cellinfo
/
ansible.sssd
4
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: cellinfo:master
Branches Tags
cellinfo:master
cellinfo:v1.3.2
cellinfo:v1.3.1
cellinfo:v1.1.0
cellinfo:v1.2.0
cellinfo:v1.3.0
cellinfo:v1.2.2
cellinfo:v1.2.1
cellinfo:v1.2
cellinfo:v1.1.4
cellinfo:v1.1.3
cellinfo:v1.1.2
..
compare: cellinfo:v1.1.2
Branches Tags
cellinfo:master
cellinfo:v1.3.2
cellinfo:v1.3.1
cellinfo:v1.1.0
cellinfo:v1.2.0
cellinfo:v1.3.0
cellinfo:v1.2.2
cellinfo:v1.2.1
cellinfo:v1.2
cellinfo:v1.1.4
cellinfo:v1.1.3
cellinfo:v1.1.2

No commits in common. "master" and "v1.1.2" have entirely different histories.
master ... v1.1.2

7 changed files with 25 additions and 180 deletions
Show Stats Expand all files Collapse all files

53
CHANGELOG.md
View File

@ -1,56 +1,3 @@
## v1.3.2
### Enhancements
* Add a var to disable the role.
### Fix
* Use flatten to manage packages list.
## v1.3.1
### Enhancements
* Fix E405 Remote package tasks should have a retry.
* Fix E203 Most files should not contain tabs.
## v1.3.0
### Minor changes
* Give the correct path in comment to see ldap_default_authtok value.
* Use to_nice_json to manage packages list.
* flush_handlers don't support when statement.
* Works on Debian Buster.
## v1.2.2
### Enhancement
* Remove unwanted packages.
### Fix
* Set empty dependencies line to fix Galaxy warning.
## v1.2.1
### Enhancement
* Allow to override shell attribute.
## v1.2
### Enhancement
* nsswitch.conf is modified only is `sssd_nsswitch_manage` is set (fix #5).
### Fix
* Add `libpam-sss` and `libnss-sss` libraries for Debian (fix #6).
## v1.1.4
### Enhancement
* Add the possibility to flush the handlers to apply the new configuration.
## v1.1.3
### Enhancement
* `sssd_bind_password` is now used and can be directly set on a remote host.
## v1.1.2 ## v1.1.2

21
README.md
View File

@ -17,20 +17,14 @@ Highly inspired by [Lae's system_ldap role][lae sssd galaxy] with minors updates
## Role Variables ## Role Variables
* **sssd__deploy_state**: The desired state this role should achieve [default: `present`].
* **sssd_pkg_state**: State of new sssd packages [default: `latest`]. * **sssd_pkg_state**: State of new sssd packages [default: `latest`].
* **sssd__unwanted_packages_state**: State of unwanted packages that might interfer with SSSD [default: `absent`].
* **sssd_conf_manage**: If SSSD configuration should be managed with this role [default: `true`]. * **sssd_conf_manage**: If SSSD configuration should be managed with this role [default: `true`].
* **sssd_main_conf_path**: Path to set main SSSD's configuration [default: `/etc/sssd/sssd.conf`]. * **sssd_main_conf_path**: Path to set main SSSD's configuration [default: `/etc/sssd/sssd.conf`].
* **sssd_main_conf_tpl**: Template used to generate the previous config file [default: `etc/sssd/sssd.conf.j2`]. * **sssd_main_conf_tpl**: Template used to generate the previous config file [default: `etc/sssd/sssd.conf.j2`].
* **sssd_mkhomedir**: If home directories should be created at login [default: `true`]. * **sssd_mkhomedir**: If home directories should be created at login [default: `true`].
* **sssd_home_path**: Path where home directories are stored [default: `/home`]. * **sssd_home_path**: Path where home directories are stored [default: `/home`].
* **sssd_shell**: Path to the default shell to use [default: `/bin/bash`].
* **sssd_shell_override**: If shell should be override with the previous value [default: `False`].
* **sssd_sudoers_ldap**: If sudo must look to `sss` the list of sudoers [default: `false`]. * **sssd_sudoers_ldap**: If sudo must look to `sss` the list of sudoers [default: `false`].
