ldap_ban.yml

# -*- eval: (ansible) -*-
- include: vault.yml load=ldap hosts=ldap.hashbang.sh

- name: Parse parameters
  hosts: ldap.hashbang.sh,shell_servers
  gather_facts: no

  vars_prompt:
    - name: users
      prompt: Comma-separated list of users to ban
      private: no

    - name: delete_home
      prompt: Delete home directories? (yes/no)
      private: no
      default: "no"

    - name: delete_ssh
      prompt: Delete SSH keys in LDAP? (yes/no)
      private: no
      default: "no"

  tasks:
    - name: Parse users list
      set_fact:
        user_list: "{{ users.split(',') }}"
        delete_homedirs: "{{ delete_home }}"
        delete_ssh_keys: "{{ delete_ssh  }}"

- name: Update LDAP directory
  hosts: ldap.hashbang.sh
  gather_facts: no
  tasks:
    - name: Disable the account (shell set to nologin)
      delegate_to: localhost
      with_items: "{{ user_list }}"
      ldap_attr:
        server_uri: ldaps://ldap.hashbang.sh
        bind_dn: "{{ ldap.admin.dn }}"
        bind_pw: "{{ ldap.admin.password }}"

        dn: uid={{ item }},ou=People,dc=hashbang,dc=sh
        name: loginShell
        state: exact
        values: /usr/sbin/nologin

    - name: Remove SSH keys
      delegate_to: localhost
      with_items: "{{ user_list }}"
      when: delete_ssh_keys
      ldap_attr:
        server_uri: ldaps://ldap.hashbang.sh
        bind_dn: "{{ ldap.admin.dn }}"
        bind_pw: "{{ ldap.admin.password }}"

        dn: uid={{ item }},ou=People,dc=hashbang,dc=sh
        name: sshPublicKey
        state: exact
        values: ""

- hosts: shell_servers
  become: true
  gather_facts: no
  tasks:
    - name: Invalidate SSSd cache entries
      command: sss_cache -u {{ item }}
      with_items: "{{ user_list }}"
      changed_when: false
      ignore_errors: yes

    - name: Terminate user sessions
      command: loginctl terminate-user {{ item }}
      register: terminate
      with_items: "{{ user_list }}"
      failed_when: |
        'Could not terminate user: No user' not in terminate.stderr
        and terminate is failed
      changed_when: terminate.stderr and terminate is success

    - name: Delete home directories
      when: delete_homedirs
      with_items: "{{ user_list }}"
      file:
        path: /home/{{ item }}
        state: absent