Commit acaede4d authored by Scott Barthelemy

Update README, REFERENCE and init.pp about humanadmins and the puppet admin

parent 13b7b3ab
Pipeline #2625 passed with stages
in 29 minutes and 30 seconds
......@@ -39,15 +39,19 @@ This module requires :
## Usage
### puppet_admin/humanadmins
To ensure that desired state described in code is applied on the node, we need puppet to log in kerberos. So Puppet uses a fixed account admin to do this. It is possible to set the password of this account with parameter freeipa:: puppet_admin_password. The real humans administrators are are managed with Hash freeipa::humanadmins.
### Example usage:
Creating an IPA master, with the WebUI proxied to `https://localhost:8440`.
Creating an IPA master, with the WebUI proxied to `https://localhost:8440` and two admins foo and bar.
```puppet
class {'freeipa':
ipa_role => 'master',
domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-1.example.lan',
admin_password => 'vagrant123',
puppet_admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
install_ipa_server => true,
ip_address => '10.10.10.35',
......@@ -58,6 +62,7 @@ class {'freeipa':
webui_disable_kerberos => true,
webui_enable_proxy => true,
webui_force_https => true,
humanadmins => { foo => { password => 'secret123', ensure => 'present'}, bar => { password => 'secret123', ensure => 'present'} },
}
```
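Review bot: the new `### puppet_admin/humanadmins` paragraph has a duplicated word ("are are") and a stray space in `freeipa:: puppet_admin_password`, and it calls the account "a fixed account admin" without saying that this is IPA's built-in `admin` principal that Puppet uses to kinit, which is what `puppet_admin_password` sets (the init.pp doc line in this same commit still reads "assigned to the IPA account named 'admin'"). The example also places plaintext passwords in the manifest and gives `foo` and `bar` the same `'secret123'`; suggest pointing readers at Hiera/eyaml or `Sensitive(...)` for the values and using distinct placeholder passwords so the snippet is not copied verbatim into a real deployment.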
......
......@@ -6,6 +6,7 @@
**Classes**
* [`freeipa`](#freeipa): Manages IPA masters, replicas and clients.
* [`freeipa::config::humanadmins`](#freeipaconfighumanadmins): This class manages admin accounts. It will create/give rights to any admin accounts missing. It will delete accounts set in Hiera to be deleted.
* [`freeipa::config::krbinit`](#freeipaconfigkrbinit): Configures admin user
* [`freeipa::config::webui`](#freeipaconfigwebui): Configures port and redirect overrides for the IPA server web UI.
* [`freeipa::install`](#freeipainstall): Installs the packages needed for servers and clients
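Review bot: the summary for `freeipa::config::humanadmins` says it "will delete accounts set in Hiera to be deleted", but `humanadmins` is an ordinary class parameter that can come from Hiera or a resource-like declaration; phrase it in terms of the data instead, e.g. "removes accounts whose `ensure` is `'absent'`". "create/give rights to any admin accounts missing" is also ambiguous: say whether it creates the user, adds it to the `admins` group, or both.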
......@@ -43,7 +44,7 @@ class {'freeipa':
ipa_role => 'master',
domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-1.example.lan',
admin_password => 'vagrant123',
puppet_admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
install_ipa_server => true,
ip_address => '10.10.10.35',
......@@ -54,6 +55,7 @@ class {'freeipa':
webui_disable_kerberos => true,
webui_enable_proxy => true,
webui_force_https => true,
humanadmins => { foo => { password => 'secret123', ensure => 'present'}, bar => { password => 'secret123', ensure => 'present'} },
}
```
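Review bot: this example block is an exact copy of the README example, and the surrounding "Data type:" / "Default value:" layout is the puppet-strings markdown format. If REFERENCE.md is generated (`puppet strings generate --format markdown`), regenerate it from init.pp rather than hand-editing, otherwise the next generation run will drop these edits; if it is not generated, note that in the README so contributors know to update both files.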
......@@ -73,7 +75,7 @@ Data type: `Enum['master','replica','client']`
What role the node will be. Options are 'master', 'replica', and 'client'.
##### `admin_password`
##### `puppet_admin_password`
Data type: `String[8]`
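Review bot: renaming `admin_password` to `puppet_admin_password` is a breaking change for every existing declaration of `class { 'freeipa': admin_password => ... }`, and the commit adds no deprecation path. Either keep `admin_password` as a deprecated alias that maps onto the new parameter with a warning, or call the rename out in the CHANGELOG and bump the major version.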
......@@ -139,7 +141,7 @@ Data type: `String`
The password for the domain_join_principal.
Default value: $directory_services_password
Default value: $puppet_admin_password
##### `enable_hostname`
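Review bot: the default of `domain_join_password` silently changes from `$directory_services_password` to `$puppet_admin_password`. On a deployment where those two differ (the examples set both to the same value, which hides this) client enrollment will start using the wrong credential after upgrade. Mention the change in the commit message or CHANGELOG, and consider whether joining with the Directory Manager password was ever intended, since the admin credential is the lower-privilege choice.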
......@@ -377,6 +379,40 @@ The HTTPS port to use for the reverse proxy. Cannot be 443.
Default value: '8440'
##### `humanadmins`
Data type: `Freeipa::Humanadmins`
Hash of admin accounts in freeipa (name, password, present/absent)
Options:
* **Hash** `Enum['username','password','ensure']`: :admin Hash containing infos for one admin
* **String** `1`: :password Admin's password
* **String** `1`: :ensure Parameter to know set if the admin should exists or not (used to delete admins). Values accepted in module are 'present'/'absent'
Default value: {}
##### `enable_manage_admins`
Data type: `Boolean`
Default value: `true`
### freeipa::config::humanadmins
This class manages admin accounts. It will create/give rights to any admin accounts missing. It will delete accounts set in Hiera to be deleted.
#### Examples
#####
```puppet
include freeipa::config::humanadmins
```
### freeipa::config::krbinit
Configures admin user
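Review bot: the `humanadmins` option documentation does not match the example: the options list an `Enum['username','password','ensure']` key set, but in the example the outer key is the username itself (`foo`, `bar`) and only `password` and `ensure` appear inside. `ensure` is typed `String[1]` while the text says only `'present'`/`'absent'` are accepted; type it `Enum['present','absent']` (or do so in the `Freeipa::Humanadmins` alias, which is referenced here but not part of this diff, so please confirm it exists under `types/`). "Parameter to know set if the admin should exists or not" needs rewording, and `enable_manage_admins` is added with a type and default but no description of what it enables.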
......
......@@ -17,14 +17,14 @@
# webui_disable_kerberos => true,
# webui_enable_proxy => true,
# webui_force_https => true,
# admins => [ 'admin', 'admin2' ],
# humanadmins => { foo => { password => 'secret123', ensure => 'present'}, bar => { password => 'secret123', ensure => 'present'} },
# }
#
# Parameters
# ----------
# @param domain The name of the IPA domain to create or join.
# @param ipa_role What role the node will be. Options are 'master', 'replica', and 'client'.
# @param admin_password Password which will be assigned to the IPA account named 'admin'.
# @param puppet_admin_password Password which will be assigned to the IPA account named 'admin'.
# @param directory_services_password Password which will be passed into the ipa setup's parameter named "--ds-password".
# @param autofs_package_name Name of the autofs package to install if enabled.
# @param client_install_ldaputils If true, then the ldaputils packages are installed if ipa_role is set to client.
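Review bot: the `@param puppet_admin_password` description is just the old `admin_password` text; now that the README presents this as "the puppet admin", say explicitly that it is the password of IPA's built-in `admin` account and that Puppet uses it to obtain a Kerberos ticket before applying state. Since this and the other password parameters are plain `String[8]`, consider `Sensitive[String[8]]` so the values are redacted in reports and logs.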
......@@ -70,8 +70,10 @@
# This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard ports.
# @param webui_proxy_external_fqdn The public or external FQDN used to access the IPA Web UI behind the reverse proxy.
# @param webui_proxy_https_port The HTTPS port to use for the reverse proxy. Cannot be 443.
# @param $admins The list of admin accounts in freeipa. (The list of users who belong to admins group)
#
# @param humanadmins Hash of admin accounts in freeipa (name, password, present/absent)
# @option humanadmins Hash[Enum['username','password','ensure'], String[1]] :admin Hash containing infos for one admin
# @option humanadmins String[1] :password Admin's password
# @option humanadmins String[1] :ensure Parameter to know set if the admin should exists or not (used to delete admins). Values accepted in module are 'present'/'absent'
#
class freeipa (
Stdlib::Fqdn $domain,
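Review bot: the `@option` lines use a non-standard form; puppet-strings expects `@option humanadmins [Type] :key description` with the type in square brackets, so `Hash[Enum['username','password','ensure'], String[1]]` will not be parsed as a type. The documented `username` key also contradicts the example above, where the username is the outer hash key. The `@param $admins` doc is deleted here; check that `$admins` is also removed from the class signature and from any data types, and that an `admins => [...]` left in existing user data now fails loudly rather than being ignored.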
......