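---
# Default variables for joining a host to an Active Directory domain and
# authenticating against it through sssd. Only the defaults are visible here;
# how each value is consumed by tasks/templates should be confirmed there.

# Master switch for AD authentication (off by default).
ad_auth: false
ad_domain: "{{ samba_domain }}"
ad_realm: "{{ samba_realm }}"

# Account and password presumably used for the domain join (tasks not shown).
# The default is the domain Administrator: keep samba_dc_admin_pass in an
# encrypted store (e.g. Ansible Vault), and prefer a delegated join account
# whose rights are limited to creating computer objects in ad_computer_ou.
ad_admin: Administrator
ad_admin_pass: "{{ samba_dc_admin_pass }}"

# Explicit null: no specific OU is requested for the computer object.
ad_computer_ou: null

# LDAP filter deciding who may log in. By default only members of
# "Domain Admins" (looked up under CN=Users or OU=Groups) are allowed; the
# DC= components are derived from ad_realm by replacing each dot.
# memberOf only reflects direct membership, so users who are in Domain Admins
# through a nested group do not match this filter.
ad_access_filter: "(|(memberOf=CN=Domain Admins,CN=Users,DC={{ ad_realm | regex_replace('\\.',',DC=') }})(memberOf=CN=Domain Admins,OU=Groups,DC={{ ad_realm | regex_replace('\\.',',DC=') }}))"

# Enumeration makes every domain user and group listable on the host
# (e.g. through getent) and adds load on the DC; set to false if not needed.
ad_enumerate: true

# Shell given to domain users by default; /bin/false denies interactive login
# unless a real shell is configured.
ad_default_shell: /bin/false

# Whether access control should evaluate domain GPOs. Can be disabled,
# enforcing or permissive. See man sssd-ad.
# In permissive mode GPO rules are evaluated and would-be denials are logged,
# but they are NOT enforced; use enforcing if GPO logon restrictions must
# actually apply to this host.
ad_gpo_access_control: permissive

# If true, Ansible re-joins the host to the domain
ad_force_join: false

# Set to false to disable dyndns update
ad_dyndns_update: true

# Set to false to disable private groups
ad_private_groups: true

# sssd doesn't support cross-forest trusts, but we can add the Linux box to
# the other domains
ad_trusted_domains: "{{ samba_trusted_domains | default([]) }}"
# Example (placeholder credentials; take real ones from an encrypted store,
# never from a file committed in clear text):
# ad_trusted_domains:
#   - name: ad.other-domain.org
#     admin_user: administrator
#     admin_pass: s3cr3t.

# Settings applied to a trusted domain when it does not define its own.
# The access filter is inherited from the primary domain, so it still
# references the primary realm's DNs — NOTE(review): confirm that this is the
# intended restriction for accounts coming from a trusted domain.
ad_default_trusted_domain:
  access_filter: "{{ ad_access_filter }}"
  enumerate: "{{ ad_enumerate }}"
  ldap_group_search_base: "{{ ad_ldap_group_search_base | default(False) }}"
  ldap_user_search_base: "{{ ad_ldap_user_search_base | default(False) }}"

# You can define a custom search base, with a scope and a filter for groups:
# ad_ldap_group_search_base: CN=Users,dc=ad,dc=domain,dc=com?sub?(|(cn=Domain Users)(cn=Domain Admins))
# ad_ldap_user_search_base: OU=IT,DC=AD,DC=DOMAIN,DC=COM?sub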