ansible.sssd/README.md

4.4 KiB
Raw Permalink Blame History

SSSD

  1. Overview
  2. Role Variables
  3. Example Playbook
  4. Configuration
  5. Development
  6. License
  7. Author Information

Overview

Manage LDAP authentication with SSSD (System Security Services Daemon).

Highly inspired by Lae's system_ldap role with minors updates (test only on Debian 9 and maybe on OpenSuse).

Role Variables

  • sssd__deploy_state: The desired state this role should achieve [default: present].
  • sssd_pkg_state: State of new sssd packages [default: latest].
  • sssd__unwanted_packages_state: State of unwanted packages that might interfer with SSSD [default: absent].
  • sssd_conf_manage: If SSSD configuration should be managed with this role [default: true].
  • sssd_main_conf_path: Path to set main SSSD's configuration [default: /etc/sssd/sssd.conf].
  • sssd_main_conf_tpl: Template used to generate the previous config file [default: etc/sssd/sssd.conf.j2].
  • sssd_mkhomedir: If home directories should be created at login [default: true].
  • sssd_home_path: Path where home directories are stored [default: /home].
  • sssd_shell: Path to the default shell to use [default: /bin/bash].
  • sssd_shell_override: If shell should be override with the previous value [default: False].
  • sssd_sudoers_ldap: If sudo must look to sss the list of sudoers [default: false].
  • sssd_nsswitch_manage: If nsswitch should be managed by the role [default: false].
  • sssd_service_name: SSSD's service name [default: sssd].
  • sssd_flush_handlers: If handlers need to be applied at the end of the role [default: False].

OS Specific Variables

Please see default value by Operating System file in vars directory.

  • sssd_pkg_list: The list of packages to install to provide sssd.
    • Be careful, sssd may need additional packages to be able to establish a TLS connection to a LDAP/AD/… server (such as ca-certificates,…).
  • sssd__unwanted_packages_list: The list of packages to remove.

Example Playbook

  • Use defaults vars:
- hosts: serverXYZ
  roles:
    - role: ipr-cnrs.sssd
  • With a group_vars/serverxyz.yml file:
sssd_domain: 'dotld'
sssd_uris:
  - ldap://ldap.domain.tld
sssd_search_base: 'ou=People,dc=domain,dc=tld
sssd_bind_dn: 'cn=sssd_user,ou=apps,dc=domain,dc=tld'
  • Then you also need to enter the bind_dn_password on the remote host (/etc/sssd/conf.d/sssd_domain.conf|/etc/sssd/conf.d/dotld.conf). If you want to define bind_dn_password in a playbook, please be sure to use Vault (or any other tool) to cipher your data!

  • If you have some other role that need a working sssd configuration, you may want to apply the new configuration:

sssd_flush_handlers: True

Configuration

This role will:

  • Install needed packages to provide sssd.
  • Remove packages that might interfer with sssd for authentication.
  • Manage the default sssd configuration file (/etc/sssd/sssd.conf).
  • Create an additional configuration file to only store the bind_password (/etc/sssd/conf.d/domain.bind.conf).
  • Remove sss directive for sudoers in /etc/nsswitch.conf file if sssd_nsswitch_manage is set.
  • Manage sssd service.
  • Restart systemd-logind service.

Development

This source code comes from our Gogs instance and the Github repo exist just to be able to send the role to Ansible Galaxy…

But feel free to send issue/PR here :)

Thanks to this hook, Github automatically got updates from our Gogs instance :)

License

WTFPL

Author Information

Jérémy Gardais