init ldap_client

ansible/roles/ldap_client/handlers/main.yaml

@@ -0,0 +1,5 @@
+- name: restart sssd
+  service:
+    name: sssd
+    state: restarted
+

ansible/roles/ldap_client/tasks/authselect.yaml

@@ -0,0 +1,9 @@
+- name: Check if authselect current is already using sssd
+  shell: 'authselect current | grep -Pzo "(?s)sssd.*?mkhomedir"'
+  register: grep_result
+  ignore_errors: true 
+
+- name: Run authselect
+  command: authselect select sssd with-mkhomedir
+  when: grep_result.rc != 0 
+

ansible/roles/ldap_client/tasks/install.yaml

@@ -0,0 +1,17 @@
+- name: Install openldap client and other required packages
+  package:
+    name:
+      - openldap-clients
+      - sssd
+      - sssd-ldap
+      - oddjob-mkhomedir
+      - libsss_sudo
+    state: present
+  notify: restart sssd
+
+- name: Start and enable oddjobd
+  service:
+    name: oddjobd
+    state: started
+    enabled: true
+

ansible/roles/ldap_client/tasks/main.yaml

@@ -0,0 +1,3 @@
+- import_tasks: install.yaml
+- import_tasks: authselect.yaml
+- import_tasks: nsswitch.yaml

ansible/roles/ldap_client/tasks/nsswitch.yaml

@@ -0,0 +1,6 @@
+- name: Ensure nsswitch is looking to sssd for sudo
+  lineinfile:
+    path: /etc/nsswitch.conf
+    regexp: '^sudoers:'
+    line: 'sudoers: files sss'
+    backup: true

ansible/roles/ldap_client/tasks/sssd.yaml

@@ -0,0 +1,15 @@
+- name: Create sssd.conf
+  template:
+    src: templates/sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    owner: root
+    group: sssd
+    mode: '0640'
+  notify: restart sssd
+
+- name: Start and enable sssd
+  service:
+    name: sssd
+    state: started
+    enabled: true
+

ansible/roles/ldap_client/tasks/templates/sssd.conf.j2

@@ -0,0 +1,41 @@
+[sssd]
+services = nss, pam, sudo, ssh
+domains = ldap
+
+[nss]
+#debug_level = 0x3ff0
+
+[pam]
+
+[domain/ldap]
+#debug_level = 0x3ff0
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+sudo_provider = ldap
+ldap_schema = rfc2307
+ldap_uri = ldap://ldap.home.jthan.io
+ldap_search_base = dc=ldap,dc=home,dc=jthan,dc=io
+ldap_sudo_search_base = ou=SUDOers,dc=ldap,dc=home,dc=jthan,dc=io
+ldap_id_use_start_tls = true
+ldap_tls_reqcert = demand
+ldap_user_object_class = posixAccount
+ldap_group_object_class = posixGroup
+ldap_user_uid_number = uidNumber
+ldap_user_gid_number = gidNumber
+ldap_user_home_directory = homeDirectory
+ldap_user_shell = loginShell
+ldap_user_ssh_public_key = sshPublicKey
+
+cache_credentials = true
+enumerate = false
+
+# Access control (optional)
+# ldap_access_filter = (memberOf=cn=linux-users,ou=groups,dc=example,dc=com)
+
+[sudo]
+#debug_level = 0x3ff0
+
+[ssh]
+#debug_level = 0x3ff0
+