From 8b41211346125f90583af5e12f2f816e86409011 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Mon, 4 Jan 2016 20:05:08 +0100
Subject: [PATCH] Add ldap-client role.
---
 roles/ldap-client/files/ldap.crt | 33 +++++++++++++++++++++++
 roles/ldap-client/files/mkhomedir | 6 ++++
 roles/ldap-client/handlers/main.yml | 7 +++++
 roles/ldap-client/tasks/main.yml | 19 ++++++++++++
 roles/ldap-client/templates/nslcd.conf.j2 | 35 +++++++++++++++++++++++
 roles/ldap-client/vars/main.yml | 9 ++++++
 6 files changed, 109 insertions(+)
 create mode 100644 roles/ldap-client/files/ldap.crt
 create mode 100644 roles/ldap-client/files/mkhomedir
 create mode 100644 roles/ldap-client/handlers/main.yml
 create mode 100644 roles/ldap-client/tasks/main.yml
 create mode 100644 roles/ldap-client/templates/nslcd.conf.j2
 create mode 100644 roles/ldap-client/vars/main.yml

diff --git a/roles/ldap-client/files/ldap.crt b/roles/ldap-client/files/ldap.crt
new file mode 100644
index 0000000..d961296
--- /dev/null
+++ b/roles/ldap-client/files/ldap.crt
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFuTCCA6GgAwIBAgIJANVP+EmgIyEFMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV
+BAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMRMwEQYDVQQHDApSZWdlbnNidXJnMRww
+GgYDVQQKDBNCaW5hcnkgS2l0Y2hlbiBlLlYuMR8wHQYDVQQDDBZCaW5hcnkgS2l0
+Y2hlbiBSb290IENBMB4XDTE1MDUyMjA3MDcyN1oXDTI1MDUxOTA3MDcyN1owczEL
+MAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExEzARBgNVBAcMClJlZ2Vuc2J1
+cmcxHDAaBgNVBAoME0JpbmFyeSBLaXRjaGVuIGUuVi4xHzAdBgNVBAMMFkJpbmFy
+eSBLaXRjaGVuIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQCwBmbxYSdTH+Ti2UdjpLRbSjA4uMRjJpVus0IviOtjr5nbfx/uA4b+UuhU0FS6
+69vjuBeheu85SCQLZVA3If2qttlBNPvW8/WzQtmHqAK4jMGTIeD5PNH75bhIafMu
+LWz5nRcagWoKVeumi9dhFofuoO6uSv1BdSbwK3gYkt5guKl5Pio9HITSFP961ndQ
+n6dBLPvy4m+pJ6MZxhzaQIvxRr9uVRJieHH9Yl/CQcl2d1YQ24/KNiFFdF2NPyKE
++eFl8UWl/6sHS8tqLwhs4qeJCL1ir/1bjr8mZigflBE4mwtuV8EDF0pWWOyYehii
+NLcS3LfLzv25N9mwhwGMJqLTDihtkcBCNx3c2qFrri1MvXy/KFrHKh2jt9pvgYDX
+M2+g+tm+aWXfylu6k1GOIByT5ALktUzhfwuxk0SdplZNUqSfu1DccvxP9hbtSZPP
+EnARbcTD/wOCSDj+nSG8scUIo3pNHddh0zx+W16kwBoNGHJX+g7vkMJikvYlHo2i
+6CRdx47MknCgj/jQSPlajxAH5zzDcABbFRoRKh/esDEeGaKMKVyKJJFlx4CmHQ53
+zc/jV3VjQo5yL1v3YUYllccZeXmGQb5UJoSRfpE+mvO9+EYAxWLydswNeQI1f1r8
+CTWlD4tT0gooZzGKpw58Zp3IacXIzjDT5Ri2xfB+Oo4WaQIDAQABo1AwTjAdBgNV
+HQ4EFgQU7MXazC3sn6xTIDkKtBv4AvYcob0wHwYDVR0jBBgwFoAU7MXazC3sn6xT
+IDkKtBv4AvYcob0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAq/fD
+BfaVi1KjRANxHKXmADqN0UpSdVoB2qKsj9nJ07fdS38rUqA+QjU+zmCufVkmMxKf
+es3qZz5fOHkVHAiOt65XWFtYK62JByr4LomLDVDWSM4BmbU4aB8ix9ZPOr+NmB4B
+QX99w0aMknO/ohVQ7InubgsXMaKA8kggCtpBQkfwcF2ntIGvyeuPJYwAWG19iH4a
+uAvOdgyDCuta6UI5UPCdYdArFv3hn6+ht60tMdxo1qq9KUlyqZ3AX1Xd4+krLlCI
+Kp+qfcyJ1igD5wT50egOAvc9SydFaXgAUIjt3oY5YYvP+MWmVMI107jl4jfMnQeI
+G5qIEy9luhrjqJaHfLHyT10IaU/uZB7ZvZx7ElIo1YlTlIcMU8Wg6CJponDh/1aw
+PbQhtuzk60N5905zDnpSHJSa91JcpVsLPv2ykQfimA8HNH2xS7ORXUJzwvEB1vhM
+KnGMQB0px7HQtTTCKcDFeqZXygi4nXNygrp+swnO869jV4e6ReeV/RB7nxjd307J
+gpRdtBbIambnFP74nJUhRk/60VlCDz92f+CTosHM6rdlOxFyX69cZZhoCFU5u4wF
+ODqfxRzNJPhChozXcciAcLfhx89x0ob92XQenzZzFtylDvUAskhdhTMFLKGHstH7
+Q8Xr0jNYp5PaGNC5m+m9ngLYe6GzxGol7dLJElc=
+-----END CERTIFICATE-----
diff --git a/roles/ldap-client/files/mkhomedir b/roles/ldap-client/files/mkhomedir
new file mode 100644
index 0000000..dcadf93
--- /dev/null
+++ b/roles/ldap-client/files/mkhomedir
@@ -0,0 +1,6 @@
+Name: Create home directory during login
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session:
+ required pam_mkhomedir.so umask=0077 skel=/etc/skel
diff --git a/roles/ldap-client/handlers/main.yml b/roles/ldap-client/handlers/main.yml
new file mode 100644
index 0000000..053af19
--- /dev/null
+++ b/roles/ldap-client/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: restart nslcd
+  service: name=nslcd state=restarted
+
+- name: update pam-auth
+  shell: pam-auth-update --package libpam-modules 2>/dev/null
diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml
new file mode 100644
index 0000000..ccbe290
--- /dev/null
+++ b/roles/ldap-client/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Install nslcd
+  apt: name=nslcd state=present
+
+- name: Configure nslcd
+  template: src=nslcd.conf.j2 dest=/etc/nslcd.conf
+  notify: restart nslcd
+
+- name: Copy LDAP Certificates
+  copy: src=ldap.crt dest=/etc/ssl/ldap.crt mode=0644
+  notify: restart nslcd
+
+- name: Configure PAM mkhomedir
+  copy: src=mkhomedir dest=/usr/share/pam-configs/mkhomedir mode=0644
+  notify: update pam-auth
+
+- name: Start the nslcd service
+  service: name=nslcd state=started enabled=yes
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2
new file mode 100644
index 0000000..be04fca
--- /dev/null
+++ b/roles/ldap-client/templates/nslcd.conf.j2
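Review bot: The `update pam-auth` handler redirects stderr to `/dev/null`, so when `pam-auth-update` fails the task still reports a non-zero exit but the diagnostic that explains why is gone from the play output. Nothing in the command needs a shell apart from that redirect, so the `command` module is the better fit and also avoids shell interpretation of the line; `command: pam-auth-update --package libpam-modules` keeps the intended behaviour while surfacing errors.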
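Review bot: The `Configure nslcd` task renders `/etc/nslcd.conf` without `owner`, `group` or `mode`, and that file contains the clear-text bind password from the `bindpw {{ nslcd_bindpw }}` line of `roles/ldap-client/templates/nslcd.conf.j2`. When the template module creates the file it receives default permissions, which on a typical umask are world-readable, so any local account could read the LDAP service credential; the Debian package installs this file readable only by root and the `nslcd` group. Suggest `template: src=nslcd.conf.j2 dest=/etc/nslcd.conf owner=root group=nslcd mode=0640`, which is safe here because the `Install nslcd` task creates the group before this task runs. The same consideration applies to the template hunk below, which otherwise needs no change.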
@@ -0,0 +1,35 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri {{ nslcd_uri }}
+
+# The search base that will be used for all queries.
+base {{ nslcd_base }}
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+binddn {{ nslcd_binddn }}
+bindpw {{ nslcd_bindpw }}
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# The search scope.
+scope one
+
+# Customize certain database lookups.
+base group {{ nslcd_base_group }}
+base passwd {{ nslcd_base_passwd }}
+base shadow {{ nslcd_base_shadow }}
+
+# SSL options
+tls_reqcert demand
+tls_cacertfile /etc/ssl/ldap.crt
diff --git a/roles/ldap-client/vars/main.yml b/roles/ldap-client/vars/main.yml
new file mode 100644
index 0000000..cae9d71
--- /dev/null
+++ b/roles/ldap-client/vars/main.yml
@@ -0,0 +1,9 @@
+---
+
+nslcd_uri: ldaps://ldap.binary.kitchen/
+nslcd_base: dc=binary-kitchen,dc=de
+nslcd_binddn: cn=Services,ou=Roles,dc=binary-kitchen,dc=de
+nslcd_bindpw: svcpwd
+nslcd_base_group: ou=Groups,dc=binary-kitchen,dc=de
+nslcd_base_shadow: ou=Users,dc=binary-kitchen,dc=de
+nslcd_base_passwd: ou=Users,dc=binary-kitchen,dc=de
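Review bot: The `nslcd_bindpw: svcpwd` line commits the LDAP service account password in clear text to `roles/ldap-client/vars/main.yml`, so it ships with the role and lives in repository history. Keep the variable but supply its value from an Ansible Vault-encrypted file (inventory `group_vars` or a vaulted vars file) and drop the literal here. Separately, role `vars/` takes precedence over inventory variables, so the URI, base DNs and credential in this file cannot be adjusted per host without `-e`; `defaults/main.yml` is the conventional home for values a consumer of the role is expected to set.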