45 lines
1.7 KiB
YAML
45 lines
1.7 KiB
YAML
---
|
|
ad_auth: False
|
|
ad_domain: "{{ samba_domain }}"
|
|
ad_realm: "{{ samba_realm }}"
|
|
ad_admin: Administrator
|
|
ad_admin_pass: "{{ samba_dc_admin_pass }}"
|
|
ad_computer_ou:
|
|
ad_access_filter: "(|(memberOf=CN=Domain Admins,CN=Users,DC={{ ad_realm | regex_replace('\\.',',DC=') }})(memberOf=CN=Domain Admins,OU=Groups,DC={{ ad_realm | regex_replace('\\.',',DC=') }}))"
|
|
ad_enumerate: True
|
|
ad_default_shell: /bin/false
|
|
# If access control should evaluate domain GPO. Can be disabled, eforcing or permissive. See man sssd-ad
|
|
ad_gpo_access_control: permissive
|
|
|
|
# If set to True, ansible will re join the host to the domain
|
|
ad_force_join: False
|
|
|
|
# If set to True, ansible will restart sssd, even if it wouldn't be needed otherwise
|
|
ad_restart_sssd: False
|
|
|
|
# Set to false to disable dyndns update
|
|
ad_dyndns_update: True
|
|
|
|
# Set to false to disable private group
|
|
ad_private_groups: True
|
|
|
|
# sssd doesn't support cross forest approbations, but we can add the Linux box to the other domains
|
|
ad_trusted_domains: "{{ samba_trusted_domains | default([]) }}"
|
|
# ad_trusted_domains:
|
|
# - name: ad.other-domain.org
|
|
# admin_user: administrator
|
|
# admin_pass: s3cr3t.
|
|
|
|
ad_default_trusted_domain:
|
|
access_filter: "{{ ad_access_filter }}"
|
|
enumerate: "{{ ad_enumerate }}"
|
|
ldap_group_search_base: "{{ ad_ldap_group_search_base | default(False) }}"
|
|
ldap_user_search_base: "{{ ad_ldap_user_search_base | default(False) }}"
|
|
|
|
# You can define a custom search base, with a scope and a filter for groups:
|
|
# ad_ldap_group_search_base: CN=Users,dc=ad,dc=domain,dc=com?sub?(|(cn=Domain Users)(cn=Domain Admins))
|
|
# ad_ldap_user_search_base: OU=IT,DC=AD,DC=DOMAIN,DC=COM?sub
|
|
|
|
# You can set an attribute holding SSH keys of users
|
|
# ad_ldap_user_ssh_public_key: altSecurityIdentities
|