Added LDAP integration

2025-10-31 18:29:21 +00:00 · 2025-01-21 19:44:47 +01:00
parent b9c51d29ae
commit a8f664d9bb
3 changed files with 155 additions and 20 deletions
--- a/group_vars/all
+++ b/group_vars/all
@@ -246,7 +246,7 @@ keycloak_administrator_username:  "{{administrator_username}}"

 #### LDAP
 ldap_version:                     "latest"
-ldap_admin_version:               "2.0.0-dev"
+ldap_admin_version:               "2.0.0-dev"   # @todo Attention: Change this as fast as released to latest
 ldap_administrator_username:      "{{administrator_username}}"
 ldap_administrator_password:      "{{user_administrator_initial_password}}" #CHANGE for security reasons

--- a/roles/docker-ldap/README.md
+++ b/roles/docker-ldap/README.md
@@ -1,10 +1,137 @@
-# Draft Docker LDAP and SSO
-Draft role for an LDAP implementation with sso. 
-## See
- [ChatGPT Conversation](https://chat.openai.com/share/77919994-5d44-4a64-877d-b572d67483d4)
- [Discouse Documentation](https://forum.veen.world/t/cymais-ldap-implementierung-documentation/49)
- [Setup Guide](https://goneuland.de/ldap-nextcloud-und-mailserver-in-docker/)
- https://hub.docker.com/r/bitnami/openldap 
- https://github.com/LDAPAccountManager/docker
- https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env
- https://github.com/leenooks/phpLDAPadmin/wiki/Docker-Container
+# Docker LDAP Role
+
+This Ansible role provides a streamlined implementation of an LDAP server with TLS support. It leverages Docker Compose to deploy a pre-configured OpenLDAP server and phpLDAPadmin for easy management.
+
+---
+
+## 🚀 **Features**
+
+- **Secure LDAP with TLS**:
+  - Automatically configures TLS certificates for secure communication.
+  - Provides configurable support for LDAPS on port 636.
+
+- **phpLDAPadmin Integration**:
+  - Includes a Dockerized phpLDAPadmin setup for easy user and group management.
+
+- **Healthcheck Support**:
+  - Ensures that the LDAP service is healthy and accessible using `ldapsearch`.
+
+---
+
+## 📋 **Requirements**
+
+### Prerequisites
+- A valid domain name.
+- SSL/TLS certificates (e.g., from Let’s Encrypt).
+- Ansible installed on the deployment host.
+- Docker and Docker Compose installed on the target host.
+
+---
+
+## 🔧 **Role Variables**
+
+### Key Variables
+| Variable                      | Description                                              | Default Value                        |
+|-------------------------------|----------------------------------------------------------|--------------------------------------|
+| `docker_compose_project_name` | Name of the Docker Compose project.                     | `ldap`                               |
+| `ldap_root`                   | Base DN for the LDAP directory.                         | `dc={{primary_domain_sld}},dc={{primary_domain_tld}}` |
+| `ldap_admin_dn`               | Distinguished Name (DN) for the LDAP administrator.     | `cn={{ldap_administrator_username}},{{ldap_root}}` |
+| `cert_mount_directory`        | Directory to mount SSL/TLS certificates.                | `{{docker_compose_instance_directory}}/certs/` |
+| `ldap_administrator_username` | Username for the LDAP admin.                            | `admin`                              |
+| `ldap_administrator_password` | Password for the LDAP admin.                            | _Required_                           |
+| `ldap_admin_version`          | Version of phpLDAPadmin Docker image.                   | `latest`                             |
+| `ldap_version`                | Version of OpenLDAP Docker image.                       | `latest`                             |
+
+---
+
+## 📂 **Role Structure**
+
+```
+roles/
+  docker-ldap/
+    README.md
+    vars/
+      main.yml
+    tasks/
+      main.yml
+    templates/
+      docker-compose.yml.j2
+```
+
+---
+
+## 📖 **Usage**
+
+Here’s an example playbook to use this role:
+
+```yaml
+- name: Deploy LDAP with SSO
+  hosts: ldap_servers
+  roles:
+    - role: docker-ldap
+      vars:
+        docker_compose_instance_directory: "/home/administrator/docker-compose/ldap/"
+        primary_domain_sld: "veen"
+        primary_domain_tld: "world"
+        ldap_administrator_username: "administrator"
+        ldap_administrator_password: "secure_password_here"
+        ldap_admin_version: "latest"
+        ldap_version: "latest"
+```
+
+### **Steps to Deploy:**
+1. Clone your playbook repository to the target server.
+2. Run the playbook:
+   ```bash
+   ansible-playbook -i inventory playbook.yml
+   ```
+3. Access phpLDAPadmin:
+   - URL: `http://localhost:8080` (or your configured port)
+   - Login: Use the admin DN and password.
+
+---
+
+## 🛠️ **Technical Details**
+
+### **Services Configured**
+
+1. **OpenLDAP**
+   - TLS enabled on port 636.
+   - Configuration driven by environment variables.
+
+2. **phpLDAPadmin**
+   - Accessible on port 8080.
+   - Simplifies LDAP management via a web interface.
+
+3. **Healthchecks**
+   - Uses `ldapsearch` to validate LDAP functionality.
+
+### **Directory Structure**
+
+The following directories are mounted in the container:
+- **Certificates:** `{{cert_mount_directory}}` for TLS certificates.
+- **LDAP Data:** `data:/bitnami/openldap` for persistent data storage.
+
+---
+
+## 🔒 **Security Recommendations**
+- Always use strong passwords for `ldap_administrator_password`.
+- Ensure proper file permissions for mounted certificate files.
+- Restrict access to phpLDAPadmin by binding it to `127.0.0.1` or using a reverse proxy.
+
+---
+
+## 📜 **References**
+- [Bitnami OpenLDAP](https://hub.docker.com/r/bitnami/openldap)
+- [phpLDAPadmin Documentation](https://github.com/leenooks/phpLDAPadmin/wiki/Docker-Container)
+- [LDAP Account Manager](https://github.com/LDAPAccountManager/docker)
+
+---
+
+
+## 👨‍💻 **Author**
+
+Kevin Veen-Birkenbach - [veen.world](https://www.veen.world)
+
+Feel free to report issues, suggest features, or contribute to the repository! 😊
+
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@@ -9,29 +9,30 @@ services:
    environment:
      # @See https://github.com/leenooks/phpLDAPadmin/wiki/Docker-Container
      APP_URL:    https://{{domain}}
-      LDAP_HOST:  {{domain}}
+      LDAP_HOST:  openldap
  openldap:
    image: bitnami/openldap:{{ldap_version}}
    logging:
      driver: journald
    restart: {{docker_restart_policy}}
    ports:
-      - '127.0.0.1:389:1389'  # Expose just on local host for security reasons
+      - '127.0.0.1:389:389'   # Expose just on local host for security reasons, phpLDAPadmin requires this
      - '636:636'             # Expose to internet
    environment:
      # @See https://hub.docker.com/r/bitnami/openldap

