From c793b470b0d7bbe82a3ee26c07d6d29c5d7425e3 Mon Sep 17 00:00:00 2001
From: irl
Date: Sat, 20 Dec 2025 13:12:43 +0000
Subject: [PATCH] feat(baseline): enable sssd faillock, pwhistory and disable nullok

---
 roles/baseline/tasks/ipaclient.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/roles/baseline/tasks/ipaclient.yml b/roles/baseline/tasks/ipaclient.yml
index e301e96..4bfbb34 100644
--- a/roles/baseline/tasks/ipaclient.yml
+++ b/roles/baseline/tasks/ipaclient.yml
@@ -10,13 +10,16 @@
 register: _baseline_freeipa_authselect_status
 changed_when: false

-- name: FreeIPA Client | PATCH | Apply authselect profile with sssd, sudo, and mkhomedir if not set
- ansible.builtin.command: authselect select sssd with-sudo with-mkhomedir with-subid --force
+- name: FreeIPA Client | PATCH | Apply authselect profile with sssd, sudo, and more if not set
+ ansible.builtin.command: authselect select sssd with-sudo with-mkhomedir with-subid with-faillock with-pwhistory without-nullok --force
 when: >
 'Profile ID: sssd' not in _baseline_freeipa_authselect_status.stdout or
 'with-sudo' not in _baseline_freeipa_authselect_status.stdout or
 'with-mkhomedir' not in _baseline_freeipa_authselect_status.stdout or
- 'with-subid' not in _baseline_freeipa_authselect_status.stdout
+ 'with-subid' not in _baseline_freeipa_authselect_status.stdout or
+ 'with-faillock' not in _baseline_freeipa_authselect_status.stdout or
+ 'with-pwhistory' not in _baseline_freeipa_authselect_status.stdout or
+ 'without-nullok' not in _baseline_freeipa_authselect_status.stdout

 - name: FreeIPA Client | PATCH | Enable oddjobd.service (for with-mkhomedir feature)
 ansible.builtin.systemd_service:
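Review bot: Adding `with-faillock` and `with-pwhistory` to the `authselect select` line turns on pam_faillock and pam_pwhistory, but nothing in this hunk sets their limits, so the lockout threshold, unlock time and history depth stay at whatever `/etc/security/faillock.conf` and `/etc/security/pwhistory.conf` ship with. For a baseline role those values should be explicit (they may be managed in a task file not visible here), since account lockout also lets repeated failed logins block a legitimate user. I would add above the task `# with-faillock / with-pwhistory read deny, unlock_time and remember from /etc/security/faillock.conf and pwhistory.conf; set them in this role`. Because the `when:` now also tests the three new features, the `--force` select will presumably run once on every already-enrolled host and overwrite PAM/nsswitch edits made outside authselect. The changed task is complete within the hunk; the tasks before and after it are cut off.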