debops.sssd default variables

APT packages

sssd__base_packages

List of APT packages required for LDAP lookups via NSS and PAM.

sssd__base_packages:
  - [ 'sssd', 'libnss-sss', 'libsss-sudo', 'libpam-sss' ]
sssd__packages

List of additional APT packages to install with sssd package.

sssd__packages: []

UNIX environment

sssd__mkhomedir_umask

Default umask for new home directories created by the pam_mkhomedir PAM module.

sssd__mkhomedir_umask: '{{ ansible_local.core.homedir_umask | d("0027") }}'

LDAP environment

sssd__ldap_enabled

Enable or disable integration with the LDAP directory. The integration is enabled automatically when the debops.ldap environment is configured on the host.

sssd__ldap_enabled: '{{ ansible_local.ldap.enabled
                        if (ansible_local | d() and ansible_local.ldap | d() and
                            ansible_local.ldap.enabled is defined)
                        else False }}'
sssd__ldap_base_dn

The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, /etc/sssd/sssd.conf configuration file will not be generated.

sssd__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
sssd__ldap_device_dn

The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the sssd service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.

sssd__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
sssd__ldap_self_rdn

The Relative Distinguished Name of the account LDAP object used by the sssd service to access the LDAP directory.

sssd__ldap_self_rdn: 'uid=sssd'
sssd__ldap_self_object_classes

List of the LDAP object classes which will be used to create the LDAP object used by the sssd service to access the LDAP directory.

sssd__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
sssd__ldap_self_attributes

YAML dictionary that defines the attributes of the LDAP object used by the sssd service to access the LDAP directory.

sssd__ldap_self_attributes:
  uid: '{{ sssd__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ sssd__ldap_bindpw }}'
  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
  description: 'Account used by the "sssd" service to access the LDAP directory'
sssd__ldap_binddn

The Distinguished Name of the account LDAP object used by the sssd service to bind to the LDAP directory.

sssd__ldap_binddn: '{{ ([sssd__ldap_self_rdn] + sssd__ldap_device_dn) | join(",") }}'
sssd__ldap_bindpw

The password stored in the account LDAP object used by the sssd service to bind to the LDAP directory.

sssd__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                               + sssd__ldap_binddn | to_uuid + ".password length=32"))
                       if sssd__ldap_enabled | bool
                       else "" }}'
sssd__ldap_posix_urns

List of LDAP search filters which are derived from URN-like patterns defined for a given host in the debops.ldap role. See Host-based access control for more details.

sssd__ldap_posix_urns: '{{ (ansible_local.ldap.urn_patterns
                            if (ansible_local.ldap.urn_patterns | d())
                            else [])
                           | map("regex_replace", "^(.*)$", "(host=posix:urn:\1)")
                           | list }}'
sssd__ldap_host_filter

The LDAP filter used in passwd and group filters to control the access to UNIX environment on specific hosts or domains.

sssd__ldap_host_filter: '(|
                           (host=posix:all)
                           (host=posix:{{ ansible_fqdn }})
                           (host=posix:\2a.{{ ansible_domain }})
                           {{ sssd__ldap_posix_urns | join(" ") }}
                         )'

Service configuration

These variables define the contents of the /etc/sssd/sssd.conf configuration file. See sssd__configuration for more details, and sssd.conf(5) together with the service-specific man pages (such as sssd-ldap(5) and sssd-krb5(5)) for possible configuration parameters.

sssd__default_configuration

The default sssd configuration options defined by the role.

sssd__default_configuration:

  - section: 'sssd'
    title: 'Global directives'
    options:

      - name: 'config_file_version'
        comment: 'Indicates the syntax of the config file, SSSD 0.6.0 and later uses version 2'
        value: 2

      - name: 'domains'
        comment: 'A domain is a label for a source of user information, sssd supports multiple domains'
        value: 'default'

      - name: 'services'
        comment: 'Services to offer (nss, pam, sudo, autofs, ssh, pac, ifp)'
        value: [ 'nss', 'pam', 'sudo', 'ssh' ]
        state: '{{ "present" if ansible_distribution_release in ["stretch", "buster", "bionic"] else "ignore" }}'