* **sssd_nsswitch_manage**: If nsswitch should be managed by the role [default: `false`].
* **sssd_service_name**: SSSD's service name [default: `sssd`]. * **sssd_service_name**: SSSD's service name [default: `sssd`].
* **sssd_flush_handlers**: If handlers need to be applied at the end of the role [default: `False`].
### OS Specific Variables ### OS Specific Variables
@ -38,7 +32,6 @@ Please see default value by Operating System file in [vars][vars directory] dire
* **sssd_pkg_list**: The list of packages to install to provide `sssd`. * **sssd_pkg_list**: The list of packages to install to provide `sssd`.
* Be careful, `sssd` may need additional packages to be able to establish a TLS connection to a LDAP/AD/… server (such as `ca-certificates`,…). * Be careful, `sssd` may need additional packages to be able to establish a TLS connection to a LDAP/AD/… server (such as `ca-certificates`,…).
* **sssd__unwanted_packages_list**: The list of packages to remove.
## Example Playbook ## Example Playbook
@ -60,22 +53,15 @@ sssd_search_base: 'ou=People,dc=domain,dc=tld
sssd_bind_dn: 'cn=sssd_user,ou=apps,dc=domain,dc=tld' sssd_bind_dn: 'cn=sssd_user,ou=apps,dc=domain,dc=tld'
``` ```
* Then you also need to enter the `bind_dn_password` on the remote host (`/etc/sssd/conf.d/sssd_domain.conf`|`/etc/sssd/conf.d/dotld.conf`). If you want to define `bind_dn_password` in a playbook, please be sure to use [Vault][ansible vault] (or any other tool) to cipher your data! * Then you also need to enter the `bind_dn_password` on the remote host (`/etc/sssd/conf.d/sssd_domain.conf`|`/etc/sssd/conf.d/dotld.conf`).
* If you have some other role that need a working sssd configuration, you may want to apply the new configuration:
``` yml
sssd_flush_handlers: True
```
## Configuration ## Configuration
This role will: This role will:
* Install needed packages to provide `sssd`. * Install needed packages to provide `sssd`.
* Remove packages that might interfer with `sssd` for authentication.
* Manage the default `sssd` configuration file (`/etc/sssd/sssd.conf`). * Manage the default `sssd` configuration file (`/etc/sssd/sssd.conf`).
* Create an additional configuration file to only store the bind_password (`/etc/sssd/conf.d/domain.bind.conf`). * Create an additional configuration file to only store the bind_password (`/etc/sssd/conf.d/domain.bind.conf`).
* Remove `sss` directive for `sudoers` in `/etc/nsswitch.conf` file if `sssd_nsswitch_manage` is set. * Remove `sss` directive for `sudoers` in `/etc/nsswitch.conf` file.
* Manage `sssd` service. * Manage `sssd` service.
* Restart `systemd-logind` service. * Restart `systemd-logind` service.
@ -98,9 +84,8 @@ Jérémy Gardais
* [IPR][ipr website] (Institut de Physique de Rennes) * [IPR][ipr website] (Institut de Physique de Rennes)
[vars directory]: ./vars [vars directory]: ./vars
[ansible vault]: http://docs.ansible.com/ansible/latest/vault.html
[gogs to github hook]: https://stackoverflow.com/a/21998477 [gogs to github hook]: https://stackoverflow.com/a/21998477
[sssd source]: https://git.ipr.univ-rennes.fr/cellinfo/ansible.sssd [sssd source]: https://git.ipr.univ-rennes1.fr/cellinfo/ansible.sssd
[sssd github]: https://github.com/ipr-cnrs/sssd [sssd github]: https://github.com/ipr-cnrs/sssd
[wtfpl website]: http://www.wtfpl.net/about/ [wtfpl website]: http://www.wtfpl.net/about/
[ipr website]: https://ipr.univ-rennes1.fr/ [ipr website]: https://ipr.univ-rennes1.fr/

60
defaults/main.yml
View File

@ -1,59 +1,7 @@
--- ---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# ipr-cnrs.netdata default variables [[[ # Package
