129 lines
2.5 KiB
YAML
129 lines
2.5 KiB
YAML
# LDAP Client role for Revspace LDAP
|
|
# Tested on: Debian Stable
|
|
|
|
---
|
|
|
|
- name: Install LDAP client software
|
|
apt:
|
|
state: present
|
|
pkg:
|
|
- libpam-ldapd
|
|
- python3-ldap3
|
|
when: ansible_os_family == 'Debian'
|
|
tags:
|
|
- ldapclient
|
|
- apt
|
|
|
|
- name: Enable pam_mkhomedir module
|
|
lineinfile:
|
|
dest: /etc/pam.d/common-account
|
|
line: "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022"
|
|
regexp: "pam_mkhomedir.so"
|
|
insertafter: EOF
|
|
tags:
|
|
- ldapclient
|
|
- mkhomedir
|
|
|
|
- name: Create login.group.allowed file
|
|
lineinfile:
|
|
dest: /etc/login.group.allowed
|
|
line: "board"
|
|
regexp: "^board$"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0755"
|
|
create: true
|
|
with_items:
|
|
- "{{ login_groups | default('board') }}"
|
|
tags:
|
|
- ldapclient
|
|
- logingroups
|
|
when:
|
|
- logingroups is defined
|
|
|
|
- name: Limit access to listed groups
|
|
lineinfile:
|
|
dest: /etc/pam.d/common-auth
|
|
line: 'auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed'
|
|
insertbefore: EOF
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0644"
|
|
regexp: "pam_listfile.*login.group.allowed"
|
|
tags:
|
|
- ldapclient
|
|
- logingroups
|
|
when:
|
|
- logingroups is defined
|
|
notify:
|
|
- reload nslcd
|
|
|
|
- name: Copy CA certificate
|
|
copy:
|
|
src: "{{ ldap_cafile }}"
|
|
dest: "/etc/ldap/{{ ldap_cafile }}"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0644"
|
|
|
|
- name: Template ldap.conf
|
|
template:
|
|
src: "{{ item }}.j2"
|
|
dest: "/etc/ldap/{{ item }}"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0644"
|
|
with_items:
|
|
- ldap.conf
|
|
notify:
|
|
- reload nslcd
|
|
|
|
- name: Template nslcd.conf
|
|
template:
|
|
src: "{{ item }}.j2"
|
|
dest: "/etc/{{ item }}"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0644"
|
|
with_items:
|
|
- nslcd.conf
|
|
notify:
|
|
- reload nslcd
|
|
|
|
- name: Update /etc/nsswitch.conf
|
|
lineinfile:
|
|
dest: /etc/nsswitch.conf
|
|
line: "{{ item }}: compat ldap systemd"
|
|
regexp: "^{{ item }}"
|
|
with_items:
|
|
- passwd
|
|
- group
|
|
- shadow
|
|
|
|
- name: Template nslcd.conf
|
|
template:
|
|
src: ssh-getkey-ldap.j2
|
|
dest: /usr/sbin/ssh-getkey-ldap
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0755"
|
|
with_items:
|
|
- ssh-getkey-ldap
|
|
tags:
|
|
- ssh-getkey-ldap
|
|
|
|
- name: Update /etc/nsswitch.conf
|
|
lineinfile:
|
|
dest: /etc/nsswitch.conf
|
|
line: 'sudoers: ldap'
|
|
regexp: '^sudoers'
|
|
insertbefore: EOF"
|
|
|
|
- name: Disable nscd service
|
|
service:
|
|
name: nscd
|
|
state: stopped
|
|
enabled: false
|
|
tags:
|
|
- ldapclient
|
|
- nscd
|