ipaclient_setup_sssd: Update and cleanup

ipaclient_setup_sssd is now using configure_sssd_conf from ipaclient/install/client.py instead. This simplified the module a lot and also adds more configuratino options for sssd. These are new config options supported by ipaclient_setup_sssd: ipaclient_no_sudo ipassd_fixed_primary ipassd_permit ipassd_enable_dns_updates ipassd_no_krb5_offline_passwords ipassd_preserve_sssd These variables have been added to ipaclient/defaults/main.yml.

ipaclient_setup_sssd: Update and cleanup
2983d4e7 · Thomas Woerner · c5ce7548 · 2983d4e7 · 2983d4e7 · 2983d4e7
Commit 2983d4e7 authored 6 years ago by Thomas Woerner
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -12,12 +12,18 @@ ipaclient_no_dns_lookup: no
 ipaclient_ssh_trust_dns: no
 ipaclient_no_ssh: no
 ipaclient_no_sshd: no
+ipaclient_no_sudo: no
 #ipaclient_no_dns_sshfp: no
 #ipaclient_force: no
 ipaclient_force_ntpd: no
 ipaclient_no_nisdomain: no
 ipaclient_configure_firefox: no
 ipahost_all_ip_addresses: no
+ipassd_fixed_primary: no
+ipassd_permit: no
+ipassd_enable_dns_updates: no
+ipassd_no_krb5_offline_passwords: no
+ipassd_preserve_sssd: no
 ### packages ###
 ipaclient_install_packages: yes
--- a/roles/ipaclient/library/ipaclient_setup_sssd.py
+++ b/roles/ipaclient/library/ipaclient_setup_sssd.py
@@ -30,10 +30,10 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = '''
 ---
-module: ipaclient_setup_sssd
+module: ipaclient_setup_ssd
-short description: Configure sssd for IPA client
+short description: Setup sssd for IPA client
 description:
-  Configure sssd for IPA client
+  Setup sssd for IPA client
 options:
  servers:
    description: The FQDN of the IPA servers to connect to.
@@ -48,27 +48,33 @@ options:
  hostname:
    description: The hostname of the machine to join (FQDN).
    required: true
-  services:
+  on_master:
-    description: The services that should be enabled in the ssd configuration.
+    description: Whether the configuration is done on the master or not.
-    required: true
-    type: list
-  krb5_offline_passwords:
-    description: Whether user passwords are stored when the server is offline.
    required: false
    type: bool
    default: no
-  on_master:
+  no_ssh:
-    description: Whether the configuration is done on the master or not.
+    description: Do not configure OpenSSH client
    required: false
    type: bool
    default: no
-  primary:
+  no_sshd:
-    description: Whether to use fixed server as primary IPA server.
+    description: Do not configure OpenSSH server
    required: false
    type: bool
    default: no
-  preserve_sssd:
+  no_sudo:
-    description: Preserve old SSSD configuration if possible.
+    description: Do not configure SSSD as data source for sudo
+    required: false
+    type: bool
+    default: no
+  all_ip_addresses:
+    description: All routable IP addresses configured on any interface will be added to DNS.
+    required: false
+    type: bool
+    default: no
+  fixed_primary:
+    description: Whether to use fixed server as primary IPA server.
    required: false
    type: bool
    default: no
@@ -77,13 +83,18 @@ options:
    required: false
    type: bool
    default: no
-  dns_updates:
+  enable_dns_updates:
    description: Configures the machine to attempt dns updates when the ip address changes.
    required: false
    type: bool
    default: no
-  all_ip_addresses:
+  preserve_sssd:
-    description: All routable IP addresses configured on any interface will be added to DNS.
+    description: Preserve old SSSD configuration if possible.
+    required: false
+    type: bool
+    default: no
+  no_krb5_offline_passwords:
+    description: Whether user passwords are stored when the server is offline.
