diff --git a/README.md b/README.md index 20580e8..73173ca 100644 --- a/README.md +++ b/README.md @@ -204,6 +204,18 @@ Useful if some specific configuration like --user-principal=host/name@REALM or - See man realm for details. Example: ad_integration_join_parameters: "--user-principal host/client007@EXAMPLE.COM" +#### ad_integration_sssd_settings + +A list of setting to be included into the `[sssd]` section +of the sssd.conf file. See sssd.conf man pages for details. +Example: + +```yaml +ad_integration_sssd_settings: + - key: "configuration_name" + value: "configuration_value" +``` + #### ad_integration_sssd_custom_settings A list of custom setting to be included into the `[domain/$REALM]` section diff --git a/defaults/main.yml b/defaults/main.yml index ba10678..770c4c8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -131,6 +131,12 @@ ad_dyndns_server: null # Useful for passing things like --user-principal etc. ad_integration_join_parameters: "" +# A list of setting to be included into the [sssd] section +# of the sssd.conf file. The list will be composed of two entry: +# - key: "configuration_name" +# value: "configuration_value" +ad_integration_sssd_settings: [] + # A list of custom setting to be included into the [domain/] section # of the sssd.conf file. The list will be composed of two entry: # - key: "configuration_name" diff --git a/handlers/main.yml b/handlers/main.yml index 4563f29..e53e74c 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -6,3 +6,10 @@ state: restarted loop: "{{ __ad_integration_services }}" when: not __ad_integration_test_sssd_config_only | default(false) + +- name: Handler for ad_integration to restart services - sssd + ansible.builtin.service: + name: "{{ item }}" + state: restarted + loop: "{{ __ad_integration_services_sssd }}" + when: not __ad_integration_test_sssd_config_only | default(false) diff --git a/tasks/main.yml b/tasks/main.yml index 433c6fc..385e287 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
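Review bot: The comment above `ad_integration_sssd_settings` documents only `key` and `value`, but the task that consumes the list in tasks/main.yml also reads an optional `state` (`item.state | default('present')`), so the only way to remove a setting is undocumented here and in the README hunk. I would extend the comment with `#   state: "absent"   # optional, defaults to "present"; removes the option`. "composed of two entry" reads as "composed of two entries"; the existing custom-settings comment below carries the same wording, so fixing both keeps them consistent.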
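Review bot: The new handler is a line-for-line copy of the existing one with only the loop list changed, and nothing records why two handlers exist; a later cleanup could fold them together and reintroduce restarting realmd on every sssd.conf edit. A comment above the new entry such as `# sssd.conf edits notify this handler so only sssd, not realmd, is restarted` would preserve the intent; vars/main.yml defines `__ad_integration_services_sssd: [sssd]` next to `__ad_integration_services: [realmd]`, which is what the split relies on.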
@@ -197,6 +197,20 @@ changed_when: not __realm_join_output.stderr is search("Already joined to this domain") +- name: Configure SSSD settings + community.general.ini_file: + path: /etc/sssd/sssd.conf + state: "{{ item.state | default('present') }}" + section: "sssd" + option: "{{ item.key }}" + value: "{{ item.value }}" + create: true + owner: root + group: root + mode: u=rw,g=,o= + loop: "{{ ad_integration_sssd_settings }}" + notify: Handler for ad_integration to restart services - sssd + - name: Configure dynamic DNS updates community.general.ini_file: path: /etc/sssd/sssd.conf @@ -237,7 +251,7 @@ - ad_dyndns_update | bool - item.value is not none - item.value != '' - notify: Handler for ad_integration to restart services + notify: Handler for ad_integration to restart services - sssd - name: Configure custom SSSD settings community.general.ini_file: @@ -251,7 +265,7 @@ group: root mode: u=rw,g=,o= loop: "{{ ad_integration_sssd_custom_settings }}" - notify: Handler for ad_integration to restart services + notify: Handler for ad_integration to restart services - sssd # If dyndns_iface and/or dyndns_server previously had a configured value but are # now being set to `none` or `''`, remove the options form sssd.conf so sssd @@ -273,4 +287,4 @@ when: - ad_dyndns_update | bool - item.value is none or item.value == '' - notify: Handler for ad_integration to restart services + notify: Handler for ad_integration to restart services - sssd diff --git a/tests/tests_sssd_settings.yml b/tests/tests_sssd_settings.yml new file mode 100644 index 0000000..223bcaf --- /dev/null +++ b/tests/tests_sssd_settings.yml 
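Review bot: `value: "{{ item.value }}"` is rendered for every entry, so an entry that carries only `key` and `state: absent` fails on the undefined attribute before ini_file runs; `value: "{{ item.value | default(omit) }}"` keeps the present-case behaviour and lets removals omit the value, which ini_file accepts with state=absent. The loop prints each full item in the play output, so a `loop_control:` with `label: "{{ item.key }}"` would log only the option name and keep any sensitive value out of the output. The existing 'Configure custom SSSD settings' task, which the later hunks only re-point to the new handler, has the same two issues. A one-line comment above the task, e.g. `# Writes the [sssd] section of sssd.conf; item.state defaults to present`, would also help readers who only see the variable name.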
@@ -0,0 +1,72 @@ +# SPDX-License-Identifier: MIT +--- + +- name: Ensure that the role configures dynamic dns + hosts: all,!ad + gather_facts: false # test that role works in this case + vars: + ad_integration_realm: sample-realm.com + __ad_integration_test_sssd_config_only: true + ad_integration_sssd_settings: + - key: reconnection_retries + value: 5 + - key: default_domain_suffix + value: addomain.xyz + + tasks: + - name: Test - Run the system role with bogus vars + include_role: + name: linux-system-roles.ad_integration + + - name: Check SSSD settings + community.general.ini_file: + path: /etc/sssd/sssd.conf + state: "{{ item.state | default('present') }}" + section: sssd + option: "{{ item.key }}" + value: "{{ item.value }}" + create: true + owner: root + group: root + mode: u=rw,g=,o= + loop: "{{ ad_integration_sssd_settings }}" + register: __result + failed_when: __result is changed + + - name: Search /var/log/sssd/sssd.log for [sss_ini_call_validators] + command: >- + grep -i sss_ini_call_validators /var/log/sssd/sssd.log + register: sssd_log + changed_when: false + failed_when: false + + - name: Fail if signature found + fail: + msg: Appears to be an unsupported option in /etc/sssd/sssd.conf + when: sssd_log.stdout | length > 0 + + - name: Test - Re-Build a list of settings with state=absent + set_fact: + update_list: "{{ ad_integration_sssd_settings | + map('combine', {'state': 'absent'}) | list }}" + + - name: Test - Re-run the system role to remove vars + include_role: + name: linux-system-roles.ad_integration + vars: + ad_integration_sssd_settings: "{{ update_list }}" + + - name: Check custom SSSD settings + community.general.ini_file: + path: /etc/sssd/sssd.conf + state: "{{ item.state | default('present') }}" + section: sssd + option: "{{ item.key }}" + value: "{{ item.value }}" + create: true + owner: root + group: root + mode: u=rw,g=,o= + loop: "{{ update_list }}" + register: __result + failed_when: __result is changed 
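Review bot: The play name `Ensure that the role configures dynamic dns` and the task names `Test - Run the system role with bogus vars` and `Check custom SSSD settings` are carried over from another test and do not describe this play, which exercises `ad_integration_sssd_settings`; renaming them to e.g. `Ensure that the role configures sssd settings`, `Test - Run the system role with sssd settings` and `Check SSSD settings are removed` makes a failure readable. The grep of /var/log/sssd/sssd.log for `sss_ini_call_validators` runs with `failed_when: false` while `__ad_integration_test_sssd_config_only: true`, which per the handlers hunk suppresses the sssd restart, so the validator message is presumably never written and the check passes vacuously; worth confirming, or marking it with a comment such as `# only meaningful when sssd is actually restarted`.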
diff --git a/vars/main.yml b/vars/main.yml
index 488a4b6..e7b77cb 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -10,6 +10,7 @@ __ad_integration_packages:
 - realmd
 - PackageKit
 __ad_integration_services: [realmd]
+__ad_integration_services_sssd: [sssd]
 # ansible_facts required by the role
 __ad_integration_required_facts:
 - distribution