Building an OpenLDAP Environment with Ansible - Summary

Posted by: | January 28, 2018

I wrote quite a lot in the previous posts, but to make things more practical I have reorganized the playbooks further.

When reorganizing, I focused on the following points.
・Permanent settings (settings that, once made, should never need to change) are all gathered into the LDAP server build playbook.
・Groups (cn) and LDAP users are things you add every time a user is added, so those got their own separate playbooks.
・User names/passwords and group names are consistently defined as variables in vars.

So the resulting playbooks are:
・LDAP server build playbook
・Group (cn) setup playbook
・LDAP user setup playbook
・SSH public key setup playbook
・LDAP client build playbook

If you don't want SSH key authentication, comment out the lineinfile module with line='PubkeyAuthentication yes' in the LDAP server build playbook and the LDAP client build playbook, and simply don't run the SSH public key setup playbook. In that case the password at SSH login is "ldapuser01".
※ Not recommended for security reasons...


■Configuring /etc/ansible/hosts

[root@ansible_sv ~]# vi /etc/ansible/hosts
[ldap_sv]
192.168.3.6

[ldapclient]
192.168.3.7


■LDAP server build playbook

[root@ansible_sv ~]# cat /etc/ansible/yml/1_set_ldapserver.yml
- hosts: ldap_sv
  remote_user: root

  vars:
    rootPasswd: "manager"
    gid: "ldapmanager"
    uid: "user01"
    gidnum: "1001"
    uidnum: "1001"
    keypass: "sshmanager"

  tasks:
  - name: Yum install
    yum: name={{ item }} state=present
    with_items:
      - openldap-servers
      - openssh-ldap
      - gcc
      - python-devel
      - openldap-devel
      - openldap-clients
      - sssd
      - sssd-client
      - sssd-ldap
      - oddjob-mkhomedir

  - name: install pip 1
    shell: curl -kL https://bootstrap.pypa.io/get-pip.py | python

  - name: install pip 2
    pip:
      name: python-ldap

####set slapd####
  - name: port ldap to firewalld
    firewalld:
      service=ldap
      permanent=true
      state=enabled
      immediate=true

  - name: start slapd
    service:
      name=slapd
      state=started
      enabled=yes

  - name: add schema
    shell: >
      ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif;
      ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif;
      ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.ldif;

####set rootDN####
  - name: copy DB_CONFIG
    shell: cp -p /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

  - name: create ldif directory
    file:
      path=/root/ldif
      state=directory
      owner=root
      group=root
      mode=0644

  - name: create rootPW
    file:
      state=touch
      path=/root/ldif/rootPW.ldif
      owner=root
      group=root
      mode=0644

  - name: create olcRootPW
    shell: slappasswd -s {{ rootPasswd }}
    register: olcrootpass

  - name: create rootPW.ldif
    lineinfile:
      dest=/root/ldif/rootPW.ldif
      state=present
      line="{{ item }}"
    with_items:
      - 'dn: olcDatabase={0}config,cn=config'
      - 'changetype: modify'
      - 'replace: olcRootPW'
      - 'olcRootPW: {{ olcrootpass.stdout }}'

  - name: execute ldapadd
    shell: ldapmodify -Y EXTERNAL -H ldapi:// -f /root/ldif/rootPW.ldif

  - name: create change-domain 2
    shell: >
      echo "dn: olcDatabase={1}monitor,cn=config" > /root/ldif/change-domain.ldif;
      echo "changetype: modify" >> /root/ldif/change-domain.ldif;
      echo "replace: olcAccess" >> /root/ldif/change-domain.ldif;
      echo 'olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=abc,dc=def,dc=com" read by * none' >> /root/ldif/change-domain.ldif;
      echo \ >> /root/ldif/change-domain.ldif;
      echo "dn: olcDatabase={2}hdb,cn=config" >> /root/ldif/change-domain.ldif;
      echo "changetype: modify" >> /root/ldif/change-domain.ldif;
      echo "replace: olcSuffix" >> /root/ldif/change-domain.ldif;
      echo "olcSuffix: dc=abc,dc=def,dc=com"  >> /root/ldif/change-domain.ldif;
      echo \ >> /root/ldif/change-domain.ldif;
      echo "dn: olcDatabase={2}hdb,cn=config" >> /root/ldif/change-domain.ldif;
      echo "changetype: modify" >> /root/ldif/change-domain.ldif;
      echo "replace: olcRootDN" >> /root/ldif/change-domain.ldif;
      echo "olcRootDN: cn=Manager,dc=abc,dc=def,dc=com" >> /root/ldif/change-domain.ldif;
      echo \ >> /root/ldif/change-domain.ldif;
      echo "dn: olcDatabase={2}hdb,cn=config" >> /root/ldif/change-domain.ldif;
      echo "changetype: modify" >> /root/ldif/change-domain.ldif;
      echo "replace: olcRootPW" >> /root/ldif/change-domain.ldif;
      echo "olcRootPW: {{ olcrootpass.stdout }}" >> /root/ldif/change-domain.ldif

  - name: execute ldapmodify
    shell: ldapmodify -x -D cn=config -w {{ rootPasswd }} -f /root/ldif/change-domain.ldif

####set ou####
  - name: baseDN objectClass
    ldap_entry:
      dn: dc=abc,dc=def,dc=com
      state: present
      server_uri: ldap://localhost/
      bind_dn: cn=Manager,dc=abc,dc=def,dc=com
      bind_pw: '{{ rootPasswd }}'
      objectClass:
        - dcObject
        - organization
      attributes:
        dc: abc
        o: AbcDef Inc.

  - name: People objectClass
    ldap_entry:
      dn: ou=People,dc=abc,dc=def,dc=com
      state: present
      server_uri: ldap://localhost/
      bind_dn: cn=Manager,dc=abc,dc=def,dc=com
      bind_pw: '{{ rootPasswd }}'
      objectClass: organizationalUnit
      attributes:
        ou: People

  - name: Group objectClass
    ldap_entry:
      dn: ou=Group,dc=abc,dc=def,dc=com
      state: present
      server_uri: ldap://localhost/
      bind_dn: cn=Manager,dc=abc,dc=def,dc=com
      bind_pw: '{{ rootPasswd }}'
      objectClass: organizationalUnit
      attributes:
        ou: Group

####set sssd and any config####
  - name: sssd.conf create
    file:
      state=touch
      path=/etc/sssd/sssd.conf
      owner=root
      group=root
      mode=0600

  - name: sssd.conf write
    lineinfile:
      dest=/etc/sssd/sssd.conf
      state=present
      line="{{ item }}"
    with_items:
      - '[sssd]'
      - 'debug_level = 0'
      - 'config_file_version = 2'
      - 'services = nss, sudo, pam, ssh'
      - 'domains = default'
      - '[domain/default]'
      - 'id_provider = ldap'
      - 'auth_provider = ldap'
      - 'chpass_provider = ldap'
      - 'sudo_provider = ldap'
      - 'ldap_uri = ldap://192.168.3.6'
      - 'ldap_search_base = dc=abc,dc=def,dc=com'
      - 'ldap_sudo_search_base = ou=SUDOers,dc=abc,dc=def,dc=com'
      - 'ldap_id_use_start_tls = False'
      - 'ldap_search_timeout = 3'
      - 'ldap_network_timeout = 3'
      - 'ldap_opt_timeout = 3'
      - 'ldap_enumeration_search_timeout = 60'
      - 'ldap_enumeration_refresh_timeout = 300'
      - 'ldap_connection_expire_timeout = 600'
      - 'ldap_sudo_smart_refresh_interval = 600'
      - 'ldap_sudo_full_refresh_interval = 10800'
      - 'entry_cache_timeout = 1200'
      - 'cache_credentials = True'
      - 'ldap_tls_reqcert = never'
      - '[nss]'
      - 'homedir_substring = /home'
      - 'entry_negative_timeout = 20'
      - 'entry_cache_nowait_percentage = 50'
      - '[pam]'
      - '[sudo]'
      - '[autofs]'
      - '[ssh]'
      - '[pac]'

  - name: authconfig set 1
    shell: authconfig --enablesssd --enablesssdauth --enablelocauthorize --disableldap --disableldapauth --disableldaptls --update

  - name: homedir start
    service:
      name=oddjobd
      state=started
      enabled=yes

  - name: authconfig set 2
    shell: authconfig --enablemkhomedir --update

  - name: sshd_config edit 1
    lineinfile:
      dest=/etc/ssh/sshd_config
      backup=yes
      state=present
      regexp='#RSAAuthentication yes'
      line='RSAAuthentication yes'

  - name: sshd_config edit 2
    lineinfile:
      dest=/etc/ssh/sshd_config
      state=present
      regexp='PubkeyAuthentication'
      line='PubkeyAuthentication yes'

  - name: sshd_config edit 3
    lineinfile:
      dest=/etc/ssh/sshd_config
      state=present
      regexp='AuthorizedKeysCommand '
      line='AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'

  - name: sshd_config edit 4
    lineinfile:
      dest=/etc/ssh/sshd_config
      state=present
      regexp='AuthorizedKeysCommandUser'
      line='AuthorizedKeysCommandUser root'

  - name: sssd restart
    service:
      name=sssd
      state=restarted
      enabled=yes

  - name: sshd restart
    service:
      name=sshd
      state=restarted
      enabled=yes

  - name: edit sudoers
    lineinfile:
      dest=/etc/sudoers
      state=present
      line='%{{ gid }}  ALL=(ALL)       ALL'
      insertafter='%wheel'
[root@ansible_sv ~]#


■Group (cn) setup playbook

[root@ansible_sv ~]# cat /etc/ansible/yml/2_addgroup.yml
- hosts: ldap_sv
  remote_user: root

  vars:
    rootPasswd: "manager"
    gid: "ldapmanager"
    gidnum: "1001"

####add group####
  tasks:
  - name: cn objectClass
    ldap_entry:
      dn: cn={{ gid }},ou=Group,dc=abc,dc=def,dc=com
      state: present
      server_uri: ldap://localhost/
      bind_dn: cn=Manager,dc=abc,dc=def,dc=com
      bind_pw: '{{ rootPasswd }}'
      objectClass:
        - posixGroup
        - top
      attributes:
        cn: '{{ gid }}'
        gidNumber: '{{ gidnum }}'
[root@ansible_sv ~]#


■LDAP user setup playbook

[root@ansible_sv ~]# cat /etc/ansible/yml/3_adduser.yml
- hosts: ldap_sv
  remote_user: root

  vars:
    rootPasswd: "manager"
    gid: "ldapmanager"
    uid: "user01"
    gidnum: "1001"
    uidnum: "1001"

####set user####
  tasks:
  - name: slappasswd
    shell: slappasswd -s ldapuser01
    register: user01pass

  - name: useradd
    ldap_entry:
      dn: uid={{ uid }},cn={{ gid }},ou=Group,dc=abc,dc=def,dc=com
      state: present
      server_uri: ldap://localhost/
      bind_dn: cn=Manager,dc=abc,dc=def,dc=com
      bind_pw: '{{ rootPasswd }}'
      objectClass:
        - top
        - posixAccount
        - account
      attributes:
        gecos: ldapsystem manager
        cn: '{{ gid }}'
        uid: '{{ uid }}'
        uidNumber: '{{ uidnum }}'
        gidNumber: '{{ gidnum }}'
        homeDirectory: /home/{{ uid }}
        loginShell: /bin/bash
        userPassword: '{{ user01pass.stdout }}'
[root@ansible_sv ~]#


■SSH public key setup playbook

[root@ansible_sv ~]# cat /etc/ansible/yml/4_publickey.yml
- hosts: ldap_sv
  remote_user: root

  vars:
    rootPasswd: "manager"
    gid: "ldapmanager"
    uid: "user01"
    gidnum: "1001"
    uidnum: "1001"
    userpass: "ldapuser01"
    keypass: "sshmanager"

  tasks:
  - name: execute su
    shell: >
      su {{ uid }}

  - name: create .ssh directory
    file:
      path=/home/{{ uid }}/.ssh
      state=directory
      owner={{ uid }}
      group={{ gid }}
      mode=0700

  - name: create sshPublickey
    shell: >
      ssh-keygen -t ed25519 -f /home/{{ uid }}/.ssh/id_ed25519 -N "{{ keypass }}";

  - name: chmod id_ed25519*
    file:
      path=/home/{{ uid }}/.ssh/{{ item }}
      state=file
      owner={{ uid }}
      group={{ gid }}
      mode=0600
    with_items:
      - 'id_ed25519'
      - 'id_ed25519.pub'

  - name: rename authorized_keys
    shell: >
      mv /home/{{ uid }}/.ssh/id_ed25519.pub /home/{{ uid }}/.ssh/authorized_keys

  - name: userdel
    ldap_entry:
      dn: uid={{ uid }},cn={{ gid }},ou=Group,dc=abc,dc=def,dc=com
      state: absent
      server_uri: ldap://localhost/
      bind_dn: cn=Manager,dc=abc,dc=def,dc=com
      bind_pw: '{{ rootPasswd }}'

  - name: stdout slappasswd
    shell: slappasswd -s {{ userpass }}
    register: user01pass

  - name: stdout sshPublickey
    shell: cat /home/{{ uid }}/.ssh/authorized_keys
    register: pubkey

  - name: re-exec useradd
    ldap_entry:
      dn: uid={{ uid }},cn={{ gid }},ou=Group,dc=abc,dc=def,dc=com
      state: present
      server_uri: ldap://localhost/
      bind_dn: cn=Manager,dc=abc,dc=def,dc=com
      bind_pw: '{{ rootPasswd }}'
      objectClass:
        - top
        - posixAccount
        - account
        - ldapPublickey
      attributes:
        gecos: ldapsystem manager
        cn: "{{ gid }}"
        uid: "{{ uid }}"
        uidNumber: "{{ uidnum }}"
        gidNumber: "{{ gidnum }}"
        homeDirectory: /home/{{ uid }}
        loginShell: /bin/bash
        userPassword: "{{ user01pass.stdout }}"
        sshPublicKey: "{{ pubkey.stdout }}"

[root@ansible_sv ~]#
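As an added example (not part of the original post or of the playbooks above), here is a Python stand-in for two things the playbooks do with shell tasks: producing a slappasswd-compatible {SSHA} value for olcRootPW/userPassword, and rendering the LDIF modify records that 1_set_ldapserver.yml assembles with echo/lineinfile, plus an in-place modify that attaches sshPublicKey to an existing user entry instead of the delete-and-recreate that 4_publickey.yml does. The DNs are the ones used in the playbooks; the public key string is a constructed placeholder, not a real key.

```python
# Added example, not code from the original post: a Python stand-in for the
# `slappasswd -s` + echo/lineinfile steps in 1_set_ldapserver.yml and for the
# delete-and-recreate sequence in 4_publickey.yml.
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Sequence, Tuple

# DNs taken from the playbooks above.
CONFIG_DB_DN = "olcDatabase={0}config,cn=config"
HDB_DN = "olcDatabase={2}hdb,cn=config"
SUFFIX = "dc=abc,dc=def,dc=com"
ROOT_DN = "cn=Manager,dc=abc,dc=def,dc=com"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value in the format slappasswd emits:
    '{SSHA}' + base64( SHA1(password || salt) || salt ).
    slappasswd uses a 4-byte random salt; any length decodes fine."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.
    The salt is whatever follows the 20-byte SHA-1 digest, so hashes
    made with a non-default salt size verify as well."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < 20:
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


Change = Tuple[str, str, Sequence[str]]  # (op, attribute, values)


def ldif_modify(dn: str, changes: Sequence[Change]) -> str:
    """Render one LDIF 'changetype: modify' record (RFC 2849).
    Each (op, attribute, values) becomes an add:/replace:/delete: block
    closed by the '-' separator. The playbook's echo version writes
    single-operation records without the separator, which ldapmodify
    accepted in the run above; this is the documented form."""
    lines: List[str] = ["dn: " + dn, "changetype: modify"]
    for op, attr, values in changes:
        lines.append(f"{op}: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def rootpw_ldif(password_hash: str) -> str:
    """rootPW.ldif: set olcRootPW on the cn=config database."""
    return ldif_modify(CONFIG_DB_DN, [("replace", "olcRootPW", [password_hash])])


def change_domain_ldif(password_hash: str) -> str:
    """change-domain.ldif for the hdb database: suffix, rootDN and rootPW
    as one record with three operations (the monitor-database olcAccess
    change from the playbook is left out here)."""
    return ldif_modify(HDB_DN, [
        ("replace", "olcSuffix", [SUFFIX]),
        ("replace", "olcRootDN", [ROOT_DN]),
        ("replace", "olcRootPW", [password_hash]),
    ])


def add_sshkey_ldif(user_dn: str, pubkey: str) -> str:
    """Attach the openssh-lpk objectClass and an sshPublicKey to an
    existing posixAccount. 4_publickey.yml deletes and re-creates the
    entry to reach the same state; an in-place modify leaves uidNumber,
    userPassword and everything else on the entry untouched.
    (The playbook spells the class ldapPublickey; the schema file defines
    ldapPublicKey and objectClass names match case-insensitively.)"""
    return ldif_modify(user_dn, [
        ("add", "objectClass", ["ldapPublicKey"]),
        ("add", "sshPublicKey", [pubkey]),
    ])


if __name__ == "__main__":
    h = ssha_hash("manager")
    print(rootpw_ldif(h))
    print(change_domain_ldif(h))
    user_dn = "uid=user01,cn=ldapmanager,ou=Group," + SUFFIX
    # Constructed placeholder key, not a real key.
    print(add_sshkey_ldif(user_dn, "ssh-ed25519 AAAAC3PLACEHOLDER user01@constructed"))
```

Because slappasswd picks a fresh random salt each time, the olcRootPW string differs on every run of the play; ssha_verify lets a task compare the stored value against the desired password and skip the replace when it already matches.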


■LDAP client build playbook

[root@ansible_sv yml]# cat 5_ldapClient-create.yml
- hosts: ldapclient
  remote_user: root

  vars:
    gid: ldapmanager

  tasks:
  - name: Yum install
    yum: name={{ item }} state=present
    with_items:
      - openldap-clients
      - sssd
      - sssd-client
      - sssd-ldap
      - oddjob-mkhomedir

  - name: sssd.conf create
    file:
      state=touch
      path=/etc/sssd/sssd.conf
      owner=root
      group=root
      mode=0600

  - name: sssd.conf write
    lineinfile:
      dest=/etc/sssd/sssd.conf
      state=present
      line="{{ item }}"
    with_items:
      - '[sssd]'
      - 'debug_level = 0'
      - 'config_file_version = 2'
      - 'services = nss, sudo, pam, ssh'
      - 'domains = default'
      - '[domain/default]'
      - 'id_provider = ldap'
      - 'auth_provider = ldap'
      - 'chpass_provider = ldap'
      - 'sudo_provider = ldap'
      - 'ldap_uri = ldap://192.168.3.6'
      - 'ldap_search_base = dc=abc,dc=def,dc=com'
      - 'ldap_sudo_search_base = ou=SUDOers,dc=abc,dc=def,dc=com'
      - 'ldap_id_use_start_tls = False'
      - 'ldap_search_timeout = 3'
      - 'ldap_network_timeout = 3'
      - 'ldap_opt_timeout = 3'
      - 'ldap_enumeration_search_timeout = 60'
      - 'ldap_enumeration_refresh_timeout = 300'
      - 'ldap_connection_expire_timeout = 600'
      - 'ldap_sudo_smart_refresh_interval = 600'
      - 'ldap_sudo_full_refresh_interval = 10800'
      - 'entry_cache_timeout = 1200'
      - 'cache_credentials = True'
      - 'ldap_tls_reqcert = never'
      - '[nss]'
      - 'homedir_substring = /home'
      - 'entry_negative_timeout = 20'
      - 'entry_cache_nowait_percentage = 50'
      - '[pam]'
      - '[sudo]'
      - '[autofs]'
      - '[ssh]'
      - '[pac]'

  - name: authconfig set 1
    shell: authconfig --enablesssd --enablesssdauth --enablelocauthorize --disableldap --disableldapauth --disableldaptls --update

  - name: homedir start
    service:
      name=oddjobd
      state=started
      enabled=yes

  - name: authconfig set 2
    shell: authconfig --enablemkhomedir --update

  - name: sshd_config edit 1
    lineinfile:
      dest=/etc/ssh/sshd_config
      backup=yes
      state=present
      regexp='#RSAAuthentication yes'
      line='RSAAuthentication yes'

  - name: sshd_config edit 2
    lineinfile:
      dest=/etc/ssh/sshd_config
      state=present
      regexp='PubkeyAuthentication'
      line='PubkeyAuthentication yes'

  - name: sshd_config edit 3
    lineinfile:
      dest=/etc/ssh/sshd_config
      state=present
      regexp='AuthorizedKeysCommand '
      line='AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'

  - name: sshd_config edit 4
    lineinfile:
      dest=/etc/ssh/sshd_config
      state=present
      regexp='AuthorizedKeysCommandUser'
      line='AuthorizedKeysCommandUser root'

  - name: sssd restart
    service:
      name=sssd
      state=restarted
      enabled=yes

  - name: sshd restart
    service:
      name=sshd
      state=restarted
      enabled=yes

  - name: edit sudoers
    lineinfile:
      dest=/etc/sudoers
      state=present
      line='%{{ gid }}  ALL=(ALL)       ALL'
      insertafter='%wheel'
[root@ansible_sv yml]#

※ Lines beginning with "#" are commented out.
That's it: just run the five playbooks in order!
Then everything from building the LDAP server to setting up LDAP users is a breeze♪

What, too much effort to build all this? (talking to myself)

It may well be a lot of work. But Ansible bills itself as a "configuration management tool".
Besides being a script, one of its features is that you can tell how a server is configured just by reading the playbook. With a shell script you have to read through the code to find out...
Once you have built it, it really is easy. If a server breaks you can rebuild it right away!

If you only want to build the LDAP server, just run 1_set_ldapserver.yml.
Once the LDAP server is built, to add groups and users run 2_addgroup.yml, 3_adduser.yml and 4_publickey.yml. (They can be reused by changing the user name and password in the relevant vars declarations.)
Something like that!


■Running the playbooks with the ansible-playbook command

Since I've gone to the trouble of tidying up, let's run the whole thing!
The command is
# ansible-playbook <playbook name (full path)>

[root@ansible_sv yml]# ansible-playbook /etc/ansible/yml/1_set_ldapserver.yml
SSH password:

PLAY [ldap_sv] ***************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************
ok: [192.168.3.6]

TASK [Yum install] ***********************************************************************************************************************************
changed: [192.168.3.6] => (item=[u'openldap-servers', u'openssh-ldap', u'gcc', u'python-devel', u'openldap-devel', u'openldap-clients', u'sssd', u'sssd-client', u'sssd-ldap', u'oddjob-mkhomedir'])

TASK [install pip 1] *********************************************************************************************************************************
 [WARNING]: Consider using get_url or uri module rather than running curl

changed: [192.168.3.6]

TASK [install pip 2] *********************************************************************************************************************************
changed: [192.168.3.6]

TASK [port ldap to firewalld] ************************************************************************************************************************
changed: [192.168.3.6]

TASK [start slapd] ***********************************************************************************************************************************
changed: [192.168.3.6]

TASK [add schema] ************************************************************************************************************************************
changed: [192.168.3.6]

TASK [copy DB_CONFIG] ********************************************************************************************************************************
changed: [192.168.3.6]

TASK [create ldif directory] *************************************************************************************************************************
changed: [192.168.3.6]

TASK [create rootPW] *********************************************************************************************************************************
changed: [192.168.3.6]

TASK [create olcRootPW] ******************************************************************************************************************************
changed: [192.168.3.6]

TASK [create rootPW.ldif] ****************************************************************************************************************************
changed: [192.168.3.6] => (item=dn: olcDatabase={0}config,cn=config)
changed: [192.168.3.6] => (item=changetype: modify)
changed: [192.168.3.6] => (item=replace: olcRootPW)
changed: [192.168.3.6] => (item=olcRootPW: {SSHA}siQSliG0mpzcKcfSQFCF0e3jJ8vgBycu)

TASK [execute ldapadd] *******************************************************************************************************************************
changed: [192.168.3.6]

TASK [create change-domain 2] ************************************************************************************************************************
changed: [192.168.3.6]

TASK [execute ldapmodify] ****************************************************************************************************************************
changed: [192.168.3.6]

TASK [baseDN objectClass] ****************************************************************************************************************************
changed: [192.168.3.6]

TASK [People objectClass] ****************************************************************************************************************************
changed: [192.168.3.6]

TASK [Group objectClass] *****************************************************************************************************************************
changed: [192.168.3.6]

TASK [sssd.conf create] ******************************************************************************************************************************
changed: [192.168.3.6]

TASK [sssd.conf write] *******************************************************************************************************************************
changed: [192.168.3.6] => (item=[sssd])
changed: [192.168.3.6] => (item=debug_level = 0)
changed: [192.168.3.6] => (item=config_file_version = 2)
changed: [192.168.3.6] => (item=services = nss, sudo, pam, ssh)
changed: [192.168.3.6] => (item=domains = default)
changed: [192.168.3.6] => (item=[domain/default])
changed: [192.168.3.6] => (item=id_provider = ldap)
changed: [192.168.3.6] => (item=auth_provider = ldap)
changed: [192.168.3.6] => (item=chpass_provider = ldap)
changed: [192.168.3.6] => (item=sudo_provider = ldap)
changed: [192.168.3.6] => (item=ldap_uri = ldap://192.168.3.6)
changed: [192.168.3.6] => (item=ldap_search_base = dc=abc,dc=def,dc=com)
changed: [192.168.3.6] => (item=ldap_sudo_search_base = ou=SUDOers,dc=abc,dc=def,dc=com)
changed: [192.168.3.6] => (item=ldap_id_use_start_tls = False)
changed: [192.168.3.6] => (item=ldap_search_timeout = 3)
changed: [192.168.3.6] => (item=ldap_network_timeout = 3)
changed: [192.168.3.6] => (item=ldap_opt_timeout = 3)
changed: [192.168.3.6] => (item=ldap_enumeration_search_timeout = 60)
changed: [192.168.3.6] => (item=ldap_enumeration_refresh_timeout = 300)
changed: [192.168.3.6] => (item=ldap_connection_expire_timeout = 600)
changed: [192.168.3.6] => (item=ldap_sudo_smart_refresh_interval = 600)
changed: [192.168.3.6] => (item=ldap_sudo_full_refresh_interval = 10800)
changed: [192.168.3.6] => (item=entry_cache_timeout = 1200)
changed: [192.168.3.6] => (item=cache_credentials = True)
changed: [192.168.3.6] => (item=ldap_tls_reqcert = never)
changed: [192.168.3.6] => (item=[nss])
changed: [192.168.3.6] => (item=homedir_substring = /home)
changed: [192.168.3.6] => (item=entry_negative_timeout = 20)
changed: [192.168.3.6] => (item=entry_cache_nowait_percentage = 50)
changed: [192.168.3.6] => (item=[pam])
changed: [192.168.3.6] => (item=[sudo])
changed: [192.168.3.6] => (item=[autofs])
changed: [192.168.3.6] => (item=[ssh])
changed: [192.168.3.6] => (item=[pac])

TASK [authconfig set 1] ******************************************************************************************************************************
changed: [192.168.3.6]

TASK [homedir start] *********************************************************************************************************************************
changed: [192.168.3.6]

TASK [authconfig set 2] ******************************************************************************************************************************
changed: [192.168.3.6]

TASK [sshd_config edit 1] ****************************************************************************************************************************
changed: [192.168.3.6]

TASK [sshd_config edit 2] ****************************************************************************************************************************
changed: [192.168.3.6]

TASK [sshd_config edit 3] ****************************************************************************************************************************
changed: [192.168.3.6]

TASK [sshd_config edit 4] ****************************************************************************************************************************
changed: [192.168.3.6]

TASK [sssd restart] **********************************************************************************************************************************
changed: [192.168.3.6]

TASK [sshd restart] **********************************************************************************************************************************
changed: [192.168.3.6]

TASK [edit sudoers] **********************************************************************************************************************************
changed: [192.168.3.6]

PLAY RECAP *******************************************************************************************************************************************
192.168.3.6                : ok=30   changed=29   unreachable=0    failed=0

[root@ansible_sv yml]# ansible-playbook /etc/ansible/yml/2_addgroup.yml
SSH password:

PLAY [ldap_sv] ***************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************
ok: [192.168.3.6]

TASK [cn objectClass] ********************************************************************************************************************************
changed: [192.168.3.6]

PLAY RECAP *******************************************************************************************************************************************
192.168.3.6                : ok=2    changed=1    unreachable=0    failed=0

[root@ansible_sv yml]# ansible-playbook /etc/ansible/yml/3_adduser.yml
SSH password:

PLAY [ldap_sv] ***************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************
ok: [192.168.3.6]

TASK [slappasswd] ************************************************************************************************************************************
changed: [192.168.3.6]

TASK [useradd] ***************************************************************************************************************************************
changed: [192.168.3.6]

PLAY RECAP *******************************************************************************************************************************************
192.168.3.6                : ok=3    changed=2    unreachable=0    failed=0

[root@ansible_sv yml]# ansible-playbook /etc/ansible/yml/4_publickey.yml
SSH password:

PLAY [ldap_sv] ***************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************
ok: [192.168.3.6]

TASK [execute su] ************************************************************************************************************************************
 [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running su

changed: [192.168.3.6]

TASK [create .ssh directory] *************************************************************************************************************************
changed: [192.168.3.6]

TASK [create sshPublickey] ***************************************************************************************************************************
changed: [192.168.3.6]

TASK [chmod id_ed25519*] *****************************************************************************************************************************
changed: [192.168.3.6] => (item=id_ed25519)
changed: [192.168.3.6] => (item=id_ed25519.pub)

TASK [rename authorized_keys] ************************************************************************************************************************
changed: [192.168.3.6]

TASK [userdel] ***************************************************************************************************************************************
changed: [192.168.3.6]

TASK [stdout slappasswd] *****************************************************************************************************************************
changed: [192.168.3.6]

TASK [stdout sshPublickey] ***************************************************************************************************************************
changed: [192.168.3.6]

TASK [re-exec useradd] *******************************************************************************************************************************
changed: [192.168.3.6]

PLAY RECAP *******************************************************************************************************************************************
192.168.3.6                : ok=10   changed=9    unreachable=0    failed=0

[root@ansible_sv ~]# ansible-playbook /etc/ansible/yml/5_ldapClient-create.yml
SSH password:

PLAY [ldapclient] ************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************
ok: [192.168.3.7]

TASK [Yum install] ***********************************************************************************************************************************
changed: [192.168.3.7] => (item=[u'openldap-clients', u'sssd', u'sssd-client', u'sssd-ldap', u'oddjob-mkhomedir'])

TASK [sssd.conf create] ******************************************************************************************************************************
changed: [192.168.3.7]

TASK [sssd.conf write] *******************************************************************************************************************************
changed: [192.168.3.7] => (item=[sssd])
changed: [192.168.3.7] => (item=debug_level = 0)
changed: [192.168.3.7] => (item=config_file_version = 2)
changed: [192.168.3.7] => (item=services = nss, sudo, pam, ssh)
changed: [192.168.3.7] => (item=domains = default)
changed: [192.168.3.7] => (item=[domain/default])
changed: [192.168.3.7] => (item=id_provider = ldap)
changed: [192.168.3.7] => (item=auth_provider = ldap)
changed: [192.168.3.7] => (item=chpass_provider = ldap)
changed: [192.168.3.7] => (item=sudo_provider = ldap)
changed: [192.168.3.7] => (item=ldap_uri = ldap://192.168.3.6)
changed: [192.168.3.7] => (item=ldap_search_base = dc=abc,dc=def,dc=com)
changed: [192.168.3.7] => (item=ldap_sudo_search_base = ou=SUDOers,dc=abc,dc=def,dc=com)
changed: [192.168.3.7] => (item=ldap_id_use_start_tls = False)
changed: [192.168.3.7] => (item=ldap_search_timeout = 3)
changed: [192.168.3.7] => (item=ldap_network_timeout = 3)
changed: [192.168.3.7] => (item=ldap_opt_timeout = 3)
changed: [192.168.3.7] => (item=ldap_enumeration_search_timeout = 60)
changed: [192.168.3.7] => (item=ldap_enumeration_refresh_timeout = 300)
changed: [192.168.3.7] => (item=ldap_connection_expire_timeout = 600)
changed: [192.168.3.7] => (item=ldap_sudo_smart_refresh_interval = 600)
changed: [192.168.3.7] => (item=ldap_sudo_full_refresh_interval = 10800)
changed: [192.168.3.7] => (item=entry_cache_timeout = 1200)
changed: [192.168.3.7] => (item=cache_credentials = True)
changed: [192.168.3.7] => (item=ldap_tls_reqcert = never)
changed: [192.168.3.7] => (item=[nss])
changed: [192.168.3.7] => (item=homedir_substring = /home)
changed: [192.168.3.7] => (item=entry_negative_timeout = 20)
changed: [192.168.3.7] => (item=entry_cache_nowait_percentage = 50)
changed: [192.168.3.7] => (item=[pam])
changed: [192.168.3.7] => (item=[sudo])
changed: [192.168.3.7] => (item=[autofs])
changed: [192.168.3.7] => (item=[ssh])
changed: [192.168.3.7] => (item=[pac])

TASK [authconfig set 1] ******************************************************************************************************************************
changed: [192.168.3.7]

TASK [homedir start] *********************************************************************************************************************************
changed: [192.168.3.7]

TASK [authconfig set 2] ******************************************************************************************************************************
changed: [192.168.3.7]

TASK [sshd_config edit 1] ****************************************************************************************************************************
changed: [192.168.3.7]

TASK [sshd_config edit 2] ****************************************************************************************************************************
changed: [192.168.3.7]

TASK [sshd_config edit 3] ****************************************************************************************************************************
changed: [192.168.3.7]

TASK [sshd_config edit 4] ****************************************************************************************************************************
changed: [192.168.3.7]

TASK [sssd restart] **********************************************************************************************************************************
changed: [192.168.3.7]

TASK [sshd restart] **********************************************************************************************************************************
changed: [192.168.3.7]

TASK [edit sudoers] **********************************************************************************************************************************
changed: [192.168.3.7]

PLAY RECAP *******************************************************************************************************************************************
192.168.3.7                : ok=14   changed=13   unreachable=0    failed=0

[root@ansible_sv yml]#

Not a single error!
Feels great \(^o^)/
