From 71dbabd5fdaa73595c05b69163bf5e297dfaf175 Mon Sep 17 00:00:00 2001 From: Elyse Salberg Date: Tue, 6 Jan 2015 17:17:15 -0500 Subject: [PATCH 01/10] Add support for Enterprise options (zone joins, no local allow files, etc.) - Modify template, add more parameters, update adjoin logic - Add extra parameter options for template values - cache_flush_int, cache_obj_life, log_buffer; add unix_chkpwd to nss.program.ignore - Add adinfo facts - Clean up line feeds in dzdo.env_delete comment --- lib/facter/centrify_facts.rb | 57 +++++++++++++++++++++ manifests/config.pp | 77 +++++++++++++++++----------- manifests/init.pp | 18 +++++++ manifests/params.pp | 9 ++++ manifests/service.pp | 89 +++++++++++++++++++++------------ templates/centrifydc_config.erb | 25 +++++---- 6 files changed, 201 insertions(+), 74 deletions(-) create mode 100755 lib/facter/centrify_facts.rb diff --git a/lib/facter/centrify_facts.rb b/lib/facter/centrify_facts.rb new file mode 100755 index 0000000..b161ff4 --- /dev/null +++ b/lib/facter/centrify_facts.rb 
@@ -0,0 +1,57 @@ +# Centrify facter facts +require 'facter' + +# centrify_connected: true/nil +Facter.add('centrify_connected') do + confine :kernel => :linux + + setcode do + connected = nil + if File::executable?("/usr/bin/adinfo") + connected = Facter::Util::Resolution.exec("/usr/bin/adinfo -m") + if connected == connected + connected = true + end + end + connected + end +end + +# centrify domain controller +Facter.add('centrify_dc') do + confine :centrify_connected => true + + setcode do + dc = Facter::Util::Resolution.exec('/usr/bin/adinfo -r') + dc.nil? ? nil : dc + end +end + +# centrify domain +Facter.add('centrify_domain') do + confine :centrify_connected => true + + setcode do + domain = Facter::Util::Resolution.exec('/usr/bin/adinfo -d') + domain.nil? ? nil : domain + end +end + +# centrify mode +Facter.add('centrify_mode') do + + setcode do + mode = Facter::Util::Resolution.exec('/usr/bin/adinfo -m') + mode.nil? ? nil : mode + end +end + +# centrify zone +Facter.add('centrify_zone') do + confine :centrify_connected => true + + setcode do + zone = Facter::Util::Resolution.exec('/usr/bin/adinfo -z') + zone.nil? ? nil : zone + end +end diff --git a/manifests/config.pp b/manifests/config.pp index 2c8f343..af90db4 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
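Review bot: `if connected == connected` is always true, so centrify_connected reports true whenever /usr/bin/adinfo is executable, whatever `adinfo -m` printed; the `confine :centrify_connected => true` on the dc, domain and zone facts therefore cannot tell a joined host from an unjoined one. Test the captured output instead, e.g. `connected = true if connected && !connected.empty?` (what `adinfo -m` prints on an unjoined host still needs confirming against the tool). The `dc.nil? ? nil : dc` ternaries in the other facts return their operand unchanged and can be dropped in favour of returning the exec result directly.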
@@ -5,22 +5,26 @@ # # class centrify::config { - $auth_servers = $centrify::auth_servers - $users_allow = $centrify::users_allow - $groups_allow = $centrify::groups_allow - $adjoin_domain = $centrify::adjoin_domain - $adjoin_server = $centrify::adjoin_server + $auth_servers = $centrify::auth_servers + $users_allow = $centrify::users_allow + $groups_allow = $centrify::groups_allow + $adjoin_domain = $centrify::adjoin_domain + $adjoin_server = $centrify::adjoin_server + $adjoin_zone = $centrify::adjoin_zone + $local_allow = $centrify::local_allow $group_overrides = $centrify::group_overrides - # Error check for no auth servers - if size($auth_servers) == 0 { - fail('you must provide at least one auth server for this to work') + # Error check for no zone and no auth servers + if $adjoin_zone == '' and size ($auth_servers) == 0 { + fail('you must provide either a zone or at least one auth server for this to work') } - # Error check for no users or groups allowed in the system - if size($users_allow) == 0 { - if size($groups_allow) ==0 { - fail('there are no users or groups to authenticate, this is not recommended') + # If using local allow files, error check for no users/groups allowed in the system + if $local_allow == true { + if size($users_allow) == 0 { + if size($groups_allow) ==0 { + fail('there are no users or groups to authenticate, this is not recommended') + } } } @@ -34,9 +38,11 @@ } } - # Error check if the join server is not given - if size($adjoin_server) == 0 { - fail('you must give an ad server name to join to') + # If not joing a zone, error check if the join server is not given + if $adjoin_zone == '' { + if size($adjoin_server) == 0 { + fail('you must give an ad server name to join to') + } } file {'/etc/centrifydc/centrifydc.conf': 
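Review bot: The new auth-server check is written `size ($auth_servers) == 0` with a space before the parenthesis, while every other call in this hunk is `size($users_allow)`; besides the inconsistency, how the parser binds `== 0` when the argument list is separated from the function name differs between Puppet versions, so write `if $adjoin_zone == '' and size($auth_servers) == 0 {`. The three nested ifs under `if $local_allow == true` can be one guard, `if $local_allow and empty($users_allow) and empty($groups_allow) { fail('there are no users or groups to authenticate, this is not recommended') }`, matching the `empty()` already used for `$group_overrides` further down the file. Since `$local_allow` is validated as a boolean in init.pp, `== true` adds nothing.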
@@ -47,20 +53,34 @@ notify => Class['centrify::service'], } - file {'/etc/centrifydc/groups.allow': - owner => 'root', - group => 'root', - mode => '0644', - content => template('centrify/groups_allow.erb'), - notify => Class['centrify::service'], + if $local_allow == true { + file {'/etc/centrifydc/groups.allow': + owner => 'root', + group => 'root', + mode => '0644', + content => template('centrify/groups_allow.erb'), + notify => Class['centrify::service'], + } + } + else { + file {'/etc/centrifydc/group.allow': + ensure => 'absent' + } } - file {'/etc/centrifydc/users.allow': - owner => 'root', - group => 'root', - mode => '0644', - content => template('centrify/users_allow.erb'), - notify => Class['centrify::service'] + if $local_allow == true { + file {'/etc/centrifydc/users.allow': + owner => 'root', + group => 'root', + mode => '0644', + content => template('centrify/users_allow.erb'), + notify => Class['centrify::service'] + } + } + else { + file {'/etc/centrifydc/users.allow': + ensure => 'absent' + } } if ! empty($group_overrides) { @@ -72,11 +92,10 @@ notify => Class['centrify::service'] } } - else { file {'/etc/centrifydc/group.ovr': ensure => 'absent' } } -} \ No newline at end of file +} diff --git a/manifests/init.pp b/manifests/init.pp index bb75744..bf07bef 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -24,6 +24,7 @@ $ssh_service_enable = $centrify::params::ssh_service_enable, $ssh_service_ensure = $centrify::params::ssh_service_ensure, $auth_servers = $centrify::params::auth_servers, + $local_allow = $centrify::params::local_allow, $group_overrides = $centrify::params::group_overrides, $groups_allow = $centrify::params::groups_allow, $users_allow = $centrify::params::users_allow, 
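Review bot: The absent branch for the groups file targets `/etc/centrifydc/group.allow`, while the managed resource above it is `/etc/centrifydc/groups.allow`, so switching local_allow off leaves a previously generated groups.allow on the host instead of removing it. Change the else branch to `file {'/etc/centrifydc/groups.allow': ensure => 'absent' }`, as the users.allow pair below already does. Because the template stops emitting `pam.allow.groups` when local_allow is false the stale file is presumably not consulted, but a leftover allow list on a host is misleading to anyone auditing it.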
@@ -31,13 +32,21 @@ $adjoin_password = $centrify::params::adjoin_password, $adjoin_domain = $centrify::params::adjoin_domain, $adjoin_server = $centrify::params::adjoin_server, + $adjoin_zone = $centrify::params::adjoin_zone, + $adjoin_container = $centrify::params::adjoin_container, + $adjoin_force = $centrify::params::adjoin_force, $private_group = $centrify::params::private_group, $primary_gid = $centrify::params::primary_gid, $auto_join = $centrify::params::auto_join, + $cache_flush_int = $centrify::params::cache_flush_int, + $cache_obj_life = $centrify::params::cache_obj_life, + $log_buffer = $centrify::params::log_buffer, $maximum_password_age = $centrify::params::maximum_password_age, $minimum_password_age = $centrify::params::minimum_password_age, + $password_warn = $centrify::params::password_warn, $lockout_duration = $centrify::params::lockout_duration, $lockout_bad_count = $centrify::params::lockout_bad_count, + $sntp_enabled = $centrify::params::sntp_enabled, $merge_groups = $centrify::params::merge_groups, ) inherits centrify::params { @@ -53,6 +62,7 @@ validate_bool($ssh_service_enable) validate_string($ssh_service_ensure) validate_array($auth_servers) + validate_bool($local_allow) validate_array($group_overrides) validate_array($groups_allow) validate_array($users_allow) 
@@ -60,13 +70,21 @@ validate_string($adjoin_password) validate_string($adjoin_domain) validate_string($adjoin_server) + validate_string($adjoin_zone) + validate_string($adjoin_container) + validate_bool($adjoin_force) validate_bool($private_group) validate_string($primary_gid) validate_bool($auto_join) + validate_string($cache_flush_int) + validate_string($cache_obj_life) + validate_bool($log_buffer) validate_string($maximum_password_age) validate_string($minimum_password_age) + validate_string($password_warn) validate_string($lockout_duration) validate_string($lockout_bad_count) + validate_bool($sntp_enabled) validate_bool($merge_groups) # include classes for install, config and services diff --git a/manifests/params.pp b/manifests/params.pp index 1862bf6..9ed89fe 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -27,6 +27,7 @@ $ssh_service_enable = true $ssh_service_ensure = 'running' $auth_servers = [] + $local_allow = true $group_overrides = [] $groups_allow = [] $users_allow = [] @@ -34,12 +35,20 @@ $adjoin_password = '' $adjoin_domain = '' $adjoin_server = '' + $adjoin_zone = '' + $adjoin_container = '' + $adjoin_force = false $private_group = true $primary_gid = '' $auto_join = true + $cache_flush_int = '24' + $cache_obj_life = '24' + $log_buffer = false $maximum_password_age = '90' $minimum_password_age = '1' + $password_warn = '14' $lockout_duration = '30' $lockout_bad_count = '0' + $sntp_enabled = false $merge_groups = false } diff --git a/manifests/service.pp b/manifests/service.pp index 3cf9a87..832ddcc 100644 --- a/manifests/service.pp +++ b/manifests/service.pp 
@@ -6,17 +6,32 @@ # # class centrify::service { - $auto_join = $centrify::auto_join - $dc_service_ensure = $centrify::dc_service_ensure + $auto_join = $centrify::auto_join + $dc_service_ensure = $centrify::dc_service_ensure $ssh_service_ensure = $centrify::ssh_service_ensure - $adjoin_server = $centrify::adjoin_server - $adjoin_password = $centrify::adjoin_password - $adjoin_domain = $centrify::adjoin_domain - $adjoin_user = $centrify::adjoin_user + $adjoin_server = $centrify::adjoin_server + $adjoin_password = $centrify::adjoin_password + $adjoin_domain = $centrify::adjoin_domain + $adjoin_user = $centrify::adjoin_user + $adjoin_zone = $centrify::adjoin_zone + $adjoin_container = $centrify::adjoin_container + $adjoin_force = $centrify::adjoin_force $ssh_service_enable = $centrify::ssh_service_enable - $ssh_service_name = $centrify::ssh_service_name - $dc_service_name = $centrify::dc_service_name - $dc_service_enable = $centrify::dc_service_enable + $ssh_service_name = $centrify::ssh_service_name + $dc_service_name = $centrify::dc_service_name + $dc_service_enable = $centrify::dc_service_enable + $local_allow = $centrify::local_allow + + if $local_allow == true { + $config = [File['/etc/centrifydc/centrifydc.conf'], + File['/etc/centrifydc/groups.allow'], + File['/etc/centrifydc/users.allow'], + ] + } + else { + $config = [File['/etc/centrifydc/centrifydc.conf'], + ] + } if $auto_join { 
@@ -32,12 +47,24 @@ fail('ssh_service_ensure parameter must be running or stopped') } - # ad-join - exec { 'adjoin': - path => '/usr/bin:/usr/sbin:/bin', - command => "adjoin -w -u ${adjoin_user} -s ${adjoin_server} -p ${adjoin_password} ${adjoin_domain}", - unless => "adinfo -d | grep ${adjoin_domain}", - refreshonly => true, + # ad-join workstation + exec { 'adjoin workstation': + path => '/usr/bin:/usr/sbin:/bin', + command => "adjoin -w -u ${adjoin_user} -s ${adjoin_server} -p ${adjoin_password} ${adjoin_domain}", + onlyif => ['test `adinfo -d | wc -l` -eq 0', + "test '${adjoin_zone}' = ''" + ], + logoutput => true, + } + + # ad-join zone + exec { 'adjoin zone': + path => '/usr/bin:/usr/sbin:/bin', + command => "adjoin -u ${adjoin_user} -p ${adjoin_password} -c ${adjoin_container} -z ${adjoin_zone} -n ${::fqdn} -f ${adjoin_domain}", + onlyif => ['test `adinfo -d | wc -l` -eq 0', + "test '${adjoin_zone}' != ''" + ], + logoutput => true, } #adflush 
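Review bot: Both execs pass `-p ${adjoin_password}` on the command line, so the join credential is visible in the process list while adjoin runs and is reproduced in Puppet's failure message whenever the exec returns non-zero; if adjoin can read the password from a file or standard input, prefer that over argv, and treat the report as containing the secret until then. `$adjoin_force` is read by this class but never used, while the zone command hard-codes `-f`; either drive that flag from the parameter or drop the parameter (the same applies to the renamed execs in patch 03 and the adlicense change in patch 08). The new `onlyif` only checks that `adinfo -d` prints nothing, so a host already joined to some other domain than `${adjoin_domain}` is left alone silently, which the old `unless => "adinfo -d | grep ${adjoin_domain}"` did catch.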
@@ -47,35 +74,33 @@ refreshonly => true, } - service {'centrify-ssh-service': + service {'centrify-ssh-service': ensure => $ssh_service_ensure, name => $ssh_service_name, hasrestart => true, hasstatus => true, enable => $ssh_service_enable, - subscribe => [ - File['/etc/centrifydc/centrifydc.conf'], - File['/etc/centrifydc/groups.allow'], - File['/etc/centrifydc/users.allow'], - ], - notify => Exec['adflush'], - } + subscribe => $config, + notify => Exec['adflush'], + } - service {'centrify-dc-service': + service {'centrify-dc-service': ensure => $dc_service_ensure, name => $dc_service_name, hasrestart => true, hasstatus => true, enable => $dc_service_enable, - subscribe => [ - File['/etc/centrifydc/centrifydc.conf'], - File['/etc/centrifydc/groups.allow'], - File['/etc/centrifydc/users.allow'], - ], + subscribe => $config, notify => Exec['adflush'], } - Exec['adjoin'] -> Service['centrify-dc-service'] -> - Service['centrify-ssh-service'] -> Exec['adflush'] + if $adjoin_zone != '' { + Exec['adjoin zone'] -> Service['centrify-dc-service'] -> + Service['centrify-ssh-service'] -> Exec['adflush'] + } + else { + Exec['adjoin workstation'] -> Service['centrify-dc-service'] -> + Service['centrify-ssh-service'] -> Exec['adflush'] + } } -} \ No newline at end of file +} diff --git a/templates/centrifydc_config.erb b/templates/centrifydc_config.erb index 0b034c3..75dadcc 100644 --- a/templates/centrifydc_config.erb +++ b/templates/centrifydc_config.erb @@ -236,8 +236,8 @@ pam.allow.override: root # -> "Manage login filters" # # You may also specify a file name with a list of users in the file -pam.allow.users: file:/etc/centrifydc/users.allow -pam.allow.groups: file:/etc/centrifydc/groups.allow +<% if @local_allow %>pam.allow.users: file:/etc/centrifydc/users.allow +pam.allow.groups: file:/etc/centrifydc/groups.allow <% end %> ## pam.allow.users: jdoe krusty ## pam.allow.groups: smokeallow # pam.deny.users: jcool 
@@ -480,13 +480,13 @@ adclient.clients.socket2: /var/centrifydc/daemon2 # How often should adclient flush it's entire cache. 0 means never. # -adclient.cache.flush.interval: 24 +adclient.cache.flush.interval: <%= @cache_flush_int %> # # How many hours will a regular object live in the cache, regardless of # expiration time? Default is forever. # -adclient.cache.object.lifetime: 24 +adclient.cache.object.lifetime: <%= @cache_obj_life %> # # How often should the daemon clean up the cache, looking for old objects, @@ -715,7 +715,7 @@ ord:pam.password.confirm.mesg: Confirm new password: # -> "Security Options" # -> "Interactive Logon: Prompt user to change password before expiration" # -pam.password.expiry.warn: 14 +pam.password.expiry.warn: <%= @password_warn %> # # What to do if, when a user is logging in, PAM discovers that the user's AD @@ -1531,7 +1531,7 @@ w password length,\nlack of complexity or a minimum age for the current password # -> "Enable SNTP client" # # If true, adclient will keep the system clock in sync with the domain. -# adclient.sntp.enabled: true +adclient.sntp.enabled: <%= @sntp_enabled %> # # The interval between sntp clock updates. The value is the base 2 
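Review bot: `adclient.sntp.enabled: <%= @sntp_enabled %>` turns a commented-out example into an always-emitted setting, and with the parameter defaulting to false every host that previously ran on adclient's built-in default now gets an explicit `false`; if that built-in default is true, as the old commented line suggests, this silently changes clock handling for existing users of the module. Either emit the line only when the parameter is set, or call out the new default in the README. The cache and `pam.password.expiry.warn` substitutions in the other hunks are safe in this respect because their parameter defaults equal the old literals.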
@@ -1921,9 +1921,7 @@ w password length,\nlack of complexity or a minimum age for the current password # as root. This list can be replaced using dzdo.env_delete as in the # following example. # -# dzdo.env_delete: IFS,CDPATH,LOCALDOMAIN,RES_OPTIONS,HOSTALIASES, NLSPATH,PATH_LOCALE,LD_*,_RLD*,TERMINFO,TERMINFO_DIRS, TERMPATH,TERMCAP,ENV,BASH_ENV,PS4,GLOBIGN -ORE,SHELLOPTS, JAVA_TOOL_OPTIONS,PERLIO_DEBUG,PERLLIB,PERL5LIB, PERL5OPT,PERL5DB,FPATH,NULLCMD,READNULLCMD,ZDOTDIR, TMPPREFIX,PYTHONHOME,PYTHONPATH,PYTHONINSPECT,R -UBYLIB, RUBYOPT,KRB5_CONFIG,KRB5_KTNAME,VAR_ACE,USR_ACE,DLC_ACE, SHLIB_PATH, LDR_*,LIBPATH,DYLD_* +# dzdo.env_delete: IFS,CDPATH,LOCALDOMAIN,RES_OPTIONS,HOSTALIASES,NLSPATH,PATH_LOCALE,LD_*,_RLD*,TERMINFO,TERMINFO_DIRS,TERMPATH,TERMCAP,ENV,BASH_ENV,PS4,GLOBIGNORE,SHELLOPTS,JAVA_TOOL_OPTIONS,PERLIO_DEBUG,PERLLIB,PERL5LIB,PERL5OPT,PERL5DB,FPATH,NULLCMD,READNULLCMD,ZDOTDIR,TMPPREFIX,PYTHONHOME,PYTHONPATH,PYTHONINSPECT,RUBYLIB,RUBYOPT,KRB5_CONFIG,KRB5_KTNAME,VAR_ACE,USR_ACE,DLC_ACE,SHLIB_PATH,LDR_*,LIBPATH,DYLD_* # # @@ -2254,8 +2252,7 @@ nss.nobody.gid: 99 # Don't call Centrify group or user iteration for these programs # This helps prevent adding local users and groups that conflict with # DirectControl users in AD -nss.program.ignore: useradd,adduser,groupadd,addgroup,userdel,groupdel,usermod,groupmod,chfn,chsh,chpasswd,gpasswd,pwconv,pwunconv,grpconv,grpunconv,redhat-config- -users +nss.program.ignore: useradd,adduser,groupadd,addgroup,userdel,groupdel,usermod,groupmod,chfn,chsh,chpasswd,gpasswd,pwconv,pwunconv,grpconv,grpunconv,redhat-config-users,unix_chkpwd nss.shell.nologin: /sbin/nologin 
@@ -2490,5 +2487,7 @@ nss.runtime.defaultvalue.var.domain: $DOMAIN # You must restart adclient to have this take effect. # # auto.schema.search.return.max: 1000 -<% @auth_servers.each do |as| %> dns.dc.<%= @adjoin_domain%>: <%= as %> -<% end %> \ No newline at end of file +<% if @merge_groups %>adclient.local.group.merge: true <% else %># adclient.local.group.merge: false <% end %> +<% if @auth_servers %><% @auth_servers.each do |as| %> dns.dc.<%= @adjoin_domain%>: <%= as %> +<% end %><% end %> +<% if @log_buffer %>logger.memory.enable.buffer: true<% end %> From 32ab085e647959a914e1300ab9e1aeb13a1c2842 Mon Sep 17 00:00:00 2001 From: Elyse Salberg Date: Tue, 24 Feb 2015 13:37:58 -0500 Subject: [PATCH 02/10] refactor centrify facts to eliminate redundant centrify_connected and return null values --- lib/facter/centrify_facts.rb | 52 +++++++++++++++++++----------------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/lib/facter/centrify_facts.rb b/lib/facter/centrify_facts.rb index b161ff4..c36f63f 100755 --- a/lib/facter/centrify_facts.rb +++ b/lib/facter/centrify_facts.rb 
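Review bot: `<% if @auth_servers %>` guards against nil only — an empty array is truthy in Ruby — so with the default `[]` the branch is still taken and merely emits nothing; that is harmless, but the guard reads as if it meant "only when servers are given". `<% Array(@auth_servers).each do |as| %>` covers nil, a single string and an array in one line and drops the outer if/end pair. The merge_groups line also emits a trailing space before the newline in both branches; not a functional problem, just untidy output.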
@@ -1,57 +1,59 @@ # Centrify facter facts require 'facter' -# centrify_connected: true/nil -Facter.add('centrify_connected') do +# centrify mode +Facter.add('centrify_mode') do confine :kernel => :linux setcode do - connected = nil if File::executable?("/usr/bin/adinfo") - connected = Facter::Util::Resolution.exec("/usr/bin/adinfo -m") - if connected == connected - connected = true - end + mode = Facter::Util::Resolution.exec("/usr/bin/adinfo -m") + mode.empty? ? 'null' : mode + else + 'null' end - connected end end # centrify domain controller Facter.add('centrify_dc') do - confine :centrify_connected => true + confine :kernel => :linux setcode do - dc = Facter::Util::Resolution.exec('/usr/bin/adinfo -r') - dc.nil? ? nil : dc + if File::executable?("/usr/bin/adinfo") + dc = Facter::Util::Resolution.exec('/usr/bin/adinfo -r') + dc.empty? ? 'null' : dc + else + nil + end end end # centrify domain Facter.add('centrify_domain') do - confine :centrify_connected => true + confine :kernel => :linux setcode do - domain = Facter::Util::Resolution.exec('/usr/bin/adinfo -d') - domain.nil? ? nil : domain + if File::executable?("/usr/bin/adinfo") + domain = Facter::Util::Resolution.exec('/usr/bin/adinfo -d') + domain.empty? ? 'null' : domain + else + nil + end end end -# centrify mode -Facter.add('centrify_mode') do - - setcode do - mode = Facter::Util::Resolution.exec('/usr/bin/adinfo -m') - mode.nil? ? nil : mode - end -end # centrify zone Facter.add('centrify_zone') do - confine :centrify_connected => true + confine :kernel => :linux setcode do - zone = Facter::Util::Resolution.exec('/usr/bin/adinfo -z') - zone.nil? ? nil : zone + if File::executable?("/usr/bin/adinfo") + zone = Facter::Util::Resolution.exec('/usr/bin/adinfo -z') + zone.empty? ? 'null' : zone + else + nil + end end end From 9db113e86cacd81160ddf397194c46217d74e84e Mon Sep 17 00:00:00 2001 
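Review bot: `mode.empty?` (and the same call in the dc, domain and zone facts) assumes `Facter::Util::Resolution.exec` returns a String; on Facter versions where a failing or non-zero-exit command yields nil this raises NoMethodError inside setcode and the fact resolves to nothing rather than 'null' — confirm against the Facter version in use, or guard with `mode.nil? || mode.empty?`. The four facts also disagree on the not-installed case: centrify_mode returns the string 'null' while the others return nil, so Puppet code has to handle two different "absent" representations, and the string 'null' is truthy in Puppet which makes `if $::centrify_domain` style checks misleading. A small helper wrapping the executable check and the exec (a constructed example: `def adinfo(flag)`) would remove the four copies and fix the inconsistency in one place.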
From: Elyse Salberg Date: Thu, 16 Apr 2015 11:38:36 -0400 Subject: [PATCH 03/10] Update adjoin_zone to adjoin_enterprise_zone; do not copy conf file for enterprise servers (zone set) --- manifests/config.pp | 36 ++++++++++++++++--------------- manifests/init.pp | 4 ++-- manifests/params.pp | 2 +- manifests/service.pp | 50 ++++++++++++++++++++++---------------------- 4 files changed, 47 insertions(+), 45 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index af90db4..e24f05e 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -5,17 +5,17 @@ # # class centrify::config { - $auth_servers = $centrify::auth_servers - $users_allow = $centrify::users_allow - $groups_allow = $centrify::groups_allow - $adjoin_domain = $centrify::adjoin_domain - $adjoin_server = $centrify::adjoin_server - $adjoin_zone = $centrify::adjoin_zone - $local_allow = $centrify::local_allow - $group_overrides = $centrify::group_overrides + $auth_servers = $centrify::auth_servers + $users_allow = $centrify::users_allow + $groups_allow = $centrify::groups_allow + $adjoin_domain = $centrify::adjoin_domain + $adjoin_server = $centrify::adjoin_server + $adjoin_enterprise_zone = $centrify::adjoin_enterprise_zone + $local_allow = $centrify::local_allow + $group_overrides = $centrify::group_overrides # Error check for no zone and no auth servers - if $adjoin_zone == '' and size ($auth_servers) == 0 { + if $adjoin_enterprise_zone == '' and size ($auth_servers) == 0 { fail('you must provide either a zone or at least one auth server for this to work') } 
@@ -39,18 +39,20 @@ } # If not joing a zone, error check if the join server is not given - if $adjoin_zone == '' { + if $adjoin_enterprise_zone == '' { if size($adjoin_server) == 0 { fail('you must give an ad server name to join to') } } - - file {'/etc/centrifydc/centrifydc.conf': - owner => 'root', - group => 'root', - mode => '0644', - content => template('centrify/centrifydc_config.erb'), - notify => Class['centrify::service'], + # If using an Enterprise zone, let Centrify manage the conf file + if $adjoin_enterprise_zone == '' { + file {'/etc/centrifydc/centrifydc.conf': + owner => 'root', + group => 'root', + mode => '0644', + content => template('centrify/centrifydc_config.erb'), + notify => Class['centrify::service'], + } } if $local_allow == true { diff --git a/manifests/init.pp b/manifests/init.pp index bf07bef..5d56a1f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -32,7 +32,7 @@ $adjoin_password = $centrify::params::adjoin_password, $adjoin_domain = $centrify::params::adjoin_domain, $adjoin_server = $centrify::params::adjoin_server, - $adjoin_zone = $centrify::params::adjoin_zone, + $adjoin_enterprise_zone = $centrify::params::adjoin_enterprise_zone, $adjoin_container = $centrify::params::adjoin_container, $adjoin_force = $centrify::params::adjoin_force, $private_group = $centrify::params::private_group, @@ -70,7 +70,7 @@ validate_string($adjoin_password) validate_string($adjoin_domain) validate_string($adjoin_server) - validate_string($adjoin_zone) + validate_string($adjoin_enterprise_zone) validate_string($adjoin_container) validate_bool($adjoin_force) validate_bool($private_group) diff --git a/manifests/params.pp b/manifests/params.pp index 9ed89fe..43ae994 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -35,7 +35,7 @@ $adjoin_password = '' $adjoin_domain = '' $adjoin_server = '' - $adjoin_zone = '' + $adjoin_enterprise_zone = '' $adjoin_container = '' $adjoin_force = false $private_group = true 
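Review bot: With a zone set, `File['/etc/centrifydc/centrifydc.conf']` is no longer declared, but service.pp still lists it in the `$config` array that both services subscribe to, so the catalog for an Enterprise host fails with a missing-resource error until patch 04 removes those subscriptions; at this commit the two manifests are out of step. The comment `# If using an Enterprise zone, let Centrify manage the conf file` would read better as `# centrifydc.conf is only managed when no Enterprise zone is set`, since the condition below tests the empty string. The enclosing class continues past the hunk.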
diff --git a/manifests/service.pp b/manifests/service.pp index 832ddcc..c74cb42 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -6,21 +6,21 @@ # # class centrify::service { - $auto_join = $centrify::auto_join - $dc_service_ensure = $centrify::dc_service_ensure - $ssh_service_ensure = $centrify::ssh_service_ensure - $adjoin_server = $centrify::adjoin_server - $adjoin_password = $centrify::adjoin_password - $adjoin_domain = $centrify::adjoin_domain - $adjoin_user = $centrify::adjoin_user - $adjoin_zone = $centrify::adjoin_zone - $adjoin_container = $centrify::adjoin_container - $adjoin_force = $centrify::adjoin_force - $ssh_service_enable = $centrify::ssh_service_enable - $ssh_service_name = $centrify::ssh_service_name - $dc_service_name = $centrify::dc_service_name - $dc_service_enable = $centrify::dc_service_enable - $local_allow = $centrify::local_allow + $auto_join = $centrify::auto_join + $dc_service_ensure = $centrify::dc_service_ensure + $ssh_service_ensure = $centrify::ssh_service_ensure + $adjoin_server = $centrify::adjoin_server + $adjoin_password = $centrify::adjoin_password + $adjoin_domain = $centrify::adjoin_domain + $adjoin_user = $centrify::adjoin_user + $adjoin_enterprise_zone = $centrify::adjoin_enterprise_zone + $adjoin_container = $centrify::adjoin_container + $adjoin_force = $centrify::adjoin_force + $ssh_service_enable = $centrify::ssh_service_enable + $ssh_service_name = $centrify::ssh_service_name + $dc_service_name = $centrify::dc_service_name + $dc_service_enable = $centrify::dc_service_enable + $local_allow = $centrify::local_allow if $local_allow == true { $config = [File['/etc/centrifydc/centrifydc.conf'], 
@@ -47,22 +47,22 @@ fail('ssh_service_ensure parameter must be running or stopped') } - # ad-join workstation - exec { 'adjoin workstation': + # adjoin Centrify Express + exec { 'adjoin Centrify Express': path => '/usr/bin:/usr/sbin:/bin', command => "adjoin -w -u ${adjoin_user} -s ${adjoin_server} -p ${adjoin_password} ${adjoin_domain}", onlyif => ['test `adinfo -d | wc -l` -eq 0', - "test '${adjoin_zone}' = ''" + "test '${adjoin_enterprise_zone}' = ''" ], logoutput => true, } - # ad-join zone - exec { 'adjoin zone': + # adjoin Centrify Enterprise + exec { 'adjoin Centrify Enterprise': path => '/usr/bin:/usr/sbin:/bin', - command => "adjoin -u ${adjoin_user} -p ${adjoin_password} -c ${adjoin_container} -z ${adjoin_zone} -n ${::fqdn} -f ${adjoin_domain}", + command => "adjoin -u ${adjoin_user} -p ${adjoin_password} -c ${adjoin_container} -z ${adjoin_enterprise_zone} -n ${::fqdn} -f ${adjoin_domain}", onlyif => ['test `adinfo -d | wc -l` -eq 0', - "test '${adjoin_zone}' != ''" + "test '${adjoin_enterprise_zone}' != ''" ], logoutput => true, } @@ -94,12 +94,12 @@ notify => Exec['adflush'], } - if $adjoin_zone != '' { - Exec['adjoin zone'] -> Service['centrify-dc-service'] -> + if $adjoin_enterprise_zone != '' { + Exec['adjoin Centrify Enterprise'] -> Service['centrify-dc-service'] -> Service['centrify-ssh-service'] -> Exec['adflush'] } else { - Exec['adjoin workstation'] -> Service['centrify-dc-service'] -> + Exec['adjoin Centrify Express'] -> Service['centrify-dc-service'] -> Service['centrify-ssh-service'] -> Exec['adflush'] } } From 3d949160202c9dfdf0d34eacd584d476df4354c9 Mon Sep 17 00:00:00 2001 From: Elyse Salberg Date: Wed, 22 Apr 2015 16:25:24 -0400 Subject: [PATCH 04/10] Change subscribes to notify to handle case where centrifydc.conf isn't being managed --- manifests/config.pp | 8 ++++---- manifests/service.pp | 13 ------------- 2 files changed, 4 insertions(+), 17 deletions(-) 
diff --git a/manifests/config.pp b/manifests/config.pp index e24f05e..ab206e5 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -51,7 +51,7 @@ group => 'root', mode => '0644', content => template('centrify/centrifydc_config.erb'), - notify => Class['centrify::service'], + notify => [ Class['centrify::service'], Service['centrify-ssh-service'], Service['centrify-dc-service'] ], } } @@ -61,7 +61,7 @@ group => 'root', mode => '0644', content => template('centrify/groups_allow.erb'), - notify => Class['centrify::service'], + notify => [ Class['centrify::service'], Service['centrify-ssh-service'], Service['centrify-dc-service'] ], } } else { @@ -76,7 +76,7 @@ group => 'root', mode => '0644', content => template('centrify/users_allow.erb'), - notify => Class['centrify::service'] + notify => [ Class['centrify::service'], Service['centrify-ssh-service'], Service['centrify-dc-service'] ], } } else { @@ -91,7 +91,7 @@ group => 'root', mode => '0644', content => template('centrify/group.ovr.erb'), - notify => Class['centrify::service'] + notify => [ Class['centrify::service'], Service['centrify-ssh-service'], Service['centrify-dc-service'] ], } } else { diff --git a/manifests/service.pp b/manifests/service.pp index c74cb42..3479c5b 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -22,17 +22,6 @@ $dc_service_enable = $centrify::dc_service_enable $local_allow = $centrify::local_allow - if $local_allow == true { - $config = [File['/etc/centrifydc/centrifydc.conf'], - File['/etc/centrifydc/groups.allow'], - File['/etc/centrifydc/users.allow'], - ] - } - else { - $config = [File['/etc/centrifydc/centrifydc.conf'], - ] - } - if $auto_join { notice('running with auto_join enabled') @@ -80,7 +69,6 @@ hasrestart => true, hasstatus => true, enable => $ssh_service_enable, - subscribe => $config, notify => Exec['adflush'], } 
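Review bot: `notify => [ Class['centrify::service'], Service['centrify-ssh-service'], Service['centrify-dc-service'] ]` is repeated on four file resources, and the class reference already covers both services — a relationship to a class applies to every resource declared inside it — so the two Service entries add nothing; init.pp additionally declares `Class['::centrify::config'] ~> Class['::centrify::service']`, which makes even the per-file class notify redundant. Keeping one of the two forms, most simply the class-level chain in init.pp, gives the same refresh behaviour with less to keep in sync. In service.pp, `$local_allow = $centrify::local_allow` survives the removal of the `$config` block but is no longer referenced anywhere in that class and can go.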
@@ -90,7 +78,6 @@ hasrestart => true, hasstatus => true, enable => $dc_service_enable, - subscribe => $config, notify => Exec['adflush'], } From 4c7af41ffe0a6fd05439d0f6b0e9cf003d73da24 Mon Sep 17 00:00:00 2001 From: Elyse Salberg Date: Thu, 9 Jul 2015 14:29:08 -0400 Subject: [PATCH 05/10] Add manage_conf parameter; switch conf file from being disabled for all Centrify Enterprise --- README.markdown | 2 +- manifests/config.pp | 5 +++-- manifests/init.pp | 2 ++ manifests/params.pp | 1 + 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/README.markdown b/README.markdown index bc7adaf..c60d798 100644 --- a/README.markdown +++ b/README.markdown @@ -84,7 +84,7 @@ Below is a list of optional options and the default values: * lockout\_bad\_count: the bad count that would cause a lockout * merge\_groups: merge local group setting * group\_overrides: an array of group id overrides that are found in the /etc/centrifydc/group.ovr file - +* manage\_conf: manage the Centrify configuration file (default: false) - set to true for Centrify Express or if desiring to manage the Centrify conf outside of Centrify **centrify::ssh::config_entry** since version 1.0 there is a new paradigm introduced for editing centrify's sshd options, in previous versions there have only been a few sshd options that have been provided as params, Now there is a new type *centrify::ssh::config_entry*. This type will add or change any config option for the centrify sshd config file diff --git a/manifests/config.pp b/manifests/config.pp index ab206e5..82cb716 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -13,6 +13,7 @@ $adjoin_enterprise_zone = $centrify::adjoin_enterprise_zone $local_allow = $centrify::local_allow $group_overrides = $centrify::group_overrides + $manage_conf = $centrify::manage_conf # Error check for no zone and no auth servers if $adjoin_enterprise_zone == '' and size ($auth_servers) == 0 { 
@@ -44,8 +45,8 @@ fail('you must give an ad server name to join to') } } - # If using an Enterprise zone, let Centrify manage the conf file - if $adjoin_enterprise_zone == '' { + + if $manage_conf == true { file {'/etc/centrifydc/centrifydc.conf': owner => 'root', group => 'root', diff --git a/manifests/init.pp b/manifests/init.pp index 5d56a1f..3a9b4c3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -48,6 +48,7 @@ $lockout_bad_count = $centrify::params::lockout_bad_count, $sntp_enabled = $centrify::params::sntp_enabled, $merge_groups = $centrify::params::merge_groups, + $manage_conf = $centrify::params::manage_conf, ) inherits centrify::params { # validate parameters @@ -86,6 +87,7 @@ validate_string($lockout_bad_count) validate_bool($sntp_enabled) validate_bool($merge_groups) + validate_bool($manage_conf) # include classes for install, config and services include '::centrify::install' diff --git a/manifests/params.pp b/manifests/params.pp index 43ae994..ef9a059 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -51,4 +51,5 @@ $lockout_bad_count = '0' $sntp_enabled = false $merge_groups = false + $manage_conf = false } From 7acb4b391f50353d4d5e5389ccb99918b138e321 Mon Sep 17 00:00:00 2001 From: Elyse Salberg Date: Thu, 21 Jul 2016 14:54:31 -0400 Subject: [PATCH 06/10] Switch default of manage_conf to true (backwards compatibility); update anchors for 2016.2.0 --- manifests/init.pp | 8 ++------ manifests/params.pp | 2 +- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 3a9b4c3..bcd8ded 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
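Review bot: Gating the file resource on `$manage_conf` leaves the earlier `fail('you must provide either a zone or at least one auth server for this to work')` in force even though `$auth_servers` is only consumed by centrifydc_config.erb, so a host with `manage_conf => false` and no zone is refused over a value that is never used; that check should be guarded by `$manage_conf` as well. Likewise `local_allow => true` together with `manage_conf => false` still writes users.allow and groups.allow without anything ensuring the unmanaged centrifydc.conf points `pam.allow.*` at them — worth a sentence in the README next to the new parameter. The class begins before this hunk.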
@@ -94,12 +94,8 @@ include '::centrify::config' include '::centrify::service' - # set anchors for begin and end - anchor { '::centrify::begin': } - anchor { '::centrify::end': } - # ordering of class execution - Anchor ['::centrify::begin'] -> Class ['::centrify::install'] -> + anchor { 'centrify_begin': } -> Class ['::centrify::install'] -> Class['::centrify::config'] ~> Class['::centrify::service'] -> - Anchor['::centrify::end'] + anchor { 'centrify_end': } } diff --git a/manifests/params.pp b/manifests/params.pp index ef9a059..afe4e16 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -51,5 +51,5 @@ $lockout_bad_count = '0' $sntp_enabled = false $merge_groups = false - $manage_conf = false + $manage_conf = true } From 4952b21e42989dc201d8d4a21dd59f167e8e0789 Mon Sep 17 00:00:00 2001 From: Elyse Salberg Date: Thu, 21 Jul 2016 15:09:02 -0400 Subject: [PATCH 07/10] Fix validations for numbers --- manifests/init.pp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index bcd8ded..92b683f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -77,14 +77,14 @@ validate_bool($private_group) validate_string($primary_gid) validate_bool($auto_join) - validate_string($cache_flush_int) - validate_string($cache_obj_life) + validate_integer($cache_flush_int) + validate_integer($cache_obj_life) validate_bool($log_buffer) - validate_string($maximum_password_age) - validate_string($minimum_password_age) - validate_string($password_warn) - validate_string($lockout_duration) - validate_string($lockout_bad_count) + validate_integer($maximum_password_age) + validate_integer($minimum_password_age) + validate_integer($password_warn) + validate_integer($lockout_duration) + validate_integer($lockout_bad_count) validate_bool($sntp_enabled) validate_bool($merge_groups) validate_bool($manage_conf) 
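Review bot: The default of `$manage_conf` flips to true here, but README.markdown as changed in patch 05 still documents `manage_conf ... (default: false)` and this commit does not touch it. The inline `anchor { 'centrify_begin': } -> … -> anchor { 'centrify_end': }` also renames the anchors from '::centrify::begin' and '::centrify::end', which breaks any profile that chained on the old names — probably acceptable, but it belongs in a changelog entry. On Puppet versions that provide `contain`, the anchor pattern can be replaced by `contain '::centrify::install'` (and likewise config and service) together with the existing `Class['::centrify::install'] -> Class['::centrify::config'] ~> Class['::centrify::service']` chain, so containment rides on the class's own edges without extra resources.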
@@ -95,7 +95,7 @@
 include '::centrify::service'
 
 # ordering of class execution
- anchor { 'centrify_begin': } -> Class ['::centrify::install'] ->
+ anchor { 'centrify_begin': } -> Class['::centrify::install'] ->
 Class['::centrify::config'] ~> Class['::centrify::service'] ->
 anchor { 'centrify_end': }
 }
From c5a9e4f60cbd9d30e48e62a5985d56d559752826 Mon Sep 17 00:00:00 2001
From: Elyse Salberg
Date: Wed, 3 Aug 2016 17:31:13 -0400
Subject: [PATCH 08/10] Add adlicense command before adjoin for Enterprise
---
 manifests/service.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/service.pp b/manifests/service.pp
index 3479c5b..43312b5 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -49,7 +49,7 @@
 # adjoin Centrify Enterprise
 exec { 'adjoin Centrify Enterprise':
 path => '/usr/bin:/usr/sbin:/bin',
- command => "adjoin -u ${adjoin_user} -p ${adjoin_password} -c ${adjoin_container} -z ${adjoin_enterprise_zone} -n ${::fqdn} -f ${adjoin_domain}",
+ command => "adlicense -l && adjoin -u ${adjoin_user} -p ${adjoin_password} -c ${adjoin_container} -z ${adjoin_enterprise_zone} -n ${::fqdn} -f ${adjoin_domain}",
 onlyif => ['test `adinfo -d | wc -l` -eq 0',
 "test '${adjoin_enterprise_zone}' != ''"
 ],
From 12436cbde9a87c5ae769c75050816950230c1893 Mon Sep 17 00:00:00 2001
From: Elyse Salberg
Date: Tue, 16 Aug 2016 22:21:20 -0400
Subject: [PATCH 09/10] quote mode to fix Puppet4 deprecation
---
 manifests/user/home_dir.pp | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/manifests/user/home_dir.pp b/manifests/user/home_dir.pp
index cda5144..840f768 100644
--- a/manifests/user/home_dir.pp
+++ b/manifests/user/home_dir.pp
@@ -14,10 +14,10 @@
 # main home directory
 if $ensure == 'present' {
 file {"/home/${name}":
- ensure => 'directory',
- owner => $sid,
- group => $sid,
- mode => 0600,
+ ensure => 'directory',
+ owner => $sid,
+ group => $sid,
+ mode => '0600',
 }
 
 # bashrc file
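Review bot: The new command string relies on `&&` to run `adlicense -l` before `adjoin`, but Puppet's default `posix` exec provider executes the command without a shell, so `&&` and everything after it would be handed to `adlicense` as plain arguments and the join would never run; unless the resource already sets `provider => 'shell'` on a line outside this hunk (the backticks and pipe in the existing `onlyif` suggest it may), that attribute needs adding. The same string still places `${adjoin_password}` on the command line unquoted, so it is visible in `ps` output and is echoed back in Puppet's failure message for this exec, and a password containing spaces or shell metacharacters breaks the command; at minimum single-quote the interpolations, e.g. `-p '${adjoin_password}'`, and weigh passing the secret via the exec's `environment` attribute instead so it stays off the argument list. The closing of the exec resource lies outside the hunk.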
@@ -26,7 +26,7 @@
 ensure => 'present',
 owner => $sid,
 group => $sid,
- mode => 0740,
+ mode => '0740',
 source => $bashrc_file,
 require => File["/home/${name}"],
 }
@@ -43,7 +43,7 @@
 ensure => 'directory',
 owner => $sid,
 group => $sid,
- mode => 0600,
+ mode => '0600',
 require => File["/home/${name}"],
 }
 
@@ -53,7 +53,7 @@
 ensure => 'present',
 owner => $sid,
 group => $sid,
- mode => 0744,
+ mode => '0744',
 source => $ssh_public_key,
 require => File["/home/${name}/.ssh"],
 }
@@ -69,7 +69,7 @@
 ensure => 'present',
 owner => $sid,
 group => $sid,
- mode => 0744,
+ mode => '0744',
 source => $ssh_private_key,
 require => File["/home/${name}/.ssh"],
 }
@@ -85,7 +85,7 @@
 ensure => 'present',
 owner => $sid,
 group => $sid,
- mode => 0744,
+ mode => '0744',
 source => $authorized_keys,
 require => File["/home/${name}/.ssh"],
 }
@@ -114,4 +114,4 @@
 fail("Unknown value for ensure ${ensure}")
 }
 }
-}
\ No newline at end of file
+}
From d86d57ece56e3ccb4032846ec11a428e1efebe55 Mon Sep 17 00:00:00 2001
From: Elyse Salberg
Date: Wed, 23 Oct 2019 18:12:26 -0400
Subject: [PATCH 10/10] Check centrify bind
---
 lib/facter/centrify_facts.rb | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/lib/facter/centrify_facts.rb b/lib/facter/centrify_facts.rb
index c36f63f..9666a46 100755
--- a/lib/facter/centrify_facts.rb
+++ b/lib/facter/centrify_facts.rb
@@ -57,3 +57,20 @@
 end
 end
 end
+
+ # centrify bind
+ Facter.add('centrify_bind') do
+ confine :kernel => :linux
+
+ setcode do
+ if File::executable?("/usr/bin/adinfo")
+ result = Facter::Util::Resolution.exec('/usr/bin/adinfo -C | grep Cannot')
+ if result.nil?
+ 'bad_result'
+ end
+ result.empty? ? true : false
+ else
+ nil
+ end
+ end
+ end
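Review bot: In the `@@ -69,7 +69,7 @@` hunk the re-quoted `+ mode => '0744',` belongs to the file whose `source` is `$ssh_private_key`, which leaves the private key readable by group and world; that exposes the credential and the OpenSSH client refuses identity files accessible to others, so the key is unusable as well. `mode => '0600',` is the value this file needs. The execute bits on the public key and authorized_keys files in the `@@ -53` and `@@ -85` hunks (`'0744'`) serve no purpose either, and `'0644'` is the conventional mode there. Each of these file resources continues outside its hunk.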
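Review bot: Inside the new `centrify_bind` setcode, the `if result.nil?` branch only evaluates the string literal `'bad_result'` and discards it, so when `Facter::Util::Resolution.exec` returns nil the very next line `result.empty?` raises NoMethodError instead of resolving the fact to nil; the trailing `else nil` and the `? true : false` ternary are also redundant, since `result.empty?` is already a boolean. A rewrite that leaves the block early on each unavailable case keeps the intended meaning: true when `adinfo -C` printed no `Cannot` line, nil when adinfo is absent or could not be run. The match on the English word `Cannot` is presumably tied to adinfo's message text, so a comment stating that assumption would help the next maintainer.
```ruby
  setcode do
    # nil when adinfo is absent or could not be run; true when `adinfo -C` printed no "Cannot" line
    next nil unless File.executable?('/usr/bin/adinfo')
    result = Facter::Util::Resolution.exec('/usr/bin/adinfo -C | grep Cannot')
    next nil if result.nil?
    result.empty?
  end
```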