# ======================================
# Packages and installation [[[
# -----------------------------
# .. envvar:: sssd_pkg_state [[[
#
# State of the packages to install. Possible options:
#
# ``latest``
# Default. Ensure those packages are in the latest state.
#
# ``absent``
# Default. Ensure to remove those packages.
#
# ``present``
# Ensure to install those packages.
#
sssd_pkg_state: 'latest' sssd_pkg_state: 'latest'
# ]]]
# .. envvar:: sssd__unwanted_packages_state [[[
#
# State of the unwanted packages. Possible options:
#
# ``absent``
# Default. Ensure to remove those packages.
#
# ``present``
# Ensure to install those packages.
#
# ``latest``
# Ensure those packages are in the latest state.
#
# ``Anything else``
# The packages will not be touch.
#
sssd__unwanted_packages_state: 'absent'
# ]]]
# .. envvar:: sssd__deploy_state [[[
#
# What is the desired state which this role should achieve? Possible options:
#
# ``present``
# Default. Ensure that sssd is installed and configured as requested.
#
# ``absent``
# TODO: Ensure that sssd is uninstalled and it's configuration is removed.
#
sssd__deploy_state: 'present'
# ]]]
# ]]]
# Configuration # Configuration
sssd_conf_manage: true sssd_conf_manage: true
@ -61,8 +9,6 @@ sssd_main_conf_path: '/etc/sssd/sssd.conf'
sssd_main_conf_tpl: 'etc/sssd/sssd.conf.j2' sssd_main_conf_tpl: 'etc/sssd/sssd.conf.j2'
sssd_mkhomedir: true sssd_mkhomedir: true
sssd_home_path: '/home' sssd_home_path: '/home'
sssd_shell: '/bin/bash'
sssd_shell_override: False
sssd_sudoers_ldap: false sssd_sudoers_ldap: false
@ -74,9 +20,5 @@ sssd_search_base: ''
sssd_bind_dn: '' sssd_bind_dn: ''
sssd_bind_password: '' sssd_bind_password: ''
# nsswitch configuration
sssd_nsswitch_manage: false
# Service # Service
sssd_service_name: 'sssd' sssd_service_name: 'sssd'
sssd_flush_handlers: False

17
meta/main.yml
View File

@ -1,19 +1,22 @@
---
dependencies: []
galaxy_info: galaxy_info:
author: "Jérémy Gardais" author: "Jérémy Gardais"
description: "Manage LDAP authentication with SSSD (System Security Services Daemon)." description: "Manage LDAP authentication with SSSD (System Security Services Daemon)."
license: WTFPL license: WTFPL
company: IPR company: IPR
issue_tracker_url: https://git.ipr.univ-rennes.fr/cellinfo/ansible.sssd/issues issue_tracker_url: https://git.ipr.univ-rennes1.fr/cellinfo/ansible.sssd/issues
min_ansible_version: 2.7 min_ansible_version: 2.2
platforms: platforms:
- name: Debian - name: Debian
versions: versions:
- stretch - stretch
- buster #- name: opensuse
# versions:
# - all
# - 12.1
# - 12.2
# - 12.3
# - 13.1
# - 13.2
galaxy_tags: galaxy_tags:
- system - system
- authentication - authentication

38
tasks/main.yml
View File

@ -1,9 +1,6 @@
--- ---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# tasks file for ansible-role-sssd # tasks file for ansible-role-sssd
# Load vars [[[1
- name: Load specific OS vars - name: Load specific OS vars
include_vars: "{{ item }}" include_vars: "{{ item }}"
with_first_found: with_first_found:
@ -11,29 +8,14 @@
- "{{ ansible_distribution|lower }}.yml" - "{{ ansible_distribution|lower }}.yml"
- "{{ ansible_os_family|lower }}.yml" - "{{ ansible_os_family|lower }}.yml"
# Manage packages [[[1 # Packages
- name: Install sssd - name: Install sssd
package: package:
name: "{{ item }}" name: "{{ item }}"
state: 'present' state: "{{ sssd_pkg_state }}"
with_flattened: with_items: "{{ sssd_pkg_list }}"
