Ansible role for LDAP DSEE configuration

• Intro
• Design
• Role code
• Playbook

Intro

Design

Role code

• defaults/main.yml

  --- # BASE DN base_dn: "dc=domain,dc=com" # Organization (o) o: "nl" # mail variables mail_server: "internal-router.domain.com" from_who: "zarko@domain.com" to_who: "zarko@domain.com" # certificate location, linux linux_certs_path: "/etc/openldap/cacerts/" # certificate location, solaris solaris_certs_path: "/var/ldap/"

• vars/main.yml

  --- # site specific ldap config (ex. SITE1 is dictionary name, ldap is key and its value is yes) SITE1: ldap: "yes" auto_direct: "ou=sfbay,o=nl,dc=domain,dc=com" auto_home: "ou=sfbay,o=nl,dc=domain,dc=com" auto_import: "ou=sfbay,o=nl,dc=domain,dc=com" auto_ws: "ou=sfbay,o=nl,dc=domain,dc=com" auto_workspace: "ou=it,o=nl,dc=domain,dc=com" auto_re: "ou=it,o=nl,dc=domain,dc=com" search_base_master: "ou=sfbay,o=nl,dc=domain,dc=com" search_base_slave1: "ou=sfbay,o=nl,dc=domain,dc=com" uri_s: "ldaps://ldap-srv1.domain.com ldaps://ldap-srv2.domain.com" uri: "ldap://sldap-srv1.domain.com ldap://ldap-srv2.domain.com" solaris_profile: "site1-tls" #ldap profile for solaris SITE2: # enter site2 info here # host specific config, in case host doesn't use site's config fqdn-1: ldap: "no"

• files
• here enter root and interediate certificates
• ol8_etc_authselect_custom_dsee_README

  Enable LDAP DSEE for system authentication, OL8

• templates
• auto.master.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} /misc /etc/auto.misc /net -hosts /- ldap:automountMapName=auto_direct,"{{ lookup('vars', inventory_hostname, default=lookup('vars', site))['auto_direct'] }}" /home ldap:automountMapName=auto_home,"{{ lookup('vars', inventory_hostname, default=lookup('vars', site))['auto_home'] }}" /import ldap:automountMapName=auto_import,"{{ lookup('vars', inventory_hostname, default=lookup('vars', site))['auto_import'] }}" /workspace ldap:automountMapName=auto_workspace,"{{ lookup('vars', inventory_hostname, default=lookup('vars', site))['auto_workspace'] }}" /ws ldap:automountMapName=auto_ws,"{{ lookup('vars', inventory_hostname, default=lookup('vars', site))['auto_ws'] }}" /re ldap:automountMapName=auto_re,"{{ lookup('vars', inventory_hostname, default=lookup('vars', site))['auto_re'] }}"

• autofs.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} {% if ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "5" %} LDAP_URI="{{ lookup('vars', inventory_hostname, default=lookup('vars', site))['uri'] }}" {% else %} LDAP_URI="{{ lookup('vars', inventory_hostname, default=lookup('vars', site))['uri_s'] }}" {% endif %} SEARCH_BASE="{{ lookup('vars', inventory_hostname, default=lookup('vars', site))['search_base_master'] }}" SEARCH_BASE="{{ lookup('vars', inventory_hostname, default=lookup('vars', site))['search_base_slave1'] }}" TIMEOUT=300 BROWSE_MODE="yes" MOUNT_NFS_DEFAULT_PROTOCOL=3 MAP_OBJECT_CLASS="automountMap" ENTRY_OBJECT_CLASS="automount" MAP_ATTRIBUTE="automountMapName" ENTRY_ATTRIBUTE="automountKey" VALUE_ATTRIBUTE="automountInformation" USE_MISC_DEVICE="yes"

• etc_authselect_custom_dsee_password-auth.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so # if /etc/logingroups exists, users not in /etc/passwd must be in groups listed account requisite pam_listfile.so item=group sense=allow file=/etc/logingroups onerr=succeed account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so

• etc_authselect_custom_dsee_system-auth.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so

• etc_ldap.conf.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} uri {{ lookup('vars', inventory_hostname, default=lookup('vars', site))['uri_s'] }} binddn cn=ldap_admin,ou=adminusers,{{ base_dn }} bindpw admin-password ssl on tls_reqcert allow base {{ base_dn }} scope sub referrals no nss_base passwd {{ base_dn }} nss_base shadow {{ base_dn }} nss_base group ou=groups,{{ base_dn }} nss_base netgroup ou=netgroup,{{ base_dn }} nss_base aliases ou=aliases,ou=it,o={{ o }},{{ base_dn }} pam_password crypt

• etc_openldap.conf.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} TLS_CACERTDIR /etc/openldap/cacerts BASE {{ base_dn }} TLS_REQCERT allow REFERRALS no {% if ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "5" %} URI {{ lookup('vars', inventory_hostname, default=lookup('vars', site))['uri'] }} {% else %} URI {{ lookup('vars', inventory_hostname, default=lookup('vars', site))['uri_s'] }} SASL_NOCANON on {% endif %}

• etc_sysconfig_authconfig_ol5.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} FORCESMARTCARD=no PASSWDALGORITHM=md5 USECRACKLIB=yes USEDB=no USEHESIOD=no USEKERBEROS=no USELDAPAUTH=yes USELDAP=no USELOCAUTHORIZE=no USEMKHOMEDIR=no USENIS=no USEPAMACCESS=no USEPASSWDQC=no USESHADOW=yes USESMARTCARD=no USESMBAUTH=no USESSSDAUTH=no USESSSD=no USESYSNETAUTH=no USEWINBINDAUTH=no USEWINBIND=no

• etc_sysconfig_authconfig_ol6.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} CACHECREDENTIALS=yes FORCELEGACY=yes FORCESMARTCARD=no IPADOMAINJOINED=no IPAV2NONTP=no PASSWDALGORITHM=md5 USECRACKLIB=yes USEDB=no USEFPRINTD=yes USEHESIOD=no USEIPAV2=no USEKERBEROS=no USELDAPAUTH=yes USELDAP=yes USELOCAUTHORIZE=yes USEMKHOMEDIR=yes USENIS=no USEPAMACCESS=no USEPASSWDQC=no USESHADOW=yes USESMARTCARD=no USESSSDAUTH=no USESSSD=no USESYSNETAUTH=no USEWINBINDAUTH=no USEWINBIND=no

• etc_sysconfig_authconfig_ol7.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} CACHECREDENTIALS=yes FAILLOCKARGS="deny=4 unlock_time=1200" FORCELEGACY=yes FORCESMARTCARD=no IPADOMAINJOINED=no IPAV2NONTP=no PASSWDALGORITHM=md5 USEDB=no USEECRYPTFS=no USEFAILLOCK=no USEFPRINTD=no USEHESIOD=no USEIPAV2=no USEKERBEROS=no USELDAPAUTH=yes USELDAP=yes USELOCAUTHORIZE=yes USEMKHOMEDIR=no USENIS=no USEPAMACCESS=no USEPASSWDQC=no USEPWQUALITY=yes USESHADOW=yes USESMARTCARD=no USESSSDAUTH=no USESSSD=no USESYSNETAUTH=no USEWINBINDAUTH=no USEWINBIND=no WINBINDKRB5=no

• nslcd.conf.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} uri {{ lookup('vars', inventory_hostname, default=lookup('vars', site))['uri_s'] }} binddn cn=ldap-admin,ou=adminusers,{{ base_dn }} bindpw admin-passwd ssl on tls_reqcert allow base {{ base_dn }} scope sub referrals no base passwd {{ base_dn }} scope passwd sub base shadow {{ base_dn }} scope shadow sub base group ou=groups,{{ base_dn }} scope group one base netgroup ou=netgroup,{{ base_dn }} scope netgroup one base aliases ou=aliases,ou=it,o={{ o }},{{ base_dn }} scope aliases one # fix for : nslcd ldap_result() failed: Administrative limit exceeded idle_timelimit 250

• nsswitch.conf-no-ldap.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} passwd: files shadow: files group: files hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: nisplus publickey: nisplus automount: files nisplus aliases: files nisplus sudoers: files

• nsswitch.conf.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} passwd: files ldap shadow: files ldap group: files ldap hosts: files dns bootparams: files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: files ldap publickey: files automount: files ldap aliases: files ldap sudoers: files ldap

