Diffstat (limited to 'roles/ssh-ldap/tasks/main.yml')
-rw-r--r--roles/ssh-ldap/tasks/main.yml44
1 files changed, 35 insertions, 9 deletions
diff --git a/roles/ssh-ldap/tasks/main.yml b/roles/ssh-ldap/tasks/main.yml
index 8e78309e..c348b948 100644
--- a/roles/ssh-ldap/tasks/main.yml
+++ b/roles/ssh-ldap/tasks/main.yml
@@ -3,21 +3,25 @@
service_facts:
- name: Install packages
- apt: pkg={{item}} update_cache=yes
- with_items:
+ apt:
+ name: "{{packages}}"
+ update_cache: yes
+ vars:
+ packages:
- libnss-db
- libpam-ccreds
- nss-updatedb
- - python-ldap
- - git
+ - python3-ldap
- name: Install libnss-ldapd for systemd-logind
- when: ansible_distribution == 'Debian' and ansible_lsb.major_release|int >= 9
+ when: ansible_distribution == 'Debian' and ansible_lsb.major_release|int == 9
apt:
pkg: libnss-ldapd
+# We should drop this 'when' and yank the above task when Deb 9 is removed
+# from our server fleet.
- name: Install libnss-ldap
- when: ansible_distribution != 'Debian' or ansible_lsb.major_release|int < 9
+ when: ansible_distribution != 'Debian' and ansible_lsb.major_release|int != 9
apt:
pkg: libnss-ldap
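Review bot: The rewritten `when` on the 'Install libnss-ldap' task (`!= 'Debian' and ... != 9`) is not the complement of the libnss-ldapd task's `== 'Debian' and ... == 9`, so a Debian host whose major release is not 9 (Debian 10, say) matches neither task and gets no NSS LDAP package from this role. If that is deliberate — the nslcd task added later in this commit only configures nslcd when it is already present — a comment next to the `when` saying so would spare the next reader the same puzzle; if not, `when: not (ansible_distribution == 'Debian' and ansible_lsb.major_release|int == 9)` restores the old either/or split. Separately, `update_cache: yes` on the apt task is a YAML 1.1 boolean spelling; `update_cache: true` is the unambiguous form.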
@@ -26,7 +30,7 @@
# to make it easy to manage in one place
- name: LDAP symlinks for Debian systems
when: ansible_distribution == 'Debian'
- file: src=/srv/linaro-git-tools/linaro_ldap.conf dest=/etc/{{item}} state=link force=yes owner=root
+ file: src=/srv/linaro-git-tools/linaro_ldap.conf dest=/etc/{{item}} state=link force=yes
with_items:
- pam_ldap.conf
- libnss-ldap.conf
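Review bot: Dropping `owner=root` from the symlink task changes what it guarantees without the commit saying why, and the same removal appears in the Ubuntu symlink task in the next hunk. With `state=link` the owner applies to the link itself, so if the aim was to stop spurious changes on the link a comment such as `# owner of the link itself is irrelevant; what NSS/PAM read is the target` would record that; if the aim was to keep the LDAP configuration root-owned, that is now unmanaged, and nothing on this page sets the owner or mode of the target `/srv/linaro-git-tools/linaro_ldap.conf`, which is presumably the file actually read. Since `/etc/pam_ldap.conf` and `/etc/libnss-ldap.conf` point into what looks like a checkout directory, whoever can write there controls the host's LDAP settings; a sentence in the role documentation stating that this is accepted would help. As a style point, this commit moves the apt task to block-style module arguments but leaves the `file:` tasks here and in the next hunk as `key=value` strings; converting them the same way would keep the role consistent.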
@@ -35,7 +39,7 @@
- name: LDAP symlinks for Ubuntu systems
when: ansible_distribution == 'Ubuntu'
- file: src=/srv/linaro-git-tools/linaro_ldap.conf dest=/etc/{{item}} state=link force=yes owner=root
+ file: src=/srv/linaro-git-tools/linaro_ldap.conf dest=/etc/{{item}} state=link force=yes
with_items:
- ldap.conf
notify:
@@ -51,6 +55,18 @@
when: "(not ansible_check_mode) and ('unscd' in services)"
service: name=unscd enabled=no state=stopped
+# Debian 10 uses nslcd for local LDAP caching, so let's get that setup
+# if it's present on the server.
+- name: Configure nslcd if installed
+ template: src=nslcd.conf dest=/etc/nslcd.conf mode=0640
+ group=nslcd owner=root
+ when: "('nslcd' in services)"
+
+# Make sure nslcd is running
+- name: Enable nslcd if installed
+ when: "(not ansible_check_mode) and ('nslcd' in services)"
+ service: name=nslcd enabled=yes state=started
+
- name: See if offline LDAP cache exists
stat: path=/var/lib/misc/group.db
notify:
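Review bot: The new 'Configure nslcd if installed' template task has no `notify`, so a changed `/etc/nslcd.conf` is never picked up by an already-running nslcd; the following task only asserts `state=started` and does not restart on change. A restart handler notified from the template task closes that gap (the handler itself would live with the existing `restart-sshd`/`update-pam` handlers, which are not on this page). The template arguments are also a `key=value` string that wraps onto a second line, which YAML folds into one plain scalar — it works, but block-style arguments are safer and match the apt task rewritten in the first hunk; in block form the mode must be quoted (`mode: "0640"`) so it is not read as a number. One hedge: `'nslcd' in services` tests key membership on the `service_facts` output, whose keys carry a `.service` suffix on systemd hosts — the existing unscd task uses the same test, so presumably it matches via the sysv entry, but worth confirming on a Debian 10 host.

```yaml
- name: Configure nslcd if installed
  template:
    src: nslcd.conf
    dest: /etc/nslcd.conf
    owner: root
    group: nslcd
    mode: "0640"
  when: "('nslcd' in services)"
  notify:
    - restart-nslcd  # constructed name following restart-sshd; handler to be added
# … unchanged: Enable nslcd if installed task …
```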
@@ -68,7 +84,10 @@
- name: Enable mkhomedir debconf selection
debconf: name=libpam-runtime question='libpam-runtime/profiles' vtype='multiselect'
- value='mkhomedir, ccreds-save, unix, ldap, ccreds-check'
+ value='ccreds-save, unix, ldap, systemd, mkhomedir, ccreds-check, capability'
+
+- name: hack around PAM
+ file: path=/var/lib/pam/seen state=absent
notify:
- update-pam
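Review bot: The `notify: - update-pam` at the end of this hunk now follows the new 'hack around PAM' task rather than the debconf task it previously belonged to, so a changed `libpam-runtime/profiles` selection no longer triggers `update-pam` by itself; it fires only when `/var/lib/pam/seen` existed and was removed (indentation is lost in this rendering, so confirm in the file which task the key belongs to). If both should trigger it, add `notify: - update-pam` to the debconf task as well. The name 'hack around PAM' does not say what the hack is; a comment above it such as `# Remove pam-auth-update's 'seen' state so the profile selection above is re-applied — confirm this is the reason` would explain it for the next maintainer. A one-line comment on why `systemd` and `capability` joined the profile list would also help.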
@@ -77,6 +96,13 @@
notify:
- restart-sshd
+- name: Disable ec2-instance-connect if AWS
+ file:
+ path: /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
+ state: absent
+ notify:
+ - systemd-reload
+
- name: Add cron job for syncing with LDAP
template: src=cron.d dest=/etc/cron.d/ldap-sync