kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-07-05 08:23:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

Refactored LDAP and Keycloak implementation and added RBAC based groups to Keycloak

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-07-04 16:16:45 +02:00
parent ee0561db72
commit 06b864ad52
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
17 changed files with 206 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
group_vars/all/12_oidc.yml
View File

@ -39,4 +39,6 @@ defaults_oidc:
username: "preferred_username" username: "preferred_username"
given_name: "givenName" given_name: "givenName"
family_name: "surname" family_name: "surname"
email: "email" email: "email"
claims:
groups: "groups"

47
group_vars/all/13_ldap.yml
View File

@ -54,14 +54,6 @@ ldap:
# Keeping these distinct prevents accidental use of config credentials # Keeping these distinct prevents accidental use of config credentials
# for ordinary user/group operations, and vice versa. # for ordinary user/group operations, and vice versa.
attributes:
# Attribut to identify the user
user_id: "{{ _ldap_user_id }}"
mail: "mail"
fullname: "cn"
firstname: "givenname"
surname: "sn"
ssh_public_key: "sshPublicKey"
# Password to access dn.bind # Password to access dn.bind
bind_credential: "{{ applications.ldap.credentials.administrator_database_password }}" bind_credential: "{{ applications.ldap.credentials.administrator_database_password }}"
server: server:
@ -71,21 +63,30 @@ ldap:
security: "" #TLS, SSL - Leave empty for none security: "" #TLS, SSL - Leave empty for none
network: network:
local: "{{applications.ldap.network.docker}}" # Uses the application configuration to define if local network should be available or not local: "{{applications.ldap.network.docker}}" # Uses the application configuration to define if local network should be available or not
user_objects: user:
structural: objects:
- person # Structural Classes define the core identity of an entry: structural:
# • Specify mandatory attributes (e.g. sn, cn) - person # Structural Classes define the core identity of an entry:
# • Each entry must have exactly one structural class # • Specify mandatory attributes (e.g. sn, cn)
- inetOrgPerson # An extension of person adding internet-related attributes # • Each entry must have exactly one structural class
# (e.g. mail, employeeNumber) - inetOrgPerson # An extension of person adding internet-related attributes
- posixAccount # Provides UNIX account attributes (uidNumber, gidNumber, # (e.g. mail, employeeNumber)
# homeDirectory) - posixAccount # Provides UNIX account attributes (uidNumber, gidNumber,
auxiliary: # homeDirectory)
- nextcloudUser # Auxiliary Classes attach optional attributes without auxiliary:
# changing the entrys structural role. Here they add nextloud_user: "nextcloudUser" # Auxiliary Classes attach optional attributes without
# nextcloudQuota and nextcloudEnabled for Nextcloud. # changing the entrys structural role. Here they add
- ldapPublicKey # Allows storing SSH public keys for services like Gitea. # nextcloudQuota and nextcloudEnabled for Nextcloud.
ssh_public_key: "ldapPublicKey" # Allows storing SSH public keys for services like Gitea.
attributes:
# Attribut to identify the user
id: "{{ _ldap_user_id }}"
mail: "mail"
fullname: "cn"
firstname: "givenname"
surname: "sn"
ssh_public_key: "sshPublicKey"
nextcloud_quota: "nextcloudQuota"
filters: filters:
users: users:
login: "(&{{ _ldap_filters_users_all }}({{_ldap_user_id}}=%{{_ldap_user_id}}))" login: "(&{{ _ldap_filters_users_all }}({{_ldap_user_id}}=%{{_ldap_user_id}}))"

