---
# sssd is installed before its configuration is copied; the "Start sssd"
# handler (defined outside this file) only fires when this task reports a
# change, i.e. on the first install, and runs at the end of the play once
# sssd.conf is in place.
- name: Install sssd
  apt:
    name: sssd
    # NOTE(review): cache_valid_time only implies update_cache on Ansible
    # 2.4 and later; on older releases it does nothing without
    # update_cache — confirm the target version.
    cache_valid_time: 3600
  notify: Start sssd

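# Leftovers from a pre-sssd LDAP/nslcd setup.  Removing them keeps the
# pam_ldap modules from staying in the PAM stack next to pam_sss
# (presumably — the common-auth side is not managed in this file).
- name: Remove unecessary authentication packages
  apt:
    # A single list is one apt transaction instead of a package-per-item
    # loop; end state is identical.
    name:
      - libpam-ldapd
      - libpam-ldap
      - nscd
      - nslcd
    state: absent
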
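# Client tooling for Kerberos/LDAP plus the site PAM module.  Installed as
# one list so apt resolves them in a single transaction.
- name: Install authentication packages
  apt:
    name:
      - sssd-tools
      - krb5-user
      - ldap-utils
      - kstart
      - sudo
      # Provides pam_csc.so, referenced in common-account below.  Not a
      # Debian package — presumably from a site-local repository; confirm
      # that repository is signed and pinned.
      - libpam-csc
    # NOTE(review): implies update_cache only on Ansible >= 2.4.
    cache_valid_time: 3600
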
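# sssd checks the ownership and mode of its config at startup (per upstream
# docs it rejects anything other than root-owned 0600), so owner/group/mode
# here are a hard requirement, not optional hardening.
# NOTE(review): if files/sssd.conf carries an LDAP bind password
# (ldap_default_authtok), it belongs in a vaulted variable rather than a
# plain file in the role — confirm.
- name: Configure sssd
  copy:
    src: sssd.conf
    dest: /etc/sssd/sssd.conf
    owner: root
    group: root
    # Quoted on purpose: an unquoted 0600 is an octal integer to a YAML 1.1
    # loader and decimal 600 to a YAML 1.2 loader; Ansible documents file
    # modes as quoted strings for exactly this reason.
    mode: '0600'
  notify:
    - Restart sssd
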
# Hosts in the "syscom" inventory group: only local system accounts
# (uid < 10000) and members of the syscom group pass the account phase;
# everyone else hits pam_deny.  blockinfile appends the block at the end of
# common-account (no insertafter/insertbefore), after the distribution
# managed stack, using the default marker — the same marker the general
# variant below uses, so a host that changes inventory group gets the block
# replaced rather than duplicated.
# NOTE(review): pam-auth-update may rewrite common-account when PAM
# profiles change; if the block were dropped the restriction would
# silently fall back to the distribution default — confirm the file is
# left alone by package upgrades.
- name: Configure PAM (syscom)
  blockinfile:
    dest: /etc/pam.d/common-account
    block: |
      # only allow system accounts and members of the systems committee
      account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
      account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
      account required pam_deny.so
  when: "'syscom' in group_names"

# All other hosts: system accounts and syscom members skip the membership
# check (success=2 / success=1 jump past pam_csc), everyone else must be
# accepted by pam_csc.so (from libpam-csc, installed above).  Same
# common-account file and same default blockinfile marker as the syscom
# variant, so the two tasks replace each other's block when a host moves
# between groups.
# NOTE(review): as with the syscom task, a pam-auth-update rewrite of
# common-account would drop this block and remove the membership check —
# confirm.
- name: Configure PAM (general)
  blockinfile:
    dest: /etc/pam.d/common-account
    block: |
      # Allow system accounts and members of the systems committee,
      # otherwise only allow current CSC members.
      account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
      account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
      account required pam_csc.so
  when: "'syscom' not in group_names"

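# Static Kerberos/LDAP client configuration and the LDAP CA certificate.
# Ownership and a world-readable mode are pinned explicitly: unprivileged
# users need to read krb5.conf, ldap.conf and the CA for kinit/ldapsearch
# to work, so the result must not depend on the remote umask.  None of
# these should contain secrets — confirm ldap.conf carries no bind password.
- name: Copy authentication configuration
  copy:
    src: '{{ item.src }}'
    dest: '{{ item.dest }}'
    owner: root
    group: root
    mode: '0644'
  with_items:
    - src: krb5.conf
      dest: /etc/krb5.conf
    - src: ldap.conf
      dest: /etc/ldap/ldap.conf
    # Principals allowed to log in as root via Kerberos; must stay
    # root-owned and not writable by others (MIT krb5 is documented to
    # ignore a .k5login with bad ownership), which owner/mode above ensure.
    - src: k5login
      dest: /root/.k5login
    # Installed without the .pem suffix; whatever consumes it (ldap.conf
    # TLS_CACERT or sssd ldap_tls_cacert — not visible here) must reference
    # this exact path, and nothing here creates an OpenSSL hash symlink for
    # CApath lookups.  Pinning an intermediate rather than a root means the
    # file must be replaced when the CA rotates that intermediate.
    - src: GlobalSign_Intermediate_Root_SHA256_G2.pem
      dest: /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2
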
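# Site-local helper script (contents not visible here; presumably a wrapper
# around sudo for switching to club accounts).  Root-owned, 0755, no setuid
# bit — any privilege change has to go through sudo, installed above.
- name: Copy user scripts
  copy:
    src: become_club
    dest: /usr/local/bin/become_club
    owner: root
    group: root
    # Quoted so the mode is not reinterpreted as an integer by the YAML
    # loader (octal under 1.1, decimal under 1.2).
    mode: '0755'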