Solved ldap reference bug for nextcloud and cleaned up

2025-04-20 07:02:01 +02:00 · 2025-04-11 11:35:28 +02:00 · 2025-04-11 11:35:28 +02:00 · 536c3091e5
commit 536c3091e5
parent 2dcf8159e5
24 changed files with 126 additions and 64 deletions
--- a/docs/features/Migration.md
+++ b/docs/features/Migration.md
@ -0,0 +1,53 @@
 # Migration Feature
 ## Seamless Migration of Existing Software Solutions to CyMaIS
 CyMaIS is designed to simplify the migration of existing software solutions and IT infrastructures. The focus is on protecting existing investments while enabling the benefits of a modern and unified platform.
 ---
 ## Integration of Existing Applications
 Existing applications can be easily integrated into the [CyMaIS](https://example.com) dashboard. There is no need to migrate or modify existing software — CyMaIS provides a central interface to access and manage already deployed systems.
 ---
 ## Parallel Operation of Existing Infrastructure
 CyMaIS supports a parallel operation model, allowing the existing IT infrastructure to run alongside CyMaIS without disruption. This enables a step-by-step migration strategy where applications and user groups can be transitioned gradually.
 ---
 ## Flexible User Management and Single Sign-On (SSO)
 CyMaIS offers flexible user management by supporting multiple directory services:
 - [Microsoft Active Directory (AD)](https://en.wikipedia.org/wiki/Active_Directory)
 - [LDAP (Lightweight Directory Access Protocol)](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)
 In both scenarios, centralized authentication is provided through [Keycloak](https://www.keycloak.org/), enabling modern [Single Sign-On (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) capabilities — not only for applications managed by CyMaIS but also for existing external services.
 ---
 ## Key Points
 - Simple migration of existing software solutions to CyMaIS  
 - Easy integration of existing applications into the CyMaIS dashboard  
 - Parallel operation of CyMaIS and existing infrastructure is fully supported  
 - User management via [Microsoft Active Directory (AD)](https://en.wikipedia.org/wiki/Active_Directory) or [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)  
 - Central authentication with [Single Sign-On (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using [Keycloak](https://www.keycloak.org/)  
 ---
 ## Summary of Migration Benefits
 | Feature                         | Description                                                       |
 |--------------------------------|-------------------------------------------------------------------|
 | Easy Application Integration   | Integrate existing applications into the CyMaIS dashboard         |
 | Parallel Operation Supported   | Continue using your current infrastructure without disruption     |
 | Flexible User Management       | Support for AD and LDAP directory services                        |
 | Single Sign-On (SSO)           | Centralized authentication via Keycloak                           |
 ---
 CyMaIS enables a smooth and controlled migration path — customized to the individual needs of your organization.
--- a/docs/guides/enterprise/Readme.md
+++ b/docs/guides/enterprise/Readme.md
@ -1,4 +1,4 @@
-# Customer Guide
+# Enterprise Guide
 Are you looking for a **reliable IT infrastructure** for your business or organization? **CyMaIS** is here to help!
