From 8be422cc9981c72340b86f0c9162d2bb730fab32 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Tue, 18 Mar 2025 20:25:07 +0100
Subject: [PATCH] Updated ldap docu and implemented change draft

---
 roles/docker-ldap/Administration.md |   9 +-
 roles/docker-ldap/Change_DN.md      | 156 ++++++++++++++++++++++++++++
 roles/docker-ldap/tasks/main.yml    |   2 +-
 roles/docker-ldap/templates/env.j2  |   4 +-
 4 files changed, 166 insertions(+), 5 deletions(-)
 create mode 100644 roles/docker-ldap/Change_DN.md

diff --git a/roles/docker-ldap/Administration.md b/roles/docker-ldap/Administration.md
index 35eea055..f6fe9b04 100644
--- a/roles/docker-ldap/Administration.md
+++ b/roles/docker-ldap/Administration.md
@@ -13,14 +13,19 @@ docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'c
 docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=olcModuleList)'"
 ```
 
+### Databases Overview
+```bash
+docker exec -it openldap ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcDatabase=*)"
+```
+
 ## Show all Entries
 ```bash 
-docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" LDAP_DN_BASE="$LDAP_DN_BASE" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"\$LDAP_DN_BASE\"";
+docker exec -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"\$LDAP_ADMIN_DN\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"\$LDAP_ROOT\"";
 ```
 
 ### Delete Groups and Subgroup
 To delete the group inclusive all subgroups use:
 ```bash
-docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"ou=applications,ou=groups,\$LDAP_DN_BASE\" dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done"
+docker exec -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"\$LDAP_ADMIN_DN\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"ou=applications,ou=groups,\$LDAP_ROOT\" dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D \"\$LDAP_ADMIN_DN\" -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done"
 
 ```
\ No newline at end of file
diff --git a/roles/docker-ldap/Change_DN.md b/roles/docker-ldap/Change_DN.md
new file mode 100644
index 00000000..e7f3036b
--- /dev/null
+++ b/roles/docker-ldap/Change_DN.md
@@ -0,0 +1,156 @@
+Here is the full content in English with all instructions, formatted as a markdown (`CHANGE_DN.md`) file:
+
+```md
+# Change Distinguished Name (DN) in OpenLDAP Docker
+
+This document provides a step-by-step guide on how to rename the Distinguished Name (DN) from `cn=administrator,dc=flock,dc=town` to `cn=administrator,dc=cymais,dc=cloud` in an **OpenLDAP Docker** environment.
+
+**Reference:** [Conversation Link](https://chatgpt.com/share/67d9a2f7-4e04-800f-9a0f-1673194f276c)
+
+---
+
+## 1. Export the Current Entry
+
+Connect to the OpenLDAP container and export the current entry:
+
+```sh
+docker exec -it openldap sh -c 'ldapsearch -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" -b "$LDAP_ROOT"' > all_entries.ldif
+```
+
+If your ***LDAP_ADMIN_DN*** and ***LDAP_ROOT***  are not accured pass them via ``--env``.
+
+---
+
+## 2. Modify the LDIF File
+
+Open `all_entries.ldif` and update the DN (`dn:` line) and `dc` attributes.
+
+- Open the file in an editor (`nano`, `vim`, `sed`).
+- Replace **all occurrences** of `dc=flock,dc=town` with `dc=cymais,dc=cloud`.
+
+**Using `sed` to modify automatically:**
+```sh
+sed -i 's/dc=flock,dc=town/dc=cymais,dc=cloud/g' all_entries.ldif
+```
+
+**Before:**
+```ldif
+dn: cn=administrator,dc=flock,dc=town
+cn: administrator
+objectClass: organizationalRole
+objectClass: simpleSecurityObject
+userPassword: {SSHA}...
+```
+
+**After:**
+```ldif
+dn: cn=administrator,dc=cymais,dc=cloud
+cn: administrator
+objectClass: organizationalRole
+objectClass: simpleSecurityObject
+userPassword: {SSHA}...
+```
+
+---
+
+## 3. Delete the Old Entry
+
+### Generate a Recursive Delete LDIF
+We need an **LDIF file that deletes all objects** under `dc=flock,dc=town`.
+
+Instead of manually writing an LDIF file, you can use `ldapsearch` and `awk` to generate it dynamically:
+
+```sh
+docker exec -it openldap sh -c 'ldapsearch -x -D "cn=administrator,dc=flock,dc=town" -w "$LDAP_ADMIN_PASSWORD" -b "dc=flock,dc=town" dn' | awk "/^dn:/ {print \$2}" | tac > delete_all_dns.txt
+```
+
+This creates an **ordered delete list**, starting with child objects before deleting `dc=flock,dc=town`.
