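---
# Provision the auth1 host: shared networking/NFS roles, then an OpenLDAP
# server driven by a slapd.conf (the packaged cn=config directory is moved
# aside and the old database purged), the nslcd/nscd/sudo-ldap client wiring,
# and a Kerberos KDC with kadmin, host/ldap service principals and SASL/GSSAPI
# for slapd.
#
# Optional variables (defaults reproduce the values this play used to hard-code):
#   krb5_master_password  - KDC database master key handed to krb5_newrealm
#   krb5_default_password - initial password for sysadmin/admin and user principals
# The default for both is the literal string "krb5", which is only acceptable
# for a throwaway lab. Anywhere else, supply them from Ansible Vault and keep
# `no_log: true` on the tasks that consume them so they never reach the logs.
# Expected from inventory/group vars: auth1_ipv4_addr, ldap_base, base_domain.
- hosts: auth1
  tasks:
    - name: setup networking
      import_role:
        name: ../roles/network_setup
      vars:
        ipv4_addr: "{{ auth1_ipv4_addr }}"

    - name: mount NFS
      import_role:
        name: ../roles/nfs_setup

    # LDAP
    - name: install LDAP packages
      # One apt transaction instead of invoking the module once per package.
      apt:
        name:
          - slapd
          - ldap-utils
          - ldapvi
          - libnss-ldapd
          - nscd
          - sudo-ldap

    - name: copy slapd.conf
      # A slapd.conf typically carries a rootpw directive, so keep it readable
      # only by the openldap owner/group rather than the umask default.
      template:
        src: ldap/slapd.conf.j2
        dest: /etc/ldap/slapd.conf
        owner: openldap
        group: openldap
        mode: "0640"
      notify: restart slapd

    - name: move slapd.d directory
      # Presumably so slapd reads slapd.conf instead of the cn=config tree.
      # `removes` makes this a no-op once the directory is gone.
      command:
        cmd: mv /etc/ldap/slapd.d /etc/ldap/slapd.d.bak
        removes: /etc/ldap/slapd.d
      notify: restart slapd

    - name: copy sudo.schema
      copy:
        remote_src: true
        src: /usr/share/doc/sudo-ldap/schema.OpenLDAP
        dest: /etc/ldap/schema/sudo.schema
        owner: openldap
        group: openldap
      notify: restart slapd

    - name: copy other schemas
      copy:
        src: "ldap/{{ item }}"
        dest: "/etc/ldap/schema/{{ item }}"
        owner: openldap
        group: openldap
      loop:
        - rfc2307bis.schema
        - csc.schema
      notify: restart slapd

    - name: make sure slapd is running
      systemd:
        name: slapd
        state: started

    - name: determine if cn=config is present
      # Read-only probe over the local ldapi socket. A non-zero rc simply
      # means "no cn=config", so it must neither fail the play nor count
      # as a change; only `.rc` is consumed below.
      command: ldapsearch -LLLQ -Y EXTERNAL -H ldapi:/// -b cn=config -s base
      register: cn_config_cmd
      failed_when: false
      changed_when: false

    - name: stop slapd
      systemd:
        name: slapd
        state: stopped
      when: cn_config_cmd.rc == 0

    - name: purge old slapd database
      # shell is needed for the glob. `-f` stops an already-empty directory
      # from failing the task; DB_CONFIG is recreated by the next task.
      shell: rm -f -- /var/lib/ldap/*
      when: cn_config_cmd.rc == 0
      notify: restart slapd

    - name: copy DB_CONFIG
      copy:
        remote_src: true
        src: /usr/share/slapd/DB_CONFIG
        dest: /var/lib/ldap/DB_CONFIG
        owner: openldap
        group: openldap
      notify: restart slapd

    - name: copy ldap.conf
      template:
        src: ldap/ldap.conf.j2
        dest: /etc/ldap/ldap.conf
      notify:
        - restart nslcd
        - restart nscd

    - name: add SUDOERS_BASE to ldap.conf
      lineinfile:
        path: /etc/ldap/ldap.conf
        line: "SUDOERS_BASE ou=SUDOers,{{ ldap_base }}"

    - name: add member->uniqueMember map
      lineinfile:
        path: /etc/nslcd.conf
        line: map group member uniqueMember
      notify: restart nslcd

    - name: copy nsswitch.conf
      copy:
        src: ldap/nsswitch.conf
        dest: /etc/nsswitch.conf
      notify: restart nslcd

    - name: specify URI in nslcd.conf
      # NOTE(review): this points nslcd at plain ldap:// and nothing in this
      # play sets ssl/tls_* in nslcd.conf, so NSS lookups (and any bind
      # credentials in the file) go over the wire in cleartext unless a role
      # or template not visible here enables TLS - confirm.
      replace:
        path: /etc/nslcd.conf
        regexp: '^uri .*$'
        replace: "uri ldap://ldap1.{{ base_domain }}"
      notify: restart nslcd

    - name: disable mail_badpass for sudo
      replace:
        path: /etc/sudoers
        regexp: '^(Defaults\s+mail_badpass)$'
        replace: '#\1'

    - meta: flush_handlers

    - name: copy LDIF data
      # The rendered LDIF may contain userPassword values; root-only is
      # sufficient because the ldapadd below runs under the same account as
      # the rest of the play.
      template:
        src: ldap/data.ldif.j2
        dest: /etc/ldap/data.ldif
        owner: root
        group: root
        mode: "0600"

    - name: load LDIF data
      # `-c` continues past entries that already exist, which is what makes
      # re-runs work, but it also makes ldapadd exit non-zero on every re-run,
      # so the task is never fatal (as before with `|| true`). Registering the
      # result at least keeps rc/stderr visible under -v, so a bind or ACL
      # problem is no longer completely swallowed.
      command: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:///
      register: ldif_load
      failed_when: false

    # Kerberos
    - name: install Kerberos packages
      apt:
        name:
          - krb5-admin-server
          - krb5-user
          - libpam-krb5
          - libsasl2-modules-gssapi-mit
          - sasl2-bin

    - name: override systemd services for Kerberos
      import_role:
        name: ../roles/systemd_workarounds
      vars:
        services:
          - krb5-admin-server
          - krb5-kdc

    - name: copy krb5.conf
      template:
        src: kerberos/krb5.conf.j2
        dest: /etc/krb5.conf
      notify:
        - restart kadmin

    - name: copy kdc.conf
      template:
        src: kerberos/kdc.conf.j2
        dest: /etc/krb5kdc/kdc.conf
      notify:
        - restart kdc

    - name: copy kadm5.acl
      copy:
        src: kerberos/kadm5.acl
        dest: /etc/krb5kdc/kadm5.acl
      notify:
        - restart kdc

    - name: create new realm
      # krb5_newrealm asks for the KDC database master key twice; it is fed on
      # stdin, so `no_log` keeps it out of the task output. `creates` limits
      # this to the first run, before the principal database exists.
      command:
        cmd: krb5_newrealm
        stdin: |
          {{ krb5_master_password | default('krb5') }}
          {{ krb5_master_password | default('krb5') }}
        creates: /var/lib/krb5kdc/principal
      no_log: true

    - meta: flush_handlers

    - name: add default policy
      # NOTE(review): a 4-character minimum is a lab setting; raise it (and
      # consider -minclasses / -history) wherever real users authenticate.
      # kadmin.local tends to exit 0 even when its sub-command fails, so an
      # "already exists" message on stderr is what marks a re-run as unchanged.
      command:
        cmd: kadmin.local
        stdin: |
          addpol -minlength 4 default
      register: addpol_cmd
      changed_when: "'already exists' not in (addpol_cmd.stderr | lower)"

    - name: add sysadmin principal
      command:
        cmd: kadmin.local
        stdin: |
          addprinc sysadmin/admin
          {{ krb5_default_password | default('krb5') }}
          {{ krb5_default_password | default('krb5') }}
      register: addprinc_admin
      changed_when: "'already exists' not in (addprinc_admin.stderr | lower)"
      no_log: true

    # TODO: add more users
    - name: add user principals
      command:
        cmd: kadmin.local
        stdin: |
          addprinc {{ item }}
          {{ krb5_default_password | default('krb5') }}
          {{ krb5_default_password | default('krb5') }}
      loop:
        - ctdalek
        - regular1
      register: addprinc_user
      changed_when: "'already exists' not in (addprinc_user.stderr | lower)"
      no_log: true

    - name: add host principals
      command:
        cmd: kadmin.local
        stdin: |
          addprinc -randkey host/auth1.{{ base_domain }}
          addprinc -randkey ldap/auth1.{{ base_domain }}
      register: addprinc_host
      changed_when: "'already exists' not in (addprinc_host.stderr | lower)"

    - name: copy keytab to host
      # ktadd re-randomizes the principal's key (new kvno) each time it runs,
      # which would invalidate tickets issued against the previous key on
      # every replay of this play; only run it while the keytab is absent.
      command:
        cmd: kadmin.local
        stdin: |
          ktadd host/auth1.{{ base_domain }}
          ktadd ldap/auth1.{{ base_domain }}
        creates: /etc/krb5.keytab

    - name: create keytab group
      group:
        name: keytab

    - name: allow users in keytab group to read keytab
      file:
        path: /etc/krb5.keytab
        group: keytab
        mode: "0640"

    - name: add openldap user to necessary groups
      # `append` keeps any supplementary groups openldap already has; without
      # it the user module replaces the entire group list with these two.
      user:
        name: openldap
        groups:
          - keytab
          - sasl
        append: true
      notify:
        - restart slapd

    - name: create /usr/lib/sasl2/slapd.conf
      # NOTE(review): PLAIN and LOGIN hand the raw password to slapd and are
      # only safe over TLS or the local ldapi socket. Nothing visible in this
      # play enables TLS for slapd (slapd.conf.j2 might) - confirm before
      # exposing ldap:// to the network.
      copy:
        content: |
          mech_list: plain login gssapi external
          pwcheck_method: saslauthd
        dest: /usr/lib/sasl2/slapd.conf
      notify:
        - restart slapd

    - name: add config for saslauthd
      replace:
        path: /etc/default/saslauthd
        regexp: "^{{ item.key }}=.*$"
        replace: "{{ item.key }}={{ item.value }}"
      loop:
        - key: START
          value: 'yes'
        - key: MECHANISMS
          value: '"kerberos5"'
      notify:
        - restart saslauthd

    - name: add miscellaneous auth-related configs
      import_role:
        name: ../roles/auth_setup

  handlers:
    - name: restart slapd
      systemd:
        name: slapd
        state: restarted

    - name: restart nslcd
      systemd:
        name: nslcd
        state: restarted

    - name: restart nscd
      systemd:
        name: nscd
        state: restarted

    - name: restart kadmin
      systemd:
        name: krb5-admin-server
        state: restarted

    - name: restart kdc
      systemd:
        name: krb5-kdc
        state: restarted

    - name: restart saslauthd
      systemd:
        name: saslauthd
        state: restarted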