mono-infrastructure/ansible/playbooks/tasks/authentication.yml

---
# Configures PAM and SSSD post-ipa client installation. It is recommended
# that we use a custom authselect profile and build it out from there.
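# Enterprise Linux 7: install one distribution-specific PAM stack file over
# both system-auth-ac and password-auth-ac. The same source file feeds both
# destinations, so both stacks carry the same policy, and any hand edits made
# on the host are overwritten on every run.
# NOTE(review): the "-ac" files are the ones authconfig generates; a later
# authconfig run on the host would presumably replace them again - confirm
# nothing else in the deployment invokes it.
- name: Enterprise Linux 7 PAM Configuration
  copy:
    # Facts are read through ansible_facts[...] (as in the `when` below) so the
    # lookup also works when fact injection (inject_facts_as_vars) is disabled.
    src: "etc/pam.d/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}-system-auth-ac"
    dest: "{{ item }}"
    owner: root
    group: root
    # PAM stack files: readable by everyone, writable only by root.
    mode: '0644'
  loop:
    - /etc/pam.d/system-auth-ac
    - /etc/pam.d/password-auth-ac
  when:
    - ansible_facts['os_family'] == 'RedHat'
    - ansible_facts['distribution_major_version'] == '7'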
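# Enterprise Linux 8: rebuild the custom authselect profile "sssd-rocky" from
# the stock sssd profile, replace its system-auth/password-auth templates with
# the repository's copy, then select and apply it.
#
# The sequence is not idempotent: the profile is deleted and recreated on
# every run, and the three authselect commands set `changed_when: false`, so
# Ansible reports them as "ok" even though the authentication stack is
# rewritten each time. Do not rely on the play recap to notice PAM changes;
# compare the resulting state on the host instead (for example with
# `authselect current` and `authselect check`).
- name: Enterprise Linux 8 PAM Configuration
  block:
    # Start from a clean slate so that stale files from an earlier run cannot
    # survive into the new profile (presumably also because create-profile
    # will not overwrite an existing profile directory - confirm).
    - name: Ensure Custom Profile is removed
      file:
        path: /etc/authselect/custom/sssd-rocky
        state: absent

    # The --symlink* options keep those files linked to the base profile
    # instead of copying them; system-auth and password-auth are not in that
    # list, so they become real files that the next task overwrites.
    - name: Create custom authselect profile based on sssd
      command: >
        /usr/bin/authselect create-profile sssd-rocky
        --base-on sssd
        --symlink-dconf
        --symlink-meta
        --symlink=postlogin
        --symlink=smartcard-auth
        --symlink=fingerprint-auth
      changed_when: false

    # One source file is written to both templates, so both stacks carry the
    # same policy.
    - name: Override system-auth and password-auth
      copy:
        # Facts are read through ansible_facts[...] (as in the `when` below) so
        # the lookup also works when fact injection (inject_facts_as_vars) is
        # disabled.
        src: "etc/authselect/custom/sssd-rocky/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}-system-auth"
        dest: "{{ item }}"
        owner: root
        group: root
        # Profile templates: readable by everyone, writable only by root.
        mode: '0644'
      loop:
        - /etc/authselect/custom/sssd-rocky/system-auth
        - /etc/authselect/custom/sssd-rocky/password-auth

    # Features requested here: without-nullok (no empty passwords),
    # with-faillock (lock accounts after repeated failures), with-mkhomedir
    # and with-sudo. --force lets authselect replace configuration it did not
    # generate itself, so manual PAM edits on the host are discarded.
    # NOTE(review): authselect features only take effect where the profile
    # templates contain the matching conditional lines. The overriding
    # system-auth file is not visible here - confirm it keeps the conditionals
    # for without-nullok and with-faillock, otherwise these switches are
    # silently ignored.
    - name: Select New Profile
      command: >
        /usr/bin/authselect select custom/sssd-rocky
        without-nullok
        with-faillock
        with-mkhomedir
        with-sudo
        --force
      changed_when: false

    - name: Apply new settings
      command: /usr/bin/authselect apply-changes
      changed_when: false

    # with-mkhomedir creates home directories through oddjob, hence the
    # service must be running and enabled at boot.
    - name: Enable oddjobd
      service:
        name: oddjobd
        state: started
        enabled: true
  when:
    - ansible_facts['os_family'] == 'RedHat'
    - ansible_facts['distribution_major_version'] == '8'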
...