From 9fc02e7bef4f678ae2be364edde14207fda2c838 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Mon, 10 Jun 2019 21:05:08 +0300
Subject: [PATCH] add role ldap/nss

---
 roles/ldap/nss/handlers/main.yml | 11 +++++++
 roles/ldap/nss/tasks/main.yml | 41 ++++++++++++++++++++++++++
 roles/ldap/nss/templates/nslcd.conf.j2 | 25 ++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 100644 roles/ldap/nss/handlers/main.yml
 create mode 100644 roles/ldap/nss/tasks/main.yml
 create mode 100644 roles/ldap/nss/templates/nslcd.conf.j2

diff --git a/roles/ldap/nss/handlers/main.yml b/roles/ldap/nss/handlers/main.yml
new file mode 100644
index 0000000..af7fa02
--- /dev/null
+++ b/roles/ldap/nss/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: restart nslcd
+  service:
+    name: nslcd
+    state: restarted
+  notify: reload nscd
+
+- name: reload nscd
+  service:
+    name: nscd
+    state: reloaded
diff --git a/roles/ldap/nss/tasks/main.yml b/roles/ldap/nss/tasks/main.yml
new file mode 100644
index 0000000..fb0e329
--- /dev/null
+++ b/roles/ldap/nss/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: install packages
+  package:
+    name: "{{ item }}"
+    state: installed
+  with_items:
+    - nscd
+    - nss-pam-ldapd
+
+- name: configure nsswitch to use ldap
+  lineinfile:
+    path: /etc/nsswitch.conf
+    regexp: "^{{ item }}:.*"
+    line: "{{ item }}: files ldap"
+  with_items:
+    - passwd
+    - shadow
+    - group
+
+- name: allow nslcd user to read host key
+  user:
+    name: nslcd
+    groups: hostkey
+
+- name: create nslcd config
+  template:
+    dest: /etc/nslcd.conf
+    src: nslcd.conf.j2
+    mode: 0600
+    owner: root
+    group: root
+  notify: restart nslcd
+
+- name: enable nslcd and nscd
+  service:
+    name: "{{ item }}"
+    enabled: true
+    state: started
+  with_items:
+    - nslcd
+    - nscd
diff --git a/roles/ldap/nss/templates/nslcd.conf.j2 b/roles/ldap/nss/templates/nslcd.conf.j2
new file mode 100644
index 0000000..2ec3895
--- /dev/null
+++ b/roles/ldap/nss/templates/nslcd.conf.j2
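Review bot: The `allow nslcd user to read host key` task sets `groups: hostkey` without `append: true`, so the user module replaces nslcd's supplementary groups with exactly that one instead of adding to them; any other group the package or a later role assigned would be silently dropped. Add `append: true` directly under `groups: hostkey`. The task also assumes the `hostkey` group already exists — nothing in this patch creates it — so either create it here or document the prerequisite in the task name or a comment. Separately, `mode: 0600` on the template task is an unquoted octal literal that YAML 1.1 parsers read as decimal 384; quoting it as `mode: "0600"` removes the ambiguity yamllint flags, and `state: installed` on the package task could be `state: present` for portability across package backends.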
@@ -0,0 +1,25 @@
+uid nslcd
+gid ldap
+
+uri {% for server in ldap_server %}ldaps://{{ server }} {% endfor %}
+base {{ ldap_basedn }}
+
+# time out searches after 30 seconds
+timelimit 30
+# close idle connections after 10 minutes
+idle_timelimit 600
+# do not search group memberships for local users
+nss_initgroups_ignoreusers ALLLOCAL
+
+pagesize 500
+map group member uniqueMember
+
+# use ssl and verify server cert
+ssl on
+tls_reqcert demand
+tls_cacertfile {{ tls_bundle }}
+
+# use local host cert/key for authentication
+tls_key {{ tls_private }}/{{ inventory_hostname }}.key
+tls_cert {{ tls_certs }}/{{ inventory_hostname }}.crt
+sasl_mech EXTERNAL
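Review bot: The template's access to the host key is undocumented: nslcd drops to `uid nslcd` / `gid ldap`, yet reads `tls_key {{ tls_private }}/{{ inventory_hostname }}.key`, which only works because tasks/main.yml puts the nslcd user into the `hostkey` group, and a reader of this file alone cannot see that. A comment above `tls_key` such as `# readable by nslcd only via the hostkey group membership granted in tasks/main.yml` would make that dependency explicit, and the `gid ldap` line deserves `# primary group of the nslcd user as created by nss-pam-ldapd on RHEL-style systems; other distributions may differ`, since that group name is distribution-specific as far as I recall. The `# use ssl and verify server cert` comment could also state what enforces verification: `ssl on` only selects LDAPS (already implied by the `ldaps://` URIs), while `tls_reqcert demand` together with `tls_cacertfile` is what rejects an unverifiable server. Finally, the `uri` loop emits one space after every server including the last; nslcd appears to tolerate the trailing space, but it is worth a comment so nobody "fixes" the loop into a single concatenated URI.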