Implemented discourse LDAP draft

2025-06-24 19:25:32 +02:00 · 2025-06-20 05:45:43 +02:00 · 2025-06-20 05:45:43 +02:00 · 1ed26ab706
commit 1ed26ab706
parent 13141ac7d6
7 changed files with 55 additions and 26 deletions
--- a/group_vars/all/12_iam.yml
+++ b/group_vars/all/12_iam.yml
@ -40,6 +40,7 @@ defaults_oidc:
 # Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory
 _ldap_dn_base:      "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
 _ldap_server_port:  "{% if applications.ldap.network.docker | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}"
+_ldap_user_id:      "uid"

 ldap:
  # Distinguished Names (DN)
@ -56,7 +57,7 @@ ldap:
    application_roles:  "ou=application_roles,{{_ldap_dn_base}}"
  attributes:
    # Attribut to identify the user
-    user_id:            "uid" 
+    user_id:            "{{ _ldap_user_id }}" 
  # Password to access dn.bind
  bind_credential:      "{{applications.ldap.credentials.administrator_database_password}}"
  server:
@ -66,7 +67,9 @@ ldap:
  network:
    local:              "{{applications.ldap.network.docker}}" # Uses the application configuration to define if local network should be available or not
  user_objects:
-    - person          # Basic person attributes (sn, cn …) – RFC 4519
-    - inetOrgPerson   # Extended Internet / intranet person – RFC 2798
-    - posixAccount    # POSIX/UNIX login attributes (uidNumber, gidNumber …) – RFC 2307
-    - nextcloudUser   # Nextcloud-specific auxiliary attributes (nextcloudQuota, nextcloudEnabled) – Nextcloud schema
+    - person            # Basic person attributes (sn, cn …) – RFC 4519
+    - inetOrgPerson     # Extended Internet / intranet person – RFC 2798
+    - posixAccount      # POSIX/UNIX login attributes (uidNumber, gidNumber …) – RFC 2307
+    - nextcloudUser     # Nextcloud-specific auxiliary attributes (nextcloudQuota, nextcloudEnabled) – Nextcloud schema
+  filters:
+    user_filter:        "(&(|(objectclass=inetOrgPerson))({{_ldap_user_id}}=%{{_ldap_user_id}}))"
--- a/roles/docker-compose/handlers/main.yml
+++ b/roles/docker-compose/handlers/main.yml
@ -10,13 +10,7 @@

 # default setup for docker compose files
 - name: docker compose up
-  shell: > 
-    docker-compose -p {{ application_id }} up -d --force-recreate --remove-orphans
-    2>&1 | tee >(systemd-cat -t docker-compose-{{ application_id }})
-  shell: >
-      docker-compose -p {{ application_id }} up -d
-      --force-recreate --remove-orphans --build
-      2>&1 | tee >(systemd-cat -t docker-compose-{{ application_id }})
+  shell: docker-compose -p {{ application_id }} up -d --force-recreate --remove-orphans --build
  args:
    chdir: "{{ docker_compose.directories.instance }}"
    executable: /bin/bash
--- a/roles/docker-discourse/Todo.md
+++ b/roles/docker-discourse/Todo.md
@ -0,0 +1,2 @@
+# Todo
+- Finish LDAP implementation
--- a/roles/docker-discourse/handlers/main.yml
+++ b/roles/docker-discourse/handlers/main.yml
@ -17,9 +17,7 @@
  listen: recreate discourse

