ansible.sssd/tasks/main.yml

---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker

# tasks file for ansible-role-sssd

# Load vars [[[1
- name: Load specific OS vars
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
    - "{{ ansible_distribution|lower }}.yml"
    - "{{ ansible_os_family|lower }}.yml"

# Manage packages [[[1
- name: Install sssd
  package:
    name: "{{ item }}"
    state: 'present'
  with_flattened:
    - '{{ sssd_pkg_list | to_nice_json }}'
  register: sssd_pkg_result
  until: sssd_pkg_result is success
  when: (sssd__deploy_state == "present")

- name: Remove unwanted packages
  package:
    name: "{{ item }}"
    state: "{{ sssd__unwanted_packages_state }}"
  with_flattened:
    - '{{ sssd__unwanted_packages_list | to_nice_json }}'
  register: sssd_remove_result
  until: sssd_remove_result is success
  when: (sssd__deploy_state == "present")

# Manage configuration [[[1
## Update nsswitch.conf
- name: CONFIG sudoers nsswitch.conf
  lineinfile:
    dest: /etc/nsswitch.conf
    state: present
    regexp: '^sudoers:'
    line: 'sudoers:        files'
    owner: root
    group: root
    mode: 0644
  when: (sssd__deploy_state == "present") and (not sssd_sudoers_ldap and sssd_nsswitch_manage)

# Configuration file
- name: CONFIG sssd.conf
  template:
    src: "{{ sssd_main_conf_tpl }}"
    dest: "{{ sssd_main_conf_path }}"
    mode: 0600
    owner: root
    group: root
    backup: true
  when: (sssd__deploy_state == "present") and (sssd_conf_manage)
  notify:
    - restart sssd
    - restart logind

- name: "CONFIG conf.d/{{ sssd_domain }}.conf"
  blockinfile:
    state: present
    create: yes
    mode: 0600
    owner: root
    group: root
    insertbefore: BOF
    dest: "/etc/sssd/conf.d/{{ sssd_domain }}.conf"
    content: |
      [domain/{{ sssd_domain }}]
      #ldap_default_authtok = password for {{ sssd_bind_dn }} after END BLOCK
      {% if sssd_bind_password %}ldap_default_authtok = {{ sssd_bind_password }}{% endif %}
  when: (sssd__deploy_state == "present") and (sssd_conf_manage)
  notify:
    - restart sssd
    - restart logind

- name: Ensure home directories are created upon login with pam
  lineinfile:
    dest: /etc/pam.d/common-account
    regexp: 'pam_mkhomedir\.so'
    line: "session required                        pam_mkhomedir.so        umask=0022      skel=/etc/skel/ silent"
    state: present
  when: (sssd__deploy_state == "present") and (sssd_mkhomedir)

- name: Flush handlers to be able to use SSSD authentication
  meta: flush_handlers
Create a specific repo for sssd role. 2017-07-18 14:23:07 +02:00			`---`
Add a var to disable the role 2019-03-12 14:07:31 +01:00			`# .. vim: foldmarker=[[[,]]]:foldmethod=marker`

Create a specific repo for sssd role. 2017-07-18 14:23:07 +02:00			`# tasks file for ansible-role-sssd`

Add a var to disable the role 2019-03-12 14:07:31 +01:00			`# Load vars [[[1`
Create a specific repo for sssd role. 2017-07-18 14:23:07 +02:00			`- name: Load specific OS vars`
			`include_vars: "{{ item }}"`
			`with_first_found:`
			`- "{{ ansible_distribution\|lower }}-{{ ansible_distribution_version }}.yml"`
			`- "{{ ansible_distribution\|lower }}.yml"`
			`- "{{ ansible_os_family\|lower }}.yml"`

