From b3a0d725611897e2aa1577cc64c58572703f9d21 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 14 Mar 2019 17:07:13 +0100
Subject: [PATCH 1/5] Create /etc/sssd/sssd/conf with correct permissions

Only owner of file should be able to access it.
---
 .../sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 2 ++
 .../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 2 ++
 .../services/sssd/sssd_enable_smartcards/ansible/shared.yml | 1 +
 .../services/sssd/sssd_memcache_timeout/ansible/shared.yml | 1 +
 .../sssd/sssd_offline_cred_expiration/ansible/shared.yml | 1 +
 .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 1 +
 6 files changed, 8 insertions(+)

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
index ecea440bf..171a3d1ac 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
@@ -18,6 +18,7 @@
 path: /etc/sssd/sssd.conf
 create: yes
 line: "[domain/default]\nldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}\n"
+ mode: 0600
 when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
 tags:
 @ANSIBLE_TAGS@
@@ -28,6 +29,7 @@
 regexp: '^\s*ldap_tls_cacertdir'
 insertafter: '\s*\[domain\/[^]]*]'
 line: 'ldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}'
+ mode: 0600
 tags:
 @ANSIBLE_TAGS@
 @ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 8941c953a..86915ae7d 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
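Review bot: `mode: 0600` is a bare YAML scalar, so it reaches lineinfile as the integer 384 (octal under the YAML 1.1 rules PyYAML applies) and only works because of the leading zero; a YAML 1.2 loader, or a later edit to `600`, would silently produce mode 01130 instead. Quote it, `mode: '0600'`, as the Ansible file-module docs recommend; the same applies to every `mode:` line this patch adds (both hunks here and the hunks for sssd_ldap_start_tls, sssd_enable_smartcards, sssd_memcache_timeout, sssd_offline_cred_expiration and sssd_ssh_known_hosts_timeout). Since the stated intent is that only the owner may access the file, it is also worth pinning the owner explicitly with `owner: root` / `group: root` next to the mode, otherwise a file created by `create: yes` presumably belongs to whatever identity the play runs under. The enclosing task starts outside the hunk.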
@@ -26,6 +26,7 @@
 lineinfile:
 path: /etc/sssd/sssd.conf
 line: "[domain/default]\nldap_id_use_start_tls = True\n"
+ mode: 0600
 when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
 tags:
 @ANSIBLE_TAGS@
@@ -36,6 +37,7 @@
 regexp: '^\s*ldap_id_use_start_tls'
 insertafter: '\s*\[domain\/[^]]*]'
 line: 'ldap_id_use_start_tls = True'
+ mode: 0600
 tags:
 @ANSIBLE_TAGS@
 @ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
index a42f8ec20..b4ec2b6a1 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
@@ -10,6 +10,7 @@
 option: pam_cert_auth
 value: true
 create: yes
+ mode: 0600
 tags:
 @ANSIBLE_TAGS@
 @ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index 88abc9346..29d8bced6 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -12,6 +12,7 @@
 option: memcache_timeout
 value: "{{ var_sssd_memcache_timeout }}"
 create: yes
+ mode: 0600
 tags:
 @ANSIBLE_TAGS@
 @ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
index 01d8a94c2..e999417c6 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -10,6 +10,7 @@
 option: offline_credentials_expiration
 value: 1
 create: yes
+ mode: 0600
 tags:
 @ANSIBLE_TAGS@
 @ANSIBLE_ENSURE_PLATFORM@
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index 6f9673f75..f4d4d11da 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -10,6 +10,7 @@
 option: ssh_known_hosts_timeout
 value: 86400
 create: yes
+ mode: 0600
 tags:
 @ANSIBLE_TAGS@
 @ANSIBLE_ENSURE_PLATFORM@
-- 
2.20.1

From be5a09c6dc83f16654022a0c006b210020a5ba7c Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 14 Mar 2019 17:12:39 +0100
Subject: [PATCH 2/5] Use ini_file to deal with sssd config file

Much simpler then lineinfile module
---
 .../sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 11 ++++++-----
 .../sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 11 ++++++-----
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
index 171a3d1ac..1689e2b43 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
@@ -24,13 +24,14 @@
 @ANSIBLE_TAGS@
 - name: "Configure LDAPs path to CA directory"
- lineinfile:
+ ini_file:
 path: /etc/sssd/sssd.conf
- regexp: '^\s*ldap_tls_cacertdir'
- insertafter: '\s*\[domain\/[^]]*]'
- line: 'ldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}'
+ section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
+ option: ldap_tls_cacertdir
+ value: "{{ var_sssd_ldap_tls_ca_dir }}"
+ create: yes
 mode: 0600
+ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
 tags:
 @ANSIBLE_TAGS@
- @ANSIBLE_ENSURE_PLATFORM@
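Review bot: The added `when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@` on "Configure LDAPs path to CA directory" looks inverted: this task derives its `section:` from `test_grep_domain.stdout`, which is only non-empty when a `[domain/...]` section was found, yet the condition runs it only when stdout is empty, i.e. exactly when the section name would be the empty string, while a host with an existing domain would never get the option. The preceding task in this file (outside the hunk) already covers the no-domain case, so this one should read `when: test_grep_domain.stdout != "" and @ANSIBLE_PLATFORM_CONDITION@`. The same inverted condition is added to "Configure LDAP to use STARTTLS" in sssd_ldap_start_tls/ansible/shared.yml in the next hunk.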
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 86915ae7d..dbf546013 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -32,12 +32,13 @@
 @ANSIBLE_TAGS@
 - name: "Configure LDAP to use STARTTLS"
- lineinfile:
+ ini_file:
 path: /etc/sssd/sssd.conf
- regexp: '^\s*ldap_id_use_start_tls'
- insertafter: '\s*\[domain\/[^]]*]'
- line: 'ldap_id_use_start_tls = True'
+ section: "{{ test_grep_domain.stdout | regex_replace('[(.*)]','\\1') }}"
+ option: ldap_id_use_start_tls
+ value: true
+ create: yes
 mode: 0600
+ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
 tags:
 @ANSIBLE_TAGS@
- @ANSIBLE_ENSURE_PLATFORM@
-- 
2.20.1

From 857818d224c97e9cda954b76126b2cd8055901fa Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 14 Mar 2019 17:13:30 +0100
Subject: [PATCH 3/5] Use variable for ssh timeout

---
 .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index f4d4d11da..8f3d0029c 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -3,12 +3,14 @@
 # strategy = unknown
 # complexity = low
 # disruption = medium
+- (xccdf-var sshd_idle_timeout_value)
+
 - name: "Configure SSSD to Expire SSH Known Hosts"
 ini_file:
 dest: /etc/sssd/sssd.conf
 section: ssh
 option: ssh_known_hosts_timeout
- value: 86400
+ value: "{{ sshd_idle_timeout_value }}"
 create: yes
 mode: 0600
 tags:
-- 
2.20.1

From 4192b0982084c057b594acc508a5e3dc66549d60 Mon Sep 17 00:00:00 2001
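Review bot: `value: "{{ sshd_idle_timeout_value }}"` ties SSSD's `ssh_known_hosts_timeout` to a variable whose name says it holds the sshd idle-timeout value, and it replaces the former constant 86400 with whatever that variable resolves to, so the two settings can no longer be tuned independently and the effective known-hosts timeout silently follows the sshd profile. If the two are meant to stay separate, declare a dedicated variable (e.g. `var_sssd_ssh_known_hosts_timeout`, to be added next to the existing `var_sssd_*` variables) and use it in both the `xccdf-var` line and the `value:`; if the coupling is deliberate, a one-line comment above the `xccdf-var` line saying so would spare the next reader the same question. The enclosing task continues past the hunk.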
From: Watson Sato
Date: Thu, 14 Mar 2019 17:23:30 +0100
Subject: [PATCH 4/5] Add minimal functional default/domain

Add domain and its required keys with default value for sssd service to start
---
 .../ansible/shared.yml | 10 ++++++++--
 .../sssd_ldap_start_tls/ansible/shared.yml | 12 ++++++++++--
 .../sssd_enable_smartcards/ansible/shared.yml | 18 ++++++++++++++++++
 .../sssd_memcache_timeout/ansible/shared.yml | 19 +++++++++++++++++++
 .../ansible/shared.yml | 19 +++++++++++++++++++
 .../ansible/shared.yml | 19 +++++++++++++++++++
 6 files changed, 93 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
index 1689e2b43..fe1a9ac07 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
@@ -14,11 +14,17 @@
 @ANSIBLE_ENSURE_PLATFORM@
 - name: "Add default domain group and set CA directory (if no domain there)"
- lineinfile:
+ ini_file:
 path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
 create: yes
- line: "[domain/default]\nldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}\n"
 mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ - { section: domain/default, option: ldap_tls_cacertdir, value: "{{ var_sssd_ldap_tls_ca_dir }}" }
 when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
 tags:
 @ANSIBLE_TAGS@
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index dbf546013..9ebc53e0f 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
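Review bot: The `with_items` entry `{ section: domain/default, option: id_provider, value: files }` assumes an SSSD that ships the files identity provider, which as far as I know only exists from SSSD 1.16 on, so on an older target the task's stated goal of a minimal domain that lets the service start would not be met and sssd would still refuse the config. Worth recording that requirement in a comment above the item, e.g. `# id_provider = files needs SSSD >= 1.16; older releases reject this domain`, or guarding the rule by platform. The first item's spacing, `value: default}`, is also inconsistent with the other two entries, which close with ` }`; yamllint and Prettier both normalise to the spaced form. The enclosing task starts before the hunk.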
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -23,10 +23,18 @@
 @ANSIBLE_ENSURE_PLATFORM@
 - name: "Add default domain group and use STARTTLS (if no domain there)"
- lineinfile:
+ ini_file:
 path: /etc/sssd/sssd.conf
- line: "[domain/default]\nldap_id_use_start_tls = True\n"
+ section: domain/default
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
 mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ - { section: domain/default, option: ldap_id_use_start_tls, value: true}
 when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
 tags:
 @ANSIBLE_TAGS@
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
index b4ec2b6a1..f6dbdf429 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
@@ -3,6 +3,24 @@
 # strategy = configure
 # complexity = low
 # disruption = medium
+- name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ ignore_errors: yes
+ changed_when: False
+
+- name: "Add default domain group (if no domain there)"
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ when: test_grep_domain.stdout == ""
 - name: "Enable Smartcards in SSSD"
 ini_file:
 dest: /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index 29d8bced6..3cf2af44e 100644
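Review bot: The new `ini_file:` mapping in "Add default domain group and use STARTTLS (if no domain there)" carries `section:` twice, `section: domain/default` followed by `section: "{{ item.section }}"`, which is a duplicate key in one YAML mapping; PyYAML keeps the last value so it happens to work, but stricter loaders reject it and yamllint's key-duplicates check flags it. Drop the `section: domain/default` line; the per-item value is the one intended, as in the sibling sssd_ldap_configure_tls_ca_dir change in the previous hunk. The enclosing task starts before the hunk.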
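Review bot: The added "Test for domain group" grep, `grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf`, is not anchored, so a commented-out line such as `#[domain/example]` counts as an existing domain and the default domain is then never created, which presumably leaves sssd with a config it still cannot start on. Anchor it, `grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf`; since no shell features are used `command:` would do instead of `shell:`, and `failed_when: false` states the intent better than `ignore_errors: yes` for a grep that legitimately exits 1. The "Add default domain group" task here also lacks the `tags:` / `@ANSIBLE_TAGS@` lines that the other tasks in this file carry, so a tag-filtered run would skip the prerequisite while still applying the setting below it. The same applies to the identical hunks in sssd_memcache_timeout, sssd_offline_cred_expiration and sssd_ssh_known_hosts_timeout.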
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -5,6 +5,25 @@
 # disruption = medium
 - (xccdf-var var_sssd_memcache_timeout)
+- name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ ignore_errors: yes
+ changed_when: False
+
+- name: "Add default domain group (if no domain there)"
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ when: test_grep_domain.stdout == ""
+
 - name: "Configure SSSD's Memory Cache to Expire"
 ini_file:
 dest: /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
index e999417c6..f2cddfd2a 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -3,6 +3,25 @@
 # strategy = configure
 # complexity = low
 # disruption = medium
+- name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ ignore_errors: yes
+ changed_when: False
+
+- name: "Add default domain group (if no domain there)"
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ when: test_grep_domain.stdout == ""
+
 - name: "Configure SSD to Expire Offline Credentials"
 ini_file:
 dest: /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index 8f3d0029c..61bd79856 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -5,6 +5,25 @@
 # disruption = medium
 - (xccdf-var sshd_idle_timeout_value)
+- name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ ignore_errors: yes
+ changed_when: False
+
+- name: "Add default domain group (if no domain there)"
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: yes
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+ - { section: domain/default, option: id_provider, value: files }
+ when: test_grep_domain.stdout == ""
+
 - name: "Configure SSSD to Expire SSH Known Hosts"
 ini_file:
 dest: /etc/sssd/sssd.conf
-- 
2.20.1

From 48a230730a07d8a496c5cfe050934f24e031818a Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Fri, 15 Mar 2019 11:42:39 +0100
Subject: [PATCH 5/5] Escape square brackes in regex_replace

---
 .../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 9ebc53e0f..d0ecf8590 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -42,7 +42,7 @@
 - name: "Configure LDAP to use STARTTLS"
 ini_file:
 path: /etc/sssd/sssd.conf
- section: "{{ test_grep_domain.stdout | regex_replace('[(.*)]','\\1') }}"
+ section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
 option: ldap_id_use_start_tls
 value: true
 create: yes
-- 
2.20.1
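Review bot: With the escaping fixed, `section:` is still built from the whole of `test_grep_domain.stdout`, and grep prints every matching line, so a file with two or more `[domain/...]` sections yields a newline-joined string that matches no existing section and ini_file would add a new, malformed one. Take the first match explicitly, `section: "{{ test_grep_domain.stdout_lines[0] | regex_replace('\\[(.*)\\]','\\1') }}"`, or loop over `stdout_lines` if every domain should receive the option; the same expression is used in sssd_ldap_configure_tls_ca_dir/ansible/shared.yml. The enclosing task continues past the hunk.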