Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add sssd custom settings #64

Merged
merged 23 commits into from
Nov 10, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
1bd1044
implement linting suggestions
brakkioris Nov 2, 2023
a0eb074
implement task to add custo sssd settings
brakkioris Nov 2, 2023
a7c00e4
add default and info in readme.md for ad_integration_sssd_custom_sett…
brakkioris Nov 2, 2023
bf40bba
add test for sssd custom settings
brakkioris Nov 6, 2023
86eaafa
Update tests/tests_sssd_custom_setttings.yml
brakkio86 Nov 9, 2023
b377f2f
Update tests/tests_sssd_custom_setttings.yml
brakkio86 Nov 9, 2023
7a9c4f5
change sssd custom settings with remove option
brakkioris Nov 9, 2023
a793824
Update tasks/main.yml
brakkio86 Nov 9, 2023
8c920c6
Update README.md with lint suggestion
brakkio86 Nov 9, 2023
f9d4f17
Update README.md
brakkio86 Nov 9, 2023
0464237
Update README.md
brakkio86 Nov 9, 2023
12801ba
Update README.md
brakkio86 Nov 9, 2023
1e42624
Update README.md
brakkio86 Nov 9, 2023
db693cf
Update README.md
brakkio86 Nov 9, 2023
6f86803
Update README.md
brakkio86 Nov 9, 2023
e65dfb6
Update tests/tests_sssd_custom_setttings.yml
brakkio86 Nov 10, 2023
4f387e9
Update tests/tests_sssd_custom_setttings.yml
brakkio86 Nov 10, 2023
c46f14e
Update tests/tests_sssd_custom_setttings.yml
brakkio86 Nov 10, 2023
48a610c
Update tests/tests_sssd_custom_setttings.yml
brakkio86 Nov 10, 2023
5cb903b
Update tests/tests_sssd_custom_setttings.yml
brakkio86 Nov 10, 2023
83cf730
Update tests/tests_sssd_custom_setttings.yml
brakkio86 Nov 10, 2023
5a679da
Revert double commit tests_sssd_custom_setttings.yml
brakkio86 Nov 10, 2023
835b95a
Add check in handler
brakkio86 Nov 10, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -207,6 +207,18 @@ Useful if some specific configuration like --user-principal=host/name@REALM or -
See man realm for details.
Example: ad_integration_join_parameters: "--user-principal host/[email protected]"

#### ad_integration_sssd_custom_settings

A list of custom setting to be included into the `[domain/$REALM]` section
of the sssd.conf file. See sssd.conf man pages for details.
Example:
brakkio86 marked this conversation as resolved.
Show resolved Hide resolved

```yaml
ad_integration_sssd_custom_settings:
- key: "configuration_name"
value: "configuration_value"
```

## Example Playbook

The following is an example playbook to setup direct Active Directory integration with AD domain `domain.example.com`, the join will be performed with user Administrator using the vault stored password. Prior to the join, the crypto policy for AD SUPPORT with RC4 encryption allowed will be set.
Expand Down
6 changes: 6 additions & 0 deletions defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -130,3 +130,9 @@ ad_dyndns_server: null
# Any additional parameters passed to realm join command
# Useful for passing things like --user-principal etc.
ad_integration_join_parameters: ""

# A list of custom setting to be included into the [domain/<REALM>] section
# of the sssd.conf file. The list will be composed of two entry:
# - key: "configuration_name"
# value: "configuration_value"
ad_integration_sssd_custom_settings: []
3 changes: 2 additions & 1 deletion handlers/main.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
# SPDX-License-Identifier: MIT
---
- name: Handler for ad_integration to restart services
service:
ansible.builtin.service:
name: "{{ item }}"
state: restarted
loop: "{{ __ad_integration_services }}"
when: not __ad_integration_test_sssd_config_only | default(false)
20 changes: 17 additions & 3 deletions tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -196,7 +196,7 @@
search("Already joined to this domain")

- name: Configure dynamic DNS updates
ini_file:
community.general.ini_file:
path: /etc/sssd/sssd.conf
state: present
section: "domain/{{ ad_integration_realm | lower }}"
Expand All @@ -205,7 +205,7 @@
create: true
owner: root
group: root
mode: 0600
mode: u=rw,g=,o=
loop:
- key: dyndns_update
value: "{{ ad_dyndns_update | string }}"
Expand Down Expand Up @@ -237,6 +237,20 @@
- item.value != ''
notify: Handler for ad_integration to restart services

