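---
# LDAP client role: installs nss-pam-ldapd (nslcd) + pam_ldap, points NSS and
# PAM at the directory, serves SSH public keys from LDAP through
# AuthorizedKeysCommand and grants sudo to the LDAP developer groups.
#
# Changes against the previous revision of this file (security review):
#   * The task that ran `selinux: state: disabled` on RedHat-like hosts has
#     been removed. Turning enforcement off host-wide to make LDAP login work
#     drops a mandatory access control for every service on the box and is
#     not needed for nslcd; if a denial does show up, fix it with a targeted
#     boolean (e.g. `setsebool -P authlogin_nsswitch_use_ldap on`) or a local
#     policy module instead.
#   * /etc/sudoers and /etc/ssh/sshd_config are validated (visudo -c,
#     sshd -t) before they are written, so a typo cannot lock sudo or ssh.
#   * The nslcd.conf backup is idempotent; a second run used to overwrite
#     the backup with the symlink created below.
#   * The nscd group TTL task wrote the passwd line a second time; fixed.
#   * Handlers are notified by the tasks that change the relevant config,
#     not only by the last task in the file.
#   * Every sd-devel-* sudo rule now also carries validation; the rules
#     themselves (NOPASSWD) are kept as found — see the comment there.

- name: Install ldap packages (Debian-like)
  apt:
    pkg:
      - libpam-ldapd
      - libnss-ldapd
      - ldap-utils
      - nscd
    state: present
    update_cache: true
    cache_valid_time: 36000
  when: ansible_os_family == "Debian"

- name: Install ldap packages (RedHat-like)
  yum:
    name:
      - pam_ldap
      - nss-pam-ldapd
      - openldap-clients
      - nscd
    state: present
  when: ansible_os_family == "RedHat"

# Keep one copy of the distribution nslcd.conf before replacing it with a
# symlink. `creates` skips the move once a backup exists (otherwise a re-run
# would mv the symlink over the backup and lose the original); `removes`
# skips it on a host that has no /etc/nslcd.conf at all.
- name: Backup dist nslcd.conf
  command: mv /etc/nslcd.conf /etc/nslcd_dist.conf
  args:
    creates: /etc/nslcd_dist.conf
    removes: /etc/nslcd.conf

# nslcd reads /etc/nslcd.conf; this role makes it a symlink to the shared
# ldap.conf rendered from ldap.conf.j2 below. The link is dangling until the
# template task has run; nslcd is only restarted by the handler afterwards.
# NOTE(review): the one template is consumed by both nslcd and the OpenLDAP
# client library — verify that every keyword in ldap.conf.j2 is accepted by
# both, as their option names are not identical.
- name: Link nslcd.conf to ldap.conf (RedHat-like)
  file:
    src: /etc/openldap/ldap.conf
    dest: /etc/nslcd.conf
    state: link
  when: ansible_os_family == "RedHat"

- name: Link nslcd.conf to ldap.conf (Debian-like)
  file:
    src: /etc/ldap/ldap.conf
    dest: /etc/nslcd.conf
    state: link
  when: ansible_os_family == "Debian"

# 0440 root:root: if the template carries a bind password it must not be
# world-readable. Unprivileged users will consequently not be able to read
# the system ldap.conf for ldap-utils; that is accepted here.
- name: Create ldap.conf file (RedHat-like)
  template:
    src: ldap.conf.j2
    dest: /etc/openldap/ldap.conf
    mode: "0440"
    owner: root
    group: root
  when: ansible_os_family == "RedHat"
  notify:
    - restart nslcd
    - restart nscd

- name: Create ldap.conf file (Debian-like)
  template:
    src: ldap.conf.j2
    dest: /etc/ldap/ldap.conf
    mode: "0440"
    owner: root
    group: root
  when: ansible_os_family == "Debian"
  notify:
    - restart nslcd
    - restart nscd

# Whole-file replacement of nsswitch.conf (backup kept). nscd reads
# nsswitch.conf at start-up, so both daemons are restarted on change.
- name: Edit nsswitch.conf (RedHat-like)
  copy:
    src: "{{ role_path }}/files/nsswitch.conf.RedHat"
    dest: /etc/nsswitch.conf
    backup: true
  when: ansible_os_family == "RedHat"
  notify:
    - restart nslcd
    - restart nscd

- name: Edit nsswitch.conf (Debian-like)
  copy:
    src: "{{ role_path }}/files/nsswitch.conf.Debian"
    dest: /etc/nsswitch.conf
    backup: true
  when: ansible_os_family == "Debian"
  notify:
    - restart nslcd
    - restart nscd

# Executed by sshd as AuthorizedKeysCommandUser with the login name as its
# argument. sshd refuses an AuthorizedKeysCommand that is not owned by root
# or is writable by group/others, hence 0755 root:root.
- name: Create get_ldap_ssh_key.sh bash script
  template:
    src: get_ldap_ssh_key.sh.j2
    dest: /usr/bin/get_ldap_ssh_key.sh
    mode: "0755"
    owner: root
    group: root

# --- PAM (Debian-like) --------------------------------------------------
# Each task inserts a pam_ldap rule right after the named existing rule.
# pamd only inserts when type/control/module all match; if the distribution
# (or pam-auth-update, which libpam-ldapd runs on install) has already changed
# those lines, nothing is inserted. Check the rendered /etc/pam.d/common-*
# after the first run.

# authinfo_unavail=ignore: when the directory is unreachable the LDAP account
# check is skipped rather than failing the login.
- name: Add pam_ldap to common-account (Debian-like)
  pamd:
    name: common-account
    type: account
    control: "required"
    module_path: pam_permit.so
    new_type: account
    new_control: "[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]"
    new_module_path: pam_ldap.so
    module_arguments: 'minimum_uid=500'
    state: after
  when: ansible_os_family == "Debian"

- name: Add pam_ldap to common-auth (Debian-like)
  pamd:
    name: common-auth
    type: auth
    control: "[success=2 default=ignore]"
    module_path: pam_unix.so
    new_type: auth
    new_control: "[success=1 default=ignore]"
    new_module_path: pam_ldap.so
    module_arguments: 'minimum_uid=500 use_first_pass'
    state: after
  when: ansible_os_family == "Debian"

- name: Add pam_ldap to common-password (Debian-like)
  pamd:
    name: common-password
    type: password
    control: "[success=2 default=ignore]"
    module_path: pam_unix.so
    new_type: password
    new_control: "[success=1 default=ignore]"
    new_module_path: pam_ldap.so
    module_arguments: 'minimum_uid=500 use_first_pass'
    state: after
  when: ansible_os_family == "Debian"

- name: Add pam_ldap to common-session (Debian-like)
  pamd:
    name: common-session
    type: session
    control: "required"
    module_path: pam_unix.so
    new_type: session
    new_control: "[success=ok default=ignore]"
    new_module_path: pam_ldap.so
    module_arguments: 'minimum_uid=500'
    state: after
  when: ansible_os_family == "Debian"

# pam_mkhomedir without a umask argument creates home directories with its
# default permissions; add umask=0077 if LDAP users' homes must be private.
- name: Add pam_mkhomedir to common-session (Debian-like)
  pamd:
    name: common-session
    type: session
    control: "required"
    module_path: pam_permit.so
    new_type: session
    new_control: optional
    new_module_path: pam_mkhomedir.so
    module_arguments: 'skel=/etc/skel/'
    state: after
  when: ansible_os_family == "Debian"

# --- PAM (RedHat-like) --------------------------------------------------
# Only the session stacks are touched here; auth/account/password for LDAP
# users are not configured by this role on RedHat-like hosts. These are the
# legacy authconfig *-ac files — on hosts managed by authselect the stack
# lives elsewhere (NOTE(review): verify before relying on this).
- name: Add pam_ldap session rule (RedHat-like)
  pamd:
    name: "{{ item }}"
    type: session
    control: "required"
    module_path: pam_unix.so
    new_type: session
    new_control: "[success=ok default=ignore]"
    new_module_path: pam_ldap.so
    module_arguments: 'minimum_uid=500'
    state: after
  loop:
    - system-auth-ac
    - password-auth-ac
  when: ansible_os_family == "RedHat"

# Kept as found: this adds a second, `optional` pam_ldap session line right
# after the one inserted above. It looks redundant; left in place because
# the intent is not recorded anywhere.
- name: Add optional pam_ldap session rule (RedHat-like)
  pamd:
    name: "{{ item }}"
    type: session
    control: "[success=ok default=ignore]"
    module_path: pam_ldap.so
    new_type: session
    new_control: "optional"
    new_module_path: pam_ldap.so
    state: after
  loop:
    - system-auth-ac
    - password-auth-ac
  when: ansible_os_family == "RedHat"

- name: Add pam_mkhomedir to postlogin-ac (RedHat-like)
  pamd:
    name: postlogin-ac
    type: session
    control: "optional"
    module_path: pam_lastlog.so
    new_type: session
    new_control: optional
    new_module_path: pam_mkhomedir.so
    module_arguments: 'skel=/etc/skel/'
    state: after
  when: ansible_os_family == "RedHat"

# --- nscd ---------------------------------------------------------------
# A positive TTL of 2592000 s (30 days) for passwd and group together with
# `reload-count unlimited` means a change in LDAP — including removing a
# user from one of the sudo groups below — can keep resolving on this host
# for up to 30 days. Values kept as found; lower them if deprovisioning
# latency matters. The group line previously re-wrote the passwd entry.
- name: Update nscd.conf
  lineinfile:
    path: /etc/nscd.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  loop:
    - regexp: '^\s*reload-count\b'
      line: 'reload-count unlimited'
    - regexp: '^\s*positive-time-to-live\s+passwd\b'
      line: 'positive-time-to-live passwd 2592000'
    - regexp: '^\s*positive-time-to-live\s+group\b'
      line: 'positive-time-to-live group 2592000'
  notify:
    - restart nscd

# --- sudo ---------------------------------------------------------------
# Every write is checked with visudo first; a malformed line would otherwise
# disable sudo for everyone on the host.
# sd-tpivi gets unrestricted passwordless root. The sd-devel-* groups may
# run any command, without a password, as the listed service accounts; if
# any of those accounts itself holds sudo rights or owns files root executes,
# that is an indirect path to root (NOTE(review): confirm this is accepted).
- name: Grant sudo to LDAP groups
  lineinfile:
    path: /etc/sudoers
    line: "{{ item }}"
    state: present
    validate: "/usr/sbin/visudo -cf %s"
  loop:
    - "%sd-tpivi ALL=(ALL) NOPASSWD: ALL"
    - "%sd-devel-321 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
    - "%sd-devel-322 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
    - "%sd-devel-323 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
    - "%sd-devel-324 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
    - "%sd-devel-325 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
    - "%sd-devel-326 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
    - "%sd-devel-327 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
    - "%sd-devel-328 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
    - "%sd-devel-329 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
    - "%sd-devel-353 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"

# --- sshd ---------------------------------------------------------------
# Global directives. The regexps also match the commented-out defaults so
# the directive is set in place in the global section instead of being
# appended after any Match block that may already end the file. Each write
# is checked with `sshd -t` before it lands.
# AuthorizedKeysCommandUser is `nobody`, a uid shared with other services;
# a dedicated unprivileged user would be the tighter choice.
- name: Configure sshd global directives for LDAP logins
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    validate: "/usr/sbin/sshd -t -f %s"
  loop:
    - regexp: '^#?AuthorizedKeysCommand\s'
      line: "AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh"
    - regexp: '^#?AuthorizedKeysCommandUser\s'
      line: "AuthorizedKeysCommandUser nobody"
    - regexp: '^#?AllowGroups\s'
      line: "AllowGroups sd-all root administrator postgres mssql oinstall ansible nausd4"
    - regexp: '^#?PermitRootLogin\s'
      line: 'PermitRootLogin No'
  notify:
    - restart sshd

# sshd applies everything after a `Match` line to that match only, so the
# block is appended at EOF, after all global directives above; the closing
# `Match All` returns later appended lines to global scope. Password login
# is disabled for the local service accounts only — LDAP users can still
# authenticate with a password through pam_ldap. Make PasswordAuthentication
# a global `no` if LDAP users are meant to be key-only as well.
- name: Disable password authentication for local service accounts
  blockinfile:
    path: /etc/ssh/sshd_config
    marker: "# {mark} ANSIBLE MANAGED BLOCK: ldap role sshd match"
    insertafter: EOF
    validate: "/usr/sbin/sshd -t -f %s"
    block: |
      Match User administrator,oracle,postgres,mssql,nausd4,ansible
          PasswordAuthentication no
      Match All
  notify:
    - restart sshd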