Add support for Enterprise options (zone joins, no local allow files, et...

README.markdown

@@ -84,7 +84,7 @@ Below is a list of optional options and the default values:
 * lockout\_bad\_count: the bad count that would cause a lockout
 * merge\_groups: merge local group setting 
 * group\_overrides: an array of group id overrides that are found in the /etc/centrifydc/group.ovr file
-
+* manage\_conf: manage the Centrify configuration file (default: false) - set to true for Centrify Express or if desiring to manage the Centrify conf outside of Centrify
 **centrify::ssh::config_entry**
 
 since version 1.0 there is a new paradigm introduced for editing centrify's sshd options, in previous versions there have only been a few sshd options that have been provided as params, Now there is a new type *centrify::ssh::config_entry*. This type will add or change any config option for the centrify sshd config file

lib/facter/centrify_facts.rb

@@ -0,0 +1,76 @@
+# Centrify facter facts
+require 'facter'
+
+# centrify mode
+Facter.add('centrify_mode') do
+  confine :kernel => :linux
+
+  setcode do
+    if File::executable?("/usr/bin/adinfo")
+      mode = Facter::Util::Resolution.exec("/usr/bin/adinfo -m")
+      mode.empty? ? 'null' : mode
+    else
+      'null'
+    end
+  end
+end
+
+# centrify domain controller
+Facter.add('centrify_dc') do
+  confine :kernel => :linux
+
+  setcode do
+    if File::executable?("/usr/bin/adinfo")
+      dc = Facter::Util::Resolution.exec('/usr/bin/adinfo -r')
+      dc.empty? ? 'null' : dc
+    else
+      nil
+    end
+  end
+end
+
+# centrify domain
+Facter.add('centrify_domain') do
+  confine :kernel => :linux
+
+  setcode do
+    if File::executable?("/usr/bin/adinfo")
+      domain = Facter::Util::Resolution.exec('/usr/bin/adinfo -d')
+      domain.empty? ? 'null' : domain
+    else
+      nil
+    end
+  end
+end
+
+
+# centrify zone
+Facter.add('centrify_zone') do
+  confine :kernel => :linux
+
+  setcode do
+    if File::executable?("/usr/bin/adinfo")
+      zone = Facter::Util::Resolution.exec('/usr/bin/adinfo -z')
+      zone.empty? ? 'null' : zone
+    else
+      nil
+    end
+  end
+end
+
+# centrify bind
+Facter.add('centrify_bind') do
+  confine :kernel => :linux
+
+  setcode do
+    if File::executable?("/usr/bin/adinfo")
+      result = Facter::Util::Resolution.exec('/usr/bin/adinfo -C | grep Cannot')
+      if result.nil?
+        'bad_result'
+      end
+      result.empty? ? true : false
+    else
+      nil
+    end
+  end
+end

manifests/config.pp

@@ -5,22 +5,27 @@
 #
 #
 class centrify::config {
-  $auth_servers = $centrify::auth_servers
-  $users_allow = $centrify::users_allow
-  $groups_allow = $centrify::groups_allow
-  $adjoin_domain = $centrify::adjoin_domain
-  $adjoin_server = $centrify::adjoin_server
-  $group_overrides = $centrify::group_overrides
+  $auth_servers           = $centrify::auth_servers
+  $users_allow            = $centrify::users_allow
+  $groups_allow           = $centrify::groups_allow
+  $adjoin_domain          = $centrify::adjoin_domain
+  $adjoin_server          = $centrify::adjoin_server
+  $adjoin_enterprise_zone = $centrify::adjoin_enterprise_zone
+  $local_allow            = $centrify::local_allow
+  $group_overrides        = $centrify::group_overrides
+  $manage_conf            = $centrify::manage_conf
 
-  # Error check for no auth servers
-  if size($auth_servers) == 0 {
-    fail('you must provide at least one auth server for this to work')
+  # Error check for no zone and no auth servers
+  if $adjoin_enterprise_zone == '' and size ($auth_servers) == 0 {
+      fail('you must provide either a zone or at least one auth server for this to work')
   }
 
