Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add SSSD parameters support #76

Merged
merged 8 commits into from
Jan 10, 2024
Merged

feat: Add SSSD parameters support #76

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
2e6426c
feat: Add SSSD parameters support
seb2020 Jan 2, 2024
02bedbc
ci: fix ansible-lint 2.16 and ansible-test 2.16 issues
richm Dec 15, 2023
a8b5479
feat: Add SSSD parameters support
seb2020 Jan 8, 2024
ba91674
feat: Add SSSD parameters support
seb2020 Jan 2, 2024
4ee989b
feat: Add SSSD parameters support
seb2020 Jan 8, 2024
9fe6d3e
Merge branch 'add_sssd_standard_options' of https://github.com/seb202…
seb2020 Jan 9, 2024
63cf417
feat: Add SSSD parameters support
seb2020 Jan 9, 2024
745dd91
remove space and correct variable
seb2020 Jan 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -204,6 +204,18 @@ Useful if some specific configuration like --user-principal=host/name@REALM or -
See man realm for details.
Example: ad_integration_join_parameters: "--user-principal host/[email protected]"

#### ad_integration_sssd_settings

A list of setting to be included into the `[sssd]` section
of the sssd.conf file. See sssd.conf man pages for details.
Example:

```yaml
ad_integration_sssd_settings:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be defined in defaults/main.yml like this:

# A list of custom setting to be included into the [sssd] section
# of the sssd.conf file. The list will be composed of two entry:
# - key: "configuration_name"
#   value: "configuration_value"
ad_integration_sssd_settings: []

That should solve the test failures related to "undefined variable"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have updated the commit

- key: "configuration_name"
value: "configuration_value"
```

#### ad_integration_sssd_custom_settings

A list of custom setting to be included into the `[domain/$REALM]` section
Expand Down
14 changes: 14 additions & 0 deletions tasks/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,6 +197,20 @@
changed_when: not __realm_join_output.stderr is
search("Already joined to this domain")

- name: Configure SSSD settings
community.general.ini_file:
path: /etc/sssd/sssd.conf
state: "{{ item.state | default('present') }}"
section: "sssd"
option: "{{ item.key }}"
value: "{{ item.value }}"
create: true
owner: root
group: root
mode: u=rw,g=,o=
loop: "{{ ad_integration_sssd_settings }}"
notify: Handler for ad_integration to restart services
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we're going to need two separate handlers - one for realmd and one for sssd - it looks like there are cases where changes are made to config files that need realmd to be restarted but not sssd, and vice versa. Also, are there cases where a change to sssd.conf will require a restart of both realmd and sssd?

Yes, we could just restart both services every time anything changes, but I would strongly prefer not to restart services unnecessarily.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,
I can be better to do two handlers. I can look if you want. Should I do this in the same PR as this one ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, I can be better to do two handlers. I can look if you want. Should I do this in the same PR as this one ?

Yes, please

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,
I have updated the PR. I have try to squash to have only 1 commit but I didn't make it.


Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do any of these sssd settings need to be set, and sssd restarted, before trying to join to the AD domain? The task name: Run realm join command? Do any of these sssd settings also require realmd to be restarted, or otherwise notified (e.g. like a SIGHUP)? @jakub-vavra-cz @justin-stephenson wdyt?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do any of these sssd settings need to be set, and sssd restarted, before trying to join to the AD domain?

No, SSSD only gets involved after the system is joined to the domain. realm join creates a sssd.conf, so SSSD config changes should be made only after the realm join is performed or they will likely be overwritten.

realmd restart is not needed, SSSD restart is enough.

- name: Configure dynamic DNS updates
community.general.ini_file:
path: /etc/sssd/sssd.conf
Expand Down
72 changes: 72 additions & 0 deletions tests/tests_sssd_settings.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
# SPDX-License-Identifier: MIT
---

- name: Ensure that the role configures dynamic dns
hosts: all,!ad
gather_facts: false # test that role works in this case
vars:
ad_integration_realm: sample-realm.com
__ad_integration_test_sssd_config_only: true
ad_integration_sssd_settings:
- key: reconnection_retries
seb2020 marked this conversation as resolved.
Show resolved Hide resolved
value: 5
- key: default_domain_suffix
value: addomain.xyz

tasks:
- name: Test - Run the system role with bogus vars
include_role:
name: linux-system-roles.ad_integration

- name: Check SSSD settings
community.general.ini_file:
path: /etc/sssd/sssd.conf
state: "{{ item.state | default('present') }}"
section: sssd
option: "{{ item.key }}"
value: "{{ item.value }}"
create: true
owner: root
group: root
mode: u=rw,g=,o=
loop: "{{ ad_integration_sssd_settings }}"
register: __result
failed_when: __result is changed

- name: Search /var/log/sssd/sssd.log for [sss_ini_call_validators]
command: >-
grep -i sss_ini_call_validators /var/log/sssd/sssd.log
register: sssd_log
changed_when: false
failed_when: false

- name: Fail if signature found
fail:
msg: Appears to be an unsupported option in /etc/sssd/sssd.conf
when: sssd_log.stdout | length > 0

- name: Test - Re-Build a list of settings with state=absent
set_fact:
update_list: "{{ ad_integration_sssd_settings |
map('combine', {'state': 'absent'}) | list }}"

- name: Test - Re-run the system role to remove vars
include_role:
name: linux-system-roles.ad_integration
vars:
ad_integration_sssd_custom_settings: "{{ update_list }}"
seb2020 marked this conversation as resolved.
Show resolved Hide resolved

- name: Check custom SSSD settings
community.general.ini_file:
path: /etc/sssd/sssd.conf
state: "{{ item.state | default('present') }}"
section: sssd
option: "{{ item.key }}"
value: "{{ item.value }}"
create: true
owner: root
group: root
mode: u=rw,g=,o=
loop: "{{ update_list }}"
register: __result
failed_when: __result is changed