Renamed the mariadb, openldap and postgres database

roles/svc-db-openldap/templates/docker-compose.yml.j2

@@ -0,0 +1,28 @@
+{% include 'roles/docker-compose/templates/base.yml.j2' %}
+
+  application:
+    image: "{{ applications[application_id].images.openldap }}"
+    container_name: {{ applications[application_id].hostname }}
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+{% if applications[application_id].network.public | bool or applications[application_id].network.local | bool %}
+    ports:
+      - 127.0.0.1:{{ports.localhost.ldap['svc-db-openldap']}}:{{ldap_docker_port}}
+{% endif %}
+    volumes:
+      - 'data:/bitnami/openldap'
+      - '{{ldif_host_path}}:{{ldif_docker_path}}:ro'
+    healthcheck:
+      test: >
+        bash -c '
+        ldapsearch -x -H ldap://localhost:{{ ldap_docker_port }} \
+          -D "{{ ldap.dn.administrator.data }}" -w "{{ ldap.bind_credential }}" -b "{{ ldap.dn.root }}" > /dev/null \
+        && ldapsearch -Y EXTERNAL -H ldapi:/// \
+          -b cn=config "(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))" \
+        | grep "olcOverlay:" | grep -q "memberof"
+        '
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+
+{% include 'roles/docker-compose/templates/volumes.yml.j2' %}
+  data:
+
+{% include 'roles/docker-compose/templates/networks.yml.j2' %}

roles/svc-db-openldap/templates/env.j2

@@ -0,0 +1,26 @@
+
+# @See https://hub.docker.com/r/bitnami/openldap
+      
+# GENERAL
+## Admin (Data)
+LDAP_ADMIN_USERNAME=        {{applications[application_id].users.administrator.username}} # LDAP database admin user.
+LDAP_ADMIN_PASSWORD=        {{ldap.bind_credential}}                                      # LDAP database admin password.
+
+## Users
+LDAP_USERS=                 ' '                             # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
+LDAP_PASSWORDS=             ' '                             # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami2
+LDAP_ROOT=                  {{ldap.dn.root}}                # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
+
+## Admin (Config)
+LDAP_ADMIN_DN=              {{ldap.dn.administrator.data}}
+LDAP_CONFIG_ADMIN_ENABLED=  yes
+LDAP_CONFIG_ADMIN_USERNAME= {{applications[application_id].users.administrator.username}}
+LDAP_CONFIG_ADMIN_PASSWORD= {{applications[application_id].credentials.administrator_password}}
+  
+# Network
+LDAP_PORT_NUMBER=           {{ldap_docker_port}}            # Route to default port
+LDAP_ENABLE_TLS=            no                              # Using nginx proxy for tls
+LDAP_LDAPS_PORT_NUMBER=     {{ldaps_docker_port}}           # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
+
+# Security
+LDAP_ALLOW_ANON_BINDING=    no                              # Allow anonymous bindings to the LDAP server. Default: yes.

roles/svc-db-openldap/templates/ldif/configuration/01_member_of_configuration.ldif.j2

@@ -0,0 +1,50 @@
+# MemberOf Overlay Configuration for OpenLDAP
+#
+# This file activates the memberOf module and configures the memberOf overlay,
+# which is required by Nextcloud for proper group management.
+# @see https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html 
+# @see https://www.adimian.com/blog/how-to-enable-memberof-using-openldap/
+#
+# The first section loads the memberof module from the specified path.
+#   - olcModuleLoad: Specifies that the "memberof" module should be loaded.
+#   - olcModulePath: Provides the full path to the memberof shared object.
+#
+# The second section configures the memberOf overlay for the designated database.
+#   - The DN "olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config" sets up the overlay
+#     on the database backend (here assumed to be "hdb").
+#   - olcMemberOfDangling: ignore
+#         Instructs the overlay to ignore references to non-existent objects.
+#   - olcMemberOfRefInt: TRUE
+#         Enables referential integrity so that changes in group membership automatically
+#         update the user's "memberOf" attribute.
+#   - olcMemberOfGroupOC: groupOfNames
+#         Specifies that the overlay applies to groups with the object class "groupOfNames".
+#   - olcMemberOfMemberAD: member
+#         Indicates that the group's membership is stored in the "member" attribute.
+#   - olcMemberOfMemberOfAD: memberOf
+#         Defines that the overlay will maintain the "memberOf" attribute in user entries.
+#
+# IMPORTANT: All groups created before enabling this module must be deleted and recreated,
+# as the overlay only assigns the "member" attribute when a new group is created.
+
+# @todo Solve the following error:
+#fatal: [echoserver]: FAILED! => {"changed": true, "cmd": "docker exec -i ldap ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ldif/01_member_of_configuration.ldif\n", "delta": "0:00:00.059605", "end": "2025-02-25 12:01:18.218851", "msg": "non-zero return code", "rc": 247, "start": "2025-02-25 12:01:18.159246", "stderr": "SASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldapmodify: modify operation type is missing at line 2, entry \"cn=module,cn=config\"", "stderr_lines": ["SASL/EXTERNAL authentication started", "SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth", "SASL SSF: 0", "ldapmodify: modify operation type is missing at line 2, entry \"cn=module,cn=config\""], "stdout": "", "stdout_lines": []}
+
+
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+olcModuleLoad: memberof
+olcModulePath: /opt/bitnami/openldap/lib/openldap/memberof.so
+
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf

roles/svc-db-openldap/templates/ldif/configuration/02_member_of_configuration.ldif.j2

