Make domjoin user and password configurable via inventory and join domain only when necessary

roles/lmn_sssd/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+sssd_domjoin_user: global-admin

roles/lmn_sssd/tasks/main.yml

@@ -13,12 +13,23 @@
     mode: '0600'
   notify: Restart sssd
 
-  ## Either one of the variables is defined:
+- name: Check if the machine account password and the join are still valid
+  ansible.builtin.shell:
+    cmd: adcli testjoin -D {{ domain | upper }}
+  register: adcli_test_result
+  failed_when: false
+  changed_when: false
+
+  # If domjoin not valid:
 - name: Join the domain
   ansible.builtin.shell:
     cmd: >
-      echo "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}" |
-      adcli join --stdin-password -U global-admin {{ domain | upper }}
-  when: >
-    ansible_cmdline.adpw | default('') | length > 0 or
-    adpw.user_input | default('') | length > 0
+      echo "{{ ad_passwd }}" | adcli join --stdin-password -U {{ ad_user }} {{ domain | upper }}
+  no_log: true
+  vars:
+    - ad_user: "{{ 'global-admin' if (adpw.user_input | default(ansible_cmdline.adpw) | default('') | length > 0) else sssd_domjoin_user }}"
+    - ad_passwd: "{{ adpw.user_input | default('') if  adpw.user_input | length > 0 else ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') }}"
+  when:
+    - adpw.user_input | length > 0 or
+      ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') | length > 0
+    - adcli_test_result.rc != 0