kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-04-20 23:14:56 +02:00
Code Issues Packages Projects Releases Wiki Activity

Optimized memberof for docker-ldap. LAM integration not functioning yet

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-04-07 23:39:06 +02:00
parent b00988e792
commit 87d5854831
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
11 changed files with 70 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
group_vars/all/03_domains.yml
View File

@ -55,6 +55,7 @@ defaults_redirect_domain_mappings:
- { source: "funkwhale.{{primary_domain}}", target: "{{domains.funkwhale}}" }
- { source: "gitea.{{primary_domain}}", target: "{{domains.gitea}}" }
- { source: "keycloak.{{primary_domain}}", target: "{{domains.keycloak}}" }
- { source: "lam.{{primary_domain}}", target: "{{domains.ldap}}" }
- { source: "listmonk.{{primary_domain}}", target: "{{domains.listmonk}}" }
- { source: "mailu.{{primary_domain}}", target: "{{domains.mailu}}" }
- { source: "moodle.{{primary_domain}}", target: "{{domains.moodle}}" }

6
roles/docker-ldap/Installation.md
View File

@ -27,3 +27,9 @@ EOF
```
### Verifiy that MemberOf is activated and loaded
```bash
docker exec -it openldap sh -c 'ls -l /opt/bitnami/openldap/lib/openldap/memberof.*'
docker exec -it openldap ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))'
```

33
roles/docker-ldap/tasks/lam.yml Normal file
View File

@ -0,0 +1,33 @@
- name: "load lam variables"
include_vars:
file: lam.yml
- name: "Ensure LAM profiles directory exists"
file:
path: "{{ lam_profiles_dir }}"
state: directory
mode: '0755'
recurse: true
- name: "create {{docker_compose.directories.env}}lam.env"
template:
src: "lam/env.j2"
dest: "{{docker_compose.directories.env}}lam.env"
mode: '770'
force: yes
notify: docker compose project setup
- name: "create default.group to enable groupOfNames in LAM"
template:
src: "lam/default.group.j2"
dest: "{{ lam_profiles_dir }}/default.group"
mode: '0644'
notify: docker compose project setup
- name: "Create groupOfNames.conf to enable groupOfNames as base module in LAM"
template:
src: "lam/groupOfNames.conf.j2"
dest: "{{ lam_profiles_dir }}/groupOfNames.conf"
mode: '0644'

9
roles/docker-ldap/tasks/main.yml
View File

@ -39,13 +39,8 @@
notify: docker compose project setup
when: applications.ldap.webinterface == 'phpldapadmin'
- name: "create {{docker_compose.directories.env}}lam.env"
template:
src: "lam.env.j2"
dest: "{{docker_compose.directories.env}}lam.env"
mode: '770'
force: yes
notify: docker compose project setup
- name: "execute lam tasks"
include_tasks: lam.yml
when: applications.ldap.webinterface == 'lam'
- name: "copy docker-compose.yml and env file"

17
roles/docker-ldap/templates/docker-compose.yml.j2
View File

@ -8,11 +8,13 @@ services:
driver: journald
restart: {{docker_restart_policy}}
{% if applications.ldap.webinterface == 'lam' %}
image: ghcr.io/ldapaccountmanager/lam:{{applications.ldap.lam.version}} # Dies ist das Docker-Image für LAM
image: ghcr.io/ldapaccountmanager/lam:{{applications.ldap.lam.version}}
ports:
- 127.0.0.1:{{ports.localhost.http.ldap}}:80
env_file:
- "{{docker_compose.directories.env}}lam.env"
volumes:
- "{{ lam_profiles_dir }}:/var/lib/ldap-account-manager/config/profiles/"
{% elif applications.ldap.webinterface == 'phpldapadmin' %}
image: leenooks/phpldapadmin:{{applications.ldap.phpldapadmin.version}}
@ -34,11 +36,14 @@ services:
- '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import
healthcheck:
test: >
ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.administrator}}" -w "{{ldap.bind_credential}}"
interval: 30s
timeout: 10s
retries: 3
start_period: 20s
bash -c '
ldapsearch -x -H ldap://localhost:{{ ldap_docker_port }} \
-D "{{ ldap.dn.administrator }}" -w "{{ ldap.bind_credential }}" -b "{{ ldap.dn.root }}" > /dev/null \
&& \
ldapsearch -Y EXTERNAL -H ldapi:/// \
-b cn=config "(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))" \
| grep "olcOverlay:" | grep -q "memberof"
'
{% include 'templates/docker/container/networks.yml.j2' %}
{% include 'templates/docker/compose/volumes.yml.j2' %}

1
roles/docker-ldap/templates/lam/default.group.j2 Normal file
View File

@ -0,0 +1 @@
Modules: groupOfNames

0
roles/docker-ldap/templates/lam.env.j2 → roles/docker-ldap/templates/lam/env.j2
View File

5
roles/docker-ldap/templates/lam/groupOfNames.conf.j2 Normal file
View File

@ -0,0 +1,5 @@
type: group
module: groupOfNames
cn: cn
description: description
member: member

1
roles/docker-ldap/vars/lam.yml Normal file
View File

@ -0,0 +1 @@
lam_profiles_dir: "{{ docker_compose.directories.volumes }}lam/config/profiles/"

2
roles/docker-ldap/vars/main.yml
View File

@ -2,7 +2,7 @@ application_id: "ldap"
ldaps_docker_port: 636
ldap_docker_port: 389
enable_wildcard_certificate: false # Deactivate dedicated Certificate
enable_wildcard_certificate: false # Deactivate Wildcard Certificate
ldif_host_path: "{{docker_compose.directories.volumes}}ldif/"
ldif_docker_path: "/tmp/ldif/"

3
roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
View File

@ -16,4 +16,5 @@ provider_display_name = "Keycloak"
# role restrictions
#cookie_roles = "realm_access.roles"
allowed_roles = "{{applications.oauth2_proxy.allowed_roles}}" # This is not correct here. needs to be placed in applications @todo move there when implementing
#allowed_groups = "{{applications.oauth2_proxy.allowed_roles}}" # This is not correct here. needs to be placed in applications @todo move there when implementing
# @see https://chatgpt.com/share/67f42607-bf68-800f-b587-bd56fe9067b5