add sssd

5 files changed, 89 insertions, 1 deletions

diff --git a/galaxy.yml b/galaxy.yml
index fe48a4f..cd584f0 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
 namespace: kompetenzbolzen
 name: stuff
-version: 0.0.4
+version: 0.1.0
 readme: README.md
 authors:
 - Jonas Gunz <himself@jonasgunz.de>
diff --git a/roles/sssd/defaults/main.yml b/roles/sssd/defaults/main.yml
new file mode 100644
index 0000000..381bb74
--- /dev/null
+++ b/roles/sssd/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+sssd_ldap:
+  host: 'ldaps://ldap.example.com'
+  start_tls: False
+  bind_dn: 'cn=sssd,dc=example,dc=com'
+  bind_pw: 'password'
+  base_dn: 'dc=example,dc=com'
+  user_dn: 'ou=users,dc=example,dc=com'
+  group_dn: 'ou=groups,dc=example,dc=com'
+  access_filter: '&(objectClass=posixAccount)'
diff --git a/roles/sssd/handlers/main.yml b/roles/sssd/handlers/main.yml
new file mode 100644
index 0000000..ac65088
--- /dev/null
+++ b/roles/sssd/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart sssd
+  systemd:
+    name: sssd
+    state: restarted
+  become: yes
diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml
new file mode 100644
index 0000000..b50cac6
--- /dev/null
+++ b/roles/sssd/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: Install packages
+  apt:
+    name:
+      - sssd
+      - libpam-sss
+      - libnss-sss
+    update_cache: yes
+  become: yes
+
+- name: Install SSSD Config file
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: '600'
+  become: yes
+  notify: Restart sssd
+
+- name: Create LDAP Config dir
+  file:
+    path: /etc/ldap
+    state: directory
+  become: yes
+
+- name: Install ldap.conf
+  copy:
+    content: 'TLS_CACERT      /etc/ssl/certs/ca-certificates.crt'
+    dest: /etc/ldap/ldap.conf
+  become: yes
+  notify: Restart sssd
+
+- name: Auto-create Homedir
+  lineinfile:
+    path: /etc/pam.d/common-session
+    regex: '^session required pam_mkhomedir\.so'
+    line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
+    insertafter: '^session optional pam_sss\.so'
+  become: yes
diff --git a/roles/sssd/templates/sssd.conf.j2 b/roles/sssd/templates/sssd.conf.j2
new file mode 100644
index 0000000..c6ae86f
--- /dev/null
+++ b/roles/sssd/templates/sssd.conf.j2
@@ -0,0 +1,34 @@
+# vi: ft=conf
+# This file is managed by Ansible. Do not change.
+
+[sssd]
+services = nss, pam
+config_file_version = 2
+domains = default
+
+[nss]
+override_shell = /bin/bash
+
+[pam]
+offline_credentials_expiration = 60
+
+[domain/default]
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+cache_credentials = True
+access_provider = simple
+
+ldap_id_use_start_tls = {{ sssd_ldap.start_tls }}
+ldap_tls_reqcert = demand
+
+ldap_search_base = {{ sssd_ldap.base_dn }}
+ldap_group_search_base = {{ sssd_ldap.group_dn }}
+ldap_user_search_base = {{ sssd_ldap.user_dn }}
+ldap_access_filter = {{ sssd_ldap.access_filter }}
+
+ldap_uri = {{ sssd_ldap.host }}
+ldap_default_bind_dn = {{ sssd_ldap.bind_dn }}
+ldap_default_authtok = {{ sssd_ldap.bind_pw }}
+ldap_search_timeout = 50
+ldap_network_timeout = 60