Merge pull request #9 from hellofresh/feature-user-group-search-base

PTII-289 Enable additional search_base options

Author: antonu17

README.md

@@ -16,6 +16,8 @@ Role Variables
 You can override variables in your group_vars
 
 - `sssd_ldap_search_base: dc=example,dc=org`
+- `sssd_ldap_user_search_base: see sssd-ldap man page`
+- `sssd_ldap_group_search_base: see sssd-ldap man page`
 - `sssd_ldap_uri: ldap://example.org`
 - `sssd_ldap_default_bind_dn: cn=manager,dc=example,dc=org`
 - `sssd_ldap_default_authtok: bind_password`

defaults/main.yml

@@ -6,3 +6,7 @@ sssd_ldap_default_authtok: bind_password
 sssd_ldap_user_ssh_public_key: sshPublicKey
 # If you need to override user's primary group you can use `sssd_ldap_override_gid` variable
 # sssd_ldap_override_gid: 500
+
+# The following variables can be defined:
+# sssd_ldap_user_search_base:
+# sssd_ldap_group_search_base:

molecule/default/molecule.yml

@@ -32,6 +32,7 @@ provisioner:
     group_vars:
       all:
         sssd_ldap_search_base: dc=example,dc=com
+        sssd_ldap_user_search_base: dc=example,dc=com?subtree?(uidNumber=5000)
         sssd_ldap_uri: ldap://localhost
         sssd_ldap_default_bind_dn: cn=Manager,dc=example,dc=com
         sssd_ldap_default_authtok: s3cr3t

molecule/default/prepare.yml

@@ -19,11 +19,11 @@
     - name: install python-ldap
       package:
         name: python-ldap
-    - name: Make sure we have an test user
+    - name: Make sure we have two test users
       ldap_entry:
         bind_dn: cn=Manager,dc=example,dc=com
         bind_pw: s3cr3t
-        dn: cn=test,dc=example,dc=com
+        dn: 'uid={{ item.uid }},dc=example,dc=com'
         objectClass:
           - top
           - person
@@ -32,15 +32,24 @@
           - organizationalPerson
           - ldapPublicKey
         attributes:
+          uid: "{{ item.uid }}"
+          uidNumber: "{{ item.uidNumber }}"
+          givenName: "{{ item.name }}"
+          sn: "{{ item.name }}"
+          cn: "{{ item.name }}"
+          loginShell: /bin/bash
+          homeDirectory: "/home/{{ item.uid }}"
+          sshPublicKey: "{{ item.sshPublicKey }}"
+          gidNumber: "{{ item.uidNumber }}"
+      with_items:
+        - name: Test
           uid: test
           uidNumber: 5000
-          givenName: Test
-          sn: Test
-          cn: Test
-          loginShell: /bin/bash
-          homeDirectory: /home/test
           sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYaGyXcqdQUIxjPr3eqXro9X/2LrLH2o+OrFeGRB2u3WxigroynxD8vLjtG6qyYYtgnvR9+2usVhbNNS3QdF3G5wenCR4Zpk6VIYofQrBYmrzJG9Bsig3G4SgnGF2x4KimupjCdD4+1S9OMF/4GzQZdaLl2HkSTYE+6430FbSD8i3IdpbRI526X8q4njrTHgIYUtAVFTPSudZ/3fIzFpfNlWq5wy1CXCGc7aqmHECQzareeoAM5NfgrUkw7TFrKP/zelDkqpJ6pwYTWg2VZYmoXmh2o+ttWFatGzJPUoeU/r+SjMn4YvMunT+L6NIrbJQkXwB9i3upMx2bQcuPl0cl test-key
-          gidNumber: 5000
+        - name: Filtered
+          uid: filtered-test
+          uidNumber: 5001
+          sshPublicKey: ''
     - name: create /root/.ssh dir
       file:
         path: /root/.ssh

molecule/default/tests/test_default.py

@@ -20,6 +20,11 @@ def test_sssd_ldap_user(host):
     assert user.gid == 1
 
 
+def test_sssd_ldap_user_filtered(host):
+    user = host.user('filtered-test')
+    assert not user.exists
+
+
 def test_sssd_service_state(host):
     assert host.service('sssd').is_enabled
     assert host.service('sssd').is_running

templates/sssd.conf.j2

@@ -11,6 +11,12 @@ filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
 id_provider = ldap
 auth_provider = ldap
 ldap_search_base = {{ sssd_ldap_search_base }}
+{% if sssd_ldap_user_search_base is defined %}
+ldap_user_search_base = {{ sssd_ldap_user_search_base }}
+{% endif %}
+{% if sssd_ldap_group_search_base is defined %}
+ldap_group_search_base = {{ sssd_ldap_group_search_base }}
+{% endif %}
 ldap_tls_reqcert = never
 ldap_uri = {{ sssd_ldap_uri }}
 enumerate = true