
I'm trying to update the sssd.conf file on about 200 servers with a standardized configuration file, however, there is one possible exception to the standard. Most servers will have a config that looks like this:

[domain/domainname.local]
id_provider = ad
access_provider = simple
simple_allow_groups = unixsystemsadmins, datacenteradmins, sysengineeringadmins, webgroup
default_shell = /bin/bash
fallback_homedir = /export/home/%u
debug_level = 0
ldap_id_mapping = false
case_sensitive = false
cache_credentials = true
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_use_ldaps = True

[sssd]
services = nss, pam
config_file_version = 2
domains = domainname.local

[nss]

[pam]

However, on some servers, there's an additional line after simple_allow_groups called simple_allow_users, and each server that has this line has it configured for specific users to be allowed to connect without being a member of an LDAP group.

My objective is to replace the sssd.conf file on all servers, but not to remove this simple_allow_users line, if it exists. I looked into lineinfile and blockinfile, but neither of these seems to really handle this exception. I'm thinking I'm going to have to check the file for the existence of the line, store it to a variable, push the new file, and then add the line back using the variable afterwards, but I'm not entirely sure if this is the best way to handle it. Any suggestions on the best way to accomplish what I'm looking to do?

Thanks!

Jon
  • Simple overview to put you on track: 1) `fetch` or `slurp` the existing file from the target server 2) look for the line in the fetched/slurped file and register the result if it exists 3) push a template back to the server containing your content + the line if it exists. Edit your question with your attempt and the problems you are facing to make it work as desired. – Zeitounator Dec 16 '20 at 23:43

2 Answers

0

I would do the following:

  1. See if simple_allow_users exists in the current sssd.conf file
  2. Change your model configuration to add the current value of the simple_allow_users line if it exists
  3. Overwrite the sssd.conf file with the new content

You can use a Jinja2 conditional to achieve step 2: https://jinja2docs.readthedocs.io/

I believe the above tasks will solve what you need, just remember to test on a single host and back up the original file just for good measure ;-)

- name: Look for an existing simple_allow_users line
  command: grep '^simple_allow_users' {{ sssd_conf_path }}
  vars:
    sssd_conf_path: /etc/sssd/sssd.conf
  register: grep_result
  # grep exits 1 when there is no match; only treat rc > 1 (e.g. file missing) as an error
  failed_when: grep_result.rc > 1
  changed_when: false
  become: true

- name: Build the new config, keeping the existing line when grep found one
  set_fact:
    configuration_template: |
      [domain/domainname.local]
      id_provider = ad
      access_provider = simple
      simple_allow_groups = unixsystemsadmins, datacenteradmins, sysengineeringadmins, webgroup
      {% if 'simple_allow_users' in grep_result.stdout %}
      {{ grep_result.stdout.rstrip() }}
      {% endif %}
      default_shell = /bin/bash
      ..... Rest of your config file

- name: Write sssd.conf (root-only, with a backup of the old file)
  copy:
    content: "{{ configuration_template }}"
    dest: "{{ sssd_conf_path }}"
    owner: root
    group: root
    mode: "0600"
    backup: true
  vars:
    sssd_conf_path: /etc/sssd/sssd.conf
  become: true
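Step 2 of the answer above can also be done without grep and a large set_fact: a small Ansible filter plugin that merges the host's current simple_allow_users line into the standard content before copy writes it. The plugin below is an added example, not the answerer's code; the file name `filter_plugins/sssd_merge.py`, the filter name `preserve_simple_allow_users` and the two sample configs are this example's own choices. It only honours a line inside the `[domain/...]` section and ignores commented-out lines, so a stray `# simple_allow_users = ...` is not resurrected, and it returns the standard content unchanged when the host has no such line or the standard content already carries one.

```python
"""Ansible filter plugin (added example): carry a host's existing
simple_allow_users line into a standardized sssd.conf.

Save as filter_plugins/sssd_merge.py next to the playbook, then:

  content: "{{ lookup('file', 'etc/sssd/sssd.conf')
               | preserve_simple_allow_users(slurpsssd.content | b64decode) }}"

(file name, filter name and samples are this example's assumptions).
"""
import re

# An uncommented "key = value" line; group 1 is the key, group 2 the value.
KEY_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")
SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def _find_option(text, section_prefix, key):
    """Return a normalized 'key = value' line for `key` in the first section
    whose name starts with `section_prefix`, or None. Lines commented out
    with '#' or ';' never match."""
    in_section = False
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            in_section = sec.group(1).startswith(section_prefix)
            continue
        if not in_section or line.lstrip().startswith(("#", ";")):
            continue
        m = KEY_RE.match(line)
        if m and m.group(1).lower() == key:
            return m.group(1) + " = " + m.group(2)
    return None


def preserve_simple_allow_users(new_conf, old_conf):
    """Return new_conf with old_conf's simple_allow_users inserted right after
    simple_allow_groups in the [domain/...] section.

    new_conf is returned unchanged when old_conf has no live
    simple_allow_users line, when new_conf already has one (idempotent), or
    when new_conf has no simple_allow_groups line to anchor on.
    """
    keep = _find_option(old_conf, "domain/", "simple_allow_users")
    if keep is None or _find_option(new_conf, "domain/", "simple_allow_users"):
        return new_conf
    out, inserted, in_domain = [], False, False
    for line in new_conf.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            in_domain = sec.group(1).startswith("domain/")
        out.append(line)
        if in_domain and not inserted:
            m = KEY_RE.match(line)
            if m and m.group(1).lower() == "simple_allow_groups":
                out.append(keep)
                inserted = True
    return "\n".join(out) + "\n" if inserted else new_conf


class FilterModule(object):
    """Ansible entry point: exposes the filter to Jinja."""

    def filters(self):
        return {"preserve_simple_allow_users": preserve_simple_allow_users}


# Constructed sample inputs (not taken from any real host).
STANDARD_CONF = """[domain/domainname.local]
id_provider = ad
access_provider = simple
simple_allow_groups = unixsystemsadmins, datacenteradmins
default_shell = /bin/bash

[sssd]
services = nss, pam
config_file_version = 2
domains = domainname.local
"""

HOST_CONF = """[domain/domainname.local]
id_provider = ad
access_provider = simple
simple_allow_groups = unixsystemsadmins, datacenteradmins
# simple_allow_users = olduser
simple_allow_users = jdoe, svc_backup
default_shell = /bin/bash

[sssd]
services = nss, pam
"""

if __name__ == "__main__":
    print(preserve_simple_allow_users(STANDARD_CONF, HOST_CONF))
```

Because the merge happens on the controller, the task list shrinks to slurp + copy, and the resulting content is still templated only once, so the `%u` in `fallback_homedir` is not touched.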
0

I used Zeitounator's tip, along with this question: "Only check whether a line present in a file (ansible)"

This is what I came up with:

*As it turns out, simple_allow_groups is being changed after the systems are deployed (thanks for telling the admins about that, you guys... /snark for the people messing with my config files)

---
- name: Get Remote SSSD Config
  become: true
  slurp:
    src: /etc/sssd/sssd.conf
  register: slurpsssd

# Pick the live (uncommented) simple_allow_users line out of the current file.
# The fact stays undefined when no line matches, which the later tasks rely on.
- name: Set simple_allow_users if exists
  set_fact:
    simpleallowusers: "{{ linetomatch }}"
  loop: "{{ file_lines }}"
  loop_control:
    loop_var: linetomatch
  vars:
    decode_content: "{{ slurpsssd['content'] | b64decode }}"
    file_lines: "{{ decode_content.splitlines() }}"
  when: linetomatch is match('^simple_allow_users\s*=')

- name: Set simple_allow_groups
  set_fact:
    simpleallowgroups: "{{ linetomatch }}"
  loop: "{{ file_lines }}"
  loop_control:
    loop_var: linetomatch
  vars:
    decode_content: "{{ slurpsssd['content'] | b64decode }}"
    file_lines: "{{ decode_content.splitlines() }}"
  when: linetomatch is match('^simple_allow_groups\s*=')

- name: Install SSSD Config
  copy:
    src: etc/sssd/sssd.conf
    dest: /etc/sssd/sssd.conf
    owner: root
    group: root
    mode: "0600"
    backup: true
  become: true

- name: Add simple_allow_users back to file if it existed
  lineinfile:
    path: /etc/sssd/sssd.conf
    # regexp keeps this idempotent: an existing line is replaced, not duplicated
    regexp: '^simple_allow_users\s*='
    line: "{{ simpleallowusers }}"
    insertafter: "^simple_allow_groups"
  when: simpleallowusers is defined
  become: true

- name: Replace simple allow groups with existing values
  lineinfile:
    path: /etc/sssd/sssd.conf
    line: "{{ simpleallowgroups }}"
    regexp: '^simple_allow_groups\s*='
    backrefs: true
  when: simpleallowgroups is defined
  become: true
Jon
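The last task in the answer above writes back whatever simple_allow_groups the host currently has, which means the playbook re-applies any change an admin made after deployment without anyone looking at it. The following is an added example, not part of the answer, of the check a practitioner would want to run first (on the controller, over the slurped file): it parses the INI-style sssd.conf with Python's configparser and reports which groups were added to or dropped from the standard list and which user exceptions exist on the host. Function names and the two sample configs are this example's own; the host sample is constructed to show drift.

```python
"""Added example: audit a host's sssd simple access lists against the
standard before re-applying them.

sssd.conf is INI-like, so configparser handles it; interpolation is off
because values contain '%' (fallback_homedir = /export/home/%u), and
strict=False tolerates a duplicated key left behind by hand edits.
"""
import configparser


def _csv_set(value):
    """'a, b,c' -> {'a', 'b', 'c'}; empty or whitespace-only -> set()."""
    return {item.strip() for item in value.split(",") if item.strip()}


def access_lists(conf_text):
    """Return (groups, users) from the first [domain/...] section as sets.
    Missing options yield empty sets."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    for section in cp.sections():
        if section.startswith("domain/"):
            groups = cp.get(section, "simple_allow_groups", fallback="")
            users = cp.get(section, "simple_allow_users", fallback="")
            return _csv_set(groups), _csv_set(users)
    return set(), set()


def access_drift(standard_conf, host_conf):
    """Describe how the host's simple access lists differ from the standard.

    Keys:
      groups_added_on_host   - groups the host allows that the standard does not
      groups_missing_on_host - standard groups the host no longer allows
      user_exceptions        - individual users allowed without a group
    An empty report means the host matches the standard exactly.
    """
    std_groups, _ = access_lists(standard_conf)
    host_groups, host_users = access_lists(host_conf)
    return {
        "groups_added_on_host": sorted(host_groups - std_groups),
        "groups_missing_on_host": sorted(std_groups - host_groups),
        "user_exceptions": sorted(host_users),
    }


def has_drift(report):
    """True when any list in an access_drift() report is non-empty."""
    return any(report.values())


# Constructed samples (not from any real host).
STANDARD_SSSD_CONF = """[domain/domainname.local]
id_provider = ad
access_provider = simple
simple_allow_groups = unixsystemsadmins, datacenteradmins, sysengineeringadmins, webgroup
default_shell = /bin/bash
fallback_homedir = /export/home/%u

[sssd]
services = nss, pam
config_file_version = 2
domains = domainname.local

[nss]

[pam]
"""

HOST_SSSD_CONF = """[domain/domainname.local]
id_provider = ad
access_provider = simple
simple_allow_groups = unixsystemsadmins, datacenteradmins, webgroup, helpdesk
simple_allow_users = jdoe, svc_backup
default_shell = /bin/bash
fallback_homedir = /export/home/%u

[sssd]
services = nss, pam
config_file_version = 2
domains = domainname.local
"""

if __name__ == "__main__":
    print(access_drift(STANDARD_SSSD_CONF, HOST_SSSD_CONF))
```

Running this over each slurped file (for example from a local `debug` or `assert` task, or as a filter plugin like the one in the first answer) turns "preserve whatever is there" into "preserve it, but fail or flag the play when the login allow-list on a host no longer matches the standard", which is the point of pushing a standardized sssd.conf in the first place.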