Commit 1636512c authored by klafyvel's avatar klafyvel

LDAP

parent 01bc294d
......@@ -81,5 +81,5 @@ Ce playbook réalise les opérations usuelles après une installation de machine
* Installation de ZSH; [v]
* Installation de Vim [v]
* Installation d'apticron; [v]
* Déploiement du motd Rézo.
* Déploiement du motd Rézo. [v]
[all:vars]
[gateways]
10.7.57.54
10.7.54.57
......@@ -11,3 +14,7 @@
[gitlab]
[federez]
[ldap_servers]
ldap.rezometz.org main=true
ldap-ro.rezometz.org
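Review bot: The `main=true` host variable on `ldap.rezometz.org` is not consumed anywhere in this commit; the nslcd template added alongside it loops over every member of `ldap_servers` and emits one `uri` line per host in inventory order, so inventory order, not this variable, decides which server nslcd contacts first. Either drop the variable or make the ordering explicit with a comment above the group, e.g. `# listed first = tried first by nslcd`. The `ldap_servers` group must be non-empty on every run, since the template indexes `groups["ldap_servers"]` directly.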
......@@ -4,8 +4,12 @@
# précisions.
---
- hosts: all
- hosts: gateways
remote_user: root
vars_prompt:
- name: ldap_password
prompt: "Enter ldap password"
private: yes
tasks:
- name: Upgrade the machine
apt:
......@@ -28,4 +32,6 @@
name: apticron
- include_role:
name: motd
- include_role:
name: ldap
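Review bot: In the `vars_prompt` block `private: yes` should be written `private: true`; `yes` is a YAML 1.1 boolean that yamllint's truthy rule and Ansible's own style guide both reject. The prompt fires on every run of this play, including runs that never reach the ldap role, and a mistyped value is written straight into the rendered nslcd.conf as the bind password, so adding `confirm: true` to the prompt is cheap insurance. The play continues past the second hunk; the `include_role` for ldap is the last visible task.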
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files ldap
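Review bot: `sudoers: files ldap` only takes effect with an LDAP-aware sudo build; the tasks in this commit install libnss-ldapd, libpam-ldapd and nslcd but nothing for sudo, so on a stock sudo the `ldap` source is silently ignored and any sudo rules defined in LDAP will not apply. Either install the LDAP-enabled sudo the distribution provides or drop `ldap` from that line so the file documents what is actually in effect. Since the copy task replaces the whole file, a first line such as `# managed by the ansible ldap role, do not edit by hand` would also help the next admin.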
- name: Install libnss-ldapd
apt:
name: libnss-ldapd,libpam-ldapd,nslcd
- name: Stop nscd service
service:
name: nscd
state: stopped
- name: Copy nsswitch.conf
copy:
dest: /etc/nsswitch.conf
src: nsswitch.conf
mode: 0640
- name: configure nslcd
template:
src: nslcd.conf.j2
dest: /etc/nslcd.conf
mode: 0640
- name: Restart nslcd service
service:
name: nslcd
state: restarted
- name: Start nscd service
service:
name: nscd
state: started
- name: Allow rezo group to ssh on the server
lineinfile:
dest: /etc/ssh/sshd_config
line: AllowGroups ssh rezo
- name: Add root to the ssh group
user:
name: root
group: ssh
append: yes
- name: Restart ssh
service:
name: ssh
state: restarted
- name: Create /home/ at first login
lineinfile:
dest: /etc/pam.d/common-session
line: session required pam_mkhomedir.so skel=/etc/skel umask=0022
- name: Set the adm group as admins
lineinfile:
path: /etc/sudoers
backup: yes
line: "%adm ALL=(ALL:ALL) ALL"
validate: visudo -q -c -f %s
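Review bot: The `Add root to the ssh group` task sets `group: ssh`, which changes root's primary group; `append: yes` only applies to the `groups` list and has no effect here. Use `groups: ssh` with `append: true` so ssh becomes a supplementary group and root's primary group is left as root. The sshd_config edit just before it has no `validate:` while `Restart ssh` is unconditional, which risks locking out the host on a bad config; add `validate: /usr/sbin/sshd -t -f %s` the way the sudoers task already validates with visudo. The remaining `yes` booleans and the unquoted `0640` modes should be `true` and `"0640"` so they do not depend on YAML 1.1 implicit typing.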
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
{% for server in groups["ldap_servers"] %}
uri ldap://{{server}}
{% endfor %}
# The search base that will be used for all queries.
base dc=ldap,dc=rezometz,dc=org
# The LDAP protocol version to use.
ldap_version 3
# The DN to bind with for normal lookups.
binddn cn=nssauth,ou=service-users,dc=ldap,dc=rezometz,dc=org
bindpw {{ldap_password}}
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub
base passwd cn=Utilisateurs,dc=ldap,dc=rezometz,dc=org
base shadow cn=Utilisateurs,dc=ldap,dc=rezometz,dc=org
base group ou=posix,ou=groups,dc=ldap,dc=rezometz,dc=org
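Review bot: `bindpw {{ldap_password}}` writes the prompted password in cleartext, and the task that renders this template sets `mode: 0640` but no `owner` or `group`, while the `uid nslcd`/`gid nslcd` lines show the daemon runs unprivileged; unless the package-created file's ownership happens to survive the template step, nslcd cannot read its own bind password. Set `owner: root` and `group: nslcd` on that template task so the file is readable by the daemon and by nobody else. A first line of `# {{ ansible_managed }}` would also warn administrators that local edits are overwritten on the next run.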