Hey! Recently, along with Sanderv32, I have been trying to get LDAP authentication working on Red Hat machines. I must admit that we spent quite some time looking for structured, reliable information on how to get this working, but to our surprise most of what we found was inaccurate or outdated.
So, without further delay, we decided to tackle this with Ansible. The first attempts were just to get the idea working; as we went on, the playbook grew until we reached the point where we could deploy the LDAP authentication mechanism to all of our Red Hat 7 systems.
Below are the tasks of the playbook we use:
```yaml
- name: "LDAP Authentication | Install the required packages"
  yum:
    name: "{{ item }}"
    state: present
  with_items:
    - "nss-pam-ldapd"
    - "oddjob"
    - "oddjob-mkhomedir"
  tags:
    - "ldap"
    - "packages"
    - "packages_ldap"

- name: "LDAP Authentication | Ensure services are running"
  service:
    name: "{{ item }}"
    enabled: yes
    state: started
  with_items:
    - "nscd"
    - "nslcd"
    - "oddjobd"
  # registered so the handler below can restart exactly these services
  register: services_ldap
  tags:
    - "ldap"
    - "services_ldap"

- name: "Debug | Display results"
  debug:
    msg: "{{ services_ldap.results }}"
  tags:
    - "ldap"

- name: "LDAP Authentication | Enable LDAP PAM modules"
  # authconfig rewrites the PAM/NSS configuration; it reports "changed" on every run
  command: "authconfig --enableldap --enableldapauth --enablemkhomedir --update"
  tags:
    - "ldap"

- name: "LDAP Authentication | Adding configuration templates"
  # /etc/nslcd.conf carries the bind password, so it should be readable by root only
  template:
    src: "templates/{{ item }}.j2"
    dest: "/etc/{{ item }}"
  with_items:
    - "nslcd.conf"
  tags:
    - "ldap"
    - "repository"
    - "repository_ldap"
  notify:
    - restart services ldap
```
And the associated handler:
```yaml
---
- name: "restart services ldap"
  service:
    name: "{{ item.name }}"
    state: restarted
  # bare variable names in with_items are deprecated; use a Jinja2 expression
  with_items: "{{ services_ldap.results }}"
  tags:
    - "ldap"
    - "services_ldap"
```
The last task above is the one we use to template the nslcd config file. The file contents are completely overwritten, so make sure you adjust it to your needs.
This template has been used to connect to Active Directory with a dedicated bind user and a modified pagesize (so our results are not truncated):
```
# {{ ansible_managed }}
uid nslcd
gid ldap
uri {{ ldap.uri }}
base {{ ldap.basedn }}
binddn {{ ldap.binduser }}
bindpw {{ ldap.binduserpw }}
scope sub
# allow: a server certificate is requested, but errors do not abort the session
tls_reqcert allow
pagesize 10000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd loginShell "/bin/bash"
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
# no SSL/StartTLS; the connection is only encrypted if the uri is ldaps://
ssl no
tls_cacertdir /etc/openldap/cacerts
```
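As an added check that is not part of the original post or of nss-pam-ldapd, the script below parses an nslcd.conf rendered from this template and flags the settings that weaken it: `ssl no` together with a plain `ldap://` uri, a permissive `tls_reqcert`, and a `bindpw` in a file that is readable by others. The hostname and bind credentials in the sample are constructed placeholders.

```python
import os
import re
import stat

_LINE = re.compile(r"^\s*(\S+)\s+(.*?)\s*$")  # keyword, then the rest of the line

def parse_nslcd_conf(text):
    """Return {keyword: [values]} for an nslcd.conf body; '#' lines and blanks are skipped."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            values.setdefault(m.group(1).lower(), []).append(m.group(2))
    return values

def audit_nslcd_conf(text, mode=None):
    """Return findings for a config body; mode is the file's permission bits, if known."""
    v = parse_nslcd_conf(text)
    findings = []
    uris = v.get("uri", [])
    all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    ssl = v.get("ssl", ["off"])[-1].lower()  # nslcd's default when the keyword is absent
    if not all_ldaps and ssl in ("off", "no"):
        findings.append("cleartext LDAP: 'ssl off' with a non-ldaps:// uri sends bindpw "
                        "and user passwords unencrypted")
    reqcert = v.get("tls_reqcert", [None])[-1]
    if reqcert and reqcert.lower() in ("never", "allow", "try"):
        findings.append(f"tls_reqcert {reqcert}: certificate errors are tolerated, so a "
                        "spoofed directory server would be accepted")
    if "bindpw" in v and mode is not None and mode & 0o077:
        findings.append(f"bindpw in a file with mode {mode:04o}: use 0600 so only root can read it")
    return findings

def audit_nslcd_file(path):
    """Audit an nslcd.conf on disk, reading its permission bits with os.stat."""
    with open(path) as fh:
        return audit_nslcd_conf(fh.read(), mode=stat.S_IMODE(os.stat(path).st_mode))

# Constructed sample: the template above rendered with weak values (placeholder names).
WEAK_CONF = """\
uid nslcd
uri ldap://dc.example.test
binddn cn=nslcd,ou=svc,dc=example,dc=test
bindpw example-secret
tls_reqcert allow
ssl no
"""
```

Running `audit_nslcd_conf(WEAK_CONF, mode=0o644)` yields three findings; the same text with an `ldaps://` uri, `tls_reqcert demand` and a 0600 file yields none.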
That's it, folks! If it does not work for you, please leave a comment, as this is what we rely on to have a working way of using LDAP auth on our Linux boxes.