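# Join a Debian/Ubuntu host to LDAP: nslcd for NSS/PAM lookups, plus an sshd
# AuthorizedKeysCommand that fetches sshPublicKey from the directory.
#
# Security notes for whoever maintains this:
#   * The directory is reached over plain ldap:// (port 2389) with a simple bind,
#     so the ldapservice password crosses the network in the clear on every
#     lookup. Prefer ldaps:// or `ssl start_tls` together with
#     `tls_reqcert demand` and a `tls_cacertfile` once the server offers TLS.
#   * Tasks that template ldap_admin_password carry `no_log: true` so the
#     secret does not land in controller output or logs.
#   * The key-lookup helper reads the bind password from a 0600 file instead of
#     passing it on the ldapsearch command line (visible in `ps` on every login).
- block:
    - name: Include vault
      ansible.builtin.include_vars:
        file: jaydee.yml
      no_log: true

    - name: Install ldap packages
      ansible.builtin.apt:
        name:
          - libpam-ldapd
          - ldap-utils
          - libnss-ldapd
        state: present

    # NOTE(review): /etc/pam.d/common-* are generated by pam-auth-update and use
    # tabs between fields. The regexps accept any whitespace so an existing line
    # is replaced instead of a duplicate being appended; pam-auth-update may
    # still rewrite these files later — confirm the profile matches.
    - name: Reconfigure common-session (pam_mkhomedir)
      ansible.builtin.lineinfile:
        path: /etc/pam.d/common-session
        regexp: '^session\s+optional\s+pam_mkhomedir\.so.*'
        line: "session optional pam_mkhomedir.so skel=/etc/skel umask=077"

    - name: Reconfigure common-session (pam_ldap)
      ansible.builtin.lineinfile:
        path: /etc/pam.d/common-session
        regexp: '^session.*pam_ldap\.so.*'
        line: "session [success=ok default=ignore] pam_ldap.so minimum_uid=1000"

    # NOTE(review): if no line with this control field exists yet, lineinfile
    # appends at EOF, i.e. after the final pam_permit/pam_deny entries, where a
    # password module is never reached — verify the target line is present.
    - name: Reconfigure common-password (pam_ldap)
      ansible.builtin.lineinfile:
        path: /etc/pam.d/common-password
        regexp: '^password\s+\[success=1\s+user_unknown=ignore\s+default=die\].*'
        line: "password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass"

    - name: Reconfigure nsswitch passwd
      ansible.builtin.lineinfile:
        path: /etc/nsswitch.conf
        regexp: '^passwd:.*'
        line: "passwd: compat systemd ldap"

    - name: Reconfigure nsswitch group
      ansible.builtin.lineinfile:
        path: /etc/nsswitch.conf
        regexp: '^group:.*'
        line: "group: compat systemd ldap"

    - name: Reconfigure nsswitch shadow
      ansible.builtin.lineinfile:
        path: /etc/nsswitch.conf
        regexp: '^shadow:.*'
        line: "shadow: compat ldap"

    # nslcd.conf is the live client configuration (the legacy /etc/ldap.conf
    # approach was abandoned). Plaintext ldap:// — see the header note.
    - name: Reconfigure nslcd uri
      ansible.builtin.lineinfile:
        path: /etc/nslcd.conf
        regexp: '^uri ldap.*'
        line: "uri ldap://192.168.77.101:2389/"

    - name: Reconfigure nslcd base
      ansible.builtin.lineinfile:
        path: /etc/nslcd.conf
        regexp: '^base '
        line: "base dc=sectorq,dc=eu"

    - name: Reconfigure nslcd binddn
      ansible.builtin.lineinfile:
        path: /etc/nslcd.conf
        regexp: '^binddn'
        line: "binddn cn=ldapservice,ou=users,dc=sectorq,dc=eu"

    - name: Reconfigure nslcd bindpw
      ansible.builtin.lineinfile:
        path: /etc/nslcd.conf
        regexp: '^bindpw'
        line: "bindpw {{ ldap_admin_password }}"
      no_log: true

    # nslcd.conf now holds the bind password: root-owned, readable only by the
    # nslcd daemon's group (the Debian package ships it as root:nslcd 0640).
    - name: Restrict nslcd.conf permissions
      ansible.builtin.file:
        path: /etc/nslcd.conf
        owner: root
        group: nslcd
        mode: "0640"

    # With no TLS configured this setting is inert; `demand` ensures that if
    # start_tls/ldaps is enabled later the server certificate is verified
    # instead of silently accepted (the previous value was `allow`).
    - name: Reconfigure nslcd tls_reqcert
      ansible.builtin.lineinfile:
        path: /etc/nslcd.conf
        regexp: '^tls_reqcert'
        line: "tls_reqcert demand"

    - name: Restart nslcd service
      ansible.builtin.service:
        name: nslcd.service
        state: restarted

    - name: Create /etc/ldap directory if it does not exist
      ansible.builtin.file:
        path: /etc/ldap/
        state: directory
        owner: root
        group: root
        mode: "0755"

    # Read by the key-lookup helper via `ldapsearch -y`, which uses the file's
    # complete contents as the password — so no trailing newline is written.
    - name: Write LDAP service-account password file for the key lookup helper
      ansible.builtin.copy:
        dest: /etc/ldap/ldapservice.pw
        content: "{{ ldap_admin_password }}"
        owner: root
        group: root
        mode: "0600"
      no_log: true

    # Runs as AuthorizedKeysCommandUser on every SSH login attempt. The user
    # name from sshd is escaped per RFC 4515 before it is placed in the filter.
    # NOTE(review): a dedicated unprivileged AuthorizedKeysCommandUser (owning
    # the password file) would be preferable to root for a network lookup.
    - name: Install AuthorizedKeysCommand helper
      ansible.builtin.copy:
        dest: /usr/local/bin/fetchSSHKeysFromLDAP
        content: |
          #!/bin/bash
          # Print the sshPublicKey values of the LDAP person whose cn is $1.
          # sshd supplies the target user name when AuthorizedKeysCommand has no args.
          set -euo pipefail
          [ "$#" -eq 1 ] || exit 1
          # Escape LDAP filter metacharacters (\ * ( )) so the name cannot alter the filter.
          user=$(printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')
          ldapsearch -x -H ldap://192.168.77.101:2389 \
            -D 'cn=ldapservice,ou=users,DC=sectorq,DC=eu' -y /etc/ldap/ldapservice.pw \
            "(&(objectClass=person)(cn=${user}))" sshPublicKey \
            | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
        owner: root
        group: root
        mode: "0700"

    # `\s` anchors the keyword so this regexp cannot also match the
    # AuthorizedKeysCommandUser line (the old `^#AuthorizedKeysCommand *` did,
    # and lineinfile replaces the last match). `^#?` also updates an already
    # active directive instead of appending a second one; sshd -t validates.
    - name: Reconfigure sshd AuthorizedKeysCommand
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?AuthorizedKeysCommand\s'
        line: "AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP"
        validate: /usr/sbin/sshd -t -f %s

    - name: Reconfigure sshd AuthorizedKeysCommandUser
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?AuthorizedKeysCommandUser\s'
        line: "AuthorizedKeysCommandUser root"
        validate: /usr/sbin/sshd -t -f %s

    # Client defaults for ldap-utils (ldapsearch etc.). Plaintext URI — see
    # the header note; TLS_CACERT only matters once ldaps/start_tls is used.
    - name: Write /etc/ldap/ldap.conf
      ansible.builtin.copy:
        dest: /etc/ldap/ldap.conf
        content: |
          #
          # LDAP Defaults
          #
          # See ldap.conf(5) for details
          # This file should be world readable but not world writable.

          BASE dc=sectorq,dc=eu
          URI ldap://192.168.77.101:2389

          #SIZELIMIT 12
          #TIMELIMIT 15
          #DEREF never

          # TLS certificates (needed for GnuTLS)
          TLS_CACERT /etc/ssl/certs/ca-certificates.crt
        owner: root
        group: root
        mode: "0644"

    - name: Restart sshd service
      ansible.builtin.service:
        name: ssh
        state: restarted
  become: true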