Getting started

Support for sudoers in LDAP

The debops.sudo role will automatically enable integration with the debops.ldap Ansible role to configure support for sudoers rules defined in the LDAP directory. When LDAP support and LDAP-POSIX integration are enabled on a host, the role registers its own LDAP account object (using debops.ldap as a dependency) and configures access to the LDAP directory using a simple bind. The ldap/init-directory.yml Ansible playbook creates the LDAP directory structure required for sudoers rules.

See the sudoers.ldap(5) manual page for more details about the LDAP support in sudo.
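As an added illustration, not part of the DebOps documentation or the role's own code, the following Python script parses sudoRole entries written as LDIF (the attribute layout described in sudoers.ldap(5)) and flags rules that grant every command or disable authentication. The LDIF data, the dc=example,dc=org suffix and the ou=SUDOers container are constructed sample values.

```python
import re

# Constructed sample LDIF (not real directory data): two sudoRole entries.
SAMPLE_LDIF = """\
dn: cn=admins,ou=SUDOers,dc=example,dc=org
objectClass: sudoRole
cn: admins
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL

dn: cn=backup,ou=SUDOers,dc=example,dc=org
objectClass: sudoRole
cn: backup
sudoUser: backup
sudoHost: ALL
sudoCommand: /usr/bin/rsync
sudoOption: !authenticate
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry (folded lines joined)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry, last = {}, None
        for line in block.splitlines():
            if line.startswith(" ") and last:  # LDIF continuation line
                entry[last][-1] += line[1:]
                continue
            attr, _, value = line.partition(":")
            last = attr.strip()
            entry.setdefault(last, []).append(value.strip())
        entries.append(entry)
    return entries


def audit_sudo_roles(entries):
    """Flag sudoRole entries granting every command or disabling authentication."""
    findings = []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        name = e["cn"][0]
        if "ALL" in e.get("sudoCommand", []):
            findings.append((name, "grants ALL commands"))
        if "!authenticate" in e.get("sudoOption", []):
            findings.append((name, "runs without authentication"))
    return findings
```

Running `audit_sudo_roles(parse_ldif(SAMPLE_LDIF))` over the sample reports the admins rule for ALL commands and the backup rule for the !authenticate option.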

Example inventory

The debops.sudo role is included by default in the common.yml DebOps playbook; you don't need to add hosts to any Ansible groups to enable it.

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.sudo role:

---

- name: Configure sudo service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_sudo' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  roles:

    - role: python
      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
      python__dependent_packages3:
        - '{{ ldap__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ ldap__python__dependent_packages2 }}'

    - role: ldap
      tags: [ 'role::ldap', 'skip::ldap' ]
      ldap__dependent_tasks:
        - '{{ sudo__ldap__dependent_tasks }}'

    - role: sudo
      tags: [ 'role::sudo', 'skip::sudo' ]

Ansible tags

You can use the Ansible --tags or --skip-tags parameters to limit which tasks are performed during an Ansible run. This can be used after a host has been configured for the first time to speed up playbook execution, when you are sure that most of the configuration is already in the desired state.

Available role tags:

role::sudo
Main role tag; it should be used in the playbook to execute all of the role tasks as well as the role dependencies.

Other resources

List of other useful resources related to the debops.sudo Ansible role: