Hey! Recently along with Sanderv32 we have been trying to get LDAP authentication working on Redhat machines. I must admit that we have spent some quite looking for more structured and decent information how to get this working. However up to our surprise information were completely inaccurate or outdated.
So without big delays we have decided to tackle this challenge using Ansible. Of course first attempts were just to get the idea working. As we were moving our playbook were growing to reach stage at which we could deploy LDAP authentication mechanism to all of our RedHat 7 systems
Below is the output of the runbook being used:
- name: "LDAP Authentication | Install the required packages" yum: > name="{{item}}" state=present with_items: - "nss-pam-ldapd" - "oddjob" - "oddjob-mkhomedir" tags: - "ldap" - "packages" - "packages_ldap" - name: "LDAP Authentication | Ensure services are running" service: name={{item}} enabled=yes state=started with_items: - "nscd" - "nslcd" - "oddjobd" register: services_ldap tags: - "ldap" - "services_ldap" - name: "Debug | Display results" debug: msg="{{services_ldap.results}}" tags: - "ldap" - name: "LDAP Authentication | Enable LDAP PAM modules" command: "authconfig --enableldap --enableldapauth --enablemkhomedir --update" tags: - "ldap" - name: "LDAP Authentication | Adding configuration templates" template: > src="templates/{{item}}.j2" dest="/etc/{{item}}" with_items: - "nslcd.conf" tags: - "ldap" - "repository" - "repository_ldap" notify: - restart services ldap
And associated handler
--- - name: "restart services ldap" service: > name="{{item.name}}" state=restarted with_items: services_ldap.results tags: - "ldap" - "services_ldap"
In the above I have highlighted the part which we use to template NLSCD config file. The file contents are completely overwritten so make sure you adjust it to your needs.
This template has been used to connect to Active Directory with dedicated bind user and modified pagesize ( so our results are not trimmed )
# {{ ansible_managed }} uid nslcd gid ldap uri {{ ldap.uri }} base {{ ldap.basedn }} binddn {{ ldap.binduser }} bindpw {{ ldap.binduserpw }} scope sub tls_reqcert allow pagesize 10000 referrals off idle_timelimit 800 filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) map passwd uid sAMAccountName map passwd homeDirectory unixHomeDirectory map passwd gecos displayName map passwd loginShell "/bin/bash" filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) map shadow uid sAMAccountName map shadow shadowLastChange pwdLastSet filter group (objectClass=group) ssl no tls_cacertdir /etc/openldap/cacerts
Thats it folks! If it would not work with you please leave some comments as this is used to make sure we have means of using LDAP auth on Linux boxes