    required: false
    type: bool
    default: no
@@ -98,32 +109,15 @@ EXAMPLES = '''
    domain: example.com
    realm: EXAMPLE.COM
    hostname: client1.example.com
-    services: ["ssh", "sudo"]
+    no_krb5_offline_passwords: yes
-    cache_credentials: yes
-    krb5_offline_passwords: yes
 '''
 RETURN = '''
 '''
-import os
-import sys
-import tempfile
-import SSSDConfig
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_client import *
-def sssd_enable_service(module, sssdconfig, service):
-    try:
-        sssdconfig.new_service(service)
-    except SSSDConfig.ServiceAlreadyExists:
-        pass
-    except SSSDConfig.ServiceNotRecognizedError:
-        module.fail_json(
-            msg="Unable to activate the %s service in SSSD config." % service)
-    sssdconfig.activate_service(service)
 def main():
    module = AnsibleModule(
        argument_spec = dict(
@@ -131,149 +125,54 @@ def main():
            domain=dict(required=True),
            realm=dict(required=True),
            hostname=dict(required=True),
-            services=dict(required=True, type='list'),
-            krb5_offline_passwords=dict(required=False, type='bool'),
            on_master=dict(required=False, type='bool'),
-            primary=dict(required=False, type='bool'),
+            no_ssh=dict(required=False, type='bool'),
-            preserve_sssd=dict(required=False, type='bool'),
+            no_sshd=dict(required=False, type='bool'),
-            permit=dict(required=False, type='bool'),
+            no_sudo=dict(required=False, type='bool'),
-            dns_updates=dict(required=False, type='bool'),
            all_ip_addresses=dict(required=False, type='bool'),
+            fixed_primary=dict(required=False, type='bool'),
+            permit=dict(required=False, type='bool'),
+            enable_dns_updates=dict(required=False, type='bool'),
+            preserve_sssd=dict(required=False, type='bool'),
+            no_krb5_offline_passwords=dict(required=False, type='bool'),
        ),
        supports_check_mode = True,
    )
+    #ansible_log = AnsibleModuleLog(module, logger)
+    #options.set_logger(ansible_log)
    module._ansible_debug = True
-    cli_servers = module.params.get('servers')
+    cli_server = module.params.get('servers')
    cli_domain = module.params.get('domain')
    cli_realm = module.params.get('realm')
-    client_hostname = module.params.get('hostname')
+    hostname = module.params.get('hostname')
-    services = module.params.get('services')
+    options.on_master = module.params.get('on_master')
-    krb5_offline_passwords = module.params.get('krb5_offline_passwords')
-    on_master = module.params.get('on_master')
+    options.no_ssh = module.params.get('no_ssh')
-    primary = module.params.get('primary')
+    options.conf_ssh = not options.no_ssh
-    preserve_sssd = module.params.get('preserve_sssd')
+    options.no_sshd = module.params.get('no_sshd')
-    permit = module.params.get('permit')
+    options.conf_sshd = not options.no_sshd
-    dns_updates = module.params.get('dns_updates')
+    options.no_sudo = module.params.get('no_sudo')
-    all_ip_addresses = module.params.get('all_ip_addresses')
+    options.conf_sudo = not options.no_sudo
+    options.all_ip_addresses = module.params.get('all_ip_addresses')
+    options.primary = module.params.get('fixed_primary')
+    options.permit = module.params.get('permit')
+    options.dns_updates = module.params.get('enable_dns_updates')
+    options.preserve_sssd = module.params.get('preserve_sssd')
+    options.no_krb5_offline_passwords = module.params.get(
+        'krb5_offline_passwords')
+    options.krb5_offline_passwords = not options.no_krb5_offline_passwords
    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
-    client_domain = client_hostname[client_hostname.find(".")+1:]
+    client_domain = hostname[hostname.find(".")+1:]
-    try:
-        sssdconfig = SSSDConfig.SSSDConfig()
-        sssdconfig.import_config()
-    except Exception as e:
-        if os.path.exists(paths.SSSD_CONF) and preserve_sssd:
-            # SSSD config is in place but we are unable to read it
-            # In addition, we are instructed to preserve it
-            # This all means we can't use it and have to bail out
-            module.fail_json(
-                msg="SSSD config exists but cannot be parsed: %s" % str(e))
-        # SSSD configuration does not exist or we are not asked to preserve it,
-        # create new one
-        # We do make new SSSDConfig instance because IPAChangeConf-derived
-        # classes have no means to reset their state and ParseError exception
-        # could come due to parsing error from older version which cannot be
-        # upgraded anymore, leaving sssdconfig instance practically unusable
-        # Note that we already backed up sssd.conf before going into this
-        # routine
-        if isinstance(e, IOError):
-            pass
-        else:
-            # It was not IOError so it must have been parsing error
-            module.fail_json(msg="Unable to parse existing SSSD config.")
