Optimized Nextcloud for OIDC flavor login and adapted user administrator credentials

2025-08-29 15:06:26 +02:00 · 2025-02-25 15:17:56 +01:00
parent ab258cb6dd
commit 9a9bae4f2c
47 changed files with 393 additions and 95 deletions
--- a/roles/docker-ldap/templates/env.j2
+++ b/roles/docker-ldap/templates/env.j2
@@ -3,7 +3,7 @@
      
 # GENERAL
 ## Database
-LDAP_ADMIN_USERNAME=        {{applications.ldap.administrator_username}}          # LDAP database admin user.
+LDAP_ADMIN_USERNAME=        {{applications.ldap.users.administrator.username}}          # LDAP database admin user.
 LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}} # LDAP database admin password.

 ## Users
@@ -14,7 +14,7 @@ LDAP_ROOT=                  {{ldap.dn.root}}                # LDAP baseDN (or su
 ## Admin
 LDAP_ADMIN_DN=              {{ldap.dn.administrator}}
 LDAP_CONFIG_ADMIN_ENABLED=  yes
-LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.administrator_username}}
+LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.users.administrator.username}}
 LDAP_CONFIG_ADMIN_PASSWORD= {{applications.ldap.administrator_password}}
  
 # Network
--- a/roles/docker-ldap/templates/ldif/configuration/01_member_of_configuration.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/configuration/01_member_of_configuration.ldif.j2
@@ -26,6 +26,11 @@
 #
 # IMPORTANT: All groups created before enabling this module must be deleted and recreated,
 # as the overlay only assigns the "member" attribute when a new group is created.
+
+# @todo Solve the following error:
+#fatal: [echoserver]: FAILED! => {"changed": true, "cmd": "docker exec -i openldap ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ldif/01_member_of_configuration.ldif\n", "delta": "0:00:00.059605", "end": "2025-02-25 12:01:18.218851", "msg": "non-zero return code", "rc": 247, "start": "2025-02-25 12:01:18.159246", "stderr": "SASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldapmodify: modify operation type is missing at line 2, entry \"cn=module,cn=config\"", "stderr_lines": ["SASL/EXTERNAL authentication started", "SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth", "SASL SSF: 0", "ldapmodify: modify operation type is missing at line 2, entry \"cn=module,cn=config\""], "stdout": "", "stdout_lines": []}
+
+
 dn: cn=module,cn=config
 cn: module
 objectClass: olcModuleList
--- a/roles/docker-ldap/templates/ldif/import/01_application_roles.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/import/01_application_roles.ldif.j2
--- a/roles/docker-ldap/templates/ldif/import/02_users.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/import/02_users.ldif.j2
@@ -9,16 +9,18 @@ description: Container for application access profiles
 #######################################################################
 # Create Admin User
 #######################################################################
-dn: uid={{administrator_username}},{{ldap.dn.users}}
+dn: uid={{users.administrator.username}},{{ldap.dn.users}}
 objectClass: top
 objectClass: inetOrgPerson
 objectClass: posixAccount
-uid: {{administrator_username}}
+uid: {{users.administrator.username}}
 sn: Administrator
 cn: Administrator
 userPassword: {SSHA}CHANGE_THIS_PASSWORD
 loginShell: /bin/bash
 homeDirectory: /home/admin
+uidNumber: {{users.administrator.uid}}
+gidNumber: {{users.administrator.gid}}

 #######################################################################
 # Add Admin User to All Application Role Groups
@@ -29,11 +31,11 @@ homeDirectory: /home/admin
 dn: cn={{ app }}-administrator,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: uid={{administrator_username}},{{ldap.dn.users}}
+roleOccupant: uid={{users.administrator.username}},{{ldap.dn.users}}

 dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: uid={{administrator_username}},{{ldap.dn.users}}
+roleOccupant: uid={{users.administrator.username}},{{ldap.dn.users}}

 {% endfor %}
--- a/roles/docker-ldap/templates/ldif/import/README.md
+++ b/roles/docker-ldap/templates/ldif/import/README.md
--- a/roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif_deactivated
+++ b/roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif_deactivated
@@ -0,0 +1,16 @@
+# nextcloud.schema
+# This schema is deactivated, because with keycloak it's impossible to set schemas to new created users
+# Until then the managament is done over keycloak
+# @todo activate in ldap 
+
+dn: cn=nextcloud,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: nextcloud
+olcAttributeTypes: ( 1.3.6.1.4.1.99999.1 NAME 'nextcloudQuota'
+  DESC 'Quota for Nextcloud'
+  EQUALITY caseIgnoreMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
+olcObjectClasses: ( 1.3.6.1.4.1.99999.2 NAME 'nextcloudUser'
+  DESC 'Auxiliary class for Nextcloud attributes'
+  AUXILIARY
+  MAY ( nextcloudQuota ) )
--- a/roles/docker-ldap/templates/ldif/schema/README.md
+++ b/roles/docker-ldap/templates/ldif/schema/README.md
@@ -0,0 +1 @@
+This folder contains schemas for the different applications to import
				`@@ -0,0 +1 @@`
				`This folder contains schemas for the different applications to import`