 - name: rebuild discourse
-  shell: > 
-    ./launcher rebuild {{applications[application_id].container}}
-    2>&1 | tee >(systemd-cat -t rebuild-{{ application_id }})
+  shell: ./launcher rebuild {{applications[application_id].container}}
  args:
    executable: /bin/bash  
    chdir: "{{docker_repository_directory }}"
--- a/roles/docker-discourse/templates/discourse_application.yml.j2
+++ b/roles/docker-discourse/templates/discourse_application.yml.j2
@ -103,15 +103,22 @@ hooks:
    - exec:
        cd: $home/plugins
        cmd:
-          - git clone  --depth=1 https://github.com/discourse/docker_manager.git
-          - git clone  --depth=1 https://github.com/discourse/discourse-activity-pub.git
-          - git clone  --depth=1 https://github.com/discourse/discourse-calendar.git
-          - git clone  --depth=1 https://github.com/discourse/discourse-akismet.git
-          - git clone  --depth=1 https://github.com/discourse/discourse-cakeday.git
-          - git clone  --depth=1 https://github.com/discourse/discourse-solved.git
-          - git clone  --depth=1 https://github.com/discourse/discourse-voting.git
-          - git clone  --depth=1 https://github.com/discourse/discourse-oauth2-basic.git
-          - git clone  --depth=1 https://github.com/discourse/discourse-openid-connect.git
+          - git clone --depth=1 https://github.com/discourse/docker_manager.git
+          - git clone --depth=1 https://github.com/discourse/discourse-activity-pub.git
+          - git clone --depth=1 https://github.com/discourse/discourse-calendar.git
+          - git clone --depth=1 https://github.com/discourse/discourse-akismet.git
+          - git clone --depth=1 https://github.com/discourse/discourse-cakeday.git
+          - git clone --depth=1 https://github.com/discourse/discourse-solved.git
+          - git clone --depth=1 https://github.com/discourse/discourse-voting.git
+          - git clone --depth=1 https://github.com/discourse/discourse-oauth2-basic.git
+
+{% if applications | is_feature_enabled('oidc',application_id) %}
+          - git clone --depth=1 https://github.com/discourse/discourse-openid-connect.git
+{% endif %}
+
+{% if applications | is_feature_enabled('ldap',application_id) %}
+          - git clone --depth=1 https://github.com/jonmbake/discourse-ldap-auth.git
+{% endif %}

 ## Any custom commands to run after building
 run:
@ -143,6 +150,30 @@ run:
  - exec: rails r "SiteSetting.openid_connect_allow_association_change = false"
  - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true"
 {% endif %}
+
+{% if applications | is_feature_enabled('ldap',application_id) %}
+  # Enable LDAP authentication
+  - exec: rails r "SiteSetting.ldap_auth_enabled = true"
+  - exec: rails r "SiteSetting.ldap_sync_enabled = true"
+
+  # LDAP connection settings
+  - exec: rails r "SiteSetting.ldap_sync_host = '{{ ldap.server.domain }}'"
+  - exec: rails r "SiteSetting.ldap_sync_port = {{ ldap.server.port }}"
+  - exec: rails r "SiteSetting.ldap_encryption = 'simple_tls'"
+  - exec: rails r "SiteSetting.ldap_base_dn = '{{ ldap.dn.root }}'"
+  - exec: rails r "SiteSetting.ldap_bind_dn = '{{ ldap.dn.administrator }}'"
+  - exec: rails r "SiteSetting.ldap_bind_password = '{{ ldap.bind_credential }}'"
+
+  # LDAP additional configuration
+  - exec: rails r "SiteSetting.ldap_user_filter = '{{ ldap.filters.user_filter }}'"
+  - exec: rails r "SiteSetting.ldap_group_base_dn = '{{ ldap.dn.groups }}'"
+  - exec: rails r "SiteSetting.ldap_group_member_check = 'memberUid'"
+
+  - exec: rails r "SiteSetting.ldap_sync_period = 1"
+  - exec: rails r "SiteSetting.ldap_sync_unit = 'hours'"
+
+{% endif %}
+
  - exec: echo "End of custom commands"

 docker_args:
--- a/roles/docker-discourse/vars/configuration.yml
+++ b/roles/docker-discourse/vars/configuration.yml
@ -5,9 +5,10 @@ credentials:
 features:
  matomo:             true
  css:                true
-  portfolio_iframe: false
+  portfolio_iframe:   false
  oidc:               true
  central_database:   true
+  ldap:               false         # @todo implement and activate
 csp:
  flags:
    style-src:
--- a/roles/docker-nextcloud/vars/plugins/user_ldap.yml
+++ b/roles/docker-nextcloud/vars/plugins/user_ldap.yml
@ -107,7 +107,7 @@ plugin_configuration:
  -
    appid: "user_ldap"
    configkey: "s01ldap_login_filter"
-    configvalue: "(&(|(objectclass=inetOrgPerson))({{ldap.attributes.user_id}}=%{{ldap.attributes.user_id}}))"
+    configvalue: "{{ ldap.filters.user_filter }}"
  -
    appid: "user_ldap"
    configkey: "s01ldap_login_filter_mode"