From ec238c1abb6d1692b3df5ef6029304ef5a37a041 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sun, 14 Apr 2019 11:05:02 +0200
Subject: [PATCH] Crans adpatation

---
 ldap.yml                                   |  8 ++---
 roles/ldap-client/tasks/group_security.yml |  9 +++--
 roles/ldap-client/templates/nslcd.conf.j2  |  8 ++++-
 roles/ldap-client/templates/sudoers.j2     | 34 ++++++++++++++++++++++
 4 files changed, 49 insertions(+), 10 deletions(-)
 create mode 100644 roles/ldap-client/templates/sudoers.j2

diff --git a/ldap.yml b/ldap.yml
index 8024d1f1..3f613fff 100644
--- a/ldap.yml
+++ b/ldap.yml
@@ -4,7 +4,10 @@
   vars:
     # LDAP binding
     ldap_base: 'dc=crans,dc=org'
-    ldap_master_ipv4: '10.128.0.11' # TODO
+    ldap_master_ipv4: '10.231.136.19'
+    ldap_local_replica_uri:
+      - "ldpa://10.231.136.38"
+      - "ldpa://10.231.136.4"
     ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
     ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
     ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
@@ -13,9 +16,6 @@
     # Scripts will tell users to go there to manage their account
     intranet_url: 'https://intranet.crans.org/'
-    # Users in that group will be able to `sudo`
-    sudo_group: 'sudoldap' # TODO
-
     # SSH keys for root account to use when LDAP is broken
     ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
   roles:
diff --git a/roles/ldap-client/tasks/group_security.yml b/roles/ldap-client/tasks/group_security.yml
index c2ffa67e..1fae4b1e 100644
--- a/roles/ldap-client/tasks/group_security.yml
+++ b/roles/ldap-client/tasks/group_security.yml
@@ -18,9 +18,8 @@
 # Set sudo group
 - name: Configure sudoers sudo group
-  lineinfile:
+  template:
+    src: sudoers.j2
     dest: /etc/sudoers
-    regexp: ^%{{ sudo_group }}
-    line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL"
-    state: present
-    validate: /usr/sbin/visudo -cf %s
+    mode: 0440
+    validate: /usr/sbin/visudo -cf %s
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2
index db05bdc3..0a8c813c 100644
--- a/roles/ldap-client/templates/nslcd.conf.j2
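Review bot: Both entries under the new ldap_local_replica_uri use the scheme `ldpa://`, which no LDAP client library accepts, so whatever consumes this list will fail to reach the replicas; they should read `- "ldap://10.231.136.38"` and `- "ldap://10.231.136.4"`. Nothing in this patch references the new variable, so whether nslcd.conf.j2 actually consumes it cannot be confirmed from here. ldap_master_uri also remains plain `ldap://`, and since the `ssl` directive in nslcd.conf.j2 is still commented out in this same patch, the nslcd bind password travels unencrypted unless the uri lines (outside the visible hunks) use ldaps:// or the template sets `ssl start_tls`.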
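Review bot: `mode: 0440` is an unquoted octal literal, which the YAML loader turns into the integer 288 before Ansible sees it and which Ansible's own docs say is applied unreliably; write it as the string `mode: "0440"`. Because the task now renders the whole of /etc/sudoers from the template instead of managing a single line, any rules added locally on a host are silently discarded on the next run; the `validate:` step guards syntax but not that loss, and since the new template keeps `#includedir /etc/sudoers.d`, host-specific rules belong there. Adding `owner: root` and `group: root` would pin the ownership sudo requires rather than relying on whatever the previous file had. The rest of the task file lies outside this hunk.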
+++ b/roles/ldap-client/templates/nslcd.conf.j2
@@ -21,6 +21,12 @@ base group ou=posix,ou=groups,{{ ldap_base }}
 # The LDAP protocol version to use.
 ldap_version 3
+# Time limit to wait for an answer
+timelimit 5
+
+# Time limit to wait for a bind
+bind_timelimit 5
+
 # The DN to bind with for normal lookups.
 binddn {{ ldap_nslcd_bind_dn }}
 bindpw {{ ldap_nslcd_passwd }}
@@ -30,7 +36,7 @@ bindpw {{ ldap_nslcd_passwd }}
 # SSL options
 #ssl off
-#tls_reqcert never
+tls_reqcert allow
 tls_cacertfile /etc/ssl/certs/ca-certificates.crt
 # The search scope.
diff --git a/roles/ldap-client/templates/sudoers.j2 b/roles/ldap-client/templates/sudoers.j2
new file mode 100644
index 00000000..8eb1b8f2
--- /dev/null
+++ b/roles/ldap-client/templates/sudoers.j2
@@ -0,0 +1,34 @@
+# {{ ansible_managed }}
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_keep += "DARCS_EMAIL EDITOR PYTHONIOENCODING GIT_*"
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+Defaults passprompt_override
+Defaults passprompt="[sudo] password for %p on %h: "
+
+# Host alias specification
+
+# User alias specification
+User_Alias NOUNOUS= %nounou
+User_Alias CABLEUR= %cableur
+User_Alias ANCIEN= %ancien
+User_Alias IMPRIMEURS= %imprimeurs
+User_Alias BUREAU= %bureau
+
+Runas_Alias USERS= %users
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+NOUNOUS ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
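Review bot: `tls_reqcert allow` tells nslcd to request the server certificate but continue even when it fails validation, so the `tls_cacertfile` on the next line no longer authenticates the LDAP server and an interposed host would be accepted along with everything it returns for account and group lookups. With the CA bundle configured the value should be `tls_reqcert demand`; if the replicas present certificates that do not chain to ca-certificates.crt, the fix is to correct the certificates or point tls_cacertfile at the right CA rather than relaxing verification. Note that `ssl` is still commented out a few lines above, so unless the uri lines outside this hunk use ldaps:// this setting has no effect at all and the connection is plaintext.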
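Review bot: `Defaults env_keep += "DARCS_EMAIL EDITOR PYTHONIOENCODING GIT_*"` preserves every GIT_-prefixed variable across sudo, including ones that tell git which executables to run (GIT_SSH, GIT_EXEC_PATH); this is moot while the only non-root rule is `NOUNOUS ALL=(ALL:ALL) ALL`, but it becomes an escape from any restricted command rule later added for CABLEUR, ANCIEN, IMPRIMEURS, BUREAU or the USERS Runas_Alias, all of which are declared in this file and never used. Listing only the variables actually needed (for example `GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL`) and dropping the unused aliases keeps the file's exposure equal to its rules. The group names (nounou, cableur, …) are hard-coded rather than taken from role variables, so the template cannot be reused for another deployment without editing it; consider parameterizing them in the role defaults.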