From a8f664d9bb2f3830310f59bd9f82af499f6dda05 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Tue, 21 Jan 2025 19:44:47 +0100 Subject: [PATCH] Added LDAP integration --- group_vars/all | 2 +- roles/docker-ldap/README.md | 147 ++++++++++++++++-- .../templates/docker-compose.yml.j2 | 26 ++-- 3 files changed, 155 insertions(+), 20 deletions(-) diff --git a/group_vars/all b/group_vars/all index 5732b52b..0ae244ca 100644 --- a/group_vars/all +++ b/group_vars/all @@ -246,7 +246,7 @@ keycloak_administrator_username: "{{administrator_username}}" #### LDAP ldap_version: "latest" -ldap_admin_version: "2.0.0-dev" +ldap_admin_version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest ldap_administrator_username: "{{administrator_username}}" ldap_administrator_password: "{{user_administrator_initial_password}}" #CHANGE for security reasons diff --git a/roles/docker-ldap/README.md b/roles/docker-ldap/README.md index 001b59d4..233b1f87 100644 --- a/roles/docker-ldap/README.md +++ b/roles/docker-ldap/README.md @@ -1,10 +1,137 @@ -# Draft Docker LDAP and SSO -Draft role for an LDAP implementation with sso. -## See -- [ChatGPT Conversation](https://chat.openai.com/share/77919994-5d44-4a64-877d-b572d67483d4) -- [Discouse Documentation](https://forum.veen.world/t/cymais-ldap-implementierung-documentation/49) -- [Setup Guide](https://goneuland.de/ldap-nextcloud-und-mailserver-in-docker/) -- https://hub.docker.com/r/bitnami/openldap -- https://github.com/LDAPAccountManager/docker -- https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env -- https://github.com/leenooks/phpLDAPadmin/wiki/Docker-Container \ No newline at end of file +# Docker LDAP Role + +This Ansible role provides a streamlined implementation of an LDAP server with TLS support. It leverages Docker Compose to deploy a pre-configured OpenLDAP server and phpLDAPadmin for easy management. + +--- + +## πŸš€ **Features** + +- **Secure LDAP with TLS**: + - Automatically configures TLS certificates for secure communication. + - Provides configurable support for LDAPS on port 636. + +- **phpLDAPadmin Integration**: + - Includes a Dockerized phpLDAPadmin setup for easy user and group management. + +- **Healthcheck Support**: + - Ensures that the LDAP service is healthy and accessible using `ldapsearch`. + +--- + +## πŸ“‹ **Requirements** + +### Prerequisites +- A valid domain name. +- SSL/TLS certificates (e.g., from Let’s Encrypt). +- Ansible installed on the deployment host. +- Docker and Docker Compose installed on the target host. + +--- + +## πŸ”§ **Role Variables** + +### Key Variables +| Variable | Description | Default Value | +|-------------------------------|----------------------------------------------------------|--------------------------------------| +| `docker_compose_project_name` | Name of the Docker Compose project. | `ldap` | +| `ldap_root` | Base DN for the LDAP directory. | `dc={{primary_domain_sld}},dc={{primary_domain_tld}}` | +| `ldap_admin_dn` | Distinguished Name (DN) for the LDAP administrator. | `cn={{ldap_administrator_username}},{{ldap_root}}` | +| `cert_mount_directory` | Directory to mount SSL/TLS certificates. | `{{docker_compose_instance_directory}}/certs/` | +| `ldap_administrator_username` | Username for the LDAP admin. | `admin` | +| `ldap_administrator_password` | Password for the LDAP admin. | _Required_ | +| `ldap_admin_version` | Version of phpLDAPadmin Docker image. | `latest` | +| `ldap_version` | Version of OpenLDAP Docker image. | `latest` | + +--- + +## πŸ“‚ **Role Structure** + +``` +roles/ + docker-ldap/ + README.md + vars/ + main.yml + tasks/ + main.yml + templates/ + docker-compose.yml.j2 +``` + +--- + +## πŸ“– **Usage** + +Here’s an example playbook to use this role: + +```yaml +- name: Deploy LDAP with SSO + hosts: ldap_servers + roles: + - role: docker-ldap + vars: + docker_compose_instance_directory: "/home/administrator/docker-compose/ldap/" + primary_domain_sld: "veen" + primary_domain_tld: "world" + ldap_administrator_username: "administrator" + ldap_administrator_password: "secure_password_here" + ldap_admin_version: "latest" + ldap_version: "latest" +``` + +### **Steps to Deploy:** +1. Clone your playbook repository to the target server. +2. Run the playbook: + ```bash + ansible-playbook -i inventory playbook.yml + ``` +3. Access phpLDAPadmin: + - URL: `http://localhost:8080` (or your configured port) + - Login: Use the admin DN and password. + +--- + +## πŸ› οΈ **Technical Details** + +### **Services Configured** + +1. **OpenLDAP** + - TLS enabled on port 636. + - Configuration driven by environment variables. + +2. **phpLDAPadmin** + - Accessible on port 8080. + - Simplifies LDAP management via a web interface. + +3. **Healthchecks** + - Uses `ldapsearch` to validate LDAP functionality. + +### **Directory Structure** + +The following directories are mounted in the container: +- **Certificates:** `{{cert_mount_directory}}` for TLS certificates. +- **LDAP Data:** `data:/bitnami/openldap` for persistent data storage. + +--- + +## πŸ”’ **Security Recommendations** +- Always use strong passwords for `ldap_administrator_password`. +- Ensure proper file permissions for mounted certificate files. +- Restrict access to phpLDAPadmin by binding it to `127.0.0.1` or using a reverse proxy. + +--- + +## πŸ“œ **References** +- [Bitnami OpenLDAP](https://hub.docker.com/r/bitnami/openldap) +- [phpLDAPadmin Documentation](https://github.com/leenooks/phpLDAPadmin/wiki/Docker-Container) +- [LDAP Account Manager](https://github.com/LDAPAccountManager/docker) + +--- + + +## πŸ‘¨β€πŸ’» **Author** + +Kevin Veen-Birkenbach - [veen.world](https://www.veen.world) + +Feel free to report issues, suggest features, or contribute to the repository! 😊 + diff --git a/roles/docker-ldap/templates/docker-compose.yml.j2 b/roles/docker-ldap/templates/docker-compose.yml.j2 index 61bd692c..4752f4f3 100644 --- a/roles/docker-ldap/templates/docker-compose.yml.j2 +++ b/roles/docker-ldap/templates/docker-compose.yml.j2 @@ -9,29 +9,30 @@ services: environment: # @See https://github.com/leenooks/phpLDAPadmin/wiki/Docker-Container APP_URL: https://{{domain}} - LDAP_HOST: {{domain}} + LDAP_HOST: openldap openldap: image: bitnami/openldap:{{ldap_version}} logging: driver: journald restart: {{docker_restart_policy}} ports: - - '127.0.0.1:389:1389' # Expose just on local host for security reasons + - '127.0.0.1:389:389' # Expose just on local host for security reasons, phpLDAPadmin requires this - '636:636' # Expose to internet environment: # @See https://hub.docker.com/r/bitnami/openldap # GENERAL - LDAP_ADMIN_USERNAME: {{ldap_administrator_username}} # LDAP database admin user. - LDAP_ADMIN_PASSWORD: {{ldap_administrator_password}} # LDAP database admin password. - #LDAP_USERS: user01,user02 # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02 - #LDAP_PASSWORDS: password1,password2 # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami - LDAP_ROOT: {{ldap_root}} # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org - LDAP_ADMIN_DN: {{ldap_admin_dn}} + LDAP_ADMIN_USERNAME: {{ldap_administrator_username}} # LDAP database admin user. + LDAP_ADMIN_PASSWORD: {{ldap_administrator_password}} # LDAP database admin password. + #LDAP_USERS: user01,user02 # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02 + #LDAP_PASSWORDS: password1,password2 # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami + LDAP_ROOT: {{ldap_root}} # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org + LDAP_ADMIN_DN: {{ldap_admin_dn}} + LDAP_PORT_NUMBER: 389 # Route to default port # TLS LDAP_ENABLE_TLS: yes # Whether to enable TLS for traffic or not. Defaults to no - LDAP_REQUIRE_TLS: yes # Whether connections must use TLS. Will only be applied with LDAP_ENABLE_TLS active. Defaults to no + LDAP_REQUIRE_TLS: no # Deactivated so that it can be accessed on the server itself via phpldapadmin LDAP_LDAPS_PORT_NUMBER: 636 # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port). LDAP_TLS_CERT_FILE: /certs/cert.pem # File containing the certificate file for the TLS traffic. No defaults. LDAP_TLS_KEY_FILE: /certs/key.pem # File containing the key for certificate. No defaults. @@ -40,6 +41,13 @@ services: volumes: - {{cert_mount_directory}}:/certs:ro - 'data:/bitnami/openldap' + healthcheck: + test: > + ldapsearch -x -H ldap://localhost:389 -b "{{ldap_root}}" -D "{{ldap_admin_dn}}" -w "{{ldap_administrator_password}}" + interval: 30s + timeout: 10s + retries: 3 + start_period: 20s {% include 'templates/docker/container/networks.yml.j2' %} {% include 'templates/docker/compose/volumes.yml.j2' %} data: