initial commit

2022-01-23 00:38:23 +01:00 · 2022-01-23 00:38:23 +01:00 · 4de5a9b758
commit 4de5a9b758
9 changed files with 190 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,12 @@
 ldap_uris: []
 ldap_search_base: DC=example,DC=com
 ldap_bind_dn: "UID=rd-only,CN=users,{{ ldap_search_base }}"
 ldap_bind_password: "rd-only"
 ldap_cert: ldap-ca.pem
 ldap_admins:
  - "memberof=CN=admins,CN=groups,{{ ldap_search_base }}"
 ldap_shell_users:
  - "memberof=CN=shell,CN=groups,{{ ldap_search_base }}"
 ldap_mail_users:
  - "memberof=CN=mail,CN=groups,{{ ldap_search_base }}"
 ldap_users: "{{ ldap_admins + ldap_shell_users }}"
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,18 @@
 ---
 - name: restart_sssd
  tags: sssd
  service:
    name: sssd
    state: restarted
 - name: restart_nslcd
  tags: nslcd
  service:
    name: nslcd
    state: restarted
 - name: restart_nscd
  tags: nscd
  service:
    name: nscd
    state: restarted
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,76 @@
 - name: system | ldap auth
  block:
    - name: Load OS specific variables.
      tags: ldap
      ansible.builtin.include_vars:
        file: "os_{{ os_distribution }}.yml"
    - name: Install packages.
      tags: ldap,packages,ldap-auth
      ansible.builtin.package:
        state: present
        name:
          - "{{ package_libnss_ldapd }}"
          - libsss-sudo
          - sssd
    - name: Create config directories.
      tags: ldap,ldap-auth
      ansible.builtin.file:
        state: directory
        owner: root
        group: root
        mode: 0755
        path: "{{ item }}"
      with_items:
        - /etc/sssd
        - /etc/ldap
    - name: Copy config files.
      tags: ldap,ldap-auth
      ansible.builtin.copy:
        owner: root
        group: root
        mode: 0644
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
      with_items:
        - src: nscd.conf
          dest: /etc/nscd.conf
        - src: nsswitch.conf
          dest: /etc/nsswitch.conf
        - src: "ldap/{{ ldap_cert }}"
          dest: "/etc/ldap/{{ ldap_cert }}"
      notify:
        - restart_nscd
    - name: Create config files from templates.
      tags: ldap
      template:
        owner: root
        group: root
        mode: 0600
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
      with_items:
        - src: sssd/sssd.conf
          dest: /etc/sssd/sssd.conf
        - src: nslcd.conf
          dest: /etc/nslcd.conf
        - src: ldap/ldap.conf
          dest: /etc/ldap/ldap.conf
      notify:
        - restart_nslcd
        - restart_sssd
    - name: Enable services.
      ansible.builtin.service:
        name: "{{ item }}"
        enabled: yes
      with_items:
        - nslcd
        - nscd
        - sssd
  when:
    - ldap_uris | length > 0
--- a/templates/ldap.conf
+++ b/templates/ldap.conf
@ -0,0 +1,16 @@
 #
 # LDAP Defaults
 #
 # See ldap.conf(5) for details
 # This file should be world readable but not world writable.
 BASE	{{ ldap_search_base }}
 URI	{{ ldap_uris | join(' ') }}
 #SIZELIMIT	12
 #TIMELIMIT	15
 #DEREF		never
 # TLS certificates (needed for GnuTLS)
 TLS_CACERT	/etc/ldap/{{ ldap_cert }}
--- a/templates/nslcd.conf
+++ b/templates/nslcd.conf
@ -0,0 +1,38 @@
 # /etc/nslcd.conf
 # nslcd configuration file. See nslcd.conf(5)
 # for details.
 # The user and group nslcd should run as.
 uid nslcd
 gid nslcd
 # The location at which the LDAP server(s) should be reachable.
 {% for server in ldap_uris %}
 uri {{ server }}
 {% endfor %}
 # The search base that will be used for all queries.
 base {{ ldap_search_base }}
 # The LDAP protocol version to use.
 #ldap_version 3
 # The DN to bind with for normal lookups.
 #binddn cn=annonymous,dc=example,dc=net
 #bindpw secret
 binddn {{ ldap_bind_dn }}
 bindpw {{ ldap_bind_password }}
 # The DN used for password modifications by root.
 #rootpwmoddn cn=admin,dc=example,dc=com
 # SSL options
 #ssl off
 tls_reqcert demand
 tls_cacertfile /etc/ldap/{{ ldap_cert }}
 # The search scope.
 #scope sub
 filter passwd (&(objectClass=shadowAccount)(|({{ ldap_users | join(')(') }})))
 filter group (&(objectClass=univentionGroup)(|({{ ldap_users | join(')(') }})))
--- a/templates/sssd.conf
+++ b/templates/sssd.conf
@ -0,0 +1,27 @@
 [sssd]
 services = nss, pam, sudo
 config_file_version = 2
 domains = LDAP
 [domain/LDAP]
 cache_credentials = true
 id_provider = ldap
 auth_provider = ldap
 sudo_provider = ldap
 ldap_uri = {{ ldap_uris | join(',') }}
 ldap_default_bind_dn = {{ ldap_bind_dn }}
 ldap_default_authtok = {{ ldap_bind_password }}
 ldap_default_authtok_type = password
 ldap_tls_cacert = /etc/ldap/{{ ldap_cert }}
 ldap_search_base = {{ ldap_search_base }}
 ldap_user_search_base = {{ ldap_search_base }}?subtree?(|({{ ldap_users | join(')(')}}))
 ldap_sudo_search_base = {{ ldap_search_base }}?subtree?(|({{ ldap_admins | join(')(')}}))
 ldap_group_search_base = {{ ldap_search_base }}
 ldap_id_use_start_tls = true
 ldap_id_mapping = false
 use_fully_qualified_names = false
 enumerate = true
--- a/vars/os_Arch.yml
+++ b/vars/os_Arch.yml
@ -0,0 +1 @@
 package_libnss_ldapd: nss-pam-ldapd
--- a/vars/os_Debian.yml
+++ b/vars/os_Debian.yml
@ -0,0 +1 @@
 package_libnss_ldapd: libnss-ldapd
--- a/vars/os_Raspbian.yml
+++ b/vars/os_Raspbian.yml
@ -0,0 +1 @@
 package_libnss_ldapd: libnss-ldapd