ipaclient_setup_sssd: Update and cleanup

ipaclient_setup_sssd is now using configure_sssd_conf from ipaclient/install/client.py instead. This simplified the module a lot and also adds more configuratino options for sssd. These are new config options supported by ipaclient_setup_sssd: ipaclient_no_sudo ipassd_fixed_primary ipassd_permit ipassd_enable_dns_updates ipassd_no_krb5_offline_passwords ipassd_preserve_sssd These variables have been added to ipaclient/defaults/main.yml.
2026-06-23 09:14:43 +00:00 · 2019-03-25 13:59:14 +01:00
parent c5ce754850
commit 2983d4e7b3
3 changed files with 83 additions and 174 deletions
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -12,12 +12,18 @@ ipaclient_no_dns_lookup: no
 ipaclient_ssh_trust_dns: no
 ipaclient_no_ssh: no
 ipaclient_no_sshd: no
 ipaclient_no_sudo: no
 #ipaclient_no_dns_sshfp: no
 #ipaclient_force: no
 ipaclient_force_ntpd: no
 ipaclient_no_nisdomain: no
 ipaclient_configure_firefox: no
 ipahost_all_ip_addresses: no
 ipassd_fixed_primary: no
 ipassd_permit: no
 ipassd_enable_dns_updates: no
 ipassd_no_krb5_offline_passwords: no
 ipassd_preserve_sssd: no
 ### packages ###
 ipaclient_install_packages: yes
--- a/roles/ipaclient/library/ipaclient_setup_sssd.py
+++ b/roles/ipaclient/library/ipaclient_setup_sssd.py
@@ -30,10 +30,10 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = '''
 ---
-module: ipaclient_setup_sssd
+module: ipaclient_setup_ssd
-short description: Configure sssd for IPA client
+short description: Setup sssd for IPA client
 description:
-  Configure sssd for IPA client
+  Setup sssd for IPA client
 options:
  servers:
    description: The FQDN of the IPA servers to connect to.
@@ -48,27 +48,33 @@ options:
  hostname:
    description: The hostname of the machine to join (FQDN).
    required: true
  services:
    description: The services that should be enabled in the ssd configuration.
    required: true
    type: list
  krb5_offline_passwords:
    description: Whether user passwords are stored when the server is offline.
    required: false
    type: bool
    default: no
  on_master:
    description: Whether the configuration is done on the master or not.
    required: false
    type: bool
    default: no
-  primary:
+  no_ssh:
-    description: Whether to use fixed server as primary IPA server.
+    description: Do not configure OpenSSH client
    required: false
    type: bool
    default: no
-  preserve_sssd:
+  no_sshd:
-    description: Preserve old SSSD configuration if possible.
+    description: Do not configure OpenSSH server
    required: false
    type: bool
    default: no
  no_sudo:
    description: Do not configure SSSD as data source for sudo
    required: false
    type: bool
    default: no
  all_ip_addresses:
    description: All routable IP addresses configured on any interface will be added to DNS.
    required: false
    type: bool
    default: no
  fixed_primary:
    description: Whether to use fixed server as primary IPA server.
    required: false
    type: bool
    default: no
@@ -77,13 +83,18 @@ options:
    required: false
    type: bool
    default: no
-  dns_updates:
+  enable_dns_updates:
    description: Configures the machine to attempt dns updates when the ip address changes.
    required: false
    type: bool
    default: no
-  all_ip_addresses:
+  preserve_sssd:
-    description: All routable IP addresses configured on any interface will be added to DNS.
+    description: Preserve old SSSD configuration if possible.
    required: false
    type: bool
    default: no
  no_krb5_offline_passwords:
    description: Whether user passwords are stored when the server is offline.