      - name: 'debug_level'
        comment: |
          Note that debug level is a bitmap and only applies to a given section
          of the config file, so you might want to set it in other sections as
          well if you want to enable debugging (see sssd.conf(5)).
        value: '0x0770'
        state: 'comment'

  - section: 'nss'
    title: 'Name Service Switch directives'
    options:

      - name: 'filter_users'
        comment: 'Users which should be excluded from being fetched via sss (default: root)'
        value: 'root'
        state: 'comment'

      - name: 'filter_groups'
        comment: 'Groups which should be excluded from being fetched via sss (default: root)'
        value: 'root'
        state: 'comment'

  - section: 'pam'
    title: 'Pluggable Authentication Modules directives'
    options:

      - name: 'offline_credentials_expiration'
        comment: 'How long should offline logins be allowed (in days since last successful online login, default: 0 - no limit)'
        value: 0
        state: 'comment'

      - name: 'offline_failed_login_attempts'
        comment: 'How many failed offline login attempts are allowed'
        value: 5

      - name: 'offline_failed_login_delay'
        comment: 'Delay (in minutes) between login attempts after offline_failed_login_attempts has been reached'
        value: 1

  - section: 'sudo'
    title: 'Sudo directives'
    options:

      - name: 'sudo_timed'
        comment: 'Whether to evaluate the sudoNotBefore and sudoNotAfter attributes'
        value: False
        state: 'comment'

  - section: 'ssh'
    title: 'Secure SHell directives'
    options:

      - name: 'ssh_hash_known_hosts'
        comment: 'Whether to hash the managed known_hosts file'
        value: True
        state: 'comment'

      - name: 'ssh_known_hosts_timeout'
        comment: 'How many seconds to keep a host in the managed known_hosts file'
        value: 180
        state: 'comment'

  - section: 'domain/default'
    title: 'Default domain directives'
    options:

      - name: 'id_provider'
        comment: |
          The identification provider to use for the domain. Possible providers
          include e.g. ldap, ipa and ad (see the corresponding sssd-* man pages).
        value: 'ldap'

      - name: 'auth_provider'
        comment: |
          The authentication provider to use for the domain. Possible providers
          include e.g. ldap, krb5, ipa and ad (see the corresponding sssd-* man
          pages).
        value: 'ldap'

      - name: 'chpass_provider'
        comment: |
          The password change provider to use for the domain. Possible providers
          include e.g. ldap, krb5, ipa and ad (see the corresponding sssd-* man
          pages).
        value: 'ldap'

      - name: 'sudo_provider'
        comment: |
          The SUDO rules provider to use for the domain. Possible providers
          include e.g. ldap, ipa and ad (see the corresponding sssd-* man
          pages).
        value: 'ldap'

      - name: 'access_provider'
        comment: |
          The access control provider to use for the domain. Possible providers
          include e.g. permit, deny, ldap, ipa, ad and simple (see the
          corresponding sssd-* man pages).
        value: 'ldap'

      - name: 'ldap_access_order'
        comment: |
          SSSD has builtin support for checking authorizedServices and host
          attributes, but it looks for "*" rather than "all" or "posix:all"
          as in DebOps, and it also only checks the attributes for posixAccount
          and not posixGroup entries, therefore the authorized_service and host
          checks cannot be enabled by default.
        value: 'pwd_expire_policy_renew'

      - name: 'ldap_uri'
        comment: 'The location at which the LDAP server(s) should be reachable.'
        value: '{{ ansible_local.ldap.uri | d("") }}'

      - name: 'ldap_default_bind_dn'
        comment: 'The DN to bind with for normal lookups.'
        value: '{{ sssd__ldap_binddn }}'

      - name: 'ldap_default_authtok'
        value: '{{ sssd__ldap_bindpw }}'

      - name: 'ldap_schema'
        comment: 'Specifies the schema used on the LDAP server (rfc2307, rfc2307bis, ipa, ad)'
        value: 'rfc2307bis'

      - name: 'ldap_pwd_policy'
        comment: |
          Which policy should be used to evaluate password expiration
          (none, shadow, mit_kerberos). Note that if you enable this, users
          without shadowAccount attributes *will* be denied access.
        value: 'shadow'
        state: 'comment'