--- a/group_vars/all/09_ports.yml
+++ b/group_vars/all/09_ports.yml
@ -12,7 +12,7 @@ ports:
      phpldapadmin:     4186
      fusiondirectory:  4187
    ldap:
-      openldap:         389
+      ldap:             389
    http:
      nextcloud:        8001
      gitea:            8002
@ -61,7 +61,7 @@ ports:
      gitea:            2201
      gitlab:           2202
    ldaps:
-      openldap:         636
+      ldap:             636
    stun:   
      bigbluebutton:    3478 # Not sure if it's right placed here or if it should be moved to localhost section
    turn:
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
@ -36,7 +36,7 @@ defaults_oidc:
 # Helper Variables:
 # Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory
 _ldap_dn_base:      "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
-_ldap_server_port:  "{% if applications.ldap.network.local | bool %}{{ ports.localhost.ldap.openldap }}{% else %}{{ ports.localhost.ldaps.openldap }}{% endif %}"
+_ldap_server_port:  "{% if applications.ldap.network.local | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}"
 ldap:
  # Distinguished Names (DN)
--- a/roles/client-wireguard-behind-firewall/README.md
+++ b/roles/client-wireguard-behind-firewall/README.md
@ -1,4 +1,4 @@
-# Client WireGuard Behind NAT Role
+# Client WireGuard Behind NAT
 ## Description
--- a/roles/docker-ldap/Administration.md
+++ b/roles/docker-ldap/Administration.md
@ -1,31 +0,0 @@
 # Administration
 ## Show Configuration
 ```bash
 docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config'"
 ```
 ```bash
 docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=*)'"
 ```
 ```bash
 docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=olcModuleList)'"
 ```
 ### Databases Overview
 ```bash
 docker exec -it openldap ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcDatabase=*)"
 ```
 ## Show all Entries
 ```bash 
 docker exec -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"\$LDAP_ADMIN_DN\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"\$LDAP_ROOT\"";
 ```
 ### Delete Groups and Subgroup
 To delete the group inclusive all subgroups use:
 ```bash
 docker exec -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"\$LDAP_ADMIN_DN\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"ou=applications,ou=groups,\$LDAP_ROOT\" dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D \"\$LDAP_ADMIN_DN\" -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done"
 ```
--- a/roles/docker-ldap/README.md
+++ b/roles/docker-ldap/README.md
@ -9,9 +9,9 @@ Unleash the potential of centralized identity management with OpenLDAP. This pow
 Deploy OpenLDAP in a Docker environment with support for TLS-secured communication via an NGINX stream proxy. OpenLDAP offers advanced directory management capabilities, including flexible schema definitions, dynamic configuration overlays, and comprehensive query support with LDAP search utilities.
 For further setup instructions and advanced configuration details, please refer to the following resources available in this directory:
- [Administration.md](./Administration.md)
+- [Administration.md](docs/Administration.md)
- [Installation.md](./Installation.md)
+- [Installation.md](docs/Installation.md)
- [Change_DN.md](./Change_DN.md)
+- [Change_DN.md](docs/Change_DN.md)
 ## Features
--- a/roles/docker-ldap/docs/Administration.md
+++ b/roles/docker-ldap/docs/Administration.md
@ -0,0 +1,31 @@
 # Administration
 ## Show Configuration
 ```bash
 docker exec -it ldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config'"
 ```
 ```bash
 docker exec -it ldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=*)'"
 ```
 ```bash
 docker exec -it ldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=olcModuleList)'"
 ```
 ### Databases Overview
 ```bash
 docker exec -it ldap ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcDatabase=*)"
 ```
 ## Show all Entries
 ```bash 
 docker exec -it ldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"\$LDAP_ADMIN_DN\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"\$LDAP_ROOT\"";
 ```
 ### Delete Groups and Subgroup
 To delete the group inclusive all subgroups use:
 ```bash
 docker exec -it ldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"\$LDAP_ADMIN_DN\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"ou=applications,ou=groups,\$LDAP_ROOT\" dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D \"\$LDAP_ADMIN_DN\" -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done"
 ```
--- a/roles/docker-ldap/docs/Change_DN.md
+++ b/roles/docker-ldap/docs/Change_DN.md
@ -11,7 +11,7 @@ This document provides a step-by-step guide on how to rename the Distinguished N
 Connect to the OpenLDAP container and export the current entry:
 ```sh
-docker exec -it openldap sh -c 'ldapsearch -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" -b "$LDAP_ROOT"' > all_entries.ldif
+docker exec -it ldap sh -c 'ldapsearch -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" -b "$LDAP_ROOT"' > all_entries.ldif
 ```
 If your ***LDAP_ADMIN_DN*** and ***LDAP_ROOT***  are not accured pass them via ``--env``.
@ -58,7 +58,7 @@ We need an **LDIF file that deletes all objects** under `dc=flock,dc=town`.
