Update git.ipr domain

Update meta informations.

CHANGELOG.md

@@ -1,3 +1,68 @@
+## v1.3.2
+
+### Enhancements
+
+* Add a var to disable the role.
+
+### Fix
+* Use flatten to manage packages list.
+
+## v1.3.1
+
+### Enhancements
+* Fix E405 Remote package tasks should have a retry.
+* Fix E203 Most files should not contain tabs.
+
+## v1.3.0
+
+### Minor changes
+* Give the correct path in comment to see ldap_default_authtok value.
+* Use to_nice_json to manage packages list.
+* flush_handlers don't support when statement.
+* Works on Debian Buster.
+
+## v1.2.2
+
+### Enhancement
+* Remove unwanted packages.
+
+### Fix
+* Set empty dependencies line to fix Galaxy warning.
+
+## v1.2.1
+
+### Enhancement
+* Allow to override shell attribute.
+
+## v1.2
+
+### Enhancement
+* nsswitch.conf is modified only is `sssd_nsswitch_manage` is set (fix #5).
+
+### Fix
+* Add `libpam-sss` and `libnss-sss` libraries for Debian (fix #6).
+
+## v1.1.4
+
+### Enhancement
+* Add the possibility to flush the handlers to apply the new configuration.
+
+## v1.1.3
+
+### Enhancement
+* `sssd_bind_password` is now used and can be directly set on a remote host.
+
+## v1.1.2
+
+### Fix
+* For Debian Stretch ensure to also install `ca-certificates` (fix #2).
+* Ensure to add only one time the sudoers line in `/etc/nsswitch.conf` file (fix #3).
+* Ensure to restart `systemd-logind` to avoid 'Failed to create session' error (fix #4).
+
+## v1.1.1
+
+### Fix
+* Remove `sss` directive for `sudoers` in `/etc/nsswitch.conf` file (#1).
 
 ## v1.1
 

README.md

@@ -17,19 +17,28 @@ Highly inspired by [Lae's system_ldap role][lae sssd galaxy] with minors updates
 
 ## Role Variables
 
+* **sssd__deploy_state**: The desired state this role should achieve [default : `present`].
 * **sssd_pkg_state** : State of new sssd packages [default : `latest`].
+* **sssd__unwanted_packages_state** : State of unwanted packages that might interfer with SSSD [default : `absent`].
 * **sssd_conf_manage** : If SSSD configuration should be managed with this role [default : `true`].
 * **sssd_main_conf_path** : Path to set main SSSD's configuration [default : `/etc/sssd/sssd.conf`].
 * **sssd_main_conf_tpl** : Template used to generate the previous config file [default : `etc/sssd/sssd.conf.j2`].
 * **sssd_mkhomedir** : If home directories should be created at login [default : `true`].
 * **sssd_home_path** : Path where home directories are stored [default : `/home`].
+* **sssd_shell** : Path to the default shell to use [default : `/bin/bash`].
+* **sssd_shell_override** : If shell should be override with the previous value [default : `False`].
+* **sssd_sudoers_ldap** : If sudo must look to `sss` the list of sudoers [default : `false`].
+* **sssd_nsswitch_manage** : If nsswitch should be managed by the role [default : `false`].
 * **sssd_service_name** : SSSD's service name [default : `sssd`].
+* **sssd_flush_handlers** : If handlers need to be applied at the end of the role [default : `False`].
 
 ### OS Specific Variables
 
 Please see default value by Operating System file in [vars][vars directory] directory.
 
 * **sssd_pkg_list** : The list of packages to install to provide `sssd`.
+  * Be careful, `sssd` may need additional packages to be able to establish a TLS connection to a LDAP/AD/… server (such as `ca-certificates`,…).
+* **sssd__unwanted_packages_list** : The list of packages to remove.
 
