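---
# Configures PAM and SSSD after the IPA client installation. It is recommended
# that we use a custom authselect profile (custom/sssd-rocky) built on top of
# the stock sssd profile and extend it from there, rather than editing the
# distribution-provided profile in place.
#
# Features enabled when the profile is selected:
#   without-nullok  - reject accounts whose password field is empty
#   with-faillock   - lock accounts after repeated failures; the deny /
#                     unlock_time thresholds are read from
#                     /etc/security/faillock.conf and are NOT set here
#   with-mkhomedir  - create the home directory at first login (needs oddjobd)
#   with-sudo       - enable the sssd sudo integration in the profile
- name: Enterprise Linux 8+ PAM Configuration
  when:
    - ansible_facts['os_family'] == 'RedHat'
    - (ansible_facts['distribution'] == 'Rocky') or
      (ansible_facts['distribution'] == 'Fedora') or
      (ansible_facts['distribution'] == 'RedHat') or
      (ansible_facts['distribution'] == 'OracleLinux')
  block:
    # The custom profile is rebuilt from scratch on every run so that stale
    # symlinks or hand edits under the custom directory do not survive.
    - name: Ensure Custom Profile is removed
      ansible.builtin.file:
        path: /etc/authselect/custom/sssd-rocky
        state: absent

    # Everything except system-auth / password-auth stays a symlink to the
    # base sssd profile, so upstream fixes to those files still flow through.
    - name: Create custom authselect profile based on sssd
      ansible.builtin.command: >
        /usr/bin/authselect create-profile sssd-rocky
        --base-on sssd
        --symlink-dconf
        --symlink-meta
        --symlink=postlogin
        --symlink=smartcard-auth
        --symlink=fingerprint-auth
      changed_when: false

    # system-auth and password-auth are shipped as real files so the
    # distribution-specific template fully controls the auth/password stacks.
    # The same source file is written to both destinations. Fact names use
    # ansible_facts[...] to match the `when` condition above.
    - name: Override system-auth and password-auth
      ansible.builtin.copy:
        src: "etc/authselect/custom/sssd-rocky/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}-system-auth"
        dest: "{{ item }}"
        owner: root
        group: root
        mode: '0644'
      loop:
        - /etc/authselect/custom/sssd-rocky/system-auth
        - /etc/authselect/custom/sssd-rocky/password-auth

    # --force is needed because the profile was just recreated; without it
    # authselect refuses to overwrite /etc/pam.d files it does not recognise
    # as its own. This rewrites the live PAM stack.
    - name: Select New Profile
      ansible.builtin.command: >
        /usr/bin/authselect select custom/sssd-rocky
        without-nullok
        with-faillock
        with-mkhomedir
        with-sudo
        --force
      changed_when: false

    - name: Apply new settings
      ansible.builtin.command: /usr/bin/authselect apply-changes
      changed_when: false

    # Post-condition: fail loudly if the hardened profile is not actually the
    # active one, instead of leaving the host on an unknown PAM configuration.
    # Substring checks are used so both the human-readable and --raw output
    # formats of `authselect current` are accepted.
    - name: Read back the active authselect profile
      ansible.builtin.command: /usr/bin/authselect current
      register: authselect_current
      changed_when: false

    - name: Verify the hardened profile and features are active
      ansible.builtin.assert:
        that:
          - "'custom/sssd-rocky' in authselect_current.stdout"
          - "'without-nullok' in authselect_current.stdout"
          - "'with-faillock' in authselect_current.stdout"
        fail_msg: "authselect did not activate custom/sssd-rocky with without-nullok and with-faillock"

    # with-mkhomedir relies on pam_oddjob_mkhomedir, which needs oddjobd
    # running. The oddjob package itself is assumed to be installed already;
    # this task only manages the service.
    - name: Enable oddjobd
      ansible.builtin.service:
        name: oddjobd
        state: started
        enabled: true
...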