# Active Directory & sssd

This is the Ubuntu Noble (Ubuntu 24.04 LTS) Active Directory join role, initially written by Niklaus Kappeler (CxS).
## Todos/Role Enhancement

- [ ] Securing it: is it possible to enable DNSSEC to prevent DNS man-in-the-middle attacks?
## Requirements

## Role Variables

| Name | Type | Default value | Purpose | Comment | Role |
|---|---|---|---|---|---|
| active_directory_conf | Boolean | false | true/false switch to enable/disable the AD role | | noble_active_directory |
| active_directory_join_passwd | String | "" | join password of the ad-join-user (per env) | See the variable below, where the ad-join-user is defined | noble_active_directory |
| active_directory_join_user | String | "" | join user for the ad-join (per env) | The ad-join-user should normally be defined in the all group_vars | noble_active_directory |
| support_contact | String | "" | support contact (like the CxS ticket system), used in the custom-defined account_expired/locked_message | has to be defined, if not already over "all.yml" group_vars | multirole |
| active_directory_sssd_net_lookup_family_order | String | ipv4_only | AD DNS lookup setting; default is to prefer IPv4, then fall back to IPv6 | Must be set to ipv6_only in IPv6-only networks. In dual-stack networks, either ipv4_only or ipv6_only is valid, so the possible options are ipv4_only and ipv6_only. Do not use ipv4_first or ipv6_first: they result in a failing sssd connection, since the DNS entries are always resolvable for both protocols in the ETH network | noble_active_directory |
| active_directory_sssd_ldap_id_mapping | Boolean | false | Specifies that SSSD should attempt to map user and group IDs from the ldap_user_objectsid and ldap_group_objectsid attributes instead of relying on ldap_user_uid_number and ldap_group_gid_number | | noble_active_directory |
| active_directory_sssd_ignore_group_members | Boolean | true | ignore nested groups | | noble_active_directory |
| active_directory_sssd_override_homedir | String | /home/%u | home dir path, to enable the proper search path for ssh keys etc. | | noble_active_directory |
| active_directory_sssd_default_shell | String | /bin/bash | set the default login shell | | noble_active_directory |
| active_directory_sssd_override_shell | String | /bin/bash | force-override the login shell, overwriting the default from the AD user object (if set) | to be discussed @noble_hackaton | noble_active_directory |
| active_directory_sssd_pam_account_expired_message | String | "Account expired, please contact {{support_contact}}" | pam_account_expired_message override to set a custom account-expired message | | noble_active_directory |
| active_directory_sssd_pam_account_locked_message | String | "Account locked, please contact {{support_contact}}" | pam_account_locked_message override to set a custom account-locked message | | noble_active_directory |
| active_directory_conf_disable | Boolean | false | config to ensure the host is not configured to the AD (realm leave) | | noble_active_directory |
| active_directory_master_key_type | String | aes256-cts-hmac-sha1-96 | krb5.conf: enforce cipher suites | | noble_active_directory |
| active_directory_supported_enctypes | String | aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal -des -rc4 | krb5.conf: enforce cipher suites and disable unsafe cipher suites | | noble_active_directory |
| active_directory_default_tkt_enctypes | String | aes256-cts-hmac-sha1-96 | krb5.conf: enforce cipher suites | | noble_active_directory |
| active_directory_default_tgs_enctypes | String | aes256-cts-hmac-sha1-96 | krb5.conf: enforce cipher suites | | noble_active_directory |
| allow_logon_groups | String | "" | logon groups which are allowed to log in | | multirole |
| allow_logon_users | String | "" | logon users which are allowed to log in | | multirole |
| active_directory_exclude_user_lookup | String | "" | users which should be excluded from lookup in the NSS database, for example postgres | | multirole |
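The table above fixes a handful of settings that matter for the security of the join: the DNS lookup family must be `ipv4_only` or `ipv6_only` (never `*_first`), and the Kerberos enctype lists must enable only AES and explicitly exclude DES and RC4. The script below is an added example, not part of the role, that checks rendered `sssd.conf` and `krb5.conf` files against those constraints after a run. The sample file contents are constructed to resemble what the role variables render to; the domain `example.internal` and realm `EXAMPLE.INTERNAL` are placeholders.

```python
"""Sanity-check rendered sssd.conf and krb5.conf against the settings this
role enforces (DNS lookup family, AD providers, Kerberos enctypes).

Added example, not part of the role. The sample file contents are constructed
to resemble the role's rendered output; domain and realm names are placeholders.
"""

UNSAFE_ENCTYPE_MARKERS = ("des", "rc4", "arcfour")
VALID_LOOKUP_FAMILY_ORDER = ("ipv4_only", "ipv6_only")
# Keys taken from the role variable names in the table above.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes", "supported_enctypes", "master_key_type")


def parse_sections(text):
    """Minimal INI-style parser for sssd.conf and krb5.conf [libdefaults].
    Returns {section: {key: value}}. Lines that are not 'key = value'
    (comments, realm braces) are skipped. configparser is avoided on purpose:
    the '%u' in override_homedir trips its value interpolation."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def check_sssd(conf):
    """Return findings for every [domain/...] section of a parsed sssd.conf."""
    findings = []
    for name, opts in conf.items():
        if not name.startswith("domain/"):
            continue
        order = opts.get("lookup_family_order", "ipv4_only")
        if order not in VALID_LOOKUP_FAMILY_ORDER:
            findings.append(f"{name}: lookup_family_order={order}; only ipv4_only/ipv6_only "
                            "work reliably in dual-stack networks")
        if opts.get("id_provider") != "ad":
            findings.append(f"{name}: id_provider is {opts.get('id_provider')!r}, expected 'ad'")
        if opts.get("access_provider") != "ad":
            findings.append(f"{name}: access_provider missing or not 'ad' (no AD access control)")
    return findings


def check_krb5(conf):
    """Flag weak enctypes that are positively enabled in [libdefaults]."""
    findings = []
    lib = conf.get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        if key not in lib:
            continue
        for entry in lib[key].split():
            if entry.startswith("-"):          # '-des', '-rc4' are exclusions: good
                continue
            name = entry.split(":")[0].lower()  # strip a ':normal' salt suffix
            if any(marker in name for marker in UNSAFE_ENCTYPE_MARKERS):
                findings.append(f"libdefaults.{key}: weak enctype {entry} enabled")
    return findings


def audit(sssd_text, krb5_text):
    """Combine both checks; an empty list means the host matches the role's hardening."""
    return check_sssd(parse_sections(sssd_text)) + check_krb5(parse_sections(krb5_text))


# Constructed sample: sssd.conf as the role defaults would render it.
SSSD_CONF_OK = """
[sssd]
config_file_version = 2
services = nss, pam
domains = example.internal

[domain/example.internal]
id_provider = ad
access_provider = ad
lookup_family_order = ipv4_only
ldap_id_mapping = False
ignore_group_members = True
override_homedir = /home/%u
default_shell = /bin/bash
override_shell = /bin/bash
"""

# Constructed sample: the lookup order the table warns against.
SSSD_CONF_BAD = SSSD_CONF_OK.replace("lookup_family_order = ipv4_only",
                                     "lookup_family_order = ipv4_first")

# Constructed sample: krb5.conf with the role's default enctype settings.
KRB5_CONF_OK = """
[libdefaults]
default_realm = EXAMPLE.INTERNAL
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal -des -rc4
"""

# Constructed sample: RC4 re-enabled for ticket requests.
KRB5_CONF_BAD = KRB5_CONF_OK.replace(
    "default_tkt_enctypes = aes256-cts-hmac-sha1-96",
    "default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac")

if __name__ == "__main__":
    for label, sssd, krb5 in (("hardened", SSSD_CONF_OK, KRB5_CONF_OK),
                              ("weak", SSSD_CONF_BAD, KRB5_CONF_BAD)):
        print(label, audit(sssd, krb5) or "OK")
```

On a joined host the same checks can be run against the real files by reading `/etc/sssd/sssd.conf` (root only, mode 0600) and `/etc/krb5.conf` and passing their contents to `audit()`; a non-empty result means the rendered configuration drifted from what the role variables prescribe.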
## Dependencies

None
## Example Playbook

Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:

```yaml
- hosts: all
  roles:
    - { role: noble_active_directory, tags: ["noble", "security", "sec", "ad", "active_dir", "active_directory", "ldap"] }
```
## License

BSD
## Author Information

Maintainer: Niklaus (Niggi) Kappeler

Support-Contact: servicedesk-linux@id.ethz.ch