Setting up ldap auth on Ubuntu

I am trying to set up ldap authentication on Ubuntu machines using Ansible. A challenge here is that if you simply do:
apt-get install -y libnss-ldap libpam-ldap ldap-utils nscd

You get dialog boxes with values to fill in.

I found this out of date page which got me started using debconf to set the values for those dialogs: linux - How to do an initial setup of slapd OLC with ldapmodify - Stack Overflow

And using that I was able to come up with this shell script that works (some values have been anonymized):

export DEBIAN_FRONTEND=noninteractive
sudo debconf-set-selections <<EOF
ldap-auth-config        ldap-auth-config/dblogin        boolean false
ldap-auth-config        ldap-auth-config/dbrootlogin    boolean true
ldap-auth-config        ldap-auth-config/ldapns/base-dn string  myvalue
ldap-auth-config        ldap-auth-config/ldapns/ldap-server     string  myvalue
ldap-auth-config        ldap-auth-config/ldapns/ldap_version    select  3
ldap-auth-config        ldap-auth-config/override       boolean true
ldap-auth-config        ldap-auth-config/rootbinddn     string  myvalue
ldap-auth-config        ldap-auth-config/rootbindpw     password myvalue
EOF
apt-get -y install libnss-ldap libpam-ldap ldap-utils nscd

So trying to convert that to Ansible tasks I’ve got this so far:

- name: install debconf-utils
  apt:
    name:
      - debconf-utils
    update_cache: yes
- name: do ldap auth install
  ansible.builtin.shell:
    cmd: |
      export DEBIAN_FRONTEND=noninteractive
      debconf-set-selections <<EOF
      ldap-auth-config        ldap-auth-config/dblogin        boolean false
      ldap-auth-config        ldap-auth-config/dbrootlogin    boolean true
      ldap-auth-config        ldap-auth-config/ldapns/base-dn string  myvalue
      ldap-auth-config        ldap-auth-config/ldapns/ldap-server     string  myvalue
      ldap-auth-config        ldap-auth-config/ldapns/ldap_version    select  3
      ldap-auth-config        ldap-auth-config/override       boolean true
      ldap-auth-config        ldap-auth-config/rootbinddn     string  myvalue
      ldap-auth-config        ldap-auth-config/rootbindpw     password myvalue
      EOF
      apt-get install -y libnss-ldap libpam-ldap ldap-utils nscd

But I’d really prefer to use the apt module for the actual install, and I don’t see how to set DEBIAN_FRONTEND=noninteractive with the Ansible apt module.

Can someone get me the rest of the way?

After posting this I tested and found out that the Ansible apt module appears to set DEBIAN_FRONTEND=noninteractive out of the box so I basically had it and now it’s working. So the final tasks look like:

- name: install debconf-utils
  apt:
    pkg:
      - debconf-utils
    state: latest
    update_cache: yes
- name: set debconf values
  ansible.builtin.shell:
    cmd: |
      debconf-set-selections <<EOF
      ldap-auth-config        ldap-auth-config/dblogin        boolean false
      ldap-auth-config        ldap-auth-config/dbrootlogin    boolean true
      ldap-auth-config        ldap-auth-config/ldapns/base-dn string  changeme
      ldap-auth-config        ldap-auth-config/ldapns/ldap-server     string  changeme
      ldap-auth-config        ldap-auth-config/ldapns/ldap_version    select  3
      ldap-auth-config        ldap-auth-config/override       boolean true
      ldap-auth-config        ldap-auth-config/rootbinddn     string  changeme
      ldap-auth-config        ldap-auth-config/rootbindpw     password changeme
      EOF
- name: install ldap auth
  apt:
    pkg:
      - libnss-ldap
      - libpam-ldap
      - ldap-utils
      - nscd
    state: latest
    update_cache: yes
- name: configure common-session
  lineinfile:
    path: /etc/pam.d/common-session
    line: 'session required    	pam_mkhomedir.so skel=/etc/skel umask=077'
- name: configure ldap.conf
  lineinfile:
    path: /etc/ldap.conf
    line: 'nss_override_attribute_value loginShell /bin/bash'
- name: Restart service nscd, in all cases
  service:
    name: nscd
    state: restarted

Just so nobody tries this and it doesn’t work for them, a remaining thing I’ve got to add is to update the lines in /etc/nsswitch.conf to read:
passwd: compat ldap
group: compat ldap
shadow: compat ldap


You could potentially use the debconf module rather than the shell module for this if you want.

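The debconf-module version of the tasks above, as an added example that is not from this thread: the same ldap-auth-config answers preseeded with ansible.builtin.debconf (the bind password kept out of the log with no_log), followed by the package install and the nsswitch.conf edit the original poster lists as still missing. The host group, DNs, server URI and the ldap_rootbindpw vault variable are placeholders.

```yaml
- hosts: ldap_clients
  become: true
  vars:
    ldap_base_dn: "dc=example,dc=org"              # placeholder
    ldap_server_uri: "ldaps://ldap.example.org"    # placeholder; TLS keeps the bind password off the wire
    ldap_rootbinddn: "cn=admin,dc=example,dc=org"  # placeholder
    # ldap_rootbindpw: supply from an Ansible Vault file, never in the playbook
  tasks:
    - name: Preseed the non-secret ldap-auth-config answers
      ansible.builtin.debconf:
        name: ldap-auth-config
        question: "{{ item.q }}"
        vtype: "{{ item.t }}"
        value: "{{ item.v }}"
      loop:
        - { q: ldap-auth-config/dblogin,             t: boolean, v: "false" }
        - { q: ldap-auth-config/dbrootlogin,         t: boolean, v: "true" }
        - { q: ldap-auth-config/ldapns/base-dn,      t: string,  v: "{{ ldap_base_dn }}" }
        - { q: ldap-auth-config/ldapns/ldap-server,  t: string,  v: "{{ ldap_server_uri }}" }
        - { q: ldap-auth-config/ldapns/ldap_version, t: select,  v: "3" }
        - { q: ldap-auth-config/override,            t: boolean, v: "true" }
        - { q: ldap-auth-config/rootbinddn,          t: string,  v: "{{ ldap_rootbinddn }}" }
    - name: Preseed the root bind password without writing it to the log
      ansible.builtin.debconf:
        name: ldap-auth-config
        question: ldap-auth-config/rootbindpw
        vtype: password
        value: "{{ ldap_rootbindpw }}"
      no_log: true

    # Must run after the preseed: debconf answers are read when the package is configured.
    - name: Install the LDAP NSS/PAM packages (the apt module is already non-interactive)
      ansible.builtin.apt:
        pkg: [libnss-ldap, libpam-ldap, ldap-utils, nscd]
        state: present
        update_cache: true

    # regexp replaces the existing database line instead of appending a duplicate on re-runs
    - name: Add ldap to the passwd, group and shadow databases
      ansible.builtin.lineinfile:
        path: /etc/nsswitch.conf
        regexp: '^{{ item }}:'
        line: '{{ item }}: compat ldap'
      loop: [passwd, group, shadow]
      notify: restart nscd
  handlers:
    - name: restart nscd
      ansible.builtin.service:
        name: nscd
        state: restarted
```

Because the preseed tasks are idempotent, the play can be re-run safely, and nscd is only restarted when nsswitch.conf actually changes.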

Thanks, that does look better! Despite having used Ubuntu for over a decade I didn’t know about the debconf subsystem until yesterday. I guess until you’re looking to automate installs it’s not something you’d be aware of. At the time I was posting this I was focusing on the aspect that I thought I had to set DEBIAN_FRONTEND=noninteractive to run the apt install until I discovered that was built in. When I was Googling for automated LDAP auth install I only found obsolete info, hopefully this thread will be useful for future searches.
