From 22ce80cd23d44c24d7bed2352a36a073ff7eca07 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Wed, 26 Feb 2025 10:42:25 +0100
Subject: [PATCH] Set LDAP uid variable

---
 group_vars/all/07_applications.yml | 10 ++++++----
 group_vars/all/11_iam.yml | 10 ++++++++--
 roles/docker-bigbluebutton/templates/env.j2 | 19 +++++++++++-------
 .../templates/import/realm.json.j2 | 8 ++++----
 .../templates/ldif/data/02_users.ldif.j2 | 8 ++++----
 .../templates/oidc.config.php.j2 | 4 ++--
 roles/docker-nextcloud/vars/ldap.yml | 4 ++--
 7 files changed, 37 insertions(+), 26 deletions(-)

diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
index 4a256363..412540a3 100644
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -36,11 +36,13 @@ defaults_applications:
 ## Big Blue Button
 bigbluebutton:
 enable_greenlight: "true"
- setup: false # Set to true in inventory file for initial setup
+ setup: false # Set to true in inventory file for initial setup
 oidc:
- enabled: true # Activate OIDC
+ enabled: true # Activate OIDC
 database:
- central_storage: True
+ central_storage: True
+ ldap:
+ enabled: False # @todo LDAP needs to get propper implemented and tested, just set values during refactoring

 ## Bluesky
 bluesky:
@@ -78,7 +80,7 @@ defaults_applications:
 funkwhale:
 version: "1.4.0"
 ldap:
- enabled: True # Enables LDAP by default
+ enabled: True # Enables LDAP by default @todo check implementation
 database:
 central_storage: True

diff --git a/group_vars/all/11_iam.yml b/group_vars/all/11_iam.yml
index b3292380..1e810e06 100644
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
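Review bot: The added `enabled: False` under `ldap:` uses a capitalised boolean while `setup: false` a few lines above in the same `bigbluebutton` stanza is lowercase; `true`/`false` is the only spelling that is a boolean under both YAML 1.1 and 1.2 and that yamllint's truthy rule accepts, so write `enabled: false` (the untouched `central_storage: True` lines carry the same inconsistency). The trailing comment has a typo, `propper` → `properly`, and reads more clearly as `# @todo LDAP support is not fully implemented or tested yet; values are only set during the refactoring`. The funkwhale hunk below only changes a comment, so nothing to raise there.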
@@ -29,7 +29,9 @@ defaults_oidc:

 #############################################
 # Helper Variables:
-_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
+# Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory
+_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
+_ldap_server_port: "{% if applications.ldap.openldap.network.local | bool %}{{ ports.localhost.ldap.openldap }}{% else %}{{ ports.localhost.ldaps.openldap }}{% endif %}"

 ldap:
 # Enables LDAP for all roles in play if true
@@ -46,11 +48,15 @@ ldap:
 groups: "ou=groups,{{_ldap_dn_base}}"
 # Dn for all application roles of the users
 application_roles: "ou=application_roles,{{_ldap_dn_base}}"
+ attributes:
+ # Attribut to identify the user
+ user_id: "uid"
 # Password to access dn.bind
 bind_credential: "{{applications.ldap.administrator_database_password}}"
 server:
 domain: "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}"
 # Mapping for public or locale access
- uri: "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}"
+ port: "{{_ldap_server_port}}"
+ uri: "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}{% else %}ldaps://{{ domains.ldap }}{% endif %}:{{ _ldap_server_port }}"
 network:
 local: "{{applications.ldap.openldap.network.local}}" # Uses the application configuration to define if local network should be available or not
\ No newline at end of file
diff --git a/roles/docker-bigbluebutton/templates/env.j2 b/roles/docker-bigbluebutton/templates/env.j2
index 9395f292..73f484a2 100644
--- a/roles/docker-bigbluebutton/templates/env.j2
+++ b/roles/docker-bigbluebutton/templates/env.j2
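Review bot: `_ldap_server_port` selects `ports.localhost.ldaps.openldap` in its non-local branch, but the `uri` it replaces in the next hunk used `ports.public.ldaps.openldap` for the `ldaps://{{ domains.ldap }}` case, so unless those two port values are identical the public URI and the new `ldap.server.port` now carry the localhost LDAPS port. If the public port is intended there, the else branch should read `{{ ports.public.ldaps.openldap }}`. The new comment is also hard to parse; suggest `# NOTE: if these helper variables ever become inventory-configurable, they must be mapped explicitly here`.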
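Review bot: `attributes.user_id` is interpolated unquoted into LDIF DNs, Keycloak realm JSON, a PHP single-quoted string and a Greenlight env file elsewhere in this patch, so its comment should state the constraint that makes that safe, e.g. `# LDAP attribute holding the login name; must be a bare attribute name (letters, digits, hyphen), and posixAccount entries still require uid`. `Attribut` → `Attribute`. The port mismatch in the new `uri` line is raised at the previous hunk.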
@@ -161,6 +161,7 @@ OFFICE365_HD=
 # It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy
 OAUTH2_REDIRECT=

+{% if applications[application_id].ldap.enabled | bool %}
 # LDAP Login Provider (optional)
 #
 # You can enable LDAP authentication by providing values for the variables below.
@@ -172,23 +173,25 @@ OAUTH2_REDIRECT=
 # LDAP_SERVER=ldap.example.com
 # LDAP_PORT=389
 # LDAP_METHOD=plain
-# LDAP_UID=uid
+# LDAP_UID={{ldap.attributes.user_id}}
 # LDAP_BASE=dc=example,dc=com
 # LDAP_AUTH=simple
 # LDAP_BIND_DN=cn=admin,dc=example,dc=com
 # LDAP_PASSWORD=password
 # LDAP_ROLE_FIELD=ou
 # LDAP_FILTER=(&(attr1=value1)(attr2=value2))
-LDAP_SERVER=
-LDAP_PORT=
+LDAP_SERVER="{{ldap.server.domain}}"
+LDAP_PORT="{{ldap.server.port}}"
 LDAP_METHOD=
-LDAP_UID=
-LDAP_BASE=
-LDAP_BIND_DN=
-LDAP_AUTH=
-LDAP_PASSWORD=
+LDAP_UID={{ldap.attributes.user_id}}
+LDAP_BASE="{{ldap.dn.root}}"
+LDAP_BIND_DN="{{ldap.dn.administrator}}"
+LDAP_AUTH=password
+LDAP_PASSWORD="{{ldap.bind_credential}}"
 LDAP_ROLE_FIELD=
 LDAP_FILTER=
+{% endif %}
+
 # ====================================
 # GREENLIGHT CONFIGURATION
 # ====================================
diff --git a/roles/docker-keycloak/templates/import/realm.json.j2 b/roles/docker-keycloak/templates/import/realm.json.j2
index a781dcd4..3b70002c 100644
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@@ -1923,7 +1923,7 @@
 "subComponents": {},
 "config": {
 "ldap.attribute": [
- "uid"
+ "{{ldap.attributes.user_id}}"
 ],
 "is.mandatory.in.ldap": [
 "true"
@@ -2008,7 +2008,7 @@
 "-1"
 ],
 "usernameLDAPAttribute": [
- "uid"
+ "{{ldap.attributes.user_id}}"
 ],
 "bindDn": [
 "{{ldap.dn.administrator}}"
@@ -2020,7 +2020,7 @@
 "other"
 ],
 "uuidLDAPAttribute": [
- "uid"
+ "{{ldap.attributes.user_id}}"
 ],
 "allowKerberosAuthentication": [
 "false"
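Review bot: The `{% if applications[application_id].ldap.enabled | bool %}` opened here is closed by the `{% endif %}` in the next hunk, so when LDAP is disabled the `LDAP_*` keys are no longer emitted at all, whereas before they were present with empty values; if Greenlight treats an absent and an empty variable the same this is harmless, but it is worth confirming, since the defaults in 07_applications.yml set this flag to `False` for bigbluebutton. A short comment on the guard would help the next reader, e.g. `{# LDAP block is only rendered when applications.<id>.ldap.enabled is true #}`.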
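Review bot: `LDAP_METHOD=` is left empty while `LDAP_SERVER` and `LDAP_PORT` now come from `ldap.server`, whose non-local branch resolves to the public LDAP host and the LDAPS port; without a method the bind credential in `LDAP_PASSWORD` may be sent in clear text when the server is not local. Derive it from the same switch, e.g. `LDAP_METHOD={{ 'plain' if ldap.server.network.local | bool else 'ssl' }}`, after confirming the value Greenlight expects for LDAPS (the example comment in this block only lists `plain`). `LDAP_AUTH=password` likewise differs from the `# LDAP_AUTH=simple` example a few lines up and should be checked against the accepted values. `LDAP_PASSWORD` binds with `ldap.bind_credential`, which 11_iam.yml maps to the OpenLDAP administrator password; a read-only bind account is the least-privilege choice for a login lookup. `LDAP_UID=` is the only new value left unquoted — quote it like its neighbours.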
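Review bot: The same substitution lands in four places (`ldap.attribute` here, `usernameLDAPAttribute` and `uuidLDAPAttribute` in the two hunks below, and `rdnLDAPAttribute` at @@ -2053 further down); for `uuidLDAPAttribute` binding the value to the login-name attribute means Keycloak's unique object identifier changes whenever a user is renamed, so a renamed LDAP user reappears as a new Keycloak user. That entry was already `uid` before this commit, but now that it is templated consider a separate variable (placeholder name `ldap.attributes.user_uuid`) defaulting to a stable identifier such as `entryUUID`, which is what Keycloak typically uses for non-AD vendors, rather than reusing `user_id`. The value is also interpolated into a JSON string literal without escaping, which is only safe while the variable is restricted to a bare attribute name.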
@@ -2053,7 +2053,7 @@
 "person, inetOrgPerson, nextcloudUser"
 ],
 "rdnLDAPAttribute": [
- "uid"
+ "{{ldap.attributes.user_id}}"
 ],
 "editMode": [
 "WRITABLE"
diff --git a/roles/docker-ldap/templates/ldif/data/02_users.ldif.j2 b/roles/docker-ldap/templates/ldif/data/02_users.ldif.j2
index 37df7292..35d1f684 100644
--- a/roles/docker-ldap/templates/ldif/data/02_users.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/data/02_users.ldif.j2
@@ -9,11 +9,11 @@ description: Container for application access profiles
 #######################################################################
 # Create Admin User
 #######################################################################
-dn: uid={{users.administrator.username}},{{ldap.dn.users}}
+dn: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}
 objectClass: top
 objectClass: inetOrgPerson
 objectClass: posixAccount
-uid: {{users.administrator.username}}
+{{ldap.attributes.user_id}}: {{users.administrator.username}}
 sn: Administrator
 cn: Administrator
 userPassword: {SSHA}CHANGE_THIS_PASSWORD
@@ -31,11 +31,11 @@ gidNumber: {{users.administrator.gid}}
 dn: cn={{ app }}-administrator,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: uid={{users.administrator.username}},{{ldap.dn.users}}
+roleOccupant: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}

 dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: uid={{users.administrator.username}},{{ldap.dn.users}}
+roleOccupant: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}

 {% endfor %}
diff --git a/roles/docker-nextcloud/templates/oidc.config.php.j2 b/roles/docker-nextcloud/templates/oidc.config.php.j2
index 3cd94fe0..ad5fb42a 100644
--- a/roles/docker-nextcloud/templates/oidc.config.php.j2
+++ b/roles/docker-nextcloud/templates/oidc.config.php.j2
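Review bot: The entry still carries `objectClass: posixAccount`, whose schema (RFC 2307) requires a `uid` attribute, so if `ldap.attributes.user_id` is ever set to anything other than `uid` the templated `{{ldap.attributes.user_id}}: {{users.administrator.username}}` line no longer satisfies the objectClass and the add is rejected; either keep an explicit `uid: {{users.administrator.username}}` line next to it or document in 11_iam.yml that `user_id` must stay `uid` for posixAccount entries. The `roleOccupant` DNs in the next hunk must keep matching this RDN, so the same caveat applies there; the `{% for %}` that encloses that hunk starts outside it. The username is also placed into a DN without RDN escaping, which is only safe while `users.administrator.username` contains no DN special characters.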
@@ -98,9 +98,9 @@ return array (
 'mail' => 'email',
 # 'quota' => 'nextcloudQuota', # Not implemented yet
 # 'home' => 'homeDirectory', # Not implemented yet
- 'ldap_uid' => 'uid',
+ 'ldap_uid' => '{{ldap.attributes.user_id}}',
 # 'groups' => 'ownCloudGroups', # Not implemented yet
- 'login_filter' => 'realm_access_roles',
+ # 'login_filter' => 'realm_access_roles',
 // 'photoURL' => 'picture',
 // 'is_admin' => 'ownCloudAdmin',
 ),
diff --git a/roles/docker-nextcloud/vars/ldap.yml b/roles/docker-nextcloud/vars/ldap.yml
index 152f1eb9..25500783 100644
--- a/roles/docker-nextcloud/vars/ldap.yml
+++ b/roles/docker-nextcloud/vars/ldap.yml
@@ -107,7 +107,7 @@ nextcloud_ldap_configuration:

 - appid: "user_ldap"
 configkey: "s01ldap_login_filter"
- configvalue: "(&(|(objectclass=inetOrgPerson))(uid=%uid))"
+ configvalue: "(&(|(objectclass=inetOrgPerson))({{ldap.attributes.user_id}}=%{{ldap.attributes.user_id}}))"

 - appid: "user_ldap"
 configkey: "s01ldap_login_filter_mode"
@@ -175,4 +175,4 @@ nextcloud_ldap_configuration:

 - appid: "user_ldap"
 configkey: "s01ldap_expert_username_attr"
- configvalue: "uid"
\ No newline at end of file
+ configvalue: "{{ldap.attributes.user_id}}"
\ No newline at end of file
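Review bot: Commenting out `'login_filter' => 'realm_access_roles'` is an authorization change that the commit title (`Set LDAP uid variable`) does not mention: if that mapping previously limited OIDC logins to accounts carrying a realm-access role, every authenticated Keycloak user can now log in to Nextcloud. If this is intended, record why next to the line, e.g. `# 'login_filter' => 'realm_access_roles', # disabled: role-based login gating is not used, all realm users may log in`; if not, keep the mapping active. The `return array (` that encloses this hunk starts outside it.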
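Review bot: Nextcloud's user_ldap login filter treats `%uid` as a fixed placeholder for the name typed at login, not as the attribute name, so `%{{ldap.attributes.user_id}}` only keeps working while `user_id` is `uid`; the filter should keep the literal placeholder: `configvalue: "(&(|(objectclass=inetOrgPerson))({{ldap.attributes.user_id}}=%uid))"`. The `s01ldap_expert_username_attr` change in the last hunk is fine, since that key does take the attribute name.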