@@ -0,0 +1,10 @@
+# Refint Module Activation for OpenLDAP
+#
+# This section adds the refint module to the LDAP configuration.
+# The refint module ensures referential integrity by automatically updating
+# or removing references when objects are renamed or deleted.
+#
+# In this file, the "olcmoduleload" attribute is used to load the "refint" module.
+dn: cn=module{1},cn=config
+add: olcmoduleload
+olcmoduleload: refint

roles/svc-db-openldap/templates/ldif/configuration/03_member_of_configuration.ldif.j2

@@ -0,0 +1,23 @@
+# Refint Overlay Configuration for OpenLDAP
+#
+# This file configures the refint overlay for the specified LDAP database.
+#
+# The overlay is applied to the database (here using the "hdb" backend) and is
+# responsible for maintaining referential integrity.
+#
+# The attribute "olcRefintAttribute" lists the attributes that will be monitored
+# for changes. In this case, changes to the following attributes will be tracked:
+#   - memberof
+#   - member
+#   - manager
+#   - owner
+#
+# This ensures that any changes in the LDAP directory (such as deletion or modification
+# of an object) automatically update all references to that object, preventing dangling references.
+dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof member manager owner

roles/svc-db-openldap/templates/ldif/configuration/04_hashed_password.ldif.j2

@@ -0,0 +1,6 @@
+# Activates Password hashing in ldap
+
+dn: cn=config
+changetype: modify
+replace: olcPasswordHash
+olcPasswordHash: {SSHA}

roles/svc-db-openldap/templates/ldif/configuration/README.md

@@ -0,0 +1 @@
+This folder contains configuration files where a specific logic needs to be applied.

roles/svc-db-openldap/templates/ldif/data/01_rbac_group.ldif.j2

@@ -0,0 +1,30 @@
+{# 
+@todo: activate
+{% for dn, entry in (applications | build_ldap_role_entries(users, ldap)).items() %}
+
+dn: {{ dn }}
+{% for oc in entry.objectClass %}
+objectClass: {{ oc }}
+{% endfor %}
+{% if entry.ou is defined %}
+ou: {{ entry.ou }}
+{% else %}
+cn: {{ entry.cn }}
+{% endif %}
+{% if entry.gidNumber is defined %}
+gidNumber: {{ entry.gidNumber }}
+{% endif %}
+description: {{ entry.description }}
+{% if entry.memberUid is defined %}
+{% for uid in entry.memberUid %}
+memberUid: {{ uid }}
+{% endfor %}
+{% endif %}
+{% if entry.member is defined %}
+{% for m in entry.member %}
+member: {{ m }}
+{% endfor %}
+{% endif %}
+
+{% endfor %}
+#}

roles/svc-db-openldap/templates/ldif/data/02_rbac_roles.ldif.j2

@@ -0,0 +1,23 @@
+{% for dn, entry in (applications | build_ldap_role_entries(users, ldap)).items() %}
+
+dn: {{ dn }}
+{% for oc in entry.objectClass %}
+objectClass: {{ oc }}
+{% endfor %}
+{% if entry.gidNumber is defined %}
+gidNumber: {{ entry.gidNumber }}
+{% endif %}
+cn: {{ entry.cn }}
+description: {{ entry.description }}
+{% if entry.memberUid is defined %}
+{% for uid in entry.memberUid %}
+memberUid: {{ uid }}
+{% endfor %}
+{% endif %}
+{% if entry.member is defined %}
+{% for m in entry.member %}
+member: {{ m }}
+{% endfor %}
+{% endif %}
+
+{% endfor %}

roles/svc-db-openldap/templates/ldif/data/README.md

@@ -0,0 +1 @@
+This folder contains files which are importet via ldapadd without any specific logic

roles/svc-db-openldap/templates/nginx.stream.conf.j2

@@ -0,0 +1,6 @@
+server {
+    listen {{ ports.public.ldaps['svc-db-openldap'] }}ssl;
+    proxy_pass 127.0.0.1:{{ ports.localhost.ldap['svc-db-openldap'] }};
+    
+    {% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_credentials.j2' %}
+}