kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-02-22 12:29:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Optimized setup routine for memberOf ldap

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-02-12 19:06:32 +01:00
parent d947d0a49d
commit e947c203a1
13 changed files with 210 additions and 259 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
group_vars/all/07_applications.yml
View File

@ -76,7 +76,6 @@ defaults_applications:
local: True # Activates local network to allow other docker containers to connect
public: False # Set to true in inventory file if you want to expose the LDAP port to the internet
hostname: "openldap" # Hostname of the LDAP Server in the central_ldap network
modify: False # When false entries will just be added, when true existing entries will be modified during import procedure
phpldapadmin:
version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin

40
roles/docker-ldap/README.md
View File

@ -18,6 +18,46 @@ This Ansible role provides a streamlined implementation of an LDAP server with T
--
## Maintanance
### Show Config
```bash
docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config'"
```
```bash
docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=*)'"
```
```bash
docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=olcModuleList)'"
```
## install
### MemberOf
```bash
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: /opt/bitnami/openldap/lib/openldap/memberof.so
EOF
ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfDangling: ignore
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOF
```
### Show all Entires
```bash
docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world'";

26
roles/docker-ldap/handlers/main.yml
View File

@ -1,9 +1,27 @@
- name: "import missing groups from {{ldif_docker_path}} to OpenLDAP"
- name: Load memberof module from file in OpenLDAP container
shell: >
docker exec -i openldap {{ 'ldapmodify' if applications.ldap.openldap.modify|bool else 'ldapadd' }} -x -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}{{ item }}"
loop: "{{ ldif_files }}"
docker exec -i openldap ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}01_member_of_configuration.ldif
listen: "Import LDIF files"
- name: Refint Module Activation for OpenLDAP
shell: >
docker exec -i openldap ldapadd -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}02_member_of_configuration.ldif
listen: "Import LDIF files"
register: ldapadd_result
failed_when: ldapadd_result.rc not in [0, 68]
- name: Refint Overlay Configuration for OpenLDAP
shell: >
docker exec -i openldap modify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}02_member_of_configuration.ldif
listen: "Import LDIF files"
register: ldapadd_result
failed_when: ldapadd_result.rc not in [0, 68]
- name: "Import Access Roles to OpenLDAP"
shell: >
docker exec -i openldap ldapadd -x -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif"
register: ldapadd_result
changed_when: "'adding new entry' in ldapadd_result.stdout"
# Allow return code 0 (all entries added) or 68 (entry already exists)
failed_when: ldapadd_result.rc not in [0, 68]
listen: "Import missing groups to OpenLDAP"
listen: "Import LDIF files"

10
roles/docker-ldap/tasks/main.yml
View File

@ -54,10 +54,10 @@
state: directory
mode: 0755
- name: "Create LDIF files at {{ldif_host_path}}"
- name: "Create LDIF files at {{ ldif_host_path }}"
template:
src: "templates/ldif/{{item}}.j2"
dest: "{{ldif_host_path}}{{item}}"
src: "{{ item }}"
dest: "{{ ldif_host_path }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
mode: '770'
notify: Import missing groups to OpenLDAP
loop: "{{ldif_files}}"
loop: "{{ lookup('fileglob', '{{ role_path }}/templates/ldif/*.j2', wantlist=True) }}"
notify: Import LDIF files

45
roles/docker-ldap/templates/ldif/01_member_of_configuration.ldif.j2 Normal file
View File

