Optimized memberof for docker-ldap. LAM integration not functioning yet

Kevin Veen-Birkenbach 2025-04-07 23:39:06 +02:00
parent b00988e792
commit 87d5854831
GPG Key ID: 44D8F11FD62F878E
11 changed files with 70 additions and 22 deletions


@ -55,8 +55,9 @@ defaults_redirect_domain_mappings:
- { source: "funkwhale.{{primary_domain}}", target: "{{domains.funkwhale}}" } - { source: "funkwhale.{{primary_domain}}", target: "{{domains.funkwhale}}" }
- { source: "gitea.{{primary_domain}}", target: "{{domains.gitea}}" } - { source: "gitea.{{primary_domain}}", target: "{{domains.gitea}}" }
- { source: "keycloak.{{primary_domain}}", target: "{{domains.keycloak}}" } - { source: "keycloak.{{primary_domain}}", target: "{{domains.keycloak}}" }
- { source: "lam.{{primary_domain}}", target: "{{domains.ldap}}" }
- { source: "listmonk.{{primary_domain}}", target: "{{domains.listmonk}}" } - { source: "listmonk.{{primary_domain}}", target: "{{domains.listmonk}}" }
- { source: "mailu.{{primary_domain}}", target: "{{domains.mailu}}" } - { source: "mailu.{{primary_domain}}", target: "{{domains.mailu}}" }
- { source: "moodle.{{primary_domain}}", target: "{{domains.moodle}}" } - { source: "moodle.{{primary_domain}}", target: "{{domains.moodle}}" }
- { source: "nextcloud.{{primary_domain}}", target: "{{domains.nextcloud}}" } - { source: "nextcloud.{{primary_domain}}", target: "{{domains.nextcloud}}" }
- { source: "openproject.{{primary_domain}}", target: "{{domains.openproject}}" } - { source: "openproject.{{primary_domain}}", target: "{{domains.openproject}}" }
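Review bot: The new `lam.{{primary_domain}}` mapping is added unconditionally, while the LAM deployment itself is guarded by `applications.ldap.webinterface == 'lam'` elsewhere in this commit; when phpldapadmin is the selected web interface the redirect still sends `lam.` to `{{domains.ldap}}`, which then serves a different tool. If that is intended, a short comment on the entry would help, e.g. `# lam. redirects to the ldap domain; only meaningful when applications.ldap.webinterface == 'lam'`. The other entries pair a name with its own domain (`gitea` → `domains.gitea`) whereas this one maps to `domains.ldap`, so without the comment a reader may take it for a typo.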


@ -27,3 +27,9 @@ EOF
``` ```
### Verifiy that MemberOf is activated and loaded
```bash
docker exec -it openldap sh -c 'ls -l /opt/bitnami/openldap/lib/openldap/memberof.*'
docker exec -it openldap ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))'
```


@ -0,0 +1,33 @@
- name: "load lam variables"
include_vars:
file: lam.yml
- name: "Ensure LAM profiles directory exists"
file:
path: "{{ lam_profiles_dir }}"
state: directory
mode: '0755'
recurse: true
- name: "create {{docker_compose.directories.env}}lam.env"
template:
src: "lam/env.j2"
dest: "{{docker_compose.directories.env}}lam.env"
mode: '770'
force: yes
notify: docker compose project setup
- name: "create default.group to enable groupOfNames in LAM"
template:
src: "lam/default.group.j2"
dest: "{{ lam_profiles_dir }}/default.group"
mode: '0644'
notify: docker compose project setup
- name: "Create groupOfNames.conf to enable groupOfNames as base module in LAM"
template:
src: "lam/groupOfNames.conf.j2"
dest: "{{ lam_profiles_dir }}/groupOfNames.conf"
mode: '0644'
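Review bot: `mode: '770'` on the `lam.env` template task grants group write and execute on the environment file, which is inconsistent with the `'0755'`/`'0644'` modes in the same file and looser than a file that presumably carries LDAP connection settings and credentials needs; `mode: '0600'` (or `'0640'` if a group must read it) together with `force: true` instead of `force: yes` would be the safer form. Separately, `recurse: true` on the profiles-directory task re-applies `0755` to every file beneath it on each run, after which the two template tasks set their files back to `0644`, so the play reports changes and fires the handler every time; dropping `recurse` avoids that. The final `groupOfNames.conf` task also lacks `notify: docker compose project setup`, unlike the `default.group` task, unless a line was lost in rendering, so a change to that file alone would not trigger the project setup handler.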


@ -39,13 +39,8 @@
notify: docker compose project setup notify: docker compose project setup
when: applications.ldap.webinterface == 'phpldapadmin' when: applications.ldap.webinterface == 'phpldapadmin'
- name: "create {{docker_compose.directories.env}}lam.env" - name: "execute lam tasks"
template: include_tasks: lam.yml
src: "lam.env.j2"
dest: "{{docker_compose.directories.env}}lam.env"
mode: '770'
force: yes
notify: docker compose project setup
when: applications.ldap.webinterface == 'lam' when: applications.ldap.webinterface == 'lam'
- name: "copy docker-compose.yml and env file" - name: "copy docker-compose.yml and env file"
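Review bot: `include_tasks: lam.yml` is where `lam_profiles_dir` gets loaded (the included file starts with an `include_vars` of `lam.yml`), and the compose template rendered by the following `copy docker-compose.yml and env file` task references that variable; the dependency is satisfied only by task order, and moving or skipping the include would break rendering for the `lam` web interface. Defining `lam_profiles_dir` in the role's main vars next to `ldif_host_path`, or documenting the ordering with a comment such as `# must run before the compose template: loads lam_profiles_dir`, would make it explicit. The enclosing task list continues on both sides of the hunk.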


@ -8,11 +8,13 @@ services:
driver: journald driver: journald
restart: {{docker_restart_policy}} restart: {{docker_restart_policy}}
{% if applications.ldap.webinterface == 'lam' %} {% if applications.ldap.webinterface == 'lam' %}
image: ghcr.io/ldapaccountmanager/lam:{{applications.ldap.lam.version}} # Dies ist das Docker-Image für LAM image: ghcr.io/ldapaccountmanager/lam:{{applications.ldap.lam.version}}
ports: ports:
- 127.0.0.1:{{ports.localhost.http.ldap}}:80 - 127.0.0.1:{{ports.localhost.http.ldap}}:80
env_file: env_file:
- "{{docker_compose.directories.env}}lam.env" - "{{docker_compose.directories.env}}lam.env"
volumes:
- "{{ lam_profiles_dir }}:/var/lib/ldap-account-manager/config/profiles/"
{% elif applications.ldap.webinterface == 'phpldapadmin' %} {% elif applications.ldap.webinterface == 'phpldapadmin' %}
image: leenooks/phpldapadmin:{{applications.ldap.phpldapadmin.version}} image: leenooks/phpldapadmin:{{applications.ldap.phpldapadmin.version}}
@ -34,11 +36,14 @@ services:
- '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import - '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import
healthcheck: healthcheck:
test: > test: >
ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.administrator}}" -w "{{ldap.bind_credential}}" bash -c '
interval: 30s ldapsearch -x -H ldap://localhost:{{ ldap_docker_port }} \
timeout: 10s -D "{{ ldap.dn.administrator }}" -w "{{ ldap.bind_credential }}" -b "{{ ldap.dn.root }}" > /dev/null \
retries: 3 && \
start_period: 20s ldapsearch -Y EXTERNAL -H ldapi:/// \
-b cn=config "(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))" \
| grep "olcOverlay:" | grep -q "memberof"
'
{% include 'templates/docker/container/networks.yml.j2' %} {% include 'templates/docker/container/networks.yml.j2' %}
{% include 'templates/docker/compose/volumes.yml.j2' %} {% include 'templates/docker/compose/volumes.yml.j2' %}
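Review bot: The healthcheck keeps `test: >` (folded) while its new body is a multi-line `bash -c '…'` script with trailing `\` continuations; indentation is not recoverable from this rendering, but unless every continuation line is indented deeper than `bash -c '`, YAML folds the lines with single spaces, each `\` becomes an escaped space, the first ldapsearch receives a bogus filter argument and the second command is looked up as a command named `' '`, so the container never becomes healthy. Switching to `test: |` keeps the line breaks so the continuations behave as written, or the exec-array form avoids the shell entirely. The second command also assumes the container's process user is authorized via SASL EXTERNAL on `ldapi:///` to read `cn=config`; that is worth verifying against the image, since a denial has the same never-healthy effect. Note that `{{ ldap.bind_credential }}` remains inline in the healthcheck string, as before this change, where it is visible through `docker inspect`.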


@ -0,0 +1 @@
Modules: groupOfNames


@ -0,0 +1,5 @@
type: group
module: groupOfNames
cn: cn
description: description
member: member


@ -0,0 +1 @@
lam_profiles_dir: "{{ docker_compose.directories.volumes }}lam/config/profiles/"


@ -1,12 +1,12 @@
application_id: "ldap" application_id: "ldap"
ldaps_docker_port: 636 ldaps_docker_port: 636
ldap_docker_port: 389 ldap_docker_port: 389
enable_wildcard_certificate: false # Deactivate dedicated Certificate enable_wildcard_certificate: false # Deactivate Wildcard Certificate
ldif_host_path: "{{docker_compose.directories.volumes}}ldif/" ldif_host_path: "{{docker_compose.directories.volumes}}ldif/"
ldif_docker_path: "/tmp/ldif/" ldif_docker_path: "/tmp/ldif/"
ldap.dn.application_roles: "ou=application_roles,{{ldap.dn.root}}" ldap.dn.application_roles: "ou=application_roles,{{ldap.dn.root}}"
ldif_types: ldif_types:
- configuration - configuration
- data - data


@ -16,4 +16,5 @@ provider_display_name = "Keycloak"
# role restrictions # role restrictions
#cookie_roles = "realm_access.roles" #cookie_roles = "realm_access.roles"
allowed_roles = "{{applications.oauth2_proxy.allowed_roles}}" # This is not correct here. needs to be placed in applications @todo move there when implementing #allowed_groups = "{{applications.oauth2_proxy.allowed_roles}}" # This is not correct here. needs to be placed in applications @todo move there when implementing
# @see https://chatgpt.com/share/67f42607-bf68-800f-b587-bd56fe9067b5
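Review bot: Commenting out `allowed_roles` removes the only active role restriction visible in this oauth2-proxy config while the replacement `allowed_groups` line is commented out as well, so after this change any user who can authenticate against Keycloak is passed through by the proxy; if the intent is only to relocate the setting, the active line should stay until the `applications` entry exists, i.e. keep `allowed_roles = "{{applications.oauth2_proxy.allowed_roles}}"` uncommented. The added `@see` link to a chat transcript is not a stable reference for the reasoning; a sentence stating why `allowed_groups` is preferred over `allowed_roles` would serve future readers better. The hunk may continue past the end of this page.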