- '{{ sssd_pkg_list | flatten }}'
register: sssd_pkg_result
until: sssd_pkg_result is success
when: (sssd__deploy_state == "present")
- name: Remove unwanted packages # Update nsswitch.conf
package:
name: "{{ item }}"
state: "{{ sssd__unwanted_packages_state }}"
with_flattened:
- '{{ sssd__unwanted_packages_list | flatten }}'
register: sssd_remove_result
until: sssd_remove_result is success
when: (sssd__deploy_state == "present")
# Manage configuration [[[1
## Update nsswitch.conf
- name: CONFIG sudoers nsswitch.conf - name: CONFIG sudoers nsswitch.conf
lineinfile: lineinfile:
dest: /etc/nsswitch.conf dest: /etc/nsswitch.conf
@ -43,7 +25,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
when: (sssd__deploy_state == "present") and (not sssd_sudoers_ldap and sssd_nsswitch_manage) when: not sssd_sudoers_ldap
# Configuration file # Configuration file
- name: CONFIG sssd.conf - name: CONFIG sssd.conf
@ -54,7 +36,7 @@
owner: root owner: root
group: root group: root
backup: true backup: true
when: (sssd__deploy_state == "present") and (sssd_conf_manage) when: sssd_conf_manage
notify: notify:
- restart sssd - restart sssd
- restart logind - restart logind
@ -71,8 +53,7 @@
content: | content: |
[domain/{{ sssd_domain }}] [domain/{{ sssd_domain }}]
#ldap_default_authtok = password for {{ sssd_bind_dn }} after END BLOCK #ldap_default_authtok = password for {{ sssd_bind_dn }} after END BLOCK
{% if sssd_bind_password %}ldap_default_authtok = {{ sssd_bind_password }}{% endif %} when: sssd_conf_manage
when: (sssd__deploy_state == "present") and (sssd_conf_manage)
notify: notify:
- restart sssd - restart sssd
- restart logind - restart logind
@ -83,7 +64,4 @@
regexp: 'pam_mkhomedir\.so' regexp: 'pam_mkhomedir\.so'
line: "session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent" line: "session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent"
state: present state: present
when: (sssd__deploy_state == "present") and (sssd_mkhomedir) when: sssd_mkhomedir
- name: Flush handlers to be able to use SSSD authentication
meta: flush_handlers

7
templates/etc/sssd/sssd.conf.j2
View File

@ -1,4 +1,4 @@
# {{ ansible_managed }} # {{ ansible_managed }} }
[sssd] [sssd]
config_file_version = 2 config_file_version = 2
services = nss, pam, autofs services = nss, pam, autofs
@ -22,7 +22,7 @@ ldap_tls_reqcert = never
ldap_search_base = {{ sssd_search_base }} ldap_search_base = {{ sssd_search_base }}
ldap_default_bind_dn = {{ sssd_bind_dn }} ldap_default_bind_dn = {{ sssd_bind_dn }}
ldap_default_authtok_type = password ldap_default_authtok_type = password
#ldap_default_authtok = ... # See conf.d/{{ sssd_domain }}.conf #ldap_default_authtok = ... # See conf.d/default.bind.conf
cache_credentials = True cache_credentials = True
entry_cache_timeout = 5400 entry_cache_timeout = 5400
@ -34,9 +34,6 @@ entry_cache_timeout = 5400
{# mapping/attribute configuration #} {# mapping/attribute configuration #}
override_homedir = {{ sssd_home_path }}/%u override_homedir = {{ sssd_home_path }}/%u
{% if sssd_shell_override %}
override_shell = {{ sssd_shell }}
{% endif %}
krb5_realm = # krb5_realm = #

7
vars/debian.yml
View File

@ -2,11 +2,4 @@
# vars file for Debian-based distros # vars file for Debian-based distros
sssd_pkg_list: sssd_pkg_list:
- ca-certificates - ca-certificates
- libpam-sss
- libnss-sss
- sssd - sssd
sssd__unwanted_packages_list:
- libnss-ldap
- nscd
- nslcd