diff --git a/packer/ansible/playbook.yml b/packer/ansible/playbook.yml index 8b6c739..f803638 100644 --- a/packer/ansible/playbook.yml +++ b/packer/ansible/playbook.yml @@ -36,6 +36,10 @@ auth: sudo: group: fablab + ldap: + protocol: ldap + server: ldap.fablab-nea.de + base: dc=ldap,dc=fablab-nea,dc=de l10n: keyboard: layout: de diff --git a/packer/ansible/roles/auth/files/ldapca.pem b/packer/ansible/roles/auth/files/ldapca.pem new file mode 100644 index 0000000..e3ab2d4 --- /dev/null +++ b/packer/ansible/roles/auth/files/ldapca.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5jCCAs6gAwIBAgIJAPtqBuTAclYRMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD +VQQGEwJERTEQMA4GA1UECAwHQmF2YXJpYTEWMBQGA1UEBwwNQmFkIFdpbmRzaGVp +bTETMBEGA1UECgwKRmFiTGFiIE5FQTEWMBQGA1UEAwwNZmFibGFiLW5lYS5kZTEh +MB8GCSqGSIb3DQEJARYSaW5mb0BmYWJsYWItbmVhLmRlMB4XDTE4MDUxNzE3NDIz +OFoXDTI4MDIxNDE3NDIzOFowgYcxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZh +cmlhMRYwFAYDVQQHDA1CYWQgV2luZHNoZWltMRMwEQYDVQQKDApGYWJMYWIgTkVB +MRYwFAYDVQQDDA1mYWJsYWItbmVhLmRlMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGZh +YmxhYi1uZWEuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD8ldQ +/azjfG6yUPi86f9adQxy4kV/MjSu+VViHILPBYwByB9FpJ9vp6kpTZpWpRk1NHqS +YYc4MwYNo/bi2hO+b6ZP3D5OGnLdud6X0zHAH9751Svw/4y9CY5a/WrAp/TND7M0 +wpi7SpyMJdJpuPGa53s6hGjIfcFwpF4TJD3UJJZsXghsOsKpq13JRiERZ1BGOJJD +HPzr6BdWdH40IakNa7PS+ZFdHJ2qTTBinZIjc4lOe5WRK6ZmAB5kZpv3h8vxgpqu +E6c0IlBu8U+0yQXdxhw98xJ5jwknANROaEWSBqR8tD1LAIARAEbTYWmkmdULnPz3 +Kq86PzZ9ac/vh86TAgMBAAGjUzBRMB0GA1UdDgQWBBRESu5pvADeGZ5BRGep+5g0 +OkulezAfBgNVHSMEGDAWgBRESu5pvADeGZ5BRGep+5g0OkulezAPBgNVHRMBAf8E +BTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCF5nZ/FORMg9ug+kAWTT4NQMt7YALg +VCYWg34xWLU7Tk9O6yAoa5O+SABYXIr0oNU7mdqZPeOKTNpOQOeg1RyXB74g3wrP +gKRjbG3vWG53FLuNfeEhC0hC1ThFy2mXsIvgW0Q+29PoCeipT8Q62/UDx4CZkZBO +uVJ+jjl7WH/MJJWMJXCxDvqyM12MqlLCkfxiVnRD5XNHRRoVK3gHI07FVnTVEjIb +SQCsn1DtCJG27xbizLuf1ipYwLvLm+zPKBs6pVqqT6oDbgltaDqzg1dvAZuk4XX8 +DcW65+UEiDe7xXmYUREj0E7FvCNHNY2xZPHGEUUbIOvNZmj836gS1/fR +-----END CERTIFICATE----- 
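Review bot: The new `auth.ldap.protocol: ldap` value gives a cleartext `ldap://` URI on its own; what actually encrypts the connection is the hard-coded `ssl start_tls` in the nslcd template later in this diff, and nothing in the playbook records that coupling. Anyone switching this to `ldaps` would likely get a template that attempts STARTTLS on a port that already speaks TLS, while anyone dropping the nslcd line would silently downgrade NSS lookups to plaintext. I would document it where the value is set: `# "ldap" means STARTTLS on 389 (nslcd.conf.j2 forces "ssl start_tls"); keep the two in sync`. The `auth:` mapping this hunk extends starts above the hunk.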
diff --git a/packer/ansible/roles/auth/files/mkhomedir b/packer/ansible/roles/auth/files/mkhomedir new file mode 100644 index 0000000..f1dfd66 --- /dev/null +++ b/packer/ansible/roles/auth/files/mkhomedir @@ -0,0 +1,6 @@ +Name: Create home directory during login +Default: yes +Priority: 900 +Session-Type: Additional +Session: + required pam_mkhomedir.so umask=0027 skel=/etc/skel diff --git a/packer/ansible/roles/auth/files/nsswitch.conf b/packer/ansible/roles/auth/files/nsswitch.conf new file mode 100644 index 0000000..043652a --- /dev/null +++ b/packer/ansible/roles/auth/files/nsswitch.conf @@ -0,0 +1,15 @@ +passwd: compat ldap +group: compat ldap +shadow: compat ldap +gshadow: files + +hosts: files dns +networks: files ldap + +protocols: db files +services: db files +ethers: db files +rpc: db files + +netgroup: nis + diff --git a/packer/ansible/roles/auth/handlers/main.yml b/packer/ansible/roles/auth/handlers/main.yml new file mode 100644 index 0000000..d1e48c6 --- /dev/null +++ b/packer/ansible/roles/auth/handlers/main.yml @@ -0,0 +1,14 @@ +--- +- name: restart nslcd + service: + name: nslcd + state: restarted + notify: restart nscd + +- name: restart nscd + service: + name: nscd + state: restarted + +- name: update pam + command: pam-auth-update --package diff --git a/packer/ansible/roles/auth/tasks/ldap.yml b/packer/ansible/roles/auth/tasks/ldap.yml new file mode 100644 index 0000000..dd8926e --- /dev/null +++ b/packer/ansible/roles/auth/tasks/ldap.yml 
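Review bot: `required pam_mkhomedir.so` in the new profile makes the session fail whenever the home directory cannot be created (read-only or full `/home`, for example), whereas Debian's own profile for this module uses `optional`, as far as I recall, so a login still proceeds without a home. Failing closed may well be intended on a shared lab machine, but the profile should say so: `# required on purpose: no session without a home directory`. `Default: yes` also means `pam-auth-update --package` enables the profile without prompting, which is what the handler in this diff relies on, so that is worth a second comment line.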
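Review bot: The `restart nscd` handler, also chained from `restart nslcd` via `notify`, assumes nscd is installed, but the apt task in this diff installs only `libnss-ldapd`; unless nscd arrives as a dependency of that package, the chained restart will fail and abort the play right after the first nslcd restart. Either install it explicitly in the apt task (`name: [libnss-ldapd, nscd]`) or drop the chain and restart nscd only where it is known to exist. The chain itself is the right idea, since a cache daemon that keeps serving stale passwd/group entries after a CA or server change is exactly what it guards against, so keep the restart and fix the precondition.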
@@ -0,0 +1,39 @@ +--- +- name: install ldap packages + apt: + name: "libnss-ldapd" + state: present + +# TODO: remove this step and switch to Let’s encrypt +- name: add ldap ca cert + copy: + src: ldapca.pem + dest: /etc/ssl/certs/ldapca.pem + +- name: add ldap global config + template: + src: ldap.conf.j2 + dest: /etc/ldap/ldap.conf + +- name: configure nsswitch + copy: + src: nsswitch.conf + dest: /etc/nsswitch.conf + owner: root + group: root + mode: '0640' + +- name: configure nslcd + template: + src: nslcd.conf.j2 + dest: /etc/nslcd.conf + owner: root + group: root + mode: '0640' + notify: restart nslcd + +- name: add pam config for automated creation of the home directory + copy: + src: mkhomedir + dest: /usr/share/pam-configs/mkhomedir + notify: update pam diff --git a/packer/ansible/roles/auth/tasks/main.yml b/packer/ansible/roles/auth/tasks/main.yml index e13fe8d..84ac237 100644 --- a/packer/ansible/roles/auth/tasks/main.yml +++ b/packer/ansible/roles/auth/tasks/main.yml @@ -1,3 +1,6 @@ --- - import_tasks: debug.yml +- import_tasks: ldap.yml + tags: + - auth:ldap - import_tasks: sudo.yml diff --git a/packer/ansible/roles/auth/templates/ldap.conf.j2 b/packer/ansible/roles/auth/templates/ldap.conf.j2 new file mode 100644 index 0000000..5a83fd4 --- /dev/null +++ b/packer/ansible/roles/auth/templates/ldap.conf.j2 @@ -0,0 +1,10 @@ +BASE {{ auth.ldap.base }} +URI {{ auth.ldap.protocol }}://{{ auth.ldap.server }} + +#SIZELIMIT 12 +#TIMELIMIT 15 +#DEREF never + +# TLS certificates +# TODO: replace/omit to use system bundle and Let’s encrypt +TLS_CACERT /etc/ssl/certs/ldapca.pem diff --git a/packer/ansible/roles/auth/templates/nslcd.conf.j2 b/packer/ansible/roles/auth/templates/nslcd.conf.j2 new file mode 100644 index 0000000..63f0010 --- /dev/null +++ b/packer/ansible/roles/auth/templates/nslcd.conf.j2 
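Review bot: The `configure nsswitch` task installs `/etc/nsswitch.conf` with `mode: '0640'` and `group: root`, which makes the file unreadable to every unprivileged process; glibc then falls back to its compiled-in NSS defaults (no ldap), so non-root programs (`id`, `ls -l`, any daemon running as its own user) would not resolve LDAP users and groups at all while root would — a confusing split, and for no gain, since the file holds no secrets. It should be world-readable like the distribution-shipped file: `mode: '0644'`. The `0640` on `/etc/nslcd.conf` is the right call for that file, which may carry `bindpw`. Separately, the `add ldap ca cert` task has no `notify: restart nslcd`, so a rotated CA only takes effect on the next unrelated restart of the daemon.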
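Review bot: `TLS_CACERT` pins the private CA but the template sets no `TLS_REQCERT`, so certificate verification for the libldap clients that read this file rests on the library default (`demand` in stock libldap, but it can be overridden by distribution builds or the `LDAPTLS_REQCERT` environment variable). Making it explicit costs one line and documents the intent next to the TODO: `TLS_REQCERT demand`. Note also that `ldap.conf` does not by itself force STARTTLS for command-line tools — `ldapsearch` still needs `-ZZ` — which is worth a comment so nobody assumes the `ldap://` URI is protected here.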
@@ -0,0 +1,28 @@
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri {{ auth.ldap.protocol }}://{{ auth.ldap.server }}/
+
+# The search base that will be used for all queries.
+base {{ auth.ldap.base }}
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+ssl start_tls
+#tls_reqcert never
+# TODO: replace with system bundle for Let’s encrypt usage
+tls_cacertfile /etc/ssl/certs/ldapca.pem
+
+# The search scope.
+#scope sub
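Review bot: `ssl start_tls` is hard-coded while the `uri` scheme comes from `auth.ldap.protocol`, so the two can disagree: if the variable is ever set to `ldaps`, nslcd would attempt STARTTLS on a port that already speaks TLS and lookups would fail. Derive one from the other, e.g. `ssl {{ 'on' if auth.ldap.protocol == 'ldaps' else 'start_tls' }}`, or drop the variable and keep `ldap` plus `start_tls` fixed. In the same block `tls_reqcert` appears only as a commented-out `never`; since the whole point of shipping `tls_cacertfile` is to verify the server, state `tls_reqcert demand` explicitly rather than relying on the default, so that a future uncomment of `never` reads as a deliberate downgrade. The lookups use an anonymous bind (`binddn` and `bindpw` commented out), which is only sufficient if the directory's ACLs permit anonymous reads of the shadow attributes that the new `nsswitch.conf` (`shadow: compat ldap`) expects to resolve.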