Optimized RBAC implementation

2025-07-03 22:51:42 +02:00
parent 1486862327
commit a93e1520d4
20 changed files with 106 additions and 68 deletions


@@ -4,7 +4,7 @@ openproject_ldap:
port: "{{ ldap.server.port }}" # LDAP server port (typically 389 or 636)
account: "{{ ldap.dn.administrator.data }}" # Bind DN (used for authentication)
account_password: "{{ ldap.bind_credential }}" # Bind password
base_dn: "{{ ldap.dn.users }}" # Base DN for user search
base_dn: "{{ ldap.dn.ou.users }}" # Base DN for user search
attr_login: "{{ ldap.attributes.user_id }}" # LDAP attribute used for login
attr_firstname: "givenName" # LDAP attribute for first name
attr_lastname: "{{ ldap.attributes.surname }}" # LDAP attribute for last name
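Review bot: The bind identity on the `account:` line comes from `ldap.dn.administrator.data`, which by its name looks like the directory administrator DN; the commit narrows `base_dn` to `ldap.dn.ou.users` but leaves the bind account as broad as before. OpenProject only needs to search and read user entries, so a dedicated read-only bind DN limited to the users OU would keep a leaked `account_password` from granting write access to the whole directory. Until that exists, a comment such as `# TODO: replace with a read-only service bind DN` on the `account:` line would record the gap. The `openproject_ldap` mapping starts above the hunk, so whether a TLS mode is set for the 389/636 port cannot be checked from here.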


@@ -19,9 +19,9 @@ openproject_rails_settings:
openproject_filters:
administrators: >-
{{ '(memberOf=cn=openproject-admins,' ~ ldap.dn.application_roles ~ ')'
{{ '(memberOf=cn=openproject-admins,' ~ ldap.dn.ou.roles ~ ')'
if applications[application_id].ldap.filters.administrators else '' }}
users: >-
{{ '(memberOf=cn=openproject-users,' ~ ldap.dn.application_roles ~ ')'
{{ '(memberOf=cn=openproject-users,' ~ ldap.dn.ou.roles ~ ')'
if applications[application_id].ldap.filters.users else '' }}
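Review bot: Both filters fall back to an empty string when their flag is false, and for `administrators` it is not visible here how the consumer treats an empty filter. If the code reading `openproject_filters` interprets an empty value as "no restriction", switching off `applications[application_id].ldap.filters.administrators` would match every user under the base DN instead of nobody. Please confirm the consumer skips the admin mapping on an empty value and document the contract above `administrators:`, for example `# empty string = admin sync disabled; must never be treated as match-all`. `ldap.dn.ou.roles` is also concatenated into the filter unescaped, which is acceptable only while that value comes from inventory rather than user input. The code consuming these filters lies outside this hunk.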