From eccbc254fef38f0b3d14cb663bf58b88d0d146d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Tue, 18 Jul 2017 14:23:07 +0200
Subject: [PATCH] Create a specific repo for sssd role.
---
 README.md | 75 +++++++++++++++++++++++++++++++++
 defaults/main.yml | 22 ++++++++++
 handlers/main.yml | 6 +++
 tasks/main.yml | 53 +++++++++++++++++++++++
 templates/etc/sssd/sssd.conf.j2 | 56 ++++++++++++++++++++++++
 vars/debian.yml | 4 ++
 6 files changed, 216 insertions(+)
 create mode 100644 README.md
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/etc/sssd/sssd.conf.j2
 create mode 100644 vars/debian.yml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..a821457
--- /dev/null
+++ b/README.md
@@ -0,0 +1,75 @@
+# SSSD
+
+1. [Overview](#overview)
+2. [Role Variables](#role-variables)
+ * [OS Specific Variables](#os-specific-variables)
+3. [Example Playbook](#example-playbook)
+4. [Configuration](#configuration)
+5. [License](#license)
+6. [Author Information](#author-information)
+
+## Overview
+
+Manage LDAP authentication with **SSSD** (System Security Services Daemon).
+
+Highly inspired by [Lae's system_ldap role][lae sssd galaxy] with minors updates (test only on Debian 9 and maybe on OpenSuse).
+
+## Role Variables
+
+* **sssd_pkg_state** : State of new sssd packages [default : `latest`].
+* **sssd_conf_manage** : If SSSD configuration should be managed with this role [default : `true`].
+* **sssd_main_conf_path** : Path to set main SSSD's configuration [default : `/etc/sssd/sssd.conf`].
+* **sssd_main_conf_tpl** : Template used to generate the previous config file [default : `etc/sssd/sssd.conf.j2`].
+* **sssd_mkhomedir** : If home directories should be created at login [default : `true`].
+* **sssd_home_path** : Path where home directories are stored [default : `/home`].
+* **sssd_service_name** : SSSD's service name [default : `sssd`].
+
+### OS Specific Variables
+
+Please see default value by Operating System file in `vars/` directory.
+
+* **sssd_pkg_list** : The list of packages to install to provide `sssd`.
+
+## Example Playbook
+
+* Use defaults vars :
+
+``` yml
+- hosts: serverXYZ
+ roles:
+ - role: ipr.sssd
+```
+
+* With a `group_vars/serverxyz.yml` file :
+
+``` yml
+sssd_domain: 'dotld'
+sssd_uris:
+ - ldap://ldap.domain.tld
+sssd_search_base: 'ou=People,dc=domain,dc=tld
+sssd_bind_dn: 'cn=sssd_user,ou=apps,dc=domain,dc=tld'
+```
+
+ * Then you also need to enter the `bind_dn_password` on the remote host (`/etc/sssd/conf.d/sssd_domain.conf`|`/etc/sssd/conf.d/dotld.conf`).
+
+## Configuration
+
+This role will :
+* Install needed packages to provide `sssd`.
+* Manage the default `sssd` configuration file (`/etc/sssd/sssd.conf`).
+* Create an additionnal configuration file to only store the bind_password (`/etc/sssd/conf.d/domain.bind.conf`).
+* Manage `sssd` service.
+
+## License
+
+[WTFPL][wtfpl website]
+
+## Author Information
+
+Jérémy Gardais
+* Source : …
+* [IPR][ipr website] (Institut de Physique de Rennes)
+
+[wtfpl website]: http://www.wtfpl.net/about/
+[ipr website]: https://ipr.univ-rennes1.fr/
+[lae sssd galaxy]: https://galaxy.ansible.com/lae/system_ldap/
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..50849c4
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+
+# Package
+sssd_pkg_state: 'latest'
+
+# Configuration
+sssd_conf_manage: true
+sssd_main_conf_path: '/etc/sssd/sssd.conf'
+sssd_main_conf_tpl: 'etc/sssd/sssd.conf.j2'
+sssd_mkhomedir: true
+sssd_home_path: '/home/'
+
+# LDAP info
+sssd_domain: ''
+sssd_schema: 'rfc2307bis'
+sssd_uris: []
+sssd_search_base: ''
+sssd_bind_dn: ''
+sssd_bind_password: ''
+
+# Service
+sssd_service_name: 'sssd'
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..9edff38
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# Handlers file for ipr.sssd
+- name: restart sssd
+ service:
+ name: '{{ sssd_service_name }}'
+ state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..73252e0
--- /dev/null
+++ b/tasks/main.yml
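Review bot: `sssd_home_path: '/home/'` keeps a trailing slash, but the template's `override_homedir = {{ sssd_home_path }}/%u` adds its own separator and the README documents the default as `/home`, so the rendered home directory becomes `/home//%u`; change the default to `sssd_home_path: '/home'`. `sssd_bind_password: ''` is declared here but nothing else in this patch reads it — the template only renders `{{ sssd_bind_dn }}` and the README has the operator type the password into the conf.d file by hand — so either feed it into the conf.d task or drop it, and in either case add a comment on the line stating where the bind password actually comes from, e.g. `# not rendered by the role; see README for conf.d handling`.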
@@ -0,0 +1,53 @@
+---
+# tasks file for ansible-role-sssd
+
+- name: Load specific OS vars
+ include_vars: "{{ item }}"
+ with_first_found:
+ - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
+ - "{{ ansible_distribution|lower }}.yml"
+ - "{{ ansible_os_family|lower }}.yml"
+
+# Packages
+- name: Install sssd
+ package:
+ name: "{{ item }}"
+ state: "{{ sssd_pkg_state }}"
+ with_items: "{{ sssd_pkg_list }}"
+
+# Configuration file
+- name: CONFIG sssd.conf
+ template:
+ src: "{{ sssd_main_conf_tpl }}"
+ dest: "{{ sssd_main_conf_path }}"
+ mode: 0600
+ owner: root
+ group: root
+ backup: true
+ when: sssd_conf_manage
+ notify:
+ - restart sssd
+
+- name: "CONFIG conf.d/{{ sssd_domain }}.conf"
+ blockinfile:
+ state: present
+ create: yes
+ mode: 0600
+ owner: root
+ group: root
+ insertbefore: BOF
+ dest: "/etc/sssd/conf.d/{{ sssd_domain }}.conf"
+ content: |
+ [domain/{{ sssd_domain }}]
+ #ldap_default_authtok = password for {{ sssd_bind_dn }} after END BLOCK
+ when: sssd_conf_manage
+ notify:
+ - restart sssd
+
+- name: Ensure home directories are created upon login with pam
+ lineinfile:
+ dest: /etc/pam.d/common-account
+ regexp: 'pam_mkhomedir\.so'
+ line: "session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent"
+ state: present
+ when: sssd_mkhomedir
diff --git a/templates/etc/sssd/sssd.conf.j2 b/templates/etc/sssd/sssd.conf.j2
new file mode 100644
index 0000000..32903ed
--- /dev/null
+++ b/templates/etc/sssd/sssd.conf.j2
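Review bot: The pam_mkhomedir task writes a `session` line into `/etc/pam.d/common-account`, which is the account stack; session modules belong in the session stack, so the target should be `dest: /etc/pam.d/common-session`. On Debian the `common-*` files are generated by pam-auth-update, which may rewrite a manually added line on its next run, so the task deserves a comment such as `# NOTE: edited outside pam-auth-update; re-run of that tool may drop this line`. The conf.d task also runs with the default `sssd_domain: ''`, which yields `/etc/sssd/conf.d/.conf` containing an empty `[domain/]` header and a main config with `domains =` blank; an `assert` that `sssd_domain`, `sssd_uris` and `sssd_search_base` are non-empty, placed before the configuration tasks and gated on `sssd_conf_manage`, would fail the play early instead of shipping a broken config.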
@@ -0,0 +1,56 @@
+# {{ ansible_managed }} }
+[sssd]
+config_file_version = 2
+services = nss, pam, autofs
+domains = {{ sssd_domain }}
+
+[domain/{{ sssd_domain }}]
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+#access_provider = ldap
+autofs_provider = ldap
+
+{# connection configuration #}
+ldap_schema = {{ sssd_schema }}
+ldap_uri = {{ sssd_uris | join(',') }}
+ldap_tls_cacertdir = /etc/ssl/certs
+ldap_id_use_start_tls = True
+ldap_tls_reqcert = never
+
+{# search configuration #}
+ldap_search_base = {{ sssd_search_base }}
+ldap_default_bind_dn = {{ sssd_bind_dn }}
+ldap_default_authtok_type = password
+#ldap_default_authtok = ... # See conf.d/default.bind.conf
+cache_credentials = True
+entry_cache_timeout = 5400
+
+## Filter
+# LDAP
+#access_provider = ldap
+#ldap_access_order = filter
+#ldap_access_filter = (memberof=cn=groupeA,ou=Groupes,dc=domain,dc=tld)
+
+{# mapping/attribute configuration #}
+override_homedir = {{ sssd_home_path }}/%u
+
+krb5_realm = #
+
+# Simple
+#access_provider = simple
+#simple_allow_groups = groupeA,ou=Groupes,dc=domain,dc=tld
+
+ldap_user_uuid = entryuuid
+ldap_group_uuid = entryuuid
+enumerate = False
+
+
+[nss]
+
+filter_groups = root
+filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
+homedir_substring = /home
+
+[pam]
+reconnection_retries = 3
diff --git a/vars/debian.yml b/vars/debian.yml
new file mode 100644
index 0000000..bbda19f
--- /dev/null
+++ b/vars/debian.yml
@@ -0,0 +1,4 @@
+---
+# vars file for Debian-based distros
+sssd_pkg_list:
+ - sssd
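Review bot: `ldap_tls_reqcert = never` disables verification of the LDAP server certificate, so the StartTLS turned on by `ldap_id_use_start_tls = True` on the line above does not authenticate the server and neither the bind-DN credentials nor the user passwords sent during authentication are protected from an impersonating directory; with `ldap_tls_cacertdir = /etc/ssl/certs` already set, the line should read `ldap_tls_reqcert = demand`. The header `# {{ ansible_managed }} }` has a stray closing brace after the Jinja expression. `krb5_realm = #` carries no value, and since sssd.conf does not treat `#` as an inline comment marker the literal `#` is probably taken as the realm; no Kerberos provider is configured in this template, so the line is better dropped. The comment `# See conf.d/default.bind.conf` names a file the tasks never create — the conf.d task writes `conf.d/{{ sssd_domain }}.conf` — so it should point at that file instead.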