We have a cluster of nodes whose configuration is maintained by Puppet. Puppet ensures that sssd is installed via:

service { 'sssd':
   ensure  => running,
   enable  => true,
   require => Package[$libsss_sudo_package],
}

However, a default sssd.conf is used; I cannot find a modifiable template. A concrete example of a generated sssd.conf from a particular node in the cluster is as follows:

[domain/example.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = host-1.muskrat.local
chpass_provider = ipa
ipa_server = _srv_, ipa-server.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

Every sssd.conf is different because the parameter ipa_hostname varies on each host. So, I can't just define an "sssd" module and use a fixed sssd.conf.

In Puppet, how may I ensure that a particular line gets added to a particular section of an existing sssd.conf?

Specifically, I want to disable hashing of /var/lib/sss/pubconf/known_hosts by adding this line to the [ssh] section of sssd.conf:

[ssh]
ssh_hash_known_hosts = false

How may I do so in Puppet?