---
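# Install nss-pam-ldapd: it ships the nslcd daemon and the NSS/PAM LDAP
# modules that the remaining tasks configure. Native module args instead of
# the legacy key=value string; the loop is kept so more packages can be added.
- name: ldap - install
  package:
    name: "{{ item }}"
    state: present
  with_items:
  - nss-pam-ldapd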
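# Render the NSS configuration (template not shown here). World-readable is
# fine for nsswitch.conf; the mode is quoted so a YAML 1.1 parser cannot
# retype the octal string.
- name: ldap - /etc/nsswitch.conf
  template:
    src: nsswitch.conf.j2
    dest: /etc/nsswitch.conf
    owner: root
    group: root
    mode: "0644"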
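# Render the nslcd daemon configuration. root:nslcd with 0640 keeps the file
# unreadable to other local users; nslcd.conf commonly carries the LDAP bind
# credentials (template not shown here, so confirm this applies). Changes
# trigger the "restart nslcd" handler so the daemon picks up the new config.
- name: ldap - /etc/nslcd.conf
  template:
    src: nslcd.conf.j2
    dest: /etc/nslcd.conf
    owner: root
    group: nslcd
    mode: "0640"
  notify: restart nslcd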
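# Start nslcd now and enable it at boot. Native args with a canonical boolean
# instead of the key=value string form ("enabled=yes").
- name: ldap - start nslcd
  service:
    name: nslcd
    enabled: true
    state: started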
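# Insert pam_ldap.so into the system-auth stack relative to the existing
# "<type> required pam_unix.so" rule of the same type. minimum_uid=1000 keeps
# root and system accounts (UID below 1000) on local authentication only.
# NOTE(review): auth/account/password rules are placed *before* pam_unix.so as
# "sufficient", so an LDAP success short-circuits the remaining pam_unix rule
# of that type for the user; confirm that precedence is intended (in
# particular for the account stack). The loop items are written in block
# style; flow mappings hid the per-item differences in control/state.
- name: ldap - PAM
  pamd:
    name: "{{ item.name }}"
    type: "{{ item.type }}"
    control: required
    module_path: pam_unix.so
    new_type: "{{ item.type }}"
    new_control: "{{ item.control }}"
    new_module_path: "{{ item.module_path }}"
    module_arguments: "{{ item.module_arguments }}"
    state: "{{ item.state }}"
  with_items:
  - name: system-auth
    type: auth
    control: sufficient
    module_path: pam_ldap.so
    module_arguments: minimum_uid=1000
    state: before
  - name: system-auth
    type: account
    control: sufficient
    module_path: pam_ldap.so
    module_arguments: minimum_uid=1000
    state: before
  - name: system-auth
    type: password
    control: sufficient
    module_path: pam_ldap.so
    module_arguments: minimum_uid=1000
    state: before
  - name: system-auth
    type: session
    control: optional
    module_path: pam_ldap.so
    module_arguments: minimum_uid=1000
    state: after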
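# Let the passwd utility change LDAP passwords: add pam_ldap.so ahead of the
# first existing "password" rule so the LDAP backend is tried before pam_unix.
# No regexp is given, so idempotence relies on the exact line text.
- name: ldap - enable passwd change
  lineinfile:
    dest: /etc/pam.d/passwd
    line: "password sufficient pam_ldap.so"
    insertbefore: "^password"
    firstmatch: true  # canonical boolean instead of "yes"
    state: present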
# Make sure /etc/sudoers pulls in /etc/sudoers.d. The validate command runs
# visudo against the candidate file before it replaces the real one, so a
# malformed sudoers is never written into place.
- name: ldap - sudoers ensure includedir
  lineinfile:
    dest: /etc/sudoers
    state: present
    line: '#includedir /etc/sudoers.d'
    validate: '/usr/sbin/visudo -cf %s'
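# Grant the admin group full sudo via a sudoers.d fragment. The block scalar
# keeps a trailing newline, which the original quoted string lacked; some sudo
# releases report a syntax error on a fragment whose last line is unterminated.
# 0440 root:root is what sudo expects for fragments; the mode is quoted so the
# YAML parser cannot retype it. validate checks the file with visudo before it
# is installed.
- name: sudoers - create
  copy:
    content: |
      %admin ALL=(ALL) ALL
    dest: /etc/sudoers.d/admin
    owner: root
    group: root
    mode: "0440"
    validate: "/usr/sbin/visudo -cf %s"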