From b3a0d725611897e2aa1577cc64c58572703f9d21 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 Mar 2019 17:07:13 +0100
Subject: [PATCH 1/5] Create /etc/sssd/sssd/conf with correct permissions
Only the owner of the file should be able to access it.
---
.../sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 2 ++
.../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 2 ++
.../services/sssd/sssd_enable_smartcards/ansible/shared.yml | 1 +
.../services/sssd/sssd_memcache_timeout/ansible/shared.yml | 1 +
.../sssd/sssd_offline_cred_expiration/ansible/shared.yml | 1 +
.../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 1 +
6 files changed, 8 insertions(+)
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
index ecea440bf..171a3d1ac 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
@@ -18,6 +18,7 @@
path: /etc/sssd/sssd.conf
create: yes
line: "[domain/default]\nldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}\n"
+ mode: 0600
when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
tags:
@ANSIBLE_TAGS@
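Review bot: `mode: 0600` is an unquoted leading-zero scalar; YAML 1.1 loaders read it as the integer 384, which Ansible's mode handling accepts, but the same token silently becomes decimal 600 if the leading zero is ever dropped or the file is read by a YAML 1.2 tool, so the safer spelling is `mode: '0600'`. The same applies to every other `mode: 0600` line this patch adds (the second hunk of this file and the sssd_ldap_start_tls, sssd_enable_smartcards, sssd_memcache_timeout, sssd_offline_cred_expiration and sssd_ssh_known_hosts_timeout hunks). Only the mode is set, no `owner`/`group`, so a file created through `create: yes` belongs to whichever account runs the play; as far as I recall sssd also validates the ownership of its config at startup, so a short comment above `mode:` naming the expected owner would help the next reader.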
@@ -28,6 +29,7 @@
regexp: '^\s*ldap_tls_cacertdir'
insertafter: '\s*\[domain\/[^]]*]'
line: 'ldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}'
+ mode: 0600
tags:
@ANSIBLE_TAGS@
@ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 8941c953a..86915ae7d 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -26,6 +26,7 @@
lineinfile:
path: /etc/sssd/sssd.conf
line: "[domain/default]\nldap_id_use_start_tls = True\n"
+ mode: 0600
when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
tags:
@ANSIBLE_TAGS@
@@ -36,6 +37,7 @@
regexp: '^\s*ldap_id_use_start_tls'
insertafter: '\s*\[domain\/[^]]*]'
line: 'ldap_id_use_start_tls = True'
+ mode: 0600
tags:
@ANSIBLE_TAGS@
@ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
index a42f8ec20..b4ec2b6a1 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
@@ -10,6 +10,7 @@
option: pam_cert_auth
value: true
create: yes
+ mode: 0600
tags:
@ANSIBLE_TAGS@
@ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index 88abc9346..29d8bced6 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -12,6 +12,7 @@
option: memcache_timeout
value: "{{ var_sssd_memcache_timeout }}"
create: yes
+ mode: 0600
tags:
@ANSIBLE_TAGS@
@ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
index 01d8a94c2..e999417c6 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -10,6 +10,7 @@
option: offline_credentials_expiration
value: 1
create: yes
+ mode: 0600
tags:
@ANSIBLE_TAGS@
@ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index 6f9673f75..f4d4d11da 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -10,6 +10,7 @@
option: ssh_known_hosts_timeout
value: 86400
create: yes
+ mode: 0600
tags:
@ANSIBLE_TAGS@
@ANSIBLE_ENSURE_PLATFORM@
--
2.20.1
From be5a09c6dc83f16654022a0c006b210020a5ba7c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 Mar 2019 17:12:39 +0100
Subject: [PATCH 2/5] Use ini_file to deal with sssd config file
Much simpler than the lineinfile module.
---
.../sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 11 ++++++-----
.../sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 11 ++++++-----
2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
index 171a3d1ac..1689e2b43 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
@@ -24,13 +24,14 @@
@ANSIBLE_TAGS@
- name: "Configure LDAPs path to CA directory"
- lineinfile:
+ ini_file:
path: /etc/sssd/sssd.conf
- regexp: '^\s*ldap_tls_cacertdir'
- insertafter: '\s*\[domain\/[^]]*]'
- line: 'ldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}'
+ section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
+ option: ldap_tls_cacertdir
+ value: "{{ var_sssd_ldap_tls_ca_dir }}"
+ create: yes
mode: 0600
+ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
tags:
@ANSIBLE_TAGS@
- @ANSIBLE_ENSURE_PLATFORM@
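Review bot: The added `when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@` contradicts the new `section:` expression on the same task: the section name is extracted from `test_grep_domain.stdout`, so on the only path where the task runs the section renders to an empty string, and when a `[domain/...]` group does exist the task is skipped. The preceding "Add default domain group" task already covers the no-domain case, so this looks like it should read `when: test_grep_domain.stdout != "" and @ANSIBLE_PLATFORM_CONDITION@`. Independently, if sssd.conf holds more than one domain group the grep output is multi-line and `regex_replace` yields a newline-joined name; looping over `test_grep_domain.stdout_lines` (or taking its first entry) would be more robust. The same `when` is added in the sssd_ldap_start_tls hunk of this patch, and the same `section:` expression survives into PATCH 5/5.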
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 86915ae7d..dbf546013 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -32,12 +32,13 @@
@ANSIBLE_TAGS@
- name: "Configure LDAP to use STARTTLS"
- lineinfile:
+ ini_file:
path: /etc/sssd/sssd.conf
- regexp: '^\s*ldap_id_use_start_tls'
- insertafter: '\s*\[domain\/[^]]*]'
- line: 'ldap_id_use_start_tls = True'
+ section: "{{ test_grep_domain.stdout | regex_replace('[(.*)]','\\1') }}"
+ option: ldap_id_use_start_tls
+ value: true
+ create: yes
mode: 0600
+ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
tags:
@ANSIBLE_TAGS@
- @ANSIBLE_ENSURE_PLATFORM@
--
2.20.1
From 857818d224c97e9cda954b76126b2cd8055901fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 Mar 2019 17:13:30 +0100
Subject: [PATCH 3/5] Use variable for ssh timeout
---
.../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index f4d4d11da..8f3d0029c 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -3,12 +3,14 @@
# strategy = unknown
# complexity = low
# disruption = medium
+- (xccdf-var sshd_idle_timeout_value)
+
- name: "Configure SSSD to Expire SSH Known Hosts"
ini_file:
dest: /etc/sssd/sssd.conf
section: ssh
option: ssh_known_hosts_timeout
- value: 86400
+ value: "{{ sshd_idle_timeout_value }}"
create: yes
mode: 0600
tags:
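Review bot: `value: "{{ sshd_idle_timeout_value }}"` binds ssh_known_hosts_timeout to a variable whose name denotes the sshd idle-session control, replacing the fixed 86400; the two settings are unrelated (one drops idle SSH sessions, the other expires SSSD's cached host keys), so hardening a profile's idle timeout now silently shortens how long SSSD trusts known hosts. A variable of its own, declared the same way with `- (xccdf-var …)` (a name such as `var_sssd_ssh_known_hosts_timeout` would follow the `var_sssd_memcache_timeout` pattern already used in this series), keeps the two controls independent. If reusing the sshd variable is intentional, a comment above the `(xccdf-var sshd_idle_timeout_value)` line should state why.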
--
2.20.1
From 4192b0982084c057b594acc508a5e3dc66549d60 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 Mar 2019 17:23:30 +0100
Subject: [PATCH 4/5] Add minimal functional default/domain
Add the domain and its required keys with default values so that the sssd service can
start
---
.../ansible/shared.yml | 10 ++++++++--
.../sssd_ldap_start_tls/ansible/shared.yml | 12 ++++++++++--
.../sssd_enable_smartcards/ansible/shared.yml | 18 ++++++++++++++++++
.../sssd_memcache_timeout/ansible/shared.yml | 19 +++++++++++++++++++
.../ansible/shared.yml | 19 +++++++++++++++++++
.../ansible/shared.yml | 19 +++++++++++++++++++
6 files changed, 93 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
index 1689e2b43..fe1a9ac07 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
@@ -14,11 +14,17 @@
@ANSIBLE_ENSURE_PLATFORM@
- name: "Add default domain group and set CA directory (if no domain there)"
- lineinfile:
+ ini_file:
path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
create: yes
- line: "[domain/default]\nldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}\n"
mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ - { section: domain/default, option: ldap_tls_cacertdir, value: "{{ var_sssd_ldap_tls_ca_dir }}" }
when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
tags:
@ANSIBLE_TAGS@
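Review bot: The `with_items:` loop writes `ldap_tls_cacertdir` into a `domain/default` group whose `id_provider` is `files`; as far as I know SSSD's ldap_* options are consumed by the ldap/AD/IPA providers only, so in the generated domain the CA directory setting appears to be inert until an administrator switches the provider, while the task still reports changed. A comment above `with_items:` stating that intent, e.g. `# files provider only lets sssd start; ldap_tls_cacertdir takes effect once id_provider is switched to ldap`, would make the limitation explicit for whoever reads the rendered playbook. Minor style: `value: default}` lacks the closing space the sibling entries use. The same pattern is introduced in the sssd_ldap_start_tls hunk of this patch.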
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index dbf546013..9ebc53e0f 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -23,10 +23,18 @@
@ANSIBLE_ENSURE_PLATFORM@
- name: "Add default domain group and use STARTTLS (if no domain there)"
- lineinfile:
+ ini_file:
path: /etc/sssd/sssd.conf
- line: "[domain/default]\nldap_id_use_start_tls = True\n"
+ section: domain/default
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ - { section: domain/default, option: ldap_id_use_start_tls, value: true}
when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
tags:
@ANSIBLE_TAGS@
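Review bot: The `ini_file:` mapping in this hunk ends up with two `section` keys, the added `section: domain/default` immediately followed by `section: "{{ item.section }}"`; Ansible's YAML loader keeps only the last definition (emitting a duplicate-key warning by default), so the first line is dead and should be dropped. Removing it also brings this task in line with the sssd_ldap_configure_tls_ca_dir hunk of the same patch, which does not carry the stray line. Minor style, as there: `value: default}` and `value: true}` lack the closing space used by the middle entry.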
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
index b4ec2b6a1..f6dbdf429 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
@@ -3,6 +3,24 @@
# strategy = configure
# complexity = low
# disruption = medium
+- name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ ignore_errors: yes
+ changed_when: False
+
+- name: "Add default domain group (if no domain there)"
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ when: test_grep_domain.stdout == ""
- name: "Enable Smartcards in SSSD"
ini_file:
dest: /etc/sssd/sssd.conf
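Review bot: The new "Test for domain group" task runs a plain `grep` through `shell:` although no shell feature is used, and hides its exit status with `ignore_errors: yes`, which still marks the task as failed on every host that has no domain group, i.e. the very case this patch is bootstrapping; `command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf` together with `failed_when: false` and `changed_when: false` yields the same `stdout` without a shell and without a spurious failure. Neither new task carries `tags:`, unlike the existing tasks in these files, so if the rendered playbook is run with tag filtering the domain bootstrap would be skipped while the rule's own ini_file task still applies. In this file there is also no blank line between the loop task's `when:` and `- name: "Enable Smartcards in SSSD"`, which the other three files do add. The same points apply to the sssd_memcache_timeout, sssd_offline_cred_expiration and sssd_ssh_known_hosts_timeout hunks of this patch.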
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index 29d8bced6..3cf2af44e 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -5,6 +5,25 @@
# disruption = medium
- (xccdf-var var_sssd_memcache_timeout)
+- name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ ignore_errors: yes
+ changed_when: False
+
+- name: "Add default domain group (if no domain there)"
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ when: test_grep_domain.stdout == ""
+
- name: "Configure SSSD's Memory Cache to Expire"
ini_file:
dest: /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
index e999417c6..f2cddfd2a 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -3,6 +3,25 @@
# strategy = configure
# complexity = low
# disruption = medium
+- name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ ignore_errors: yes
+ changed_when: False
+
+- name: "Add default domain group (if no domain there)"
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ when: test_grep_domain.stdout == ""
+
- name: "Configure SSD to Expire Offline Credentials"
ini_file:
dest: /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index 8f3d0029c..61bd79856 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -5,6 +5,25 @@
# disruption = medium
- (xccdf-var sshd_idle_timeout_value)
+- name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ ignore_errors: yes
+ changed_when: False
+
+- name: "Add default domain group (if no domain there)"
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ when: test_grep_domain.stdout == ""
+
- name: "Configure SSSD to Expire SSH Known Hosts"
ini_file:
dest: /etc/sssd/sssd.conf
--
2.20.1
From 48a230730a07d8a496c5cfe050934f24e031818a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 Mar 2019 11:42:39 +0100
Subject: [PATCH 5/5] Escape square brackes in regex_replace
---
.../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 9ebc53e0f..d0ecf8590 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -42,7 +42,7 @@
- name: "Configure LDAP to use STARTTLS"
ini_file:
path: /etc/sssd/sssd.conf
- section: "{{ test_grep_domain.stdout | regex_replace('[(.*)]','\\1') }}"
+ section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
option: ldap_id_use_start_tls
value: true
create: yes
--
2.20.1