Jeremy Gardais
3e6ca56057
Some of my role need a working sssd config, so with `sssd_flush_handlers` parameter the new config can be apply before run the next roles. |
||
---|---|---|
defaults | ||
handlers | ||
meta | ||
tasks | ||
templates/etc/sssd | ||
vars | ||
CHANGELOG.md | ||
README.md |
README.md
SSSD
Overview
Manage LDAP authentication with SSSD (System Security Services Daemon).
Highly inspired by Lae's system_ldap role with minors updates (test only on Debian 9 and maybe on OpenSuse).
Role Variables
- sssd_pkg_state : State of new sssd packages [default :
latest
]. - sssd_conf_manage : If SSSD configuration should be managed with this role [default :
true
]. - sssd_main_conf_path : Path to set main SSSD's configuration [default :
/etc/sssd/sssd.conf
]. - sssd_main_conf_tpl : Template used to generate the previous config file [default :
etc/sssd/sssd.conf.j2
]. - sssd_mkhomedir : If home directories should be created at login [default :
true
]. - sssd_home_path : Path where home directories are stored [default :
/home
]. - sssd_sudoers_ldap : If sudo must look to
sss
the list of sudoers [default :false
]. - sssd_service_name : SSSD's service name [default :
sssd
]. - sssd_flush_handlers : If handlers need to be applied at the end of the role [default :
False
].
OS Specific Variables
Please see default value by Operating System file in vars directory.
- sssd_pkg_list : The list of packages to install to provide
sssd
.- Be careful,
sssd
may need additional packages to be able to establish a TLS connection to a LDAP/AD/… server (such asca-certificates
,…).
- Be careful,
Example Playbook
- Use defaults vars :
- hosts: serverXYZ
roles:
- role: ipr-cnrs.sssd
- With a
group_vars/serverxyz.yml
file :
sssd_domain: 'dotld'
sssd_uris:
- ldap://ldap.domain.tld
sssd_search_base: 'ou=People,dc=domain,dc=tld
sssd_bind_dn: 'cn=sssd_user,ou=apps,dc=domain,dc=tld'
-
Then you also need to enter the
bind_dn_password
on the remote host (/etc/sssd/conf.d/sssd_domain.conf
|/etc/sssd/conf.d/dotld.conf
). If you want to definebind_dn_password
in a playbook, please be sure to use Vault (or any other tool) to cipher your data ! -
If you have some other role that need a working sssd configuration, you may want to apply the new configuration :
sssd_flush_handlers: True
Configuration
This role will :
- Install needed packages to provide
sssd
. - Manage the default
sssd
configuration file (/etc/sssd/sssd.conf
). - Create an additional configuration file to only store the bind_password (
/etc/sssd/conf.d/domain.bind.conf
). - Remove
sss
directive forsudoers
in/etc/nsswitch.conf
file. - Manage
sssd
service. - Restart
systemd-logind
service.
Development
This source code comes from our Gogs instance and the Github repo exist just to be able to send the role to Ansible Galaxy…
But feel free to send issue/PR here :)
Thanks to this hook, Github automatically got updates from our Gogs instance :)
License
Author Information
Jérémy Gardais
- Source : on IPR's Gogs
- IPR (Institut de Physique de Rennes)