reworked ldap roles, added veyon configurations, tested

ansible/roles/ldap/tasks/main.yml

 # Copyright (C) 2017 Progetto Fuss <info@fuss.bz.it>
+#                    Simone Piccardi  <piccardi@truelite.it>
 #                    Christopher R. Gabriel <cgabriel@truelite.it>
 #                    Elena Grandi <elena@truelite.it>,
 #
@@ -22,12 +23,15 @@
   with_items:
       - libpam-cracklib
       - ldap-utils
-- name: Remove packages that require preseeding
-  apt:
-      state: absent
-      purge: yes
-      name: libnss-ldapd
-  when: ldap_server is defined and ldap_base is defined
+
+# Do not remove
+#- name: Remove packages that require preseeding
+#  apt:
+#      state: absent
+#      purge: yes
+#      name: libnss-ldapd
+#  when: ldap_server is defined and ldap_base is defined
+  
 - name: Preseed libnss-ldapd for NSS switch service to configure
   debconf:
       name: libnss-ldapd
@@ -35,6 +39,7 @@
       value: group, passwd, shadow
       vtype: multiselect
   when: ldap_server is defined and ldap_base is defined
+  
 - name: Preseed nslcd LDAP server URI
   debconf:
       name: nslcd
@@ -42,6 +47,7 @@
       value: "{{ ldap_server }}"
       vtype: string
   when: ldap_server is defined and ldap_base is defined
+  
 - name: Preseed debconf LDAP base DN
   debconf:
       name: nslcd
@@ -49,6 +55,7 @@
       value: "{{ ldap_base }}"
       vtype: string
   when: ldap_server is defined and ldap_base is defined
+  
 - name: Preseed nslcd not to check certificates
   debconf:
       name: nslcd
@@ -56,6 +63,7 @@
       value: "never"
       vtype: select
   when: ldap_server is defined and ldap_base is defined
+  
 - name: Install ldap packages
   include: "{{includes}}/install-package-apt.yml"
   with_items:
@@ -64,6 +72,7 @@
       - unscd
       - nslcd,libpam-ldapd,libnss-ldapd
   when: ldap_server is defined and ldap_base is defined
+  
 - name: Configure nslcd
   template:
       src: nslcd.conf
@@ -72,12 +81,14 @@
   when: ldap_server is defined and ldap_base is defined
   notify:
       - restart nslcd
+
 - name: Configure nsswitch
   template:
       src: nsswitch.conf
       dest: /etc/nsswitch.conf
       backup: yes
   when: ldap_server is defined and ldap_base is defined
+  
 - name: Configure ldap in /etc/ldap/ldap.conf
   template:
       dest: /etc/ldap/ldap.conf
@@ -85,6 +96,7 @@
       backup: yes
       mode: 0644
   when: ldap_server is defined and ldap_base is defined
+  
 - name: Check that nslcd is currently running
   # it is needed by the rest of the fuss client; if it wasn't changed there is
   # no need to restart it, so we leave the restart above as a handler

ansible/roles/ldap/templates/ldap.conf

@@ -8,7 +8,7 @@
 #BASE	dc=example,dc=com
 #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
 BASE    {{ ldap_base }}
-URI     ldap://{{ ldap_server }}
+URI     ldaps://{{ ldap_server }}
 
 #SIZELIMIT	12
 #TIMELIMIT	15
@@ -16,4 +16,4 @@ URI     ldap://{{ ldap_server }}
 
 # TLS certificates (needed for GnuTLS)
 TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
-
+TLS_REQCERT     never

ansible/roles/ldap/templates/nslcd.conf

 # /etc/nslcd.conf
 # nslcd configuration file. See nslcd.conf(5)
 # for details.
-           
+
 # The user and group nslcd should run as.
-uid nslcd  
+uid nslcd
 gid nslcd
-        
+
 # The location at which the LDAP server(s) should be reachable.
-uri ldaps://{{ ldap_server }}/
+uri ldaps://{{ ldap_server }}
 
 # The search base that will be used for all queries.
 base {{ ldap_base }}
 
 # The LDAP protocol version to use.
-ldap_version 3
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
 
 # SSL options
-ssl on
+#ssl off
 tls_reqcert never
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
 
 # The search scope.
-scope sub
+#scope sub
+

ansible/roles/ldap/templates/nsswitch.conf

-passwd:         compat ldap
-group:          compat ldap
-shadow:         compat ldap
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
 
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
+passwd:         files systemd ldap
+group:          files systemd ldap
+shadow:         files ldap
+gshadow:        files
+
+hosts:          files mdns4_minimal [NOTFOUND=return] dns
 networks:       files
 
 protocols:      db files

ansible/roles/veyon/tasks/main.yml

@@ -91,4 +91,10 @@
       mode: 0640
       owner: root
       group: veyon-master
-      
+
+- name: check permissions on /usr/bin/veyon-master
+  file:
+      path: /usr/bin/veyon-master
+      mode: 0750
+      owner: root
+      group: veyon-master

debian/changelog

@@ -9,6 +9,7 @@ fuss-client (11.0.1) UNRELEASED; urgency=medium
 
   [ Simone Piccardi ]
   * Ensure nslcd is running on veyon role
+  * Make ldap role idempotent avoiding reinstalling
 
  -- Elena Grandi <elena@truelite.it>  Mon, 30 May 2022 10:43:45 +0200