diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
index 581302fa9b80..c193c9617278 100644
--- a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
@@ -5,17 +5,21 @@
 # disruption = medium
 {{{ ansible_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}
-- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) }}}
+
+- name: Ensure that "certificate_verification" is not set in {{{ sssd_conf }}}
   community.general.ini_file:
-    path: /etc/sssd/sssd.conf
+    path: {{{ sssd_conf }}}
     section: sssd
     option: certificate_verification
     state: absent
     mode: 0600
-- name: 'Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf'
+- name: 'Ensure that "certificate_verification" is not set in {{{ sssd_conf_dir }}}/*.conf'
   community.general.ini_file:
-    path: /etc/sssd/conf.d/*.conf
+    path: {{{ sssd_conf_dir }}}/*.conf
     section: sssd
     option: certificate_verification
     state: absent
@@ -23,7 +27,7 @@
 - name: Ensure that "certificate_verification" is set
   community.general.ini_file:
-    path: /etc/sssd/conf.d/certificate_verification.conf
+    path: {{{ sssd_conf_dir }}}/certificate_verification.conf
     section: sssd
     option: certificate_verification
     value: "ocsp_dgst={{ var_sssd_certificate_verification_digest_function }}"
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
index 702a592e1e0b..307a26cec9b7 100644
--- a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
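Review bot: The cleanup task for the drop-in directory still passes a literal glob, `path: {{{ sssd_conf_dir }}}/*.conf`, and `community.general.ini_file` does not expand globs, so a `certificate_verification` left in an existing `/etc/sssd/conf.d` file is never removed, and — if I read sssd's snippet precedence correctly (conf.d files override sssd.conf, later names override earlier ones) — a drop-in sorting after `certificate_verification.conf` keeps winning over the value this rule writes. The bash variant has no such gap because `bash_ensure_ini_config` lets the shell expand `$SSSD_CONF_DIR/*.conf`, so the two remediations are not equivalent. Enumerating the drop-ins with `ansible.builtin.find`, as sssd_enable_pam_services already does, and looping the absent task over `item.path` closes it.
```yaml
- name: Find drop-in files in {{{ sssd_conf_dir }}}
  ansible.builtin.find:
    paths: "{{{ sssd_conf_dir }}}"
    patterns: "*.conf"
  register: sssd_conf_d_files

- name: 'Ensure that "certificate_verification" is not set in {{{ sssd_conf_dir }}}/*.conf'
  community.general.ini_file:
    path: "{{ item.path }}"
    section: sssd
    option: certificate_verification
    state: absent
    mode: 0600
  loop: "{{ sssd_conf_d_files.files }}"
# … unchanged: task writing certificate_verification.conf …
```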
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
@@ -11,8 +11,12 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
-MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf"
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_domain("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
-{{{ bash_ensure_ini_config("$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "sssd", "certificate_verification", "ocsp_dgst=$var_sssd_certificate_verification_digest_function") }}}
+MAIN_CONF="$SSSD_CONF_DIR/certificate_verification.conf"
+
+{{{ bash_ensure_ini_config("$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf", "sssd", "certificate_verification", "ocsp_dgst=$var_sssd_certificate_verification_digest_function") }}}
 umask $OLD_UMASK
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml
index 15554ace343a..63daad1ddc02 100644
--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml
@@ -4,14 +4,18 @@
 # complexity = low
 # disruption = medium
-- name: {{{ rule_title }}} - Find all the conf files inside the /etc/sssd/conf.d/ directory
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) }}}
+
+- name: {{{ rule_title }}} - Find all the conf files inside the {{{ sssd_conf_dir }}} directory
   ansible.builtin.find:
     paths:
-      - "/etc/sssd/conf.d/"
+      - "{{{ sssd_conf_dir }}}"
     patterns: "*.conf"
   register: sssd_conf_d_files
-- name: {{{ rule_title }}} - Modify lines in files in the /etc/sssd/conf.d/ directory
+- name: {{{ rule_title }}} - Modify lines in files in the {{{ sssd_conf_dir }}} directory
   ansible.builtin.replace:
     path: "{{ item }}"
     regexp: '^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$'
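Review bot: Calling `bash_sssd_ensure_default_domain` at the top turns this remediation into one that can create `/etc/sssd/sssd.conf` and a local `[domain/default]` (files or proxy provider) whenever no `[domain/...]` section exists, i.e. it changes which identity source sssd serves rather than only the `certificate_verification` value, and nothing in the hunk says so. A comment above the call would make that explicit: `# sssd refuses to start without an enabled domain; create a local default one so the setting below can take effect`. The Ansible remediation for this rule gains the same side effect, and the rule description or a warning (outside this diff) should presumably mention it.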
@@ -20,22 +24,22 @@
   register: modify_lines_sssd_conf_d_files
   when: sssd_conf_d_files.matched is defined and sssd_conf_d_files.matched >= 1
-- name: {{{ rule_title }}} - Find /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Find {{{ sssd_conf }}}
   ansible.builtin.stat:
-    path: /etc/sssd/sssd.conf
+    path: {{{ sssd_conf }}}
   register: sssd_conf_file
-- name: {{{ rule_title }}} - Modify lines in /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Modify lines in {{{ sssd_conf }}}
   ansible.builtin.replace:
-    path: "/etc/sssd/sssd.conf"
+    path: "{{{ sssd_conf }}}"
     regexp: '^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$'
     replace: '\1,pam'
   register: modify_lines_sssd_conf_file
   when: sssd_conf_file.stat.exists
-- name: {{{ rule_title }}} - Find services key in /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Find services key in {{{ sssd_conf }}}
   ansible.builtin.replace:
-    path: "/etc/sssd/sssd.conf"
+    path: "{{{ sssd_conf }}}"
     regexp: '^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+'
     replace: ''
   changed_when: false
@@ -43,9 +47,9 @@
   register: sssd_conf_file_services
   when: sssd_conf_file.stat.exists
-- name: {{{ rule_title }}} - Insert entry to /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Insert entry to {{{ sssd_conf }}}
   community.general.ini_file:
-    path: /etc/sssd/sssd.conf
+    path: {{{ sssd_conf }}}
     section: sssd
     option: services
     value: pam
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh
index 51e6b835d6ac..1557eaa4b459 100644
--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh
@@ -8,16 +8,13 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
 SSSD_CONF="/etc/sssd/sssd.conf"
-SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_domain("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
-if [ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]; then
-    mkdir -p /etc/sssd
-    touch "$SSSD_CONF"
-fi
 # Flag to check if there is already services with pam
 service_already_exist=false
-for f in $SSSD_CONF $SSSD_CONF_DIR; do
+for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do
     if [ ! -e "$f" ]; then
         continue
     fi
@@ -39,7 +36,7 @@ done
 # If there was no service in [sssd], add it to first config
 if [ "$service_already_exist" = false ]; then
-    for f in $SSSD_CONF $SSSD_CONF_DIR; do
+    for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do
         cat << EOF >> "$f"
[sssd]
services = pam
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
index f4aad1aa1138..00f92124163a 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
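Review bot: In the second hunk the fallback still appends a fresh `[sssd]` header with `services = pam`, but on a host that had no sssd.conf the macro call added at the top has just written `[sssd]` / `domains = default` to the same file, so unless the part of the loop outside the hunk already inserts the key, the fresh-install path now yields two `[sssd]` sections; whether sssd's ini parser merges them or honours only one I cannot confirm from here. Inserting the key under an existing header and keeping the heredoc only for the no-header case avoids the duplicate. The loop body between the two hunks and the end of this `for` loop are outside the hunk.
```bash
    for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do
        if grep -q '^[[:space:]]*\[sssd\]' "$f"; then
            # an [sssd] header already exists (the default-domain macro writes one): hang the key under it
            sed -i '0,/^[[:space:]]*\[sssd\]/s/^[[:space:]]*\[sssd\]/&\nservices = pam/' "$f"
        else
            cat << EOF >> "$f"
[sssd]
services = pam
EOF
        fi
        # … unchanged: rest of the loop body …
```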
@@ -3,44 +3,26 @@
 # strategy = configure
 # complexity = low
 # disruption = medium
-- name: "Test for domain group"
-  ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
-  register: test_grep_domain
-  failed_when: false
-  changed_when: False
-  check_mode: no
-
-- name: "Add default domain group (if no domain there)"
-  community.general.ini_file:
-    path: /etc/sssd/sssd.conf
-    section: "{{ item.section }}"
-    option: "{{ item.option }}"
-    value: "{{ item.value }}"
-    create: yes
-    mode: 0600
-  with_items:
-    - { section: sssd, option: domains, value: default}
-    - { section: domain/default, option: id_provider, value: files }
-  when:
-    - test_grep_domain.stdout is defined
-    - test_grep_domain.stdout | length < 1
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) }}}
 - name: "Enable Smartcards in SSSD"
   community.general.ini_file:
-    dest: /etc/sssd/sssd.conf
+    dest: {{{ sssd_conf }}}
     section: pam
     option: pam_cert_auth
     value: 'True'
     create: yes
     mode: 0600
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside {{{ sssd_conf_dir }}}
   ansible.builtin.find:
-    paths: "/etc/sssd/conf.d/"
+    paths: "{{{ sssd_conf_dir }}}"
     patterns: "*.conf"
   register: sssd_conf_d_files
-- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d/
+- name: Fix pam_cert_auth configuration in {{{ sssd_conf_dir }}}
   ansible.builtin.replace:
     path: "{{ item.path }}"
     regexp: '[^#]*pam_cert_auth.*'
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh
index 604cc82302c9..f8ab3fd23a79 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh
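Review bot: The "Enable Smartcards in SSSD" task keeps `dest: {{{ sssd_conf }}}` while every other `ini_file` task this commit touches (sssd_certificate_verification, sssd_enable_pam_services, the new `ansible_sssd_ensure_default_domain` macro) uses `path:`; `dest` is only an alias in `community.general.ini_file`, so this is a consistency point, but `path: {{{ sssd_conf }}}` would read the same everywhere. The same alias survives in sssd_memcache_timeout, sssd_offline_cred_expiration and sssd_ssh_known_hosts_timeout. While touching the line, a quoted `mode: "0600"` would also stop relying on the YAML parser treating the leading zero as octal.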
@@ -9,7 +9,11 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
-{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "pam", "pam_cert_auth", "True") }}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_domain("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+
+{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "pam", "pam_cert_auth", "True") }}}
 umask $OLD_UMASK
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh
index 0b3d08ccae84..ef8b70ec73d6 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh
@@ -2,6 +2,10 @@
 # packages = sssd
 # platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu
+{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}}
+authselect select sssd --force
+{{% endif %}}
+
 SSSD_FILE="/etc/sssd/sssd.conf"
 echo "[pam]" > $SSSD_FILE
 echo "pam_cert_auth = False" >> $SSSD_FILE
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh
index 440a5ce07a74..09f30744a7f9 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh
@@ -2,5 +2,9 @@
 # packages = sssd
 # platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu
+{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}}
+authselect select sssd --force
+{{% endif %}}
+
 SSSD_FILE="/etc/sssd/sssd.conf"
 echo "[pam]" > $SSSD_FILE
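Review bot: In sssd_parameter_false.fail.sh the new guard `{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}}` can only be true for fedora, because the `# platform` header two lines above still lists `multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu` and no RHEL, OL8 or OL9 entry; sssd_parameter_missing.fail.sh has the same mismatch. Either the platform header gains the products the guard names or the guard shrinks to what the header allows, otherwise the `authselect select sssd --force` line is dead on every listed product but Fedora. A short comment above the call, e.g. `# switch the test host to the sssd authselect profile (--force overwrites any existing PAM config)`, would also tell the next reader why the test forces a profile change at all.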
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh
index 7b93f6c17f03..566dd7911a9c 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh
@@ -2,5 +2,9 @@
 # packages = sssd
 # platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu
+{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}}
+authselect select sssd --force
+{{% endif %}}
+
 SSSD_FILE="/etc/sssd/sssd.conf"
 rm -f $SSSD_FILE
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh
index 825939c31846..f4121a49cdbc 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh
@@ -5,3 +5,9 @@
 SSSD_FILE="/etc/sssd/sssd.conf"
 echo "[pam]" > $SSSD_FILE
 echo "pam_cert_auth = True" >> $SSSD_FILE
+
+{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}}
+authselect select sssd --force
+authselect enable-feature with-smartcard
+authselect apply-changes
+{{% endif %}}
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index 06a314e4eabe..81a6c7693f0d 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -5,31 +5,13 @@
 # disruption = medium
 {{{ ansible_instantiate_variables("var_sssd_memcache_timeout") }}}
-- name: "Test for domain group"
-  ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
-  register: test_grep_domain
-  failed_when: false
-  changed_when: False
-  check_mode: no
-
-- name: "Add default domain group (if no domain there)"
-  community.general.ini_file:
-    path: /etc/sssd/sssd.conf
-    section: "{{ item.section }}"
-    option: "{{ item.option }}"
-    value: "{{ item.value }}"
-    create: yes
-    mode: 0600
-  with_items:
-    - { section: sssd, option: domains, value: default}
-    - { section: domain/default, option: id_provider, value: files }
-  when:
-    - test_grep_domain.stdout is defined
-    - test_grep_domain.stdout | length < 1
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) }}}
 - name: "Configure SSSD's Memory Cache to Expire"
   community.general.ini_file:
-    dest: /etc/sssd/sssd.conf
+    dest: {{{ sssd_conf }}}
     section: nss
     option: memcache_timeout
     value: "{{ var_sssd_memcache_timeout }}"
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
index 0399c1e6b87b..26e23766456d 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
@@ -7,6 +7,10 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
-{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "nss", "memcache_timeout", "$var_sssd_memcache_timeout") }}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_domain("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+
+{{{ bash_ensure_ini_config("$SSSD_CONF", "nss", "memcache_timeout", "$var_sssd_memcache_timeout") }}}
 umask $OLD_UMASK
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
index 2e033c641f34..f4788cd04ded 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -3,44 +3,26 @@
 # strategy = configure
 # complexity = low
 # disruption = medium
-- name: "Test for domain group"
-  ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
-  register: test_grep_domain
-  failed_when: false
-  changed_when: False
-  check_mode: no
-
-- name: "Add default domain group (if no domain there)"
-  community.general.ini_file:
-    path: /etc/sssd/sssd.conf
-    section: "{{ item.section }}"
-    option: "{{ item.option }}"
-    value: "{{ item.value }}"
-    create: yes
-    mode: 0600
-  with_items:
-    - { section: sssd, option: domains, value: default}
-    - { section: domain/default, option: id_provider, value: files }
-  when:
-    - test_grep_domain.stdout is defined
-    - test_grep_domain.stdout | length < 1
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) }}}
 - name: "Configure SSD to Expire Offline Credentials"
   community.general.ini_file:
-    dest: /etc/sssd/sssd.conf
+    dest: {{{ sssd_conf }}}
     section: pam
     option: offline_credentials_expiration
     value: 1
     create: yes
     mode: 0600
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside {{{ sssd_conf_dir }}}
   ansible.builtin.find:
-    paths: "/etc/sssd/conf.d/"
+    paths: "{{{ sssd_conf_dir }}}"
     patterns: "*.conf"
   register: sssd_conf_d_files
-- name: Fix offline_credentials_expiration configuration in /etc/sssd/conf.d/
+- name: Fix offline_credentials_expiration configuration in {{{ sssd_conf_dir }}}
   ansible.builtin.replace:
     path: "{{ item.path }}"
     regexp: '[^#]*offline_credentials_expiration.*'
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh
index 56f331125679..6b685df6d04e 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh
@@ -9,6 +9,10 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
-{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "pam", "offline_credentials_expiration", "1") }}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_domain("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+
+{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "pam", "offline_credentials_expiration", "1") }}}
 umask $OLD_UMASK
diff --git a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh
index 4c619f87c82c..9cc42537bf7b 100644
--- a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh
@@ -1,12 +1,16 @@
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
-MAIN_CONF="/etc/sssd/conf.d/ospp.conf"
-
 # sssd configuration files must be created with 600 permissions if they don't exist
 # otherwise the sssd module fails to start
 OLD_UMASK=$(umask)
 umask u=rw,go=
-{{{ bash_ensure_ini_config("$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "sssd", "user", "sssd") }}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_domain("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+
+MAIN_CONF="$SSSD_CONF_DIR/ospp.conf"
+
+{{{ bash_ensure_ini_config("$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf", "sssd", "user", "sssd") }}}
 umask $OLD_UMASK
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index e0ac1cb3a92b..2d6d426c7053 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -5,31 +5,13 @@
 # disruption = medium
 {{{ ansible_instantiate_variables("var_sssd_ssh_known_hosts_timeout") }}}
-- name: "Test for domain group"
-  ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
-  register: test_grep_domain
-  failed_when: false
-  changed_when: False
-  check_mode: no
-
-- name: "Add default domain group (if no domain there)"
-  community.general.ini_file:
-    path: /etc/sssd/sssd.conf
-    section: "{{ item.section }}"
-    option: "{{ item.option }}"
-    value: "{{ item.value }}"
-    create: yes
-    mode: 0600
-  with_items:
-    - { section: sssd, option: domains, value: default}
-    - { section: domain/default, option: id_provider, value: files }
-  when:
-    - test_grep_domain.stdout is defined
-    - test_grep_domain.stdout | length < 1
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) }}}
 - name: "Configure SSSD to Expire SSH Known Hosts"
   community.general.ini_file:
-    dest: /etc/sssd/sssd.conf
+    dest: {{{ sssd_conf }}}
     section: ssh
     option: ssh_known_hosts_timeout
     value: "{{ var_sssd_ssh_known_hosts_timeout }}"
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
index 01254fa6f799..5ab47f37bb79 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
@@ -7,6 +7,10 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
-{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "ssh", "ssh_known_hosts_timeout", "$var_sssd_ssh_known_hosts_timeout") }}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_domain("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+
+{{{ bash_ensure_ini_config("$SSSD_CONF", "ssh", "ssh_known_hosts_timeout", "$var_sssd_ssh_known_hosts_timeout") }}}
 umask $OLD_UMASK
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 4ef924893f5f..dc66775e7892 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -806,6 +806,56 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 {{%- endmacro %}}
+{{#
+    Ensure a default domain is configured in sssd.conf so that sssd can start.
+    Without at least one enabled domain, sssd exits with "No domain is enabled".
+    Expects sssd_conf and sssd_conf_dir Jinja variables to be defined by the caller
+    via {{% set sssd_conf = "..." %}} and {{% set sssd_conf_dir = "..." %}}.
+
+:param sssd_conf: Path to the main sssd configuration file
+:type sssd_conf: str
+:param sssd_conf_dir: Path to the sssd conf.d drop-in directory
+:type sssd_conf_dir: str
+#}}
+{{% macro ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) -%}}
+- name: "Test for domain group in main config"
+  ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' {{{ sssd_conf }}}
+  register: test_grep_domain
+  failed_when: false
+  changed_when: false
+  check_mode: no
+
+- name: "Test for domain group in conf.d"
+  ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' {{{ sssd_conf_dir }}}/*.conf 2>/dev/null
+  register: test_grep_domain_conf_d
+  failed_when: false
+  changed_when: false
+  check_mode: no
+
+- name: "Add default domain group (if no domain there)"
+  community.general.ini_file:
+    path: {{{ sssd_conf }}}
+    section: "{{ item.section }}"
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    create: yes
+    mode: 0600
+  with_items:
+    - { section: sssd, option: domains, value: default}
+{{% if ('rhel' in product or 'ol' in families) and product not in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+    - { section: domain/default, option: id_provider, value: proxy }
+    - { section: domain/default, option: proxy_lib_name, value: files }
+{{% else %}}
+    - { section: domain/default, option: id_provider, value: files }
+{{% endif %}}
+  when:
+    - test_grep_domain.stdout is defined
+    - test_grep_domain.stdout | length < 1
+    - test_grep_domain_conf_d.stdout is defined
+    - test_grep_domain_conf_d.stdout | length < 1
+{{%- endmacro %}}
+
+
 {{% macro ansible_ini_file_set(filename, section, key, value, description="", no_extra_spaces=False) -%}}
 - name: "{{{ description if description else ("Set '" + key + "' to '" + value + "' in the [" + section + "] section of '" + filename + "'") }}}"
   community.general.ini_file:
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 49ad72ecbb40..ff228c0a1d72 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -1515,6 +1515,46 @@ done
 {{%- endmacro %}}
+{{#
+    Ensure a default domain is configured in sssd.conf so that sssd can start.
+    Without at least one enabled domain, sssd exits with "No domain is enabled".
+    Must be called inside a umask block (umask u=rw,go=) set by the caller.
+
+:param sssd_conf: Shell variable referencing the main sssd configuration file (e.g. "$SSSD_CONF")
+:type sssd_conf: str
+:param sssd_conf_dir: Shell variable referencing the sssd conf.d drop-in directory (e.g. "$SSSD_CONF_DIR")
+:type sssd_conf_dir: str
+#}}
+{{% macro bash_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) -%}}
+mkdir -p "$(dirname "{{{ sssd_conf }}}")"
+if [ ! -f "{{{ sssd_conf }}}" ]; then
+    touch "{{{ sssd_conf }}}"
+fi
+if ! grep -qsrP '^\s*\[domain/' "{{{ sssd_conf }}}" "{{{ sssd_conf_dir }}}"/*.conf 2>/dev/null; then
+{{% if ('rhel' in product or 'ol' in families) and product not in ['ol8', 'ol9', 'rhel8', 'rhel9'] -%}}
+    cat >> "{{{ sssd_conf }}}" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = proxy
+proxy_lib_name = files
+EOF
+{{% else -%}}
+    cat >> "{{{ sssd_conf }}}" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+{{% endif -%}}
+fi
+{{%- endmacro %}}
+
+
 {{#
 Check whether or not a package is installed.
 #}}
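Review bot: The `{{% else %}}` branch of `ansible_sssd_ensure_default_domain` writes `id_provider: files` for every product other than RHEL/OL newer than 8/9, but upstream sssd dropped the files provider in 2.10, so a product carrying that release (current Fedora, presumably) would still get a domain sssd cannot load — the very "No domain is enabled" failure the header comment says the macro prevents. Keying the branch on the installed sssd version, or defaulting to `proxy` + `proxy_lib_name: files` and enumerating only the releases known to still ship the files provider, would be more robust. The docstring also says the macro "Expects sssd_conf and sssd_conf_dir Jinja variables to be defined by the caller", which contradicts its explicit parameters; I would replace that sentence with a note that the `[sssd] domains = default` entry is written through `ini_file` and therefore overwrites an existing `domains =` value whose `[domain/...]` sections are missing.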
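Review bot: `bash_sssd_ensure_default_domain` appends a new `[sssd]` header through the heredoc without checking whether `sssd.conf` already has one — the guard only greps for `[domain/` — so a file that already carries `[sssd]` (for example with `services =`) ends up with two `[sssd]` sections and possibly two `domains =` keys, whereas the Ansible twin goes through `ini_file` and keeps a single section. Adding `domains = default` under the existing header when one is present, and writing the whole block only otherwise, keeps the two remediations equivalent. Separately, `mkdir -p "$(dirname ...)"` runs under the caller's `umask u=rw,go=`, so a missing `/etc/sssd` would be created 0600 without the search bit; `mkdir -p -m 0700` sidesteps the umask (whether 0700 matches what the sssd package ships for that directory is worth confirming).
```bash
mkdir -p -m 0700 "$(dirname "{{{ sssd_conf }}}")"
if [ ! -f "{{{ sssd_conf }}}" ]; then
    touch "{{{ sssd_conf }}}"
fi
if ! grep -qsrP '^\s*\[domain/' "{{{ sssd_conf }}}" "{{{ sssd_conf_dir }}}"/*.conf 2>/dev/null; then
    if grep -q '^[[:space:]]*\[sssd\]' "{{{ sssd_conf }}}"; then
        # [sssd] already exists: drop any stale domains= line and hang the new one under the first header
        sed -i -e '/^[[:space:]]*domains[[:blank:]]*=/d' \
               -e '0,/^[[:space:]]*\[sssd\]/s/^[[:space:]]*\[sssd\]/&\ndomains = default/' "{{{ sssd_conf }}}"
    else
        printf '\n[sssd]\ndomains = default\n' >> "{{{ sssd_conf }}}"
    fi
    # … unchanged: product-specific [domain/default] heredoc, minus its [sssd] lines …
fi
```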
@@ -2279,13 +2319,14 @@ for f in $(echo -n "{{{ files }}}"); do
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[{{{ section }}}\]([^\n\[]*\n+)+?[[:space:]]*{{{ key }}}" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*{{{ key }}}[[:space:]]*=[[:space:]]*{{{ value }}}" "$f"; then
 {{% if no_quotes %}}
             sed -i "/^[[:space:]]*{{{ key }}}/s/\([[:blank:]]*=[[:blank:]]*\).*/\1{{{ value | replace("/", "\/") }}}/" "$f"
 {{% else %}}
             sed -i '/^[[:space:]]*{{{ key }}}/s/\([[:blank:]]*=[[:blank:]]*\).*/\1"{{{ value | replace("/", "\/") }}}"/' "$f"
 {{% endif %}}
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*{{{ key }}}[[:blank:]]*=/b; /^[[:space:]]*{{{ key }}}[[:blank:]]*=/d' "$f"
         found=true