kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-02-22 12:29:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added ldap ldif import draft

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-02-11 18:09:26 +01:00
parent e193e92443
commit c687b19a6d
9 changed files with 103 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
group_vars/all/07_applications.yml
View File

@ -8,7 +8,7 @@ docker_restart_policy: "unless-stopped"
############################################## ##############################################
# By default don't expose openldap to the internet, just if explicit configured # By default don't expose openldap to the internet, just if explicit configured
_ldap_openldap_expose_to_internet: "{{ applications.ldap.openldap.expose_to_internet if applications.ldap is defined and applications.ldap.openldap is defined else false}}" _ldap_openldap_expose_to_internet: "{{ applications.ldap.openldap.expose_to_internet | default(False) if applications.ldap is defined and applications.ldap.openldap is defined else false}}"
defaults_applications: defaults_applications:
@ -74,6 +74,7 @@ defaults_applications:
version: "latest" version: "latest"
expose_to_internet: "{{_ldap_openldap_expose_to_internet}}" # Set to true if you want to expose the LDAP port to the internet expose_to_internet: "{{_ldap_openldap_expose_to_internet}}" # Set to true if you want to expose the LDAP port to the internet
domain: "{{domains.ldap if _ldap_openldap_expose_to_internet else 'openldap'}}" # Mapping for public or locale access domain: "{{domains.ldap if _ldap_openldap_expose_to_internet else 'openldap'}}" # Mapping for public or locale access
modify: False # When false entries will just be added, when true existing entries will be modified during import procedure
phpldapadmin: phpldapadmin:
version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin

2
roles/docker-ldap/README.md
View File

@ -20,7 +20,7 @@ This Ansible role provides a streamlined implementation of an LDAP server with T
## Maintanance ## Maintanance
### Show all Entires ### Show all Entires
```bash ```bash
docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world' docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world'";
``` ```
### Delete Groups and Subgroup ### Delete Groups and Subgroup

5
roles/docker-ldap/handlers/main.yml
View File

@ -1,6 +1,7 @@
- name: "import missing groups from {{groups_ldif_docker_path}} to OpenLDAP" - name: "import missing groups from {{ldif_docker_path}} to OpenLDAP"
shell: > shell: >
docker exec -i openldap ldapadd -x -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{groups_ldif_docker_path}}" docker exec -i openldap {{ 'ldapmodify' if applications.ldap.openldap.modify|bool else 'ldapadd' }} -x -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}{{ item }}"
loop: "{{ ldif_files }}"
register: ldapadd_result register: ldapadd_result
changed_when: "'adding new entry' in ldapadd_result.stdout" changed_when: "'adding new entry' in ldapadd_result.stdout"
# Allow return code 0 (all entries added) or 68 (entry already exists) # Allow return code 0 (all entries added) or 68 (entry already exists)

15
roles/docker-ldap/tasks/main.yml
View File

@ -48,9 +48,16 @@
- name: flush docker service - name: flush docker service
meta: flush_handlers meta: flush_handlers
- name: "create {{groups_ldif_host_path}}" - name: "create directory {{ldif_host_path}}"
file:
path: "{{ldif_host_path}}"
state: directory
mode: 0755
- name: "Create LDIF files at {{ldif_host_path}}"
template: template:
src: "groups.ldif.j2" src: "templates/ldif/{{item}}.j2"
dest: "{{groups_ldif_host_path}}" dest: "{{ldif_host_path}}{{item}}"
mode: '770' mode: '770'
notify: Import missing groups to OpenLDAP notify: Import missing groups to OpenLDAP
loop: "{{ldif_files}}"

2
roles/docker-ldap/templates/docker-compose.yml.j2
View File

@ -32,7 +32,7 @@ services:
{% endif %} {% endif %}
volumes: volumes:
- 'data:/bitnami/openldap' - 'data:/bitnami/openldap'
- '{{groups_ldif_host_path}}:{{groups_ldif_docker_path}}:ro' # Mounting the groups for importing - '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import
healthcheck: healthcheck:
test: > test: >
ldapsearch -x -H ldap://localhost:389 -b "{{ldap_root}}" -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}" ldapsearch -x -H ldap://localhost:389 -b "{{ldap_root}}" -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}"

3
roles/docker-ldap/templates/groups.ldif.j2 → roles/docker-ldap/templates/ldif/groups.ldif.j2
View File

@ -1,5 +1,6 @@
####################################################################### #######################################################################
# This file contains the CyMaIS default groups # This file contains the CyMaIS default groups #
# Groupps define which kind of applications users have access to #
####################################################################### #######################################################################
####################################################################### #######################################################################

75
roles/docker-ldap/templates/ldif/roles.ldif.j2 Normal file
View File

@ -0,0 +1,75 @@
#######################################################################
# This file contains the CyMaIS default roles
# Roles define which kind of rights users have
#######################################################################
#######################################################################
# Generic container for IT roles
#######################################################################
dn: ou=roles,dc=example,dc=com
objectClass: organizationalUnit
ou: roles
description: Container for generic IT roles (for rights management)
#######################################################################
# Role: Super Administrator
#######################################################################
dn: cn=superadministrator,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: superadministrator
description: Role: Super Administrator has full control over all systems and settings.
uniqueMember: cn=dummy,ou=users,dc=example,dc=com
#######################################################################
# Role: Administrator
#######################################################################
dn: cn=administrator,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: administrator
description: Role: Administrator responsible for overall system management and configuration.
uniqueMember: cn=dummy,ou=users,dc=example,dc=com
#######################################################################
# Role: Manager
#######################################################################
dn: cn=manager,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: manager
description: Role: Manager oversees operations, approves changes, and coordinates teams.
uniqueMember: cn=dummy,ou=users,dc=example,dc=com
#######################################################################
# Role: Moderator
#######################################################################
dn: cn=moderator,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: moderator
description: Role: Moderator monitors activity and handles conflict resolution.
uniqueMember: cn=dummy,ou=users,dc=example,dc=com
#######################################################################
# Role: Publisher
#######################################################################
dn: cn=publisher,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: publisher
description: Role: Publisher responsible for releasing content or updates.
uniqueMember: cn=dummy,ou=users,dc=example,dc=com
#######################################################################
# Role: Contributor
#######################################################################
dn: cn=contributor,ou=roles,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: contributor
description: Contributor (Allowed to participate, but not to publish)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Subscriber
#######################################################################
dn: cn=subscriber,ou=roles,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: subscriber
description: Subscriber (read-only; manage own profile)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world

1
roles/docker-ldap/templates/ldif/users.ldif.j2 Normal file
View File

@ -0,0 +1 @@
# Default users

9
roles/docker-ldap/vars/main.yml
View File

@ -11,5 +11,10 @@ oauth2_proxy_active: true
enable_wildcard_certificate: false # Activate dedicated Certificate enable_wildcard_certificate: false # Activate dedicated Certificate
groups_ldif_host_path: "{{docker_compose.directories.volumes}}groups.ldif" # Path inside the host # Configuration for ldif import
groups_ldif_docker_path: "/tmp/groups.ldif" # Path inside the docker container ldif_files:
- "groups.ldif"
- "roles.ldif"
- "users.ldif"
ldif_host_path: "{{docker_compose.directories.volumes}}ldif/"
ldif_docker_path: "/tmp/ldif/"