+
+---
+
+#### Apply the Recursive Delete
+Now apply the generated `delete_all.ldif` to delete all entries **recursively**:
+
+```sh
+docker exec -i openldap sh -c '
+while read dn; do
+  ldapdelete -x -D "cn=administrator,dc=flock,dc=town" -w "$LDAP_ADMIN_PASSWORD" "$dn"
+done' < delete_all_dns.txt
+```
+
+---
+
+#### Verify That Everything Is Deleted
+After running the delete command, verify that `dc=flock,dc=town` is empty:
+
+```sh
+docker exec -it openldap sh -c 'ldapsearch -x -D "cn=administrator,dc=flock,dc=town" -w "$LDAP_ADMIN_PASSWORD" -b "dc=flock,dc=town"'
+```
+- ✅ If **no results** are returned, the domain has been deleted successfully.
+- ❌ If results still exist, some entries were not removed.
+
+
+---
+
+#### Manually Create the Base DN (dc=cymais,dc=cloud)
+Before importing the full LDIF file, you need to explicitly create the base DN (dc=cymais,dc=cloud) first.
+
+#### Create base.ldif for dc=cymais,dc=cloud
+Save this LDIF content into a file:
+```sh
+dn: dc=cymais,dc=cloud
+objectClass: top
+objectClass: domain
+dc: cymais
+```
+#### Add the Base DN to LDAP
+Run the following command to create the base DN before importing other entries:
+```sh
+cat base.ldif | docker exec -i openldap sh -c 'ldapadd -x -D "cn=admin,dc=cymais,dc=cloud" -w "$LDAP_ADMIN_PASSWORD"'
+```
+
+docker exec -i openldap ldapadd -Y EXTERNAL -H ldapi:/// -f /dev/stdin < new_database.ldif
+
+## 4. Add the New Entry
+
+Now, upload the modified `all_entries.ldif`:
+
+```sh
+cat all_entries.ldif | docker exec -i openldap sh -c 'ldapadd -x -D "cn=admin,dc=cymais,dc=cloud" -w "$LDAP_ADMIN_PASSWORD"'
+```
+
+---
+
+## 5. Update Root DN Configuration
+
+If `cn=administrator` is used as `rootdn`, update the OpenLDAP configuration file (`slapd.conf` or `olcDatabase={1}mdb.ldif` under `cn=config`).
+
+Find:
+```ldif
+olcRootDN: cn=administrator,dc=flock,dc=town
+```
+Replace with:
+```ldif
+olcRootDN: cn=administrator,dc=cymais,dc=cloud
+```
+
+Save the change and apply it:
+
+```sh
+docker exec -it openldap ldapmodify -Y EXTERNAL -H ldapi:/// -f config_update.ldif
+```
+
+---
+
+## 6. Restart OpenLDAP
+
+Restart the OpenLDAP container if necessary:
+
+```sh
+docker restart openldap
+```
+
+Now, `cn=administrator,dc=cymais,dc=cloud` should be active as the new administrator account.
+```
+
+This file contains the complete set of instructions in English, properly formatted, and ready to be used in OpenLDAP Docker. Let me know if you need any adjustments! 🚀
\ No newline at end of file
diff --git a/roles/docker-ldap/tasks/main.yml b/roles/docker-ldap/tasks/main.yml
index 8b737bcb..325b7957 100644
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@@ -38,7 +38,7 @@
     force: yes
   notify: docker compose project setup
   when: applications.ldap.webinterface == 'phpldapadmin'
-
+  
 - name: "create {{docker_compose.directories.env}}lam.env"
   template: 
     src:  "lam.env.j2" 
diff --git a/roles/docker-ldap/templates/env.j2 b/roles/docker-ldap/templates/env.j2
index 19a3c72d..c5bcd08d 100644
--- a/roles/docker-ldap/templates/env.j2
+++ b/roles/docker-ldap/templates/env.j2
@@ -3,8 +3,8 @@
       
 # GENERAL
 ## Database
-LDAP_ADMIN_USERNAME=        {{applications.ldap.users.administrator.username}}          # LDAP database admin user.
-LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}} # LDAP database admin password.
+LDAP_ADMIN_USERNAME=        {{applications.ldap.users.administrator.username}}      # LDAP database admin user.
+LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}}   # LDAP database admin password.
 
 ## Users
 LDAP_USERS=                 ' '                             # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02