Crans adpatation

2019-04-14 11:05:02 +02:00 · 2019-04-14 11:05:02 +02:00 · ec238c1abb
parent 5564f48e0d
commit ec238c1abb
4 changed files with 49 additions and 10 deletions
--- a/ldap.yml
+++ b/ldap.yml
@ -4,7 +4,10 @@
  vars:
    # LDAP binding
    ldap_base: 'dc=crans,dc=org'
-    ldap_master_ipv4: '10.128.0.11'  # TODO
+    ldap_master_ipv4: '10.231.136.19'
+    ldap_local_replica_uri:
+      - "ldpa://10.231.136.38"
+      - "ldpa://10.231.136.4"
    ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
    ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
    ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
@ -13,9 +16,6 @@
    # Scripts will tell users to go there to manage their account
    intranet_url: 'https://intranet.crans.org/'

-    # Users in that group will be able to `sudo`
-    sudo_group: 'sudoldap'  # TODO
-
    # SSH keys for root account to use when LDAP is broken
    ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
  roles:
--- a/roles/ldap-client/tasks/group_security.yml
+++ b/roles/ldap-client/tasks/group_security.yml
@ -18,9 +18,8 @@

 # Set sudo group
 - name: Configure sudoers sudo group
-  lineinfile:
+  template:
+    src: sudoers.j2
    dest: /etc/sudoers
-    regexp: ^%{{ sudo_group }}
-    line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL"
-    state: present
+    mode: 0440
  validate: /usr/sbin/visudo -cf %s
--- a/roles/ldap-client/templates/nslcd.conf.j2
+++ b/roles/ldap-client/templates/nslcd.conf.j2
@ -21,6 +21,12 @@ base group ou=posix,ou=groups,{{ ldap_base }}
 # The LDAP protocol version to use.
 ldap_version 3

+# Time limit to wait for an answer
+timelimit 5
+
+# Time limit to wait for a bind
+bind_timelimit 5
+
 # The DN to bind with for normal lookups.
 binddn {{ ldap_nslcd_bind_dn }}
 bindpw {{ ldap_nslcd_passwd }}
@ -30,7 +36,7 @@ bindpw {{ ldap_nslcd_passwd }}

 # SSL options
 #ssl off
-#tls_reqcert never
+tls_reqcert allow
 tls_cacertfile /etc/ssl/certs/ca-certificates.crt

 # The search scope.
--- a/roles/ldap-client/templates/sudoers.j2
+++ b/roles/ldap-client/templates/sudoers.j2
@ -0,0 +1,34 @@
+# {{ ansible_managed }}
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults        env_keep += "DARCS_EMAIL EDITOR PYTHONIOENCODING GIT_*"
+Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+Defaults        passprompt_override
+Defaults        passprompt="[sudo] password for %p on %h: "
+
+# Host alias specification
+
+# User alias specification
+User_Alias      NOUNOUS= %nounou
+User_Alias      CABLEUR= %cableur
+User_Alias      ANCIEN= %ancien
+User_Alias      IMPRIMEURS= %imprimeurs
+User_Alias      BUREAU= %bureau
+
+Runas_Alias     USERS= %users
+
+# Cmnd alias specification
+
+# User privilege specification
+root    ALL=(ALL:ALL) ALL
+NOUNOUS    ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d