• pam_ldap.conf.j2

  # {{ inventory_hostname }} # {{ site }} # {{ansible_facts.distribution}} {{ansible_facts.distribution_major_version}} uri {{ lookup('vars', inventory_hostname, default=lookup('vars', site))['uri_s'] }} binddn cn=ldap-admin,ou=adminusers,{{ base_dn }} bindpw admin-passwd ssl on tls_checkpeer no base {{ base_dn }} scope sub referrals no pam_password crypt

• tasks
• install_certs.yml

  - name: Find certificates on Ansible controller, local action local_action: module: find paths: "{{ role_path }}/files" file_type: file use_regex: yes pattern: ".*.pem$" register: certs - debug: # good for troubleshoot and find type of variable msg: - "certs variable is {{ certs | type_debug}}" - "certs.files is {{ certs.files | type_debug }}" - "My cert is {{ item.path }}" with_items: "{{ certs.files }}" # this is list - name: Certs install on Linux block: - name: Manage path "{{ linux_certs_path }}" file: path: "{{ linux_certs_path }}" state: directory owner: root group: root mode: '0755' - name: Copy root and intermediate certs for Linux copy: src: "{{ item.path }}" dest: "{{ linux_certs_path }}" owner: root group: root mode: '0644' with_items: "{{ certs.files }}" when: ansible_facts['distribution'] == "OracleLinux" or ansible_facts['distribution'] == "Oracle" - name: Certs install on Solaris block: - name: Manage path "{{ solaris_certs_path }}" file: path: "{{ solaris_certs_path }}" state: directory owner: root group: root mode: '0755' - name: Copy root and intermediate certs for Solaris copy: src: "{{ item.path }}" dest: "{{ solaris_certs_path }}" owner: root group: root mode: '0644' with_items: "{{ certs.files }}" - name: Add certs in NSS database command: certutil -A -n {{ item.path | basename }} -i /var/ldap/{{ item.path | basename }} -a -t CT -d {{ solaris_certs_path }} with_items: "{{ certs.files }}" changed_when: false when: ansible_facts['distribution'] == "Solaris"

• main.yml

  --- # tasks file for ldap-dsee - name: Gather facts setup: - name: Determine Yes or No for {{ inventory_hostname }} debug: msg: "{{ lookup('vars', inventory_hostname, default=lookup('vars', site))['ldap'] }}" - name: No LDAP DSEE configuration include_tasks: no-ldap-client.yml when: lookup('vars', inventory_hostname, default=lookup('vars', site))['ldap'] == "no" - name: LDAP DSEE configuration block: - name: LDAP DSEE configuration for OL5 include_tasks: ol5.yml # only with old ansible/python when: ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "5" - name: LDAP DSEE configuration for OL6/OVS3 include_tasks: ol6.yml when: ( ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "6" ) or ( ansible_facts['distribution'] == "Oracle" and ansible_facts['distribution_major_version'] == "3" ) - name: LDAP DSEE configuration for OL7 include_tasks: ol7.yml when: ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "7" - name: LDAP DSEE configuration for OL8 include_tasks: ol8.yml when: ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] >= "8" - name: LDAP DSEE configuration for Solaris11 include_tasks: solaris11.yml when: ansible_facts['distribution'] == "Solaris" when: lookup('vars', inventory_hostname, default=lookup('vars', site))['ldap'] == "yes"

• no-ldap-client.yml

  - name: Setup NO LDAP configuration block: - debug: msg: "The host {{ inventory_hostname }} should not be LDAP DSEE client" - name: Stop services nslcd, nscd service: name: "{{ item }}" state: stopped enabled: no with_list: - nslcd # local LDAP name service daemon - nscd # name service cache daemon register: result failed_when: "result is failed and not 'Could not find the requested service' in result.msg" - name: Create /etc/nsswitch.conf for no-ldap client from template template: src: nsswitch.conf-no-ldap.j2 dest: /etc/nsswitch.conf owner: root group: root mode: 0644 backup: yes rescue: - name: Send report about failure mail: host: "{{ mail_server }}" from: "{{ from_who }}" to: "{{ to_who }}" subject: '[Ansible *{{ role_name }}* role]: failed task *{{ ansible_failed_task.name }}*' body: | Role *{{ role_name }}* failed on {{ inventory_hostname }} {{ ansible_distribution }} {{ ansible_distribution_major_version }} [Failed task]: {{ ansible_failed_task.name }} [Failed result]: {{ ansible_failed_result }}

