sssd: new role to replace ldap_pam (based on nslcd)

2024-01-16 19:03:03 +01:00 · 2024-01-16 19:03:03 +01:00 · d1682eb5f2
commit d1682eb5f2
parent c6db7e5805
11 changed files with 53 additions and 96 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -137,10 +137,6 @@ nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
 nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"

-nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
-nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
-nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
-
 omm_domain: omm.binary.kitchen

 pretalx_domain: fahrplan.eh21.easterhegg.eu
@ -176,6 +172,9 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen

+sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
+sssd_base_user: ou=people,dc=binary-kitchen,dc=de
+
 strichliste_domain: tschunk.binary.kitchen
 strichliste_dbname: strichliste
 strichliste_dbuser: strichliste
--- a/roles/ldap_pam/files/mkhomedir
+++ b/roles/ldap_pam/files/mkhomedir
@ -1,6 +0,0 @@
-Name: Create home directory during login
-Default: yes
-Priority: 900
-Session-Type: Additional
-Session:
-	required	pam_mkhomedir.so umask=0077 skel=/etc/skel
--- a/roles/ldap_pam/files/nsswitch.conf
+++ b/roles/ldap_pam/files/nsswitch.conf
@ -1,20 +0,0 @@
-# /etc/nsswitch.conf
-#
-# Example configuration of GNU Name Service Switch functionality.
-# If you have the `glibc-doc-reference' and `info' packages installed, try:
-# `info libc "Name Service Switch"' for information about this file.
-
-passwd:         files ldap
-group:          files ldap
-shadow:         files ldap
-gshadow:        files
-
-hosts:          files dns
-networks:       files
-
-protocols:      db files
-services:       db files
-ethers:         db files
-rpc:            db files
-
-netgroup:       nis
--- a/roles/ldap_pam/handlers/main.yml
+++ b/roles/ldap_pam/handlers/main.yml
@ -1,10 +0,0 @@
---
-
- name: Restart nscd
-  service: name=nscd state=restarted
-
- name: Restart nslcd
-  service: name=nslcd state=restarted
-
- name: Update pam-auth
-  shell: pam-auth-update --package libpam-modules 2>/dev/null
--- a/roles/ldap_pam/tasks/main.yml
+++ b/roles/ldap_pam/tasks/main.yml
@ -1,19 +0,0 @@
---
-
- name: Install nslcd
-  apt: name=nslcd
-
- name: Configure nslcd
-  template: src=nslcd.conf.j2 dest=/etc/nslcd.conf
-  notify: Restart nslcd
-
- name: Configure nsswitch
-  copy: src=nsswitch.conf dest=/etc/nsswitch.conf
-  notify: Restart nscd
-
- name: Configure PAM mkhomedir
-  copy: src=mkhomedir dest=/usr/share/pam-configs/mkhomedir mode=0644
-  notify: Update pam-auth
-
- name: Start the nslcd service
-  service: name=nslcd state=started enabled=yes
--- a/roles/ldap_pam/templates/nslcd.conf.j2
+++ b/roles/ldap_pam/templates/nslcd.conf.j2
@ -1,36 +0,0 @@
-# /etc/nslcd.conf
-# nslcd configuration file. See nslcd.conf(5)
-# for details.
-
-# The user and group nslcd should run as.
-uid nslcd
-gid nslcd
-
-# The location at which the LDAP server(s) should be reachable.
-uri {{ ldap_uri }}
-
-# The search base that will be used for all queries.
-base {{ ldap_base }}
-
-# The LDAP protocol version to use.
-#ldap_version 3
-
-# The DN to bind with for normal lookups.
-binddn {{ ldap_binddn }}
-bindpw {{ ldap_bindpw }}
-
-# The DN used for password modifications by root.
-#rootpwmoddn cn=admin,dc=example,dc=com
-
-# The search scope.
-scope one
-
-# Customize certain database lookups.
-base group  {{ nslcd_base_group }}
-base passwd {{ nslcd_base_passwd }}
-base shadow {{ nslcd_base_shadow }}
-
-# SSL options
-tls_reqcert demand
-tls_cacertfile /etc/ssl/certs/ca-certificates.crt
-tls_cacertdir /etc/ssl/certs
--- a/roles/sssd/files/mkhomedir
+++ b/roles/sssd/files/mkhomedir
@ -0,0 +1,7 @@
+Name: Create home directory on login
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+	required			pam_mkhomedir.so umask=0077 skel=/etc/skel
--- a/roles/sssd/handlers/main.yml
+++ b/roles/sssd/handlers/main.yml
@ -0,0 +1,7 @@
+---
+
+- name: Restart sssd
+  service: name=sssd state=restarted
+
+- name: Update pam-auth
+  shell: pam-auth-update --enable mkhomedir
--- a/roles/sssd/tasks/main.yml
+++ b/roles/sssd/tasks/main.yml
@ -0,0 +1,12 @@
+---
+
+- name: Install sssd
+  apt: name=sssd
+
+- name: Configure sssd
+  template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf mode=0600
+  notify: Restart sssd
+
+- name: Configure PAM mkhomedir
+  copy: src=mkhomedir dest=/usr/share/pam-configs/mkhomedir mode=0644
+  notify: Update pam-auth
--- a/roles/sssd/templates/sssd.conf.j2
+++ b/roles/sssd/templates/sssd.conf.j2
@ -0,0 +1,23 @@
+[sssd]
+config_file_version = 2
+domains = binary-kitchen.de
+
+[domain/binary-kitchen.de]
+auth_provider = ldap
+chpass_provider = ldap
+id_provider = ldap
+cache_credentials = false
+case_sensitive = true
+enumerate = false
+min_id = 10000
+ldap_schema = rfc2307bis
+ldap_default_authtok_type = password
+ldap_default_bind_dn = {{ ldap_binddn }}
+ldap_default_authtok =  {{ ldap_bindpw }}
+ldap_uri = {{ ldap_uri }}
+ldap_search_base = {{ ldap_base }}
+ldap_user_search_base = {{ sssd_base_user }}
+ldap_group_search_base = {{ sssd_base_group }}
+ldap_id_use_start_tls = true
+ldap_tls_reqcert = demand
+ldap_tls_cacertdir = /etc/ssl/certs
--- a/site.yml
+++ b/site.yml
@ -27,7 +27,7 @@
 - name: Setup shell server
  hosts: [sulis.binary.kitchen, oxygen.binary-kitchen.net]
  roles:
-  - ldap_pam
+  - sssd
  - member_sw

 - name: Setup monitoring server