add kerberos role to ldap group still work in progress

playbooks/ldap.yml

@@ -23,3 +23,4 @@
   roles:
     - base
     - ldap/server
+    - kerberos/kdc

roles/kerberos/kdc/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart kdc
+  service:
+    name: krb5kdc
+    state: restarted

roles/kerberos/kdc/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: install packages
+  package:
+    name: "{{ item }}"
+    state: installed
+  with_items:
+    - krb5-server
+    - krb5-server-ldap
+
+- name: create kerberos config
+  template:
+    dest: /var/kerberos/krb5kdc/kdc.conf
+    src: kdc.conf.j2
+    mode: 0600
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: restart kdc
+
+- name: enable kerberos service
+  service:
+    name: krb5kdc
+    state: running
+    enabled: true

roles/kerberos/kdc/templates/kdc.conf.j2

@@ -0,0 +1,30 @@
+[libdefaults]
+  default_realm = {{ kerberos_realm }}
+
+[logging]
+  kdc = SYSLOG
+  admin_server = SYSLOG
+
+[kdcdefaults]
+  # listen udp port on localhost only
+  kdc_listen = 127.0.0.1:88
+
+[realms]
+  {{ kerberos_realm }} = {
+    database_module = ldap.{{ kerberos_realm|lower() }}
+    key_stash_file = "/var/kerberos/krb5kdc/.k5.{{ kerberos_realm }}"
+    max_lifetime = 24h 0m 0s
+    max_renewable_life = 7d 0h 0m 0s
+    master_key_type = aes256-cts-hmac-sha1-96
+    supported_enctypes = aes256-cts-hmac-sha1-96:normal
+  }
+
+[dbmodules]
+  ldap.{{ kerberos_realm|lower() }} = {
+    db_library = kldap
+    ldap_kerberos_container_dn = "ou=System,{{ ldap_basedn }}"
+    ldap_kdc_dn = "uid=krb5kdc,cn=FOO.SH,ou=System,{{ ldap_basedn }}"
+    ldap_kadmind_dn = "uid=krb5kdc,cn=FOO.SH,ou=System,{{ ldap_basedn }}"
+    ldap_service_password_file = "/var/kerberos/krb5kdc/.k5.ldap.{{ kerberos_realm|lower() }}"
+    ldap_servers = "{% for item in ldap_server %}ldaps://{{ item }} {% endfor %}"
+  }