From 7da0637616a3307a2eef7b5e15f9f3ca486484d5 Mon Sep 17 00:00:00 2001
From: Rich Megginson
Date: Wed, 10 Jan 2024 14:56:07 -0700
Subject: [PATCH] feat: add ad_integration_preserve_authselect_profile

Feature: Add ad_integration_preserve_authselect_profile as a boolean parameter.

Reason: Users need to be able to remove the `authselect` command from `sssd-enable-logins` to avoid overwriting previous PAM/nsswitch changes, until [RHEL-5101](https://issues.redhat.com/browse/RHEL-5101) is addressed.

Result: Users can use the ad_integration role with PAM/nsswitch changes.

Signed-off-by: Rich Megginson
---
 README.md | 7 +++++++
 defaults/main.yml | 5 +++++
 templates/realmd.conf.j2 | 5 +++++
 3 files changed, 17 insertions(+)

diff --git a/README.md b/README.md
index 73173ca..f7ee16b 100644
--- a/README.md
+++ b/README.md
@@ -228,6 +228,13 @@ ad_integration_sssd_custom_settings:
 value: "configuration_value"
 ```
 
+#### ad_integration_preserve_authselect_profile
+
+This is a boolean, default is `false`. If `true`, configure realmd.conf to
+remove the `authselect` command from `sssd-enable-logins` to avoid overwriting
+previous PAM/nsswitch changes, until
+[RHEL-5101](https://issues.redhat.com/browse/RHEL-5101) is addressed.
+
 ## Example Playbook
 
 The following is an example playbook to setup direct Active Directory integration with AD domain `domain.example.com`, the join will be performed with user Administrator using the vault stored password. Prior to the join, the crypto policy for AD SUPPORT with RC4 encryption allowed will be set.
diff --git a/defaults/main.yml b/defaults/main.yml
index 770c4c8..899784e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -142,3 +142,8 @@ ad_integration_sssd_settings: []
 # - key: "configuration_name"
 # value: "configuration_value"
 ad_integration_sssd_custom_settings: []
+
+# If `true`, configure realmd.conf to remove the `authselect` command from
+# `sssd-enable-logins` to avoid overwriting previous PAM/nsswitch changes, until
+# https://issues.redhat.com/browse/RHEL-5101 is addressed.
+ad_integration_preserve_authselect_profile: false
diff --git a/templates/realmd.conf.j2 b/templates/realmd.conf.j2
index 178114a..6682c0d 100644
--- a/templates/realmd.conf.j2
+++ b/templates/realmd.conf.j2
@@ -10,3 +10,8 @@ automatic-id-mapping = {{ ad_integration_auto_id_mapping }}
 {% if ad_integration_computer_ou %}
 computer-ou = {{ ad_integration_computer_ou }}
 {% endif %}
+{% if ad_integration_preserve_authselect_profile %}
+[commands]
+sssd-enable-logins = /usr/bin/sh -c "/usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+sssd-disable-logins = /bin/true
+{% endif %}
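Review bot: With the flag set, neither command in the added `[commands]` block of templates/realmd.conf.j2 touches PAM or nsswitch, and nothing in the template records that this is intentional or what it leaves to the operator. In particular `sssd-disable-logins = /bin/true` turns the disable step into a no-op, so whatever sss entries the preserved profile carries presumably stay in place after the host leaves the domain, and the enable step still starts oddjobd although home-directory creation depends on the profile that was kept. I would put a Jinja comment above `[commands]`, for example `{# authselect is deliberately not run: the existing profile must already provide sssd and mkhomedir, and leaving the domain will not revert PAM/nsswitch #}`, and state the same prerequisite in the README entry for the variable. The template begins outside the hunk, so the settings that precede `[commands]` are only partly visible here.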