Configure LDAP authentication & authorization with parametrized user/host/project lookups.
You must place your LDAP server certificate in `files/certs/*.crt`.
- `ldap_uri` - URI of your LDAP server(s). Separate multiple URIs with a space.
- `ldap_dn`, `ldap_pw` (optional) - credentials to bind to your LDAP server with.
- `ldap_base_sudoers` - base for sudoers record lookups.
- `ldap_lookups` - a dictionary. Key `host` describes SSH hosts, `user` describes all user accounts, `membership` cross-references user and host DNs for access control, and `admin` looks up user accounts which get unconditional access and bypass the membership check. Each item is a dictionary with three keys: `base`, `scope` (defaulting to `sub`), and `filter`. Filters use printf-style placeholders (`%s`, or `%1$s`/`%2$s` for positional arguments) for the value being looked up; see the example playbook below.
- `ldap_nss_user_filter` - filter for NSS user lookups. NSS adds the user ID clause to this filter itself.
- `ldap_authorized_keys_command_user` - the user as whom the SSH daemon runs the command that fetches authorized keys from LDAP.
- `ldap_base` - default LDAP base for libldap.
- `ldap_client_files` - dictionary of config templates (without the `.j2` suffix) and their destinations and modes.
- `ldap_netgroup_base`, `ldap_netgroup_scope`, `ldap_netgroup_filter` - netgroup lookup parameters.
- `ldap_pam_param_config_file` - location of the pam-param INI file.
- `ldap_pam_param_short_name` - whether to use short host names (vs. FQDNs) when looking up hosts in LDAP.
- `ldap_pubkey_attr` - name of the LDAP attribute that holds the printable public key (possibly with a comment).
- `ldap_pubkey_filter` - filter used to look up public keys by user ID; `%s` is substituted with the UID.
- `ldap_sshd_config` - location of the SSH daemon config.
- `ldap_sudoers` - whether to look up sudoers records in LDAP. If false, NSS only considers local files; this is useful to override generic LDAP sudoers with local settings (e.g. to disallow sudo on a particular host).
- `ldap_uid_min` - minimum numeric ID for non-system users; on most modern systems this is 1000.
Example playbook:

```yaml
# Users with gidNumber 100 under ou=people, hosts under ou=hosts, project
# groups under ou=projects; members of cn=admins bypass the membership check.
- hosts: ldap-auth
  roles:
    - ldap-auth
  vars:
    ldap_uri: ldaps://ldap.example.org
    ldap_sudoers: false            # keep sudoers local; ignore LDAP sudoers records
    ldap_base: dc=example,dc=org
    ldap_base_sudoers: ou=sudoers,{{ ldap_base }}
    ldap_lookups:
      admin:                       # members of this group get unconditional access
        base: cn=admins,ou=groups,{{ ldap_base }}
        scope: base
        filter: (member=%s)
      user:                        # %s is the login name being looked up
        base: ou=people,{{ ldap_base }}
        scope: sub
        filter: (&(objectClass=posixAccount)(uid=%s)(gidNumber=100))
      host:                        # %s is this host's name (short or FQDN, see ldap_pam_param_short_name)
        base: ou=hosts,{{ ldap_base }}
        scope: sub
        filter: (&(|(objectClass=virtualMachine)(objectClass=server))(cn=%s))
      membership:                  # user DN as %1$s, host DN as %2$s
        base: ou=projects,{{ ldap_base }}
        scope: sub
        filter: (&(objectClass=groupOfNames)(member=%1$s)(serverMember=%2$s))
```
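The lookup chain described under `ldap_lookups` (user DN, host DN, then the `admin` bypass, then `membership`), run against the filters from the example playbook, as an added illustration that is not part of this role or of pam-param. Two things in it go beyond what the page states and are this example's own choices: every substituted value is escaped per RFC 4515 before it lands in a filter, so a login name such as `*)(uid=*` cannot widen the `user` lookup into a wildcard, and a lookup that matches more than one entry is treated as an error instead of silently using the first hit. The in-memory directory, the `search(base, scope, filter)` interface and the small filter evaluator are assumptions made so the block runs offline.

```python
"""Access decision modelled on the role's ldap_lookups. Added example, not the
role's own pam-param code: it follows the lookup order in the README (user DN,
host DN, admin bypass, then membership) and escapes substituted values per
RFC 4515 so a crafted uid or hostname cannot widen a filter. The in-memory
directory, the filter evaluator and search(base, scope, filter) are assumed."""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_PLACEHOLDER = re.compile(r"%(?:(\d+)\$)?s")  # %s, %1$s, %2$s as in the README

def escape_filter_value(value):
    """Escape a value before substituting it into a filter template."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template, *args):
    """Substitute %s (sequential) or %N$s (positional) with escaped args."""
    seq = 0
    def sub(m):
        nonlocal seq
        idx = int(m.group(1)) - 1 if m.group(1) else seq
        seq += not m.group(1)            # only bare %s advances the counter
        return escape_filter_value(args[idx])
    return _PLACEHOLDER.sub(sub, template)

def decide_access(lookups, search, uid, host, short_name=True):
    """True if uid may log in on host; search() returns DNs of matching entries."""
    if short_name:                       # ldap_pam_param_short_name
        host = host.split(".", 1)[0]
    def one(key, *args):
        spec = lookups[key]
        hits = search(spec["base"], spec.get("scope", "sub"),
                      render_filter(spec["filter"], *args))
        if len(hits) > 1:                # ambiguity is a config error, not a hit
            raise ValueError(f"{key} lookup is ambiguous: {hits}")
        return hits[0] if hits else None
    user_dn, host_dn = one("user", uid), one("host", host)
    if user_dn is None or host_dn is None:
        return False
    if one("admin", user_dn) is not None:   # admins bypass the membership check
        return True
    return one("membership", user_dn, host_dn) is not None

BASE = "dc=example,dc=org"
DIRECTORY = {  # constructed sample data; attribute names lower-cased
    f"uid=alice,ou=people,{BASE}": {"objectclass": ["posixAccount"], "uid": ["alice"], "gidnumber": ["100"]},
    f"uid=bob,ou=people,{BASE}": {"objectclass": ["posixAccount"], "uid": ["bob"], "gidnumber": ["100"]},
    f"uid=svc,ou=people,{BASE}": {"objectclass": ["posixAccount"], "uid": ["svc"], "gidnumber": ["200"]},
    f"cn=web1,ou=hosts,{BASE}": {"objectclass": ["server"], "cn": ["web1"]},
    f"cn=db1,ou=hosts,{BASE}": {"objectclass": ["virtualMachine"], "cn": ["db1"]},
    f"cn=admins,ou=groups,{BASE}": {"member": [f"uid=alice,ou=people,{BASE}"]},
    f"cn=shop,ou=projects,{BASE}": {"objectclass": ["groupOfNames"], "member": [f"uid=bob,ou=people,{BASE}"],
                                    "servermember": [f"cn=web1,ou=hosts,{BASE}"]},
}
LOOKUPS = {  # the README's example ldap_lookups with {{ ldap_base }} expanded
    "admin": {"base": f"cn=admins,ou=groups,{BASE}", "scope": "base", "filter": "(member=%s)"},
    "user": {"base": f"ou=people,{BASE}", "filter": "(&(objectClass=posixAccount)(uid=%s)(gidNumber=100))"},
    "host": {"base": f"ou=hosts,{BASE}",
             "filter": "(&(|(objectClass=virtualMachine)(objectClass=server))(cn=%s))"},
    "membership": {"base": f"ou=projects,{BASE}",
                   "filter": "(&(objectClass=groupOfNames)(member=%1$s)(serverMember=%2$s))"},
}

def _parse(f, i=0):
    """Parse the RFC 4515 subset used here: '&', '|' and equality assertions."""
    i += 1                               # skip the opening '('
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    j = f.index(")", i)                  # an escaped ')' is '\29', never a raw one
    attr, _, val = f[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1

def _value_regex(val):
    """Bare '*' is a wildcard; '\\XX' escapes become literal characters."""
    parts = []
    for piece in re.split(r"(\\[0-9a-fA-F]{2})", val):
        if piece.startswith("\\"):
            parts.append(re.escape(chr(int(piece[1:], 16))))
        else:
            parts.append(".*".join(re.escape(p) for p in piece.split("*")))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def _match(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_match(k, entry) for k in node[1])
    rx = _value_regex(node[2])
    return any(rx.match(v) for v in entry.get(node[1], ()))

def fake_search(base, scope, flt):
    """Return DNs under base (scope 'base' or 'sub') that match flt."""
    node, _ = _parse(flt)
    base = base.lower()
    return [dn for dn, e in DIRECTORY.items() if _match(node, e)
            and (dn.lower() == base or (scope != "base" and dn.lower().endswith("," + base)))]
```

With this data `decide_access(LOOKUPS, fake_search, "alice", "db1.example.org")` is true through the `admin` bypass even though alice is in no project, `("bob", "web1")` is true through `membership`, and `("bob", "db1")` is false. The same `user` filter rendered without escaping, `(uid=*)`, would match every gid-100 account, which is why the ambiguity check exists: a wildcard that slips through should fail closed rather than authenticate the first DN returned.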
License: GPLv3+

Author: Development Gateway