kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-10-10 10:48:10 +02:00
Code Issues Packages Projects Releases Wiki Activity

Optimized OpenProject and CSP rules

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-09-25 14:47:28 +02:00
parent 73bcdcaf45
commit 5186eb5714
4 changed files with 54 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
roles/web-app-openproject/vars/ldap.yml
View File

@@ -1,17 +1,17 @@
openproject_ldap:
name: "{{ PRIMARY_DOMAIN }}" # Display name for the LDAP connection in OpenProject
host: "{{ LDAP.SERVER.DOMAIN }}" # LDAP server address
port: "{{ LDAP.SERVER.PORT }}" # LDAP server port (typically 389 or 636)
account: "{{ LDAP.DN.ADMINISTRATOR.DATA }}" # Bind DN (used for authentication)
account_password: "{{ LDAP.BIND_CREDENTIAL }}" # Bind password
base_dn: "{{ LDAP.DN.OU.USERS }}" # Base DN for user search
attr_login: "{{ LDAP.USER.ATTRIBUTES.ID }}" # LDAP attribute used for login
attr_firstname: "givenName" # LDAP attribute for first name
attr_lastname: "{{ LDAP.USER.ATTRIBUTES.SURNAME }}" # LDAP attribute for last name
attr_mail: "{{ LDAP.USER.ATTRIBUTES.MAIL }}" # LDAP attribute for email
attr_admin: "{{ OPENPROJECT_LDAP_FILTERS.ADMINISTRATORS }}" # Optional: LDAP attribute for admin group (leave empty if unused)
onthefly_register: true # Automatically create users on first login
tls_mode: 0 # 0 = No TLS, 1 = TLS, 2 = STARTTLS
verify_peer: false # Whether to verify the SSL certificate
filter_string: "{{ OPENPROJECT_LDAP_FILTERS.USERS }}" # Optional: Custom filter for users (e.g., "(objectClass=person)")
tls_certificate_string: "" # Optional: Client certificate string for TLS (usually left empty)
OPENPROJECT_LDAP:
name: "{{ PRIMARY_DOMAIN }}" # Display name for the LDAP connection in OpenProject
host: "{{ LDAP.SERVER.DOMAIN }}" # LDAP server address
port: "{{ LDAP.SERVER.PORT }}" # LDAP server port (typically 389 or 636)
account: "{{ LDAP.DN.ADMINISTRATOR.DATA }}" # Bind DN (used for authentication)
account_password: "{{ LDAP.BIND_CREDENTIAL }}" # Bind password
base_dn: "{{ LDAP.DN.OU.USERS }}" # Base DN for user search
attr_login: "{{ LDAP.USER.ATTRIBUTES.ID }}" # LDAP attribute used for login
attr_firstname: "givenName" # LDAP attribute for first name
attr_lastname: "{{ LDAP.USER.ATTRIBUTES.SURNAME }}" # LDAP attribute for last name
attr_mail: "{{ LDAP.USER.ATTRIBUTES.MAIL }}" # LDAP attribute for email
attr_admin: "{{ OPENPROJECT_LDAP_FILTERS.ADMINISTRATORS }}" # Optional: LDAP attribute for admin group (leave empty if unused)
onthefly_register: true # Automatically create users on first login
tls_mode: 0 # 0 = No TLS, 1 = TLS, 2 = STARTTLS
verify_peer: false # Whether to verify the SSL certificate
filter_string: "{{ OPENPROJECT_LDAP_FILTERS.USERS }}" # Optional: Custom filter for users (e.g., "(objectClass=person)")
tls_certificate_string: "" # Optional: Client certificate string for TLS (usually left empty)

4
roles/web-app-openproject/vars/main.yml
View File

@@ -61,5 +61,5 @@ OPENPROJECT_LDAP_FILTER_ADMINISTRATORS_ENABLED: "{{ applications | get_app_conf(
OPENPROJECT_LDAP_FILTER_USERS_ENABLED: "{{ applications | get_app_conf(application_id, 'ldap.filters.users') }}"
OPENPROJECT_LDAP_FILTERS:
# The administrator filter just works in the Enterprise edition
ADMINISTRATORS: "{{ '(memberOf=cn=openproject-admins,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_ADMINISTRATORS_ENABLED else '' }}"
USERS: "{{ '(memberOf=cn=openproject-users,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_USERS_ENABLED else '' }}"
ADMINISTRATORS: "{{ '(memberOf=cn=openproject-admins,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_ADMINISTRATORS_ENABLED | bool else '' }}"
USERS: "{{ '(memberOf=cn=openproject-users,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_USERS_ENABLED | bool else '' }}"