vs-eth · niklassc-xyz · Oct 3, 2024 · Oct 3, 2024 · Oct 3, 2024
diff --git a/README.md b/README.md
@@ -2,9 +2,7 @@
 [![CircleCI status](https://img.shields.io/circleci/project/github/uubk/auth-server/master.svg?style=shield)](https://circleci.com/gh/uubk/auth-server/tree/master)
 ![License](https://img.shields.io/github/license/uubk/auth-server.svg?style=popout)
 
-Set up 389ds and MIT Kerberos to authenticate users. Tested on Debian 11.
-
-Warning: This role only supports Debian 11 - for 9/10, you'll want to use the old code on the buster branch.
+Set up 389ds to authenticate users.
 
 ## Description
 This role sets up 389ds in multi-master mode.
@@ -19,9 +17,6 @@ This role sets up 389ds in multi-master mode.
 | `auth_ldap_sync_pwd` | `False` | The LDAP syncrepl user password |
 | `auth_ldap_group` | `core` | The group of hosts this role is applied to |
 | `auth_ldap_init_source` | `False` | The name of the host that should be used as a LDAP data source when adding new hosts. |
-| `auth_kerberos_ldap_password` | `False` | The kerberos LDAP service account password |
-| `auth_kerberos_database_master_key` | `False` | The initial kerberos database master key |
-| `auth_kerberos_enctypes` | `aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128` | Which encryption modes to enable? The default is for recent versions of Kerberos and no Windows clients only. |
 | `auth_ldap_have_tls` | `True` | Whether to enable SSL/TLS support in openLDAP |
 | `auth_ldap_ssl_cert_path` | `/etc/ldap/server.pem` | Path to openLDAP's certificate |
 | `auth_ldap_ssl_key_path` | `/etc/ldap/server.key` | Path to openLDAP's certificate's key|
@@ -32,9 +27,6 @@ This role sets up 389ds in multi-master mode.
 | `auth_ldap_service_bases` | (see defaults/main.yml) | LDAP containers to create for services |
 | `auth_ldap_service_accounts` | (see defaults/main.yml) | Kerberos services to generate. This will also write out a keytab for each service. |
 | `auth_ldap_permissions` | (see defaults/main.yml) | ACIs to set on the directory |
-| `auth_kerberos_admin_privs` | `[]` | Kerberos principals to grant administrative permissions to (see defaults/main.yml for format) |
-| `auth_ldap_store_pam` | `True` | Whether to actually store the generated 389ds PAM config. Useful if you want to customize it using another role |
-|`auth_kerberos_curves` | `edwards25519` | Curves to use for kerberos SPAKE |
 | `auth_ldap_use_memberof_plugin` | `False` | Whether to enable the `memberOf` LDAP plugin. |
 
 Users can be created by putting them into `auth_ldap_users` as a dict with the following format:

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -8,7 +8,7 @@ auth_ldap_domain_subdomains: []
 
 # If your LDAP servers are not mutually reachable via their FQDN, set this for
 # replication
-auth_ldap_use_external_domain: False
+auth_ldap_use_external_domain: false
 auth_ldap_external_domain: None
 
 # LDAP admin credentials (you need to change these)
@@ -18,22 +18,13 @@ auth_ldap_sync_pwd: None
 # LDAP init source (you need to change this)
 # Init source designates the ldap server whose contents should be copied to all
 # other servers on iniy
-auth_ldap_init_source: False
-
-# Kerberos admin credentials (you need to change these)
-auth_kerberos_ldap_password: False
-auth_kerberos_database_master_key: False
-# Principals to be granted admin rights
-auth_kerberos_admin_privs: []
-# - principal: foo@EXAMPLE.ORG
-#   privileges: '*'
-#   target: '*'
-
-# Group that all LDAP/kerberos servers are in (you probably need to change this)
+auth_ldap_init_source: false
+
+# Group that all LDAP servers are in (you probably need to change this)
 auth_ldap_group: core
 
 # TLS for openLDAP
-auth_ldap_have_tls: True
+auth_ldap_have_tls: true
 auth_ldap_ssl_cert_path: /etc/ldap/server.pem
 auth_ldap_ssl_key_path: /etc/ldap/server.key
 auth_ldap_ssl_ca_path: /etc/ldap/ca.pem
@@ -42,12 +33,6 @@ auth_ldap_ssl_ca_path_src: /etc/dirsrv/ca.pem
 auth_ldap_ssl_cn: "{{ ansible_fqdn }}"
 auth_ldap_ssl_desc: "PKI"
 
