Configure machines as LDAP client for graphical LDAP user login

From Notes_Wiki

Home > CentOS > CentOS 6.x > System administration tools > ansible > Ansible-playbooks > Configure machines as LDAP client for graphical LDAP user login

To configure machines as LDAP clients for graphical LDAP user login using ansible, use the following steps:

Configure each machine once using the following playbook:

---
  - name: Configure machine for LDAP login using GUI
    remote_user: root
    hosts: lab-machine

    tasks:
    - name: Disable SELinux for now
      shell: setenforce 0
      ignore_errors: yes

    # /etc/sysconfig/selinux is a symlink to /etc/selinux/config, so edit the real file; the
    # anchored regexp makes sure only the SELINUX= line is changed, not a comment mentioning it
    - name: Disable SELinux permanently
      lineinfile: dest=/etc/selinux/config regexp="^SELINUX=" line="SELINUX=disabled"

    - name: Remove sssd and ipa packages
      yum: name={{item}} state=absent
      with_items:
        - sssd-client
        - ipa-admintools
        - ipa-client
        - ipa-server
        - ipa-server-selinux
        - sssd
        - sssd-ad
        - sssd-common
        - sssd-common-pac
        - sssd-dbus
        - sssd-ipa
        - sssd-krb5
        - sssd-krb5-common
        - sssd-ldap
        - sssd-proxy

    - name: Install openldap-clients, openldap and nss-pam-ldapd
      yum: name={{item}} state=present
      with_items:
        - openldap-clients
        - openldap
        - nss-pam-ldapd

    # Plain ldap:// sends bind credentials unencrypted; if the server offers TLS, add
    # --enableldaptls (and --ldaploadcacert=<CA certificate URL>) to this command
    - name: Configure machine as LDAP client
      shell: authconfig --enableldap --enableldapauth --ldapserver=ldap.sbarjatiya.com --ldapbasedn="ou=Users,dc=sbarjatiya,dc=com" --enablelocauthorize --enablepamaccess --enablemkhomedir --enablecachecreds --enablecache --updateall

    # Use only on CentOS 6.*; on CentOS 7 or Fedora 20 this would fail
    #- name: Set LDAP bind policy to soft
    #  lineinfile: dest=/etc/pam_ldap.conf regexp="^bind_policy" line="bind_policy soft"

    - name: Replace nsswitch.conf as it is not getting configured properly by authconfig
      copy: src=nsswitch.conf dest=/etc/nsswitch.conf owner=root group=root mode=644

    # Blanks every line that mentions sss (pam_sss.so) so PAM no longer consults sssd
    - name: Replace all references to sss in pam.d
      shell: cd /etc/pam.d; sed -i 's/^.*sss.*$//g' *

    - name: Enable nscd on system boot
      service: name=nscd enabled=yes state=started

    # Replace the folder list with the appropriate base folder names. For example, if LDAP user
    # saurabh's home folder is /rekall/saurabh then the /rekall folder should be created by this task
    - name: Create the directories on each machine
      file: path={{item}} state=directory mode=755
      with_items:
          - /courses
          - /home1
          - /students

    # Adjust the shell line as per lab-machine OS. Also test it on a few machines and edit
    # appropriately. The final output should be the name of the interface to be brought up
    # using DHCP on boot for the ansible-pull mechanism.
    - name: Find the interface to bring up with DHCP on boot
      # CentOS 6 line
      shell: ifconfig | grep Link | grep HW | sed 's/ .*$//g'
      # Fedora 20 line
      #shell: ifconfig | grep mtu | sed 's/:.*$//g' | grep '[0-9]'
      # CentOS 7 line
      #shell: ifconfig | grep mtu | grep '[ep][n0-9]p[0-9]' | sed 's/:.*$//g'
      register: ifconfig_output

    # rc.local runs as root at boot; 0755 keeps it executable without making it world-writable
    - name: Copy the rc.local for DHCP and sss configuration on boot
      template: src=rc.local dest=/etc/rc.d/rc.local mode=0755

    - name: Disable management of {{ifconfig_output.stdout}} by network-manager (Possibly disconnects current ansible session)
      shell: 'echo NM_CONTROLLED="no" >> /etc/sysconfig/network-scripts/ifcfg-{{ifconfig_output.stdout}}'

Here:

  • NM_CONTROLLED="no" lets the machine get its IP from DHCP during boot via the rc.local file. Without it the machine has no IP address with which to contact the LDAP server, so LDAP login cannot work.
  • Removing sssd is necessary because without it GUI login keeps getting slower. For a lab of 120 machines the login may take up to 4 hours unless sssd is removed thoroughly, as automated in the playbook above.
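The interface-detection line in the playbook differs by release, and whatever it prints is interpolated into a file path (ifcfg-<name>) and into the dhclient call in rc.local. The following bash script is an added example, not part of the wiki page: it applies the same grep/sed filters to constructed ifconfig output in the CentOS 6 "Link encap" format and the CentOS 7 / Fedora 20 "flags ... mtu" format, keeps only the first match so the value stays a single line on multi-NIC machines, and rejects any result that is not a plain interface identifier before it is used in a path. The sample outputs and function names are this example's own.

```shell
#!/bin/bash
# Added example, not from the wiki page: select the boot interface name from
# ifconfig output in both formats the playbook comments describe. The sample
# outputs below are constructed; the function names are this example's own.

# Constructed ifconfig output in the CentOS 6 format ("Link encap" / "HWaddr").
CENTOS6_SAMPLE='eth0      Link encap:Ethernet  HWaddr 08:00:27:AA:BB:CC
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# Constructed ifconfig output in the CentOS 7 / Fedora 20 format ("flags= ... mtu").
EL7_SAMPLE='enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0'

# CentOS 6 filter, as in the playbook: the loopback line reads
# "Link encap:Local Loopback" with no HWaddr, so "grep HW" drops it.
iface_centos6() {
    grep Link | grep HW | sed 's/ .*$//g'
}

# CentOS 7 / Fedora 20 filter, as in the playbook comment: every interface
# header carries "mtu"; the name is everything before the colon, and "lo"
# is dropped because it contains no digit.
iface_el7() {
    grep mtu | sed 's/:.*$//g' | grep '[0-9]'
}

# Detect the format from the text on stdin, run the matching filter and keep
# only the first interface, so the value stays one line on multi-NIC machines.
detect_iface() {
    ifc_text=$(cat)
    if printf '%s\n' "$ifc_text" | grep -q 'Link encap'; then
        printf '%s\n' "$ifc_text" | iface_centos6 | head -n 1
    else
        printf '%s\n' "$ifc_text" | iface_el7 | head -n 1
    fi
}

# Refuse anything that is not a plain interface identifier before the name is
# interpolated into ifcfg-<name> or a dhclient command line.
valid_iface_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo: both constructed samples resolve to a single, validated name.
for sample in "$CENTOS6_SAMPLE" "$EL7_SAMPLE"; do
    name=$(printf '%s\n' "$sample" | detect_iface)
    if valid_iface_name "$name"; then
        echo "boot interface: $name"
    else
        echo "rejected interface name: '$name'" >&2
    fi
done
```

Run the script once on a sample machine of each release and compare its output with the register value the playbook records; if they differ, the OS-specific shell line in the playbook needs adjusting, as the comment there says.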


A file rc.local (the source of the template task above) should be available alongside the playbook with the following content:

#! /bin/bash

cd /etc/pam.d
sed -i 's/^.*sss.*$//g' *

dhclient -v {{ifconfig_output.stdout}}

Other lines, such as the pull configuration described at HTTP based ansible-pull configuration without-git, can follow these lines in the rc.local file.


A file nsswitch.conf (the source of the copy task above) should be available alongside the playbook with the following content:

passwd:     files ldap
shadow:     files ldap
group:      files ldap
#initgroups: files

#hosts:     db files nisplus nis dns
#hosts:      files mdns4_minimal [NOTFOUND=return] dns
hosts:      files ldap dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus

Ideally authconfig should take care of adding ldap and removing sss from nsswitch.conf and pam.d, but it does not seem to do so.
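Because authconfig leaves sss behind, it is worth verifying the end state after the playbook runs rather than trusting it. The following bash script is an added example, not part of the wiki page: it checks that passwd, shadow and group in nsswitch.conf resolve through "files ldap", counts the non-comment lines under pam.d that still load sss, and removes such lines the way the playbook's sed does but by deleting them rather than blanking them. Paths are parameters so the check runs against constructed copies instead of the live /etc; the fixture contents and function names are this example's own.

```shell
#!/bin/bash
# Added example, not from the wiki page: verify the state the playbook aims
# for. All fixture contents and function names are this example's own.

# Return 0 when each of passwd, shadow and group is served by "files ldap".
nsswitch_ok() {
    nss_file=$1
    for db in passwd shadow group; do
        grep -Eq "^${db}:[[:space:]]+files[[:space:]]+ldap([[:space:]]|$)" "$nss_file" || return 1
    done
    return 0
}

# Return 0 when no non-comment line in the pam.d directory references sss.
pamd_clean() {
    ! grep -rEq '^[^#]*sss' "$1"
}

# Number of non-comment lines under the directory that still reference sss.
count_sss_refs() {
    grep -rcE '^[^#]*sss' "$1" | awk -F: '{ s += $NF } END { print s + 0 }'
}

# Drop every line mentioning sss from each file in the directory. Unlike
# "sed -i 's/^.*sss.*$//g'" this leaves no empty lines behind and does not
# depend on in-place editing support in sed.
strip_sss_lines() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sed '/sss/d' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Build constructed fixtures: a cleaned and an unclean nsswitch.conf and pam.d.
make_fixture() {
    fx=$(mktemp -d)
    mkdir "$fx/pam.d" "$fx/pam.d.bad"
    # nsswitch.conf as shipped by the playbook
    printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\nhosts:      files ldap dns\n' \
        > "$fx/nsswitch.conf"
    # nsswitch.conf as authconfig tends to leave it: sss present, ldap missing for shadow
    printf 'passwd:     files sss ldap\nshadow:     files sss\ngroup:      files sss ldap\n' \
        > "$fx/nsswitch.bad"
    # a pam.d file already switched to pam_ldap
    printf 'auth        required      pam_env.so\nauth        sufficient    pam_unix.so nullok try_first_pass\nauth        sufficient    pam_ldap.so use_first_pass\n' \
        > "$fx/pam.d/system-auth"
    # a pam.d file still loading pam_sss (two active lines plus a comment)
    printf 'auth        sufficient    pam_unix.so nullok try_first_pass\nauth        sufficient    pam_sss.so use_first_pass\n# sss mentioned in a comment only\naccount     [default=bad success=ok user_unknown=ignore] pam_sss.so\n' \
        > "$fx/pam.d.bad/system-auth"
    printf '%s\n' "$fx"
}

# Demo run over the constructed fixtures.
FX=$(make_fixture)
nsswitch_ok "$FX/nsswitch.conf" && echo "nsswitch.conf: ldap configured"
nsswitch_ok "$FX/nsswitch.bad" || echo "nsswitch.bad: sss still present"
echo "pam.d.bad: $(count_sss_refs "$FX/pam.d.bad") sss reference(s) before cleanup"
strip_sss_lines "$FX/pam.d.bad"
pamd_clean "$FX/pam.d.bad" && echo "pam.d.bad: clean after cleanup"
rm -rf "$FX"
```

On a real machine call nsswitch_ok /etc/nsswitch.conf and pamd_clean /etc/pam.d after the playbook has run; a non-zero count from count_sss_refs /etc/pam.d means the sed task did not reach every file and the slow-login problem described above will persist.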

