Merge "Add sssd puppet plugin to generate sssd config data"

sysinv/sysinv/sysinv/setup.cfg

@@ -69,6 +69,7 @@ systemconfig.puppet_plugins =
     039_helm = sysinv.puppet.helm:HelmPuppet
     040_rook = sysinv.puppet.rook:RookPuppet
     041_certalarm = sysinv.puppet.certalarm:CertAlarmPuppet
+    042_sssd = sysinv.puppet.sssd:SssdPuppet
     099_service_parameter = sysinv.puppet.service_parameter:ServiceParamPuppet
 
 systemconfig.armada.manifest_ops =

sysinv/sysinv/sysinv/sysinv/puppet/ldap.py

@@ -1,8 +1,9 @@
 #
-# Copyright (c) 2017 Wind River Systems, Inc.
+# Copyright (c) 2017-2022 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+import keyring
 
 from passlib.hash import ldap_salted_sha1 as hash
 
@@ -19,6 +20,9 @@ class LdapPuppet(base.BasePuppet):
         password = self._generate_random_password()
         passhash = hash.encrypt(password)
 
+        # Store the ldapadmin password for client (such as sssd)
+        keyring.set_password('ldap', 'ldapadmin', password)
+
         return {
             'platform::ldap::params::admin_pw': password,
             'platform::ldap::params::admin_hashed_pw': passhash,

sysinv/sysinv/sysinv/sysinv/puppet/sssd.py

@@ -0,0 +1,67 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from sysinv.puppet import base
+
+
+class SssdPuppet(base.BasePuppet):
+    """Class to encapsulate puppet operations for sssd configuration"""
+
+    SERVICE_NAME = 'ldap'
+    SERVICE_USER = 'ldapadmin'
+
+    def get_secure_system_config(self):
+        config = {}
+        domains = {}
+
+        domains.update({'local': self._get_local_domain()})
+
+        config.update(
+            {
+                'platform::sssd::params::domains': domains,
+            })
+
+        return config
+
+    def _get_local_domain(self):
+        binding_pass = self._get_keyring_password(self.SERVICE_NAME,
+                self.SERVICE_USER)
+
+        # sssd support the debug levels (from sssd.conf manual page):
+        # 0, 0x0010: Fatal failures. Anything that would prevent SSSD
+        #            from starting up or causes it to cease running.
+        # 1, 0x0020: Critical failures. An error that doesn't kill
+        #            SSSD, but one that indicates that at least one
+        #            major feature is not going to work properly.
+        # 2, 0x0040: Serious failures. An error announcing that a
+        #            particular request or operation has failed.
+        # 3, 0x0080: Minor failures. These are the errors that would
+        #            percolate down to cause the operation failure
+        #            of 2.
+        # 4, 0x0100: Configuration settings.
+        # 5, 0x0200: Function data.
+        # 6, 0x0400: Trace messages for operation functions.
+        # 7, 0x1000: Trace messages for internal control functions.
+        # 8, 0x2000: Contents of function-internal variables that may
+        #            be interesting.
+        # 9, 0x4000: Extremely low-level tracing information.
+        # 10, 0x10000: Even more low-level libldb tracing information.
+        #              Almost never really required.
+        #
+        # Example: 0x3ff0, debug log includes level 0 to 8 messages.
+
+        domain_settings = {
+            'id_provider': 'ldap',
+            'ldap_uri': 'ldaps://controller/',
+            'ldap_tls_cacert': '/etc/ssl/certs/ca-certificates.crt',
+            'ldap_search_base': 'dc=cgcs,dc=local',
+            'ldap_default_bind_dn': 'CN=ldapadmin,DC=cgcs,DC=local',
+            'ldap_default_authtok_type': 'password',
+            'ldap_default_authtok': binding_pass,
+            'debug_level': '0x3ff0',
+        }
+
+        return domain_settings