diff --git a/ldap.yml b/ldap.yml
new file mode 100644
index 00000000..e0972c26
--- /dev/null
+++ b/ldap.yml
@@ -0,0 +1,23 @@
+---
+# Plug LDAP on all servers
+- hosts: all
+ vars:
+ # LDAP binding
+ ldap_base: 'dc=crans,dc=org'
+ ldap_master_ipv4: '10.128.0.11' #TODO
+ ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
+ ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
+ ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
+ ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
+
+ # Scripts will tell users to go there to manage their account
+ intranet_url: 'https://intranet.crans.org/'
+
+ # Users in that group will be able to `sudo`
+ sudo_group: 'sudoldap' #TODO
+
+ # SSH keys for root account to use when LDAP is broken
+ ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
+ roles:
+ - ldap-client
+
diff --git a/roles/ldap-client/handlers/main.yml b/roles/ldap-client/handlers/main.yml
new file mode 100644
index 00000000..f0f3111b
--- /dev/null
+++ b/roles/ldap-client/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Reconfigure libnss-ldapd package
+ command: dpkg-reconfigure libnss-ldapd -f noninteractive
+
+- name: Restart nslcd service
+ service:
+ name: nslcd
+ state: restarted
+
+# Empty cache when nslcd is restarted
+- name: Restart nscd service
+ service:
+ name: nscd
+ state: restarted
+ ignore_errors: true # Sometimes service do not exist
+ listen: Restart nslcd service
diff --git a/roles/ldap-client/tasks/group_security.yml b/roles/ldap-client/tasks/group_security.yml
new file mode 100644
index 00000000..c2ffa67e
--- /dev/null
+++ b/roles/ldap-client/tasks/group_security.yml
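Review bot: `ldap_master_uri` uses the plain `ldap://` scheme and nothing in the new nslcd.conf.j2 turns TLS on (`#ssl off` and `#tls_reqcert never` stay commented, so the `tls_cacertfile` line is never exercised), which as far as this diff shows sends the `bindpw` rendered from `vault_ldap_nslcd_passwd` and every passwd/shadow lookup over the wire in cleartext. Either switch the URI to `ldaps://` or add `ssl start_tls` and `tls_reqcert demand` next to the existing `tls_cacertfile` line in nslcd.conf.j2; in both cases the server certificate must match what is in the URI, and with a bare IP address that means an IP SAN, so a hostname is probably the easier choice once the `#TODO` address is settled. The same point applies to the nslcd.conf.j2 hunk below and is raised only here. As a style nit, the two inline `#TODO` comments want two spaces before and one after the hash, e.g. `sudo_group: 'sudoldap'  # TODO`.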
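Review bot: The `Reconfigure libnss-ldapd package` handler is not notified by any task in this diff (install_ldap.yml, group_security.yml, main.yml and userland_scripts.yml only ever notify `Restart nslcd service`), so it is dead configuration; either drop it or have the nsswitch task in install_ldap.yml notify it, with a comment saying what the reconfigure regenerates. The `# Sometimes service do not exist` comment on the nscd restart looks stale, since install_ldap.yml installs `nscd` on every host this role runs on — confirm whether the guard is still needed. If it is, `failed_when: false` states the intent more precisely than `ignore_errors: true`, which still reports the task as failed in the run output.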
@@ -0,0 +1,26 @@
+---
+# Filter SSH on groups
+- name: Filter SSH on groups
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: ^AllowGroups
+ line: AllowGroups root sudoldap aurore ssh
+ state: present
+
+# To gain root access with ldap rights
+- name: Install SUDO package
+ package:
+ name: sudo
+ state: present
+ register: package_result
+ retries: 3
+ until: package_result is succeeded
+
+# Set sudo group
+- name: Configure sudoers sudo group
+ lineinfile:
+ dest: /etc/sudoers
+ regexp: ^%{{ sudo_group }}
+ line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL"
+ state: present
+ validate: /usr/sbin/visudo -cf %s
diff --git a/roles/ldap-client/tasks/install_ldap.yml b/roles/ldap-client/tasks/install_ldap.yml
new file mode 100644
index 00000000..cb9959c2
--- /dev/null
+++ b/roles/ldap-client/tasks/install_ldap.yml
@@ -0,0 +1,35 @@
+---
+# Install LDAP client packages
+- name: Install LDAP client packages
+ apt:
+ update_cache: true
+ name:
+ - nslcd
+ - libnss-ldapd
+ - libpam-ldapd
+ - nscd # local cache
+ state: present
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+# Configure /etc/nslcd.conf
+- name: Configure nslcd LDAP credentials
+ template:
+ src: nslcd.conf.j2
+ dest: /etc/nslcd.conf
+ mode: 0600
+ notify: Restart nslcd service
+
+# Configure /etc/nsswitch.conf
+- name: Configure NSS to use LDAP
+ lineinfile:
+ dest: /etc/nsswitch.conf
+ regexp: "^{{ item }}:"
+ line: "{{ item }}: files ldap"
+ loop:
+ - passwd
+ - group
+ - shadow
+ - sudoers
+ notify: Restart nslcd service
diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml
new file mode 100644
index 00000000..8e4031a7
--- /dev/null
+++ b/roles/ldap-client/tasks/main.yml
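Review bot: The `AllowGroups root sudoldap aurore ssh` line hard-codes the sudo group while the sudoers task further down derives it from `{{ sudo_group }}`, so changing the variable silently leaves SSH access out of sync with sudo access; use `line: "AllowGroups root {{ sudo_group }} aurore ssh"`. Unlike the sudoers task, the sshd_config edit has no `validate:` and notifies no handler, so a malformed line is written unchecked and the restriction only takes effect at the next sshd reload; add `validate: /usr/sbin/sshd -t -f %s` and a `notify:` to an sshd reload handler, which this diff would still need to add in handlers/main.yml. `aurore` and `ssh` are not defined anywhere in the diff, so a comment above the task saying where those groups come from would help the next reader.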
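Review bot: The `sudoers` entry written to /etc/nsswitch.conf is the hook for an LDAP-enabled sudo (`sudo-ldap` on Debian), not something nslcd serves, and group_security.yml installs plain `sudo`, so this line is very likely inert; either install and configure `sudo-ldap` or drop `sudoers` from the loop so the file does not advertise a lookup path that does not exist. `mode: 0600` on the nslcd.conf template is an unquoted octal that happens to work, but `mode: "0600"` is the portable form, and since the rendered file carries `bindpw` it is worth pinning `owner: root` as well so a later chown cannot widen access. The loop's `line: "{{ item }}: files ldap"` replaces whatever sources a host already had for each map (e.g. `compat`); that is probably intended, and a one-line comment saying so would save the question.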
@@ -0,0 +1,24 @@
+---
+# Install and configure main LDAP tools
+- include_tasks: install_ldap.yml
+
+# Filter who can access server and sudo on groups
+- include_tasks: group_security.yml
+
+# Some userland scripts specific to LDAP install
+- include_tasks: userland_scripts.yml
+
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568577
+- name: Ensure home directories are created upon login
+ lineinfile:
+ dest: /etc/pam.d/common-account
+ regexp: 'pam_mkhomedir\.so'
+ line: "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077"
+
+# If LDAP crashes
+- name: Install SSH keys for root account
+ authorized_key:
+ user: root
+ key: "{{ ssh_pub_keys }}"
+ state: present
+ exclusive: True
diff --git a/roles/ldap-client/tasks/userland_scripts.yml b/roles/ldap-client/tasks/userland_scripts.yml
new file mode 100644
index 00000000..fa41780b
--- /dev/null
+++ b/roles/ldap-client/tasks/userland_scripts.yml
@@ -0,0 +1,17 @@
+---
+# Disable passwd and chsh
+- name: Copy passwd and chsh scripts
+ template:
+ src: "{{ item }}.j2"
+ dest: /usr/local/bin/{{ item }}
+ mode: 0755
+ loop:
+ - chsh
+ - passwd
+
+# We do not want password change this way
+- name: Symlink chsh.ldap to chsh
+ file:
+ src: /usr/local/bin/chsh
+ dest: /usr/local/bin/chsh.ldap
+ state: link
diff --git a/roles/ldap-client/templates/chsh.j2 b/roles/ldap-client/templates/chsh.j2
new file mode 100644
index 00000000..9e6f30f3
--- /dev/null
+++ b/roles/ldap-client/templates/chsh.j2
@@ -0,0 +1,3 @@
+#!/bin/sh
+# {{ ansible_managed }}
+echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2
new file mode 100644
index 00000000..db05bdc3
--- /dev/null
+++ b/roles/ldap-client/templates/nslcd.conf.j2
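Review bot: `exclusive: True` makes `vault_ssh_pub_keys` the only content of root's authorized_keys, so an empty or mis-scoped vault value would strip every existing root key on every host in one run — and that file is the only fallback this play keeps for an LDAP outage; guard the task with `when: ssh_pub_keys | length > 0` (or a preceding `assert`), and write the boolean as `exclusive: true` per yamllint's truthy rule. The `pam_mkhomedir.so` line is a `session` entry appended to `common-account`; PAM reads the type per line so it works, but that file is one `pam-auth-update` manages, so confirm the line survives a pam-auth-update run or place it in common-session instead. The `# If LDAP crashes` comment would be clearer as `# Break-glass root keys for when LDAP is unreachable`.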
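Review bot: Shadowing `passwd` and `chsh` with scripts in /usr/local/bin is a PATH convenience, not a control: `/usr/bin/passwd` and `/usr/bin/chsh` remain callable by full path and still go through the PAM stack that install_ldap.yml configures with `libpam-ldapd`. If changes really must be blocked, enforce it on the directory side (write ACLs on the relevant attributes) or in the PAM password stack, and keep these scripts as user guidance; a comment such as `# Points users at the intranet; does not prevent /usr/bin/passwd` on the loop would make that explicit. The `# We do not want password change this way` comment sits above the `chsh.ldap` symlink, which has nothing to do with passwords — it belongs on the copy task above. `mode: 0755` is better quoted as `mode: "0755"`.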
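Review bot: `echo "...\n..."` depends on which shell `/bin/sh` is — dash's echo expands `\n`, bash's prints it literally — so the message renders differently across hosts; `printf '%s\n' "Pour changer votre shell," "Allez sur l'intranet : {{ intranet_url }}"` is portable. The script also exits 0, so anything that runs `chsh` and checks its status believes the change succeeded; end it with `exit 1`. The same two points apply to passwd.j2 in the last hunk and are raised only here. `{{intranet_url}}` without inner spaces is out of step with every other Jinja expression in this diff.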
@@ -0,0 +1,38 @@
+# {{ ansible_managed }}
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+{% if ldap_local_replica_uri is defined %}
+{% for uri in ldap_local_replica_uri %}
+uri {{ uri }}
+{% endfor %}
+{% endif %}
+uri {{ ldap_master_uri }}
+
+# The search base that will be used for all queries.
+base {{ ldap_base }}
+base passwd cn=Utilisateurs,{{ ldap_base }}
+base shadow cn=Utilisateurs,{{ ldap_base }}
+base group ou=posix,ou=groups,{{ ldap_base }}
+
+# The LDAP protocol version to use.
+ldap_version 3
+
+# The DN to bind with for normal lookups.
+binddn {{ ldap_nslcd_bind_dn }}
+bindpw {{ ldap_nslcd_passwd }}
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+#tls_reqcert never
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub
+
diff --git a/roles/ldap-client/templates/passwd.j2 b/roles/ldap-client/templates/passwd.j2
new file mode 100644
index 00000000..d7ce14d7
--- /dev/null
+++ b/roles/ldap-client/templates/passwd.j2
@@ -0,0 +1,3 @@
+#!/bin/sh
+# {{ ansible_managed }}
+echo "Pour changer votre mot de passe,\nAllez sur l'intranet : {{intranet_url}}"
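Review bot: `base passwd cn=Utilisateurs,{{ ldap_base }}` and the `base shadow` line re-spell the DN that ldap.yml already defines as `ldap_user_tree`, so the two can drift apart; render them as `base passwd {{ ldap_user_tree }}` and `base shadow {{ ldap_user_tree }}`. `base group ou=posix,ou=groups,{{ ldap_base }}` has no matching variable, so either add one beside `ldap_user_tree` or leave a comment saying why it is fixed in the template. The `#ssl off` and `#tls_reqcert never` sample lines left in a file that is meant to verify against `tls_cacertfile` invite someone to simply uncomment them; drop them rather than ship the insecure values as the visible alternative. The TLS question for `uri {{ ldap_master_uri }}` is raised on the ldap.yml hunk.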