Optimized Nextcloud for OIDC flavor login and adapted user administrator credentials

roles/docker-ldap/README.md

@@ -62,7 +62,7 @@ EOF
 
 ```
 
-### Show all Entires
+### Show all Entries
 ```bash 
 docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world'";
 ```

roles/docker-ldap/handlers/main.yml

@@ -2,7 +2,9 @@
   shell: >
     docker exec -i openldap ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}01_member_of_configuration.ldif
   listen: "Import LDIF files"
-  ignore_errors: true # @todo check if this works
+  # @todo Remove the following ignore errors when setting up a new server
+  # Just here because debugging would take to much time
+  ignore_errors: true
 
 - name: Refint Module Activation for OpenLDAP
   shell: >
@@ -10,7 +12,9 @@
   listen: "Import LDIF files"
   register: ldapadd_result
   failed_when: ldapadd_result.rc not in [0, 68]
-  ignore_errors: true # @todo check if this works
+  # @todo Remove the following ignore errors when setting up a new server
+  # Just here because debugging would take to much time
+  ignore_errors: true
 
 - name: Refint Overlay Configuration for OpenLDAP
   shell: >
@@ -18,15 +22,24 @@
   listen: "Import LDIF files"
   register: ldapadd_result
   failed_when: ldapadd_result.rc not in [0, 68]
-  ignore_errors: true # @todo check if this works
+  # @todo Remove the following ignore errors when setting up a new server
+  # Just here because debugging would take to much time
+  ignore_errors: true
 
 - name: "Import users, groups, etc. to LDAP"
   shell: >
-    docker exec -i openldap ldapadd -x -D "{{ldap.dn.administrator}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}import/{{ item | basename | regex_replace(r'\.j2$', '') }}"
+    docker exec -i openldap ldapadd -x -D "{{ldap.dn.administrator}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}data/{{ item | basename | regex_replace('\.j2$', '') }}"
   register: ldapadd_result
   changed_when: "'adding new entry' in ldapadd_result.stdout"
-  # Allow return code 0 (all entries added) or 68 (entry already exists)
-  failed_when: ldapadd_result.rc not in [0, 68]
+  failed_when: ldapadd_result.rc not in [0, 20, 68]
   listen: "Import LDIF files"
-  ignore_errors: true
-  loop: "{{ lookup('fileglob', role_path ~ '/templates/ldif/import/*.j2', wantlist=True) }}"
+  loop: "{{ lookup('fileglob', role_path ~ '/templates/ldif/data/*.j2', wantlist=True) }}"
+
+- name: "Import schemas"
+  shell: >
+    docker exec -i openldap ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ldif_docker_path}}schema/{{ item | basename | regex_replace('\.j2$', '') }}"
+  register: ldapadd_result
+  changed_when: "'adding new entry' in ldapadd_result.stdout"
+  failed_when: ldapadd_result.rc not in [0, 80]
+  listen: "Import LDIF files"
+  loop: "{{ lookup('fileglob', role_path ~ '/templates/ldif/schema/*.j2', wantlist=True) }}"

roles/docker-ldap/tasks/create_ldif_files.yml

@@ -1,3 +1,5 @@
+# In own task file for easier looping
+
 - name: "Create LDIF files at {{ ldif_host_path }}/{{ folder }}"
   template:
     src: "{{ item }}"

roles/docker-ldap/templates/env.j2

@@ -3,7 +3,7 @@
       
 # GENERAL
 ## Database
-LDAP_ADMIN_USERNAME=        {{applications.ldap.administrator_username}}          # LDAP database admin user.
+LDAP_ADMIN_USERNAME=        {{applications.ldap.users.administrator.username}}          # LDAP database admin user.
 LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}} # LDAP database admin password.
 
 ## Users
@@ -14,7 +14,7 @@ LDAP_ROOT=                  {{ldap.dn.root}}                # LDAP baseDN (or su
 ## Admin
 LDAP_ADMIN_DN=              {{ldap.dn.administrator}}
 LDAP_CONFIG_ADMIN_ENABLED=  yes
-LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.administrator_username}}
+LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.users.administrator.username}}
 LDAP_CONFIG_ADMIN_PASSWORD= {{applications.ldap.administrator_password}}
   
 # Network

roles/docker-ldap/templates/ldif/configuration/01_member_of_configuration.ldif.j2

@@ -26,6 +26,11 @@
 #
 # IMPORTANT: All groups created before enabling this module must be deleted and recreated,
 # as the overlay only assigns the "member" attribute when a new group is created.
+
+# @todo Solve the following error:
+#fatal: [echoserver]: FAILED! => {"changed": true, "cmd": "docker exec -i openldap ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ldif/01_member_of_configuration.ldif\n", "delta": "0:00:00.059605", "end": "2025-02-25 12:01:18.218851", "msg": "non-zero return code", "rc": 247, "start": "2025-02-25 12:01:18.159246", "stderr": "SASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldapmodify: modify operation type is missing at line 2, entry \"cn=module,cn=config\"", "stderr_lines": ["SASL/EXTERNAL authentication started", "SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth", "SASL SSF: 0", "ldapmodify: modify operation type is missing at line 2, entry \"cn=module,cn=config\""], "stdout": "", "stdout_lines": []}
+
+
 dn: cn=module,cn=config
 cn: module
 objectClass: olcModuleList

roles/docker-ldap/templates/ldif/data/02_users.ldif.j2

@@ -9,16 +9,18 @@ description: Container for application access profiles
 #######################################################################
 # Create Admin User
 #######################################################################
-dn: uid={{administrator_username}},{{ldap.dn.users}}
+dn: uid={{users.administrator.username}},{{ldap.dn.users}}
 objectClass: top
 objectClass: inetOrgPerson
 objectClass: posixAccount
-uid: {{administrator_username}}
+uid: {{users.administrator.username}}
 sn: Administrator
 cn: Administrator
 userPassword: {SSHA}CHANGE_THIS_PASSWORD
 loginShell: /bin/bash
 homeDirectory: /home/admin
+uidNumber: {{users.administrator.uid}}
+gidNumber: {{users.administrator.gid}}
 
 #######################################################################
 # Add Admin User to All Application Role Groups
@@ -29,11 +31,11 @@ homeDirectory: /home/admin
 dn: cn={{ app }}-administrator,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: uid={{administrator_username}},{{ldap.dn.users}}
+roleOccupant: uid={{users.administrator.username}},{{ldap.dn.users}}
 
 dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: uid={{administrator_username}},{{ldap.dn.users}}
+roleOccupant: uid={{users.administrator.username}},{{ldap.dn.users}}
 
 {% endfor %}

roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif_deactivated

@@ -0,0 +1,16 @@
+# nextcloud.schema
+# This schema is deactivated, because with keycloak it's impossible to set schemas to new created users
+# Until then the managament is done over keycloak
+# @todo activate in ldap 
+
+dn: cn=nextcloud,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: nextcloud
+olcAttributeTypes: ( 1.3.6.1.4.1.99999.1 NAME 'nextcloudQuota'
+  DESC 'Quota for Nextcloud'
+  EQUALITY caseIgnoreMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
+olcObjectClasses: ( 1.3.6.1.4.1.99999.2 NAME 'nextcloudUser'
+  DESC 'Auxiliary class for Nextcloud attributes'
+  AUXILIARY
+  MAY ( nextcloudQuota ) )

roles/docker-ldap/templates/ldif/schema/README.md

@@ -0,0 +1 @@
+This folder contains schemas for the different applications to import

roles/docker-ldap/vars/main.yml

@@ -9,4 +9,5 @@ ldif_docker_path:           "/tmp/ldif/"
 ldap.dn.application_roles:  "ou=application_roles,{{ldap.dn.root}}"
 ldif_types:
   - configuration
-  - import 
+  - data
+  - schema