Getting started
Support for libuser library
The role uses the libuser library, supported by the group and user
Ansible modules, to manage the UNIX groups and accounts present on the hosts.
The library ensures that groups and accounts created locally on a host
that uses the LDAP directory as its user/group database get UID/GID
values in the correct ranges, avoiding collisions with the LDAP directory
UID/GID ranges. Without libuser, these local groups and accounts would
be created in the LDAP UID/GID ranges, since the normal UNIX user management
tools pick the next UID/GID based on the contents of the getent output,
not on the local user and group databases.
This behaviour can be controlled using the item.local parameter, which by
default is enabled and shouldn't be specified directly unless you want to
override the use of the libuser library for some reason. Due to issues with
the Ansible modules, additional UNIX groups are managed using normal UNIX tools
instead of their libuser equivalents.
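A check for the collision described above, as an added example that is not part of the DebOps documentation or role code: it reads local passwd or group data directly (not the getent output) and lists entries whose UID/GID falls inside the directory's range. The range 10000-19999, the function names and the sample file are constructed assumptions.

```python
"""Audit local passwd/group data for IDs that fall inside a directory range."""

# Assumed directory range for illustration; replace it with the range your
# LDAP directory actually allocates UIDs/GIDs from.
DIRECTORY_ID_RANGE = (10000, 19999)


def parse_ids(text):
    """Yield (name, numeric_id) from passwd(5) or group(5) formatted text.

    In both formats the name is field 1 and the UID (passwd) or GID (group)
    is field 3. Blank lines, comments, NIS compat entries ('+'/'-') and
    malformed lines are skipped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        if not (fields[2].isascii() and fields[2].isdigit()):
            continue
        yield fields[0], int(fields[2])


def ids_in_directory_range(text, id_range=DIRECTORY_ID_RANGE):
    """Return local entries whose ID lies inside the directory range."""
    low, high = id_range
    return [(n, i) for n, i in parse_ids(text) if low <= i <= high]


# Constructed sample of a local /etc/passwd. 'backup-agent' stands for an
# account whose UID was picked from the merged getent view, not the local file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
# local service accounts
deploy:x:1001:1001::/home/deploy:/bin/bash
backup-agent:x:10042:10042::/var/lib/backup-agent:/usr/sbin/nologin
+::::::
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for name, num in ids_in_directory_range(SAMPLE_PASSWD):
        print(f"{name}: local ID {num} is inside the directory range")
```

Run it against the contents of /etc/passwd and /etc/group on a host rather than against getent output, so that only locally defined entries are evaluated.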
Example inventory
The debops.users Ansible role is included by default in the
common.yml DebOps playbook; you don't need to do anything to have it
executed.
If you don’t want to let debops.users manage user accounts, you can disable
it with the following setting in your inventory:
users__enabled: False
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.users role:
---

- name: Manage local users and groups
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_users' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  roles:

    - role: libuser
      tags: [ 'role::libuser', 'skip::libuser' ]

    - role: users
      tags: [ 'role::users', 'skip::users' ]