
sssd installation changes in login_node and control_plane

Signed-off-by: abhishek-sa1 <abhishek.sa3@dell.com>
abhishek-sa1 3 years ago
parent
commit
4974bb333f

+ 68 - 0
control_plane/roles/control_plane_security/files/temp_sssd.conf

@@ -0,0 +1,68 @@
+#
+# sssd.conf
+# Generated by 389 Directory Server - dsidm
+#
+# For more details see man sssd.conf and man sssd-ldap
+# Be sure to review the content of this file to ensure it is secure and correct
+# in your environment.
+
+[domain/ldap]
+# Uncomment this for more verbose logging.
+# debug_level=3
+
+# Cache hashes of user authentication for offline auth.
+cache_credentials = True
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+chpass_provider = ldap
+ldap_schema = rfc2307
+ldap_search_base = dc=omnia,dc=test
+ldap_uri = ldapi://%2fvar%2frun%2fslapd-ldap1.socket
+# If you have DNS SRV records, you can use the following instead. This derives
+# from your ldap_search_base.
+# ldap_uri = _srv_
+
+ldap_tls_reqcert = demand
+# To use cacert dir, place *.crt files in this path then run:
+# /usr/bin/openssl rehash /etc/openldap/certs
+# or (for older versions of openssl)
+# /usr/bin/c_rehash /etc/openldap/certs
+ldap_tls_cacertdir = /etc/openldap/certs
+
+# Path to the cacert
+# ldap_tls_cacert = /etc/openldap/certs/ca.crt
+
+# Only users who match this filter can login and authorise to this machine. Note
+# that users who do NOT match, will still have their uid/gid resolve, but they
+# can't login.
+ldap_access_filter = (memberOf=cn=server_admins,ou=groups,dc=omnia,dc=test)
+
+enumerate = false
+access_provider = ldap
+ldap_user_member_of = memberof
+ldap_user_gecos = cn
+ldap_user_uuid = nsUniqueId
+ldap_group_uuid = nsUniqueId
+# This is really important as it allows SSSD to respect nsAccountLock
+ldap_account_expire_policy = rhds
+ldap_access_order = filter, expire
+# Setup for ssh keys
+# Inside /etc/ssh/sshd_config add the lines:
+#   AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+#   AuthorizedKeysCommandUser nobody
+# You can test with the command: sss_ssh_authorizedkeys <username>
+ldap_user_ssh_public_key = nsSshPublicKey
+
+# This prevents an issue where the Directory is recursively walked on group
+# and user look ups. It makes the client faster and more responsive in almost
+# every scenario.
+ignore_group_members = False
+
+[sssd]
+services = nss, pam, ssh, sudo
+config_file_version = 2
+
+domains = ldap
+[nss]
+homedir_substring = /home
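Review bot: `access_provider = ldap` is set twice inside `[domain/ldap]` (once in the provider block after `cache_credentials`, again after `enumerate = false`); sssd keeps the last value, but a duplicated key is the kind of thing a later edit silently half-changes, so drop the second occurrence. `ldap_uri = ldapi://%2fvar%2frun%2fslapd-ldap1.socket` hardcodes the instance name while the playbooks carry it in `ldap_instance`, and the access filter hardcodes `cn=server_admins` while the vars carry `admin_group_name` — only the `dc=omnia,dc=test` suffix is templated, so a changed instance or group name in vars would leave sssd pointing at a socket or group that does not exist; consider templating both or adding `# must match ldap_instance / admin_group_name in vars/main.yml` above those two lines. `ldap_tls_reqcert = demand` has no effect over a local ldapi socket; a comment such as `# TLS settings only apply if ldap_uri is changed to an ldap(s):// URI` would stop a reader assuming the connection is TLS-protected. roles/login_node/files/temp_sssd.conf is a byte-for-byte copy and shares all of the above.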

+ 61 - 9
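--- a/control_plane/roles/control_plane_security/tasks/install_389ds.yml
+++ b/control_plane/roles/control_plane_security/tasks/install_389ds.yml
@@ -39,13 +39,18 @@
   failed_when: false
   no_log: true
   register: ds389_status_authentication
- 
+
+- name: Gathering service facts
+  service_facts:
+
 - name: Modify ds389_status
   set_fact:
     ds389_status: true
   when: 
     - ds389_status_authentication.rc == 0
     - ds389_pwpolicy_search_key in ds389_pwpolicy_check.stdout
+    - "'sssd.service' in ansible_facts.services"
+    - sssd_install_search_key in ansible_facts.services['sssd.service'].state
 
 - block:
     - name: Install 389-ds
@@ -53,17 +58,25 @@
         name: "{{ ds389_packages }}"
         state: present 
 
+    - name: Check ldap instance is running or not
+      command: dsctl {{ ldap_instance }} status
+      changed_when: false
+      failed_when: false
+      register: ldap1_status
+
     - name: Create the ldap1.inf file
       copy:
         src: "{{ role_path }}/files/temp_ldap1.inf"
         dest: "{{ ldap1_config_path }}"
-        mode: "{{ file_mode }}"       
+        mode: "{{ file_mode }}"
+      when: ldap1_search_key in ldap1_status.stdout       
 
     - name: Configure ldap1.inf with domain name
       lineinfile:
         path: "{{ ldap1_config_path }}"
         regexp: "^suffix = dc=omnia,dc=test"
         line: "suffix = dc={{ domain_name.split('.')[0] }},dc={{ domain_name.split('.')[1] }}"
+      when: ldap1_search_key in ldap1_status.stdout
 
     - name: Configure ldap1.inf with directory manager password
       lineinfile:
@@ -71,12 +84,7 @@
         regexp: "^root_password = password"
         line: "root_password = {{ ms_directory_manager_password }}"
       no_log: true
-
-    - name: Check ldap instance is running or not
-      command: dsctl {{ ldap_instance }} status
-      changed_when: false
-      failed_when: false
-      register: ldap1_status
+      when: ldap1_search_key in ldap1_status.stdout
 
     - name: Creating 389 directory server instance
       shell: dscreate -v from-file {{ ldap1_config_path }} | tee {{ ldap1_output_path }}
@@ -132,24 +140,28 @@
         src: "{{ role_path }}/files/temp_krb5.conf"
         dest: "{{ kerberos_conf_path }}"
         mode: "{{ file_mode }}"
+      when: not principal_status.stat.exists      
 
     - name: Configure kerberos conf file with domain name
       replace:
         path: "{{ kerberos_conf_path }}"
         regexp: "omnia.test"
         replace: "{{ domain_name }}"
+      when: not principal_status.stat.exists
 
     - name: Configure kerberos conf file with realm name
       replace:
         path: "{{ kerberos_conf_path }}"
         regexp: "OMNIA.TEST"
         replace: "{{ realm_name }}"
+      when: not principal_status.stat.exists
 
     - name: Configure kerberos conf file with hostname
       replace:
         path: "{{ kerberos_conf_path }}"
         regexp: "hostname"
         replace: "{{ short_hostname.stdout }}"
+      when: not principal_status.stat.exists
 
     - block:
         - name: Setting up the kerberos database
@@ -191,7 +203,47 @@
       shell: set -o pipefail && echo {{ ms_kerberos_admin_password }} | kinit admin
       no_log: true
       changed_when: false
-    
+
+    - name: Install sssd packages
+      zypper:
+        name: "{{ sssd_packages }}"
+        state: present
+      
+    - name: Stop and disable nscd
+      systemd:
+        name: nscd
+        state: stopped
+        enabled: no
+      when: "'nscd.service' in ansible_facts.services"
+
+    - name: Check admin group in 389-ds
+      command: dsidm {{ ldap_instance }} group list
+      register: check_admin_group
+      changed_when: false
+
+    - name: Create admin group in 389-ds
+      shell: set -o pipefail && echo {{ admin_group_name }} |  dsidm {{ ldap_instance }} group create
+      changed_when: true
+      when: admin_group_name not in check_admin_group.stdout
+
+    - name: Create the sssd.conf file
+      copy:
+        src: "{{ role_path }}/files/temp_sssd.conf"
+        dest: "{{ sssd_config_path }}"
+        mode: "{{ sssd_file_mode }}"       
+
+    - name: Configure sssd.conf with domain name
+      replace:
+        path: "{{ sssd_config_path }}"
+        regexp: "dc=omnia,dc=test"
+        replace: "dc={{ domain_name.split('.')[0] }},dc={{ domain_name.split('.')[1] }}"
+
+    - name: Start sssd service
+      systemd:
+        name: sssd
+        state: started
+        enabled: yes
+
     - name: Configure password policy in 389-ds
       command: dsconf -w {{ ms_directory_manager_password }} -D "cn=Directory Manager" ldap://{{ server_hostname_ms }} pwpolicy set --pwdlockoutduration {{ lockout_duration }} --pwdmaxfailures {{ max_failures }} --pwdresetfailcount {{ failure_reset_interval }}
       no_log: true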
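Review bot: `when: admin_group_name not in check_admin_group.stdout` on the `Create admin group in 389-ds` task is a substring test, so any existing group whose name merely contains `server_admins` would suppress creation of the real one; compare against whole lines instead, `when: admin_group_name not in check_admin_group.stdout_lines`. The group is created empty, and the deployed sssd.conf's `ldap_access_filter` only admits its members, so presumably no LDAP user can log in through sssd until membership is granted somewhere else — a comment on that task pointing to where members are added would save the next reader a search. `enabled: no` on the nscd task and `enabled: yes` on the sssd task should be written `false`/`true` (yamllint truthy). The last hunk of roles/login_node/tasks/install_389ds.yml has the same three points.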

+ 7 - 0
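--- a/control_plane/roles/control_plane_security/vars/main.yml
+++ b/control_plane/roles/control_plane_security/vars/main.yml
@@ -86,6 +86,7 @@ ds389_packages:
   - python3-argcomplete
 ldap1_search_key: "No such instance"
 ds389_pwpolicy_search_key: "passwordlockoutduration: {{ lockout_duration }}"
+sssd_install_search_key: running
 ldap1_config_path: "{{ role_path }}/files/ldap1.inf"
 ldap_instance: ldap1
 ldap1_output_path: /var/log/ldap1_output.txt
@@ -100,6 +101,12 @@ kerberos_packages:
 kerberos_principal_path: /var/lib/kerberos/krb5kdc/principal
 kerberos_conf_path: /etc/krb5.conf
 kerberos_env_path: /usr/lib/mit/sbin/
+sssd_packages:
+  - sssd
+  - sssd-ldap
+admin_group_name: server_admins
+sssd_file_mode: 0600
+sssd_config_path: /etc/sssd/sssd.conf
 
 # Usage: restrict_nonessentials.yml
 service_status: ['enabled','alias','static','indirect','enabled-runtime','active','inactive']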
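Review bot: `sssd_file_mode: 0600` is an unquoted octal literal, which PyYAML (YAML 1.1) loads as the integer 384; it reaches the `copy` module only through `mode: "{{ sssd_file_mode }}"`, so whether the file ends up 0600 depends on Ansible's templating converting the rendered `"384"` back to an int rather than parsing it as octal — quote it, `sssd_file_mode: "0600"`, as the Ansible docs recommend for modes. This matters more than usual here because sssd refuses to start unless sssd.conf is root-owned and 0600, and the same file caches credential hashes when `cache_credentials = True`. A short comment on `sssd_install_search_key` saying it is matched against `ansible_facts.services['sssd.service'].state` would also help, since the value `running` is meaningless on its own. The same applies to the matching hunk in roles/login_node/vars/main.yml.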

+ 68 - 0
roles/login_node/files/temp_sssd.conf

@@ -0,0 +1,68 @@
+#
+# sssd.conf
+# Generated by 389 Directory Server - dsidm
+#
+# For more details see man sssd.conf and man sssd-ldap
+# Be sure to review the content of this file to ensure it is secure and correct
+# in your environment.
+
+[domain/ldap]
+# Uncomment this for more verbose logging.
+# debug_level=3
+
+# Cache hashes of user authentication for offline auth.
+cache_credentials = True
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+chpass_provider = ldap
+ldap_schema = rfc2307
+ldap_search_base = dc=omnia,dc=test
+ldap_uri = ldapi://%2fvar%2frun%2fslapd-ldap1.socket
+# If you have DNS SRV records, you can use the following instead. This derives
+# from your ldap_search_base.
+# ldap_uri = _srv_
+
+ldap_tls_reqcert = demand
+# To use cacert dir, place *.crt files in this path then run:
+# /usr/bin/openssl rehash /etc/openldap/certs
+# or (for older versions of openssl)
+# /usr/bin/c_rehash /etc/openldap/certs
+ldap_tls_cacertdir = /etc/openldap/certs
+
+# Path to the cacert
+# ldap_tls_cacert = /etc/openldap/certs/ca.crt
+
+# Only users who match this filter can login and authorise to this machine. Note
+# that users who do NOT match, will still have their uid/gid resolve, but they
+# can't login.
+ldap_access_filter = (memberOf=cn=server_admins,ou=groups,dc=omnia,dc=test)
+
+enumerate = false
+access_provider = ldap
+ldap_user_member_of = memberof
+ldap_user_gecos = cn
+ldap_user_uuid = nsUniqueId
+ldap_group_uuid = nsUniqueId
+# This is really important as it allows SSSD to respect nsAccountLock
+ldap_account_expire_policy = rhds
+ldap_access_order = filter, expire
+# Setup for ssh keys
+# Inside /etc/ssh/sshd_config add the lines:
+#   AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+#   AuthorizedKeysCommandUser nobody
+# You can test with the command: sss_ssh_authorizedkeys <username>
+ldap_user_ssh_public_key = nsSshPublicKey
+
+# This prevents an issue where the Directory is recursively walked on group
+# and user look ups. It makes the client faster and more responsive in almost
+# every scenario.
+ignore_group_members = False
+
+[sssd]
+services = nss, pam, ssh, sudo
+config_file_version = 2
+
+domains = ldap
+[nss]
+homedir_substring = /home
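Review bot: The comment above `ignore_group_members = False` describes the effect of `True` (skipping member resolution on group lookups); `False` is sssd's default and still walks members, so either the value or the comment is wrong — confirm which behaviour is intended and either set `ignore_group_members = True` under the existing comment or keep `False` and reword the comment to say member resolution is enabled. Because `cache_credentials = True` keeps authentication hashes in the local sssd cache, the 0600 mode applied by the copy task is required rather than optional, and a one-line comment stating that would keep a future "relax the mode" change from going in unnoticed. This file is a byte-for-byte copy of control_plane/roles/control_plane_security/files/temp_sssd.conf; a single shared template would stop the two from drifting.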

+ 61 - 7
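--- a/roles/login_node/tasks/install_389ds.yml
+++ b/roles/login_node/tasks/install_389ds.yml
@@ -49,13 +49,18 @@
   failed_when: false
   no_log: true
   register: ds389_status_authentication
- 
+
+- name: Gathering service facts
+  service_facts:
+
 - name: Modify ds389_status
   set_fact:
     ds389_status: true
   when: 
     - ds389_status_authentication.rc == 0
     - ldap1_install_search_key in ldap1_status.stdout.split(' ')[3]
+    - "'sssd.service' in ansible_facts.services"
+    - sssd_install_search_key in ansible_facts.services['sssd.service'].state
 
 - block:
     - name: Install 389-ds
@@ -63,17 +68,25 @@
         name: "{{ ds389_packages }}"
         state: present 
 
+    - name: Check ldap instance is running or not
+      command: dsctl {{ ldap_instance }} status
+      changed_when: false
+      failed_when: false
+      register: ldap1_status
+
     - name: Create the ldap1.inf file
       copy:
         src: "{{ role_path }}/files/temp_ldap1.inf"
         dest: "{{ ldap1_config_path }}"
-        mode: "{{ file_mode }}"       
+        mode: "{{ file_mode }}"
+      when: ldap1_search_key in ldap1_status.stdout       
 
     - name: Configure ldap1.inf with domain name
       lineinfile:
         path: "{{ ldap1_config_path }}"
         regexp: "^suffix = dc=omnia,dc=test"
         line: "suffix = dc={{ domain_name.split('.')[0] }},dc={{ domain_name.split('.')[1] }}"
+      when: ldap1_search_key in ldap1_status.stdout
 
     - name: Configure ldap1.inf with directory manager password
       lineinfile:
@@ -81,12 +94,9 @@
         regexp: "^root_password = password"
         line: "root_password = {{ directory_manager_password }}"
       no_log: true
+      when: ldap1_search_key in ldap1_status.stdout
 
-    - name: Check ldap instance is running or not
-      command: dsctl {{ ldap_instance }} status
-      changed_when: false
-      failed_when: false
-      register: ldap1_status
+    
 
     - name: Creating 389 directory server instance
       shell: dscreate -v from-file {{ ldap1_config_path }} | tee {{ ldap1_output_path }}
@@ -154,24 +164,28 @@
         src: "{{ role_path }}/files/temp_krb5.conf"
         dest: "{{ kerberos_conf_path }}"
         mode: "{{ file_mode }}"
+      when: not principal_status.stat.exists
 
     - name: Configure kerberos conf file with domain name
       replace:
         path: "{{ kerberos_conf_path }}"
         regexp: "omnia.test"
         replace: "{{ domain_name }}"
+      when: not principal_status.stat.exists
 
     - name: Configure kerberos conf file with realm name
       replace:
         path: "{{ kerberos_conf_path }}"
         regexp: "OMNIA.TEST"
         replace: "{{ realm_name }}"
+      when: not principal_status.stat.exists
 
     - name: Configure kerberos conf file with hostname
       replace:
         path: "{{ kerberos_conf_path }}"
         regexp: "hostname"
         replace: "{{ server_hostname_short }}"
+      when: not principal_status.stat.exists
 
     - block:
         - name: Setting up the kerberos database
@@ -213,6 +227,46 @@
       shell: set -o pipefail && echo {{ kerberos_admin_password }} | kinit {{ ipa_admin_username }}
       no_log: true
       changed_when: false
+
+    - name: Install sssd packages
+      zypper:
+        name: "{{ sssd_packages }}"
+        state: present
+      
+    - name: Stop and disable nscd
+      systemd:
+        name: nscd
+        state: stopped
+        enabled: no
+      when: "'nscd.service' in ansible_facts.services"
+
+    - name: Check admin group in 389-ds
+      command: dsidm {{ ldap_instance }} group list
+      register: check_admin_group
+      changed_when: false
+
+    - name: Create admin group in 389-ds
+      shell: set -o pipefail && echo {{ admin_group_name }} |  dsidm {{ ldap_instance }} group create
+      changed_when: true
+      when: admin_group_name not in check_admin_group.stdout
+
+    - name: Create the sssd.conf file
+      copy:
+        src: "{{ role_path }}/files/temp_sssd.conf"
+        dest: "{{ sssd_config_path }}"
+        mode: "{{ sssd_file_mode }}"       
+
+    - name: Configure sssd.conf with domain name
+      replace:
+        path: "{{ sssd_config_path }}"
+        regexp: "dc=omnia,dc=test"
+        replace: "dc={{ domain_name.split('.')[0] }},dc={{ domain_name.split('.')[1] }}"
+
+    - name: Start sssd service
+      systemd:
+        name: sssd
+        state: started
+        enabled: yes
   when: not ds389_status
 
 - name: Configure password policy in 389-ds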
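Review bot: The `+    ` line that replaces the removed `Check ldap instance is running or not` task in hunk `@@ -81,12 +94,9 @@` is whitespace-only, and `when: ldap1_search_key in ldap1_status.stdout       `, `mode: "{{ sssd_file_mode }}"       ` and the empty line after `state: present` in the last hunk carry trailing spaces; drop them so yamllint's trailing-spaces check stays clean. In the first hunk the pre-existing condition `ldap1_install_search_key in ldap1_status.stdout.split(' ')[3]` reads `ldap1_status`, which in the hunks shown is registered only inside the `block` below it (before and after this commit); unless an earlier task outside this view also registers it, the `Modify ds389_status` conditional would fail on an undefined variable on a fresh host, which is worth confirming. `split(' ')[3]` also assumes a fixed word position in the `dsctl` output, so a comment quoting the expected output line (e.g. `# dsctl prints "Instance "ldap1" is running"`) would make the index intelligible — the quoted text is my guess at the format, not taken from this page.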

+ 7 - 0
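--- a/roles/login_node/vars/main.yml
+++ b/roles/login_node/vars/main.yml
@@ -72,6 +72,7 @@ ds389_packages:
 ldap1_search_key: "No such instance"
 ds389_pwpolicy_search_key: "passwordlockoutduration: {{ lockout_duration }}"
 ldap1_install_search_key: running
+sssd_install_search_key: running
 ldap1_config_path: "/root/ldap1.inf"
 ldap_instance: ldap1
 ldap1_output_path: /var/log/ldap1_output.txt
@@ -86,6 +87,12 @@ kerberos_packages:
 kerberos_principal_path: /var/lib/kerberos/krb5kdc/principal
 kerberos_conf_path: /etc/krb5.conf
 kerberos_env_path: /usr/lib/mit/sbin/
+sssd_packages:
+  - sssd
+  - sssd-ldap
+admin_group_name: server_admins
+sssd_file_mode: 0600
+sssd_config_path: /etc/sssd/sssd.conf
 
 # Usage: restrict_nonessentials.yml
 service_status: ['enabled','alias','static','indirect','enabled-runtime','active','inactive']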