From b5099fd4a9b3db9634278aeb23b57ffb4b8a7a8a Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sat, 19 May 2018 22:40:17 +0000
Subject: [PATCH] add ldap
---
 packer/ansible/playbook.yml | 4 +++
 packer/ansible/roles/auth/files/mkhomedir | 6 ++++
 packer/ansible/roles/auth/files/nsswitch.conf | 15 +++++++++
 packer/ansible/roles/auth/handlers/main.yml | 14 ++++++++
 packer/ansible/roles/auth/tasks/ldap.yml | 33 +++++++++++++++++++
 packer/ansible/roles/auth/tasks/main.yml | 3 ++
 .../ansible/roles/auth/templates/ldap.conf.j2 | 6 ++++
 .../roles/auth/templates/nslcd.conf.j2 | 26 +++++++++++++++
 8 files changed, 107 insertions(+)
 create mode 100644 packer/ansible/roles/auth/files/mkhomedir
 create mode 100644 packer/ansible/roles/auth/files/nsswitch.conf
 create mode 100644 packer/ansible/roles/auth/handlers/main.yml
 create mode 100644 packer/ansible/roles/auth/tasks/ldap.yml
 create mode 100644 packer/ansible/roles/auth/templates/ldap.conf.j2
 create mode 100644 packer/ansible/roles/auth/templates/nslcd.conf.j2
diff --git a/packer/ansible/playbook.yml b/packer/ansible/playbook.yml
index 8b6c739..f803638 100644
--- a/packer/ansible/playbook.yml
+++ b/packer/ansible/playbook.yml
@@ -36,6 +36,10 @@ auth:
 sudo:
 group: fablab
+ ldap:
+ protocol: ldap
+ server: ldap.fablab-nea.de
+ base: dc=ldap,dc=fablab-nea,dc=de
 l10n:
 keyboard:
 layout: de
diff --git a/packer/ansible/roles/auth/files/mkhomedir b/packer/ansible/roles/auth/files/mkhomedir
new file mode 100644
index 0000000..f1dfd66
--- /dev/null
+++ b/packer/ansible/roles/auth/files/mkhomedir
@@ -0,0 +1,6 @@
+Name: Create home directory during login
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session:
+ required pam_mkhomedir.so umask=0027 skel=/etc/skel
diff --git a/packer/ansible/roles/auth/files/nsswitch.conf b/packer/ansible/roles/auth/files/nsswitch.conf
new file mode 100644
index 0000000..043652a
--- /dev/null
+++ b/packer/ansible/roles/auth/files/nsswitch.conf
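Review bot: The new `protocol: ldap` value is not a free choice, because the nslcd template added in this commit hard-codes `ssl start_tls`, and STARTTLS is only meaningful on a plain `ldap://` connection; someone later switching this to `ldaps` would, as far as I can tell, leave nslcd unable to negotiate TLS at all. That coupling is invisible from the playbook, so it deserves a comment next to the key, e.g. `# must be "ldap": roles/auth/templates/nslcd.conf.j2 forces STARTTLS, which does not work over ldaps://`. If ldaps is ever wanted, the `ssl` directive in nslcd.conf.j2 should be derived from this variable rather than fixed.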
@@ -0,0 +1,15 @@
+passwd: compat ldap
+group: compat ldap
+shadow: compat ldap
+gshadow: files
+
+hosts: files dns
+networks: files ldap
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+
diff --git a/packer/ansible/roles/auth/handlers/main.yml b/packer/ansible/roles/auth/handlers/main.yml
new file mode 100644
index 0000000..d1e48c6
--- /dev/null
+++ b/packer/ansible/roles/auth/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+- name: restart nslcd
+ service:
+ name: nslcd
+ state: restarted
+ notify: restart nscd
+
+- name: restart nscd
+ service:
+ name: nscd
+ state: restarted
+
+- name: update pam
+ command: pam-auth-update --package
diff --git a/packer/ansible/roles/auth/tasks/ldap.yml b/packer/ansible/roles/auth/tasks/ldap.yml
new file mode 100644
index 0000000..aab6498
--- /dev/null
+++ b/packer/ansible/roles/auth/tasks/ldap.yml
@@ -0,0 +1,33 @@
+---
+- name: install ldap packages
+ apt:
+ name: "libnss-ldapd"
+ state: present
+
+- name: add ldap global config
+ template:
+ src: ldap.conf.j2
+ dest: /etc/ldap/ldap.conf
+
+- name: configure nsswitch
+ copy:
+ src: nsswitch.conf
+ dest: /etc/nsswitch.conf
+ owner: root
+ group: root
+ mode: '0640'
+
+- name: configure nslcd
+ template:
+ src: nslcd.conf.j2
+ dest: /etc/nslcd.conf
+ owner: root
+ group: root
+ mode: '0640'
+ notify: restart nslcd
+
+- name: add pam config for automated creation of the home directory
+ copy:
+ src: mkhomedir
+ dest: /usr/share/pam-configs/mkhomedir
+ notify: update pam
diff --git a/packer/ansible/roles/auth/tasks/main.yml b/packer/ansible/roles/auth/tasks/main.yml
index e13fe8d..84ac237 100644
--- a/packer/ansible/roles/auth/tasks/main.yml
+++ b/packer/ansible/roles/auth/tasks/main.yml
@@ -1,3 +1,6 @@
 ---
 - import_tasks: debug.yml
+- import_tasks: ldap.yml
+ tags:
+ - auth:ldap
 - import_tasks: sudo.yml
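Review bot: `shadow: compat ldap` only does something if the directory hands out password hashes to this client, and the nslcd template in this commit binds anonymously (`binddn`/`bindpw` are left commented out), so this line effectively asks the LDAP server to expose userPassword to any unauthenticated client on the network. The installed package set is only libnss-ldapd (no libpam-ldapd), which suggests pam_unix is meant to authenticate against those exported hashes; the usual safer layout is to keep `shadow: files` (or `compat`), add libpam-ldapd and let the user bind with their own password. The `netgroup: nis` entry also references a NIS source that nothing in this change configures, so `netgroup: files` (or `files ldap`) would be more honest. A one-line comment at the top of the file saying which map actually comes from LDAP and why would help the next maintainer.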
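Review bot: The `restart nslcd` handler chains into `restart nscd`, but nothing in this change installs nscd (the apt task adds only libnss-ldapd), so on a fresh image the chained handler will fail with an unknown service unless nscd happens to come in as a dependency. Either add `nscd` to the apt task's package list so the dependency is explicit, or guard the handler, e.g. `when: "'nscd' in ansible_facts.packages"` with a preceding `package_facts` call. A short comment on the notify line noting that nscd caches passwd/group answers and must be flushed after nslcd restarts would also explain why the chain exists.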
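Review bot: `mode: '0640'` on `/etc/nsswitch.conf` in the "configure nsswitch" task breaks name resolution for every unprivileged process: glibc reads this file from within each process, and when a non-root process cannot open it, it silently falls back to built-in defaults, so LDAP users will not be able to resolve their own uid in their own shell even though root-run login succeeds. The file is world-readable on stock Debian for exactly this reason; change the task to `mode: '0644'`. Restricting `/etc/nslcd.conf` to 0640 is fine since nslcd reads it as root before dropping to the `nslcd` user, though Debian ships it as `root:nslcd`, so `group: nslcd` would match the package convention.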
diff --git a/packer/ansible/roles/auth/templates/ldap.conf.j2 b/packer/ansible/roles/auth/templates/ldap.conf.j2
new file mode 100644
index 0000000..71964af
--- /dev/null
+++ b/packer/ansible/roles/auth/templates/ldap.conf.j2
@@ -0,0 +1,6 @@
+BASE {{ auth.ldap.base }}
+URI {{ auth.ldap.protocol }}://{{ auth.ldap.server }}
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
diff --git a/packer/ansible/roles/auth/templates/nslcd.conf.j2 b/packer/ansible/roles/auth/templates/nslcd.conf.j2
new file mode 100644
index 0000000..518d7c5
--- /dev/null
+++ b/packer/ansible/roles/auth/templates/nslcd.conf.j2
@@ -0,0 +1,26 @@
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri {{ auth.ldap.protocol }}://{{ auth.ldap.server }}/
+
+# The search base that will be used for all queries.
+base {{ auth.ldap.base }}
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+ssl start_tls
+#tls_reqcert never
+
+# The search scope.
+#scope sub
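Review bot: This template overwrites `/etc/ldap/ldap.conf` with only `BASE` and `URI`, and on Debian the packaged file it replaces ships `TLS_CACERT /etc/ssl/certs/ca-certificates.crt`; after this change every libldap client that reads the global config (ldapsearch, ldappasswd, any PAM/NSS module that falls back to it) has no explicitly configured trust anchor, and whether the library default verifies against the system store depends on how libldap was built. Add `TLS_CACERT /etc/ssl/certs/ca-certificates.crt` and `TLS_REQCERT demand` so certificate verification is pinned in the file rather than inherited. The commented `SIZELIMIT`/`TIMELIMIT`/`DEREF` lines are copied from the stock file and could carry a `# defaults left as shipped by Debian` note so nobody assumes they are intentional tuning.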
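Review bot: `ssl start_tls` turns encryption on, but the template sets neither `tls_reqcert` nor `tls_cacertfile`, so whether nslcd actually verifies the server certificate rests on the libldap default, and the commented `#tls_reqcert never` example directly underneath is one uncomment away from silently disabling verification and enabling a trivial MITM on the identity source. Make the intent explicit with `tls_reqcert demand` and `tls_cacertfile /etc/ssl/certs/ca-certificates.crt` (or a pinned CA file deployed by the role), and drop the `never` example. The `uri` line also interpolates `auth.ldap.protocol` while `ssl start_tls` is fixed, which only makes sense for `ldap://`; a comment such as `# start_tls requires a plain ldap:// uri; use "ssl on" with ldaps:// instead` would prevent a misconfiguration that is hard to diagnose from nslcd's logs.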