add role ldap/nss

roles/ldap/nss/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+- name: restart nslcd
+  service:
+    name: nslcd
+    state: restarted
+  notify: reload nscd
+
+- name: reload nscd
+  service:
+    name: nscd
+    state: reloaded

roles/ldap/nss/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: install packages
+  package:
+    name: "{{ item }}"
+    state: installed
+  with_items:
+    - nscd
+    - nss-pam-ldapd
+
+- name: configure nsswitch to use ldap
+  lineinfile:
+    path: /etc/nsswitch.conf
+    regexp: "^{{ item }}:.*"
+    line: "{{ item }}: files ldap"
+  with_items:
+    - passwd
+    - shadow
+    - group
+
+- name: allow nslcd user to read host key
+  user:
+    name: nslcd
+    groups: hostkey
+
+- name: create nslcd config
+  template:
+    dest: /etc/nslcd.conf
+    src: nslcd.conf.j2
+    mode: 0600
+    owner: root
+    group: root
+  notify: restart nslcd
+
+- name: enable nslcd and nscd
+  service:
+    name: "{{ item }}"
+    enabled: true
+    state: started
+  with_items:
+    - nslcd
+    - nscd

roles/ldap/nss/templates/nslcd.conf.j2

@@ -0,0 +1,25 @@
+uid nslcd
+gid ldap
+
+uri {% for server in ldap_server %}ldaps://{{ server }} {% endfor %}
+base {{ ldap_basedn }}
+
+# time out searches after 30 seconds
+timelimit 30
+# close idle connections after 10 minutes
+idle_timelimit 600
+# do not search group memberships for local users
+nss_initgroups_ignoreusers ALLLOCAL
+
+pagesize 500
+map group member uniqueMember
+
+# use ssl and verify server cert
+ssl on
+tls_reqcert demand
+tls_cacertfile {{ tls_bundle }}
+
+# use local host cert/key for authentication
+tls_key {{ tls_private }}/{{ inventory_hostname }}.key
+tls_cert {{ tls_certs }}/{{ inventory_hostname }}.crt
+sasl_mech EXTERNAL