home-server/roles/ldap/tasks/main.yml


---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  # etckeeper bookkeeping before this role touches /etc (the included role's
  # tasks are not part of this file).
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: OpenLDAP client
### ⇐ UPSTREAM BEGIN ###
- name: install packages
  # Client-side LDAP stack: python bindings, OpenLDAP client libraries/tools,
  # and nss-pam-ldapd (provides nslcd, the NSS module and pam_ldap.so).
  # No versions are pinned; "present" installs whatever the repository ships.
  package:
    name: "{{item}}"
    state: present
  with_items:
    - python-ldap
    - openldap
    - nss-pam-ldapd
### UPSTREAM END ⇒ ###
- name: merge upstream
  # Record the package-installed /etc changes in etckeeper before local edits.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: OpenLDAP client
### ⇐ UPSTREAM END ###
- name: manage users and groups in LDAP
  # Append " ldap" after the files/compat source of the passwd and group lines
  # in nsswitch.conf, but only when the line does not already mention ldap.
  # backrefs keeps the existing sources in place, and leaves the file untouched
  # when the pattern does not match. The shadow database is not listed here.
  lineinfile:
    path: /etc/nsswitch.conf
    backrefs: true
    regexp: '^{{item}}:((?:(?!ldap).)*\s)?(files|compat)(\s(?:(?!ldap).)*)?$'
    line: '{{item}}:\1\2 ldap\3'
  with_items:
    - passwd
    - group
- name: let the LDAP domain be known for logins
  # nslcd search base and server. The negative lookahead keeps the generic
  # "base" entry from clobbering the "base passwd" / "base shadow" lines set by
  # the next task. The ldapi:// URI is a local UNIX socket (%2F encodes "/"),
  # so no network transport is involved.
  # NOTE(review): no binddn/bindpw is set by this role, so lookups rely on
  # whatever nslcd.conf already allows — presumably an anonymous connection
  # over the socket; confirm the server-side ACLs grant only the reads needed.
  lineinfile:
    path: /etc/nslcd.conf
    regexp: '^{{item.key}}(?!\s+(?:passwd|shadow))\s'
    line: '{{item.key}} {{item.value}}'
  with_dict:
    base: "{{ldap_root}}"
    uri: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'
  notify:
    - restart nslcd.service
- name: customize LDAP URI for user logins
  # Despite the task name this sets the *search base* for the passwd and shadow
  # maps, scoping them to the Users OU. The optional "#" lets a commented-out
  # example line from the default config be replaced in place.
  lineinfile:
    path: /etc/nslcd.conf
    regexp: '^#?base\s+{{item}}\s'
    line: 'base {{item}} ou=Users,{{ldap_root}}'
  with_items:
    - passwd
    - shadow
  notify:
    - restart nslcd.service
- name: filter LDAP accounts that can login
  # Only entries carrying objectClass=shadowAccount are exposed through the
  # shadow and passwd maps; both filter lines are placed after "base shadow".
  # This is a client-side visibility filter only — what nslcd can read at all
  # is still decided by the server's ACLs.
  lineinfile:
    path: /etc/nslcd.conf
    regexp: '^filter\s+{{item}}\s'
    line: 'filter {{item}} (objectClass=shadowAccount)'
    insertafter: '^base\s+shadow\s'
  with_items:
    - shadow
    - passwd
  notify:
    - restart nslcd.service
- name: let the LDAP domain be known for lookups
  # Defaults for the OpenLDAP client library (ldapsearch and friends): same
  # search base and same local socket as nslcd. A commented-out default line
  # is replaced in place thanks to the optional "#".
  lineinfile:
    path: /etc/openldap/ldap.conf
    regexp: '^#?{{item.key}}\s'
    line: '{{item.key}} {{item.value}}'
  with_dict:
    BASE: "{{ldap_root}}"
    URI: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'
  notify:
    - restart nslcd.service
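- name: enable nslcd.service
  # Enabled *and* started: the "restart nslcd.service" handler only fires when
  # one of the nslcd.conf tasks above changed something, so on an already
  # converged host nothing else in this file would bring a stopped nslcd up.
  systemd:
    daemon_reload: true
    name: nslcd.service
    enabled: true
    state: started
# Drain the pending nslcd restart now, before PAM is switched over to
# pam_ldap.so below, so the daemon pam_ldap.so talks to already runs with the
# new configuration.
- meta: flush_handlers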
# https://github.com/ansible/ansible/issues/20582 — the insertbefore-anchored version of
# "configure PAM for LDAP" below is kept disabled for reference; the live task that
# follows it uses insertafter anchors instead.
# - name: configure PAM for LDAP
# lineinfile:
# path: '/etc/pam.d/{{item.file}}'
# regexp: '^{{item.name}}\s.*ldap'
# line: '{{item.name}}{{item.pad}}sufficient pam_ldap.so'
# insertbefore: '^{{item.name}}\s.*required'
# with_items:
# - {file: 'system-auth', name: 'auth', pad: ' '}
# - {file: 'system-auth', name: 'account', pad: ' '}
# - {file: 'system-auth', name: 'password', pad: ' '}
# - {file: 'su-l', name: 'auth', pad: ' '}
# - {file: 'su-l', name: 'account', pad: ' '}
# - {file: 'su-l', name: 'session', pad: ' '}
# - {file: 'su', name: 'auth', pad: ' '}
# - {file: 'su', name: 'account', pad: ' '}
# - {file: 'su', name: 'session', pad: ' '}
# - {file: 'passwd', name: 'password', pad: ' '}
# - {file: 'sudo', name: 'auth', pad: ' '}
- name: configure PAM for LDAP
  # pam_ldap.so (from nss-pam-ldapd) is added as "sufficient" ahead of the
  # local modules in each stack (assuming the usual auth/account/password/
  # session ordering in these files): a successful LDAP result ends the stack,
  # a failure falls through to pam_unix.so and the rest.
  # NOTE(review): for the account and session types, "sufficient" also skips
  # every later check in the same stack (pam_unix account, pam_time/pam_access
  # where the distro ships them) once pam_ldap.so succeeds. system-auth gets
  # its session entry as "optional" from a separate task while su/su-l get
  # "sufficient" here — confirm that difference is intended.
  # The regexp matches any existing "<type> … ldap" line, so re-runs update
  # the line in place instead of appending a second one.
  lineinfile:
    path: '/etc/pam.d/{{item.file}}'
    regexp: '^{{item.name}}\s.*ldap'
    line: '{{item.name}}{{item.pad}}sufficient pam_ldap.so'
    insertafter: '{{item.after}}'
  with_items:
    - {file: 'system-auth', name: 'auth', pad: ' ', after: '^#%PAM'}
    - {file: 'system-auth', name: 'account', pad: ' ', after: '^auth'}
    - {file: 'system-auth', name: 'password', pad: ' ', after: '^account'}
    - {file: 'su-l', name: 'auth', pad: ' ', after: '^auth.*pam_rootok\.so'}
    - {file: 'su-l', name: 'account', pad: ' ', after: '^auth'}
    - {file: 'su-l', name: 'session', pad: ' ', after: '^account'}
    - {file: 'su', name: 'auth', pad: ' ', after: '^auth.*pam_rootok\.so'}
    - {file: 'su', name: 'account', pad: ' ', after: '^auth'}
    - {file: 'su', name: 'session', pad: ' ', after: '^account'}
    - {file: 'passwd', name: 'password', pad: ' ', after: '#%PAM'}
    - {file: 'sudo', name: 'auth', pad: ' ', after: '#%PAM'}
- name: configure PAM for the session
  # LDAP session hook in system-auth, placed after the last required session
  # module. It is "optional", so its result never decides the stack — unlike
  # the "sufficient" session lines this role adds to su and su-l.
  lineinfile:
    path: /etc/pam.d/system-auth
    regexp: '^session\s.*ldap'
    line: 'session optional pam_ldap.so'
    insertafter: '^session.*required'
- name: configure PAM for su/sudo
  # pam_ldap.so now prompts first, so let pam_unix.so reuse that password
  # (try_first_pass) rather than asking a second time. The lookahead skips
  # lines that already carry try_first_pass or use_first_pass, and with
  # backrefs the task is a no-op when a file has no plain
  # "auth required pam_unix.so" line (e.g. when it only includes system-auth).
  lineinfile:
    path: '/etc/pam.d/{{item}}'
    backrefs: true
    regexp: '^(auth\s+required\s+pam_unix.so(?:(?!(?:try|use)_first_pass).)*)$'
    line: '\1 try_first_pass'
  with_items:
    - 'su-l'
    - 'su'
    - 'sudo'
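- name: configure PAM for automatic home-folder creation (login)
  # Create the home directory on first login, appended at the end of
  # system-login. lineinfile's insertbefore accepts only a regex or the BOF
  # token, so "EOF" there would be read as a pattern to search for; appending
  # is expressed with insertafter: EOF (which is also the module default).
  # NOTE(review): umask=0022 yields world-readable (0755) home directories;
  # use umask=0077 if home directories are meant to be private.
  lineinfile:
    path: /etc/pam.d/system-login
    regexp: '^session\s+required\s+pam_mkhomedir.so'
    line: 'session required pam_mkhomedir.so skel=/etc/skel umask=0022'
    insertafter: EOF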
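- name: configure PAM for automatic home-folder creation (su)
  # Same pam_mkhomedir line as for system-login (written the same way, as a
  # single quoted scalar), placed before the LDAP session entry so it still
  # runs when that "sufficient" entry ends the session stack.
  # NOTE(review): umask=0022 yields 0755 home directories; see the login task.
  lineinfile:
    path: '/etc/pam.d/{{item}}'
    regexp: '^session\s+required\s+pam_mkhomedir.so'
    line: 'session required pam_mkhomedir.so skel=/etc/skel umask=0022'
    insertbefore: '^session\s+sufficient\s+pam_ldap.so'
  with_items:
    - 'su-l'
    - 'su'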
- name: configure LDAP for sudo
  # Where sudo looks up its rules in the directory. Whoever can write entries
  # under this OU effectively decides sudo rights on every client trusting it,
  # so keep that subtree's server-side ACL as tight as the rest of the tree.
  # NOTE(review): the file sudo reads its LDAP settings from is a build-time
  # choice that differs between distributions; confirm this sudo package reads
  # /etc/openldap/ldap.conf. Unlike the BASE/URI task, a commented-out
  # "#sudoers_base" line is not matched here, so a fresh line is appended.
  lineinfile:
    path: /etc/openldap/ldap.conf
    regexp: '^sudoers_base\s'
    line: "sudoers_base ou=SUDOers,{{ldap_root}}"
### LOCAL COMMIT ⇒ ###
- name: commit local changes
  # Commit the edits made above to etckeeper.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: OpenLDAP client
### ⇐ LOCAL COMMIT ###
- meta: flush_handlers