# LDAP Client role for Revspace LDAP
# Tested on: Debian Stable

---

- name: Install LDAP client software
  apt:
    state: present
    pkg:
      - libpam-ldapd
      - python3-ldap3
  when: ansible_os_family == 'Debian'
  tags:
    - ldapclient
    - apt

- name: Enable pam_mkhomedir module
  lineinfile:
    dest: /etc/pam.d/common-account
    line: "session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022"
    regexp: "pam_mkhomedir.so"
    insertafter: EOF
  tags:
    - ldapclient
    - mkhomedir

- name: Create login.group.allowed file
  lineinfile:
    dest: /etc/login.group.allowed
    line: "board"
    regexp: "^board$"
    owner: "root"
    group: "root"
    mode: "0755"
    create: true
  with_items:
    - "{{ login_groups | default('board') }}"
  tags:
    - ldapclient
    - logingroups
  when:
    - logingroups is defined

- name: Limit access to listed groups
  lineinfile:
    dest: /etc/pam.d/common-auth
    line: 'auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed'
    insertbefore: EOF
    owner: "root"
    group: "root"
    mode: "0644"
    regexp: "pam_listfile.*login.group.allowed"
  tags:
    - ldapclient
    - logingroups
  when:
    - logingroups is defined
  notify:
    - reload nslcd

- name: Copy CA certificate
  copy:
    src: "{{ ldap_cafile }}"
    dest: "/etc/ldap/{{ ldap_cafile }}"
    owner: "root"
    group: "root"
    mode: "0644"

- name: Template ldap.conf
  template:
    src: "{{ item }}.j2"
    dest: "/etc/ldap/{{ item }}"
    owner: "root"
    group: "root"
    mode: "0644"
  with_items:
    - ldap.conf
  notify:
    - reload nslcd

- name: Template nslcd.conf
  template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
    owner: "root"
    group: "root"
    mode: "0644"
  with_items:
    - nslcd.conf
  notify:
    - reload nslcd

- name: Update /etc/nsswitch.conf
  lineinfile:
    dest: /etc/nsswitch.conf
    line: "{{ item }}:	compat ldap systemd"
    regexp: "^{{ item }}"
  with_items:
    - passwd
    - group
    - shadow

- name: Template nslcd.conf
  template:
    src: ssh-getkey-ldap.j2
    dest: /usr/sbin/ssh-getkey-ldap
    owner: "root"
    group: "root"
    mode: "0755"
  with_items:
    - ssh-getkey-ldap
  tags:
    - ssh-getkey-ldap

- name: Update /etc/nsswitch.conf
  lineinfile:
    dest: /etc/nsswitch.conf
    line: 'sudoers: ldap'
    regexp: '^sudoers'
    insertbefore: EOF"

- name: Disable nscd service
  service:
    name: nscd
    state: stopped
    enabled: false
  tags:
    - ldapclient
    - nscd