timorunge.sssd
SSSD
This guide explains how to install and set up the SSSD service.
It also allows you to install and update your own version of SSSD based on your needs.
Requirements
You need Ansible 2.6.0 or higher to apply updates from the source.
You can install a stable Ansible version using pip:
pip install ansible==2.7.9
All system requirements are listed in the metadata file.
Installation
- Use tag 0.4.2 for SSSD version 1.6.0 and above.
- Use tag 0.5.0 or higher for SSSD version 2.0.0 and above.
Recommendation
It's better to stick with SSSD 1.6.x. While 2.0.0 works, it requires additional updates. The later version also has more dependencies on Debian systems.
You can install the role with the command:
ansible-galaxy install timorunge.sssd[,version]
Note for RedHat
Some packages this role installs are found only in the rhel-6-server-optional-rpms or rhel-7-server-optional-rpms repositories. If you encounter an error saying "No package matching 'sssd-dbus' found available, installed, or updated", you may need to enable these repositories.
To enable the optional repo for RHEL 6:
subscription-manager repos --enable rhel-6-server-optional-rpms
For RHEL 7:
subscription-manager repos --enable rhel-7-server-optional-rpms
Role Variables
This role uses a YAML hierarchy to create a working configuration file for the SSSD service.
Here are some variables you can set for this role. For a full list, check the SSSD configuration options.
# Enable / disable SSSD as a service
sssd_service_enabled: yes
# Enable DNS lookup in sshd config
sssd_manage_sshd_dns_service_lookup: false
# Choose the config type
sssd_config_type: config
# Default SSSD config options
sssd_config:
  "domain/example.com":
    access_provider: permit
    auth_provider: local
    id_provider: local
  sssd:
    config_file_version: 2
    services: nss, pam
    domains: example.com
# SSSD from source installation option
sssd_from_sources: false
# Version definition (only if 'sssd_from_sources' is true)
sssd_version: 2.0.0
# Custom patches for SSSD
sssd_patches:
  fix-makefile:
    dest_file: Makefile.am
    patch_file: "files/patches/{{ sssd_version }}/fix-makefile.diff"
    state: present
# Default build options
sssd_build_options: "{{ sssd_default_build_options }}"
Examples
Here are some examples showing how to use the role.
1) Configure SSSD
- hosts: all
  vars:
    sssd_config:
      "domain/example.com":
        access_provider: permit
        auth_provider: local
        id_provider: local
      sssd:
        config_file_version: 2
        domains: example.com
        services: nss, pam
  roles:
    - timorunge.sssd
2) Example for FreeIPA configuration
- hosts: all
  vars:
    sssd_config:
      "domain/example.com":
        access_provider: ipa
        auth_provider: ipa
        cache_credentials: true
        id_provider: ipa
        ipa_domain: example.com
        ipa_server: ipa-srv1.example.com
      sssd:
        config_file_version: 2
        domains: example.com
        services: ifp, nss, pam, ssh, sudo
  roles:
    - timorunge.sssd
3) Build and configure SSSD from source
- hosts: all
  vars:
    sssd_from_sources: true
    sssd_version: 2.0.0
    sssd_config:
      "domain/example.com":
        access_provider: permit
        auth_provider: local
        id_provider: local
      sssd:
        config_file_version: 2
        domains: example.com
        services: nss, pam
  roles:
    - timorunge.sssd
4) Skip generating configuration
Useful when using this role with something like FreeIPA.
- hosts: all
  vars:
    sssd_config_type: none
    sssd_from_sources: true
    sssd_version: 2.0.0
  roles:
    - timorunge.sssd
5) Apply patches to source
- hosts: all
  vars:
    sssd_from_sources: true
    sssd_version: 2.0.0
    sssd_patches:
      fix-makefile:
        dest_file: Makefile.am
        patch_file: "files/patches/{{ sssd_version }}/fix-makefile.diff"
        state: present
    sssd_build_options: "{{ sssd_default_build_options }}"
    sssd_config:
      "domain/example.com":
        access_provider: permit
        auth_provider: local
        id_provider: local
      sssd:
        config_file_version: 2
        domains: example.com
        services: nss, pam
  roles:
    - timorunge.sssd
6) Override service templates
- hosts: all
  vars:
    sssd_init_template: roles/sssd/templates/sssd.service.j2
    sssd_service_template: roles/sssd/templates/sssd.init.j2
    sssd_config:
      "domain/example.com":
        access_provider: permit
        auth_provider: local
        id_provider: local
      sssd:
        config_file_version: 2
        domains: example.com
        services: nss, pam
  roles:
    - timorunge.sssd
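How the sssd_config hierarchy used in the examples above maps onto sssd.conf sections, together with a small pre-deployment review of it. This is an added example, not the role's own template code: the names FREEIPA, split_csv, render and lint are hypothetical, and the rendered layout is an assumption about what the role writes.

```python
# Added example, not the role's template: render and review an sssd_config hierarchy.

# Constructed sample: the FreeIPA hierarchy from example 2 as a Python dict.
FREEIPA = {
    "domain/example.com": {
        "access_provider": "ipa",
        "auth_provider": "ipa",
        "cache_credentials": True,
        "id_provider": "ipa",
        "ipa_domain": "example.com",
        "ipa_server": "ipa-srv1.example.com",
    },
    "sssd": {
        "config_file_version": 2,
        "domains": "example.com",
        "services": "ifp, nss, pam, ssh, sudo",
    },
}

def split_csv(value):
    """Split a comma-separated sssd.conf value such as 'nss, pam'."""
    return [item.strip() for item in str(value).split(",") if item.strip()]

def render(config):
    """Render {section: {option: value}} as INI text (layout is an assumption)."""
    lines = []
    for section in sorted(config):
        lines.append(f"[{section}]")
        for option, value in sorted(config[section].items()):
            if isinstance(value, bool):
                value = str(value).lower()  # YAML true/false -> true/false
            lines.append(f"{option} = {value}")
        lines.append("")
    return "\n".join(lines)

def lint(config):
    """Return findings worth reviewing before the hierarchy is deployed."""
    findings = []
    for name in split_csv(config.get("sssd", {}).get("domains", "")):
        section = config.get(f"domain/{name}")
        if section is None:
            findings.append(f"{name}: listed in [sssd] domains but has no [domain/{name}] section")
        elif section.get("access_provider", "permit") == "permit":
            # 'permit' is also the SSSD default when the option is omitted.
            findings.append(f"{name}: access_provider is permit, so access is always allowed")
    return findings

if __name__ == "__main__":
    print(render(FREEIPA))
    print(lint(FREEIPA) or "no findings")
```

Run against the hierarchy from example 1, lint reports the permit access provider, which is expected for a local domain but worth a second look on a directory-backed one.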
SSSD Configuration Options
sssd_config:
  service:
    timeout: int
    debug: int
    services: list
    domains: list
SSSD Build Options
To check the build options for SSSD version 2.0.0, refer to the options listed during the configuration.
Testing
Tests are executed using Docker and docker_test_runner for various environments.
To test locally:
curl https://raw.githubusercontent.com/timorunge/docker-test-runner/master/install.sh | sh
./docker_test_runner.py -f tests/docker_test_runner.yml
Dependencies
For Ubuntu 16.04
Make sure to update pyopenssl before installing SSSD:
pip install --upgrade pyopenssl
License
This project is licensed under the BSD 3-Clause "New" or "Revised" License.
Author Information
- Timo Runge