manage sssd.conf tuning

freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA

GNU General Public License v3.0

491 stars 231 forks source link

manage sssd.conf tuning #188

Open knowtown opened 4 years ago

knowtown commented 4 years ago

Is there a way to manage sssd.conf tuning options with this role. For example, to insert cache_timeout changes and other recommendations from the tuning guide (https://access.redhat.com/articles/2133801) Or even copy a template sssd.conf file? It appears that the role overwrites any sssd.conf file that is in place without making a backup or appending changes to the existing file. So looking for a way to insert or preserve sssd.conf tuning options with this role.

knowtown commented 4 years ago

looks like https://github.com/CSCfi/ansible-role-sssd does most of what we need so we may end up doing this after the freeipa client install. Would be nice to merge some of these settings to take care of all of the sssd tuning options in the freeipa roles/playbooks.

RobVerduijn commented 4 years ago

Why not simply loop over the ini_file task ?

name: tune sssd hosts: localhost remote_user: root gather_facts: false vars: sssd_tunables:
- section: domain/ipa.domain option: subdomain_inherit value: ignore_group_members, ldap_purge_cache_timeout path: /etc/sssd/sssd.conf
- section: domain/ipa.domain option: ignore_group_members value: 'true' path: /etc/sssd/sssd.conf

tasks:

name: tune sssd ini_file: section: '{{ item.section'}} option: '{{item.option}}' value: '{{item.value}}' path: '{{ item.path}}' loop: '{{ sssd_tunables}}'

t-woerner commented 4 years ago

At the moment there is no way to manage additional sssd options while deploying the server, replica or clients. For now this can only be done after deployment.

jnm27 commented 3 years ago

Having to configure sssd on top of freeipa's configuration is not idempotent...