-  # Error check for no users or groups allowed in the system
-  if size($users_allow) == 0 {
-    if size($groups_allow) ==0 {
-      fail('there are no users or groups to authenticate, this is not recommended')
+  # If using local allow files, error check for no users/groups allowed in the system
+  if $local_allow == true {
+    if size($users_allow) == 0 {
+      if size($groups_allow) ==0 {
+        fail('there are no users or groups to authenticate, this is not recommended')
+      }
     }
   }
 
@@ -34,33 +39,51 @@
     }
   }
 
-  # Error check if the join server is not given
-  if size($adjoin_server) == 0 {
-    fail('you must give an ad server name to join to')
+  # If not joing a zone, error check if the join server is not given
+  if $adjoin_enterprise_zone == '' {
+    if size($adjoin_server) == 0 {
+      fail('you must give an ad server name to join to')
+    }
   }
 
-  file {'/etc/centrifydc/centrifydc.conf':
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => template('centrify/centrifydc_config.erb'),
-    notify  => Class['centrify::service'],
+  if $manage_conf == true {
+    file {'/etc/centrifydc/centrifydc.conf':
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => template('centrify/centrifydc_config.erb'),
+      notify  => [ Class['centrify::service'], Service['centrify-ssh-service'], Service['centrify-dc-service'] ],
+    }
   }
 
-  file {'/etc/centrifydc/groups.allow':
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => template('centrify/groups_allow.erb'),
-    notify  => Class['centrify::service'],
+  if $local_allow == true {
+    file {'/etc/centrifydc/groups.allow':
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => template('centrify/groups_allow.erb'),
+      notify  => [ Class['centrify::service'], Service['centrify-ssh-service'], Service['centrify-dc-service'] ],
+    }
+  }
+  else {
+    file {'/etc/centrifydc/group.allow':
+      ensure => 'absent'
+    }
   }
 
-  file {'/etc/centrifydc/users.allow':
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => template('centrify/users_allow.erb'),
-    notify  => Class['centrify::service']
+  if $local_allow == true {
+    file {'/etc/centrifydc/users.allow':
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => template('centrify/users_allow.erb'),
+      notify  => [ Class['centrify::service'], Service['centrify-ssh-service'], Service['centrify-dc-service'] ],
+    }
+  }
+  else {
+    file {'/etc/centrifydc/users.allow':
+      ensure => 'absent'
+    }
   }
 
   if ! empty($group_overrides) {
@@ -69,14 +92,13 @@
       group   => 'root',
       mode    => '0644',
       content => template('centrify/group.ovr.erb'),
-      notify  => Class['centrify::service']
+      notify  => [ Class['centrify::service'], Service['centrify-ssh-service'], Service['centrify-dc-service'] ],
     }
   }
-
   else {
     file {'/etc/centrifydc/group.ovr':
       ensure => 'absent'
     }
   }
 
