/ansible-adauth

Ansible role to configure RHEL and derivates to use Active Directory for authentication

MIT LicenseMIT

adauth

Ansible role to configure RHEL and derivates to use Microsoft Active Directory for authentication.

Tested on Centos 6.5 and Centos 7.0. After configuration it allows only local users and users matching the $adauth_access_filter to login. You should probabably see templates/sssd.conf.j2 and defaults/main.yml.

Modifications by Sig-I/O:

  • Mounting of DFS directory on login, unmounting on logout
  • Use 'service' module in handlers
  • Installation of pam_mount from sig-io repositories (as EL6 packages seem to be non existant)

Requirements

It is nice for the servers to be configured to use at least the Primary and Secondary domain controlers as NTP servers for the kerberos tickets.

The role joins the server in AD with Samba to generate the Keytab for GSSAPI authentication so a user with sufficient privileges to join is required.

Role Variables

The role uses the following variables, which you should override in your playbook:

  • adauth_workgroup - The short domain name uppercase.
  • adauth_realm - The domain name uppercase.
  • adauth_pdc - The primary domain controller fqdn.
  • adauth_pdc_ip - The primary domain controller ip (for dns).
  • adauth_sdc - The secondary domain controller fqdn.
  • adauth_sdc_ip - The secondary domain controller ip (for dns).
  • adauth_ldap_base - The LDAP search base.
  • adauth_server_ou - The Organisational unit where to create the server in AD.
  • adauth_access_filter - LDAP search query to limit who can login to the server. See defaults for examples.
  • adauth_username - The username with join privileges in the server OU.
  • adauth_password - The password. You can use var_prompts in your playbook for this.
  • adauth_fileserver- The name of the server that hosts the DFS path to mount.
  • adauth_homepath - The path to the DFS mount which should be mounted on login.
  • adauth_homemount - The location to mount the DFS share to.

Example Playbook

- hosts: ad-servers
  vars_files:
    - site_vars/adauth.yml

  roles:
     - glisha.adauth

Where site_vars/adauth.yml is defaults/main.yml modifed to your needs.

License

MIT

Author Information

Georgi Stanojevski Mark Janssen mark@sig-io.nl GitHub project page