internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-26 21:33:05 +00:00
Code Issues Projects Releases Wiki Activity

Add subid option to select the sssd profile with-subid.

Browse Source 
This is an ansible-freeipa update for the freeipa RFE:
https://pagure.io/freeipa/issue/9159
"`ipa-client-install` should provide option to enable `subid: sss`
in `/etc/nsswitch.conf`".

This option allows to configure authselect with the sssd
profile + with-subid feature, in order to have SSSD setup as
a datasource for subid in /etc/nsswitch.conf.

The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files

Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
This commit is contained in:
Denis Karpelevich
2022-11-07 23:07:59 +01:00
parent 87afc56ee6
commit 2b0b7db086
6 changed files with 21 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
roles/ipaclient/README.md
View File

@@ -183,6 +183,7 @@ Variable | Description | Required
`ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. `ipaclient_no_ssh` defaults to `no`. | no
`ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. `ipaclient_no_sshd` defaults to `no`. | no
`ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. `ipaclient_no_sudo` defaults to `no`. | no
`ipaclient_subid` | The bool value defines if SSSD will be configured as a data source for subid. `ipaclient_subid` defaults to `no`. | no
`ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. `ipaclient_no_dns_sshfp` defaults to `no`. | no
`ipaclient_force` | The bool value defines if settings will be forced even in the error case. `ipaclient_force` defaults to `no`. | no
`ipaclient_force_ntpd` | The bool value defines if ntpd usage will be forced. This is not supported anymore and leads to a warning. `ipaclient_force_ntpd` defaults to `no`. | no

1
roles/ipaclient/defaults/main.yml
View File

@@ -13,6 +13,7 @@ ipaclient_ssh_trust_dns: no
ipaclient_no_ssh: no
ipaclient_no_sshd: no
ipaclient_no_sudo: no
ipaclient_subid: no
ipaclient_no_dns_sshfp: no
ipaclient_force: no
ipaclient_force_ntpd: no

28
roles/ipaclient/library/ipaclient_setup_nss.py
View File

@@ -125,6 +125,10 @@ options:
description: Do not configure SSSD as data source for sudo
type: bool
required: no
subid:
description: Configure SSSD as data source for subid
type: bool
required: no
fixed_primary:
description: Configure sssd to use fixed server as primary IPA server
type: bool
@@ -208,6 +212,7 @@ def main():
no_ssh=dict(required=False, type='bool'),
no_sshd=dict(required=False, type='bool'),
no_sudo=dict(required=False, type='bool'),
subid=dict(required=False, type='bool'),
fixed_primary=dict(required=False, type='bool'),
permit=dict(required=False, type='bool'),
no_krb5_offline_passwords=dict(required=False, type='bool'),
@@ -251,6 +256,7 @@ def main():
options.conf_sshd = not options.no_sshd
options.no_sudo = module.params.get('no_sudo')
options.conf_sudo = not options.no_sudo
options.subid = module.params.get('subid')
options.primary = module.params.get('fixed_primary')
options.permit = module.params.get('permit')
options.no_krb5_offline_passwords = module.params.get(
@@ -430,19 +436,17 @@ def main():
# Modify nsswitch/pam stack
# pylint: disable=deprecated-method
argspec = getargspec(tasks.modify_nsswitch_pam_stack)
the_options = {
"sssd": options.sssd,
"mkhomedir": options.mkhomedir,
"statestore": statestore,
}
if "sudo" in argspec.args:
tasks.modify_nsswitch_pam_stack(
sssd=options.sssd,
mkhomedir=options.mkhomedir,
statestore=statestore,
sudo=options.conf_sudo
)
else:
tasks.modify_nsswitch_pam_stack(
sssd=options.sssd,
mkhomedir=options.mkhomedir,
statestore=statestore
)
the_options["sudo"] = options.conf_sudo
if "subid" in argspec.args:
the_options["subid"] = options.subid
tasks.modify_nsswitch_pam_stack(**the_options)
if hasattr(paths, "AUTHSELECT") and paths.AUTHSELECT is not None:
# authselect is used

1
roles/ipaclient/tasks/install.yml
View File

@@ -378,6 +378,7 @@
no_ssh: "{{ ipaclient_no_ssh }}"
no_sshd: "{{ ipaclient_no_sshd }}"
no_sudo: "{{ ipaclient_no_sudo }}"
subid: "{{ ipaclient_subid }}"
fixed_primary: "{{ ipassd_fixed_primary
| default(ipasssd_fixed_primary) }}"
permit: "{{ ipassd_permit | default(ipasssd_permit) }}"

1
roles/ipareplica/README.md
View File

@@ -200,6 +200,7 @@ Variable | Description | Required
`ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. (bool, default: false) | no
`ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. (bool, default: false) | no
`ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. (bool, default: false) | no
`ipaclient_subid` | The bool value defines if SSSD will be configured as a data source for subid. (bool, default: false) | no
`ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. (bool, default: false) | no
Certificate system Variables

1
roles/ipaserver/README.md
View File

@@ -252,6 +252,7 @@ Variable | Description | Required
`ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. `ipaclient_no_ssh` defaults to `no`. | no
`ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. `ipaclient_no_sshd` defaults to `no`. | no
`ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. `ipaclient_no_sudo` defaults to `no`. | no
`ipaclient_subid` | The bool value defines if SSSD will be configured as a data source for subid. `ipaclient_subid` defaults to `no`. | no
`ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. `ipaclient_no_dns_sshfp` defaults to `no`. | no
Certificate system Variables