Configure pam to use ldap, configure nslcd.

README.md

@@ -12,6 +12,18 @@ The most important variables are listed below:
 ldap_uri: "ldap://ldap.example.org"
 ldap_base_dn: "dc=example,dc=org"
 ldap_tls_cacert: /etc/ssl/certs/ca-certificates.crt
+ldap_uri: "ldap://ldap.example.org"
+ldap_base_dn: "dc=example,dc=org"
+ldap_tls_deb_cacert: /etc/ssl/certs/ca-certificates.crt
+ldap_version: 3
+ldap_nss_ignoreusers: 'avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data'
+
+nslcd_ssl: True
+nslcd_tls_reqcert: 'demand'
+nslcd_search_scope: 'sub'
+nslcd_authenticated_bind: False
+nslcd_binddn: 'cn=anonymous,dc=example,dc=net'
+nslcd_bindpw: 'use a vault'
 ```
 
 Dependencies

defaults/main.yml

@@ -1,4 +1,46 @@
 ---
 ldap_uri: "ldap://ldap.example.org"
 ldap_base_dn: "dc=example,dc=org"
-ldap_tls_cacert: /etc/ssl/certs/ca-certificates.crt
+ldap_tls_deb_cacert: /etc/ssl/certs/ca-certificates.crt
+ldap_version: 3
+ldap_nss_ignoreusers: 'avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data'
+
+nslcd_install: False
+nslcd_ssl: True
+nslcd_tls_reqcert: 'demand'
+nslcd_search_scope: 'sub'
+nslcd_authenticated_bind: False
+nslcd_binddn: 'cn=anonymous,dc=example,dc=net'
+nslcd_bindpw: 'use a vault'
+
+# * ldap-auth-config/rootbindpw: (password omitted)
+# ldap-auth-config/bindpw: (password omitted)
+# ldap-auth-config/pam_password: md5
+# * ldap-auth-config/move-to-debconf: true
+# * ldap-auth-config/ldapns/ldap-server: ldapi:///
+# * ldap-auth-config/ldapns/base-dn: dc=example,dc=net
+# * ldap-auth-config/ldapns/ldap_version: 3
+# ldap-auth-config/override: true
+# * ldap-auth-config/dbrootlogin: true
+# * ldap-auth-config/rootbinddn: cn=manager,dc=example,dc=net
+# * ldap-auth-config/dblogin: false
+# ldap-auth-config/binddn: cn=proxyuser,dc=example,dc=net
+# ldap_client_deb_ldapscripts: False
+
+#   nslcd/ldap-bindpw: (password omitted)
+# * nslcd/ldap-base: dc=example,dc=net
+#   nslcd/ldap-sasl-mech:
+#   nslcd/ldap-sasl-realm:
+# * nslcd/ldap-reqcert: demand
+#   nslcd/ldap-sasl-authzid:
+#   nslcd/ldap-starttls: false
+#   nslcd/ldap-auth-type: none
+#   nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
+#   nslcd/ldap-sasl-secprops:
+#   nslcd/ldap-sasl-authcid:
+# * nslcd/ldap-uris: ldapi:///
+#   nslcd/ldap-binddn:
+# * libnss-ldapd/nsswitch: passwd
+#   libnss-ldapd/clean_nsswitch: false
+
+

files/common-account

@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so 
+# here's the fallback if no module succeeds
+account	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+account	[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]	pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config

files/common-auth

@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth	[success=2 default=ignore]	pam_unix.so nullok_secure
+auth	[success=1 default=ignore]	pam_ldap.so minimum_uid=1000 use_first_pass
+# here's the fallback if no module succeeds
+auth	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth	optional			pam_cap.so 
+# end of pam-auth-update config

files/common-password

@@ -0,0 +1,34 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password	[success=2 default=ignore]	pam_unix.so obscure sha512
+password	[success=1 default=ignore]	pam_ldap.so minimum_uid=1000 try_first_pass
+# here's the fallback if no module succeeds
+password	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

files/common-session

@@ -0,0 +1,31 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session	[default=1]			pam_permit.so
+# here's the fallback if no module succeeds
+session	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session	required			pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional			pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session	required	pam_unix.so 
+session	[success=ok default=ignore]	pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config

