improved Readme, add debian 11 and sssd_auth_cache for laptops

7296ee29 · Edward Andò · 58b8b8c4 · 7296ee29 · 7296ee29 · 7296ee29
Commit 7296ee29 authored 2 years ago by Edward Andò
--- a/README.md
+++ b/README.md
 STI-IT LDAP authentication
 ==========================

-This roles sets up LDAP authentication at EPFL on Debian based machines.
+This entire repository contains (is...) a single ansible role.
+This role sets up LDAP authentication at EPFL on Ubuntu and Debian machines for a given "group" as defined in https://groups.epfl.ch

-Requirements
------------

-The role has been tested only on Ubuntu 18.04.
+Supported distributions
+------------------------
+
+The ansible role has been tested on:
+  - Ubuntu 18.04
+  - Ubuntu 20.04
+  - Ubuntu 22.04
+  - Debian 11
+
+If you want to try/implement this on other (similar systems) look inside `tasks/`
+

 Role Variables
 --------------

-There is only one configurable variable that can be used: `sssd_simple_group_access`
+There is one main configurable variable to be set in `defaults/main.yml` that can be used: `sssd_simple_group_access`.
+In the example it is "sti_cluster_team" which is a group defined in https://groups.epfl.ch (with LDAP and AD option) and must correspond to "sti_cluster_team_AppGrpU" on Active Directory.
 This variable is used to update the `sssd.conf` in order to manage which LDAP group is allowed to authenticate on the machine.

-Dependencies
------------
+There is a secondary variable `sssd_auth_cache` that can be set to True for laptops to enable caching of credentials to allow authentication when out of the EPFL network.
+

-No specific dependency.

-Example Playbook
+Using this role
 ----------------

-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+To use this role you should clone this repository:
+
+```bash
+git clone https://gitlab.epfl.ch/sti-cluster/ansible_ldap_authentication.git
+```
+
+This will obviously create a folder called `ansible_ldap_authentication` which contains this ansible role.
+You should then create an ansible playbook, let's say `playbook.yml` at the same level as the folder that calls the role:

 ```yml
 ---
- hosts: all
+- name: use ansible_ldap_authentication role playbook
+  hosts: all
+  user: root
+  become: true
  roles:
-    - sti_it.ldap_authentication
-  become: yes
+    - role: ansible_ldap_authentication
 ```

+This requires you to have set up hosts in `/etc/ansible/hosts` typically.
+You can then run the playbook:
+
+
+```bash
+ansible-playbook playbook.yaml -k
+```
+(`-k` only needed if you haven't exported root's SSH key for passwordless login)
+
+
 License
 -------

 BSD

+
 Author Information
 ------------------

 Emmanuel Jaep (emmanuel dot jaep at epfl dot ch).
+Contibutions from Edward Andò (EPFL Center for Imaging)
--- a/defaults/main.yml
+++ b/defaults/main.yml
 ---
 # defaults file for sti_it.ldap_authentication
+# This should be a "group" (with LDAP and AD option activated) as defined in https://groups.epfl.ch
 sssd_simple_group_access: sti_cluster_team
+
+# This is probably useful only for laptops that need
+#   to be able to authenticate when out of the EPFL network
+sssd_auth_cache: False
--- a/tasks/debian11.yml
+++ b/tasks/debian11.yml
+---
+# tasks file for sti_it.ldap_authentication
+- name: install required packages
+  apt:
+    name: "{{ item }}"
+    update_cache: yes
+    state: present
+  loop:
+    - sssd
+    - libpam-sss
+    - libnss-sss
+    - sssd-tools
+    - autofs-ldap
+    - ldap-utils
+
+
+- name: make sure that the CA certs path exists
+  file:
+    path: /etc/openldap/cacerts
+    state: directory
+
+- name: download Digicert intermediate certificate
+  get_url:
+    dest: /etc/openldap/cacerts/digicert.pem
+    url: https://rauth.epfl.ch/Digicert_TLS_RSA_SHA256_2020_CA1.pem
+
+- name: generate sssd.conf
+  template:
+    src: sssd.conf
+    dest: /etc/sssd/sssd.conf
+    owner: root
+    group: root
+    mode: 0600
+  notify:
+    - restart sssd
+
+# - name: generate autofs.conf
+#   template:
+#     src: autofs.conf
+#     dest: /etc/autofs.conf
+#     owner: root
+#     group: root
+#   notify:
+#     - restart sssd
+
+#- name: replace nis by ldap in /etc/nsswitch.conf
+  #replace:
+    #path: /etc/nsswitch.conf
+    #regexp: 'nis'
+    #replace: 'ldap'
+  #notify:
+    #- restart sssd
+
+
+
+
+# - name: ensure that ldap automount is added to nsswitch.conf
+#   lineinfile:
+#     line: 'automount:      ldap'
+#     path: /etc/nsswitch.conf
+#     insertafter: EOF
+#   notify:
+#     - restart sssd
+
+- name: generate ldap.conf for Debian
+  template:
+    src: ldap.conf
+    dest: /etc/ldap/ldap.conf
+    owner: root
+    group: root
+  notify:
+    - restart sssd
+
+# As per documentation at https://docs.google.com/document/d/1sfBkcqaGm4M3U6_uqVWSZ1MxKvnH5FK1U4OXr_HDU-w/edit#heading=h.tdhi5uogtedq
+# and at https://help.ubuntu.com/community/LDAPClientAuthentication#Automatically_create_home_folders
+- name: automate the homedir creation process for Debian
+  template:
+    src: my_mkhomedir
+    dest: /usr/share/pam-configs/my_mkhomedir
+
+- name: activate the creation of the homedir
+  lineinfile:
+    line: 'session required        pam_mkhomedir.so umask=0022 skel=/etc/skel'
+    path: /etc/pam.d/common-session
+    insertafter: EOF
+  notify:
+    - restart sssd
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -6,5 +6,12 @@
 - include: ubuntu2004.yml tags=debian
  when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version == "20"

