Commit 51e29a4c authored by Simone Piccardi's avatar Simone Piccardi

reworked ldap roles, added veyon configurations, tested

parent e1ea2aed
# Copyright (C) 2017 Progetto Fuss <info@fuss.bz.it>
# Simone Piccardi <piccardi@truelite.it>
# Christopher R. Gabriel <cgabriel@truelite.it>
# Elena Grandi <elena@truelite.it>,
#
......@@ -22,12 +23,15 @@
with_items:
- libpam-cracklib
- ldap-utils
- name: Remove packages that require preseeding
apt:
state: absent
purge: yes
name: libnss-ldapd
when: ldap_server is defined and ldap_base is defined
# Do not remove
#- name: Remove packages that require preseeding
# apt:
# state: absent
# purge: yes
# name: libnss-ldapd
# when: ldap_server is defined and ldap_base is defined
- name: Preseed libnss-ldapd for NSS switch service to configure
debconf:
name: libnss-ldapd
......@@ -35,6 +39,7 @@
value: group, passwd, shadow
vtype: multiselect
when: ldap_server is defined and ldap_base is defined
- name: Preseed nslcd LDAP server URI
debconf:
name: nslcd
......@@ -42,6 +47,7 @@
value: "{{ ldap_server }}"
vtype: string
when: ldap_server is defined and ldap_base is defined
- name: Preseed debconf LDAP base DN
debconf:
name: nslcd
......@@ -49,6 +55,7 @@
value: "{{ ldap_base }}"
vtype: string
when: ldap_server is defined and ldap_base is defined
- name: Preseed nslcd not to check certificates
debconf:
name: nslcd
......@@ -56,6 +63,7 @@
value: "never"
vtype: select
when: ldap_server is defined and ldap_base is defined
- name: Install ldap packages
include: "{{includes}}/install-package-apt.yml"
with_items:
......@@ -64,6 +72,7 @@
- unscd
- nslcd,libpam-ldapd,libnss-ldapd
when: ldap_server is defined and ldap_base is defined
- name: Configure nslcd
template:
src: nslcd.conf
......@@ -72,12 +81,14 @@
when: ldap_server is defined and ldap_base is defined
notify:
- restart nslcd
- name: Configure nsswitch
template:
src: nsswitch.conf
dest: /etc/nsswitch.conf
backup: yes
when: ldap_server is defined and ldap_base is defined
- name: Configure ldap in /etc/ldap/ldap.conf
template:
dest: /etc/ldap/ldap.conf
......@@ -85,6 +96,7 @@
backup: yes
mode: 0644
when: ldap_server is defined and ldap_base is defined
- name: Check that nslcd is currently running
# it is needed by the rest of the fuss client; if it wasn't changed there is
# no need to restart it, so we leave the restart above as a handler
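Review bot: The `Preseed nslcd not to check certificates` task still seeds the certificate-check answer with `value: "never"`, so the nslcd.conf that libnss-ldapd writes on first install accepts any server certificate; now that this commit moves the URI to ldaps:// (see the ldap.conf and nslcd.conf template changes), that leaves the LDAPS session open to an active man-in-the-middle, which is what the encrypted transport was meant to rule out. Unless a self-signed server certificate is a known deployment constraint, rename the task to `- name: Preseed nslcd to verify server certificates` and set `value: "demand"`, and make sure the FUSS CA is present in `/etc/ssl/certs/ca-certificates.crt` on clients, otherwise nslcd lookups fail closed after the switch. The `# Do not remove` line above the disabled purge block says what but not why; the changelog entry about idempotency suggests the reason, so a comment such as `# kept for reference: purging libnss-ldapd on every run broke idempotency, do not re-enable` would stop the next maintainer from restoring it. The `Check that nslcd is currently running` task continues past the end of this section.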
......@@ -8,7 +8,7 @@
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
BASE {{ ldap_base }}
URI ldap://{{ ldap_server }}
URI ldaps://{{ ldap_server }}
#SIZELIMIT 12
#TIMELIMIT 15
......@@ -16,4 +16,4 @@ URI ldap://{{ ldap_server }}
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never
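Review bot: `URI ldaps://{{ ldap_server }}` is now paired with `TLS_REQCERT never` on the last line, so libldap (ldap-utils and anything else reading /etc/ldap/ldap.conf) completes the TLS handshake with whatever certificate the peer presents; the move to LDAPS stops passive sniffing but not an attacker who can answer for the server's name. `TLS_CACERT /etc/ssl/certs/ca-certificates.crt` is already configured, so `TLS_REQCERT demand` is the one-line change that makes the encryption meaningful, provided the server certificate chains to a CA in that bundle and its SAN matches what `ldap_server` expands to (an IP address needs an IP SAN). If the FUSS server uses a self-signed certificate, install it under /usr/local/share/ca-certificates and run update-ca-certificates from the role rather than disabling verification. The hunk header announces four lines but three are visible here, so the line after `TLS_REQCERT never` is not under review.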
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldaps://{{ ldap_server }}/
uri ldaps://{{ ldap_server }}
# The search base that will be used for all queries.
base {{ ldap_base }}
# The LDAP protocol version to use.
ldap_version 3
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
ssl on
#ssl off
tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
scope sub
#scope sub
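Review bot: `tls_reqcert never`, kept alongside the new `ssl on` and `uri ldaps://{{ ldap_server }}`, disables peer verification for every NSS and PAM lookup nslcd makes, so `tls_cacertfile /etc/ssl/certs/ca-certificates.crt` is effectively dead configuration and an on-path host can present any certificate, serve forged passwd/group/shadow data, and (with libpam-ldapd installed by the same role) receive the user password nslcd binds with at login. Change it to `tls_reqcert demand`; nslcd then refuses to answer against an untrusted server, which is the failure mode you want from an identity source, and add a comment above it: `# demand: the server certificate must chain to a CA in tls_cacertfile`. The two `uri` lines differ only by a trailing slash and both are accepted by nslcd, but whichever survives must name the host exactly as it appears in the certificate's SAN (an IP in `ldap_server` needs an IP SAN), or lookups will stop once verification is on.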
passwd: compat ldap
group: compat ldap
shadow: compat ldap
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
passwd: files systemd ldap
group: files systemd ldap
shadow: files ldap
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
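Review bot: Replacing `compat ldap` with `files systemd ldap` (and `shadow: files ldap`) silently drops the `compat` source, so any `+user` / `+@netgroup` entries in a client's local /etc/passwd or /etc/group stop being honoured; if nothing in the FUSS images uses them this is fine and the `files` before `ldap` order keeps local root from being shadowed by a directory entry, but the choice deserves a comment in the template, e.g. `# files first so local accounts win; compat dropped, +/- entries are no longer interpreted`. The `hosts:` line appears twice in the rendered diff, presumably old and new; if both really exist in the template only the last one takes effect, so confirm `files mdns4_minimal [NOTFOUND=return] dns` is the intended survivor.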
......@@ -91,4 +91,10 @@
mode: 0640
owner: root
group: veyon-master
- name: check permissions on /usr/bin/veyon-master
file:
path: /usr/bin/veyon-master
mode: 0750
owner: root
group: veyon-master
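Review bot: Tightening /usr/bin/veyon-master to `0750 root:veyon-master` with the `file` module lasts only until the next veyon package upgrade, because dpkg re-applies the package's own mode when it unpacks the binary; the preceding task (`mode: 0640`, same group, its path is outside this hunk) presumably has the same weakness. The Debian-native way to make the restriction persistent is a `dpkg-statoverride` entry, which dpkg honours on every unpack; the `file` task can stay after it as a belt-and-braces check. Note also that `file` without `state:` does not create the path and fails when the binary is absent, so the task must remain ordered after the veyon package installation.
```yaml
- name: check for an existing statoverride on /usr/bin/veyon-master
  command: dpkg-statoverride --list /usr/bin/veyon-master
  register: veyon_master_override
  failed_when: false
  changed_when: false

- name: make the veyon-master permission restriction survive package upgrades
  command: dpkg-statoverride --update --add root veyon-master 0750 /usr/bin/veyon-master
  when: veyon_master_override.rc != 0

# … unchanged: check permissions on /usr/bin/veyon-master …
```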
......@@ -9,6 +9,7 @@ fuss-client (11.0.1) UNRELEASED; urgency=medium
[ Simone Piccardi ]
* Ensure nslcd is running on veyon role
* Make ldap role idempotent avoiding reinstalling
-- Elena Grandi <elena@truelite.it> Mon, 30 May 2022 10:43:45 +0200