mirror of
https://gitlab.sectorq.eu/jaydee/ansible.git
synced 2025-10-31 02:11:10 +01:00
154 lines
4.8 KiB
YAML
Executable File
154 lines
4.8 KiB
YAML
Executable File
- block:
|
|
- name: include vault
|
|
ansible.builtin.include_vars:
|
|
file: jaydee.yml
|
|
- name: Install ldap packages
|
|
ansible.builtin.apt:
|
|
name:
|
|
- libpam-ldapd
|
|
- ldap-utils
|
|
- libnss-ldapd
|
|
# - name: Reconfigure ldap base
|
|
# ansible.builtin.lineinfile:
|
|
# path: /etc/ldap.conf
|
|
# regexp: "^base "
|
|
# line: "base dc=sectorq,dc=eu"
|
|
|
|
# - name: Reconfigure ldap uri
|
|
# ansible.builtin.lineinfile:
|
|
# path: /etc/ldap.conf
|
|
# regexp: "^uri ldap.*"
|
|
# line: "uri ldaps://ldap-server.loc/"
|
|
# - name: Reconfigure ldap version
|
|
# ansible.builtin.lineinfile:
|
|
# path: /etc/ldap.conf
|
|
# regexp: "^ldap_version.*"
|
|
# line: "ldap_version 3"
|
|
|
|
# - name: Reconfigure ldap rootbinddn
|
|
# ansible.builtin.lineinfile:
|
|
# path: /etc/ldap.conf
|
|
# regexp: "^rootbinddn.*"
|
|
# line: "rootbinddn cn=admin,dc=sectorq,dc=eu"
|
|
- name: Reconfigure common-session
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/pam.d/common-session
|
|
regexp: "^session optional pam_mkhomedir.so.*"
|
|
line: "session optional pam_mkhomedir.so skel=/etc/skel umask=077"
|
|
- name: Reconfigure common-session
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/pam.d/common-session
|
|
regexp: "^session.*pam_ldap.so.*"
|
|
line: "session [success=ok default=ignore] pam_ldap.so minimum_uid=1000"
|
|
- name: Reconfigure common-password
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/pam.d/common-password
|
|
regexp: "^password.*success=1 user_unknown=ignore default=die.*"
|
|
line: "password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass"
|
|
- name: Reconfigure nsswitch passwd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/nsswitch.conf
|
|
regexp: "^passwd:.*"
|
|
line: "passwd: compat systemd ldap"
|
|
- name: Reconfigure nsswitch group
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/nsswitch.conf
|
|
regexp: "^group:.*"
|
|
line: "group: compat systemd ldap"
|
|
- name: Reconfigure nsswitch shadow
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/nsswitch.conf
|
|
regexp: "^shadow:.*"
|
|
line: "shadow: compat ldap"
|
|
|
|
- name: Reconfigure nslcd uri
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/nslcd.conf
|
|
regexp: "^uri ldap.*"
|
|
line: "uri ldap://192.168.77.101:2389/"
|
|
|
|
|
|
- name: Reconfigure ldap base
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/nslcd.conf
|
|
regexp: "^base "
|
|
line: "base dc=sectorq,dc=eu"
|
|
|
|
|
|
- name: Reconfigure nslcd binddn
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/nslcd.conf
|
|
regexp: "^binddn"
|
|
line: "binddn cn=ldapservice,ou=users,dc=sectorq,dc=eu"
|
|
|
|
- name: Reconfigure nslcd bindpw
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/nslcd.conf
|
|
regexp: "^bindpw"
|
|
line: "bindpw {{ ldap_admin_password }}"
|
|
# - name: Reconfigure ldap base
|
|
# ansible.builtin.lineinfile:
|
|
# path: /etc/nslcd.conf
|
|
# regexp: "^#ssl"
|
|
# line: "ssl start_tls"
|
|
- name: Reconfigure nslcd tls_reqcert
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/nslcd.conf
|
|
regexp: "^tls_reqcert"
|
|
line: "tls_reqcert allow"
|
|
- name: Restart nslcd service
|
|
ansible.builtin.service:
|
|
name: nslcd.service
|
|
state: restarted
|
|
|
|
- name: Creating a file with content
|
|
copy:
|
|
dest: "/usr/local/bin/fetchSSHKeysFromLDAP"
|
|
content: |
|
|
#!/usr/bin/bash
|
|
ldapsearch -x -H ldap://192.168.77.101:2389 -D 'cn=ldapservice,ou=users,DC=sectorq,DC=eu' -w {{ ldap_admin_password }} '(&(objectClass=person)(cn='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
|
|
owner: root
|
|
group: root
|
|
mode: '0700'
|
|
- name: Reconfigure sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "^#AuthorizedKeysCommand *"
|
|
line: "AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP"
|
|
|
|
- name: Reconfigure sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "^#AuthorizedKeysCommandUser *"
|
|
line: "AuthorizedKeysCommandUser root"
|
|
- name: Create a directory LDAP if it does not exist
|
|
ansible.builtin.file:
|
|
path: /etc/ldap/
|
|
state: directory
|
|
mode: '0755'
|
|
- name: Creating a file with content
|
|
copy:
|
|
dest: "/etc/ldap/ldap.conf"
|
|
content: |
|
|
#
|
|
# LDAP Defaults
|
|
#
|
|
|
|
# See ldap.conf(5) for details
|
|
# This file should be world readable but not world writable.
|
|
|
|
BASE dc=sectorq,dc=eu
|
|
URI ldap://192.168.77.101:2389
|
|
|
|
#SIZELIMIT 12
|
|
#TIMELIMIT 15
|
|
#DEREF never
|
|
|
|
# TLS certificates (needed for GnuTLS)
|
|
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
|
|
|
|
- name: Restart sshd service
|
|
ansible.builtin.service:
|
|
name: ssh
|
|
state: restarted
|
|
become: true |