Update to 2021-12-01 19:13

roles/sssd_ldap_auth/defaults/main.yml

@@ -0,0 +1,17 @@
+---
+ldap_auth: true
+ldap_schema: rfc2307
+ldap_modules:
+  - pam
+  - nss
+  - sudo
+  - autofs
+ldap_user_object_class: inetOrgPerson
+ldap_base: dc=domain,dc=org
+ldap_user_base: ou=Users
+ldap_group_base: ou=Groups
+ldap_sudo_base: ou=sudoers
+ldap_autofs_base: ou=autofs
+ldap_user_shell: loginShell
+ldap_access_filter: objectClass=inetOrgPerson
+# ldap_tls_ca_cert: /etc/pki/tls/cert.pem

roles/sssd_ldap_auth/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart sssd
+  service: name=sssd state=restarted enabled=yes
+
+- name: restart oddjobd
+  service: name=oddjobd state=restarted

roles/sssd_ldap_auth/tasks/install_Debian.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Install sssd and the needed tools
+  apt:
+    name:
+      - sssd
+      - libnss-sss
+      - libpam-sss
+      - ca-certificates
+  tags: auth
+
+- name: Install oddjob-mkhomedir
+  apt:
+    name:
+      - oddjob-mkhomedir
+  when: ansible_distribution_major_version is version('9', '>=')
+  notify: restart oddjobd
+  tags: auth
+

roles/sssd_ldap_auth/tasks/install_RedHat.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Install sssd and the needed tools
+  yum:
+    name:
+      - sssd
+      - oddjob-mkhomedir
+      - authconfig
+  tags: auth

roles/sssd_ldap_auth/tasks/main.yml

@@ -0,0 +1,42 @@
+---
+
+- include: install_{{ ansible_os_family }}.yml
+
+- name: Deploy sssd config
+  template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=0600
+  register: sssd_config
+  notify: restart sssd
+  tags: auth
+
+  # On el8 for example, sssd is already installed and running on a default setup
+  # so we need to restart it now, so users are available (for eg, ssh authorized_keys setup)
+  # We can't rely on the handler, because it would only run at the end of the playbook
+- name: Restart sssd if needed
+  service: name=sssd state=restarted
+  when: sssd_config.changed
+  tags: auth
+
+- name: Ensure nsswitch is using sssd
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  with_items:
+    - regexp: '^passwd:.*'
+      line: 'passwd:     files sss'
+    - regexp: '^shadow:.*'
+      line: 'shadow:     files sss'
+    - regexp: '^group:.*'
+      line: 'group:      files sss'
+  tags: auth
+
+- name: Start and enable sssd service
+  service: name=sssd state=started enabled=True
+  tags: auth
+
+- name: Start oddjobd
+  service: name=oddjobd state=started enabled=True
+  when: ansible_distribution != 'Debian' or ansible_distribution_major_version is version('9', '>=')
+  tags: auth
+
+- include: pam_{{ ansible_os_family }}.yml

roles/sssd_ldap_auth/tasks/pam_Debian.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Deploy pam config
+  template: src=deb_pam_common_{{ item }}.j2 dest=/etc/pam.d/common-{{ item }}
+  with_items:
+    - account
+    - auth
+    - password
+    - session
+  tags: auth

roles/sssd_ldap_auth/tasks/pam_RedHat.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Check if authconfig needs to update pam config
+  command: "grep -P '^auth\\s+sufficient\\s+pam_sss.so' /etc/pam.d/system-auth"
+  register: auth_sss_done
+  changed_when: False
+  failed_when: False
+  tags: auth
+
+- name: Configure authentication with authconfig
+  command: authconfig --enablemkhomedir --enablesssd --enablesssdauth --update
+  when: auth_sss_done.rc != 0
+  tags: auth

roles/sssd_ldap_auth/templates/deb_pam_common_account.j2

@@ -0,0 +1,5 @@
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 1000 quiet
+account     [success=1 new_authtok_reqd=done default=ignore] pam_sss.so
+account     required      pam_permit.so

roles/sssd_ldap_auth/templates/deb_pam_common_auth.j2

@@ -0,0 +1,4 @@
+auth    [success=2 default=ignore]      pam_unix.so nullok_secure
+auth    [success=1 default=ignore]      pam_sss.so use_first_pass
+auth    requisite                       pam_deny.so
+auth    required                        pam_permit.so

roles/sssd_ldap_auth/templates/deb_pam_common_password.j2

@@ -0,0 +1,4 @@
+password        sufficient                      pam_sss.so
+password        [success=1 default=ignore]      pam_unix.so obscure try_first_pass sha512
+password        requisite                       pam_deny.so
+password        required                        pam_permit.so

roles/sssd_ldap_auth/templates/deb_pam_common_session.j2

@@ -0,0 +1,10 @@
+session [default=1]   pam_permit.so
+session requisite     pam_deny.so
+session required      pam_permit.so
+{% if ansible_distribution_major_version is version('9', '>=') %}
+session optional      pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077
+{% else %}
+session optional      pam_mkhomedir.so skel=/etc/skel umask=0077
+{% endif %}
+session optional      pam_sss.so
+session required      pam_unix.so

roles/sssd_ldap_auth/templates/sssd.conf.j2

@@ -0,0 +1,37 @@
+[sssd]
+config_file_version = 2
+services = {{ ldap_modules|join(', ') }}
+domains = LDAP
+
+[nss]
+
+[pam]
+
+[sudo]
+
+[autofs]
+
+[domain/LDAP]
+id_provider = ldap
+auth_provider = ldap
+ldap_schema = {{ ldap_schema }}
+ldap_uri = {{ ldap_uri }}
+ldap_default_bind_dn = {{ ldap_bind_dn }}
+ldap_default_authtok = {{ ldap_bind_pass }}
+ldap_default_authtok_type = password
+ldap_search_base = {{ ldap_base }}
+ldap_user_search_base = {{ ldap_user_base }},{{ ldap_base }}
+ldap_group_search_base = {{ ldap_group_base }},{{ ldap_base }}
+ldap_sudo_search_base = {{ ldap_sudo_base }},{{ ldap_base }}
+ldap_autofs_search_base = {{ ldap_autofs_base }},{{ ldap_base }}
+ldap_user_object_class = {{ ldap_user_object_class }}
+ldap_user_gecos = cn
+ldap_tls_reqcert = hard
+ldap_id_use_start_tls = true
+ldap_tls_cacert = {{ ldap_tls_ca_cert | default((ansible_os_family == 'Debian') | ternary('/etc/ssl/certs/ca-certificates.crt','/etc/pki/tls/cert.pem')) }}
+ldap_user_shell = {{ ldap_user_shell }}
+cache_credentials = true
+enumerate = true
+access_provider = ldap
+ldap_access_filter = {{ ldap_access_filter }}
+