前投稿まででいろいろ書いてしまったが、より実用的にするために、さらにplaybookを整理した。
整理するにあたり、以下の観点に注力した。
・恒久設定(一度設定したら、ずっと変わらないであろう設定)の部分は、すべてldapサーバ構築用playbookにまとめた。
・グループ(cn)やldapユーザはユーザが増えるごとに追加する部分なので、playbookを独立させた。
・ユーザ名/パスワード系やグループ名はvarsモジュールで変数定義するように統一した。
ということで出来上がったplaybookは
・ldapサーバ構築用playbook
・グループ(cn)設定用playbook
・ldapユーザ設定用playbook
・ssh公開鍵設定用playbook
・ldapクライアント構築用playbook
ssh鍵認証をしたくない、という方は、ldapサーバ構築用playbookとldapクライアント構築用playbookにある「 line=’PubkeyAuthentication yes’」となるlineinfileモジュールをコメントアウトしてssh公開鍵設定用playbookを実行しなければOKかと。その場合、sshログイン時のパスワードは「ldapuser01」になる。
※セキュリティ上お勧めしません。。。
■/etc/ansible/hostsの設定
[root@ansible_sv ~]# vi /etc/ansible/hosts [ldap_sv] 192.168.3.6 [ldapclient] 192.168.3.7
[root@ansible_sv ~]# cat /etc/ansible/yml/1_set_ldapserver.yml
- hosts: ldap_sv
remote_user: root
vars:
rootPasswd: "manager"
gid: "ldapmanager"
uid: "user01"
gidnum: "1001"
uidnum: "1001"
keypass: "sshmanager"
tasks:
- name: Yum install
yum: name={{ item }} state=present
with_items:
- openldap-servers
- openssh-ldap
- gcc
- python-devel
- openldap-devel
- openldap-clients
- sssd
- sssd-client
- sssd-ldap
- oddjob-mkhomedir
- name: install pip 1
shell: curl -kL https://bootstrap.pypa.io/get-pip.py | python
- name: install pip 2
pip:
name: python-ldap
####set slapd####
- name: port ldap to firewalld
firewalld:
service=ldap
permanent=true
state=enabled
immediate=true
- name: start slapd
service:
name=slapd
state=started
enabled=yes
- name: add schema
shell: >
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif;
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif;
ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.ldif;
####set rootDN####
- name: copy DB_CONFIG
shell: cp -p /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- name: create ldif directory
file:
path=/root/ldif
state=directory
owner=root
group=root
mode=0644
- name: create rootPW
file:
state=touch
path=/root/ldif/rootPW.ldif
owner=root
group=root
mode=0644
- name: create olcRootPW
shell: slappasswd -s {{ rootPasswd }}
register: olcrootpass
- name: create rootPW.ldif
lineinfile:
dest=/root/ldif/rootPW.ldif
state=present
line="{{ item }}"
with_items:
- 'dn: olcDatabase={0}config,cn=config'
- 'changetype: modify'
- 'replace: olcRootPW'
- 'olcRootPW: {{ olcrootpass.stdout }}'
- name: execute ldapadd
shell: ldapmodify -Y EXTERNAL -H ldapi:// -f /root/ldif/rootPW.ldif
- name: create change-domain 2
shell: >
echo "dn: olcDatabase={1}monitor,cn=config" > /root/ldif/change-domain.ldif;
echo "changetype: modify" >> /root/ldif/change-domain.ldif;
echo "replace: olcAccess" >> /root/ldif/change-domain.ldif;
echo 'olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=abc,dc=def,dc=com" read by * none' >> /root/ldif/change-domain.ldif;
echo \ >> /root/ldif/change-domain.ldif;
echo "dn: olcDatabase={2}hdb,cn=config" >> /root/ldif/change-domain.ldif;
echo "changetype: modify" >> /root/ldif/change-domain.ldif;
echo "replace: olcSuffix" >> /root/ldif/change-domain.ldif;
echo "olcSuffix: dc=abc,dc=def,dc=com" >> /root/ldif/change-domain.ldif;
echo \ >> /root/ldif/change-domain.ldif;
echo "dn: olcDatabase={2}hdb,cn=config" >> /root/ldif/change-domain.ldif;
echo "changetype: modify" >> /root/ldif/change-domain.ldif;
echo "replace: olcRootDN" >> /root/ldif/change-domain.ldif;
echo "olcRootDN: cn=Manager,dc=abc,dc=def,dc=com" >> /root/ldif/change-domain.ldif;
echo \ >> /root/ldif/change-domain.ldif;
echo "dn: olcDatabase={2}hdb,cn=config" >> /root/ldif/change-domain.ldif;
echo "changetype: modify" >> /root/ldif/change-domain.ldif;
echo "replace: olcRootPW" >> /root/ldif/change-domain.ldif;
echo "olcRootPW: {{ olcrootpass.stdout }}" >> /root/ldif/change-domain.ldif
- name: execute ldapmodify
shell: ldapmodify -x -D cn=config -w {{ rootPasswd }} -f /root/ldif/change-domain.ldif
####set ou####
- name: baseDN objectClass
ldap_entry:
dn: dc=abc,dc=def,dc=com
state: present
server_uri: ldap://localhost/
bind_dn: cn=Manager,dc=abc,dc=def,dc=com
bind_pw: '{{ rootPasswd }}'
objectClass:
- dcObject
- organization
attributes:
dc: abc
o: AbcDef Inc.
- name: People objectClass
ldap_entry:
dn: ou=People,dc=abc,dc=def,dc=com
state: present
server_uri: ldap://localhost/
bind_dn: cn=Manager,dc=abc,dc=def,dc=com
bind_pw: '{{ rootPasswd }}'
objectClass: organizationalUnit
attributes:
ou: People
- name: Group objectClass
ldap_entry:
dn: ou=Group,dc=abc,dc=def,dc=com
state: present
server_uri: ldap://localhost/
bind_dn: cn=Manager,dc=abc,dc=def,dc=com
bind_pw: '{{ rootPasswd }}'
objectClass: organizationalUnit
attributes:
ou: Group
####set sssd and any config####
- name: sssd.conf create
file:
state=touch
path=/etc/sssd/sssd.conf
owner=root
group=root
mode=0600
- name: sssd.conf write
lineinfile:
dest=/etc/sssd/sssd.conf
state=present
line="{{ item }}"
with_items:
- '[sssd]'
- 'debug_level = 0'
- 'config_file_version = 2'
- 'services = nss, sudo, pam, ssh'
- 'domains = default'
- '[domain/default]'
- 'id_provider = ldap'
- 'auth_provider = ldap'
- 'chpass_provider = ldap'
- 'sudo_provider = ldap'
- 'ldap_uri = ldap://192.168.3.6'
- 'ldap_search_base = dc=abc,dc=def,dc=com'
- 'ldap_sudo_search_base = ou=SUDOers,dc=abc,dc=def,dc=com'
- 'ldap_id_use_start_tls = False'
- 'ldap_search_timeout = 3'
- 'ldap_network_timeout = 3'
- 'ldap_opt_timeout = 3'
- 'ldap_enumeration_search_timeout = 60'
- 'ldap_enumeration_refresh_timeout = 300'
- 'ldap_connection_expire_timeout = 600'
- 'ldap_sudo_smart_refresh_interval = 600'
- 'ldap_sudo_full_refresh_interval = 10800'
- 'entry_cache_timeout = 1200'
- 'cache_credentials = True'
- 'ldap_tls_reqcert = never'
- '[nss]'
- 'homedir_substring = /home'
- 'entry_negative_timeout = 20'
- 'entry_cache_nowait_percentage = 50'
- '[pam]'
- '[sudo]'
- '[autofs]'
- '[ssh]'
- '[pac]'
- name: authconfig set 1
shell: authconfig --enablesssd --enablesssdauth --enablelocauthorize --disableldap --disableldapauth --disableldaptls --update
- name: homedir start
service:
name=oddjobd
state=started
enabled=yes
- name: authconfig set 2
shell: authconfig --enablemkhomedir --update
- name: sshd_config edit 1
lineinfile:
dest=/etc/ssh/sshd_config
backup=yes
state=present
regexp='#RSAAuthentication yes'
line='RSAAuthentication yes'
- name: sshd_config edit 2
lineinfile:
dest=/etc/ssh/sshd_config
state=present
regexp='PubkeyAuthentication'
line='PubkeyAuthentication yes'
- name: sshd_config edit 3
lineinfile:
dest=/etc/ssh/sshd_config
state=present
regexp='AuthorizedKeysCommand '
line='AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'
- name: sshd_config edit 4
lineinfile:
dest=/etc/ssh/sshd_config
state=present
regexp='AuthorizedKeysCommandUser'
line='AuthorizedKeysCommandUser root'
- name: sssd restart
service:
name=sssd
state=restarted
enabled=yes
- name: sshd restart
service:
name=sshd
state=restarted
enabled=yes
- name: edit sudoers
lineinfile:
dest=/etc/sudoers
state=present
line='%{{ gid }} ALL=(ALL) ALL'
insertafter='%wheel'
[root@ansible_sv ~]#
[root@ansible_sv ~]# cat /etc/ansible/yml/2_addgroup.yml
- hosts: ldap_sv
remote_user: root
vars:
rootPasswd: "manager"
gid: "ldapmanager"
gidnum: "1001"
####add group####
tasks:
- name: cn objectClass
ldap_entry:
dn: cn={{ gid }},ou=Group,dc=abc,dc=def,dc=com
state: present
server_uri: ldap://localhost/
bind_dn: cn=Manager,dc=abc,dc=def,dc=com
bind_pw: '{{ rootPasswd }}'
objectClass:
- posixGroup
- top
attributes:
cn: '{{ gid }}'
gidNumber: '{{ gidnum }}'
[root@ansible_sv ~]#
[root@ansible_sv ~]# cat /etc/ansible/yml/3_adduser.yml
- hosts: ldap_sv
remote_user: root
vars:
rootPasswd: "manager"
gid: "ldapmanager"
uid: "user01"
