From b3a0d725611897e2aa1577cc64c58572703f9d21 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 Mar 2019 17:07:13 +0100
Subject: [PATCH 1/5] Create /etc/sssd/sssd/conf with correct permissions
Only the owner of the file should be able to access it.
---
.../sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 2 ++
.../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 2 ++
.../services/sssd/sssd_enable_smartcards/ansible/shared.yml | 1 +
.../services/sssd/sssd_memcache_timeout/ansible/shared.yml | 1 +
.../sssd/sssd_offline_cred_expiration/ansible/shared.yml | 1 +
.../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 1 +
6 files changed, 8 insertions(+)
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
index ecea440bf..171a3d1ac 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
@@ -18,6 +18,7 @@
path: /etc/sssd/sssd.conf
create: yes
line: "[domain/default]\nldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}\n"
+ mode: 0600
when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
tags:
@ANSIBLE_TAGS@
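Review bot: The added `mode: 0600` is an unquoted plain scalar, so the YAML 1.1 parser Ansible uses turns it into the integer 384 before the module sees it; Ansible accepts a leading-zero integer for `mode`, but `mode: "0600"` keeps the value a string, survives reformatting tools and is the form yamllint's octal-values check expects. The same unquoted form is added in the second hunk of this file and in the other five files of this patch. The task also pins the mode but not `owner`/`group`; with `create: yes` the new file takes the identity the play runs as, so stating the expected owner next to `mode` would make the permission set complete — which identity sssd expects for its config is not visible here, so confirm before adding it.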
@@ -28,6 +29,7 @@
regexp: '^\s*ldap_tls_cacertdir'
insertafter: '\s*\[domain\/[^]]*]'
line: 'ldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}'
+ mode: 0600
tags:
@ANSIBLE_TAGS@
@ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 8941c953a..86915ae7d 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -26,6 +26,7 @@
lineinfile:
path: /etc/sssd/sssd.conf
line: "[domain/default]\nldap_id_use_start_tls = True\n"
+ mode: 0600
when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
tags:
@ANSIBLE_TAGS@
@@ -36,6 +37,7 @@
regexp: '^\s*ldap_id_use_start_tls'
insertafter: '\s*\[domain\/[^]]*]'
line: 'ldap_id_use_start_tls = True'
+ mode: 0600
tags:
@ANSIBLE_TAGS@
@ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
index a42f8ec20..b4ec2b6a1 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
@@ -10,6 +10,7 @@
option: pam_cert_auth
value: true
create: yes
+ mode: 0600
tags:
@ANSIBLE_TAGS@
@ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index 88abc9346..29d8bced6 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -12,6 +12,7 @@
option: memcache_timeout
value: "{{ var_sssd_memcache_timeout }}"
create: yes
+ mode: 0600
tags:
@ANSIBLE_TAGS@
@ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
index 01d8a94c2..e999417c6 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -10,6 +10,7 @@
option: offline_credentials_expiration
value: 1
create: yes
+ mode: 0600
tags:
@ANSIBLE_TAGS@
@ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index 6f9673f75..f4d4d11da 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -10,6 +10,7 @@
option: ssh_known_hosts_timeout
value: 86400
create: yes
+ mode: 0600
tags:
@ANSIBLE_TAGS@
@ANSIBLE_ENSURE_PLATFORM@
--
2.20.1
From be5a09c6dc83f16654022a0c006b210020a5ba7c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 Mar 2019 17:12:39 +0100
Subject: [PATCH 2/5] Use ini_file to deal with sssd config file
Much simpler than the lineinfile module
---
.../sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 11 ++++++-----
.../sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 11 ++++++-----
2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
index 171a3d1ac..1689e2b43 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
@@ -24,13 +24,14 @@
@ANSIBLE_TAGS@
- name: "Configure LDAPs path to CA directory"
- lineinfile:
+ ini_file:
path: /etc/sssd/sssd.conf
- regexp: '^\s*ldap_tls_cacertdir'
- insertafter: '\s*\[domain\/[^]]*]'
- line: 'ldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}'
+ section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
+ option: ldap_tls_cacertdir
+ value: "{{ var_sssd_ldap_tls_ca_dir }}"
+ create: yes
mode: 0600
+ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
tags:
@ANSIBLE_TAGS@
- @ANSIBLE_ENSURE_PLATFORM@
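Review bot: The added `when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@` looks inverted for this task: it now runs only when grep found no `[domain/...]` header, yet the new `section:` expression derives the section name from that very grep output, which is empty in that case, while the preceding task (outside this hunk) already handles the no-domain branch under the same `== ""` condition. The guard should read `when: test_grep_domain.stdout != "" and @ANSIBLE_PLATFORM_CONDITION@`. The same inverted condition is added in the sssd_ldap_start_tls hunk below. Separately, if the file holds more than one domain header, `regex_replace` is applied to the whole multi-line stdout and the resulting section name would contain a newline; feeding it `test_grep_domain.stdout_lines[0]` would bound that — presumably a single domain is expected, worth confirming.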
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 86915ae7d..dbf546013 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -32,12 +32,13 @@
@ANSIBLE_TAGS@
- name: "Configure LDAP to use STARTTLS"
- lineinfile:
+ ini_file:
path: /etc/sssd/sssd.conf
- regexp: '^\s*ldap_id_use_start_tls'
- insertafter: '\s*\[domain\/[^]]*]'
- line: 'ldap_id_use_start_tls = True'
+ section: "{{ test_grep_domain.stdout | regex_replace('[(.*)]','\\1') }}"
+ option: ldap_id_use_start_tls
+ value: true
+ create: yes
mode: 0600
+ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
tags:
@ANSIBLE_TAGS@
- @ANSIBLE_ENSURE_PLATFORM@
--
2.20.1
From 857818d224c97e9cda954b76126b2cd8055901fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 Mar 2019 17:13:30 +0100
Subject: [PATCH 3/5] Use variable for ssh timeout
---
.../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index f4d4d11da..8f3d0029c 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -3,12 +3,14 @@
# strategy = unknown
# complexity = low
# disruption = medium
+- (xccdf-var sshd_idle_timeout_value)
+
- name: "Configure SSSD to Expire SSH Known Hosts"
ini_file:
dest: /etc/sssd/sssd.conf
section: ssh
option: ssh_known_hosts_timeout
- value: 86400
+ value: "{{ sshd_idle_timeout_value }}"
create: yes
mode: 0600
tags:
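Review bot: The new `value: "{{ sshd_idle_timeout_value }}"` ties SSSD's `ssh_known_hosts_timeout` to a variable whose name describes the sshd idle timeout, a different control that may differ in magnitude from the 86400 it replaces. If the intent is a dedicated tunable for this rule, a variable named for it (the sibling rules use the `var_sssd_*` prefix, e.g. `var_sssd_memcache_timeout` in the next patch) would keep the semantics clear; if sharing the variable is deliberate, a comment above the `(xccdf-var ...)` line such as `# ssh_known_hosts_timeout is intentionally tied to the sshd idle timeout` would stop the next reader from "fixing" it. The task's `tags:` block continues past the end of the hunk.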
--
2.20.1
From 4192b0982084c057b594acc508a5e3dc66549d60 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 Mar 2019 17:23:30 +0100
Subject: [PATCH 4/5] Add minimal functional default/domain
Add a domain and its required keys with default values so that the sssd
service can start
---
.../ansible/shared.yml | 10 ++++++++--
.../sssd_ldap_start_tls/ansible/shared.yml | 12 ++++++++++--
.../sssd_enable_smartcards/ansible/shared.yml | 18 ++++++++++++++++++
.../sssd_memcache_timeout/ansible/shared.yml | 19 +++++++++++++++++++
.../ansible/shared.yml | 19 +++++++++++++++++++
.../ansible/shared.yml | 19 +++++++++++++++++++
6 files changed, 93 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
index 1689e2b43..fe1a9ac07 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
@@ -14,11 +14,17 @@
@ANSIBLE_ENSURE_PLATFORM@
- name: "Add default domain group and set CA directory (if no domain there)"
- lineinfile:
+ ini_file:
path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
create: yes
- line: "[domain/default]\nldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}\n"
mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ - { section: domain/default, option: ldap_tls_cacertdir, value: "{{ var_sssd_ldap_tls_ca_dir }}" }
when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
tags:
@ANSIBLE_TAGS@
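Review bot: The `with_items` entries added here are flow mappings with uneven spacing — `value: default}` closes without a space while the next entry has one — and `create: yes` remains a YAML 1.1 truthy spelling; `value: default }` and `create: true` keep the file consistent with yamllint's defaults. The same loop is copied into the other five hunks of this patch, so whichever form is chosen should be applied to all of them. The `when:` on the last lines keeps the `== ""` guard, which is the right branch for this "if no domain there" task.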
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index dbf546013..9ebc53e0f 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -23,10 +23,18 @@
@ANSIBLE_ENSURE_PLATFORM@
- name: "Add default domain group and use STARTTLS (if no domain there)"
- lineinfile:
+ ini_file:
path: /etc/sssd/sssd.conf
- line: "[domain/default]\nldap_id_use_start_tls = True\n"
+ section: domain/default
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ - { section: domain/default, option: ldap_id_use_start_tls, value: true}
when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
tags:
@ANSIBLE_TAGS@
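Review bot: The hunk adds `section:` twice under `ini_file` — `section: domain/default` followed by `section: "{{ item.section }}"` — which is a duplicate mapping key; PyYAML silently keeps the last one and Ansible may warn or fail on it depending on its duplicate-key setting, and the first line is dead either way because every loop item carries its own section. Drop the line `section: domain/default`. Also the last loop item writes `value: true` as a YAML boolean where the removed `lineinfile` line wrote the literal text `True`; ini_file should stringify it, but quoting it as `value: 'True'` makes the text written to sssd.conf explicit rather than parser-dependent.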
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
index b4ec2b6a1..f6dbdf429 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
@@ -3,6 +3,24 @@
# strategy = configure
# complexity = low
# disruption = medium
+- name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ ignore_errors: yes
+ changed_when: False
+
+- name: "Add default domain group (if no domain there)"
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ when: test_grep_domain.stdout == ""
- name: "Enable Smartcards in SSSD"
ini_file:
dest: /etc/sssd/sssd.conf
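Review bot: The new "Test for domain group" task uses `shell:` for a plain `grep` invocation with a literal pattern, and `ignore_errors: yes`, which still reports the non-match (grep exit status 1) as a failed task in the play output. `command:` is sufficient since no shell features are used, and `failed_when: false` expresses that a non-match is the expected no-domain case; together with `changed_when: false` that makes the probe quiet and side-effect free. The two added tasks also carry no `tags:` block, unlike the "Enable Smartcards in SSSD" task that follows and the tasks in the ldap files, and their `when:` omits the `and @ANSIBLE_PLATFORM_CONDITION@` the ldap variants use — presumably the template expects both; confirm. The same probe-and-default pair is added in the memcache, offline-cred-expiration and ssh-known-hosts hunks below.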
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index 29d8bced6..3cf2af44e 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -5,6 +5,25 @@
# disruption = medium
- (xccdf-var var_sssd_memcache_timeout)
+- name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ ignore_errors: yes
+ changed_when: False
+
+- name: "Add default domain group (if no domain there)"
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ when: test_grep_domain.stdout == ""
+
- name: "Configure SSSD's Memory Cache to Expire"
ini_file:
dest: /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
index e999417c6..f2cddfd2a 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -3,6 +3,25 @@
# strategy = configure
# complexity = low
# disruption = medium
+- name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ ignore_errors: yes
+ changed_when: False
+
+- name: "Add default domain group (if no domain there)"
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ when: test_grep_domain.stdout == ""
+
- name: "Configure SSD to Expire Offline Credentials"
ini_file:
dest: /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index 8f3d0029c..61bd79856 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -5,6 +5,25 @@
# disruption = medium
- (xccdf-var sshd_idle_timeout_value)
+- name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ ignore_errors: yes
+ changed_when: False
+
+- name: "Add default domain group (if no domain there)"
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ when: test_grep_domain.stdout == ""
+
- name: "Configure SSSD to Expire SSH Known Hosts"
ini_file:
dest: /etc/sssd/sssd.conf
--
2.20.1
From 48a230730a07d8a496c5cfe050934f24e031818a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 Mar 2019 11:42:39 +0100
Subject: [PATCH 5/5] Escape square brackes in regex_replace
---
.../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 9ebc53e0f..d0ecf8590 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -42,7 +42,7 @@
- name: "Configure LDAP to use STARTTLS"
ini_file:
path: /etc/sssd/sssd.conf
- section: "{{ test_grep_domain.stdout | regex_replace('[(.*)]','\\1') }}"
+ section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
option: ldap_id_use_start_tls
value: true
create: yes
--
2.20.1