@ -0,0 +1,45 @@
# MemberOf Overlay Configuration for OpenLDAP
#
# This file activates the memberOf module and configures the memberOf overlay,
# which is required by Nextcloud for proper group management.
# @see https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
# @see https://www.adimian.com/blog/how-to-enable-memberof-using-openldap/
#
# The first section loads the memberof module from the specified path.
# - olcModuleLoad: Specifies that the "memberof" module should be loaded.
# - olcModulePath: Provides the full path to the memberof shared object.
#
# The second section configures the memberOf overlay for the designated database.
# - The DN "olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config" sets up the overlay
# on the database backend (here assumed to be "hdb").
# - olcMemberOfDangling: ignore
# Instructs the overlay to ignore references to non-existent objects.
# - olcMemberOfRefInt: TRUE
# Enables referential integrity so that changes in group membership automatically
# update the user's "memberOf" attribute.
# - olcMemberOfGroupOC: groupOfNames
# Specifies that the overlay applies to groups with the object class "groupOfNames".
# - olcMemberOfMemberAD: member
# Indicates that the group's membership is stored in the "member" attribute.
# - olcMemberOfMemberOfAD: memberOf
# Defines that the overlay will maintain the "memberOf" attribute in user entries.
#
# IMPORTANT: All groups created before enabling this module must be deleted and recreated,
# as the overlay only assigns the "member" attribute when a new group is created.
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /opt/bitnami/openldap/lib/openldap/memberof.so
dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

10
roles/docker-ldap/templates/ldif/02_member_of_configuration.ldif.j2 Normal file
View File

@ -0,0 +1,10 @@
# Refint Module Activation for OpenLDAP
#
# This section adds the refint module to the LDAP configuration.
# The refint module ensures referential integrity by automatically updating
# or removing references when objects are renamed or deleted.
#
# In this file, the "olcmoduleload" attribute is used to load the "refint" module.
dn: cn=module{1},cn=config
add: olcmoduleload
olcmoduleload: refint

23
roles/docker-ldap/templates/ldif/03_member_of_configuration.ldif.j2 Normal file
View File

@ -0,0 +1,23 @@
# Refint Overlay Configuration for OpenLDAP
#
# This file configures the refint overlay for the specified LDAP database.
#
# The overlay is applied to the database (here using the "hdb" backend) and is
# responsible for maintaining referential integrity.
#
# The attribute "olcRefintAttribute" lists the attributes that will be monitored
# for changes. In this case, changes to the following attributes will be tracked:
# - memberof
# - member
# - manager
# - owner
#
# This ensures that any changes in the LDAP directory (such as deletion or modification
# of an object) automatically update all references to that object, preventing dangling references.
dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner

57
roles/docker-ldap/templates/ldif/04_access_roles.ldif.j2 Normal file
View File

@ -0,0 +1,57 @@
#######################################################################
# This file contains the CyMaIS default roles (converted to posix groups)
# Roles define which kind of rights users have.
#######################################################################
#######################################################################
# Generic container for IT roles
#######################################################################
dn: {{dn_roles}}
objectClass: organizationalUnit
ou: roles
description: Container for IT access profiles (for rights management)
#######################################################################
# Role: Super Administrator
#######################################################################
dn: cn=superadministrator,{{dn_roles}}
objectClass: posixGroup
cn: superadministrator
gidNumber: 1000
description: Role: Super Administrator has full control over all systems and settings.
#######################################################################
# Role: Administrator
#######################################################################
dn: cn=administrator,{{dn_roles}}
objectClass: posixGroup
cn: administrator
gidNumber: 1001
description: Role: Administrator responsible for overall system management and configuration.
#######################################################################
# Role: Manager
#######################################################################
dn: cn=manager,{{dn_roles}}
objectClass: posixGroup
cn: manager
gidNumber: 1002
description: Role: Manager oversees operations, approves changes, and coordinates teams.
#######################################################################
# Role: Moderator
#######################################################################
dn: cn=moderator,{{dn_roles}}
objectClass: posixGroup
cn: moderator
gidNumber: 1003
description: Role: Moderator monitors activity and handles conflict resolution.
#######################################################################
# Role: User
#######################################################################
dn: cn=user,{{dn_roles}}
objectClass: posixGroup
cn: user
gidNumber: 1004
description: Role: User - Uses the software

147
roles/docker-ldap/templates/ldif/groups.ldif.j2
View File

@ -1,147 +0,0 @@
#######################################################################
# This file contains the CyMaIS default groups #
# Groupps define which kind of applications users have access to #
#######################################################################
#######################################################################
# Base container for all role-based groups
#######################################################################
dn: ou=groups,dc=veen,dc=world
objectClass: organizationalUnit
ou: groups
description: Container for all role-based groups (by function/profession)
#######################################################################
# Role: Administrators
#######################################################################
dn: cn=administrator,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: administrators
description: Role: Administrators of this system
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Developer
#######################################################################
dn: cn=developer,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: developer
description: Role: Developer and DevOps (coding, automation, CI/CD, etc.)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Project Manager
#######################################################################
dn: cn=projectmanager,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: projectmanager
description: Role: Project Manager and Collaboration (project planning, task management, etc.)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Communication Specialist
#######################################################################
dn: cn=communicationspecialist,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: communicationspecialist
description: Role: Communication Specialist (community management, messaging, social networks, etc.)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Content Manager
#######################################################################
dn: cn=contentmanager,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: contentmanager
description: Role: Content Manager/CMS Administrator (content creation, website management, etc.)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Marketing Analyst
#######################################################################
dn: cn=marketinganalyst,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: marketinganalyst
description: Role: Marketing Analyst (marketing, finance, and analytics)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: DevOps Engineer
#######################################################################
dn: cn=devopsengineer,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: devopsengineer
description: Role: DevOps Engineer (continuous integration, deployment, and container orchestration)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Database Administrator
#######################################################################
dn: cn=databaseadministrator,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: databaseadministrator
description: Role: Database Administrator (database management and data integrity)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Security Specialist
#######################################################################
dn: cn=securityspecialist,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: securityspecialist
description: Role: Security Specialist (container security, vulnerability assessments, and compliance)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Network Administrator
#######################################################################
dn: cn=networkadministrator,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: networkadministrator
description: Role: Network Administrator (network configuration, connectivity, and firewall management)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: IT Support Specialist
#######################################################################
dn: cn=itsupportspecialist,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: itsupportspecialist
description: Role: IT Support Specialist (technical support and troubleshooting)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Quality Assurance Engineer
#######################################################################
dn: cn=qualityassuranceengineer,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: qualityassuranceengineer
description: Role: Quality Assurance Engineer (testing and ensuring software quality)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Business Analyst
#######################################################################
dn: cn=businessanalyst,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: businessanalyst
description: Role: Business Analyst (analyzing business requirements and translating them into technical needs)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Product Owner
#######################################################################
dn: cn=productowner,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: productowner
description: Role: Product Owner (oversees product strategy and manages feature prioritization)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Operations Manager
#######################################################################
dn: cn=operationsmanager,ou=groups,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: operationsmanager
description: Role: Operations Manager (oversees daily operations and ensures system performance)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world

75
roles/docker-ldap/templates/ldif/roles.ldif.j2
View File

@ -1,75 +0,0 @@
#######################################################################
# This file contains the CyMaIS default roles
# Roles define which kind of rights users have
#######################################################################
#######################################################################
# Generic container for IT roles
#######################################################################
dn: ou=roles,dc=example,dc=com
objectClass: organizationalUnit
ou: roles
description: Container for generic IT roles (for rights management)
#######################################################################
# Role: Super Administrator
#######################################################################
dn: cn=superadministrator,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: superadministrator
description: Role: Super Administrator has full control over all systems and settings.
