Implement posix group for all users in LDAP.

Andreas B. Mundt 2019-12-01 18:21:24 +01:00
parent 43cb4dcf13
commit 8c896c90e6
2 changed files with 36 additions and 0 deletions


@ -92,6 +92,16 @@
bind_dn: "cn=admin,{{ basedn }}" bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
- name: add group for all ldapusers
ldap_entry:
dn: "cn=ldapuser,ou=groups,{{ basedn }}"
objectClass:
- posixGroup
attributes:
gidNumber: 18000
bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
- name: provide simple script to manage ldap/kdc - name: provide simple script to manage ldap/kdc
template: template:
src: debian-lan.j2 src: debian-lan.j2
@ -128,6 +138,15 @@
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
when: foo_pwd is defined and foo_pwd | length > 0 when: foo_pwd is defined and foo_pwd | length > 0
- name: add dummy user foo to group ldapuser
ldap_attr:
dn: "cn=ldapuser,ou=groups,{{ basedn }}"
name: memberUid
values: foo
bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
when: foo_pwd is defined and foo_pwd | length > 0
- name: allow ldap service in firewalld - name: allow ldap service in firewalld
firewalld: firewalld:
zone: internal zone: internal
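Review bot: The gid 18000 given to the new `cn=ldapuser` group in the `ldap_entry` task is a bare magic number with nothing recording that it is reserved, while debian-lan.j2 creates a per-user posixGroup with its own `gidNumber` drawn from a range this page does not show; if that range can reach 18000 the two groups would share one gid. Moving the value into a documented variable, e.g. `# gid reserved for the all-users group; keep it outside the range handed out to per-user groups` above `ldapuser_gid: 18000` in the role defaults and `gidNumber: "{{ ldapuser_gid }}"` in the task, makes the reservation explicit and lets a deployment choose a non-colliding value. Quoting the value also hands the module a string, which is what an LDAP attribute value is, instead of relying on the module's own conversion of a YAML int. The enclosing task list continues outside both hunks.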


@ -123,6 +123,14 @@ dn: cn=${id},ou=groups,$BASEDN
objectClass: posixGroup objectClass: posixGroup
gidNumber: ${gidNumber} gidNumber: ${gidNumber}
################################## ##################################
EOF
cat <<EOF | ldapmodify -H ldapi:/// -D "$LDAPADMIN" -w "$ADPASSWD" | sed '/^$/d'
############## LDIF ##############
dn: cn=ldapuser,ou=groups,$BASEDN
add: memberUid
memberUid: ${id}
##################################
EOF EOF
if [ $KRB5 ] ; then if [ $KRB5 ] ; then
@ -132,6 +140,7 @@ EOF
echo "uidNumber: ${uidNumber} gidNumber: ${gidNumber}" echo "uidNumber: ${uidNumber} gidNumber: ${gidNumber}"
cp -r /etc/skel ${HOMES}/${id} cp -r /etc/skel ${HOMES}/${id}
chown -R ${uidNumber}:${gidNumber} ${HOMES}/${id} chown -R ${uidNumber}:${gidNumber} ${HOMES}/${id}
#chmod -R o= ${HOMES}/${id}
ls -nld ${HOMES}/${id} ls -nld ${HOMES}/${id}
fi fi
fi fi
@ -150,6 +159,14 @@ del-user(){
ldapdelete -v -H ldapi:/// -D "$LDAPADMIN" -w "$ADPASSWD" "uid=${id},ou=people,$BASEDN" "cn=${id},ou=groups,$BASEDN" 2>&1 \ ldapdelete -v -H ldapi:/// -D "$LDAPADMIN" -w "$ADPASSWD" "uid=${id},ou=people,$BASEDN" "cn=${id},ou=groups,$BASEDN" 2>&1 \
| sed '/ldap_initialize/d' | sed '/ldap_initialize/d'
cat <<EOF | ldapmodify -H ldapi:/// -D "$LDAPADMIN" -w "$ADPASSWD" | sed '/^$/d'
############## LDIF ##############
dn: cn=ldapuser,ou=groups,$BASEDN
delete: memberUid
memberUid: ${id}
##################################
EOF
if [ -d ${HOMES}/${id} ] ; then if [ -d ${HOMES}/${id} ] ; then
KEEPDIR="${HOMES}/rm_$(date '+%Y%m%d')_${id}" KEEPDIR="${HOMES}/rm_$(date '+%Y%m%d')_${id}"
mv ${HOMES}/${id} "${KEEPDIR}" mv ${HOMES}/${id} "${KEEPDIR}"
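Review bot: The exit status of the two new `ldapmodify` calls in add-user and del-user is discarded because each is piped through `sed '/^$/d'`, so a failed membership update (for example on an installation provisioned before the `cn=ldapuser` group existed) prints an error and the function carries on as if it succeeded. In del-user the `delete: memberUid` modify also fails for a user that was never added to the group, which is harmless but becomes indistinguishable from a real failure once the status is dropped. Checking the status, e.g. by dropping the `sed` filter and writing `if ! cat <<EOF | ldapmodify -H ldapi:/// -D "$LDAPADMIN" -w "$ADPASSWD" ; then echo "warning: could not update cn=ldapuser,ou=groups,$BASEDN" >&2 ; fi` around each heredoc, or enabling `set -o pipefail` if the script is run by bash, would make these failures visible. Both add-user and del-user begin and end outside the visible hunks.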