Optimized nextcloud keycloak ldap implementation

Kevin Veen-Birkenbach 2025-03-21 22:50:48 +01:00
parent e2166235ad
commit 99f633d222
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
7 changed files with 103 additions and 21 deletions


@ -338,33 +338,33 @@ defaults_applications:
## Nextcloud ## Nextcloud
nextcloud: nextcloud:
version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
ldap: ldap:
enabled: True # Enables LDAP by default enabled: True # Enables LDAP by default
oidc: oidc:
enabled: "{{ _applications_nextcloud_oidc_enabled }}" # Activate OIDC for Nextcloud enabled: "{{ _applications_nextcloud_oidc_enabled }}" # Activate OIDC for Nextcloud
# floavor decides which OICD plugin should be used. # floavor decides which OICD plugin should be used.
# Available options: oidc_login, sociallogin # Available options: oidc_login, sociallogin
# @see https://apps.nextcloud.com/apps/oidc_login # @see https://apps.nextcloud.com/apps/oidc_login
# @see https://apps.nextcloud.com/apps/sociallogin # @see https://apps.nextcloud.com/apps/sociallogin
flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet
matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking
css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style
landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe
database: database:
central_storage: True # Activate Central Database Storage central_storage: True # Activate Central Database Storage
credentials: credentials:
# database_password: Null # Needs to be set in inventory file # database_password: Null # Needs to be set in inventory file
users: users:
administrator: administrator:
username: "{{users.administrator.username}}" username: "{{users.administrator.username}}"
initial_password: "{{users.administrator.initial_password}}" # Keep in mind to change the password fast after creation and activate 2FA initial_password: "{{users.administrator.initial_password}}" # Keep in mind to change the password fast after creation and activate 2FA
default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes) default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes)
legacy_login_mask: legacy_login_mask:
enabled: False # If true, then legacy login mask is shown. Otherwise just SSO enabled: False # If true, then legacy login mask is shown. Otherwise just SSO
container: container:
application: "nextcloud-application" # Nextcloud application container name application: "nextcloud-application" # Nextcloud application container name
proxy: "nextcloud-web" # Nextcloud Proxy Container Name proxy: "nextcloud-web" # Nextcloud Proxy Container Name
performance: performance:
php: php:
memory_limit: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory limit memory_limit: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory limit


@ -885,6 +885,7 @@
"email" "email"
], ],
"optionalClientScopes": [ "optionalClientScopes": [
"nextcloud",
"address", "address",
"phone", "phone",
"organization", "organization",
@ -1195,7 +1196,7 @@
{ {
"id": "15dd4961-5b4f-4635-a3f1-a21e1fa7bf3a", "id": "15dd4961-5b4f-4635-a3f1-a21e1fa7bf3a",
"name": "nextcloud", "name": "nextcloud",
"description": "", "description": "Optimized mappers for nextcloud oidc_login with ldap.",
"protocol": "openid-connect", "protocol": "openid-connect",
"attributes": { "attributes": {
"include.in.token.scope": "false", "include.in.token.scope": "false",
@ -1222,6 +1223,25 @@
"claim.name": "nextcloudQuota", "claim.name": "nextcloudQuota",
"jsonType.label": "int" "jsonType.label": "int"
} }
},
{
"id": "018c63c6-3fea-43fe-abbf-2c17e3f2353f",
"name": "UID Mapper",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"aggregate.attrs": "false",
"introspection.token.claim": "true",
"multivalued": "false",
"userinfo.token.claim": "true",
"user.attribute": "username",
"id.token.claim": "true",
"lightweight.claim": "false",
"access.token.claim": "true",
"claim.name": "{{ldap.attributes.user_id}}",
"jsonType.label": "String"
}
} }
] ]
}, },
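Review bot: The new UID Mapper (third hunk) emits the claim `{{ldap.attributes.user_id}}` from the Keycloak `username` attribute, and the companion config.php change makes that claim the Nextcloud account identifier; since `username` is an editable attribute unless the realm forbids username edits or the users are read-only LDAP-federated, a rename in Keycloak would detach a person from their Nextcloud account and a reused name could attach a different person to it, so confirm the realm pins usernames before relying on this claim. Both this mapper and the existing `nextcloudQuota` mapper live in the `nextcloud` client scope, which the first hunk adds only to `optionalClientScopes`, so the Nextcloud client has to request that scope explicitly (oidc_login's `oidc_login_scope` setting would need to include `nextcloud`) or neither claim reaches the token — nothing in this file shows that request. `"claim.name": "{{ldap.attributes.user_id}}"` is a Jinja substitution inside a JSON string with no escaping filter, so an undefined variable or one containing a quote breaks the whole realm import rather than one mapper; `{{ ldap.attributes.user_id | mandatory }}` or a quoting filter would fail early and loudly. The enclosing `protocolMappers` array starts outside the hunk.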


@ -2,6 +2,12 @@
Details on specific apps like Cospend, including related SQL queries and debugging tips. Details on specific apps like Cospend, including related SQL queries and debugging tips.
## Recieve Plugin Information
To recieve the relevant configuration options for a plugin type:
```bash
docker compose exec -u www-data application php occ config:list oidc_login
```
## App Relevant Tables 🗃️ ## App Relevant Tables 🗃️
- `oc_appconfig` - `oc_appconfig`


@ -15,6 +15,12 @@ docker compose exec -u www-data application /var/www/html/occ config:app:get soc
More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
## Get LDAP Configuration
```bash
docker compose exec -u www-data application php occ ldap:show-config
```
## Get all relevant entries except password ## Get all relevant entries except password
```sql ```sql
@ -27,6 +33,40 @@ SELECT * FROM `oc_appconfig` WHERE appid LIKE "%ldap%" and configkey != "s01ldap
docker compose exec -it -u www-data application php occ ldap:check-user --update {{username}} docker compose exec -it -u www-data application php occ ldap:check-user --update {{username}}
``` ```
## Update LDAP Sync
```bash
docker compose exec -u www-data application php occ user:sync-account-data
```
### Update Each User
If you want to update **every LDAP user**, run:
```bash
for user in $(docker compose exec -u www-data application php occ user:list --output=json | jq -r 'keys[]'); do
docker compose exec -u www-data application php occ ldap:check-user --update "$user"
done
```
### Unlink All
```bash
for user in $(docker compose exec -u www-data application php occ ldap:show-remnants | tail -n +3 | awk -F '|' '{print $2}' | tr -d ' ' | grep -v '^$'); do
echo "Unlinking user from LDAP: $user"
echo "y" | docker compose exec -T -u www-data application php occ ldap:reset-user "$user"
done
```
### Reset LDAP Links for Orphaned Users
Run this **corrected script**:
```bash
for user in $(docker compose exec -u www-data application php occ ldap:show-remnants | tail -n +3 | awk -F '|' '{print $2}' | tr -d ' ' | grep -v '^$'); do
echo "Resetting LDAP link for user: $user"
echo "y" | docker compose exec -T -u www-data application php occ ldap:reset-user "$user"
done
```
## Federation ## Federation
If users are just created via Keycloak and not via LDAP, they have a different username. Due to this reaso concider to use LDAP to guaranty that the username is valid. If users are just created via Keycloak and not via LDAP, they have a different username. Due to this reaso concider to use LDAP to guaranty that the username is valid.


@ -16,6 +16,11 @@ docker-compose exec -it -u www-data application /var/www/html/occ
docker compose exec -it -u www-data application php occ user:list docker compose exec -it -u www-data application php occ user:list
``` ```
### Get User Info
```bash
docker compose exec -u www-data application php occ user:info {{username}}
```
### Sync Users ### Sync Users
```bash ```bash
docker compose exec -it -u www-data application php occ user:sync docker compose exec -it -u www-data application php occ user:sync
@ -35,7 +40,18 @@ docker compose exec -it -u www-data application php occ group:adduser admin {{us
```bash ```bash
docker compose exec -it -u www-data application php occ user:delete {{username}} docker compose exec -it -u www-data application php occ user:delete {{username}}
``` ```
---
### Delete all User (if no ldap is used)
```bash
for user in $(docker compose exec -u www-data application php occ user:list --output=json | jq -r 'keys[]'); do
docker compose exec -u www-data application php occ user:delete "$user"
done
```
### Identify users which exist still in nextcloud but not in LDAP anymore
```bash
occ ldap:show-remnants
```
## App Administration ## App Administration
```bash ```bash


@ -97,10 +97,10 @@ return array (
// note: on Keycloak, OIDC name claim = "${given_name} ${family_name}" or one of them if any is missing // note: on Keycloak, OIDC name claim = "${given_name} ${family_name}" or one of them if any is missing
// //
'oidc_login_attributes' => array ( 'oidc_login_attributes' => array (
'id' => 'username', 'id' => '{{ldap.attributes.user_id}}',
'name' => 'name', 'name' => 'name',
'mail' => 'email', 'mail' => 'email',
# 'quota' => 'nextcloudQuota', # Not implemented yet 'quota' => 'nextcloudQuota',
# 'home' => 'homeDirectory', # Not implemented yet # 'home' => 'homeDirectory', # Not implemented yet
'ldap_uid' => 'preferred_username', 'ldap_uid' => 'preferred_username',
# 'groups' => 'ownCloudGroups', # Not implemented yet # 'groups' => 'ownCloudGroups', # Not implemented yet
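Review bot: `'id' => '{{ldap.attributes.user_id}}'` ties the Nextcloud user identifier to a claim that only works if the Keycloak realm export emits a mapper with exactly that claim name and the Nextcloud LDAP backend uses the same attribute as its internal username; that three-way invariant is undocumented here, so a comment above the line would help: `// 'id' must be the claim Keycloak emits for the LDAP user-id attribute, so an OIDC login attaches to the LDAP-provisioned account instead of creating a second one`. `'ldap_uid'` still reads `preferred_username` while `'id'` now reads the LDAP uid claim; if both are meant to identify the same directory entry, pointing `ldap_uid` at the same claim would stop a later Keycloak change to `preferred_username` from making them diverge, though whether `ldap_uid` is consulted at all depends on the `oidc_login_proxy_ldap` setting, which is outside this hunk. Enabling `'quota' => 'nextcloudQuota'` means Nextcloud now consumes the mapper's `int`-typed claim; the defaults file suggests a missing value falls back to `default_quota`, but a non-numeric value is not covered there — verify how oidc_login treats it. The `oidc_login_attributes` array closes outside the hunk.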


@ -210,7 +210,7 @@ cards:
- icon: - icon:
class: "fa-solid fa-envelope" class: "fa-solid fa-envelope"
title: "Mailu Mail Server" title: "Mail Server"
text: "Revolutionize your email communications with Mailu, a secure and flexible mail server solution that integrates seamlessly into your workflow. Experience enhanced reliability, robust security, and an energetic approach to managing your digital correspondence." text: "Revolutionize your email communications with Mailu, a secure and flexible mail server solution that integrates seamlessly into your workflow. Experience enhanced reliability, robust security, and an energetic approach to managing your digital correspondence."
url: https://{{domains.mailu}} url: https://{{domains.mailu}}
link_text: "Elevate Your Email Now!" link_text: "Elevate Your Email Now!"
@ -682,19 +682,19 @@ navigation:
class: fas fa-user-shield class: fas fa-user-shield
iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }} iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
children: children:
- name: Keycloak Master Admin - name: Administration
description: Access the central admin console description: Access the central admin console
icon: icon:
class: fa-solid fa-shield-halved class: fa-solid fa-shield-halved
url: https://{{domains.keycloak}}/admin url: https://{{domains.keycloak}}/admin
iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }} iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
- name: Manage Your Profile - name: Profile
description: Update your personal admin settings description: Update your personal admin settings
icon: icon:
class: fa-solid fa-user-gear class: fa-solid fa-user-gear
url: https://{{ domains.keycloak }}/realms/{{oidc.client.id}}/account url: https://{{ domains.keycloak }}/realms/{{oidc.client.id}}/account
iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }} iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
- name: Log Out of Keycloak - name: Logout
description: End your admin session securely description: End your admin session securely
icon: icon:
class: fa-solid fa-right-from-bracket class: fa-solid fa-right-from-bracket