From 3d096f1fc7403fe4e068c95e85a3093925633242 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Thu, 27 Feb 2025 10:47:50 +0100
Subject: [PATCH] Enabled password hashing for LDAP and Keycloak

---
 playbook.servers.yml | 7 -------
 roles/docker-keycloak/templates/import/realm.json.j2 | 2 +-
 .../ldif/configuration/04_hashed_password.ldif.j2 | 6 ++++++
 roles/docker-nextcloud/README.md | 11 +++++++++++
 4 files changed, 18 insertions(+), 8 deletions(-)
 create mode 100644 roles/docker-ldap/templates/ldif/configuration/04_hashed_password.ldif.j2

diff --git a/playbook.servers.yml b/playbook.servers.yml
index 45a961e0..cb1e4d16 100644
--- a/playbook.servers.yml
+++ b/playbook.servers.yml
@@ -253,11 +253,4 @@
 roles:
 - role: nginx-redirect-www
 
-# Helper Roles for partial deployment
-- name: Copy global css
- hosts: nginx-modifier-css
- become: true
- roles:
- - role: nginx-modifier-css
-
 - import_playbook: playbook.destructor.yml
\ No newline at end of file
diff --git a/roles/docker-keycloak/templates/import/realm.json.j2 b/roles/docker-keycloak/templates/import/realm.json.j2
index 3b70002c..be46d773 100644
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@@ -2044,7 +2044,7 @@
 "always"
 ],
 "usePasswordModifyExtendedOp": [
- "false"
+ "true"
 ],
 "trustEmail": [
 "false"
diff --git a/roles/docker-ldap/templates/ldif/configuration/04_hashed_password.ldif.j2 b/roles/docker-ldap/templates/ldif/configuration/04_hashed_password.ldif.j2
new file mode 100644
index 00000000..e362e586
--- /dev/null
+++ b/roles/docker-ldap/templates/ldif/configuration/04_hashed_password.ldif.j2
@@ -0,0 +1,6 @@
+# Activates Password hashing in ldap
+
+dn: cn=config
+changetype: modify
+replace: olcPasswordHash
+olcPasswordHash: {SSHA}
\ No newline at end of file
diff --git a/roles/docker-nextcloud/README.md b/roles/docker-nextcloud/README.md
index a3d86c61..ee898d8f 100644
--- a/roles/docker-nextcloud/README.md
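Review bot: Setting usePasswordModifyExtendedOp to true only moves the hashing decision to the directory: Keycloak will now send password changes through the Password Modify extended operation (RFC 3062), and the value is hashed only if the LDAP server has a password-hash policy configured and the bind DN Keycloak uses is permitted to run that operation against userPassword, neither of which this realm export shows. Passwords that were already written through a plain modify before this flip are presumably left as stored and are not rehashed, so a one-off reset of existing accounts may be needed — worth confirming on the directory. Since this is a Jinja template, a comment such as `{# password changes go through the Password Modify exop; requires olcPasswordHash on the LDAP server #}` next to the setting would keep the dependency visible. The enclosing LDAP federation component object starts and ends outside the hunk.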
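Review bot: `olcPasswordHash: {SSHA}` selects salted SHA-1, which is fast to brute-force offline compared with the crypt-based or Argon2 schemes OpenLDAP also offers, and the header comment overstates the effect: olcPasswordHash only governs passwords set through the Password Modify extended operation, while an ordinary modify of userPassword stores whatever bytes are sent, so any user provisioned by the role's other LDIF templates or by a client not using the exop stays unhashed. I would reword the header to `# Hash passwords set via the Password Modify extended operation (RFC 3062); plain modifies of userPassword are stored as sent.` and, if the slapd in this container was built with crypt support (not visible here), switch to SHA-512 crypt as below, keeping {SSHA} only as a fallback. The file should also end with a newline.

```ldif
dn: cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {CRYPT}
-
replace: olcPasswordCryptSaltFormat
olcPasswordCryptSaltFormat: $6$%.16s
```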
+++ b/roles/docker-nextcloud/README.md
@@ -99,6 +99,11 @@ docker-compose exec -it -u www-data application /var/www/html/occ
 docker compose exec -it -u www-data application php occ user:list
 ```
 
+#### Sync Users
+```bash
+docker compose exec -it -u www-data application php occ user:sync
+```
+
 #### Create user via CLI
 ```bash
 docker compose exec -it -u www-data application php occ user:add {{username}}
@@ -161,6 +166,12 @@ More information: https://docs.nextcloud.com/server/latest/admin_manual/configur
 SELECT * FROM `oc_appconfig` WHERE appid LIKE "%ldap%" and configkey != "s01ldap_agent_password";
 ```
 
+## Update User with LDAP values
+
+```bash
+docker compose exec -it -u www-data application php occ ldap:check-user --update {{username}}
+```
+
 ## Federation
 If users are just created via Keycloak and not via LDAP, they have a different username.
 Due to this reaso concider to use LDAP to guaranty that the username is valid.