4
roles/docker-bigbluebutton/templates/env.j2
View File

@ -170,7 +170,7 @@ OAUTH2_REDIRECT=
# LDAP_SERVER=ldap.example.com # LDAP_SERVER=ldap.example.com
# LDAP_PORT=389 # LDAP_PORT=389
# LDAP_METHOD=plain # LDAP_METHOD=plain
# LDAP_UID={{ldap.attributes.user_id}} # LDAP_UID={{ldap.user.attributes.id}}
# LDAP_BASE=dc=example,dc=com # LDAP_BASE=dc=example,dc=com
# LDAP_AUTH=simple # LDAP_AUTH=simple
# LDAP_BIND_DN=cn=admin,dc=example,dc=com # LDAP_BIND_DN=cn=admin,dc=example,dc=com
@ -180,7 +180,7 @@ OAUTH2_REDIRECT=
LDAP_SERVER="{{ldap.server.domain}}" LDAP_SERVER="{{ldap.server.domain}}"
LDAP_PORT="{{ldap.server.port}}" LDAP_PORT="{{ldap.server.port}}"
LDAP_METHOD= LDAP_METHOD=
LDAP_UID={{ldap.attributes.user_id}} LDAP_UID={{ldap.user.attributes.id}}
LDAP_BASE="{{ldap.dn.root}}" LDAP_BASE="{{ldap.dn.root}}"
LDAP_BIND_DN="{{ldap.dn.administrator.data}}" LDAP_BIND_DN="{{ldap.dn.administrator.data}}"
LDAP_AUTH=password LDAP_AUTH=password

4
roles/docker-funkwhale/templates/env.j2
View File

@ -111,10 +111,10 @@ LDAP_ENABLED = True
LDAP_SERVER_URI = "{{ ldap.server.uri }}" LDAP_SERVER_URI = "{{ ldap.server.uri }}"
LDAP_BIND_DN = "{{ ldap.dn.administrator.data }}" LDAP_BIND_DN = "{{ ldap.dn.administrator.data }}"
LDAP_BIND_PASSWORD = "{{ ldap.bind_credential }}" LDAP_BIND_PASSWORD = "{{ ldap.bind_credential }}"
#LDAP_SEARCH_FILTER = "{{ ldap.filters.users.login | replace('%' ~ ldap.attributes.user_id, '{0}') }}" #LDAP_SEARCH_FILTER = "{{ ldap.filters.users.login | replace('%' ~ ldap.user.attributes.id, '{0}') }}"
LDAP_START_TLS = False LDAP_START_TLS = False
LDAP_ROOT_DN = "{{ldap.dn.root}}" LDAP_ROOT_DN = "{{ldap.dn.root}}"
#LDAP_USER_ATTR_MAP = "first_name:{{ ldap.attributes.firstname }}, last_name:{{ ldap.attributes.surname }}, username:{{ ldap.attributes.user_id }}, email:{{ ldap.attributes.mail }}" #LDAP_USER_ATTR_MAP = "first_name:{{ ldap.user.attributes.firstname }}, last_name:{{ ldap.user.attributes.surname }}, username:{{ ldap.user.attributes.id }}, email:{{ ldap.user.attributes.mail }}"
{% endif %} {% endif %}

10
roles/docker-gitea/vars/main.yml
View File

@ -9,9 +9,9 @@ gitea_ldap_auth_args:
- '--bind-password "{{ ldap.bind_credential }}"' - '--bind-password "{{ ldap.bind_credential }}"'
- '--user-search-base "{{ ldap.dn.ou.users }}"' - '--user-search-base "{{ ldap.dn.ou.users }}"'
- '--user-filter "(&(objectClass=inetOrgPerson)(uid=%s))"' - '--user-filter "(&(objectClass=inetOrgPerson)(uid=%s))"'
- '--username-attribute "{{ ldap.attributes.user_id }}"' - '--username-attribute "{{ ldap.user.attributes.id }}"'
- '--firstname-attribute "{{ ldap.attributes.firstname }}"' - '--firstname-attribute "{{ ldap.user.attributes.firstname }}"'
- '--surname-attribute "{{ ldap.attributes.surname }}"' - '--surname-attribute "{{ ldap.user.attributes.surname }}"'
- '--email-attribute "{{ ldap.attributes.mail }}"' - '--email-attribute "{{ ldap.user.attributes.mail }}"'
- '--public-ssh-key-attribute "{{ ldap.attributes.ssh_public_key }}"' - '--public-ssh-key-attribute "{{ ldap.user.attributes.ssh_public_key }}"'
- '--synchronize-users' - '--synchronize-users'

