feat: Add SSSD parameters support (#76)

Enhancement: Add variable for setting configuration variable inside the [sssd] section of the sssd.conf file Reason: In my use case, I need to set some additional option like `default_domain_suffix` to be present inside the [sssd] section. This role doesn't have a variable for doing that. You can only set inside `[domain/YOURDOMAIN]` Result: You can use the variable `ad_integration_sssd_settings` to set some extra paremters like documented in https://linux.die.net/man/5/sssd.conf Issue Tracker Tickets (Jira or BZ if any): N/A P.S : It's my first PR. Be kind with me 😉 --------- Signed-off-by: Rich Megginson <[email protected]> Signed-off-by: Girard Sebastien <[email protected]> Signed-off-by: Sebastien Girard <[email protected]> Co-authored-by: Rich Megginson <[email protected]>
linux-system-roles · Jan 10, 2024 · c1085b0 · c1085b0
1 parent 992bf48
commit c1085b0
Show file tree

Hide file tree

Showing 6 changed files with 115 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -204,6 +204,18 @@ Useful if some specific configuration like --user-principal=host/name@REALM or -
 See man realm for details.
 Example: ad_integration_join_parameters: "--user-principal host/client0[email protected]"
 
+#### ad_integration_sssd_settings
+
+A list of setting to be included into the `[sssd]` section
+of the sssd.conf file. See sssd.conf man pages for details.
+Example:
+
+```yaml
+ad_integration_sssd_settings:
+  - key: "configuration_name"
+    value: "configuration_value"
+```
+
 #### ad_integration_sssd_custom_settings
 
 A list of custom setting to be included into the `[domain/$REALM]` section

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -131,6 +131,12 @@ ad_dyndns_server: null
 # Useful for passing things like --user-principal etc.
 ad_integration_join_parameters: ""
 
+# A list of setting to be included into the [sssd] section
+# of the sssd.conf file. The list will be composed of two entry:
+# - key: "configuration_name"
+#   value: "configuration_value"
+ad_integration_sssd_settings: []
+
 # A list of custom setting to be included into the [domain/<REALM>] section
 # of the sssd.conf file. The list will be composed of two entry:
 # - key: "configuration_name"

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -6,3 +6,10 @@
     state: restarted
   loop: "{{ __ad_integration_services }}"
   when: not __ad_integration_test_sssd_config_only | default(false)
+
+- name: Handler for ad_integration to restart services - sssd
+  ansible.builtin.service:
+    name: "{{ item }}"
+    state: restarted
+  loop: "{{ __ad_integration_services_sssd }}"
+  when: not __ad_integration_test_sssd_config_only | default(false)
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -197,6 +197,20 @@
   changed_when: not __realm_join_output.stderr is
     search("Already joined to this domain")
 
+- name: Configure SSSD settings
+  community.general.ini_file:
+    path: /etc/sssd/sssd.conf
+    state: "{{ item.state | default('present') }}"
+    section: "sssd"
+    option: "{{ item.key }}"
+    value: "{{ item.value }}"
+    create: true
+    owner: root
+    group: root
+    mode: u=rw,g=,o=
+  loop: "{{ ad_integration_sssd_settings }}"
+  notify: Handler for ad_integration to restart services - sssd
+
 - name: Configure dynamic DNS updates
   community.general.ini_file:
     path: /etc/sssd/sssd.conf
@@ -237,7 +251,7 @@
     - ad_dyndns_update | bool
     - item.value is not none
     - item.value != ''
-  notify: Handler for ad_integration to restart services
+  notify: Handler for ad_integration to restart services - sssd
 
 - name: Configure custom SSSD settings
   community.general.ini_file:
@@ -251,7 +265,7 @@
     group: root
     mode: u=rw,g=,o=
   loop: "{{ ad_integration_sssd_custom_settings }}"
-  notify: Handler for ad_integration to restart services
+  notify: Handler for ad_integration to restart services - sssd
 
 # If dyndns_iface and/or dyndns_server previously had a configured value but are
 # now being set to `none` or `''`, remove the options form sssd.conf so sssd
@@ -273,4 +287,4 @@
   when:
     - ad_dyndns_update | bool
     - item.value is none or item.value == ''
-  notify: Handler for ad_integration to restart services
+  notify: Handler for ad_integration to restart services - sssd
diff --git a/tests/tests_sssd_settings.yml b/tests/tests_sssd_settings.yml
@@ -0,0 +1,72 @@
+# SPDX-License-Identifier: MIT
+---
+
+- name: Ensure that the role configures dynamic dns
+  hosts: all,!ad
+  gather_facts: false  # test that role works in this case
+  vars:
+    ad_integration_realm: sample-realm.com
+    __ad_integration_test_sssd_config_only: true
+    ad_integration_sssd_settings:
+      - key: reconnection_retries
+        value: 5
+      - key: default_domain_suffix
+        value: addomain.xyz
+
+  tasks:
+    - name: Test - Run the system role with bogus vars
+      include_role:
+        name: linux-system-roles.ad_integration
+
+    - name: Check SSSD settings
+      community.general.ini_file:
+        path: /etc/sssd/sssd.conf
+        state: "{{ item.state | default('present') }}"
+        section: sssd
+        option: "{{ item.key }}"
+        value: "{{ item.value }}"
+        create: true
+        owner: root
+        group: root
+        mode: u=rw,g=,o=
+      loop: "{{ ad_integration_sssd_settings }}"
+      register: __result
+      failed_when: __result is changed
+
+    - name: Search /var/log/sssd/sssd.log for [sss_ini_call_validators]
+      command: >-
+        grep -i sss_ini_call_validators /var/log/sssd/sssd.log
+      register: sssd_log
+      changed_when: false
+      failed_when: false
+
+    - name: Fail if signature found
+      fail:
+        msg: Appears to be an unsupported option in /etc/sssd/sssd.conf
+      when: sssd_log.stdout | length > 0
+
+    - name: Test - Re-Build a list of settings with state=absent
+      set_fact:
+        update_list: "{{ ad_integration_sssd_settings |
+          map('combine', {'state': 'absent'}) | list }}"
+
+    - name: Test - Re-run the system role to remove vars
+      include_role:
+        name: linux-system-roles.ad_integration
+      vars:
+        ad_integration_sssd_settings: "{{ update_list }}"
+
+    - name: Check custom SSSD settings
+      community.general.ini_file:
+        path: /etc/sssd/sssd.conf
+        state: "{{ item.state | default('present') }}"
+        section: sssd
+        option: "{{ item.key }}"
+        value: "{{ item.value }}"
+        create: true
+        owner: root
+        group: root
+        mode: u=rw,g=,o=
+      loop: "{{ update_list }}"
+      register: __result
+      failed_when: __result is changed
diff --git a/vars/main.yml b/vars/main.yml
@@ -10,6 +10,7 @@ __ad_integration_packages:
   - realmd
   - PackageKit
 __ad_integration_services: [realmd]
+__ad_integration_services_sssd: [sssd]
 # ansible_facts required by the role
 __ad_integration_required_facts:
   - distribution