ldap van revspace, nog aanpassen

ldapclient/files/lets-encrypt-x1.pem

@@ -0,0 +1 @@
+../../../certs/lets-encrypt-x1.pem

ldapclient/files/lets-encrypt-x3-cross-signed.pem

@@ -0,0 +1 @@
+../../../certs/lets-encrypt-x3-cross-signed.pem

ldapclient/files/sub.class1.server.sha2.ca.pem

@@ -0,0 +1 @@
+../../../certs/sub.class1.server.sha2.ca.pem

ldapclient/handlers/main.yaml

@@ -0,0 +1,7 @@
+---
+
+- name: reload nslcd
+  service: name=nslcd state=restarted enabled=true
+  tags:
+    - ldapclient
+    - nslcd

ldapclient/tasks/main.yaml

@@ -0,0 +1,129 @@
+# LDAP Client role for Revspace LDAP
+# Tested on: Debian Stable
+
+---
+
+- name: Install LDAP client software
+  apt:
+    state: present
+    pkg:
+      - libpam-ldapd
+      - python3-ldap3
+  when: ansible_os_family == 'Debian'
+  tags:
+    - ldapclient
+    - apt
+
+- name: Enable pam_mkhomedir module
+  lineinfile:
+    dest: /etc/pam.d/common-account
+    line: "session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022"
+    regexp: "pam_mkhomedir.so"
+    insertafter: EOF
+  tags:
+    - ldapclient
+    - mkhomedir
+
+- name: Create login.group.allowed file
+  lineinfile:
+    dest: /etc/login.group.allowed
+    line: "board"
+    regexp: "^board$"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+    create: true
+  with_items:
+    - "{{ login_groups | default('board') }}"
+  tags:
+    - ldapclient
+    - logingroups
+  when:
+    - logingroups is defined
+
+- name: Limit access to listed groups
+  lineinfile:
+    dest: /etc/pam.d/common-auth
+    line: 'auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed'
+    insertbefore: EOF
+    owner: "root"
+    group: "root"
+    mode: "0644"
+    regexp: "pam_listfile.*login.group.allowed"
+  tags:
+    - ldapclient
+    - logingroups
+  when:
+    - logingroups is defined
+  notify:
+    - reload nslcd
+
+- name: Copy CA certificate
+  copy:
+    src: "{{ ldap_cafile }}"
+    dest: "/etc/ldap/{{ ldap_cafile }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+
+- name: Template ldap.conf
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/ldap/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  with_items:
+    - ldap.conf
+  notify:
+    - reload nslcd
+
+- name: Template nslcd.conf
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  with_items:
+    - nslcd.conf
+  notify:
+    - reload nslcd
+
+- name: Update /etc/nsswitch.conf
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    line: "{{ item }}:	compat ldap systemd"
+    regexp: "^{{ item }}"
+  with_items:
+    - passwd
+    - group
+    - shadow
+
+- name: Template nslcd.conf
+  template:
+    src: ssh-getkey-ldap.j2
+    dest: /usr/sbin/ssh-getkey-ldap
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  with_items:
+    - ssh-getkey-ldap
+  tags:
+    - ssh-getkey-ldap
+
+- name: Update /etc/nsswitch.conf
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    line: 'sudoers: ldap'
+    regexp: '^sudoers'
+    insertbefore: EOF"
+
+- name: Disable nscd service
+  service:
+    name: nscd
+    state: stopped
+    enabled: false
+  tags:
+    - ldapclient
+    - nscd

ldapclient/templates/ldap.conf.j2

@@ -0,0 +1,28 @@
+# {{ ansible_managed }}
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE    {{ldap_base}}
+URI     {{ldap_uri}}
+
+#SIZELIMIT  12
+#TIMELIMIT  15
+#DEREF      never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT /etc/ldap/{{ldap_cafile}}
+#TLS_CIPHER_SUITE {{ldap_cipher_suite}}
+TLS_PROTOCOL_MIN 3.3
+TLS_REQCERT demand
+TLS_CRLCHECK none
+
+# Sudo settings
+SUDOERS_BASE ou=SUDOers,{{ldap_base}}
+#SUDOERS_SEARCH_FILTER objectClass=sudoRole
+SUDOERS_TIMED yes
+#SUDOERS_DEBUG 1
+

ldapclient/templates/nslcd.conf.j2

@@ -0,0 +1,35 @@
+# {{ ansible_managed }}
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+#uri ldap://ldap.space.revspace.nl/
+uri {{ldap_uri}}
+
+# The search base that will be used for all queries.
+base {{ldap_base}}
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+ssl on
+tls_reqcert demand
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+#tls_ciphers {{ldap_cipher_suite}}
+
+# The search scope.
+#scope sub
+

ldapclient/templates/ssh-getkey-ldap.j2

@@ -0,0 +1,33 @@
+#!/usr/bin/python3
+# {{ansible_managed}}
+
+from ldap3 import Server, Connection, NONE, SUBTREE
+import sys
+
+try:
+    uid=str(sys.argv[1])
+except:
+    print("No user specified")
+    exit(1)
+
+if ( uid == "root" ):
+    exit(0)
+
+s = Server('{{ ldap_uri }}', get_info=NONE)
+c = Connection(s)
+if not c.bind():
+    print('error in bind', c.result)
+    exit(1)
+
+c.search(search_base = 'ou=People,{{ ldap_base }}',
+        search_filter = '(uid=' + uid + ')',
+        search_scope = SUBTREE,
+        attributes = ['sshPublicKey'],
+        time_limit = 2,
+        paged_size = 5)
+
+keys = c.response[0]['raw_attributes']['sshPublicKey']
+
+for x in range(len(keys)):
+    print( keys[x].decode('ascii') )
+

ldapclient/vars/main.yaml

@@ -0,0 +1,7 @@
+---
+
+ldap_base:      dc=space,dc=revspace,dc=nl
+ldap_server:    ldap.space.revspace.nl
+ldap_uri:       ldaps://{{ ldap_server }}:636
+ldap_cafile:    lets-encrypt-x1.pem
+ldap_cipher_suite:  "SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC"