ExternalMirrors
/
linux-formula
mirror of https://github.com/salt-formulas/salt-formula-linux
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 8 Wiki Activity
Saltstack Official Linux Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
615 Commits
26 Branches
Tree: 453ac048dd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '453ac048dd'
${ noResults }
linux-formula/linux/system/auth.sls

193 lines
5.5KB
Raw Blame History 

  1. {%- from "linux/map.jinja" import auth with context %}

  2. 

  3. {%- if auth.enabled %}

  4.   {%- set pam_modules_enable = "" %}

  5.   {%- set pam_modules_disable = "" %}

  6.   {%- if grains.os_family == 'Debian' %}

  7. linux_auth_pam_packages:

  8.   pkg.installed:

  9.   - pkgs: [ 'libpam-runtime' ]

  10. 

  11. linux_auth_pam_add_profile:

  12.   file.managed:

  13.     - name: /usr/local/bin/pam-add-profile

  14.     - source: salt://linux/files/pam-add-profile

  15.     - mode: 755

  16.     - require:

  17.       - pkg: linux_auth_pam_packages

  18.   {%- endif %}

  19. 

  20.   {%- if auth.get('mkhomedir', {}).get('enabled', False) %}

  21.     {%- if grains.os_family == 'Debian' %}

  22.       {%- set pam_modules_enable = pam_modules_enable + ' mkhomedir' %}

  23. linux_auth_mkhomedir_debconf_package:

  24.   pkg.installed:

  25.   - pkgs: [ 'debconf-utils' ]

  26. 

  27. linux_auth_mkhomedir_config:

  28.   file.managed:

  29.     - name: /usr/share/pam-configs/mkhomedir

  30.     - source: salt://linux/files/mkhomedir

  31.     - template: jinja

  32. 

  33.     {%- endif %}

  34.   {%- else %}

  35.     {%- if grains.os_family == 'Debian' %}

  36.       {%- set pam_modules_disable = pam_modules_disable + ' mkhomedir' %}

  37.     {%- endif %}

  38.   {%- endif %}

  39. 

  40.   {%- if auth.get('ldap', {}).get('enabled', False) %}

  41.     {%- from "linux/map.jinja" import ldap with context %}

  42. 

  43.     {%- if grains.os_family == 'Debian' %}

  44.       {%- set pam_modules_enable = pam_modules_enable + ' ldap' %}

  45. 

  46. linux_auth_ldap_debconf_package:

  47.   pkg.installed:

  48.   - pkgs: [ 'debconf-utils' ]

  49. 

  50. linux_auth_debconf_libnss-ldapd:

  51.   debconf.set:

  52.     - name: libnss-ldapd

  53.     - data:

  54.         libnss-ldapd/nsswitch:

  55.           type: 'multiselect'

  56.           value: 'group, passwd, shadow'

  57.         libnss-ldapd/clean_nsswitch:

  58.           type: 'boolean'

  59.           value: 'false'

  60.     - require_in:

  61.       - pkg: linux_auth_ldap_packages

  62.     - require:

  63.       - pkg: linux_auth_ldap_debconf_package

  64. 

  65. linux_auth_debconf_libpam-ldapd:

  66.   debconf.set:

  67.     - name: libpam-ldapd

  68.     - data:

  69.         libpam-ldapd/enable_shadow:

  70.           type: 'boolean'

  71.           value: 'true'

  72.     {%- endif %}

  73.   {%- else %}

  74.     {%- if grains.os_family == 'Debian' %}

  75.       {%- set pam_modules_disable = pam_modules_disable + ' ldap' %}

  76.     {%- endif %}

  77.   {%- endif %}

  78. 

  79.   {#- Setup PAM profiles #}

  80.   {%- if grains.os_family == 'Debian' %}

  81.     {%- if auth.get('mkhomedir', {}).get('enabled', False) %}

  82. linux_auth_pam_add_profiles_mkhomedir_enable:

  83.   cmd.run:

  84.     - name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }}

  85.     - unless: "[[ `grep -c pam_mkhomedir.so /etc/pam.d/common-session` -ne 0 ]]"

  86.     - require:

  87.       - file: linux_auth_pam_add_profile

  88. linux_auth_pam_add_profiles_mkhomedir_update:

  89.   cmd.wait:

  90.     - name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }}

  91.     - watch:

  92.       - file: linux_auth_mkhomedir_config

  93.     - require:

