From 391d855fa7c697d241c11f33388903609c3f84ec Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Sun, 19 Jul 2020 15:30:38 +0200
Subject: [PATCH] [ldap-client] use nounous ldap

---
 roles/ldap-client/tasks/main.yml | 32 +++++++++++---------
 roles/ldap-client/templates/bin/chsh.j2 | 4 ---
 roles/ldap-client/templates/bin/chsh.ldap.j2 | 4 ---
 roles/ldap-client/templates/bin/passwd.j2 | 3 --
 roles/ldap-client/templates/nslcd.conf.j2 | 30 ++++++++----------
 5 files changed, 30 insertions(+), 43 deletions(-)
 delete mode 100644 roles/ldap-client/templates/bin/chsh.j2
 delete mode 100644 roles/ldap-client/templates/bin/chsh.ldap.j2
 delete mode 100644 roles/ldap-client/templates/bin/passwd.j2

diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml
index 8195e6f1..f03a809f 100644
--- a/roles/ldap-client/tasks/main.yml
+++ b/roles/ldap-client/tasks/main.yml
@@ -4,17 +4,14 @@
   apt:
     update_cache: true
     name:
-      - nslcd
       - libnss-ldapd
-      - libpam-ldapd
-      - nscd  # local cache
     state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded
 
 # Configure /etc/nslcd.conf
-- name: Configure nslcd LDAP credentials
+- name: Configure nslcd
   template:
     src: nslcd.conf.j2
     dest: /etc/nslcd.conf
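Review bot: The package list now installs only libnss-ldapd, yet the role still templates /etc/nslcd.conf and notifies `Restart nslcd service`, so the daemon being present rests on libnss-ldapd presumably pulling nslcd in as a dependency rather than on anything the role states. Keeping `- nslcd` in the list, or at least a comment such as `# nslcd itself is pulled in as a dependency of libnss-ldapd` above it, keeps the role self-describing and the handler from failing where that dependency is satisfied differently. Dropping libpam-ldapd also means LDAP accounts are still resolved through NSS but no longer authenticate through PAM on these hosts; a one-line comment saying this is intentional would save the next reader a check. The apt task starts before the hunk.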
@@ -26,20 +23,27 @@
   lineinfile:
     dest: /etc/nsswitch.conf
     regexp: "^{{ item }}:"
-    line: "{{ item }}: files ldap"
+    line: "{{ item }}: files systemd ldap"
   loop:
     - passwd
     - group
+  notify: Restart nslcd service
+
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}:"
+    line: "{{ item }}: files ldap"
+  loop:
     - shadow
+    - networks
   notify: Restart nslcd service
 
-# Disable passwd and chsh
-- name: Copy passwd and chsh scripts
-  template:
-    src: "bin/{{ item }}.j2"
-    dest: "/usr/local/bin/{{ item }}"
-    mode: 0755
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}:"
+    line: "{{ item }}: files dns ldap"
   loop:
-    - chsh
-    - chsh.ldap
-    - passwd
+    - hosts
+  notify: Restart nslcd service
diff --git a/roles/ldap-client/templates/bin/chsh.j2 b/roles/ldap-client/templates/bin/chsh.j2
deleted file mode 100644
index 37462f78..00000000
--- a/roles/ldap-client/templates/bin/chsh.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-{{ ansible_header | comment }}
-echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"
-
diff --git a/roles/ldap-client/templates/bin/chsh.ldap.j2 b/roles/ldap-client/templates/bin/chsh.ldap.j2
deleted file mode 100644
index 175fdfc1..00000000
--- a/roles/ldap-client/templates/bin/chsh.ldap.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-{{ ansible_header | comment }}
-echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"
-echo "De toutes façons la vraie commande aurait pas marché, on installe pas nslcd-utils sur les serveurs normalement."
diff --git a/roles/ldap-client/templates/bin/passwd.j2 b/roles/ldap-client/templates/bin/passwd.j2
deleted file mode 100644
index 40b04126..00000000
--- a/roles/ldap-client/templates/bin/passwd.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-{{ ansible_header | comment }}
-echo "Pour changer votre mot de passe,\nAllez sur l'intranet : {{intranet_url}}"
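Review bot: Deleting the "Copy passwd and chsh scripts" task stops the wrappers from being deployed, but nothing removes /usr/local/bin/chsh, /usr/local/bin/chsh.ldap and /usr/local/bin/passwd from hosts provisioned before this commit, so those hosts keep a `passwd` earlier in PATH than the real one that only prints a message. A cleanup task such as `file: {path: "/usr/local/bin/{{ item }}", state: absent}` looping over `chsh`, `chsh.ldap` and `passwd` would make the role converge on existing hosts. Separately, all three lineinfile tasks now carry the identical name `Configure NSS to use LDAP`, which makes play output and `--start-at-task` ambiguous; naming them by the maps they touch, e.g. `Configure NSS shadow and networks lookups` and `Configure NSS hosts lookups`, fixes that. The first lineinfile task starts before the hunk.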
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2
index e634dd23..f55c1a67 100644
--- a/roles/ldap-client/templates/nslcd.conf.j2
+++ b/roles/ldap-client/templates/nslcd.conf.j2
@@ -1,35 +1,30 @@
 {{ ansible_header | comment }}
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
 
 # The user and group nslcd should run as.
 uid nslcd
 gid nslcd
 
 # The location at which the LDAP server(s) should be reachable.
-{% if ldap_local_replica_uri is defined %}
-{% for uri in ldap_local_replica_uri %}
-uri {{ uri }}
+{% if ldap.local %}
+uri ldapi:///
+{% else %}
+{% for server in ldap.servers %}
+uri ldaps://{{ server }}/
 {% endfor %}
 {% endif %}
-uri {{ ldap_master_uri }}
 
 # The search base that will be used for all queries.
-base {{ ldap_base }}
-base passwd {{ ldap_user_tree }}
-base shadow {{ ldap_user_tree }}
-base group ou=posix,ou=groups,{{ ldap_base }}
+base dc=crans,dc=org
 
 # The LDAP protocol version to use.
-ldap_version 3
-
-# Time limit to wait for an answer
-timelimit 5
-
-# Time limit to wait for a bind
-bind_timelimit 5
+#ldap_version 3
 
 # The DN to bind with for normal lookups.
-binddn {{ ldap_nslcd_bind_dn }}
-bindpw {{ ldap_nslcd_passwd }}
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
 
 # The DN used for password modifications by root.
 #rootpwmoddn cn=admin,dc=example,dc=com
@@ -41,4 +36,3 @@ tls_cacertfile /etc/ssl/certs/ca-certificates.crt
 
 # The search scope.
 #scope sub
-
-- 
GitLab
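Review bot: Dropping `timelimit 5` and `bind_timelimit 5` leaves nslcd on its defaults, and per nslcd.conf(5) the default timelimit is 0, meaning a search waits indefinitely; with the hosts map now also falling through to LDAP in the tasks file, an outage of the servers in `ldap.servers` turns every unresolved lookup into a hang for logins, sudo and `ls -l`. Restoring `timelimit 5` and `bind_timelimit 5` next to the commented `#ldap_version 3` is a two-line fix. The `{% else %}` branch also emits no `uri` line at all when `ldap.servers` is empty, which nslcd will presumably refuse at start-up with a less helpful message than an `assert` on the variable in the tasks would give. Switching from a bound service account to an anonymous bind is a deliberate choice, but since `shadow: files ldap` stays in nsswitch.conf, what the shadow map returns now depends entirely on the server's anonymous-read ACLs; a comment above `#binddn` such as `# Lookups are intentionally anonymous; the server's ACLs decide what the shadow map exposes` would record that.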