|  | ||
|---|---|---|
| defaults | ||
| handlers | ||
| meta | ||
| tasks | ||
| templates/etc/sssd | ||
| vars | ||
| CHANGELOG.md | ||
| README.md | ||
		
			
				
				README.md
			
		
		
			
			
				
				
			
		
	
	SSSD
Overview
Manage LDAP authentication with SSSD (System Security Services Daemon).
Highly inspired by Lae's system_ldap role with minors updates (test only on Debian 9 and maybe on OpenSuse).
Role Variables
- sssd__deploy_state: The desired state this role should achieve [default : present].
- sssd_pkg_state : State of new sssd packages [default : latest].
- sssd__unwanted_packages_state : State of unwanted packages that might interfer with SSSD [default : absent].
- sssd_conf_manage : If SSSD configuration should be managed with this role [default : true].
- sssd_main_conf_path : Path to set main SSSD's configuration [default : /etc/sssd/sssd.conf].
- sssd_main_conf_tpl : Template used to generate the previous config file [default : etc/sssd/sssd.conf.j2].
- sssd_mkhomedir : If home directories should be created at login [default : true].
- sssd_home_path : Path where home directories are stored [default : /home].
- sssd_shell : Path to the default shell to use [default : /bin/bash].
- sssd_shell_override : If shell should be override with the previous value [default : False].
- sssd_sudoers_ldap : If sudo must look to sssthe list of sudoers [default :false].
- sssd_nsswitch_manage : If nsswitch should be managed by the role [default : false].
- sssd_service_name : SSSD's service name [default : sssd].
- sssd_flush_handlers : If handlers need to be applied at the end of the role [default : False].
OS Specific Variables
Please see default value by Operating System file in vars directory.
- sssd_pkg_list : The list of packages to install to provide sssd.- Be careful, sssdmay need additional packages to be able to establish a TLS connection to a LDAP/AD/… server (such asca-certificates,…).
 
- Be careful, 
- sssd__unwanted_packages_list : The list of packages to remove.
Example Playbook
- Use defaults vars :
- hosts: serverXYZ
  roles:
    - role: ipr-cnrs.sssd
- With a group_vars/serverxyz.ymlfile :
sssd_domain: 'dotld'
sssd_uris:
  - ldap://ldap.domain.tld
sssd_search_base: 'ou=People,dc=domain,dc=tld
sssd_bind_dn: 'cn=sssd_user,ou=apps,dc=domain,dc=tld'
- 
Then you also need to enter the bind_dn_passwordon the remote host (/etc/sssd/conf.d/sssd_domain.conf|/etc/sssd/conf.d/dotld.conf). If you want to definebind_dn_passwordin a playbook, please be sure to use Vault (or any other tool) to cipher your data !
- 
If you have some other role that need a working sssd configuration, you may want to apply the new configuration : 
sssd_flush_handlers: True
Configuration
This role will :
- Install needed packages to provide sssd.
- Remove packages that might interfer with sssdfor authentication.
- Manage the default sssdconfiguration file (/etc/sssd/sssd.conf).
- Create an additional configuration file to only store the bind_password (/etc/sssd/conf.d/domain.bind.conf).
- Remove sssdirective forsudoersin/etc/nsswitch.conffile ifsssd_nsswitch_manageis set.
- Manage sssdservice.
- Restart systemd-logindservice.
Development
This source code comes from our Gogs instance and the Github repo exist just to be able to send the role to Ansible Galaxy…
But feel free to send issue/PR here :)
Thanks to this hook, Github automatically got updates from our Gogs instance :)
License
Author Information
Jérémy Gardais
- Source : on IPR's Gogs
- IPR (Institut de Physique de Rennes)