add basic ad-auth role

ad-auth/files/nsswitch.conf

+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis
+passwd:		compat ldap
+group: 		compat ldap
+shadow:		compat ldap
+gshadow:	files

ad-auth/handlers/main.yml

+---
+# file: roles/ad-auth/handlers/main.yml
+
+- name: restart nslcd
+  service: name=nslcd state=restarted
+
+- name: restart nscd
+  service: name=nscd state=restarted
+
+- name: clear nscd caches
+  command: nscd -i passwd group

ad-auth/tasks/kerberos.yml

+---
+# file: roles/ad-auth/tasks/kerberos.yml
+
+- name: ensure kerberos is installed
+  apt: name=krb5-user,krb5-clients state=latest
+  tags: kerberos packages
+
+- name: configure kerberos
+  template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
+  tags: kerberos config

ad-auth/tasks/ldap.yml

+---
+# file: roles/ad-auth/tasks/ldap.yml
+
+- name: ensure old libnss-ldap and libnss-pam are not installed
+  apt: name=libnss-ldap,libpam-ldap state=absent
+  tags: packages clean ldap
+  
+- name: ensure ldap NSS and PAM modules are installed
+  apt: name=libnss-ldapd,libpam-ldapd,ldap-utils state=latest
+  tags: ldap packages
+
+- name: ensure proper global ldap configuration
+  template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=0644
+  tags: ldap config

ad-auth/tasks/main.yml

+---
+# file: roles/ad-auth/tasks/main.yml
+
+tasks:
+  - include: ldap.yml
+  - include: nslcd.yml
+  - include: nscd.yml
+  - include: kerberos.yml

ad-auth/tasks/nscd.yml

+---
+# file: roles/ad-auth/tasks/nscd.yml
+
+- name: ensure nscd is installed
+  apt: name=nscd state=latest
+  tags: nscd packages
+
+- name: ensure proper nscd configuration
+  copy: src=nsswitch.conf dest=/etc/nsswitch.conf owner=root group=root mode=0644
+  notify:
+    - restart nscd
+    - clear nscd caches
+  tags: nscd config
+
+- name: ensure nscd is running
+  service: name=nscd state=running enabled=yes
+  tags: nscd service

ad-auth/tasks/nslcd.yml

+---
+# file: roles/ad-auth/tasks/nslcd.yml
+
+- name: ensure nslcd is installed
+  apt: name=nslcd state=latest
+  tags: nslcd packages
+
+- name: ensure proper nslcd configuration
+  template: src=nslcd.conf.j2 dest=/etc/nslcd.conf owner=root group=nslcd mode=0640
+  notify:
+    - restart nslcd
+  tags: nslcd config
+
+- name: ensure nslcd is running and enabled
+  service: name=nslcd state=running enabled=yes
+  tags: nslcd service

ad-auth/templates/krb5.conf.j2

+## TODO
+[libdefaults]
+default_realm = FSMPI.RWTH-AACHEN.DE
+dns_lookup_realm = false
+dns_lookup_kdc = true
+forwardable = true
+
+[domain_realm]
+.fsmpi.rwth-aachen.de = FSMPI.RWTH-AACHEN.DE
+fsmpi.rwth-aachen.de = FSMPI.RWTH-AACHEN.DE
+

ad-auth/templates/ldap.conf.j2

+## TODO
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE	dc=fsmpi,dc=rwth-aachen,dc=de
+URI	ldaps://rumo.fsmpi.rwth-aachen.de
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+TLS_CACERT	/etc/ssl/certs/rwth_chain.pem

ad-auth/templates/nslcd.conf.j2

+## TODO
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri ldaps://rumo.fsmpi.rwth-aachen.de/
+
+# The search base that will be used for all queries.
+base dc=fsmpi,dc=rwth-aachen,dc=de
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+tls_cacertfile /etc/ssl/certs/rwth_chain.pem
+tls_reqcert demand
+
+# The search scope.
+#scope sub
+