From 671448dbfca550579c8f053474d5d6ee9e705a6d Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 18 Feb 2025 14:46:09 +0100
Subject: [PATCH] Optimized ldap integration
---
 group_vars/all/07_applications.yml | 4 ++--
 group_vars/all/11_iam.yml | 8 +++++---
 roles/docker-funkwhale/templates/env.j2 | 4 ++--
 roles/docker-keycloak/templates/realm-export.json.j2 | 6 +++---
 roles/docker-ldap/handlers/main.yml | 2 +-
 roles/docker-ldap/templates/docker-compose.yml.j2 | 2 +-
 roles/docker-ldap/templates/env.j2 | 2 +-
 roles/docker-ldap/templates/lam.env.j2 | 4 ++--
 8 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
index 1fc2175b..1498f645 100644
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -91,8 +91,8 @@ defaults_applications:
 version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
 webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
 administrator_username: "{{administrator_username}}"
- administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons in inventory file
- administrator_database_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons in inventory file
+ # administrator_password: # CHANGE for security reasons in inventory file
+ # administrator_database_password: # CHANGE for security reasons in inventory file
 ## Listmonk
 listmonk:
diff --git a/group_vars/all/11_iam.yml b/group_vars/all/11_iam.yml
index e4401bf1..1dd631d4 100644
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
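Review bot: The retained comment `# CHANGE for security reasons in inventory file` on the two commented-out keys now understates the contract, because `applications.ldap.administrator_password` and `applications.ldap.administrator_database_password` are still dereferenced elsewhere in this commit (`bind_credential` in group_vars/all/11_iam.yml and `LDAP_CONFIG_ADMIN_PASSWORD` in roles/docker-ldap/templates/env.j2) with no default left to fall back on. An inventory that omits them fails at render time with an undefined variable, which is the right outcome for a missing secret, but the comment should say so rather than read as an optional override. Reword both to state the requirement, e.g. `# administrator_password: # REQUIRED: no default is shipped; define it in the inventory (Ansible Vault recommended)`, and the same for `administrator_database_password`. The `defaults_applications` mapping this hunk edits begins and ends outside the hunk.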
@@ -45,15 +45,17 @@ ldap_enabled: false
 ldap:
 # Enables LDAP for all roles in play if true
- enabled: true
+ enabled: true
 # Distinguished Names (DN)
 dn:
 # Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).
- root: "{{_ldap_dn_base}}"
+ root: "{{_ldap_dn_base}}"
 # Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain.
- administrator: "cn={{applications.ldap.administrator_username}},{{_ldap_dn_base}}"
+ bind: "cn={{applications.ldap.administrator_username}},{{_ldap_dn_base}}"
 # Dn from which the users should be read
 users: "ou=users,{{_ldap_dn_base}}"
+ # Password to access dn.bind
+ bind_credential: "{{applications.ldap.administrator_database_password}}"
 server:
 domain: "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access
 uri: "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}"
diff --git a/roles/docker-funkwhale/templates/env.j2 b/roles/docker-funkwhale/templates/env.j2
index e4dd79e0..a33cb656 100644
--- a/roles/docker-funkwhale/templates/env.j2
+++ b/roles/docker-funkwhale/templates/env.j2
@@ -109,8 +109,8 @@ DJANGO_SECRET_KEY={{funkwhale_django_secret}}
 LDAP_ENABLED = True
 LDAP_SERVER_URI = "{{ldap.server.uri}}"
-LDAP_BIND_DN = "{{ldap.dn.administrator}}"
-LDAP_BIND_PASSWORD = "{{applications.ldap.administrator_database_password}}"
+LDAP_BIND_DN = "{{ldap.dn.bind}}"
+LDAP_BIND_PASSWORD = "{{ldap.dn.bind_credential}}"
 LDAP_SEARCH_FILTER = "(|(cn={0})(mail={0}))"
 LDAP_START_TLS = False
 LDAP_ROOT_DN = "{{ldap.dn.root}}"
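Review bot: `bind_credential` is a password, yet it is added under `dn:`, which the comments in this hunk describe as the Distinguished Names block, so the resulting path `ldap.dn.bind_credential` reads as if it named a DN. A key at the `ldap` level, beside `dn:` and `server:`, would keep `dn` homogeneous — and roles/docker-keycloak/templates/realm-export.json.j2 in this same commit already reads it as `ldap.bind_credential`, while the funkwhale env.j2, the docker-ldap handler, compose healthcheck, env.j2 and lam.env.j2 all use `ldap.dn.bind_credential`, so the definition and its consumers must be reconciled one way or the other. The comment `# Password to access dn.bind` could also record where the value comes from: `# Bind password for dn.bind; sourced from applications.ldap.administrator_database_password, which is no longer defaulted and must be set in the inventory`. The `ldap` mapping continues past the end of the hunk.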
diff --git a/roles/docker-keycloak/templates/realm-export.json.j2 b/roles/docker-keycloak/templates/realm-export.json.j2
index ed2bc1e0..7633fc9c 100644
--- a/roles/docker-keycloak/templates/realm-export.json.j2
+++ b/roles/docker-keycloak/templates/realm-export.json.j2
@@ -1941,7 +1941,7 @@
 "true"
 ],
 "bindCredential": [
- "**********"
+ "{{ldap.bind_credential}}"
 ],
 "changedSyncPeriod": [
 "-1"
@@ -1950,7 +1950,7 @@
 "uid"
 ],
 "bindDn": [
- "{{ldap.dn.administrator}}"
+ "{{ldap.dn.bind}}"
 ],
 "lastSync": [
 "1737578007"
@@ -1965,7 +1965,7 @@
 "false"
 ],
 "connectionUrl": [
- "ldap://openldap"
+ "{{ldap.dn.server.uri}}"
 ],
 "syncRegistrations": [
 "true"
diff --git a/roles/docker-ldap/handlers/main.yml b/roles/docker-ldap/handlers/main.yml
index 23385982..67503cf0 100644
--- a/roles/docker-ldap/handlers/main.yml
+++ b/roles/docker-ldap/handlers/main.yml
@@ -19,7 +19,7 @@
 - name: "Import Access Roles to OpenLDAP"
 shell: >
- docker exec -i openldap ldapadd -x -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif"
+ docker exec -i openldap ldapadd -x -D "{{ldap.dn.bind}}" -w "{{ldap.dn.bind_credential}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif"
 register: ldapadd_result
 changed_when: "'adding new entry' in ldapadd_result.stdout"
 # Allow return code 0 (all entries added) or 68 (entry already exists)
diff --git a/roles/docker-ldap/templates/docker-compose.yml.j2 b/roles/docker-ldap/templates/docker-compose.yml.j2
index 70d8bc21..1b71d79a 100644
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
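Review bot: `{{ldap.bind_credential}}` in the `bindCredential` array does not match the key this commit defines in group_vars/all/11_iam.yml, which is `ldap.dn.bind_credential`; unless `ldap.bind_credential` is set somewhere outside this patch, rendering the template fails on an undefined variable. The third hunk of this file has the same kind of slip: `{{ldap.dn.server.uri}}` should be `{{ldap.server.uri}}`, since `server` is a sibling of `dn` in 11_iam.yml and that is the path roles/docker-funkwhale/templates/env.j2 uses. The credential is also interpolated inside a JSON string literal with no escaping, so a bind password containing `"` or `\` yields an invalid realm file; render it as `{{ ldap.dn.bind_credential | to_json }}` in place of the quoted expansion so the filter supplies quoting and escaping. Because the rendered realm-export.json now carries the real bind credential where Keycloak's export had the `**********` mask, the rendered file needs the same handling as any secret-bearing file (restrictive mode, never committed).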
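Review bot: The bind password is still passed to `ldapadd` via `-w` on a `shell:` command line, so it appears in Ansible's task output and logs for this handler and in the process list of both the host (`docker exec` argv) and the container while the import runs; renaming the source to `ldap.dn.bind_credential` does not change that exposure. Add `no_log: true` to the task — `register` and `changed_when` keep working, only the displayed result is redacted — and consider `ldapadd -y /path/to/password-file` (constructed path; use one the role controls, mounted read-only) instead of `-w`. The task body continues past the hunk.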
@@ -34,7 +34,7 @@ services:
 - '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import
 healthcheck:
 test: >
- ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}"
+ ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.bind}}" -w "{{ldap.dn.bind_credential}}"
 interval: 30s
 timeout: 10s
 retries: 3
diff --git a/roles/docker-ldap/templates/env.j2 b/roles/docker-ldap/templates/env.j2
index d61d551b..917ec692 100644
--- a/roles/docker-ldap/templates/env.j2
+++ b/roles/docker-ldap/templates/env.j2
@@ -12,7 +12,7 @@ LDAP_PASSWORDS= ' ' # Comma separated li
 LDAP_ROOT= {{ldap.dn.root}} # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
 ## Admin
-LDAP_ADMIN_DN= {{ldap.dn.administrator}} # Not well documented. Don't know if this has an effect
+LDAP_ADMIN_DN= {{ldap.dn.bind}}
 LDAP_CONFIG_ADMIN_ENABLED= yes
 LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.administrator_username}}
 LDAP_CONFIG_ADMIN_PASSWORD= {{applications.ldap.administrator_password}}
diff --git a/roles/docker-ldap/templates/lam.env.j2 b/roles/docker-ldap/templates/lam.env.j2
index 02a776d6..d14d5341 100644
--- a/roles/docker-ldap/templates/lam.env.j2
+++ b/roles/docker-ldap/templates/lam.env.j2
@@ -9,5 +9,5 @@ LAM_CONFIGURATION_DATABASE= files
 # LDAP Configuration
 LDAP_SERVER= {{ldap.server.domain}} # domain of LDAP database root entry
 LDAP_BASE_DN= {{ldap.dn.root}} # LDAP base DN to overwrite value generated by LDAP_DOMAIN
-LDAP_USER= {{ldap.dn.administrator}} # LDAP admin user (set as login user for LAM)
-LDAP_ADMIN_PASSWORD= {{applications.ldap.administrator_database_password}} # LDAP admin password
\ No newline at end of file
+LDAP_USER= {{ldap.dn.bind}} # LDAP admin user (set as login user for LAM)
+LDAP_ADMIN_PASSWORD= {{ldap.dn.bind_credential}} # LDAP admin password
\ No newline at end of file
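Review bot: The caveat `# Not well documented. Don't know if this has an effect` on `LDAP_ADMIN_DN` in roles/docker-ldap/templates/env.j2 is removed without a replacement, so the file no longer tells a reader whether the image honors this variable or why it must equal the bind DN. If its effect was verified while renaming, record that; otherwise keep the doubt visible, e.g. `LDAP_ADMIN_DN= {{ldap.dn.bind}} # Kept in step with the DN used by the compose healthcheck and the ldapadd handler; effect on the image not verified`.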