caseraw.ansible_role_ad_membership

Panoramica Versioni Approfondimenti

Ansible Role for Active Directory Membership

This role helps manage the membership of a Windows Active Directory (AD) for managed hosts.

Ansible Role for Active Directory Membership

License

MIT / BSD

Author Information

Created and maintained by: Kasra Amirsarvari
Author on Ansible Galaxy: https://galaxy.ansible.com/caseraw
User on Dockerhub: https://hub.docker.com/u/caseraw

Requirements

A package manager should be set up with the right sources and repositories.
The user running this role must have permissions to:
- Install and remove packages.
- Edit configuration files like /etc/krb5.conf and /etc/sssd/sssd.conf.
- Manage systemd services for realmd, sssd, and addjobd.
Network access to the Windows Domain Controller must be available.

Dependencies

None

Compatibility

Works with the following operating systems:

CentOS 7
CentOS 8
RHEL 7.x
RHEL 8.x

Role Variables

Variable Name	Description
role_ad_membership_sa_username	Username for the AD service account (encrypted).
role_ad_membership_sa_password	Password for the AD service account (encrypted).
role_ad_membership_required_packages	Packages that need to be installed.
role_ad_membership_use_discovered_domain_controller	Use the AD controller found based on the domain?
role_ad_membership_ad_controller_random_selection	Randomly pick an AD controller or use the first one?
role_ad_membership_ad_controllers	A list of AD controllers.
role_ad_membership_computer_ou	The AD Organizational Unit to put the Computer object in.
role_ad_membership_ou_user_search_base	The AD Organizational Unit to search for users.
role_ad_membership_netbios_max_length	Maximum length for Netbios hostname.
role_ad_membership_leave_ad	Leave the AD and remove the Computer object from the OU?
role_ad_membership_allowed_group_list	Combined list of allowed group lists.
role_ad_membership_allowed_group_list_default	Default list of allowed groups.
role_ad_membership_molecule_dummy	Placeholder to skip the entire playbook.

Example Playbook

---
- name: Manage AD membership for a Windows host
  become: True
  gather_facts: True
  vars_files:
    - /path/to/vault/file.yml
  tasks:
    - import_role:
        name: ansible_role_ad_membership
      vars:
        role_ad_membership_required_packages:
          - openldap-clients
          - krb5-workstation
          - krb5-libs
          - adcli
          - realmd
          - authconfig
          - samba-client
          - samba-common
          - samba-common-tools
          - sssd
          - sssd-ad
          - sssd-krb5
          - oddjob
          - oddjob-mkhomedir
        role_ad_membership_use_global_domain_controller: False
        role_ad_membership_ad_controller_random_selection: False
        role_ad_membership_ad_controllers:
          - ad1.example.com
          - ad2.example.com
        role_ad_membership_computer_ou: OU=Servers,DC=example,DC=com
        role_ad_membership_netbios_max_length: 15
        role_ad_membership_leave_ad: False
        role_ad_membership_allowed_group_list_default:
          - Special-Group-01
          - super_special_group_01
        role_ad_membership_allowed_group_list_something:
          - Special-Group-02
          - super_special_group_02
        role_ad_membership_allowed_group_list_something_else:
          - Special-Group-03
          - super_special_group_03

...

Useful Shell Commands

Find the AD controller and domain details.

dig -t SRV _ldap._tcp.ad.example.com
dig -t SRV _ldap._tcp.dc._msdcs.ad.example.com

Additional Documentation Resources

For more details about sssd and how to use it, check these links:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-integration-intro

Testing with Molecule

This role is tested locally using Molecule. The configuration can be found at: molecule/default. Molecule tests are run using the docker driver on Dockerhub images made for this:

For complex configurations, you might need a full OS instead of a minimal container. In such cases, use Molecule's Vagrant driver with the libvirt provider. Your Molecule driver and platform configuration could look like:

driver:
  name: vagrant
  provider:
    name: libvirt
platforms:
  - name: ansible_role_ad_membership-ansible-molecule-centos-7
    box: centos/7
    memory: 1024
    cpus: 1

CI/CD with Travis CI

This role uses Travis CI for online testing with Molecule and sends notifications to import the role into Ansible Galaxy once tests pass. The Travis CI configuration file is located in the root of the Ansible role as .travis.yml.

Useful Links

GitHub repository: https://github.com/Caseraw/ansible_role_ad_membership
Travis CI build status: https://travis-ci.org/Caseraw/ansible_role_ad_membership
Ansible Galaxy role: https://galaxy.ansible.com/caseraw/ansible_role_ad_membership

Informazioni sul progetto

Manage membership of managed host with Windows AD.

role active activedirectory ad directory domain join member membership windows

Installa

ansible-galaxy install caseraw.ansible_role_ad_membership

GitHub repository

2 stelle

0 fork

0 problemi aperti

Licenza

Unknown

Download

515

Proprietario

Kasra

DevOps | RHCA | Red Hat Accelerator