commit 4de5a9b758d77af5eb69467744d15a85f3c99f5e
Author: Patrick Neff
Date: Sun Jan 23 00:38:23 2022 +0100
initial commit
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..c480082
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,12 @@
+ldap_uris: []
+ldap_search_base: DC=example,DC=com
+ldap_bind_dn: "UID=rd-only,CN=users,{{ ldap_search_base }}"
+ldap_bind_password: "rd-only"
+ldap_cert: ldap-ca.pem
+ldap_admins:
+ - "memberof=CN=admins,CN=groups,{{ ldap_search_base }}"
+ldap_shell_users:
+ - "memberof=CN=shell,CN=groups,{{ ldap_search_base }}"
+ldap_mail_users:
+ - "memberof=CN=mail,CN=groups,{{ ldap_search_base }}"
+ldap_users: "{{ ldap_admins + ldap_shell_users }}"
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..bb9e242
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,18 @@
+---
+- name: restart_sssd
+ tags: sssd
+ service:
+ name: sssd
+ state: restarted
+
+- name: restart_nslcd
+ tags: nslcd
+ service:
+ name: nslcd
+ state: restarted
+
+- name: restart_nscd
+ tags: nscd
+ service:
+ name: nscd
+ state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..40a4ec1
--- /dev/null
+++ b/tasks/main.yml
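Review bot: `ldap_bind_password: "rd-only"` ships a working plaintext bind password as a role default, and the templates in this commit render it verbatim into /etc/nslcd.conf and /etc/sssd/sssd.conf, so a default nobody overrides silently becomes the production credential. Drop the default so an unset value fails at template time (or guard it with an `ansible.builtin.assert` task) and document the expectation in its place, e.g. `# ldap_bind_password: no default on purpose - supply it from an Ansible Vault variable`. The file also lacks the `---` document start that handlers/main.yml has; add it for consistency.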
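Review bot: The three handlers call the bare `service:` module while tasks/main.yml uses the fully-qualified `ansible.builtin.service`; use the FQCN here too so handlers and tasks resolve the same module and the role does not depend on collection search order. The three blocks differ only in the service name, so a single `restart_ldap_services` handler looping over `nslcd`, `nscd` and `sssd` would be one possible simplification, though the separate names are harmless.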
@@ -0,0 +1,76 @@
+- name: system | ldap auth
+ block:
+ - name: Load OS specific variables.
+ tags: ldap
+ ansible.builtin.include_vars:
+ file: "os_{{ os_distribution }}.yml"
+
+ - name: Install packages.
+ tags: ldap,packages,ldap-auth
+ ansible.builtin.package:
+ state: present
+ name:
+ - "{{ package_libnss_ldapd }}"
+ - libsss-sudo
+ - sssd
+
+ - name: Create config directories.
+ tags: ldap,ldap-auth
+ ansible.builtin.file:
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+ path: "{{ item }}"
+ with_items:
+ - /etc/sssd
+ - /etc/ldap
+
+ - name: Copy config files.
+ tags: ldap,ldap-auth
+ ansible.builtin.copy:
+ owner: root
+ group: root
+ mode: 0644
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ with_items:
+ - src: nscd.conf
+ dest: /etc/nscd.conf
+ - src: nsswitch.conf
+ dest: /etc/nsswitch.conf
+ - src: "ldap/{{ ldap_cert }}"
+ dest: "/etc/ldap/{{ ldap_cert }}"
+ notify:
+ - restart_nscd
+
+ - name: Create config files from templates.
+ tags: ldap
+ template:
+ owner: root
+ group: root
+ mode: 0600
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ with_items:
+ - src: sssd/sssd.conf
+ dest: /etc/sssd/sssd.conf
+ - src: nslcd.conf
+ dest: /etc/nslcd.conf
+ - src: ldap/ldap.conf
+ dest: /etc/ldap/ldap.conf
+ notify:
+ - restart_nslcd
+ - restart_sssd
+
+ - name: Enable services.
+ ansible.builtin.service:
+ name: "{{ item }}"
+ enabled: yes
+ with_items:
+ - nslcd
+ - nscd
+ - sssd
+
+ when:
+ - ldap_uris | length > 0
diff --git a/templates/ldap.conf b/templates/ldap.conf
new file mode 100644
index 0000000..50a400a
--- /dev/null
+++ b/templates/ldap.conf
@@ -0,0 +1,16 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE {{ ldap_search_base }}
+URI {{ ldap_uris | join(' ') }}
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT /etc/ldap/{{ ldap_cert }}
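Review bot: `Create config files from templates.` writes /etc/ldap/ldap.conf with `mode: 0600`, although the template itself says the file should be world readable; 0600 is right for sssd.conf and nslcd.conf, which carry the bind password, but ldap.conf holds no secret and unprivileged LDAP clients will be unable to read it. Use a per-item mode with the restrictive default, `mode: "{{ item.mode | default('0600') }}"`, and give the ldap.conf item `mode: "0644"`. While here, quote the octal modes (`mode: "0755"`, `mode: "0644"`) so the module receives a string rather than relying on the YAML parser's leading-zero octal conversion, write `enabled: true` instead of `yes`, and use `ansible.builtin.template` like the other modules. The `Enable services.` task carries no tags, so a run limited with `--tags ldap` configures the services without enabling them, and `libsss-sudo` is a Debian package name — I don't believe Arch ships a package by that name, so it probably belongs in the vars/os_*.yml files next to `package_libnss_ldapd`.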
diff --git a/templates/nslcd.conf b/templates/nslcd.conf
new file mode 100644
index 0000000..2227dca
--- /dev/null
+++ b/templates/nslcd.conf
@@ -0,0 +1,38 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+{% for server in ldap_uris %}
+uri {{ server }}
+{% endfor %}
+
+# The search base that will be used for all queries.
+base {{ ldap_search_base }}
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+binddn {{ ldap_bind_dn }}
+bindpw {{ ldap_bind_password }}
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+tls_reqcert demand
+tls_cacertfile /etc/ldap/{{ ldap_cert }}
+
+# The search scope.
+#scope sub
+
+filter passwd (&(objectClass=shadowAccount)(|({{ ldap_users | join(')(') }})))
+filter group (&(objectClass=univentionGroup)(|({{ ldap_users | join(')(') }})))
diff --git a/templates/sssd.conf b/templates/sssd.conf
new file mode 100644
index 0000000..f53e578
--- /dev/null
+++ b/templates/sssd.conf
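Review bot: nslcd.conf leaves `#ssl off` as the effective default and never enables STARTTLS, so with plain `ldap://` entries in `ldap_uris` nslcd sends `bindpw` and every lookup in clear text, while sssd.conf in the same commit sets `ldap_id_use_start_tls = true` — the two clients disagree on transport security. Add `ssl start_tls` next to `tls_reqcert demand` (or require `ldaps://` URIs) so that `tls_reqcert` and `tls_cacertfile` actually take effect. The `filter group` line reuses the user `memberof=` filter, which restricts the returned group entries to groups that are themselves members of the shell/admins groups; if the intent is to resolve the users' own groups this presumably needs a different filter, and it is also inconsistent with the unfiltered `ldap_group_search_base` in sssd.conf.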
@@ -0,0 +1,27 @@
+[sssd]
+services = nss, pam, sudo
+config_file_version = 2
+domains = LDAP
+
+[domain/LDAP]
+cache_credentials = true
+
+id_provider = ldap
+auth_provider = ldap
+sudo_provider = ldap
+
+ldap_uri = {{ ldap_uris | join(',') }}
+ldap_default_bind_dn = {{ ldap_bind_dn }}
+ldap_default_authtok = {{ ldap_bind_password }}
+ldap_default_authtok_type = password
+ldap_tls_cacert = /etc/ldap/{{ ldap_cert }}
+
+ldap_search_base = {{ ldap_search_base }}
+ldap_user_search_base = {{ ldap_search_base }}?subtree?(|({{ ldap_users | join(')(')}}))
+ldap_sudo_search_base = {{ ldap_search_base }}?subtree?(|({{ ldap_admins | join(')(')}}))
+ldap_group_search_base = {{ ldap_search_base }}
+ldap_id_use_start_tls = true
+ldap_id_mapping = false
+use_fully_qualified_names = false
+
+enumerate = true
diff --git a/vars/os_Arch.yml b/vars/os_Arch.yml
new file mode 100644
index 0000000..1654c5e
--- /dev/null
+++ b/vars/os_Arch.yml
@@ -0,0 +1 @@
+package_libnss_ldapd: nss-pam-ldapd
diff --git a/vars/os_Debian.yml b/vars/os_Debian.yml
new file mode 100644
index 0000000..c2a8bfb
--- /dev/null
+++ b/vars/os_Debian.yml
@@ -0,0 +1 @@
+package_libnss_ldapd: libnss-ldapd
diff --git a/vars/os_Raspbian.yml b/vars/os_Raspbian.yml
new file mode 100644
index 0000000..c2a8bfb
--- /dev/null
+++ b/vars/os_Raspbian.yml
@@ -0,0 +1 @@
+package_libnss_ldapd: libnss-ldapd
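Review bot: `ldap_sudo_search_base` appends the `memberof=CN=admins,...` filter to the sudo rule search, but that filter selects which entries under the base are returned, so as far as I can tell it would only match sudoRole objects that are themselves members of the admins group rather than limiting sudo to admin users — I would expect it to return no sudo rules at all. Restricting who may sudo belongs in the rules' `sudoUser` attributes (or in the `ldap_user_search_base` filter), and `ldap_sudo_search_base` should name the container holding the rules without a memberof clause. `enumerate = true` makes sssd periodically pull the full user and group set, which is only needed for `getent passwd`-style listings and gets expensive on large directories; if it is intentional, say so, e.g. `# enumerate: needed for getent listings; disable on large directories`.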