initial commit

2022-01-23 00:38:23 +01:00 · 2022-01-23 00:38:23 +01:00 · 4de5a9b758
commit 4de5a9b758
9 changed files with 190 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,12 @@
+ldap_uris: []
+ldap_search_base: DC=example,DC=com
+ldap_bind_dn: "UID=rd-only,CN=users,{{ ldap_search_base }}"
+ldap_bind_password: "rd-only"
+ldap_cert: ldap-ca.pem
+ldap_admins:
+  - "memberof=CN=admins,CN=groups,{{ ldap_search_base }}"
+ldap_shell_users:
+  - "memberof=CN=shell,CN=groups,{{ ldap_search_base }}"
+ldap_mail_users:
+  - "memberof=CN=mail,CN=groups,{{ ldap_search_base }}"
+ldap_users: "{{ ldap_admins + ldap_shell_users }}"
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,18 @@
+---
+- name: restart_sssd
+  tags: sssd
+  service:
+    name: sssd
+    state: restarted
+
+- name: restart_nslcd
+  tags: nslcd
+  service:
+    name: nslcd
+    state: restarted
+
+- name: restart_nscd
+  tags: nscd
+  service:
+    name: nscd
+    state: restarted
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,76 @@
+- name: system | ldap auth
+  block:
+    - name: Load OS specific variables.
+      tags: ldap
+      ansible.builtin.include_vars:
+        file: "os_{{ os_distribution }}.yml"
+
+    - name: Install packages.
+      tags: ldap,packages,ldap-auth
+      ansible.builtin.package:
+        state: present
+        name:
+          - "{{ package_libnss_ldapd }}"
+          - libsss-sudo
+          - sssd
+
+    - name: Create config directories.
+      tags: ldap,ldap-auth
+      ansible.builtin.file:
+        state: directory
+        owner: root
+        group: root
+        mode: 0755
+        path: "{{ item }}"
+      with_items:
+        - /etc/sssd
+        - /etc/ldap
+
+    - name: Copy config files.
+      tags: ldap,ldap-auth
+      ansible.builtin.copy:
+        owner: root
+        group: root
+        mode: 0644
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+      with_items:
+        - src: nscd.conf
+          dest: /etc/nscd.conf
+        - src: nsswitch.conf
+          dest: /etc/nsswitch.conf
+        - src: "ldap/{{ ldap_cert }}"
+          dest: "/etc/ldap/{{ ldap_cert }}"
+      notify:
+        - restart_nscd
+
+    - name: Create config files from templates.
+      tags: ldap
+      template:
+        owner: root
+        group: root
+        mode: 0600
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+      with_items:
+        - src: sssd/sssd.conf
+          dest: /etc/sssd/sssd.conf
+        - src: nslcd.conf
+          dest: /etc/nslcd.conf
+        - src: ldap/ldap.conf
+          dest: /etc/ldap/ldap.conf
+      notify:
+        - restart_nslcd
+        - restart_sssd
+
+    - name: Enable services.
+      ansible.builtin.service:
+        name: "{{ item }}"
+        enabled: yes
+      with_items:
+        - nslcd
+        - nscd
+        - sssd
+
+  when:
+    - ldap_uris | length > 0
--- a/templates/ldap.conf
+++ b/templates/ldap.conf
@ -0,0 +1,16 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE	{{ ldap_search_base }}
+URI	{{ ldap_uris | join(' ') }}
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT	/etc/ldap/{{ ldap_cert }}
--- a/templates/nslcd.conf
+++ b/templates/nslcd.conf
@ -0,0 +1,38 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+{% for server in ldap_uris %}
+uri {{ server }}
+{% endfor %}
+
+# The search base that will be used for all queries.
+base {{ ldap_search_base }}
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+binddn {{ ldap_bind_dn }}
+bindpw {{ ldap_bind_password }}
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+tls_reqcert demand
+tls_cacertfile /etc/ldap/{{ ldap_cert }}
+
+# The search scope.
+#scope sub
+
+filter passwd (&(objectClass=shadowAccount)(|({{ ldap_users | join(')(') }})))
+filter group (&(objectClass=univentionGroup)(|({{ ldap_users | join(')(') }})))
--- a/templates/sssd.conf
+++ b/templates/sssd.conf
@ -0,0 +1,27 @@
+[sssd]
+services = nss, pam, sudo
+config_file_version = 2
+domains = LDAP
+
+[domain/LDAP]
+cache_credentials = true
+
+id_provider = ldap
+auth_provider = ldap
+sudo_provider = ldap
+
+ldap_uri = {{ ldap_uris | join(',') }}
+ldap_default_bind_dn = {{ ldap_bind_dn }}
+ldap_default_authtok = {{ ldap_bind_password }}
+ldap_default_authtok_type = password
+ldap_tls_cacert = /etc/ldap/{{ ldap_cert }}
+
+ldap_search_base = {{ ldap_search_base }}
+ldap_user_search_base = {{ ldap_search_base }}?subtree?(|({{ ldap_users | join(')(')}}))
+ldap_sudo_search_base = {{ ldap_search_base }}?subtree?(|({{ ldap_admins | join(')(')}}))
+ldap_group_search_base = {{ ldap_search_base }}
+ldap_id_use_start_tls = true
+ldap_id_mapping = false
+use_fully_qualified_names = false
+
+enumerate = true
--- a/vars/os_Arch.yml
+++ b/vars/os_Arch.yml
@ -0,0 +1 @@
+package_libnss_ldapd: nss-pam-ldapd
--- a/vars/os_Debian.yml
+++ b/vars/os_Debian.yml
@ -0,0 +1 @@
+package_libnss_ldapd: libnss-ldapd
--- a/vars/os_Raspbian.yml
+++ b/vars/os_Raspbian.yml
@ -0,0 +1 @@
+package_libnss_ldapd: libnss-ldapd