123 lines
2.8 KiB
YAML
123 lines
2.8 KiB
YAML
---
|
|
- name: Install sssd and nslcd
|
|
apt:
|
|
update_cache: true
|
|
name:
|
|
- libnss-ldapd
|
|
- libpam-ldapd
|
|
- nslcd
|
|
- sssd
|
|
state: present
|
|
register: apt_result
|
|
retries: 3
|
|
until: apt_result is succeeded
|
|
|
|
- name: Configure sssd
|
|
template:
|
|
src: sssd/sssd.conf.j2
|
|
dest: /etc/sssd/sssd.conf
|
|
mode: 0600
|
|
notify: Restart sssd service
|
|
|
|
- name: Enable sssd socket activation
|
|
systemd:
|
|
name: "sssd-{{ item }}"
|
|
enabled: true
|
|
loop:
|
|
- nss
|
|
- pam
|
|
|
|
- name: Configure nslcd for hosts
|
|
template:
|
|
src: nslcd.conf.j2
|
|
dest: /etc/nslcd.conf
|
|
mode: 0600
|
|
notify: Restart nslcd service
|
|
|
|
- name: Configure NSS to use sss
|
|
lineinfile:
|
|
dest: /etc/nsswitch.conf
|
|
regexp: "^{{ item.name }}:"
|
|
line: "{{ item.name }}: {{ item.db }}"
|
|
loop:
|
|
- {name: passwd, db: files systemd sss}
|
|
- {name: group, db: files systemd sss}
|
|
- {name: shadow, db: files sss}
|
|
- {name: networks, db: files ldap}
|
|
- {name: hosts, db: files ldap dns}
|
|
|
|
- name: Disable nscd cache
|
|
lineinfile:
|
|
dest: /etc/nscd.conf
|
|
regex: "enable-cache\t\t{{ item }}"
|
|
line: "\tenable-cache\t\t{{ item }}\t\tno"
|
|
loop:
|
|
- passwd
|
|
- group
|
|
|
|
- name: Override PAM rule priority for unix login to insert sssd login
|
|
pamd:
|
|
# Standard Unix auth by default if available (for root)
|
|
name: common-auth
|
|
type: auth
|
|
control: '[success=2 default=ignore]'
|
|
new_control: '[success=3 default=ignore]'
|
|
module_path: pam_unix.so
|
|
|
|
- name: Insert PAM SSS authentication rule
|
|
pamd:
|
|
name: common-auth
|
|
type: auth
|
|
control: '[success=3 default=ignore]'
|
|
module_path: pam_unix.so
|
|
new_type: auth
|
|
new_control: '[success=2 default=ignore]'
|
|
new_module_path: pam_sss.so
|
|
state: after
|
|
|
|
- name: Update PAM arguments for SSS authentication
|
|
pamd:
|
|
name: common-auth
|
|
type: auth
|
|
module_path: pam_sss.so
|
|
control: '[success=2 default=ignore]'
|
|
module_arguments: 'use_first_pass'
|
|
|
|
- name: Add PAM rule for SSS sessions
|
|
pamd:
|
|
name: common-session
|
|
type: session
|
|
control: required
|
|
module_path: pam_unix.so
|
|
new_type: session
|
|
new_control: optional
|
|
new_module_path: pam_sss.so
|
|
state: after
|
|
|
|
- name: Override PAM rule priority for unix passwords
|
|
pamd:
|
|
name: common-password
|
|
type: password
|
|
control: '[success=2 default=ignore]'
|
|
new_control: '[success=3 default=ignore]'
|
|
module_path: pam_unix.so
|
|
|
|
- name: Insert PAM SSS password rule
|
|
pamd:
|
|
name: common-password
|
|
type: password
|
|
control: '[success=3 default=ignore]'
|
|
module_path: pam_unix.so
|
|
new_type: password
|
|
new_control: '[success=2 default=ignore]'
|
|
new_module_path: pam_sss.so
|
|
state: after
|
|
|
|
- name: Update PAM arguments for SSS authentication
|
|
pamd:
|
|
name: common-password
|
|
type: password
|
|
module_path: pam_sss.so
|
|
control: '[success=2 default=ignore]'
|
|
module_arguments: 'use_authtok'
|