I have a scenario where I need to manage SSSD, specifically 'simple_allow_users' inside /etc/sssd/sssd.conf on RHEL 9. Depending on your needs, this could also be leveraged on RHEL 7 and RHEL 8. Because of our Linux user provisioning process, we have to manage SSSD at a common and a per-application level. This article discusses the common role implementation. I hope to post later about merging the common and per-application roles' simple_allow_users.
For more detail about setting up an Ansible directory structure, follow this link.
In the common role inside main.yml we implement the following code (I’ll break it down further later):
- name: Import commons simple_allow_users variables
  ansible.builtin.include_vars:
    file: common_simple_allow_users.yml

- name: Add users to SSSD simple_allow_users string
  ansible.builtin.set_fact:
    simple_allow_users: "{{ lookup('community.general.merge_variables', 'common_simple_allow_users') | to_yaml | regex_replace('\\[|\\]|\\\n ', '') }}"
  when:
    # Compare the major version as an integer; as strings, '10' >= '9' would be false
    - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int >= 9

- name: Test Output
  ansible.builtin.debug:
    msg: " {{ simple_allow_users }}"
  when:
    - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int >= 9

- name: Add simple_allow_users value to sssd.conf
  ansible.builtin.lineinfile:
    path: /etc/sssd/sssd.conf
    regexp: '^simple_allow_users = '
    line: 'simple_allow_users = {{ simple_allow_users }}'
  notify: Restart SSSD
  when:
    - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int >= 9
The first task imports the common_simple_allow_users.yml vars file from common as follows:
---
common_simple_allow_users:
  - 'user1'
  - 'user2'
  - 'user3'
The second task took me several hours to work through, as I needed the list from common_simple_allow_users to output a certain way for the sssd.conf file to be properly formatted:
- name: Add users to SSSD simple_allow_users string
  ansible.builtin.set_fact:
    # merge_variables returns a list; to_yaml renders it as "[user1, user2, user3]" and regex_replace strips the brackets
    simple_allow_users: "{{ lookup('community.general.merge_variables', 'common_simple_allow_users') | to_yaml | regex_replace('\\[|\\]|\\\n ', '') }}"
  when:
    - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int >= 9
Note the community.general.merge_variables lookup being called to merge items from the common_simple_allow_users variable list. Piping this into to_yaml gives output that needs some additional cleanup, hence piping into regex_replace('\[|\]|\\n ', ''), which FINALLY gives me the output of user1, user2 without additional symbols cluttering the Ansible fact.
The next task is optional, as it simply prints the fact in a human-readable format in the Ansible output, which was actually quite helpful while working through the formatting issues.
- name: Test Output
  ansible.builtin.debug:
    msg: " {{ simple_allow_users }}"
  when:
    - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int >= 9
The final task takes the created Ansible fact "simple_allow_users" and creates or replaces the line we need in sssd.conf:
- name: Add simple_allow_users value to sssd.conf
  ansible.builtin.lineinfile:
    path: /etc/sssd/sssd.conf
    # Replace an existing line in place; if none matches, lineinfile appends the line at the end of the file
    regexp: '^simple_allow_users = '
    line: 'simple_allow_users = {{ simple_allow_users }}'
  notify: Restart SSSD
  when:
    - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int >= 9
Following all this, in the handlers/main.yml file of the common role, you create the following handler for SSSD, so that if the line in sssd.conf is changed, the sssd service is restarted.
- name: Restart SSSD
  ansible.builtin.service:
    name: sssd
    state: restarted
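An added check that is not part of the original post or the role it describes: this Python script reproduces the comma-separated value the set_fact task builds and then parses a constructed sssd.conf to confirm the line ended up where SSSD will honour it, since lineinfile appends a missing line at the end of the file (the right place only when the [domain/...] section is last) and simple_allow_users is ignored unless that section's access_provider is simple. The sample file, the username pattern and the function names are assumptions.

```python
import configparser
import re

# Constructed sample sssd.conf in the layout the article manages (not a real host's file).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
access_provider = simple
simple_allow_users = user1, user2, user3
"""
# Conservative POSIX-style username pattern (assumption; adjust to your naming policy).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def build_simple_allow_users(users):
    """Render the value the set_fact task builds, without to_yaml/regex_replace. Duplicates are
    dropped (order kept); a name that is not a plain username is rejected, not written to sssd.conf."""
    rendered = []
    for user in users:
        if not USERNAME_RE.match(user):
            raise ValueError(f"refusing to write suspicious username: {user!r}")
        if user not in rendered:
            rendered.append(user)
    return ", ".join(rendered)


def check_sssd_conf(text, expected_users):
    """Return the problems found in an sssd.conf text (empty list when it is consistent):
    simple_allow_users only counts inside a [domain/...] section with access_provider = simple."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case: sssd.conf keys are case-sensitive
    parser.read_string(text)
    problems, expected = [], set(expected_users)
    for section in parser.sections():
        raw = parser[section].get("simple_allow_users", "")
        allowed = {u.strip() for u in raw.split(",") if u.strip()}
        if not section.startswith("domain/"):
            if allowed:
                problems.append(f"[{section}]: simple_allow_users outside a domain section is ignored")
            continue
        if parser[section].get("access_provider") != "simple":
            problems.append(f"[{section}]: access_provider is not 'simple', so simple_allow_users is ignored")
        if allowed != expected:
            problems.append(f"[{section}]: simple_allow_users {sorted(allowed)} != expected {sorted(expected)}")
    return problems
```

Run `check_sssd_conf(open('/etc/sssd/sssd.conf').read(), common_users)` after the play as a post-deployment assertion; a non-empty list means the access control the role intends is not actually in effect.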
This is one possible solution for managing the simple_allow_users field in /etc/sssd/sssd.conf and restarting sssd if the line is changed or created, so that you can restrict by username which LDAP users are able to log in to your servers. You could also take the same approach, substituting simple_allow_groups, if you have LDAP groups that you would like to use instead. Our current implementation isn't as robust, hence the approach outlined here.
Have you run into a similar situation? How did you solve it for your scenario? Do you see anywhere I can improve the process I've outlined here? If you're looking for more Ansible content, check out this post.