ypserver
Ansible role: ypserver
This role installs and configures the YP/NIS server that is part of OpenBSD and other BSD* operating systems. Currently, this role only supports OpenBSD, with the intent on adding FreeBSD and NetBSD in a near-future update.
Where applicable, this role refers to system documentation, e.g. the yp(8)
man page.
Requirements
Operation
No external roles and/or modules are required to use this role.
Testing & Development
For testing and development, this role depends on the following external tools:
- Vagrant (supporting either the VirtualBox or VMWare provider)
- VagrantCloud (specifically, the
generic/openbsd6
box)
Role Variables
Available variables are listed below, including their default values (see defaults/main.yml
).
All of these should be implemented. If you find they are not, please open an issue in the GitHub repository.
Required variables
The following variables need to be set when using the role.
ypserver_domain: ""
Required, must have a valid NIS domainname. This is the name of the NIS domain that you intend to configure.
ypserver_master: ""
Required, must list a reachable NIS master server for the domain.
ypserver_servers: []
Required, must list the set of NIS servers for the domain. This list must include the ypserver_master
server as well.
Note: if you only wish to setup slave servers (against an already existing master), ensure that the master is not part of the host group you apply this role to.
ypserver_serverinfo: {}
Required, but may be empty if the NIS servers for the domain can be found in DNS or /etc/hosts
.
If non-empty, this dictionary lists IPv4 and/or IPv6 addresses for the domain's servers. The role will then populate /etc/hosts
with the required lines. If servers cannot be reached or resolved, the NIS code will hang. See yp(8)
for more details.
The example below lists addresses for the master
and slave
servers in a dual-stack network.
ypserver_serverinfo:
master:
- "192.0.2.1"
- "2001:db8::111:1"
slave:
- "192.0.2.2"
- "2001:db8::111:2"
ypserver_ypservacl: {}
Required, if ypserver_set_ypserveracl
is set. This dictionary lists the rules for the ypserv.acl(5)
file. This ACL file allows to limit the access to the YP/NIS server to appropriate network ranges.
If ypserver_set_ypserveracl
is not set, this variable will create a securenet(5)
file instead which is a more limited format. Please ensure your rules take these limitations into account by checking against the applicable man pages.
Be sure to include your slave servers as well as clients that need to access YP/NIS. For example, if you want to allow your local host, the one slave server slave
and the 192.0.2.0/24
network clients, you would use:
ypserver_ypservacl:
- action: allow
type: host
host: "localhost"
- action: allow
type: host
host: "master"
- action: allow
type: host
host: "192.0.2.2"
tag: "slave"
- action: allow
type: net
host: "192.0.2.0"
mask: "255.255.255.0"
tag: "Clients"
- action: deny
type: all
Optional variables
ypserver_usedns: true
Specifies that the YP/NIS maps can use DNS for lookups of host names. Recommended to leave at true
. When set to false
, make sure that ypserver_serverinfo
and/or ypserver_set_hosts
are set correctly so that your NIS servers can be resolved.
ypserver_unsecure: false
Recommended to leave at false
when serving only OpenBSD or FreeBSD clients.
If set to true
, the passwd
maps will contain (encrypted) password entries. If all your YP/NIS /clients/ run OpenBSD or FreeBSD, you can safely set this variable to false
. For more information, see the OpenBSD FAQ. Please note that this setting does little to solve NIS' inherent insecurity.
ypserver_nopush: false
Recommended to leave at true
unless you need specific measures for updating maps on slave servers.
If set to true
, updated maps on the master will /not/ be automatically pushed to the slave servers. In that case, you will need to arrange the updates on slave servers in another way (e.g. using cron jobs or rsync).
ypserver_source_dir: '/etc'
The source directory for the maps served by the NIS domain. This directory needs to be present on the master server and contain the files referred to in the ypserver_source_maps
variable.
ypserver_source_maps:
passwd: 'master.passwd'
group: 'group'
This dict lists what maps the NIS domain master serves to clients and their source files. These files must exist on the master in the ypserver_source_dir
directory. For other supported maps, please see Makefile.yp(8)
.
ypserver_passwd_minuid: 1000
ypserver_passwd_maxuid: 32765
ypserver_group_mingid: 1000
ypserver_group_maxgid: 32765
These variables indicate the lower/upper bounds of usernames and groups to include in the NIS map. This prevents leaking system accounts into the maps.
Variables to support multiple YP/NIS domains on a server
This variable is intended to allow the hosting of multiple NIS domains on a server. This was not the originally intended use case, so if you find issues, please report this as an issue on GitHub.
ypserver_set_domainname: true
Recommended to leave at true
for the domain that is intended as your 'main' (default) domain name. Must be set to false
for other NIS domains that you want to host on the same server.
Additional settings
These variables are not required for role invocations and their defaults should be fine.
ypserver_set_hosts: false
If set to true
, the role adds the IP information for the NIS servers to the /etc/hosts
file. This is typically useful when the domain does not use DNS lookups (ypserver_usedns
set to false
). Note that this does require IP information for each NIS server in the ypserver_serverinfo
variable.
ypserver_set_yppasswdd: false
Enables the yppasswd
service, to allow users on the master server to change their password in the NIS maps. Note that recent versions of OpenBSD (as of 5.9) no longer have this functionality included.
ypserver_set_ypservacl: false
Creates an ACL file /var/yp/ypserv.acl
according to the ypserv.acl(5)
file instead of the securenet(5)
file. This ACL file allows to limit the access to the YP/NIS server to appropriate network ranges. Requires the ypserver_ypservacl
variable to be set appropriately.
ypserver_set_cronjob: true
Recommended to leave at true
unless you need/want other arrangements than those made by the role. Sets up a regular cron job for map updates on the domain and checks for missing maps on slave servers.
Job name | Interval | Note(s) |
---|---|---|
Update YP domain ypserver_ypdomain |
Every 15 minutes | On master server |
Update YP domain ypserver_ypdomain |
Every hour at :05 | On slave servers |
Internal variables
These variables are used in the role internally and are not intended for user modification. Change these at your own peril. Typically, they correspond to hard-coded values on the underlying operating system.
ypserver_ypdbdir: '/var/yp'
ypserver_ypdbdir_domain: "{{ ypserver_ypdbdir }}/{{ ypserver_domain }}"
ypserver_securenet: "{{ ypserver_ypdbdir }}/securenet"
Dependencies
None.
Example Playbook
Below is an example to create a simple YP//NIS domain with two servers, master
and slave
. The domain is called legacy
. The source files for the maps are located in /etc/legacy
.
---
- hosts: ypservers
roles:
- role: vnode.ypserver
vars:
ypserver_ypdomain: legacy
ypserver_master: master
ypserver_servers: "{{ groups['ypservers'] }}"
ypserver_source_dir: "/etc/{{ ypserver_domain }}"
License
MIT
Author Information
This role was created in 2020 by Rogier Krieger.