chef - [chef] Re: new cookbook: authconfig for RHEL/CentOS/compat

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: new cookbook: authconfig for RHEL/CentOS/compat

From: RILINDO FOSTER < >
To:
Subject: [chef] Re: new cookbook: authconfig for RHEL/CentOS/compat
Date: Sat, 21 Jan 2012 17:24:00 -0500

Testing it out, I set the attributes as such in a recipe file:

stardust:recipes rilindo$ more ldapauthtls.rb
node.override['authconfig']['sssd']['enable'] = true
node.override['authconfig']['ldap']['enable'] = true
node.override['authconfig']['ldap']['tls'] = true
node.override['authconfig']['ldap']['server'] = 'kerberos.example.com'
node.override['authconfig']['ldap']['basedn'] = 'dc=example,dc=com'
node.override['authconfig']['ldap']['auth'] = true
node.override['authconfig']['ldap']['cacerturl'] = 'http://192.168.15.100/mirrors/ks/keys/cacert.pem'

And added it in:

stardust:recipes rilindo$ knife node run_list add ldaptls "recipe[authconfig::ldapauthtls]"
run_list:
   recipe[chef-client]
   recipe[ohai]
   recipe[authconfig::ldapauthtls]

And restarted chef-client on my test node. So far, it didn't set the configs as intended.

Perhaps it is my inexperience with chef getting in the way, but is this the right way to set it up?

- Rilindo

On Jan 21, 2012, at 12:45 PM, Jesse Campbell wrote:

I was looking for a cookbook to manage ldap configuration on centos
6.1 vms that I'd spun up, as well as our other 300-odd centos 5.5 vms.

First looked at the openldap cookbook and wasn't terribly impressed...
it has lots of dependencies on debian locations of things that I'd
have to mess about with to make it work with centos.

Authconfig is a built-in CLI for managing auth configuration, be it
for ldap, winbind, kerberos, nis, etc. It automagically updates all of
the required files, using the new SSSD subsystem on EL6 systems.
Rather than reinventing that wheel, I decided to take advantage of the
built-in and call out to it from chef.

There was no method i found for telling authconfig to pull the
configuration from a file, so instead I build out an arguments list
from node attributes. If the file changes, it will re-run authconfig,
so it is idempotent.
The defaults follow what came on a bare centos 6.1 system, but should
work with others.

Current issue:
the functionality to tell winbind to join a domain is not included, it
seemed to need an admin user specified, and likely would prompt for a
password. Not having a domain server to test against, I did not have
any way to find out.

http://community.opscode.com/cookbooks/authconfig

I have only tested this on CentOS 6 so far, but would appreciate if
anyone else tries it to let me know if it works, or bugs they run
into...

Thanks!
-Jesse

[chef] new cookbook: authconfig for RHEL/CentOS/compat, Jesse Campbell, 01/21/2012
- [chef] Re: new cookbook: authconfig for RHEL/CentOS/compat, RILINDO FOSTER, 01/21/2012
  - [chef] Re: Re: new cookbook: authconfig for RHEL/CentOS/compat, Jesse Campbell, 01/21/2012
    - [chef] Re: Re: Re: new cookbook: authconfig for RHEL/CentOS/compat, RILINDO FOSTER, 01/21/2012
      - [chef] Re: Re: Re: Re: new cookbook: authconfig for RHEL/CentOS/compat, Jesse Campbell, 01/21/2012
        
        [chef] Re: new cookbook: authconfig for RHEL/CentOS/compat, RILINDO FOSTER, 01/21/2012
        
        [chef] Re: Re: new cookbook: authconfig for RHEL/CentOS/compat, Jesse Campbell, 01/21/2012
        
        [chef] Re: Re: Re: new cookbook: authconfig for RHEL/CentOS/compat, RILINDO FOSTER, 01/21/2012
        [chef] Re: new cookbook: authconfig for RHEL/CentOS/compat, RILINDO FOSTER, 01/21/2012