• not-supported-linux.yml

  - debug: msg: "Unsupported Linux"

• ol5.yml

  - name: OL5 DSEE LDAP configuration block: #- name: Install required RPMs # Problem https://github.com/ansible/ansible/issues/30518 # yum: # name: "{{ rpms }}" # vars: # rpms: # - nss_ldap # - openldap # - openldap-clients # - autofs # - authconfig # state: present - name: Stop, Disable sssd service: name: sssd state: stopped enabled: no register: result failed_when: "result is failed and not 'Could not find the requested service' in result.msg" - name: Create /etc/nsswitch.conf from template template: src: nsswitch.conf.j2 dest: /etc/nsswitch.conf owner: root group: root mode: 0644 backup: yes - name: Create /etc/ldap.conf from template template: src: etc_ldap.conf.j2 dest: /etc/ldap.conf owner: root group: root mode: 0644 backup: yes #- name: Configure system authentication resources # raw: >- # This is parsed without a trailing \n after --kickstart # authconfig --disablenis --enableshadow --enableldapauth # --enableldaptls --ldapserver=ldap-server --ldapbasedn={{ base_dn }} # --update --kickstart - name: Create OL5 /etc/sysconfig/authconfig from template template: src: etc_sysconfig_authconfig_ol5.j2 dest: /etc/sysconfig/authconfig backup: yes - name: Create /etc/openldap/ldap.conf from template template: src: etc_openldap_ldap.conf.j2 dest: /etc/openldap/ldap.conf owner: root group: root mode: 0640 backup: yes - name: Create /etc/sysconfig/autofs from template template: src: autofs.j2 dest: /etc/sysconfig/autofs owner: root group: root mode: 0644 backup: yes - name: Adjust usetlsd in /etc/autofs_ldap_auth.conf replace: path: /etc/autofs_ldap_auth.conf regexp: 'usetls=.*' replace: 'usetls="yes"' - name: Adjust tlsrequired in /etc/autofs_ldap_auth.conf replace: path: /etc/autofs_ldap_auth.conf regexp: 'tlsrequired=.*' replace: 'tlsrequired="no"' - name: Adjust authrequired in /etc/autofs_ldap_auth.conf replace: path: /etc/autofs_ldap_auth.conf regexp: 'authrequired=.*' replace: 'authrequired="no"' - name: Create /etc/auto.master from template template: src: auto.master.j2 dest: /etc/auto.master owner: root group: root mode: 0644 backup: yes - name: Install certificates include_tasks: install_certs.yml #- name: Clear Name Service Cache Daemon # raw: "nscd -i group ; nscd -i passwd" - name: Start nscd, autofs service: name: "{{ item }}" state: started enabled: yes with_list: - nscd - autofs #- name: Check, list group 'crm' members # raw: "ldapsearch -x -LLL -s sub \"(cn=crm)\" memberUid" # register: result #- debug: # msg: "{{ result }}" rescue: - name: Send report about failure mail: host: "{{ mail_server }}" from: "{{ from_who }}" to: "{{ to_who }}" subject: '[Ansible *{{ role_name }}* role]: failed task *{{ ansible_failed_task.name }}*' body: | Role *{{ role_name }}* failed on {{ inventory_hostname }} {{ ansible_distribution }} {{ ansible_distribution_major_version }} [Failed task]: {{ ansible_failed_task.name }} [Failed result]: {{ ansible_failed_result }}

