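---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
#
# OpenLDAP client tasks: install the client packages, point NSS at the directory
# (nsswitch.conf, nslcd.conf, ldap.conf), enable nslcd, wire pam_ldap.so into the
# PAM stacks and declare the sudoers search base.
#
# Expected from elsewhere in the project (not defined in this file):
#   - the `ldap_root` variable (base DN of the directory);
#   - the `restart nslcd.service` handler;
#   - the `etckeeper.inc` role, whose upstream/merge/local task files bracket the
#     edits below so that package state and local changes are recorded separately.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: OpenLDAP client
### ⇐ UPSTREAM BEGIN ###

- name: install packages
  package:
    name: "{{ item }}"
    state: present
  with_items:
    - python-ldap
    - openldap
    - nss-pam-ldapd

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: OpenLDAP client
### ⇐ UPSTREAM END ###

# Append "ldap" to the passwd and group sources, right after the files/compat
# source. The negative look-aheads stop the regexp from matching a line that
# already lists ldap, and backrefs: true leaves the file untouched when the
# regexp does not match — together that is what makes the task idempotent.
- name: manage users and groups in LDAP
  lineinfile:
    path: /etc/nsswitch.conf
    backrefs: true
    regexp: '^{{ item }}:((?:(?!ldap).)*\s)?(files|compat)(\s(?:(?!ldap).)*)?$'
    line: '{{ item }}:\1\2 ldap\3'
  with_items:
    - passwd
    - group

# Global search base and server for nslcd. The look-ahead skips the per-map
# "base passwd" / "base shadow" lines that the next task manages, so only the
# global "base" line is replaced here.
# NOTE(review): no binddn/bindpw is set in this file, so unless another task adds
# one nslcd presumably searches the ldapi socket anonymously — confirm the
# directory's ACLs expose exactly what an anonymous client needs.
- name: let the LDAP domain be known for logins
  lineinfile:
    path: /etc/nslcd.conf
    regexp: '^{{ item.key }}(?!\s+(?:passwd|shadow))\s'
    line: '{{ item.key }} {{ item.value }}'
  with_dict:
    base: "{{ ldap_root }}"
    uri: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'
  notify:
    - restart nslcd.service

# Per-map search bases: passwd and shadow entries are looked up under ou=Users.
# The optional "#" lets a commented-out "#base passwd" line, if present, be
# replaced in place rather than duplicated. (The task name is historical: this
# sets the search base, not the URI.)
- name: customize LDAP URI for user logins
  lineinfile:
    path: /etc/nslcd.conf
    regexp: '^#?base\s+{{ item }}\s'
    line: 'base {{ item }} ou=Users,{{ ldap_root }}'
  with_items:
    - passwd
    - shadow
  notify:
    - restart nslcd.service

# Only entries carrying the shadowAccount object class become passwd/shadow
# entries, so directory objects that are not meant as login accounts are never
# turned into system users.
- name: filter LDAP accounts that can login
  lineinfile:
    path: /etc/nslcd.conf
    regexp: '^filter\s+{{ item }}\s'
    line: 'filter {{ item }} (objectClass=shadowAccount)'
    insertafter: '^base\s+shadow\s'
  with_items:
    - shadow
    - passwd
  notify:
    - restart nslcd.service

# Same base and server for the OpenLDAP command-line tools (libldap defaults).
- name: let the LDAP domain be known for lookups
  lineinfile:
    path: /etc/openldap/ldap.conf
    regexp: '^#?{{ item.key }}\s'
    line: '{{ item.key }} {{ item.value }}'
  with_dict:
    BASE: "{{ ldap_root }}"
    URI: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'
  notify:
    - restart nslcd.service

- name: enable nslcd.service
  systemd:
    daemon_reload: true
    name: nslcd.service
    enabled: true

# Run the pending nslcd restart before the PAM stacks start depending on it.
- meta: flush_handlers

# The insertbefore-based variant below was replaced by explicit insertafter
# anchors per item; see the linked issue for the lineinfile behaviour that
# prompted the change. Kept for reference.
# https://github.com/ansible/ansible/issues/20582
# - name: configure PAM for LDAP
#   lineinfile:
#     path: '/etc/pam.d/{{item.file}}'
#     regexp: '^{{item.name}}\s.*ldap'
#     line: '{{item.name}}{{item.pad}}sufficient pam_ldap.so'
#     insertbefore: '^{{item.name}}\s.*required'
#   with_items:
#     - {file: 'system-auth', name: 'auth', pad: ' '}
#     - {file: 'system-auth', name: 'account', pad: ' '}
#     - {file: 'system-auth', name: 'password', pad: ' '}
#     - {file: 'su-l', name: 'auth', pad: ' '}
#     - {file: 'su-l', name: 'account', pad: ' '}
#     - {file: 'su-l', name: 'session', pad: ' '}
#     - {file: 'su', name: 'auth', pad: ' '}
#     - {file: 'su', name: 'account', pad: ' '}
#     - {file: 'su', name: 'session', pad: ' '}
#     - {file: 'passwd', name: 'password', pad: ' '}
#     - {file: 'sudo', name: 'auth', pad: ' '}

# pam_ldap.so is added as "sufficient" ahead of the pam_unix.so entries: an LDAP
# user is accepted by pam_ldap and the stack returns early, a local user falls
# through to pam_unix. Each item's `after` regexp anchors the insertion point so
# the position within the stack is deterministic (lineinfile inserts after the
# last match of insertafter).
# NOTE(review): su and su-l get "session sufficient pam_ldap.so", whereas
# system-auth uses "session optional" (next task). "sufficient" skips the later
# pam_unix session entry for LDAP users — confirm that is intended.
- name: configure PAM for LDAP
  lineinfile:
    path: '/etc/pam.d/{{ item.file }}'
    regexp: '^{{ item.name }}\s.*ldap'
    line: '{{ item.name }}{{ item.pad }}sufficient pam_ldap.so'
    insertafter: '{{ item.after }}'
  with_items:
    - {file: 'system-auth', name: 'auth', pad: ' ', after: '^#%PAM'}
    - {file: 'system-auth', name: 'account', pad: ' ', after: '^auth'}
    - {file: 'system-auth', name: 'password', pad: ' ', after: '^account'}
    - {file: 'su-l', name: 'auth', pad: ' ', after: '^auth.*pam_rootok\.so'}
    - {file: 'su-l', name: 'account', pad: ' ', after: '^auth'}
    - {file: 'su-l', name: 'session', pad: ' ', after: '^account'}
    - {file: 'su', name: 'auth', pad: ' ', after: '^auth.*pam_rootok\.so'}
    - {file: 'su', name: 'account', pad: ' ', after: '^auth'}
    - {file: 'su', name: 'session', pad: ' ', after: '^account'}
    - {file: 'passwd', name: 'password', pad: ' ', after: '^#%PAM'}
    - {file: 'sudo', name: 'auth', pad: ' ', after: '^#%PAM'}

# system-auth's session phase only consults LDAP optionally, so a failing LDAP
# session hook never blocks a login.
- name: configure PAM for the session
  lineinfile:
    path: /etc/pam.d/system-auth
    regexp: '^session\s.*ldap'
    line: 'session optional pam_ldap.so'
    insertafter: '^session.*required'

# Let pam_unix reuse the password already collected by pam_ldap.so instead of
# prompting a second time. The look-ahead skips lines that already carry
# try_first_pass or use_first_pass; backrefs: true makes a non-match a no-op.
- name: configure PAM for su/sudo
  lineinfile:
    path: '/etc/pam.d/{{ item }}'
    backrefs: true
    regexp: '^(auth\s+required\s+pam_unix\.so(?:(?!(?:try|use)_first_pass).)*)$'
    line: '\1 try_first_pass'
  with_items:
    - 'su-l'
    - 'su'
    - 'sudo'

# Create the home directory on first login. umask=0022 yields 0755 homes
# (world-readable); tighten it if home directories must stay private.
# "insertafter: EOF" is lineinfile's documented way to append; the earlier
# "insertbefore: EOF" is not a special value and only appended because an
# unmatched insertbefore regexp falls back to the end of the file.
- name: configure PAM for automatic home-folder creation (login)
  lineinfile:
    path: /etc/pam.d/system-login
    regexp: '^session\s+required\s+pam_mkhomedir\.so'
    line: 'session required pam_mkhomedir.so skel=/etc/skel umask=0022'
    insertafter: EOF

# Same entry for su/su-l, placed before the pam_ldap session line that the
# "configure PAM for LDAP" task added. The line is a plain scalar like its
# sibling above; the previous block scalar carried a trailing newline.
- name: configure PAM for automatic home-folder creation (su)
  lineinfile:
    path: '/etc/pam.d/{{ item }}'
    regexp: '^session\s+required\s+pam_mkhomedir\.so'
    line: 'session required pam_mkhomedir.so skel=/etc/skel umask=0022'
    insertbefore: '^session\s+sufficient\s+pam_ldap\.so'
  with_items:
    - 'su-l'
    - 'su'

# Search base for sudo's LDAP sudoers backend.
# NOTE(review): that backend also needs a "sudoers:" source listing ldap in
# nsswitch.conf, which nothing in this file adds — confirm it is handled elsewhere.
- name: configure LDAP for sudo
  lineinfile:
    path: /etc/openldap/ldap.conf
    regexp: '^sudoers_base\s'
    line: 'sudoers_base ou=SUDOers,{{ ldap_root }}'

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: OpenLDAP client
### ⇐ LOCAL COMMIT ###

- meta: flush_handlers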