From e193e9244304c016da4c48f73c7be70b6b375e38 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Tue, 11 Feb 2025 16:19:08 +0100 Subject: [PATCH] Added ldap roles draft --- roles/docker-ldap/README.md | 79 ++-------------- roles/docker-ldap/handlers/main.yml | 8 ++ roles/docker-ldap/tasks/main.yml | 12 ++- .../templates/docker-compose.yml.j2 | 1 + .../templates/{groups.ldif => groups.ldif.j2} | 92 ++++++++----------- roles/docker-ldap/vars/main.yml | 5 +- 6 files changed, 71 insertions(+), 126 deletions(-) create mode 100644 roles/docker-ldap/handlers/main.yml rename roles/docker-ldap/templates/{groups.ldif => groups.ldif.j2} (74%) diff --git a/roles/docker-ldap/README.md b/roles/docker-ldap/README.md index 5c5590bd..fe5632c1 100644 --- a/roles/docker-ldap/README.md +++ b/roles/docker-ldap/README.md 
@@ -16,80 +16,21 @@ This Ansible role provides a streamlined implementation of an LDAP server with T - **Healthcheck Support**: - Ensures that the LDAP service is healthy and accessible using `ldapsearch`. ---- - -## πŸ“‹ **Requirements** - -### Prerequisites -- A valid domain name. -- Ansible installed on the deployment host. -- Docker and Docker Compose installed on the target host. - ---- - -## πŸ”§ **Role Variables** - -### Key Variables -| Variable | Description | Default Value | -|-------------------------------|----------------------------------------------------------|--------------------------------------| -| `application_id` | Name of the Docker Compose project. | `ldap` | -| `ldap_root` | Base DN for the LDAP directory. | `dc={{primary_domain_sld}},dc={{primary_domain_tld}}` | -| `ldap_admin_dn` | Distinguished Name (DN) for the LDAP administrator. | `cn={{applications.ldap.administrator_username}},{{ldap_root}}` | -| `cert_mount_directory` | Directory to mount SSL/TLS certificates. | `{{docker_compose.directories.instance}}/certs/` | -| `applications.ldap.administrator_username` | Username for the LDAP admin. | `admin` | -| `applications.ldap.administrator_password` | Password for the LDAP admin. | _Required_ | -| `applications.ldap.phpldapadmin.version` | Version of phpLDAPadmin Docker image. | `latest` | -| `applications.ldap.openldap.version` | Version of OpenLDAP Docker image. 
| `latest` | - ---- - -## πŸ“‚ **Role Structure** - -``` -roles/ - docker-ldap/ - README.md - vars/ - main.yml - tasks/ - main.yml - templates/ - docker-compose.yml.j2 - nginx.stream.conf.j2 +-- +## Maintanance +### Show all Entires +```bash +docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world' ``` ---- +### Delete Groups and Subgroup +To delete the group inclusive all subgroups use: +```bash +docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'ou=applications,ou=groups,dc=veen,dc=world' dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done" -## πŸ“– **Usage** - -Here’s an example playbook to use this role: - -```yaml -- name: Deploy LDAP - hosts: ldap_servers - roles: - - role: docker-ldap - vars: - docker_compose.directories.instance: "/opt/docker/ldap/" - primary_domain_sld: "veen" - primary_domain_tld: "world" - applications.ldap.administrator_username: "administrator" - applications.ldap.administrator_password: "secure_password_here" - applications.ldap.phpldapadmin.version: "latest" - applications.ldap.openldap.version: "latest" ``` -### **Steps to Deploy:** -1. Clone your playbook repository to the target server. -2. Run the playbook: - ```bash - ansible-playbook -i inventory playbook.yml - ``` -3. Access phpLDAPadmin: - - URL: `http://localhost:8080` (or your configured port) - - Login: Use the admin DN and password. - ---- +-- ## πŸ› οΈ **Technical Details** diff --git a/roles/docker-ldap/handlers/main.yml b/roles/docker-ldap/handlers/main.yml new file mode 100644 index 00000000..175212ef --- /dev/null +++ b/roles/docker-ldap/handlers/main.yml 
@@ -0,0 +1,8 @@
+- name: "import missing groups from {{groups_ldif_docker_path}} to OpenLDAP"
+ shell: >
+ docker exec -i openldap ldapadd -x -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{groups_ldif_docker_path}}"
+ register: ldapadd_result
+ changed_when: "'adding new entry' in ldapadd_result.stdout"
+ # Allow return code 0 (all entries added) or 68 (entry already exists)
+ failed_when: ldapadd_result.rc not in [0, 68]
+ listen: "Import missing groups to OpenLDAP"
\ No newline at end of file
diff --git a/roles/docker-ldap/tasks/main.yml b/roles/docker-ldap/tasks/main.yml
index b97c79aa..1c2d961f 100644
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@@ -43,4 +43,14 @@
 mode: '770'
 force: yes
 notify: docker compose project setup
- when: applications.ldap.webinterface == 'lam'
\ No newline at end of file
+ when: applications.ldap.webinterface == 'lam'
+
+- name: flush docker service
+ meta: flush_handlers
+
+- name: "create {{groups_ldif_host_path}}"
+ template:
+ src: "groups.ldif.j2"
+ dest: "{{groups_ldif_host_path}}"
+ mode: '770'
+ notify: Import missing groups to OpenLDAP
\ No newline at end of file
diff --git a/roles/docker-ldap/templates/docker-compose.yml.j2 b/roles/docker-ldap/templates/docker-compose.yml.j2
index 1cacc6ba..ba7a1825 100644
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@@ -32,6 +32,7 @@ services:
 {% endif %}
 volumes:
 - 'data:/bitnami/openldap'
+ - '{{groups_ldif_host_path}}:{{groups_ldif_docker_path}}:ro' # Mounting the groups for importing
 healthcheck:
 test: >
 ldapsearch -x -H ldap://localhost:389 -b "{{ldap_root}}" -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}"
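Review bot: The handler in handlers/main.yml passes `applications.ldap.administrator_database_password` as a literal `-w` argument of the `shell` command, so the secret is visible in the host's process list while `docker exec` runs and lands in Ansible's task output, the registered `ldapadd_result` and any log. Add `no_log: true` to the handler so the rendered command and its result are not logged, and pass the value through the quote filter, `-w {{ applications.ldap.administrator_database_password | quote }}`, so a password containing `"`, `$` or a space cannot break or alter the shell command. Keeping the password off argv entirely (for example a password file inside the container read with ldapadd's `-y` option) is the more durable fix.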
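Review bot: The `create {{groups_ldif_host_path}}` template task runs only after `meta: flush_handlers`, yet the docker-compose.yml.j2 hunk in this same commit bind-mounts that exact path into the container; if the `docker compose project setup` handler, flushed at that point, brings the project up before the file exists, Docker creates the missing host path as a directory, and both this template task and the handler's `ldapadd -f` then hit a directory instead of an LDIF file. Moving the template task in front of the `flush docker service` step avoids that, since the file is plain data and does not depend on a running container. Separately, `mode: '770'` gives a data file the execute bit; `mode: '0640'` is sufficient for a file the container only reads through its `:ro` mount. The name `flush docker service` is also misleading, because `meta: flush_handlers` runs every pending handler, not only the docker one.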
diff --git a/roles/docker-ldap/templates/groups.ldif b/roles/docker-ldap/templates/groups.ldif.j2
similarity index 74%
rename from roles/docker-ldap/templates/groups.ldif
rename to roles/docker-ldap/templates/groups.ldif.j2
index 6ef990c1..77d59ea6 100644
--- a/roles/docker-ldap/templates/groups.ldif
+++ b/roles/docker-ldap/templates/groups.ldif.j2
@@ -1,3 +1,7 @@
+#######################################################################
+# This file contains the CyMaIS default groups
+#######################################################################
+
 #######################################################################
 # Base container for all role-based groups
 #######################################################################
@@ -7,156 +11,136 @@ ou: groups description: Container for all role-based groups (by function/profession) ####################################################################### -# Role: System Administrator +# Role: Administrators ####################################################################### -dn: cn=systemadministrator,ou=groups,dc=veen,dc=world -objectClass: groupOfNames -cn: systemadministrator -description: Role: System Administrator (infrastructure, security, database management, etc.) -member: cn=dummy,ou=users,dc=veen,dc=world +dn: cn=administrator,ou=groups,dc=veen,dc=world +objectClass: groupOfUniqueNames +cn: administrators +description: Role: Administrators of this system +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: Developer ####################################################################### dn: cn=developer,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: developer description: Role: Developer and DevOps (coding, automation, CI/CD, etc.) -member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: Project Manager ####################################################################### dn: cn=projectmanager,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: projectmanager description: Role: Project Manager and Collaboration (project planning, task management, etc.) 
-member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: Communication Specialist ####################################################################### dn: cn=communicationspecialist,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: communicationspecialist description: Role: Communication Specialist (community management, messaging, social networks, etc.) -member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: Content Manager ####################################################################### dn: cn=contentmanager,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: contentmanager description: Role: Content Manager/CMS Administrator (content creation, website management, etc.) -member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: Marketing Analyst ####################################################################### dn: cn=marketinganalyst,ou=groups,dc=veen,dc=world -objectClass: groupOfNames -cn: marketinganalyst -description: Role: Marketing, Finance & Analytics (marketing platforms, financial reporting, analytics, etc.) 
-member: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Developer -####################################################################### -dn: cn=developer,ou=groups,dc=veen,dc=world -objectClass: groupOfNames -cn: developer -description: Role: Developer (coding, software development, and DevOps tasks) -member: cn=dummy,ou=users,dc=veen,dc=world - - -####################################################################### -# Role: Marketing Analyst -####################################################################### -dn: cn=marketinganalyst,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: marketinganalyst description: Role: Marketing Analyst (marketing, finance, and analytics) -member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: DevOps Engineer ####################################################################### dn: cn=devopsengineer,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: devopsengineer description: Role: DevOps Engineer (continuous integration, deployment, and container orchestration) -member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: Database Administrator ####################################################################### dn: cn=databaseadministrator,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: databaseadministrator description: Role: Database Administrator (database management and data integrity) -member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: Security Specialist 
####################################################################### dn: cn=securityspecialist,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: securityspecialist description: Role: Security Specialist (container security, vulnerability assessments, and compliance) -member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: Network Administrator ####################################################################### dn: cn=networkadministrator,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: networkadministrator description: Role: Network Administrator (network configuration, connectivity, and firewall management) -member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: IT Support Specialist ####################################################################### dn: cn=itsupportspecialist,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: itsupportspecialist description: Role: IT Support Specialist (technical support and troubleshooting) -member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: Quality Assurance Engineer ####################################################################### dn: cn=qualityassuranceengineer,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: qualityassuranceengineer description: Role: Quality Assurance Engineer (testing and ensuring software quality) -member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: Business 
Analyst ####################################################################### dn: cn=businessanalyst,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: businessanalyst description: Role: Business Analyst (analyzing business requirements and translating them into technical needs) -member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: Product Owner ####################################################################### dn: cn=productowner,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: productowner description: Role: Product Owner (oversees product strategy and manages feature prioritization) -member: cn=dummy,ou=users,dc=veen,dc=world +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world ####################################################################### # Role: Operations Manager ####################################################################### dn: cn=operationsmanager,ou=groups,dc=veen,dc=world -objectClass: groupOfNames +objectClass: groupOfUniqueNames cn: operationsmanager description: Role: Operations Manager (oversees daily operations and ensures system performance) -member: cn=dummy,ou=users,dc=veen,dc=world - +uniqueMember: cn=dummy,ou=users,dc=veen,dc=world diff --git a/roles/docker-ldap/vars/main.yml b/roles/docker-ldap/vars/main.yml index cae30837..cc159d28 100644 --- a/roles/docker-ldap/vars/main.yml +++ b/roles/docker-ldap/vars/main.yml 
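Review bot: In the Administrators stanza the RDN of `dn: cn=administrator,ou=groups,dc=veen,dc=world` does not match the entry's only attribute value `cn: administrators`; OpenLDAP rejects an add whose naming attribute value is not present in the entry (namingViolation), so this group is never created and, because the import handler only tolerates exit codes 0 and 68, the first handler run most likely fails as well. Changing the attribute line to `cn: administrator` (or the DN to `cn=administrators,ou=groups,...`) fixes it. The file is now a Jinja template (`groups.ldif.j2`) but every `dn` and `uniqueMember` still hardcodes `dc=veen,dc=world`, while the rest of the role derives the suffix from `ldap_root` (the docker-compose healthcheck passes `-b "{{ldap_root}}"`); `dn: cn=developer,ou=groups,{{ ldap_root }}` and `uniqueMember: cn=dummy,ou=users,{{ ldap_root }}` would make the template portable to other domains. A comment above the first group stating that `cn=dummy,ou=users,...` is a placeholder kept only because `groupOfUniqueNames` requires at least one `uniqueMember`, and that it is imported as a real membership, would also help the next maintainer.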
@@ -4,11 +4,12 @@ ldap_admin_dn: "cn={{applications.ldap.administrator_username}},{ ldap_secure_localhost_port: 1636 ldap_secure_internet_port: 636 ldap_localhost_port: 389 - +ldap_network_enabled: "{{ldap.enabled}}" # OAuth2 Proxy Configuration oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}" oauth2_proxy_active: true enable_wildcard_certificate: false # Activate dedicated Certificate -ldap_network_enabled: "{{ldap.enabled}}" \ No newline at end of file +groups_ldif_host_path: "{{docker_compose.directories.volumes}}groups.ldif" # Path inside the host +groups_ldif_docker_path: "/tmp/groups.ldif" # Path inside the docker container \ No newline at end of file
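Review bot: `groups_ldif_host_path` joins `{{docker_compose.directories.volumes}}` and `groups.ldif` with no separator, so the value is only a usable path if that directory variable is guaranteed to end in `/`; if it does not, the template task and the compose bind mount in this commit silently operate on a file whose name is the parent directory name with `groups.ldif` glued onto it. If the trailing-slash convention is intentional, a comment saying so, e.g. `# docker_compose.directories.volumes carries a trailing slash`, would keep a later cleanup from breaking it; otherwise `"{{ docker_compose.directories.volumes }}/groups.ldif"` is the safer join. The inline comment `# Path inside the host` could also name its consumers (written by the template task, mounted read-only by docker-compose.yml.j2) so the pairing with `groups_ldif_docker_path` is explicit.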