Refactored ldap implementation for ssh keys

2025-06-28 05:05:32 +02:00 · 2025-06-27 16:41:10 +02:00 · 2025-06-27 16:41:10 +02:00 · 40edaa52ad
commit 40edaa52ad
parent bb73e948d3
22 changed files with 167 additions and 67 deletions
--- a/group_vars/all/12_iam.yml
+++ b/group_vars/all/12_iam.yml
@ -46,16 +46,46 @@ _ldap_filters_users_all:  "(|(objectclass=inetOrgPerson))"
 ldap:
  # Distinguished Names (DN)
  dn:
-    # Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).
+    # -------------------------------------------------------------------------
    # Base DN / Suffix
    # This is the top-level naming context for your directory, used as the
    # default search base for most operations (e.g. adding users, groups).
    # Example: “dc=example,dc=com”
    root:               "{{_ldap_dn_base}}"
-    # Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain.
+    administrator:
-    administrator:      "cn={{applications.ldap.users.administrator.username}},{{_ldap_dn_base}}"
+      # -------------------------------------------------------------------------
-    # Dn from which the users should be read
+      # Data-Tree Administrator Bind DN
      # The DN used to authenticate for regular directory operations under
      # the data tree (adding users, modifying attributes, creating OUs, etc.).
      # Typically: “cn=admin,dc=example,dc=com”
      data: "cn={{ applications.ldap.users.administrator.username }},{{ _ldap_dn_base }}"
      # -------------------------------------------------------------------------
      # Config-Tree Administrator Bind DN
      # The DN used to authenticate against the cn=config backend when you
      # need to load or modify schema, overlays, modules, or other server-
      # level settings.  
      # Typically: “cn=admin,cn=config”
      configuration: "cn={{ applications.ldap.users.administrator.username }},cn=config"
    # -------------------------------------------------------------------------
    # Organizational Units (OUs)
    # Pre-created containers in the data tree to organize entries.
    # – users:  Where all person/posixAccount entries live.
    # – groups: Where you define your application or business groups.
    # – roles:  A flat container for application-role entries (e.g. “cn=app1-user”).
    users:             "ou=users,{{ _ldap_dn_base }}"
    # Dn from which the groups should be read
    groups:            "ou=groups,{{ _ldap_dn_base }}"
    # Dn for all application roles of the users
    application_roles: "ou=application_roles,{{ _ldap_dn_base }}"
    # -------------------------------------------------------------------------
    # Additional Notes
    # – Always bind as data_admin for CRUD on entries under your base DN.
    # – Always bind as config_admin when you push schema-level LDIFs via ldapi:///
    # – Keeping these distinct prevents accidental use of config credentials
    #   for ordinary user/group operations, and vice versa.
  attributes:
    # Attribut to identify the user
    user_id:            "{{ _ldap_user_id }}"
@ -73,11 +103,19 @@ ldap:
  network:
    local:              "{{applications.ldap.network.docker}}" # Uses the application configuration to define if local network should be available or not
  user_objects:
-    - person            # Basic person attributes (sn, cn …) – RFC 4519
+    structural:
-    - inetOrgPerson     # Extended Internet / intranet person – RFC 2798
+      - person            # Structural Classes define the core identity of an entry:
-    - posixAccount      # POSIX/UNIX login attributes (uidNumber, gidNumber …) – RFC 2307
+                          # • Specify mandatory attributes (e.g. sn, cn)
-    - nextcloudUser     # Nextcloud-specific auxiliary attributes (nextcloudQuota, nextcloudEnabled) – Nextcloud schema
+                          # • Each entry must have exactly one structural class
-    - ldapPublicKey     # Necessary for setting SSH keys for gitea
+      - inetOrgPerson     # An extension of person adding internet-related attributes
                          # (e.g. mail, employeeNumber)
      - posixAccount      # Provides UNIX account attributes (uidNumber, gidNumber,
                          # homeDirectory)
    auxiliary:
      - nextcloudUser     # Auxiliary Classes attach optional attributes without
                          # changing the entry’s structural role. Here they add
                          # nextcloudQuota and nextcloudEnabled for Nextcloud.
      - ldapPublicKey     # Allows storing SSH public keys for services like Gitea.
