j1ngk3.sssd_ldap

lae.system_ldap

This role installs and sets up SSSD for LDAP authentication using an LDAP-enabled Active Directory server.

Role Variables

Check defaults/main.yml for all the variables you can change. Most users will find the default settings okay, but we'll explain the important ones here.

To connect to your LDAP/AD server, you need to set the following:

system_ldap_domain
  Example: LDAP
  Description: A name for SSSD to identify this configuration.

system_ldap_search_base
  Example: OU=Idol Schools,DC=Aikatsu,DC=net
  Description: The base DN for LDAP user operations.

system_ldap_uris
  Example:
    - ldaps://ldap-tyo.example.aikatsu.net:636
    - ldaps://ldap-ngo.example.aikatsu.net:636
  Description: The LDAP server addresses for SSSD to connect to.

system_ldap_bind_dn
  Example: CN=Naoto Suzukawa,OU=Service Accounts,OU=Idol Schools,DC=Aikatsu,DC=net
  Description: The bind DN for LDAP operations.

system_ldap_bind_password
  Example: sunrise
  Description: The password for the bind DN (only plain text is supported).

system_ldap_access_filter_groups
  Example:
    - CN=operations,OU=Security Groups,OU=Idol Schools,DC=Aikatsu,DC=net
  Description: Groups allowed to access this host.

system_ldap_access_unix_groups
  Example:
    - operations
  Description: Equivalent UNIX group names for the authorized groups.

system_ldap_access_filter_users
  Example:
    - hoshimiya.ichigo
    - nikaidou.yuzu
  Description: Users allowed to access this host.

system_ldap_sudo_groups
  Example:
    - operations
  Description: Groups allowed to use sudo on this host.

system_ldap_sudo_users
  Example:
    - hoshimiya.ichigo
  Description: Users allowed to use sudo on this host.

Example Playbook

Here’s a basic playbook that we use for many servers:

---
- hosts: all
  user: ansible
  roles:
    - lae.system_ldap
  become: True

You can find an example playbook in the test directory.

Extended Usage

Assuming we're working with a playbook called system_ldap.yml, here’s how the folder structure might look:

- system_ldap.yml
- inventory
- group_vars/
    - all/
        - main.yml
    - starlight/
        - main.yml
- host_vars/
    - research-node01
- roles/
    - requirements.yml

In this structure, you can control access for each group of hosts. If you have variables that apply to all hosts, you should place them in group_vars/all/main.yml (or just group_vars/all):

---
system_ldap_domain: aikatsu.net
system_ldap_bind_dn: CN=Naoto Suzukawa,OU=Service Accounts,OU=Idol Schools,DC=Aikatsu,DC=net
system_ldap_bind_password: sunrise
system_ldap_search_base: OU=Idol Schools,DC=Aikatsu,DC=net
system_ldap_uris:
  - ldaps://ldap-tyo.example.aikatsu.net:636
  - ldaps://ldap-ngo.example.aikatsu.net:636
system_ldap_access_filter_groups:
  - CN=operations,OU=Security Groups,OU=Idol Schools,DC=Aikatsu,DC=net
system_ldap_access_filter_users: []
system_ldap_access_unix_groups:
  - operations
system_ldap_sudo_groups:
  - operations
system_ldap_sudo_users: []

This example configures the bind account and password that SSSD uses to query the LDAP server over LDAPS. Members of the "operations" group (and root) can log in, and the operations group is also granted sudo.

For a specific group called starlight, you may have:

---
system_ldap_allow_passwordauth_in_sshd: true
system_ldap_access_filter_users:
  - hoshimiya.ichigo
system_ldap_sudo_users:
  - hoshimiya.ichigo

This allows hoshimiya.ichigo to log in and use sudo on starlight group machines. Variables here match the sAMAccountName from your LDAP-enabled AD server.

You can specify groups as well; the access filter needs each group's full DN. Because a variable set in group_vars/starlight replaces the value from all rather than being merged with it, you will probably want to copy the group-related variables from all and extend them:

system_ldap_access_filter_groups:
  - CN=operations,OU=Security Groups,OU=Global,OU=Idol Schools,DC=Aikatsu,DC=net
  - CN=starlight-students,OU=Security Groups,OU=Starlight Academy,OU=Idol Schools,DC=Aikatsu,DC=net
system_ldap_access_unix_groups:
  - operations
  - starlight-students
system_ldap_sudo_groups:
  - operations

Here we added the starlight-students LDAP group to the access filter, but only allowed its members to log in; sudo remains restricted to the operations group.
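The following script is an added illustration, not part of this role, of how the variables from the table above combine across the group_vars layers described in the Extended Usage section. It reimplements the replace-not-merge precedence that Ansible applies to group_vars/all versus a more specific group, renders the group and user lists into a single LDAP access filter with RFC 4515 escaping of filter values, and flags any system_ldap_uris entry that is not ldaps://. The filter shape ((memberOf=...) and (sAMAccountName=...) clauses joined by an OR) is an assumption about how such a role might template ldap_access_filter; the role's own template may differ. The sample variable values are copied from the README and embedded so the script runs offline.

```python
import copy

# Constructed stand-ins for group_vars/all/main.yml and
# group_vars/starlight/main.yml, using the README's example values.
GROUP_VARS_ALL = {
    "system_ldap_domain": "aikatsu.net",
    "system_ldap_search_base": "OU=Idol Schools,DC=Aikatsu,DC=net",
    "system_ldap_uris": [
        "ldaps://ldap-tyo.example.aikatsu.net:636",
        "ldaps://ldap-ngo.example.aikatsu.net:636",
    ],
    "system_ldap_access_filter_groups": [
        "CN=operations,OU=Security Groups,OU=Idol Schools,DC=Aikatsu,DC=net",
    ],
    "system_ldap_access_filter_users": [],
    "system_ldap_access_unix_groups": ["operations"],
    "system_ldap_sudo_groups": ["operations"],
    "system_ldap_sudo_users": [],
}

GROUP_VARS_STARLIGHT = {
    "system_ldap_allow_passwordauth_in_sshd": True,
    "system_ldap_access_filter_users": ["hoshimiya.ichigo"],
    "system_ldap_sudo_users": ["hoshimiya.ichigo"],
}


def resolve_vars(*layers):
    """Combine group_vars layers, lowest precedence first.

    As in Ansible's default behaviour, a key defined in a later layer replaces
    the earlier value outright; lists are never concatenated. This is why a
    group that sets system_ldap_access_filter_groups must repeat the entries
    it still wants from `all`.
    """
    resolved = {}
    for layer in layers:
        for key, value in layer.items():
            resolved[key] = copy.deepcopy(value)
    return resolved


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Backslash, '*', '(', ')' and NUL become \\XX hex escapes so that a DN or
    account name can never change the structure of the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_access_filter(groups, users):
    """Render the allowed groups and users as one LDAP filter string.

    Assumed shape (hypothetical, not taken from the role): one memberOf clause
    per group DN and one sAMAccountName clause per user, OR-ed together.
    Returns None when nothing is allowed, so callers can refuse to emit an
    empty (and therefore match-nothing or match-everything) filter.
    """
    clauses = ["(memberOf=%s)" % escape_filter_value(g) for g in groups]
    clauses += ["(sAMAccountName=%s)" % escape_filter_value(u) for u in users]
    if not clauses:
        return None
    if len(clauses) == 1:
        return clauses[0]
    return "(|" + "".join(clauses) + ")"


def insecure_uris(uris):
    """Return every URI that does not use ldaps://.

    The bind password is stored in plain text, so a plain ldap:// URI would
    send it unencrypted on every bind.
    """
    return [u for u in uris if not u.startswith("ldaps://")]


def effective_config(*layers):
    """Resolve the layers and summarise what a host in that group would get."""
    v = resolve_vars(*layers)
    return {
        "access_filter": build_access_filter(
            v.get("system_ldap_access_filter_groups", []),
            v.get("system_ldap_access_filter_users", []),
        ),
        "sudo_groups": v.get("system_ldap_sudo_groups", []),
        "sudo_users": v.get("system_ldap_sudo_users", []),
        "insecure_uris": insecure_uris(v.get("system_ldap_uris", [])),
    }


if __name__ == "__main__":
    print("generic host:", effective_config(GROUP_VARS_ALL))
    print("starlight host:", effective_config(GROUP_VARS_ALL, GROUP_VARS_STARLIGHT))
```

Running the script prints the resolved access filter and sudo lists for a host that is only in all and for a host in starlight; note that starlight keeps the operations group from all because it does not set system_ldap_access_filter_groups itself, whereas a group that does set that key drops operations unless it repeats the DN.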

Developing

To contribute, clone this repository, create a branch or fork, make your changes, and submit a pull request.

To track Ansible Vault changes in git, include the repository's .gitconfig in your local git config:

echo -e "[include]\n\tpath = ../.gitconfig" >> .git/config

Testing

To test, run:

vagrant box add debian/stretch64
vagrant up
vagrant provision

License

This project is licensed under the MIT License.

About the project

Install and configure SSSD for system-level LDAP authentication

Install
ansible-galaxy install j1ngk3.sssd_ldap
License
Unknown
Downloads
735