From 1ed26ab706ac6ea37822d9c7de4043ee075e0fdb Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Fri, 20 Jun 2025 05:45:43 +0200 Subject: [PATCH] Implemented discourse LDAP draft --- group_vars/all/12_iam.yml | 13 +++-- roles/docker-compose/handlers/main.yml | 8 +-- roles/docker-discourse/Todo.md | 2 + roles/docker-discourse/handlers/main.yml | 4 +- .../templates/discourse_application.yml.j2 | 49 +++++++++++++++---- roles/docker-discourse/vars/configuration.yml | 3 +- .../vars/plugins/user_ldap.yml | 2 +- 7 files changed, 55 insertions(+), 26 deletions(-) create mode 100644 roles/docker-discourse/Todo.md diff --git a/group_vars/all/12_iam.yml b/group_vars/all/12_iam.yml index 90866c9c..00288b8f 100644 --- a/group_vars/all/12_iam.yml +++ b/group_vars/all/12_iam.yml @@ -40,6 +40,7 @@ defaults_oidc: # Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory _ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}" _ldap_server_port: "{% if applications.ldap.network.docker | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}" +_ldap_user_id: "uid" ldap: # Distinguished Names (DN) @@ -56,7 +57,7 @@ ldap: application_roles: "ou=application_roles,{{_ldap_dn_base}}" attributes: # Attribut to identify the user - user_id: "uid" + user_id: "{{ _ldap_user_id }}" # Password to access dn.bind bind_credential: "{{applications.ldap.credentials.administrator_database_password}}" server: @@ -66,7 +67,9 @@ ldap: network: local: "{{applications.ldap.network.docker}}" # Uses the application configuration to define if local network should be available or not user_objects: - - person # Basic person attributes (sn, cn …) – RFC 4519 - - inetOrgPerson # Extended Internet / intranet person – RFC 2798 - - posixAccount # POSIX/UNIX login attributes (uidNumber, gidNumber …) – RFC 2307 - - nextcloudUser # Nextcloud-specific auxiliary attributes (nextcloudQuota, nextcloudEnabled) – Nextcloud schema + - person # Basic person attributes (sn, cn …) – RFC 4519 + - inetOrgPerson # Extended Internet / intranet person – RFC 2798 + - posixAccount # POSIX/UNIX login attributes (uidNumber, gidNumber …) – RFC 2307 + - nextcloudUser # Nextcloud-specific auxiliary attributes (nextcloudQuota, nextcloudEnabled) – Nextcloud schema + filters: + user_filter: "(&(|(objectclass=inetOrgPerson))({{_ldap_user_id}}=%{{_ldap_user_id}}))" \ No newline at end of file diff --git a/roles/docker-compose/handlers/main.yml b/roles/docker-compose/handlers/main.yml index 61b33246..c68dd9a8 100644 --- a/roles/docker-compose/handlers/main.yml +++ b/roles/docker-compose/handlers/main.yml @@ -10,13 +10,7 @@ # default setup for docker compose files - name: docker compose up - shell: > - docker-compose -p {{ application_id }} up -d --force-recreate --remove-orphans - 2>&1 | tee >(systemd-cat -t docker-compose-{{ application_id }}) - shell: > - docker-compose -p {{ application_id }} up -d - --force-recreate --remove-orphans --build - 2>&1 | tee >(systemd-cat -t docker-compose-{{ application_id }}) + shell: docker-compose -p {{ application_id }} up -d --force-recreate --remove-orphans --build args: chdir: "{{ docker_compose.directories.instance }}" executable: /bin/bash diff --git a/roles/docker-discourse/Todo.md b/roles/docker-discourse/Todo.md new file mode 100644 index 00000000..26940718 --- /dev/null +++ b/roles/docker-discourse/Todo.md @@ -0,0 +1,2 @@ +# Todo +- Finish LDAP implementation \ No newline at end of file diff --git a/roles/docker-discourse/handlers/main.yml b/roles/docker-discourse/handlers/main.yml index a8e61e22..393e3bcc 100644 --- a/roles/docker-discourse/handlers/main.yml +++ b/roles/docker-discourse/handlers/main.yml @@ -17,9 +17,7 @@ listen: recreate discourse - name: rebuild discourse - shell: > - ./launcher rebuild {{applications[application_id].container}} - 2>&1 | tee >(systemd-cat -t rebuild-{{ application_id }}) + shell: ./launcher rebuild {{applications[application_id].container}} args: executable: /bin/bash chdir: "{{docker_repository_directory }}" diff --git a/roles/docker-discourse/templates/discourse_application.yml.j2 b/roles/docker-discourse/templates/discourse_application.yml.j2 index bf8fa903..31bdf22d 100644 --- a/roles/docker-discourse/templates/discourse_application.yml.j2 +++ b/roles/docker-discourse/templates/discourse_application.yml.j2 @@ -103,15 +103,22 @@ hooks: - exec: cd: $home/plugins cmd: - - git clone --depth=1 https://github.com/discourse/docker_manager.git - - git clone --depth=1 https://github.com/discourse/discourse-activity-pub.git - - git clone --depth=1 https://github.com/discourse/discourse-calendar.git - - git clone --depth=1 https://github.com/discourse/discourse-akismet.git - - git clone --depth=1 https://github.com/discourse/discourse-cakeday.git - - git clone --depth=1 https://github.com/discourse/discourse-solved.git - - git clone --depth=1 https://github.com/discourse/discourse-voting.git - - git clone --depth=1 https://github.com/discourse/discourse-oauth2-basic.git - - git clone --depth=1 https://github.com/discourse/discourse-openid-connect.git + - git clone --depth=1 https://github.com/discourse/docker_manager.git + - git clone --depth=1 https://github.com/discourse/discourse-activity-pub.git + - git clone --depth=1 https://github.com/discourse/discourse-calendar.git + - git clone --depth=1 https://github.com/discourse/discourse-akismet.git + - git clone --depth=1 https://github.com/discourse/discourse-cakeday.git + - git clone --depth=1 https://github.com/discourse/discourse-solved.git + - git clone --depth=1 https://github.com/discourse/discourse-voting.git + - git clone --depth=1 https://github.com/discourse/discourse-oauth2-basic.git + +{% if applications | is_feature_enabled('oidc',application_id) %} + - git clone --depth=1 https://github.com/discourse/discourse-openid-connect.git +{% endif %} + +{% if applications | is_feature_enabled('ldap',application_id) %} + - git clone --depth=1 https://github.com/jonmbake/discourse-ldap-auth.git +{% endif %} ## Any custom commands to run after building run: @@ -143,6 +150,30 @@ run: - exec: rails r "SiteSetting.openid_connect_allow_association_change = false" - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true" {% endif %} + +{% if applications | is_feature_enabled('ldap',application_id) %} + # Enable LDAP authentication + - exec: rails r "SiteSetting.ldap_auth_enabled = true" + - exec: rails r "SiteSetting.ldap_sync_enabled = true" + + # LDAP connection settings + - exec: rails r "SiteSetting.ldap_sync_host = '{{ ldap.server.domain }}'" + - exec: rails r "SiteSetting.ldap_sync_port = {{ ldap.server.port }}" + - exec: rails r "SiteSetting.ldap_encryption = 'simple_tls'" + - exec: rails r "SiteSetting.ldap_base_dn = '{{ ldap.dn.root }}'" + - exec: rails r "SiteSetting.ldap_bind_dn = '{{ ldap.dn.administrator }}'" + - exec: rails r "SiteSetting.ldap_bind_password = '{{ ldap.bind_credential }}'" + + # LDAP additional configuration + - exec: rails r "SiteSetting.ldap_user_filter = '{{ ldap.filters.user_filter }}'" + - exec: rails r "SiteSetting.ldap_group_base_dn = '{{ ldap.dn.groups }}'" + - exec: rails r "SiteSetting.ldap_group_member_check = 'memberUid'" + + - exec: rails r "SiteSetting.ldap_sync_period = 1" + - exec: rails r "SiteSetting.ldap_sync_unit = 'hours'" + +{% endif %} + - exec: echo "End of custom commands" docker_args: diff --git a/roles/docker-discourse/vars/configuration.yml b/roles/docker-discourse/vars/configuration.yml index c5b19c84..d41f6a1a 100644 --- a/roles/docker-discourse/vars/configuration.yml +++ b/roles/docker-discourse/vars/configuration.yml @@ -5,9 +5,10 @@ credentials: features: matomo: true css: true - portfolio_iframe: false + portfolio_iframe: false oidc: true central_database: true + ldap: false # @todo implement and activate csp: flags: style-src: diff --git a/roles/docker-nextcloud/vars/plugins/user_ldap.yml b/roles/docker-nextcloud/vars/plugins/user_ldap.yml index 36ac3c1f..ac2bfb4f 100644 --- a/roles/docker-nextcloud/vars/plugins/user_ldap.yml +++ b/roles/docker-nextcloud/vars/plugins/user_ldap.yml @@ -107,7 +107,7 @@ plugin_configuration: - appid: "user_ldap" configkey: "s01ldap_login_filter" - configvalue: "(&(|(objectclass=inetOrgPerson))({{ldap.attributes.user_id}}=%{{ldap.attributes.user_id}}))" + configvalue: "{{ ldap.filters.user_filter }}" - appid: "user_ldap" configkey: "s01ldap_login_filter_mode"