files/common-session-noninteractive

@@ -0,0 +1,31 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session	[default=1]			pam_permit.so
+# here's the fallback if no module succeeds
+session	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session	required			pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional			pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session	required	pam_unix.so 
+session	[success=ok default=ignore]	pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config

files/ldap-auth-config

@@ -0,0 +1,13 @@
+#
+# Clients should be able to authenticate with this profile if following
+# Network Authentication in the Ubuntu Server guide.  Please note that
+# these settings are not suitable for sometimes disconnected (eg laptop)
+# systems.  The example is taken from LDAPClientAuthentication at:
+# https://help.ubuntu.com/community/LDAPClientAuthentication
+# 
+[lac_ldap]
+nss_passwd=passwd: files ldap
+nss_group=group: files ldap
+nss_shadow=shadow: files ldap
+nss_netgroup=netgroup: nis
+

files/nsswitch.conf

@@ -0,0 +1,14 @@
+passwd:         compat ldap
+group:          compat
+shadow:         compat ldap
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis
+

handlers/main.yml

@@ -1,2 +1,7 @@
 ---
-# handlers file for ansible-role-template
+- name: Restart the NSLCD service
+  service: name=nslcd state=restarted
+
+- name: Restart the NSCD service
+  service: name=nscd state=restarted
+  

tasks/ldapclient-deb.yml

@@ -0,0 +1,28 @@
+---
+- name: ldap client utilities
+  block:
+  - name: Install the ldap utilities
+    apt: pkg={{ ldap_client_deb_packages }} state=present
+
+  tags: ldap_client
+
+- name: ldapscripts
+  block:
+  - name: Install the ldapscripts package
+    apt: pkg=ldapscripts state=present
+
+  - name: Write the ldap client configuration file
+    template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=444 owner=root group=root
+
+  - name: set the ldapscripts.conf uri
+    action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ ldap_uri }}' syntax=shell
+
+  - name: set the ldapscripts.conf bind dn
+    action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ ldap_base_dn }}' syntax=shell
+      
+  - name: set the ldapscripts.conf dn suffix
+    action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ ldap_base_dn }}' syntax=shell
+
+  when: ldap_client_deb_ldapscripts
+  tags: [ 'ldap_client', 'ldap_ldapscripts' ]
+      

tasks/main.yml

@@ -1,33 +1,6 @@
 ---
-- name: Install the ldap utilities
-  apt: pkg={{ item }} state={{ pkg_state }}
-  with_items:
-    - ldapscripts
-    - libpam-ldap
-  tags: ldap-client
+- import_tasks: ldapclient-deb.yml
+  when: ansible_distribution_file_variety == "Debian"
+- import_tasks: nslcd-deb.yml
+  when: ansible_distribution_file_variety == "Debian"
 
-- name: Write the ldap client configuration file
-  template: src=ldap.conf-old.j2 dest=/etc/ldap.conf mode=444 owner=root group=root
-  when: is_ubuntu_less_than_trusty
-  tags: ldap-client
-
-- name: Write the ldap client configuration file
-  template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=444 owner=root group=root
-  when: is_trusty
-  tags: ldap-client
-
-- name: set the ldapscripts.conf uri
-  action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ ldap_uri }}' syntax=shell
-  when: is_trusty
-  tags: ldap-client
-
-- name: set the ldapscripts.conf bind dn
-  action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ ldap_base_dn }}' syntax=shell
-  when: is_trusty
-  tags: ldap-client
-    
-- name: set the ldapscripts.conf dn suffix
-  action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ ldap_base_dn }}' syntax=shell
-  when: is_trusty
-  tags: ldap-client
-    

tasks/nslcd-deb.yml

@@ -0,0 +1,47 @@
+---
