kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-06-25 03:38:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Implemented discourse LDAP draft

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-06-20 05:45:43 +02:00
parent 13141ac7d6
commit 1ed26ab706
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
7 changed files with 55 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
group_vars/all/12_iam.yml
View File

@ -40,6 +40,7 @@ defaults_oidc:
# Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory # Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory
_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}" _ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
_ldap_server_port: "{% if applications.ldap.network.docker | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}" _ldap_server_port: "{% if applications.ldap.network.docker | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}"
_ldap_user_id: "uid"
ldap: ldap:
# Distinguished Names (DN) # Distinguished Names (DN)
@ -56,7 +57,7 @@ ldap:
application_roles: "ou=application_roles,{{_ldap_dn_base}}" application_roles: "ou=application_roles,{{_ldap_dn_base}}"
attributes: attributes:
# Attribut to identify the user # Attribut to identify the user
user_id: "uid" user_id: "{{ _ldap_user_id }}"
# Password to access dn.bind # Password to access dn.bind
bind_credential: "{{applications.ldap.credentials.administrator_database_password}}" bind_credential: "{{applications.ldap.credentials.administrator_database_password}}"
server: server:
@ -70,3 +71,5 @@ ldap:
- inetOrgPerson # Extended Internet / intranet person RFC 2798 - inetOrgPerson # Extended Internet / intranet person RFC 2798
- posixAccount # POSIX/UNIX login attributes (uidNumber, gidNumber …) RFC 2307 - posixAccount # POSIX/UNIX login attributes (uidNumber, gidNumber …) RFC 2307
- nextcloudUser # Nextcloud-specific auxiliary attributes (nextcloudQuota, nextcloudEnabled) Nextcloud schema - nextcloudUser # Nextcloud-specific auxiliary attributes (nextcloudQuota, nextcloudEnabled) Nextcloud schema
filters:
user_filter: "(&(|(objectclass=inetOrgPerson))({{_ldap_user_id}}=%{{_ldap_user_id}}))"

8
roles/docker-compose/handlers/main.yml
View File

@ -10,13 +10,7 @@
# default setup for docker compose files # default setup for docker compose files
- name: docker compose up - name: docker compose up
shell: > shell: docker-compose -p {{ application_id }} up -d --force-recreate --remove-orphans --build
docker-compose -p {{ application_id }} up -d --force-recreate --remove-orphans
2>&1 | tee >(systemd-cat -t docker-compose-{{ application_id }})
shell: >
docker-compose -p {{ application_id }} up -d
--force-recreate --remove-orphans --build
2>&1 | tee >(systemd-cat -t docker-compose-{{ application_id }})
args: args:
chdir: "{{ docker_compose.directories.instance }}" chdir: "{{ docker_compose.directories.instance }}"
executable: /bin/bash executable: /bin/bash

2
roles/docker-discourse/Todo.md Normal file
View File

@ -0,0 +1,2 @@
# Todo
- Finish LDAP implementation

4
roles/docker-discourse/handlers/main.yml
View File

@ -17,9 +17,7 @@
listen: recreate discourse listen: recreate discourse
- name: rebuild discourse - name: rebuild discourse
shell: > shell: ./launcher rebuild {{applications[application_id].container}}
./launcher rebuild {{applications[application_id].container}}
2>&1 | tee >(systemd-cat -t rebuild-{{ application_id }})
args: args:
executable: /bin/bash executable: /bin/bash
chdir: "{{docker_repository_directory }}" chdir: "{{docker_repository_directory }}"

31
roles/docker-discourse/templates/discourse_application.yml.j2
View File

@ -111,7 +111,14 @@ hooks:
- git clone --depth=1 https://github.com/discourse/discourse-solved.git - git clone --depth=1 https://github.com/discourse/discourse-solved.git
- git clone --depth=1 https://github.com/discourse/discourse-voting.git - git clone --depth=1 https://github.com/discourse/discourse-voting.git
- git clone --depth=1 https://github.com/discourse/discourse-oauth2-basic.git - git clone --depth=1 https://github.com/discourse/discourse-oauth2-basic.git
{% if applications | is_feature_enabled('oidc',application_id) %}
- git clone --depth=1 https://github.com/discourse/discourse-openid-connect.git - git clone --depth=1 https://github.com/discourse/discourse-openid-connect.git
{% endif %}
{% if applications | is_feature_enabled('ldap',application_id) %}
- git clone --depth=1 https://github.com/jonmbake/discourse-ldap-auth.git
{% endif %}
## Any custom commands to run after building ## Any custom commands to run after building
run: run:
@ -143,6 +150,30 @@ run:
- exec: rails r "SiteSetting.openid_connect_allow_association_change = false" - exec: rails r "SiteSetting.openid_connect_allow_association_change = false"
- exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true" - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true"
{% endif %} {% endif %}
{% if applications | is_feature_enabled('ldap',application_id) %}
# Enable LDAP authentication
- exec: rails r "SiteSetting.ldap_auth_enabled = true"
- exec: rails r "SiteSetting.ldap_sync_enabled = true"
# LDAP connection settings
- exec: rails r "SiteSetting.ldap_sync_host = '{{ ldap.server.domain }}'"
- exec: rails r "SiteSetting.ldap_sync_port = {{ ldap.server.port }}"
- exec: rails r "SiteSetting.ldap_encryption = 'simple_tls'"
- exec: rails r "SiteSetting.ldap_base_dn = '{{ ldap.dn.root }}'"
- exec: rails r "SiteSetting.ldap_bind_dn = '{{ ldap.dn.administrator }}'"
- exec: rails r "SiteSetting.ldap_bind_password = '{{ ldap.bind_credential }}'"
# LDAP additional configuration
- exec: rails r "SiteSetting.ldap_user_filter = '{{ ldap.filters.user_filter }}'"
- exec: rails r "SiteSetting.ldap_group_base_dn = '{{ ldap.dn.groups }}'"
- exec: rails r "SiteSetting.ldap_group_member_check = 'memberUid'"
- exec: rails r "SiteSetting.ldap_sync_period = 1"
- exec: rails r "SiteSetting.ldap_sync_unit = 'hours'"
{% endif %}
- exec: echo "End of custom commands" - exec: echo "End of custom commands"
docker_args: docker_args:

1
roles/docker-discourse/vars/configuration.yml
View File

@ -8,6 +8,7 @@ features:
portfolio_iframe: false portfolio_iframe: false
oidc: true oidc: true
central_database: true central_database: true
ldap: false # @todo implement and activate
csp: csp:
flags: flags:
style-src: style-src:

2
roles/docker-nextcloud/vars/plugins/user_ldap.yml
View File

@ -107,7 +107,7 @@ plugin_configuration:
- -
appid: "user_ldap" appid: "user_ldap"
configkey: "s01ldap_login_filter" configkey: "s01ldap_login_filter"
configvalue: "(&(|(objectclass=inetOrgPerson))({{ldap.attributes.user_id}}=%{{ldap.attributes.user_id}}))" configvalue: "{{ ldap.filters.user_filter }}"
- -
appid: "user_ldap" appid: "user_ldap"
configkey: "s01ldap_login_filter_mode" configkey: "s01ldap_login_filter_mode"