Add a var to disable the role 2019-03-12 14:07:31 +01:00			`# Manage packages [[[1`
Create a specific repo for sssd role. 2017-07-18 14:23:07 +02:00			`- name: Install sssd`
			`package:`
			`name: "{{ item }}"`
Add a var to disable the role 2019-03-12 14:07:31 +01:00			`state: 'present'`
Use to_nice_json to manage packages list 2019-01-10 16:39:55 +01:00			`with_flattened:`
			`- '{{ sssd_pkg_list \| to_nice_json }}'`
Fix E405 Remote package tasks should have a retry 2019-02-26 13:38:28 +01:00			`register: sssd_pkg_result`
			`until: sssd_pkg_result is success`
Add a var to disable the role 2019-03-12 14:07:31 +01:00			`when: (sssd__deploy_state == "present")`
Create a specific repo for sssd role. 2017-07-18 14:23:07 +02:00
Remove unwanted packages Such as libnss-ldap, nscd,… 2018-04-12 11:40:34 +02:00			`- name: Remove unwanted packages`
			`package:`
			`name: "{{ item }}"`
			`state: "{{ sssd__unwanted_packages_state }}"`
Use to_nice_json to manage packages list 2019-01-10 16:39:55 +01:00			`with_flattened:`
			`- '{{ sssd__unwanted_packages_list \| to_nice_json }}'`
Fix E405 Remote package tasks should have a retry 2019-02-26 13:38:28 +01:00			`register: sssd_remove_result`
			`until: sssd_remove_result is success`
Add a var to disable the role 2019-03-12 14:07:31 +01:00			`when: (sssd__deploy_state == "present")`
Remove unwanted packages Such as libnss-ldap, nscd,… 2018-04-12 11:40:34 +02:00
Add a var to disable the role 2019-03-12 14:07:31 +01:00			`# Manage configuration [[[1`
			`## Update nsswitch.conf`
Remove `sss` directive for `sudoers` in `/etc/nsswitch.conf` file (#1). 2017-08-21 16:27:36 +02:00			`- name: CONFIG sudoers nsswitch.conf`
			`lineinfile:`
			`dest: /etc/nsswitch.conf`
Ensure to add only one time the sudoers line in `/etc/nsswitch.conf` file (fix #3). 2017-09-07 13:46:52 +02:00			`state: present`
			`regexp: '^sudoers:'`
Remove `sss` directive for `sudoers` in `/etc/nsswitch.conf` file (#1). 2017-08-21 16:27:36 +02:00			`line: 'sudoers: files'`
Ensure to add only one time the sudoers line in `/etc/nsswitch.conf` file (fix #3). 2017-09-07 13:46:52 +02:00			`owner: root`
			`group: root`
			`mode: 0644`
Add a var to disable the role 2019-03-12 14:07:31 +01:00			`when: (sssd__deploy_state == "present") and (not sssd_sudoers_ldap and sssd_nsswitch_manage)`
Remove `sss` directive for `sudoers` in `/etc/nsswitch.conf` file (#1). 2017-08-21 16:27:36 +02:00
Create a specific repo for sssd role. 2017-07-18 14:23:07 +02:00			`# Configuration file`
			`- name: CONFIG sssd.conf`
			`template:`
			`src: "{{ sssd_main_conf_tpl }}"`
			`dest: "{{ sssd_main_conf_path }}"`
			`mode: 0600`
			`owner: root`
			`group: root`
			`backup: true`
Add a var to disable the role 2019-03-12 14:07:31 +01:00			`when: (sssd__deploy_state == "present") and (sssd_conf_manage)`
Create a specific repo for sssd role. 2017-07-18 14:23:07 +02:00			`notify:`
			`- restart sssd`
Ensure to restart `systemd-logind` to avoid 'Failed to create session' error (fix #4). 2017-09-08 09:15:05 +02:00			`- restart logind`
Create a specific repo for sssd role. 2017-07-18 14:23:07 +02:00
			`- name: "CONFIG conf.d/{{ sssd_domain }}.conf"`
			`blockinfile:`
			`state: present`
			`create: yes`
			`mode: 0600`
			`owner: root`
			`group: root`
			`insertbefore: BOF`
			`dest: "/etc/sssd/conf.d/{{ sssd_domain }}.conf"`
			`content: \|`
			`[domain/{{ sssd_domain }}]`
			`#ldap_default_authtok = password for {{ sssd_bind_dn }} after END BLOCK`
Remove useless whitespace. 2017-09-18 15:51:09 +02:00			`{% if sssd_bind_password %}ldap_default_authtok = {{ sssd_bind_password }}{% endif %}`
Add a var to disable the role 2019-03-12 14:07:31 +01:00			`when: (sssd__deploy_state == "present") and (sssd_conf_manage)`
Create a specific repo for sssd role. 2017-07-18 14:23:07 +02:00			`notify:`
			`- restart sssd`
Ensure to restart `systemd-logind` to avoid 'Failed to create session' error (fix #4). 2017-09-08 09:15:05 +02:00			`- restart logind`
Create a specific repo for sssd role. 2017-07-18 14:23:07 +02:00
			`- name: Ensure home directories are created upon login with pam`
			`lineinfile:`
			`dest: /etc/pam.d/common-account`
			`regexp: 'pam_mkhomedir\.so'`
Fix E203 Most files should not contain tabs 2019-02-26 13:39:24 +01:00			`line: "session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent"`
Create a specific repo for sssd role. 2017-07-18 14:23:07 +02:00			`state: present`
Add a var to disable the role 2019-03-12 14:07:31 +01:00			`when: (sssd__deploy_state == "present") and (sssd_mkhomedir)`
Add the possibility to flush the handlers to apply the new configuration. Some of my role need a working sssd config, so with `sssd_flush_handlers` parameter the new config can be apply before run the next roles. 2017-09-27 18:45:44 +02:00
flush_handlers don't support when statement 2019-02-26 13:29:47 +01:00			`- name: Flush handlers to be able to use SSSD authentication`
			`meta: flush_handlers`