
# SSSD
1. [Overview](#overview)
2. [Role Variables](#role-variables)
    * [OS Specific Variables](#os-specific-variables)
3. [Example Playbook](#example-playbook)
4. [Configuration](#configuration)
5. [Development](#development)
6. [License](#license)
7. [Author Information](#author-information)
## Overview
Manage LDAP authentication with **SSSD** (System Security Services Daemon).
Heavily inspired by [Lae's system_ldap role][lae sssd galaxy], with minor updates (tested only on Debian 9, and maybe on openSUSE).
## Role Variables
* **sssd_pkg_state**: State of the sssd packages [default: `latest`].
* **sssd_conf_manage**: Whether the SSSD configuration should be managed by this role [default: `true`].
* **sssd_main_conf_path**: Path of the main SSSD configuration file [default: `/etc/sssd/sssd.conf`].
* **sssd_main_conf_tpl**: Template used to generate the previous config file [default: `etc/sssd/sssd.conf.j2`].
* **sssd_mkhomedir**: Whether home directories should be created at login [default: `true`].
* **sssd_home_path**: Path where home directories are stored [default: `/home`].
* **sssd_sudoers_ldap**: Whether sudo should look up the sudoers rules through `sss` [default: `false`].
* **sssd_service_name**: SSSD's service name [default: `sssd`].
* **sssd_flush_handlers**: Whether handlers should be flushed at the end of the role [default: `False`].
### OS Specific Variables
See the per-operating-system default values in the [vars][vars directory] directory.
* **sssd_pkg_list**: The list of packages to install to provide `sssd`.
* Be careful: `sssd` may need additional packages to be able to establish a TLS connection to an LDAP/AD/… server (such as `ca-certificates`, …).
## Example Playbook
* Use defaults vars:
``` yml
- hosts: serverXYZ
  roles:
    - role: ipr-cnrs.sssd
```
* With a `group_vars/serverxyz.yml` file:
``` yml
sssd_domain: 'dotld'
sssd_uris:
  - ldap://ldap.domain.tld
sssd_search_base: 'ou=People,dc=domain,dc=tld'
sssd_bind_dn: 'cn=sssd_user,ou=apps,dc=domain,dc=tld'
```
* Then you also need to enter the `bind_dn_password` on the remote host, in the per-domain file (`/etc/sssd/conf.d/sssd_domain.conf`, i.e. `/etc/sssd/conf.d/dotld.conf` for the example above). If you want to define `bind_dn_password` in a playbook, be sure to use [Vault][ansible vault] (or any other tool) to encrypt it!
* If you have some other role that needs a working sssd configuration right away, you may want to apply the new configuration before the role ends:
``` yml
sssd_flush_handlers: True
```
## Configuration
This role will:
* Install the packages needed to provide `sssd`.
* Manage the default `sssd` configuration file (`/etc/sssd/sssd.conf`).
* Create an additional configuration file that only stores the bind password (`/etc/sssd/conf.d/domain.bind.conf`).
* Remove the `sss` entry from the `sudoers` line in `/etc/nsswitch.conf`.
* Manage the `sssd` service.
* Restart the `systemd-logind` service.
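The two points a practitioner usually wants to verify after this role has run are the ones the Example Playbook and the file list above touch: the bind password must live only in the `/etc/sssd/conf.d` file with a `0600` mode, and a plain `ldap://` URI must be paired with StartTLS and certificate validation (the `ca-certificates` caveat under OS Specific Variables). The audit script below is an added example, not part of the ipr-cnrs.sssd role or of sssd itself: it parses an `sssd.conf`-style text with `configparser` and reports the weak settings. The option names `ldap_uri`, `ldap_default_authtok`, `ldap_id_use_start_tls` and `ldap_tls_reqcert` are real sssd options rather than role variables; the two sample configurations, the host names and the mode values are constructed for the demo.

```python
"""Audit an sssd.conf text for common LDAP hardening mistakes.

Added example, not part of the ipr-cnrs.sssd role: it only inspects the
configuration the role (or an administrator) produced. Option names are
sssd's own; the sample configs at the bottom are constructed.
"""
import configparser
import stat
from pathlib import Path
from typing import List


def _parse(text: str) -> configparser.ConfigParser:
    # sssd.conf is INI-style; keep option names case-sensitive and do not
    # interpolate '%' (DNs and passwords may contain it).
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_sssd_conf(text: str, mode: int = 0o600, is_main_file: bool = True) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    if mode & 0o077:
        findings.append(f"file mode {mode:04o} is readable by group/other; sssd expects 0600")
    cp = _parse(text)
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        # The role keeps the bind password in /etc/sssd/conf.d; flag it in sssd.conf.
        if is_main_file and "ldap_default_authtok" in opts:
            findings.append(f"{section}: bind password (ldap_default_authtok) is in the main "
                            "file; keep it in the /etc/sssd/conf.d file instead")
        starttls = opts.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        uris = [u.strip() for u in opts.get("ldap_uri", "").split(",") if u.strip()]
        for uri in uris:
            if uri.startswith("ldap://") and not starttls:
                findings.append(f"{section}: {uri} is plaintext and ldap_id_use_start_tls "
                                "is not true; credentials would cross the wire unencrypted")
            elif not uri.startswith(("ldap://", "ldaps://", "ldapi://")):
                findings.append(f"{section}: unrecognised scheme in ldap_uri entry {uri}")
        # sssd's default for ldap_tls_reqcert is 'hard'; only explicit downgrades are flagged.
        reqcert = opts.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in ("never", "allow"):
            findings.append(f"{section}: ldap_tls_reqcert = {reqcert} disables server "
                            "certificate validation")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a real file, taking the mode from disk (main file is named sssd.conf)."""
    p = Path(path)
    mode = stat.S_IMODE(p.stat().st_mode)
    return audit_sssd_conf(p.read_text(), mode=mode, is_main_file=(p.name == "sssd.conf"))


# Constructed sample: everything the role tries to avoid, in one main file.
WEAK_CONF = """\
[sssd]
domains = dotld
services = nss, pam

[domain/dotld]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.domain.tld
ldap_search_base = ou=People,dc=domain,dc=tld
ldap_default_bind_dn = cn=sssd_user,ou=apps,dc=domain,dc=tld
ldap_default_authtok = constructed-demo-password
ldap_tls_reqcert = never
"""

# Constructed sample: StartTLS on the plain URI, CA bundle set, no password here.
HARDENED_CONF = """\
[sssd]
domains = dotld
services = nss, pam

[domain/dotld]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.domain.tld
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_search_base = ou=People,dc=domain,dc=tld
ldap_default_bind_dn = cn=sssd_user,ou=apps,dc=domain,dc=tld
"""

if __name__ == "__main__":
    for name, conf, mode in (("weak", WEAK_CONF, 0o644), ("hardened", HARDENED_CONF, 0o600)):
        print(f"== {name} ==")
        for finding in audit_sssd_conf(conf, mode=mode) or ["no findings"]:
            print(" -", finding)
```

Run it against a host with `python3 audit.py` for the built-in samples, or call `audit_file("/etc/sssd/sssd.conf")` and `audit_file("/etc/sssd/conf.d/dotld.conf")` after the role has applied; the second call passes `is_main_file=False` automatically, so the bind password in the `conf.d` file is not flagged while a plaintext URI or a downgraded `ldap_tls_reqcert` still is.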
## Development
This source code comes from our [Gogs instance][sssd source]; the [Github repo][sssd github] exists only so that the role can be published on Ansible Galaxy…
But feel free to send issues/PRs there :)
Thanks to this [hook][gogs to github hook], Github automatically gets updates from our [Gogs instance][sssd source] :)
## License
[WTFPL][wtfpl website]
## Author Information
Jérémy Gardais
* Source: [on IPR's Gogs][sssd source]
* [IPR][ipr website] (Institut de Physique de Rennes)
[vars directory]: ./vars
[ansible vault]: http://docs.ansible.com/ansible/latest/vault.html
[gogs to github hook]: https://stackoverflow.com/a/21998477
[sssd source]: https://git.ipr.univ-rennes1.fr/cellinfo/ansible.sssd
[sssd github]: https://github.com/ipr-cnrs/sssd
[wtfpl website]: http://www.wtfpl.net/about/
[ipr website]: https://ipr.univ-rennes1.fr/
[lae sssd galaxy]: https://galaxy.ansible.com/lae/system_ldap/