- name: Configure custom SSSD settings
community.general.ini_file:
path: /etc/sssd/sssd.conf
state: "{{ item.state | default('present') }}"
section: "domain/{{ ad_integration_realm | lower }}"
option: "{{ item.key }}"
value: "{{ item.value }}"
create: true
owner: root
group: root
mode: u=rw,g=,o=
loop: "{{ ad_integration_sssd_custom_settings }}"
notify: Handler for ad_integration to restart services

# If dyndns_iface and/or dyndns_server previously had a configured value but are
# now being set to `none` or `''`, remove the options form sssd.conf so sssd
# will determine the default values.
Expand All @@ -248,7 +262,7 @@
option: "{{ item.key }}"
owner: root
group: root
mode: 0600
mode: u=rw,g=,o=
loop:
- key: dyndns_iface
value: "{{ '' if ad_dyndns_iface is none else ad_dyndns_iface }}"
Expand Down
96 changes: 96 additions & 0 deletions tests/tests_sssd_custom_setttings.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
# SPDX-License-Identifier: MIT
---

- name: Ensure that the role configures dynamic dns
hosts: all,!ad
gather_facts: false # test that role works in this case
vars:
ad_integration_realm: sample-realm.com
__ad_integration_test_sssd_config_only: true
ad_integration_sssd_custom_settings:
brakkio86 marked this conversation as resolved.
Show resolved Hide resolved
- key: "auth_provider_test"
value: "ad"
- key: "override_shell_test"
value: "/bin/bash"

tasks:
- name: Test - Run the system role with bogus vars
ansible.builtin.include_role:
name: linux-system-roles.ad_integration

- name: Test - Verify sssd.conf custom settings were written
block:
- name: Copy sssd.conf file from host to local /tmp/
ansible.builtin.fetch:
src: /etc/sssd/sssd.conf
dest: /tmp/
flat: true
changed_when: false
- name: Assert sssd.conf options were written
ansible.builtin.assert:
that:
- "{{ lookup('ini', item.key, section='domain/' +
ad_integration_realm | lower, file='/tmp/sssd.conf') | tojson }}
== {{ item.value | tojson }}"
loop: "{{ ad_integration_sssd_custom_settings }}"
- name: Remove /tmp/sssd.conf
ansible.builtin.file:
path: /tmp/sssd.conf
state: absent
changed_when: false

- name: Test - Check sssd.log for unsupported options
block:
- name: Search /var/log/sssd/sssd.log for [sss_ini_call_validators]
# noqa: command-instead-of-shell
ansible.builtin.command: |
grep -i sss_ini_call_validators /var/log/sssd/sssd.log
register: sssd_log
changed_when: false
failed_when: false
- name: Fail if signature found
ansible.builtin.fail:
msg: Appears to be an unsupported option in /etc/sssd/sssd.conf
when: sssd_log.stdout | length > 0

- name: Test - Re-Build a list of settings with state=absent
ansible.builtin.set_fact:
update_list: "{{ update_list + update }}"
loop: "{{ ad_integration_sssd_custom_settings }}"
loop_control:
index_var: idx
vars:
update_list: []
update:
- key: "{{ item['key'] }}"
value: "{{ item['value'] }}"
state: absent

- name: Test - Re-run the system role to remove vars
block:
- name: Rerun system role
ansible.builtin.include_role:
name: linux-system-roles.ad_integration
vars:
ad_integration_sssd_custom_settings: "{{ update_list }}"

- name: Test - Verify sssd.conf options were removed
block:
- name: Copy sssd.conf file from host to local /tmp/
ansible.builtin.fetch:
src: /etc/sssd/sssd.conf
dest: /tmp/
flat: true
changed_when: false
- name: Assert sssd.conf options were removed
ansible.builtin.assert:
that:
- "{{ lookup('ini', item.key, default='removed',
section='domain/' + ad_integration_realm | lower,
file='/tmp/sssd.conf') | tojson }} == {{ 'removed' | tojson }}"
loop: "{{ ad_integration_sssd_custom_settings }}"
- name: Remove /tmp/sssd.conf
ansible.builtin.file:
path: /tmp/sssd.conf
state: absent
changed_when: false
Loading