Remove sudo part of LDAP role

ldap.yml

@@ -13,6 +13,9 @@
     ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
     ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
 
+    # Group permissions
+    ssh_allow_groups: ssh nounou apprenti cableur root
+
     # Scripts will tell users to go there to manage their account
     intranet_url: 'https://intranet.crans.org/'
 
@@ -20,3 +23,7 @@
     ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
   roles:
     - ldap-client
+
+# Deploy LDAP replica
+- hosts: odlyd.adm.crans.org,soyouz.adm.crans.org,fy.adm.crans.org,thot.adm.crans.org
+  roles: []  # TODO

roles/ldap-client/tasks/group_security.yml

@@ -1,24 +0,0 @@
----
-# Filter SSH on groups
-- name: Filter SSH on groups
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: ^AllowGroups
-    line: AllowGroups ssh nounou apprenti cableur root
-    state: present
-
-# To gain root access with ldap rights
-- name: Install SUDO package
-  package:
-    name: sudo
-    state: present
-  register: package_result
-  retries: 3
-  until: package_result is succeeded
-
-# Set sudo group
-- name: Configure sudoers sudo group
-  template:
-    src: sudoers.j2
-    dest: /etc/sudoers
-    mode: 0440

roles/ldap-client/tasks/install_ldap.yml

@@ -31,5 +31,4 @@
     - passwd
     - group
     - shadow
-    - sudoers
   notify: Restart nslcd service

roles/ldap-client/tasks/main.yml

@@ -2,12 +2,17 @@
 # Install and configure main LDAP tools
 - include_tasks: install_ldap.yml
 
-# Filter who can access server and sudo on groups
-- include_tasks: group_security.yml
-
 # Some userland scripts specific to LDAP install
 - include_tasks: userland_scripts.yml
 
+# Filter SSH on groups
+- name: Filter SSH on groups
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: ^AllowGroups
+    line: "AllowGroups {{ ssh_allow_groups }}"
+    state: present
+
 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568577
 - name: Ensure home directories are created upon login
   lineinfile:

roles/ldap-client/templates/nslcd.conf.j2

@@ -14,8 +14,8 @@ uri {{ ldap_master_uri }}
 
 # The search base that will be used for all queries.
 base {{ ldap_base }}
-base passwd cn=Utilisateurs,{{ ldap_base }}
-base shadow cn=Utilisateurs,{{ ldap_base }}
+base passwd {{ ldap_user_tree }}
+base shadow {{ ldap_user_tree }}
 base group ou=posix,ou=groups,{{ ldap_base }}
 
 # The LDAP protocol version to use.

roles/ldap-client/templates/sudoers.j2

@@ -1,34 +0,0 @@
-# {{ ansible_managed }}
-#
-# This file MUST be edited with the 'visudo' command as root.
-#
-# Please consider adding local content in /etc/sudoers.d/ instead of
-# directly modifying this file.
-#
-# See the man page for details on how to write a sudoers file.
-#
-Defaults        env_keep += "DARCS_EMAIL EDITOR PYTHONIOENCODING GIT_*"
-Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-Defaults        passprompt_override
-Defaults        passprompt="[sudo] password for %p on %h: "
-
-# Host alias specification
-
-# User alias specification
-User_Alias      NOUNOUS= %nounou
-User_Alias      CABLEUR= %cableur
-User_Alias      ANCIEN= %ancien
-User_Alias      IMPRIMEURS= %imprimeurs
-User_Alias      BUREAU= %bureau
-
-Runas_Alias     USERS= %users
-
-# Cmnd alias specification
-
-# User privilege specification
-root    ALL=(ALL:ALL) ALL
-NOUNOUS    ALL=(ALL:ALL) ALL
-
-# See sudoers(5) for more information on "#include" directives:
-
-#includedir /etc/sudoers.d