-        module.log("New SSSD config will be created")
-        sssdconfig = SSSDConfig.SSSDConfig()
-        sssdconfig.new_config()
-    try:
-        domain = sssdconfig.new_domain(cli_domain)
-    except SSSDConfig.DomainAlreadyExistsError:
-        module.log("Domain %s is already configured in existing SSSD "
-                   "config, creating a new one." % cli_domain)
-        sssdconfig = SSSDConfig.SSSDConfig()
-        sssdconfig.new_config()
-        domain = sssdconfig.new_domain(cli_domain)
-    if on_master:
-        sssd_enable_service(module, sssdconfig, 'ifp')
-    if (("ssh" in services and os.path.isfile(paths.SSH_CONFIG)) or
-        ("sshd" in services and os.path.isfile(paths.SSHD_CONFIG))):
-        sssd_enable_service(module, sssdconfig, 'ssh')
-    if "sudo" in services:
-        sssd_enable_service(module, sssdconfig, 'sudo')
-        configure_nsswitch_database(fstore, 'sudoers', ['sss'],
-                                    default_value=['files'])
-    domain.add_provider('ipa', 'id')
-    # add discovery domain if client domain different from server domain
-    # do not set this config in server mode (#3947)
-    if not on_master and cli_domain != client_domain:
-        domain.set_option('dns_discovery_domain', cli_domain)
-    if not on_master:
-        if primary:
-            domain.set_option('ipa_server', ', '.join(cli_servers))
-        else:
-            domain.set_option('ipa_server',
-                              '_srv_, %s' % ', '.join(cli_servers))
-    else:
-        domain.set_option('ipa_server_mode', 'True')
-        # the master should only use itself for Kerberos
-        domain.set_option('ipa_server', cli_servers[0])
-        # increase memcache timeout to 10 minutes when in server mode
-        try:
-            nss_service = sssdconfig.get_service('nss')
-        except SSSDConfig.NoServiceError:
-            nss_service = sssdconfig.new_service('nss')
-        nss_service.set_option('memcache_timeout', 600)
-        sssdconfig.save_service(nss_service)
-    domain.set_option('ipa_domain', cli_domain)
-    domain.set_option('ipa_hostname', client_hostname)
-    if cli_domain.lower() != cli_realm.lower():
-        domain.set_option('krb5_realm', cli_realm)
-    # Might need this if /bin/hostname doesn't return a FQDN
-    # domain.set_option('ipa_hostname', 'client.example.com')
-    domain.add_provider('ipa', 'auth')
-    domain.add_provider('ipa', 'chpass')
-    if not permit:
-        domain.add_provider('ipa', 'access')
-    else:
-        domain.add_provider('permit', 'access')
-    domain.set_option('cache_credentials', True)
-    # SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
-    # Note that SSSD will force StartTLS because the channel is later used for
-    # authentication as well if password migration is enabled. Thus set
-    # the option unconditionally.
-    domain.set_option('ldap_tls_cacert', paths.IPA_CA_CRT)
-    if dns_updates:
-        domain.set_option('dyndns_update', True)
-        if all_ip_addresses:
-            domain.set_option('dyndns_iface', '*')
-        else:
-            iface = get_server_connection_interface(cli_servers[0])
-            domain.set_option('dyndns_iface', iface)
-    if krb5_offline_passwords:
-        domain.set_option('krb5_store_password_if_offline', True)
-    domain.set_active(True)
-    sssdconfig.save_domain(domain)
+    if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
-    sssdconfig.write(paths.SSSD_CONF)
+                           options, client_domain, hostname):
+        module.fail_json("configure_sssd_conf failed")
+    logger.info("Configured /etc/sssd/sssd.conf")
    module.exit_json(changed=True)

--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -216,13 +216,17 @@
      domain: "{{ result_ipaclient_test.domain }}"
      realm: "{{ result_ipaclient_test.realm }}"
      hostname: "{{ result_ipaclient_test.hostname }}"
-      services: ["ssh", "sudo"]
-      krb5_offline_passwords: yes
      on_master: "{{ ipaclient_on_master }}"
-      #primary: no
+      no_ssh: "{{ ipaclient_no_ssh }}"
-      #permit: no
+      no_sshd: "{{ ipaclient_no_sshd }}"
-      #dns_updates: no
+      no_sudo: "{{ ipaclient_no_sudo }}"
-      #all_ip_addresses: no
+      all_ip_addresses: "{{ ipahost_all_ip_addresses }}"
+      fixed_primary: "{{ ipassd_fixed_primary }}"
+      permit: "{{ ipassd_permit }}"
+      enable_dns_updates: "{{ ipassd_enable_dns_updates }}"
+      preserve_sssd: "{{ ipassd_preserve_sssd }}"
+      no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}"
  - name: Install - Configure krb5 for IPA realm "{{ result_ipaclient_test.realm }} <= 4.4"
    include_role: