Optimized ldap integration

This commit is contained in:
Kevin Veen-Birkenbach 2025-02-18 14:46:09 +01:00
parent 82bdbbaf57
commit 671448dbfc
8 changed files with 17 additions and 15 deletions


@ -91,8 +91,8 @@ defaults_applications:
version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
administrator_username: "{{administrator_username}}" administrator_username: "{{administrator_username}}"
administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons in inventory file # administrator_password: # CHANGE for security reasons in inventory file
administrator_database_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons in inventory file # administrator_database_password: # CHANGE for security reasons in inventory file
## Listmonk ## Listmonk
listmonk: listmonk:
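Review bot: With `administrator_password` and `administrator_database_password` commented out on the two changed lines, `applications.ldap.administrator_database_password` no longer has a default, yet the group vars in this commit still derive the bind credential from it, so a play against an inventory that does not set it fails at template time with an undefined-variable error. That is the safe direction to fail in, but the trailing comment does not say the value is now mandatory; I would write `# administrator_database_password: # REQUIRED: set in the inventory (intentionally no default)` and the same for `administrator_password`. The `defaults_applications.ldap` mapping starts and ends outside the hunk.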


@ -45,15 +45,17 @@ ldap_enabled: false
ldap: ldap:
# Enables LDAP for all roles in play if true # Enables LDAP for all roles in play if true
enabled: true enabled: true
# Distinguished Names (DN) # Distinguished Names (DN)
dn: dn:
# Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD). # Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).
root: "{{_ldap_dn_base}}" root: "{{_ldap_dn_base}}"
# Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain. # Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain.
administrator: "cn={{applications.ldap.administrator_username}},{{_ldap_dn_base}}" bind: "cn={{applications.ldap.administrator_username}},{{_ldap_dn_base}}"
# Dn from which the users should be read # Dn from which the users should be read
users: "ou=users,{{_ldap_dn_base}}" users: "ou=users,{{_ldap_dn_base}}"
# Password to access dn.bind
bind_credential: "{{applications.ldap.administrator_database_password}}"
server: server:
domain: "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access domain: "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access
uri: "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}" uri: "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}"
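Review bot: The comment above the renamed `bind` key still describes it as the DN of the LDAP administrator, while the rename signals that this is the account the roles bind with and need not be the rootdn; I would change it to `# DN the roles bind with; by default the LDAP administrator (username joined with the root DN)`. The new `bind_credential` appears to sit under `dn:` (its comment `Password to access dn.bind` and the `ldap.dn.bind_credential` references in the other templates suggest so), which places a secret inside a mapping of names; a sibling of `dn` would read cleaner, but whichever path is chosen every consumer has to use it. Its source, `applications.ldap.administrator_database_password`, has no default after this commit, so the inventory must supply it.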


@ -109,8 +109,8 @@ DJANGO_SECRET_KEY={{funkwhale_django_secret}}
LDAP_ENABLED = True LDAP_ENABLED = True
LDAP_SERVER_URI = "{{ldap.server.uri}}" LDAP_SERVER_URI = "{{ldap.server.uri}}"
LDAP_BIND_DN = "{{ldap.dn.administrator}}" LDAP_BIND_DN = "{{ldap.dn.bind}}"
LDAP_BIND_PASSWORD = "{{applications.ldap.administrator_database_password}}" LDAP_BIND_PASSWORD = "{{ldap.dn.bind_credential}}"
LDAP_SEARCH_FILTER = "(|(cn={0})(mail={0}))" LDAP_SEARCH_FILTER = "(|(cn={0})(mail={0}))"
LDAP_START_TLS = False LDAP_START_TLS = False
LDAP_ROOT_DN = "{{ldap.dn.root}}" LDAP_ROOT_DN = "{{ldap.dn.root}}"


@ -1941,7 +1941,7 @@
"true" "true"
], ],
"bindCredential": [ "bindCredential": [
"**********" "{{ldap.bind_credential}}"
], ],
"changedSyncPeriod": [ "changedSyncPeriod": [
"-1" "-1"
@ -1950,7 +1950,7 @@
"uid" "uid"
], ],
"bindDn": [ "bindDn": [
"{{ldap.dn.administrator}}" "{{ldap.dn.bind}}"
], ],
"lastSync": [ "lastSync": [
"1737578007" "1737578007"
@ -1965,7 +1965,7 @@
"false" "false"
], ],
"connectionUrl": [ "connectionUrl": [
"ldap://openldap" "{{ldap.dn.server.uri}}"
], ],
"syncRegistrations": [ "syncRegistrations": [
"true" "true"
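Review bot: Two of the new template references in this file do not match the variable layout the group vars define: `bindCredential` uses `{{ldap.bind_credential}}` while every other template in this commit (funkwhale, the ldapadd task, the healthcheck, LAM) uses `{{ldap.dn.bind_credential}}`, and `connectionUrl` uses `{{ldap.dn.server.uri}}` while the group vars and the funkwhale template keep `uri` under `ldap.server`, not `ldap.dn`. With Ansible's default handling of undefined variables the realm import fails to render; if that were ever relaxed the realm would be imported with an empty credential and URL. The previous `"**********"` was Keycloak's export mask, so the rendered realm file now carries the bind password in cleartext, and a value containing `"` or `\` would break the JSON unless it is emitted escaped, e.g. `"bindCredential": [ {{ ldap.dn.bind_credential | to_json }} ]`. The enclosing JSON object begins and ends outside these hunks.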


@ -19,7 +19,7 @@
- name: "Import Access Roles to OpenLDAP" - name: "Import Access Roles to OpenLDAP"
shell: > shell: >
docker exec -i openldap ldapadd -x -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif" docker exec -i openldap ldapadd -x -D "{{ldap.dn.bind}}" -w "{{ldap.dn.bind_credential}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif"
register: ldapadd_result register: ldapadd_result
changed_when: "'adding new entry' in ldapadd_result.stdout" changed_when: "'adding new entry' in ldapadd_result.stdout"
# Allow return code 0 (all entries added) or 68 (entry already exists) # Allow return code 0 (all entries added) or 68 (entry already exists)
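Review bot: The bind password is still passed on the `ldapadd` command line with `-w` and the task has no `no_log`, so the rendered command, credential included, shows up in the Ansible output on failure or with `-v`, and in the process list on the host and inside the container while it runs. At minimum add `no_log: true` to the task; better, write the credential to a file and pass `-y <file>` so it never reaches argv. The folded `shell: >` value is also not protected against shell metacharacters, so a password containing `"` or `$` breaks the command or is expanded; `{{ ldap.dn.bind_credential | quote }}` avoids that. The compose healthcheck in this commit uses the same `-w "{{ldap.dn.bind_credential}}"` form; the task continues outside the hunk.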


@ -34,7 +34,7 @@ services:
- '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import - '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import
healthcheck: healthcheck:
test: > test: >
ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.bind}}" -w "{{ldap.dn.bind_credential}}"
interval: 30s interval: 30s
timeout: 10s timeout: 10s
retries: 3 retries: 3
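Review bot: Embedding the bind credential in the healthcheck `test` string puts it into the container's configuration, where `docker inspect` and the process list (every 30 s per `interval`) expose it, on top of the rendered compose file on disk. If the check must authenticate, reading the secret from a mounted file with `ldapsearch -y <file>` keeps it out of argv and the inspect output; if the directory permits anonymous base reads, an unauthenticated `ldapsearch -x -s base -b "{{ldap.dn.root}}"` would confirm liveness without any secret. The `services` mapping continues outside the hunk.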


@ -12,7 +12,7 @@ LDAP_PASSWORDS= ' ' # Comma separated li
LDAP_ROOT= {{ldap.dn.root}} # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org LDAP_ROOT= {{ldap.dn.root}} # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
## Admin ## Admin
LDAP_ADMIN_DN= {{ldap.dn.administrator}} # Not well documented. Don't know if this has an effect LDAP_ADMIN_DN= {{ldap.dn.bind}}
LDAP_CONFIG_ADMIN_ENABLED= yes LDAP_CONFIG_ADMIN_ENABLED= yes
LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.administrator_username}} LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.administrator_username}}
LDAP_CONFIG_ADMIN_PASSWORD= {{applications.ldap.administrator_password}} LDAP_CONFIG_ADMIN_PASSWORD= {{applications.ldap.administrator_password}}
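Review bot: `LDAP_ADMIN_DN` appears to be the server-side administrator DN, but after this change it follows `ldap.dn.bind`, the DN the clients bind with; the rename to `bind` suggests that DN may later become a less-privileged service account, which would silently change the server's admin identity as well. I would keep the server's admin DN derived from `applications.ldap.administrator_username` and the root DN (as `LDAP_CONFIG_ADMIN_USERNAME` below still does), or state in a comment that `ldap.dn.bind` must stay the administrator. The LAM `.env` in this commit ties `LDAP_USER`/`LDAP_ADMIN_PASSWORD` to the same bind pair and has the same coupling. The removed comment recorded that the effect of `LDAP_ADMIN_DN` was unverified; if that is still true, a short comment saying so is worth keeping.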


@ -9,5 +9,5 @@ LAM_CONFIGURATION_DATABASE= files
# LDAP Configuration # LDAP Configuration
LDAP_SERVER= {{ldap.server.domain}} # domain of LDAP database root entry LDAP_SERVER= {{ldap.server.domain}} # domain of LDAP database root entry
LDAP_BASE_DN= {{ldap.dn.root}} # LDAP base DN to overwrite value generated by LDAP_DOMAIN LDAP_BASE_DN= {{ldap.dn.root}} # LDAP base DN to overwrite value generated by LDAP_DOMAIN
LDAP_USER= {{ldap.dn.administrator}} # LDAP admin user (set as login user for LAM) LDAP_USER= {{ldap.dn.bind}} # LDAP admin user (set as login user for LAM)
LDAP_ADMIN_PASSWORD= {{applications.ldap.administrator_database_password}} # LDAP admin password LDAP_ADMIN_PASSWORD= {{ldap.dn.bind_credential}} # LDAP admin password