-}
+}

manifests/init.pp

@@ -24,21 +24,31 @@
   $ssh_service_enable     = $centrify::params::ssh_service_enable,
   $ssh_service_ensure     = $centrify::params::ssh_service_ensure,
   $auth_servers           = $centrify::params::auth_servers,
+  $local_allow            = $centrify::params::local_allow,
   $group_overrides        = $centrify::params::group_overrides,
   $groups_allow           = $centrify::params::groups_allow,
   $users_allow            = $centrify::params::users_allow,
   $adjoin_user            = $centrify::params::adjoin_user,
   $adjoin_password        = $centrify::params::adjoin_password,
   $adjoin_domain          = $centrify::params::adjoin_domain,
   $adjoin_server          = $centrify::params::adjoin_server,
+  $adjoin_enterprise_zone = $centrify::params::adjoin_enterprise_zone,
+  $adjoin_container       = $centrify::params::adjoin_container,
+  $adjoin_force           = $centrify::params::adjoin_force,
   $private_group          = $centrify::params::private_group,
   $primary_gid            = $centrify::params::primary_gid,
   $auto_join              = $centrify::params::auto_join,
+  $cache_flush_int        = $centrify::params::cache_flush_int,
+  $cache_obj_life         = $centrify::params::cache_obj_life,
+  $log_buffer             = $centrify::params::log_buffer,
   $maximum_password_age   = $centrify::params::maximum_password_age,
   $minimum_password_age   = $centrify::params::minimum_password_age,
+  $password_warn          = $centrify::params::password_warn,
   $lockout_duration       = $centrify::params::lockout_duration,
   $lockout_bad_count      = $centrify::params::lockout_bad_count,
+  $sntp_enabled           = $centrify::params::sntp_enabled,
   $merge_groups           = $centrify::params::merge_groups,
+  $manage_conf            = $centrify::params::manage_conf,
 ) inherits centrify::params {
 
   # validate parameters
@@ -53,33 +63,39 @@
   validate_bool($ssh_service_enable)
   validate_string($ssh_service_ensure)
   validate_array($auth_servers)
+  validate_bool($local_allow)
   validate_array($group_overrides)
   validate_array($groups_allow)
   validate_array($users_allow)
   validate_string($adjoin_user)
   validate_string($adjoin_password)
   validate_string($adjoin_domain)
   validate_string($adjoin_server)
+  validate_string($adjoin_enterprise_zone)
+  validate_string($adjoin_container)
+  validate_bool($adjoin_force)
   validate_bool($private_group)
   validate_string($primary_gid)
   validate_bool($auto_join)
-  validate_string($maximum_password_age)
-  validate_string($minimum_password_age)
-  validate_string($lockout_duration)
-  validate_string($lockout_bad_count)
+  validate_integer($cache_flush_int)
+  validate_integer($cache_obj_life)
+  validate_bool($log_buffer)
+  validate_integer($maximum_password_age)
+  validate_integer($minimum_password_age)
+  validate_integer($password_warn)
+  validate_integer($lockout_duration)
+  validate_integer($lockout_bad_count)
+  validate_bool($sntp_enabled)
   validate_bool($merge_groups)
+  validate_bool($manage_conf)
 
   # include classes for install, config and services
   include '::centrify::install'
   include '::centrify::config'
   include '::centrify::service'
 
-  # set anchors for begin and end
-  anchor { '::centrify::begin': }
-  anchor { '::centrify::end': }
-
   # ordering of class execution
-  Anchor ['::centrify::begin'] -> Class ['::centrify::install'] ->
+  anchor { 'centrify_begin': } -> Class['::centrify::install'] ->
   Class['::centrify::config'] ~> Class['::centrify::service'] ->
-  Anchor['::centrify::end']
+  anchor { 'centrify_end': }
 }

manifests/params.pp

@@ -27,19 +27,29 @@
   $ssh_service_enable     = true
   $ssh_service_ensure     = 'running'
   $auth_servers           = []
+  $local_allow            = true
   $group_overrides        = []
   $groups_allow           = []
   $users_allow            = []
   $adjoin_user            = ''
   $adjoin_password        = ''
   $adjoin_domain          = ''
   $adjoin_server          = ''
+  $adjoin_enterprise_zone = ''
+  $adjoin_container       = ''
+  $adjoin_force           = false
   $private_group          = true
   $primary_gid            = ''
   $auto_join              = true
+  $cache_flush_int        = '24'
+  $cache_obj_life         = '24'
+  $log_buffer             = false
   $maximum_password_age   = '90'
   $minimum_password_age   = '1'
+  $password_warn          = '14'
   $lockout_duration       = '30'
   $lockout_bad_count      = '0'
+  $sntp_enabled           = false
   $merge_groups           = false
+  $manage_conf            = true
 }