  filters:
    users:
--- a/roles/docker-bigbluebutton/templates/env.j2
+++ b/roles/docker-bigbluebutton/templates/env.j2
@ -182,7 +182,7 @@ LDAP_PORT="{{ldap.server.port}}"
 LDAP_METHOD=
 LDAP_UID={{ldap.attributes.user_id}}
 LDAP_BASE="{{ldap.dn.root}}"
-LDAP_BIND_DN="{{ldap.dn.administrator}}"
+LDAP_BIND_DN="{{ldap.dn.administrator.data}}"
 LDAP_AUTH=password
 LDAP_PASSWORD="{{ldap.bind_credential}}"
 LDAP_ROLE_FIELD=
--- a/roles/docker-discourse/templates/discourse_application.yml.j2
+++ b/roles/docker-discourse/templates/discourse_application.yml.j2
@ -161,7 +161,7 @@ run:
  - exec: rails r "SiteSetting.ldap_sync_port = {{ ldap.server.port }}"
  - exec: rails r "SiteSetting.ldap_encryption = 'simple_tls'"
  - exec: rails r "SiteSetting.ldap_base_dn = '{{ ldap.dn.root }}'"
-  - exec: rails r "SiteSetting.ldap_bind_dn = '{{ ldap.dn.administrator }}'"
+  - exec: rails r "SiteSetting.ldap_bind_dn = '{{ ldap.dn.administrator.data }}'"
  - exec: rails r "SiteSetting.ldap_bind_password = '{{ ldap.bind_credential }}'"
  # LDAP additional configuration
--- a/roles/docker-espocrm/templates/env.j2
+++ b/roles/docker-espocrm/templates/env.j2
@ -67,7 +67,7 @@ ESPOCRM_CONFIG_LDAP_HOST={{ ldap.server.domain }}
 ESPOCRM_CONFIG_LDAP_PORT={{ ldap.server.port }}
 # ESPOCRM_CONFIG_LDAP_SECURITY: "", SSL or TLS
 ESPOCRM_CONFIG_LDAP_SECURITY={{ ldap.server.security }}         
-ESPOCRM_CONFIG_LDAP_USERNAME={{ ldap.dn.administrator }}
+ESPOCRM_CONFIG_LDAP_USERNAME={{ ldap.dn.administrator.data }}
 ESPOCRM_CONFIG_LDAP_PASSWORD={{ ldap.bind_credential }}
 ESPOCRM_CONFIG_LDAP_BASE_DN={{ ldap.dn.users }}
 ESPOCRM_CONFIG_LDAP_USER_LOGIN_FILTER=(sAMAccountName=%USERNAME%)
--- a/roles/docker-funkwhale/templates/env.j2
+++ b/roles/docker-funkwhale/templates/env.j2
@ -109,7 +109,7 @@ DJANGO_SECRET_KEY={{applications[application_id].credentials.django_secret}}
 LDAP_ENABLED        =   True
 LDAP_SERVER_URI     =   "{{ldap.server.uri}}"
-LDAP_BIND_DN        =   "{{ldap.dn.administrator}}"
+LDAP_BIND_DN        =   "{{ldap.dn.administrator.data}}"
 LDAP_BIND_PASSWORD  =   "{{ldap.bind_credential}}"
 LDAP_SEARCH_FILTER  =   "(|(cn={0})(mail={0}))"
 LDAP_START_TLS      =   False
--- a/roles/docker-fusiondirectory/templates/env.j2
+++ b/roles/docker-fusiondirectory/templates/env.j2
@ -10,5 +10,5 @@ LAM_CONFIGURATION_DATABASE= files
 # LDAP Configuration
 LDAP_SERVER=                {{ldap.server.domain}}                              # domain of LDAP database root entry
 LDAP_BASE_DN=               {{ldap.dn.root}}                                    # LDAP base DN to overwrite value generated by LDAP_DOMAIN
-LDAP_USER=                  {{ldap.dn.administrator}}                           # LDAP admin user (set as login user for LAM)
+LDAP_USER=                  {{ldap.dn.administrator.data}}                           # LDAP admin user (set as login user for LAM)
 LDAP_ADMIN_PASSWORD=        {{ldap.bind_credential}}                            # LDAP admin password
--- a/roles/docker-gitea/tasks/setup/ldap.yml
+++ b/roles/docker-gitea/tasks/setup/ldap.yml
@ -7,7 +7,7 @@
        --host "{{ ldap.server.domain }}" \
        --port {{ ldap.server.port }} \
        --security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
-        --bind-dn "{{ ldap.dn.administrator }}" \
+        --bind-dn "{{ ldap.dn.administrator.data }}" \
        --bind-password "{{ ldap.bind_credential }}" \