uniqueMember: cn=dummy,ou=users,dc=example,dc=com
#######################################################################
# Role: Administrator
#######################################################################
dn: cn=administrator,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: administrator
description: Role: Administrator responsible for overall system management and configuration.
uniqueMember: cn=dummy,ou=users,dc=example,dc=com
#######################################################################
# Role: Manager
#######################################################################
dn: cn=manager,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: manager
description: Role: Manager oversees operations, approves changes, and coordinates teams.
uniqueMember: cn=dummy,ou=users,dc=example,dc=com
#######################################################################
# Role: Moderator
#######################################################################
dn: cn=moderator,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: moderator
description: Role: Moderator monitors activity and handles conflict resolution.
uniqueMember: cn=dummy,ou=users,dc=example,dc=com
#######################################################################
# Role: Publisher
#######################################################################
dn: cn=publisher,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: publisher
description: Role: Publisher responsible for releasing content or updates.
uniqueMember: cn=dummy,ou=users,dc=example,dc=com
#######################################################################
# Role: Contributor
#######################################################################
dn: cn=contributor,ou=roles,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: contributor
description: Contributor (Allowed to participate, but not to publish)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
#######################################################################
# Role: Subscriber
#######################################################################
dn: cn=subscriber,ou=roles,dc=veen,dc=world
objectClass: groupOfUniqueNames
cn: subscriber
description: Subscriber (read-only; manage own profile)
uniqueMember: cn=dummy,ou=users,dc=veen,dc=world

1
roles/docker-ldap/templates/ldif/users.ldif.j2
View File

@ -1 +0,0 @@
# Default users

11
roles/docker-ldap/vars/main.yml
View File

@ -11,8 +11,11 @@ enable_wildcard_certificate: false # Activate dedicated Certificate
# Configuration for ldif import
ldif_files:
- "groups.ldif"
- "roles.ldif"
- "users.ldif"
- "01_member_of_configuration.ldif"
- "02_member_of_configuration.ldif"
- "03_member_of_configuration.ldif"
- "04_access_profiles.ldif"
ldif_host_path: "{{docker_compose.directories.volumes}}ldif/"
ldif_docker_path: "/tmp/ldif/"
ldif_docker_path: "/tmp/ldif/"
dn_roles: "ou=access_roles,{{ldap.dn.root}}"

23
roles/docker-nextcloud/README.md
View File

@ -127,28 +127,7 @@ OIDC is supported in this role—for example, via **Keycloak**. OIDC-specific ta
## LDAP
---
## Architecture
### MariaDB
Until Nextcloud 24, the MariaDB version must be used.
---
## Performance: 504 Gateway Timeout ⏱️
```bash
docker-compose logs web --tail 1000 | grep 504
```
#### See:
- [F5 Support: K48373902](https://support.f5.com/csp/article/K48373902)
- [Nextcloud Server Issue #25436](https://github.com/nextcloud/server/issues/25436)
- [Nextcloud 21.0.2 Update Error](https://help.nextcloud.com/t/update-to-next-cloud-21-0-2-has-get-an-error/117028/23?page=2)
- [ServerFault: Nginx PHP-FPM 504 Error](https://serverfault.com/questions/178671/nginx-php-fpm-504-gateway-time-out-error-with-almost-zero-load-on-a-test-se)
- [Manual LEMP Install Timeout](https://help.nextcloud.com/t/solved-manual-lemp-install-php-fpm-timing-out/39070)
More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
---