From 0a85cd22ff4b57d1ad835bb3e76ba708f00b7b4f Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 24 May 2021 19:30:20 +0200 Subject: [PATCH] Connexion au serveur LDAP Signed-off-by: Yohann D'ANELLO --- group_vars/all/all.yml | 4 ++ plays/base.yml | 1 + plays/ldap-client.yml | 7 ++++ roles/ldap-client/README.md | 10 +++++ roles/ldap-client/handlers/main.yml | 16 ++++++++ roles/ldap-client/tasks/main.yml | 50 +++++++++++++++++++++++ roles/ldap-client/templates/nslcd.conf.j2 | 38 +++++++++++++++++ 7 files changed, 126 insertions(+) create mode 100755 plays/ldap-client.yml create mode 100644 roles/ldap-client/README.md create mode 100644 roles/ldap-client/handlers/main.yml create mode 100644 roles/ldap-client/tasks/main.yml create mode 100644 roles/ldap-client/templates/nslcd.conf.j2 diff --git a/group_vars/all/all.yml b/group_vars/all/all.yml index f319f07..bff276b 100644 --- a/group_vars/all/all.yml +++ b/group_vars/all/all.yml @@ -17,6 +17,10 @@ ansible_header: | +++++++++++++++++++++++++++++++++++++++++++++++++++ +glob_ldap: + servers: + - 172.16.42.1 + base: 'dc=ynerant,dc=fr' pass: diff --git a/plays/base.yml b/plays/base.yml index fa0786f..4a65a1a 100755 --- a/plays/base.yml +++ b/plays/base.yml @@ -3,6 +3,7 @@ - import_playbook: apt.yml - import_playbook: ntp.yml +- import_playbook: ldap-client.yml - hosts: all roles: diff --git a/plays/ldap-client.yml b/plays/ldap-client.yml new file mode 100755 index 0000000..edc96e0 --- /dev/null +++ b/plays/ldap-client.yml @@ -0,0 +1,7 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: debian + vars: + ldap: '{{ glob_ldap | combine(loc_ldap | default({})) }}' + roles: + - ldap-client diff --git a/roles/ldap-client/README.md b/roles/ldap-client/README.md new file mode 100644 index 0000000..55811ba --- /dev/null +++ b/roles/ldap-client/README.md 
@@ -0,0 +1,10 @@
+# LDAP-CLIENT
+
+Configure un client ldap pour les utilisateurs
+
+## VARS
+
+ldap:
+ - local: si le serveur est installé en local
+ - servers: la liste des servers ldap a contacté
+ - base: le search term du ldap
diff --git a/roles/ldap-client/handlers/main.yml b/roles/ldap-client/handlers/main.yml
new file mode 100644
index 0000000..f0f3111
--- /dev/null
+++ b/roles/ldap-client/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Reconfigure libnss-ldapd package
+  command: dpkg-reconfigure libnss-ldapd -f noninteractive
+
+- name: Restart nslcd service
+  service:
+    name: nslcd
+    state: restarted
+
+# Empty cache when nslcd is restarted
+- name: Restart nscd service
+  service:
+    name: nscd
+    state: restarted
+  ignore_errors: true # Sometimes service do not exist
+  listen: Restart nslcd service
diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml
new file mode 100644
index 0000000..42f3d78
--- /dev/null
+++ b/roles/ldap-client/tasks/main.yml
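Review bot: The `Reconfigure libnss-ldapd package` handler is never notified by any task in this commit (tasks/main.yml only notifies `Restart nslcd service`), so as committed it cannot fire and should either be wired to the install task or dropped. On the nscd handler, `ignore_errors: true` masks every failure of the restart, not just the missing-unit case the comment describes, and still prints a red error on each run; `failed_when: false` keeps the best-effort intent quietly, or gate the handler on `ansible_facts.services` collected by `service_facts`. The `command:` handler also reports changed on every invocation; unless its output is inspected, `changed_when: false` is the honest setting for a dpkg-reconfigure call.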
@@ -0,0 +1,50 @@
+---
+# Install LDAP client packages
+- name: Install LDAP client packages
+  apt:
+    update_cache: true
+    name:
+      - libnss-ldapd
+      - libpam-ldapd
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+# Configure /etc/nslcd.conf
+- name: Configure nslcd
+  template:
+    src: nslcd.conf.j2
+    dest: /etc/nslcd.conf
+    mode: 0600
+  notify: Restart nslcd service
+
+# Configure /etc/nsswitch.conf
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}"
+    line: "{{ item }} files systemd ldap"
+  loop:
+    - "passwd:"
+    - "group: "
+  notify: Restart nslcd service
+
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}"
+    line: "{{ item }} files ldap"
+  loop:
+    - "shadow: "
+    - "networks:"
+  notify: Restart nslcd service
+
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}"
+    line: "{{ item }} files ldap dns"
+  loop:
+    - "hosts:"
+  notify: Restart nslcd service
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2
new file mode 100644
index 0000000..7a94583
--- /dev/null
+++ b/roles/ldap-client/templates/nslcd.conf.j2
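Review bot: The `hosts:` line written by the last task orders the sources `files ldap dns`, so every name that is not in /etc/hosts is handed to nslcd before DNS is consulted; when nslcd is running but its LDAP servers are unreachable, ordinary resolution (package mirrors, NTP, monitoring) waits on nslcd's connect timeouts before DNS is even tried. Unless LDAP is meant to be the authoritative host database here, `line: "{{ item }} files dns ldap"` is the safer order. The three `lineinfile` tasks share the name `Configure NSS to use LDAP`, which makes play output and `--start-at-task` ambiguous; name each after the databases it edits (e.g. `Configure NSS passwd/group to use LDAP`). `mode: 0600` is an unquoted octal that PyYAML reads as an int; Ansible does accept the leading-zero form, but `mode: "0600"` is what ansible-lint expects and removes the trap if someone later drops the zero.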
@@ -0,0 +1,38 @@
+{{ ansible_header | comment }}
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+{% if 'slapd' in group_names %}
+uri ldapi:///
+{% else %}
+{% for server in ldap.servers %}
+uri ldaps://{{ server }}/
+{% endfor %}
+{% endif %}
+
+# The search base that will be used for all queries.
+base {{ ldap.base }}
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+tls_reqcert allow
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub
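Review bot: `tls_reqcert allow`, combined with `ldaps://` URIs built from bare IP addresses in `ldap.servers`, tells nslcd to proceed when the server certificate is missing or fails verification, so the LDAP transport is encrypted but the server is not authenticated; since this feed supplies passwd, group and shadow data to every client, a spoofed responder for that address would be trusted as the directory. Use `tls_reqcert demand` and make sure the server certificate matches what appears in the URI — with IP URIs that means an IP SAN, otherwise switch `ldap.servers` to hostnames. `tls_cacertfile /etc/ssl/certs/ca-certificates.crt` additionally trusts every public CA for an internal directory; pointing it at the internal CA alone (`tls_cacertfile /etc/ssl/certs/<internal-ca>.crt`, path to be filled in) narrows that. Separately, the README added in this commit documents an `ldap.local` switch, but this template decides between `ldapi:///` and the remote servers with `'slapd' in group_names` and never reads `ldap.local`; one of the two should be aligned with the other.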