diff --git a/group_vars/all/03_domains.yml b/group_vars/all/03_domains.yml
index c0dc1729..20a2ea7e 100644
--- a/group_vars/all/03_domains.yml
+++ b/group_vars/all/03_domains.yml
@@ -55,8 +55,9 @@ defaults_redirect_domain_mappings:
 - { source: "funkwhale.{{primary_domain}}", target: "{{domains.funkwhale}}" }
 - { source: "gitea.{{primary_domain}}", target: "{{domains.gitea}}" }
 - { source: "keycloak.{{primary_domain}}", target: "{{domains.keycloak}}" }
+- { source: "lam.{{primary_domain}}", target: "{{domains.ldap}}" }
 - { source: "listmonk.{{primary_domain}}", target: "{{domains.listmonk}}" }
-- { source: "mailu.{{primary_domain}}", target: "{{domains.mailu}}" }
+- { source: "mailu.{{primary_domain}}", target: "{{domains.mailu}}" }
 - { source: "moodle.{{primary_domain}}", target: "{{domains.moodle}}" }
 - { source: "nextcloud.{{primary_domain}}", target: "{{domains.nextcloud}}" }
 - { source: "openproject.{{primary_domain}}", target: "{{domains.openproject}}" }
diff --git a/roles/docker-ldap/Installation.md b/roles/docker-ldap/Installation.md
index e66920a9..76199fe8 100644
--- a/roles/docker-ldap/Installation.md
+++ b/roles/docker-ldap/Installation.md
@@ -27,3 +27,9 @@ EOF
 ```
+
+### Verifiy that MemberOf is activated and loaded
+```bash
+docker exec -it openldap sh -c 'ls -l /opt/bitnami/openldap/lib/openldap/memberof.*'
+docker exec -it openldap ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))'
+```
diff --git a/roles/docker-ldap/tasks/lam.yml b/roles/docker-ldap/tasks/lam.yml
new file mode 100644
index 00000000..b68e17a6
--- /dev/null
+++ b/roles/docker-ldap/tasks/lam.yml
@@ -0,0 +1,33 @@
+- name: "load lam variables"
+  include_vars:
+    file: lam.yml
+
+- name: "Ensure LAM profiles directory exists"
+  file:
+    path: "{{ lam_profiles_dir }}"
+    state: directory
+    mode: '0755'
+    recurse: true
+
+- name: "create {{docker_compose.directories.env}}lam.env"
+  template:
+    src: "lam/env.j2"
+    dest: "{{docker_compose.directories.env}}lam.env"
+    mode: '770'
+    force: yes
+  notify: docker compose project setup
+
+- name: "create default.group to enable groupOfNames in LAM"
+  template:
+    src: "lam/default.group.j2"
+    dest: "{{ lam_profiles_dir }}/default.group"
+    mode: '0644'
+  notify: docker compose project setup
+
+- name: "Create groupOfNames.conf to enable groupOfNames as base module in LAM"
+  template:
+    src: "lam/groupOfNames.conf.j2"
+    dest: "{{ lam_profiles_dir }}/groupOfNames.conf"
+    mode: '0644'
+
+
diff --git a/roles/docker-ldap/tasks/main.yml b/roles/docker-ldap/tasks/main.yml
index 325b7957..7130f4f7 100644
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@@ -39,13 +39,8 @@
   notify: docker compose project setup
   when: applications.ldap.webinterface == 'phpldapadmin'
 
-- name: "create {{docker_compose.directories.env}}lam.env"
-  template:
-    src: "lam.env.j2"
-    dest: "{{docker_compose.directories.env}}lam.env"
-    mode: '770'
-    force: yes
-  notify: docker compose project setup
+- name: "execute lam tasks"
+  include_tasks: lam.yml
   when: applications.ldap.webinterface == 'lam'
 
 - name: "copy docker-compose.yml and env file"
diff --git a/roles/docker-ldap/templates/docker-compose.yml.j2 b/roles/docker-ldap/templates/docker-compose.yml.j2
index 6a35bac8..b4ca86be 100644
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
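Review bot: The task that creates `groupOfNames.conf` lacks the `notify: docker compose project setup` that its sibling `default.group` task carries, so a change to that profile file alone never reaches the handler; add `notify: docker compose project setup` after its `mode: '0644'`, or drop the notify from both tasks if the bind mount makes a restart unnecessary. The `lam.env` task still writes `mode: '770'` and `force: yes` while the rest of the file uses `'0755'`/`'0644'` and `recurse: true`; give the mode a leading zero and write the boolean as `true` for consistency. `lam_profiles_dir` is defined with a trailing slash in `vars/lam.yml`, so `dest: "{{ lam_profiles_dir }}/default.group"` and the `groupOfNames.conf` dest render a double slash — drop the `/` in the two `dest` values or the trailing slash in the variable. `recurse: true` on the directory task also re-applies `0755` to everything already under the profiles directory on every run, which seems unnecessary for a directory that only needs to exist.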
@@ -8,11 +8,13 @@ services:
       driver: journald
     restart: {{docker_restart_policy}}
 {% if applications.ldap.webinterface == 'lam' %}
-    image: ghcr.io/ldapaccountmanager/lam:{{applications.ldap.lam.version}} # Dies ist das Docker-Image für LAM
+    image: ghcr.io/ldapaccountmanager/lam:{{applications.ldap.lam.version}}
     ports:
       - 127.0.0.1:{{ports.localhost.http.ldap}}:80
     env_file:
       - "{{docker_compose.directories.env}}lam.env"
+    volumes:
+      - "{{ lam_profiles_dir }}:/var/lib/ldap-account-manager/config/profiles/"
 {% elif applications.ldap.webinterface == 'phpldapadmin' %}
     image: leenooks/phpldapadmin:{{applications.ldap.phpldapadmin.version}}
@@ -34,11 +36,14 @@ services:
       - '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import
     healthcheck:
       test: >
-        ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.administrator}}" -w "{{ldap.bind_credential}}"
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 20s
+        bash -c '
+        ldapsearch -x -H ldap://localhost:{{ ldap_docker_port }} \
+        -D "{{ ldap.dn.administrator }}" -w "{{ ldap.bind_credential }}" -b "{{ ldap.dn.root }}" > /dev/null \
+        && \
+        ldapsearch -Y EXTERNAL -H ldapi:/// \
+        -b cn=config "(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))" \
+        | grep "olcOverlay:" | grep -q "memberof"
+        '
 
 {% include 'templates/docker/container/networks.yml.j2' %}
 {% include 'templates/docker/compose/volumes.yml.j2' %}
diff --git a/roles/docker-ldap/templates/lam/default.group.j2 b/roles/docker-ldap/templates/lam/default.group.j2
new file mode 100644
index 00000000..d4bae6df
--- /dev/null
+++ b/roles/docker-ldap/templates/lam/default.group.j2
@@ -0,0 +1 @@
+Modules: groupOfNames
\ No newline at end of file
diff --git a/roles/docker-ldap/templates/lam.env.j2 b/roles/docker-ldap/templates/lam/env.j2
similarity index 100%
rename from roles/docker-ldap/templates/lam.env.j2
rename to roles/docker-ldap/templates/lam/env.j2
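Review bot: The trailing backslashes in the rewritten `test: >` scalar only act as shell line continuations if the newlines survive, but a folded (`>`) block replaces the newline after each line with a space when the continuation lines share the indentation of `bash -c '`; bash then sees `\ ` (an escaped space), which becomes a stray ` ` argument to the first `ldapsearch` and a stray command between `&&` and the second one, so the check would fail even when slapd is healthy. Either switch the block to a literal scalar (`test: |`) or drop the backslashes and let folding join the lines. The hunk also removes `interval`, `timeout`, `retries` and `start_period`, so Docker's defaults apply — in particular there is no longer a start period, so failures while slapd is still initialising count towards the retry limit; confirm that is intended. The `-Y EXTERNAL -H ldapi:///` branch assumes the healthcheck runs as a user the server maps to the `cn=config` admin over the ldapi socket, which is worth verifying against the image in use before relying on it.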
diff --git a/roles/docker-ldap/templates/lam/groupOfNames.conf.j2 b/roles/docker-ldap/templates/lam/groupOfNames.conf.j2
new file mode 100644
index 00000000..d74163dc
--- /dev/null
+++ b/roles/docker-ldap/templates/lam/groupOfNames.conf.j2
@@ -0,0 +1,5 @@
+type: group
+module: groupOfNames
+cn: cn
+description: description
+member: member
\ No newline at end of file
diff --git a/roles/docker-ldap/vars/lam.yml b/roles/docker-ldap/vars/lam.yml
new file mode 100644
index 00000000..f412bbbe
--- /dev/null
+++ b/roles/docker-ldap/vars/lam.yml
@@ -0,0 +1 @@
+lam_profiles_dir: "{{ docker_compose.directories.volumes }}lam/config/profiles/"
\ No newline at end of file
diff --git a/roles/docker-ldap/vars/main.yml b/roles/docker-ldap/vars/main.yml
index 50187061..bb7681ea 100644
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@@ -1,12 +1,12 @@
-application_id: "ldap"
-ldaps_docker_port: 636
-ldap_docker_port: 389
+application_id: "ldap"
+ldaps_docker_port: 636
+ldap_docker_port: 389
 
-enable_wildcard_certificate: false # Deactivate dedicated Certificate
+enable_wildcard_certificate: false # Deactivate Wildcard Certificate
 
-ldif_host_path: "{{docker_compose.directories.volumes}}ldif/"
-ldif_docker_path: "/tmp/ldif/"
-ldap.dn.application_roles: "ou=application_roles,{{ldap.dn.root}}"
+ldif_host_path: "{{docker_compose.directories.volumes}}ldif/"
+ldif_docker_path: "/tmp/ldif/"
+ldap.dn.application_roles: "ou=application_roles,{{ldap.dn.root}}"
 ldif_types:
   - configuration
   - data
diff --git a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
index 403a3e3c..8d322f2a 100644
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@@ -16,4 +16,5 @@ provider_display_name = "Keycloak"
 
 # role restrictions
 #cookie_roles = "realm_access.roles"
-allowed_roles = "{{applications.oauth2_proxy.allowed_roles}}" # This is not correct here. needs to be placed in applications @todo move there when implementing
\ No newline at end of file
+#allowed_groups = "{{applications.oauth2_proxy.allowed_roles}}" # This is not correct here. needs to be placed in applications @todo move there when implementing
+# @see https://chatgpt.com/share/67f42607-bf68-800f-b587-bd56fe9067b5
\ No newline at end of file
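Review bot: Commenting out `allowed_roles` removes the only authorization restriction visible in this config, so until the value is moved into `applications` as the @todo says, oauth2-proxy will admit any user Keycloak authenticates rather than only the intended roles; if that interim state is not acceptable the line should stay active, or the change be held until the replacement lands. The commented replacement `#allowed_groups = "{{applications.oauth2_proxy.allowed_roles}}"` also pairs the `allowed_groups` key with a variable named `allowed_roles`; in oauth2-proxy `allowed_groups` matches the groups claim while `allowed_roles` is the Keycloak-OIDC realm-role filter, so either the key or the variable name should change when it is re-enabled. A `@see` link to a chat transcript is not durable documentation for a security-relevant decision — state the reasoning in the comment itself, e.g. `# allowed_roles disabled until the role restriction is configured in applications; re-enable before exposing protected services`.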