Optimized LDAP implementation for Snipe-IT and implemented Mobilizon draft

2025-08-29 15:06:26 +02:00 · 2025-07-01 09:08:12 +02:00
parent 4963503f2c
commit abc9a46667
38 changed files with 517 additions and 140 deletions
--- a/group_vars/all/13_ldap.yml
+++ b/group_vars/all/13_ldap.yml
@@ -0,0 +1,91 @@
+
+#############################################
+### LDAP                                  ###
+#############################################
+
+# Helper Variables:
+# Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory
+_ldap_dn_base:            "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
+_ldap_server_port:        "{% if applications.ldap.network.docker | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}"
+_ldap_user_id:            "uid"
+_ldap_filters_users_all:  "(|(objectclass=inetOrgPerson))"
+
+ldap:
+  # Distinguished Names (DN)
+  dn:
+    # -------------------------------------------------------------------------
+    # Base DN / Suffix
+    # This is the top-level naming context for your directory, used as the
+    # default search base for most operations (e.g. adding users, groups).
+    # Example: “dc=example,dc=com”
+    root:               "{{_ldap_dn_base}}"
+    administrator:
+      # -------------------------------------------------------------------------
+      # Data-Tree Administrator Bind DN
+      # The DN used to authenticate for regular directory operations under
+      # the data tree (adding users, modifying attributes, creating OUs, etc.).
+      # Typically: “cn=admin,dc=example,dc=com”
+      data: "cn={{ applications.ldap.users.administrator.username }},{{ _ldap_dn_base }}"
+
+      # -------------------------------------------------------------------------
+      # Config-Tree Administrator Bind DN
+      # The DN used to authenticate against the cn=config backend when you
+      # need to load or modify schema, overlays, modules, or other server-
+      # level settings.  
+      # Typically: “cn=admin,cn=config”
+      configuration: "cn={{ applications.ldap.users.administrator.username }},cn=config"
+
+
+    # -------------------------------------------------------------------------
+    # Organizational Units (OUs)
+    # Pre-created containers in the data tree to organize entries.
+    # – users:  Where all person/posixAccount entries live.
+    # – groups: Where you define your application or business groups.
+    # – roles:  A flat container for application-role entries (e.g. “cn=app1-user”).
+    users:             "ou=users,{{ _ldap_dn_base }}"
+    groups:            "ou=groups,{{ _ldap_dn_base }}"
+    application_roles: "ou=application_roles,{{ _ldap_dn_base }}"
+
+    # -------------------------------------------------------------------------
+    # Additional Notes
+    # – Always bind as data_admin for CRUD on entries under your base DN.
+    # – Always bind as config_admin when you push schema-level LDIFs via ldapi:///
+    # – Keeping these distinct prevents accidental use of config credentials
+    #   for ordinary user/group operations, and vice versa.
+
+  attributes:
+    # Attribut to identify the user
+    user_id:            "{{ _ldap_user_id }}"
+    mail:               "mail"
+    fullname:           "cn"
+    firstname:          "givenname"
+    surname:            "sn"
+    ssh_public_key:     "sshPublicKey"
+  # Password to access dn.bind
+  bind_credential:      "{{applications.ldap.credentials.administrator_database_password}}"
+  server:
+    domain:             "{{applications.ldap.hostname if applications.ldap.network.docker | bool else domains.ldap}}" # Mapping for public or locale access
+    port:               "{{_ldap_server_port}}"
+    uri:                "{% if applications.ldap.network.docker | bool %}ldap://{{ applications.ldap.hostname }}{% else %}ldaps://{{ domains.ldap }}{% endif %}:{{ _ldap_server_port }}"
+    security:           "" #TLS, SSL - Leave empty for none
+  network:
+    local:              "{{applications.ldap.network.docker}}" # Uses the application configuration to define if local network should be available or not
+  user_objects:
+    structural:
+      - person            # Structural Classes define the core identity of an entry:
+                          # • Specify mandatory attributes (e.g. sn, cn)
+                          # • Each entry must have exactly one structural class
+      - inetOrgPerson     # An extension of person adding internet-related attributes
+                          # (e.g. mail, employeeNumber)
+      - posixAccount      # Provides UNIX account attributes (uidNumber, gidNumber,
+                          # homeDirectory)
+    auxiliary:
+      - nextcloudUser     # Auxiliary Classes attach optional attributes without
+                          # changing the entry’s structural role. Here they add
+                          # nextcloudQuota and nextcloudEnabled for Nextcloud.
+      - ldapPublicKey     # Allows storing SSH public keys for services like Gitea.
+
+  filters:
+    users:
+      login:            "(&{{ _ldap_filters_users_all }}({{_ldap_user_id}}=%{{_ldap_user_id}}))"
+      all:              "{{ _ldap_filters_users_all }}"