all demo

ansible/playbook/roles/ldap-auth/tasks/main.yml

@@ -0,0 +1,356 @@
+---
+- name: Install ldap package (Debian-like)
+  apt:
+    pkg:
+      - libpam-ldapd
+      - libnss-ldapd
+      - ldap-utils
+      - nscd
+    state: present
+    update_cache: true
+    cache_valid_time: 36000
+  when: ansible_os_family == "Debian"
+
+- name: Install ldap package (RedHat-like)
+  yum:
+    name:
+      - pam_ldap
+      - nss-pam-ldapd
+      - openldap-clients
+      - nscd
+    state: present
+  when: ansible_os_family == "RedHat"
+
+- name: Disable SELinux on  (RedHat-like)
+  selinux:
+    state: disabled
+  when: ansible_os_family == "RedHat"
+
+- name: Remove dist configs  (RedHat-like)
+  file:
+    path: /etc/nslcd.conf
+    state: absent
+  when: ansible_os_family == "RedHat"
+
+- name: Backup dist configs (Debian-like)
+  command: mv /etc/nslcd.conf /etc/nslcd_dist.conf
+  when: ansible_os_family == "Debian"
+
+- name: Create config files  (RedHat-like)
+  file:
+    src: /etc/openldap/ldap.conf
+    dest: /etc/nslcd.conf
+    state: link
+  when: ansible_os_family == "RedHat"
+
+- name: Create config files (Debian-like)
+  file:
+    src: /etc/ldap/ldap.conf
+    dest: /etc/nslcd.conf
+    state: link
+  when: ansible_os_family == "Debian"
+
+- name: Create ldap.conf file  (RedHat-like)
+  template:
+    src: ldap.conf.j2
+    dest: "/etc/openldap/ldap.conf"
+    mode: 0440
+    owner: root
+    group: root
+  when: ansible_os_family == "RedHat"
+
+- name: Create ldap.conf file (Debian-like)
+  template:
+    src: ldap.conf.j2
+    dest: "/etc/ldap/ldap.conf"
+    mode: 0440
+    owner: root
+    group: root
+  when: ansible_os_family == "Debian"
+
+- name: Edit nsswitch.conf  (RedHat-like)
+  copy:
+    src: "{{ role_path }}/files/nsswitch.conf.RedHat"
+    dest: /etc/nsswitch.conf
+    backup: true
+  when: ansible_os_family == "RedHat"
+
+
+- name: Edit nsswitch.conf (Debian-like)
+  copy:
+    src: "{{ role_path }}/files/nsswitch.conf.Debian"
+    dest: /etc/nsswitch.conf
+    backup: true
+  when: ansible_os_family == "Debian"
+  notify:
+    - restart nslcd
+
+- name: Create get_ldap_ssh_key.sh bash script
+  template:
+    src: get_ldap_ssh_key.sh.j2
+    dest: "/usr/bin/get_ldap_ssh_key.sh"
+    mode: 0755
+    owner: root
+    group: root
+
+- name: Update pam.d (Debian-like)
+  pamd:
+    name: common-account
+    type: account
+    control: "required"
+    module_path: pam_permit.so
+    new_type: account
+    new_control: "[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]"
+    new_module_path: pam_ldap.so
+    module_arguments: 'minimum_uid=500'
+    state: after
+  when: ansible_os_family == "Debian"
+
+- name: Update pam.d (Debian-like)
+  pamd:
+    name: common-auth
+    type: auth
+    control: "[success=2 default=ignore]"
+    module_path: pam_unix.so
+    new_type: auth
+    new_control: "[success=1 default=ignore]"
+    new_module_path: pam_ldap.so
+    module_arguments: 'minimum_uid=500 use_first_pass'
+    state: after
+  when: ansible_os_family == "Debian"
+
+- name: Update pam.d (Debian-like)
+  pamd:
+    name: common-password
+    type: password
+    control: "[success=2 default=ignore]"
+    module_path: pam_unix.so
+    new_type: password
+    new_control: "[success=1 default=ignore]"
+    new_module_path: pam_ldap.so
+    module_arguments: 'minimum_uid=500 use_first_pass'
+    state: after
+  when: ansible_os_family == "Debian"
+
+- name: Update pam.d (Debian-like)
+  pamd:
+    name: common-session
+    type: session
+    control: "required"
+    module_path: pam_unix.so
+    new_type: session
+    new_control: "[success=ok default=ignore]"
+    new_module_path: pam_ldap.so
+    module_arguments: 'minimum_uid=500'
+    state: after
+  when: ansible_os_family == "Debian"
+
+- name: Update pam.d (Debian-like)
+  pamd:
+    name: common-session
+    type: session
+    control: "required"
+    module_path: pam_permit.so
+    new_type: session
+    new_control: optional
+    new_module_path: pam_mkhomedir.so
+    module_arguments: 'skel=/etc/skel/'
+    state: after
+  when: ansible_os_family == "Debian"
+
+- name: Update pam.d  (RedHat-like)
+  pamd:
+    name: system-auth-ac
+    type: session
+    control: "required"
+    module_path: pam_unix.so
+    new_type: session
+    new_control: "[success=ok default=ignore]"
+    new_module_path: pam_ldap.so
+    module_arguments: 'minimum_uid=500'
+    state: after
+  when: ansible_os_family == "RedHat"
+
+- name: Update pam.d  (RedHat-like)
+  pamd:
+    name: system-auth-ac
+    type: session
+    control: "[success=ok default=ignore]"
+    module_path: pam_ldap.so
+    new_type: session
+    new_control: "optional"
+    new_module_path: pam_ldap.so
+    state: after
+  when: ansible_os_family == "RedHat"
+
+- name: Update pam.d  (RedHat-like)
+  pamd:
+    name: password-auth-ac
+    type: session
+    control: "required"
+    module_path: pam_unix.so
+    new_type: session
