[sssd] Double ldap auth

group_vars/sssd.yml

@@ -0,0 +1,16 @@
+glob_sssd:
+  primary:
+    domain: tealc.adm.crans.org
+    servers:
+      - "{{ query('ldap','ip','tealc','adm') | ipv4 | first }}"
+      - "{{ query('ldap','ip','sam','adm') | ipv4 | first }}"
+      - "{{ query('ldap','ip','daniel','adm') | ipv4 | first }}"
+      - "{{ query('ldap','ip','jack','adm') | ipv4 | first }}"
+    base: "dc=crans,dc=org"
+  secondary:
+    domain: re2o-ldap.adm.crans.org
+    base: "dc=crans,dc=org"
+    bind:
+      dn: "cn=nslcd,ou=service-users,dc=crans,dc=org"
+      passwd: "{{ vault.ldap_nslcd_passwd }}"
+        

hosts

@@ -219,6 +219,9 @@ jack.adm.crans.org
 sputnik.adm.crans.org
 gulp.cachan-adm.crans.org
 
+[sssd]
+zamok-tmtc.adm.crans.org
+
 [thelounge]
 irc.adm.crans.org
 zamok.adm.crans.org
@@ -295,6 +298,8 @@ tracker.adm.crans.org
 vol447.adm.crans.org
 voyager.adm.crans.org
 yson-partou.adm.crans.org
+zamok-tmtc.adm.crans.org
+#unifi.adm.crans.org
 
 [crans_vm:children]
 routeurs_vm

roles/sssd/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Restart nslcd service
+  service:
+    name: nslcd
+    state: restarted
+
+- name: Restart sssd service
+  service:
+    name: sssd
+    state: restarted

roles/sssd/tasks/main.yml

@@ -0,0 +1,43 @@
+---
+- name: Install sssd and nslcd
+  apt:
+    update_cache: true
+    name:
+      - sssd
+      - libnss-ldapd
+      - libpam-ldapd
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure sssd
+  template:
+    src: sssd/sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: Restart sssd service
+
+- name: Configure nslcd for hosts
+  template:
+    src: nslcd.conf.j2
+    dest: /etc/nslcd.conf
+    mode: 0600
+  notify: Restart nslcd service
+
+- name: Configure NSS to use sss
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item.name }}:"
+    line: "{{ item.name }}:		{{ item.db }}"
+  loop:
+    - {name: passwd, db: files systemd sss}
+    - {name: group, db: files systemd sss}
+    - {name: shadow, db: files sss}
+    - {name: networks, db: files ldap}
+    - {name: hosts, db: files ldap dns}
+
+- name: Configure PAM authentication
+  template:
+    src: pam.d/common-password.j2
+    dest: /etc/pam.d/common-password

roles/sssd/templates/nslcd.conf.j2

@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+{% for server in sssd.primary.servers %}
+uri ldaps://{{ server }}/
+{% endfor %}
+
+# The search base that will be used for all queries.
+base {{ sssd.primary.base }}
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+tls_reqcert allow
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub

roles/sssd/templates/pam.d/common-password.j2

@@ -0,0 +1,37 @@
+{{ ansible_header | comment }}
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password        requisite                       pam_pwquality.so retry=3
+password        [success=3 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
+password        sufficient                      pam_sss.so use_authtok
+password        [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 try_first_pass
+# here's the fallback if no module succeeds
+password        requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password        required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

roles/sssd/templates/sssd/sssd.conf.j2

@@ -0,0 +1,31 @@
+{{ ansible_header | comment }}
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = {{ sssd.primary.domain }}, {{ sssd.secondary.domain }}
+
+[domain/{{ sssd.primary.domain }}]
+ldap_access_filter = (objectClass=posixAccount)
+enumerate = true
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldaps://{{ sssd.primary.domain }}
+ldap_search_base = {{ sssd.primary.base }}
+{% if sssd.primary.bind is defined -%}
+ldap_default_bind_dn = {{ sssd.primary.bind.dn }}
+ldap_default_authtok = {{ sssd.primary.bind.passwd }}
+{% endif %}
+ldap_tls_reqcert = allow
+
+[domain/{{ sssd.secondary.domain }}]
+ldap_access_filter = (objectClass=posixAccount)
+enumerate = true
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldaps://{{ sssd.secondary.domain }}
+ldap_search_base = {{ sssd.secondary.base }}
+{% if sssd.secondary.bind is defined -%}
+ldap_default_bind_dn = {{ sssd.secondary.bind.dn }}
+ldap_default_authtok = {{ sssd.secondary.bind.passwd }}
+{% endif %}
+ldap_tls_reqcert = allow