-# Enctypes for recent kerberos
-auth_kerberos_enctypes: "aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"
-
-# Elliptic curves for SPAKE
-auth_kerberos_curves: "edwards25519"
-
 # Users to create
 auth_ldap_users: []
 
@@ -136,11 +121,8 @@ auth_ldap_user_objectclasses:
   - top
   - inetOrgPerson
 
-# Whether to actually store the pam kerberos passthrough config
-auth_ldap_store_pam: True
-
 # Whether to enable the memberOf plugin
-auth_ldap_use_memberof_plugin: False
+auth_ldap_use_memberof_plugin: false
 
 # For additional schemas
 # auth_ldap_additional_schema:
@@ -151,7 +133,3 @@ auth_ldap_use_memberof_plugin: False
 # auth_ldap_eq_indexes:
 #  - attribute: customAttr
 #    database: userRoot
-
-# Gokrb5 on Debian Buster _also_ fails preauth when not setting this explicitly. On bullseye it works with the same
-# binary. To enable the workaround, change from -1 to your real preauth type (e.g. 20 for aes256-cts-hmac-sha384-192).
-auth_kerberos_fixed_preauth: -1
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,29 +1,14 @@
 ---
-  - name: restart kdc
-    become: True
-    service:
-      name: krb5-kdc
-      state: restarted
-      enabled: yes
-    notify: restart kadmind
+- name: Restart dirsrv
+  become: true
+  service:
+    name: "dirsrv@{{ auth_ldap_shortname }}"
+    state: restarted
+    enabled: true
 
-  - name: restart kadmind
-    become: True
-    service:
-      name: krb5-admin-server
-      state: restarted
-      enabled: yes
-
-  - name: restart dirsrv
-    become: True
-    service:
-      name: "dirsrv@{{ auth_ldap_shortname }}"
-      state: restarted
-      enabled: yes
-
-  - name: restart haproxy
-    become: True
-    service:
-      name: haproxy
-      state: restarted
-      enabled: yes
+- name: Restart haproxy
+  become: true
+  service:
+    name: haproxy
+    state: restarted
+    enabled: true
diff --git a/tasks/389-acl.yml b/tasks/389-acl.yml
@@ -1,70 +1,70 @@
 ---
-  - name: Restrict anonymous bind to RootDN
-    ldap_attrs:
-      dn: "cn=config"
-      server_uri: "{{ auth_ldap_ansible_url }}"
-      bind_dn: "cn=Directory Manager"
-      bind_pw: "{{ auth_ldap_admin_pwd }}"
-      state: exact
-      attributes:
-        nsslapd-allow-anonymous-access: 'rootdse'
-    notify: restart dirsrv
+- name: Restrict anonymous bind to RootDN
+  community.general.ldap_attrs:
+    dn: "cn=config"
+    server_uri: "{{ auth_ldap_ansible_url }}"
+    bind_dn: "cn=Directory Manager"
+    bind_pw: "{{ auth_ldap_admin_pwd }}"
+    state: exact
+    attributes:
+      nsslapd-allow-anonymous-access: 'rootdse'
+  notify: Restart dirsrv
 
-  - name: Create LDAP system users
-    run_once: true
-    ldap_entry:
-      dn: "cn={{ item.name }},ou=TechnicalUsers,{{ auth_ldap_domain_ldap }}"
-      server_uri: "{{ auth_ldap_ansible_url }}"
-      objectClass: "{{ auth_ldap_user_objectclasses }}"
-      bind_dn: "cn=Directory Manager"
-      bind_pw: "{{ auth_ldap_admin_pwd }}"
-      state: present
-      attributes:
-        uid: "{{ item.id }}"
-        uidNumber: "{{ item.uid }}"
-        gidNumber: "{{ item.gid }}"
-        userPassword: "{{ item.initialPassword }}"
-        homeDirectory: "/dev/null"
-        sn: "{{ item.name }}"
-        givenName: "Serviceaccount"
-        mail: "root@{{ auth_ldap_domain }}"
-    with_items:
-      - "{{ auth_ldap_system_users }}"
-    no_log: True
+- name: Create LDAP system users
+  run_once: true
+  community.general.ldap_entry:
+    dn: "cn={{ item.name }},ou=TechnicalUsers,{{ auth_ldap_domain_ldap }}"
+    server_uri: "{{ auth_ldap_ansible_url }}"
+    objectClass: "{{ auth_ldap_user_objectclasses }}"
+    bind_dn: "cn=Directory Manager"
+    bind_pw: "{{ auth_ldap_admin_pwd }}"
+    state: present
+    attributes:
+      uid: "{{ item.id }}"
+      uidNumber: "{{ item.uid }}"
+      gidNumber: "{{ item.gid }}"
+      userPassword: "{{ item.initialPassword }}"
+      homeDirectory: "/dev/null"
+      sn: "{{ item.name }}"
+      givenName: "Serviceaccount"
+      mail: "root@{{ auth_ldap_domain }}"
+  with_items:
+    - "{{ auth_ldap_system_users }}"
+  no_log: true
 
-  - name: Create LDAP reader group
-    run_once: true
-    ldap_entry:
-      dn: "cn=sys_ldap_readers,ou=Groups,{{ auth_ldap_domain_ldap }}"
-      objectClass: groupOfNames
-      bind_dn: "cn=Directory Manager"
-      bind_pw: "{{ auth_ldap_admin_pwd }}"
-      server_uri: "{{ auth_ldap_ansible_url }}"
-      attributes:
-        member: "{{ item }}"
-    with_items: "{{ auth_ldap_allow_read|first }}"
+- name: Create LDAP reader group
+  run_once: true
+  community.general.ldap_entry:
+    dn: "cn=sys_ldap_readers,ou=Groups,{{ auth_ldap_domain_ldap }}"
+    objectClass: groupOfNames
+    bind_dn: "cn=Directory Manager"
+    bind_pw: "{{ auth_ldap_admin_pwd }}"
+    server_uri: "{{ auth_ldap_ansible_url }}"
+    attributes:
+      member: "{{ item }}"
+  with_items: "{{ auth_ldap_allow_read | first }}"
 
-  - name: Add LDAP reader group members
-    run_once: true
-    ldap_attrs:
-      dn: "cn=sys_ldap_readers,ou=Groups,{{ auth_ldap_domain_ldap }}"
-      bind_dn: "cn=Directory Manager"
-      bind_pw: "{{ auth_ldap_admin_pwd }}"
-      server_uri: "{{ auth_ldap_ansible_url }}"
-      state: exact
-      attributes:
-        member: "{{ auth_ldap_allow_read }}"
+- name: Add LDAP reader group members
+  run_once: true
+  community.general.ldap_attrs:
+    dn: "cn=sys_ldap_readers,ou=Groups,{{ auth_ldap_domain_ldap }}"
+    bind_dn: "cn=Directory Manager"
+    bind_pw: "{{ auth_ldap_admin_pwd }}"
+    server_uri: "{{ auth_ldap_ansible_url }}"
+    state: exact
+    attributes:
+      member: "{{ auth_ldap_allow_read }}"
 
-  - name: Configure LDAP ACLs
-    ldap_attrs:
-      dn: "{{ item.target }}"
-      bind_dn: "cn=Directory Manager"
-      bind_pw: '{{ auth_ldap_admin_pwd }}'
-      server_uri: "{{ auth_ldap_ansible_url }}"
-      attributes:
-        aci: "{{ item.acls }}"
-      state: exact
-    when: item.target != "cn=Kerberos,{{ auth_ldap_domain_ldap }}"
-    with_items: "{{ auth_ldap_permissions }}"
-    tags:
-      - skip_ansible_lint
+- name: Configure LDAP ACLs
+  ldap_attrs:
+    dn: "{{ item.target }}"
+    bind_dn: "cn=Directory Manager"
+    bind_pw: '{{ auth_ldap_admin_pwd }}'
+    server_uri: "{{ auth_ldap_ansible_url }}"
+    attributes:
+      aci: "{{ item.acls }}"
+    state: exact
+  when: item.target != "cn=Kerberos,{{ auth_ldap_domain_ldap }}"
+  with_items: "{{ auth_ldap_permissions }}"
+  tags:
+    - skip_ansible_lint