10
roles/docker-keycloak/tasks/attributes/ssh_public_key.yml
View File

@ -32,19 +32,19 @@
set_fact: set_fact:
ldap_component_id: "{{ (ldap_components.stdout | from_json)[0].id }}" ldap_component_id: "{{ (ldap_components.stdout | from_json)[0].id }}"
- name: Ensure {{ ldap.attributes.ssh_public_key }} LDAP Mapper exists - name: Ensure {{ ldap.user.attributes.ssh_public_key }} LDAP Mapper exists
shell: | shell: |
docker exec -i keycloak_application bash -c ' docker exec -i keycloak_application bash -c '
/opt/keycloak/bin/kcadm.sh get components -r {{ keycloak_realm }} \ /opt/keycloak/bin/kcadm.sh get components -r {{ keycloak_realm }} \
| grep -q "\"name\" : \"{{ ldap.attributes.ssh_public_key }}\"" \ | grep -q "\"name\" : \"{{ ldap.user.attributes.ssh_public_key }}\"" \
|| printf "%s\n" "{ || printf "%s\n" "{
\"name\": \"{{ ldap.attributes.ssh_public_key }}\", \"name\": \"{{ ldap.user.attributes.ssh_public_key }}\",
\"parentId\": \"{{ ldap_component_id }}\", \"parentId\": \"{{ ldap_component_id }}\",
\"providerId\": \"user-attribute-ldap-mapper\", \"providerId\": \"user-attribute-ldap-mapper\",
\"providerType\": \"org.keycloak.storage.ldap.mappers.LDAPStorageMapper\", \"providerType\": \"org.keycloak.storage.ldap.mappers.LDAPStorageMapper\",
\"config\": { \"config\": {
\"user.model.attribute\": [\"{{ ldap.attributes.ssh_public_key }}\"], \"user.model.attribute\": [\"{{ ldap.user.attributes.ssh_public_key }}\"],
\"ldap.attribute\": [\"{{ ldap.attributes.ssh_public_key }}\"], \"ldap.attribute\": [\"{{ ldap.user.attributes.ssh_public_key }}\"],
\"read.only\": [\"false\"], \"read.only\": [\"false\"],
\"write.only\": [\"true\"], \"write.only\": [\"true\"],
\"always.read.value.from.ldap\": [\"false\"], \"always.read.value.from.ldap\": [\"false\"],

