Commit 7d95e25c authored by Lars Beckers's avatar Lars Beckers

add basic ad-auth role

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
passwd: compat ldap
group: compat ldap
shadow: compat ldap
gshadow: files
---
# file: roles/ad-auth/handlers/main.yml
- name: restart nslcd
service: name=nslcd state=restarted
- name: restart nscd
service: name=nscd state=restarted
- name: clear nscd caches
command: nscd -i passwd group
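Review bot: `command: nscd -i passwd group` in the `clear nscd caches` handler hands two tables to a single `-i`, but nscd takes one table per `--invalidate`, so the trailing positional argument is most likely rejected as a usage error and the handler fails every time it is notified. Invalidate the tables one at a time, e.g. `command: nscd -i {{ item }}` with `with_items: [passwd, group]`. The `service: name=nslcd state=restarted` one-liners are the key=value shorthand; block-style module arguments (`service:` followed by `name: nslcd` and `state: restarted`) are the current Ansible convention and are easier to diff.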
---
# file: roles/ad-auth/tasks/kerberos.yml
- name: ensure kerberos is installed
apt: name=krb5-user,krb5-clients state=latest
tags: kerberos packages
- name: configure kerberos
template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
tags: kerberos config
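Review bot: `tags: kerberos packages` on the install task (and the same space-separated form on every task in ldap.yml, nscd.yml and nslcd.yml) is one tag whose name contains a space, not two tags: Ansible splits a string-valued `tags` on commas only, so `--tags packages` or `--tags kerberos` will not select these tasks. Write them as a list, `tags: [kerberos, packages]`. Separately, `state=latest` on this apt task (and on the apt tasks in ldap.yml, nscd.yml and nslcd.yml) upgrades the packages on every run, which makes the role non-idempotent and can pull untested package versions in during an unrelated deploy; `state=present` keeps the role to installing and leaves upgrades as a deliberate step.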
---
# file: roles/ad-auth/tasks/ldap.yml
- name: ensure old libnss-ldap and libnss-pam are not installed
apt: name=libnss-ldap,libpam-ldap state=absent
tags: packages clean ldap
- name: ensure ldap NSS and PAM modules are installed
apt: name=libnss-ldapd,libpam-ldapd,ldap-utils state=latest
tags: ldap packages
- name: ensure proper global ldap configuration
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=0644
tags: ldap config
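Review bot: The `ensure proper global ldap configuration` task writes /etc/ldap/ldap.conf but carries no `notify`, so any libldap consumer that reads the file only at initialisation keeps the previous URI/BASE/TLS_CACERT until it is restarted. nslcd sets uri, base and tls_cacertfile in its own config, so the practical gap is smaller than it looks, but adding `notify: restart nslcd` (the handler already exists in handlers/main.yml) is cheaper than reasoning about which settings fall through to ldap.conf. The remove-then-install order for libnss-ldap/libpam-ldap versus libnss-ldapd/libpam-ldapd is correct as written.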
---
# file: roles/ad-auth/tasks/main.yml
tasks:
- include: ldap.yml
- include: nslcd.yml
- include: nscd.yml
- include: kerberos.yml
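Review bot: roles/ad-auth/tasks/main.yml wraps the includes in a `tasks:` mapping, but a role's tasks file must be a plain list of tasks; loaded as a mapping, Ansible will most likely reject the file (it expects each top-level element to be a task dict and finds the string `tasks` instead) and the role never runs. Drop the `tasks:` line so the four `- include:` entries form the document's top-level list. The include order (ldap, nslcd, nscd, kerberos) is sensible, since libnss-ldapd is installed before the nsswitch.conf that references `ldap` is copied in.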
---
# file: roles/ad-auth/tasks/nscd.yml
- name: ensure nscd is installed
apt: name=nscd state=latest
tags: nscd packages
- name: ensure proper nscd configuration
copy: src=nsswitch.conf dest=/etc/nsswitch.conf owner=root group=root mode=0644
notify:
- restart nscd
- clear nscd caches
tags: nscd config
- name: ensure nscd is running
service: name=nscd state=running enabled=yes
tags: nscd service
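Review bot: the task named `ensure proper nscd configuration` installs /etc/nsswitch.conf, which is glibc's NSS configuration rather than nscd's own, while /etc/nscd.conf is left at the package default; the name overstates what the role manages and sends a reader looking for nscd cache tuning to the wrong place. Rename it to `ensure proper nsswitch configuration` (and its tag to `nsswitch config`), or add a task that actually manages /etc/nscd.conf. The `restart nscd` plus `clear nscd caches` notify pair is worth keeping: if nscd's caches are configured `persistent` (as the Debian default is), a restart alone does not drop entries cached before the switch to LDAP.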
---
# file: roles/ad-auth/tasks/nslcd.yml
- name: ensure nslcd is installed
apt: name=nslcd state=latest
tags: nslcd packages
- name: ensure proper nslcd configuration
template: src=nslcd.conf.j2 dest=/etc/nslcd.conf owner=root group=nslcd mode=0640
notify:
- restart nslcd
tags: nslcd config
- name: ensure nslcd is running and enabled
service: name=nslcd state=running enabled=yes
tags: nslcd service
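Review bot: `service: name=nslcd state=running enabled=yes` (and the same in nscd.yml) uses `running`, the older alias of `started`; `started` is the documented value and the one that survives across Ansible versions, so prefer `state=started`. Deploying /etc/nslcd.conf with `group=nslcd mode=0640` is the right choice since that file is where a `bindpw` would live, and a one-line comment on the task saying so would stop a later edit from relaxing it to 0644 for convenience.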
## TODO
[libdefaults]
default_realm = FSMPI.RWTH-AACHEN.DE
dns_lookup_realm = false
dns_lookup_kdc = true
forwardable = true
[domain_realm]
.fsmpi.rwth-aachen.de = FSMPI.RWTH-AACHEN.DE
fsmpi.rwth-aachen.de = FSMPI.RWTH-AACHEN.DE
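Review bot: templates/krb5.conf.j2 contains no Jinja expressions — the realm `FSMPI.RWTH-AACHEN.DE` and the domain are hard-coded — so the `.j2` suffix and the `template:` module buy nothing, and the same site-specific literals are repeated across all three templates. Lift them into role variables (constructed example: `default_realm = {{ ad_realm }}`, with the variable defined in the role's defaults) so one definition feeds krb5.conf, ldap.conf and nslcd.conf. The leading `## TODO` line here, and the identical lines at the top of ldap.conf.j2 and nslcd.conf.j2, say nothing about what is outstanding; either name the item (`# TODO: <item>`) or drop them. `forwardable = true` requests forwardable TGTs by default; they are only delegated when a client asks for it (e.g. ssh's GSSAPIDelegateCredentials), but a comment recording whether credential delegation is intended for this role would help the next maintainer.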
## TODO
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=fsmpi,dc=rwth-aachen,dc=de
URI ldaps://rumo.fsmpi.rwth-aachen.de
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERT /etc/ssl/certs/rwth_chain.pem
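Review bot: `TLS_CACERT /etc/ssl/certs/rwth_chain.pem` (and `tls_cacertfile` with the same path in nslcd.conf.j2) points at a CA bundle that no task in this role installs, so on a host lacking that file the ldaps:// connections fail certificate verification and, with nslcd's `tls_reqcert demand`, every passwd/group lookup through LDAP fails. Add a `copy:` task for the chain file (owner root, mode 0644) ahead of the ldap.conf and nslcd.conf templates, or document it as a prerequisite of the role. It is also worth stating `TLS_REQCERT demand` explicitly here: it is libldap's default, but making it visible keeps a later edit from loosening verification unnoticed.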
## TODO
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldaps://rumo.fsmpi.rwth-aachen.de/
# The search base that will be used for all queries.
base dc=fsmpi,dc=rwth-aachen,dc=de
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
tls_cacertfile /etc/ssl/certs/rwth_chain.pem
tls_reqcert demand
# The search scope.
#scope sub
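Review bot: `uri ldaps://rumo.fsmpi.rwth-aachen.de/` and `base dc=fsmpi,dc=rwth-aachen,dc=de` duplicate the URI and BASE literals in ldap.conf.j2 (already differing by a trailing slash), and because neither template uses a Jinja variable the two copies can drift independently. Define the server and search base once as role variables and reference them from both templates. No `binddn`/`bindpw` is set, so lookups run as an anonymous bind; if the directory does not permit anonymous reads, the credential belongs in a vaulted variable rather than a literal in this template, and the `group=nslcd mode=0640` applied in nslcd.yml is the right protection for that case.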