Reference

Table of Contents

Classes

Defined types

Data types

Classes

sasl

Installs and manages Cyrus SASL.

  • See also
    • puppet_classes::sasl::authd
      • ::sasl::authd
    • puppet_defined_types::sasl::application
      • ::sasl::application

Examples

Declaring the class

include ::sasl

Parameters

The following parameters are available in the sasl class.

application_directory

Data type: Stdlib::Absolutepath

Per-application configuration directory, usually /etc/sasl2 or /usr/lib/sasl2.

Default value: $::sasl::params::application_directory

package_name

Data type: String

The name of the core package.

Default value: $::sasl::params::package_name

auxprop_packages

Data type: Hash[SASL::Auxprop, String]

Hash of Auxiliary Property plugins mapped to the package that provides them.

Default value: $::sasl::params::auxprop_packages

mech_packages

Data type: Hash[SASL::Mech, String]

Hash of authentication mechanisms mapped to the package that provides them.

Default value: $::sasl::params::mech_packages

sasl::authd

Installs and manages the SASL saslauthd daemon.

  • See also
    • puppet_classes::sasl
      • ::sasl
    • puppet_defined_types::sasl::application
      • ::sasl::application

Examples

Declaring the class using PAM mechanism

include ::sasl
class { '::sasl::authd':
  mechanism => 'pam',
}

Declaring the class using LDAP mechanism

include ::sasl
class { '::sasl::authd':
  mechanism           => 'ldap',
  ldap_auth_method    => 'bind',
  ldap_search_base    => 'ou=people,dc=example,dc=com',
  ldap_servers        => ['ldap://ldap.example.com'],
  ldap_start_tls      => true,
  ldap_tls_cacert_dir => '/etc/pki/tls/certs',
  ldap_tls_ciphers    => 'AES256',
}

Declaring the class using IMAP mechanism

include ::sasl
class { '::sasl::authd':
  mechanism   => 'rimap',
  imap_server => 'imap.example.com',
}

Parameters

The following parameters are available in the sasl::authd class.

mechanism

Data type: SASL::Authd::Mechanism

The mechanism saslauthd uses to test the user credentials.

threads

Data type: Integer[1]

Maximum number of concurrent threads to use.

Default value: $::sasl::params::saslauthd_threads

package_name

Data type: String

The name of the package.

Default value: $::sasl::params::saslauthd_package

service_name

Data type: String

The name of the service.

Default value: $::sasl::params::saslauthd_service

socket

Data type: Stdlib::Absolutepath

Path to the socket used for communication.

Default value: $::sasl::params::saslauthd_socket

hasstatus

Data type: Boolean

Whether the service supports querying its running status.

Default value: $::sasl::params::saslauthd_hasstatus

ldap_conf_file

Data type: Optional[Stdlib::Absolutepath]

Path to the configuration file for LDAP configuration, usually /etc/saslauthd.conf.

Default value: $::sasl::params::saslauthd_ldap_conf_file

ldap_auth_method

Data type: Optional[Enum['bind', 'custom', 'fastbind']]

How to authenticate with the LDAP server.

Default value: undef

ldap_bind_dn

Data type: Optional[Bodgitlib::LDAP::DN]

Distinguished name used to bind to the LDAP server.

Default value: undef

ldap_bind_pw

Data type: Optional[String]

Password used to bind with.

Default value: undef

ldap_default_domain

Data type: Optional[String]

Default value: undef

ldap_default_realm

Data type: Optional[String]

Default value: undef

ldap_deref

Data type: Optional[Enum['search', 'find', 'always', 'never']]

Default value: undef

ldap_filter

Data type: Optional[Bodgitlib::LDAP::Filter]

Search filter to apply when searching for users.

Default value: undef

ldap_group_attr

Data type: Optional[String]

Default value: undef

ldap_group_dn

Data type: Optional[Bodgitlib::LDAP::DN]

Default value: undef

ldap_group_filter

Data type: Optional[Bodgitlib::LDAP::Filter]

Search filter to apply when searching for groups.

Default value: undef

ldap_group_match_method

Data type: Optional[Enum['attr', 'filter']]

Default value: undef

ldap_group_search_base

Data type: Optional[Bodgitlib::LDAP::DN]

Base used for searching for group entries.

Default value: undef

ldap_group_scope

Data type: Optional[Bodgitlib::LDAP::Scope]

Search scope used when searching for group entries.

Default value: undef

ldap_password

Data type: Optional[String]

Default value: undef

ldap_password_attr

Data type: Optional[String]

Default value: undef

ldap_referrals

Data type: Optional[Boolean]

Default value: undef

ldap_restart

Data type: Optional[Boolean]

Default value: undef

ldap_id

Data type: Optional[String]

Default value: undef

ldap_authz_id

Data type: Optional[String]

Default value: undef

ldap_mech

Data type: Optional[String]

Default value: undef

ldap_realm

Data type: Optional[String]

Default value: undef

ldap_scope

Data type: Optional[Bodgitlib::LDAP::Scope]

Search scope used when searching for user entries.

Default value: undef

ldap_search_base

Data type: Optional[Bodgitlib::LDAP::DN]

Base used for searching for user entries.

Default value: undef

ldap_servers

Data type: Optional[Array[Bodgitlib::LDAP::URI::Simple, 1]]

List of LDAP URIs to query.

Default value: undef

ldap_start_tls

Data type: Optional[Boolean]

Whether to use SSL/TLS (STARTTLS) on the LDAP connection.

Default value: undef

ldap_time_limit

Data type: Optional[Integer[0]]

Search time limit.

Default value: undef

ldap_timeout

Data type: Optional[Integer[0]]

Timeout when connecting to LDAP server.

Default value: undef

ldap_tls_check_peer

Data type: Optional[Boolean]

Whether to verify the LDAP server certificate.

Default value: undef

ldap_tls_cacert_file

Data type: Optional[Stdlib::Absolutepath]

Path to CA certificate.

Default value: undef

ldap_tls_cacert_dir

Data type: Optional[Stdlib::Absolutepath]

Path to directory of CA certificates.

Default value: undef

ldap_tls_ciphers

Data type: Optional[String]

A list of accepted ciphers to use.

Default value: undef

ldap_tls_cert

Data type: Optional[Stdlib::Absolutepath]

Path to client certificate.

Default value: undef

ldap_tls_key

Data type: Optional[Stdlib::Absolutepath]

Path to client key.

Default value: undef

ldap_use_sasl

Data type: Optional[Boolean]

Whether to use SASL with LDAP.

Default value: undef

ldap_version

Data type: Optional[Integer[2, 3]]

The LDAP protocol version to use, either 2 or 3.

Default value: undef

imap_server

Data type: Optional[SASL::HostPort]

IMAP server to use, given either as a hostname/IP address or as a hostname/IP address and port tuple.

Default value: undef

sasl::authd::config

The sasl::authd::config class.

sasl::authd::install

The sasl::authd::install class.

sasl::authd::service

The sasl::authd::service class.

sasl::config

The sasl::config class.

sasl::install

The sasl::install class.

sasl::params

The sasl::params class.

Defined types

sasl::application

Installs per-application SASL authentication configuration.

  • See also
    • puppet_classes::sasl
      • ::sasl
    • puppet_classes::sasl::authd
      • ::sasl::authd

Examples

Configure Postfix for DIGEST-MD5 and CRAM-MD5 authentication using the sasldb backend

include ::sasl
::sasl::application { 'smtpd':
  pwcheck_method => 'auxprop',
  auxprop_plugin => 'sasldb',
  mech_list      => ['digest-md5', 'cram-md5'],
}

Configure Postfix for PLAIN and LOGIN authentication using the saslauthd backend which itself is using LDAP+STARTTLS

include ::sasl
class { '::sasl::authd':
  mechanism           => 'ldap',
  ldap_auth_method    => 'bind',
  ldap_search_base    => 'ou=people,dc=example,dc=com',
  ldap_servers        => ['ldap://ldap.example.com'],
  ldap_start_tls      => true,
  ldap_tls_cacert_dir => '/etc/pki/tls/certs',
  ldap_tls_ciphers    => 'AES256',
}
::sasl::application { 'smtpd':
  pwcheck_method => 'saslauthd',
  mech_list      => ['plain', 'login'],
}
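
A variant of the LDAP+STARTTLS example above with server certificate verification switched on, added here as an illustration and not part of the module's own documentation. ldap_tls_check_peer defaults to undef in this class, and saslauthd does not verify the LDAP server certificate unless the option is set. The CA file path, the service bind DN and the Hiera key name are assumptions.

```puppet
include ::sasl

class { '::sasl::authd':
  mechanism            => 'ldap',
  ldap_auth_method     => 'bind',
  # StartTLS is an LDAPv3 extended operation, so pin the protocol version.
  ldap_version         => 3,
  ldap_servers         => ['ldap://ldap.example.com'],
  ldap_search_base     => 'ou=people,dc=example,dc=com',

  # Dedicated low-privilege account for the user search (assumed DN).
  # The password is read from Hiera (hypothetical key) so it stays out of
  # the manifest; it is still written to the file named by ldap_conf_file.
  ldap_bind_dn         => 'cn=saslauthd,ou=services,dc=example,dc=com',
  ldap_bind_pw         => lookup('profile::mail::saslauthd_bind_pw'),

  # Upgrade the connection with StartTLS and require a server certificate
  # that chains to the given CA. Without ldap_tls_check_peer the session is
  # encrypted but the server is not authenticated.
  ldap_start_tls       => true,
  ldap_tls_check_peer  => true,
  ldap_tls_cacert_file => '/etc/pki/tls/certs/ldap-ca.pem', # assumed path
  ldap_tls_ciphers     => 'AES256',

  # Fail fast when the directory is unreachable and do not follow
  # referrals to servers other than those listed in ldap_servers.
  ldap_timeout         => 5,
  ldap_referrals       => false,
}

# PLAIN and LOGIN hand the cleartext password to smtpd, which passes it to
# saslauthd over the local socket. Postfix should therefore only offer AUTH
# on TLS-protected sessions; that is configured in Postfix, not by this module.
::sasl::application { 'smtpd':
  pwcheck_method => 'saslauthd',
  mech_list      => ['plain', 'login'],
}
```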

Parameters

The following parameters are available in the sasl::application defined type.

pwcheck_method

Data type: Enum['auxprop', 'saslauthd']

The password check method.

mech_list

Data type: Array[SASL::Mech, 1]

The authentication mechanisms to offer/support.

application

Data type: String

The name of the application.

Default value: $title

auxprop_plugin

Data type: Optional[SASL::Auxprop]

The name of the plugin to use when pwcheck_method is auxprop.

Default value: undef

ldapdb_uri

Data type: Optional[Array[Bodgitlib::LDAP::URI::Simple, 1]]

List of LDAP URIs to query.

Default value: undef

ldapdb_id

Data type: Optional[String]

SASL ID to use to authenticate with LDAP.

Default value: undef

ldapdb_mech

Data type: Optional[String]

SASL mechanism to use with LDAP.

Default value: undef

ldapdb_pw

Data type: Optional[String]

Password to use with LDAP.

Default value: undef

ldapdb_rc

Data type: Optional[Stdlib::Absolutepath]

Path to separate LDAP configuration file.

Default value: undef

ldapdb_starttls

Data type: Optional[Enum['try', 'demand']]

Whether to attempt STARTTLS or not.

Default value: undef

sasldb_path

Data type: Optional[Stdlib::Absolutepath]

Path to local SASL database.

Default value: undef

sql_engine

Data type: Optional[Enum['mysql', 'pgsql', 'sqlite']]

Which SQL engine to use.

Default value: undef

sql_hostnames

Data type: Optional[Array[SASL::HostPort, 1]]

List of database servers to use.

Default value: undef

sql_user

Data type: Optional[String]

Database user to use.

Default value: undef

sql_passwd

Data type: Optional[String]

Password of database user.

Default value: undef

sql_database

Data type: Optional[String]

Name of the database.

Default value: undef

sql_select

Data type: Optional[String]

SQL query used with SELECT operations.

Default value: undef

sql_insert

Data type: Optional[String]

SQL statement used with INSERT operations.

Default value: undef

sql_update

Data type: Optional[String]

SQL statement used with UPDATE operations.

Default value: undef

sql_usessl

Data type: Optional[Boolean]

Whether to use SSL or not.

Default value: undef

Data types

SASL::Authd::Mechanism

The SASL::Authd::Mechanism data type.

  • Since 2.0.0

Alias of Enum['getpwent', 'httpform', 'kerberos5', 'ldap', 'pam', 'rimap', 'sasldb', 'shadow']

SASL::Auxprop

The SASL::Auxprop data type.

  • Since 2.0.0

Alias of Enum['ldapdb', 'sasldb', 'sql']

SASL::HostPort

The SASL::HostPort data type.

  • Since 2.0.0

Alias of Variant[Variant[Bodgitlib::Hostname, Stdlib::IP::Address::V4::NoSubnet], Tuple[Variant[Bodgitlib::Hostname, Stdlib::IP::Address::V4::NoSubnet], Bodgitlib::Port]]

SASL::Mech

The SASL::Mech data type.

  • Since 2.0.0

Alias of Enum['anonymous', 'cram-md5', 'digest-md5', 'login', 'ntlm', 'plain', 'external']