if you have a domain that doesn't require binding set this to nil
['authconfig_params'] | '--enablesssd --enablesssdauth --enablelocauthorize --update' |
['sssd_conf']['access_provider'] | nil | Should be set to 'ldap'
['sssd_conf']['ldap_access_filter'] | nil | Can use simple LDAP filter such as 'uid=abc123' or more expressive LDAP filters like '(&(objectClass=employee)(department=ITSupport))'
['sssd_conf']['min_id'] | '1' | default, used to ignore lower uid/gid's
['sssd_conf']['max_id'] | '0' | default, used to ignore higher uid/gid's
['ldap_sudo'] | false | Adds ldap enabled sudoers (true/false)
['ldap_ssh'] | false | Adds ldap enabled ssh keys (true/false)
['ldap_autofs'] | false | Adds ldap enabled autofs config (true/false)
If you manage your own CA then the easiest way to inject the certificate for system-wide use is as follows:
a.crt /etc/pki/ca-trust/source/anchors
te-ca-trust enable
te-ca-trust extract
a.crt /usr/local/share/ca-certificates
te-ca-certificates
Author: Tim Smith (tsmith@chef.io)
Copyright: 2013-2015, Limelight Networks, Inc.
Copyright: 2016, Chef Software, Inc.
nsed under the Apache License, Version 2.0 (the "License");
may not use this file except in compliance with the License.
may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
ss required by applicable law or agreed to in writing, software
ributed under the License is distributed on an "AS IS" BASIS,
OUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
the License for the specific language governing permissions and
tations under the License.