Refactored ldap implementation for ssh keys

2025-08-29 15:06:26 +02:00 · 2025-06-27 16:41:10 +02:00
parent bb73e948d3
commit 40edaa52ad
22 changed files with 167 additions and 67 deletions
--- a/group_vars/all/12_iam.yml
+++ b/group_vars/all/12_iam.yml
@@ -46,16 +46,46 @@ _ldap_filters_users_all:  "(|(objectclass=inetOrgPerson))"
 ldap:
  # Distinguished Names (DN)
  dn:
-    # Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).
+    # -------------------------------------------------------------------------
+    # Base DN / Suffix
+    # This is the top-level naming context for your directory, used as the
+    # default search base for most operations (e.g. adding users, groups).
+    # Example: “dc=example,dc=com”
    root:               "{{_ldap_dn_base}}"
-    # Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain.
-    administrator:      "cn={{applications.ldap.users.administrator.username}},{{_ldap_dn_base}}"
-    # Dn from which the users should be read
-    users:              "ou=users,{{_ldap_dn_base}}"
-    # Dn from which the groups should be read
-    groups:             "ou=groups,{{_ldap_dn_base}}"
-    # Dn for all application roles of the users
-    application_roles:  "ou=application_roles,{{_ldap_dn_base}}"
+    administrator:
+      # -------------------------------------------------------------------------
+      # Data-Tree Administrator Bind DN
+      # The DN used to authenticate for regular directory operations under
+      # the data tree (adding users, modifying attributes, creating OUs, etc.).
+      # Typically: “cn=admin,dc=example,dc=com”
+      data: "cn={{ applications.ldap.users.administrator.username }},{{ _ldap_dn_base }}"
+
+      # -------------------------------------------------------------------------
+      # Config-Tree Administrator Bind DN
+      # The DN used to authenticate against the cn=config backend when you
+      # need to load or modify schema, overlays, modules, or other server-
+      # level settings.  
+      # Typically: “cn=admin,cn=config”
+      configuration: "cn={{ applications.ldap.users.administrator.username }},cn=config"
+
+
+    # -------------------------------------------------------------------------
+    # Organizational Units (OUs)
+    # Pre-created containers in the data tree to organize entries.
+    # – users:  Where all person/posixAccount entries live.
+    # – groups: Where you define your application or business groups.
+    # – roles:  A flat container for application-role entries (e.g. “cn=app1-user”).
+    users:             "ou=users,{{ _ldap_dn_base }}"
+    groups:            "ou=groups,{{ _ldap_dn_base }}"
+    application_roles: "ou=application_roles,{{ _ldap_dn_base }}"
+
+    # -------------------------------------------------------------------------
+    # Additional Notes
+    # – Always bind as data_admin for CRUD on entries under your base DN.
+    # – Always bind as config_admin when you push schema-level LDIFs via ldapi:///
+    # – Keeping these distinct prevents accidental use of config credentials
+    #   for ordinary user/group operations, and vice versa.
+
  attributes:
    # Attribut to identify the user
    user_id:            "{{ _ldap_user_id }}"
@@ -73,11 +103,19 @@ ldap:
  network:
    local:              "{{applications.ldap.network.docker}}" # Uses the application configuration to define if local network should be available or not
  user_objects:
-    - person            # Basic person attributes (sn, cn …) – RFC 4519
-    - inetOrgPerson     # Extended Internet / intranet person – RFC 2798
-    - posixAccount      # POSIX/UNIX login attributes (uidNumber, gidNumber …) – RFC 2307
-    - nextcloudUser     # Nextcloud-specific auxiliary attributes (nextcloudQuota, nextcloudEnabled) – Nextcloud schema
-    - ldapPublicKey     # Necessary for setting SSH keys for gitea
+    structural:
+      - person            # Structural Classes define the core identity of an entry:
+                          # • Specify mandatory attributes (e.g. sn, cn)
+                          # • Each entry must have exactly one structural class
+      - inetOrgPerson     # An extension of person adding internet-related attributes
+                          # (e.g. mail, employeeNumber)
+      - posixAccount      # Provides UNIX account attributes (uidNumber, gidNumber,
+                          # homeDirectory)
+    auxiliary:
+      - nextcloudUser     # Auxiliary Classes attach optional attributes without
+                          # changing the entry’s structural role. Here they add
+                          # nextcloudQuota and nextcloudEnabled for Nextcloud.
+      - ldapPublicKey     # Allows storing SSH public keys for services like Gitea.

  filters:
    users: