ADD new file ubuntu2024, sssd2024 update main

tasks/main.yml

@@ -3,7 +3,7 @@
 - include: ubuntu.yml tags=debian
   when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version == "18"
 
-- include: ubuntu.yml tags=debian
+- include: ubuntu2004.yml tags=debian
   when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version == "20"
 
 - include: centos.yml tags=centos

tasks/ubuntu2024.yml

+---
+# tasks file for sti_it.ldap_authentication
+- name: install required packages
+  apt:
+    name: "{{ item }}"
+    update_cache: yes
+    state: present
+  loop:
+    - sssd
+    - libpam-sss
+    - libnss-sss
+    - sssd-tools
+    - autofs-ldap
+    - ldap-utils
+
+
+- name: make sure that the CA certs path exists
+  file:
+    path: /etc/openldap/cacerts
+    state: directory
+
+- name: download Digicert intermediate certificate
+  get_url:
+    dest: /etc/openldap/cacerts/digicert.pem
+    url: https://rauth.epfl.ch/Digicert_TLS_RSA_SHA256_2020_CA1.pem
+
+- name: generate sssd.conf
+  template:
+    src: sssd2024.conf
+    dest: /etc/sssd/sssd.conf
+    owner: root
+    group: root
+    mode: 0600
+  notify:
+    - restart sssd
+
+# - name: generate autofs.conf
+#   template:
+#     src: autofs.conf
+#     dest: /etc/autofs.conf
+#     owner: root
+#     group: root
+#   notify:
+#     - restart sssd
+
+- name: replace nis by ldap in /etc/nsswitch.conf
+  replace:
+    path: /etc/nsswitch.conf
+    regexp: 'nis'
+    replace: 'ldap'
+  notify:
+    - restart sssd
+
+
+
+
+# - name: ensure that ldap automount is added to nsswitch.conf
+#   lineinfile:
+#     line: 'automount:      ldap'
+#     path: /etc/nsswitch.conf
+#     insertafter: EOF
+#   notify:
+#     - restart sssd
+
+- name: generate ldap.conf for Debian
+  template:
+    src: ldap.conf
+    dest: /etc/ldap/ldap.conf
+    owner: root
+    group: root
+  notify:
+    - restart sssd
+
+# As per documentation at https://docs.google.com/document/d/1sfBkcqaGm4M3U6_uqVWSZ1MxKvnH5FK1U4OXr_HDU-w/edit#heading=h.tdhi5uogtedq
+# and at https://help.ubuntu.com/community/LDAPClientAuthentication#Automatically_create_home_folders
+- name: automate the homedir creation process for Debian
+  template:
+    src: my_mkhomedir
+    dest: /usr/share/pam-configs/my_mkhomedir
+
+- name: activate the creation of the homedir
+  lineinfile:
+    line: 'session required        pam_mkhomedir.so umask=0022 skel=/etc/skel'
+    path: /etc/pam.d/common-session
+    insertafter: EOF
+  notify:
+    - restart sssd

templates/sssd2024.conf

+[domain/scoldap]
+#EPFL users/group only accounts, not automount
+#ldap_schema = rfc2307
+#ldap_group_object_class = posixGroup
+ldap_group_object_class = groupOfNames
+ldap_group_name = cn
+ldap_group_gid_number = gidNumber
+#ldap_group_member = memberuid
+enumerate = False
+cache_credentials = False
+krb5_realm = #
+ldap_search_base = o=epfl,c=ch
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+ldap_uri = ldap://scoldap.epfl.ch
+ldap_id_use_start_tls = True
+ldap_tls_cacertdir = /etc/openldap/cacerts
+access_provider = simple
+simple_allow_groups = {{ sssd_simple_group_access }}
+
+[domain/epfl]
+#EPFL users/groups/automount
+ldap_group_object_class = groupOfNames
+ldap_group_name = cn
+ldap_group_gid_number = gidNumber
+ldap_group_member = memberUid
+enumerate = False
+cache_credentials = False
+krb5_realm = #
+ldap_search_base = o=epfl,c=ch
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+ldap_uri = ldap://ldap.epfl.ch
+ldap_id_use_start_tls = True
+ldap_tls_cacertdir = /etc/openldap/cacerts
+access_provider = simple
+simple_allow_groups = {{ sssd_simple_group_access }}
+
+[sssd]
+# services = nss, autofs, pam
+# services = nss, pam
+config_file_version = 2
+domains = scoldap,epfl
+
+[nss]
+
+[pam]
+
+[sudo]
+
+[autofs]
+
+[ssh]