initial commit

873b7bd0 · Emmanuel Jaep · 873b7bd0 · 873b7bd0 · 873b7bd0 · 873b7bd0
Commit 873b7bd0 authored 4 years ago by Emmanuel Jaep
--- a/.travis.yml
+++ b/.travis.yml
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
--- a/README.md
+++ b/README.md
+STI-IT LDAP authentication
+==========================
+
+This roles sets up LDAP authentication at EPFL on Debian based machines.
+
+Requirements
+------------
+
+The role has been tested only on Ubuntu 18.04.
+
+Role Variables
+--------------
+
+There is only one configurable variable that can be used: `sssd_simple_group_access`
+This variable is used to update the `sssd.conf` in order to manage which LDAP group is allowed to authenticate on the machine.
+
+Dependencies
+------------
+
+No specific dependency.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+```yml
+---
+- hosts: all
+  roles:
+    - sti_it.ldap_authentication
+  become: yes
+```
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+Emmanuel Jaep (emmanuel dot jaep at epfl dot ch).
--- a/defaults/main.yml
+++ b/defaults/main.yml
+---
+# defaults file for sti_it.ldap_authentication
+sssd_simple_group_access: sti_cluster_team
--- a/handlers/main.yml
+++ b/handlers/main.yml
+---
+# handlers file for sti_it.ldap_authentication
+- name: restart sssd
+  service:
+    name: sssd
+    state: restarted
--- a/meta/main.yml
+++ b/meta/main.yml
+galaxy_info:
+  author: Emmanuel Jaep
+  description: Simple role to activate LDAP authentication at EPFL
+  company: EPFL
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
--- a/tasks/main.yml
+++ b/tasks/main.yml
+---
+# tasks file for sti_it.ldap_authentication
+- name: install required packages
+  apt:
+    pkg:
+    - sssd
+    - libpam-sss
+    - libnss-sss
+    - sssd-tools
+    - autofs-ldap
+    - ldap-utils
+
+- name: make sure that the CA certs path exists
+  file:
+    path: /etc/openldap/cacerts
+    state: directory
+
+- name: download QuoVadis intermediate certificate
+  get_url:
+    dest: /etc/openldap/cacerts/quovadis.pem
+    url: https://rauth.epfl.ch/Quovadis_Root_CA_2.pem
+
+- name: generate sssd.conf
+  template:
+    src: sssd.conf
+    dest: /etc/sssd/sssd.conf
+    owner: root
+    group: root
+    mode: 0600
+  notify:
+    - restart sssd
+
+- name: generate autofs.conf
+  template:
+    src: autofs.conf
+    dest: /etc/autofs.conf
+    owner: root
+    group: root
+  notify:
+    - restart sssd
+
+- name: replace nis by ldap in /etc/nsswitch.conf
+  replace:
+    path: /etc/nsswitch.conf
+    regexp: 'nis'
+    replace: 'ldap'
+  notify:
+    - restart sssd
+
+- name: ensure that ldap automount is added to nsswitch.conf
+  lineinfile:
+    line: 'automount:      ldap'
+    path: /etc/nsswitch.conf
+    insertafter: EOF
+  notify:
+    - restart sssd
+
+- name: generate ldap.conf
+  template:
+    src: ldap.conf
+    dest: /etc/ldap/ldap.conf
+    owner: root
+    group: root
+  notify:
+    - restart sssd
+
+# As per documentation at https://docs.google.com/document/d/1sfBkcqaGm4M3U6_uqVWSZ1MxKvnH5FK1U4OXr_HDU-w/edit#heading=h.tdhi5uogtedq
+# and at https://help.ubuntu.com/community/LDAPClientAuthentication#Automatically_create_home_folders
+- name: automate the homedir creation process
+  template:
+    src: my_mkhomedir
+    dest: /usr/share/pam-configs/my_mkhomedir
+
+- name: activate the creation of the homedir
+  lineinfile:
+    line: 'session required        pam_mkhomedir.so umask=0022 skel=/etc/skel'
+    path: /etc/pam.d/common-session
+    insertafter: EOF
+  notify:
+    - restart sssd
--- a/templates/autofs.conf
+++ b/templates/autofs.conf
+#
+# Define default options for autofs.
+#
+# MASTER_MAP_NAME - default map name for the master map.
+#
+#
+MASTER_MAP_NAME="ou=auto.master,ou=automaps,o=epfl,c=ch"
+
+# TIMEOUT - set the default mount timeout (default 600).
+#
+TIMEOUT=300
+#
+# NEGATIVE_TIMEOUT - set the default negative timeout for
+# 		     failed mount attempts (default 60).
+#
+#NEGATIVE_TIMEOUT=60
+#
+# MOUNT_WAIT - time to wait for a response from mount(8).
+# 	       Setting this timeout can cause problems when
+# 	       mount would otherwise wait for a server that
+# 	       is temporarily unavailable, such as when it's
+# 	       restarting. The defailt of waiting for mount(8)
+# 	       usually results in a wait of around 3 minutes.
+#
+#MOUNT_WAIT=-1
+#
+# UMOUNT_WAIT - time to wait for a response from umount(8).
+#
+#UMOUNT_WAIT=12
+#
+# BROWSE_MODE - maps are browsable by default.
+#
+BROWSE_MODE="no"
+#
+# MOUNT_NFS_DEFAULT_PROTOCOL - specify the default protocol used by
+# 			       mount.nfs(8). Since we can't identify
+# 			       the default automatically we need to
+# 			       set it in our configuration.
+#
+#MOUNT_NFS_DEFAULT_PROTOCOL=3
+#
+# APPEND_OPTIONS - append to global options instead of replace.
+#
+#APPEND_OPTIONS="yes"
+#
+# LOGGING - set default log level "none", "verbose" or "debug"
+#
+#LOGGING="none"
+#
+# Define server URIs
+#
+# LDAP_URI - space seperated list of server uris of the form
+# 	     <proto>://<server>[/] where <proto> can be ldap
+# 	     or ldaps. The option can be given multiple times.
+# 	     Map entries that include a server name override
+# 	     this option.
+#
+#	     This configuration option can also be used to
+#	     request autofs lookup SRV RRs for a domain of
+#	     the form <proto>:///[<domain dn>]. Note that a
+#	     trailing "/" is not allowed when using this form.
+#	     If the domain dn is not specified the dns domain
+#	     name (if any) is used to construct the domain dn
+#	     for the SRV RR lookup. The server list returned
+#	     from an SRV RR lookup is refreshed according to
+#	     the minimum ttl found in the SRV RR records or
+#	     after one hour, whichever is less.
+#
+LDAP_URI="ldap://ldap.epfl.ch"
+#
+# LDAP__TIMEOUT - timeout value for the synchronous API  calls
+#		  (default is LDAP library default).
+#
+#LDAP_TIMEOUT=-1
+#
+# LDAP_NETWORK_TIMEOUT - set the network response timeout (default 8).
+#
+#LDAP_NETWORK_TIMEOUT=8
+#
+# Define base dn for map dn lookup.
+#
+# SEARCH_BASE - base dn to use for searching for map search dn.
+# 		Multiple entries can be given and they are checked
+# 		in the order they occur here.
+#
+SEARCH_BASE="o=epfl,c=ch"
+#
+# Define the LDAP schema to used for lookups
+#
+# If no schema is set autofs will check each of the schemas
+# below in the order given to try and locate an appropriate
+# basdn for lookups. If you want to minimize the number of
+# queries to the server set the values here.
+#
+#MAP_OBJECT_CLASS="nisMap"
+#ENTRY_OBJECT_CLASS="nisObject"
+#MAP_ATTRIBUTE="nisMapName"
+#ENTRY_ATTRIBUTE="cn"
+#VALUE_ATTRIBUTE="nisMapEntry"
+#
+# Other common LDAP nameing
+#
+MAP_OBJECT_CLASS="automountMap"
+ENTRY_OBJECT_CLASS="automount"
+MAP_ATTRIBUTE="ou"
+ENTRY_ATTRIBUTE="cn"
+VALUE_ATTRIBUTE="automountInformation"
+#
+#MAP_OBJECT_CLASS="automountMap"
+#ENTRY_OBJECT_CLASS="automount"
+#MAP_ATTRIBUTE="automountMapName"
+#ENTRY_ATTRIBUTE="automountKey"
+#VALUE_ATTRIBUTE="automountInformation"
+#
+# AUTH_CONF_FILE - set the default location for the SASL
+#			   authentication configuration file.
+#
+#AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
+#
+# MAP_HASH_TABLE_SIZE - set the map cache hash table size.
+# 			Should be a power of 2 with a ratio roughly
+# 			between 1:10 and 1:20 for each map.
+#
+#MAP_HASH_TABLE_SIZE=1024
+#
+# General global options
+#
+#OPTIONS=""
+#
--- a/templates/ldap.conf
+++ b/templates/ldap.conf
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE      o=epfl,c=ch
+URI       ldap://scoldap.epfl.ch
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
--- a/templates/my_mkhomedir
+++ b/templates/my_mkhomedir
+Name: activate mkhomedir
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session:
+        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
--- a/templates/sssd.conf
+++ b/templates/sssd.conf
+[domain/scoldap]
+#EPFL users/group only accounts, not automount
+#ldap_schema = rfc2307
+#ldap_group_object_class = posixGroup
+ldap_group_object_class = groupOfNames
+ldap_group_name = cn
+ldap_group_gid_number = gidNumber
+#ldap_group_member = memberuid
+enumerate = False
+cache_credentials = False
+krb5_realm = #
+ldap_search_base = o=epfl,c=ch
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+ldap_uri = ldap://scoldap.epfl.ch
+ldap_id_use_start_tls = True
+ldap_tls_cacertdir = /etc/openldap/cacerts
+access_provider = simple
+simple_allow_groups = {{ sssd_simple_group_access }}
+
+[domain/epfl]
+#EPFL users/groups/automount
+enumerate = False
+cache_credentials = False
+krb5_realm = #
+ldap_search_base = o=epfl,c=ch
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+ldap_uri = ldap://ldap.epfl.ch
+ldap_id_use_start_tls = True
+ldap_tls_cacertdir = /etc/openldap/cacerts
+access_provider = simple
+simple_allow_groups = {{ sssd_simple_group_access }}
+
+[sssd]
+services = nss, autofs, pam
+config_file_version = 2
+domains = scoldap,epfl
+
+[nss]
+
+[pam]
+
+[sudo]
+
+[autofs]
+
+[ssh]
--- a/tests/inventory
+++ b/tests/inventory
+localhost
+
--- a/tests/test.yml
+++ b/tests/test.yml
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - sti_it.ldap_authentication
--- a/vars/main.yml
+++ b/vars/main.yml
+---
+# vars file for sti_it.ldap_authentication