From c6ec15d569f158f6477630a62af5eddc23f972b3 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Thu, 18 Apr 2019 13:26:05 +0200
Subject: [PATCH] Remove sudo part of LDAP role

---
 ldap.yml | 7 +++++
 roles/ldap-client/tasks/group_security.yml | 24 ---------------
 roles/ldap-client/tasks/install_ldap.yml | 1 -
 roles/ldap-client/tasks/main.yml | 11 +++++--
 roles/ldap-client/templates/nslcd.conf.j2 | 4 +--
 roles/ldap-client/templates/sudoers.j2 | 34 ----------------------
 6 files changed, 17 insertions(+), 64 deletions(-)
 delete mode 100644 roles/ldap-client/tasks/group_security.yml
 delete mode 100644 roles/ldap-client/templates/sudoers.j2

diff --git a/ldap.yml b/ldap.yml
index 3f613fff..08a890fa 100644
--- a/ldap.yml
+++ b/ldap.yml
@@ -13,6 +13,9 @@
 ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
 ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
 
+ # Group permissions
+ ssh_allow_groups: ssh nounou apprenti cableur root
+
 # Scripts will tell users to go there to manage their account
 intranet_url: 'https://intranet.crans.org/'
@@ -20,3 +23,7 @@
 ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
 roles:
 - ldap-client
+
+# Deploy LDAP replica
+- hosts: odlyd.adm.crans.org,soyouz.adm.crans.org,fy.adm.crans.org,thot.adm.crans.org
+ roles: [] # TODO
diff --git a/roles/ldap-client/tasks/group_security.yml b/roles/ldap-client/tasks/group_security.yml
deleted file mode 100644
index 08fb426c..00000000
--- a/roles/ldap-client/tasks/group_security.yml
+++ /dev/null
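Review bot: The `# Group permissions` comment above the new `ssh_allow_groups` var does not say what consumes the value or that, now that this commit stops managing sudoers, membership here only gates SSH logins; with `root` in the list a reader could take it for a privilege list. Suggest `# Groups allowed to open an SSH session (rendered into sshd_config AllowGroups by the ldap-client role); sudo rights are no longer managed by this role`. In the second hunk the added play has `roles: [] # TODO`, so against the four listed hosts it only gathers facts and changes nothing; a `name:` line saying it is a placeholder for the replica role would keep a playbook run's output self-explanatory.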
@@ -1,24 +0,0 @@
----
-# Filter SSH on groups
-- name: Filter SSH on groups
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: ^AllowGroups
- line: AllowGroups ssh nounou apprenti cableur root
- state: present
-
-# To gain root access with ldap rights
-- name: Install SUDO package
- package:
- name: sudo
- state: present
- register: package_result
- retries: 3
- until: package_result is succeeded
-
-# Set sudo group
-- name: Configure sudoers sudo group
- template:
- src: sudoers.j2
- dest: /etc/sudoers
- mode: 0440
diff --git a/roles/ldap-client/tasks/install_ldap.yml b/roles/ldap-client/tasks/install_ldap.yml
index cb9959c2..5e8dae38 100644
--- a/roles/ldap-client/tasks/install_ldap.yml
+++ b/roles/ldap-client/tasks/install_ldap.yml
@@ -31,5 +31,4 @@
 - passwd
 - group
 - shadow
- - sudoers
 notify: Restart nslcd service
diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml
index 7b79d34d..110ce8ac 100644
--- a/roles/ldap-client/tasks/main.yml
+++ b/roles/ldap-client/tasks/main.yml
@@ -2,12 +2,17 @@
 # Install and configure main LDAP tools
 - include_tasks: install_ldap.yml
 
-# Filter who can access server and sudo on groups
-- include_tasks: group_security.yml
-
 # Some userland scripts specific to LDAP install
 - include_tasks: userland_scripts.yml
 
+# Filter SSH on groups
+- name: Filter SSH on groups
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: ^AllowGroups
+ line: "AllowGroups {{ ssh_allow_groups }}"
+ state: present
+
 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568577
 - name: Ensure home directories are created upon login
 lineinfile:
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2
index 0a8c813c..594a6384 100644
--- a/roles/ldap-client/templates/nslcd.conf.j2
+++ b/roles/ldap-client/templates/nslcd.conf.j2
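Review bot: The new `Filter SSH on groups` task in main.yml rewrites the `AllowGroups` line of `/etc/ssh/sshd_config` but neither validates the result nor notifies a handler, so whatever `ssh_allow_groups` expands to is installed verbatim (the variable has no default in the role, only the play var added in ldap.yml) and the new value is only picked up at the next sshd reload. Add `validate: /usr/sbin/sshd -t -f %s` to the lineinfile task so a config sshd rejects is never written over the live one, a `notify:` to a handler that reloads sshd (none is visible in this patch; the role only shows `Restart nslcd service`), and a default for `ssh_allow_groups` in the role's defaults so the task cannot fail on an undefined variable. Deleting `group_security.yml` and the `sudoers` entry in the install_ldap.yml hunk (what looks like the nsswitch map list, not shown in full) stops managing those settings without undoing them: hosts provisioned before this commit keep the rendered `/etc/sudoers` with `NOUNOUS ALL=(ALL:ALL) ALL` and the `sudoers` map, so either add a one-off cleanup task or state in this file that sudo configuration is now owned elsewhere. The task list continues past the end of the hunk.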
@@ -14,8 +14,8 @@ uri {{ ldap_master_uri }}
 # The search base that will be used for all queries.
 base {{ ldap_base }}
-base passwd cn=Utilisateurs,{{ ldap_base }}
-base shadow cn=Utilisateurs,{{ ldap_base }}
+base passwd {{ ldap_user_tree }}
+base shadow {{ ldap_user_tree }}
 base group ou=posix,ou=groups,{{ ldap_base }}
 # The LDAP protocol version to use.
diff --git a/roles/ldap-client/templates/sudoers.j2 b/roles/ldap-client/templates/sudoers.j2
deleted file mode 100644
index 8eb1b8f2..00000000
--- a/roles/ldap-client/templates/sudoers.j2
+++ /dev/null
@@ -1,34 +0,0 @@
-# {{ ansible_managed }}
-#
-# This file MUST be edited with the 'visudo' command as root.
-#
-# Please consider adding local content in /etc/sudoers.d/ instead of
-# directly modifying this file.
-#
-# See the man page for details on how to write a sudoers file.
-#
-Defaults env_keep += "DARCS_EMAIL EDITOR PYTHONIOENCODING GIT_*"
-Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-Defaults passprompt_override
-Defaults passprompt="[sudo] password for %p on %h: "
-
-# Host alias specification
-
-# User alias specification
-User_Alias NOUNOUS= %nounou
-User_Alias CABLEUR= %cableur
-User_Alias ANCIEN= %ancien
-User_Alias IMPRIMEURS= %imprimeurs
-User_Alias BUREAU= %bureau
-
-Runas_Alias USERS= %users
-
-# Cmnd alias specification
-
-# User privilege specification
-root ALL=(ALL:ALL) ALL
-NOUNOUS ALL=(ALL:ALL) ALL
-
-# See sudoers(5) for more information on "#include" directives:
-
-#includedir /etc/sudoers.d
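Review bot: `base passwd` and `base shadow` now render `{{ ldap_user_tree }}`, but nothing in this patch defines `ldap_user_tree` (the ldap.yml hunks only add `ssh_allow_groups`); unless it is already set in inventory or group_vars not shown here, the template task fails on every host the role runs on. Either define it next to `ldap_base` in ldap.yml or give the role a default that reproduces the value the removed lines hard-coded, `ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"`, so the rendered search base does not change for existing hosts. `base group` on the following context line keeps the hard-coded `ou=posix,ou=groups,{{ ldap_base }}`; if the user tree is made configurable, the group tree probably deserves the same treatment for consistency.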