diff --git a/linux_os/guide/services/sssd/service_sssd_enabled/tests/common.sh b/linux_os/guide/services/sssd/service_sssd_enabled/tests/common.sh
index 5c7272a3f8ec..f8696ffb5031 100644
--- a/linux_os/guide/services/sssd/service_sssd_enabled/tests/common.sh
+++ b/linux_os/guide/services/sssd/service_sssd_enabled/tests/common.sh
@@ -1,36 +1,19 @@ +#!/bin/bash +# packages = sssd + # sssd.service needs /etc/sssd/sssd.conf to start -if [ ! -f /etc/sssd/sssd.conf ]; then - cat << EOF > /etc/sssd/sssd.conf -[sssd] -config_file_version = 2 -services = nss, pam -domains = example.com +SSSD_CONF="/etc/sssd/sssd.conf" +SSSD_CONF_DIR="/etc/sssd/conf.d" +{{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}} -[domain/example.com] -{{%- if ('rhel' in product or 'ol' in families) and product not in ['ol8', 'ol9', 'rhel8', 'rhel9']%}} -id_provider = proxy -proxy_lib_name = files -local_auth_policy = only -{{%- else %}} -id_provider = files -access_provider = simple -simple_allow_users = user1, user2 +{{%- if ('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']%}} +{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "pam", "pam_cert_auth", "True") }}} {{%- endif %}} -[nss] -filter_groups = root -filter_users = root - -[pam] -{{%- if ('rhel' in product or 'ol' in families) and product not in ['ol8', 'ol9', 'rhel8', 'rhel9']%}} -pam_cert_auth = True +{{%- if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}} +{{{ bash_package_install("sssd-proxy") }}} +authselect select sssd with-smartcard +chmod 0640 $SSSD_CONF +{{%- else %}} +chmod 0600 $SSSD_CONF {{%- endif %}} -EOF - {{%- if ('rhel' in product or 'ol' in families) and product not in ['ol8', 'ol9', 'rhel8', 'rhel9']%}} - dnf install sssd-proxy -y - authselect select sssd with-smartcard - chmod 0640 /etc/sssd/sssd.conf - {{%- else %}} - chmod 0600 /etc/sssd/sssd.conf - {{%- endif %}} -fi diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml index 581302fa9b80..a0e077a5456e 100644 --- a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml 
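Review bot: `authselect select sssd with-smartcard` in the Fedora/RHEL 10 branch runs without `--force`, so this harness aborts whenever the PAM stack was edited outside authselect, while every other authselect call in this series (the `authselect_*` smartcard scenarios) passes `--force`; use `authselect select sssd with-smartcard --force`. The same branch relaxes `$SSSD_CONF` to 0640 while the `else` branch keeps 0600 and nothing here sets a group owner, so the looser mode only makes sense if `bash_sssd_ensure_default_config` (not shown) chowns the file to the sssd group — a one-line comment stating that assumption would save the next reader a trip to the macro. Also note the two product guards differ: the `pam_cert_auth` block omits `fedora` while the package/authselect/chmod block includes it, so on Fedora the harness selects the smartcard profile but never writes `pam_cert_auth`; if that is unintended the two conditions should match.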
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml @@ -5,17 +5,28 @@ # disruption = medium {{{ ansible_instantiate_variables("var_sssd_certificate_verification_digest_function") }}} -- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf +{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}} +{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}} +{{{ ansible_sssd_ensure_default_config(sssd_conf, sssd_conf_dir, rule_title) }}} + +{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}} +- name: "{{{ rule_title }}} - Install sssd-proxy for default domain" + ansible.builtin.package: + name: sssd-proxy + state: present +{{% endif %}} + +- name: Ensure that "certificate_verification" is not set in {{{ sssd_conf }}} community.general.ini_file: - path: /etc/sssd/sssd.conf + path: {{{ sssd_conf }}} section: sssd option: certificate_verification state: absent mode: 0600 -- name: 'Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf' +- name: 'Ensure that "certificate_verification" is not set in {{{ sssd_conf_dir }}}/*.conf' community.general.ini_file: - path: /etc/sssd/conf.d/*.conf + path: {{{ sssd_conf_dir }}}/*.conf section: sssd option: certificate_verification state: absent @@ -23,7 +34,7 @@ - name: Ensure that "certificate_verification" is set community.general.ini_file: - path: /etc/sssd/conf.d/certificate_verification.conf + path: {{{ sssd_conf_dir }}}/certificate_verification.conf section: sssd option: certificate_verification value: "ocsp_dgst={{ var_sssd_certificate_verification_digest_function }}" diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh index 702a592e1e0b..b736ebdc9a7c 100644 --- a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh 
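Review bot: `path: {{{ sssd_conf_dir }}}/*.conf` in the second `ini_file` task hands the module a literal glob; as far as I know `community.general.ini_file` does not expand wildcards, so it looks for (and, with `create` left at its default, may create) a file literally named `*.conf` instead of scrubbing each drop-in. The enable_pam_services playbook in this same series already does this correctly with `ansible.builtin.find` on `{{{ sssd_conf_dir }}}` plus `patterns: "*.conf"` and a loop over the registered results; the same pattern should replace this task. The `sssd-proxy` install task and its long product guard are now duplicated in every playbook that calls `ansible_sssd_ensure_default_config`; consider folding the install into that macro so the product list is maintained in one place.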
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh @@ -11,8 +11,15 @@ OLD_UMASK=$(umask) umask u=rw,go= -MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf" +SSSD_CONF="/etc/sssd/sssd.conf" +SSSD_CONF_DIR="/etc/sssd/conf.d" +{{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}} +{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}} +{{{ bash_package_install("sssd-proxy") }}} +{{% endif %}} -{{{ bash_ensure_ini_config("$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "sssd", "certificate_verification", "ocsp_dgst=$var_sssd_certificate_verification_digest_function") }}} +MAIN_CONF="$SSSD_CONF_DIR/certificate_verification.conf" + +{{{ bash_ensure_ini_config("$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf", "sssd", "certificate_verification", "ocsp_dgst=$var_sssd_certificate_verification_digest_function") }}} umask $OLD_UMASK diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh index 24c19f44fdc2..68b6ef2dd61a 100644 --- a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh +++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh @@ -1,6 +1,4 @@ #!/bin/bash # packages = sssd-common -mkdir -p /etc/sssd/conf.d -touch /etc/sssd/sssd.conf -echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf +{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "sssd", "certificate_verification", "ocsp_dgst=sha1") }}} diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh index 93f363edc047..e485be28e39a 100644 
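Review bot: `{{{ bash_package_install("sssd-proxy") }}}` now executes after `umask u=rw,go=` has been set, so anything the package manager or a package scriptlet creates with default permissions during the remediation (rpm payload files keep their packaged modes, but caches, logs and scriptlet-generated files do not) ends up 0600 — the restrictive umask was only meant for the sssd config files written below it. Move the default-config/package block above `OLD_UMASK=$(umask)`, or wrap only the `bash_ensure_ini_config` call in the umask change. The same ordering appears in the other bash remediations touched by this series (enable_smartcards, memcache_timeout, offline_cred_expiration, enable_pam_services).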
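Review bot: With `mkdir -p /etc/sssd/conf.d` gone, none of the three certificate_verification scenarios puts a value in `/etc/sssd/conf.d/*.conf`, even though the remediation in this series writes to `$SSSD_CONF_DIR/certificate_verification.conf` and the check presumably reads both locations. A `correct_value_conf_d.pass.sh` calling `bash_ensure_ini_config("/etc/sssd/conf.d/certificate_verification.conf", "sssd", "certificate_verification", "ocsp_dgst=sha1")` would cover the remediated state, and a fail variant where sssd.conf is correct but a drop-in says `ocsp_dgst=sha256` would pin the precedence the check is expected to handle.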
--- a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh +++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh @@ -1,6 +1,4 @@ #!/bin/bash # packages = sssd-common -mkdir -p /etc/sssd/conf.d -touch /etc/sssd/sssd.conf -echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha256" >> /etc/sssd/sssd.conf +{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "sssd", "certificate_verification", "ocsp_dgst=sha256") }}} diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value_not_default.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value_not_default.fail.sh index b085429ef874..532aaa293710 100644 --- a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value_not_default.fail.sh +++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value_not_default.fail.sh @@ -2,7 +2,5 @@ # packages = sssd-common # variables = var_sssd_certificate_verification_digest_function=sha512 -mkdir -p /etc/sssd/conf.d -touch /etc/sssd/sssd.conf -echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha256" >> /etc/sssd/sssd.conf +{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "sssd", "certificate_verification", "ocsp_dgst=sha256") }}} diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml index 15554ace343a..88e965e1009f 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml 
@@ -4,14 +4,25 @@ # complexity = low # disruption = medium -- name: {{{ rule_title }}} - Find all the conf files inside the /etc/sssd/conf.d/ directory +{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}} +{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}} +{{{ ansible_sssd_ensure_default_config(sssd_conf, sssd_conf_dir, rule_title) }}} + +{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}} +- name: "{{{ rule_title }}} - Install sssd-proxy for default domain" + ansible.builtin.package: + name: sssd-proxy + state: present +{{% endif %}} + +- name: {{{ rule_title }}} - Find all the conf files inside the {{{ sssd_conf_dir }}} directory ansible.builtin.find: paths: - - "/etc/sssd/conf.d/" + - "{{{ sssd_conf_dir }}}" patterns: "*.conf" register: sssd_conf_d_files -- name: {{{ rule_title }}} - Modify lines in files in the /etc/sssd/conf.d/ directory +- name: {{{ rule_title }}} - Modify lines in files in the {{{ sssd_conf_dir }}} directory ansible.builtin.replace: path: "{{ item }}" regexp: '^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$' 
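Review bot: The `Install sssd-proxy for default domain` task and its `{{% if product in ["fedora"] or ... %}}` guard are pasted verbatim into five playbooks in this series (certificate_verification, enable_pam_services, enable_smartcards, memcache_timeout, offline_cred_expiration), and the bash remediations and the service test harness carry the same expression six more times. Every occurrence sits directly after `ansible_sssd_ensure_default_config` / `bash_sssd_ensure_default_config` and exists to satisfy the proxy domain those macros create, so the install and its product list belong inside the macros (or behind one product-level variable), making the next product bump one edit instead of eleven. The `replace:` body of the conf.d task continues outside this hunk.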
@@ -20,22 +31,22 @@ register: modify_lines_sssd_conf_d_files when: sssd_conf_d_files.matched is defined and sssd_conf_d_files.matched >= 1 -- name: {{{ rule_title }}} - Find /etc/sssd/sssd.conf +- name: {{{ rule_title }}} - Find {{{ sssd_conf }}} ansible.builtin.stat: - path: /etc/sssd/sssd.conf + path: {{{ sssd_conf }}} register: sssd_conf_file -- name: {{{ rule_title }}} - Modify lines in /etc/sssd/sssd.conf +- name: {{{ rule_title }}} - Modify lines in {{{ sssd_conf }}} ansible.builtin.replace: - path: "/etc/sssd/sssd.conf" + path: "{{{ sssd_conf }}}" regexp: '^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$' replace: '\1,pam' register: modify_lines_sssd_conf_file when: sssd_conf_file.stat.exists -- name: {{{ rule_title }}} - Find services key in /etc/sssd/sssd.conf +- name: {{{ rule_title }}} - Find services key in {{{ sssd_conf }}} ansible.builtin.replace: - path: "/etc/sssd/sssd.conf" + path: "{{{ sssd_conf }}}" regexp: '^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+' replace: '' changed_when: false @@ -43,9 +54,9 @@ register: sssd_conf_file_services when: sssd_conf_file.stat.exists -- name: {{{ rule_title }}} - Insert entry to /etc/sssd/sssd.conf +- name: {{{ rule_title }}} - Insert entry to {{{ sssd_conf }}} community.general.ini_file: - path: /etc/sssd/sssd.conf + path: {{{ sssd_conf }}} section: sssd option: services value: pam diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh index 51e6b835d6ac..7c9ca552e316 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh 
@@ -1,23 +1,21 @@ # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_almalinux,multi_platform_ubuntu - # sssd configuration files must be created with 600 permissions if they don't exist # otherwise the sssd module fails to start OLD_UMASK=$(umask) umask u=rw,go= SSSD_CONF="/etc/sssd/sssd.conf" -SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf" - -if [ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]; then - mkdir -p /etc/sssd - touch "$SSSD_CONF" -fi +SSSD_CONF_DIR="/etc/sssd/conf.d" +{{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}} +{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}} +{{{ bash_package_install("sssd-proxy") }}} +{{% endif %}} # Flag to check if there is already services with pam service_already_exist=false -for f in $SSSD_CONF $SSSD_CONF_DIR; do +for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do if [ ! -e "$f" ]; then continue fi @@ -39,13 +37,7 @@ done # If there was no service in [sssd], add it to first config if [ "$service_already_exist" = false ]; then - for f in $SSSD_CONF $SSSD_CONF_DIR; do - cat << EOF >> "$f" -[sssd] -services = pam -EOF - break - done +{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "sssd", "services", "pam") }}} fi umask $OLD_UMASK diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml index f4aad1aa1138..ff7b91c1fefd 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml 
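Review bot: The fallback under `if [ "$service_already_exist" = false ]` changes semantics in a way the commit should state: the removed loop appended `[sssd] services = pam` to the first file in the list and then `break`-ed, whereas `bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", ...)` receives every config file at once, and if the macro (not shown) writes the key into each listed file, a host with several drop-ins ends up with `services = pam` in all of them. If the old first-file-only behavior is intended, pass just `"$SSSD_CONF"` here or keep the loop with the macro inside it. Separately, `$SSSD_CONF_DIR/*.conf` is unquoted without `nullglob`, so on an empty conf.d the literal pattern is passed to the macro just as it is to the loop above (which skips it via `[ ! -e "$f" ]`); confirm the macro tolerates a non-existent path. The loop body continues outside this hunk.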
@@ -3,44 +3,33 @@ # strategy = configure # complexity = low # disruption = medium -- name: "Test for domain group" - ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf - register: test_grep_domain - failed_when: false - changed_when: False - check_mode: no +{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}} +{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}} +{{{ ansible_sssd_ensure_default_config(sssd_conf, sssd_conf_dir, rule_title) }}} -- name: "Add default domain group (if no domain there)" - community.general.ini_file: - path: /etc/sssd/sssd.conf - section: "{{ item.section }}" - option: "{{ item.option }}" - value: "{{ item.value }}" - create: yes - mode: 0600 - with_items: - - { section: sssd, option: domains, value: default} - - { section: domain/default, option: id_provider, value: files } - when: - - test_grep_domain.stdout is defined - - test_grep_domain.stdout | length < 1 +{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}} +- name: "{{{ rule_title }}} - Install sssd-proxy for default domain" + ansible.builtin.package: + name: sssd-proxy + state: present +{{% endif %}} - name: "Enable Smartcards in SSSD" community.general.ini_file: - dest: /etc/sssd/sssd.conf + dest: {{{ sssd_conf }}} section: pam option: pam_cert_auth value: 'True' create: yes mode: 0600 -- name: Find all the conf files inside /etc/sssd/conf.d/ +- name: Find all the conf files inside {{{ sssd_conf_dir }}} ansible.builtin.find: - paths: "/etc/sssd/conf.d/" + paths: "{{{ sssd_conf_dir }}}" patterns: "*.conf" register: sssd_conf_d_files -- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d/ +- name: Fix pam_cert_auth configuration in {{{ sssd_conf_dir }}} ansible.builtin.replace: path: "{{ item.path }}" regexp: '[^#]*pam_cert_auth.*' 
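Review bot: The `Enable Smartcards in SSSD` task keeps `mode: 0600` on `{{{ sssd_conf }}}`, while the test harness introduced in this same series (`service_sssd_enabled/tests/common.sh`) sets that file to 0640 on Fedora/RHEL 10; if `ansible_sssd_ensure_default_config` (not shown) also creates the file as 0640 for those products, this task tightens it back to 0600 on every run and the playbook is never idempotent there. Either drop `mode:` and let the default-config macro own the file mode, or make both sides agree on one mode per product. The task also uses `dest:`, an alias of `path:`, whereas the certificate_verification playbook in this series uses `path:`; one spelling per series is easier to grep. The `replace:` body of the conf.d task continues outside this hunk.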
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh index 604cc82302c9..6bc2656c4173 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh @@ -9,7 +9,14 @@ OLD_UMASK=$(umask) umask u=rw,go= -{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "pam", "pam_cert_auth", "True") }}} +SSSD_CONF="/etc/sssd/sssd.conf" +SSSD_CONF_DIR="/etc/sssd/conf.d" +{{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}} +{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}} +{{{ bash_package_install("sssd-proxy") }}} +{{% endif %}} + +{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "pam", "pam_cert_auth", "True") }}} umask $OLD_UMASK diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_modified_pam.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_modified_pam.fail.sh index 20d721658163..12763ece2e7b 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_modified_pam.fail.sh @@ -4,8 +4,7 @@ # remediation = none SSSD_FILE="/etc/sssd/sssd.conf" -echo "[pam]" > $SSSD_FILE -echo "pam_cert_auth = True" >> $SSSD_FILE +{{{ bash_ensure_ini_config("$SSSD_FILE", "pam", "pam_cert_auth", "True") }}} authselect select sssd --force diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_disabled.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_disabled.fail.sh index ba800bceaf85..f6da8de63180 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_disabled.fail.sh 
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_disabled.fail.sh @@ -3,8 +3,7 @@ # platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel SSSD_FILE="/etc/sssd/sssd.conf" -echo "[pam]" > $SSSD_FILE -echo "pam_cert_auth = True" >> $SSSD_FILE +{{{ bash_ensure_ini_config("$SSSD_FILE", "pam", "pam_cert_auth", "True") }}} authselect select sssd --force authselect disable-feature with-smartcard diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled.pass.sh index afd575dd8e29..1314bd377a13 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled.pass.sh @@ -3,8 +3,7 @@ # platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel SSSD_FILE="/etc/sssd/sssd.conf" -echo "[pam]" > $SSSD_FILE -echo "pam_cert_auth = True" >> $SSSD_FILE +{{{ bash_ensure_ini_config("$SSSD_FILE", "pam", "pam_cert_auth", "True") }}} authselect select sssd --force authselect enable-feature with-smartcard diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh index 05ecf8a8adb2..28bcbfd53af7 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh 
@@ -3,8 +3,7 @@ # platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel SSSD_FILE="/etc/sssd/conf.d/unused.conf" -echo "[pam]" > $SSSD_FILE -echo "pam_cert_auth = True" >> $SSSD_FILE +{{{ bash_ensure_ini_config("$SSSD_FILE", "pam", "pam_cert_auth", "True") }}} authselect select sssd --force authselect enable-feature with-smartcard diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_lower.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_lower.pass.sh index 9758d9bdafc8..e69a6771e95e 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_lower.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_lower.pass.sh @@ -3,8 +3,7 @@ # platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel SSSD_FILE="/etc/sssd/sssd.conf" -echo "[pam]" > $SSSD_FILE -echo "pam_cert_auth = true" >> $SSSD_FILE +{{{ bash_ensure_ini_config("$SSSD_FILE", "pam", "pam_cert_auth", "true") }}} authselect select sssd --force authselect enable-feature with-smartcard diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false.fail.sh index eb58f3dcf79b..dfea779efbd8 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false.fail.sh @@ -3,8 +3,7 @@ # platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel SSSD_FILE="/etc/sssd/sssd.conf" -echo "[pam]" > $SSSD_FILE -echo "pam_cert_auth = False" >> $SSSD_FILE +{{{ bash_ensure_ini_config("$SSSD_FILE", "pam", "pam_cert_auth", "False") }}} authselect select sssd --force authselect enable-feature with-smartcard 
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh index 262abd2761a3..f3a9aa4aca40 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh @@ -3,8 +3,7 @@ # platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel SSSD_FILE="/etc/sssd/conf.d/unused.conf" -echo "[pam]" > $SSSD_FILE -echo "pam_cert_auth = False" >> $SSSD_FILE +{{{ bash_ensure_ini_config("$SSSD_FILE", "pam", "pam_cert_auth", "False") }}} authselect select sssd --force authselect enable-feature with-smartcard diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh index 0b3d08ccae84..f3287508a538 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh @@ -2,6 +2,10 @@ # packages = sssd # platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu -SSSD_FILE="/etc/sssd/sssd.conf" -echo "[pam]" > $SSSD_FILE -echo "pam_cert_auth = False" >> $SSSD_FILE +{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}} +authselect select sssd --force +{{% endif %}} + +SSSD_CONF="/etc/sssd/sssd.conf" +SSSD_CONF_DIR="/etc/sssd/conf.d" +{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "pam", "pam_cert_auth", "False") }}} 
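Review bot: The new guard `{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}}` around `authselect select sssd --force` does not match this scenario's `# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu` line: OL8/OL9 and RHEL are not platforms this test runs on (they have their own `authselect_*` scenarios), so only the Fedora branch is reachable, and `'rhel' in product` would also match RHEL 7, which as far as I recall ships authconfig rather than authselect. Either shrink the guard to `{{% if product == "fedora" %}}` or widen the `# platform` line if the intent is to run this scenario on the authselect products as well. The same guard is copied into sssd_parameter_missing.fail.sh, sssd_parameter_missing_file.fail.sh and sssd_parameter_true.pass.sh.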
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh index 440a5ce07a74..09f30744a7f9 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh @@ -2,5 +2,9 @@ # packages = sssd # platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu +{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}} +authselect select sssd --force +{{% endif %}} + SSSD_FILE="/etc/sssd/sssd.conf" echo "[pam]" > $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh index 7b93f6c17f03..566dd7911a9c 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh @@ -2,5 +2,9 @@ # packages = sssd # platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu +{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}} +authselect select sssd --force +{{% endif %}} + SSSD_FILE="/etc/sssd/sssd.conf" rm -f $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh index 825939c31846..ed83dd5a1eb1 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh 
@@ -3,5 +3,10 @@ # platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu SSSD_FILE="/etc/sssd/sssd.conf" -echo "[pam]" > $SSSD_FILE -echo "pam_cert_auth = True" >> $SSSD_FILE +{{{ bash_ensure_ini_config("$SSSD_FILE", "pam", "pam_cert_auth", "True") }}} + +{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}} +authselect select sssd --force +authselect enable-feature with-smartcard +authselect apply-changes +{{% endif %}} diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml index 06a314e4eabe..7054502e27f6 100644 --- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml 
@@ -5,31 +5,20 @@ # disruption = medium {{{ ansible_instantiate_variables("var_sssd_memcache_timeout") }}} -- name: "Test for domain group" - ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf - register: test_grep_domain - failed_when: false - changed_when: False - check_mode: no +{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}} +{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}} +{{{ ansible_sssd_ensure_default_config(sssd_conf, sssd_conf_dir, rule_title) }}} -- name: "Add default domain group (if no domain there)" - community.general.ini_file: - path: /etc/sssd/sssd.conf - section: "{{ item.section }}" - option: "{{ item.option }}" - value: "{{ item.value }}" - create: yes - mode: 0600 - with_items: - - { section: sssd, option: domains, value: default} - - { section: domain/default, option: id_provider, value: files } - when: - - test_grep_domain.stdout is defined - - test_grep_domain.stdout | length < 1 +{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}} +- name: "{{{ rule_title }}} - Install sssd-proxy for default domain" + ansible.builtin.package: + name: sssd-proxy + state: present +{{% endif %}} - name: "Configure SSSD's Memory Cache to Expire" community.general.ini_file: - dest: /etc/sssd/sssd.conf + dest: {{{ sssd_conf }}} section: nss option: memcache_timeout value: "{{ var_sssd_memcache_timeout }}" diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh index 0399c1e6b87b..3ac43014621c 100644 --- a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh 
@@ -7,6 +7,13 @@ OLD_UMASK=$(umask) umask u=rw,go= -{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "nss", "memcache_timeout", "$var_sssd_memcache_timeout") }}} +SSSD_CONF="/etc/sssd/sssd.conf" +SSSD_CONF_DIR="/etc/sssd/conf.d" +{{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}} +{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}} +{{{ bash_package_install("sssd-proxy") }}} +{{% endif %}} + +{{{ bash_ensure_ini_config("$SSSD_CONF", "nss", "memcache_timeout", "$var_sssd_memcache_timeout") }}} umask $OLD_UMASK diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_memcache_timeout/tests/correct_value.pass.sh index 31025ac6edb9..35c5bcc33753 100644 --- a/linux_os/guide/services/sssd/sssd_memcache_timeout/tests/correct_value.pass.sh +++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/tests/correct_value.pass.sh @@ -7,6 +7,4 @@ SSSD_CONF="/etc/sssd/sssd.conf" TIMEOUT="180" systemctl enable sssd -mkdir -p /etc/sssd -touch $SSSD_CONF -echo -e "[nss]\nmemcache_timeout = $TIMEOUT" >> $SSSD_CONF +{{{ bash_ensure_ini_config("$SSSD_CONF", "nss", "memcache_timeout", "$TIMEOUT") }}} diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/tests/wrong_value.fail.sh b/linux_os/guide/services/sssd/sssd_memcache_timeout/tests/wrong_value.fail.sh index 18b897f7f8d6..3dbc8a3b5ef7 100644 --- a/linux_os/guide/services/sssd/sssd_memcache_timeout/tests/wrong_value.fail.sh +++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/tests/wrong_value.fail.sh @@ -8,6 +8,4 @@ SSSD_CONF="/etc/sssd/sssd.conf" TIMEOUT="99999" systemctl enable sssd -mkdir -p /etc/sssd -touch $SSSD_CONF -echo -e "[nss]\nmemcache_timeout = $TIMEOUT" >> $SSSD_CONF +{{{ bash_ensure_ini_config("$SSSD_CONF", "nss", "memcache_timeout", "$TIMEOUT") }}} 
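Review bot: `bash_ensure_ini_config("$SSSD_CONF", "nss", "memcache_timeout", ...)` is still given only `$SSSD_CONF`, even though `SSSD_CONF_DIR` is defined two lines above and the sibling remediations in this series (enable_smartcards, offline_cred_expiration) pass `"$SSSD_CONF $SSSD_CONF_DIR/*.conf"` so a conflicting value in a drop-in is fixed too. If I read sssd's config merging correctly, a `memcache_timeout` set in `conf.d/*.conf` overrides sssd.conf, so this remediation can report success while the effective value stays wrong; change the first argument to `"$SSSD_CONF $SSSD_CONF_DIR/*.conf"`. The Ansible playbook for this rule has the same gap.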
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
index 2e033c641f34..fa6afae265f7 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -3,44 +3,33 @@
 # strategy = configure
 # complexity = low
 # disruption = medium
-- name: "Test for domain group"
- ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
- register: test_grep_domain
- failed_when: false
- changed_when: False
- check_mode: no
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_config(sssd_conf, sssd_conf_dir, rule_title) }}}
-- name: "Add default domain group (if no domain there)"
- community.general.ini_file:
- path: /etc/sssd/sssd.conf
- section: "{{ item.section }}"
- option: "{{ item.option }}"
- value: "{{ item.value }}"
- create: yes
- mode: 0600
- with_items:
- - { section: sssd, option: domains, value: default}
- - { section: domain/default, option: id_provider, value: files }
- when:
- - test_grep_domain.stdout is defined
- - test_grep_domain.stdout | length < 1
+{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}}
+- name: "{{{ rule_title }}} - Install sssd-proxy for default domain"
+ ansible.builtin.package:
+ name: sssd-proxy
+ state: present
+{{% endif %}}
 - name: "Configure SSD to Expire Offline Credentials"
 community.general.ini_file:
- dest: /etc/sssd/sssd.conf
+ dest: {{{ sssd_conf }}}
 section: pam
 option: offline_credentials_expiration
 value: 1
 create: yes
 mode: 0600
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside {{{ sssd_conf_dir }}}
 ansible.builtin.find:
- paths: "/etc/sssd/conf.d/"
+ paths: "{{{ sssd_conf_dir }}}"
 patterns: "*.conf"
 register: sssd_conf_d_files
-- name: Fix offline_credentials_expiration configuration in /etc/sssd/conf.d/
+- name: Fix offline_credentials_expiration configuration in {{{ sssd_conf_dir }}}
 ansible.builtin.replace:
 path: "{{ item.path }}"
 regexp: '[^#]*offline_credentials_expiration.*'
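Review bot: The `Install sssd-proxy for default domain` task under the new `{{% if product in ["fedora"] ... %}}` duplicates the product condition that `ansible_sssd_ensure_default_config` uses internally to choose `id_provider = proxy`, and the same three-line preamble plus package task is repeated in sssd_ssh_known_hosts_timeout/ansible/shared.yml. Placing that package task inside the macro next to its own `{{% if %}}` would let the two conditions be edited together, so no caller can end up with a proxy domain and no provider package. As a smaller point, `dest: {{{ sssd_conf }}}` is the only unquoted rendered path in this hunk while `paths: "{{{ sssd_conf_dir }}}"` below quotes its value; writing `dest: "{{{ sssd_conf }}}"` keeps the style uniform and stays safe if the path ever contains a YAML-significant character.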
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh
index 56f331125679..7312ca6b3bcf 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh
@@ -9,6 +9,13 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
-{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "pam", "offline_credentials_expiration", "1") }}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}}
+{{{ bash_package_install("sssd-proxy") }}}
+{{% endif %}}
+
+{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "pam", "offline_credentials_expiration", "1") }}}
 umask $OLD_UMASK
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/cache_credentials_false.pass.sh b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/cache_credentials_false.pass.sh
index 7bf7526b9890..af8e4fb8a8a1 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/cache_credentials_false.pass.sh
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/cache_credentials_false.pass.sh
@@ -4,6 +4,5 @@
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8
 source common.sh
-echo -e "[pam]\noffline_credentials_expiration = 2" >> $SSSD_CONF
-
-echo -e "[domain/EXAMPLE]\ncache_credentials = false" >> $SSSD_CONF
+{{{ bash_ensure_ini_config("$SSSD_CONF", "pam", "offline_credentials_expiration", "2") }}}
+{{{ bash_ensure_ini_config("$SSSD_CONF", "domain/EXAMPLE", "cache_credentials", "false") }}}
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value.pass.sh
index e0a0d2bf345d..bd91f8f9d4e4 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value.pass.sh
@@ -3,6 +3,5 @@ source common.sh
-echo -e "[pam]\noffline_credentials_expiration = 1" >> $SSSD_CONF
-
-echo -e "[domain/EXAMPLE]\ncache_credentials = true" >> $SSSD_CONF
+{{{ bash_ensure_ini_config("$SSSD_CONF", "pam", "offline_credentials_expiration", "1") }}}
+{{{ bash_ensure_ini_config("$SSSD_CONF", "domain/EXAMPLE", "cache_credentials", "true") }}}
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value_conf_d.pass.sh b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value_conf_d.pass.sh
index 6c41a9f1a3b5..b25e0a5db2cb 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value_conf_d.pass.sh
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value_conf_d.pass.sh
@@ -7,7 +7,6 @@ source common.sh
 SSSD_CONF_D_FILE="/etc/sssd/conf.d/unused.conf"
+{{{ bash_ensure_ini_config("$SSSD_CONF_D_FILE", "pam", "offline_credentials_expiration", "1") }}}
-echo -e "[pam]\noffline_credentials_expiration = 1" >> $SSSD_CONF_D_FILE
-
-echo -e "[domain/EXAMPLE]\ncache_credentials = true" >> $SSSD_CONF
+{{{ bash_ensure_ini_config("$SSSD_CONF", "domain/EXAMPLE", "cache_credentials", "true") }}}
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value_dropin.pass.sh b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value_dropin.pass.sh
index 88eb4681ad17..9e3415b2a0e5 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value_dropin.pass.sh
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value_dropin.pass.sh
@@ -8,6 +8,5 @@ source common.sh
 export SSSD_CONF=/etc/sssd/conf.d/cac.conf
-echo -e "[pam]\noffline_credentials_expiration = 1" >> $SSSD_CONF
-
-echo -e "[domain/EXAMPLE]\ncache_credentials = true" >> $SSSD_CONF
+{{{ bash_ensure_ini_config("$SSSD_CONF", "pam", "offline_credentials_expiration", "1") }}}
+{{{ bash_ensure_ini_config("$SSSD_CONF", "domain/EXAMPLE", "cache_credentials", "true") }}}
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/wrong_value.fail.sh b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/wrong_value.fail.sh
index 1abb9bf19767..c9a40eb51100 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/wrong_value.fail.sh
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/wrong_value.fail.sh
@@ -3,6 +3,5 @@ source common.sh
-echo -e "[pam]\noffline_credentials_expiration = 0" >> $SSSD_CONF
-
-echo -e "[domain/EXAMPLE]\ncache_credentials = true" >> $SSSD_CONF
+{{{ bash_ensure_ini_config("$SSSD_CONF", "pam", "offline_credentials_expiration", "0") }}}
+{{{ bash_ensure_ini_config("$SSSD_CONF", "domain/EXAMPLE", "cache_credentials", "true") }}}
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/wrong_value_conf_d.fail.sh b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/wrong_value_conf_d.fail.sh
index eab3590a95f1..1dc7b5b25404 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/wrong_value_conf_d.fail.sh
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/wrong_value_conf_d.fail.sh
@@ -8,6 +8,5 @@ source common.sh
 SSSD_CONF_D_FILE="/etc/sssd/conf.d/unused.conf"
-echo -e "[pam]\noffline_credentials_expiration = 0" >> $SSSD_CONF_D_FILE
-
-echo -e "[domain/EXAMPLE]\ncache_credentials = true" >> $SSSD_CONF
+{{{ bash_ensure_ini_config("$SSSD_CONF_D_FILE", "pam", "offline_credentials_expiration", "0") }}}
+{{{ bash_ensure_ini_config("$SSSD_CONF", "domain/EXAMPLE", "cache_credentials", "true") }}}
diff --git a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh
index 4c619f87c82c..13839f05b06a 100644
--- a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh
@@ -1,12 +1,19 @@
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
-MAIN_CONF="/etc/sssd/conf.d/ospp.conf"
-
 # sssd configuration files must be created with 600 permissions if they don't exist
 # otherwise the sssd module fails to start
 OLD_UMASK=$(umask)
 umask u=rw,go=
-{{{ bash_ensure_ini_config("$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "sssd", "user", "sssd") }}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}}
+{{{ bash_package_install("sssd-proxy") }}}
+{{% endif %}}
+
+MAIN_CONF="$SSSD_CONF_DIR/ospp.conf"
+
+{{{ bash_ensure_ini_config("$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf", "sssd", "user", "sssd", remove_wrong_entries=true) }}}
 umask $OLD_UMASK
diff --git a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/tests/correct_value.pass.sh
index 328b273baefa..c8b1eeeba85c 100644
--- a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/tests/correct_value.pass.sh
@@ -5,6 +5,4 @@
 # We will configure user to be sssd
 systemctl enable sssd
-mkdir -p /etc/sssd/conf.d
-echo -e "[sssd]\nuser = sssd" >> /etc/sssd/conf.d/ospp.conf
-chmod 600 /etc/sssd/conf.d/ospp.conf
+{{{ bash_ensure_ini_config("/etc/sssd/conf.d/ospp.conf", "sssd", "user", "sssd") }}}
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index e0ac1cb3a92b..0b87f4a1df56 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
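Review bot: The explicit `chmod 600 /etc/sssd/conf.d/ospp.conf` is dropped together with the `echo`, and nothing in the replacement line sets a mode; unless `bash_ensure_ini_config` creates the drop-in with a restrictive mode (its file-creation path is not visible here), ospp.conf is now created under the test's default umask. The bash remediation for this rule states that sssd config files must be created with 600 permissions or sssd fails to start, so if this pass test depends on sssd actually starting the mode matters. Keep `chmod 600 /etc/sssd/conf.d/ospp.conf` after the macro call, or set `umask u=rw,go=` before it as the remediation does.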
@@ -5,31 +5,20 @@
 # disruption = medium
 {{{ ansible_instantiate_variables("var_sssd_ssh_known_hosts_timeout") }}}
-- name: "Test for domain group"
- ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
- register: test_grep_domain
- failed_when: false
- changed_when: False
- check_mode: no
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_config(sssd_conf, sssd_conf_dir, rule_title) }}}
-- name: "Add default domain group (if no domain there)"
- community.general.ini_file:
- path: /etc/sssd/sssd.conf
- section: "{{ item.section }}"
- option: "{{ item.option }}"
- value: "{{ item.value }}"
- create: yes
- mode: 0600
- with_items:
- - { section: sssd, option: domains, value: default}
- - { section: domain/default, option: id_provider, value: files }
- when:
- - test_grep_domain.stdout is defined
- - test_grep_domain.stdout | length < 1
+{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}}
+- name: "{{{ rule_title }}} - Install sssd-proxy for default domain"
+ ansible.builtin.package:
+ name: sssd-proxy
+ state: present
+{{% endif %}}
 - name: "Configure SSSD to Expire SSH Known Hosts"
 community.general.ini_file:
- dest: /etc/sssd/sssd.conf
+ dest: {{{ sssd_conf }}}
 section: ssh
 option: ssh_known_hosts_timeout
 value: "{{ var_sssd_ssh_known_hosts_timeout }}"
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
index 01254fa6f799..93fa193af6e6 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
@@ -7,6 +7,13 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
-{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "ssh", "ssh_known_hosts_timeout", "$var_sssd_ssh_known_hosts_timeout") }}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}}
+{{{ bash_package_install("sssd-proxy") }}}
+{{% endif %}}
+
+{{{ bash_ensure_ini_config("$SSSD_CONF", "ssh", "ssh_known_hosts_timeout", "$var_sssd_ssh_known_hosts_timeout") }}}
 umask $OLD_UMASK
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/tests/correct_value.pass.sh
index 7cd6bdbb5449..da1f93f14525 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/tests/correct_value.pass.sh
@@ -7,6 +7,4 @@ SSSD_CONF="/etc/sssd/sssd.conf"
 TIMEOUT="180"
 systemctl enable sssd
-mkdir -p /etc/sssd
-touch $SSSD_CONF
-echo -e "[ssh]\nssh_known_hosts_timeout = $TIMEOUT" >> $SSSD_CONF
+{{{ bash_ensure_ini_config("$SSSD_CONF", "ssh", "ssh_known_hosts_timeout", "$TIMEOUT") }}}
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/tests/wrong_value.fail.sh b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/tests/wrong_value.fail.sh
index 857f6393cc56..85ed7c1840a9 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/tests/wrong_value.fail.sh
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/tests/wrong_value.fail.sh
@@ -8,6 +8,4 @@ SSSD_CONF="/etc/sssd/sssd.conf"
 TIMEOUT="99999"
 systemctl enable sssd
-mkdir -p /etc/sssd
-touch $SSSD_CONF
-echo -e "[ssh]\nssh_known_hosts_timeout = $TIMEOUT" >> $SSSD_CONF
+{{{ bash_ensure_ini_config("$SSSD_CONF", "ssh", "ssh_known_hosts_timeout", "$TIMEOUT") }}}
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 4ef924893f5f..5a92133e46dd 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -806,6 +806,62 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 {{%- endmacro %}}
+{{#
+ Ensure a default domain is configured in sssd.conf so that sssd can start
+
+:param sssd_conf: Path to the main sssd configuration file
+:type sssd_conf: str
+:param sssd_conf_dir: Path to the sssd conf.d drop-in directory
+:type sssd_conf_dir: str
+:param rule_title: Rule title used as prefix in Ansible task names
+:type rule_title: str
+#}}
+{{% macro ansible_sssd_ensure_default_config(sssd_conf, sssd_conf_dir, rule_title) -%}}
+- name: "{{{ rule_title }}} - Ensure sssd config directory exists"
+ ansible.builtin.file:
+ path: "{{{ sssd_conf.rsplit('/', 1)[0] }}}"
+ state: directory
+ mode: '0755'
+
+- name: "{{{ rule_title }}} - Test for domain group in main config"
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' {{{ sssd_conf }}}
+ register: test_grep_domain
+ failed_when: false
+ changed_when: false
+ check_mode: false
+
+- name: "{{{ rule_title }}} - Test for domain group in conf.d"
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' {{{ sssd_conf_dir }}}/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+
+- name: "{{{ rule_title }}} - Add default domain group (if no domain there)"
+ community.general.ini_file:
+ path: {{{ sssd_conf }}}
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ create: true
+ mode: 0600
+ with_items:
+ - { section: sssd, option: domains, value: default}
+{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}}
+ - { section: domain/default, option: id_provider, value: proxy }
+ - { section: domain/default, option: proxy_lib_name, value: files }
+ - { section: domain/default, option: local_auth_policy, value: only }
+{{% else %}}
+ - { section: domain/default, option: id_provider, value: files }
+{{% endif %}}
+ when:
+ - test_grep_domain.stdout is defined
+ - test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
+{{%- endmacro %}}
+
+
 {{% macro ansible_ini_file_set(filename, section, key, value, description="", no_extra_spaces=False) -%}}
 - name: "{{{ description if description else ("Set '" + key + "' to '" + value + "' in the [" + section + "] section of '" + filename + "'") }}}"
 community.general.ini_file:
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 49ad72ecbb40..2fc5e3894c25 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -1515,6 +1515,36 @@ done
 {{%- endmacro %}}
+{{#
+ Ensure a default domain is configured in sssd.conf so that sssd can start
+
+:param sssd_conf: main sssd configuration file
+:type sssd_conf: str
+:param sssd_conf_dir: sssd conf.d drop-in directory
+:type sssd_conf_dir: str
+#}}
+{{% macro bash_sssd_ensure_default_config(sssd_conf, sssd_conf_dir) -%}}
+mkdir -p "$(dirname "{{{ sssd_conf }}}")"
+if [ ! -f "{{{ sssd_conf }}}" ]; then
+ touch "{{{ sssd_conf }}}"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "{{{ sssd_conf }}}" "{{{ sssd_conf_dir }}}"/*.conf 2>/dev/null; then
+ {{{ bash_ensure_ini_config(sssd_conf, "sssd", "domains", "default") }}}
+ cat >> "{{{ sssd_conf }}}" << EOF
+
+[domain/default]
+{{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) -%}}
+id_provider = proxy
+proxy_lib_name = files
+local_auth_policy = only
+{{% else -%}}
+id_provider = files
+{{% endif -%}}
+EOF
+fi
+{{%- endmacro %}}
+
+
 {{# Check whether or not a package is installed. #}}
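Review bot: The new `{{# … #}}` doc block for `ansible_sssd_ensure_default_config` documents the three parameters but not that, on the products matched by its `{{% if product in ["fedora"] ... %}}`, the default domain is written with `id_provider = proxy` and the caller is expected to install sssd-proxy itself, which is what every caller in this change does with a separate task; a future caller that omits it gets a domain whose provider package may be missing. Add a line such as `Callers must install sssd-proxy on products where this macro selects id_provider = proxy.` to the header. In the "Test for domain group in conf.d" task, `-r` and `2>/dev/null` are redundant with the explicit file arguments and `-s`; `ansible.builtin.shell: grep -s '^\s*\[domain\/[^]]*]' {{{ sssd_conf_dir }}}/*.conf` behaves the same and is easier to read.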
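Review bot: `touch "{{{ sssd_conf }}}"` creates the main config with the caller's current umask and the macro never sets a mode itself; the four bash remediations in this change call it after `umask u=rw,go=` and tests/common.sh chmods afterwards, but the new `{{# … #}}` header does not state that contract, and the comment in sssd_run_as_sssd_user/bash/shared.sh says a config file created without 600 permissions stops sssd from starting. Add to the header: `The config file is created under the caller's umask; set umask u=rw,go= before calling (or chmod afterwards), otherwise sssd may refuse to start.` Separately, in `grep -qsrP '^\s*\[domain\/[^]]*]' …`, `-r` does nothing with explicit file arguments and `-P` ties the macro to a PCRE-enabled GNU grep, while `grep -qsE '^[[:space:]]*\[domain/[^]]*]'` expresses the same match portably.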
@@ -2266,9 +2296,11 @@ Example macro invocation(s)::
 :type key: str
 :param value: value
 :type value: str
+:param remove_wrong_entries: if true, remove entries in [section] where key has a different value
+:type remove_wrong_entries: bool
 #}}
-{{% macro bash_ensure_ini_config(files, section, key, value, no_quotes=true) -%}}
+{{% macro bash_ensure_ini_config(files, section, key, value, no_quotes=true, remove_wrong_entries=false) -%}}
 found=false
 # set value in all files if they contain section or key
@@ -2298,6 +2330,15 @@ for f in $(echo -n "{{{ files }}}"); do
 {{% endif %}}
 found=true
 fi
+
+{{% if remove_wrong_entries %}}
+ # within [{{{ section }}}], remove entries where {{{ key }}} has wrong value
+{{% if no_quotes %}}
+ sed -i "/^[[:space:]]*\[{{{ section }}}\]/,/^[[:space:]]*\[/{/^[[:space:]]*{{{ key }}}[[:blank:]]*=/{ /=[[:blank:]]*{{{ value | replace("/", "\/") }}}/!d }}" "$f"
+{{% else %}}
+ sed -i '/^[[:space:]]*\[{{{ section }}}\]/,/^[[:space:]]*\[/{/^[[:space:]]*{{{ key }}}[[:blank:]]*=/{ /=[[:blank:]]*"{{{ value | replace("/", "\/") }}}"/!d }}' "$f"
+{{% endif %}}
+{{% endif %}}
 done
 # if section not in any file, append section with key = value to FIRST file in files parameter
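Review bot: In the two new `sed -i` lines, `{{{ section }}}` and `{{{ key }}}` are interpolated into the sed address and key pattern unescaped, while only `{{{ value }}}` gets `replace("/", "\/")`; a section such as `domain/EXAMPLE` (used by the test files earlier in this change) would close the `/…/` address at its slash and most likely make sed reject the script, and a regex metacharacter in the key would be interpreted rather than matched. The only caller here passes `sssd` / `user`, so it works today; either escape section and key the same way as value, or record the restriction in the new `:param remove_wrong_entries:` line of the previous hunk, e.g. `section and key are used unescaped in a sed regex and must not contain '/' or regex metacharacters`. The keep pattern `/=[[:blank:]]*{{{ value }}}/!d` also has no end anchor, so a constructed line like `user = sssd2` counts as correct and is kept; appending `[[:blank:]]*$` to that pattern in the no_quotes branch would remove such lines too. The enclosing `for f in …` loop starts outside the hunk.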