Connexion au serveur LDAP

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-05-24 19:30:20 +02:00 · 2021-05-24 19:30:20 +02:00 · 0a85cd22ff
commit 0a85cd22ff
parent a8c4bf141b
7 changed files with 126 additions and 0 deletions
--- a/group_vars/all/all.yml
+++ b/group_vars/all/all.yml
@ -17,6 +17,10 @@ ansible_header: |

    +++++++++++++++++++++++++++++++++++++++++++++++++++

+glob_ldap:
+  servers:
+    - 172.16.42.1
+  base: 'dc=ynerant,dc=fr'


 pass:
--- a/plays/base.yml
+++ b/plays/base.yml
@ -3,6 +3,7 @@

 - import_playbook: apt.yml
 - import_playbook: ntp.yml
+- import_playbook: ldap-client.yml

 - hosts: all
  roles:
--- a/plays/ldap-client.yml
+++ b/plays/ldap-client.yml
@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: debian
+  vars:
+    ldap: '{{ glob_ldap | combine(loc_ldap | default({})) }}'
+  roles:
+    - ldap-client
--- a/roles/ldap-client/README.md
+++ b/roles/ldap-client/README.md
@ -0,0 +1,10 @@
+# LDAP-CLIENT
+
+Configure un client ldap pour les utilisateurs
+
+## VARS
+
+ldap:
+  - local: si le serveur est installé en local
+  - servers: la liste des servers ldap a contacté
+  - base: le search term du ldap
--- a/roles/ldap-client/handlers/main.yml
+++ b/roles/ldap-client/handlers/main.yml
@ -0,0 +1,16 @@
+---
+- name: Reconfigure libnss-ldapd package
+  command: dpkg-reconfigure libnss-ldapd -f noninteractive
+
+- name: Restart nslcd service
+  service:
+    name: nslcd
+    state: restarted
+
+# Empty cache when nslcd is restarted
+- name: Restart nscd service
+  service:
+    name: nscd
+    state: restarted
+  ignore_errors: true  # Sometimes service do not exist
+  listen: Restart nslcd service
--- a/roles/ldap-client/tasks/main.yml
+++ b/roles/ldap-client/tasks/main.yml
@ -0,0 +1,50 @@
+---
+# Install LDAP client packages
+- name: Install LDAP client packages
+  apt:
+    update_cache: true
+    name:
+      - libnss-ldapd
+      - libpam-ldapd
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+# Configure /etc/nslcd.conf
+- name: Configure nslcd
+  template:
+    src: nslcd.conf.j2
+    dest: /etc/nslcd.conf
+    mode: 0600
+  notify: Restart nslcd service
+
+# Configure /etc/nsswitch.conf
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}"
+    line: "{{ item }}         files systemd ldap"
+  loop:
+    - "passwd:"
+    - "group: "
+  notify: Restart nslcd service
+
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}"
+    line: "{{ item }}       files ldap"
+  loop:
+    - "shadow:  "
+    - "networks:"
+  notify: Restart nslcd service
+
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}"
+    line: "{{ item }}          files ldap dns"
+  loop:
+    - "hosts:"
+  notify: Restart nslcd service
--- a/roles/ldap-client/templates/nslcd.conf.j2
+++ b/roles/ldap-client/templates/nslcd.conf.j2
@ -0,0 +1,38 @@
+{{ ansible_header | comment }}
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+{% if 'slapd' in group_names %}
+uri ldapi:///
+{% else %}
+{% for server in ldap.servers %}
+uri ldaps://{{ server }}/
+{% endfor %}
+{% endif %}
+
+# The search base that will be used for all queries.
+base {{ ldap.base }}
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+tls_reqcert allow
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub