Salt Formula for sssd

The existing options out there were insufficient and/or too messy for my needs.

Your other options, as best I can tell, are:
https://github.com/gsyt/salt-sssd
https://github.com/Spark-Networks/salt-sssd-formula

GitHub Release

The full formula and a basic README/pillar.example are now available via,

https://github.com/colin-stubbs/salt-formula-sssd

At this point the code is still the documentation.


Deployment and configuration

The single state sssd deploys the packages and the configuration, and enables/starts the service.

A package list will always be installed; however, to enable configuration and service management, ensure the following pillar options are set to True (they are False by default):

sssd:
  service:
    manage: True
  config:
    manage: True

The sssd.conf file is the principal file that's managed. Its full content is rendered from pillar like so,

# /etc/sssd/sssd.conf
#
# WARNING: This file is managed by Salt Stack.
#

{% for section_name, section_arguments in config.items() -%}
[{{ section_name }}]
{% for argument, value in section_arguments.items() -%}
{{ argument }} = {{ value }}
{% endfor %}
{% endfor %}
# EOF

Using sssd for system auth

Given I only use RedHat/CentOS/Fedora, I've neglected to bother adding support for Debian/Ubuntu. Feel free to add it and issue a pull request.

The sssd.sysauth state can be used to run authconfig --enablesssd --enablesssdauth --updateall, which modifies the system's PAM-based auth configuration. If you're manually managing /etc/pam.d/ file content (or using another distro) you'll need to work out how to update the configuration appropriately.

Arguments to authconfig can optionally be configured using the pillar key sssd.sysauth.updateall_args; be sure you understand what you're doing if you modify them.

Using this state is optional; be sure to include it on systems which need it.

NOTE: sssd.sysauth includes sssd as it considers the service to be a dependency.


SSH public key auth integration

You need to ensure AuthorizedKeysCommand is set in sshd_config, pointing at sss_ssh_authorizedkeys.

Example minimal pillar configuration when using a state based on https://github.com/saltstack-formulas/openssh-formula,

sshd_config:
  PubkeyAuthentication: 'yes'
  AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys %u'
  AuthorizedKeysCommandUser: 'nobody'

Example

The following pillar configuration works with JumpCloud's LDAP service,

sssd:
  lookup:
    pkgs:
      - sssd
      - sssd-common
      - sssd-client
      - sssd-tools
    locations:
      config_file: '/etc/sssd/sssd.conf'
  service:
    manage: True
  config:
    manage: True
    ca_certificates: |
      -----BEGIN CERTIFICATE-----
      MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
      MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
      YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
      MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
      ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
      MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
      ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
      PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
      wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
      EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
      avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
      YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
      sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
      /t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
      IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
      YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
      ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
      OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
      TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
      HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
      dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
      ReYNnyicsbkqWletNw+vHX/bvZ8=
      -----END CERTIFICATE-----
    options:
      sssd:
        config_file_version: 2
        services: 'nss, pam, ssh'
        domains: 'jumpcloud'
      'domain/jumpcloud':
        debug_level: 2
        id_provider: ldap
        enumerate: 'true'
        auth_provider: 'ldap'
        cache_credentials: 'true'
        ldap_uri: 'ldaps://ldap.jumpcloud.com:636'
        ldap_search_base: 'o=ORG_ID,dc=jumpcloud,dc=com'
        ldap_default_bind_dn: 'uid=service-account,ou=Users,o=ORG_ID,dc=jumpcloud,dc=com'
        ldap_default_authtok: 'PLAINTEXT_PASSWORD'
        ldap_user_ssh_public_key: sshKey
        ldap_tls_cacert: '/etc/sssd/certs/ca-certificates.crt'
        sudo_provider: none
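As an added example (not the formula's own code), the following Python renders sssd.conf from a pillar-style dict exactly as the template above does, parses it back with configparser, and applies a few checks a practitioner would want before trusting the result: ldaps:// or StartTLS in use, a CA certificate configured for ldaps://, ldap_tls_reqcert not weakened, the ssh responder listed in services when ldap_user_ssh_public_key is set (sss_ssh_authorizedkeys depends on it), and a reminder that a bind password in ldap_default_authtok means the file has to stay root-only. The option values are taken from the JumpCloud example above, with ORG_ID and PLAINTEXT_PASSWORD left as placeholders; the list of checks is this example's own choice, not something the formula performs.

```python
"""Render sssd.conf from a pillar-style dict the way the formula's Jinja
template does, read it back, and run a few defensive sanity checks.

Added example, not the formula's code. The checks are this example's own
choice; ORG_ID and PLAINTEXT_PASSWORD are placeholders as in the post.
"""
import configparser
import copy
import io

# Constructed pillar fragment mirroring sssd:config:options from the post.
PILLAR_OPTIONS = {
    "sssd": {
        "config_file_version": 2,
        "services": "nss, pam, ssh",
        "domains": "jumpcloud",
    },
    "domain/jumpcloud": {
        "debug_level": 2,
        "id_provider": "ldap",
        "auth_provider": "ldap",
        "cache_credentials": "true",
        "ldap_uri": "ldaps://ldap.jumpcloud.com:636",
        "ldap_search_base": "o=ORG_ID,dc=jumpcloud,dc=com",
        "ldap_default_bind_dn": "uid=service-account,ou=Users,o=ORG_ID,dc=jumpcloud,dc=com",
        "ldap_default_authtok": "PLAINTEXT_PASSWORD",
        "ldap_user_ssh_public_key": "sshKey",
        "ldap_tls_cacert": "/etc/sssd/certs/ca-certificates.crt",
        "sudo_provider": "none",
    },
}

# A deliberately weakened copy: cleartext LDAP, certificate checks off, no ssh responder.
WEAK_OPTIONS = copy.deepcopy(PILLAR_OPTIONS)
WEAK_OPTIONS["sssd"]["services"] = "nss, pam"
WEAK_OPTIONS["domain/jumpcloud"]["ldap_uri"] = "ldap://ldap.jumpcloud.com:389"
WEAK_OPTIONS["domain/jumpcloud"]["ldap_tls_reqcert"] = "never"


def render_sssd_conf(config):
    """Emit the same header, [section] / key = value layout and footer as the template."""
    lines = ["# /etc/sssd/sssd.conf", "#",
             "# WARNING: This file is managed by Salt Stack.", "#", ""]
    for section_name, section_arguments in config.items():
        lines.append("[%s]" % section_name)
        for argument, value in section_arguments.items():
            lines.append("%s = %s" % (argument, value))
        lines.append("")
    lines.append("# EOF")
    return "\n".join(lines) + "\n"


def parse_sssd_conf(text):
    """Read sssd.conf back into {section: {key: value}}; option names keep their case."""
    parser = configparser.RawConfigParser(comment_prefixes=("#", ";"))
    parser.optionxform = str
    parser.read_file(io.StringIO(text))
    return {section: dict(parser.items(section)) for section in parser.sections()}


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def check_sssd_conf(conf):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    services = _csv(conf.get("sssd", {}).get("services", ""))
    for domain in _csv(conf.get("sssd", {}).get("domains", "")):
        section = "domain/%s" % domain
        d = conf.get(section)
        if d is None:
            findings.append("%s: listed in [sssd] domains but has no section" % section)
            continue
        uri = d.get("ldap_uri", "")
        if uri and not uri.startswith("ldaps://") and d.get("ldap_id_use_start_tls", "false").lower() != "true":
            findings.append("%s: ldap_uri is not ldaps:// and ldap_id_use_start_tls is off" % section)
        if uri.startswith("ldaps://") and not (d.get("ldap_tls_cacert") or d.get("ldap_tls_cacertdir")):
            findings.append("%s: ldaps:// without ldap_tls_cacert or ldap_tls_cacertdir" % section)
        if d.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
            findings.append("%s: ldap_tls_reqcert=%s skips server certificate verification" % (section, d["ldap_tls_reqcert"]))
        if d.get("ldap_user_ssh_public_key") and "ssh" not in services:
            findings.append("%s: ldap_user_ssh_public_key set but 'ssh' is missing from [sssd] services" % section)
        if d.get("ldap_default_authtok"):
            findings.append("%s: bind password is stored in the file; keep it root-owned, mode 0600" % section)
    return findings


def audit_pillar(options):
    """Render, re-parse and check a pillar options dict end to end."""
    return check_sssd_conf(parse_sssd_conf(render_sssd_conf(options)))


if __name__ == "__main__":
    for name, opts in (("example", PILLAR_OPTIONS), ("weakened", WEAK_OPTIONS)):
        print("== %s ==" % name)
        for finding in audit_pillar(opts) or ["ok"]:
            print(" -", finding)
```

Because the bind password has to be in sssd.conf for a simple bind, the one finding the example pillar produces is the reminder about file ownership and mode; the weakened copy additionally trips the cleartext-LDAP, ldap_tls_reqcert and missing-ssh-responder checks.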

Applying it to an already configured system runs through the following states,

$ salt 'host.example.tld' state.apply sssd.sysauth
host.example.tld:
----------
          ID: sssd
    Function: pkg.installed
      Result: True
     Comment: All specified packages are already installed
     Started: 11:57:15.687209
    Duration: 1984.11 ms
     Changes:
----------
          ID: /etc/sssd/sssd.conf
    Function: file.managed
      Result: True
     Comment: File /etc/sssd/sssd.conf is in the correct state
     Started: 11:57:17.672514
    Duration: 114.505 ms
     Changes:
----------
          ID: /etc/sssd/certs
    Function: file.directory
      Result: True
     Comment: Directory /etc/sssd/certs is in the correct state
              Directory /etc/sssd/certs updated
     Started: 11:57:17.787158
    Duration: 1.695 ms
     Changes:
----------
          ID: /etc/sssd/certs/ca-certificates.crt
    Function: file.managed
      Result: True
     Comment: File /etc/sssd/certs/ca-certificates.crt is in the correct state
     Started: 11:57:17.789107
    Duration: 1.084 ms
     Changes:
----------
          ID: service-sssd
    Function: service.running
        Name: sssd
      Result: True
     Comment: The service sssd is already running
     Started: 11:57:17.790792
    Duration: 36.43 ms
     Changes:
----------
          ID: sssd-sysauth-req-authconfig
    Function: pkg.installed
        Name: authconfig
      Result: True
     Comment: All specified packages are already installed
     Started: 11:57:17.827378
    Duration: 0.51 ms
     Changes:
----------
          ID: authconfig_updateall
    Function: cmd.run
        Name: authconfig --enablesssd --enablesssdauth --disableldap --disableldapauth --enablemkhomedir --updateall
      Result: True
     Comment: unless execution succeeded
     Started: 11:57:17.829209
    Duration: 206.829 ms
     Changes:

Summary for host.example.tld
------------
Succeeded: 7
Failed:    0
------------
Total states run:     7
Total run time:   2.345 s
$

JumpCloud

For more information about JumpCloud's service, see:

https://support.jumpcloud.com/customer/portal/articles/2439911-using-jumpcloud-s-ldap-as-a-service

I'm in no way affiliated beyond using their services. They still feel very new and startupy but have a great service offering already.

About Colin Stubbs
Brisbane, Queensland, Australia
Space monkey meat popsicle with technology and noise addictions.