
Commit b6ca1a4c authored by eric pellegrini's avatar eric pellegrini

added role for setting up and configuring sssd across the cluster

parent 3ae1f23c
---
- hosts: cluster
remote_user: "{{ cluster_users.0.name }}"
become: True
environment: "{{ proxy_settings }}"
tasks:
- import_role:
name: roles/sssd
vars:
local_homes:
- user: "{{ cluster_users.0.name }}"
home: "/localhome/{{ cluster_users.0.name }}"
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
---
# defaults file for roles/sssd
# List of home directory to relocate bfore applying autofs mount
local_homes: []
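Review bot: The comment above `local_homes` has two slips ("directory" for "directories", "bfore"); it should read `# List of home directories to relocate before applying the autofs mount`. It would also help to document the item shape the tasks expect, e.g. `# each entry: {user: <login>, home: <absolute path>}`, since the playbook populates it with `user`/`home` keys and the admin tasks dereference `item.user` and `item.home`.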
#!/bin/bash
# This file must be executable to work! chmod 755!
# Look at what a host is exporting to determine what we can mount.
# This is very simple, but it appears to work surprisingly well
key="$1"
# add "nosymlink" here if you want to suppress symlinking local filesystems
# add "nonstrict" to make it OK for some filesystems to not mount
# choose one of the two lines below depending on the NFS version in your
# environment
opts="-fstype=nfs,hard,intr,nodev,nosuid"
#opts="-fstype=nfs4,hard,intr,nodev,nosuid,async"
for P in /bin /sbin /usr/bin /usr/sbin
do
for M in showmount kshowmount
do
if [ -x $P/$M ]
then
SMNT=$P/$M
break 2
fi
done
done
[ -x $SMNT ] || exit 1
# Newer distributions get this right
SHOWMOUNT="$SMNT --no-headers -e $key"
$SHOWMOUNT | LC_ALL=C cut -d' ' -f1 | LC_ALL=C sort -u | \
awk -v key="$key" -v opts="$opts" -- '
BEGIN { ORS=""; first=1 }
{ if (first) { print opts; first=0 }; print " \\\n\t" $1, key ":" $1 }
END { if (!first) print "\n"; else exit 1 }
' | sed 's/#/\\#/g'
#!/bin/bash
# This file must be executable to work! chmod 755!
# Look at what a host is exporting to determine what we can mount.
# This is very simple, but it appears to work surprisingly well
key="$1"
# add "nosymlink" here if you want to suppress symlinking local filesystems
# add "nonstrict" to make it OK for some filesystems to not mount
# choose one of the two lines below depending on the NFS version in your
# environment
#opts="-fstype=nfs,hard,intr,nodev,nosuid"
opts="-fstype=nfs4,sec=sys,hard,intr,nodev,nosuid,async"
for P in /bin /sbin /usr/bin /usr/sbin
do
for M in showmount kshowmount
do
if [ -x $P/$M ]
then
SMNT=$P/$M
break 2
fi
done
done
[ -x $SMNT ] || exit 1
# Newer distributions get this right
SHOWMOUNT="$SMNT --no-headers -e $key"
$SHOWMOUNT | LC_ALL=C cut -d' ' -f1 | LC_ALL=C sort -u | \
awk -v key="$key" -v opts="$opts" -- '
BEGIN { ORS=""; first=1 }
{ if (first) { print opts; first=0 }; print " \\\n\t" $1, key ":" $1 }
END { if (!first) print "\n"; else exit 1 }
' | sed 's/#/\\#/g'
#
# Define default options for autofs.
#
# MASTER_MAP_NAME - default map name for the master map.
#
#MASTER_MAP_NAME="/etc/auto.master"
MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,ou=system,dc=ill,dc=fr"
#
# TIMEOUT - set the default mount timeout (default 600).
#
TIMEOUT=300
#
# NEGATIVE_TIMEOUT - set the default negative timeout for
# failed mount attempts (default 60).
#
#NEGATIVE_TIMEOUT=60
#
# MOUNT_WAIT - time to wait for a response from mount(8).
# Setting this timeout can cause problems when
# mount would otherwise wait for a server that
# is temporarily unavailable, such as when it's
# restarting. The defailt of waiting for mount(8)
# usually results in a wait of around 3 minutes.
#
#MOUNT_WAIT=-1
#
# UMOUNT_WAIT - time to wait for a response from umount(8).
#
#UMOUNT_WAIT=12
#
# BROWSE_MODE - maps are browsable by default.
#
BROWSE_MODE="no"
#
# MOUNT_NFS_DEFAULT_PROTOCOL - specify the default protocol used by
# mount.nfs(8). Since we can't identify
# the default automatically we need to
# set it in our configuration.
#
#MOUNT_NFS_DEFAULT_PROTOCOL=3
#
# APPEND_OPTIONS - append to global options instead of replace.
#
#APPEND_OPTIONS="yes"
#
# LOGGING - set default log level "none", "verbose" or "debug"
#
LOGGING="verbose"
#
# Define server URIs
#
# LDAP_URI - space seperated list of server uris of the form
# <proto>://<server>[/] where <proto> can be ldap
# or ldaps. The option can be given multiple times.
# Map entries that include a server name override
# this option.
#
# This configuration option can also be used to
# request autofs lookup SRV RRs for a domain of
# the form <proto>:///[<domain dn>]. Note that a
# trailing "/" is not allowed when using this form.
# If the domain dn is not specified the dns domain
# name (if any) is used to construct the domain dn
# for the SRV RR lookup. The server list returned
# from an SRV RR lookup is refreshed according to
# the minimum ttl found in the SRV RR records or
# after one hour, whichever is less.
#
LDAP_URI="ldap://ldap.ill.fr"
#
# LDAP__TIMEOUT - timeout value for the synchronous API calls
# (default is LDAP library default).
#
#LDAP_TIMEOUT=-1
#
# LDAP_NETWORK_TIMEOUT - set the network response timeout (default 8).
#
#LDAP_NETWORK_TIMEOUT=8
#
# Define base dn for map dn lookup.
#
# SEARCH_BASE - base dn to use for searching for map search dn.
# Multiple entries can be given and they are checked
# in the order they occur here.
#
SEARCH_BASE="ou=automount,ou=system,dc=ill,dc=fr"
#
# Define the LDAP schema to used for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basdn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
#MAP_OBJECT_CLASS="nisMap"
#ENTRY_OBJECT_CLASS="nisObject"
#MAP_ATTRIBUTE="nisMapName"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="nisMapEntry"
#
# Other common LDAP nameing
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="ou"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="automountInformation"
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="automountMapName"
#ENTRY_ATTRIBUTE="automountKey"
#VALUE_ATTRIBUTE="automountInformation"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
#
# AUTH_CONF_FILE - set the default location for the SASL
# authentication configuration file.
#
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
#
# MAP_HASH_TABLE_SIZE - set the map cache hash table size.
# Should be a power of 2 with a ratio roughly
# between 1:10 and 1:20 for each map.
#
#MAP_HASH_TABLE_SIZE=1024
#
# General global options
#
OPTIONS=""
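Review bot: `LDAP_URI="ldap://ldap.ill.fr"` fetches the automount master map and its entries over an unencrypted LDAP connection, and nothing in this file turns on STARTTLS, so the NFS server and export path a client mounts for a given key could be altered in transit; prefer `LDAP_URI="ldaps://ldap.ill.fr"` or set `usetls="yes"` and `tlsrequired="yes"` in the file named by `AUTH_CONF_FILE`. That file, `/etc/autofs_ldap_auth.conf`, is referenced here but is not among the files this commit deploys, so a fresh node runs with whatever the distribution ships there — presumably it is expected to exist already, but that is worth confirming or adding to the role.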
#
#
# /etc/nscd.conf
#
# An example Name Service Cache config file. This file is needed by nscd.
#
# Legal entries are:
#
# logfile <file>
# debug-level <level>
# threads <initial #threads to use>
# max-threads <maximum #threads to use>
# server-user <user to run server as instead of root>
# server-user is ignored if nscd is started with -S parameters
# stat-user <user who is allowed to request statistics>
# reload-count unlimited|<number>
# paranoia <yes|no>
# restart-interval <time in seconds>
#
# enable-cache <service> <yes|no>
# positive-time-to-live <service> <time in seconds>
# negative-time-to-live <service> <time in seconds>
# suggested-size <service> <prime number>
# check-files <service> <yes|no>
# persistent <service> <yes|no>
# shared <service> <yes|no>
# max-db-size <service> <number bytes>
# auto-propagate <service> <yes|no>
#
# Currently supported cache names (services): passwd, group, hosts, services
#
# logfile /var/log/nscd.log
# threads 4
# max-threads 32
# server-user nobody
# stat-user somebody
debug-level 0
# reload-count 5
paranoia no
# restart-interval 3600
enable-cache passwd yes
positive-time-to-live passwd 3600
negative-time-to-live passwd 60
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes
enable-cache hosts yes
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432
enable-cache services yes
positive-time-to-live services 28800
negative-time-to-live services 20
suggested-size services 211
check-files services yes
persistent services yes
shared services yes
max-db-size services 33554432
enable-cache netgroup no
positive-time-to-live netgroup 28800
negative-time-to-live netgroup 20
suggested-size netgroup 211
check-files netgroup yes
persistent netgroup yes
shared netgroup yes
max-db-size netgroup 33554432
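Review bot: The passwd and group stanzas enable nscd caching with a 3600 s positive TTL while sssd is the provider for those maps; the sssd documentation recommends disabling nscd's passwd, group, netgroup and services caches because sssd keeps its own cache and a second layer only delays revocation (a removed account, or an `ILLHost` change that should fail the sssd access filter, keeps resolving until nscd's TTL expires). Keep the hosts cache and set `enable-cache passwd no`, `enable-cache group no` and `enable-cache services no` (netgroup is already off), or drop nscd from the role if name resolution caching is its only purpose here.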
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
automount ldap
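Review bot: The last line `automount ldap` is missing the `:` separator every other service line uses, so the NSS parser will not recognise it and the automount database falls back to its compiled-in default source instead of LDAP; it should read `automount: ldap`. Because the autofs defaults in this commit name the master map with an explicit `ldap:` prefix, the breakage may be masked at first, which is a reason to fix it now rather than wait for a symptom.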
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
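Review bot: `PasswordAuthentication` is left commented (default yes) while `UsePAM yes` is set and this role points PAM and NSS at the LDAP directory, so every cluster node accepts directory passwords over SSH and becomes an online guessing surface for all LDAP accounts; the file's own comment on that line says to change it to `no` to disable tunnelled clear-text passwords. If key-only access is intended set `PasswordAuthentication no`; if password logins are a requirement, state that in a comment and at least set a lower `MaxAuthTries` and restrict with `AllowGroups`. `PermitRootLogin without-password` is the deprecated spelling of `prohibit-password` on the OpenSSH version this header belongs to; the newer name makes the intent clearer.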
[nss]
filter_groups = root, admin
filter_users = root, daemon, kdm
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
entry_negative_timeout = 0
[pam]
reconnection_retries = 3
debug-level = 5
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = ILL
[domain/ILL]
enumerate = false
debug_level = 0
id_provider = ldap
access_provider = ldap
#auth_provider = krb5
auth_provider = ldap
ldap_uri = ldap://ldap.ill.fr
ldap_search_base = dc=ill,dc=fr
ldap_tls_reqcert = try
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_schema = rfc2307
ldap_user_object_class = posixAccount
ldap_access_order = filter
ldap_access_filter = (ILLHost=unix)
ldap_user_search_base = ou=illaccount,dc=ill,dc=fr
ldap_group_search_base = ou=Group,dc=ill,dc=fr
ldap_group_member = memberUid
ldap_group_object_class = posixGroup
ldap_group_name = cn
#krb5_server = windc1.ill.fr,windc2.ill.fr,windc3.ill.fr
#krb5_realm = ILL.FR
#krb5_ccachedir = /tmp
#krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
#krb5_auth_timeout = 15
#krb5_renewable_lifetime = 14d
##krb5_renew_interval = 28800
#krb5_renew_interval = 1
#krb5_lifetime = 9h
#krb5_store_password_if_offline = true
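Review bot: In the `[pam]` section `debug-level = 5` is not a recognised sssd option name (the `[domain/ILL]` section correctly uses `debug_level`), so it has no effect and newer sssd versions flag it in configuration validation; change it to `debug_level = 5` or drop it. Separately, `ldap_uri = ldap://ldap.ill.fr` with `ldap_tls_reqcert = try` and no `ldap_id_use_start_tls` means identity and access-control lookups, including the `ldap_access_filter = (ILLHost=unix)` decision, travel in cleartext and a server that presents no certificate is accepted; set `ldap_id_use_start_tls = true` and `ldap_tls_reqcert = demand` (or switch to an `ldaps://` URI) so the CA bundle in `ldap_tls_cacert` is actually enforced.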
---
# handlers file for roles/sssd
- name: restart sshd
service:
name: sshd
enabled: yes
state: restarted
- name: restart sssd
service:
name: sssd
enabled: yes
state: restarted
- name: restart nscd
service:
name: nscd
enabled: yes
state: restarted
- name: restart autofs
service:
name: autofs
enabled: yes
state: restarted
galaxy_info:
author: Eric Pellegrini
description: Role to setup sssd
company: Institut Laue Langevin
license: GPL-3.0-only
min_ansible_version: 2.0
platforms:
- name: Ubuntu
versions:
- bionic
galaxy_tags:
- sssd
dependencies: []
- name: create local home base directory
file:
path: "{{ item.home | dirname }}"
state: directory
loop: "{{ local_homes }}"
- name: move current home to its local location
shell: killall -KILL -u "{{ item.user }}" ; usermod -m -d "{{ item.home }}" "{{ item.user }}"
# user:
# name: "{{ item.user }}"
# home: "{{ item.home }}"
# move_home: True
loop: "{{ local_homes }}"
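Review bot: The `move current home to its local location` task is not idempotent: every run sends SIGKILL to all of the user's processes and re-invokes `usermod -m`, and because the play connects as `cluster_users.0.name` — the same user the playbook lists in `local_homes` — the kill plausibly takes down the controller's own SSH session mid-task. Guard it with `args:` / `creates: "{{ item.home }}"` under the `shell:` key so it only runs while the home has not yet been relocated, or restore the commented-out `user` module with `move_home: true`, which is the idempotent equivalent without the kill. The `;` lets `usermod` run regardless of `killall`'s result, which is presumably intended since killall exits non-zero when there is nothing to kill; a one-line comment saying so would help the next reader.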
---
- name: copy sshd_config configuration file
copy:
src: sshd_config
dest: /etc/ssh/
owner: root
notify:
- restart sshd
- name: copy sssd configuration file
copy:
src: sssd.conf
dest: /etc/sssd/
owner: root
mode: "600"
notify:
- restart sssd
- name: copy nsswitch configuration file
copy:
src: nsswitch.conf
dest: /etc/
notify:
- restart nscd
- name: copy nscd configuration file
copy:
src: nscd.conf
dest: /etc/
notify:
- restart nscd
- name: copy auto.net and auto.net4 configuration files
copy:
src: "{{ item }}"
dest: /etc/
loop:
- auto.net
- auto.net4
notify:
- restart autofs
- name: copy autofs configuration file
copy:
src: autofs
dest: /etc/default/
notify:
- restart autofs
- name: create net4 folder
file:
path: /net4
state: directory
notify:
- restart autofs
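Review bot: The `copy auto.net and auto.net4 configuration files` task sets no `mode`, so on a fresh node the files are created under the remote umask (typically 0644) and are not executable, yet both scripts open with the comment that they must be executable to work; add `mode: "0755"` alongside `dest: /etc/`. The sshd_config copy restarts sshd on every node without a syntax check, so one bad edit locks the whole cluster out at once; add `validate: /usr/sbin/sshd -t -f %s` and `mode: "0644"` to that task. The nsswitch.conf, nscd.conf and autofs copies also omit `owner`/`mode`; that is usually fine for world-readable configs, but stating `mode: "0644"` makes the intent explicit and independent of the remote umask.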
---
- name: install sssd related packages
apt:
name: "{{ item }}"
force_apt_get: yes
state: present
update_cache: yes
loop:
- sssd
- nscd
- autofs
- autofs5
- autofs-ldap
- autofs5-ldap
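Review bot: Looping the apt module with `name: "{{ item }}"` runs six separate apt transactions and Ansible warns about this pattern because the module accepts a list; move the six entries from `loop:` directly under `name:` and delete the `loop` key. While here, `force_apt_get: yes` and `update_cache: yes` read more portably as `true` (yamllint `truthy`), matching the `false` spelling already used in sssd.conf.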
---
# tasks file for roles/sssd
- import_tasks: admin.yml
- import_tasks: install.yml
- import_tasks: configure.yml