sssd ubuntu fix

Author: anoopna

playbooks/roles/sssd/tasks/debian.yml

@@ -16,6 +16,17 @@
     group: 'root'
     mode: '0600'
   notify: restart sssd
+  when: not pam | bool
+
+- name: Add configuration file to /etc/sssd/sssd.conf
+  template:
+    src: 'sssd_ubuntu.conf.j2'
+    dest: '/etc/sssd/sssd.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  notify: restart sssd
+  when: pam | bool
 
 - name: Copy CA certificate
   copy:

playbooks/roles/sssd/templates/sssd.conf.j2

@@ -1,7 +1,17 @@
 [sssd]
+
 config_file_version = 2
+services = nss, pam
 domains = cluster
 
+[nss]
+filter_users = root
+entry_negative_timeout = 5
+
+[pam]
+pam_verbosity = 2
+pam_account_expired_message = 'Your account has expired. Please contact a system administrator'
+
 [domain/cluster]
 ldap_schema = rfc2307bis
 id_provider = ldap
@@ -16,4 +26,4 @@ ldap_network_timeout = 30
 ldap_access_order = expire
 ldap_access_filter = (&(objectclass=inetOrgPerson))
 ldap_account_expire_policy = shadow
-enumerate = true
+enumerate = true

playbooks/roles/sssd/templates/sssd_ubuntu.conf.j2

@@ -0,0 +1,19 @@
+[sssd]
+config_file_version = 2
+domains = cluster
+
+[domain/cluster]
+ldap_schema = rfc2307bis
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+chpass_provider = ldap
+cache_credentials = true
+entry_cache_timeout = 600
+ldap_uri = ldaps://{{ hostvars[groups['bastion'][0]]['ansible_fqdn'] }}
+ldap_search_base = dc=local
+ldap_network_timeout = 30
+ldap_access_order = expire
+ldap_access_filter = (&(objectclass=inetOrgPerson))
+ldap_account_expire_policy = shadow
+enumerate = true