gidnum: "1001"
uidnum: "1001"
####set user####
tasks:
- name: slappasswd
shell: slappasswd -s ldapuser01
register: user01pass
- name: useradd
ldap_entry:
dn: uid={{ uid }},cn={{ gid }},ou=Group,dc=abc,dc=def,dc=com
state: present
server_uri: ldap://localhost/
bind_dn: cn=Manager,dc=abc,dc=def,dc=com
bind_pw: '{{ rootPasswd }}'
objectClass:
- top
- posixAccount
- account
attributes:
gecos: ldapsystem manager
cn: '{{ gid }}'
uid: '{{ uid }}'
uidNumber: '{{ uidnum }}'
gidNumber: '{{ gidnum }}'
homeDirectory: /home/{{ uid }}
loginShell: /bin/bash
userPassword: '{{ user01pass.stdout }}'
[root@ansible_sv ~]#
[root@ansible_sv ~]# cat /etc/ansible/yml/4_publickey.yml
- hosts: ldap_sv
remote_user: root
vars:
rootPasswd: "manager"
gid: "ldapmanager"
uid: "user01"
gidnum: "1001"
uidnum: "1001"
userpass: "ldapuser01"
keypass: "sshmanager"
tasks:
- name: execute su
shell: >
su {{ uid }}
- name: create .ssh directory
file:
path=/home/{{ uid }}/.ssh
state=directory
owner={{ uid }}
group={{ gid }}
mode=0700
- name: create sshPublickey
shell: >
ssh-keygen -t ed25519 -f /home/{{ uid }}/.ssh/id_ed25519 -N "{{ keypass }}";
- name: chmod id_ed25519*
file:
path=/home/{{ uid }}/.ssh/{{ item }}
state=file
owner={{ uid }}
group={{ gid }}
mode=0600
with_items:
- 'id_ed25519'
- 'id_ed25519.pub'
- name: rename authorized_keys
shell: >
mv /home/{{ uid }}/.ssh/id_ed25519.pub /home/{{ uid }}/.ssh/authorized_keys
- name: userdel
ldap_entry:
dn: uid={{ uid }},cn={{ gid }},ou=Group,dc=abc,dc=def,dc=com
state: absent
server_uri: ldap://localhost/
bind_dn: cn=Manager,dc=abc,dc=def,dc=com
bind_pw: '{{ rootPasswd }}'
- name: stdout slappasswd
shell: slappasswd -s {{ userpass }}
register: user01pass
- name: stdout sshPublickey
shell: cat /home/{{ uid }}/.ssh/authorized_keys
register: pubkey
- name: re-exec useradd
ldap_entry:
dn: uid={{ uid }},cn={{ gid }},ou=Group,dc=abc,dc=def,dc=com
state: present
server_uri: ldap://localhost/
bind_dn: cn=Manager,dc=abc,dc=def,dc=com
bind_pw: '{{ rootPasswd }}'
objectClass:
- top
- posixAccount
- account
- ldapPublickey
attributes:
gecos: ldapsystem manager
cn: "{{ gid }}"
uid: "{{ uid }}"
uidNumber: "{{ uidnum }}"
gidNumber: "{{ gidnum }}"
homeDirectory: /home/{{ uid }}
loginShell: /bin/bash
userPassword: "{{ user01pass.stdout }}"
sshPublicKey: "{{ pubkey.stdout }}"
[root@ansible_sv ~]#
[root@ansible_sv yml]# cat 5_ldapClient-create.yml
- hosts: ldapclient
remote_user: root
vars:
gid: ldapmanager
tasks:
- name: Yum install
yum: name={{ item }} state=present
with_items:
- openldap-clients
- sssd
- sssd-client
- sssd-ldap
- oddjob-mkhomedir
- name: sssd.conf create
file:
state=touch
path=/etc/sssd/sssd.conf
owner=root
group=root
mode=0600
- name: sssd.conf write
lineinfile:
dest=/etc/sssd/sssd.conf
state=present
line="{{ item }}"
with_items:
- '[sssd]'
- 'debug_level = 0'
- 'config_file_version = 2'
- 'services = nss, sudo, pam, ssh'
- 'domains = default'
- '[domain/default]'
- 'id_provider = ldap'
- 'auth_provider = ldap'
- 'chpass_provider = ldap'
- 'sudo_provider = ldap'
- 'ldap_uri = ldap://192.168.3.6'
- 'ldap_search_base = dc=abc,dc=def,dc=com'
- 'ldap_sudo_search_base = ou=SUDOers,dc=abc,dc=def,dc=com'
- 'ldap_id_use_start_tls = False'
- 'ldap_search_timeout = 3'
- 'ldap_network_timeout = 3'
- 'ldap_opt_timeout = 3'
- 'ldap_enumeration_search_timeout = 60'
- 'ldap_enumeration_refresh_timeout = 300'
- 'ldap_connection_expire_timeout = 600'
- 'ldap_sudo_smart_refresh_interval = 600'
- 'ldap_sudo_full_refresh_interval = 10800'
- 'entry_cache_timeout = 1200'
- 'cache_credentials = True'
- 'ldap_tls_reqcert = never'
- '[nss]'
- 'homedir_substring = /home'
- 'entry_negative_timeout = 20'
- 'entry_cache_nowait_percentage = 50'
- '[pam]'
- '[sudo]'
- '[autofs]'
- '[ssh]'
- '[pac]'
