Add LDAP role for void lxc containers
3
roles/ldap/handlers/main.yml
Normal file
3
roles/ldap/handlers/main.yml
Normal file
@@ -0,0 +1,3 @@
|
|||||||
|
---
|
||||||
|
- name: restart nslcd
|
||||||
|
service: name=nslcd enabled=yes state=restarted
|
||||||
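Review bot: The handler line `service: name=nslcd enabled=yes state=restarted` uses key=value module arguments and the YAML 1.1 truthy `yes`, while the `pamd:` and `lineinfile:` tasks in `tasks/ldap.yml` of the same commit already use block-style YAML. Writing it as `service:` / `name: nslcd` / `enabled: true` / `state: restarted` is behaviourally identical and keeps ansible-lint/yamllint `truthy` quiet. `enabled=yes` here also duplicates what the `ldap - start nslcd` task already enforces; it is harmless in a restart handler but could be dropped to keep the handler single-purpose.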
56
roles/ldap/tasks/ldap.yml
Normal file
56
roles/ldap/tasks/ldap.yml
Normal file
@@ -0,0 +1,56 @@
|
|||||||
|
---
|
||||||
|
- name: ldap - install
|
||||||
|
package: name={{ item }}
|
||||||
|
with_items:
|
||||||
|
- nss-pam-ldapd
|
||||||
|
|
||||||
|
- name: ldap - /etc/nsswitch.conf
|
||||||
|
template: dest=/etc/nsswitch.conf src=nsswitch.conf.j2 owner=root group=root mode=0644
|
||||||
|
|
||||||
|
- name: ldap - /etc/nslcd.conf
|
||||||
|
template: dest=/etc/nslcd.conf src=nslcd.conf.j2 owner=root group=nslcd mode=0640
|
||||||
|
notify: restart nslcd
|
||||||
|
|
||||||
|
- name: ldap - start nslcd
|
||||||
|
service: name=nslcd enabled=yes state=started
|
||||||
|
|
||||||
|
- name: ldap - PAM
|
||||||
|
pamd:
|
||||||
|
name: "{{ item.name }}"
|
||||||
|
type: "{{ item.type }}"
|
||||||
|
new_type: "{{ item.type }}"
|
||||||
|
control: required
|
||||||
|
new_control: "{{ item.control }}"
|
||||||
|
module_path: pam_unix.so
|
||||||
|
new_module_path: "{{ item.module_path }}"
|
||||||
|
module_arguments: "{{ item.module_arguments }}"
|
||||||
|
state: "{{ item.state }}"
|
||||||
|
with_items:
|
||||||
|
- { name: system-auth, type: auth, control: sufficient, module_path: pam_ldap.so, module_arguments: minimum_uid=1000, state: before }
|
||||||
|
- { name: system-auth, type: account, control: sufficient, module_path: pam_ldap.so, module_arguments: minimum_uid=1000, state: before }
|
||||||
|
- { name: system-auth, type: password, control: sufficient, module_path: pam_ldap.so, module_arguments: minimum_uid=1000, state: before }
|
||||||
|
- { name: system-auth, type: session, control: optional, module_path: pam_ldap.so, module_arguments: minimum_uid=1000, state: after }
|
||||||
|
|
||||||
|
- name: ldap - enable passwd change
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/pam.d/passwd
|
||||||
|
line: "password sufficient pam_ldap.so"
|
||||||
|
insertbefore: "^password"
|
||||||
|
firstmatch: yes
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: ldap - sudoers ensure includedir
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/sudoers
|
||||||
|
line: "#includedir /etc/sudoers.d"
|
||||||
|
state: present
|
||||||
|
validate: "/usr/sbin/visudo -cf %s"
|
||||||
|
|
||||||
|
- name: sudoers - create
|
||||||
|
copy:
|
||||||
|
content: "%admin ALL=(ALL) ALL"
|
||||||
|
dest: "/etc/sudoers.d/admin"
|
||||||
|
mode: 0440
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
validate: "/usr/sbin/visudo -cf %s"
|
||||||
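Review bot: `content: "%admin ALL=(ALL) ALL"` in the `sudoers - create` task grants unrestricted root to the `admin` group, and with `group: files ldap` in the nsswitch template shipped by this same commit that group's membership is resolved from the directory — so anyone who can write to the LDAP tree (or, given the plaintext `ldap://` URI in `nslcd.conf.j2`, answer for it on the path) can mint root on every container. If that is the intended trust boundary it deserves a comment on the task, e.g. `# NOTE: 'admin' membership is resolved from LDAP via nslcd; directory admins are effectively root here`, and it makes an authenticated LDAP transport a precondition of this role rather than optional hardening. Separately, the three `state: before` rules insert `pam_ldap.so` ahead of a `pam_unix.so` line matched as `control: required` with no `module_arguments`; if Void's stock `system-auth` line does not carry `try_first_pass`, local users will be prompted for their password twice once `pam_ldap.so` fails for them — confirm against the distro file before relying on `minimum_uid=1000` alone. The `lineinfile` on `/etc/sudoers` uses a bare `line:` with no `regexp`, so on a sudo that already ships `@includedir /etc/sudoers.d` it adds a second, redundant `#includedir`; harmless, but `regexp: '^[#@]includedir /etc/sudoers.d'` would make it idempotent across sudo versions.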
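--- a/roles/ldap/templates/nslcd.conf.j2
+++ b/roles/ldap/templates/nslcd.conf.j2
@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+# See the manual page nslcd.conf(5) for more information.
+
+uid nslcd
+gid nslcd
+
+uri ldap://gagarin.fet.htu.tuwien.ac.at/
+base dc=fet,dc=htu,dc=tuwien,dc=ac,dc=at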
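Review bot: `uri ldap://gagarin.fet.htu.tuwien.ac.at/` configures plaintext LDAP and the template carries no `ssl`, `tls_reqcert` or `tls_cacertfile` directive, so the simple binds performed by `pam_ldap.so` send every user's password in the clear, and the NSS passwd/group lookups that feed the `%admin` sudoers rule are unauthenticated and spoofable by anyone on the path. Prefer `uri ldaps://gagarin.fet.htu.tuwien.ac.at/` together with `tls_reqcert demand` and `tls_cacertfile /etc/ssl/certs/ca-certificates.crt` (or `ssl start_tls` on the existing URI); whether the server offers TLS and which CA signs its certificate is not visible here, so confirm with the directory owners before switching. The file also has no NSS-side counterpart to the PAM `minimum_uid=1000` argument; adding `nss_min_uid 1000` stops a directory entry with a low UID from shadowing a local system account in passwd and group lookups.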
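--- a/roles/ldap/templates/nsswitch.conf.j2
+++ b/roles/ldap/templates/nsswitch.conf.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+# /etc/nsswitch.conf
+#
+# See nsswitch.conf(5) for information.
+#
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+
+hosts: files mdns mdns4_minimal mdns4 myhostname dns
+networks: files
+
+protocols: files
+services: files
+ethers: files
+rpc: files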
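Review bot: `hosts: files mdns mdns4_minimal mdns4 myhostname dns` consults the full `mdns` and `mdns4` modules before `dns`; unlike `mdns4_minimal`, those can answer non-`.local` names over multicast (unconditionally on older nss-mdns, and on current versions for any domain permitted by `/etc/mdns.allow`), so a host on the same link segment could answer for `gagarin.fet.htu.tuwien.ac.at` ahead of the real resolver — which, combined with the plaintext LDAP URI in `nslcd.conf.j2`, is a path to spoofed group membership and therefore sudo. The conventional line is `hosts: files mdns4_minimal [NOTFOUND=return] myhostname dns`, which keeps mDNS for `.local` names only and stops `.local` lookups from leaking to unicast DNS. Note also that the role's package task installs only `nss-pam-ldapd`; if `nss-mdns` is not installed by another role, glibc skips the missing modules and this line simply adds failed lookups.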