Optimized ldap integration

group_vars/all/07_applications.yml

@@ -91,8 +91,8 @@ defaults_applications:
       version:                        "2.0.0-dev"                               # @todo Attention: Change this as fast as released to latest
     webinterface:                     "lam"                                     # The webinterface which should be used. Possible: lam and phpldapadmin
     administrator_username:           "{{administrator_username}}"
-    administrator_password:           "{{user_administrator_initial_password}}" # CHANGE for security reasons in inventory file
-    administrator_database_password:  "{{user_administrator_initial_password}}" # CHANGE for security reasons in inventory file
+    # administrator_password:          # CHANGE for security reasons in inventory file
+    # administrator_database_password: # CHANGE for security reasons in inventory file
 
   ## Listmonk
   listmonk:

group_vars/all/11_iam.yml

@@ -51,9 +51,11 @@ ldap:
     # Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).
     root:   "{{_ldap_dn_base}}"
     # Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain.
-    administrator:  "cn={{applications.ldap.administrator_username}},{{_ldap_dn_base}}"
+    bind:   "cn={{applications.ldap.administrator_username}},{{_ldap_dn_base}}"
     # Dn from which the users should be read
     users:          "ou=users,{{_ldap_dn_base}}"
+  # Password to access dn.bind
+  bind_credential:  "{{applications.ldap.administrator_database_password}}"
   server:
     domain: "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access
     uri:    "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}"

roles/docker-funkwhale/templates/env.j2

@@ -109,8 +109,8 @@ DJANGO_SECRET_KEY={{funkwhale_django_secret}}
 
 LDAP_ENABLED        =   True
 LDAP_SERVER_URI     =   "{{ldap.server.uri}}"
-LDAP_BIND_DN        =   "{{ldap.dn.administrator}}"
-LDAP_BIND_PASSWORD  =   "{{applications.ldap.administrator_database_password}}"
+LDAP_BIND_DN        =   "{{ldap.dn.bind}}"
+LDAP_BIND_PASSWORD  =   "{{ldap.dn.bind_credential}}"
 LDAP_SEARCH_FILTER  =   "(|(cn={0})(mail={0}))"
 LDAP_START_TLS      =   False
 LDAP_ROOT_DN        =   "{{ldap.dn.root}}"

roles/docker-keycloak/templates/realm-export.json.j2

@@ -1941,7 +1941,7 @@
             "true"
           ],
           "bindCredential": [
-            "**********"
+            "{{ldap.bind_credential}}"
           ],
           "changedSyncPeriod": [
             "-1"
@@ -1950,7 +1950,7 @@
             "uid"
           ],
           "bindDn": [
-            "{{ldap.dn.administrator}}"
+            "{{ldap.dn.bind}}"
           ],
           "lastSync": [
             "1737578007"
@@ -1965,7 +1965,7 @@
             "false"
           ],
           "connectionUrl": [
-            "ldap://openldap"
+            "{{ldap.dn.server.uri}}"
           ],
           "syncRegistrations": [
             "true"

roles/docker-ldap/handlers/main.yml

@@ -19,7 +19,7 @@
 
 - name: "Import Access Roles to OpenLDAP"
   shell: >
-    docker exec -i openldap ldapadd -x -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif"
+    docker exec -i openldap ldapadd -x -D "{{ldap.dn.bind}}" -w "{{ldap.dn.bind_credential}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif"
   register: ldapadd_result
   changed_when: "'adding new entry' in ldapadd_result.stdout"
   # Allow return code 0 (all entries added) or 68 (entry already exists)

roles/docker-ldap/templates/docker-compose.yml.j2

@@ -34,7 +34,7 @@ services:
       - '{{ldif_host_path}}:{{ldif_docker_path}}:ro'                      # Mounting all ldif files for import
     healthcheck:
       test: >
-        ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}"
+        ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.bind}}" -w "{{ldap.dn.bind_credential}}"
       interval: 30s
       timeout: 10s
       retries: 3

roles/docker-ldap/templates/env.j2

@@ -12,7 +12,7 @@ LDAP_PASSWORDS=             ' '                             # Comma separated li
 LDAP_ROOT=                  {{ldap.dn.root}}                # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
 
 ## Admin
-LDAP_ADMIN_DN=              {{ldap.dn.administrator}}       # Not well documented. Don't know if this has an effect
+LDAP_ADMIN_DN=              {{ldap.dn.bind}}
 LDAP_CONFIG_ADMIN_ENABLED=  yes
 LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.administrator_username}}
 LDAP_CONFIG_ADMIN_PASSWORD= {{applications.ldap.administrator_password}}

roles/docker-ldap/templates/lam.env.j2

@@ -9,5 +9,5 @@ LAM_CONFIGURATION_DATABASE= files
 # LDAP Configuration
 LDAP_SERVER=                {{ldap.server.domain}}                                  # domain of LDAP database root entry
 LDAP_BASE_DN=               {{ldap.dn.root}}                                        # LDAP base DN to overwrite value generated by LDAP_DOMAIN
-LDAP_USER=                  {{ldap.dn.administrator}}                               # LDAP admin user (set as login user for LAM)
-LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}}   # LDAP admin password
+LDAP_USER=                  {{ldap.dn.bind}}                                        # LDAP admin user (set as login user for LAM)
+LDAP_ADMIN_PASSWORD=        {{ldap.dn.bind_credential}}                             # LDAP admin password