155
roles/docker-keycloak/templates/import/realm.json.j2
View File

@ -885,12 +885,14 @@
"email" "email"
], ],
"optionalClientScopes": [ "optionalClientScopes": [
"nextcloud",
"address", "address",
"phone", "phone",
"organization", "organization",
"offline_access", "offline_access",
"microprofile-jwt" "microprofile-jwt",
"{{ applications[application_id]scopes.rbac_roles }}",
"{{ applications[application_id]scopes.nextcloud }}"
] ]
} }
], ],
@ -1195,7 +1197,7 @@
}, },
{ {
"id": "15dd4961-5b4f-4635-a3f1-a21e1fa7bf3a", "id": "15dd4961-5b4f-4635-a3f1-a21e1fa7bf3a",
"name": "nextcloud", "name": "{{ applications[application_id]scopes.nextcloud }}",
"description": "Optimized mappers for nextcloud oidc_login with ldap.", "description": "Optimized mappers for nextcloud oidc_login with ldap.",
"protocol": "openid-connect", "protocol": "openid-connect",
"attributes": { "attributes": {
@ -1207,7 +1209,7 @@
"protocolMappers": [ "protocolMappers": [
{ {
"id": "62190b21-f649-4aa2-806a-2bf7ba103ce1", "id": "62190b21-f649-4aa2-806a-2bf7ba103ce1",
"name": "nextcloudQuota", "name": "{{ ldap.user.attributes.nextcloud_quota }}",
"protocol": "openid-connect", "protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper", "protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false, "consentRequired": false,
@ -1216,11 +1218,11 @@
"introspection.token.claim": "true", "introspection.token.claim": "true",
"multivalued": "false", "multivalued": "false",
"userinfo.token.claim": "true", "userinfo.token.claim": "true",
"user.attribute": "nextcloudQuota", "user.attribute": "{{ ldap.user.attributes.nextcloud_quota }}",
"id.token.claim": "true", "id.token.claim": "true",
"lightweight.claim": "false", "lightweight.claim": "false",
"access.token.claim": "true", "access.token.claim": "true",
"claim.name": "nextcloudQuota", "claim.name": "{{ ldap.user.attributes.nextcloud_quota }}",
"jsonType.label": "int" "jsonType.label": "int"
} }
}, },
@ -1239,12 +1241,43 @@
"id.token.claim": "true", "id.token.claim": "true",
"lightweight.claim": "false", "lightweight.claim": "false",
"access.token.claim": "true", "access.token.claim": "true",
"claim.name": "{{ldap.attributes.user_id}}", "claim.name": "{{ldap.user.attributes.id}}",
"jsonType.label": "String" "jsonType.label": "String"
} }
} }
] ]
}, },
{
"id": "59917c48-a7ef-464a-a8b0-ea24316db18e",
"name": "{{ applications[application_id]scopes.rbac_roles }}",
"description": "RBAC Groups",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "false",
"display.on.consent.screen": "true",
"gui.order": "",
"consent.screen.text": ""
},
"protocolMappers": [
{
"id": "0388cdf9-4751-484a-956c-431dbd872578",
"name": "groups",
"protocol": "openid-connect",
"protocolMapper": "oidc-group-membership-mapper",
"consentRequired": false,
"config": {
"full.path": "true",
"introspection.token.claim": "true",
"userinfo.token.claim": "true",
"multivalued": "true",
"id.token.claim": "true",
"lightweight.claim": "false",
"access.token.claim": "true",
"claim.name": "{{ oidc.claims.groups }}"
}
}
]
},
{ {
"id": "c07f07bc-c4f9-48c7-87e6-0a09fca6bfa0", "id": "c07f07bc-c4f9-48c7-87e6-0a09fca6bfa0",
"name": "web-origins", "name": "web-origins",
@ -1637,12 +1670,13 @@
"basic" "basic"
], ],
"defaultOptionalClientScopes": [ "defaultOptionalClientScopes": [
"nextcloud",
"offline_access", "offline_access",
"address", "address",
"phone", "phone",
"microprofile-jwt", "microprofile-jwt",
"organization" "organization",
"{{ applications[application_id]scopes.rbac_roles }}",
"{{ applications[application_id]scopes.nextcloud }}"
], ],
"browserSecurityHeaders": { "browserSecurityHeaders": {
"contentSecurityPolicyReportOnly": "", "contentSecurityPolicyReportOnly": "",
@ -1792,7 +1826,7 @@
"subComponents": {}, "subComponents": {},
"config": { "config": {
"kc.user.profile.config": [ "kc.user.profile.config": [
"{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"pattern\":{\"pattern\":\"^[a-z0-9]+$\",\"error-message\":\"\"}},\"annotations\":{},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"{{ ldap.attributes.ssh_public_key }}\",\"displayName\":\"SSH Public Key\",\"validations\":{},\"annotations\":{},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"group\":\"user-metadata\",\"multivalued\":true}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}]}" "{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"pattern\":{\"pattern\":\"^[a-z0-9]+$\",\"error-message\":\"\"}},\"annotations\":{},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"{{ ldap.user.attributes.ssh_public_key }}\",\"displayName\":\"SSH Public Key\",\"validations\":{},\"annotations\":{},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"group\":\"user-metadata\",\"multivalued\":true}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}]}"
] ]
} }
} }
@ -1858,12 +1892,12 @@
}, },
{ {
"id": "12b99578-e0bf-4eeb-b0fb-8e400c0cd73e", "id": "12b99578-e0bf-4eeb-b0fb-8e400c0cd73e",
"name": "nextcloudQuota", "name": "{{ ldap.user.attributes.nextcloud_quota }}",
"providerId": "user-attribute-ldap-mapper", "providerId": "user-attribute-ldap-mapper",
"subComponents": {}, "subComponents": {},
"config": { "config": {
"ldap.attribute": [ "ldap.attribute": [
"nextcloudQuota" "{{ ldap.user.attributes.nextcloud_quota }}"
], ],
"is.mandatory.in.ldap": [ "is.mandatory.in.ldap": [
"false" "false"
@ -1881,7 +1915,86 @@
"false" "false"
], ],
"user.model.attribute": [ "user.model.attribute": [
"nextcloudQuota" "{{ ldap.user.attributes.nextcloud_quota }}"
]
}
},
{
"id": "24cd9c3b-e22d-4540-bddf-ae7faac0196c",
"name": "SSH Public Key",
"providerId": "user-attribute-ldap-mapper",
"subComponents": {},
"config": {
"ldap.attribute": [
"{{ ldap.user.attributes.ssh_public_key }}"
],
"is.mandatory.in.ldap": [
"false"
],
"attribute.force.default": [
"false"
],
"is.binary.attribute": [
"false"
],
"read.only": [
"false"
],
"always.read.value.from.ldap": [
"true"
],
"user.model.attribute": [
"{{ ldap.user.attributes.ssh_public_key }}"
]
}
},
{
"id": "f56e4551-c5b5-4596-b567-bc8309a74e72",
"name": "ldap-roles",
"providerId": "group-ldap-mapper",
"subComponents": {},
"config": {
"membership.attribute.type": [
"DN"
],
"group.name.ldap.attribute": [
"{{ ldap.user.attributes.fullname }}"
],
"membership.user.ldap.attribute": [
"{{ ldap.user.attributes.id }}"
],
"preserve.group.inheritance": [
"false"
],
"groups.dn": [
"{{ ldap.dn.ou.roles }}"
],
"mode": [
"LDAP_ONLY"
],
"user.roles.retrieve.strategy": [
"LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"
],
"groups.ldap.filter": [
"(objectClass=groupOfNames)"
],
"membership.ldap.attribute": [
"member"
],
"ignore.missing.groups": [
"true"
],
"group.object.classes": [
"groupOfNames"
],
"memberof.ldap.attribute": [
"memberOf"
],
"drop.non.existing.groups.during.sync": [
"false"
],
"groups.path": [
"{{ applications[application_id].rbac_groups }}"
] ]
} }
}, },
@ -1944,7 +2057,7 @@
"true" "true"
], ],
"ldap.full.name.attribute": [ "ldap.full.name.attribute": [
"{{ ldap.attributes.fullname }}" "{{ ldap.user.attributes.fullname }}"
] ]
} }
}, },
@ -1955,7 +2068,7 @@
"subComponents": {}, "subComponents": {},
"config": { "config": {
"ldap.attribute": [ "ldap.attribute": [
"{{ldap.attributes.user_id}}" "{{ldap.user.attributes.id}}"
], ],
"is.mandatory.in.ldap": [ "is.mandatory.in.ldap": [
"true" "true"
@ -1984,7 +2097,7 @@
"subComponents": {}, "subComponents": {},
"config": { "config": {
"ldap.attribute": [ "ldap.attribute": [
"{{ ldap.attributes.ssh_public_key }}" "{{ ldap.user.attributes.ssh_public_key }}"
], ],
"is.mandatory.in.ldap": [ "is.mandatory.in.ldap": [
"false" "false"
@ -2002,7 +2115,7 @@
"true" "true"
], ],
"user.model.attribute": [ "user.model.attribute": [
"{{ ldap.attributes.ssh_public_key }}" "{{ ldap.user.attributes.ssh_public_key }}"
] ]
} }
}, },
@ -2069,7 +2182,7 @@
"-1" "-1"
], ],
"usernameLDAPAttribute": [ "usernameLDAPAttribute": [
"{{ldap.attributes.user_id}}" "{{ldap.user.attributes.id}}"
], ],
"bindDn": [ "bindDn": [
"{{ldap.dn.administrator.data}}" "{{ldap.dn.administrator.data}}"
@ -2081,7 +2194,7 @@
"other" "other"
], ],
"uuidLDAPAttribute": [ "uuidLDAPAttribute": [
"{{ldap.attributes.user_id}}" "{{ldap.user.attributes.id}}"
], ],
"allowKerberosAuthentication": [ "allowKerberosAuthentication": [
"false" "false"
@ -2111,10 +2224,10 @@
"false" "false"
], ],
"userObjectClasses": [ "userObjectClasses": [
"{{ ldap.user_objects | join(', ') }}" "{{ ldap.user.objects | join(', ') }}"
], ],
"rdnLDAPAttribute": [ "rdnLDAPAttribute": [
"{{ldap.attributes.user_id}}" "{{ldap.user.attributes.id}}"
], ],
"editMode": [ "editMode": [
"WRITABLE" "WRITABLE"

7
roles/docker-keycloak/vars/configuration.yml
View File

@ -19,4 +19,9 @@ csp:
unsafe-inline: true unsafe-inline: true
domains: domains:
canonical: canonical:
- "auth.{{ primary_domain }}" - "auth.{{ primary_domain }}"
scopes:
rbac_roles: rbac_roles
nextcloud: nextcloud
rbac_groups: "/rbac"

4
roles/docker-ldap/tasks/add_user_objects.yml
View File

@ -9,7 +9,7 @@
attrs: attrs:
- dn - dn
- objectClass - objectClass
- "{{ ldap.attributes.user_id }}" - "{{ ldap.user.attributes.id }}"
register: ldap_users_with_classes register: ldap_users_with_classes
- name: Add only missing auxiliary classes - name: Add only missing auxiliary classes
@ -28,7 +28,7 @@
label: "{{ item.dn }}" label: "{{ item.dn }}"
vars: vars:
missing_auxiliary: >- missing_auxiliary: >-
{{ ldap.user_objects.auxiliary {{ (ldap.user.objects.auxiliary.values() | list)
| difference(item.objectClass | default([])) | difference(item.objectClass | default([]))
}} }}
when: missing_auxiliary | length > 0 when: missing_auxiliary | length > 0

8
roles/docker-ldap/tasks/main.yml
View File

@ -63,11 +63,11 @@
############################################################################### ###############################################################################
- name: Ensure LDAP users exist - name: Ensure LDAP users exist
community.general.ldap_entry: community.general.ldap_entry:
dn: "{{ ldap.attributes.user_id }}={{ item.key }},{{ ldap.dn.ou.users }}" dn: "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}"
server_uri: "{{ ldap_server_uri }}" server_uri: "{{ ldap_server_uri }}"
bind_dn: "{{ ldap.dn.administrator.data }}" bind_dn: "{{ ldap.dn.administrator.data }}"
bind_pw: "{{ ldap.bind_credential }}" bind_pw: "{{ ldap.bind_credential }}"
objectClass: "{{ ldap.user_objects.structural }}" objectClass: "{{ ldap.user.objects.structural }}"
attributes: attributes:
uid: "{{ item.value.username }}" uid: "{{ item.value.username }}"
sn: "{{ item.value.sn | default(item.key) }}" sn: "{{ item.value.sn | default(item.key) }}"
@ -89,12 +89,12 @@
############################################################################### ###############################################################################
- name: Ensure required objectClass values and mail address are present - name: Ensure required objectClass values and mail address are present
community.general.ldap_attrs: community.general.ldap_attrs:
dn: "{{ ldap.attributes.user_id }}={{ item.key }},{{ ldap.dn.ou.users }}" dn: "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}"
server_uri: "{{ ldap_server_uri }}" server_uri: "{{ ldap_server_uri }}"
bind_dn: "{{ ldap.dn.administrator.data }}" bind_dn: "{{ ldap.dn.administrator.data }}"
bind_pw: "{{ ldap.bind_credential }}" bind_pw: "{{ ldap.bind_credential }}"
attributes: attributes:
objectClass: "{{ ldap.user_objects.structural }}" objectClass: "{{ ldap.user.objects.structural }}"
mail: "{{ item.value.email }}" mail: "{{ item.value.email }}"
state: exact state: exact
async: 60 async: 60

4
roles/docker-ldap/tasks/schemas/nextcloud.yml
View File

@ -8,9 +8,9 @@
vars: vars:
schema_name: "nextcloud" schema_name: "nextcloud"
attribute_defs: attribute_defs:
- "( 1.3.6.1.4.1.99999.1 NAME 'nextcloudQuota' DESC 'Quota for Nextcloud' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )" - "( 1.3.6.1.4.1.99999.1 NAME '{{ ldap.user.attributes.nextcloud_quota }}' DESC 'Quota for Nextcloud' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )"
objectclass_defs: objectclass_defs:
- "( 1.3.6.1.4.1.99999.2 NAME 'nextcloudUser' DESC 'Auxiliary class for Nextcloud attributes' AUXILIARY MAY ( nextcloudQuota ) )" - "( 1.3.6.1.4.1.99999.2 NAME 'nextcloudUser' DESC 'Auxiliary class for Nextcloud attributes' AUXILIARY MAY ( {{ ldap.user.attributes.nextcloud_quota }} ) )"
command: > command: >
ldapsm ldapsm
-s {{ ldap_server_uri }} -s {{ ldap_server_uri }}

6
roles/docker-ldap/tasks/schemas/openssh_lpk.yml
View File

@ -8,16 +8,16 @@
vars: vars:
schema_name: "openssh-lpk" schema_name: "openssh-lpk"
attribute_defs: attribute_defs:
- "( 1.3.6.1.4.1.24552.1.1 NAME '{{ ldap.attributes.ssh_public_key }}' DESC 'OpenSSH Public Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )" - "( 1.3.6.1.4.1.24552.1.1 NAME '{{ ldap.user.attributes.ssh_public_key }}' DESC 'OpenSSH Public Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
- "( 1.3.6.1.4.1.24552.1.2 NAME 'sshFingerprint' DESC 'OpenSSH Public Key Fingerprint' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )" - "( 1.3.6.1.4.1.24552.1.2 NAME 'sshFingerprint' DESC 'OpenSSH Public Key Fingerprint' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
objectclass_defs: objectclass_defs:
- >- - >-
( 1.3.6.1.4.1.24552.2.1 ( 1.3.6.1.4.1.24552.2.1
NAME 'ldapPublicKey' NAME '{{ ldap.user.objects.auxiliary.ssh_public_key }}'
DESC 'Auxiliary class for OpenSSH public keys' DESC 'Auxiliary class for OpenSSH public keys'
SUP top SUP top
AUXILIARY AUXILIARY
MAY ( {{ ldap.attributes.ssh_public_key }} $ sshFingerprint ) ) MAY ( {{ ldap.user.attributes.ssh_public_key }} $ sshFingerprint ) )
command: > command: >
ldapsm ldapsm

4
roles/docker-nextcloud/templates/config/oidc.config.php.j2
View File

@ -97,10 +97,10 @@ return array (
// note: on Keycloak, OIDC name claim = "${given_name} ${family_name}" or one of them if any is missing // note: on Keycloak, OIDC name claim = "${given_name} ${family_name}" or one of them if any is missing
// //
'oidc_login_attributes' => array ( 'oidc_login_attributes' => array (
'id' => '{{ldap.attributes.user_id}}', 'id' => '{{ldap.user.attributes.id}}',
'name' => 'name', 'name' => 'name',
'mail' => 'email', 'mail' => 'email',
'quota' => 'nextcloudQuota', 'quota' => '{{ ldap.user.attributes.nextcloud_quota }}',
# 'home' => 'homeDirectory', # Not implemented yet # 'home' => 'homeDirectory', # Not implemented yet
'ldap_uid' => '{{oidc.attributes.username}}', 'ldap_uid' => '{{oidc.attributes.username}}',
# 'groups' => 'ownCloudGroups', # Not implemented yet # 'groups' => 'ownCloudGroups', # Not implemented yet

2
roles/docker-nextcloud/vars/plugins/user_ldap.yml
View File

@ -181,4 +181,4 @@ plugin_configuration:
- -
appid: "user_ldap" appid: "user_ldap"
configkey: "s01ldap_expert_username_attr" configkey: "s01ldap_expert_username_attr"
configvalue: "{{ldap.attributes.user_id}}" configvalue: "{{ldap.user.attributes.id}}"

7
roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
View File

@ -11,13 +11,14 @@ client_id = "{{ oidc.client.id }}"
redirect_url = "{{ web_protocol }}://{{ domains | get_domain(oauth2_proxy_application_id) }}/oauth2/callback" redirect_url = "{{ web_protocol }}://{{ domains | get_domain(oauth2_proxy_application_id) }}/oauth2/callback"
oidc_issuer_url = "{{ oidc.client.issuer_url }}" oidc_issuer_url = "{{ oidc.client.issuer_url }}"
provider = "oidc" provider = "oidc"
provider_display_name = "Keycloak" provider_display_name = "{{ oidc.button_text }}"
{% if applications[oauth2_proxy_application_id].oauth2_proxy.allowed_groups is defined %} {% if applications[oauth2_proxy_application_id].oauth2_proxy.allowed_groups is defined %}
{# role based restrictions #} {# role based restrictions #}
scope = "openid email profile groups" scope = "openid email profile {{ oidc.claims.groups }}"
oidc_groups_claim = "realm_access.roles" oidc_groups_claim = "{{ oidc.claims.groups }}"
allowed_groups = {{ applications[oauth2_proxy_application_id].oauth2_proxy.allowed_groups | tojson }} allowed_groups = {{ applications[oauth2_proxy_application_id].oauth2_proxy.allowed_groups | tojson }}
email_domains = ["*"]
{% else %} {% else %}
email_domains = "{{ primary_domain }}" email_domains = "{{ primary_domain }}"
{% endif %} {% endif %}

