1
0
forked from infra/ansible

sssd: new role to replace ldap_pam (based on nslcd)

This commit is contained in:
Markus 2024-01-16 19:03:03 +01:00
parent c6db7e5805
commit d1682eb5f2
11 changed files with 53 additions and 96 deletions

View File

@ -137,10 +137,6 @@ nextcloud_dbname: owncloud
nextcloud_dbuser: owncloud
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
omm_domain: omm.binary.kitchen
pretalx_domain: fahrplan.eh21.easterhegg.eu
@ -176,6 +172,9 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
slapd_root_pass: "{{ vault_slapd_root_pass }}"
slapd_san: ldap.binary.kitchen
sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
sssd_base_user: ou=people,dc=binary-kitchen,dc=de
strichliste_domain: tschunk.binary.kitchen
strichliste_dbname: strichliste
strichliste_dbuser: strichliste

View File

@ -1,6 +0,0 @@
Name: Create home directory during login
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0077 skel=/etc/skel

View File

@ -1,20 +0,0 @@
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

View File

@ -1,10 +0,0 @@
---
- name: Restart nscd
service: name=nscd state=restarted
- name: Restart nslcd
service: name=nslcd state=restarted
- name: Update pam-auth
shell: pam-auth-update --package libpam-modules 2>/dev/null

View File

@ -1,19 +0,0 @@
---
- name: Install nslcd
apt: name=nslcd
- name: Configure nslcd
template: src=nslcd.conf.j2 dest=/etc/nslcd.conf
notify: Restart nslcd
- name: Configure nsswitch
copy: src=nsswitch.conf dest=/etc/nsswitch.conf
notify: Restart nscd
- name: Configure PAM mkhomedir
copy: src=mkhomedir dest=/usr/share/pam-configs/mkhomedir mode=0644
notify: Update pam-auth
- name: Start the nslcd service
service: name=nslcd state=started enabled=yes

View File

@ -1,36 +0,0 @@
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri {{ ldap_uri }}
# The search base that will be used for all queries.
base {{ ldap_base }}
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
binddn {{ ldap_binddn }}
bindpw {{ ldap_bindpw }}
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# The search scope.
scope one
# Customize certain database lookups.
base group {{ nslcd_base_group }}
base passwd {{ nslcd_base_passwd }}
base shadow {{ nslcd_base_shadow }}
# SSL options
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
tls_cacertdir /etc/ssl/certs

View File

@ -0,0 +1,7 @@
Name: Create home directory on login
Default: yes
Priority: 900
Session-Type: Additional
Session-Interactive-Only: yes
Session:
required pam_mkhomedir.so umask=0077 skel=/etc/skel

View File

@ -0,0 +1,7 @@
---
- name: Restart sssd
service: name=sssd state=restarted
- name: Update pam-auth
shell: pam-auth-update --enable mkhomedir

12
roles/sssd/tasks/main.yml Normal file
View File

@ -0,0 +1,12 @@
---
- name: Install sssd
apt: name=sssd
- name: Configure sssd
template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf mode=0600
notify: Restart sssd
- name: Configure PAM mkhomedir
copy: src=mkhomedir dest=/usr/share/pam-configs/mkhomedir mode=0644
notify: Update pam-auth

View File

@ -0,0 +1,23 @@
[sssd]
config_file_version = 2
domains = binary-kitchen.de
[domain/binary-kitchen.de]
auth_provider = ldap
chpass_provider = ldap
id_provider = ldap
cache_credentials = false
case_sensitive = true
enumerate = false
min_id = 10000
ldap_schema = rfc2307bis
ldap_default_authtok_type = password
ldap_default_bind_dn = {{ ldap_binddn }}
ldap_default_authtok = {{ ldap_bindpw }}
ldap_uri = {{ ldap_uri }}
ldap_search_base = {{ ldap_base }}
ldap_user_search_base = {{ sssd_base_user }}
ldap_group_search_base = {{ sssd_base_group }}
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/ssl/certs

View File

@ -27,7 +27,7 @@
- name: Setup shell server
hosts: [sulis.binary.kitchen, oxygen.binary-kitchen.net]
roles:
- ldap_pam
- sssd
- member_sw
- name: Setup monitoring server