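#
# Cookbook Name:: mu-master
# Recipe:: sssd
#
# Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
#
# Licensed under the BSD-3 license (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License in the root of the project or at
#
#     http://egt-labs.com/mu/LICENSE.html
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Joins this host to the Mu LDAP directory through SSSD: installs the sssd
# stack, removes the legacy nss-pam-ldapd/pam_ldap client, routes NSS/PAM
# through sssd with authconfig, and renders /etc/sssd/sssd.conf from the
# LDAP settings held in $MU_CFG. sshd is restarted whenever sssd is, so
# logins pick up the new NSS/PAM state.

include_recipe "mu-master::firewall-holes"
include_recipe "mu-master::389ds"

# sssd supersedes the nslcd/pam_ldap client; leaving both installed would
# give two competing LDAP paths in NSS/PAM, so the legacy one is removed.
%w{sssd sssd-ldap sssd-client}.each { |pkg| package pkg }

%w{nss-pam-ldapd pam_ldap}.each do |pkg|
  package pkg do
    action :remove
  end
end

# oddjobd (backing pam_oddjob_mkhomedir) is driven over D-Bus.
package "dbus"
service "messagebus" do
  action [:enable, :start]
end

# sssd does its own caching; nscd in front of it is switched off so lookups
# are not cached twice (authconfig below also passes --disablecache).
package "nscd"
service "nscd" do
  action [:disable, :stop]
end

package "oddjob-mkhomedir"

# Re-apply SELinux file contexts under /usr/sbin after the package installs.
# Guarded by restorecon's dry run (-n -v lists what would be relabelled) so
# the resource converges idempotently instead of reporting a change every run.
execute "restorecon -r /usr/sbin" do
  only_if "restorecon -rnv /usr/sbin | grep -q ."
end

service "sshd" do
  action :nothing
end

# Local SELinux policy module permitting oddjobd's interaction with syslogd.
cookbook_file "syslogd_oddjobd.pp" do
  path "#{Chef::Config[:file_cache_path]}/syslogd_oddjobd.pp"
end

execute "Add oddjobd and syslogd interaction to SELinux allow list" do
  command "/usr/sbin/semodule -i syslogd_oddjobd.pp"
  cwd Chef::Config[:file_cache_path]
  # The module name as listed by semodule is the idempotency guard.
  not_if "/usr/sbin/semodule -l | grep syslogd_oddjobd"
  notifies :restart, "service[oddjobd]", :delayed
end

service "oddjobd" do
  # On EL6 the stock init script is invoked through sh -x; the original
  # author's note is that this "seems to actually work" where the default
  # provider start did not. The -x trace is kept for debuggability.
  if %w{redhat centos}.include?(node["platform"]) && node["platform_version"].to_i == 6
    start_command "sh -x /etc/init.d/oddjobd start"
  end
  action [:enable, :start]
end

# Point NSS/PAM at sssd and nothing else: NIS, winbind, krb5, nscd caching
# and the legacy pam_ldap/nss-pam-ldapd path are all disabled, local
# authorization stays on, and pam_oddjob_mkhomedir is enabled so directory
# users get a home directory at first login. Once authconfig has written
# pam_sss.so into password-auth the guard stops this from re-running.
execute "/usr/sbin/authconfig --disablenis --disablecache --disablewinbind --disablewinbindauth --enablemkhomedir --disablekrb5 --enablesssd --enablesssdauth --enablelocauthorize --disableforcelegacy --disableldap --disableldapauth --updateall" do
  notifies :restart, "service[oddjobd]", :immediately
  notifies :reload, "service[sshd]", :delayed
  not_if "grep pam_sss.so /etc/pam.d/password-auth"
end

# sssd's log directory. Kept root-only (0750) since sssd debug output may
# include directory lookup details (usernames, DNs).
directory "/var/log/sssd" do
  owner "root"
  group "root"
  mode 0750
  recursive true
end

# sssd checks that sssd.conf is root-owned and 0600 and refuses to start
# otherwise, so the mode here is load-bearing. Only directory location data
# (base DN, user OU, DC hosts) is passed to the template from this recipe;
# whether sssd.conf.erb itself embeds a bind credential is not visible here
# and should be checked when reviewing the template.
template "/etc/sssd/sssd.conf" do
  source "sssd.conf.erb"
  mode 0600
  owner "root"
  group "root"
  variables(
    :base_dn => $MU_CFG["ldap"]["base_dn"],
    :user_ou => $MU_CFG["ldap"]["user_ou"],
    :dcs => $MU_CFG["ldap"]["dcs"]
  )
  notifies :restart, "service[sssd]", :immediately
end

# service[sssd] is declared exactly once (it used to be declared twice, which
# leaned on Chef resource cloning — deprecated in Chef 12, removed in 13).
# Notifications are resolved against the finished resource collection at
# converge time, so the template above can reference it before this line.
service "sssd" do
  action [:enable, :start]
  notifies :restart, "service[sshd]", :immediately
end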