前投稿まででいろいろ書いてしまったが、より実用的にするために、さらにplaybookを整理した。
整理するにあたり、以下の観点に注力した。
・恒久設定(一度設定したら、ずっと変わらないであろう設定)の部分は、すべてldapサーバ構築用playbookにまとめた。
・グループ(cn)やldapユーザはユーザが増えるごとに追加する部分なので、playbookを独立させた。
・ユーザ名/パスワード系やグループ名はvarsモジュールで変数定義するように統一した。
ということで出来上がったplaybookは
・ldapサーバ構築用playbook
・グループ(cn)設定用playbook
・ldapユーザ設定用playbook
・ssh公開鍵設定用playbook
・ldapクライアント構築用playbook
ssh鍵認証をしたくない、という方は、ldapサーバ構築用playbookとldapクライアント構築用playbookにある「line='PubkeyAuthentication yes'」となるlineinfileモジュールのタスクをコメントアウトし、ssh公開鍵設定用playbookを実行しなければOKかと。その場合、sshログイン時のパスワードは「ldapuser01」になる。
※セキュリティ上お勧めしません。。。
■/etc/ansible/hostsの設定
[root@ansible_sv ~]# vi /etc/ansible/hosts
# Inventory: one LDAP server group and one client group.
# 1_set_ldapserver.yml .. 4_publickey.yml run against ldap_sv,
# 5_ldapClient-create.yml against ldapclient.
[ldap_sv]
192.168.3.6
[ldapclient]
192.168.3.7
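[root@ansible_sv ~]# cat /etc/ansible/yml/1_set_ldapserver.yml
# 1_set_ldapserver.yml -- one-time build of the OpenLDAP server (ldap_sv):
# packages, slapd + schemas, cn=config rootDN/rootPW, base DN and OUs,
# sssd/authconfig, sshd public-key lookup via sssd, sudo for the LDAP group.
# Per-group / per-user data lives in 2_addgroup.yml and 3_adduser.yml.
#
# Secrets: rootPasswd is the cn=Manager bind password and is written here in
# clear text. Keep this file out of version control, or move the vars block
# into an ansible-vault encrypted vars file. Tasks that touch the password or
# its hash carry no_log so neither shows up in the play output.
# The play runs as root over SSH (remote_user: root).
- hosts: ldap_sv
  remote_user: root
  vars:
    rootPasswd: "manager"    # olcRootPW of cn=config and of the hdb rootDN
    gid: "ldapmanager"       # POSIX group granted sudo at the end of the play
    uid: "user01"            # not used by this play; kept aligned with 3_adduser.yml
    gidnum: "1001"
    uidnum: "1001"
    keypass: "sshmanager"    # not used by this play; used by 4_publickey.yml
  tasks:
    # gcc / python-devel / openldap-devel are build deps of the python-ldap
    # wheel installed below (needed by the ldap_entry module).
    - name: Yum install
      yum: name={{ item }} state=present
      with_items:
        - openldap-servers
        - openssh-ldap
        - gcc
        - python-devel
        - openldap-devel
        - openldap-clients
        - sssd
        - sssd-client
        - sssd-ldap
        - oddjob-mkhomedir

    # get-pip.py is executed by the root python, so it is downloaded to disk
    # with certificate verification (get_url's default) instead of being
    # piped from curl -k, which skipped that check.
    - name: fetch get-pip.py
      get_url: url=https://bootstrap.pypa.io/get-pip.py dest=/root/get-pip.py mode=0644
    - name: install pip 1
      command: python /root/get-pip.py
    - name: install pip 2
      pip:
        name: python-ldap

    #### set slapd ####
    - name: port ldap to firewalld
      firewalld: service=ldap permanent=true state=enabled immediate=true
    - name: start slapd
      service: name=slapd state=started enabled=yes
    # SASL EXTERNAL over the ldapi socket: local root may modify cn=config
    # without a password. A second run is expected to fail here because the
    # schemas are already loaded. The openssh-lpk path is tied to the
    # openssh-ldap-7.4p1 package version.
    - name: add schema
      shell: >
        ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif;
        ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif;
        ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.ldif;

    #### set rootDN ####
    - name: copy DB_CONFIG
      shell: cp -p /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    # The LDIF files written below carry the olcRootPW hash: root-only
    # directory (0644 on a directory also lacked the search bit).
    - name: create ldif directory
      file: path=/root/ldif state=directory owner=root group=root mode=0700
    # slappasswd still receives the password on its command line (visible in
    # ps for a moment); no_log keeps it and the hash out of the play output.
    - name: create olcRootPW
      shell: slappasswd -s '{{ rootPasswd }}'
      register: olcrootpass
      no_log: true
    - name: create rootPW.ldif
      copy:
        dest: /root/ldif/rootPW.ldif
        owner: root
        group: root
        mode: '0600'
        content: |
          dn: olcDatabase={0}config,cn=config
          changetype: modify
          replace: olcRootPW
          olcRootPW: {{ olcrootpass.stdout }}
      no_log: true
    - name: execute ldapadd
      shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/rootPW.ldif
    # One LDIF with four records; records are separated by a real blank
    # line, which the LDIF parser requires.
    - name: create change-domain 2
      copy:
        dest: /root/ldif/change-domain.ldif
        owner: root
        group: root
        mode: '0600'
        content: |
          dn: olcDatabase={1}monitor,cn=config
          changetype: modify
          replace: olcAccess
          olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=abc,dc=def,dc=com" read by * none

          dn: olcDatabase={2}hdb,cn=config
          changetype: modify
          replace: olcSuffix
          olcSuffix: dc=abc,dc=def,dc=com

          dn: olcDatabase={2}hdb,cn=config
          changetype: modify
          replace: olcRootDN
          olcRootDN: cn=Manager,dc=abc,dc=def,dc=com

          dn: olcDatabase={2}hdb,cn=config
          changetype: modify
          replace: olcRootPW
          olcRootPW: {{ olcrootpass.stdout }}
      no_log: true
    # Same EXTERNAL bind as the task above, so the password is not passed
    # as a -w argument.
    - name: execute ldapmodify
      shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/change-domain.ldif

    #### set ou ####
    # ldap_entry binds as cn=Manager over loopback (ldap://localhost/).
    - name: baseDN objectClass
      ldap_entry:
        dn: dc=abc,dc=def,dc=com
        state: present
        server_uri: ldap://localhost/
        bind_dn: cn=Manager,dc=abc,dc=def,dc=com
        bind_pw: '{{ rootPasswd }}'
        objectClass:
          - dcObject
          - organization
        attributes:
          dc: abc
          o: AbcDef Inc.
    - name: People objectClass
      ldap_entry:
        dn: ou=People,dc=abc,dc=def,dc=com
        state: present
        server_uri: ldap://localhost/
        bind_dn: cn=Manager,dc=abc,dc=def,dc=com
        bind_pw: '{{ rootPasswd }}'
        objectClass: organizationalUnit
        attributes:
          ou: People
    - name: Group objectClass
      ldap_entry:
        dn: ou=Group,dc=abc,dc=def,dc=com
        state: present
        server_uri: ldap://localhost/
        bind_dn: cn=Manager,dc=abc,dc=def,dc=com
        bind_pw: '{{ rootPasswd }}'
        objectClass: organizationalUnit
        attributes:
          ou: Group

    #### set sssd and any config ####
    - name: sssd.conf create
      file: state=touch path=/etc/sssd/sssd.conf owner=root group=root mode=0600
    # Plain ldap:// with TLS off (ldap_id_use_start_tls = False,
    # ldap_tls_reqcert = never): passwords sent by sssd cross the network
    # unencrypted. Lab-only; StartTLS with a verified certificate is the
    # first hardening step. ou=SUDOers is referenced but not created by
    # this play.
    - name: sssd.conf write
      lineinfile: dest=/etc/sssd/sssd.conf state=present line="{{ item }}"
      with_items:
        - '[sssd]'
        - 'debug_level = 0'
        - 'config_file_version = 2'
        - 'services = nss, sudo, pam, ssh'
        - 'domains = default'
        - '[domain/default]'
        - 'id_provider = ldap'
        - 'auth_provider = ldap'
        - 'chpass_provider = ldap'
        - 'sudo_provider = ldap'
        - 'ldap_uri = ldap://192.168.3.6'
        - 'ldap_search_base = dc=abc,dc=def,dc=com'
        - 'ldap_sudo_search_base = ou=SUDOers,dc=abc,dc=def,dc=com'
        - 'ldap_id_use_start_tls = False'
        - 'ldap_search_timeout = 3'
        - 'ldap_network_timeout = 3'
        - 'ldap_opt_timeout = 3'
        - 'ldap_enumeration_search_timeout = 60'
        - 'ldap_enumeration_refresh_timeout = 300'
        - 'ldap_connection_expire_timeout = 600'
        - 'ldap_sudo_smart_refresh_interval = 600'
        - 'ldap_sudo_full_refresh_interval = 10800'
        - 'entry_cache_timeout = 1200'
        - 'cache_credentials = True'
        - 'ldap_tls_reqcert = never'
        - '[nss]'
        - 'homedir_substring = /home'
        - 'entry_negative_timeout = 20'
        - 'entry_cache_nowait_percentage = 50'
        - '[pam]'
        - '[sudo]'
        - '[autofs]'
        - '[ssh]'
        - '[pac]'
    - name: authconfig set 1
      shell: authconfig --enablesssd --enablesssdauth --enablelocauthorize --disableldap --disableldapauth --disableldaptls --update
    - name: homedir start
      service: name=oddjobd state=started enabled=yes
    - name: authconfig set 2
      shell: authconfig --enablemkhomedir --update
    # RSAAuthentication is an SSH protocol-1 keyword; current sshd ignores it.
    - name: sshd_config edit 1
      lineinfile: dest=/etc/ssh/sshd_config backup=yes state=present regexp='#RSAAuthentication yes' line='RSAAuthentication yes'
    - name: sshd_config edit 2
      lineinfile: dest=/etc/ssh/sshd_config state=present regexp='PubkeyAuthentication' line='PubkeyAuthentication yes'
    - name: sshd_config edit 3
      lineinfile: dest=/etc/ssh/sshd_config state=present regexp='AuthorizedKeysCommand ' line='AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'
    # The key-lookup helper needs no privileges: run it as nobody, not root.
    - name: sshd_config edit 4
      lineinfile: dest=/etc/ssh/sshd_config state=present regexp='AuthorizedKeysCommandUser' line='AuthorizedKeysCommandUser nobody'
    - name: sssd restart
      service: name=sssd state=restarted enabled=yes
    - name: sshd restart
      service: name=sshd state=restarted enabled=yes
    # validate runs visudo on the candidate file before it replaces
    # /etc/sudoers; a malformed sudoers locks everyone out of sudo.
    - name: edit sudoers
      lineinfile: dest=/etc/sudoers state=present line='%{{ gid }} ALL=(ALL) ALL' insertafter='%wheel' validate='visudo -cf %s'
[root@ansible_sv ~]#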
[root@ansible_sv ~]# cat /etc/ansible/yml/2_addgroup.yml
# 2_addgroup.yml -- add one POSIX group under ou=Group. Re-run with a new
# gid / gidnum pair for every additional group. rootPasswd is the
# cn=Manager bind password set by 1_set_ldapserver.yml (clear text here;
# consider an ansible-vault encrypted vars file).
- hosts: ldap_sv
  remote_user: root
  vars:
    rootPasswd: "manager"
    gid: "ldapmanager"   # group name (cn)
    gidnum: "1001"       # gidNumber; must be unique across groups
  ####add group####
  tasks:
    - name: cn objectClass
      ldap_entry:
        dn: cn={{ gid }},ou=Group,dc=abc,dc=def,dc=com
        state: present
        server_uri: ldap://localhost/
        bind_dn: cn=Manager,dc=abc,dc=def,dc=com
        bind_pw: '{{ rootPasswd }}'
        objectClass:
          - posixGroup
          - top
        attributes:
          cn: '{{ gid }}'
          gidNumber: '{{ gidnum }}'
[root@ansible_sv ~]#
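[root@ansible_sv ~]# cat /etc/ansible/yml/3_adduser.yml
# 3_adduser.yml -- create one POSIX account in LDAP. Re-run with new
# uid / uidnum / userpass values for every additional user.
# The entry is placed under the group entry (cn=<gid>,ou=Group,...), not
# under ou=People; sssd's search base dc=abc,dc=def,dc=com covers both.
# Passwords live here in clear text; consider an ansible-vault encrypted
# vars file. The tasks that see the password or its hash carry no_log.
- hosts: ldap_sv
  remote_user: root
  vars:
    rootPasswd: "manager"
    gid: "ldapmanager"
    uid: "user01"
    gidnum: "1001"
    uidnum: "1001"
    userpass: "ldapuser01"   # initial login password; same var name as 4_publickey.yml
  ####set user####
  tasks:
    # slappasswd receives the password on its command line (briefly visible
    # in ps); no_log keeps it and the hash out of the play output.
    - name: slappasswd
      shell: slappasswd -s '{{ userpass }}'
      register: user01pass
      no_log: true
    - name: useradd
      ldap_entry:
        dn: uid={{ uid }},cn={{ gid }},ou=Group,dc=abc,dc=def,dc=com
        state: present
        server_uri: ldap://localhost/
        bind_dn: cn=Manager,dc=abc,dc=def,dc=com
        bind_pw: '{{ rootPasswd }}'
        objectClass:
          - top
          - posixAccount
          - account
        attributes:
          gecos: ldapsystem manager
          cn: '{{ gid }}'
          uid: '{{ uid }}'
          uidNumber: '{{ uidnum }}'
          gidNumber: '{{ gidnum }}'
          homeDirectory: /home/{{ uid }}
          loginShell: /bin/bash
          userPassword: '{{ user01pass.stdout }}'
      no_log: true
[root@ansible_sv ~]#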
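[root@ansible_sv ~]# cat /etc/ansible/yml/4_publickey.yml
# 4_publickey.yml -- generate an ed25519 key pair for an existing LDAP user
# and publish the public half as the sshPublicKey attribute (openssh-lpk
# schema) so sshd can fetch it through sss_ssh_authorizedkeys.
#
# The key pair is generated on the LDAP server itself; the private key is
# left at /home/<uid>/.ssh/id_ed25519 there. Hand it to the user over a
# safe channel and remove it from the server afterwards.
# The account created by 3_adduser.yml is modified in place (objectClass and
# attribute added), so its password is left untouched.
# Not re-runnable as written: ssh-keygen refuses to overwrite an existing
# key and the mv fails once id_ed25519.pub has been renamed.
- hosts: ldap_sv
  remote_user: root
  vars:
    rootPasswd: "manager"
    gid: "ldapmanager"
    uid: "user01"
    gidnum: "1001"          # not used by this play; kept aligned with 3_adduser.yml
    uidnum: "1001"          # not used by this play; kept aligned with 3_adduser.yml
    keypass: "sshmanager"   # passphrase of the generated private key
  tasks:
    # sssd on ldap_sv resolves the LDAP account, so owner/group can be the
    # LDAP names directly.
    - name: create .ssh directory
      file: path=/home/{{ uid }}/.ssh state=directory owner={{ uid }} group={{ gid }} mode=0700
    # The passphrase is passed on ssh-keygen's command line (briefly visible
    # in ps); no_log keeps it out of the play output.
    - name: create sshPublickey
      shell: >
        ssh-keygen -t ed25519 -f /home/{{ uid }}/.ssh/id_ed25519 -N "{{ keypass }}";
      no_log: true
    - name: chmod id_ed25519*
      file: path=/home/{{ uid }}/.ssh/{{ item }} state=file owner={{ uid }} group={{ gid }} mode=0600
      with_items:
        - 'id_ed25519'
        - 'id_ed25519.pub'
    - name: rename authorized_keys
      shell: >
        mv /home/{{ uid }}/.ssh/id_ed25519.pub /home/{{ uid }}/.ssh/authorized_keys
    - name: stdout sshPublickey
      shell: cat /home/{{ uid }}/.ssh/authorized_keys
      register: pubkey
    # Auxiliary objectClass first, then the attribute it allows. This
    # replaces a delete-and-recreate of the account, which left a window
    # with no account and re-hashed its password.
    - name: add ldapPublickey objectClass
      ldap_attr:
        dn: uid={{ uid }},cn={{ gid }},ou=Group,dc=abc,dc=def,dc=com
        name: objectClass
        values: ldapPublickey
        state: present
        server_uri: ldap://localhost/
        bind_dn: cn=Manager,dc=abc,dc=def,dc=com
        bind_pw: '{{ rootPasswd }}'
    - name: set sshPublicKey
      ldap_attr:
        dn: uid={{ uid }},cn={{ gid }},ou=Group,dc=abc,dc=def,dc=com
        name: sshPublicKey
        values: "{{ pubkey.stdout }}"
        state: exact
        server_uri: ldap://localhost/
        bind_dn: cn=Manager,dc=abc,dc=def,dc=com
        bind_pw: '{{ rootPasswd }}'
[root@ansible_sv ~]#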
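[root@ansible_sv yml]# cat 5_ldapClient-create.yml
# 5_ldapClient-create.yml -- join a client host (ldapclient) to the LDAP
# server built by 1_set_ldapserver.yml: sssd for NSS/PAM, sshd public-key
# lookup through sss_ssh_authorizedkeys, sudo for the LDAP group.
# The sssd / sshd / sudoers tasks mirror the server play; keep both in step.
# The play runs as root over SSH (remote_user: root).
- hosts: ldapclient
  remote_user: root
  vars:
    gid: ldapmanager   # LDAP group granted sudo; must match 2_addgroup.yml
  tasks:
    - name: Yum install
      yum: name={{ item }} state=present
      with_items:
        - openldap-clients
        - sssd
        - sssd-client
        - sssd-ldap
        - oddjob-mkhomedir
    - name: sssd.conf create
      file: state=touch path=/etc/sssd/sssd.conf owner=root group=root mode=0600
    # Plain ldap:// with TLS off (ldap_id_use_start_tls = False,
    # ldap_tls_reqcert = never): passwords sent by sssd cross the network
    # to 192.168.3.6 unencrypted. Lab-only; StartTLS with a verified
    # certificate is the first hardening step. ou=SUDOers is referenced
    # but is not created by any of these plays.
    - name: sssd.conf write
      lineinfile: dest=/etc/sssd/sssd.conf state=present line="{{ item }}"
      with_items:
        - '[sssd]'
        - 'debug_level = 0'
        - 'config_file_version = 2'
        - 'services = nss, sudo, pam, ssh'
        - 'domains = default'
        - '[domain/default]'
        - 'id_provider = ldap'
        - 'auth_provider = ldap'
        - 'chpass_provider = ldap'
        - 'sudo_provider = ldap'
        - 'ldap_uri = ldap://192.168.3.6'
        - 'ldap_search_base = dc=abc,dc=def,dc=com'
        - 'ldap_sudo_search_base = ou=SUDOers,dc=abc,dc=def,dc=com'
        - 'ldap_id_use_start_tls = False'
        - 'ldap_search_timeout = 3'
        - 'ldap_network_timeout = 3'
        - 'ldap_opt_timeout = 3'
        - 'ldap_enumeration_search_timeout = 60'
        - 'ldap_enumeration_refresh_timeout = 300'
        - 'ldap_connection_expire_timeout = 600'
        - 'ldap_sudo_smart_refresh_interval = 600'
        - 'ldap_sudo_full_refresh_interval = 10800'
        - 'entry_cache_timeout = 1200'
        - 'cache_credentials = True'
        - 'ldap_tls_reqcert = never'
        - '[nss]'
        - 'homedir_substring = /home'
        - 'entry_negative_timeout = 20'
        - 'entry_cache_nowait_percentage = 50'
        - '[pam]'
        - '[sudo]'
        - '[autofs]'
        - '[ssh]'
        - '[pac]'
    - name: authconfig set 1
      shell: authconfig --enablesssd --enablesssdauth --enablelocauthorize --disableldap --disableldapauth --disableldaptls --update
    - name: homedir start
      service: name=oddjobd state=started enabled=yes
    - name: authconfig set 2
      shell: authconfig --enablemkhomedir --update
    # RSAAuthentication is an SSH protocol-1 keyword; current sshd ignores it.
    - name: sshd_config edit 1
      lineinfile: dest=/etc/ssh/sshd_config backup=yes state=present regexp='#RSAAuthentication yes' line='RSAAuthentication yes'
    - name: sshd_config edit 2
      lineinfile: dest=/etc/ssh/sshd_config state=present regexp='PubkeyAuthentication' line='PubkeyAuthentication yes'
    - name: sshd_config edit 3
      lineinfile: dest=/etc/ssh/sshd_config state=present regexp='AuthorizedKeysCommand ' line='AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'
    # The key-lookup helper needs no privileges: run it as nobody, not root.
    - name: sshd_config edit 4
      lineinfile: dest=/etc/ssh/sshd_config state=present regexp='AuthorizedKeysCommandUser' line='AuthorizedKeysCommandUser nobody'
    - name: sssd restart
      service: name=sssd state=restarted enabled=yes
    - name: sshd restart
      service: name=sshd state=restarted enabled=yes
    # validate runs visudo on the candidate file before it replaces
    # /etc/sudoers; a malformed sudoers locks everyone out of sudo.
    - name: edit sudoers
      lineinfile: dest=/etc/sudoers state=present line='%{{ gid }} ALL=(ALL) ALL' insertafter='%wheel' validate='visudo -cf %s'
[root@ansible_sv yml]#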
※「#」から始まる行はコメントアウト。
以上、5つのplaybookを順番に流してやるだけ!
そうすればldapサーバの構築からldapユーザの設定までメチャ楽チンです♪
え、そこまで作りこむのが面倒?(自演)
確かに大変かもしれません。けどansibleって「構成管理ツール」って謳ってますから。
スクリプトであると同時に、サーバがどんな設定なのかを、中身を見て分かるようになっているってのも特徴のひとつなんです。シェルスクリプトだと読み込まないと分からないですからね。。。
一度作っちゃえば本当に楽です。サーバ壊れてもすぐ立て直せます!
ldapサーバの構築だけをやりたい場合は、1_set_ldapserver.ymlだけ実行すればいいし。
ldapサーバの構築が終わった後、グループやユーザを追加する場合は2_addgroup.yml、3_adduser.yml、4_publickey.ymlをやればいいし。(ユーザ名やパスワードはvarsモジュールで宣言している該当箇所を変更して使いまわせるし)
てな感じ!
■ansible-playbookコマンドでplaybookを実行
せっかく整理したんで、がっつりやっちゃいましょう!
コマンドは
# ansible-playbook <playbook名(フルパス)>
[root@ansible_sv yml]# ansible-playbook /etc/ansible/yml/1_set_ldapserver.yml SSH password: PLAY [ldap_sv] *************************************************************************************************************************************** TASK [Gathering Facts] ******************************************************************************************************************************* ok: [192.168.3.6] TASK [Yum install] *********************************************************************************************************************************** changed: [192.168.3.6] => (item=[u'openldap-servers', u'openssh-ldap', u'gcc', u'python-devel', u'openldap-devel', u'openldap-clients', u'sssd', u'sssd-client', u'sssd-ldap', u'oddjob-mkhomedir']) TASK [install pip 1] ********************************************************************************************************************************* [WARNING]: Consider using get_url or uri module rather than running curl changed: [192.168.3.6] TASK [install pip 2] ********************************************************************************************************************************* changed: [192.168.3.6] TASK [port ldap to firewalld] ************************************************************************************************************************ changed: [192.168.3.6] TASK [start slapd] *********************************************************************************************************************************** changed: [192.168.3.6] TASK [add schema] ************************************************************************************************************************************ changed: [192.168.3.6] TASK [copy DB_CONFIG] ******************************************************************************************************************************** changed: [192.168.3.6] TASK [create ldif directory] 
************************************************************************************************************************* changed: [192.168.3.6] TASK [create rootPW] ********************************************************************************************************************************* changed: [192.168.3.6] TASK [create olcRootPW] ****************************************************************************************************************************** changed: [192.168.3.6] TASK [create rootPW.ldif] **************************************************************************************************************************** changed: [192.168.3.6] => (item=dn: olcDatabase={0}config,cn=config) changed: [192.168.3.6] => (item=changetype: modify) changed: [192.168.3.6] => (item=replace: olcRootPW) changed: [192.168.3.6] => (item=olcRootPW: {SSHA}siQSliG0mpzcKcfSQFCF0e3jJ8vgBycu) TASK [execute ldapadd] ******************************************************************************************************************************* changed: [192.168.3.6] TASK [create change-domain 2] ************************************************************************************************************************ changed: [192.168.3.6] TASK [execute ldapmodify] **************************************************************************************************************************** changed: [192.168.3.6] TASK [baseDN objectClass] **************************************************************************************************************************** changed: [192.168.3.6] TASK [People objectClass] **************************************************************************************************************************** changed: [192.168.3.6] TASK [Group objectClass] ***************************************************************************************************************************** changed: [192.168.3.6] TASK [sssd.conf create] 
****************************************************************************************************************************** changed: [192.168.3.6] TASK [sssd.conf write] ******************************************************************************************************************************* changed: [192.168.3.6] => (item=[sssd]) changed: [192.168.3.6] => (item=debug_level = 0) changed: [192.168.3.6] => (item=config_file_version = 2) changed: [192.168.3.6] => (item=services = nss, sudo, pam, ssh) changed: [192.168.3.6] => (item=domains = default) changed: [192.168.3.6] => (item=[domain/default]) changed: [192.168.3.6] => (item=id_provider = ldap) changed: [192.168.3.6] => (item=auth_provider = ldap) changed: [192.168.3.6] => (item=chpass_provider = ldap) changed: [192.168.3.6] => (item=sudo_provider = ldap) changed: [192.168.3.6] => (item=ldap_uri = ldap://192.168.3.6) changed: [192.168.3.6] => (item=ldap_search_base = dc=abc,dc=def,dc=com) changed: [192.168.3.6] => (item=ldap_sudo_search_base = ou=SUDOers,dc=abc,dc=def,dc=com) changed: [192.168.3.6] => (item=ldap_id_use_start_tls = False) changed: [192.168.3.6] => (item=ldap_search_timeout = 3) changed: [192.168.3.6] => (item=ldap_network_timeout = 3) changed: [192.168.3.6] => (item=ldap_opt_timeout = 3) changed: [192.168.3.6] => (item=ldap_enumeration_search_timeout = 60) changed: [192.168.3.6] => (item=ldap_enumeration_refresh_timeout = 300) changed: [192.168.3.6] => (item=ldap_connection_expire_timeout = 600) changed: [192.168.3.6] => (item=ldap_sudo_smart_refresh_interval = 600) changed: [192.168.3.6] => (item=ldap_sudo_full_refresh_interval = 10800) changed: [192.168.3.6] => (item=entry_cache_timeout = 1200) changed: [192.168.3.6] => (item=cache_credentials = True) changed: [192.168.3.6] => (item=ldap_tls_reqcert = never) changed: [192.168.3.6] => (item=[nss]) changed: [192.168.3.6] => (item=homedir_substring = /home) changed: [192.168.3.6] => (item=entry_negative_timeout = 20) changed: [192.168.3.6] 
=> (item=entry_cache_nowait_percentage = 50) changed: [192.168.3.6] => (item=[pam]) changed: [192.168.3.6] => (item=[sudo]) changed: [192.168.3.6] => (item=[autofs]) changed: [192.168.3.6] => (item=[ssh]) changed: [192.168.3.6] => (item=[pac]) TASK [authconfig set 1] ****************************************************************************************************************************** changed: [192.168.3.6] TASK [homedir start] ********************************************************************************************************************************* changed: [192.168.3.6] TASK [authconfig set 2] ****************************************************************************************************************************** changed: [192.168.3.6] TASK [sshd_config edit 1] **************************************************************************************************************************** changed: [192.168.3.6] TASK [sshd_config edit 2] **************************************************************************************************************************** changed: [192.168.3.6] TASK [sshd_config edit 3] **************************************************************************************************************************** changed: [192.168.3.6] TASK [sshd_config edit 4] **************************************************************************************************************************** changed: [192.168.3.6] TASK [sssd restart] ********************************************************************************************************************************** changed: [192.168.3.6] TASK [sshd restart] ********************************************************************************************************************************** changed: [192.168.3.6] TASK [edit sudoers] ********************************************************************************************************************************** changed: [192.168.3.6] PLAY RECAP 
******************************************************************************************************************************************* 192.168.3.6 : ok=30 changed=29 unreachable=0 failed=0 [root@ansible_sv yml]# ansible-playbook /etc/ansible/yml/2_addgroup.yml SSH password: PLAY [ldap_sv] *************************************************************************************************************************************** TASK [Gathering Facts] ******************************************************************************************************************************* ok: [192.168.3.6] TASK [cn objectClass] ******************************************************************************************************************************** changed: [192.168.3.6] PLAY RECAP ******************************************************************************************************************************************* 192.168.3.6 : ok=2 changed=1 unreachable=0 failed=0 [root@ansible_sv yml]# ansible-playbook /etc/ansible/yml/3_adduser.yml SSH password: PLAY [ldap_sv] *************************************************************************************************************************************** TASK [Gathering Facts] ******************************************************************************************************************************* ok: [192.168.3.6] TASK [slappasswd] ************************************************************************************************************************************ changed: [192.168.3.6] TASK [useradd] *************************************************************************************************************************************** changed: [192.168.3.6] PLAY RECAP ******************************************************************************************************************************************* 192.168.3.6 : ok=3 changed=2 unreachable=0 failed=0 [root@ansible_sv yml]# ansible-playbook 
/etc/ansible/yml/4_publickey.yml SSH password: PLAY [ldap_sv] *************************************************************************************************************************************** TASK [Gathering Facts] ******************************************************************************************************************************* ok: [192.168.3.6] TASK [execute su] ************************************************************************************************************************************ [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running su changed: [192.168.3.6] TASK [create .ssh directory] ************************************************************************************************************************* changed: [192.168.3.6] TASK [create sshPublickey] *************************************************************************************************************************** changed: [192.168.3.6] TASK [chmod id_ed25519*] ***************************************************************************************************************************** changed: [192.168.3.6] => (item=id_ed25519) changed: [192.168.3.6] => (item=id_ed25519.pub) TASK [rename authorized_keys] ************************************************************************************************************************ changed: [192.168.3.6] TASK [userdel] *************************************************************************************************************************************** changed: [192.168.3.6] TASK [stdout slappasswd] ***************************************************************************************************************************** changed: [192.168.3.6] TASK [stdout sshPublickey] *************************************************************************************************************************** changed: [192.168.3.6] TASK [re-exec useradd] 
******************************************************************************************************************************* changed: [192.168.3.6] PLAY RECAP ******************************************************************************************************************************************* 192.168.3.6 : ok=10 changed=9 unreachable=0 failed=0 [root@ansible_sv ~]# ansible-playbook /etc/ansible/yml/5_ldapClient-create.yml SSH password: PLAY [ldapclient] ************************************************************************************************************************************ TASK [Gathering Facts] ******************************************************************************************************************************* ok: [192.168.3.7] TASK [Yum install] *********************************************************************************************************************************** changed: [192.168.3.7] => (item=[u'openldap-clients', u'sssd', u'sssd-client', u'sssd-ldap', u'oddjob-mkhomedir']) TASK [sssd.conf create] ****************************************************************************************************************************** changed: [192.168.3.7] TASK [sssd.conf write] ******************************************************************************************************************************* changed: [192.168.3.7] => (item=[sssd]) changed: [192.168.3.7] => (item=debug_level = 0) changed: [192.168.3.7] => (item=config_file_version = 2) changed: [192.168.3.7] => (item=services = nss, sudo, pam, ssh) changed: [192.168.3.7] => (item=domains = default) changed: [192.168.3.7] => (item=[domain/default]) changed: [192.168.3.7] => (item=id_provider = ldap) changed: [192.168.3.7] => (item=auth_provider = ldap) changed: [192.168.3.7] => (item=chpass_provider = ldap) changed: [192.168.3.7] => (item=sudo_provider = ldap) changed: [192.168.3.7] => (item=ldap_uri = ldap://192.168.3.6) changed: [192.168.3.7] => (item=ldap_search_base = 
dc=abc,dc=def,dc=com) changed: [192.168.3.7] => (item=ldap_sudo_search_base = ou=SUDOers,dc=abc,dc=def,dc=com) changed: [192.168.3.7] => (item=ldap_id_use_start_tls = False) changed: [192.168.3.7] => (item=ldap_search_timeout = 3) changed: [192.168.3.7] => (item=ldap_network_timeout = 3) changed: [192.168.3.7] => (item=ldap_opt_timeout = 3) changed: [192.168.3.7] => (item=ldap_enumeration_search_timeout = 60) changed: [192.168.3.7] => (item=ldap_enumeration_refresh_timeout = 300) changed: [192.168.3.7] => (item=ldap_connection_expire_timeout = 600) changed: [192.168.3.7] => (item=ldap_sudo_smart_refresh_interval = 600) changed: [192.168.3.7] => (item=ldap_sudo_full_refresh_interval = 10800) changed: [192.168.3.7] => (item=entry_cache_timeout = 1200) changed: [192.168.3.7] => (item=cache_credentials = True) changed: [192.168.3.7] => (item=ldap_tls_reqcert = never) changed: [192.168.3.7] => (item=[nss]) changed: [192.168.3.7] => (item=homedir_substring = /home) changed: [192.168.3.7] => (item=entry_negative_timeout = 20) changed: [192.168.3.7] => (item=entry_cache_nowait_percentage = 50) changed: [192.168.3.7] => (item=[pam]) changed: [192.168.3.7] => (item=[sudo]) changed: [192.168.3.7] => (item=[autofs]) changed: [192.168.3.7] => (item=[ssh]) changed: [192.168.3.7] => (item=[pac]) TASK [authconfig set 1] ****************************************************************************************************************************** changed: [192.168.3.7] TASK [homedir start] ********************************************************************************************************************************* changed: [192.168.3.7] TASK [authconfig set 2] ****************************************************************************************************************************** changed: [192.168.3.7] TASK [sshd_config edit 1] **************************************************************************************************************************** changed: [192.168.3.7] 
TASK [sshd_config edit 2] **************************************************************************************************************************** changed: [192.168.3.7] TASK [sshd_config edit 3] **************************************************************************************************************************** changed: [192.168.3.7] TASK [sshd_config edit 4] **************************************************************************************************************************** changed: [192.168.3.7] TASK [sssd restart] ********************************************************************************************************************************** changed: [192.168.3.7] TASK [sshd restart] ********************************************************************************************************************************** changed: [192.168.3.7] TASK [edit sudoers] ********************************************************************************************************************************** changed: [192.168.3.7] PLAY RECAP ******************************************************************************************************************************************* 192.168.3.7 : ok=14 changed=13 unreachable=0 failed=0 [root@ansible_sv yml]#
一切エラー無し!
いやー気持ちいいっす\(^o^)/