- name: authconfig set 1
shell: authconfig --enablesssd --enablesssdauth --enablelocauthorize --disableldap --disableldapauth --disableldaptls --update
- name: homedir start
service:
name=oddjobd
state=started
enabled=yes
- name: authconfig set 2
shell: authconfig --enablemkhomedir --update
- name: sshd_config edit 1
lineinfile:
dest=/etc/ssh/sshd_config
backup=yes
state=present
regexp='#RSAAuthentication yes'
line='RSAAuthentication yes'
- name: sshd_config edit 2
lineinfile:
dest=/etc/ssh/sshd_config
state=present
regexp='PubkeyAuthentication'
line='PubkeyAuthentication yes'
- name: sshd_config edit 3
lineinfile:
dest=/etc/ssh/sshd_config
state=present
regexp='AuthorizedKeysCommand '
line='AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'
- name: sshd_config edit 4
lineinfile:
dest=/etc/ssh/sshd_config
state=present
regexp='AuthorizedKeysCommandUser'
line='AuthorizedKeysCommandUser root'
- name: sssd restart
service:
name=sssd
state=restarted
enabled=yes
- name: sshd restart
service:
name=sshd
state=restarted
enabled=yes
- name: edit sudoers
lineinfile:
dest=/etc/sudoers
state=present
line='%{{ gid }} ALL=(ALL) ALL'
insertafter='%wheel'
[root@ansible_sv yml]#
※「#」から始まる行はコメントアウト。
以上、5つのplaybookを順番に流してやるだけ!
そうすればldapサーバの構築からldapユーザの設定までメチャ楽チンです♪
え、そこまで作りこむのが面倒?(自演)
確かに大変かもしれません。けどansibleって「構成管理ツール」って謳ってますから。
スクリプトであると同時に、サーバがどんな設定なのかを、中身を見て分かるようになっているってのも特徴のひとつなんです。シェルスクリプトだと読み込まないと分からないですからね。。。
一度作っちゃえば本当に楽です。サーバ壊れてもすぐ立て直せます!
ldapサーバの構築だけをやりたい場合は、1_set_ldapserver.ymlだけ実行すればいいし。
ldapサーバの構築が終わった後、グループやユーザを追加する場合は2_addgroup.yml、3_adduser.yml、4_publickey.ymlをやればいいし。(ユーザ名やパスワードはvarsモジュールで宣言している該当箇所を変更して使いまわせるし)
てな感じ!
■ansible-playbookコマンドでplaybookを実行
せっかく整理したんで、がっつりやっちゃいましょう!
コマンドは
# ansible-playbook <playbook名(フルパス)>
[root@ansible_sv yml]# ansible-playbook /etc/ansible/yml/1_set_ldapserver.yml SSH password: PLAY [ldap_sv] *************************************************************************************************************************************** TASK [Gathering Facts] ******************************************************************************************************************************* ok: [192.168.3.6] TASK [Yum install] *********************************************************************************************************************************** changed: [192.168.3.6] => (item=[u'openldap-servers', u'openssh-ldap', u'gcc', u'python-devel', u'openldap-devel', u'openldap-clients', u'sssd', u'sssd-client', u'sssd-ldap', u'oddjob-mkhomedir']) TASK [install pip 1] ********************************************************************************************************************************* [WARNING]: Consider using get_url or uri module rather than running curl changed: [192.168.3.6] TASK [install pip 2] ********************************************************************************************************************************* changed: [192.168.3.6] TASK [port ldap to firewalld] ************************************************************************************************************************ changed: [192.168.3.6] TASK [start slapd] *********************************************************************************************************************************** changed: [192.168.3.6] TASK [add schema] ************************************************************************************************************************************ changed: [192.168.3.6] TASK [copy DB_CONFIG] ******************************************************************************************************************************** changed: [192.168.3.6] TASK [create ldif directory] ************************************************************************************************************************* changed: [192.168.3.6] TASK [create rootPW] ********************************************************************************************************************************* changed: [192.168.3.6] TASK [create olcRootPW] ****************************************************************************************************************************** changed: [192.168.3.6] TASK [create rootPW.ldif] **************************************************************************************************************************** changed: [192.168.3.6] => (item=dn: olcDatabase={0}config,cn=config) changed: [192.168.3.6] => (item=changetype: modify) changed: [192.168.3.6] => (item=replace: olcRootPW) changed: [192.168.3.6] => (item=olcRootPW: {SSHA}siQSliG0mpzcKcfSQFCF0e3jJ8vgBycu) TASK [execute ldapadd] ******************************************************************************************************************************* changed: [192.168.3.6] TASK [create change-domain 2] ************************************************************************************************************************ changed: [192.168.3.6] TASK [execute ldapmodify] **************************************************************************************************************************** changed: [192.168.3.6] TASK [baseDN objectClass] **************************************************************************************************************************** changed: [192.168.3.6] TASK [People objectClass] **************************************************************************************************************************** changed: [192.168.3.6] TASK [Group objectClass] ***************************************************************************************************************************** changed: [192.168.3.6] TASK [sssd.conf create] ****************************************************************************************************************************** changed: [192.168.3.6] TASK [sssd.conf write] ******************************************************************************************************************************* changed: [192.168.3.6] => (item=[sssd]) changed: [192.168.3.6] => (item=debug_level = 0) changed: [192.168.3.6] => (item=config_file_version = 2) changed: [192.168.3.6] => (item=services = nss, sudo, pam, ssh) changed: [192.168.3.6] => (item=domains = default) changed: [192.168.3.6] => (item=[domain/default]) changed: [192.168.3.6] => (item=id_provider = ldap) changed: [192.168.3.6] => (item=auth_provider = ldap) changed: [192.168.3.6] => (item=chpass_provider = ldap) changed: [192.168.3.6] => (item=sudo_provider = ldap) changed: [192.168.3.6] => (item=ldap_uri = ldap://192.168.3.6) changed: [192.168.3.6] => (item=ldap_search_base = dc=abc,dc=def,dc=com) changed: [192.168.3.6] => (item=ldap_sudo_search_base = ou=SUDOers,dc=abc,dc=def,dc=com) changed: [192.168.3.6] => (item=ldap_id_use_start_tls = False) changed: [192.168.3.6] => (item=ldap_search_timeout = 3) changed: [192.168.3.6] => (item=ldap_network_timeout = 3) changed: [192.168.3.6] => (item=ldap_opt_timeout = 3) changed: [192.168.3.6] => (item=ldap_enumeration_search_timeout = 60) changed: [192.168.3.6] => (item=ldap_enumeration_refresh_timeout = 300) changed: [192.168.3.6] => (item=ldap_connection_expire_timeout = 600) changed: [192.168.3.6] => (item=ldap_sudo_smart_refresh_interval = 600) changed: [192.168.3.6] => (item=ldap_sudo_full_refresh_interval = 10800) changed: [192.168.3.6] => (item=entry_cache_timeout = 1200) changed: [192.168.3.6] => (item=cache_credentials = True) changed: [192.168.3.6] => (item=ldap_tls_reqcert = never) changed: [192.168.3.6] => (item=[nss]) changed: [192.168.3.6] => (item=homedir_substring = /home) changed: [192.168.3.6] => (item=entry_negative_timeout = 20) changed: [192.168.3.6] => (item=entry_cache_nowait_percentage = 50) changed: [192.168.3.6] => (item=[pam]) changed: [192.168.3.6] => (item=[sudo]) changed: [192.168.3.6] => (item=[autofs]) changed: [192.168.3.6] => (item=[ssh]) changed: [192.168.3.6] => (item=[pac]) TASK [authconfig set 1] ****************************************************************************************************************************** changed: [192.168.3.6] TASK [homedir start] ********************************************************************************************************************************* changed: [192.168.3.6] TASK [authconfig set 2] ****************************************************************************************************************************** changed: [192.168.3.6] TASK [sshd_config edit 1] **************************************************************************************************************************** changed: [192.168.3.6] TASK [sshd_config edit 2] **************************************************************************************************************************** changed: [192.168.3.6] TASK [sshd_config edit 3] **************************************************************************************************************************** changed: [192.168.3.6] TASK [sshd_config edit 4] **************************************************************************************************************************** changed: [192.168.3.6] TASK [sssd restart] ********************************************************************************************************************************** changed: [192.168.3.6] TASK [sshd restart] ********************************************************************************************************************************** changed: [192.168.3.6] TASK [edit sudoers] ********************************************************************************************************************************** changed: [192.168.3.6] PLAY RECAP ******************************************************************************************************************************************* 192.168.3.6 : ok=30 changed=29 unreachable=0 failed=0 [root@ansible_sv yml]# ansible-playbook /etc/ansible/yml/2_addgroup.yml SSH password: PLAY [ldap_sv] *************************************************************************************************************************************** TASK [Gathering Facts] ******************************************************************************************************************************* ok: [192.168.3.6] TASK [cn objectClass] ******************************************************************************************************************************** changed: [192.168.3.6] PLAY RECAP ******************************************************************************************************************************************* 192.168.3.6 : ok=2 changed=1 unreachable=0 failed=0 [root@ansible_sv yml]# ansible-playbook /etc/ansible/yml/3_adduser.yml SSH password: PLAY [ldap_sv] *************************************************************************************************************************************** TASK [Gathering Facts] ******************************************************************************************************************************* ok: [192.168.3.6] TASK [slappasswd] ************************************************************************************************************************************ changed: [192.168.3.6] TASK [useradd] *************************************************************************************************************************************** changed: [192.168.3.6] PLAY RECAP ******************************************************************************************************************************************* 192.168.3.6 : ok=3 changed=2 unreachable=0 failed=0 [root@ansible_sv yml]# ansible-playbook /etc/ansible/yml/4_publickey.yml SSH password: PLAY [ldap_sv] *************************************************************************************************************************************** TASK [Gathering Facts] ******************************************************************************************************************************* ok: [192.168.3.6] TASK [execute su] ************************************************************************************************************************************ [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running su changed: [192.168.3.6] TASK [create .ssh directory] ************************************************************************************************************************* changed: [192.168.3.6] TASK [create sshPublickey] *************************************************************************************************************************** changed: [192.168.3.6] TASK [chmod id_ed25519*] ***************************************************************************************************************************** changed: [192.168.3.6] => (item=id_ed25519) changed: [192.168.3.6] => (item=id_ed25519.pub) TASK [rename authorized_keys] ************************************************************************************************************************ changed: [192.168.3.6] TASK [userdel] *************************************************************************************************************************************** changed: [192.168.3.6] TASK [stdout slappasswd] ***************************************************************************************************************************** changed: [192.168.3.6] TASK [stdout sshPublickey] *************************************************************************************************************************** changed: [192.168.3.6] TASK [re-exec useradd] ******************************************************************************************************************************* changed: [192.168.3.6] PLAY RECAP ******************************************************************************************************************************************* 192.168.3.6 : ok=10 changed=9 unreachable=0 failed=0 [root@ansible_sv ~]# ansible-playbook /etc/ansible/yml/5_ldapClient-create.yml SSH password: PLAY [ldapclient] ************************************************************************************************************************************ TASK [Gathering Facts] ******************************************************************************************************************************* ok: [192.168.3.7] TASK [Yum install] *********************************************************************************************************************************** changed: [192.168.3.7] => (item=[u'openldap-clients', u'sssd', u'sssd-client', u'sssd-ldap', u'oddjob-mkhomedir']) TASK [sssd.conf create] ****************************************************************************************************************************** changed: [192.168.3.7] TASK [sssd.conf write] ******************************************************************************************************************************* changed: [192.168.3.7] => (item=[sssd]) changed: [192.168.3.7] => (item=debug_level = 0) changed: [192.168.3.7] => (item=config_file_version = 2) changed: [192.168.3.7] => (item=services = nss, sudo, pam, ssh) changed: [192.168.3.7] => (item=domains = default) changed: [192.168.3.7] => (item=[domain/default]) changed: [192.168.3.7] => (item=id_provider = ldap) changed: [192.168.3.7] => (item=auth_provider = ldap) changed: [192.168.3.7] => (item=chpass_provider = ldap) changed: [192.168.3.7] => (item=sudo_provider = ldap) changed: [192.168.3.7] => (item=ldap_uri = ldap://192.168.3.6) changed: [192.168.3.7] => (item=ldap_search_base = dc=abc,dc=def,dc=com) changed: [192.168.3.7] => (item=ldap_sudo_search_base = ou=SUDOers,dc=abc,dc=def,dc=com) changed: [192.168.3.7] => (item=ldap_id_use_start_tls = False) changed: [192.168.3.7] => (item=ldap_search_timeout = 3) changed: [192.168.3.7] => (item=ldap_network_timeout = 3) changed: [192.168.3.7] => (item=ldap_opt_timeout = 3) changed: [192.168.3.7] => (item=ldap_enumeration_search_timeout = 60) changed: [192.168.3.7] => (item=ldap_enumeration_refresh_timeout = 300) changed: [192.168.3.7] => (item=ldap_connection_expire_timeout = 600) changed: [192.168.3.7] => (item=ldap_sudo_smart_refresh_interval = 600) changed: [192.168.3.7] => (item=ldap_sudo_full_refresh_interval = 10800) changed: [192.168.3.7] => (item=entry_cache_timeout = 1200) changed: [192.168.3.7] => (item=cache_credentials = True) changed: [192.168.3.7] => (item=ldap_tls_reqcert = never) changed: [192.168.3.7] => (item=[nss]) changed: [192.168.3.7] => (item=homedir_substring = /home) changed: [192.168.3.7] => (item=entry_negative_timeout = 20) changed: [192.168.3.7] => (item=entry_cache_nowait_percentage = 50) changed: [192.168.3.7] => (item=[pam]) changed: [192.168.3.7] => (item=[sudo]) changed: [192.168.3.7] => (item=[autofs]) changed: [192.168.3.7] => (item=[ssh]) changed: [192.168.3.7] => (item=[pac]) TASK [authconfig set 1] ****************************************************************************************************************************** changed: [192.168.3.7] TASK [homedir start] ********************************************************************************************************************************* changed: [192.168.3.7] TASK [authconfig set 2] ****************************************************************************************************************************** changed: [192.168.3.7] TASK [sshd_config edit 1] **************************************************************************************************************************** changed: [192.168.3.7] TASK [sshd_config edit 2] **************************************************************************************************************************** changed: [192.168.3.7] TASK [sshd_config edit 3] **************************************************************************************************************************** changed: [192.168.3.7] TASK [sshd_config edit 4] **************************************************************************************************************************** changed: [192.168.3.7] TASK [sssd restart] ********************************************************************************************************************************** changed: [192.168.3.7] TASK [sshd restart] ********************************************************************************************************************************** changed: [192.168.3.7] TASK [edit sudoers] ********************************************************************************************************************************** changed: [192.168.3.7] PLAY RECAP ******************************************************************************************************************************************* 192.168.3.7 : ok=14 changed=13 unreachable=0 failed=0 [root@ansible_sv yml]#
一切エラー無し!
いやー気持ちいいっす\(^o^)/