diff --git a/roles/docker-snipe-it/tasks/ldap.yml b/roles/docker-snipe-it/tasks/ldap.yml
index 7e7d23f2..6125b78a 100644
--- a/roles/docker-snipe-it/tasks/ldap.yml
+++ b/roles/docker-snipe-it/tasks/ldap.yml
@@ -12,32 +12,56 @@
 until: snipeit_admin_check.status == 200
 when: not ( applications | is_feature_enabled('oauth2', application_id))
 
+- name: "Debug: show APP_KEY in container shell"
+ shell: |
+ docker-compose exec -T \
+ -u www-data \
+ -e XDG_CONFIG_HOME=/tmp \
+ -e APP_KEY='{{ applications[application_id].credentials.app_key }}' \
+ application \
+ sh -c 'echo "SHELL sees APP_KEY=$APP_KEY"'
+ args:
+ chdir: "/opt/docker/snipe-it/"
+
+- name: "Debug: show APP_KEY in container shell"
+ shell: |
+ docker-compose exec -T -u www-data \
+ -e XDG_CONFIG_HOME=/tmp \
+ -e APP_KEY="{{ applications[application_id].credentials.app_key }}" \
+ application \
+ php artisan tinker --execute="echo 'CONFIG app.key: ' . config('app.key') . PHP_EOL;"
+ args:
+ chdir: "/opt/docker/snipe-it/"
+
 - name: "Set all LDAP settings via Laravel Setting model (inside container as www-data)"
 shell: |
- docker-compose exec -T -e XDG_CONFIG_HOME=/tmp -u www-data application sh -c 'php artisan tinker << "EOF"
+ docker-compose exec -T \
+ -e APP_KEY='{{ applications[application_id].credentials.app_key }}' \
+ -e XDG_CONFIG_HOME=/tmp \
+ -u www-data application \
+ sh -c 'php artisan tinker << "EOF"
 $s = \App\Models\Setting::getSettings();
 $s->ldap_enabled = 1;
 $s->ldap_server = "{{ ldap.server.uri }}";
 $s->ldap_port = {{ ldap.server.port }};
 $s->ldap_uname = "{{ ldap.dn.administrator.data }}";
 $s->ldap_pword = "{{ ldap.bind_credential }}";
- $s->ldap_basedn = "{{ ldap.dn.root }}";
- $s->ldap_filter = "objectclass=inetOrgPerson";
+ $s->ldap_basedn = "{{ ldap.dn.users }}";
+ $s->ldap_filter = "&(objectClass=inetOrgPerson)";
 $s->ldap_username_field = "{{ ldap.attributes.user_id }}";
 $s->ldap_fname_field = "{{ ldap.attributes.firstname }}";
 $s->ldap_lname_field = "{{ ldap.attributes.surname }}";
- $s->ldap_auth_filter_query = "{{ ldap.filters.users.login }}";
+ $s->ldap_auth_filter_query = "uid=";
 $s->ldap_version = 3;
 $s->ldap_pw_sync = 0;
 $s->is_ad = 0;
 $s->ad_domain = "";
 $s->ldap_default_group = "";
 $s->ldap_email = "{{ ldap.attributes.mail }}";
- $s->custom_forgot_pass_url = "{{ ldap.attributes.mail }}";
+ $s->custom_forgot_pass_url = "{{ oidc.client.reset_credentials }}";
 $s->save();
 EOF'
 args:
- #chdir: "/opt/docker/snipe-it/"
 chdir: "{{ docker_compose.directories.instance }}"
 register: ldap_tinker
 failed_when: >
@@ -48,38 +72,36 @@
 and ldap_tinker.stdout_lines[0] == '= true'
 notify: docker compose up
 
+- name: Encrypt & save LDAP bind password via Crypt + DB façade
+ shell: |
+ docker-compose exec -T \
+ -u www-data \
+ -e APP_KEY="{{ applications[application_id].credentials.app_key }}" \
+ -e XDG_CONFIG_HOME=/tmp \
+ application \
+ php artisan tinker --execute="
+ use Illuminate\Support\Facades\Crypt;
+ use Illuminate\Support\Facades\DB;
+
+ /* encrypt the clear-text password */
+ \$encrypted = Crypt::encrypt('{{ ldap.bind_credential }}');
+
+ /* write it straight into settings.ldap_pword */
+ /* update the one and only row in `settings` */
+ DB::table('settings')->update([
+ 'ldap_pword' => \$encrypted
+ ]);
+ echo 'Stored: ' . \$encrypted . PHP_EOL;
+ "
+ args:
+ chdir: "/opt/docker/snipe-it/"
+ register: ldap_encrypt
+ failed_when: ldap_encrypt.rc != 0
+
 - name: "Clear Laravel config & cache (inside container as www-data)"
 shell: |
 docker-compose exec -T -u www-data application php artisan config:clear
 docker-compose exec -T -u www-data application php artisan cache:clear
 args:
- #chdir: "/opt/docker/snipe-it/"
 chdir: "{{ docker_compose.directories.instance }}"
- notify: docker compose up
-
-#- name: "Enable und konfiguriere LDAP in Snipe-IT"
-# community.mysql.mysql_query:
-# login_host: "127.0.0.1"
-# login_port: "{{ database_port }}"
-# login_user: "{{ database_username }}"
-# login_password: "{{ database_password }}"
-# login_db: "{{ database_name }}"
-# query: |
-# UPDATE settings SET
-# ldap_enabled = 1,
-# ldap_server = '{{ ldap.server.uri }}',
-# ldap_port = '{{ ldap.server.port }}',
-# ldap_uname = '{{ ldap.dn.administrator.data }}',
-# ldap_pword = '{{ ldap.bind_credential }}',
-# ldap_basedn = '{{ ldap.dn.root }}',
-# ldap_filter = '{{ ldap.filters.users.all }}',
-# ldap_username_field = '{{ ldap.attributes.user_id }}',
-# ldap_lname_field = '{{ ldap.attributes.surname }}',
-# ldap_fname_field = '{{ ldap.attributes.firstname }}',
-# ldap_auth_filter_query
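Review bot: The two added `Debug: show APP_KEY in container shell` tasks print the Laravel APP_KEY into task output, and the rewritten `Set all LDAP settings` task puts both the APP_KEY and `{{ ldap.bind_credential }}` on the command line, yet none of them sets `no_log: true`, so the encryption key and the bind password can end up in Ansible logs and in the registered `ldap_tinker` result; the same applies to the `Encrypt & save LDAP bind password` task in the next hunk. Drop the debug tasks before merge (or gate them behind a debug flag) and add `no_log: true` to every task that carries a secret. The debug tasks also share one identical name and hard-code `chdir: "/opt/docker/snipe-it/"`, while this very hunk deletes the commented-out copy of that path in favour of `chdir: "{{ docker_compose.directories.instance }}"`. `$s->ldap_auth_filter_query = "uid=";` hard-codes the attribute that `ldap_username_field` takes from `{{ ldap.attributes.user_id }}` a few lines above; `$s->ldap_auth_filter_query = "{{ ldap.attributes.user_id }}=";` keeps the two in step. The `failed_when` expression continues outside the hunk.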
= '{{ ldap.filters.users.login }}',
-# ldap_version = 3,
-# ldap_pw_sync = 0,
-# is_ad = 0,
-# ad_domain = '',
-# ldap_default_group = '',
-# ldap_email = '{{ ldap.attributes.mail }}';
+ notify: docker compose up
\ No newline at end of file
diff --git a/roles/docker-snipe-it/templates/env.j2 b/roles/docker-snipe-it/templates/env.j2
index c2d69a46..faedb6e1 100644
--- a/roles/docker-snipe-it/templates/env.j2
+++ b/roles/docker-snipe-it/templates/env.j2
@@ -3,8 +3,7 @@
 # --------------------------------------------
 APP_ENV={{ CYMAIS_ENVIRONMENT | lower }}
 APP_DEBUG={{enable_debug | string | lower }}
-# Please regenerate the APP_KEY value by calling `docker compose run --rm app php artisan key:generate --show`. Copy paste the value here
-APP_KEY={{applications[application_id].credentials.app_key}}
+APP_KEY={{ applications[application_id].credentials.app_key}}
 APP_URL={{ snipe_it_url }}
 # https://en.wikipedia.org/wiki/List_of_tz_database_time_zones - TZ identifier
 APP_TIMEZONE='{{ HOST_TIMEZONE }}'
diff --git a/roles/docker-snipe-it/vars/configuration.yml b/roles/docker-snipe-it/vars/configuration.yml
index b8474a47..574444e8 100644
--- a/roles/docker-snipe-it/vars/configuration.yml
+++ b/roles/docker-snipe-it/vars/configuration.yml
@@ -4,8 +4,8 @@ features:
 css: false
 portfolio_iframe: false
 central_database: true
- ldap: false
- oauth2: false
+ ldap: true
+ oauth2: true
 domains:
 canonical:
 - "inventory.{{ primary_domain }}"
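Review bot: In the new `Encrypt & save LDAP bind password` task, `Crypt::encrypt('{{ ldap.bind_credential }}')` splices the bind password into a single-quoted PHP literal that itself sits inside the double-quoted `--execute="…"` shell argument, so a password containing `'`, `\`, `$` or a backtick breaks the quoting or is interpreted by the shell or PHP instead of being stored. Passing the secret through the environment — the task's `environment:` keyword plus a pass-through `-e LDAP_BIND_PW` on the `docker-compose exec` line (if the compose version in use accepts a value-less `-e`), with `Crypt::encrypt(getenv('LDAP_BIND_PW'))` in the PHP — keeps it out of the command string, and the `echo 'Stored: ' . \$encrypted . PHP_EOL;` line can go since `register`/`failed_when` already cover the result. The task also hard-codes `chdir: "/opt/docker/snipe-it/"` where the neighbouring `Clear Laravel config & cache` task uses `chdir: "{{ docker_compose.directories.instance }}"`. The unfiltered `DB::table('settings')->update([...])` relies on the table holding exactly one row, as the comment says; a `->where()` on that row's id would make the assumption explicit rather than silent.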