• ol6.yml

  - name: OL6 DSEE LDAP configuration block: - name: Install required rpms yum: name: "{{ rpms }}" vars: rpms: - nss-pam-ldapd - pam_ldap - apr-util-ldap - openldap - nscd - openldap-clients - autofs - authconfig state: present - name: Stop, Disable sssd service: name: sssd state: stopped enabled: no register: result failed_when: "result is failed and not 'Could not find the requested service' in result.msg" - name: Create /etc/nsswitch.conf from template template: src: nsswitch.conf.j2 dest: /etc/nsswitch.conf owner: root group: root mode: 0644 backup: yes #- name: Configure system authentication resources # raw: >- # this is parsed without \n after --kickstart # authconfig --disablenis --passalgo=md5 --enableldapauth --enableldaptls # --enableforcelegacy --enableldap --ldapserver=ldap-srv # --ldapbasedn={{ base_dn }} --update --kickstart - name: Create OL6 /etc/sysconfig/authconfig from template template: src: etc_sysconfig_authconfig_ol6.j2 dest: /etc/sysconfig/authconfig backup: yes - name: Create /etc/pam_ldap.conf from template template: src: pam_ldap.conf.j2 dest: /etc/pam_ldap.conf owner: root group: root mode: 0644 backup: yes - name: Create /etc/nslcd.conf from template template: src: nslcd.conf.j2 dest: /etc/nslcd.conf owner: root group: root mode: 0640 backup: yes - name: Create /etc/openldap/ldap.conf from template template: src: etc_openldap_ldap.conf.j2 dest: /etc/openldap/ldap.conf owner: root group: root mode: 0640 backup: yes - name: Create /etc/sysconfig/autofs from template template: src: autofs.j2 dest: /etc/sysconfig/autofs owner: root group: root mode: 0644 backup: yes - name: Adjust usetlsd in /etc/autofs_ldap_auth.conf replace: path: /etc/autofs_ldap_auth.conf regexp: 'usetls=.*' replace: 'usetls="no"' - name: Adjust tlsrequired in /etc/autofs_ldap_auth.conf replace: path: /etc/autofs_ldap_auth.conf regexp: 'tlsrequired=.*' replace: 'tlsrequired="no"' - name: Adjust authrequired in /etc/autofs_ldap_auth.conf replace: path: /etc/autofs_ldap_auth.conf regexp: 'authrequired=.*' replace: 'authrequired="no"' - name: Create /etc/auto.master from template template: src: auto.master.j2 dest: /etc/auto.master owner: root group: root mode: 0644 backup: yes - name: Install certificates include_tasks: install_certs.yml - name: Start nslcd, nscd, autofs service: name: "{{ item }}" state: started enabled: yes with_list: - nslcd - nscd - autofs #- name: Clear Name Service Cache Daemon # raw: "nscd -i group ; nscd -i passwd" #- name: Check, list group 'crm' members # raw: "ldapsearch -x -LLL -s sub \"(cn=crm)\" memberUid" # register: result #- debug: # msg: "{{ result }}" rescue: - name: Send report about failure mail: host: "{{ mail_server }}" from: "{{ from_who }}" to: "{{ to_who }}" subject: '[Ansible *{{ role_name }}* role]: failed task *{{ ansible_failed_task.name }}*' body: | Role *{{ role_name }}* failed on {{ inventory_hostname }} {{ ansible_distribution }} {{ ansible_distribution_major_version }} [Failed task]: {{ ansible_failed_task.name }} [Failed result]: {{ ansible_failed_result }}

