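---
# Playbook for the auth1 host: base networking/NFS, then an OpenLDAP
# directory (slapd + nslcd/nscd clients) and a Kerberos KDC/kadmin server,
# wired together through SASL/GSSAPI for slapd.
- hosts: auth1
  tasks:
    - name: setup networking
      import_role:
        name: ../roles/network_setup
      vars:
        ipv4_addr: "{{ auth1_ipv4_addr }}"

    - name: mount NFS
      import_role:
        name: ../roles/nfs_setup

    # ------------------------------------------------------------------
    # LDAP
    # ------------------------------------------------------------------
    - name: install LDAP packages
      apt:
        # Passing the list directly lets apt resolve everything in a single
        # transaction instead of one apt run per package.
        name:
          - slapd
          - ldap-utils
          - ldapvi
          - libnss-ldapd
          - nscd
          - sudo-ldap

    - name: copy slapd.conf
      template:
        src: ldap/slapd.conf.j2
        dest: /etc/ldap/slapd.conf
        owner: openldap
        group: openldap
      notify: restart slapd

    # slapd.conf and slapd.d (cn=config) are mutually exclusive; the
    # dynamic config directory is moved aside so the static file is used.
    - name: move slapd.d directory
      command:
        cmd: mv /etc/ldap/slapd.d /etc/ldap/slapd.d.bak
        removes: /etc/ldap/slapd.d
      notify: restart slapd

    - name: copy sudo.schema
      copy:
        remote_src: true
        src: /usr/share/doc/sudo-ldap/schema.OpenLDAP
        dest: /etc/ldap/schema/sudo.schema
        owner: openldap
        group: openldap
      notify: restart slapd

    - name: copy other schemas
      copy:
        src: "ldap/{{ item }}"
        dest: "/etc/ldap/schema/{{ item }}"
        owner: openldap
        group: openldap
      loop:
        - rfc2307bis.schema
        - csc.schema
      notify: restart slapd

    - name: make sure slapd is running
      systemd:
        name: slapd
        state: started

    # Read-only probe: a zero exit status means the server is still serving
    # the packaged cn=config database, which the tasks below then replace.
    - name: determine if cn=config is present
      command: ldapsearch -LLLQ -Y EXTERNAL -H ldapi:/// -b cn=config -s base
      ignore_errors: true
      changed_when: false
      register: cn_config_cmd

    - name: stop slapd
      systemd:
        name: slapd
        state: stopped
      when: cn_config_cmd.rc == 0

    - name: purge old slapd database
      shell: rm /var/lib/ldap/*
      when: cn_config_cmd.rc == 0
      notify: restart slapd

    - name: copy DB_CONFIG
      copy:
        remote_src: true
        src: /usr/share/slapd/DB_CONFIG
        dest: /var/lib/ldap/DB_CONFIG
        owner: openldap
        group: openldap
      notify: restart slapd

    - name: copy ldap.conf
      template:
        src: ldap/ldap.conf.j2
        dest: /etc/ldap/ldap.conf
      notify:
        - restart nslcd
        - restart nscd

    - name: add SUDOERS_BASE to ldap.conf
      lineinfile:
        path: /etc/ldap/ldap.conf
        line: "SUDOERS_BASE ou=SUDOers,{{ ldap_base }}"

    - name: add member->uniqueMember map
      lineinfile:
        path: /etc/nslcd.conf
        line: map group member uniqueMember
      notify: restart nslcd

    - name: copy nsswitch.conf
      copy:
        src: ldap/nsswitch.conf
        dest: /etc/nsswitch.conf
      notify: restart nslcd

    # NOTE(review): the nslcd link is plain ldap:// (no ldaps:// / STARTTLS
    # option is set here); confirm the deployment relies on something else
    # to protect this connection.
    - name: specify URI in nslcd.conf
      replace:
        path: /etc/nslcd.conf
        regexp: '^uri .*$'
        replace: "uri ldap://ldap1.{{ base_domain }}"
      notify: restart nslcd

    - name: disable mail_badpass for sudo
      replace:
        path: /etc/sudoers
        regexp: "^(Defaults\\s+mail_badpass)$"
        replace: "#\\1"
        # A syntactically broken sudoers locks everyone out of sudo; let
        # visudo reject the edit before it is written into place.
        validate: /usr/sbin/visudo -cf %s

    - meta: flush_handlers

    - name: copy LDIF data
      template:
        src: ldap/data.ldif.j2
        dest: /etc/ldap/data.ldif

    # `-c` continues past entries that already exist, and `|| true` keeps
    # the re-run from failing on them; genuine load errors are therefore
    # not reported by this task.
    - name: load LDIF data
      shell: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:/// || true

    # ------------------------------------------------------------------
    # Kerberos
    # ------------------------------------------------------------------
    - name: install Kerberos packages
      apt:
        name:
          - krb5-admin-server
          - krb5-user
          - libpam-krb5
          - libsasl2-modules-gssapi-mit
          - sasl2-bin

    - name: override systemd services for Kerberos
      import_role:
        name: ../roles/systemd_workarounds
      vars:
        services: ["krb5-admin-server", "krb5-kdc"]

    - name: copy krb5.conf
      template:
        src: kerberos/krb5.conf.j2
        dest: /etc/krb5.conf
      notify:
        - restart kadmin

    - name: copy kdc.conf
      template:
        src: kerberos/kdc.conf.j2
        dest: /etc/krb5kdc/kdc.conf
      notify:
        - restart kdc

    - name: copy kadm5.acl
      copy:
        src: kerberos/kadm5.acl
        dest: /etc/krb5kdc/kadm5.acl
      notify:
        - restart kdc

    # NOTE(review): the master key and principal passwords below are
    # literal in this playbook; if this is more than a throwaway lab,
    # move them to vaulted variables. no_log keeps them out of task output.
    - name: create new realm
      command:
        cmd: krb5_newrealm
        # This is the KDC database master key
        stdin: |
          krb5
          krb5
        creates: /var/lib/krb5kdc/principal
      no_log: true

    - meta: flush_handlers

    - name: add default policy
      command:
        cmd: kadmin.local
        stdin: |
          addpol -minlength 4 default

    - name: add sysadmin principal
      command:
        cmd: kadmin.local
        stdin: |
          addprinc sysadmin/admin
          krb5
          krb5
      no_log: true

    # TODO: add more users
    - name: add user principals
      command:
        cmd: kadmin.local
        stdin: |
          addprinc {{ item }}
          krb5
          krb5
      loop:
        - ctdalek
        - regular1
      no_log: true

    - name: add host principals
      command:
        cmd: kadmin.local
        stdin: |
          addprinc -randkey host/auth1.{{ base_domain }}
          addprinc -randkey ldap/auth1.{{ base_domain }}

    - name: copy keytab to host
      command:
        cmd: kadmin.local
        stdin: |
          ktadd host/auth1.{{ base_domain }}
          ktadd ldap/auth1.{{ base_domain }}

    - name: create keytab group
      group:
        name: keytab

    - name: allow users in keytab group to read keytab
      file:
        path: /etc/krb5.keytab
        group: keytab
        # Quoted so the mode is not parsed as a YAML 1.1 octal integer.
        mode: "0640"

    # slapd needs the keytab (GSSAPI) and the saslauthd socket (group sasl).
    # `append` adds these groups instead of replacing the user's group list.
    - name: add openldap user to necessary groups
      user:
        name: openldap
        groups:
          - keytab
          - sasl
        append: true
      notify:
        - restart slapd

    - name: create /usr/lib/sasl2/slapd.conf
      copy:
        content: |
          mech_list: plain login gssapi external
          pwcheck_method: saslauthd
        dest: /usr/lib/sasl2/slapd.conf
      notify:
        - restart slapd

    - name: add config for saslauthd
      replace:
        path: /etc/default/saslauthd
        regexp: "^{{ item.key }}=.*$"
        replace: "{{ item.key }}={{ item.value }}"
      loop:
        - key: START
          value: 'yes'
        - key: MECHANISMS
          value: '"kerberos5"'
      notify:
        - restart saslauthd

    - name: add miscellaneous auth-related configs
      import_role:
        name: ../roles/auth_setup

  handlers:
    - name: restart slapd
      systemd:
        name: slapd
        state: restarted

    - name: restart nslcd
      systemd:
        name: nslcd
        state: restarted

    - name: restart nscd
      systemd:
        name: nscd
        state: restarted

    - name: restart kadmin
      systemd:
        name: krb5-admin-server
        state: restarted

    - name: restart kdc
      systemd:
        name: krb5-kdc
        state: restarted

    - name: restart saslauthd
      systemd:
        name: saslauthd
        state: restarted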