      # GENERAL
-      LDAP_ADMIN_USERNAME:  {{ldap_administrator_username}} # LDAP database admin user.
-      LDAP_ADMIN_PASSWORD:  {{ldap_administrator_password}} # LDAP database admin password.
-      #LDAP_USERS:          user01,user02                   # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
-      #LDAP_PASSWORDS:      password1,password2             # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami 
-      LDAP_ROOT:            {{ldap_root}}                   # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
-      LDAP_ADMIN_DN:        {{ldap_admin_dn}}
+      LDAP_ADMIN_USERNAME:    {{ldap_administrator_username}} # LDAP database admin user.
+      LDAP_ADMIN_PASSWORD:    {{ldap_administrator_password}} # LDAP database admin password.
+      #LDAP_USERS:            user01,user02                   # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
+      #LDAP_PASSWORDS:        password1,password2             # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami 
+      LDAP_ROOT:              {{ldap_root}}                   # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
+      LDAP_ADMIN_DN:          {{ldap_admin_dn}}
+      LDAP_PORT_NUMBER:       389                             # Route to default port

      # TLS
      LDAP_ENABLE_TLS:          yes                         # Whether to enable TLS for traffic or not. Defaults to no
-      LDAP_REQUIRE_TLS:         yes                         # Whether connections must use TLS. Will only be applied with LDAP_ENABLE_TLS active. Defaults to no
+      LDAP_REQUIRE_TLS:         no                          # Deactivated so that it can be accessed on the server itself via phpldapadmin
      LDAP_LDAPS_PORT_NUMBER:   636                         # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
      LDAP_TLS_CERT_FILE:       /certs/cert.pem             # File containing the certificate file for the TLS traffic. No defaults.
      LDAP_TLS_KEY_FILE:        /certs/key.pem              # File containing the key for certificate. No defaults.
@@ -40,6 +41,13 @@ services:
    volumes:
      - {{cert_mount_directory}}:/certs:ro
      - 'data:/bitnami/openldap'
+    healthcheck:
+      test: >
+        ldapsearch -x -H ldap://localhost:389 -b "{{ldap_root}}" -D "{{ldap_admin_dn}}" -w "{{ldap_administrator_password}}"
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
 {% include 'templates/docker/container/networks.yml.j2' %}
 {% include 'templates/docker/compose/volumes.yml.j2' %}
  data: