Refactor LDAP variable schema to use top-level constant LDAP and nested ALL-CAPS keys.

- Converted group_vars/all/13_ldap.yml from lower-case to ALL-CAPS nested keys. - Updated all roles, tasks, templates, and filter_plugins to reference LDAP.* instead of ldap.*. - Fixed Keycloak JSON templates to properly quote Jinja variables. - Adjusted svc-db-openldap filter plugins and unit tests to handle new LDAP structure. - Updated integration test to only check uniqueness of TOP-LEVEL ALL-CAPS constants, ignoring nested keys. See: https://chatgpt.com/share/68b01017-efe0-800f-a508-7d7e2f1c8c8d
2025-11-04 04:08:15 +00:00 · 2025-08-28 10:15:48 +02:00
parent b9da6908ec
commit cb66fb2978
33 changed files with 238 additions and 249 deletions
--- a/roles/svc-db-openldap/tasks/01_credentials.yml
+++ b/roles/svc-db-openldap/tasks/01_credentials.yml
@@ -28,7 +28,7 @@
 - name: "Generate hash for Database Admin password"
  shell: |
    docker exec {{ openldap_name }} \
-      slappasswd -s "{{ ldap.bind_credential }}"
+      slappasswd -s "{{ LDAP.BIND_CREDENTIAL }}"
  register: database_admin_pw_hash

 - name: "Reset Database Admin password in LDAP (olcRootPW)"
--- a/roles/svc-db-openldap/tasks/03_users.yml
+++ b/roles/svc-db-openldap/tasks/03_users.yml
@@ -3,11 +3,11 @@
 ###############################################################################
 - name: Ensure LDAP users exist
  community.general.ldap_entry:
-    dn:           "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}"
+    dn:           "{{ LDAP.USER.ATTRIBUTES.ID }}={{ item.key }},{{ LDAP.DN.OU.USERS }}"
    server_uri:   "{{ openldap_server_uri }}"
-    bind_dn:      "{{ ldap.dn.administrator.data }}"
-    bind_pw:      "{{ ldap.bind_credential }}"
-    objectClass:  "{{ ldap.user.objects.structural }}"
+    bind_dn:      "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
+    bind_pw:      "{{ LDAP.BIND_CREDENTIAL }}"
+    objectClass:  "{{ LDAP.USER.OBJECTS.STRUCTURAL }}"
    attributes:
      uid:           "{{ item.value.username }}"
      sn:            "{{ item.value.sn  | default(item.key) }}"
@@ -29,12 +29,12 @@
 ###############################################################################
 - name: Ensure required objectClass values and mail address are present
  community.general.ldap_attrs:
-    dn: "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}"
+    dn: "{{ LDAP.USER.ATTRIBUTES.ID }}={{ item.key }},{{ LDAP.DN.OU.USERS }}"
    server_uri: "{{ openldap_server_uri }}"
-    bind_dn: "{{ ldap.dn.administrator.data }}"
-    bind_pw: "{{ ldap.bind_credential }}"
+    bind_dn: "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
+    bind_pw: "{{ LDAP.BIND_CREDENTIAL }}"
    attributes:
-      objectClass: "{{ ldap.user.objects.structural }}"
+      objectClass: "{{ LDAP.USER.OBJECTS.STRUCTURAL }}"
      mail:        "{{ item.value.email }}"
    state: exact
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
@@ -45,10 +45,10 @@

 - name: "Ensure container for application roles exists"
  community.general.ldap_entry:
-    dn: "{{ ldap.dn.ou.roles }}"
+    dn: "{{ LDAP.DN.OU.ROLES }}"
    server_uri: "{{ openldap_server_uri }}"
-    bind_dn:  "{{ ldap.dn.administrator.data }}"
-    bind_pw:  "{{ ldap.bind_credential }}"
+    bind_dn:  "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
+    bind_pw:  "{{ LDAP.BIND_CREDENTIAL }}"
    objectClass: organizationalUnit
    attributes:
      ou: roles
--- a/roles/svc-db-openldap/tasks/04_update.yml
+++ b/roles/svc-db-openldap/tasks/04_update.yml
@@ -1,22 +1,22 @@
 - name: Gather all users with their current objectClass list
  community.general.ldap_search:
    server_uri: "{{ openldap_server_uri }}"
-    bind_dn:    "{{ ldap.dn.administrator.data }}"
-    bind_pw:    "{{ ldap.bind_credential }}"
-    dn:         "{{ ldap.dn.ou.users }}"
+    bind_dn:    "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
+    bind_pw:    "{{ LDAP.BIND_CREDENTIAL }}"
+    dn:         "{{ LDAP.DN.OU.USERS }}"
    scope:      subordinate
-    filter:     "{{ ldap.filters.users.all }}"
+    filter:     "{{ LDAP.FILTERS.USERS.ALL }}"
    attrs:
      - dn
      - objectClass
-      - "{{ ldap.user.attributes.id }}"
+      - "{{ LDAP.USER.ATTRIBUTES.ID }}"
  register: ldap_users_with_classes

 - name: Add only missing auxiliary classes
  community.general.ldap_attrs:
    server_uri: "{{ openldap_server_uri }}"
-    bind_dn:    "{{ ldap.dn.administrator.data }}"
-    bind_pw:    "{{ ldap.bind_credential }}"
+    bind_dn:    "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
+    bind_pw:    "{{ LDAP.BIND_CREDENTIAL }}"
    dn:         "{{ item.dn }}"
    attributes:
      objectClass: "{{ missing_auxiliary }}"
@@ -28,7 +28,7 @@
    label: "{{ item.dn }}"
  vars:
    missing_auxiliary: >-
-      {{ (ldap.user.objects.auxiliary.values() | list) 
+      {{ (LDAP.USER.OBJECTS.AUXILIARY.values() | list) 
         | difference(item.objectClass | default([]))
      }}
  when: missing_auxiliary | length > 0
--- a/roles/svc-db-openldap/tasks/schemas/nextcloud.yml
+++ b/roles/svc-db-openldap/tasks/schemas/nextcloud.yml
@@ -8,9 +8,9 @@
  vars:
    schema_name: "nextcloud"
    attribute_defs:
-      - "( 1.3.6.1.4.1.99999.1 NAME '{{ ldap.user.attributes.nextcloud_quota }}' DESC 'Quota for Nextcloud' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )"
+      - "( 1.3.6.1.4.1.99999.1 NAME '{{ LDAP.USER.ATTRIBUTES.NEXTCLOUD_QUOTA }}' DESC 'Quota for Nextcloud' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )"
    objectclass_defs:
-      - "( 1.3.6.1.4.1.99999.2 NAME 'nextcloudUser' DESC 'Auxiliary class for Nextcloud attributes' AUXILIARY MAY ( {{ ldap.user.attributes.nextcloud_quota }} ) )"
+      - "( 1.3.6.1.4.1.99999.2 NAME '{{ LDAP.USER.OBJECTS.AUXILIARY.NEXTCLOUD_USER }}' DESC 'Auxiliary class for Nextcloud attributes' AUXILIARY MAY ( {{ LDAP.USER.ATTRIBUTES.NEXTCLOUD_QUOTA }} ) )"
  command: >
    ldapsm
      -s {{ openldap_server_uri }}
--- a/roles/svc-db-openldap/tasks/schemas/openssh_lpk.yml
+++ b/roles/svc-db-openldap/tasks/schemas/openssh_lpk.yml
@@ -8,16 +8,16 @@
  vars:
    schema_name: "openssh-lpk"
    attribute_defs:
-      - "( 1.3.6.1.4.1.24552.1.1 NAME '{{ ldap.user.attributes.ssh_public_key }}' DESC 'OpenSSH Public Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
+      - "( 1.3.6.1.4.1.24552.1.1 NAME '{{ LDAP.USER.ATTRIBUTES.SSH_PUBLIC_KEY }}' DESC 'OpenSSH Public Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
      - "( 1.3.6.1.4.1.24552.1.2 NAME 'sshFingerprint' DESC 'OpenSSH Public Key Fingerprint' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
    objectclass_defs:
      - >-
        ( 1.3.6.1.4.1.24552.2.1
-          NAME '{{ ldap.user.objects.auxiliary.ssh_public_key }}'
+          NAME '{{ LDAP.USER.OBJECTS.AUXILIARY.SSH_PUBLIC_KEY }}'
          DESC 'Auxiliary class for OpenSSH public keys'
          SUP top
          AUXILIARY
-          MAY ( {{ ldap.user.attributes.ssh_public_key }} $ sshFingerprint ) )
+          MAY ( {{ LDAP.USER.ATTRIBUTES.SSH_PUBLIC_KEY }} $ sshFingerprint ) )

  command: >
    ldapsm