• ol7.yml

  - name: OL7 DSEE LDAP configuration block: - name: Install required rpms yum: name: "{{ rpms }}" vars: rpms: - nss-pam-ldapd - openldap - nscd - openldap-clients - autofs - authconfig state: present - name: Stop, Disable sssd service: name: sssd state: stopped enabled: no register: result failed_when: "result is failed and not 'Could not find the requested service' in result.msg" - name: Create /etc/nsswitch.conf from template template: src: nsswitch.conf.j2 dest: /etc/nsswitch.conf owner: root group: root mode: 0644 backup: yes #- name: Configure system authentication resources # raw: >- # this is parsed without \n after --kickstart # authconfig --disablenis --passalgo=md5 --enableldapauth --enableldaptls # --enableforcelegacy --enableldap --disablesssd --ldapserver=ldap-srv # --ldapbasedn={{ base_dn }} --update --kickstart - name: Create OL7 /etc/sysconfig/authconfig from template template: src: etc_sysconfig_authconfig_ol7.j2 dest: /etc/sysconfig/authconfig backup: yes - name: Create /etc/nslcd.conf from template template: src: nslcd.conf.j2 dest: /etc/nslcd.conf owner: root group: root mode: 0640 backup: yes - name: Create /etc/openldap/ldap.conf from template template: src: etc_openldap_ldap.conf.j2 dest: /etc/openldap/ldap.conf owner: root group: root mode: 0640 backup: yes - name: Create /etc/sysconfig/autofs from template template: src: autofs.j2 dest: /etc/sysconfig/autofs owner: root group: root mode: 0644 backup: yes - name: Adjust usetlsd in /etc/autofs_ldap_auth.conf replace: path: /etc/autofs_ldap_auth.conf regexp: 'usetls=.*' replace: 'usetls="no"' - name: Adjust tlsrequired in /etc/autofs_ldap_auth.conf replace: path: /etc/autofs_ldap_auth.conf regexp: 'tlsrequired=.*' replace: 'tlsrequired="no"' - name: Adjust authrequired in /etc/autofs_ldap_auth.conf replace: path: /etc/autofs_ldap_auth.conf regexp: 'authrequired=.*' replace: 'authrequired="no"' - name: Create /etc/auto.master from template template: src: auto.master.j2 dest: /etc/auto.master owner: root group: root mode: 0644 backup: yes - name: Install certificates include_tasks: install_certs.yml - name: Start nslcd, nscd, autofs service: name: "{{ item }}" state: started enabled: yes with_list: - nslcd - nscd - autofs #- name: Clear Name Service Cache Daemon # raw: "nscd -i group ; nscd -i passwd" #- name: Check, list group 'crm' members # raw: "ldapsearch -x -LLL -s sub \"(cn=crm)\" memberUid" # register: result #- debug: # msg: "{{ result }}" rescue: - name: Send report about failure mail: host: "{{ mail_server }}" from: "{{ from_who }}" to: "{{ to_who }}" subject: '[Ansible *{{ role_name }}* role]: failed task *{{ ansible_failed_task.name }}*' body: | Role *{{ role_name }}* failed on {{ inventory_hostname }} {{ ansible_distribution }} {{ ansible_distribution_major_version }} [Failed task]: {{ ansible_failed_task.name }} [Failed result]: {{ ansible_failed_result }}

• ol8.yml

  - name: OL8 DSEE LDAP configuration block: - name: Install required rpms dnf: name: - nss-pam-ldapd - openldap - openldap-clients - nscd - autofs - authselect state: present - name: Stop, Disable sssd service: name: sssd state: stopped enabled: no register: result failed_when: "result is failed and not 'Could not find the requested service' in result.msg" - name: authselect, create dsee profile # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_authentication_and_authorization_in_rhel/index command: cmd: authselect create-profile dsee --trace --debug creates: /etc/authselect/custom/dsee register: result failed_when: "result is failed and not 'Profile \"dsee\" already exist at' in result.stderr" - name: Adding README for dsee profile copy: src: ol8_etc_authselect_custom_dsee_README dest: /etc/authselect/custom/dsee/README owner: root group: root mode: 0644 backup: yes - name: Create /etc/authselect/custom/dsee/nsswitch.conf from template template: src: nsswitch.conf.j2 dest: /etc/authselect/custom/dsee/nsswitch.conf owner: root group: root mode: 0644 backup: yes - name: Create /etc/authselect/custom/dsee/password-auth from template template: src: etc_authselect_custom_dsee_password-auth.j2 dest: /etc/authselect/custom/dsee/password-auth owner: root group: root mode: 0644 backup: yes - name: Create /etc/authselect/custom/dsee/system-auth from template template: src: etc_authselect_custom_dsee_system-auth.j2 dest: /etc/authselect/custom/dsee/system-auth owner: root group: root mode: 0644 backup: yes #- name: authselect, select dsee profile # raw: authselect select custom/dsee --force --trace --debug - name: Create symbolic link /etc/nsswitch.conf file: src: /etc/authselect/custom/dsee/nsswitch.conf dest: /etc/nsswitch.conf owner: root group: root state: link force: yes - name: Create /etc/nslcd.conf from template template: src: nslcd.conf.j2 dest: /etc/nslcd.conf owner: root group: root mode: 0640 backup: yes - name: Create /etc/openldap/ldap.conf from template template: src: etc_openldap_ldap.conf.j2 dest: /etc/openldap/ldap.conf owner: root group: root mode: 0640 backup: yes - name: Create /etc/sysconfig/autofs from template template: src: autofs.j2 dest: /etc/sysconfig/autofs owner: root group: root mode: 0644 backup: yes - name: Adjust usetlsd in /etc/autofs_ldap_auth.conf replace: path: /etc/autofs_ldap_auth.conf regexp: 'usetls=.*' replace: 'usetls="no"' - name: Adjust tlsrequired in /etc/autofs_ldap_auth.conf replace: path: /etc/autofs_ldap_auth.conf regexp: 'tlsrequired=.*' replace: 'tlsrequired="no"' - name: Adjust authrequired in /etc/autofs_ldap_auth.conf replace: path: /etc/autofs_ldap_auth.conf regexp: 'authrequired=.*' replace: 'authrequired="no"' - name: Create /etc/auto.master from template template: src: auto.master.j2 dest: /etc/auto.master owner: root group: root mode: 0644 backup: yes - name: Install certificates include_tasks: install_certs.yml - name: Start nslcd, nscd, autofs service: name: "{{ item }}" state: started enabled: yes with_list: - nslcd - nscd - autofs #- name: Clear Name Service Cache Daemon # raw: "nscd -i group ; nscd -i passwd" #- name: Check, list group 'crm' members # raw: "ldapsearch -x -LLL -s sub \"(cn=crm)\" memberUid" # register: result #- debug: # msg: "{{ result }}" rescue: - name: Send report about failure mail: host: "{{ mail_server }}" from: "{{ from_who }}" to: "{{ to_who }}" subject: '[Ansible *{{ role_name }}* role]: failed task *{{ ansible_failed_task.name }}*' body: | Role *{{ role_name }}* failed on {{ inventory_hostname }} {{ ansible_distribution }} {{ ansible_distribution_major_version }} [Failed task]: {{ ansible_failed_task.name }} [Failed result]: {{ ansible_failed_result }}

