refactor the system ldap role

we will create a system ldap role which can be used to bind vms to
active directory
and sftp role and/or playbook can incorporate this role

roles/system_ldap/README.md

@@ -1,71 +1,30 @@
-Role Name
-=========
+# Ansible Role: sssd_ad
 
-Configures an endpoint to use [SSSD](https://ubuntu.com/server/docs/service-sssd) to connect to Princeton Active Directory
+This Ansible role configures an Ubuntu Jammy (22.04) machine to authenticate against an Active Directory domain using SSSD (System Security Services Daemon).
 
-Requirements
-------------
+## Requirements
 
-One will need access to [OIT AD Machine Registration Tool](https://tools.princeton.edu/Dept/) This allows you to register a new name for AD
+- Ansible 2.9 or higher
+- An Ubuntu Jammy (22.04) target machine
+- Access to an Active Directory domain controller
+- An AD user with permissions to join machines to the domain
 
-When the playbook is run the first time, it will fail until you add the following manual steps.
+## Role Variables
 
-```zsh
-sudo realm discover pu.win.princeton.edu
-sudo realm join -U doas-libsftp pu.win.princeton.edu
-```
+| Variable | Description |
+|---|---|
+| `ad_domain` | The name of your Active Directory domain (e.g., example.com) |
+| `ad_domain_controller` | The hostname or IP address of your domain controller |
+| `ad_admin_user` | An Active Directory user with permissions to join machines to the domain |
+| `ad_test_user` | A test user in your Active Directory domain |
 
-The password for the step above can be found by looking in the LastPass Vault:
+## Dependencies
 
-```zsh
-lpass ls | grep doas-libsftp
-lpass show <results_from_above> --password | pbcopy
+None
 
-```
+## Example Playbook
 
-Enable mkhomedir with the steps below:
-
-```zsh
-sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
-Name: activate mkhomedir
-Default: yes
-Priority: 900
-Session-Type: Additional
-Session:
-        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
-EOF
-```
-Then activate with
-
-```zsh
-sudo pam-auth-update
-```
-
-
-Role Variables
---------------
-
-
-Dependencies
-------------
-
-- [roles/common](roles/common)
-
-Example Playbook
-----------------
-
-To allow a new user to log in run
-
-```zsh
-ansible-playbook -v playbooks/lib_sftp.yml -e [email protected] -t add_sftp_user
-```
-
-License
--------
-
-BSD
-
-Author Information
-------------------
-
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+```yaml
+- hosts: your_ubuntu_servers
+  roles:
+    - sssd_ad

roles/system_ldap/defaults/main.yml

@@ -1,26 +1,6 @@
 ---
 # defaults file for system_ldap
-#
-sssd_pkg_state: "latest"
-sssd__unwanted_packages_state: "absent"
-sssd__deploy_state: "present"
-
-# Configuration
-sssd_mkhomedir: true
-sssd_home_path: "/home"
-sssd_shell: "/bin/bash"
-sssd_shell_override: false
-
-auth_rule_one: "{{ omit }}"
-auth_rule_two: "{{ omit }}"
-auth_rule_three: "{{ omit }}"
-auth_rule_dev: "{{ omit }}"
-
-sssd_sudoers_ldap: false
-
-# Service
-sssd_service_name: "sssd"
-sssd_flush_handlers: false
-
-# user
-almasftp_user_password: "$6$gfh/f8sNL6WvgI.R$Jwk1s.2sWeItL54G7oz7Qp2C.qvLknMLeWBhzycZXaGLFd6Q/bxkSIbv/Hp8qmkJw.WI/gVzzpziuaSl5KRal."
+ad_domain: "pu.win.princeton.edu"
+ad_test_user: "{{ omit }}"
+ad_domain_controller: "pu.win.princeton.edu"
+ad_admin_user: "{{ omit }}"

roles/system_ldap/handlers/main.yml

@@ -1,12 +1,2 @@
 ---
 # handlers file for system_ldap
-#
-- name: restart sssd
-  service:
-    name: "{{ sssd_service_name }}"
-    state: restarted
-
-- name: restart sshd
-  service:
-    name: sshd
-    state: restarted

roles/system_ldap/meta/main.yml

@@ -1,7 +1,9 @@
 ---
 galaxy_info:
-  author: Princeton University Library
-  description: sssd
+  role_name: system_ldap
+  company: Princeton University Library
+  description: System_LDAP
+  author: pulibrary
 
   license: MIT
 
@@ -10,6 +12,6 @@ galaxy_info:
   platforms:
     - name: Ubuntu
       versions:
-        - 18.04
+        - jammy
 dependencies:
-  - role: "common"
+  - role: common

roles/system_ldap/molecule/default/converge.yml

@@ -5,11 +5,11 @@
     - running_on_server: false
   become: true
   pre_tasks:
-    - name: update cache
-      apt:
+    - name: Update cache
+      ansible.builtin.apt:
         update_cache: true
         cache_valid_time: 600
   tasks:
     - name: "Include system_ldap"
-      include_role:
+      ansible.builtin.include_role:
         name: system_ldap

roles/system_ldap/molecule/default/molecule.yml

@@ -9,8 +9,8 @@ lint: |
   ansible-lint
 platforms:
   - name: instance
-    image: "quay.io/pulibrary/jammy-ansible:latest"
-    command: ""
+    image: "ghcr.io/pulibrary/pul_containers:jammy_multi"
+    command: "sleep infinity"
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
     privileged: true

roles/system_ldap/molecule/default/verify.yml

@@ -3,17 +3,14 @@
   hosts: all
   gather_facts: false
   tasks:
-  - name: check sssd package status
-    package:
-      name: "{{ item }}"
-      state: present
-    check_mode: true
-    register: pkg_status
-    loop:
-      - sssd
-      - sssd-ldap
-
-  - name: test for sssd packages
-    assert:
-      that:
-        - not pkg_status.changed
+    - name: System_ldap | Verify packages are installed
+      ansible.builtin.apt:
+        name:
+          - adcli
+          - krb5-user
+          - libnss-sss
+          - libpam-sss
+          - sssd
+          - sssd-tools
+        state: present
+      changed_when: false