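├── .bin
│   ├── clean_vault
│   ├── diff_vault
│   └── smudge_vault
├── .gitattributes
├── .gitconfig
├── .gitignore
├── .travis.yml
├── README.md
├── TODO.md
├── Vagrantfile
├── defaults
│   └── main.yml
├── files
│   └── pam_mkhomedir
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── tasks
│   └── main.yml
├── templates
│   ├── ldap_sudo_groups.j2
│   ├── ldap_sudo_users.j2
│   ├── sssd.conf.j2
│   └── sudo_group.j2
├── tests
│   ├── group_vars
│   │   └── all
│   │       ├── main.yml
│   │       └── secrets.yml
│   ├── playbook.yml
│   ├── roles
│   │   └── system_ldap
│   └── travis.yml
└── vars
    ├── debian.yml
    ├── main.yml
    ├── redhat.yml
    └── ubuntu-14.04.yml
/.bin/clean_vault:
--------------------------------------------------------------------------------
#!/bin/bash
# git "clean" filter for secrets.yml (wired up in .gitattributes/.gitconfig):
# encrypts the content with ansible-vault before it enters the index.
#
# Just print out the secrets file as-is if the password file doesn't exist.
# Note that in this case whatever is staged is committed unchanged; the
# smudge filter is what reports a cleartext secrets.yml later.
if [ ! -r '.vault_password' ]; then
    cat
    exit
fi

CONTENT="$(cat)"
# Store vault's stderr in RESULT and redirect encrypted stdout back to stdout
# (the ciphertext is the filter's output). printf rather than echo so that
# content beginning with '-' or containing backslashes is passed verbatim.
{
    RESULT="$(printf '%s\n' "$CONTENT" | ansible-vault encrypt - --vault-password-file=.vault_password 2>&1 1>&$OUT)";
} {OUT}>&1

# grep -E instead of -P: the pattern needs nothing PCRE-specific and -P is
# not available in every grep (BSD/macOS).
if printf '%s\n' "$RESULT" | grep -qE "Encryption successful|^$"; then
    exit
elif printf '%s\n' "$RESULT" | grep -q "ERROR! input is already encrypted"; then
    printf '%s\n' "$CONTENT"
else
    # This should be unreachable, but just in case. Only the vault's stderr
    # and the content length are recorded: CONTENT is the cleartext secrets
    # file and must not be written to disk, not even to a git-ignored log.
    echo "RESULT=$RESULT" >> .gitdebug
    echo "CONTENT_LENGTH=${#CONTENT}" >> .gitdebug
    exit 1
fi
--------------------------------------------------------------------------------
/.bin/diff_vault:
--------------------------------------------------------------------------------
#!/bin/bash
# git "textconv" driver for secrets.yml: prints the decrypted content so that
# `git diff` compares plaintext instead of vault ciphertext. $1 is the path
# of the file git asks to be converted.
#
# Just print out the secrets file as-is if the password file doesn't exist
if [ ! -r '.vault_password' ]; then
    cat "$1"
    exit
fi

export PAGER='cat'
# stderr is merged in so the "not encrypted" error can be recognised below
CONTENT="$(ansible-vault view "$1" --vault-password-file=.vault_password 2>&1)"

if printf '%s\n' "$CONTENT" | grep -q 'ERROR! input is not encrypted'; then
    cat "$1"
else
    printf '%s\n' "$CONTENT"
fi
--------------------------------------------------------------------------------
/.bin/smudge_vault:
--------------------------------------------------------------------------------
#!/bin/bash
# git "smudge" filter for secrets.yml: decrypts the vault text coming out of
# the index so the working copy holds plaintext.
#
# Just print out the secrets file as-is if the password file doesn't exist
if [ ! -r '.vault_password' ]; then
    cat
    exit
fi

CONTENT="$(cat)"
# Store vault's stderr in RESULT and redirect decrypted stdout back to stdout.
# printf rather than echo so the content is passed through verbatim.
{
    RESULT="$(printf '%s\n' "$CONTENT" | ansible-vault decrypt - --vault-password-file=.vault_password 2>&1 1>&$OUT)";
} {OUT}>&1

# grep -E instead of -P: see clean_vault.
if printf '%s\n' "$RESULT" | grep -qE "Decryption successful|^$"; then
    exit
elif printf '%s\n' "$RESULT" | grep -q "ERROR! input is not encrypted"; then
    # Cleartext reached the repository; exit non-zero so the failure is
    # visible instead of silently handing the plaintext through.
    echo "A secrets.yml file was committed in cleartext."
    echo "Please fix this before continuing."
    exit 1
else
    # This should be unreachable, but just in case. Only the vault's stderr
    # and the content length are recorded: CONTENT may be cleartext and must
    # not be written to disk, not even to a git-ignored log.
    echo "RESULT=$RESULT" >> .gitdebug
    echo "CONTENT_LENGTH=${#CONTENT}" >> .gitdebug
    exit 1
fi
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
secrets.yml diff=vault filter=vault
--------------------------------------------------------------------------------
/.gitconfig:
--------------------------------------------------------------------------------
[diff "vault"]
	textconv = .bin/diff_vault
[filter "vault"]
	smudge = .bin/smudge_vault
	clean = .bin/clean_vault
	# filter.vault.required is not set: a filter that exits non-zero only
	# produces a warning and git continues with the unfiltered content.
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.vagrant
.vault_password

# written by .bin/*_vault when ansible-vault fails unexpectedly
.gitdebug
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
---
language: python
python: "2.7"

# Use the new container infrastructure
sudo: false

# Install ansible
addons:
  apt:
    packages:
    - python-pip

env:
  global:
    - secure: "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"

install:
  # Install ansible
  - pip install ansible

  # Check ansible version
  - ansible --version

  # Create ansible.cfg with correct roles_path
  - printf '[defaults]\nroles_path=../' >ansible.cfg

before_script:
  # VAULT_PASSWORD comes from the encrypted `secure` entry above; the file
  # it is written to is git-ignored and only exists on the CI worker.
  - echo "$VAULT_PASSWORD" > .vault_password

script:
  # Basic role syntax check
  - ansible-playbook tests/travis.yml -i localhost, --vault-password-file .vault_password --syntax-check

notifications:
  webhooks:
    urls:
      - https://galaxy.ansible.com/api/v1/notifications/
      - https://t2d.idolactiviti.es/notify
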
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
[![Build Status](https://travis-ci.org/lae/ansible-role-system_ldap.svg?branch=master)](https://travis-ci.org/lae/ansible-role-system_ldap)
[![Galaxy Role](https://img.shields.io/badge/ansible--galaxy-system_ldap-blue.svg)](https://galaxy.ansible.com/lae/system_ldap/)

lae.system_ldap
=========

Install and configure SSSD for system-level LDAP authentication against an
LDAP-enabled Active Directory server.

## Role Variables

Read `defaults/main.yml` for a list of all configurable role variables. As the
defaults should suffice for most users, this section covers only the variables
that must be defined.

The following must be configured to communicate with your LDAP/AD server:

|Variable|Example|Description|
|--------|-------|-----------|
|`system_ldap_domain`|`LDAP`|A label for sssd to use to identify this configuration/domain.|
|`system_ldap_search_base`|`OU=Idol Schools,DC=Aikatsu,DC=net`|The default base DN to use for performing LDAP user operations.|
|`system_ldap_uris`|`- ldaps://ldap-tyo.example.aikatsu.net:636`
`- ldaps://ldap-ngo.example.aikatsu.net:636`|A list of URIs of the LDAP servers to which sssd should connect.| 23 | |`system_ldap_bind_dn`|`CN=Naoto Suzukawa,OU=Service Accounts,OU=Idol Schools,DC=Aikatsu,DC=net`|The default bind DN to use for performing LDAP operations.| 24 | |`system_ldap_bind_password`|`sunrise`|The authentication token of the default bind DN. Only clear text passwords are currently supported.| 25 | |`system_ldap_access_filter_groups`|`- CN=operations,OU=Security Groups,OU=Idol Schools,DC=Aikatsu,DC=net`|List of group DNs authorized to access the current host.| 26 | |`system_ldap_access_unix_groups`|`- operations`|Should effectively be the same as `system_ldap_access_filter_groups`, but using their UNIX group names (usually CN).| 27 | |`system_ldap_access_filter_users`|`- hoshimiya.ichigo`
`- nikaidou.yuzu`|List of usernames (passed to the filter `(sAMAccountName=%s)` by default) authorized to access the current host.| 28 | |`system_ldap_sudo_groups`|`- operations`|List of groups to configure to allow sudo usage on the current host.| 29 | |`system_ldap_sudo_users`|`- hoshimiya.ichigo`|List of users to configure to allow sudo usage on the current host.| 30 | |`system_ldap_allow_passwordauth_in_sshd`|`true`|Specifies whether to configure `sshd_config` to allow password authentication for authorized users. This is needed if your SSHD is configured to not allow password authentication by default. Defaults to `false`.| 31 | 32 | ## Example Playbook 33 | 34 | The following is typically what we use in a multi-tenant playbook: 35 | 36 | ``` 37 | --- 38 | - hosts: all 39 | user: ansible 40 | roles: 41 | - lae.system_ldap 42 | become: True 43 | ``` 44 | 45 | There is also an example playbook in the [test directory](tests/) 46 | 47 | ### Extended usage 48 | 49 | For this section, the playbook in the code block above is `system_ldap.yml`. 50 | Let's look at the following playbook layout: 51 | 52 | - system_ldap.yml 53 | - inventory 54 | - group_vars/ 55 | - all/ 56 | - main.yml 57 | - starlight/ 58 | - main.yml 59 | - host_vars/ 60 | - research-node01 61 | - roles/ 62 | - requirements.yml 63 | 64 | In this layout, we're typically able to group access control per hostgroup or 65 | per host. 
There are some variables that you likely want to set across all hosts,
in `group_vars/all/main.yml` (or just `group_vars/all` if not using a directory):

    ---
    system_ldap_domain: aikatsu.net
    system_ldap_bind_dn: CN=Naoto Suzukawa,OU=Service Accounts,OU=Idol Schools,DC=Aikatsu,DC=net
    system_ldap_bind_password: sunrise
    system_ldap_search_base: OU=Idol Schools,DC=Aikatsu,DC=net
    system_ldap_uris:
      - ldaps://ldap-tyo.example.aikatsu.net:636
      - ldaps://ldap-ngo.example.aikatsu.net:636
    system_ldap_access_filter_groups:
      - CN=operations,OU=Security Groups,OU=Idol Schools,DC=Aikatsu,DC=net
    system_ldap_access_filter_users: []
    system_ldap_access_unix_groups:
      - operations
    system_ldap_sudo_groups:
      - operations
    system_ldap_sudo_users: []

Here we're using a search user account and password (`system_ldap_bind_*`) to
look up users and groups on an LDAP server over SSL (with a failover LDAPS
server), allowing members of an "operations" group to log in and to obtain
root privileges through sudo. In practice, keep `system_ldap_bind_password` out
of this file and in a vault-encrypted one, as this repository's test inventory
does with `tests/group_vars/all/secrets.yml`.

The `starlight` group's variables file may look like this:

    ---
    system_ldap_allow_passwordauth_in_sshd: true
    system_ldap_access_filter_users:
      - hoshimiya.ichigo
    system_ldap_sudo_users:
      - hoshimiya.ichigo

This allows the user name `hoshimiya.ichigo` to log in to the machines in the
`starlight` hostgroup, as well as use sudo on them. The variables above are
matched against the `sAMAccountName` value from your LDAP-enabled AD server for
any users under the `system_ldap_search_base` DN.

You can also specify groups, but you will need to provide the full DN for the
group filter variable. You'll also probably want to copy the group-related
variables from `all`. For the other variables you can just use the CN.
E.g: 106 | 107 | system_ldap_access_filter_groups: 108 | - CN=operations,OU=Security Groups,OU=Global,OU=Idol Schools,DC=Aikatsu,DC=net 109 | - CN=starlight-students,OU=Security Groups,OU=Starlight Academy,OU=Idol Schools,DC=Aikatsu,DC=net 110 | system_ldap_access_unix_groups: 111 | - operations 112 | - starlight-students 113 | system_ldap_sudo_groups: 114 | - operations 115 | 116 | Here we add a `starlight-students` LDAP group, but only allow them to login. 117 | 118 | Developing 119 | ---------- 120 | 121 | First clone and branch, or fork, this repo, make your changes, commit and submit 122 | a pull request. 123 | 124 | To keep track of ansible vault changes, include .gitconfig in your git config: 125 | 126 | echo -e "[include]\n\tpath = ../.gitconfig" >> .git/config 127 | 128 | Testing 129 | ------- 130 | 131 | vagrant box add debian/stretch64 132 | vagrant up 133 | vagrant provision 134 | 135 | License 136 | ------- 137 | 138 | MIT 139 | -------------------------------------------------------------------------------- /TODO.md: -------------------------------------------------------------------------------- 1 | - add tests for ubuntu 14, 16, debian 7 and 8, and centos 6 and 7 2 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | Vagrant.require_version ">= 1.7.0" 2 | 3 | Vagrant.configure(2) do |config| 4 | 5 | config.vm.box = "debian/stretch64" 6 | 7 | # Disable the new default behavior introduced in Vagrant 1.7, to 8 | # ensure that all Vagrant machines will use the same SSH key pair. 
9 | # See https://github.com/mitchellh/vagrant/issues/5005 10 | config.ssh.insert_key = false 11 | 12 | config.vm.synced_folder ".", "/home/vagrant/sync/", disabled: true 13 | config.vm.synced_folder ".", "/vagrant/", disabled: true 14 | 15 | config.vm.provision "ansible" do |ansible| 16 | ansible.verbose = "v" 17 | ansible.playbook = "tests/playbook.yml" 18 | ansible.vault_password_file = ".vault_password" 19 | end 20 | end 21 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for lae.system_ldap 3 | system_ldap_sudo_groups: [] 4 | system_ldap_sudo_users: [] 5 | system_ldap_allow_passwordauth_in_sshd: false 6 | # The following are used to populate sssd.conf (see templates/sssd.conf.j2) 7 | # Refer to `man sssd-ldap` (https://linux.die.net/man/5/sssd-ldap) for usage. 8 | system_ldap_domain: 9 | system_ldap_schema: ad 10 | system_ldap_krb5_realm: 11 | system_ldap_search_base: 12 | system_ldap_uris: [] 13 | system_ldap_bind_dn: 14 | system_ldap_bind_password: 15 | system_ldap_user_search_filter: "(&(objectClass=user)(objectClass=person)(uid=*))" 16 | system_ldap_group_search_filter: "(&(objectClass=group)(gidNumber=*))" 17 | system_ldap_user_search_base: 18 | system_ldap_group_search_base: 19 | system_ldap_access_filter_groups: [] 20 | system_ldap_access_unix_groups: [] 21 | system_ldap_access_filter_users: [] 22 | system_ldap_tls_reqcert: 23 | system_ldap_case_sensitive: false 24 | system_ldap_user_name: sAMAccountName 25 | system_ldap_user_principal: userPrincipalName 26 | system_ldap_user_gecos: title 27 | system_ldap_user_object_class: user 28 | system_ldap_group_name: cn 29 | system_ldap_group_object_class: group 30 | system_ldap_user_uid_number: uidNumber 31 | system_ldap_user_gid_number: gidNumber 32 | system_ldap_group_gid_number: gidNumber 33 | system_ldap_pwd_policy: none 34 | 
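--------------------------------------------------------------------------------
/files/pam_mkhomedir:
--------------------------------------------------------------------------------
Name: Create home directory during login
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required			pam_mkhomedir.so umask=0077 skel=/etc/skel

--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for ansible-role-system_ldap
- name: restart sssd
  service:
    name: sssd
    state: restarted

# Debian-family only: regenerates /etc/pam.d/common-* from the profiles in
# /usr/share/pam-configs (notified by the pam_mkhomedir copy task).
- name: run pam auth update
  shell: pam-auth-update --package

- name: restart sshd
  service:
    # "ssh" on Ubuntu 14.04 (vars/ubuntu-14.04.yml), "sshd" elsewhere (vars/main.yml)
    name: "{{ system_ldap_ssh_service }}"
    state: restarted
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  author: Musee Ullah
  description: Install and configure SSSD for system-level LDAP authentication
  company: FireEye, Inc.
  license: MIT
  min_ansible_version: 2.0
  platforms:
    - name: EL
      versions:
        - 6
        - 7
    - name: Ubuntu
      versions:
        - trusty
        - utopic
        - vivid
    - name: Debian
      versions:
        - jessie
        - wheezy
  galaxy_tags:
    - authentication
dependencies: []
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for ansible-role-system_ldap
- name: "Gather OS specific variables"
  # most specific file wins: distro-version, then distro, then OS family
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
    - "{{ ansible_distribution|lower }}.yml"
    - "{{ ansible_os_family|lower }}.yml"

- name: Install sssd, sssd-ldap, and sudo
  package:
    name: "{{ item }}"
    # NOTE(review): `latest` upgrades these packages on every run, so a run
    # can pull in a new sssd/sudo unrelated to the change being deployed;
    # `present` would make runs reproducible with respect to versions.
    state: latest
  with_items: "{{ system_ldap_packages }}"

- name: Copy SSSD configuration file
  # sssd.conf carries the LDAP bind password in cleartext
  # (ldap_default_authtok in templates/sssd.conf.j2), hence root-only 0600.
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    mode: 0600
    backup: yes
    owner: root
    group: root
  notify:
    - restart sssd

- name: Query SSSD in nsswitch.conf
  replace:
    dest: /etc/nsswitch.conf
    # append "sss" to each database line that does not already list it
    regexp: '^({{ item }}(?!.*\bsss\b).*)$'
    replace: '\1 sss'
    backup: yes
  with_items:
    - passwd
    - shadow
    - group
    - services
    - netgroup
    - automount

- name: Don't query SSSD for sudoers in nsswitch.conf
  # sudo rules are written to /etc/sudoers.d by the template tasks below;
  # sssd is not started with its sudo responder (see [sssd] services).
  replace:
    dest: /etc/nsswitch.conf
    regexp: '^(sudoers.*)(\bsss)(\b.*)$'
    replace: '\1 \3'
    backup: yes

# Each item inserts one pam_sss line before `before` unless a line matching
# `regexp` is already present, so re-runs do not duplicate entries.
- name: Query SSSD in pam.d/password-auth
  lineinfile:
    dest: /etc/pam.d/password-auth
    insertbefore: "{{ item.before }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  with_items:
    - { before: "^auth.*pam_deny.so",
        regexp: "^auth.*pam_sss.so",
        line: "auth sufficient pam_sss.so use_first_pass" }
    # rewrites the existing pam_unix account line (empty `before`);
    # presumably so pam_unix tolerates LDAP users without a local shadow entry
    - { before: "",
        regexp: "^account.*pam_unix.so",
        line: "account required pam_unix.so broken_shadow" }
    - { before: "^account.*pam_permit.so",
        regexp: "^account.*pam_sss.so",
        line: "account [default=bad success=ok user_unknown=ignore] pam_sss.so" }
    - { before: "^password.*pam_deny.so",
        regexp: "^password.*pam_sss.so",
        line: "password sufficient pam_sss.so use_authtok" }
    - { before: "^session.*pam_succeed_if.so",
        regexp: "^session.*pam_.*mkhomedir.so",
        line: "session optional pam_oddjob_mkhomedir.so umask=0077" }
    - { before: EOF,
        regexp: "^session.*pam_sss.so",
        line: "session optional pam_sss.so" }
  when: ansible_os_family == 'RedHat'

# Same entries as password-auth; system-auth is the stack used by local logins.
- name: Query SSSD in pam.d/system-auth
  lineinfile:
    dest: /etc/pam.d/system-auth
    insertbefore: "{{ item.before }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  with_items:
    - { before: "^auth.*pam_deny.so",
        regexp: "^auth.*pam_sss.so",
        line: "auth sufficient pam_sss.so use_first_pass" }
    - { before: "",
        regexp: "^account.*pam_unix.so",
        line: "account required pam_unix.so broken_shadow" }
    - { before: "^account.*pam_permit.so",
        regexp: "^account.*pam_sss.so",
        line: "account [default=bad success=ok user_unknown=ignore] pam_sss.so" }
    - { before: "^password.*pam_deny.so",
        regexp: "^password.*pam_sss.so",
        line: "password sufficient pam_sss.so use_authtok" }
    - { before: "^session.*pam_succeed_if.so",
        regexp: "^session.*pam_.*mkhomedir.so",
        line: "session optional pam_oddjob_mkhomedir.so umask=0077" }
    - { before: EOF,
        regexp: "^session.*pam_sss.so",
        line: "session optional pam_sss.so" }
  when: ansible_os_family == 'RedHat'

- name: Ensure home directories are created upon login on Debian
  # umask 0077 keeps new home directories private, in line with the
  # files/pam_mkhomedir profile and the pam_oddjob_mkhomedir lines above.
  lineinfile:
    dest: /etc/pam.d/common-account
    regexp: 'pam_mkhomedir\.so'
    line: "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077"
    state: present
  when: ansible_os_family == 'Debian'

- name: Start and enable auth services
  service:
    name: "{{ item }}"
    state: started
    enabled: yes
  with_items: "{{ system_ldap_services }}"

# sudoers.d drop-ins are root-only 0440, the mode visudo expects for them,
# and are syntax-checked before being put in place.
- name: Add LDAP users to sudoers
  template:
    src: ldap_sudo_users.j2
    dest: "/etc/sudoers.d/ldap_sudo_users"
    owner: root
    group: root
    mode: 0440
    validate: "visudo -cf %s"

- name: Add LDAP groups to sudoers
  template:
    src: ldap_sudo_groups.j2
    dest: "/etc/sudoers.d/ldap_sudo_groups"
    owner: root
    group: root
    mode: 0440
    validate: "visudo -cf %s"

- name: Add pam_mkhomedir for Debian machines
  copy:
    src: pam_mkhomedir
    dest: /usr/share/pam-configs/mkhomedir
  when: ansible_os_family == "Debian"
  notify:
    - run pam auth update

# Both blocks are appended at the end of sshd_config (blockinfile's default),
# which is where a Match block has to live: everything after it is scoped to
# the match. The block is present only when the feature is on AND the list is
# non-empty, so an empty "Match user"/"Match group" is never written; the
# result is validated with `sshd -T` before it replaces the live config.
- name: Allow/Disallow password authentication in SSHD config for users
  blockinfile:
    dest: /etc/ssh/sshd_config
    marker: "# {mark} ANSIBLE SYSTEM LDAP USER BLOCK"
    block: |
      Match user {{ system_ldap_access_filter_users | join(",") }}
          PasswordAuthentication yes
    validate: "/usr/sbin/sshd -T -f '%s'"
    state: "{{ 'present' if system_ldap_allow_passwordauth_in_sshd and system_ldap_access_filter_users else 'absent' }}"
  notify:
    - restart sshd

- name: Allow/Disallow password authentication in SSHD config for groups
  blockinfile:
    dest: /etc/ssh/sshd_config
    marker: "# {mark} ANSIBLE SYSTEM LDAP GROUP BLOCK"
    block: |
      Match group "{{ system_ldap_access_unix_groups | join(",") }}"
          PasswordAuthentication yes
    validate: "/usr/sbin/sshd -T -f '%s'"
    state: "{{ 'present' if system_ldap_allow_passwordauth_in_sshd and system_ldap_access_unix_groups else 'absent' }}"
  notify:
    - restart sshd
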
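--------------------------------------------------------------------------------
/templates/ldap_sudo_groups.j2:
--------------------------------------------------------------------------------
#{{ ansible_managed }}
{# one sudoers rule per group; spaces in a name are backslash-escaped as sudoers requires #}
{% for group in system_ldap_sudo_groups %}
%{{ group | replace(" ", "\ ") }} ALL=(ALL:ALL) ALL
{% endfor %}
--------------------------------------------------------------------------------
/templates/ldap_sudo_users.j2:
--------------------------------------------------------------------------------
#{{ ansible_managed }}
{# one sudoers rule per user; spaces are escaped the same way as in ldap_sudo_groups.j2 #}
{% for user in system_ldap_sudo_users %}
{{ user | replace(" ", "\ ") }} ALL=(ALL:ALL) ALL
{% endfor %}
--------------------------------------------------------------------------------
/templates/sssd.conf.j2:
--------------------------------------------------------------------------------
# {{ ansible_managed }}
{# one domain, no reason for multiple at time of writing #}
[domain/{{ system_ldap_domain }}]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
autofs_provider = ldap

{# connection configuration #}
ldap_schema = {{ system_ldap_schema }}
ldap_uri = {{ system_ldap_uris | join(',') }}
ldap_tls_cacertdir = /etc/ssl/certs
ldap_tls_cacert = /etc/ssl/certs/{{ system_ldap_cacert }}
{# enforces TLS for plain ldap:// URIs; redundant but harmless with ldaps:// #}
ldap_id_use_start_tls = True

{# search configuration #}
ldap_search_base = {{ system_ldap_search_base }}
ldap_default_bind_dn = {{ system_ldap_bind_dn }}
ldap_default_authtok_type = password
{# cleartext bind password: the task rendering this file installs it as root:root 0600 #}
ldap_default_authtok = {{ system_ldap_bind_password }}
cache_credentials = True
ldap_referrals = False

{# filter configuration #}
{% if system_ldap_group_search_filter %}
ldap_group_search_filter = {{ system_ldap_group_search_filter }}
{% endif %}
{% if system_ldap_user_search_filter %}
ldap_user_search_filter = {{ system_ldap_user_search_filter }}
{% endif %}
{% if system_ldap_group_search_base %}
ldap_group_search_base = {{ system_ldap_group_search_base }}
{% endif %}
{% if system_ldap_user_search_base %}
ldap_user_search_base = {{ system_ldap_user_search_base }}
{% endif %}

{# Host access control: the account must not be disabled (userAccountControl
   bit 2 = ACCOUNTDISABLE, tested with the bitwise-AND matching rule OID) and
   must be a member of one of the listed groups or be one of the listed users.
   Each value is wrapped in its own filter term (memberOf=<dn>) / (<attr>=<name>),
   with the user attribute taken from system_ldap_user_name so it agrees with
   ldap_user_name below. Values are inserted verbatim: a DN or name containing
   LDAP filter metacharacters must be escaped by whoever sets the variable.
   NOTE(review): with both lists empty this renders "(|)", which is not a
   valid filter; at least one group or user is expected. #}
ldap_access_filter = (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|{{ system_ldap_access_filter_groups | map('regex_replace', '^(.*)$', '(memberOf=\\1)') | join('') }}{{ system_ldap_access_filter_users | map('regex_replace', '^(.*)$', '(' ~ system_ldap_user_name ~ '=\\1)') | join('') }}))

{# mapping/attribute configuration #}
case_sensitive = {{ system_ldap_case_sensitive }}
ldap_user_name = {{ system_ldap_user_name }}
ldap_user_principal = {{ system_ldap_user_principal }}
ldap_user_gecos = {{ system_ldap_user_gecos }}
ldap_user_object_class = {{ system_ldap_user_object_class }}
ldap_group_name = {{ system_ldap_group_name }}
ldap_group_object_class = {{ system_ldap_group_object_class }}
ldap_user_uid_number = {{ system_ldap_user_uid_number }}
ldap_user_gid_number = {{ system_ldap_user_gid_number }}
ldap_group_gid_number = {{ system_ldap_group_gid_number }}
ldap_pwd_policy = {{ system_ldap_pwd_policy }}
default_shell = /bin/bash
override_homedir = /home/%u

{# falls back to the domain label when no realm is given #}
krb5_realm = {{ system_ldap_krb5_realm | default(system_ldap_domain, true) }}

{# when unset, sssd's own default for ldap_tls_reqcert (hard) applies #}
{% if system_ldap_tls_reqcert %}
ldap_tls_reqcert = {{ system_ldap_tls_reqcert }}
{% endif %}

[sssd]
{# no "sudo" responder: sudo rules come from /etc/sudoers.d, not from LDAP #}
services = nss, pam, autofs
config_file_version = 2

domains = {{ system_ldap_domain }}

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

--------------------------------------------------------------------------------
/templates/sudo_group.j2:
--------------------------------------------------------------------------------
{# not referenced by tasks/main.yml; the per-group rule is rendered by ldap_sudo_groups.j2 #}
%{{ item }} ALL=(ALL:ALL) ALL
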
-------------------------------------------------------------------------------- /tests/group_vars/all/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | system_ldap_domain: FIREEYE.COM 3 | system_ldap_search_base: OU=Locations,DC=FireEye,DC=com 4 | system_ldap_uris: 5 | - ldaps://srv-ussc-dc01e.fireeye.com:636 6 | - ldaps://srv-ussc-dc02e.fireeye.com:636 7 | system_ldap_bind_dn: cn=MalwareResearch_LDAP,OU=Service Accounts,OU=Menlo Park,dc=FireEye,dc=com 8 | system_ldap_access_filter_groups: 9 | - CN=FireEye-All,OU=Security Groups,OU=Milpitas,OU=United States,OU=Locations,DC=FireEye,DC=com 10 | system_ldap_sudo_groups: 11 | - felabs_ops 12 | system_ldap_sudo_users: 13 | - musee.ullah 14 | -------------------------------------------------------------------------------- /tests/group_vars/all/secrets.yml: -------------------------------------------------------------------------------- 1 | $ANSIBLE_VAULT;1.1;AES256 2 | 32373664616165326137336430363934393937623230666130386364353965343036663661363366 3 | 6666363231353065373264323437303064393838336633620a626534323830643361336463623961 4 | 65356332653564353539393932306166623863613564633937373431386537376135623333643565 5 | 3536623665363839310a303561363761383032313964323664346263346537623334333630383835 6 | 36306338313834373764356464663138646633363463633033316239613331306666616237363732 7 | 6434363462363966363435373862323262343862393538613364 8 | -------------------------------------------------------------------------------- /tests/playbook.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: all 3 | remote_user: vagrant 4 | roles: 5 | - system_ldap 6 | become: True 7 | -------------------------------------------------------------------------------- /tests/roles/system_ldap: -------------------------------------------------------------------------------- 1 | ../../ 
-------------------------------------------------------------------------------- /tests/travis.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: all 3 | remote_user: root 4 | roles: 5 | - ansible-role-system_ldap 6 | -------------------------------------------------------------------------------- /vars/debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for Debian-based distros 3 | system_ldap_packages: 4 | - sssd 5 | - sssd-ldap 6 | - sudo 7 | system_ldap_services: 8 | - sssd 9 | system_ldap_cacert: ca-certificates.crt 10 | -------------------------------------------------------------------------------- /vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for ansible-role-system_ldap 3 | system_ldap_ssh_service: sshd 4 | -------------------------------------------------------------------------------- /vars/redhat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for RedHat-based distros 3 | system_ldap_packages: 4 | - sssd 5 | - sssd-ldap 6 | - sudo 7 | - oddjob-mkhomedir 8 | system_ldap_services: 9 | - sssd 10 | - messagebus 11 | - oddjobd 12 | system_ldap_cacert: ca-bundle.crt 13 | -------------------------------------------------------------------------------- /vars/ubuntu-14.04.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for Debian-based distros 3 | system_ldap_packages: 4 | - sssd 5 | - sssd-ldap 6 | - sudo 7 | system_ldap_services: 8 | - sssd 9 | system_ldap_cacert: ca-certificates.crt 10 | system_ldap_ssh_service: ssh 11 | --------------------------------------------------------------------------------