conf added

2025-10-30 18:01:11 +01:00 · 2024-12-11 16:35:32 +01:00
parent afc7817a81
commit 43dc4a8009
11 changed files with 565 additions and 0 deletions
--- a/roles/ldap_client/tasks/main.yml
+++ b/roles/ldap_client/tasks/main.yml
@@ -0,0 +1,149 @@
+- block:
+  - name: Install ldap packages
+    ansible.builtin.apt:
+      name: 
+        - libpam-ldapd
+        - ldap-utils
+        - libnss-ldapd
+  # - name: Reconfigure ldap base
+  #   ansible.builtin.lineinfile:
+  #     path: /etc/ldap.conf
+  #     regexp: "^base "
+  #     line: "base dc=sectorq,dc=eu"
+
+  # - name: Reconfigure ldap uri
+  #   ansible.builtin.lineinfile:
+  #     path: /etc/ldap.conf
+  #     regexp: "^uri ldap.*"
+  #     line: "uri ldaps://ldap-server.loc/"
+  # - name: Reconfigure ldap version
+  #   ansible.builtin.lineinfile:
+  #     path: /etc/ldap.conf
+  #     regexp: "^ldap_version.*"
+  #     line: "ldap_version 3"
+
+  # - name: Reconfigure ldap rootbinddn
+  #   ansible.builtin.lineinfile:
+  #     path: /etc/ldap.conf
+  #     regexp: "^rootbinddn.*"
+  #     line: "rootbinddn cn=admin,dc=sectorq,dc=eu"
+  - name: Reconfigure common-session
+    ansible.builtin.lineinfile:
+      path: /etc/pam.d/common-session
+      regexp: "^session optional pam_mkhomedir.so.*"
+      line: "session optional pam_mkhomedir.so skel=/etc/skel umask=077"
+  - name: Reconfigure common-session
+    ansible.builtin.lineinfile:
+      path: /etc/pam.d/common-session
+      regexp: "^session.*pam_ldap.so.*"
+      line: "session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000"      
+  - name: Reconfigure common-password
+    ansible.builtin.lineinfile:
+      path: /etc/pam.d/common-password
+      regexp: "^password.*success=1 user_unknown=ignore default=die.*"
+      line: "password        [success=1 default=ignore]     pam_ldap.so minimum_uid=1000 try_first_pass"
+  - name: Reconfigure nsswitch passwd
+    ansible.builtin.lineinfile:
+      path: /etc/nsswitch.conf
+      regexp: "^passwd:.*"
+      line: "passwd:         compat systemd ldap"
+  - name: Reconfigure nsswitch group
+    ansible.builtin.lineinfile:
+      path: /etc/nsswitch.conf
+      regexp: "^group:.*"
+      line: "group:          compat systemd ldap"
+  - name: Reconfigure nsswitch shadow
+    ansible.builtin.lineinfile:
+      path: /etc/nsswitch.conf
+      regexp: "^shadow:.*"
+      line: "shadow:         compat ldap"
+
+  - name: Reconfigure nslcd uri
+    ansible.builtin.lineinfile:
+      path: /etc/nslcd.conf
+      regexp: "^uri ldap.*"
+      line: "uri ldap://192.168.77.101:2389/"
+
+
+  - name: Reconfigure ldap base
+    ansible.builtin.lineinfile:
+      path: /etc/nslcd.conf
+      regexp: "^base "
+      line: "base dc=sectorq,dc=eu"
+
+
+  - name: Reconfigure nslcd binddn
+    ansible.builtin.lineinfile:
+      path: /etc/nslcd.conf
+      regexp: "^binddn"
+      line: "binddn cn=jaydee,dc=users,dc=sectorq,dc=eu"
+      
+  - name: Reconfigure nslcd bindpw
+    ansible.builtin.lineinfile:
+      path: /etc/nslcd.conf
+      regexp: "^bindpw"
+      line: "bindpw {{ ldap_admin_password }}"
+  # - name: Reconfigure ldap base
+  #   ansible.builtin.lineinfile:
+  #     path: /etc/nslcd.conf
+  #     regexp: "^#ssl"
+  #     line: "ssl start_tls"
+  - name: Reconfigure nslcd tls_reqcert
+    ansible.builtin.lineinfile:
+      path: /etc/nslcd.conf
+      regexp: "^tls_reqcert"
+      line: "tls_reqcert allow"
+  - name: Restart nslcd service
+    ansible.builtin.service:
+      name: nslcd.service
+      state: restarted
+
+  - name: Creating a file with content
+    copy:
+      dest: "/usr/local/bin/fetchSSHKeysFromLDAP"
+      content: |
+        #!/usr/bin/bash
+        ldapsearch  -x '(&(objectClass=ldapPublicKey)(cn='"$1"'))' 'sshPublicKey' |     sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'  
+      mode: '0755'
+  - name: Reconfigure sshd
+    ansible.builtin.lineinfile:
+      path: /etc/ssh/sshd_config
+      regexp: "^#AuthorizedKeysCommand *"
+      line: "AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP"
+
+  - name: Reconfigure sshd
+    ansible.builtin.lineinfile:
+      path: /etc/ssh/sshd_config
+      regexp: "^#AuthorizedKeysCommandUser *"
+      line: "AuthorizedKeysCommandUser root"
+  - name: Create a directory LDAP if it does not exist
+    ansible.builtin.file:
+      path: /etc/ldap/
+      state: directory
+      mode: '0755'
+  - name: Creating a file with content
+    copy:
+      dest: "/etc/ldap/ldap.conf"
+      content: |
+        #
+        # LDAP Defaults
+        #
+
+        # See ldap.conf(5) for details
+        # This file should be world readable but not world writable.
+
+        BASE    dc=sectorq,dc=eu
+        URI     ldap://192.168.77.101:2389
+
+        #SIZELIMIT      12
+        #TIMELIMIT      15
+        #DEREF          never
+
+        # TLS certificates (needed for GnuTLS)
+        TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
+  
+  - name: Restart sshd service
+    ansible.builtin.service:
+      name: sshd.service
+      state: restarted
+  become: true