From 77b42f82b26299a525052c5dcebcbaaef3cf1d50 Mon Sep 17 00:00:00 2001
From: Jonas Gunz
Date: Thu, 9 Sep 2021 21:57:57 +0200
Subject: add sssd
---
 roles/sssd/defaults/main.yml | 10 ++++++++++
 roles/sssd/handlers/main.yml | 6 ++++++
 roles/sssd/tasks/main.yml | 38 ++++++++++++++++++++++++++++++++++++++
 roles/sssd/templates/sssd.conf.j2 | 34 ++++++++++++++++++++++++++++++++++
 4 files changed, 88 insertions(+)
 create mode 100644 roles/sssd/defaults/main.yml
 create mode 100644 roles/sssd/handlers/main.yml
 create mode 100644 roles/sssd/tasks/main.yml
 create mode 100644 roles/sssd/templates/sssd.conf.j2
(limited to 'roles/sssd')
diff --git a/roles/sssd/defaults/main.yml b/roles/sssd/defaults/main.yml
new file mode 100644
index 0000000..381bb74
--- /dev/null
+++ b/roles/sssd/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+sssd_ldap:
+ host: 'ldaps://ldap.example.com'
+ start_tls: False
+ bind_dn: 'cn=sssd,dc=example,dc=com'
+ bind_pw: 'password'
+ base_dn: 'dc=example,dc=com'
+ user_dn: 'ou=users,dc=example,dc=com'
+ group_dn: 'ou=groups,dc=example,dc=com'
+ access_filter: '&(objectClass=posixAccount)'
diff --git a/roles/sssd/handlers/main.yml b/roles/sssd/handlers/main.yml
new file mode 100644
index 0000000..ac65088
--- /dev/null
+++ b/roles/sssd/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart sssd
+ systemd:
+ name: sssd
+ state: restarted
+ become: yes
diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml
new file mode 100644
index 0000000..b50cac6
--- /dev/null
+++ b/roles/sssd/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: Install packages
+ apt:
+ name:
+ - sssd
+ - libpam-sss
+ - libnss-sss
+ update_cache: yes
+ become: yes
+
+- name: Install SSSD Config file
+ template:
+ src: sssd.conf.j2
+ dest: /etc/sssd/sssd.conf
+ mode: '600'
+ become: yes
+ notify: Restart sssd
+
+- name: Create LDAP Config dir
+ file:
+ path: /etc/ldap
+ state: directory
+ become: yes
+
+- name: Install ldap.conf
+ copy:
+ content: 'TLS_CACERT /etc/ssl/certs/ca-certificates.crt'
+ dest: /etc/ldap/ldap.conf
+ become: yes
+ notify: Restart sssd
+
+- name: Auto-create Homedir
+ lineinfile:
+ path: /etc/pam.d/common-session
+ regex: '^session required pam_mkhomedir\.so'
+ line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
+ insertafter: '^session optional pam_sss\.so'
+ become: yes
diff --git a/roles/sssd/templates/sssd.conf.j2 b/roles/sssd/templates/sssd.conf.j2
new file mode 100644
index 0000000..c6ae86f
--- /dev/null
+++ b/roles/sssd/templates/sssd.conf.j2
@@ -0,0 +1,34 @@
+# vi: ft=conf
+# This file is managed by Ansible. Do not change.
+
+[sssd]
+services = nss, pam
+config_file_version = 2
+domains = default
+
+[nss]
+override_shell = /bin/bash
+
+[pam]
+offline_credentials_expiration = 60
+
+[domain/default]
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+cache_credentials = True
+access_provider = simple
+
+ldap_id_use_start_tls = {{ sssd_ldap.start_tls }}
+ldap_tls_reqcert = demand
+
+ldap_search_base = {{ sssd_ldap.base_dn }}
+ldap_group_search_base = {{ sssd_ldap.group_dn }}
+ldap_user_search_base = {{ sssd_ldap.user_dn }}
+ldap_access_filter = {{ sssd_ldap.access_filter }}
+
+ldap_uri = {{ sssd_ldap.host }}
+ldap_default_bind_dn = {{ sssd_ldap.bind_dn }}
+ldap_default_authtok = {{ sssd_ldap.bind_pw }}
+ldap_search_timeout = 50
+ldap_network_timeout = 60
-- cgit v1.2.3
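Review bot: `bind_pw: 'password'` in roles/sssd/defaults/main.yml is a working placeholder credential: a host whose inventory does not override `sssd_ldap.bind_pw` still gets a complete sssd.conf with that value rendered into `ldap_default_authtok`, and nothing in the role checks for it. Leave the key out of the defaults so the template render fails loudly, or add an `assert` task with `that: sssd_ldap.bind_pw != 'password'`, and keep the real value in vault. Separately, `start_tls: False` should be written `false`, and the `become: yes` / `update_cache: yes` values in handlers/main.yml and tasks/main.yml should be `true`, so yamllint's truthy rule and YAML 1.2 parsers agree on the type.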
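Review bot: The `Auto-create Homedir` task edits /etc/pam.d/common-session with `lineinfile`, but on the Debian-family hosts the apt task implies that file is generated by pam-auth-update, so the inserted line is liable to be dropped the next time a PAM package triggers a regeneration; a profile under /usr/share/pam-configs applied with `pam-auth-update --package` is the durable way to enable pam_mkhomedir. The `regex` and `insertafter` patterns as shown here match single spaces between fields while pam-auth-update writes tab-separated entries, so `insertafter` may never match and the line is then appended at the end of the file — `\s+` between fields would be safer, though whitespace in this view may be collapsed and should be confirmed against the real file. The `Install ldap.conf` task replaces /etc/ldap/ldap.conf wholesale with a single `TLS_CACERT` line; since sssd.conf is the file this role owns, an explicit `ldap_tls_cacert` there would make the trust anchor visible without relying on libldap's global config.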
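Review bot: `ldap_access_filter = {{ sssd_ldap.access_filter }}` has no effect with `access_provider = simple` a few lines above it: sssd only evaluates `ldap_access_filter` when the access provider is `ldap` (with `ldap_access_order` including `filter`, its default), and the simple provider with no `simple_allow_users` / `simple_allow_groups` admits every user the id provider returns. Either change the line to `access_provider = ldap` or drop the filter, so the file does not appear to enforce a restriction it does not. Also, `ldap_tls_reqcert = demand` here depends on the CA path set in /etc/ldap/ldap.conf by a separate task; adding `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt` to this template keeps certificate verification self-contained in the managed file.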