+- block:
+    - name: Install the packages required to enable the LDAP PAM authentication
+      apt: pkg={{ nslcd_deb_pkgs }} state=present update_cache=yes cache_valid_time=1800
+
+    - name: Install the pam ldap configuration. We cannot use the debian tools, they are broken on ubuntu in non interactive mode
+      copy: src={{ item }} dest=/etc/pam.d/{{ item }}
+      with_items: '{{ nslcd_ldap_map_common }}'
+      notify:
+        - Restart the NSLCD service
+        - Restart the NSCD service
+
+    - name: Create the ldap-auth-config directory
+      file: dest=/etc/auth-client-config/profile.d state=directory
+      notify:
+        - Restart the NSLCD service
+        - Restart the NSCD service
+
+    - name: Install the ldap-auth-config file
+      copy: src=ldap-auth-config dest=/etc/auth-client-config/profile.d/ldap-auth-config
+      notify:
+        - Restart the NSLCD service
+        - Restart the NSCD service
+
+    - name: Install the nsswitch.conf file
+      copy: src=nsswitch.conf dest=/etc/nsswitch.conf
+      notify:
+        - Restart the NSLCD service
+        - Restart the NSCD service
+
+    - name: Install the nslcd configuration
+      template: src=nslcd.conf.j2 dest=/etc/nslcd.conf mode=0640 owner=root group=nslcd
+      notify:
+        - Restart the NSLCD service
+        - Restart the NSCD service
+      tags: [ 'ldap_client', 'nslcd', 'nslcd_conf' ]
+
+    - name: Install a script that checks if the ldap authentication is working, and if not it restarts the ns(l)cd daemons
+      copy: src=check_ldap_users dest=/usr/local/bin/check_ldap_users owner=root group=root mode=0555
+      tags: [ 'smartgears', 'r_connector', 'tomcat', 'r_connector_check_ldap' ]
+
+    - name: Add a cron job that runs the ldap users check script
+      cron: name="check ldap users" job="/usr/local/bin/check_ldap_users" state=present user=root
+      tags: [ 'smartgears', 'r_connector', 'tomcat', 'r_connector_check_ldap' ]
+
+  when: nslcd_install
+  tags: [ 'ldap_client', 'nslcd' ]

templates/ldap.conf-old.j2

@@ -1,11 +0,0 @@
-# The distinguished name of the search base.
-BASE {{ ldap_base_dn }}
-
-# Another way to specify your LDAP server is to provide an
-URI {{ ldap_uri }}
-
-# The LDAP version to use (defaults to 3
-# if supported by client library)
-ldap_version 3
-
-nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data

templates/ldap.conf.j2

@@ -6,9 +6,9 @@ URI {{ ldap_uri }}
 
 # The LDAP version to use (defaults to 3
 # if supported by client library)
-ldap_version 3
+ldap_version {{ ldap_version }}
 
-nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
+nss_initgroups_ignoreusers {{ ldap_nss_ignoreusers }}
 
 # TLS certificates (needed for GnuTLS)
-TLS_CACERT         {{ ldap_tls_cacert }}
+TLS_CACERT         {{ ldap_tls_deb_cacert }}

templates/nslcd.conf.j2

@@ -0,0 +1,36 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri {{ ldap_uri }}
+
+# The search base that will be used for all queries.
+base {{ ldap_base }}
+
+# The LDAP protocol version to use.
+ldap_version 3
+tls_cacertdir /etc/ssl/certs
+tls_cacertfile {{ r_connector_nslcd_cafile }}
+
+{% if nslcd_authenticated_bind %}
+# The DN to bind with for normal lookups.
+binddn {{ nslcd_binddn }}
+bindpw {{ nslcd_bindpw }}
+{% endif %}
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+ssl {{ nslcd_ssl }}
+tls_reqcert {{ nslcd_tls_reqcert }}
+
+# The search scope.
+#scope {{ nslcd_search_scope }}
+
+bind_timelimit 120

vars/main.yml

@@ -1,2 +1,17 @@
 ---
-# vars file for ansible-role-template
+ldap_client_deb_packages:
+  - libpam-ldap
+
+nslcd_install: False
+nslcd_deb_pkgs:
+  - ldap-utils
+  - nslcd
+  - libnss-ldapd
+  - nscd
+
+nslcd_ldap_map_common:
+  - common-account
+  - common-auth
+  - common-password
+  - common-session
+  - common-session-noninteractive