Ldap auth

README.md

@@ -9,12 +9,15 @@ An Ansible role for setting up Samba as a file server. It is tested on CentOS, D
 - Create share directories
 - Manage Samba users and passwords
 - Manage access to shares
+- Connect with LDAP server (ONLY tested on RedHat & CentOS)
 
 The following are not considered concerns of this role, and you should configure these using another role (e.g. [bertvv.rh-base](https://galaxy.ansible.com/bertvv/rh-base/):
 
 - Managing firewall settings.
 - Creating system users. Samba users should already exist as system users.
 
+(System users & groups, created by an LDAP server, for creation of samba users and shares, could be added to samba fileserver when authenticating to LDAP server)
+
 **If you like/use this role, please consider giving it a star! Thanks!**
 
 ## CVE-2017-7494
@@ -65,6 +68,9 @@ No specific requirements
 | `samba_users`                  | []                       | List of dicts defining users that can access shares.                                                                         |
 | `samba_wins_support`           | true                     | When true, Samba will act as a WINS server                                                                                   |
 | `samba_workgroup`              | `WORKGROUP`              | Name of the server workgroup.                                                                                                |
+| `samba_ldap_auth`              | false                    | When true, openLDAP packages will be installed and authentication to LDAP server will be possible                            |
+| `samba_openldap_server_ip_address`              | -                        | LDAP server ip address (when samba_ldap_auth = true) for LDAP server authentication                         |
+| `samba_openldap_server_domain_name`             | -                        | LDAP server domain name (when samba_ldap_auth = true) for LDAP server authentication                        |
 
 ### Defining users
 
@@ -174,6 +180,21 @@ A complete overview of share options follows below. Only `name` is required, the
 
 The values for `valid_users` and `write_list` should be a comma separated list of users. Names prepended with `+` or `@` are interpreted as groups. The documentation for the [Samba configuration](https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html) has more details on these options.
 
+### Authenticating with LDAP server
+
+You may want to authenticate with an LDAP server that has defined system users and groups, so you could create samba users and shares from these system users and groups. Authenticating to an LDAP server, can be done by using the following variables. 
+When the first defined variable, `samba_ldap_auth` is set to true, the necessary OpenLDAP packages will be installed and a connection (when the other two variables are set as well) to an LDAP server will be made.
+
+```Yaml
+samba_ldap_auth: true
+samba_openldap_server_ip_address: 192.168.0.1
+samba_openldap_server_domain_name: example.local
+```
+
+Use the following commands to check if you have access to the LDAP's server created users: `getent passwd`
+
+Use the following commands to check if you have access to the LDAP's server created group: `ldapsearch -x -LLL`
+
 ## Adding arbitrary configuration files
 
 You can add settings that are not supported by this role out-of-the-box through custom configuration files that will be included from the main configuration file. There are three types of include files: for the global section, for the homes section, and for individual shares. Put your custom configuration files in a subdirectory `templates`, relative to your master playbook location. Then, specify them in the variables `samba_global_include`, `samba_homes_include`, or `include_file` in the `samba_shares` definition.

defaults/main.yml

@@ -18,6 +18,7 @@ samba_shares_root: '/srv/shares'
 samba_shares: []
 samba_users: []
 
+samba_ldap_auth: false
 samba_wins_support: 'yes'
 samba_local_master: 'yes'
 samba_domain_master: 'yes'

tasks/install_&_configure_LDAP.yml

@@ -0,0 +1,14 @@
+- name: Install OpenLDAP and its packages for RedHat
+  yum:
+    name: "{{ openldap_client_packages }}"
+    state: present
+  when: ansible_os_family == 'RedHat'
+
+
+- name: Conect to LDAP server
+  shell: authconfig 
+        --enableldap 
+        --enableldapauth 
+        --ldapserver={{ samba_openldap_server_ip_address }} 
+        --ldapbasedn="dc={{ samba_openldap_server_domain_name.split('.')[0] }},dc={{ samba_openldap_server_domain_name.split('.')[1] }}" 
+        --enablemkhomedir --updateall

tasks/main.yml

@@ -8,6 +8,9 @@
     - "os_{{ ansible_os_family }}.yml"
   tags: samba
 
+- include: install_&_configure_LDAP.yml
+  when: samba_ldap_auth == true
+
 - name: Install Samba packages
   package:
     name: "{{ samba_packages }}"
@@ -159,3 +162,5 @@
   register: create_user_output
   changed_when: "'Added user' in create_user_output.stdout"
   tags: samba
+
+

vars/os_RedHat.yml

@@ -24,3 +24,10 @@ samba_services:
   - nmb
 
 samba_www_documentroot: /var/www/html
+
+openldap_client_packages:
+  - openldap
+  - openldap-clients
+  - authconfig
+  - pam_ldap
+