Merge pull request #841 from Anand-Reddy7/anand-sssd-19nov

Adding OpenLDAP SSSD support

Author: rajan-mis

roles/auth_configure/tasks/ldap_prerequisites.yml

@@ -1,34 +1,21 @@
 ---
 # Installing required ldap client packages for the integration.
 
-- name: LDAP | Installing Packages
+- name: LDAP | Check OS version for OpenLDAP package installation
   ansible.builtin.shell: "grep -oE 'release [0-9]+' /etc/redhat-release | awk '{print $2}'"
   register: rhel_version
   changed_when: false
 
-- name: LDAP | Install Packages for RHEL 7
-  ansible.builtin.yum:
-    name:
-      - openldap-clients
-      - nss-pam-ldapd
-      - sssd
-      - oddjob
-      - oddjob-mkhomedir
-    state: present
-  when: rhel_version.stdout == "7"
-  register: install_ldap_client
-
-- name: LDAP | Install Packages for RHEL 8
+- name: LDAP | Install Required OpenLDAP Packages
   ansible.builtin.dnf:
     name:
       - libnsl
       - libnsl2
       - openldap-clients
-      - nss-pam-ldapd
-      - authselect
       - sssd
-      - oddjob
+      - sssd-ldap
       - oddjob-mkhomedir
+      - openssl-perl
+      - authselect
     state: present
-  when: rhel_version.stdout == "8"
-  register: install_ldap_client
+  when: rhel_version.stdout in ["8", "9"]

roles/auth_configure/tasks/ldap_user_integration.yml

@@ -1,79 +1,69 @@
 ---
-# Installing required LDAP client packages for the integration.
 
-- name: LDAP | OS version check
+- name: LDAP | Check OS version
   ansible.builtin.shell: "grep -oE 'release [0-9]+' /etc/redhat-release | awk '{print $2}'"
   register: rhel_version
   changed_when: false
 
 - block:
-    - name: LDAP | Enable LDAP authentication
-      ansible.builtin.command:
-        cmd: authconfig --enableldap --enableldapauth --ldapserver=ldap://{{ LDAP_SERVER_IP }} --ldapbasedn="dc={{ BASE_DN.split('.')[0] }},dc={{ BASE_DN.split('.')[1] }}" --enablemkhomedir --update
-      register: enable_authconfig
-
-    - debug:
-        var: enable_authconfig.stdout_lines
+    - name: LDAP | Check for existing ldap_cacert.pem
+      ansible.builtin.stat:
+        path: "{{ LDAP_CERT_FILES_DIR }}/ldap_cacert.pem"
+      register: ldap_cert_stat
 
-    - name: Update nsswitch.conf
-      ansible.builtin.lineinfile:
-        path: /etc/nsswitch.conf
-        regexp: "{{ item.regexp }}"
-        line: "{{ item.line }}"
-      loop:
-        - { regexp: '^passwd:', line: 'passwd: files ldap' }
-        - { regexp: '^shadow:', line: 'shadow: files ldap' }
-        - { regexp: '^group:', line: 'group: files ldap' }
-
-    - name: Remove 'auth' lines from password-auth PAM configuration
-      ansible.builtin.lineinfile:
-        path: "{{ item }}"
-        state: absent
-        regexp: '^auth.*'
-      loop:
-        - /etc/pam.d/password-auth
-        - /etc/pam.d/system-auth
+    - name: LDAP | Copy ldap_cacert.pem to remote servers if not present
+      ansible.builtin.copy:
+        src: "{{ LDAP_CERT_FILES_DIR }}/ldap_cacert.pem"
+        dest: /etc/openldap/certs/ldap_cacert.pem
+        owner: root
+        group: root
+        mode: '0600'
+      when: not ldap_cert_stat.stat.exists
+      register: ldap_cert_result
 
-    - name: Add custom auth lines to PAM configuration files
+    - name: LDAP | Update LDAP configuration with server details
       ansible.builtin.blockinfile:
-        path: "{{ item }}"
+        path: /etc/openldap/ldap.conf
         block: |
-          auth        required      pam_env.so
-          auth        sufficient    pam_unix.so nullok try_first_pass
-          auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
-          auth        sufficient    pam_ldap.so use_first_pass
-          auth        required      pam_deny.so
+          BASE   dc={{ BASE_DN.split('.')[0] }},dc={{ BASE_DN.split('.')[1] }}
+          URI    ldap://{{ LDAP_SERVER_IP }}/
+          TLS_CACERT /etc/openldap/certs/ldap_cacert.pem
+          TLS_CACERTDIR /etc/openldap/certs
         create: yes
-      loop:
-        - /etc/pam.d/password-auth
-        - /etc/pam.d/system-auth
-        - /etc/pam.d/sshd
 
-    - name: Remove nslcd.conf file
+    - name: LDAP | Rehash certificates in OpenLDAP directory
+      ansible.builtin.command:
+        cmd: openssl rehash /etc/openldap/certs
+
+    - name: LDAP | Configure SSSD with mkhomedir
+      ansible.builtin.command:
+        cmd: authselect select sssd with-mkhomedir --force
+
+    - name: LDAP | Remove existing SSSD configuration file if present
       ansible.builtin.file:
-        path: /etc/nslcd.conf
+        path: /etc/sssd/sssd.conf
         state: absent
 
-    - name: LDAP | Update LDAP Configuration with LDAP_SERVER and BASE_DN
-      ansible.builtin.blockinfile:
-        path: /etc/nslcd.conf
-        block: |
-          uid nslcd
-          gid ldap
-          uri ldap://{{ LDAP_SERVER_IP }}/
-          base dc={{ BASE_DN.split('.')[0] }},dc={{ BASE_DN.split('.')[1] }}
-        create: yes
-
-    - name: Allow SSH authentication
-      ansible.builtin.command: sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
-      notify: Restart SSH Service
+    - name: LDAP | Create new SSSD configuration file
+      ansible.builtin.template:
+        src: sssd.conf.j2
+        dest: /etc/sssd/sssd.conf
+        mode: '0600'
+        owner: root
+        group: root
 
-    - name: Restart and enable the services
+    - name: LDAP | Restart and enable SSSD and oddjobd services
       ansible.builtin.systemd:
         name: "{{ item }}"
         state: restarted
         enabled: yes
       loop:
-        - nslcd
-        - nscd
-  when: rhel_version.stdout in ["7", "8"]
+        - sssd
+        - oddjobd
+
+    - name: LDAP | Allow SSH password authentication
+      ansible.builtin.command:
+        cmd: sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
+      notify: Restart SSH Service
+
+  when: rhel_version.stdout in ["8", "9"]

roles/auth_configure/tasks/user_auth_ldap.yml

@@ -1,13 +1,45 @@
 ---
 # Authenticating LDAP to the cluster
 
-- name: LDAP | Authenticate Cluster
+- name: LDAP | CES - Check if LDAP authentication is already configured
+  shell: mmuserauth service list
+  register: ldap_config_check
+  changed_when: false
+  run_once: true
+
+- name: LDAP | CES - Authenticate Cluster with LDAP
   shell: |
-    echo -e "{{ ldap_admin_password }}" | mmuserauth service create --type ldap --data-access-method file --servers {{ ldap_server }} --base-dn dc={{ BASE_DN.split('.')[0] }},dc={{ BASE_DN.split('.')[1] }} --user-name cn=admin,dc={{ BASE_DN.split('.')[0] }},dc={{ BASE_DN.split('.')[1] }} --netbios-name ces
-  when: service_result.rc is defined and service_result.rc != 0
+    echo -e "{{ ldap_admin_password }}" | mmuserauth service create \
+      --type ldap \
+      --data-access-method file \
+      --servers {{ ldap_server }} \
+      --base-dn "dc={{ BASE_DN.split('.')[0] }},dc={{ BASE_DN.split('.')[1] }}" \
+      --user-name "cn=admin,dc={{ BASE_DN.split('.')[0] }},dc={{ BASE_DN.split('.')[1] }}" \
+      --netbios-name ces
+  when: "'LDAP' not in ldap_config_check.stdout"
   register: ldap_authenticate_cluster
-  ignore_errors: yes
   run_once: true
 
-- debug:
-    var: ldap_authenticate_cluster.stdout_lines
+# Following tasks have been added to prevent updates to the sssd.conf file after "CES - Authenticate Cluster with LDAP."
+- name: LDAP | CES - Ensure SSSD Configuration File is Absent
+  ansible.builtin.file:
+    path: /etc/sssd/sssd.conf
+    state: absent
+    force: yes
+  when: ldap_authenticate_cluster.changed
+
+- name: LDAP | CES - Deploy SSSD Configuration File
+  ansible.builtin.template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: '0600'
+    owner: root
+    group: root
+  when: ldap_authenticate_cluster.changed
+
+- name: LDAP | CES - Restart SSSD Service
+  ansible.builtin.systemd:
+    name: sssd
+    state: restarted
+    enabled: yes
+  when: ldap_authenticate_cluster.changed

roles/auth_configure/templates/sssd.conf.j2

@@ -0,0 +1,21 @@
+[sssd]
+config_file_version = 2
+services = nss, pam, autofs
+domains = default
+
+[nss]
+homedir_substring = /home
+
+[pam]
+
+[domain/default]
+id_provider = ldap
+autofs_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+ldap_uri = ldap://{{ LDAP_SERVER_IP }}
+ldap_search_base = dc={{ BASE_DN | regex_replace('\\..*', '') }},dc={{ BASE_DN | regex_replace('^[^.]+\\.', '') }}
+ldap_id_use_start_tls = True
+ldap_tls_cacertdir = /etc/openldap/certs
+cache_credentials = True
+ldap_tls_reqcert = allow

roles/auth_configure/vars/main.yml

@@ -1,3 +1,4 @@
 LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
 BASE_DN: "{{ ldap_basedns }}"
-LDAP_SERVER_IP: "{{ ldap_server }}"
+LDAP_SERVER_IP: "{{ ldap_server }}"
+LDAP_CERT_FILES_DIR: "/opt/IBM/ibm-spectrumscale-cloud-deploy/ldap_key"

roles/auth_ldap_server_prepare/tasks/get_ldap_certs.yml

@@ -0,0 +1,19 @@
+---
+# Getting OpenLDAP SSL cert
+
+- name: LDAP | Check if ldap_cacert.pem exists on remote
+  stat:
+    path: /usr/local/share/ca-certificates/ldap_cacert.pem
+  register: remote_cert_status
+
+- name: LDAP | Check if ldap_cacert.pem exists locally
+  stat:
+    path: "{{ LDAP_CERT_FILES_DIR }}/ldap_cacert.pem"
+  register: ldap_cert_status
+
+- name: LDAP | Copy ldap_cacert.pem to Bootstrap
+  fetch:
+    src: /usr/local/share/ca-certificates/ldap_cacert.pem
+    dest: "{{ LDAP_CERT_FILES_DIR }}/ldap_cacert.pem"
+    flat: yes
+  when: remote_cert_status.stat.exists and not ldap_cert_status.stat.exists