Merge "Add "sys_protected" argument to LDAP playbook"

examples/manage-local-ldap-account/inventory-EXAMPLE

@@ -15,14 +15,14 @@
 # file. Then run the ansible-playbook command with --ask-vault-pass parameter:
 #
 # ansible-playbook --inventory inventory-secure --ask-vault-pass \
-# --extra-vars='user_id=JohnDoo' \
+# --extra-vars='user_id=JohnDoe' \
 # /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
 #
 # If you wish to use different values for password_change_period and
 # password_warning_period parameters follow the sample below:
 #
 # ansible-playbook --inventory inventory-secure --ask-vault-pass \
-# --extra-vars='user_id=JohnDoo password_change_period=120 \
+# --extra-vars='user_id=JohnDoe password_change_period=120 \
 # password_warning_period=1' \
 # /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
 #
@@ -30,7 +30,14 @@
 # variable to yes:
 #
 # ansible-playbook --inventory inventory-secure --ask-vault-pass \
-# --extra-vars='user_id=JohnDoo sudo_permission=yes' \
+# --extra-vars='user_id=JohnDoe sudo_permission=yes' \
+# /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
+#
+# If you wish to add users to sys_protected group, set sys_protected
+# variable to yes:
+#
+# ansible-playbook --inventory inventory-secure --ask-vault-pass \
+# --extra-vars='user_id=JohnDoe sys_protected=yes' \
 # /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
 #
 # If you wish to delete an existing user account (e.g. na-admin):
@@ -45,4 +52,4 @@ ansible_password=<my-common-sysadmin-password>
 ansible_become_pass=<my-common-sysadmin-password>
 
 [systemcontroller]
-systemcontroller-0 ansible_host=127.0.0.1
+systemcontroller-0 ansible_host=127.0.0.1

playbookconfig/src/playbooks/manage_local_ldap_account.yml

@@ -114,6 +114,10 @@
     set_fact:
       in_sudo_permission: "{{ true if sudo_permission is defined and sudo_permission | bool else false }}"
 
+  - name: Set sys_protected flag fact upfront
+    set_fact:
+      in_sys_protected: "{{ true if sys_protected is defined and sys_protected | bool else false }}"
+
 - hosts: systemcontroller
   gather_facts: no
 

playbookconfig/src/playbooks/roles/manage-local-ldap-account/common/add-hosts/tasks/main.yml

@@ -14,6 +14,7 @@
     ansible_ssh_common_args:
       '-o ProxyCommand="sshpass -p {{ ansible_password }} ssh -W [%h]:%p -q {{ ansible_user }}@{{ ansible_host }}"'
     in_sudo_permission: "{{ in_sudo_permission }}"
+    in_sys_protected: "{{ in_sys_protected }}"
     in_mode: "{{ in_mode }}"
     in_user_password: "{{ in_user_password if in_mode == 'create' else '' }}"
     in_user_role: "{{ in_user_role if in_mode == 'create' else '' }}"

playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-account/tasks/main.yml

@@ -18,9 +18,13 @@
     set_fact:
       sudo_param: "{{ '--sudo' if in_sudo_permission else '' }}"
 
+  - name: Set sys_protected_param if external variable sys_protected is true
+    set_fact:
+      sys_protected_param: "{{ '--secondgroup sys_protected' if in_sys_protected else '' }}"
+
   - name: Create LDAP user {{ in_user_id }}
     shell: >-
-      ldapusersetup -u {{ in_user_id }} {{ sudo_param }} --secondgroup sys_protected --passmax
+      ldapusersetup -u {{ in_user_id }} {{ sudo_param }} {{ sys_protected_param }} --passmax
       {{ password_change_period }} --passwarning {{ password_warning_period }}
     become: yes
 

playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-keystone-account/tasks/main.yml

@@ -69,6 +69,11 @@
   become: yes
   when: in_sudo_permission
 
+- name: Add LDAP user to 'sys_protected' group
+  command: usermod -a -G sys_protected {{ in_user_id }}
+  become: yes
+  when: in_sys_protected
+
 - name: Retrieve LDAP user groups
   command: groups {{ in_user_id }}
   register: user_groups