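# @summary This class manages admin accounts. It will create/give rights to any admin accounts missing. It will delete accounts set in Hiera to be deleted.
#
# Each entry of `$freeipa::humanadmins` is `name => { 'password' => ..., 'ensure' => ... }`;
# `ensure` defaults to `present`. The Directory Manager password and the admin's own
# password are handed to the shell through the exec `environment` rather than being
# interpolated into the command line, so they are not part of the process argument
# list and not part of the command text Puppet reports when an exec fails.
#
# @example
#   include freeipa::config::humanadmins
class freeipa::config::humanadmins {

  # Get domain in shape for ldappasswd: "a.b.c" -> "dc=a,dc=b,dc=c"
  $dc_domain_split = regsubst($freeipa::domain, '([^.]+)\.*', 'dc=\1,', 'G')
  $dc = regsubst($dc_domain_split, ',$', '')

  # Every ipa call authenticates as admin first (checks included): the
  # "Update ... password" check below leaves the admin user's own ticket in the
  # default credential cache, so a later check must not rely on what is there.
  $kinit_admin = 'kinit admin -k -t /home/admin/admin.keytab'
  $exec_path   = ['/usr/bin', '/bin', '/usr/sbin', '/sbin']

  # Loop through $human_admins
  $freeipa::humanadmins.each | String $adminname, Hash[Enum['password','ensure'], String] $adminsettings | {
    $_ensure_admin = $adminsettings['ensure'] ? {
      Undef   => 'present',
      default =>  assert_type(Enum['present','absent'], $adminsettings['ensure']),
    }
    case $_ensure_admin {
      'present': {
        # Secrets for the shell; the commands reference them as "$DS_PW"/"$ADMIN_PW"
        # (written `\$` so Puppet does not interpolate them itself).
        $_secret_env = [
          "DS_PW=${freeipa::directory_services_password}",
          "ADMIN_PW=${adminsettings['password']}",
        ]
        exec { "Create ${adminname} account":
          command  => "${kinit_admin}; ipa user-add ${adminname} --first=${adminname} --last=${adminname}",
          unless   => "${kinit_admin}; ipa user-show ${adminname} | grep login",
          path     => $exec_path,
          provider => shell,
        }
        -> exec { "Add ${adminname} account to admins group in FreeIPA":
          command  => "${kinit_admin}; ipa group-add-member admins --users=${adminname}",
          # grep -w: whole-word match, so "bob" is not satisfied by a member named "bobby"
          unless   => "${kinit_admin}; ipa group-show admins | grep -w ${adminname}",
          path     => $exec_path,
          provider => shell,
        }
        -> exec { "Update ${adminname} password":
          command     => "ldappasswd -Z -H ldap://localhost -x -D \"cn=Directory Manager\" -w \"\$DS_PW\" -s \"\$ADMIN_PW\" \"uid=${adminname},cn=users,cn=accounts,${dc}\"",
          # A successful kinit with the desired password means it is already in place
          unless      => "echo \"\$ADMIN_PW\" | kinit ${adminname}",
          environment => $_secret_env,
          path        => $exec_path,
          provider    => shell,
        }
      }
      'absent': {
        exec { "Delete ${adminname} account":
          command  => "${kinit_admin}; ipa user-del ${adminname}",
          onlyif   => "${kinit_admin}; ipa user-show ${adminname}",
          path     => $exec_path,
          provider => shell,
        }
      }
      # Unreachable after assert_type above; kept as a guard against future edits
      default: { fail("unexpected value ${adminsettings['ensure']}") }
    }
  }
}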