      - name: 'ldap_connection_expire_timeout'
        comment: |
          The idle timelimit for connections with the LDAP server. This should be
          lower than the server's olcIdleTimeout (default: 900).
        value: 600

      - name: 'min_id'
        comment: |
          First valid UID/GID number expected to be in the LDAP directory.
          UIDs/GIDs lower than this value will be ignored.
        value: '{{ ansible_local.ldap.uid_gid_min | d("10000") }}'

      - name: 'max_id'
        comment: |
          Last valid UID/GID number expected to be in the LDAP directory.
          UIDs/GIDs higher than this value will be ignored (0 = no limit).
        value: '{{ ansible_local.ldap.uid_gid_max | d("0") }}'

      - name: 'cache_credentials'
        comment: |
          Whether user credentials should also be cached (in hashed form) in a
          local cache in order to allow offline logins (see also the
          "offline_credentials_expiration" parameter in the [pam] section).
        value: True

      - name: 'enumerate'
        comment: |
          Enumeration means that sssd will download and cache ALL users and
          groups from the remote server. This means that they will be available
          in case of sudden network outages, etc, but is not suitable for
          large environments.
        value: False

      - name: 'ldap_enumeration_refresh_timeout'
        comment: 'Specifies how often re-enumeration should be performed (in seconds).'
        value: 300

      - name: 'ldap_id_use_start_tls'
        comment: 'SSL options'
        value: '{{ True
                  if (ansible_local | d() and ansible_local.ldap | d() and
                      (ansible_local.ldap.start_tls | d()) | bool)
                  else False }}'

      - name: 'ldap_tls_reqcert'
        value: 'demand'

      - name: 'ldap_tls_cacert'
        value: '/etc/ssl/certs/ca-certificates.crt'

      - name: 'ldap_group_name'
        comment: |
          Use the 'gid' attribute instead of 'cn' as the POSIX group name.
        value: 'gid'

      - name: 'ldap_search_base'
        comment: |
          The search base that will be used for queries. "ldap_search_base"
          defines the default search base which will be used unless a more
          specific "ldap_*_search_base" has been defined.
          Format: search_base[?scope?[filter][?search_base?scope?[filter]]*]
        value: '{{ sssd__ldap_base_dn | join(",") }}'

      - name: 'ldap_user_search_base'
        value: '{{ sssd__ldap_base_dn | join(",") + "?subtree?" + sssd__ldap_host_filter }}'

      - name: 'ldap_group_search_base'
        value: '{{ sssd__ldap_base_dn | join(",") + "?subtree?" + sssd__ldap_host_filter }}'

      - name: 'ldap_sudo_search_base'
        value: '{{ sssd__ldap_base_dn | join(",") + "?subtree?" + "" }}'
        state: 'comment'
sssd__configuration

The sssd configuration options defined on all hosts in the Ansible inventory.

sssd__configuration: []
sssd__group_configuration

The sssd configuration options defined on hosts in a specific Ansible inventory group.

sssd__group_configuration: []
sssd__host_configuration

The sssd configuration options defined on specific hosts in the Ansible inventory.

sssd__host_configuration: []
sssd__combined_configuration

The variable that combines other sssd configuration options and is used in the role template.

sssd__combined_configuration: '{{ sssd__default_configuration
                                   + sssd__configuration
                                   + sssd__group_configuration
                                   + sssd__host_configuration }}'

Configuration for other Ansible roles

sssd__ldap__dependent_tasks

Configuration for the debops.ldap Ansible role.

sssd__ldap__dependent_tasks:

  - name: 'Create sssd account for {{ sssd__ldap_device_dn | join(",") }}'
    dn: '{{ sssd__ldap_binddn }}'
    objectClass: '{{ sssd__ldap_self_object_classes }}'
    attributes: '{{ sssd__ldap_self_attributes }}'
    no_log: '{{ debops__no_log | d(True) }}'
    state: '{{ "present"
               if ((ansible_local.ldap.posix_enabled | d()) | bool and
                   sssd__ldap_device_dn | d())
               else "ignore" }}'
sssd__nsswitch__dependent_services

Configuration for the debops.nsswitch Ansible role.

sssd__nsswitch__dependent_services: [ 'sss' ]