ansible-ops-management/tasks/authentication.yml

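---
# Configures PAM and SSSD post-ipa client installation. It is recommended that
# we use a custom authselect profile and build it out from there.
#
# authselect only ships on EL8+ and Fedora (EL7 uses authconfig); the
# major-version guard below keeps this block from running, and failing on a
# missing /usr/bin/authselect, on older hosts that still match os_family.
- name: Enterprise Linux 8+ PAM Configuration
  when:
    - ansible_facts['os_family'] == 'RedHat'
    - ansible_facts['distribution_major_version'] | int >= 8
    - (ansible_facts['distribution'] == 'Rocky') or
      (ansible_facts['distribution'] == 'Fedora') or
      (ansible_facts['distribution'] == 'RedHat') or
      (ansible_facts['distribution'] == 'OracleLinux')
  block:
    # The profile is removed and rebuilt on every run so a stale or tampered
    # copy is never selected; because of that the create/select/apply tasks
    # deliberately report changed_when: false.
    - name: Ensure Custom Profile is removed
      ansible.builtin.file:
        path: /etc/authselect/custom/sssd-rocky
        state: absent

    - name: Create custom authselect profile based on sssd
      ansible.builtin.command: >
        /usr/bin/authselect create-profile sssd-rocky
        --base-on sssd
        --symlink-dconf
        --symlink-meta
        --symlink=postlogin
        --symlink=smartcard-auth
        --symlink=fingerprint-auth
      changed_when: false

    # Both PAM stacks are replaced with the same per-distribution/major-version
    # template from the role's files directory; root-owned, world-readable is
    # the normal mode for files under /etc/authselect.
    - name: Override system-auth and password-auth
      ansible.builtin.copy:
        src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
        dest: "{{ item }}"
        owner: root
        group: root
        mode: '0644'
      loop:
        - /etc/authselect/custom/sssd-rocky/system-auth
        - /etc/authselect/custom/sssd-rocky/password-auth

    # without-nullok refuses empty passwords; with-faillock adds pam_faillock
    # lockout on repeated failures. --force lets authselect take over PAM and
    # nsswitch files it does not already manage.
    - name: Select New Profile
      ansible.builtin.command: >
        /usr/bin/authselect select custom/sssd-rocky
        without-nullok
        with-faillock
        with-mkhomedir
        with-sudo
        --force
      changed_when: false

    - name: Apply new settings
      ansible.builtin.command: /usr/bin/authselect apply-changes
      changed_when: false

    # with-mkhomedir relies on oddjobd to create home directories at login.
    - name: Enable oddjobd
      ansible.builtin.service:
        name: oddjobd
        state: started
        enabled: true
...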