sasl: Do not run saslauthd as root on centos/fedora/rhel
This commit is contained in:
parent
6b4ab40c93
commit
15bb080b46
1 changed files with 33 additions and 1 deletions
|
@ -39,6 +39,10 @@ class sasl::client {
|
||||||
#
|
#
|
||||||
# For ldap authentication, see ldap::client for required global variables.
|
# For ldap authentication, see ldap::client for required global variables.
|
||||||
#
|
#
|
||||||
|
# When using kerberos5 mech on CentOS, Fedora or RedHat system
|
||||||
|
# the saslauthd is ran as saslauth user and uses host/$FQDN from
|
||||||
|
# /etc/saslauthd.keytab for authentication.
|
||||||
|
#
|
||||||
class sasl::saslauthd {
|
class sasl::saslauthd {
|
||||||
|
|
||||||
require sasl::client
|
require sasl::client
|
||||||
|
@ -55,6 +59,7 @@ class sasl::saslauthd {
|
||||||
changes => "set MECH ldap",
|
changes => "set MECH ldap",
|
||||||
notify => Service["saslauthd"],
|
notify => Service["saslauthd"],
|
||||||
}
|
}
|
||||||
|
$user = "saslauth"
|
||||||
}
|
}
|
||||||
"openbsd": {
|
"openbsd": {
|
||||||
Service["saslauthd"] {
|
Service["saslauthd"] {
|
||||||
|
@ -87,9 +92,12 @@ class sasl::saslauthd {
|
||||||
"centos","fedora","redhat": {
|
"centos","fedora","redhat": {
|
||||||
augeas { "set-saslauthd-mech":
|
augeas { "set-saslauthd-mech":
|
||||||
context => "/files/etc/sysconfig/saslauthd",
|
context => "/files/etc/sysconfig/saslauthd",
|
||||||
changes => "set MECH kerberos5",
|
changes => [ "set MECH kerberos5",
|
||||||
|
"set KRB5_KTNAME '\"/etc/saslauthd.keytab\"'",
|
||||||
|
"set @export KRB5_KTNAME", ],
|
||||||
notify => Service["saslauthd"],
|
notify => Service["saslauthd"],
|
||||||
}
|
}
|
||||||
|
$user = "saslauth"
|
||||||
}
|
}
|
||||||
"openbsd": {
|
"openbsd": {
|
||||||
Service["saslauthd"] {
|
Service["saslauthd"] {
|
||||||
|
@ -118,6 +126,30 @@ class sasl::saslauthd {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if $user {
|
||||||
|
case $::operatingsystem {
|
||||||
|
"centos","fedora","redhat": {
|
||||||
|
file { "/var/run/saslauthd":
|
||||||
|
ensure => directory,
|
||||||
|
mode => "0755",
|
||||||
|
owner => $user,
|
||||||
|
group => $user,
|
||||||
|
before => Service["saslauthd"],
|
||||||
|
}
|
||||||
|
augeas { "set-saslauthd-user":
|
||||||
|
context => "/files/etc/sysconfig/saslauthd",
|
||||||
|
changes => "set DAEMONOPTS '\"--user ${user}\"'",
|
||||||
|
notify => Service["saslauthd"],
|
||||||
|
}
|
||||||
|
}
|
||||||
|
default: {
|
||||||
|
fail("Running saslauthd as non root not supported on ${::operatingsystem}")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$user = "root"
|
||||||
|
}
|
||||||
|
|
||||||
service { "saslauthd":
|
service { "saslauthd":
|
||||||
ensure => running,
|
ensure => running,
|
||||||
enable => true,
|
enable => true,
|
||||||
|
|
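Review bot: The non-root branch added in the last hunk has saslauthd read /etc/saslauthd.keytab (wired up through KRB5_KTNAME in the third hunk) as `${user}`, but nothing in the commit ensures that keytab is readable by that user and by nobody else, so depending on how the keytab was deployed the change either breaks kerberos5 authentication (root-only keytab) or leaves a host credential readable by other accounts. If the keytab is provisioned outside this module, the header comment added in the first hunk should state the precondition, e.g. `# /etc/saslauthd.keytab must be owned by the saslauth user, mode 0600.`; if it is meant to be managed here, a `file` resource with `owner => $user, mode => "0600", before => Service["saslauthd"]` alongside the /var/run/saslauthd one would pin it. Separately, `set DAEMONOPTS '\"--user ${user}\"'` overwrites any DAEMONOPTS value already present in /etc/sysconfig/saslauthd rather than adding to it, which deserves a one-line comment on the augeas resource. The `service { "saslauthd": ... }` resource continues past the end of the hunk.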