This is a very opinionated role to configure sssd for LDAP authentication against OpenLDAP or Active Directory on RedHat-based systems.
Supported platforms:
- RHEL / AlmaLinux / Oracle Linux 8, 9, 10
- Amazon Linux 2023
This role will install and configure sssd to support a single domain with basic LDAP authentication over TLS. It configures PAM to use sssd for all compatible services
(via authselect), and configures OpenSSH server to source SSH public keys from LDAP via sssd. It bakes in CIS Level 1 compliance for the systems it touches.
Requires Ansible 2.10 or later.
At a minimum, you must define the following vars:
sssdldap_ldap_urisssdldap_bind_dnsssdldap_bind_pwsssdldap_search_base
Their usage is documented in the defaults file.
If using TLS, you must ensure your system already trusts the LDAP TLS certificate in-use. The easiest way to do this is via the system-wide trust store; alternatively
you can point sssd at a different trusted certificate file with the var sssdldap_cacert.