Skip to content

devgateway/ansible-ldap-auth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

61 Commits

defaults

defaults

 
 

files

files

 
 

handlers

handlers

 
 

meta

meta

 
 

tasks

tasks

 
 

templates

templates

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

Repository files navigation

ldap-auth

Configure LDAP authentication & authorization with parametrized user/host/project lookups.

Requirements

You must place your LDAP server certificate in files/certs/*.crt.

Role Variables

General LDAP configuration

  • ldap_uri - URI of your LDAP server(s). Separate multiple URIs with a space.

  • ldap_dn, ldap_pw (optional) - credentials to connect to your LDAP server with.

LDAP lookup configuration for NSS and pam-param

  • ldap_base_sudoers - base for sudoers records lookups.

  • ldap_lookups - a dictionary. Key hosts describes SSH hosts, user describes all user accounts, membership cross-references user and host DNs for access control, and admin looks up user accounts which get unconditional access and bypass membership check. Each item is a dictionary with three keys: base, scope (defaulting to sub), and filter.

  • ldap_nss_user_filter - filter for NSS user lookups. NSS will add user ID clause to this filter.

Optional variables

  • ldap_authorized_keys_command_user - the user as whom SSH daemon will run the command to fetch authorized keys from LDAP.

  • ldap_base - default LDAP base for libldap.

  • ldap_client_files - dictionary of config templates (without .j2 suffix) and their destinations and modes.

  • ldap_netgroup_base, ldap_netgroup_scope, ldap_netgroup_filter - netgroup lookup parameters.

  • ldap_pam_param_config_file - location of pam-param INI file.

  • ldap_pam_param_short_name - whether to use short host names (vs FQDN) when looking up hosts in LDAP.

  • ldap_pubkey_attr - the name of LDAP attribute that holds printable public key (possibly with comments).

  • ldap_pubkey_filter - the filter used to look up public keys by user ID; %s substituted for UID.

  • ldap_sshd_config - location of SSH daemon config.

  • ldap_sudoers - whether to try looking up sudoers records in LDAP. If false, NSS will only consider local files. This would be useful to override generic LDAP sudoers with local settings (e.g. to disallow sudoers).

  • ldap_uid_min - minimum numeric ID for non-system users, on most modern systems equals 1000.

Example Playbook

- hosts: ldap-auth
  roles:
    - ldap-auth
  vars:
    ldap_uri: ldaps://ldap.example.org
    ldap_sudoers: false
    ldap_base: dc=example,dc=org
    ldap_base_sudoers: ou=sudoers,{{ ldap_base }}
    ldap_lookups:
      admin:
        base: cn=admins,ou=groups,{{ ldap_base }}
        scope: base
        filter: (member=%s)
      user:
        base: ou=people,{{ ldap_base }}
        scope: sub
        filter: (&(objectClass=posixAccount)(uid=%s)(gidNumber=100))
      host:
        base: ou=hosts,{{ ldap_base }}
        scope: sub
        filter: (&(|(objectClass=virtualMachine)(objectClass=server))(cn=%s))
      membership:
        base: ou=projects,{{ ldap_base }}
        scope: sub
        filter: (&(objectClass=groupOfNames)(member=%1$s)(serverMember=%2$s))

License

GPLv3+

Author Information

Development Gateway

About

Configure LDAP authentication & authorization with parametrized user/host/project lookups

Topics

linux ssh security ansible ldap pam ansible-role ssh-server ldap-authentication ldap-server nss

Resources

Readme
Activity
Custom properties

Stars

15 stars

Watchers

9 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •