cellinfo
/
ansible.sssd
2
0
Fork 0
Code Issues Pull Requests Releases Activity
ansible.sssd/README.md

107 lines
4.3 KiB
Markdown
Raw Normal View History

Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
# SSSD
1. [Overview](#overview)
2. [Role Variables](#role-variables)
* [OS Specific Variables](#os-specific-variables)
3. [Example Playbook](#example-playbook)
4. [Configuration](#configuration)
Update doc.
2017-07-19 19:34:43 +02:00
5. [Development](#development)
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
5. [License](#license)
6. [Author Information](#author-information)
## Overview
Manage LDAP authentication with **SSSD** (System Security Services Daemon).
Highly inspired by [Lae's system_ldap role][lae sssd galaxy] with minors updates (test only on Debian 9 and maybe on OpenSuse).
## Role Variables
* **sssd_pkg_state**: State of new sssd packages [default: `latest`].
Remove unwanted packages Such as libnss-ldap, nscd,…
2018-04-12 11:40:34 +02:00
* **sssd__unwanted_packages_state**: State of unwanted packages that might interfer with SSSD [default: `absent`].
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
* **sssd_conf_manage**: If SSSD configuration should be managed with this role [default: `true`].
* **sssd_main_conf_path**: Path to set main SSSD's configuration [default: `/etc/sssd/sssd.conf`].
* **sssd_main_conf_tpl**: Template used to generate the previous config file [default: `etc/sssd/sssd.conf.j2`].
* **sssd_mkhomedir**: If home directories should be created at login [default: `true`].
* **sssd_home_path**: Path where home directories are stored [default: `/home`].
Allow to override shell attribute
2018-02-07 16:04:28 +01:00
* **sssd_shell**: Path to the default shell to use [default: `/bin/bash`].
* **sssd_shell_override**: If shell should be override with the previous value [default: `False`].
Remove `sss` directive for `sudoers` in `/etc/nsswitch.conf` file (#1).
2017-08-21 16:27:36 +02:00
* **sssd_sudoers_ldap**: If sudo must look to `sss` the list of sudoers [default: `false`].
nsswitch.conf is modified only is `sssd_nsswitch_manage` is set (fix #5).
2018-01-29 16:11:49 +01:00
* **sssd_nsswitch_manage**: If nsswitch should be managed by the role [default: `false`].
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
* **sssd_service_name**: SSSD's service name [default: `sssd`].
Add the possibility to flush the handlers to apply the new configuration. Some of my role need a working sssd config, so with `sssd_flush_handlers` parameter the new config can be apply before run the next roles.
2017-09-27 18:45:44 +02:00
* **sssd_flush_handlers**: If handlers need to be applied at the end of the role [default: `False`].
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
### OS Specific Variables
Update doc.
2017-07-19 19:34:43 +02:00
Please see default value by Operating System file in [vars][vars directory] directory.
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
* **sssd_pkg_list**: The list of packages to install to provide `sssd`.
For Debian Stretch ensure to also install `ca-certificates` (fix #2).
2017-09-06 15:59:45 +02:00
* Be careful, `sssd` may need additional packages to be able to establish a TLS connection to a LDAP/AD/… server (such as `ca-certificates`,…).
Remove unwanted packages Such as libnss-ldap, nscd,…
2018-04-12 11:40:34 +02:00
* **sssd__unwanted_packages_list**: The list of packages to remove.
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
## Example Playbook
* Use defaults vars:
``` yml
- hosts: serverXYZ
roles:
Rename ipr.sssd to ipr-cnrs.sssd.
2017-07-18 16:21:35 +02:00
- role: ipr-cnrs.sssd
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
```
* With a `group_vars/serverxyz.yml` file:
``` yml
sssd_domain: 'dotld'
sssd_uris:
- ldap://ldap.domain.tld
sssd_search_base: 'ou=People,dc=domain,dc=tld
sssd_bind_dn: 'cn=sssd_user,ou=apps,dc=domain,dc=tld'
```
`sssd_bind_password` is now used and can be directly set on a remote host.
2017-09-18 15:29:59 +02:00
* Then you also need to enter the `bind_dn_password` on the remote host (`/etc/sssd/conf.d/sssd_domain.conf`|`/etc/sssd/conf.d/dotld.conf`). If you want to define `bind_dn_password` in a playbook, please be sure to use [Vault][ansible vault] (or any other tool) to cipher your data!
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
Add the possibility to flush the handlers to apply the new configuration. Some of my role need a working sssd config, so with `sssd_flush_handlers` parameter the new config can be apply before run the next roles.
2017-09-27 18:45:44 +02:00
* If you have some other role that need a working sssd configuration, you may want to apply the new configuration:
``` yml
sssd_flush_handlers: True
```
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
## Configuration
This role will:
* Install needed packages to provide `sssd`.
Remove unwanted packages Such as libnss-ldap, nscd,…
2018-04-12 11:40:34 +02:00
* Remove packages that might interfer with `sssd` for authentication.
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
* Manage the default `sssd` configuration file (`/etc/sssd/sssd.conf`).
For Debian Stretch ensure to also install `ca-certificates` (fix #2).
2017-09-06 15:59:45 +02:00
* Create an additional configuration file to only store the bind_password (`/etc/sssd/conf.d/domain.bind.conf`).
nsswitch.conf is modified only is `sssd_nsswitch_manage` is set (fix #5).
2018-01-29 16:11:49 +01:00
* Remove `sss` directive for `sudoers` in `/etc/nsswitch.conf` file if `sssd_nsswitch_manage` is set.
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
* Manage `sssd` service.
Ensure to restart `systemd-logind` to avoid 'Failed to create session' error (fix #4).
2017-09-08 09:15:05 +02:00
* Restart `systemd-logind` service.
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
Update doc.
2017-07-19 19:34:43 +02:00
## Development
This source code comes from our [Gogs instance][sssd source] and the [Github repo][sssd github] exist just to be able to send the role to Ansible Galaxy…
But feel free to send issue/PR here :)
Thanks to this [hook][gogs to github hook], Github automatically got updates from our [Gogs instance][sssd source] :)
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
## License
[WTFPL][wtfpl website]
## Author Information
Jérémy Gardais
Add source URL.
2017-07-18 14:33:47 +02:00
* Source: [on IPR's Gogs][sssd source]
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
* [IPR][ipr website] (Institut de Physique de Rennes)
Update doc.
2017-07-19 19:34:43 +02:00
[vars directory]: ./vars
`sssd_bind_password` is now used and can be directly set on a remote host.
2017-09-18 15:29:59 +02:00
[ansible vault]: http://docs.ansible.com/ansible/latest/vault.html
Update doc.
2017-07-19 19:34:43 +02:00
[gogs to github hook]: https://stackoverflow.com/a/21998477
Add source URL.
2017-07-18 14:33:47 +02:00
[sssd source]: https://git.ipr.univ-rennes1.fr/cellinfo/ansible.sssd
Update doc.
2017-07-19 19:34:43 +02:00
[sssd github]: https://github.com/ipr-cnrs/sssd
Create a specific repo for sssd role.
2017-07-18 14:23:07 +02:00
[wtfpl website]: http://www.wtfpl.net/about/
[ipr website]: https://ipr.univ-rennes1.fr/
[lae sssd galaxy]: https://galaxy.ansible.com/lae/system_ldap/