6
roles/docker-openproject/vars/ldap.yml
View File

@ -5,10 +5,10 @@ openproject_ldap:
account: "{{ ldap.dn.administrator.data }}" # Bind DN (used for authentication) account: "{{ ldap.dn.administrator.data }}" # Bind DN (used for authentication)
account_password: "{{ ldap.bind_credential }}" # Bind password account_password: "{{ ldap.bind_credential }}" # Bind password
base_dn: "{{ ldap.dn.ou.users }}" # Base DN for user search base_dn: "{{ ldap.dn.ou.users }}" # Base DN for user search
attr_login: "{{ ldap.attributes.user_id }}" # LDAP attribute used for login attr_login: "{{ ldap.user.attributes.id }}" # LDAP attribute used for login
attr_firstname: "givenName" # LDAP attribute for first name attr_firstname: "givenName" # LDAP attribute for first name
attr_lastname: "{{ ldap.attributes.surname }}" # LDAP attribute for last name attr_lastname: "{{ ldap.user.attributes.surname }}" # LDAP attribute for last name
attr_mail: "{{ ldap.attributes.mail }}" # LDAP attribute for email attr_mail: "{{ ldap.user.attributes.mail }}" # LDAP attribute for email
attr_admin: "{{ openproject_filters.administrators }}" # Optional: LDAP attribute for admin group (leave empty if unused) attr_admin: "{{ openproject_filters.administrators }}" # Optional: LDAP attribute for admin group (leave empty if unused)
onthefly_register: true # Automatically create users on first login onthefly_register: true # Automatically create users on first login
tls_mode: 0 # 0 = No TLS, 1 = TLS, 2 = STARTTLS tls_mode: 0 # 0 = No TLS, 1 = TLS, 2 = STARTTLS

8
roles/docker-snipe-it/tasks/ldap.yml
View File

@ -47,16 +47,16 @@
$s->ldap_uname = "{{ ldap.dn.administrator.data }}"; $s->ldap_uname = "{{ ldap.dn.administrator.data }}";
$s->ldap_basedn = "{{ ldap.dn.ou.users }}"; $s->ldap_basedn = "{{ ldap.dn.ou.users }}";
$s->ldap_filter = "&(objectClass=inetOrgPerson)"; $s->ldap_filter = "&(objectClass=inetOrgPerson)";
$s->ldap_username_field = "{{ ldap.attributes.user_id }}"; $s->ldap_username_field = "{{ ldap.user.attributes.id }}";
$s->ldap_fname_field = "{{ ldap.attributes.firstname }}"; $s->ldap_fname_field = "{{ ldap.user.attributes.firstname }}";
$s->ldap_lname_field = "{{ ldap.attributes.surname }}"; $s->ldap_lname_field = "{{ ldap.user.attributes.surname }}";
$s->ldap_auth_filter_query = "uid="; $s->ldap_auth_filter_query = "uid=";
$s->ldap_version = 3; $s->ldap_version = 3;
$s->ldap_pw_sync = 0; $s->ldap_pw_sync = 0;
$s->is_ad = 0; $s->is_ad = 0;
$s->ad_domain = ""; $s->ad_domain = "";
$s->ldap_default_group = ""; $s->ldap_default_group = "";
$s->ldap_email = "{{ ldap.attributes.mail }}"; $s->ldap_email = "{{ ldap.user.attributes.mail }}";
$s->custom_forgot_pass_url = "{{ oidc.client.reset_credentials }}"; $s->custom_forgot_pass_url = "{{ oidc.client.reset_credentials }}";
$s->save(); $s->save();
EOF' EOF'