From 189aaaa9ece4e4f9b1e67985eda8142803f65523 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Thu, 25 Sep 2025 11:10:46 +0200
Subject: [PATCH] Deactivated OpenProject LDAP Administrator Flag

---
 roles/web-app-openproject/config/main.yml | 14 ++++++--------
 roles/web-app-openproject/vars/main.yml   | 10 +++++-----
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/roles/web-app-openproject/config/main.yml b/roles/web-app-openproject/config/main.yml
index fa24c87b..74b2cbc6 100644
--- a/roles/web-app-openproject/config/main.yml
+++ b/roles/web-app-openproject/config/main.yml
@@ -8,7 +8,7 @@ oauth2_proxy:
       - "/oauth/token"        # Necessary for Nextcloud Plugin to work
 ldap:
   filters:
-    administrators:   True    # Set true to filter administrators
+    administrators:   False   # Set true to filter administrators
     users:            False   # Set true to filter users
 features:
   matomo:             true
@@ -37,9 +37,9 @@ docker:
     database:
       enabled: true
     web:
-      name:     openproject-web
-      image:    openproject/community
-      version:  "13"    # Update when available. No rolling release implemented
+      name:               openproject-web
+      image:              openproject/community
+      version:            "13"    # Update when available. No rolling release implemented
       backup:
         no_stop_required: true
       cpus:               "1.0"
@@ -47,7 +47,7 @@ docker:
       mem_limit:          "2g"
       pids_limit:         512
     seeder:
-      name:     openproject-seeder
+      name:               openproject-seeder
       cpus:               "0.3"
       mem_reservation:    "256m"
       mem_limit:          "512m"
@@ -80,6 +80,4 @@ docker:
       pids_limit:         256
     
   volumes:
-    data: "openproject_data"
-
-
+    data:                 "openproject_data"
diff --git a/roles/web-app-openproject/vars/main.yml b/roles/web-app-openproject/vars/main.yml
index f006b509..a6c6bf14 100644
--- a/roles/web-app-openproject/vars/main.yml
+++ b/roles/web-app-openproject/vars/main.yml
@@ -56,10 +56,10 @@ OPENPROJECT_RAILS_SETTINGS:
   smtp_ssl:                   false
 
 ## LDAP
-OPENPROJECT_LDAP_ENABLED:     "{{ applications | get_app_conf(application_id, 'features.ldap') }}"
+OPENPROJECT_LDAP_ENABLED:                       "{{ applications | get_app_conf(application_id, 'features.ldap') }}"
+OPENPROJECT_LDAP_FILTER_ADMINISTRATORS_ENABLED: "{{ applications | get_app_conf(application_id, 'ldap.filters.administrators') }}"
+OPENPROJECT_LDAP_FILTER_USERS_ENABLED:          "{{ applications | get_app_conf(application_id, 'ldap.filters.users') }}"
 OPENPROJECT_LDAP_FILTERS:
   # The administrator filter just works in the Enterprise edition
-  ADMINISTRATORS: "{{ '(memberOf=cn=openproject-admins,' ~ LDAP.DN.OU.ROLES ~ ')' 
-       if applications | get_app_conf(application_id, 'ldap.filters.administrators') else '' }}"
-  USERS: "{{ '(memberOf=cn=openproject-users,' ~ LDAP.DN.OU.ROLES ~ ')' 
-       if applications | get_app_conf(application_id, 'ldap.filters.users') else '' }}"
+  ADMINISTRATORS: "{{ '(memberOf=cn=openproject-admins,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_ADMINISTRATORS_ENABLED else '' }}"
+  USERS: "{{ '(memberOf=cn=openproject-users,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_USERS_ENABLED else '' }}"