From 2b0b7db0864e9b8f0967e19f0e6c374749c3f933 Mon Sep 17 00:00:00 2001
From: Denis Karpelevich <dkarpele@redhat.com>
Date: Mon, 7 Nov 2022 23:07:59 +0100
Subject: [PATCH] Add subid option to select the sssd profile with-subid.

This is an ansible-freeipa update for the freeipa RFE:
https://pagure.io/freeipa/issue/9159
"`ipa-client-install` should provide option to enable `subid: sss`
in `/etc/nsswitch.conf`".

This option allows configuring authselect with the sssd
profile + with-subid feature, in order to have SSSD setup as
a datasource for subid in /etc/nsswitch.conf.

The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files

Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
---
 roles/ipaclient/README.md                     |  1 +
 roles/ipaclient/defaults/main.yml             |  1 +
 .../ipaclient/library/ipaclient_setup_nss.py  | 28 +++++++++++--------
 roles/ipaclient/tasks/install.yml             |  1 +
 roles/ipareplica/README.md                    |  1 +
 roles/ipaserver/README.md                     |  1 +
 6 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/roles/ipaclient/README.md b/roles/ipaclient/README.md
index 9f3e733a..5a8fff83 100644
--- a/roles/ipaclient/README.md
+++ b/roles/ipaclient/README.md
@@ -183,6 +183,7 @@ Variable | Description | Required
 `ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. `ipaclient_no_ssh` defaults to `no`. | no
 `ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. `ipaclient_no_sshd` defaults to `no`. | no
 `ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. `ipaclient_no_sudo` defaults to `no`. | no
+`ipaclient_subid` | The bool value defines if SSSD will be configured as a data source for subid. `ipaclient_subid` defaults to `no`. | no
 `ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. `ipaclient_no_dns_sshfp` defaults to `no`. | no
 `ipaclient_force` | The bool value defines if settings will be forced even in the error case. `ipaclient_force` defaults to `no`. | no
 `ipaclient_force_ntpd` | The bool value defines if ntpd usage will be forced. This is not supported anymore and leads to a warning. `ipaclient_force_ntpd` defaults to `no`. | no
diff --git a/roles/ipaclient/defaults/main.yml b/roles/ipaclient/defaults/main.yml
index 3b13d11b..b6e912f2 100644
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -13,6 +13,7 @@ ipaclient_ssh_trust_dns: no
 ipaclient_no_ssh: no
 ipaclient_no_sshd: no
 ipaclient_no_sudo: no
+ipaclient_subid: no
 ipaclient_no_dns_sshfp: no
 ipaclient_force: no
 ipaclient_force_ntpd: no
diff --git a/roles/ipaclient/library/ipaclient_setup_nss.py b/roles/ipaclient/library/ipaclient_setup_nss.py
index 3dc0dccb..a1430583 100644
--- a/roles/ipaclient/library/ipaclient_setup_nss.py
+++ b/roles/ipaclient/library/ipaclient_setup_nss.py
@@ -125,6 +125,10 @@ options:
     description: Do not configure SSSD as data source for sudo
     type: bool
     required: no
+  subid:
+    description: Configure SSSD as data source for subid
+    type: bool
+    required: no
   fixed_primary:
     description: Configure sssd to use fixed server as primary IPA server
     type: bool
@@ -208,6 +212,7 @@ def main():
             no_ssh=dict(required=False, type='bool'),
             no_sshd=dict(required=False, type='bool'),
             no_sudo=dict(required=False, type='bool'),
+            subid=dict(required=False, type='bool'),
             fixed_primary=dict(required=False, type='bool'),
             permit=dict(required=False, type='bool'),
             no_krb5_offline_passwords=dict(required=False, type='bool'),
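Review bot: The new `subid` argspec entry has no `default`, so `module.params.get('subid')` is `None` rather than `False` when a caller omits it, and that `None` is what ends up being forwarded as the `subid=` keyword later in the module. The role always supplies the value from `ipaclient_subid`, so this only matters for direct use of the module, but the other options in this argspec follow the same pattern, which is what keeps the `conf_sudo = not options.no_sudo` style working; for a positive opt-in flag like this one an explicit `subid=dict(required=False, type='bool', default=False)` makes the forwarded value a real bool. Whether `None` is accepted by the downstream function cannot be confirmed from this hunk. The enclosing `main()` starts and ends outside the hunk.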
@@ -251,6 +256,7 @@ def main():
     options.conf_sshd = not options.no_sshd
     options.no_sudo = module.params.get('no_sudo')
     options.conf_sudo = not options.no_sudo
+    options.subid = module.params.get('subid')
     options.primary = module.params.get('fixed_primary')
     options.permit = module.params.get('permit')
     options.no_krb5_offline_passwords = module.params.get(
@@ -430,19 +436,17 @@ def main():
             # Modify nsswitch/pam stack
             # pylint: disable=deprecated-method
             argspec = getargspec(tasks.modify_nsswitch_pam_stack)
+            the_options = {
+                "sssd": options.sssd,
+                "mkhomedir": options.mkhomedir,
+                "statestore": statestore,
+            }
             if "sudo" in argspec.args:
-                tasks.modify_nsswitch_pam_stack(
-                    sssd=options.sssd,
-                    mkhomedir=options.mkhomedir,
-                    statestore=statestore,
-                    sudo=options.conf_sudo
-                )
-            else:
-                tasks.modify_nsswitch_pam_stack(
-                    sssd=options.sssd,
-                    mkhomedir=options.mkhomedir,
-                    statestore=statestore
-                )
+                the_options["sudo"] = options.conf_sudo
+            if "subid" in argspec.args:
+                the_options["subid"] = options.subid
+
+            tasks.modify_nsswitch_pam_stack(**the_options)
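Review bot: When the installed freeipa's `modify_nsswitch_pam_stack` has no `subid` parameter, a user who set `subid: yes` gets no error and `/etc/nsswitch.conf` silently keeps `subid: files`, which is exactly the configuration drift an operator enabling the option is trying to avoid; the feature-detection branch only adds the keyword and never reports the unsupported case. I would fail loudly instead of dropping the request, e.g. `elif options.subid:` followed by `module.fail_json(msg="subid is not supported by this IPA client version")` right after the `if "subid" in argspec.args:` branch, so the play stops rather than reporting success with an unchanged nsswitch. The `sudo` branch has the same silent behaviour, but that predates this change. The surrounding `if` block and `main()` start outside the hunk, so I cannot see whether an earlier check already rejects the option on old clients.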
 
             if hasattr(paths, "AUTHSELECT") and paths.AUTHSELECT is not None:
                 # authselect is used
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index fa33f89a..e76842fc 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -378,6 +378,7 @@
         no_ssh: "{{ ipaclient_no_ssh }}"
         no_sshd: "{{ ipaclient_no_sshd }}"
         no_sudo: "{{ ipaclient_no_sudo }}"
+        subid: "{{ ipaclient_subid }}"
         fixed_primary: "{{ ipassd_fixed_primary
                            | default(ipasssd_fixed_primary) }}"
         permit: "{{ ipassd_permit | default(ipasssd_permit) }}"
diff --git a/roles/ipareplica/README.md b/roles/ipareplica/README.md
index a32ddb15..8d70b45b 100644
--- a/roles/ipareplica/README.md
+++ b/roles/ipareplica/README.md
@@ -200,6 +200,7 @@ Variable | Description | Required
 `ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. (bool, default: false) | no
 `ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. (bool, default: false) | no
 `ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. (bool, default: false) | no
+`ipaclient_subid` | The bool value defines if SSSD will be configured as a data source for subid. (bool, default: false) | no
 `ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. (bool, default: false) | no
 
 Certificate system Variables
diff --git a/roles/ipaserver/README.md b/roles/ipaserver/README.md
index a9254ec5..18317fb9 100644
--- a/roles/ipaserver/README.md
+++ b/roles/ipaserver/README.md
@@ -252,6 +252,7 @@ Variable | Description | Required
 `ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. `ipaclient_no_ssh` defaults to `no`. | no
 `ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. `ipaclient_no_sshd` defaults to `no`. | no
 `ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. `ipaclient_no_sudo` defaults to `no`. | no
+`ipaclient_subid` | The bool value defines if SSSD will be configured as a data source for subid. `ipaclient_subid` defaults to `no`. | no
 `ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. `ipaclient_no_dns_sshfp` defaults to `no`. | no
 
 Certificate system Variables
-- 
GitLab