ldap van revspace, nog aanpassen

2025-04-30 21:42:38 +02:00 · 2025-04-30 21:42:38 +02:00 · a74ef0de9a
commit a74ef0de9a
parent 4870960b45
32 changed files with 964 additions and 0 deletions
--- a/roles/ldapclient/tasks/main.yaml
+++ b/roles/ldapclient/tasks/main.yaml
@ -0,0 +1,129 @@
+# LDAP Client role for Revspace LDAP
+# Tested on: Debian Stable
+
+---
+
+- name: Install LDAP client software
+  apt:
+    state: present
+    pkg:
+      - libpam-ldapd
+      - python3-ldap3
+  when: ansible_os_family == 'Debian'
+  tags:
+    - ldapclient
+    - apt
+
+- name: Enable pam_mkhomedir module
+  lineinfile:
+    dest: /etc/pam.d/common-account
+    line: "session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022"
+    regexp: "pam_mkhomedir.so"
+    insertafter: EOF
+  tags:
+    - ldapclient
+    - mkhomedir
+
+- name: Create login.group.allowed file
+  lineinfile:
+    dest: /etc/login.group.allowed
+    line: "board"
+    regexp: "^board$"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+    create: true
+  with_items:
+    - "{{ login_groups | default('board') }}"
+  tags:
+    - ldapclient
+    - logingroups
+  when:
+    - logingroups is defined
+
+- name: Limit access to listed groups
+  lineinfile:
+    dest: /etc/pam.d/common-auth
+    line: 'auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed'
+    insertbefore: EOF
+    owner: "root"
+    group: "root"
+    mode: "0644"
+    regexp: "pam_listfile.*login.group.allowed"
+  tags:
+    - ldapclient
+    - logingroups
+  when:
+    - logingroups is defined
+  notify:
+    - reload nslcd
+
+- name: Copy CA certificate
+  copy:
+    src: "{{ ldap_cafile }}"
+    dest: "/etc/ldap/{{ ldap_cafile }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+
+- name: Template ldap.conf
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/ldap/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  with_items:
+    - ldap.conf
+  notify:
+    - reload nslcd
+
+- name: Template nslcd.conf
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  with_items:
+    - nslcd.conf
+  notify:
+    - reload nslcd
+
+- name: Update /etc/nsswitch.conf
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    line: "{{ item }}:	compat ldap systemd"
+    regexp: "^{{ item }}"
+  with_items:
+    - passwd
+    - group
+    - shadow
+
+- name: Template nslcd.conf
+  template:
+    src: ssh-getkey-ldap.j2
+    dest: /usr/sbin/ssh-getkey-ldap
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  with_items:
+    - ssh-getkey-ldap
+  tags:
+    - ssh-getkey-ldap
+
+- name: Update /etc/nsswitch.conf
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    line: 'sudoers: ldap'
+    regexp: '^sudoers'
+    insertbefore: EOF"
+
+- name: Disable nscd service
+  service:
+    name: nscd
+    state: stopped
+    enabled: false
+  tags:
+    - ldapclient
+    - nscd