2022-10-25 23:37:34 +00:00
3 changed files with 22 additions and 20 deletions
--- a/roles/openldap/defaults/main.yml
+++ b/roles/openldap/defaults/main.yml
@ -4,10 +4,12 @@ openldap_uid: "{{systemuserlist.openldap.uid}}"
 openldap_gid: "{{systemuserlist.openldap.gid}}"
 openldap_root: "{{ systemuserlist.openldap.home }}"

-ldap_users: "{{ userlist.values()|selectattr('ldap_enabled', 'true') }}"
-ldap_usernames: "{{ ldap_users | map(attribute='username') | list }}"
-ldap_users_in_groups: "{{ ldap_users | selectattr('ldap_groups') }}"

-ldap_usernames_disabled_ldap: "{{ userlist.values()|selectattr('ldap_enabled', 'false') | map(attribute='username') | unique }}"
-ldap_usernames_disabled_system: "{{ userlist.values()|selectattr('enabled', 'false') | map(attribute='username') | unique }}"
-ldap_usernames_disabled: "{{ ldap_usernames_disabled_ldap + ldap_usernames_disabled_system }}"
+ldap_human_users: "{{ userlist.values()|selectattr('ldap_enabled', 'true') }}"
+ldap_human_users_in_groups: "{{ ldap_human_users | selectattr('ldap_groups') }}"
+
+ldap_only_users_enabled: "{{ ldap_only_users.values() | selectattr('ldap_enabled', 'true') }}"
+
+ldap_linux_usernames_disabled: "{{ userlist.values()|selectattr('ldap_enabled', 'false') | map(attribute='username') }}"
+ldap_only_usernames_disabled: "{{ ldap_only_users.values()|selectattr('ldap_enabled', 'false') | map(attribute='username') }}"
+ldap_usernames_disabled: "{{ ldap_only_usernames_disabled + ldap_linux_usernames_disabled }}"
--- a/roles/openldap/tasks/openldap.yml
+++ b/roles/openldap/tasks/openldap.yml
@ -196,7 +196,7 @@

 # this module doesnt change existing users if they exist, so it is setting anything that a user
 # should be able to change themselves
- name: add inventory users
+- name: add inventory human users
  community.general.ldap_entry:
    dn: "uid={{ item.username }},ou=users,{{ openldap_dc }}"
    objectClass:
@ -217,7 +217,7 @@
    bind_pw: "{{ openldap_admin_pass }}"
  loop_control:
    label: "{{ item.username }}"
-  with_items: "{{ ldap_users }}" # see role/openldap/defaults/main.yml
+  with_items: "{{ ldap_human_users }}" # see role/openldap/defaults/main.yml
  tags:
    - ldap-users

@ -237,9 +237,10 @@
    bind_pw: "{{ openldap_admin_pass }}"
  loop_control:
    label: "{{ item.username }}"
-  with_items: "{{ ldap_only_users.values() }}"
+  with_items: "{{ ldap_only_users_enabled }}"
  tags:
    - ldap-users
+    - ldap-only-users


 - name: add inventory user groups
@ -256,7 +257,7 @@
    bind_pw: "{{ openldap_admin_pass }}"
  loop_control:
    label: "{{ item.username }}"
-  with_items: "{{ ldap_users }}"
+  with_items: "{{ ldap_human_users }}"
  tags:
    - ldap-users

@ -292,7 +293,7 @@
    label: "{{ item[1].username }}, group={{ item[0] }}, present={{ item[0] in item[1].ldap_groups|default([]) }}"
  with_nested:
    - "{{ openldap_groups }}"
-    - "{{ ldap_users }}"
+    - "{{ ldap_human_users }}"
  # when:
  #   - item[1] in item[0].ldap_groups|default([])
  tags:
@ -311,7 +312,7 @@
    label: "{{ item[1].username }}, group={{ item[0] }}, present={{ item[0] in item[1].ldap_groups|default([]) }}"
  with_nested:
    - "{{ openldap_groups }}"
-    - "{{ ldap_only_users.values() }}"
+    - "{{ ldap_only_users_enabled }}"
  tags:
    - ldap-users

@ -327,6 +328,7 @@
  with_items: "{{ ldap_usernames_disabled }}"
  tags:
    - ldap-users
+    - ldap-users-disabled

 # # this task will change attrs if they dont match
 # - name: adding attrs that are
--- a/roles/users/tasks/users.yml
+++ b/roles/users/tasks/users.yml
@ -135,19 +135,17 @@

    - name: set authorized_keys for system users with pubkeys
      template:
-        src: "private/sshkeys/{{ item.key }}.authorized_keys"
+        src: "private/sshkeys/{{ item.username }}.authorized_keys"
        dest: "~/.ssh/authorized_keys"
-        owner: "{{ item.key }}"
-        group: "{{ item.key }}"
+        owner: "{{ item.username }}"
+        group: "{{ item.username }}"
        mode: 0600
      become: true
-      become_user: "{{ item.key }}"
+      become_user: "{{ item.username }}"
      ignore_errors: "{{ ansible_check_mode }}"
      loop_control:
-        label: "{{ item.key }}"
-      with_dict: "{{ systemuserlist }}"
-      when:
-        - item.value.sshkey|default(false)
+        label: "{{ item.username }}"
+      with_items: "{{ systemuserlist.values() | selectattr('sshkey', 'true') }}"

    - name: remove disabled system users
      user: