internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-26 21:33:05 +00:00
Code Issues Projects Releases Wiki Activity
Files
91c4b83311a5ddde2d7a7396574d6bc54be81a44
ansible-freeipa/roles/ipasmartcard_client/tasks/main.yml
Rafael Guterres Jeffman 91c4b83311 Configure yamllint to be compatible with ansible-lint 
Current version of ansible-list pre-commit hook required changes in the
ansible-freeipa yamllint configuration and these changes triggered
issues in the current playbooks on roles and tests.

This patch adds the required changes to yaml lint configuration and
fixes the affected playbooks.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-01-31 11:32:59 -03:00

177 lines
5.9 KiB
YAML
Raw Blame History

---
# tasks file for ipasmartcard_client role
- name: Uninstall smartcard client
ansible.builtin.fail:
msg: "Uninstalling smartcard for IPA is not supported"
when: state|default('present') == 'absent'
- name: Import variables specific to distribution
ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- "vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}.yml"
- "vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
- "vars/{{ ansible_facts['distribution'] }}.yml"
# os_family is used as a fallback for distros which are not currently
# supported, but are based on a supported distro family. For example,
# Oracle, Rocky, Alma and Alibaba linux, which are all "RedHat" based.
- "vars/{{ ansible_facts['os_family'] }}-{{ ansible_facts['distribution_version'] }}.yml"
- "vars/{{ ansible_facts['os_family'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
- "vars/{{ ansible_facts['os_family'] }}.yml"
# If neither distro nor family is supported, try a default configuration.
- "vars/default.yml"
- name: Client configuration
block:
# CA CERTS
# Use "ipasmartcard_server_ca_certs"
- name: Use "ipasmartcard_server_ca_certs"
ansible.builtin.set_fact:
ipasmartcard_client_ca_certs: "{{ ipasmartcard_server_ca_certs }}"
when: ipasmartcard_client_ca_certs is not defined and
ipasmartcard_server_ca_certs is defined
# Fail on empty "ipasmartcard_client_ca_certs"
- name: Fail on empty "ipasmartcard_client_ca_certs"
ansible.builtin.fail:
msg: "No CA certs given in 'ipasmartcard_client_ca_certs'"
when: ipasmartcard_client_ca_certs is not defined or
ipasmartcard_client_ca_certs | length < 1
# Validate ipasmartcard_client_ca_certs
- name: Validate CA certs "{{ ipasmartcard_client_ca_certs }}"
ipasmartcard_client_validate_ca_certs:
ca_cert_files: "{{ ipasmartcard_client_ca_certs }}"
register: result_validate_ca_certs
# INSTALL needed packages: opensc, dconf and krb5-pkinit-openssl
- name: Ensure needed packages are installed
ansible.builtin.package:
name: "{{ ipasmartcard_client_packages }}"
state: present
# REMOVE pam_pkcs11
- name: Ensure pam_pkcs11 is missing
ansible.builtin.package:
name: "{{ ipasmartcard_client_remove_pam_pkcs11_packages }}"
state: absent
# KINIT
- name: Set default principal if not given
ansible.builtin.set_fact:
ipaadmin_principal: admin
when: ipaadmin_principal is undefined
- name: Authenticate using kinit with password for "{{ ipaadmin_principal }}"
ansible.builtin.command: kinit "{{ ipaadmin_principal }}"
args:
stdin: "{{ ipaadmin_password }}"
when: ipaadmin_password is defined
- name: Authenticate using kinit with keytab for "{{ ipaadmin_principal }}"
ansible.builtin.command: kinit -kt "{{ ipaadmin_keytab }}" "{{ ipaadmin_principal }}"
when: ipaadmin_keytab is defined
# Enable and start smartcard daemon
- name: Enable and start smartcard daemon
ansible.builtin.service:
name: pcscd
enabled: true
state: started
# GET VARS FROM IPA
- name: Get VARS from IPA
ipasmartcard_client_get_vars:
register: ipasmartcard_client_vars
# Add pkcs11 module to systemwide db
- name: Add pkcs11 module to systemwide db
ansible.builtin.script: ipasmartcard_client_add_pkcs11_module_to_systemwide_db.sh
"{{ ipasmartcard_client_vars.NSS_DB_DIR }}"
# Ensure /etc/sssd/pki exists
- name: Prepare for authselect
when: ipasmartcard_client_vars.USE_AUTHSELECT
block:
- name: Ensure /etc/sssd/pki exists
ansible.builtin.file:
path: /etc/sssd/pki
state: directory
mode: "0711"
- name: Ensure /etc/sssd/pki/sssd_auth_ca_db.pem is absent
ansible.builtin.file:
path: /etc/sssd/pki/sssd_auth_ca_db.pem
state: absent
# Upload smartcard CA certificates to systemwide db
- name: Upload smartcard CA certificates to systemwide db
ansible.builtin.script: ipasmartcard_client_add_ca_to_systemwide_db.sh
"{{ item }}"
"{{ ipasmartcard_client_vars.NSS_DB_DIR }}"
with_items: "{{ result_validate_ca_certs.ca_cert_files }}"
# Newer version of sssd use OpenSSL and read the CA certs
# from /etc/sssd/pki/sssd_auth_ca_db.pem
- name: Add CA certs to /etc/sssd/pki/sssd_auth_ca_db.pem
ansible.builtin.script: ipasmartcard_client_add_ca_to_sssd_auth_ca_db.sh
"{{ item }}"
/etc/sssd/pki/sssd_auth_ca_db.pem
with_items: "{{ result_validate_ca_certs.ca_cert_files }}"
when: ipasmartcard_client_vars.USE_AUTHSELECT
# Update ipa CA certificate store
- name: Update ipa CA certificate store
ansible.builtin.command: ipa-certupdate
# Run authselect or authconfig to configure smartcard auth
- name: Use authselect to enable Smart Card authentication
ansible.builtin.command: authselect enable-feature with-smartcard
when: ipasmartcard_client_vars.USE_AUTHSELECT
- name: Use authconfig to enable Smart Card authentication
ansible.builtin.command: authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall
when: not ipasmartcard_client_vars.USE_AUTHSELECT
# Set pam_cert_auth=True in /etc/sssd/sssd.conf
- name: Store NSS OCSP upgrade state
ansible.builtin.command: "{{ ipasmartcard_client_vars.python_interpreter }}"
args:
stdin: |
from SSSDConfig import SSSDConfig
c = SSSDConfig()
c.import_config()
c.set("pam", "pam_cert_auth", "True")
c.write()
when: ipasmartcard_client_vars.USE_AUTHSELECT
# Restart sssd
- name: Restart sssd
ansible.builtin.service:
name: sssd
state: restarted
### ALWAYS ###
always:
- name: Destroy Kerberos tickets
ansible.builtin.command: kdestroy -A
Reference in New Issue View Git Blame Copy Permalink