From ddb8ff11d33f3aac2090f48ad3a0c69d73bc1bed Mon Sep 17 00:00:00 2001
From: "Andreas B. Mundt"
Date: Sat, 28 Nov 2020 09:23:44 +0100
Subject: [PATCH] Init fvs branch with LDAP auth and mk-homedir.

---
 kiosk_mkhome.yml | 23 +++++++++++
 roles/fvs-client-mkhome/defaults/main.yml | 2 +
 roles/fvs-client-mkhome/handlers/main.yml | 8 ++++
 roles/fvs-client-mkhome/tasks/main.yml | 40 +++++++++++++++++++
 .../fvs-client-mkhome/templates/sssd.conf.j2 | 20 ++++++++++
 5 files changed, 93 insertions(+)
 create mode 100644 kiosk_mkhome.yml
 create mode 100644 roles/fvs-client-mkhome/defaults/main.yml
 create mode 100644 roles/fvs-client-mkhome/handlers/main.yml
 create mode 100644 roles/fvs-client-mkhome/tasks/main.yml
 create mode 100644 roles/fvs-client-mkhome/templates/sssd.conf.j2

diff --git a/kiosk_mkhome.yml b/kiosk_mkhome.yml
new file mode 100644
index 0000000..1c53bd0
--- /dev/null
+++ b/kiosk_mkhome.yml
@@ -0,0 +1,23 @@
+---
+# This playbook deploys a kiosk-computer
+
+- name: apply configuration to the machines
+ hosts: all
+ remote_user: ansible
+ become: yes
+ vars:
+ auto_user: debi
+ wifi_ssid: "YOUR SSID HERE"
+ wifi_passwd: "YOUR WIFI-PW HERE"
+ extra_pkgs:
+ - webext-privacy-badger
+ - webext-ublock-origin
+ extra_pkgs_bpo: [] # [ libreoffice ]
+
+ roles:
+ - up2date-debian
+ ## Choose either gnome or KDE:
+ - gnome
+ #- kde
+ - kiosk
+ - fvs-client-mkhome
diff --git a/roles/fvs-client-mkhome/defaults/main.yml b/roles/fvs-client-mkhome/defaults/main.yml
new file mode 100644
index 0000000..836e748
--- /dev/null
+++ b/roles/fvs-client-mkhome/defaults/main.yml
@@ -0,0 +1,2 @@
+basedn: "ou=Benutzer,ou=fvs,ou=SCHULEN,o=ml3"
+ldap_server: ldap.steinbeisschule-reutlingen.de
diff --git a/roles/fvs-client-mkhome/handlers/main.yml b/roles/fvs-client-mkhome/handlers/main.yml
new file mode 100644
index 0000000..938f2c4
--- /dev/null
+++ b/roles/fvs-client-mkhome/handlers/main.yml
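Review bot: `become: yes` in the play header should be written as `become: true` — `yes` is a YAML 1.1 boolean that yamllint's truthy rule flags and that YAML 1.2 parsers read as a string; the same applies to `daemon_reload: yes` in roles/fvs-client-mkhome/handlers/main.yml. The `wifi_passwd` value is only a placeholder, but it sits in the plain `vars:` block of a committed playbook, so the moment someone fills in the real value it is stored in clear text in the repository history. Better to take it from an `ansible-vault`-encrypted vars file or a `vars_prompt`, and a comment next to the key would steer future editors that way: `# wifi_passwd: supply via an ansible-vault file or vars_prompt, not here`.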
@@ -0,0 +1,8 @@
+- name: restart sssd
+ service: name=sssd state=restarted enabled=yes
+ listen: "restart sssd"
+
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+ listen: "reload systemd"
diff --git a/roles/fvs-client-mkhome/tasks/main.yml b/roles/fvs-client-mkhome/tasks/main.yml
new file mode 100644
index 0000000..c682836
--- /dev/null
+++ b/roles/fvs-client-mkhome/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: install needed packages
+ apt:
+ name:
+ - sssd-ldap
+ state: latest
+
+- name: add URI to ldap.conf
+ lineinfile:
+ dest: /etc/ldap/ldap.conf
+ line: "URI ldaps://{{ ldap_server }}/"
+ insertafter: "#URI.*"
+
+- name: add BASE to ldap.conf
+ lineinfile:
+ dest: /etc/ldap/ldap.conf
+ line: "BASE {{ basedn }}"
+ insertafter: "#BASE.*"
+
+ #- name: enable pam_umask
+ # lineinfile:
+ # dest: /etc/pam.d/common-session
+ # line: "session optional pam_umask.so usergroups"
+
+- name: enable pam_mkhomedir.so
+ lineinfile:
+ dest: /etc/pam.d/common-session
+ line: "session optional pam_mkhomedir.so"
+ insertafter: "# end of pam-auth-update config"
+
+ # command: /usr/sbin/pam-auth-update --enable mkhomedir
+
+## oddjob-mkhomedir works only with sec=sys for the NFSv4 share
+
+- name: provide identities from directory
+ template:
+ src: sssd.conf.j2
+ dest: /etc/sssd/sssd.conf
+ mode: 0600
+ notify: restart sssd
diff --git a/roles/fvs-client-mkhome/templates/sssd.conf.j2 b/roles/fvs-client-mkhome/templates/sssd.conf.j2
new file mode 100644
index 0000000..394207a
--- /dev/null
+++ b/roles/fvs-client-mkhome/templates/sssd.conf.j2
@@ -0,0 +1,20 @@
+[sssd]
+domains = LDAP
+config_file_version = 2
+services = nss, pam
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldaps://{{ ldap_server }}/
+ldap_search_base = {{ basedn }}
+
+auth_provider = ldap
+cache_credentials = true
+
+ldap_tls_reqcert = never
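Review bot: The `reload systemd` handler is not notified by any task in this patch (tasks/main.yml only notifies `restart sssd`), so it is dead weight unless some other role is expected to trigger it through `listen`; either drop it or add a comment saying which role relies on it. The `restart sssd` handler passes its arguments as a legacy `key=value` string; the block form with `name: sssd`, `state: restarted` and `enabled: true` under `service:` is the current Ansible convention and is what ansible-lint expects.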
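Review bot: `state: latest` on the `apt` task upgrades sssd-ldap on every run, so the play is never idempotent and may pull a package version that was not reviewed together with this role; `state: present` is the usual choice when the role only needs the package installed, leaving upgrades to the up2date-debian role that the playbook already applies. `mode: 0600` on the template task is an unquoted octal that a YAML 1.1 loader reads as the integer 384 — Ansible accepts that, but `mode: "0600"` is unambiguous, and since sssd checks ownership of its config file as well (confirm for the target Debian release), `owner: root` and `group: root` make the task self-contained. The pam_mkhomedir line is inserted after the `# end of pam-auth-update config` marker, which keeps it outside the region pam-auth-update rewrites; a short comment stating that this is why the commented-out `pam-auth-update --enable mkhomedir` was not used would save the next maintainer from "fixing" it. The `dest:` key on the `lineinfile` tasks is the old alias; `path:` is the documented name.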
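Review bot: `ldap_tls_reqcert = never` on the last line disables server certificate validation for the ldaps connection over which `auth_provider = ldap` performs the user's password bind, so TLS no longer protects against a spoofed LDAP server and the ldaps:// scheme chosen in `ldap_uri` buys almost nothing. Set `ldap_tls_reqcert = demand` and add `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt` if the school server uses a publicly trusted certificate, or ship the private CA with the role and point `ldap_tls_cacert` at it. `cache_credentials = true` keeps password hashes in the sssd cache on a shared kiosk; that is a reasonable trade for offline login but deserves a comment saying it is intentional, e.g. `; cache_credentials: allow login while the LDAP server is unreachable`.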