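---
# Role tasks: configure LDAP-backed NSS/PAM through nss-pam-ldapd and grant
# the "admin" group sudo access. The "restart nslcd" handler notified below
# is expected to be defined elsewhere in the role.

- name: ldap - install
  package:
    name: nss-pam-ldapd
    state: present

- name: ldap - /etc/nsswitch.conf
  template:
    src: nsswitch.conf.j2
    dest: /etc/nsswitch.conf
    owner: root
    group: root
    # Quoted so the YAML parser keeps the octal notation as a string
    # instead of turning it into an integer.
    mode: "0644"

- name: ldap - /etc/nslcd.conf
  template:
    src: nslcd.conf.j2
    dest: /etc/nslcd.conf
    owner: root
    group: nslcd
    # nslcd.conf typically holds directory bind credentials: keep it
    # readable only by root and the nslcd service account.
    mode: "0640"
  notify: restart nslcd

- name: ldap - start nslcd
  service:
    name: nslcd
    enabled: true
    state: started

# Insert pam_ldap.so next to the existing "required pam_unix.so" entry of
# each stack in system-auth: the LDAP rule is placed before pam_unix for
# auth/account/password and after it for session. The minimum_uid argument
# is presumably meant to keep low-uid system accounts on local auth only
# (pam_ldap semantics; confirm against the installed nss-pam-ldapd).
- name: ldap - PAM
  pamd:
    name: "{{ item.name }}"
    type: "{{ item.type }}"
    new_type: "{{ item.type }}"
    control: required
    new_control: "{{ item.control }}"
    module_path: pam_unix.so
    new_module_path: "{{ item.module_path }}"
    module_arguments: "{{ item.module_arguments }}"
    state: "{{ item.state }}"
  with_items:
    - name: system-auth
      type: auth
      control: sufficient
      module_path: pam_ldap.so
      module_arguments: minimum_uid=1000
      state: before
    - name: system-auth
      type: account
      control: sufficient
      module_path: pam_ldap.so
      module_arguments: minimum_uid=1000
      state: before
    - name: system-auth
      type: password
      control: sufficient
      module_path: pam_ldap.so
      module_arguments: minimum_uid=1000
      state: before
    - name: system-auth
      type: session
      control: optional
      module_path: pam_ldap.so
      module_arguments: minimum_uid=1000
      state: after

# Let LDAP users change their password with passwd(1): the LDAP rule goes
# in front of the first existing "password" rule only.
- name: ldap - enable passwd change
  lineinfile:
    path: /etc/pam.d/passwd
    line: "password sufficient pam_ldap.so"
    insertbefore: "^password"
    firstmatch: true
    state: present

# sudo only reads /etc/sudoers.d when sudoers carries the includedir
# directive. Every sudoers write is validated with visudo so a syntax
# error cannot leave the host without a working sudo.
- name: ldap - sudoers ensure includedir
  lineinfile:
    path: /etc/sudoers
    line: "#includedir /etc/sudoers.d"
    state: present
    validate: "/usr/sbin/visudo -cf %s"

- name: sudoers - create
  copy:
    # Members of "admin" may run any command, with password prompting
    # (no NOPASSWD). Trailing newline: sudoers files end with one.
    content: "%admin ALL=(ALL) ALL\n"
    dest: /etc/sudoers.d/admin
    owner: root
    group: root
    mode: "0440"
    validate: "/usr/sbin/visudo -cf %s"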