  94.       - file: linux_auth_pam_add_profile

  95.       {%- if auth.get('ldap', {}).get('enabled', False) %}

  96.       - pkg: linux_auth_ldap_packages

  97.       {%- endif %}

  98.     {%- else %}

  99. linux_auth_pam_remove_profiles_mkhomedir:

  100.   cmd.run:

  101.     - name: /usr/sbin/pam-auth-update --remove {{ pam_modules_disable }}

  102.     - onlyif: "[[ `grep -c pam_mkhomedir.so /etc/pam.d/common-session` -ne 0 ]]"

  103.     - require:

  104.       - pkg: linux_auth_pam_packages

  105.     {%- endif %}

  106. 

  107.     {%- if auth.get('ldap', {}).get('enabled', False) %}

  108. linux_auth_pam_add_profiles_ldap:

  109.   cmd.run:

  110.     - name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }}

  111.     - unless: "[[ `debconf-get-selections | grep libpam-runtime/profiles | grep -c ldap` -ne 0 ]]"

  112.     - require:

  113.       - file: linux_auth_pam_add_profile

  114.       - pkg: linux_auth_ldap_packages

  115.     {%- else %}

  116. linux_auth_pam_remove_profiles_ldap:

  117.   cmd.run:

  118.     - name: /usr/sbin/pam-auth-update --remove {{ pam_modules_disable }}

  119.     - onlyif: "[[ `debconf-get-selections | grep libpam-runtime/profiles | grep -c ldap` -ne 0 ]]"

  120.     - require:

  121.       - pkg: linux_auth_pam_packages

  122.     {%- endif %}

  123. 

  124.   {%- elif grains.os_family == 'RedHat' %}

  125.     {%- if auth.get('mkhomedir', {}).get('enabled', False) %}

  126. linux_auth_config_enable_mkhomedir:

  127.   cmd.run:

  128.     - name: "authconfig --enablemkhomedir --update"

  129.     - require:

  130.       {%- if auth.get('ldap', {}).get('enabled', False) %}

  131.       - pkg: linux_auth_ldap_packages

  132.       {%- endif %}

  133.     {%- else %}

  134. linux_auth_config_disable_mkhomedir:

  135.   cmd.run:

  136.     - name: "authconfig --disablemkhomedir --update"

  137.     - require:

  138.       - pkg: linux_auth_ldap_packages

  139.     {%- endif %}

  140.     {%- if auth.get('ldap', {}).get('enabled', False) %}

  141. linux_auth_config_enable_ldap:

  142.   cmd.run:

  143.     - name: "authconfig --enableldap --enableldapauth --update"

  144.     - require:

  145.       {%- if auth.get('ldap', {}).get('enabled', False) %}

  146.       - pkg: linux_auth_ldap_packages

  147.       {%- endif %}

  148.     {%- else %}

  149. linux_auth_config_disable_ldap:

  150.   cmd.run:

  151.     - name: "authconfig --disableldap --disableldapauth --update"

  152.     - require:

  153.       - pkg: linux_auth_ldap_packages

  154.     {%- endif %}

  155.   {%- endif %}

  156. 

  157.   {%- if auth.get('ldap', {}).get('enabled', False) %}

  158. 

  159. linux_auth_nsswitch_config_file:

  160.   file.managed:

  161.   - name: /etc/nsswitch.conf

  162.   - source: salt://linux/files/nsswitch.conf

  163.   - template: jinja

  164.   - mode: 644

  165.   - require:

  166.     - pkg: linux_auth_ldap_packages

  167.   - watch_in:

  168.     - service: linux_auth_nslcd_service

  169. 

  170. linux_auth_ldap_packages:

  171.   pkg.installed:

  172.   - pkgs: {{ ldap.pkgs }}

  173. 

  174. linux_auth_nslcd_config_file:

  175.   file.managed:

  176.   - name: /etc/nslcd.conf

  177.   - source: salt://linux/files/nslcd.conf

  178.   - template: jinja

  179.   - mode: 600

  180.   - require:

  181.     - pkg: linux_auth_ldap_packages

  182.   - watch_in:

  183.     - service: linux_auth_nslcd_service

  184. 

  185. linux_auth_nslcd_service:

  186.   service.running:

  187.   - enable: true

  188.   - name: nslcd

  189. 

  190.   {%- endif %}

  191. 

  192. {%- endif %}