sssd: new role to replace ldap_pam (based on nslcd)

2024-01-16 19:03:03 +01:00 · 2024-01-16 19:03:03 +01:00 · d1682eb5f2
commit d1682eb5f2
parent c6db7e5805
11 changed files with 53 additions and 96 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -137,10 +137,6 @@ nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
 nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
 nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
 nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
 nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
 omm_domain: omm.binary.kitchen
 pretalx_domain: fahrplan.eh21.easterhegg.eu
@ -176,6 +172,9 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
 sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
 sssd_base_user: ou=people,dc=binary-kitchen,dc=de
 strichliste_domain: tschunk.binary.kitchen
 strichliste_dbname: strichliste
 strichliste_dbuser: strichliste
--- a/roles/ldap_pam/files/mkhomedir
+++ b/roles/ldap_pam/files/mkhomedir
@ -1,6 +0,0 @@
 Name: Create home directory during login
 Default: yes
 Priority: 900
 Session-Type: Additional
 Session:
 	required	pam_mkhomedir.so umask=0077 skel=/etc/skel
--- a/roles/ldap_pam/files/nsswitch.conf
+++ b/roles/ldap_pam/files/nsswitch.conf
@ -1,20 +0,0 @@
 # /etc/nsswitch.conf
 #
 # Example configuration of GNU Name Service Switch functionality.
 # If you have the `glibc-doc-reference' and `info' packages installed, try:
 # `info libc "Name Service Switch"' for information about this file.
 passwd:         files ldap
 group:          files ldap
 shadow:         files ldap
 gshadow:        files
 hosts:          files dns
 networks:       files
 protocols:      db files
 services:       db files
 ethers:         db files
 rpc:            db files
 netgroup:       nis
--- a/roles/ldap_pam/handlers/main.yml
+++ b/roles/ldap_pam/handlers/main.yml
@ -1,10 +0,0 @@
 ---
 - name: Restart nscd
  service: name=nscd state=restarted
 - name: Restart nslcd
  service: name=nslcd state=restarted
 - name: Update pam-auth
  shell: pam-auth-update --package libpam-modules 2>/dev/null
--- a/roles/ldap_pam/tasks/main.yml
+++ b/roles/ldap_pam/tasks/main.yml
@ -1,19 +0,0 @@
 ---
 - name: Install nslcd
  apt: name=nslcd
 - name: Configure nslcd
  template: src=nslcd.conf.j2 dest=/etc/nslcd.conf
  notify: Restart nslcd
 - name: Configure nsswitch
  copy: src=nsswitch.conf dest=/etc/nsswitch.conf
  notify: Restart nscd
 - name: Configure PAM mkhomedir
  copy: src=mkhomedir dest=/usr/share/pam-configs/mkhomedir mode=0644
  notify: Update pam-auth
 - name: Start the nslcd service
  service: name=nslcd state=started enabled=yes
--- a/roles/ldap_pam/templates/nslcd.conf.j2
+++ b/roles/ldap_pam/templates/nslcd.conf.j2
@ -1,36 +0,0 @@
 # /etc/nslcd.conf
 # nslcd configuration file. See nslcd.conf(5)
 # for details.
 # The user and group nslcd should run as.
 uid nslcd
 gid nslcd
 # The location at which the LDAP server(s) should be reachable.
 uri {{ ldap_uri }}
 # The search base that will be used for all queries.
 base {{ ldap_base }}
 # The LDAP protocol version to use.
 #ldap_version 3
 # The DN to bind with for normal lookups.
 binddn {{ ldap_binddn }}
 bindpw {{ ldap_bindpw }}
 # The DN used for password modifications by root.
 #rootpwmoddn cn=admin,dc=example,dc=com
 # The search scope.
 scope one
 # Customize certain database lookups.
 base group  {{ nslcd_base_group }}
 base passwd {{ nslcd_base_passwd }}
 base shadow {{ nslcd_base_shadow }}
 # SSL options
 tls_reqcert demand
 tls_cacertfile /etc/ssl/certs/ca-certificates.crt
 tls_cacertdir /etc/ssl/certs
--- a/roles/sssd/files/mkhomedir
+++ b/roles/sssd/files/mkhomedir
@ -0,0 +1,7 @@
 Name: Create home directory on login
 Default: yes
 Priority: 900
 Session-Type: Additional
 Session-Interactive-Only: yes
 Session:
 	required			pam_mkhomedir.so umask=0077 skel=/etc/skel
--- a/roles/sssd/handlers/main.yml
+++ b/roles/sssd/handlers/main.yml
@ -0,0 +1,7 @@
 ---
 - name: Restart sssd
  service: name=sssd state=restarted
 - name: Update pam-auth
  shell: pam-auth-update --enable mkhomedir
--- a/roles/sssd/tasks/main.yml
+++ b/roles/sssd/tasks/main.yml
@ -0,0 +1,12 @@
 ---
 - name: Install sssd
  apt: name=sssd
 - name: Configure sssd
  template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf mode=0600
  notify: Restart sssd
 - name: Configure PAM mkhomedir
  copy: src=mkhomedir dest=/usr/share/pam-configs/mkhomedir mode=0644
  notify: Update pam-auth
--- a/roles/sssd/templates/sssd.conf.j2
+++ b/roles/sssd/templates/sssd.conf.j2
@ -0,0 +1,23 @@
 [sssd]
 config_file_version = 2
 domains = binary-kitchen.de
 [domain/binary-kitchen.de]
 auth_provider = ldap
 chpass_provider = ldap
 id_provider = ldap
 cache_credentials = false
 case_sensitive = true
 enumerate = false
 min_id = 10000
 ldap_schema = rfc2307bis
 ldap_default_authtok_type = password
 ldap_default_bind_dn = {{ ldap_binddn }}
 ldap_default_authtok =  {{ ldap_bindpw }}
 ldap_uri = {{ ldap_uri }}
 ldap_search_base = {{ ldap_base }}
 ldap_user_search_base = {{ sssd_base_user }}
 ldap_group_search_base = {{ sssd_base_group }}
 ldap_id_use_start_tls = true
 ldap_tls_reqcert = demand
 ldap_tls_cacertdir = /etc/ssl/certs
--- a/site.yml
+++ b/site.yml
@ -27,7 +27,7 @@
 - name: Setup shell server
  hosts: [sulis.binary.kitchen, oxygen.binary-kitchen.net]
  roles:
-  - ldap_pam
+  - sssd
  - member_sw
 - name: Setup monitoring server