Getting started¶
Support for libuser
library¶
The role uses the libuser
library, supported by the group
and user
Ansible modules, to manage the UNIX groups and accounts present on the hosts.
The library is used to ensure that the groups and accounts created locally on
the host that uses the LDAP directory as the user/group database have UID/GID
values in the correct ranges, thus avoiding collisions with the LDAP directory
UID/GID ranges. Without the libuser
these local groups and accounts would
be created in the LDAP UID/GID ranges, since the normal UNIX user management
tools pick the next UID/GID based on the contents of the getent
output, and
not from the local user and group databases.
This behaviour can be controlled using the item.local
parameter, which by
default is enabled and shouldn't be specified directly unless you want to
override the use of the libuser
library for some reason. Due to issues with
the Ansible modules, additional UNIX groups are managed using normal UNIX tools
instead of their libuser
equivalents.
LDAP integration¶
The role checks if the LDAP support has been configured on a host, via the
debops.ldap. If LDAP support is enabled, local UNIX groups, local UNIX
accounts and their home directory names will have the _
prefix prepended to
them, to avoid clashes with the LDAP-based groups and accounts. This is
controlled by the system_users__prefix
variable.
LDAP support also affects the default home directory paths. By default home
directories will be put in /home
; with LDAP support enabled that will
change to /var/local
, to avoid clashes with remote filesystems that
might be mounted at the /home
path, for example via NFS.
Example inventory¶
The debops.system_users
Ansible role is included by default in the
common.yml
DebOps playbook; you don't need to do anything to have it
executed. It's also included in the bootstrap.yml
and
bootstrap-ldap.yml
playbooks to create sysadmin accounts during host
bootstrapping.
If you don’t want to let debops.system_users
manage user accounts, you can
disable it with the following setting in your inventory:
system_users__enabled: False
Example playbook¶
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.system_users
role:
---
- name: Manage local users and groups
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debops_all_hosts', 'debops_service_system_users' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: libuser
tags: [ 'role::libuser', 'skip::libuser' ]
- role: system_users
tags: [ 'role::system_users', 'skip::system_users' ]
Ansible tags¶
You can use Ansible --tags
or --skip-tags
parameters to limit what
tasks are performed during Ansible run. This can be used after host is first
configured to speed up playbook execution, when you are sure that most of the
configuration has not been changed.
Common role tags:
role::system_users
- Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.
skip::system_users
- Main role tag, should be used in the playbook to skip all of the role tasks.
skip::check
- Used in specific tasks that might break in the Ansible
--check
mode on first run of the role on a host, but not subsequent runs. It can be used to skip these tasks in such case.
You can see full list of available role tags by executing the command:
debops service/system_users --list-tags