---
# Configures PAM and SSSD post-ipa client installation. It is recommended
# that we use a custom authselect profile and build it out from there.
# EL7 has no authselect, so the PAM stack is managed by dropping one
# role-provided file over both authconfig-style targets.
- name: Enterprise Linux 7 PAM Configuration
  # Both conditions must hold: RedHat family and major version 7.
  when:
    - ansible_facts['os_family'] == 'RedHat'
    - ansible_facts['distribution_major_version'] == '7'
  # The same source file is written to every path in the loop, so
  # system-auth-ac and password-auth-ac end up with identical content.
  loop:
    - /etc/pam.d/system-auth-ac
    - /etc/pam.d/password-auth-ac
  copy:
    dest: "{{ item }}"
    src: "etc/pam.d/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth-ac"
    # PAM files must stay root-owned and not group/world-writable.
    owner: root
    group: root
    mode: '0644'
    # NOTE(review): the files are overwritten with no backup; a malformed
    # PAM file can block every login on the host. Consider `backup: true`
    # here so a known-good copy is left for recovery.
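# EL8 manages the PAM stack through authselect. This block rebuilds a custom
# profile from the stock sssd profile, overrides its system-auth and
# password-auth files, then selects and applies it.
#
# The profile is named sssd-rocky in every step. Previously the profile was
# created as sssd-rocky while the override and select steps pointed at
# custom/sssd-aoc, a profile this block never creates.
- name: Enterprise Linux 8 PAM Configuration
  block:
    # Removing the profile first means every run rebuilds it from the base
    # profile, so local edits inside the profile directory do not persist.
    - name: Ensure Custom Profile is removed
      file:
        path: /etc/authselect/custom/sssd-rocky
        state: absent

    # Everything except system-auth and password-auth is symlinked to the
    # base profile, so only those two files are owned by this role.
    # NOTE(review): `changed_when: false` on this and the next two command
    # tasks reports "ok" although the authentication stack is rewritten on
    # every run; run reports will not show these changes.
    - name: Create custom authselect profile based on sssd
      command: >
        /usr/bin/authselect create-profile sssd-rocky
        --base-on sssd
        --symlink-dconf
        --symlink-meta
        --symlink=postlogin
        --symlink=smartcard-auth
        --symlink=fingerprint-auth
      changed_when: false

    # The same source file is written to both destinations.
    # NOTE(review): `src` still points at the role's sssd-aoc files
    # directory; it is left unchanged because the role's files tree is not
    # visible here. Confirm whether that directory has been renamed.
    - name: Override system-auth and password-auth
      copy:
        src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
        dest: "{{ item }}"
        owner: root
        group: root
        mode: '0644'
      loop:
        - /etc/authselect/custom/sssd-rocky/system-auth
        - /etc/authselect/custom/sssd-rocky/password-auth

    # without-nullok and with-faillock are the hardening features here:
    # no empty-password logins, and lockout after repeated failures.
    # They only take effect if the overridden system-auth/password-auth
    # files keep the matching conditional lines from the base profile;
    # verify against the role's source file.
    # --force overwrites an existing configuration that was not written by
    # authselect, so manual changes to the PAM stack are discarded.
    - name: Select New Profile
      command: >
        /usr/bin/authselect select custom/sssd-rocky
        without-nullok
        with-faillock
        with-mkhomedir
        with-sudo
        --force
      changed_when: false

    - name: Apply new settings
      command: /usr/bin/authselect apply-changes
      changed_when: false

    # with-mkhomedir relies on oddjobd to create home directories at login.
    - name: Enable oddjobd
      service:
        name: oddjobd
        state: started
        enabled: true
  # Both conditions must hold: RedHat family and major version 8.
  when:
    - ansible_facts['os_family'] == 'RedHat'
    - ansible_facts['distribution_major_version'] == '8'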