• solaris11.yml

  - name: Solaris 11 DSEE LDAP configuration block: - name: Ping check ping: - name: Manager required packages == 11.4 # list all files in a package: "pkg contents -t file ldap" # find a package owning a file: "pkg search -l -H -o pkg.name /usr/sbin/ldapclient" pkg5: name: - system/library/ldap - system/network/ldap # ldap client state: present when: ansible_facts['distribution_version'] == "11.4" - name: Manager required packages <= 11.3 pkg5: name: - naming/ldap - system/network/nis # ldap client state: present when: ansible_facts['distribution_version'] <= "11.3" - name: Install certificates include_tasks: install_certs.yml - name: List Solaris ldap profiles shell: "/usr/bin/ldapsearch -Te -x -h you-ldap-server -b ou=profile,dc=dom,dc=com objectclass=DUAConfigProfile | grep ^dn" changed_when: false register: list_profiles - debug: msg: "{{ list_profiles }}" - name: Get current profile shell: "ldapclient list | grep NS_LDAP_PROFILE | awk '{print $2}'" changed_when: false register: current_profile - debug: msg: - "current_profile type: {{ current_profile | type_debug}}" - "current_profile.stdout type: {{ current_profile.stdout | type_debug}}" - "current_profile.stdout value: {{ current_profile.stdout }}" - "Playbook's profile: {{ lookup('vars', inventory_hostname, default=lookup('vars', site))['solaris_profile'] }}" - name: Configure client by using profile {{ lookup('vars', inventory_hostname, default=lookup('vars', site))['solaris_profile'] }} command: "ldapclient init -a domainname=domain.com -a proxyDN='cn=ldap-admin,ou=adminusers,dc=domain,dc=com' -a proxyPassword=admin-passwd -a certificatePath={{ solaris_certs_path }} -a profilename={{ lookup('vars', inventory_hostname, default=lookup('vars', site))['solaris_profile'] }} your-ldap-server" #changed_when: false when: "current_profile.stdout != lookup('vars', inventory_hostname, default=lookup('vars', site))['solaris_profile']" rescue: - name: Send report about failure mail: host: "{{ mail_server }}" from: "{{ from_who }}" to: "{{ to_who }}" subject: '[Ansible *{{ role_name }}* role]: failed task *{{ ansible_failed_task.name }}*' body: | Role *{{ role_name }}* failed on {{ inventory_hostname }} {{ ansible_distribution }} {{ ansible_distribution_major_version }} [Failed task]: {{ ansible_failed_task.name }} [Failed result]: {{ ansible_failed_result }}

Playbook

---
- name: LDAP DSEE config for linux, playbook
  hosts: all
  gather_facts: false
  become: yes
  roles:
    - role: ldap-dsee
...

ansible-playbook -i inventory-file ldap.ymp