        --user-search-base "{{ ldap.dn.users }}" \
        --user-filter "{{ ldap.filters.users.login }}" \
@ -51,7 +51,7 @@
        --host "{{ ldap.server.domain }}" \
        --port {{ ldap.server.port }} \
        --security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
-        --bind-dn "{{ ldap.dn.administrator }}" \
+        --bind-dn "{{ ldap.dn.administrator.data }}" \
        --bind-password "{{ ldap.bind_credential }}" \
        --user-search-base "{{ ldap.dn.users }}" \
        --user-filter "(&(objectClass=inetOrgPerson)(uid=%s))" \
--- a/roles/docker-gitea/templates/env.j2
+++ b/roles/docker-gitea/templates/env.j2
@ -46,7 +46,7 @@ GITEA__security__INSTALL_LOCK=true # Locks the installation page
 # (De)activate OIDC
 GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }}
-GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }}
+GITEA__openid__ENABLE_OPENID_SIGNIN={{ applications | is_feature_enabled('oidc',application_id) | lower }}
 {% if applications | is_feature_enabled('oidc',application_id) or applications | is_feature_enabled('ldap',application_id) %}
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@ -2043,7 +2043,7 @@
            "{{ldap.attributes.user_id}}"
          ],
          "bindDn": [
-            "{{ldap.dn.administrator}}"
+            "{{ldap.dn.administrator.data}}"
          ],
          "lastSync": [
            "1737578007"
--- a/roles/docker-lam/templates/env.j2
+++ b/roles/docker-lam/templates/env.j2
@ -10,5 +10,5 @@ LAM_CONFIGURATION_DATABASE= files
 # LDAP Configuration
 LDAP_SERVER=                {{ldap.server.domain}}                              # domain of LDAP database root entry
 LDAP_BASE_DN=               {{ldap.dn.root}}                                    # LDAP base DN to overwrite value generated by LDAP_DOMAIN
-LDAP_USER=                  {{ldap.dn.administrator}}                           # LDAP admin user (set as login user for LAM)
+LDAP_USER=                  {{ldap.dn.administrator.data}}                           # LDAP admin user (set as login user for LAM)
 LDAP_ADMIN_PASSWORD=        {{ldap.bind_credential}}                            # LDAP admin password
--- a/roles/docker-ldap/docs/Administration.md
+++ b/roles/docker-ldap/docs/Administration.md
@ -2,6 +2,15 @@
 ## Configuration
 ## Load env 
 To use the following commands firs load the env:
 ```bash
 export $(grep -v '^[[:space:]]*#' ./.env/env \
         | sed -E 's/#.*$//; /^[[:space:]]*$/d; s/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]*=[[:space:]]*/=/' \
         | xargs)
 ```
 ### Show Configuration
 ```bash
 docker exec -it ldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config'"
--- a/roles/docker-ldap/handlers/main.yml
+++ b/roles/docker-ldap/handlers/main.yml
@ -45,7 +45,7 @@
 - name: "Import users, groups, etc. to LDAP"
  shell: >
-    docker exec -i {{ applications[application_id].hostname }} ldapadd -x -D "{{ldap.dn.administrator}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}data/{{ item | basename | regex_replace('\.j2$', '') }}"
+    docker exec -i {{ applications[application_id].hostname }} ldapadd -x -D "{{ldap.dn.administrator.data}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}data/{{ item | basename | regex_replace('\.j2$', '') }}"
  register: ldapadd_result
  changed_when: "'adding new entry' in ldapadd_result.stdout"
  failed_when: ldapadd_result.rc not in [0, 20, 68]
--- a/roles/docker-ldap/meta/main.yml
+++ b/roles/docker-ldap/meta/main.yml
@ -20,6 +20,3 @@ galaxy_info:
  documentation: https://s.veen.world/cymais
  logo:
    class: "fa-solid fa-users"
  #run_after:
  #  - "0"
 dependencies: []
--- a/roles/docker-ldap/tasks/add_user_objects.yml
+++ b/roles/docker-ldap/tasks/add_user_objects.yml
@ -1,22 +1,32 @@
- name: "1) Gather all existing user DNs"
+- name: Gather all users with their current objectClass list
  community.general.ldap_search:
-    server_uri: "{{ ldap.server.uri }}"
+    server_uri: "{{ ldap_server_uri }}"
-    bind_dn:    "{{ ldap.dn.administrator }}"
+    bind_dn:    "{{ ldap.dn.administrator.data }}"
    bind_pw:    "{{ ldap.bind_credential }}"
-    base:       "{{ ldap.dn.users }}"
+    dn:         "{{ ldap.dn.users }}"
    scope:      subordinate
    filter:     "{{ ldap.filters.users.all }}"
-    attributes: ["dn"]
+    attrs:
-  register: ldap_existing_users
+      - dn
      - objectClass
      - "{{ ldap.attributes.user_id }}"
  register: ldap_users_with_classes
- name: "2) Update each existing user with all user_objects"
+- name: Add only missing auxiliary classes
  community.general.ldap_attrs:
-    server_uri: "{{ ldap.server.uri }}"
+    server_uri: "{{ ldap_server_uri }}"
-    bind_dn:    "{{ ldap.dn.administrator }}"
+    bind_dn:    "{{ ldap.dn.administrator.data }}"
    bind_pw:    "{{ ldap.bind_credential }}"
    dn:         "{{ item.dn }}"
    attributes:
-      objectClass: "{{ ldap.user_objects }}"
+      objectClass: "{{ missing_auxiliary }}"
-    state: exact
+    state: present
-  loop: "{{ ldap_existing_users.entries }}"
+  loop: "{{ ldap_users_with_classes.results }}"
  loop_control:
    label: "{{ item.dn }}"
  vars:
    missing_auxiliary: >-
      {{ ldap.user_objects.auxiliary 
         | difference(item.objectClass | default([]))
      }}
  when: missing_auxiliary | length > 0
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@ -49,11 +49,10 @@
    state: present
 - name: "Include Nextcloud Schema"
-  include_tasks: create_nextcloud_schema.yml
+  include_tasks: schemas/nextcloud.yml
-  vars:
+
-    ldap_server_uri: "ldap://127.0.0.1:{{ ports.localhost.ldap.ldap }}"
+- name: "Include openssh-lpk Schema"
-    ldap_bind_dn:    "cn={{ applications[application_id].users.administrator.username }},cn=config"
+  include_tasks: schemas/openssh_lpk.yml
    ldap_bind_pw:    "{{ applications[application_id].credentials.administrator_password }}"
 ###############################################################################
 # 1) Create the LDAP entry if it does not yet exist
@ -61,10 +60,10 @@
 - name: Ensure LDAP users exist
  community.general.ldap_entry:
    dn: "{{ ldap.attributes.user_id }}={{ item.key }},{{ ldap.dn.users }}"
-    server_uri: "ldap://127.0.0.1:{{ ports.localhost.ldap.ldap }}"
+    server_uri: "{{ ldap_server_uri }}"
-    bind_dn: "{{ ldap.dn.administrator }}"
+    bind_dn: "{{ ldap.dn.administrator.data }}"
    bind_pw: "{{ ldap.bind_credential }}"
-    objectClass: "{{ ldap.user_objects }}"
+    objectClass: "{{ ldap.user_objects.structural }}"
    attributes:
      uid:           "{{ item.key }}" # {{ ldap.attributes.user_id }} can't be used as key here, dynamic key generation isn't possible
      sn:            "{{ item.value.sn  | default(item.key) }}"
@ -85,13 +84,13 @@