+    new_control: "[success=ok default=ignore]"
+    new_module_path: pam_ldap.so
+    module_arguments: 'minimum_uid=500'
+    state: after
+  when: ansible_os_family == "RedHat"
+
+- name: Update pam.d  (RedHat-like)
+  pamd:
+    name: password-auth-ac
+    type: session
+    control: "[success=ok default=ignore]"
+    module_path: pam_ldap.so
+    new_type: session
+    new_control: "optional"
+    new_module_path: pam_ldap.so
+    state: after
+  when: ansible_os_family == "RedHat"
+
+- name: Update pam.d  (RedHat-like)
+  pamd:
+    name: postlogin-ac
+    type: session
+    control: "optional"
+    module_path: pam_lastlog.so
+    new_type: session
+    new_control: optional
+    new_module_path: pam_mkhomedir.so
+    module_arguments: 'skel=/etc/skel/'
+    state: after
+  when: ansible_os_family == "RedHat"
+
+- name: Update nscd.conf
+  lineinfile:
+    path: /etc/nscd.conf
+    regexp: "^reload-count"
+    line: 'reload-count            unlimited'
+
+- name: Update nscd.conf
+  lineinfile:
+    path: /etc/nscd.conf
+    regexp: '^positive-time-to-live   passwd'
+    line: 'positive-time-to-live   passwd          2592000'
+
+- name: Update nscd.conf
+  lineinfile:
+    path: /etc/nscd.conf
+    regexp: '^positive-time-to-live   group'
+    line: "positive-time-to-live   passwd          2592000"
+
+
+- name: Update sudoes users for sd-tpivi group
+  lineinfile:
+    path: /etc/sudoers
+    line: "%sd-tpivi       ALL=(ALL)       NOPASSWD: ALL"
+    state: present
+
+- name: Update sudoes users for sd-devel-321 group
+  lineinfile:
+    path: /etc/sudoers
+    line: "%sd-devel-321       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+    state: present
+
+- name: Update sudoes users for sd-devel-322 group
+  lineinfile:
+    path: /etc/sudoers
+    line: "%sd-devel-322       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+    state: present
+
+- name: Update sudoes users for sd-devel-323 group
+  lineinfile:
+    path: /etc/sudoers
+    line: "%sd-devel-323       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+    state: present
+
+- name: Update sudoes users for sd-devel-324 group
+  lineinfile:
+    path: /etc/sudoers
+    line: "%sd-devel-324       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+    state: present
+
+- name: Update sudoes users for sd-devel-325 group
+  lineinfile:
+    path: /etc/sudoers
+    line: "%sd-devel-325       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+    state: present
+
+- name: Update sudoes users for sd-devel-326 group
+  lineinfile:
+    path: /etc/sudoers
+    line: "%sd-devel-326       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+    state: present
+
+- name: Update sudoes users for sd-devel-327 group
+  lineinfile:
+    path: /etc/sudoers
+    line: "%sd-devel-327       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+    state: present
+
+- name: Update sudoes users for sd-devel-328 group
+  lineinfile:
+    path: /etc/sudoers
+    line: "%sd-devel-328       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+    state: present
+
+- name: Update sudoes users for sd-devel-329 group
+  lineinfile:
+    path: /etc/sudoers
+    line: "%sd-devel-329       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+    state: present
+
+- name: Update sudoes users for sd-devel-329 group
+  lineinfile:
+    path: /etc/sudoers
+    line: "%sd-devel-353       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+    state: present
+
+- name: Update sshd_config for AuthorizedKeysCommand
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: "AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh"
+    state: present
+
+- name: Update sshd_config for AuthorizedKeysCommandUser
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: "AuthorizedKeysCommandUser nobody"
+    state: present
+
+- name: Update sshd_config for AuthorizedKeysCommandUser
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: "AllowGroups sd-all root administrator postgres mssql oinstall ansible nausd4"
+    state: present
+
+- name: Update sshd.conf PermitRootLogin
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^PermitRootLogin"
+    line: 'PermitRootLogin No'
+
+- name: Update sshd.conf Match All
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#Match User'
+    insertbefore: '^AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh'
+    line: 'Match All'
+
+- name: Update sshd.conf PasswordAuthentication no
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#Match User'
+    insertbefore: '^Match All'
+    line: '    PasswordAuthentication no'
+
+- name: Update sshd.conf Match User administrator,oracle,postgres,mssql,nausd4,ansible
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#Match User'
+    insertbefore: '^    PasswordAuthentication no'
+    line: 'Match User administrator,oracle,postgres,mssql,nausd4,ansible'
+  notify:
+    - restart sshd
+    - restart nscd
+    - restart nslcd