Manage LDAP authentication with SSSD (System Security Services Daemon).
Highly inspired by Lae's system_ldap role with minors updates (test only on Debian 9 and maybe on OpenSuse).
- sssd__deploy_state: The desired state this role should achieve [default :
present]. - sssd_pkg_state : State of new sssd packages [default :
latest]. - sssd__unwanted_packages_state : State of unwanted packages that might interfer with SSSD [default :
absent]. - sssd_conf_manage : If SSSD configuration should be managed with this role [default :
true]. - sssd_main_conf_path : Path to set main SSSD's configuration [default :
/etc/sssd/sssd.conf]. - sssd_main_conf_tpl : Template used to generate the previous config file [default :
etc/sssd/sssd.conf.j2]. - sssd_mkhomedir : If home directories should be created at login [default :
true]. - sssd_home_path : Path where home directories are stored [default :
/home]. - sssd_shell : Path to the default shell to use [default :
/bin/bash]. - sssd_shell_override : If shell should be override with the previous value [default :
False]. - sssd_sudoers_ldap : If sudo must look to
sssthe list of sudoers [default :false]. - sssd_nsswitch_manage : If nsswitch should be managed by the role [default :
false]. - sssd_service_name : SSSD's service name [default :
sssd]. - sssd_flush_handlers : If handlers need to be applied at the end of the role [default :
False].
Please see default value by Operating System file in vars directory.
- sssd_pkg_list : The list of packages to install to provide
sssd.- Be careful,
sssdmay need additional packages to be able to establish a TLS connection to a LDAP/AD/… server (such asca-certificates,…).
- Be careful,
- sssd__unwanted_packages_list : The list of packages to remove.
- Use defaults vars :
- hosts: serverXYZ
roles:
- role: ipr-cnrs.sssd- With a
group_vars/serverxyz.ymlfile :
sssd_domain: 'dotld'
sssd_uris:
- ldap://ldap.domain.tld
sssd_search_base: 'ou=People,dc=domain,dc=tld
sssd_bind_dn: 'cn=sssd_user,ou=apps,dc=domain,dc=tld'-
Then you also need to enter the
bind_dn_passwordon the remote host (/etc/sssd/conf.d/sssd_domain.conf|/etc/sssd/conf.d/dotld.conf). If you want to definebind_dn_passwordin a playbook, please be sure to use Vault (or any other tool) to cipher your data ! -
If you have some other role that need a working sssd configuration, you may want to apply the new configuration :
sssd_flush_handlers: TrueThis role will :
- Install needed packages to provide
sssd. - Remove packages that might interfer with
sssdfor authentication. - Manage the default
sssdconfiguration file (/etc/sssd/sssd.conf). - Create an additional configuration file to only store the bind_password (
/etc/sssd/conf.d/domain.bind.conf). - Remove
sssdirective forsudoersin/etc/nsswitch.conffile ifsssd_nsswitch_manageis set. - Manage
sssdservice. - Restart
systemd-logindservice.
This source code comes from our Gogs instance and the Github repo exist just to be able to send the role to Ansible Galaxy…
But feel free to send issue/PR here :)
Thanks to this hook, Github automatically got updates from our Gogs instance :)
Jérémy Gardais
- Source : on IPR's Gogs
- IPR (Institut de Physique de Rennes)