diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
index 2a5e7a3a..35c8ccd9 100644
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -8,7 +8,7 @@ docker_restart_policy: "unless-stopped"
 ##############################################
 # By default don't expose openldap to the internet, just if explicit configured
-_ldap_openldap_expose_to_internet: "{{ applications.ldap.openldap.expose_to_internet if applications.ldap is defined and applications.ldap.openldap is defined else false}}"
+_ldap_openldap_expose_to_internet: "{{ applications.ldap.openldap.expose_to_internet | default(False) if applications.ldap is defined and applications.ldap.openldap is defined else false}}"
 defaults_applications:
@@ -74,6 +74,7 @@ defaults_applications:
 version: "latest"
 expose_to_internet: "{{_ldap_openldap_expose_to_internet}}" # Set to true if you want to expose the LDAP port to the internet
 domain: "{{domains.ldap if _ldap_openldap_expose_to_internet else 'openldap'}}" # Mapping for public or locale access
+ modify: False # When false entries will just be added, when true existing entries will be modified during import procedure
 phpldapadmin:
 version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
 webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
diff --git a/roles/docker-ldap/README.md b/roles/docker-ldap/README.md
index fe5632c1..9ebaf969 100644
--- a/roles/docker-ldap/README.md
+++ b/roles/docker-ldap/README.md
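Review bot: The user-supplied `expose_to_internet` value on the added line is still used untyped, so an inventory entry written as a string such as `"no"` stays a non-empty string and would count as true wherever the variable is tested with `{% if %}` or `if`; `{{ (applications.ldap.openldap.expose_to_internet | default(false) | bool) if applications.ldap is defined and applications.ldap.openldap is defined else false }}` keeps the fail-closed default the commit intends and normalises the type. Mixing `default(False)` and `else false` in one expression is a style point, since Jinja accepts both spellings, but one spelling reads better. The closing `false}}` also lacks the space the opening `{{ ` has.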
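Review bot: `modify: False` on the added line is a capitalised YAML 1.1 boolean; the handler pipes the value through `| bool` anyway, so `modify: false` is equivalent and is what yamllint's truthy rule expects. The trailing comment could name the concrete effect instead of paraphrasing it: `# false: import with ldapadd (new entries only); true: import with ldapmodify (existing entries are changed)`. Since enabling this switches the import to a tool with different failure semantics, the comment is the one place an operator will look before flipping it.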
@@ -20,7 +20,7 @@ This Ansible role provides a streamlined implementation of an LDAP server with T
 ## Maintanance
 ### Show all Entires
 ```bash
-docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world'
+docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world'";
 ```
 ### Delete Groups and Subgroup
diff --git a/roles/docker-ldap/handlers/main.yml b/roles/docker-ldap/handlers/main.yml
index 175212ef..92e7fdb2 100644
--- a/roles/docker-ldap/handlers/main.yml
+++ b/roles/docker-ldap/handlers/main.yml
@@ -1,6 +1,7 @@
-- name: "import missing groups from {{groups_ldif_docker_path}} to OpenLDAP"
+- name: "import missing groups from {{ldif_docker_path}} to OpenLDAP"
 shell: >
-docker exec -i openldap ldapadd -x -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{groups_ldif_docker_path}}"
+docker exec -i openldap {{ 'ldapmodify' if applications.ldap.openldap.modify|bool else 'ldapadd' }} -x -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}{{ item }}"
+loop: "{{ ldif_files }}"
 register: ldapadd_result
 changed_when: "'adding new entry' in ldapadd_result.stdout"
 # Allow return code 0 (all entries added) or 68 (entry already exists)
diff --git a/roles/docker-ldap/tasks/main.yml b/roles/docker-ldap/tasks/main.yml
index 1c2d961f..0813fac7 100644
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
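Review bot: When `modify` is enabled the added command runs `ldapmodify`, but the unchanged `changed_when: "'adding new entry' in ldapadd_result.stdout"` only matches ldapadd's output, so modifications would be applied yet always reported as unchanged; `changed_when: "'adding new entry' in ldapadd_result.stdout or 'modifying entry' in ldapadd_result.stdout"` covers both tools. The comment at the end of the hunk allows return code 68 for ldapadd's "entry already exists" case, whereas ldapmodify fed an add-style LDIF without `changetype` lines fails differently, so the rc handling that continues outside the hunk probably needs a matching update — please verify against the LDIF templates. The administrator password is still passed on the command line via `-w`, now once per looped file, and the registered per-item results are printed per iteration; the handler should carry `no_log: true` so neither the command nor its output reaches logs at higher verbosity. The name still says "groups" although the task now imports every file in `ldif_files`.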
@@ -48,9 +48,16 @@
 - name: flush docker service
 meta: flush_handlers
-- name: "create {{groups_ldif_host_path}}"
+- name: "create directory {{ldif_host_path}}"
+ file:
+ path: "{{ldif_host_path}}"
+ state: directory
+ mode: 0755
+
+- name: "Create LDIF files at {{ldif_host_path}}"
 template:
- src: "groups.ldif.j2"
- dest: "{{groups_ldif_host_path}}"
+ src: "templates/ldif/{{item}}.j2"
+ dest: "{{ldif_host_path}}{{item}}"
 mode: '770'
- notify: Import missing groups to OpenLDAP
\ No newline at end of file
+ notify: Import missing groups to OpenLDAP
+ loop: "{{ldif_files}}"
\ No newline at end of file
diff --git a/roles/docker-ldap/templates/docker-compose.yml.j2 b/roles/docker-ldap/templates/docker-compose.yml.j2
index ba7a1825..b36dfb11 100644
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@@ -32,7 +32,7 @@ services:
 {% endif %}
 volumes:
 - 'data:/bitnami/openldap'
- - '{{groups_ldif_host_path}}:{{groups_ldif_docker_path}}:ro' # Mounting the groups for importing
+ - '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import
 healthcheck:
 test: >
 ldapsearch -x -H ldap://localhost:389 -b "{{ldap_root}}" -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}"
diff --git a/roles/docker-ldap/templates/groups.ldif.j2 b/roles/docker-ldap/templates/ldif/groups.ldif.j2
similarity index 97%
rename from roles/docker-ldap/templates/groups.ldif.j2
rename to roles/docker-ldap/templates/ldif/groups.ldif.j2
index 77d59ea6..8754c59f 100644
--- a/roles/docker-ldap/templates/groups.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/groups.ldif.j2
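Review bot: `mode: 0755` on the new `file` task is an unquoted octal literal, which YAML 1.1 parsers read as the integer 493; the file module happens to accept that, but Ansible's documentation asks for quoted modes so the intent survives a reformat — `mode: "0755"`, matching the `'770'` style used two lines below. `dest: "{{ldif_host_path}}{{item}}"` only produces a valid path because `ldif_host_path` happens to end in a slash; `dest: "{{ (ldif_host_path, item) | path_join }}"` makes the join explicit and tolerates either spelling of the variable. `notify: Import missing groups to OpenLDAP` does not match the handler name introduced in this commit (`import missing groups from {{ldif_docker_path}} to OpenLDAP`), so unless the handler declares a `listen:` outside the shown hunk the rendered files are never imported — worth confirming. The file still ends without a trailing newline.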
@@ -1,5 +1,6 @@
 #######################################################################
-# This file contains the CyMaIS default groups
+# This file contains the CyMaIS default groups #
+# Groupps define which kind of applications users have access to #
 #######################################################################
 #######################################################################
diff --git a/roles/docker-ldap/templates/ldif/roles.ldif.j2 b/roles/docker-ldap/templates/ldif/roles.ldif.j2
new file mode 100644
index 00000000..0756c0df
--- /dev/null
+++ b/roles/docker-ldap/templates/ldif/roles.ldif.j2
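Review bot: `Groupps` in the added header comment is a typo; `# Groups define which kind of applications users have access to #`. A trailing `#` was also added to the line above to close a comment box, so both lines should be padded to the width of the `####` rule or the trailing `#` dropped — a ragged box reads worse than none.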
@@ -0,0 +1,75 @@
+#######################################################################
+# This file contains the CyMaIS default roles
+# Roles define which kind of rights users have
+#######################################################################
+
+#######################################################################
+# Generic container for IT roles
+#######################################################################
+dn: ou=roles,dc=example,dc=com
+objectClass: organizationalUnit
+ou: roles
+description: Container for generic IT roles (for rights management)
+
+#######################################################################
+# Role: Super Administrator
+#######################################################################
+dn: cn=superadministrator,ou=roles,dc=example,dc=com
+objectClass: groupOfUniqueNames
+cn: superadministrator
+description: Role: Super Administrator – has full control over all systems and settings.
+uniqueMember: cn=dummy,ou=users,dc=example,dc=com
+
+#######################################################################
+# Role: Administrator
+#######################################################################
+dn: cn=administrator,ou=roles,dc=example,dc=com
+objectClass: groupOfUniqueNames
+cn: administrator
+description: Role: Administrator – responsible for overall system management and configuration.
+uniqueMember: cn=dummy,ou=users,dc=example,dc=com
+
+#######################################################################
+# Role: Manager
+#######################################################################
+dn: cn=manager,ou=roles,dc=example,dc=com
+objectClass: groupOfUniqueNames
+cn: manager
+description: Role: Manager – oversees operations, approves changes, and coordinates teams.
+uniqueMember: cn=dummy,ou=users,dc=example,dc=com
+
+#######################################################################
+# Role: Moderator
+#######################################################################
+dn: cn=moderator,ou=roles,dc=example,dc=com
+objectClass: groupOfUniqueNames
+cn: moderator
+description: Role: Moderator – monitors activity and handles conflict resolution.
+uniqueMember: cn=dummy,ou=users,dc=example,dc=com
+
+#######################################################################
+# Role: Publisher
+#######################################################################
+dn: cn=publisher,ou=roles,dc=example,dc=com
+objectClass: groupOfUniqueNames
+cn: publisher
+description: Role: Publisher – responsible for releasing content or updates.
+uniqueMember: cn=dummy,ou=users,dc=example,dc=com
+
+#######################################################################
+# Role: Contributor
+#######################################################################
+dn: cn=contributor,ou=roles,dc=veen,dc=world
+objectClass: groupOfUniqueNames
+cn: contributor
+description: Contributor (Allowed to participate, but not to publish)
+uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
+
+#######################################################################
+# Role: Subscriber
+#######################################################################
+dn: cn=subscriber,ou=roles,dc=veen,dc=world
+objectClass: groupOfUniqueNames
+cn: subscriber
+description: Subscriber (read-only; manage own profile)
+uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
diff --git a/roles/docker-ldap/templates/ldif/users.ldif.j2 b/roles/docker-ldap/templates/ldif/users.ldif.j2
new file mode 100644
index 00000000..592d1a74
--- /dev/null
+++ b/roles/docker-ldap/templates/ldif/users.ldif.j2
@@ -0,0 +1 @@
+# Default users
\ No newline at end of file
diff --git a/roles/docker-ldap/vars/main.yml b/roles/docker-ldap/vars/main.yml
index cc159d28..7df5a586 100644
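Review bot: The new roles.ldif.j2 mixes two hard-coded base DNs: the `ou=roles` container and the first five roles live under `dc=example,dc=com`, while `contributor` and `subscriber` (and their `uniqueMember` values) live under `dc=veen,dc=world`, and none of them follow the deployment's actual suffix. Fed to `ldapadd -c`, an entry whose parent does not exist under the real base is rejected and the run continues, so on any deployment part of the role set goes missing without the handler failing. Because this is a Jinja template and `ldap_root` is already used in docker-compose.yml.j2, every DN should be built from it: `dn: cn=contributor,ou=roles,{{ ldap_root }}` and `uniqueMember: cn=dummy,ou=users,{{ ldap_root }}`. The `cn=dummy` placeholder member deserves a comment saying that `groupOfUniqueNames` requires at least one `uniqueMember`, otherwise a reader will take it for a leftover. The first five descriptions contain an en dash, a non-ASCII character that the LDIF format formally requires to be base64-encoded (`description::`); OpenLDAP's tools usually accept raw UTF-8, but the last two roles use plain ASCII and one style throughout would be more consistent.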
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@@ -11,5 +11,10 @@ oauth2_proxy_active: true
 enable_wildcard_certificate: false # Activate dedicated Certificate
-groups_ldif_host_path: "{{docker_compose.directories.volumes}}groups.ldif" # Path inside the host
-groups_ldif_docker_path: "/tmp/groups.ldif" # Path inside the docker container
\ No newline at end of file
+# Configuration for ldif import
+ldif_files:
+ - "groups.ldif"
+ - "roles.ldif"
+ - "users.ldif"
+ldif_host_path: "{{docker_compose.directories.volumes}}ldif/"
+ldif_docker_path: "/tmp/ldif/"
\ No newline at end of file
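Review bot: The inline comments that documented the old path variables (`# Path inside the host`, `# Path inside the docker container`) were dropped with the rename; the new `ldif_host_path` and `ldif_docker_path` lines should keep them, and the trailing slash deserves an explicit note because tasks/main.yml and handlers/main.yml build file paths by plain string concatenation: `ldif_host_path: "{{docker_compose.directories.volumes}}ldif/" # Directory on the host; trailing slash required, file names are appended`. `ldif_files` could likewise state that each entry must have a matching `templates/ldif/<name>.j2`, which is the implicit contract the template task relies on. The file still ends without a trailing newline.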