From d1682eb5f233c55fbb1f8e1f33aac6f9bb854feb Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Tue, 16 Jan 2024 19:03:03 +0100
Subject: [PATCH] sssd: new role to replace ldap_pam (based on nslcd)

---
 group_vars/all/vars.yml | 7 +++--
 roles/ldap_pam/files/mkhomedir | 6 -----
 roles/ldap_pam/files/nsswitch.conf | 20 --------------
 roles/ldap_pam/handlers/main.yml | 10 -------
 roles/ldap_pam/tasks/main.yml | 19 --------------
 roles/ldap_pam/templates/nslcd.conf.j2 | 36 --------------------------
 roles/sssd/files/mkhomedir | 7 +++++
 roles/sssd/handlers/main.yml | 7 +++++
 roles/sssd/tasks/main.yml | 12 +++++++++
 roles/sssd/templates/sssd.conf.j2 | 23 ++++++++++++++++
 site.yml | 2 +-
 11 files changed, 53 insertions(+), 96 deletions(-)
 delete mode 100644 roles/ldap_pam/files/mkhomedir
 delete mode 100644 roles/ldap_pam/files/nsswitch.conf
 delete mode 100644 roles/ldap_pam/handlers/main.yml
 delete mode 100644 roles/ldap_pam/tasks/main.yml
 delete mode 100644 roles/ldap_pam/templates/nslcd.conf.j2
 create mode 100644 roles/sssd/files/mkhomedir
 create mode 100644 roles/sssd/handlers/main.yml
 create mode 100644 roles/sssd/tasks/main.yml
 create mode 100644 roles/sssd/templates/sssd.conf.j2

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 2f8c253..ccf9445 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -137,10 +137,6 @@ nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
 nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
 
-nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
-nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
-nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
-
 omm_domain: omm.binary.kitchen
 pretalx_domain: fahrplan.eh21.easterhegg.eu
 
@@ -176,6 +172,9 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
 
+sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
+sssd_base_user: ou=people,dc=binary-kitchen,dc=de
+
 strichliste_domain: tschunk.binary.kitchen
 strichliste_dbname: strichliste
 strichliste_dbuser: strichliste
diff --git a/roles/ldap_pam/files/mkhomedir b/roles/ldap_pam/files/mkhomedir
deleted file mode 100644
index dcadf93..0000000
--- a/roles/ldap_pam/files/mkhomedir
+++ /dev/null
@@ -1,6 +0,0 @@
-Name: Create home directory during login
-Default: yes
-Priority: 900
-Session-Type: Additional
-Session:
- required pam_mkhomedir.so umask=0077 skel=/etc/skel
diff --git a/roles/ldap_pam/files/nsswitch.conf b/roles/ldap_pam/files/nsswitch.conf
deleted file mode 100644
index 8f60129..0000000
--- a/roles/ldap_pam/files/nsswitch.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/nsswitch.conf
-#
-# Example configuration of GNU Name Service Switch functionality.
-# If you have the `glibc-doc-reference' and `info' packages installed, try:
-# `info libc "Name Service Switch"' for information about this file.
-
-passwd: files ldap
-group: files ldap
-shadow: files ldap
-gshadow: files
-
-hosts: files dns
-networks: files
-
-protocols: db files
-services: db files
-ethers: db files
-rpc: db files
-
-netgroup: nis
diff --git a/roles/ldap_pam/handlers/main.yml b/roles/ldap_pam/handlers/main.yml
deleted file mode 100644
index 0dea959..0000000
--- a/roles/ldap_pam/handlers/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-
-- name: Restart nscd
- service: name=nscd state=restarted
-
-- name: Restart nslcd
- service: name=nslcd state=restarted
-
-- name: Update pam-auth
- shell: pam-auth-update --package libpam-modules 2>/dev/null
diff --git a/roles/ldap_pam/tasks/main.yml b/roles/ldap_pam/tasks/main.yml
deleted file mode 100644
index d8bf523..0000000
--- a/roles/ldap_pam/tasks/main.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-
-- name: Install nslcd
- apt: name=nslcd
-
-- name: Configure nslcd
- template: src=nslcd.conf.j2 dest=/etc/nslcd.conf
- notify: Restart nslcd
-
-- name: Configure nsswitch
- copy: src=nsswitch.conf dest=/etc/nsswitch.conf
- notify: Restart nscd
-
-- name: Configure PAM mkhomedir
- copy: src=mkhomedir dest=/usr/share/pam-configs/mkhomedir mode=0644
- notify: Update pam-auth
-
-- name: Start the nslcd service
- service: name=nslcd state=started enabled=yes
diff --git a/roles/ldap_pam/templates/nslcd.conf.j2 b/roles/ldap_pam/templates/nslcd.conf.j2
deleted file mode 100644
index f67a84a..0000000
--- a/roles/ldap_pam/templates/nslcd.conf.j2
+++ /dev/null
@@ -1,36 +0,0 @@
-# /etc/nslcd.conf
-# nslcd configuration file. See nslcd.conf(5)
-# for details.
-
-# The user and group nslcd should run as.
-uid nslcd
-gid nslcd
-
-# The location at which the LDAP server(s) should be reachable.
-uri {{ ldap_uri }}
-
-# The search base that will be used for all queries.
-base {{ ldap_base }}
-
-# The LDAP protocol version to use.
-#ldap_version 3
-
-# The DN to bind with for normal lookups.
-binddn {{ ldap_binddn }}
-bindpw {{ ldap_bindpw }}
-
-# The DN used for password modifications by root.
-#rootpwmoddn cn=admin,dc=example,dc=com
-
-# The search scope.
-scope one
-
-# Customize certain database lookups.
-base group {{ nslcd_base_group }}
-base passwd {{ nslcd_base_passwd }}
-base shadow {{ nslcd_base_shadow }}
-
-# SSL options
-tls_reqcert demand
-tls_cacertfile /etc/ssl/certs/ca-certificates.crt
-tls_cacertdir /etc/ssl/certs
diff --git a/roles/sssd/files/mkhomedir b/roles/sssd/files/mkhomedir
new file mode 100644
index 0000000..8a6363a
--- /dev/null
+++ b/roles/sssd/files/mkhomedir
@@ -0,0 +1,7 @@
+Name: Create home directory on login
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+ required pam_mkhomedir.so umask=0077 skel=/etc/skel
diff --git a/roles/sssd/handlers/main.yml b/roles/sssd/handlers/main.yml
new file mode 100644
index 0000000..1042d12
--- /dev/null
+++ b/roles/sssd/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Restart sssd
+ service: name=sssd state=restarted
+
+- name: Update pam-auth
+ shell: pam-auth-update --enable mkhomedir
diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml
new file mode 100644
index 0000000..87ed0bf
--- /dev/null
+++ b/roles/sssd/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Install sssd
+ apt: name=sssd
+
+- name: Configure sssd
+ template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf mode=0600
+ notify: Restart sssd
+
+- name: Configure PAM mkhomedir
+ copy: src=mkhomedir dest=/usr/share/pam-configs/mkhomedir mode=0644
+ notify: Update pam-auth
diff --git a/roles/sssd/templates/sssd.conf.j2 b/roles/sssd/templates/sssd.conf.j2
new file mode 100644
index 0000000..8b9eec7
--- /dev/null
+++ b/roles/sssd/templates/sssd.conf.j2
@@ -0,0 +1,23 @@
+[sssd]
+config_file_version = 2
+domains = binary-kitchen.de
+
+[domain/binary-kitchen.de]
+auth_provider = ldap
+chpass_provider = ldap
+id_provider = ldap
+cache_credentials = false
+case_sensitive = true
+enumerate = false
+min_id = 10000
+ldap_schema = rfc2307bis
+ldap_default_authtok_type = password
+ldap_default_bind_dn = {{ ldap_binddn }}
+ldap_default_authtok = {{ ldap_bindpw }}
+ldap_uri = {{ ldap_uri }}
+ldap_search_base = {{ ldap_base }}
+ldap_user_search_base = {{ sssd_base_user }}
+ldap_group_search_base = {{ sssd_base_group }}
+ldap_id_use_start_tls = true
+ldap_tls_reqcert = demand
+ldap_tls_cacertdir = /etc/ssl/certs
diff --git a/site.yml b/site.yml
index 4726281..26f0010 100644
--- a/site.yml
+++ b/site.yml
@@ -27,7 +27,7 @@
 - name: Setup shell server
 hosts: [sulis.binary.kitchen, oxygen.binary-kitchen.net]
 roles:
- - ldap_pam
+ - sssd
 - member_sw
 
 - name: Setup monitoring server
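Review bot: `shell: pam-auth-update --enable mkhomedir` in the new `Update pam-auth` handler uses no pipes, redirects or shell variables, so `command:` is the right module here: `command: pam-auth-update --enable mkhomedir`. That avoids spawning /bin/sh for nothing and keeps ansible-lint's `command-instead-of-shell` rule quiet; the `2>/dev/null` that justified `shell` in the removed ldap_pam handler is not carried over, so nothing in this line needs a shell.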
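Review bot: Nothing in the new tasks ensures sssd is running and enabled; the removed ldap_pam role ended with `service: name=nslcd state=started enabled=yes`, whereas here the daemon only ever receives the `Restart sssd` handler, which fires when the template changes. On a rerun with an unchanged template against a host where sssd was stopped or disabled, the play reports success and logins stay broken, so append `- name: Start the sssd service` / `service: name=sssd state=started enabled=yes` after the PAM task. The `Configure sssd` task sets `mode=0600` but not ownership; as far as I recall sssd verifies the owner of sssd.conf as well as its mode before starting, and `template` only gets that right as long as the play runs as root, so `owner=root group=root` on that line makes the requirement explicit.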
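Review bot: `[domain/binary-kitchen.de]` sets no `access_provider`, so sssd falls back to its default `permit` and every account found below `ldap_user_search_base` with an id above `min_id` may log in on the shell server; the nslcd setup being replaced had the same gap, so this is an opportunity rather than a regression. If shell access is meant for a subset of members, add `access_provider = simple` with `simple_allow_groups = <shell-group>` (placeholder), or `access_provider = ldap` with an `ldap_access_filter`, and if everyone is intended, say so in a `#` comment in the section. `ldap_default_authtok = {{ ldap_bindpw }}` renders the bind password in clear, which is acceptable only because the task installs the file with mode 0600 — a one-line `#` comment above it stating that dependency protects the mode from being relaxed later. `ldap_id_use_start_tls = true` covers identity lookups; as far as I know sssd refuses to send authentication binds over an unencrypted channel by default, so the TLS settings look complete as written.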