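---
# Debian/Ubuntu LDAP integration: sssd for users/groups/shadow and PAM,
# nslcd for the hosts/networks NSS maps. The handlers named in `notify`
# (Restart sssd service, Restart nslcd service) are defined elsewhere.

- name: Install sssd and nslcd
  apt:
    update_cache: true
    name:
      - libnss-ldapd
      - libpam-ldapd
      - nslcd
      - sssd
    state: present
  register: apt_result
  # Retry transient mirror/network failures instead of failing the play.
  retries: 3
  until: apt_result is succeeded

- name: Configure sssd
  template:
    src: sssd/sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    # Quoted so YAML does not read the octal literal as an integer. Owner-only:
    # presumably holds directory bind credentials — confirm against the template.
    mode: "0600"
  notify: Restart sssd service

- name: Enable sssd socket activation
  systemd:
    name: "sssd-{{ item }}"
    enabled: true
  loop:
    - nss
    - pam

- name: Configure nslcd for hosts
  template:
    src: nslcd.conf.j2
    dest: /etc/nslcd.conf
    mode: "0600"
  notify: Restart nslcd service

- name: Configure NSS to use sss
  lineinfile:
    dest: /etc/nsswitch.conf
    regexp: "^{{ item.name }}:"
    line: "{{ item.name }}:\t\t{{ item.db }}"
  # `db` is the NSS lookup order: for hosts an LDAP entry is consulted before
  # DNS, so directory content takes precedence over DNS answers.
  loop:
    - { name: passwd, db: files systemd sss }
    - { name: group, db: files systemd sss }
    - { name: shadow, db: files sss }
    - { name: networks, db: files ldap }
    - { name: hosts, db: files ldap dns }

- name: Disable nscd cache
  lineinfile:
    dest: /etc/nscd.conf
    # Documented parameter name (`regexp`), consistent with the task above;
    # `regex` is only an alias.
    regexp: "enable-cache\t\t{{ item }}"
    line: "\tenable-cache\t\t{{ item }}\t\tno"
  loop:
    - passwd
    - group

# PAM stacks. The `[success=N default=ignore]` jump counts appear to assume the
# stock Debian common-auth/common-password layout where pam_unix is
# `[success=2 default=ignore]`. Bumping pam_unix to success=3 and inserting
# pam_sss (success=2) right after it makes both rules jump to the same target.
# NOTE(review): on a second run the "Override" tasks find no success=2
# pam_unix rule and presumably make no change — verify idempotency.

- name: Override PAM rule priority for unix login to insert sssd login
  pamd:
    # Standard Unix auth by default if available (for root)
    name: common-auth
    type: auth
    control: "[success=2 default=ignore]"
    new_control: "[success=3 default=ignore]"
    module_path: pam_unix.so

- name: Insert PAM SSS authentication rule
  pamd:
    name: common-auth
    type: auth
    control: "[success=3 default=ignore]"
    module_path: pam_unix.so
    new_type: auth
    new_control: "[success=2 default=ignore]"
    new_module_path: pam_sss.so
    state: after

- name: Update PAM arguments for SSS authentication
  pamd:
    name: common-auth
    type: auth
    module_path: pam_sss.so
    control: "[success=2 default=ignore]"
    # Reuse the password pam_unix already collected rather than prompting again.
    module_arguments: use_first_pass

- name: Add PAM rule for SSS sessions
  pamd:
    name: common-session
    type: session
    control: required
    module_path: pam_unix.so
    new_type: session
    new_control: optional
    new_module_path: pam_sss.so
    state: after

- name: Override PAM rule priority for unix passwords
  pamd:
    name: common-password
    type: password
    control: "[success=2 default=ignore]"
    new_control: "[success=3 default=ignore]"
    module_path: pam_unix.so

- name: Insert PAM SSS password rule
  pamd:
    name: common-password
    type: password
    control: "[success=3 default=ignore]"
    module_path: pam_unix.so
    new_type: password
    new_control: "[success=2 default=ignore]"
    new_module_path: pam_sss.so
    state: after

# Renamed: the original duplicated the common-auth task's name, which makes
# play output and `--start-at-task` ambiguous.
- name: Update PAM arguments for SSS password changes
  pamd:
    name: common-password
    type: password
    module_path: pam_sss.so
    control: "[success=2 default=ignore]"
    # Take the new password already gathered by the preceding password module.
    module_arguments: use_authtok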