weehal.sssd

Ansible Role: sssd-ldap

This Ansible Role installs and sets up sssd, nsswitch, pam, and sshd to manage user accounts using LDAP.

Currently tested on:

  • Ubuntu 18.04.2 LTS (Bionic Beaver)

Requirements

You need to provide some variables to connect to the LDAP server.

You can write the LDAP server login credentials in plain text, but it’s highly recommended to encrypt them with Ansible Vault so they are not stored in readable form.

    ldap_search_base: "cn=accounts,dc=example,dc=com"
    ldap_user_search_base: "cn=users,cn=accounts,dc=example,dc=com"
    ldap_group_search_base: "cn=groups,cn=accounts,dc=example,dc=com"
    ldap_pam_filter: "&(objectclass=posixAccount)(!(nsaccountlock=True))"
    ldap_bind_dn: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      ( ... )
    ldap_bind_pw: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      ( ... )
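
A pre-commit style check for the recommendation above, as an added example that is not part of the role: it flags `ldap_bind_dn` or `ldap_bind_pw` defined at the top level of a vars file without an inline `!vault` block. The function name, the sample inputs and the line-based matching are assumptions made for illustration.

```python
import re

# Variables the README shows protected with Ansible Vault.
SECRET_VARS = ("ldap_bind_dn", "ldap_bind_pw")
KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*)$")
# Matches "$ANSIBLE_VAULT;1.1;AES256" and the 1.2 form with a vault-id suffix.
VAULT_HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;AES256\b")


def find_plaintext_secrets(yaml_text, secret_vars=SECRET_VARS):
    """Return names of top-level secret variables that are not inline-vaulted.

    Line-based check: no YAML parsing or decryption, and variables nested
    under other keys (such as a play's vars:) are not inspected.
    """
    lines = yaml_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if not m or m.group(1) not in secret_vars:
            continue
        value = m.group(2).strip()
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # Vaulted means: a !vault tag, then an indented vault header line.
        vaulted = (
            value.startswith("!vault")
            and nxt.startswith(" ")
            and VAULT_HEADER_RE.match(nxt.strip()) is not None
        )
        if not vaulted:
            findings.append(m.group(1))
    return findings


# Constructed sample inputs; the hex payloads are placeholders, not ciphertext.
GOOD_VARS = """\
ldap_bind_dn: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  6162636465666768
ldap_bind_pw: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  3031323334353637
"""
BAD_VARS = """\
ldap_bind_dn: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  6162636465666768
ldap_bind_pw: "constructed-plaintext-password"
"""
```

Run over `group_vars` and `host_vars` files before commit, a non-empty result means a bind credential would be committed unencrypted.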

Other Role Variables

You can find available options in defaults/main.yml and templates/sssd.conf.j2.

The most important options are:

    use_sssd: true  # why would anyone want to change this?
    sssd_use_ssh_keys_from_ldap: true
    ldap_user_ssh_public_key: "ipaSshPubKey"

    sshd_AuthorizedKeysCommand: /usr/bin/sss_ssh_authorizedkeys
    sshd_AuthorizedKeysCommandUser: root

    sssd_create_homedir: true
    sssd_cache_credentials: true

Dependencies

None.

Example Playbook

    - hosts: servers
      roles:
        - role: weehal.sssd

License

BSD

Author Information

This role was created in 2019 by Michał 'warf' Łuczak

About the project

Install and configure sssd, pam and sshd to get user accounts from LDAP

Install

    ansible-galaxy install weehal.sssd

License

gpl-2.0