Initial LDAP client role

ldap.yml

@@ -0,0 +1,23 @@
+---
+# Plug LDAP on all servers
+- hosts: all
+  vars:
+    # LDAP binding
+    ldap_base: 'dc=crans,dc=org'
+    ldap_master_ipv4: '10.128.0.11'  #TODO
+    ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
+    ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
+    ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
+    ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
+
+    # Scripts will tell users to go there to manage their account
+    intranet_url: 'https://intranet.crans.org/'
+
+    # Users in that group will be able to `sudo`
+    sudo_group: 'sudoldap'  #TODO
+
+    # SSH keys for root account to use when LDAP is broken
+    ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
+  roles:
+    - ldap-client
+

roles/ldap-client/handlers/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Reconfigure libnss-ldapd package
+  command: dpkg-reconfigure libnss-ldapd -f noninteractive
+
+- name: Restart nslcd service
+  service:
+    name: nslcd
+    state: restarted
+
+# Empty cache when nslcd is restarted
+- name: Restart nscd service
+  service:
+    name: nscd
+    state: restarted
+  ignore_errors: true  # Sometimes service do not exist
+  listen: Restart nslcd service

roles/ldap-client/tasks/group_security.yml

@@ -0,0 +1,26 @@
+---
+# Filter SSH on groups
+- name: Filter SSH on groups
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: ^AllowGroups
+    line: AllowGroups root sudoldap aurore ssh
+    state: present
+
+# To gain root access with ldap rights
+- name: Install SUDO package
+  package:
+    name: sudo
+    state: present
+  register: package_result
+  retries: 3
+  until: package_result is succeeded
+
+# Set sudo group
+- name: Configure sudoers sudo group
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: ^%{{ sudo_group }}
+    line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL"
+    state: present
+    validate: /usr/sbin/visudo -cf %s

roles/ldap-client/tasks/install_ldap.yml

@@ -0,0 +1,35 @@
+---
+# Install LDAP client packages
+- name: Install LDAP client packages
+  apt:
+    update_cache: true
+    name:
+      - nslcd
+      - libnss-ldapd
+      - libpam-ldapd
+      - nscd  # local cache
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+# Configure /etc/nslcd.conf
+- name: Configure nslcd LDAP credentials
+  template:
+    src: nslcd.conf.j2
+    dest: /etc/nslcd.conf
+    mode: 0600
+  notify: Restart nslcd service
+
+# Configure /etc/nsswitch.conf
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}:"
+    line: "{{ item }}: files ldap"
+  loop:
+    - passwd
+    - group
+    - shadow
+    - sudoers
+  notify: Restart nslcd service

roles/ldap-client/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+# Install and configure main LDAP tools
+- include_tasks: install_ldap.yml
+
+# Filter who can access server and sudo on groups
+- include_tasks: group_security.yml
+
+# Some userland scripts specific to LDAP install
+- include_tasks: userland_scripts.yml
+
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568577
+- name: Ensure home directories are created upon login
+  lineinfile:
+    dest: /etc/pam.d/common-account
+    regexp: 'pam_mkhomedir\.so'
+    line: "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077"
+
+# If LDAP crashes
+- name: Install SSH keys for root account
+  authorized_key:
+    user: root
+    key: "{{ ssh_pub_keys }}"
+    state: present
+    exclusive: True

roles/ldap-client/tasks/userland_scripts.yml

@@ -0,0 +1,17 @@
+---
+# Disable passwd and chsh
+- name: Copy passwd and chsh scripts
+  template:
+    src: "{{ item }}.j2"
+    dest: /usr/local/bin/{{ item }}
+    mode: 0755
+  loop:
+    - chsh
+    - passwd
+
+# We do not want password change this way
+- name: Symlink chsh.ldap to chsh
+  file:
+    src: /usr/local/bin/chsh
+    dest: /usr/local/bin/chsh.ldap
+    state: link

roles/ldap-client/templates/chsh.j2

@@ -0,0 +1,3 @@
+#!/bin/sh
+# {{ ansible_managed }}
+echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"

roles/ldap-client/templates/nslcd.conf.j2

@@ -0,0 +1,38 @@
+# {{ ansible_managed }}
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+{% if ldap_local_replica_uri is defined %}
+{% for uri in ldap_local_replica_uri %}
+uri {{ uri }}
+{% endfor %}
+{% endif %}
+uri {{ ldap_master_uri }}
+
+# The search base that will be used for all queries.
+base {{ ldap_base }}
+base passwd cn=Utilisateurs,{{ ldap_base }}
+base shadow cn=Utilisateurs,{{ ldap_base }}
+base group ou=posix,ou=groups,{{ ldap_base }}
+
+# The LDAP protocol version to use.
+ldap_version 3
+
+# The DN to bind with for normal lookups.
+binddn {{ ldap_nslcd_bind_dn }}
+bindpw {{ ldap_nslcd_passwd }}
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+#tls_reqcert never
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub
+

roles/ldap-client/templates/passwd.j2

@@ -0,0 +1,3 @@
+#!/bin/sh
+# {{ ansible_managed }}
+echo "Pour changer votre mot de passe,\nAllez sur l'intranet : {{intranet_url}}"