[sssd] Manage pamd rules

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

roles/sssd/tasks/main.yml

@@ -55,7 +55,68 @@
     - passwd
     - group
 
-- name: Configure PAM authentication
+- name: Override PAM rule priority for unix login to insert sssd login
-  template:
+  pamd:
-    src: pam.d/common-password.j2
+    # Standard Unix auth by default if available (for root)
-    dest: /etc/pam.d/common-password
+    name: common-auth
+    type: auth
+    control: '[success=2 default=ignore]'
+    new_control: '[success=3 default=ignore]'
+    module_path: pam_unix.so
+
+- name: Insert PAM SSS authentication rule
+  pamd:
+    name: common-auth
+    type: auth
+    control: '[success=3 default=ignore]'
+    module_path: pam_unix.so
+    new_type: auth
+    new_control: '[success=2 default=ignore]'
+    new_module_path: pam_sss.so
+    state: after
+
+- name: Update PAM arguments for SSS authentication
+  pamd:
+    name: common-auth
+    type: auth
+    module_path: pam_sss.so
+    control: '[success=2 default=ignore]'
+    module_arguments: 'use_first_pass'
+
+- name: Add PAM rule for SSS sessions
+  pamd:
+    name: common-session
+    type: session
+    control: required
+    module_path: pam_unix.so
+    new_type: session
+    new_control: optional
+    new_module_path: pam_sss.so
+    state: after
+
+- name: Override PAM rule priority for unix passwords
+  pamd:
+    name: common-password
+    type: password
+    control: '[success=2 default=ignore]'
+    new_control: '[success=3 default=ignore]'
+    module_path: pam_unix.so
+
+- name: Insert PAM SSS password rule
+  pamd:
+    name: common-password
+    type: password
+    control: '[success=3 default=ignore]'
+    module_path: pam_unix.so
+    new_type: password
+    new_control: '[success=2 default=ignore]'
+    new_module_path: pam_sss.so
+    state: after
+
+- name: Update PAM arguments for SSS authentication
+  pamd:
+    name: common-password
+    type: password
+    module_path: pam_sss.so
+    control: '[success=2 default=ignore]'
+    module_arguments: 'use_authtok'

roles/sssd/templates/pam.d/common-password.j2

@@ -1,37 +0,0 @@
-{{ ansible_header | comment }}
-#
-# /etc/pam.d/common-password - password-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define the services to be
-# used to change user passwords.  The default is pam_unix.
-
-# Explanation of pam_unix options:
-#
-# The "sha512" option enables salted SHA512 passwords.  Without this option,
-# the default is Unix crypt.  Prior releases used the option "md5".
-#
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
-# login.defs.
-#
-# See the pam_unix manpage for other options.
-
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules.  See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-password        requisite                       pam_pwquality.so retry=3
-password        [success=3 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
-password        sufficient                      pam_sss.so use_authtok
-password        [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 try_first_pass
-# here's the fallback if no module succeeds
-password        requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-password        required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config