ben
/
infra
1
1
Fork 2
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

fix user enabled/disabled handling in openldap role, fix system users with ssh keys in users role #29

Merged
ben merged 2 commits from openldap-fix into main 2022-10-25 23:37:34 +00:00
Conversation 0 Commits 2 Files Changed 3 +22 -20
3 changed files with 22 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
roles/openldap/defaults/main.yml
View File

@ -4,10 +4,12 @@ openldap_uid: "{{systemuserlist.openldap.uid}}"
openldap_gid: "{{systemuserlist.openldap.gid}}" openldap_gid: "{{systemuserlist.openldap.gid}}"
openldap_root: "{{ systemuserlist.openldap.home }}" openldap_root: "{{ systemuserlist.openldap.home }}"
ldap_users: "{{ userlist.values()|selectattr('ldap_enabled', 'true') }}"
ldap_usernames: "{{ ldap_users | map(attribute='username') | list }}"
ldap_users_in_groups: "{{ ldap_users | selectattr('ldap_groups') }}"
ldap_usernames_disabled_ldap: "{{ userlist.values()|selectattr('ldap_enabled', 'false') | map(attribute='username') | unique }}" ldap_human_users: "{{ userlist.values()|selectattr('ldap_enabled', 'true') }}"
ldap_usernames_disabled_system: "{{ userlist.values()|selectattr('enabled', 'false') | map(attribute='username') | unique }}" ldap_human_users_in_groups: "{{ ldap_human_users | selectattr('ldap_groups') }}"
ldap_usernames_disabled: "{{ ldap_usernames_disabled_ldap + ldap_usernames_disabled_system }}"
ldap_only_users_enabled: "{{ ldap_only_users.values() | selectattr('ldap_enabled', 'true') }}"
ldap_linux_usernames_disabled: "{{ userlist.values()|selectattr('ldap_enabled', 'false') | map(attribute='username') }}"
ldap_only_usernames_disabled: "{{ ldap_only_users.values()|selectattr('ldap_enabled', 'false') | map(attribute='username') }}"
ldap_usernames_disabled: "{{ ldap_only_usernames_disabled + ldap_linux_usernames_disabled }}"

14
roles/openldap/tasks/openldap.yml
View File

@ -196,7 +196,7 @@
# this module doesnt change existing users if they exist, so it is setting anything that a user # this module doesnt change existing users if they exist, so it is setting anything that a user
# should be able to change themselves # should be able to change themselves
- name: add inventory users - name: add inventory human users
community.general.ldap_entry: community.general.ldap_entry:
dn: "uid={{ item.username }},ou=users,{{ openldap_dc }}" dn: "uid={{ item.username }},ou=users,{{ openldap_dc }}"
objectClass: objectClass:
@ -217,7 +217,7 @@
bind_pw: "{{ openldap_admin_pass }}" bind_pw: "{{ openldap_admin_pass }}"
loop_control: loop_control:
label: "{{ item.username }}" label: "{{ item.username }}"
with_items: "{{ ldap_users }}" # see role/openldap/defaults/main.yml with_items: "{{ ldap_human_users }}" # see role/openldap/defaults/main.yml
tags: tags:
- ldap-users - ldap-users
@ -237,9 +237,10 @@
bind_pw: "{{ openldap_admin_pass }}" bind_pw: "{{ openldap_admin_pass }}"
loop_control: loop_control:
label: "{{ item.username }}" label: "{{ item.username }}"
with_items: "{{ ldap_only_users.values() }}" with_items: "{{ ldap_only_users_enabled }}"
tags: tags:
- ldap-users - ldap-users
- ldap-only-users
- name: add inventory user groups - name: add inventory user groups
@ -256,7 +257,7 @@
bind_pw: "{{ openldap_admin_pass }}" bind_pw: "{{ openldap_admin_pass }}"
loop_control: loop_control:
label: "{{ item.username }}" label: "{{ item.username }}"
with_items: "{{ ldap_users }}" with_items: "{{ ldap_human_users }}"
tags: tags:
- ldap-users - ldap-users
@ -292,7 +293,7 @@
label: "{{ item[1].username }}, group={{ item[0] }}, present={{ item[0] in item[1].ldap_groups|default([]) }}" label: "{{ item[1].username }}, group={{ item[0] }}, present={{ item[0] in item[1].ldap_groups|default([]) }}"
with_nested: with_nested:
- "{{ openldap_groups }}" - "{{ openldap_groups }}"
- "{{ ldap_users }}" - "{{ ldap_human_users }}"
# when: # when:
# - item[1] in item[0].ldap_groups|default([]) # - item[1] in item[0].ldap_groups|default([])
tags: tags:
@ -311,7 +312,7 @@
label: "{{ item[1].username }}, group={{ item[0] }}, present={{ item[0] in item[1].ldap_groups|default([]) }}" label: "{{ item[1].username }}, group={{ item[0] }}, present={{ item[0] in item[1].ldap_groups|default([]) }}"
with_nested: with_nested:
- "{{ openldap_groups }}" - "{{ openldap_groups }}"
- "{{ ldap_only_users.values() }}" - "{{ ldap_only_users_enabled }}"
tags: tags:
- ldap-users - ldap-users
@ -327,6 +328,7 @@
with_items: "{{ ldap_usernames_disabled }}" with_items: "{{ ldap_usernames_disabled }}"
tags: tags:
- ldap-users - ldap-users
- ldap-users-disabled
# # this task will change attrs if they dont match # # this task will change attrs if they dont match
# - name: adding attrs that are # - name: adding attrs that are

14
roles/users/tasks/users.yml
View File

@ -135,19 +135,17 @@
- name: set authorized_keys for system users with pubkeys - name: set authorized_keys for system users with pubkeys
template: template:
src: "private/sshkeys/{{ item.key }}.authorized_keys" src: "private/sshkeys/{{ item.username }}.authorized_keys"
dest: "~/.ssh/authorized_keys" dest: "~/.ssh/authorized_keys"
owner: "{{ item.key }}" owner: "{{ item.username }}"
group: "{{ item.key }}" group: "{{ item.username }}"
mode: 0600 mode: 0600
become: true become: true
become_user: "{{ item.key }}" become_user: "{{ item.username }}"
ignore_errors: "{{ ansible_check_mode }}" ignore_errors: "{{ ansible_check_mode }}"
loop_control: loop_control:
label: "{{ item.key }}" label: "{{ item.username }}"
with_dict: "{{ systemuserlist }}" with_items: "{{ systemuserlist.values() | selectattr('sshkey', 'true') }}"
when:
- item.value.sshkey|default(false)
- name: remove disabled system users - name: remove disabled system users
user: user: