diff --git a/ad-auth/files/sudo/admin b/ad-auth/files/sudo/admin
new file mode 100644
index 0000000000000000000000000000000000000000..56838a907ae44c9e0a36c8efdda54d8ed7e48a60
--- /dev/null
+++ b/ad-auth/files/sudo/admin
@@ -0,0 +1 @@
+%admin ALL=(ALL:ALL) ALL
diff --git a/ad-auth/tasks/main.yml b/ad-auth/tasks/main.yml
index 3d4abef8dc5e0e49ff07bca7d112aef75907f6ca..3ebf584b6baec5187ecbebd695bec402aaa5fc73 100644
--- a/ad-auth/tasks/main.yml
+++ b/ad-auth/tasks/main.yml
@@ -6,3 +6,4 @@ tasks:
   - include: nslcd.yml
   - include: nscd.yml
   - include: kerberos.yml
+  - include: sudo.yml
diff --git a/ad-auth/tasks/sudo.yml b/ad-auth/tasks/sudo.yml
new file mode 100644
index 0000000000000000000000000000000000000000..761d91b36a8f9a44d261b71a853a1804613f8f16
--- /dev/null
+++ b/ad-auth/tasks/sudo.yml
@@ -0,0 +1,10 @@
+---
+# file: roles/ad-auth/tasks/sudo.yml
+
+- name: ensure users of group admin are in the sudoers
+  copy: src=sudo/admin dest=/etc/sudoers.d/admin owner=root group=root mode=0440
+  tags: sudo config
+
+- name: check whole sudo config
+  command: visudo -q -c -f /etc/sudoers
+  tags: sudo test
diff --git a/ad-auth/templates/ldap.conf.j2 b/ad-auth/templates/ldap.conf.j2
index 4a815c5edd635d3d76443b5203c92d102ec0d9a0..3ac0530739ade88aaa796ce4924cb85e3f472fdc 100644
--- a/ad-auth/templates/ldap.conf.j2
+++ b/ad-auth/templates/ldap.conf.j2
@@ -1,4 +1,3 @@
-## TODO
 #
 # LDAP Defaults
 #
@@ -6,11 +5,11 @@
 # See ldap.conf(5) for details
 # This file should be world readable but not world writable.
 
-BASE dc=fsmpi,dc=rwth-aachen,dc=de
-URI ldaps://rumo.fsmpi.rwth-aachen.de
+BASE {{ authbase }}
+URI ldaps://{{ authserver }}
 
 #SIZELIMIT 12
 #TIMELIMIT 15
 #DEREF never
 
-TLS_CACERT /etc/ssl/certs/rwth_chain.pem
+TLS_CACERT {{ authcacert }}
diff --git a/ad-auth/templates/nslcd.conf.j2 b/ad-auth/templates/nslcd.conf.j2
index de34bdc4103f9cc4f714426164178825e967cacf..5675aebabdcd8b71df552b1dee930ef3fe49bd3c 100644
--- a/ad-auth/templates/nslcd.conf.j2
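Review bot: `%admin ALL=(ALL:ALL) ALL` grants unrestricted root to every account that resolves into a group named `admin`, and because this same role configures nslcd, that resolution now includes directory-supplied groups rather than only the local group file. The new file carries no comment saying which group is meant or that directory membership alone is sufficient; a one-line header such as `# Full sudo for members of group "admin" (resolved via NSS, so directory groups count)` would make the trust boundary explicit. A local group of that name may also exist on some distributions, so the header should state whether both local and directory membership are intended to qualify.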
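Review bot: The `visudo -q -c -f /etc/sudoers` check in the second task runs only after the first task has already installed the drop-in, so a malformed file reaches `/etc/sudoers.d/admin` before anything checks it; the copy module's `validate` parameter checks the staged file first, `copy: src=sudo/admin dest=/etc/sudoers.d/admin owner=root group=root mode=0440 validate='visudo -cf %s'`. The command task will also report changed on every run, so `changed_when: false` belongs on it. Separately, Ansible splits a string `tags:` value on commas rather than spaces, so `tags: sudo config` and `tags: sudo test` appear to define single tags named `sudo config` and `sudo test`; if two tags are intended, `tags: [sudo, config]` is the form.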
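Review bot: `TLS_CACERT {{ authcacert }}` pins the CA but the template leaves `TLS_REQCERT` unset, whereas the nslcd.conf template in this same commit states `tls_reqcert demand` explicitly. ldap.conf(5) documents `demand` as the default, so behaviour is unchanged today, but an explicit `TLS_REQCERT demand` line next to `TLS_CACERT` records the intent and is not affected by a distribution or image default that loosens it. The three new variables `authbase`, `authserver` and `authcacert` are not defined anywhere in this diff; their defaults belong in the role's vars or defaults so that a missing value fails loudly rather than rendering an incomplete `BASE`/`URI`.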
+++ b/ad-auth/templates/nslcd.conf.j2
@@ -1,4 +1,3 @@
-## TODO
 # /etc/nslcd.conf
 # nslcd configuration file. See nslcd.conf(5)
 # for details.
@@ -8,10 +7,10 @@ uid nslcd
 gid nslcd
 
 # The location at which the LDAP server(s) should be reachable.
-uri ldaps://rumo.fsmpi.rwth-aachen.de/
+uri ldaps://{{ authserver }}
 
 # The search base that will be used for all queries.
-base dc=fsmpi,dc=rwth-aachen,dc=de
+base {{ authbase }}
 
 # The LDAP protocol version to use.
 #ldap_version 3
@@ -25,7 +24,7 @@ base dc=fsmpi,dc=rwth-aachen,dc=de
 # SSL options
 #ssl off
-tls_cacertfile /etc/ssl/certs/rwth_chain.pem
+tls_cacertfile {{ authcacert }}
 tls_reqcert demand
 
 # The search scope.