Redesigned LDAP (DRAFT)

roles/docker-ldap/templates/ldif/configuration/01_member_of_configuration.ldif.j2

@@ -0,0 +1,45 @@
+# MemberOf Overlay Configuration for OpenLDAP
+#
+# This file activates the memberOf module and configures the memberOf overlay,
+# which is required by Nextcloud for proper group management.
+# @see https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html 
+# @see https://www.adimian.com/blog/how-to-enable-memberof-using-openldap/
+#
+# The first section loads the memberof module from the specified path.
+#   - olcModuleLoad: Specifies that the "memberof" module should be loaded.
+#   - olcModulePath: Provides the full path to the memberof shared object.
+#
+# The second section configures the memberOf overlay for the designated database.
+#   - The DN "olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config" sets up the overlay
+#     on the database backend (here assumed to be "hdb").
+#   - olcMemberOfDangling: ignore
+#         Instructs the overlay to ignore references to non-existent objects.
+#   - olcMemberOfRefInt: TRUE
+#         Enables referential integrity so that changes in group membership automatically
+#         update the user's "memberOf" attribute.
+#   - olcMemberOfGroupOC: groupOfNames
+#         Specifies that the overlay applies to groups with the object class "groupOfNames".
+#   - olcMemberOfMemberAD: member
+#         Indicates that the group's membership is stored in the "member" attribute.
+#   - olcMemberOfMemberOfAD: memberOf
+#         Defines that the overlay will maintain the "memberOf" attribute in user entries.
+#
+# IMPORTANT: All groups created before enabling this module must be deleted and recreated,
+# as the overlay only assigns the "member" attribute when a new group is created.
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+olcModuleLoad: memberof
+olcModulePath: /opt/bitnami/openldap/lib/openldap/memberof.so
+
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf

roles/docker-ldap/templates/ldif/configuration/02_member_of_configuration.ldif.j2

@@ -0,0 +1,10 @@
+# Refint Module Activation for OpenLDAP
+#
+# This section adds the refint module to the LDAP configuration.
+# The refint module ensures referential integrity by automatically updating
+# or removing references when objects are renamed or deleted.
+#
+# In this file, the "olcmoduleload" attribute is used to load the "refint" module.
+dn: cn=module{1},cn=config
+add: olcmoduleload
+olcmoduleload: refint

roles/docker-ldap/templates/ldif/configuration/03_member_of_configuration.ldif.j2

@@ -0,0 +1,23 @@
+# Refint Overlay Configuration for OpenLDAP
+#
+# This file configures the refint overlay for the specified LDAP database.
+#
+# The overlay is applied to the database (here using the "hdb" backend) and is
+# responsible for maintaining referential integrity.
+#
+# The attribute "olcRefintAttribute" lists the attributes that will be monitored
+# for changes. In this case, changes to the following attributes will be tracked:
+#   - memberof
+#   - member
+#   - manager
+#   - owner
+#
+# This ensures that any changes in the LDAP directory (such as deletion or modification
+# of an object) automatically update all references to that object, preventing dangling references.
+dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof member manager owner

roles/docker-ldap/templates/ldif/configuration/README.md

@@ -0,0 +1 @@
+This folder contains configuration files where a specific logic needs to be applied.