An ansible role which installs files necessary to configure SSSD for authentication, authorization and making the other changes for providing home directories over NFSv4.
The use of this role is intended to be gated based on site-specific variables (discussed below) which define LDAP and NFS related information. The author defines these variables by adding specific machines to an inventory group, then using a file under group_vars to set these variables. While presently not doing so, this will allow setting up multiple realms having their own authentication and home directories, such as for development, a group of bastion servers providing a specific service, etc.
This role has been developed using Ansible 2.6, and presently only works with RHEL/CentOS 6.x and 7.x, along with Fedora 29.
NOTE: Adjustments will need to be made to use this with RHEL, as well as when RHEL/CentOS 8 is released, perhaps switching to including the preparation tasks based on yum vs. dnf, or by using the combination of distribution name/version instead of just the name.
This role uses variables which are broken down into two separate groups: those for the role in general, and those specific to a given user realm.
The following variables are defined in defaults/main.yml
.
ca_trusted_dir: /etc/pki/ca-trust/source/anchors
The directory where CA root certificates are placed when adding them to the trust databases.
ca_update_command: update-ca-trust
The command which is run to rebuild the trust databases with any CA root certificates which we have added.
ldap_dir: /etc/openldap/
The directory where we place the ldap.conf file.
sssd_conf_dir: /etc/sssd/conf.d/
The directory where we will place all our SSSD configuration snippets.
autofs_daemon: autofs
The name of the autofs service/daemon.
autofs_service_state: started
What the initial state of the initial state of the autofs service is
to be when installed. The recommended values are either started
or
stopped
.
autofs_service_enabled: true
Whether the autofs service is to be enabled: true
or false
.
autofs_restarted_state: restarted
The autofs state when configuration changes are made. The recommended
values are either restarted
or reloaded
.
idmapd_daemon: nfs-idmapd
The name of the idmapd service/daemon, which handles mapping the remote user IDs to local IDs.
idmapd_service_state: started
What the initial state of the initial state of the idmapd service is
to be when installed. The recommended values are either started
or
stopped
.
idmapd_service_enabled: true
Whether the idmapd service is to be enabled: true
or false
.
idmapd_restarted_state: restarted
The idmapd state when configuration changes are made. The recommended
values are either restarted
or reloaded
sssd_daemon: sssd
The name of the sssd service/daemon.
sssd_service_state: started
What the initial state of the initial state of the sssd service is to
be when installed. The recommended values are either started
or
stopped
.
sssd_service_enabled: true
Whether the sssd service is to be enabled: true
or false
.
sssd_restarted_state: restarted
The sssd state when configuration changes are made. The recommended
values are either restarted
or reloaded
.
nfs_nobody_user: nobody
The username to which root or unmapped users are mapped to during ID
mapping. Used in templates/idmapd.conf.j2
when producing the
idmapd.conf configuration file.
nfs_nobody_group: nobody
The group to which root/wheel or unmapped groups are mapped during ID
mapping. Used in templates/idmapd.conf.j2
when producing the
idmapd.conf configuration file.
Additionally, the following variables must also be defined through either the site, host or group variables files.
nfs_home_server: filer
The name of the server from which home directories are mounted. Used
in templates/auto.home.j2
when producing the home directory autofs
map.
nfs_domain: example.com
The domain for NFS, used by the idmapd process. Used in
templates/idmapd.conf.j2
when producing the idmapd.conf
configuration file.
nfs_ldap_server: ldap.example.com
The LDAP server used by the idmapd process. Used in
templates/idmapd.conf.j2
when producing the idmapd.conf
configuration file.
nfs_ldap_base: dc=example,dc=com
The LDAP DN used as the base while doing the idmapd process. Used in
templates/idmapd.conf.j2
when producing the idmapd.conf
configuration file.
None.
See defaults/playbook.yml
This software is open-sourced software licensed under the Apache 2.0 license.
This role was created 2019 March 22 by Douglas Needham.