 - name: Ensure required objectClass values and mail address are present
  community.general.ldap_attrs:
    dn: "{{ ldap.attributes.user_id }}={{ item.key }},{{ ldap.dn.users }}"
-    server_uri: "ldap://127.0.0.1:{{ ports.localhost.ldap.ldap }}"
+    server_uri: "{{ ldap_server_uri }}"
-    bind_dn: "{{ ldap.dn.administrator }}"
+    bind_dn: "{{ ldap.dn.administrator.data }}"
    bind_pw: "{{ ldap.bind_credential }}"
    attributes:
-      objectClass: "{{ ldap.user_objects }}"
+      objectClass: "{{ ldap.user_objects.structural }}"
      mail:        "{{ item.value.email }}"
-    state: exact        # ‘exact’ is safest for single-valued attributes
+    state: exact
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
@ -99,8 +98,8 @@
 - name: "Ensure container for application roles exists"
  community.general.ldap_entry:
    dn: "{{ ldap.dn.application_roles }}"
-    server_uri: "ldap://127.0.0.1:{{ ports.localhost.ldap.ldap }}"
+    server_uri: "{{ ldap_server_uri }}"
-    bind_dn:  "{{ ldap.dn.administrator }}"
+    bind_dn:  "{{ ldap.dn.administrator.data }}"
    bind_pw:  "{{ ldap.bind_credential }}"
    objectClass: organizationalUnit
    attributes:
--- a/roles/docker-ldap/tasks/create_nextcloud_schema.yml
+++ b/roles/docker-ldap/tasks/create_nextcloud_schema.yml
--- a/roles/docker-ldap/tasks/schemas/openssh_lpk.yml
+++ b/roles/docker-ldap/tasks/schemas/openssh_lpk.yml
@ -0,0 +1,40 @@
 - name: Install ldapsm
  include_role:
    name: pkgmgr-install
  vars:
    package_name: ldapsm
 - name: Ensure OpenSSH-LPK schema via ldapsm
  vars:
    schema_name: "openssh-lpk"
    attribute_defs:
      - "( 1.3.6.1.4.1.24552.1.1 NAME 'sshPublicKey' DESC 'OpenSSH Public Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
      - "( 1.3.6.1.4.1.24552.1.2 NAME 'sshFingerprint' DESC 'OpenSSH Public Key Fingerprint' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
    objectclass_defs:
      - >-
        ( 1.3.6.1.4.1.24552.2.1
          NAME 'ldapPublicKey'
          DESC 'Auxiliary class for OpenSSH public keys'
          SUP top
          AUXILIARY
          MAY ( sshPublicKey $ sshFingerprint ) )
  command: >
    ldapsm
      -s {{ ldap_server_uri }}
      -D '{{ ldap_bind_dn }}'
      -W '{{ ldap_bind_pw }}'
      -n {{ schema_name }}
      {% for at in attribute_defs %}
      -a "{{ at }}"
      {% endfor %}
      {% for oc in objectclass_defs %}
      -c "{{ oc }}"
      {% endfor %}
  register: opensshlpk_ldapsm
  changed_when: "'Created schema entry' in opensshlpk_ldapsm.stdout"
  check_mode: no
 - name: Show ldapsm output for openssh-lpk
  debug:
    var: opensshlpk_ldapsm.stdout_lines
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@ -17,7 +17,7 @@ services:
      test: >
        bash -c '
        ldapsearch -x -H ldap://localhost:{{ ldap_docker_port }} \
-          -D "{{ ldap.dn.administrator }}" -w "{{ ldap.bind_credential }}" -b "{{ ldap.dn.root }}" > /dev/null \
+          -D "{{ ldap.dn.administrator.data }}" -w "{{ ldap.bind_credential }}" -b "{{ ldap.dn.root }}" > /dev/null \
        && ldapsearch -Y EXTERNAL -H ldapi:/// \
          -b cn=config "(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))" \
        | grep "olcOverlay:" | grep -q "memberof"
--- a/roles/docker-ldap/templates/env.j2
+++ b/roles/docker-ldap/templates/env.j2
@ -12,7 +12,7 @@ LDAP_PASSWORDS=             ' '                             # Comma separated li
 LDAP_ROOT=                  {{ldap.dn.root}}                # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
 ## Admin
-LDAP_ADMIN_DN=              {{ldap.dn.administrator}}
+LDAP_ADMIN_DN=              {{ldap.dn.administrator.data}}
 LDAP_CONFIG_ADMIN_ENABLED=  yes
 LDAP_CONFIG_ADMIN_USERNAME= {{applications[application_id].users.administrator.username}}
 LDAP_CONFIG_ADMIN_PASSWORD= {{applications[application_id].credentials.administrator_password}}
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@ -1,10 +1,17 @@
 application_id:     "ldap"
 # LDAP Variables
 ldaps_docker_port:  636
 ldap_docker_port:   389
 ldap_server_uri:    "ldap://127.0.0.1:{{ ports.localhost.ldap.ldap }}"
 ldap_hostname:      "{{ applications[application_id].hostname }}"
 ldap_bind_dn:       "{{ ldap.dn.administrator.configuration }}"
 ldap_bind_pw:       "{{ applications[application_id].credentials.administrator_password }}"
 # LDIF Variables
 ldif_host_path:     "{{docker_compose.directories.volumes}}ldif/"
 ldif_docker_path:   "/tmp/ldif/"
 ldap.dn.application_roles:    "ou=application_roles,{{ldap.dn.root}}"
 ldif_types:
  - configuration
  - data
-  - schema
+  - schema          # Don't know if this is still needed, it's now setup via tasks
--- a/roles/docker-nextcloud/vars/plugins/user_ldap.yml
+++ b/roles/docker-nextcloud/vars/plugins/user_ldap.yml
@ -67,7 +67,7 @@ plugin_configuration:
  -
    appid: "user_ldap"
    configkey: "s01ldap_dn"
-    configvalue: "{{ldap.dn.administrator}}"
+    configvalue: "{{ldap.dn.administrator.data}}"
  -
    appid: "user_ldap"
    configkey: "s01ldap_email_attr"
--- a/roles/docker-openproject/vars/ldap.yml
+++ b/roles/docker-openproject/vars/ldap.yml
@ -2,13 +2,13 @@ openproject_ldap:
  name:                   "{{ primary_domain }}"                     # Display name for the LDAP connection in OpenProject
  host:                   "{{ ldap.server.domain }}"                 # LDAP server address
  port:                   "{{ ldap.server.port }}"                   # LDAP server port (typically 389 or 636)
-  account:                "{{ ldap.dn.administrator }}"              # Bind DN (used for authentication)
+  account:                "{{ ldap.dn.administrator.data }}"         # Bind DN (used for authentication)
  account_password:       "{{ ldap.bind_credential }}"               # Bind password
  base_dn:                "{{ ldap.dn.users }}"                      # Base DN for user search
  attr_login:             "{{ ldap.attributes.user_id }}"            # LDAP attribute used for login
  attr_firstname:         "givenName"                                # LDAP attribute for first name
-  attr_lastname:          "sn"                                       # LDAP attribute for last name
+  attr_lastname:          "{{ ldap.attributes.lastname }}"           # LDAP attribute for last name
-  attr_mail:              "mail"                                     # LDAP attribute for email
+  attr_mail:              "{{ ldap.attributes.mail }}"               # LDAP attribute for email
  attr_admin:             "{{ openproject_filters.administrators }}" # Optional: LDAP attribute for admin group (leave empty if unused)
  onthefly_register:      true                                       # Automatically create users on first login
  tls_mode:               0                                          # 0 = No TLS, 1 = TLS, 2 = STARTTLS