    required: false
    type: bool
    default: no
@@ -98,32 +109,15 @@ EXAMPLES = '''
    domain: example.com
    realm: EXAMPLE.COM
    hostname: client1.example.com
-    services: ["ssh", "sudo"]
+    no_krb5_offline_passwords: yes
    cache_credentials: yes
    krb5_offline_passwords: yes
 '''
 RETURN = '''
 '''
 import os
 import sys
 import tempfile
 import SSSDConfig
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_client import *
 def sssd_enable_service(module, sssdconfig, service):
    try:
        sssdconfig.new_service(service)
    except SSSDConfig.ServiceAlreadyExists:
        pass
    except SSSDConfig.ServiceNotRecognizedError:
        module.fail_json(
            msg="Unable to activate the %s service in SSSD config." % service)
    sssdconfig.activate_service(service)
 def main():
    module = AnsibleModule(
        argument_spec = dict(
@@ -131,149 +125,54 @@ def main():
            domain=dict(required=True),
            realm=dict(required=True),
            hostname=dict(required=True),
            services=dict(required=True, type='list'),
            krb5_offline_passwords=dict(required=False, type='bool'),
            on_master=dict(required=False, type='bool'),
-            primary=dict(required=False, type='bool'),
+            no_ssh=dict(required=False, type='bool'),
-            preserve_sssd=dict(required=False, type='bool'),
+            no_sshd=dict(required=False, type='bool'),
-            permit=dict(required=False, type='bool'),
+            no_sudo=dict(required=False, type='bool'),
            dns_updates=dict(required=False, type='bool'),
            all_ip_addresses=dict(required=False, type='bool'),
            fixed_primary=dict(required=False, type='bool'),
            permit=dict(required=False, type='bool'),
            enable_dns_updates=dict(required=False, type='bool'),
            preserve_sssd=dict(required=False, type='bool'),
            no_krb5_offline_passwords=dict(required=False, type='bool'),
        ),
        supports_check_mode = True,
    )
    #ansible_log = AnsibleModuleLog(module, logger)
    #options.set_logger(ansible_log)
    module._ansible_debug = True
-    cli_servers = module.params.get('servers')
+    cli_server = module.params.get('servers')
    cli_domain = module.params.get('domain')
    cli_realm = module.params.get('realm')
-    client_hostname = module.params.get('hostname')
+    hostname = module.params.get('hostname')
-    services = module.params.get('services')
+    options.on_master = module.params.get('on_master')
-    krb5_offline_passwords = module.params.get('krb5_offline_passwords')
+
-    on_master = module.params.get('on_master')
+    options.no_ssh = module.params.get('no_ssh')
-    primary = module.params.get('primary')
+    options.conf_ssh = not options.no_ssh
-    preserve_sssd = module.params.get('preserve_sssd')
+    options.no_sshd = module.params.get('no_sshd')
-    permit = module.params.get('permit')
+    options.conf_sshd = not options.no_sshd
-    dns_updates = module.params.get('dns_updates')
+    options.no_sudo = module.params.get('no_sudo')
-    all_ip_addresses = module.params.get('all_ip_addresses')
+    options.conf_sudo = not options.no_sudo
    options.all_ip_addresses = module.params.get('all_ip_addresses')
    options.primary = module.params.get('fixed_primary')
    options.permit = module.params.get('permit')
    options.dns_updates = module.params.get('enable_dns_updates')
    options.preserve_sssd = module.params.get('preserve_sssd')
    options.no_krb5_offline_passwords = module.params.get(
        'krb5_offline_passwords')
    options.krb5_offline_passwords = not options.no_krb5_offline_passwords
    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
-    client_domain = client_hostname[client_hostname.find(".")+1:]
+    client_domain = hostname[hostname.find(".")+1:]
-    try:
+    if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
-        sssdconfig = SSSDConfig.SSSDConfig()
+                           options, client_domain, hostname):
-        sssdconfig.import_config()
+        module.fail_json("configure_sssd_conf failed")
-    except Exception as e:
+    logger.info("Configured /etc/sssd/sssd.conf")
        if os.path.exists(paths.SSSD_CONF) and preserve_sssd:
            # SSSD config is in place but we are unable to read it
            # In addition, we are instructed to preserve it
            # This all means we can't use it and have to bail out
            module.fail_json(
                msg="SSSD config exists but cannot be parsed: %s" % str(e))
        # SSSD configuration does not exist or we are not asked to preserve it,
        # create new one
        # We do make new SSSDConfig instance because IPAChangeConf-derived
        # classes have no means to reset their state and ParseError exception
        # could come due to parsing error from older version which cannot be
        # upgraded anymore, leaving sssdconfig instance practically unusable
        # Note that we already backed up sssd.conf before going into this
        # routine
        if isinstance(e, IOError):
            pass
        else:
            # It was not IOError so it must have been parsing error
            module.fail_json(msg="Unable to parse existing SSSD config.")
        module.log("New SSSD config will be created")
        sssdconfig = SSSDConfig.SSSDConfig()
        sssdconfig.new_config()
    try:
        domain = sssdconfig.new_domain(cli_domain)
    except SSSDConfig.DomainAlreadyExistsError:
        module.log("Domain %s is already configured in existing SSSD "
                   "config, creating a new one." % cli_domain)
        sssdconfig = SSSDConfig.SSSDConfig()
        sssdconfig.new_config()
        domain = sssdconfig.new_domain(cli_domain)
    if on_master:
        sssd_enable_service(module, sssdconfig, 'ifp')
    if (("ssh" in services and os.path.isfile(paths.SSH_CONFIG)) or
        ("sshd" in services and os.path.isfile(paths.SSHD_CONFIG))):
        sssd_enable_service(module, sssdconfig, 'ssh')
    if "sudo" in services:
        sssd_enable_service(module, sssdconfig, 'sudo')
        configure_nsswitch_database(fstore, 'sudoers', ['sss'],
                                    default_value=['files'])
    domain.add_provider('ipa', 'id')
    # add discovery domain if client domain different from server domain
    # do not set this config in server mode (#3947)
    if not on_master and cli_domain != client_domain:
        domain.set_option('dns_discovery_domain', cli_domain)
    if not on_master:
        if primary:
            domain.set_option('ipa_server', ', '.join(cli_servers))
        else:
            domain.set_option('ipa_server',
                              '_srv_, %s' % ', '.join(cli_servers))
    else:
        domain.set_option('ipa_server_mode', 'True')
        # the master should only use itself for Kerberos
        domain.set_option('ipa_server', cli_servers[0])
        # increase memcache timeout to 10 minutes when in server mode
        try:
            nss_service = sssdconfig.get_service('nss')
        except SSSDConfig.NoServiceError:
            nss_service = sssdconfig.new_service('nss')
        nss_service.set_option('memcache_timeout', 600)
        sssdconfig.save_service(nss_service)
    domain.set_option('ipa_domain', cli_domain)
    domain.set_option('ipa_hostname', client_hostname)
    if cli_domain.lower() != cli_realm.lower():
        domain.set_option('krb5_realm', cli_realm)
    # Might need this if /bin/hostname doesn't return a FQDN
    # domain.set_option('ipa_hostname', 'client.example.com')
    domain.add_provider('ipa', 'auth')
    domain.add_provider('ipa', 'chpass')
    if not permit:
        domain.add_provider('ipa', 'access')
    else:
        domain.add_provider('permit', 'access')
    domain.set_option('cache_credentials', True)
    # SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
    # Note that SSSD will force StartTLS because the channel is later used for
    # authentication as well if password migration is enabled. Thus set
    # the option unconditionally.
    domain.set_option('ldap_tls_cacert', paths.IPA_CA_CRT)
    if dns_updates:
        domain.set_option('dyndns_update', True)
        if all_ip_addresses:
            domain.set_option('dyndns_iface', '*')
        else:
            iface = get_server_connection_interface(cli_servers[0])
            domain.set_option('dyndns_iface', iface)
    if krb5_offline_passwords:
        domain.set_option('krb5_store_password_if_offline', True)
    domain.set_active(True)
    sssdconfig.save_domain(domain)
    sssdconfig.write(paths.SSSD_CONF)
    module.exit_json(changed=True)
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -216,13 +216,17 @@
      domain: "{{ result_ipaclient_test.domain }}"
      realm: "{{ result_ipaclient_test.realm }}"
      hostname: "{{ result_ipaclient_test.hostname }}"
      services: ["ssh", "sudo"]
      krb5_offline_passwords: yes
      on_master: "{{ ipaclient_on_master }}"
-      #primary: no
+      no_ssh: "{{ ipaclient_no_ssh }}"
-      #permit: no
+      no_sshd: "{{ ipaclient_no_sshd }}"
-      #dns_updates: no
+      no_sudo: "{{ ipaclient_no_sudo }}"
-      #all_ip_addresses: no
+      all_ip_addresses: "{{ ipahost_all_ip_addresses }}"
      fixed_primary: "{{ ipassd_fixed_primary }}"
      permit: "{{ ipassd_permit }}"
      enable_dns_updates: "{{ ipassd_enable_dns_updates }}"
      preserve_sssd: "{{ ipassd_preserve_sssd }}"
      no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}"
  - name: Install - Configure krb5 for IPA realm "{{ result_ipaclient_test.realm }} <= 4.4"
    include_role: