From f7694cd28bb127d9839ecc872bb1133c76b2fd2b Mon Sep 17 00:00:00 2001
From: Jonathan DeMasi
Date: Sun, 25 Jan 2026 23:57:27 -0700
Subject: [PATCH] init ldap_client

---
 ansible/roles/ldap_client/defaults/main.yaml | 0
 ansible/roles/ldap_client/handlers/main.yaml | 5 +++
 .../roles/ldap_client/tasks/authselect.yaml | 9 ++++
 ansible/roles/ldap_client/tasks/install.yaml | 17 ++++++++
 ansible/roles/ldap_client/tasks/main.yaml | 3 ++
 ansible/roles/ldap_client/tasks/nsswitch.yaml | 6 +++
 ansible/roles/ldap_client/tasks/sssd.yaml | 15 +++++++
 .../ldap_client/tasks/templates/sssd.conf.j2 | 41 +++++++++++++++++++
 8 files changed, 96 insertions(+)
 create mode 100644 ansible/roles/ldap_client/defaults/main.yaml
 create mode 100644 ansible/roles/ldap_client/handlers/main.yaml
 create mode 100644 ansible/roles/ldap_client/tasks/authselect.yaml
 create mode 100644 ansible/roles/ldap_client/tasks/install.yaml
 create mode 100644 ansible/roles/ldap_client/tasks/main.yaml
 create mode 100644 ansible/roles/ldap_client/tasks/nsswitch.yaml
 create mode 100644 ansible/roles/ldap_client/tasks/sssd.yaml
 create mode 100644 ansible/roles/ldap_client/tasks/templates/sssd.conf.j2

diff --git a/ansible/roles/ldap_client/defaults/main.yaml b/ansible/roles/ldap_client/defaults/main.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/ldap_client/handlers/main.yaml b/ansible/roles/ldap_client/handlers/main.yaml
new file mode 100644
index 0000000..8121eba
--- /dev/null
+++ b/ansible/roles/ldap_client/handlers/main.yaml
@@ -0,0 +1,5 @@
+- name: restart sssd
+  service:
+    name: sssd
+    state: restarted
+
diff --git a/ansible/roles/ldap_client/tasks/authselect.yaml b/ansible/roles/ldap_client/tasks/authselect.yaml
new file mode 100644
index 0000000..09389e5
--- /dev/null
+++ b/ansible/roles/ldap_client/tasks/authselect.yaml
@@ -0,0 +1,9 @@
+- name: Check if authselect current is already using sssd
+  shell: 'authselect current | grep -Pzo "(?s)sssd.*?mkhomedir"'
+  register: grep_result
+  ignore_errors: true
+
+- name: Run authselect
+  command: authselect select sssd with-mkhomedir
+  when: grep_result.rc != 0
+
diff --git a/ansible/roles/ldap_client/tasks/install.yaml b/ansible/roles/ldap_client/tasks/install.yaml
new file mode 100644
index 0000000..5f59443
--- /dev/null
+++ b/ansible/roles/ldap_client/tasks/install.yaml
@@ -0,0 +1,17 @@
+- name: Install openldap client and other required packages
+  package:
+    name:
+      - openldap-clients
+      - sssd
+      - sssd-ldap
+      - oddjob-mkhomedir
+      - libsss_sudo
+    state: present
+  notify: restart sssd
+
+- name: Start and enable oddjobd
+  service:
+    name: oddjobd
+    state: started
+    enabled: true
+
diff --git a/ansible/roles/ldap_client/tasks/main.yaml b/ansible/roles/ldap_client/tasks/main.yaml
new file mode 100644
index 0000000..f1043dd
--- /dev/null
+++ b/ansible/roles/ldap_client/tasks/main.yaml
@@ -0,0 +1,3 @@
+- import_tasks: install.yaml
+- import_tasks: authselect.yaml
+- import_tasks: nsswitch.yaml
diff --git a/ansible/roles/ldap_client/tasks/nsswitch.yaml b/ansible/roles/ldap_client/tasks/nsswitch.yaml
new file mode 100644
index 0000000..8b769fe
--- /dev/null
+++ b/ansible/roles/ldap_client/tasks/nsswitch.yaml
@@ -0,0 +1,6 @@
+- name: Ensure nsswitch is looking to sssd for sudo
+  lineinfile:
+    path: /etc/nsswitch.conf
+    regexp: '^sudoers:'
+    line: 'sudoers: files sss'
+    backup: true
diff --git a/ansible/roles/ldap_client/tasks/sssd.yaml b/ansible/roles/ldap_client/tasks/sssd.yaml
new file mode 100644
index 0000000..673e771
--- /dev/null
+++ b/ansible/roles/ldap_client/tasks/sssd.yaml
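Review bot: The check task at the top of the authselect hunk uses `ignore_errors: true`, which still records a failed task on every host where the sssd profile is not yet selected, and because it is a `shell` task it is reported as changed on every run; a grep exit status of 1 is the expected "not selected" answer, not an error. Replace `ignore_errors: true` with `changed_when: false` and `failed_when: grep_result.rc > 1`, so only a genuine failure of the pipeline aborts the play while the `when: grep_result.rc != 0` guard on the second task keeps working. Note also that `authselect select` refuses to apply a profile when the managed files were edited outside authselect, which is what nsswitch.yaml in this patch does on the same host.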
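Review bot: `notify: restart sssd` on the package task in install.yaml triggers a restart immediately after installation, before this role has written `/etc/sssd/sssd.conf` in sssd.yaml, so the handler restarts a daemon that has no domain configured yet, which on most sssd versions is a hard failure. The template task in sssd.yaml already notifies the same handler on the real configuration change, so the package task does not need to; drop the `notify: restart sssd` line from the install task. The oddjobd service task is fine as written.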
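Review bot: `sssd.yaml` is never imported from main.yaml, so neither the sssd.conf template nor the "Start and enable sssd" task in this patch ever runs, while authselect.yaml and nsswitch.yaml still switch PAM and NSS over to sssd; hosts end up with authentication pointed at an unconfigured, stopped daemon. Add `- import_tasks: sssd.yaml` between `install.yaml` and `authselect.yaml` so the daemon is configured and running before the system is switched to it.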
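Review bot: On hosts where authselect is in use, as authselect.yaml assumes, `/etc/nsswitch.conf` is generated by authselect and editing it with `lineinfile` is both undone on the next profile change and, as noted on the authselect hunk, makes a later `authselect select` refuse to run because the file was modified outside of it. The authselect sssd profile has a feature for this, so the cleaner fix is `command: authselect select sssd with-mkhomedir with-sudo` in authselect.yaml (with the grep pattern in the check task extended to match `with-sudo`) and dropping this task. If some targets are not authselect-managed, keep this task but guard it with a fact or variable so the two mechanisms do not fight over the same file.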
@@ -0,0 +1,15 @@
+- name: Create sssd.conf
+  template:
+    src: templates/sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    owner: root
+    group: sssd
+    mode: '0640'
+  notify: restart sssd
+
+- name: Start and enable sssd
+  service:
+    name: sssd
+    state: started
+    enabled: true
+
diff --git a/ansible/roles/ldap_client/tasks/templates/sssd.conf.j2 b/ansible/roles/ldap_client/tasks/templates/sssd.conf.j2
new file mode 100644
index 0000000..543efdb
--- /dev/null
+++ b/ansible/roles/ldap_client/tasks/templates/sssd.conf.j2
@@ -0,0 +1,41 @@
+[sssd]
+services = nss, pam, sudo, ssh
+domains = ldap
+
+[nss]
+#debug_level = 0x3ff0
+
+[pam]
+
+[domain/ldap]
+#debug_level = 0x3ff0
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+sudo_provider = ldap
+ldap_schema = rfc2307
+ldap_uri = ldap://ldap.home.jthan.io
+ldap_search_base = dc=ldap,dc=home,dc=jthan,dc=io
+ldap_sudo_search_base = ou=SUDOers,dc=ldap,dc=home,dc=jthan,dc=io
+ldap_id_use_start_tls = true
+ldap_tls_reqcert = demand
+ldap_user_object_class = posixAccount
+ldap_group_object_class = posixGroup
+ldap_user_uid_number = uidNumber
+ldap_user_gid_number = gidNumber
+ldap_user_home_directory = homeDirectory
+ldap_user_shell = loginShell
+ldap_user_ssh_public_key = sshPublicKey
+
+cache_credentials = true
+enumerate = false
+
+# Access control (optional)
+# ldap_access_filter = (memberOf=cn=linux-users,ou=groups,dc=example,dc=com)
+
+[sudo]
+#debug_level = 0x3ff0
+
+[ssh]
+#debug_level = 0x3ff0
+
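Review bot: `src: templates/sssd.conf.j2` only resolves because the file was placed under `tasks/templates/` and Ansible also searches paths relative to the tasks directory; the role convention is `ansible/roles/ldap_client/templates/sssd.conf.j2` with `src: sssd.conf.j2`, which is where the next maintainer will look for it. The ownership `root:sssd` with `mode: '0640'` is the right choice, since sssd rejects a configuration file with wider permissions; keep that when moving the template. A short comment on the task, `# sssd requires 0600, or 0640 owned by root:sssd`, would record why the mode is not left to the default.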
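Review bot: No `access_provider` is set in `[domain/ldap]`, so sssd falls back to its default of `permit` and every posixAccount in the directory can log in on every host this role is applied to; the commented `ldap_access_filter` shows the intent but leaves it unenforced. The same section hard-codes `ldap_uri` and both search bases while `defaults/main.yaml` is added empty, so the role cannot be reused for another environment without editing the template. Move those values into role defaults and enforce an access filter as below (variable names are a proposal; define them in defaults/main.yaml with the current values). `ldap_id_use_start_tls = true` with `ldap_tls_reqcert = demand` is the right setting; because no `ldap_tls_cacert` is given, the server certificate must chain to the system trust store, so if a private CA is in use the role should deploy that CA and set `ldap_tls_cacert` rather than relax `demand`.
```jinja
[domain/ldap]
# … unchanged: provider, schema and debug settings …
ldap_uri = {{ ldap_client_uri }}
ldap_search_base = {{ ldap_client_search_base }}
ldap_sudo_search_base = {{ ldap_client_sudo_search_base }}
# … unchanged: TLS and attribute mapping …
access_provider = ldap
ldap_access_filter = {{ ldap_client_access_filter }}
```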