diff --git a/group_vars/all/12_iam.yml b/group_vars/all/12_iam.yml
index 5c46da47..8ea63989 100644
--- a/group_vars/all/12_iam.yml
+++ b/group_vars/all/12_iam.yml
@@ -46,16 +46,46 @@ _ldap_filters_users_all: "(|(objectclass=inetOrgPerson))" ldap: # Distinguished Names (DN) dn: - # Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD). + # ------------------------------------------------------------------------- + # Base DN / Suffix + # This is the top-level naming context for your directory, used as the + # default search base for most operations (e.g. adding users, groups). + # Example: “dc=example,dc=com” root: "{{_ldap_dn_base}}" - # Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain. - administrator: "cn={{applications.ldap.users.administrator.username}},{{_ldap_dn_base}}" - # Dn from which the users should be read - users: "ou=users,{{_ldap_dn_base}}" - # Dn from which the groups should be read - groups: "ou=groups,{{_ldap_dn_base}}" - # Dn for all application roles of the users - application_roles: "ou=application_roles,{{_ldap_dn_base}}" + administrator: + # ------------------------------------------------------------------------- + # Data-Tree Administrator Bind DN + # The DN used to authenticate for regular directory operations under + # the data tree (adding users, modifying attributes, creating OUs, etc.). + # Typically: “cn=admin,dc=example,dc=com” + data: "cn={{ applications.ldap.users.administrator.username }},{{ _ldap_dn_base }}" + + # ------------------------------------------------------------------------- + # Config-Tree Administrator Bind DN + # The DN used to authenticate against the cn=config backend when you + # need to load or modify schema, overlays, modules, or other server- + # level settings. 
+ # Typically: “cn=admin,cn=config” + configuration: "cn={{ applications.ldap.users.administrator.username }},cn=config" + + + # ------------------------------------------------------------------------- + # Organizational Units (OUs) + # Pre-created containers in the data tree to organize entries. + # – users: Where all person/posixAccount entries live. + # – groups: Where you define your application or business groups. + # – roles: A flat container for application-role entries (e.g. “cn=app1-user”). + users: "ou=users,{{ _ldap_dn_base }}" + groups: "ou=groups,{{ _ldap_dn_base }}" + application_roles: "ou=application_roles,{{ _ldap_dn_base }}" + + # ------------------------------------------------------------------------- + # Additional Notes + # – Always bind as data_admin for CRUD on entries under your base DN. + # – Always bind as config_admin when you push schema-level LDIFs via ldapi:/// + # – Keeping these distinct prevents accidental use of config credentials + # for ordinary user/group operations, and vice versa. + attributes: # Attribut to identify the user user_id: "{{ _ldap_user_id }}" 
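Review bot: The "Additional Notes" block at the end of the hunk tells readers to bind as `data_admin` and `config_admin`, but the keys introduced above are `administrator.data` and `administrator.configuration`, so a grep for the names in the note finds nothing. I would reword the two bullets to use the real paths, e.g. `# – Bind as ldap.dn.administrator.data for CRUD on entries under the base DN.` and `# – Bind as ldap.dn.administrator.configuration when pushing schema-level changes via ldapi:///.` It is also worth stating in the same block that both DNs are built from the same `applications.ldap.users.administrator.username`, so the separation the notes describe rests on the two bind passwords (`ldap.bind_credential` versus the cn=config password) being different — something this hunk cannot show.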
@@ -73,11 +103,19 @@ ldap: network: local: "{{applications.ldap.network.docker}}" # Uses the application configuration to define if local network should be available or not user_objects: - - person # Basic person attributes (sn, cn …) – RFC 4519 - - inetOrgPerson # Extended Internet / intranet person – RFC 2798 - - posixAccount # POSIX/UNIX login attributes (uidNumber, gidNumber …) – RFC 2307 - - nextcloudUser # Nextcloud-specific auxiliary attributes (nextcloudQuota, nextcloudEnabled) – Nextcloud schema - - ldapPublicKey # Necessary for setting SSH keys for gitea + structural: + - person # Structural Classes define the core identity of an entry: + # • Specify mandatory attributes (e.g. sn, cn) + # • Each entry must have exactly one structural class + - inetOrgPerson # An extension of person adding internet-related attributes + # (e.g. mail, employeeNumber) + - posixAccount # Provides UNIX account attributes (uidNumber, gidNumber, + # homeDirectory) + auxiliary: + - nextcloudUser # Auxiliary Classes attach optional attributes without + # changing the entry’s structural role. Here they add + # nextcloudQuota and nextcloudEnabled for Nextcloud. + - ldapPublicKey # Allows storing SSH public keys for services like Gitea. filters: users: diff --git a/roles/docker-bigbluebutton/templates/env.j2 b/roles/docker-bigbluebutton/templates/env.j2 index 94101f86..063fb833 100644 --- a/roles/docker-bigbluebutton/templates/env.j2 +++ b/roles/docker-bigbluebutton/templates/env.j2 @@ -182,7 +182,7 @@ LDAP_PORT="{{ldap.server.port}}" LDAP_METHOD= LDAP_UID={{ldap.attributes.user_id}} LDAP_BASE="{{ldap.dn.root}}" -LDAP_BIND_DN="{{ldap.dn.administrator}}" +LDAP_BIND_DN="{{ldap.dn.administrator.data}}" LDAP_AUTH=password LDAP_PASSWORD="{{ldap.bind_credential}}" LDAP_ROLE_FIELD= diff --git a/roles/docker-discourse/templates/discourse_application.yml.j2 b/roles/docker-discourse/templates/discourse_application.yml.j2 index 08867a8d..e314a71c 100644 
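Review bot: `posixAccount` is an AUXILIARY class in RFC 2307, so listing it under `structural` directly beneath the comment "Each entry must have exactly one structural class" is misleading; `person` and `inetOrgPerson` are the structural ones, and the pair is legal only because inetOrgPerson derives from person, which the comment as written also contradicts. The split is not cosmetic, because the new add_user_objects.yml back-fills only `ldap.user_objects.auxiliary` onto existing users, so an existing entry lacking `posixAccount` would never be repaired. If `posixAccount` has to stay in `structural` because its mandatory attributes are supplied when the entry is created (the creation task is not fully visible here), say so in place: `- posixAccount # AUXILIARY per RFC 2307; kept here because its required attributes are set at entry creation`. The `person` comment should then read "one structural class chain" rather than "exactly one structural class".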
--- a/roles/docker-discourse/templates/discourse_application.yml.j2
+++ b/roles/docker-discourse/templates/discourse_application.yml.j2
@@ -161,7 +161,7 @@ run:
 - exec: rails r "SiteSetting.ldap_sync_port = {{ ldap.server.port }}"
 - exec: rails r "SiteSetting.ldap_encryption = 'simple_tls'"
 - exec: rails r "SiteSetting.ldap_base_dn = '{{ ldap.dn.root }}'"
- - exec: rails r "SiteSetting.ldap_bind_dn = '{{ ldap.dn.administrator }}'"
+ - exec: rails r "SiteSetting.ldap_bind_dn = '{{ ldap.dn.administrator.data }}'"
 - exec: rails r "SiteSetting.ldap_bind_password = '{{ ldap.bind_credential }}'"
 # LDAP additional configuration
diff --git a/roles/docker-espocrm/templates/env.j2 b/roles/docker-espocrm/templates/env.j2
index 03b172f4..45bd67a4 100644
--- a/roles/docker-espocrm/templates/env.j2
+++ b/roles/docker-espocrm/templates/env.j2
@@ -67,7 +67,7 @@ ESPOCRM_CONFIG_LDAP_HOST={{ ldap.server.domain }}
 ESPOCRM_CONFIG_LDAP_PORT={{ ldap.server.port }}
 # ESPOCRM_CONFIG_LDAP_SECURITY: "", SSL or TLS
 ESPOCRM_CONFIG_LDAP_SECURITY={{ ldap.server.security }}
-ESPOCRM_CONFIG_LDAP_USERNAME={{ ldap.dn.administrator }}
+ESPOCRM_CONFIG_LDAP_USERNAME={{ ldap.dn.administrator.data }}
 ESPOCRM_CONFIG_LDAP_PASSWORD={{ ldap.bind_credential }}
 ESPOCRM_CONFIG_LDAP_BASE_DN={{ ldap.dn.users }}
 ESPOCRM_CONFIG_LDAP_USER_LOGIN_FILTER=(sAMAccountName=%USERNAME%)
diff --git a/roles/docker-funkwhale/templates/env.j2 b/roles/docker-funkwhale/templates/env.j2
index 6a42d856..981eb491 100644
--- a/roles/docker-funkwhale/templates/env.j2
+++ b/roles/docker-funkwhale/templates/env.j2
@@ -109,7 +109,7 @@ DJANGO_SECRET_KEY={{applications[application_id].credentials.django_secret}}
 LDAP_ENABLED = True
 LDAP_SERVER_URI = "{{ldap.server.uri}}"
-LDAP_BIND_DN = "{{ldap.dn.administrator}}"
+LDAP_BIND_DN = "{{ldap.dn.administrator.data}}"
 LDAP_BIND_PASSWORD = "{{ldap.bind_credential}}"
 LDAP_SEARCH_FILTER = "(|(cn={0})(mail={0}))"
 LDAP_START_TLS = False
diff --git a/roles/docker-fusiondirectory/templates/env.j2 b/roles/docker-fusiondirectory/templates/env.j2
index 0a42231f..e505b556 100644
--- a/roles/docker-fusiondirectory/templates/env.j2
+++ b/roles/docker-fusiondirectory/templates/env.j2
@@ -10,5 +10,5 @@ LAM_CONFIGURATION_DATABASE= files
 # LDAP Configuration
 LDAP_SERVER= {{ldap.server.domain}} # domain of LDAP database root entry
 LDAP_BASE_DN= {{ldap.dn.root}} # LDAP base DN to overwrite value generated by LDAP_DOMAIN
-LDAP_USER= {{ldap.dn.administrator}} # LDAP admin user (set as login user for LAM)
+LDAP_USER= {{ldap.dn.administrator.data}} # LDAP admin user (set as login user for LAM)
 LDAP_ADMIN_PASSWORD= {{ldap.bind_credential}} # LDAP admin password
\ No newline at end of file
diff --git a/roles/docker-gitea/tasks/setup/ldap.yml b/roles/docker-gitea/tasks/setup/ldap.yml
index 9fdcb961..d65e301f 100644
--- a/roles/docker-gitea/tasks/setup/ldap.yml
+++ b/roles/docker-gitea/tasks/setup/ldap.yml
@@ -7,7 +7,7 @@
 --host "{{ ldap.server.domain }}" \
 --port {{ ldap.server.port }} \
 --security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
- --bind-dn "{{ ldap.dn.administrator }}" \
+ --bind-dn "{{ ldap.dn.administrator.data }}" \
 --bind-password "{{ ldap.bind_credential }}" \
 --user-search-base "{{ ldap.dn.users }}" \
 --user-filter "{{ ldap.filters.users.login }}" \
@@ -51,7 +51,7 @@
 --host "{{ ldap.server.domain }}" \
 --port {{ ldap.server.port }} \
 --security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
- --bind-dn "{{ ldap.dn.administrator }}" \
+ --bind-dn "{{ ldap.dn.administrator.data }}" \
 --bind-password "{{ ldap.bind_credential }}" \
 --user-search-base "{{ ldap.dn.users }}" \
 --user-filter "(&(objectClass=inetOrgPerson)(uid=%s))" \
diff --git a/roles/docker-gitea/templates/env.j2 b/roles/docker-gitea/templates/env.j2
index d673f4f1..af7685e5 100644
--- a/roles/docker-gitea/templates/env.j2
+++ b/roles/docker-gitea/templates/env.j2
@@ -46,7 +46,7 @@ GITEA__security__INSTALL_LOCK=true # Locks the installation page
 # (De)activate OIDC
 GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }}
-GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }}
+GITEA__openid__ENABLE_OPENID_SIGNIN={{ applications | is_feature_enabled('oidc',application_id) | lower }}
 {% if applications | is_feature_enabled('oidc',application_id) or applications | is_feature_enabled('ldap',application_id) %}
diff --git a/roles/docker-keycloak/templates/import/realm.json.j2 b/roles/docker-keycloak/templates/import/realm.json.j2
index d011ddd7..e9eaf376 100644
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@@ -2043,7 +2043,7 @@
 "{{ldap.attributes.user_id}}"
 ],
 "bindDn": [
- "{{ldap.dn.administrator}}"
+ "{{ldap.dn.administrator.data}}"
 ],
 "lastSync": [
 "1737578007"
diff --git a/roles/docker-lam/templates/env.j2 b/roles/docker-lam/templates/env.j2
index 0a42231f..e505b556 100644
--- a/roles/docker-lam/templates/env.j2
+++ b/roles/docker-lam/templates/env.j2
@@ -10,5 +10,5 @@ LAM_CONFIGURATION_DATABASE= files
 # LDAP Configuration
 LDAP_SERVER= {{ldap.server.domain}} # domain of LDAP database root entry
 LDAP_BASE_DN= {{ldap.dn.root}} # LDAP base DN to overwrite value generated by LDAP_DOMAIN
-LDAP_USER= {{ldap.dn.administrator}} # LDAP admin user (set as login user for LAM)
+LDAP_USER= {{ldap.dn.administrator.data}} # LDAP admin user (set as login user for LAM)
 LDAP_ADMIN_PASSWORD= {{ldap.bind_credential}} # LDAP admin password
\ No newline at end of file
diff --git a/roles/docker-ldap/docs/Administration.md b/roles/docker-ldap/docs/Administration.md
index 92fafe62..a5d94288 100644
--- a/roles/docker-ldap/docs/Administration.md
+++ b/roles/docker-ldap/docs/Administration.md
@@ -2,6 +2,15 @@ ## Configuration +## Load env + +To use the following commands firs load the env: +```bash +export $(grep -v '^[[:space:]]*#' ./.env/env \ + | sed -E 's/#.*$//; /^[[:space:]]*$/d; s/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]*=[[:space:]]*/=/' \ + | xargs) +``` + ### Show Configuration ```bash docker exec -it ldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config'" diff --git a/roles/docker-ldap/handlers/main.yml b/roles/docker-ldap/handlers/main.yml index 9a1ba533..16292a45 100644 --- a/roles/docker-ldap/handlers/main.yml +++ b/roles/docker-ldap/handlers/main.yml @@ -45,7 +45,7 @@ - name: "Import users, groups, etc. to LDAP" shell: > - docker exec -i {{ applications[application_id].hostname }} ldapadd -x -D "{{ldap.dn.administrator}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}data/{{ item | basename | regex_replace('\.j2$', '') }}" + docker exec -i {{ applications[application_id].hostname }} ldapadd -x -D "{{ldap.dn.administrator.data}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}data/{{ item | basename | regex_replace('\.j2$', '') }}" register: ldapadd_result changed_when: "'adding new entry' in ldapadd_result.stdout" failed_when: ldapadd_result.rc not in [0, 20, 68] diff --git a/roles/docker-ldap/meta/main.yml b/roles/docker-ldap/meta/main.yml index f3796361..c0a1d85e 100644 --- a/roles/docker-ldap/meta/main.yml +++ b/roles/docker-ldap/meta/main.yml @@ -20,6 +20,3 @@ galaxy_info: documentation: https://s.veen.world/cymais logo: class: "fa-solid fa-users" - #run_after: - # - "0" -dependencies: [] diff --git a/roles/docker-ldap/tasks/add_user_objects.yml b/roles/docker-ldap/tasks/add_user_objects.yml index 1183605a..abe12019 100644 --- a/roles/docker-ldap/tasks/add_user_objects.yml +++ b/roles/docker-ldap/tasks/add_user_objects.yml 
@@ -1,22 +1,32 @@ -- name: "1) Gather all existing user DNs" +- name: Gather all users with their current objectClass list community.general.ldap_search: - server_uri: "{{ ldap.server.uri }}" - bind_dn: "{{ ldap.dn.administrator }}" + server_uri: "{{ ldap_server_uri }}" + bind_dn: "{{ ldap.dn.administrator.data }}" bind_pw: "{{ ldap.bind_credential }}" - base: "{{ ldap.dn.users }}" + dn: "{{ ldap.dn.users }}" + scope: subordinate filter: "{{ ldap.filters.users.all }}" - attributes: ["dn"] - register: ldap_existing_users + attrs: + - dn + - objectClass + - "{{ ldap.attributes.user_id }}" + register: ldap_users_with_classes -- name: "2) Update each existing user with all user_objects" +- name: Add only missing auxiliary classes community.general.ldap_attrs: - server_uri: "{{ ldap.server.uri }}" - bind_dn: "{{ ldap.dn.administrator }}" + server_uri: "{{ ldap_server_uri }}" + bind_dn: "{{ ldap.dn.administrator.data }}" bind_pw: "{{ ldap.bind_credential }}" dn: "{{ item.dn }}" attributes: - objectClass: "{{ ldap.user_objects }}" - state: exact - loop: "{{ ldap_existing_users.entries }}" + objectClass: "{{ missing_auxiliary }}" + state: present + loop: "{{ ldap_users_with_classes.results }}" loop_control: label: "{{ item.dn }}" + vars: + missing_auxiliary: >- + {{ ldap.user_objects.auxiliary + | difference(item.objectClass | default([])) + }} + when: missing_auxiliary | length > 0 diff --git a/roles/docker-ldap/tasks/main.yml b/roles/docker-ldap/tasks/main.yml index e71a1b75..6832ca8f 100644 --- a/roles/docker-ldap/tasks/main.yml +++ b/roles/docker-ldap/tasks/main.yml 
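Review bot: `item.objectClass | default([])` in the `missing_auxiliary` expression assumes the search hands back `objectClass` as a list; as far as I recall community.general.ldap_search collapses single-valued results to a plain string, and `difference` applied to a string iterates its characters, which would make every auxiliary class look missing and re-add it on each run. For entries matching `(|(objectclass=inetOrgPerson))` the attribute always carries several values, so this is a latent edge case rather than a live one, but the assumption belongs next to the expression: `# objectClass is multi-valued for every inetOrgPerson entry, so ldap_search returns a list here`. `ldap_server_uri` is now taken from the role's vars/main.yml, which this commit also introduces; a one-line comment on the first task recording that dependency would save the next reader a search.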
@@ -49,11 +49,10 @@ state: present - name: "Include Nextcloud Schema" - include_tasks: create_nextcloud_schema.yml - vars: - ldap_server_uri: "ldap://127.0.0.1:{{ ports.localhost.ldap.ldap }}" - ldap_bind_dn: "cn={{ applications[application_id].users.administrator.username }},cn=config" - ldap_bind_pw: "{{ applications[application_id].credentials.administrator_password }}" + include_tasks: schemas/nextcloud.yml + +- name: "Include openssh-lpk Schema" + include_tasks: schemas/openssh_lpk.yml ############################################################################### # 1) Create the LDAP entry if it does not yet exist @@ -61,10 +60,10 @@ - name: Ensure LDAP users exist community.general.ldap_entry: dn: "{{ ldap.attributes.user_id }}={{ item.key }},{{ ldap.dn.users }}" - server_uri: "ldap://127.0.0.1:{{ ports.localhost.ldap.ldap }}" - bind_dn: "{{ ldap.dn.administrator }}" + server_uri: "{{ ldap_server_uri }}" + bind_dn: "{{ ldap.dn.administrator.data }}" bind_pw: "{{ ldap.bind_credential }}" - objectClass: "{{ ldap.user_objects }}" + objectClass: "{{ ldap.user_objects.structural }}" attributes: uid: "{{ item.key }}" # {{ ldap.attributes.user_id }} can't be used as key here, dynamic key generation isn't possible sn: "{{ item.value.sn | default(item.key) }}" @@ -85,13 +84,13 @@ - name: Ensure required objectClass values and mail address are present community.general.ldap_attrs: dn: "{{ ldap.attributes.user_id }}={{ item.key }},{{ ldap.dn.users }}" - server_uri: "ldap://127.0.0.1:{{ ports.localhost.ldap.ldap }}" - bind_dn: "{{ ldap.dn.administrator }}" + server_uri: "{{ ldap_server_uri }}" + bind_dn: "{{ ldap.dn.administrator.data }}" bind_pw: "{{ ldap.bind_credential }}" attributes: - objectClass: "{{ ldap.user_objects }}" + objectClass: "{{ ldap.user_objects.structural }}" mail: "{{ item.value.email }}" - state: exact # ‘exact’ is safest for single-valued attributes + state: exact loop: "{{ users | dict2items }}" loop_control: label: "{{ item.key }}" 
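Review bot: In the "Ensure required objectClass values and mail address are present" task (third hunk), `state: exact` is kept while `objectClass` shrinks to `ldap.user_objects.structural`; for an entry that already carries `nextcloudUser` or `ldapPublicKey` — which the old full list included and which add_user_objects.yml now adds — ldap_attrs will try to delete those values on every run. Depending on whether the entry has attributes from those classes set, that either fails with an object-class violation or silently strips the auxiliary classes so the next task re-adds them, a permanent changed/changed flap. Keep `exact` but supply the full set, `objectClass: "{{ ldap.user_objects.structural + ldap.user_objects.auxiliary }}"`, or split `objectClass` into its own `state: present` task so that `mail` keeps exact semantics. The deleted remark "‘exact’ is safest for single-valued attributes" was the only explanation of the choice; replace it with a comment stating that `exact` is for the single-valued `mail` and what is intended for the multi-valued `objectClass`.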
@@ -99,8 +98,8 @@
 - name: "Ensure container for application roles exists"
 community.general.ldap_entry:
 dn: "{{ ldap.dn.application_roles }}"
- server_uri: "ldap://127.0.0.1:{{ ports.localhost.ldap.ldap }}"
- bind_dn: "{{ ldap.dn.administrator }}"
+ server_uri: "{{ ldap_server_uri }}"
+ bind_dn: "{{ ldap.dn.administrator.data }}"
 bind_pw: "{{ ldap.bind_credential }}"
 objectClass: organizationalUnit
 attributes:
diff --git a/roles/docker-ldap/tasks/create_nextcloud_schema.yml b/roles/docker-ldap/tasks/schemas/nextcloud.yml
similarity index 100%
rename from roles/docker-ldap/tasks/create_nextcloud_schema.yml
rename to roles/docker-ldap/tasks/schemas/nextcloud.yml
diff --git a/roles/docker-ldap/tasks/schemas/openssh_lpk.yml b/roles/docker-ldap/tasks/schemas/openssh_lpk.yml
new file mode 100644
index 00000000..f4572099
--- /dev/null
+++ b/roles/docker-ldap/tasks/schemas/openssh_lpk.yml
@@ -0,0 +1,40 @@
+- name: Install ldapsm
+ include_role:
+ name: pkgmgr-install
+ vars:
+ package_name: ldapsm
+
+- name: Ensure OpenSSH-LPK schema via ldapsm
+ vars:
+ schema_name: "openssh-lpk"
+ attribute_defs:
+ - "( 1.3.6.1.4.1.24552.1.1 NAME 'sshPublicKey' DESC 'OpenSSH Public Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
+ - "( 1.3.6.1.4.1.24552.1.2 NAME 'sshFingerprint' DESC 'OpenSSH Public Key Fingerprint' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
+ objectclass_defs:
+ - >-
+ ( 1.3.6.1.4.1.24552.2.1
+ NAME 'ldapPublicKey'
+ DESC 'Auxiliary class for OpenSSH public keys'
+ SUP top
+ AUXILIARY
+ MAY ( sshPublicKey $ sshFingerprint ) )
+
+ command: >
+ ldapsm
+ -s {{ ldap_server_uri }}
+ -D '{{ ldap_bind_dn }}'
+ -W '{{ ldap_bind_pw }}'
+ -n {{ schema_name }}
+ {% for at in attribute_defs %}
+ -a "{{ at }}"
+ {% endfor %}
+ {% for oc in objectclass_defs %}
+ -c "{{ oc }}"
+ {% endfor %}
+ register: opensshlpk_ldapsm
+ changed_when: "'Created schema entry' in opensshlpk_ldapsm.stdout"
+ check_mode: no
+
+- name: Show ldapsm output for openssh-lpk
+ debug:
+ var: opensshlpk_ldapsm.stdout_lines
diff --git a/roles/docker-ldap/templates/docker-compose.yml.j2 b/roles/docker-ldap/templates/docker-compose.yml.j2
index 490a81d9..87add91c 100644
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@@ -17,7 +17,7 @@ services:
 test: >
 bash -c '
 ldapsearch -x -H ldap://localhost:{{ ldap_docker_port }} \
- -D "{{ ldap.dn.administrator }}" -w "{{ ldap.bind_credential }}" -b "{{ ldap.dn.root }}" > /dev/null \
+ -D "{{ ldap.dn.administrator.data }}" -w "{{ ldap.bind_credential }}" -b "{{ ldap.dn.root }}" > /dev/null \
 && ldapsearch -Y EXTERNAL -H ldapi:/// \
 -b cn=config "(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))" \
 | grep "olcOverlay:" | grep -q "memberof"
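Review bot: The ldapsm task in the new openssh_lpk.yml passes the cn=config administrator password as a command-line argument (`-W '{{ ldap_bind_pw }}'`), so it is visible to any local user via the process list while ldapsm runs and is printed in Ansible's task output whenever the task fails or the run is verbose, since the registered result includes the rendered `cmd`; the task has no `no_log`. Add `no_log: true` to that task; the following debug task only prints `stdout_lines`, which can stay if the ldapsm output is known not to echo the credentials. `check_mode: no` means the schema is written even during a `--check` run, which deserves a comment such as `check_mode: no  # schema write cannot be simulated; runs even under --check`. The single quotes around `{{ ldap_bind_pw }}` do not protect a password that itself contains a quote, because `command:` is tokenised by Ansible rather than a shell — a robustness rather than a security point.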
diff --git a/roles/docker-ldap/templates/env.j2 b/roles/docker-ldap/templates/env.j2
index fe6e7863..a4fc6d9b 100644
--- a/roles/docker-ldap/templates/env.j2
+++ b/roles/docker-ldap/templates/env.j2
@@ -12,7 +12,7 @@ LDAP_PASSWORDS= ' ' # Comma separated li
 LDAP_ROOT= {{ldap.dn.root}} # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
 ## Admin
-LDAP_ADMIN_DN= {{ldap.dn.administrator}}
+LDAP_ADMIN_DN= {{ldap.dn.administrator.data}}
 LDAP_CONFIG_ADMIN_ENABLED= yes
 LDAP_CONFIG_ADMIN_USERNAME= {{applications[application_id].users.administrator.username}}
 LDAP_CONFIG_ADMIN_PASSWORD= {{applications[application_id].credentials.administrator_password}}
diff --git a/roles/docker-ldap/vars/main.yml b/roles/docker-ldap/vars/main.yml
index b1dd793a..629a01f4 100644
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@@ -1,10 +1,17 @@
-application_id: "ldap"
-ldaps_docker_port: 636
-ldap_docker_port: 389
-ldif_host_path: "{{docker_compose.directories.volumes}}ldif/"
-ldif_docker_path: "/tmp/ldif/"
-ldap.dn.application_roles: "ou=application_roles,{{ldap.dn.root}}"
+application_id: "ldap"
+
+# LDAP Variables
+ldaps_docker_port: 636
+ldap_docker_port: 389
+ldap_server_uri: "ldap://127.0.0.1:{{ ports.localhost.ldap.ldap }}"
+ldap_hostname: "{{ applications[application_id].hostname }}"
+ldap_bind_dn: "{{ ldap.dn.administrator.configuration }}"
+ldap_bind_pw: "{{ applications[application_id].credentials.administrator_password }}"
+
+# LDIF Variables
+ldif_host_path: "{{docker_compose.directories.volumes}}ldif/"
+ldif_docker_path: "/tmp/ldif/"
 ldif_types:
 - configuration
 - data
- - schema
\ No newline at end of file
+ - schema # Don't know if this is still needed, it's now setup via tasks
\ No newline at end of file
diff --git a/roles/docker-nextcloud/vars/plugins/user_ldap.yml b/roles/docker-nextcloud/vars/plugins/user_ldap.yml
index db315f41..b85d416a 100644
--- a/roles/docker-nextcloud/vars/plugins/user_ldap.yml
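Review bot: In the vars/main.yml hunk, `ldap_bind_dn` and `ldap_bind_pw` now hold the cn=config credentials (`ldap.dn.administrator.configuration` plus `administrator_password`) while every data-tree task in this commit binds with `ldap.dn.administrator.data` and `ldap.bind_credential`; the generic names give no hint which tree they belong to, and if I remember Ansible's default scoping correctly, role vars are exported to the play after the role runs, so a later role reusing those names would silently pick up the config-admin secret. Either give them a tree-specific prefix (`ldap_config_bind_dn` / `ldap_config_bind_pw`, updating the two tasks under tasks/schemas/ that consume them) or at least annotate them in place: `ldap_bind_dn: "{{ ldap.dn.administrator.configuration }}"  # cn=config admin, used only by tasks/schemas/*`. The trailing `# Don't know if this is still needed` on `- schema` is a question rather than documentation; make it actionable, e.g. `# TODO: verify whether the schema LDIFs are still applied now that tasks/schemas/* load schemas via ldapsm`.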
+++ b/roles/docker-nextcloud/vars/plugins/user_ldap.yml
@@ -67,7 +67,7 @@ plugin_configuration:
 - appid: "user_ldap"
 configkey: "s01ldap_dn"
- configvalue: "{{ldap.dn.administrator}}"
+ configvalue: "{{ldap.dn.administrator.data}}"
 - appid: "user_ldap"
 configkey: "s01ldap_email_attr"
diff --git a/roles/docker-openproject/vars/ldap.yml b/roles/docker-openproject/vars/ldap.yml
index 6f2b0a10..33374db7 100644
--- a/roles/docker-openproject/vars/ldap.yml
+++ b/roles/docker-openproject/vars/ldap.yml
@@ -2,13 +2,13 @@ openproject_ldap:
 name: "{{ primary_domain }}" # Display name for the LDAP connection in OpenProject
 host: "{{ ldap.server.domain }}" # LDAP server address
 port: "{{ ldap.server.port }}" # LDAP server port (typically 389 or 636)
- account: "{{ ldap.dn.administrator }}" # Bind DN (used for authentication)
+ account: "{{ ldap.dn.administrator.data }}" # Bind DN (used for authentication)
 account_password: "{{ ldap.bind_credential }}" # Bind password
 base_dn: "{{ ldap.dn.users }}" # Base DN for user search
 attr_login: "{{ ldap.attributes.user_id }}" # LDAP attribute used for login
 attr_firstname: "givenName" # LDAP attribute for first name
- attr_lastname: "sn" # LDAP attribute for last name
- attr_mail: "mail" # LDAP attribute for email
+ attr_lastname: "{{ ldap.attributes.lastname }}" # LDAP attribute for last name
+ attr_mail: "{{ ldap.attributes.mail }}" # LDAP attribute for email
 attr_admin: "{{ openproject_filters.administrators }}" # Optional: LDAP attribute for admin group (leave empty if unused)
 onthefly_register: true # Automatically create users on first login
 tls_mode: 0 # 0 = No TLS, 1 = TLS, 2 = STARTTLS
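Review bot: `attr_lastname` and `attr_mail` in the openproject hunk now read `ldap.attributes.lastname` and `ldap.attributes.mail`, but the only key under `ldap.attributes` visible in this commit's 12_iam.yml hunk is `user_id` (the hunk is cut there, so further keys may exist); if the two keys are not defined, templating this vars file fails with an undefined-variable error where the old literals `"sn"` and `"mail"` worked. Please confirm they exist, or keep the previous literals as fallbacks: `attr_lastname: "{{ ldap.attributes.lastname | default('sn') }}"` and `attr_mail: "{{ ldap.attributes.mail | default('mail') }}"`. `attr_firstname` still hard-codes `"givenName"`, so for consistency either it gets the same treatment or a comment explains why only the other two are centralised.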