-
Notifications
You must be signed in to change notification settings - Fork 0
/
playbook-task-sync-users.yml
114 lines (99 loc) · 3.84 KB
/
playbook-task-sync-users.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
- name: Sync users
hosts: "mgmt.{{domain}}"
become: true
vars:
base_id: 32768
base_id_range: 32768
tasks:
# See https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/adjusting-id-ranges-manually_managing-users-groups-hosts
# If we don't do this, ipantsecurityidentifier won't be injected and not even `ipa config-mod --enable-sid --add-sids` won't fix it either.
- name: Ensure IPA ID Range for the local domain
freeipa.ansible_freeipa.ipaidrange:
ipaadmin_password: "{{ipa_password}}"
name: local_domain_id_range
base_id: "{{base_id}}"
range_size: "{{base_id_range}}"
rid_base: "{{base_id+200000}}"
secondary_rid_base: "{{base_id+100000000+200000}}"
- name: Restart dirsrv on IDM
ansible.builtin.systemd_service:
name: "dirsrv@{{domain|upper|replace('.','-')}}.service"
state: restarted
delegate_to: "idm.{{domain}}"
- name: Ensure IPA sudo/video group
freeipa.ansible_freeipa.ipagroup:
ipaadmin_password: "{{ipa_password}}"
groups:
- name: sudo
- name: video
- name: render
- name: Ensure IPA sudo rule
freeipa.ansible_freeipa.ipasudorule:
ipaadmin_password: "{{ipa_password}}"
name: sudo
group: sudo
cmdcat: all
hostcat: all
- name: Query uids
command: ipa --no-prompt user-find --raw
register: ipa_users
- name: Extract uids
set_fact:
existing_users: "{{ipa_users.stdout | regex_findall('(?<=uid: )\\S+')}}"
- name: "Find absent users"
set_fact:
users_to_delete: "{{existing_users | difference(users.keys()) | difference(['admin', 'root'])}}"
- name: Debug and print existing_users
debug:
msg: "Users: \n{{users_to_delete}}\nRun with --extra-vars=delete_users=true to delete these users"
when: delete_users is undefined
- name: "Drop absent users"
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ipa_password}}"
name: "{{item}}"
state: absent
loop: "{{users_to_delete}}"
when: users_to_delete | length > 0 and delete_users | default(false) | bool
- name: "Import all users" # XXX Generate uid/gid via the same seed so that home directory permissions persist
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ipa_password}}"
name: "{{item.key}}"
first: "{{item.value.first}}"
last: "{{item.value.last}}"
email: "{{item.value.email}}"
sshpubkey: "{{item.value.publickey}}"
uid: "{{range(base_id, base_id + base_id_range) | random(seed=item.key)}}"
gid: "{{range(base_id, base_id + base_id_range) | random(seed=item.key)}}"
state: present
update_password: on_create
loop: "{{users | dict2items}}"
- name: Ensure user sudo rules
freeipa.ansible_freeipa.ipagroup:
ipaadmin_password: "{{ipa_password}}"
name: sudo
action: member
user: "{{item.key}}"
loop: "{{users | dict2items}}"
when: item.value.groups is contains("sudo")
- name: Ensure user video group
freeipa.ansible_freeipa.ipagroup:
ipaadmin_password: "{{ipa_password}}"
name: video
action: member
user: "{{item.key}}"
loop: "{{users | dict2items}}"
when: item.value.groups is contains("video")
- name: Ensure user render group
freeipa.ansible_freeipa.ipagroup:
ipaadmin_password: "{{ipa_password}}"
name: render
action: member
user: "{{item.key}}"
loop: "{{users | dict2items}}"
when: item.value.groups is contains("render")
- name: Force update SSS
hosts: "mgmt.{{domain}}, login-*.{{domain}}"
become: true
tasks:
- name: Drop SSS cache
command: sss_cache -U