Fixes #35832 - set default_domain_suffix in sssd.conf

Author: adamruzicka

manifests/config.pp

@@ -246,16 +246,22 @@
         $sssd_ldap_user_extra_attrs = join(unique(pick($sssd['ldap_user_extra_attrs'], []) + ['email:mail', 'lastname:sn', 'firstname:givenname']), ', ')
         $sssd_allowed_uids = join(unique(pick($sssd['allowed_uids'], []) + [$apache::user, 'root']), ', ')
         $sssd_user_attributes = join(unique(pick($sssd['user_attributes'], []) + ['+email', '+firstname', '+lastname']), ', ')
+        $sssd_ifp_extra_attributes = [
+          "set target[.=~regexp('domain/.*')]/ldap_user_extra_attrs '${sssd_ldap_user_extra_attrs}'",
+          "set target[.='sssd']/services '${sssd_services}'",
+          'set target[.=\'ifp\'] \'ifp\'',
+          "set target[.='ifp']/allowed_uids '${sssd_allowed_uids}'",
+          "set target[.='ifp']/user_attributes '${sssd_user_attributes}'",
+        ]
+
+        $sssd_changes = $sssd_ifp_extra_attributes + ($foreman::ipa_sssd_default_realm ? {
+            undef => [],
+            default => ["set target[.='sssd']/default_domain_suffix '${$foreman::ipa_sssd_default_realm}'"],
+        })
 
         augeas { 'sssd-ifp-extra-attributes':
           context => '/files/etc/sssd/sssd.conf',
-          changes => [
-            "set target[.=~regexp('domain/.*')]/ldap_user_extra_attrs '${sssd_ldap_user_extra_attrs}'",
-            "set target[.='sssd']/services '${sssd_services}'",
-            'set target[.=\'ifp\'] \'ifp\'',
-            "set target[.='ifp']/allowed_uids '${sssd_allowed_uids}'",
-            "set target[.='ifp']/user_attributes '${sssd_user_attributes}'",
-          ],
+          changes => $sssd_changes,
           notify  => Service['sssd'],
         }
       }

manifests/init.pp

@@ -132,6 +132,9 @@
 # $ipa_manage_sssd::              If ipa_authentication is true, should the installer manage SSSD? You can disable it
 #                                 if you use another module for SSSD configuration
 #
+# $ipa_sssd_default_realm::       If ipa_manage_sssd is true, set default_domain_suffix option in sssd configuration to this value
+#                                 to allow logging in without having to provide the domain name.
+#
 # $websockets_encrypt::           Whether to encrypt websocket connections
 #
 # $websockets_ssl_key::           SSL key file to use when encrypting websocket connections
@@ -260,6 +263,7 @@
   Boolean $gssapi_local_name = true,
   String $pam_service = 'foreman',
   Boolean $ipa_manage_sssd = true,
+  Optional[String] $ipa_sssd_default_realm = undef,
   Boolean $websockets_encrypt = true,
   Optional[Stdlib::Absolutepath] $websockets_ssl_key = undef,
   Optional[Stdlib::Absolutepath] $websockets_ssl_cert = undef,