Added ldap ldif import draft

2025-02-22 12:29:39 +01:00 · 2025-02-11 18:09:26 +01:00 · 2025-02-11 18:09:26 +01:00 · c687b19a6d
commit c687b19a6d
parent e193e92443
9 changed files with 103 additions and 12 deletions
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@ -8,7 +8,7 @@ docker_restart_policy:        "unless-stopped"
 ##############################################

 # By default don't expose openldap to the internet, just if explicit configured
-_ldap_openldap_expose_to_internet:       "{{ applications.ldap.openldap.expose_to_internet if applications.ldap is defined and applications.ldap.openldap is defined else false}}"
+_ldap_openldap_expose_to_internet:       "{{ applications.ldap.openldap.expose_to_internet | default(False) if applications.ldap is defined and applications.ldap.openldap is defined else false}}"

 defaults_applications:

@ -74,6 +74,7 @@ defaults_applications:
      version:                        "latest"
      expose_to_internet:             "{{_ldap_openldap_expose_to_internet}}"   # Set to true if you want to expose the LDAP port to the internet
      domain:                         "{{domains.ldap if _ldap_openldap_expose_to_internet else 'openldap'}}" # Mapping for public or locale access
+      modify:                         False                                     # When false entries will just be added, when true existing entries will be modified during import procedure
    phpldapadmin:
      version:                        "2.0.0-dev"                               # @todo Attention: Change this as fast as released to latest
    webinterface:                     "lam"                                     # The webinterface which should be used. Possible: lam and phpldapadmin
--- a/roles/docker-ldap/README.md
+++ b/roles/docker-ldap/README.md
@ -20,7 +20,7 @@ This Ansible role provides a streamlined implementation of an LDAP server with T
 ## Maintanance
 ### Show all Entires
 ```bash 
-docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world'
+docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world'";
 ```

 ### Delete Groups and Subgroup
--- a/roles/docker-ldap/handlers/main.yml
+++ b/roles/docker-ldap/handlers/main.yml
@ -1,6 +1,7 @@
- name: "import missing groups from {{groups_ldif_docker_path}} to OpenLDAP"
+- name: "import missing groups from {{ldif_docker_path}} to OpenLDAP"
  shell: >
-    docker exec -i openldap ldapadd -x -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{groups_ldif_docker_path}}"
+    docker exec -i openldap {{ 'ldapmodify' if applications.ldap.openldap.modify|bool else 'ldapadd' }} -x -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}{{ item }}"
+  loop: "{{ ldif_files }}"
  register: ldapadd_result
  changed_when: "'adding new entry' in ldapadd_result.stdout"
  # Allow return code 0 (all entries added) or 68 (entry already exists)
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@ -48,9 +48,16 @@
 - name: flush docker service
  meta: flush_handlers

- name: "create {{groups_ldif_host_path}}"
+- name: "create directory {{ldif_host_path}}"
+  file:
+    path: "{{ldif_host_path}}"
+    state: directory
+    mode: 0755
+
+- name: "Create LDIF files at {{ldif_host_path}}"
  template:
-    src:  "groups.ldif.j2" 
-    dest: "{{groups_ldif_host_path}}"
+    src:  "templates/ldif/{{item}}.j2" 
+    dest: "{{ldif_host_path}}{{item}}"
    mode: '770'
  notify: Import missing groups to OpenLDAP
+  loop: "{{ldif_files}}"
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@ -32,7 +32,7 @@ services:
 {% endif %}
    volumes:
      - 'data:/bitnami/openldap'
-      - '{{groups_ldif_host_path}}:{{groups_ldif_docker_path}}:ro'  # Mounting the groups for importing
+      - '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import
    healthcheck:
      test: >
        ldapsearch -x -H ldap://localhost:389 -b "{{ldap_root}}" -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}"
--- a/roles/docker-ldap/templates/ldif/groups.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/groups.ldif.j2
@ -1,5 +1,6 @@
 #######################################################################
-# This file contains the CyMaIS default groups
+# This file contains the CyMaIS default groups                        # 
+# Groupps define which kind of applications users have access to      #
 #######################################################################

 #######################################################################
--- a/roles/docker-ldap/templates/ldif/roles.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/roles.ldif.j2
@ -0,0 +1,75 @@
+#######################################################################
+# This file contains the CyMaIS default roles                          
+# Roles define which kind of rights users have                        
+#######################################################################
+
+#######################################################################
+# Generic container for IT roles
+#######################################################################
+dn: ou=roles,dc=example,dc=com
+objectClass: organizationalUnit
+ou: roles
+description: Container for generic IT roles (for rights management)
+
+#######################################################################
+# Role: Super Administrator
+#######################################################################
+dn: cn=superadministrator,ou=roles,dc=example,dc=com
+objectClass: groupOfUniqueNames
+cn: superadministrator
+description: Role: Super Administrator – has full control over all systems and settings.
+uniqueMember: cn=dummy,ou=users,dc=example,dc=com
+
+#######################################################################
+# Role: Administrator
+#######################################################################
+dn: cn=administrator,ou=roles,dc=example,dc=com
+objectClass: groupOfUniqueNames
+cn: administrator
+description: Role: Administrator – responsible for overall system management and configuration.
+uniqueMember: cn=dummy,ou=users,dc=example,dc=com
+
+#######################################################################
+# Role: Manager
+#######################################################################
+dn: cn=manager,ou=roles,dc=example,dc=com
+objectClass: groupOfUniqueNames
+cn: manager
+description: Role: Manager – oversees operations, approves changes, and coordinates teams.
+uniqueMember: cn=dummy,ou=users,dc=example,dc=com
+
+#######################################################################
+# Role: Moderator
+#######################################################################
+dn: cn=moderator,ou=roles,dc=example,dc=com
+objectClass: groupOfUniqueNames
+cn: moderator
+description: Role: Moderator – monitors activity and handles conflict resolution.
+uniqueMember: cn=dummy,ou=users,dc=example,dc=com
+
+#######################################################################
+# Role: Publisher
+#######################################################################
+dn: cn=publisher,ou=roles,dc=example,dc=com
+objectClass: groupOfUniqueNames
+cn: publisher
+description: Role: Publisher – responsible for releasing content or updates.
+uniqueMember: cn=dummy,ou=users,dc=example,dc=com
+
+#######################################################################
+# Role: Contributor
+#######################################################################
+dn: cn=contributor,ou=roles,dc=veen,dc=world
+objectClass: groupOfUniqueNames
+cn: contributor
+description: Contributor (Allowed to participate, but not to publish)
+uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
+
+#######################################################################
+# Role: Subscriber
+#######################################################################
+dn: cn=subscriber,ou=roles,dc=veen,dc=world
+objectClass: groupOfUniqueNames
+cn: subscriber
+description: Subscriber (read-only; manage own profile)
+uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
--- a/roles/docker-ldap/templates/ldif/users.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/users.ldif.j2
@ -0,0 +1 @@
+# Default users
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@ -11,5 +11,10 @@ oauth2_proxy_active:                        true

 enable_wildcard_certificate:  false # Activate dedicated Certificate

-groups_ldif_host_path:    "{{docker_compose.directories.volumes}}groups.ldif" # Path inside the host
-groups_ldif_docker_path:  "/tmp/groups.ldif"                                  # Path inside the docker container
+# Configuration for ldif import
+ldif_files:
+  - "groups.ldif"
+  - "roles.ldif"
+  - "users.ldif"
+ldif_host_path:     "{{docker_compose.directories.volumes}}ldif/"
+ldif_docker_path:   "/tmp/ldif/"