lae / ansible-role-system_ldap

Licence: other
Configures SSSD to authenticate against AD's LDAP endpoints

lae.system_ldap

Install and configure SSSD for system-level LDAP authentication against an LDAP-enabled Active Directory server.

Role Variables

Read defaults/main.yml for a list of all configurable role variables. Since the defaults should suffice for most users, this section covers only the variables that must be defined.

The following must be configured so that sssd can communicate with your LDAP/AD server:

system_ldap_domain
    Example: LDAP
    Description: A label for sssd to use to identify this configuration/domain.

system_ldap_search_base
    Example: OU=Idol Schools,DC=Aikatsu,DC=net
    Description: The default base DN to use for performing LDAP user operations.

system_ldap_uris
    Example:
      - ldaps://ldap-tyo.example.aikatsu.net:636
      - ldaps://ldap-ngo.example.aikatsu.net:636
    Description: A list of URIs of the LDAP servers to which sssd should connect.

system_ldap_bind_dn
    Example: CN=Naoto Suzukawa,OU=Service Accounts,OU=Idol Schools,DC=Aikatsu,DC=net
    Description: The default bind DN to use for performing LDAP operations.

system_ldap_bind_password
    Example: sunrise
    Description: The authentication token of the default bind DN. Only clear text passwords are currently supported.

system_ldap_access_filter_groups
    Example:
      - CN=operations,OU=Security Groups,OU=Idol Schools,DC=Aikatsu,DC=net
    Description: List of group DNs authorized to access the current host.

system_ldap_access_unix_groups
    Example:
      - operations
    Description: Should effectively be the same as system_ldap_access_filter_groups, but using their UNIX group names (usually the CN).

system_ldap_access_filter_users
    Example:
      - hoshimiya.ichigo
      - nikaidou.yuzu
    Description: List of usernames (passed to the filter (sAMAccountName=%s) by default) authorized to access the current host.

system_ldap_sudo_groups
    Example:
      - operations
    Description: List of groups to configure to allow sudo usage on the current host.

system_ldap_sudo_users
    Example:
      - hoshimiya.ichigo
    Description: List of users to configure to allow sudo usage on the current host.

system_ldap_allow_passwordauth_in_sshd
    Example: true
    Description: Specifies whether to configure sshd_config to allow password authentication for authorized users. This is needed if your SSHD is configured to not allow password authentication by default. Defaults to false.

Example Playbook

The following is typically what we use in a multi-tenant playbook:

---
- hosts: all
  user: ansible
  roles:
    - lae.system_ldap
  become: True

There is also an example playbook in the test directory.

Extended usage

For this section, the playbook in the code block above is system_ldap.yml. Let's look at the following playbook layout:

- system_ldap.yml
- inventory
- group_vars/
    - all/
        - main.yml
    - starlight/
        - main.yml
- host_vars/
    - research-node01
- roles/
    - requirements.yml

In this layout, we're typically able to group access control per hostgroup or per host. There are some variables that you likely want to set across all hosts, in group_vars/all/main.yml (or just group_vars/all if not using a directory):

---
system_ldap_domain: aikatsu.net
system_ldap_bind_dn: CN=Naoto Suzukawa,OU=Service Accounts,OU=Idol Schools,DC=Aikatsu,DC=net
system_ldap_bind_password: sunrise
system_ldap_search_base: OU=Idol Schools,DC=Aikatsu,DC=net
system_ldap_uris:
  - ldaps://ldap-tyo.example.aikatsu.net:636
  - ldaps://ldap-ngo.example.aikatsu.net:636
system_ldap_access_filter_groups:
  - CN=operations,OU=Security Groups,OU=Idol Schools,DC=Aikatsu,DC=net
system_ldap_access_filter_users: []
system_ldap_access_unix_groups:
  - operations
system_ldap_sudo_groups:
  - operations
system_ldap_sudo_users: []

Here we're using a search user account and password (system_ldap_bind_*) to query an LDAP server over SSL (with a second LDAPS server as failover), allowing members of the "operations" group to log in and granting them root privileges via sudo.

The starlight group's variables file may look like this:

---
system_ldap_allow_passwordauth_in_sshd: true
system_ldap_access_filter_users:
  - hoshimiya.ichigo
system_ldap_sudo_users:
  - hoshimiya.ichigo

This allows the user hoshimiya.ichigo to log in to the machines in the starlight hostgroup, as well as use sudo on them. The variables above are matched against the sAMAccountName value from your LDAP-enabled AD server for users under the system_ldap_search_base DN.

You can also specify groups, but you will need to provide the full DN for the group filter variable. Because a more specific group_vars file replaces the list rather than merging with it, you'll also probably want to copy the group-related variables from all. For the other variables you can just use the CN. For example:

system_ldap_access_filter_groups:
  - CN=operations,OU=Security Groups,OU=Global,OU=Idol Schools,DC=Aikatsu,DC=net
  - CN=starlight-students,OU=Security Groups,OU=Starlight Academy,OU=Idol Schools,DC=Aikatsu,DC=net
system_ldap_access_unix_groups:
  - operations
  - starlight-students
system_ldap_sudo_groups:
  - operations

Here we add a starlight-students LDAP group, but only allow its members to log in, not to use sudo.
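As an added example (not code from the lae.system_ldap role), the following models how the group_vars/all and group_vars/starlight files above combine for one host under Ansible's default per-key precedence, and renders an LDAP access filter of the shape the role's access variables imply; that filter shape, and the insecure_uris check, are assumptions, not the role's own templates.

```python
# Added example, not code from the lae.system_ldap role. It models how Ansible
# layers group_vars/all and group_vars/starlight onto one host (the more specific
# group wins key by key; a list replaces, it does not merge) and renders an LDAP
# access filter of the shape the role's variables imply. That shape is assumed.

# Constructed from the README's group_vars/all/main.yml (subset)
ALL_VARS = {
    "system_ldap_uris": [
        "ldaps://ldap-tyo.example.aikatsu.net:636",
        "ldaps://ldap-ngo.example.aikatsu.net:636",
    ],
    "system_ldap_access_filter_groups": [
        "CN=operations,OU=Security Groups,OU=Idol Schools,DC=Aikatsu,DC=net",
    ],
    "system_ldap_access_filter_users": [],
}

# Constructed from the README's starlight group_vars
STARLIGHT_VARS = {
    "system_ldap_allow_passwordauth_in_sshd": True,
    "system_ldap_access_filter_users": ["hoshimiya.ichigo"],
}

# RFC 4515 filter-value escapes
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def effective_vars(*layers):
    """Later layers override earlier ones per key (Ansible's default merge)."""
    merged = {}
    for layer in layers:
        merged.update(layer)
    return merged

def ldap_escape(value):
    """Escape a DN or username so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def access_filter(vars_):
    """Assumed shape: (|(memberOf=<group DN>)...(sAMAccountName=<user>)...)."""
    clauses = [f"(memberOf={ldap_escape(g)})"
               for g in vars_.get("system_ldap_access_filter_groups", [])]
    clauses += [f"(sAMAccountName={ldap_escape(u)})"
                for u in vars_.get("system_ldap_access_filter_users", [])]
    if not clauses:
        return "(!(objectClass=*))"  # matches nobody: deny by default
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"

def insecure_uris(vars_):
    """Any URI that is not ldaps:// would carry the bind password in the clear."""
    return [u for u in vars_.get("system_ldap_uris", [])
            if not u.startswith("ldaps://")]
```

Running access_filter(effective_vars(ALL_VARS, STARLIGHT_VARS)) shows the starlight user added alongside the operations group inherited from all, while a list defined in both files would have been replaced outright.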

Developing

First clone and branch (or fork) this repo, make your changes, commit, and submit a pull request.

To keep track of ansible vault changes, include .gitconfig in your git config:

echo -e "[include]\n\tpath = ../.gitconfig" >> .git/config

Testing

vagrant box add debian/stretch64
vagrant up
vagrant provision

License

MIT