From b5099fd4a9b3db9634278aeb23b57ffb4b8a7a8a Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sat, 19 May 2018 22:40:17 +0000
Subject: [PATCH 1/2] add ldap
---
 packer/ansible/playbook.yml | 4 +++
 packer/ansible/roles/auth/files/mkhomedir | 6 ++++
 packer/ansible/roles/auth/files/nsswitch.conf | 15 +++++++++
 packer/ansible/roles/auth/handlers/main.yml | 14 ++++++++
 packer/ansible/roles/auth/tasks/ldap.yml | 33 +++++++++++++++++++
 packer/ansible/roles/auth/tasks/main.yml | 3 ++
 .../ansible/roles/auth/templates/ldap.conf.j2 | 6 ++++
 .../roles/auth/templates/nslcd.conf.j2 | 26 +++++++++++++++
 8 files changed, 107 insertions(+)
 create mode 100644 packer/ansible/roles/auth/files/mkhomedir
 create mode 100644 packer/ansible/roles/auth/files/nsswitch.conf
 create mode 100644 packer/ansible/roles/auth/handlers/main.yml
 create mode 100644 packer/ansible/roles/auth/tasks/ldap.yml
 create mode 100644 packer/ansible/roles/auth/templates/ldap.conf.j2
 create mode 100644 packer/ansible/roles/auth/templates/nslcd.conf.j2

diff --git a/packer/ansible/playbook.yml b/packer/ansible/playbook.yml
index 8b6c739..f803638 100644
--- a/packer/ansible/playbook.yml
+++ b/packer/ansible/playbook.yml
@@ -36,6 +36,10 @@
 auth:
   sudo:
     group: fablab
+  ldap:
+    protocol: ldap
+    server: ldap.fablab-nea.de
+    base: dc=ldap,dc=fablab-nea,dc=de
 l10n:
   keyboard:
     layout: de
diff --git a/packer/ansible/roles/auth/files/mkhomedir b/packer/ansible/roles/auth/files/mkhomedir
new file mode 100644
index 0000000..f1dfd66
--- /dev/null
+++ b/packer/ansible/roles/auth/files/mkhomedir
@@ -0,0 +1,6 @@
+Name: Create home directory during login
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session:
+	required pam_mkhomedir.so umask=0027 skel=/etc/skel
diff --git a/packer/ansible/roles/auth/files/nsswitch.conf b/packer/ansible/roles/auth/files/nsswitch.conf
new file mode 100644
index 0000000..043652a
--- /dev/null
+++ b/packer/ansible/roles/auth/files/nsswitch.conf
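Review bot: `protocol: ldap` makes the `URI` rendered by ldap.conf.j2 a plaintext `ldap://` endpoint for every libldap client on the image, because libldap does not negotiate StartTLS by itself and ldap.conf offers no option to force it; only nslcd is protected, via `ssl start_tls` in nslcd.conf.j2, so `ldapsearch`/`ldappasswd` run without `-ZZ` send binds and results in the clear. Either set `protocol: ldaps` here (with the server listening on the ldaps port) or document the asymmetry next to the variable, e.g. `# plain ldap://; nslcd upgrades with start_tls, libldap clients must pass -ZZ`. The same applies to the ldap.conf.j2 hunks in both patches of this series, where `TLS_CACERT` only matters once TLS is actually negotiated. The enclosing mapping begins before this hunk.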
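Review bot: `umask=0027` on the pam_mkhomedir line creates home directories as 0750, so every member of a user's primary group can list that home and read any file the user creates with default permissions. If the LDAP accounts share a single primary group (common with one `users` gidNumber), that is effectively cross-user read access; `umask=0077` gives 0700 homes and is the safer default: `	required pam_mkhomedir.so umask=0077 skel=/etc/skel`. If group-readable homes are intended, a comment above the `Session:` line saying so would keep a later reader from tightening it blindly.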
@@ -0,0 +1,15 @@
+passwd: compat ldap
+group: compat ldap
+shadow: compat ldap
+gshadow: files
+
+hosts: files dns
+networks: files ldap
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+
diff --git a/packer/ansible/roles/auth/handlers/main.yml b/packer/ansible/roles/auth/handlers/main.yml
new file mode 100644
index 0000000..d1e48c6
--- /dev/null
+++ b/packer/ansible/roles/auth/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+- name: restart nslcd
+  service:
+    name: nslcd
+    state: restarted
+  notify: restart nscd
+
+- name: restart nscd
+  service:
+    name: nscd
+    state: restarted
+
+- name: update pam
+  command: pam-auth-update --package
diff --git a/packer/ansible/roles/auth/tasks/ldap.yml b/packer/ansible/roles/auth/tasks/ldap.yml
new file mode 100644
index 0000000..aab6498
--- /dev/null
+++ b/packer/ansible/roles/auth/tasks/ldap.yml
@@ -0,0 +1,33 @@
+---
+- name: install ldap packages
+  apt:
+    name: "libnss-ldapd"
+    state: present
+
+- name: add ldap global config
+  template:
+    src: ldap.conf.j2
+    dest: /etc/ldap/ldap.conf
+
+- name: configure nsswitch
+  copy:
+    src: nsswitch.conf
+    dest: /etc/nsswitch.conf
+    owner: root
+    group: root
+    mode: '0640'
+
+- name: configure nslcd
+  template:
+    src: nslcd.conf.j2
+    dest: /etc/nslcd.conf
+    owner: root
+    group: root
+    mode: '0640'
+  notify: restart nslcd
+
+- name: add pam config for automated creation of the home directory
+  copy:
+    src: mkhomedir
+    dest: /usr/share/pam-configs/mkhomedir
+  notify: update pam
diff --git a/packer/ansible/roles/auth/tasks/main.yml b/packer/ansible/roles/auth/tasks/main.yml
index e13fe8d..84ac237 100644
--- a/packer/ansible/roles/auth/tasks/main.yml
+++ b/packer/ansible/roles/auth/tasks/main.yml
@@ -1,3 +1,6 @@
 ---
 - import_tasks: debug.yml
+- import_tasks: ldap.yml
+  tags:
+    - auth:ldap
 - import_tasks: sudo.yml
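Review bot: `shadow: compat ldap` on the third line only yields anything if nslcd can read `userPassword` from the directory, yet the nslcd.conf.j2 hunk leaves `binddn`/`bindpw` commented out, so lookups run as an anonymous bind, which directories typically do not hand password hashes to; the apt task also installs only `libnss-ldapd`, not `libpam-ldapd`, so there is no pam_ldap stack either. As committed, LDAP users will resolve through `getent passwd`/`id` but will presumably not be able to authenticate with their directory password — if that is intended (key-based SSH, local credentials), a comment in ldap.yml stating it would help; if not, `libpam-ldapd` needs installing and its pam-configs profile enabling through the existing `update pam` handler. Consider `passwd: files ldap` over `compat ldap` unless `+`/`-` compat entries are actually used in /etc/passwd.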
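Review bot: `restart nscd` restarts a service this role never installs — the apt task in ldap.yml lists only `libnss-ldapd` — so unless nscd arrives through Recommends or another role, the chained `notify: restart nscd` turns the first nslcd.conf change into a failed run. Prefer adding the package explicitly, `name: [libnss-ldapd, nscd]` in the apt task, over silencing the handler with `failed_when: false`, which would also hide a genuinely broken cache daemon. If nscd is deliberately optional, a comment on the `restart nscd` handler saying where it comes from is the minimum.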
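Review bot: `mode: '0640'` on the `configure nsswitch` task makes /etc/nsswitch.conf unreadable to non-root processes, but glibc reads that file from every process performing a name lookup; when it cannot be opened glibc falls back to its built-in defaults (`files` for passwd/group), so an unprivileged `id user` or `getent passwd` on this image will not see LDAP accounts while the same command as root will — a confusing failure mode. The stock file is 0644 and holds nothing sensitive, so use `mode: '0644'`. The 0640 root:root on `configure nslcd` is acceptable as long as nslcd reads its config as root before dropping to `uid nslcd`, but if a `bindpw` is ever added the Debian default `group: nslcd` is what the package expects.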
diff --git a/packer/ansible/roles/auth/templates/ldap.conf.j2 b/packer/ansible/roles/auth/templates/ldap.conf.j2
new file mode 100644
index 0000000..71964af
--- /dev/null
+++ b/packer/ansible/roles/auth/templates/ldap.conf.j2
@@ -0,0 +1,6 @@
+BASE {{ auth.ldap.base }}
+URI {{ auth.ldap.protocol }}://{{ auth.ldap.server }}
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
diff --git a/packer/ansible/roles/auth/templates/nslcd.conf.j2 b/packer/ansible/roles/auth/templates/nslcd.conf.j2
new file mode 100644
index 0000000..518d7c5
--- /dev/null
+++ b/packer/ansible/roles/auth/templates/nslcd.conf.j2
@@ -0,0 +1,26 @@
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri {{ auth.ldap.protocol }}://{{ auth.ldap.server }}/
+
+# The search base that will be used for all queries.
+base {{ auth.ldap.base }}
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+ssl start_tls
+#tls_reqcert never
+
+# The search scope.
+#scope sub
-- 
2.51.2

From af42dc63800d6cb905e6371512428b04f5856209 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sat, 19 May 2018 22:40:45 +0000
Subject: [PATCH 2/2] FIXME: add self signed cert
---
 packer/ansible/roles/auth/files/ldapca.pem | 23 +++++++++++++++++++
 packer/ansible/roles/auth/tasks/ldap.yml | 6 +++++
 .../ansible/roles/auth/templates/ldap.conf.j2 | 4 ++++
 .../roles/auth/templates/nslcd.conf.j2 | 2 ++
 4 files changed, 35 insertions(+)
 create mode 100644 packer/ansible/roles/auth/files/ldapca.pem

diff --git a/packer/ansible/roles/auth/files/ldapca.pem b/packer/ansible/roles/auth/files/ldapca.pem
new file mode 100644
index 0000000..e3ab2d4
--- /dev/null
+++ b/packer/ansible/roles/auth/files/ldapca.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5jCCAs6gAwIBAgIJAPtqBuTAclYRMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
+VQQGEwJERTEQMA4GA1UECAwHQmF2YXJpYTEWMBQGA1UEBwwNQmFkIFdpbmRzaGVp
+bTETMBEGA1UECgwKRmFiTGFiIE5FQTEWMBQGA1UEAwwNZmFibGFiLW5lYS5kZTEh
+MB8GCSqGSIb3DQEJARYSaW5mb0BmYWJsYWItbmVhLmRlMB4XDTE4MDUxNzE3NDIz
+OFoXDTI4MDIxNDE3NDIzOFowgYcxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZh
+cmlhMRYwFAYDVQQHDA1CYWQgV2luZHNoZWltMRMwEQYDVQQKDApGYWJMYWIgTkVB
+MRYwFAYDVQQDDA1mYWJsYWItbmVhLmRlMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGZh
+YmxhYi1uZWEuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD8ldQ
+/azjfG6yUPi86f9adQxy4kV/MjSu+VViHILPBYwByB9FpJ9vp6kpTZpWpRk1NHqS
+YYc4MwYNo/bi2hO+b6ZP3D5OGnLdud6X0zHAH9751Svw/4y9CY5a/WrAp/TND7M0
+wpi7SpyMJdJpuPGa53s6hGjIfcFwpF4TJD3UJJZsXghsOsKpq13JRiERZ1BGOJJD
+HPzr6BdWdH40IakNa7PS+ZFdHJ2qTTBinZIjc4lOe5WRK6ZmAB5kZpv3h8vxgpqu
+E6c0IlBu8U+0yQXdxhw98xJ5jwknANROaEWSBqR8tD1LAIARAEbTYWmkmdULnPz3
+Kq86PzZ9ac/vh86TAgMBAAGjUzBRMB0GA1UdDgQWBBRESu5pvADeGZ5BRGep+5g0
+OkulezAfBgNVHSMEGDAWgBRESu5pvADeGZ5BRGep+5g0OkulezAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCF5nZ/FORMg9ug+kAWTT4NQMt7YALg
+VCYWg34xWLU7Tk9O6yAoa5O+SABYXIr0oNU7mdqZPeOKTNpOQOeg1RyXB74g3wrP
+gKRjbG3vWG53FLuNfeEhC0hC1ThFy2mXsIvgW0Q+29PoCeipT8Q62/UDx4CZkZBO
+uVJ+jjl7WH/MJJWMJXCxDvqyM12MqlLCkfxiVnRD5XNHRRoVK3gHI07FVnTVEjIb
+SQCsn1DtCJG27xbizLuf1ipYwLvLm+zPKBs6pVqqT6oDbgltaDqzg1dvAZuk4XX8
+DcW65+UEiDe7xXmYUREj0E7FvCNHNY2xZPHGEUUbIOvNZmj836gS1/fR
+-----END CERTIFICATE-----
diff --git a/packer/ansible/roles/auth/tasks/ldap.yml b/packer/ansible/roles/auth/tasks/ldap.yml
index aab6498..dd8926e 100644
--- a/packer/ansible/roles/auth/tasks/ldap.yml
+++ b/packer/ansible/roles/auth/tasks/ldap.yml
@@ -4,6 +4,12 @@
     name: "libnss-ldapd"
     state: present
 
+# TODO: remove this step and switch to Let’s encrypt
+- name: add ldap ca cert
+  copy:
+    src: ldapca.pem
+    dest: /etc/ssl/certs/ldapca.pem
+
 - name: add ldap global config
   template:
     src: ldap.conf.j2
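Review bot: the new `add ldap ca cert` task copies the CA straight into /etc/ssl/certs, a directory that `update-ca-certificates` regenerates from the ca-certificates package and /usr/local/share/ca-certificates; a file dropped there by hand is never part of ca-certificates.crt, so the two TODO comments in this series about switching to the system bundle cannot land without relocating it anyway. Install it as a local CA and rebuild the bundle instead; ldap.conf.j2 and nslcd.conf.j2 can then point at /etc/ssl/certs/ca-certificates.crt and the certificate simply drops out when the TODO is done. The notified handler is a one-liner to add to handlers/main.yml, `command: update-ca-certificates` under `name: update ca certificates`. The task also sets no owner/mode; pinning them keeps the result independent of the controller's umask.
```yaml
# TODO: remove this step and switch to Let’s encrypt
- name: add ldap ca cert
  copy:
    src: ldapca.pem
    dest: /usr/local/share/ca-certificates/ldapca.crt
    owner: root
    group: root
    mode: '0644'
  notify: update ca certificates
```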
diff --git a/packer/ansible/roles/auth/templates/ldap.conf.j2 b/packer/ansible/roles/auth/templates/ldap.conf.j2
index 71964af..5a83fd4 100644
--- a/packer/ansible/roles/auth/templates/ldap.conf.j2
+++ b/packer/ansible/roles/auth/templates/ldap.conf.j2
@@ -4,3 +4,7 @@ URI {{ auth.ldap.protocol }}://{{ auth.ldap.server }}
 #SIZELIMIT 12
 #TIMELIMIT 15
 #DEREF never
+
+# TLS certificates
+# TODO: replace/omit to use system bundle and Let’s encrypt
+TLS_CACERT /etc/ssl/certs/ldapca.pem
diff --git a/packer/ansible/roles/auth/templates/nslcd.conf.j2 b/packer/ansible/roles/auth/templates/nslcd.conf.j2
index 518d7c5..63f0010 100644
--- a/packer/ansible/roles/auth/templates/nslcd.conf.j2
+++ b/packer/ansible/roles/auth/templates/nslcd.conf.j2
@@ -21,6 +21,8 @@ base {{ auth.ldap.base }}
 # SSL options
 ssl start_tls
 #tls_reqcert never
+# TODO: replace with system bundle for Let’s encrypt usage
+tls_cacertfile /etc/ssl/certs/ldapca.pem
 
 # The search scope.
 #scope sub
-- 
2.51.2
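Review bot: the CA path /etc/ssl/certs/ldapca.pem is now spelled out in three places — the copy task's `dest` in ldap.yml, `TLS_CACERT` in the ldap.conf.j2 hunk above, and `tls_cacertfile` here — so the TODO to move to the system bundle means editing all three in step. Put it beside the other LDAP settings in the playbook (e.g. a `cacert` key under `auth.ldap`) and render `{{ auth.ldap.cacert }}` from both templates and the task. While here, make the verification policy explicit with `tls_reqcert demand` rather than relying on the library default right next to the commented `#tls_reqcert never`, so a later uncomment of that line reads as a deliberate weakening instead of a silent one.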