svc-db-openldap: make LDIF import idempotent, unify container var, and tidy role

- Add handlers/main.yml to load memberof/refint modules and import groups via docker exec - Use OPENLDAP_CONTAINER consistently (replace OPENLDAP_NAME) - Rename tasks/ldifs_creation.yml -> tasks/_ldifs_creation.yml and update includes - Drop default param from get_app_conf calls; add explicit meta: flush_handlers - docker-compose: honor OPENLDAP_NETWORK_EXPOSE_LOCAL | bool; minor formatting - env template: formatting/comments consistency - Remove unused 01_rbac_group.ldif.j2; rename 02_rbac_roles -> 01_rbac_roles and fix filter to LDAP - vars: rename OPENLDAP_NAME -> OPENLDAP_CONTAINER; prune LDIF schema type Conversation: https://chatgpt.com/share/68d1d25d-e788-800f-bfb6-13b1f5bc6121
2025-11-13 08:36:47 +00:00 · 2025-09-23 00:49:57 +02:00
parent d8c73e9fc3
commit 208848579d
9 changed files with 74 additions and 63 deletions
--- a/roles/svc-db-openldap/templates/docker-compose.yml.j2
+++ b/roles/svc-db-openldap/templates/docker-compose.yml.j2
@@ -2,15 +2,15 @@

  application:
    image: "{{ OPENLDAP_IMAGE }}:{{ OPENLDAP_VERSION }}"
-    container_name: "{{ OPENLDAP_NAME }}"
+    container_name: "{{ OPENLDAP_CONTAINER }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-{% if OPENLDAP_NETWORK_EXPOSE_LOCAL %}
+{% if OPENLDAP_NETWORK_EXPOSE_LOCAL | bool %}
    ports:
-      - 127.0.0.1:{{ports.localhost.ldap['svc-db-openldap']}}:{{OPENLDAP_DOCKER_PORT_OPEN}}
+      - 127.0.0.1:{{ports.localhost.ldap['svc-db-openldap']}}:{{ OPENLDAP_DOCKER_PORT_OPEN }}
 {% endif %}
    volumes:
      - 'data:/bitnami/openldap'
-      - '{{OPENLDAP_LDIF_PATH_HOST}}:{{ OPENLDAP_LDIF_PATH_DOCKER }}:ro'
+      - '{{ OPENLDAP_LDIF_PATH_HOST }}:{{ OPENLDAP_LDIF_PATH_DOCKER }}:ro'
    healthcheck:
      test: >
        bash -c '
--- a/roles/svc-db-openldap/templates/env.j2
+++ b/roles/svc-db-openldap/templates/env.j2
@@ -3,24 +3,24 @@
      
 # GENERAL
 ## Admin (Data)
-LDAP_ADMIN_USERNAME=        {{ applications | get_app_conf(application_id, 'users.administrator.username') }} # LDAP database admin user.
-LDAP_ADMIN_PASSWORD=        {{ LDAP.BIND_CREDENTIAL }}                                      # LDAP database admin password.
+LDAP_ADMIN_USERNAME=        {{ applications | get_app_conf(application_id, 'users.administrator.username') }}   # LDAP database admin user.
+LDAP_ADMIN_PASSWORD=        {{ LDAP.BIND_CREDENTIAL }}                                                          # LDAP database admin password.

 ## Users
-LDAP_USERS=                 ' '                             # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
-LDAP_PASSWORDS=             ' '                             # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami2
-LDAP_ROOT=                  {{ LDAP.DN.ROOT }}                # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
+LDAP_USERS=                 ' '                                 # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
+LDAP_PASSWORDS=             ' '                                 # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami2
+LDAP_ROOT=                  {{ LDAP.DN.ROOT }}                  # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org

 ## Admin (Config)
-LDAP_ADMIN_DN=              {{LDAP.DN.ADMINISTRATOR.DATA}}
+LDAP_ADMIN_DN=              {{ LDAP.DN.ADMINISTRATOR.DATA }}
 LDAP_CONFIG_ADMIN_ENABLED=  yes
 LDAP_CONFIG_ADMIN_USERNAME= {{ applications | get_app_conf(application_id, 'users.administrator.username') }}
 LDAP_CONFIG_ADMIN_PASSWORD= {{ applications | get_app_conf(application_id, 'credentials.administrator_password') }}
  
 # Network
-LDAP_PORT_NUMBER=           {{OPENLDAP_DOCKER_PORT_OPEN}}            # Route to default port
-LDAP_ENABLE_TLS=            no                              # Using nginx proxy for tls
-LDAP_LDAPS_PORT_NUMBER=     {{OPENLDAP_DOCKER_PORT_SECURE}}           # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
+LDAP_PORT_NUMBER=           {{ OPENLDAP_DOCKER_PORT_OPEN }}             # Route to default port
+LDAP_ENABLE_TLS=            no                                          # Using nginx proxy for tls
+LDAP_LDAPS_PORT_NUMBER=     {{ OPENLDAP_DOCKER_PORT_SECURE }}           # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).

 # Security
-LDAP_ALLOW_ANON_BINDING=    no                              # Allow anonymous bindings to the LDAP server. Default: yes.
+LDAP_ALLOW_ANON_BINDING=    no                                          # Allow anonymous bindings to the LDAP server. Default: yes.
--- a/roles/svc-db-openldap/templates/ldif/groups/01_rbac_group.ldif.j2
+++ b/roles/svc-db-openldap/templates/ldif/groups/01_rbac_group.ldif.j2
@@ -1,30 +0,0 @@
-{# 
-@todo: activate
-{% for dn, entry in (applications | build_ldap_role_entries(users, ldap)).items() %}
-
-dn: {{ dn }}
-{% for oc in entry.objectClass %}
-objectClass: {{ oc }}
-{% endfor %}
-{% if entry.ou is defined %}
-ou: {{ entry.ou }}
-{% else %}
-cn: {{ entry.cn }}
-{% endif %}
-{% if entry.gidNumber is defined %}
-gidNumber: {{ entry.gidNumber }}
-{% endif %}
-description: {{ entry.description }}
-{% if entry.memberUid is defined %}
-{% for uid in entry.memberUid %}
-memberUid: {{ uid }}
-{% endfor %}
-{% endif %}
-{% if entry.member is defined %}
-{% for m in entry.member %}
-member: {{ m }}
-{% endfor %}
-{% endif %}
-
-{% endfor %}
-#}
--- a/roles/svc-db-openldap/templates/ldif/groups/01_rbac_roles.ldif.j2
+++ b/roles/svc-db-openldap/templates/ldif/groups/01_rbac_roles.ldif.j2
@@ -1,4 +1,4 @@
-{% for dn, entry in (applications | build_ldap_role_entries(users, ldap)).items() %}
+{% for dn, entry in (applications | build_ldap_role_entries(users, LDAP)).items() %}

 dn: {{ dn }}
 {% for oc in entry.objectClass %}