+# 2004 code tested and seems to work for ubuntu 22.04
+- include: ubuntu2004.yml tags=debian
+  when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version == "22"
+
+- include: debian11.yml tags=debian
+  when: ansible_distribution == "Debian" and ansible_distribution_major_version == "11"
+
 - include: centos.yml tags=centos
  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
--- a/templates/sssd.conf
+++ b/templates/sssd.conf
@@ -7,7 +7,7 @@ ldap_group_name = cn
 ldap_group_gid_number = gidNumber
 #ldap_group_member = memberuid
 enumerate = False
-cache_credentials = False
+cache_credentials = {{ sssd_simple_group_access }}
 krb5_realm = #
 ldap_search_base = o=epfl,c=ch
 id_provider = ldap
@@ -26,7 +26,7 @@ ldap_group_name = cn
 ldap_group_gid_number = gidNumber
 ldap_group_member = memberUid
 enumerate = False
-cache_credentials = False
+cache_credentials = {{ sssd_simple_group_access }}
 krb5_realm = #
 ldap_search_base = o=epfl,c=ch
 id_provider = ldap

--- a/templates/sssd2004.conf
+++ b/templates/sssd2004.conf
@@ -7,7 +7,7 @@ ldap_group_name = cn
 ldap_group_gid_number = gidNumber
 #ldap_group_member = memberuid
 enumerate = False
-cache_credentials = False
+cache_credentials = {{ sssd_simple_group_access }}
 krb5_realm = #
 ldap_search_base = o=epfl,c=ch
 id_provider = ldap
@@ -26,7 +26,7 @@ ldap_group_name = cn
 ldap_group_gid_number = gidNumber
 ldap_group_member = memberUid
 enumerate = False
-cache_credentials = False
+cache_credentials = {{ sssd_simple_group_access }}
 krb5_realm = #
 ldap_search_base = o=epfl,c=ch
 id_provider = ldap

--- a/templates/sssdDebian11.conf
+++ b/templates/sssdDebian11.conf
+[domain/scoldap]
+#EPFL users/group only accounts, not automount
+#ldap_schema = rfc2307
+#ldap_group_object_class = posixGroup
+ldap_group_object_class = groupOfNames
+ldap_group_name = cn
+ldap_group_gid_number = gidNumber
+#ldap_group_member = memberuid
+enumerate = False
+cache_credentials = {{ sssd_auth_cache }}
+krb5_realm = #
+ldap_search_base = o=epfl,c=ch
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+ldap_uri = ldap://scoldap.epfl.ch
+ldap_id_use_start_tls = True
+ldap_tls_cacertdir = /etc/openldap/cacerts
+access_provider = simple
+simple_allow_groups = {{ sssd_simple_group_access }}
+
+[domain/epfl]
+#EPFL users/groups/automount
+ldap_group_object_class = groupOfNames
+ldap_group_name = cn
+ldap_group_gid_number = gidNumber
+ldap_group_member = memberUid
+enumerate = False
+cache_credentials = {{ sssd_auth_cache }}
+krb5_realm = #
+ldap_search_base = o=epfl,c=ch
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+ldap_uri = ldap://ldap.epfl.ch
+ldap_id_use_start_tls = True
+ldap_tls_cacertdir = /etc/openldap/cacerts
+access_provider = simple
+simple_allow_groups = {{ sssd_simple_group_access }}
+
+[sssd]
+# services = nss, autofs, pam
+# services = nss, pam
+config_file_version = 2
+domains = scoldap,epfl
+
+[nss]
+
+[pam]
+
+[sudo]
+
+[autofs]
+
+[ssh]