 Instead of manually writing an LDIF file, you can use `ldapsearch` and `awk` to generate it dynamically:
 ```sh
-docker exec -it openldap sh -c 'ldapsearch -x -D "cn=administrator,dc=flock,dc=town" -w "$LDAP_ADMIN_PASSWORD" -b "dc=flock,dc=town" dn' | awk "/^dn:/ {print \$2}" | tac > delete_all_dns.txt
+docker exec -it ldap sh -c 'ldapsearch -x -D "cn=administrator,dc=flock,dc=town" -w "$LDAP_ADMIN_PASSWORD" -b "dc=flock,dc=town" dn' | awk "/^dn:/ {print \$2}" | tac > delete_all_dns.txt
 ```
 This creates an **ordered delete list**, starting with child objects before deleting `dc=flock,dc=town`.
@ -69,7 +69,7 @@ This creates an **ordered delete list**, starting with child objects before dele
 Now apply the generated `delete_all.ldif` to delete all entries **recursively**:
 ```sh
-docker exec -i openldap sh -c '
+docker exec -i ldap sh -c '
 while read dn; do
  ldapdelete -x -D "cn=administrator,dc=flock,dc=town" -w "$LDAP_ADMIN_PASSWORD" "$dn"
 done' < delete_all_dns.txt
@ -81,7 +81,7 @@ done' < delete_all_dns.txt
 After running the delete command, verify that `dc=flock,dc=town` is empty:
 ```sh
-docker exec -it openldap sh -c 'ldapsearch -x -D "cn=administrator,dc=flock,dc=town" -w "$LDAP_ADMIN_PASSWORD" -b "dc=flock,dc=town"'
+docker exec -it ldap sh -c 'ldapsearch -x -D "cn=administrator,dc=flock,dc=town" -w "$LDAP_ADMIN_PASSWORD" -b "dc=flock,dc=town"'
 ```
 - ✅ If **no results** are returned, the domain has been deleted successfully.
 - ❌ If results still exist, some entries were not removed.
@ -89,14 +89,14 @@ docker exec -it openldap sh -c 'ldapsearch -x -D "cn=administrator,dc=flock,dc=t
 #### Create new_database.ldif
-docker exec -i openldap ldapadd -Y EXTERNAL -H ldapi:/// -f /dev/stdin < new_database.ldif
+docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /dev/stdin < new_database.ldif
 ## 4. Add the New Entry
 Now, upload the modified `all_entries.ldif`:
 ```sh
-cat all_entries.ldif | docker exec -i openldap sh -c 'ldapadd -x -D "cn=admin,dc=cymais,dc=cloud" -w "$LDAP_ADMIN_PASSWORD"'
+cat all_entries.ldif | docker exec -i ldap sh -c 'ldapadd -x -D "cn=admin,dc=cymais,dc=cloud" -w "$LDAP_ADMIN_PASSWORD"'
 ```
 ---
@ -117,7 +117,7 @@ olcRootDN: cn=administrator,dc=cymais,dc=cloud
 Save the change and apply it:
 ```sh
-docker exec -it openldap ldapmodify -Y EXTERNAL -H ldapi:/// -f config_update.ldif
+docker exec -it ldap ldapmodify -Y EXTERNAL -H ldapi:/// -f config_update.ldif
 ```
 ---
@ -127,7 +127,7 @@ docker exec -it openldap ldapmodify -Y EXTERNAL -H ldapi:/// -f config_update.ld
 Restart the OpenLDAP container if necessary:
 ```sh
-docker restart openldap
+docker restart ldap
 ```
 Now, `cn=administrator,dc=cymais,dc=cloud` should be active as the new administrator account.
--- a/roles/docker-ldap/docs/Installation.md
+++ b/roles/docker-ldap/docs/Installation.md
@ -31,5 +31,5 @@ EOF
 ### Verifiy that MemberOf is activated and loaded
 ```bash
 docker exec -it ldap sh -c 'ls -l /opt/bitnami/openldap/lib/openldap/memberof.*'
-docker exec -it openldap ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))'
+docker exec -it ldap ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))'
 ```
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@ -8,7 +8,7 @@ services:
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
 {% if applications[application_id].network.public | bool %}
    ports:
-      - 127.0.0.1:{{ports.localhost.ldap.openldap}}:{{ldap_docker_port}}  # Expose just on localhost so that nginx stream proxy can use it
+      - 127.0.0.1:{{ports.localhost.ldap.ldap}}:{{ldap_docker_port}}  # Expose just on localhost so that nginx stream proxy can use it
 {% endif %}
    volumes:
      - 'data:/bitnami/openldap'
--- a/roles/docker-ldap/templates/ldif/configuration/01_member_of_configuration.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/configuration/01_member_of_configuration.ldif.j2
@ -28,7 +28,7 @@
 # as the overlay only assigns the "member" attribute when a new group is created.
 # @todo Solve the following error:
-#fatal: [echoserver]: FAILED! => {"changed": true, "cmd": "docker exec -i openldap ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ldif/01_member_of_configuration.ldif\n", "delta": "0:00:00.059605", "end": "2025-02-25 12:01:18.218851", "msg": "non-zero return code", "rc": 247, "start": "2025-02-25 12:01:18.159246", "stderr": "SASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldapmodify: modify operation type is missing at line 2, entry \"cn=module,cn=config\"", "stderr_lines": ["SASL/EXTERNAL authentication started", "SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth", "SASL SSF: 0", "ldapmodify: modify operation type is missing at line 2, entry \"cn=module,cn=config\""], "stdout": "", "stdout_lines": []}
+#fatal: [echoserver]: FAILED! => {"changed": true, "cmd": "docker exec -i ldap ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ldif/01_member_of_configuration.ldif\n", "delta": "0:00:00.059605", "end": "2025-02-25 12:01:18.218851", "msg": "non-zero return code", "rc": 247, "start": "2025-02-25 12:01:18.159246", "stderr": "SASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldapmodify: modify operation type is missing at line 2, entry \"cn=module,cn=config\"", "stderr_lines": ["SASL/EXTERNAL authentication started", "SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth", "SASL SSF: 0", "ldapmodify: modify operation type is missing at line 2, entry \"cn=module,cn=config\""], "stdout": "", "stdout_lines": []}
 dn: cn=module,cn=config
--- a/roles/docker-ldap/templates/nginx.stream.conf.j2
+++ b/roles/docker-ldap/templates/nginx.stream.conf.j2
@ -1,6 +1,6 @@
 server {
-    listen {{ports.public.ldaps.openldap}}ssl;
+    listen {{ports.public.ldaps.ldap}}ssl;
-    proxy_pass 127.0.0.1:{{ports.localhost.ldap.openldap}};
+    proxy_pass 127.0.0.1:{{ports.localhost.ldap.ldap}};
    # SSL Configuration for LDAPS
    {% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
--- a/roles/docker-nextcloud/README.md
+++ b/roles/docker-nextcloud/README.md
@ -8,15 +8,6 @@ Elevate your collaboration with Nextcloud, a vibrant self-hosted cloud solution
 This role provisions a complete Nextcloud deployment using Docker Compose. It automates the setup of the Nextcloud application along with its underlying MariaDB database and configures the system for secure public access via an Nginx reverse proxy. The deployment includes automated configuration merging into `config.php`, health check routines, and integrated support for backup and recovery operations.
 For comprehensive installation instructions, please refer to the [Installation.md](./Installation.md) file. Additional operational guidance can be found in the following supporting documentation files:
 - [Applications.md](./Applications.md)
 - [Architecture.md](./Architecture.md)
 - [Administration.md](./Administration.md)
 - [Update.md](./Update.md)
 - [OCC.md](./OCC.md)
 - [Database.md](./Database.md)
 - [IAM.md](./IAM.md)
 ## Features
 - **Fully Dockerized Deployment:** Simplifies installation using Docker Compose for the Nextcloud application and its MariaDB backend.
@ -26,6 +17,10 @@ For comprehensive installation instructions, please refer to the [Installation.m
 - **Integrated Backup & Recovery:** Provides built-in support for backup and restoration operations to safeguard your data.
 - **Extensible Plugin Framework:** Easily manage and configure hundreds of Nextcloud plugins using the OCC command line tool.
 ## Documentation
 A detailled documentation for the use and administration of Nextcloud on CyMaIS you will find [here](docs/README.md)
 ## Additional Resources
 - [Nextcloud Official Website](https://nextcloud.com/)
--- a/roles/docker-nextcloud/docs/Administration.md
+++ b/roles/docker-nextcloud/docs/Administration.md
--- a/roles/docker-nextcloud/docs/Applications.md
+++ b/roles/docker-nextcloud/docs/Applications.md
--- a/roles/docker-nextcloud/docs/Architecture.md
+++ b/roles/docker-nextcloud/docs/Architecture.md
--- a/roles/docker-nextcloud/docs/Database.md
+++ b/roles/docker-nextcloud/docs/Database.md
--- a/roles/docker-nextcloud/docs/IAM.md
+++ b/roles/docker-nextcloud/docs/IAM.md
--- a/roles/docker-nextcloud/docs/OCC.md
+++ b/roles/docker-nextcloud/docs/OCC.md
--- a/roles/docker-nextcloud/docs/README.md
+++ b/roles/docker-nextcloud/docs/README.md
@ -0,0 +1,14 @@
 # Nextcloud Docs for CyMaIS
 This folder contains the Nextcloud Docs for CyMaIS.
 ## Index
 Operational guidance can be found in the following supporting documentation files:
 - [Applications.md](Applications.md)
 - [Architecture.md](Architecture.md)
 - [Administration.md](Administration.md)
 - [Update.md](Update.md)
 - [OCC.md](OCC.md)
 - [Database.md](Database.md)
 - [IAM.md](IAM.md)
--- a/roles/docker-nextcloud/docs/Update.md
+++ b/roles/docker-nextcloud/docs/Update.md
--- a/roles/docker-nextcloud/vars/plugins/user_ldap.yml
+++ b/roles/docker-nextcloud/vars/plugins/user_ldap.yml
@ -27,7 +27,7 @@ plugin_configuration:
  -
    appid: "user_ldap"
    configkey: "s01ldap_backup_port"
-    configvalue: "{{ ports.localhost.ldap.openldap }}" # This is just optimized for local port @todo implement for external ports as well
+    configvalue: "{{ ports.localhost.ldap.ldap }}" # This is just optimized for local port @todo implement for external ports as well
  -
    appid: "user_ldap"
@ -103,7 +103,7 @@ plugin_configuration:
  -
    appid: "user_ldap"
    configkey: "s01ldap_host"
-    configvalue: "openldap"
+    configvalue: "{{ldap.server.domain}}"
  -
    appid: "user_ldap"
    configkey: "s01ldap_login_filter"
--- a/roles/docker-phpldapadmin/templates/env.j2
+++ b/roles/docker-phpldapadmin/templates/env.j2
@ -1,3 +1,3 @@
 # @See https://github.com/leenooks/phpLDAPadmin/wiki/Docker-Container
 APP_URL=    https://{{domains[application_id]}}
-LDAP_HOST=  openldap
+LDAP_HOST=  {{ldap.server.domain}}
`@ -1,4 +1,4 @@`
	`# Customer Guide`	`# Enterprise Guide`

	`Are you looking for a reliable IT infrastructure for your business or organization? CyMaIS is here to help!`	`Are you looking for a reliable IT infrastructure for your business or organization? CyMaIS is here to help!`
`@ -1,4 +1,4 @@`
	`# Client WireGuard Behind NAT Role`	`# Client WireGuard Behind NAT`

	`## Description`	`## Description`