Restructured LDAP role

2025-08-29 15:06:26 +02:00 · 2025-04-25 11:34:14 +02:00
parent ec79cb8921
commit 72deb13d07
13 changed files with 137 additions and 110 deletions
--- a/roles/docker-ldap/templates/ldif/data/01_application_roles.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/data/01_application_roles.ldif.j2
@@ -1,19 +1,4 @@
-
-#######################################################################
-# Generic container for Application roles
-#######################################################################
-dn: {{ldap.dn.application_roles}}
-objectClass: organizationalUnit
-ou: roles
-description: Container for application access profiles
-
-{# 
-  This template generates two LDIF entries for each application in defaults_applications:
-  one for the administrator role and one for the standard user role.
-  Please adjust the base DN (dc=example,dc=com) and other attributes as necessary.
-#}
-
-{% for app, config in defaults_applications.items() %}
+{% for app, config in applications.items() %}
 dn: cn={{ app }}-administrator,{{ldap.dn.application_roles}}
 objectClass: top
 objectClass: organizationalRole
@@ -27,3 +12,31 @@ cn: {{ app }}-user
 description: Standard user role for {{ app }} (automatically generated)

 {% endfor %}
+
+{% for username, user in users.items() %}
+
+#######################################################################
+# Assign {{ username }} to application user roles
+#######################################################################
+{% for app, config in applications.items() %}
+
+# Assign {{ username }} to {{ app }}-users
+
+dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
+changetype: modify
+add: roleOccupant
+roleOccupant: {{ ldap.attributes.user_id }}={{ username }},{{ ldap.dn.users }}
+
+{% if users.is_admin | default(false) | bool %}
+
+# Assign {{ username }} to {{ app }}-administrator
+dn: cn={{ app }}-administrator,{{ ldap.dn.application_roles }}
+changetype: modify
+add: roleOccupant
+roleOccupant: {{ ldap.attributes.user_id }}={{ users.administrator.username }},{{ ldap.dn.users }}
+
+{% endif %}
+
+{% endfor %}
+
+{% endfor %}
--- a/roles/docker-ldap/templates/ldif/data/02_users.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/data/02_users.ldif.j2
@@ -1,58 +0,0 @@
-{##
-# Iterate over all users and create LDAP entries for each, then assign admin to application roles
-# This template loops through a 'users' list variable where each user is a dict with keys:
-#   username, uid, gid, password (optional), sn (optional), cn (optional)
-##}
-#######################################################################
-# Container for Application Roles (if not already created)
-#######################################################################
-dn: {{ ldap.dn.application_roles }}
-objectClass: organizationalUnit
-ou: roles
-description: Container for application access profiles
-
-{% for username, user in users.items() %}
-#######################################################################
-# Create User {{ username }}
-#######################################################################
-dn: {{ ldap.attributes.user_id }}={{ username }},{{ ldap.dn.users }}
-{% for cls in ldap.user_objects %}
-objectClass: {{ cls }}
-{% endfor %}
-{{ ldap.attributes.user_id }}: {{ username }}
-sn: {{ username }}
-cn: {{ username }}
-userPassword: {SSHA}{{ user.password }}
-loginShell: /bin/bash
-homeDirectory: /home/{{ username }}
-uidNumber: {{ user.uid }}
-gidNumber: {{ user.gid }}
-
-#######################################################################
-# Assign {{ username }} to application user roles
-#######################################################################
-{% for app, config in defaults_applications.items() %}
-dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
-changetype: modify
-add: roleOccupant
-roleOccupant: {{ ldap.attributes.user_id }}={{ username }},{{ ldap.dn.users }}
-
-{% endfor %}
-{% endfor %}
-
-#######################################################################
-# Add Admin User to All Application Role Groups (unchanged)
-#######################################################################
-{% for app, config in defaults_applications.items() %}
-dn: cn={{ app }}-administrator,{{ ldap.dn.application_roles }}
-changetype: modify
-add: roleOccupant
-roleOccupant: {{ ldap.attributes.user_id }}={{ users.administrator.username }},{{ ldap.dn.users }}
-
-dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
-changetype: modify
-add: roleOccupant
-roleOccupant: {{ ldap.attributes.user_id }}={{ users.administrator.username }},{{ ldap.dn.users }}
-
-{% endfor %}
-