 ## Example Playbook
 
@@ -51,15 +60,24 @@ sssd_search_base: 'ou=People,dc=domain,dc=tld
 sssd_bind_dn: 'cn=sssd_user,ou=apps,dc=domain,dc=tld'
 ```
 
-  * Then you also need to enter the `bind_dn_password` on the remote host (`/etc/sssd/conf.d/sssd_domain.conf`|`/etc/sssd/conf.d/dotld.conf`).
+  * Then you also need to enter the `bind_dn_password` on the remote host (`/etc/sssd/conf.d/sssd_domain.conf`|`/etc/sssd/conf.d/dotld.conf`). If you want to define `bind_dn_password` in a playbook, please be sure to use [Vault][ansible vault] (or any other tool) to cipher your data !
+
+* If you have some other role that need a working sssd configuration, you may want to apply the new configuration :
+
+``` yml
+sssd_flush_handlers: True
+```
 
 ## Configuration
 
 This role will :
 * Install needed packages to provide `sssd`.
+* Remove packages that might interfer with `sssd` for authentication.
 * Manage the default `sssd` configuration file (`/etc/sssd/sssd.conf`).
-* Create an additionnal configuration file to only store the bind_password (`/etc/sssd/conf.d/domain.bind.conf`).
+* Create an additional configuration file to only store the bind_password (`/etc/sssd/conf.d/domain.bind.conf`).
+* Remove `sss` directive for `sudoers` in `/etc/nsswitch.conf` file if `sssd_nsswitch_manage` is set.
 * Manage `sssd` service.
+* Restart `systemd-logind` service.
 
 ## Development
 
@@ -80,8 +98,9 @@ Jérémy Gardais
 * [IPR][ipr website] (Institut de Physique de Rennes)
 
 [vars directory]: ./vars
+[ansible vault]: http://docs.ansible.com/ansible/latest/vault.html
 [gogs to github hook]: https://stackoverflow.com/a/21998477
-[sssd source]: https://git.ipr.univ-rennes1.fr/cellinfo/ansible.sssd
+[sssd source]: https://git.ipr.univ-rennes.fr/cellinfo/ansible.sssd
 [sssd github]: https://github.com/ipr-cnrs/sssd
 [wtfpl website]: http://www.wtfpl.net/about/
 [ipr website]: https://ipr.univ-rennes1.fr/

defaults/main.yml

@@ -1,7 +1,59 @@
 ---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
 
-# Package
+# ipr-cnrs.netdata default variables [[[
+# ======================================
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: sssd_pkg_state [[[
+#
+# State of the packages to install. Possible options :
+#
+# ``latest``
+#   Default. Ensure those packages are in the latest state.
+#
+# ``absent``
+#   Default. Ensure to remove those packages.
+#
+# ``present``
+#   Ensure to install those packages.
+#
 sssd_pkg_state: 'latest'
+                                                                       # ]]]
+# .. envvar:: sssd__unwanted_packages_state [[[
+#
+# State of the unwanted packages. Possible options :
+#
+# ``absent``
+#   Default. Ensure to remove those packages.
+#
+# ``present``
+#   Ensure to install those packages.
+#
+# ``latest``
+#   Ensure those packages are in the latest state.
+#
+# ``Anything else``
+#   The packages will not be touch.
+#
+sssd__unwanted_packages_state: 'absent'
+                                                                       # ]]]
+# .. envvar:: sssd__deploy_state [[[
+#
+# What is the desired state which this role should achieve ? Possible options :
+#
+# ``present``
+#   Default. Ensure that sssd is installed and configured as requested.
+#
+# ``absent``
+#   TODO: Ensure that sssd is uninstalled and it's configuration is removed.
+#
+sssd__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+
 
 # Configuration
 sssd_conf_manage: true
@@ -9,6 +61,10 @@ sssd_main_conf_path: '/etc/sssd/sssd.conf'
 sssd_main_conf_tpl: 'etc/sssd/sssd.conf.j2'
 sssd_mkhomedir: true
 sssd_home_path: '/home'
+sssd_shell: '/bin/bash'
+sssd_shell_override: False
+
+sssd_sudoers_ldap: false
 
 # LDAP info
 sssd_domain: ''
@@ -18,5 +74,9 @@ sssd_search_base: ''
 sssd_bind_dn: ''
 sssd_bind_password: ''
 
+# nsswitch configuration
+sssd_nsswitch_manage: false
+
 # Service
 sssd_service_name: 'sssd'
+sssd_flush_handlers: False

handlers/main.yml

@@ -4,3 +4,8 @@
   service:
     name: '{{ sssd_service_name }}'
     state: restarted
+
+- name: restart logind
+  service:
+    name: systemd-logind
+    state: restarted

meta/main.yml

@@ -1,22 +1,19 @@
+---
+
+dependencies: []
+
 galaxy_info:
   author: "Jérémy Gardais"
   description: "Manage LDAP authentication with SSSD (System Security Services Daemon)."
   license: WTFPL
   company: IPR
-  issue_tracker_url: https://git.ipr.univ-rennes1.fr/cellinfo/ansible.sssd/issues
-  min_ansible_version: 2.2
+  issue_tracker_url: https://git.ipr.univ-rennes.fr/cellinfo/ansible.sssd/issues
+  min_ansible_version: 2.7
   platforms:
   - name: Debian
     versions:
     - stretch
-  #- name: opensuse
-  #  versions:
-  #  - all
-  #  - 12.1
-  #  - 12.2
-  #  - 12.3
-  #  - 13.1
-  #  - 13.2
+    - buster
   galaxy_tags:
     - system
     - authentication

tasks/main.yml

@@ -1,6 +1,9 @@
 ---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
 # tasks file for ansible-role-sssd
 
+# Load vars [[[1
 - name: Load specific OS vars
   include_vars: "{{ item }}"
   with_first_found:
@@ -8,12 +11,39 @@
     - "{{ ansible_distribution|lower }}.yml"
     - "{{ ansible_os_family|lower }}.yml"
 
-# Packages
+# Manage packages [[[1
 - name: Install sssd
   package:
     name: "{{ item }}"
-    state: "{{ sssd_pkg_state }}"
-  with_items: "{{ sssd_pkg_list }}"
+    state: 'present'
+  with_flattened:
+    - '{{ sssd_pkg_list | flatten }}'
+  register: sssd_pkg_result
+  until: sssd_pkg_result is success
+  when: (sssd__deploy_state == "present")
+
+- name: Remove unwanted packages
+  package:
+    name: "{{ item }}"
+    state: "{{ sssd__unwanted_packages_state }}"
+  with_flattened:
+    - '{{ sssd__unwanted_packages_list | flatten }}'
+  register: sssd_remove_result
+  until: sssd_remove_result is success
+  when: (sssd__deploy_state == "present")
+
+# Manage configuration [[[1
+## Update nsswitch.conf
+- name: CONFIG sudoers nsswitch.conf
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    state: present
+    regexp: '^sudoers:'
+    line: 'sudoers:        files'
+    owner: root
+    group: root
+    mode: 0644
+  when: (sssd__deploy_state == "present") and (not sssd_sudoers_ldap and sssd_nsswitch_manage)
 
 # Configuration file
 - name: CONFIG sssd.conf
@@ -24,9 +54,10 @@
     owner: root
     group: root
     backup: true
-  when: sssd_conf_manage
+  when: (sssd__deploy_state == "present") and (sssd_conf_manage)
   notify:
     - restart sssd
+    - restart logind
 
 - name: "CONFIG conf.d/{{ sssd_domain }}.conf"
   blockinfile:
@@ -40,14 +71,19 @@
     content: |
       [domain/{{ sssd_domain }}]
       #ldap_default_authtok = password for {{ sssd_bind_dn }} after END BLOCK
-  when: sssd_conf_manage
+      {% if sssd_bind_password %}ldap_default_authtok = {{ sssd_bind_password }}{% endif %}
+  when: (sssd__deploy_state == "present") and (sssd_conf_manage)
   notify:
     - restart sssd
+    - restart logind
 
 - name: Ensure home directories are created upon login with pam
   lineinfile:
     dest: /etc/pam.d/common-account
     regexp: 'pam_mkhomedir\.so'
-    line: "session	required			pam_mkhomedir.so	umask=0022	skel=/etc/skel/	silent"
+    line: "session required                        pam_mkhomedir.so        umask=0022      skel=/etc/skel/ silent"
     state: present
-  when: sssd_mkhomedir
+  when: (sssd__deploy_state == "present") and (sssd_mkhomedir)
+
+- name: Flush handlers to be able to use SSSD authentication
+  meta: flush_handlers

templates/etc/sssd/sssd.conf.j2

@@ -1,4 +1,4 @@
-# {{ ansible_managed }} }
+# {{ ansible_managed }}
 [sssd]
 config_file_version = 2
 services = nss, pam, autofs
@@ -22,7 +22,7 @@ ldap_tls_reqcert = never
 ldap_search_base = {{ sssd_search_base }}
 ldap_default_bind_dn = {{ sssd_bind_dn }}
 ldap_default_authtok_type = password
-#ldap_default_authtok = ... # See conf.d/default.bind.conf
+#ldap_default_authtok = ... # See conf.d/{{ sssd_domain }}.conf
 cache_credentials = True
 entry_cache_timeout = 5400
 
@@ -34,6 +34,9 @@ entry_cache_timeout = 5400
 
 {# mapping/attribute configuration #}
 override_homedir = {{ sssd_home_path }}/%u
+{% if sssd_shell_override %}
+override_shell = {{ sssd_shell }}
+{% endif %}
 
 krb5_realm = #
 

vars/debian.yml

@@ -1,4 +1,12 @@
 ---
 # vars file for Debian-based distros
 sssd_pkg_list:
+  - ca-certificates
+  - libpam-sss
+  - libnss-sss
   - sssd
+
+sssd__unwanted_packages_list:
+  - libnss-ldap
+  - nscd
+  - nslcd