IPA-tuura: configure sssd ourselves

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

playbooks/groups/ipatuura.yml

@@ -49,12 +49,6 @@
      when: env != "staging"}
   - mod_wsgi
   - ipa/client
-  # - role: keytab/service
-  #   owner_user: apache
-  #   owner_group: apache
-  #   service: HTTP
-  #   #host: "ipatuura{{ env_suffix }}.fedoraproject.org"
-  #   host: "{{ ansible_fqdn }}"
   - ipatuura
 
   pre_tasks:

roles/ipatuura/tasks/main.yml

@@ -240,13 +240,33 @@
   tags:
   - ipatuura
 
-- name: Copy the domain template file
+# - name: Copy the domain template file
+#   ansible.builtin.template:
+#     src: domain.json.j2
+#     dest: /etc/ipa-tuura/domain.json
+#     owner: root
+#     group: root
+#     # Contains a password
+#     mode: 0600
+#   tags:
+#   - ipatuura
+
+- name: Copy the sssd config file
   ansible.builtin.template:
-    src: domain.json.j2
-    dest: /etc/ipa-tuura/domain.json
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    owner: root
+    group: sssd
+    mode: "0640"
+  tags:
+  - ipatuura
+
+- name: Copy the domain data file
+  ansible.builtin.template:
+    src: db_domain.json.j2
+    dest: /etc/ipa-tuura/db_domain.json
     owner: root
     group: root
-    # Contains a password
     mode: 0600
   tags:
   - ipatuura
@@ -274,17 +294,18 @@
   - ipatuura
   - selinux
 
-- name: Allow HTTPd to run ipa-client-install
-  community.general.sefcontext:
-    target: "/var/log/ipaclient-.*\\.log"
-    setype: httpd_sys_content_rw_t
-    state: present
-  tags:
-  - ipatuura
-  - selinux
+# - name: Allow HTTPd to run ipa-client-install
+#   community.general.sefcontext:
+#     target: "/var/log/ipaclient-.*\\.log"
+#     setype: httpd_sys_content_rw_t
+#     state: present
+#   tags:
+#   - ipatuura
+#   - selinux
 
 - name: Apply SELinux changes
-  ansible.builtin.command: restorecon -irv /srv/ /var/log/ipaclient*
+  #ansible.builtin.command: restorecon -irv /srv/ /var/log/ipaclient*
+  ansible.builtin.command: restorecon -irv /srv/
   register: restorecon_output
   changed_when: restorecon_output.stdout is defined and restorecon_output.stdout | length > 0
   tags:
@@ -305,21 +326,40 @@
   - httpd_can_network_connect_db
   # Allow usage of PAM
   - httpd_mod_auth_pam
-  - httpd_setrlimit
+  # - httpd_setrlimit
   # - httpd_tmp_exec
   tags:
   - ipatuura
   - selinux
 
-- name: Add a SELinux module for other SELinux permissions for IPA-tuura
-  import_role:
-    name: selinux/module
-  vars:
-    policy_file: files/local-ipatuura.te
-    policy_name: local-ipatuura
-  tags:
-  - ipatuura
-  - selinux
+# - name: Add a SELinux module for other SELinux permissions for IPA-tuura
+#   import_role:
+#     name: selinux/module
+#   vars:
+#     policy_file: files/local-ipatuura.te
+#     policy_name: local-ipatuura
+#   tags:
+#   - ipatuura
+#   - selinux
+
+
+# Keytabs
+
+- name: Create a keytab for Apache
+  import_role: keytab/service
+  owner_user: apache
+  owner_group: apache
+  service: ipatuura
+  host: "{{ ansible_fqdn }}"
+  kt_location: /var/lib/ipa/ipatuura/service.keytab
+
+- name: Create a keytab for IPA-tuura
+  import_role: keytab/service
+  owner_user: apache
+  owner_group: apache
+  service: HTTP
+  host: "{{ ansible_fqdn }}"
+  kt_location: /var/lib/ipatuura/httpd.keytab
 
 #
 # Final setup

roles/ipatuura/templates/db_domain.json.j2

@@ -0,0 +1 @@
+[{"model": "domains.domain", "pk": 1, "fields": {"name": "{{env_prefix}}fedoraproject.org", "description": "IPA Integration Domain", "integration_domain_url": "https://{{ipa_server}}", "client_id": "admin", "client_secret": "not-the-actual-secret", "keycloak_hostname": "keycloak.apps.ocp{{env_suffix}}.fedoraproject.org", "id_provider": "ipa", "user_extra_attrs": "mail:mail, sn:sn, givenname:givenname, fullname:name, fasTimeZone:timezone, fasLocale:locale, fasIRCNick:chatnick, fasWebsiteURL:website, fasGPGKeyId:gpg_keyid, ipaSshPubKey:ssh_key, fasIsPrivate:privacy", "user_object_classes": "fasUser", "users_dn": "cn=users,cn=accounts,{{ipa_basedn}}", "ldap_tls_cacert": "/etc/ipa/ca.crt"}}]

roles/ipatuura/templates/sssd.conf.j2

@@ -0,0 +1,47 @@
+[domain/{{ env_prefix }}fedoraproject.org]
+id_provider = ipa
+dns_discovery_domain = {{ env_prefix }}fedoraproject.org
+ipa_server = _srv_, {{ ipa_server }}
+ipa_domain = {{ env_prefix }}fedoraproject.org
+ipa_hostname = {{ ansible_fqdn }}
+auth_provider = ipa
+chpass_provider = ipa
+access_provider = ipa
+cache_credentials = True
+ldap_tls_cacert = /etc/ipa/ca.crt
+krb5_store_password_if_offline = True
+ldap_deref_threshold = 0
+sudo_provider = ipa
+autofs_provider = ipa
+subdomains_provider = ipa
+session_provider = ipa
+hostid_provider = ipa
+# IPA-tuura needs these attributes to forward them to applications
+ldap_user_extra_attrs = mail, street, locality, st, postalCode, telephoneNumber, givenname, sn, fasTimeZone, fasLocale, fasIRCNick, fasGPGKeyId, fasCreationTime, fasStatusNote, fasRHBZEmail, fasGitHubUsername, fasGitLabUsername, fasWebsiteURL, fasIsPrivate, fasPronoun, ipaSshPubKey
+
+[sssd]
+services = nss, pam, ssh, sudo, ifp
+domains = {{ env_prefix }}fedoraproject.org
+
+[nss]
+homedir_substring = /home
+
+[pam]
+
+[sudo]
+
+[autofs]
+
+[ssh]
+
+[pac]
+
+[ifp]
+# Allow IPA-tuura to request user attributes
+allowed_uids = apache, sssd, root
+# Ipsilon needs these attributes to forward them to applications
+user_attributes = +mail, +street, +locality, +st, +postalCode, +telephoneNumber, +givenname, +sn, +fasTimeZone, +fasLocale, +fasIRCNick, +fasGPGKeyId, +fasCreationTime, +fasStatusNote, +fasRHBZEmail, +fasGitHubUsername, +fasGitLabUsername, +fasWebsiteURL, +fasIsPrivate, +fasPronoun, +ipaSshPubKey
+
+[secrets]
+
+[session_recording]