Getting started

Example inventory
To enable the sssd service on a host, you need to add it to the [debops_service_sssd] Ansible inventory group. The host should also be configured with base LDAP support via the debops.ldap role (see its documentation for more details):

[debops_service_ldap]
hostname

[debops_service_sssd]
hostname

A common case is configuring LDAP authentication across an entire cluster of hosts. You can enable the debops.sssd role on all DebOps hosts in the Ansible inventory at once:

[debops_all_hosts]
hostname1
hostname2

[debops_service_sssd:children]
debops_all_hosts

The sssd service can also be installed and configured by other playbooks, for example bootstrap-sss.yml. In such cases the custom playbook will configure the sssd service on a host, but the role playbook will not work on a host automatically; you will have to include that host in the [debops_service_sssd] Ansible inventory group via one of the methods above to be able to change the service configuration.
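
A pre-flight check for the inventory layouts above, added here as an example (it is not part of DebOps or its documentation): it expands [debops_service_sssd], including :children groups, and lists hosts that are missing from [debops_service_ldap]. It assumes LDAP support is assigned through that inventory group as in the first example; the function names and the sample inventory are constructed for illustration.

```python
import re

# Constructed sample inventory; host names are made up for this example.
SAMPLE_INVENTORY = """\
[debops_all_hosts]
web1 ansible_host=192.0.2.10
db1
[debops_service_ldap]
web1
[debops_service_sssd:children]
debops_all_hosts
"""

def parse_inventory(text):
    """Return (hosts, children): dicts mapping group name -> set of members."""
    hosts, children, target = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[([^\]:]+)(?::(\w+))?\]", line)
        if header:
            group, kind = header.groups()
            hosts.setdefault(group, set())
            children.setdefault(group, set())
            # ":vars" sections hold variables, not members, so target is None.
            section = {None: hosts, "children": children}.get(kind)
            target = section[group] if section is not None else None
        elif line and target is not None:
            target.add(line.split()[0])  # drop inline host variables
    return hosts, children

def members(group, hosts, children, seen=None):
    """Expand a group to its hosts, following :children (cycle-safe)."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    found = set(hosts.get(group, ()))
    for child in children.get(group, ()):
        found |= members(child, hosts, children, seen)
    return found

def sssd_hosts_without_ldap(text):
    """Hosts the sssd play would target that are not in debops_service_ldap."""
    hosts, children = parse_inventory(text)
    sssd = members("debops_service_sssd", hosts, children)
    return sorted(sssd - members("debops_service_ldap", hosts, children))

if __name__ == "__main__":
    print(sssd_hosts_without_ldap(SAMPLE_INVENTORY))
```

An empty list means every host targeted by the sssd play is also in the LDAP group.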

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.sssd role:

---
# SPDX-License-Identifier: GPL-3.0-only

- name: Manage sssd service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_sssd' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  roles:

    - role: python
      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
      python__dependent_packages3:
        - '{{ ldap__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ ldap__python__dependent_packages2 }}'

    - role: ldap
      tags: [ 'role::ldap', 'skip::ldap' ]
      ldap__dependent_tasks:
        - '{{ sssd__ldap__dependent_tasks }}'

    - role: sssd
      tags: [ 'role::sssd', 'skip::sssd' ]

    - role: nsswitch
      tags: [ 'role::nsswitch', 'skip::nsswitch' ]
      nsswitch__dependent_services:
        - '{{ sssd__nsswitch__dependent_services }}'

Ansible tags

You can use the Ansible --tags or --skip-tags parameters to limit what tasks are performed during an Ansible run. This can be used after a host is first configured to speed up playbook execution, when you are sure that most of the configuration has not been changed.

Available role tags:

role::sssd
    Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.

Other resources

List of other useful resources related to the debops.sssd Ansible role:

- Manual pages: sssd.conf(5) (and subsystem man pages such as sssd-ldap(5) and sssd-krb5(5))
- The website of the SSSD Project
- LDAP support in DebOps: client-side, server-side
- Configuring SSSD in the Red Hat Enterprise Linux 7 Guide
- Understanding SSSD in the Red Hat Enterprise Linux 8 Guide
- LDAP authentication documentation in the Arch Wiki
- Debian LDAP Portal page in the Debian Wiki