diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml index 8833f32a..a1298a2f 100644 --- a/group_vars/all/07_applications.yml +++ b/group_vars/all/07_applications.yml @@ -76,7 +76,6 @@ defaults_applications: local: True # Activates local network to allow other docker containers to connect public: False # Set to true in inventory file if you want to expose the LDAP port to the internet hostname: "openldap" # Hostname of the LDAP Server in the central_ldap network - modify: False # When false entries will just be added, when true existing entries will be modified during import procedure phpldapadmin: version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin diff --git a/roles/docker-ldap/README.md b/roles/docker-ldap/README.md index 9ebaf969..289eca8e 100644 --- a/roles/docker-ldap/README.md +++ b/roles/docker-ldap/README.md 
@@ -18,6 +18,46 @@ This Ansible role provides a streamlined implementation of an LDAP server with T -- ## Maintanance + +### Show Config +```bash +docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config'" +``` + +```bash +docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=*)'" +``` + +```bash +docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=olcModuleList)'" +``` + +## install + +### MemberOf +```bash +ldapmodify -Y EXTERNAL -H ldapi:/// < - docker exec -i openldap {{ 'ldapmodify' if applications.ldap.openldap.modify|bool else 'ldapadd' }} -x -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}{{ item }}" - loop: "{{ ldif_files }}" + docker exec -i openldap ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}01_member_of_configuration.ldif + listen: "Import LDIF files" + +- name: Refint Module Activation for OpenLDAP + shell: > + docker exec -i openldap ldapadd -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}02_member_of_configuration.ldif + listen: "Import LDIF files" + register: ldapadd_result + failed_when: ldapadd_result.rc not in [0, 68] + +- name: Refint Overlay Configuration for OpenLDAP + shell: > + docker exec -i openldap modify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}02_member_of_configuration.ldif + listen: "Import LDIF files" + register: ldapadd_result + failed_when: ldapadd_result.rc not in [0, 68] + +- name: "Import Access Roles to OpenLDAP" + shell: > + docker exec -i openldap ldapadd -x -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif" register: ldapadd_result changed_when: "'adding new entry' in ldapadd_result.stdout" # Allow return code 0 (all entries added) or 68 (entry already exists) failed_when: ldapadd_result.rc not in 
[0, 68] - listen: "Import missing groups to OpenLDAP" \ No newline at end of file + listen: "Import LDIF files" \ No newline at end of file diff --git a/roles/docker-ldap/tasks/main.yml b/roles/docker-ldap/tasks/main.yml index 96c7ca77..eabfc4e1 100644 --- a/roles/docker-ldap/tasks/main.yml +++ b/roles/docker-ldap/tasks/main.yml @@ -54,10 +54,10 @@ state: directory mode: 0755 -- name: "Create LDIF files at {{ldif_host_path}}" +- name: "Create LDIF files at {{ ldif_host_path }}" template: - src: "templates/ldif/{{item}}.j2" - dest: "{{ldif_host_path}}{{item}}" + src: "{{ item }}" + dest: "{{ ldif_host_path }}/{{ item | basename | regex_replace('\\.j2$', '') }}" mode: '770' - notify: Import missing groups to OpenLDAP - loop: "{{ldif_files}}" \ No newline at end of file + loop: "{{ lookup('fileglob', '{{ role_path }}/templates/ldif/*.j2', wantlist=True) }}" + notify: Import LDIF files diff --git a/roles/docker-ldap/templates/ldif/01_member_of_configuration.ldif.j2 b/roles/docker-ldap/templates/ldif/01_member_of_configuration.ldif.j2 new file mode 100644 index 00000000..5c40d564 --- /dev/null +++ b/roles/docker-ldap/templates/ldif/01_member_of_configuration.ldif.j2 
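Review bot: The new `dest` derives each file name from the template glob, so this task writes `04_access_roles.ldif`, while the handler it notifies (visible above, though garbled in this view) and `ldif_files` in vars/main.yml still refer to `04_access_profiles.ldif` — the access-roles import will look for a file that is never rendered; rename the template or the handler so both agree, and drop `ldif_files` now that the glob has replaced it. From what is visible of the handler chain, the "Refint Overlay Configuration" handler also runs `docker exec -i openldap modify …` (not `ldapmodify`) against the `02_…` file rather than the `03_…` file this loop renders, which is worth confirming while fixing the names. The nested `'{{ role_path }}/templates/ldif/*.j2'` inside a Jinja expression works but ansible-lint flags it; `lookup('fileglob', role_path ~ '/templates/ldif/*.j2', wantlist=True)` is the conventional form. The retained `mode: '770'` sets execute bits on data files that are only read via `-f`; `mode: '0640'` is sufficient.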
@@ -0,0 +1,45 @@
+# MemberOf Overlay Configuration for OpenLDAP
+#
+# This file activates the memberOf module and configures the memberOf overlay,
+# which is required by Nextcloud for proper group management.
+# @see https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
+# @see https://www.adimian.com/blog/how-to-enable-memberof-using-openldap/
+#
+# The first section loads the memberof module from the specified path.
+# - olcModuleLoad: Specifies that the "memberof" module should be loaded.
+# - olcModulePath: Provides the full path to the memberof shared object.
+#
+# The second section configures the memberOf overlay for the designated database.
+# - The DN "olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config" sets up the overlay
+# on the database backend (here assumed to be "hdb").
+# - olcMemberOfDangling: ignore
+# Instructs the overlay to ignore references to non-existent objects.
+# - olcMemberOfRefInt: TRUE
+# Enables referential integrity so that changes in group membership automatically
+# update the user's "memberOf" attribute.
+# - olcMemberOfGroupOC: groupOfNames
+# Specifies that the overlay applies to groups with the object class "groupOfNames".
+# - olcMemberOfMemberAD: member
+# Indicates that the group's membership is stored in the "member" attribute.
+# - olcMemberOfMemberOfAD: memberOf
+# Defines that the overlay will maintain the "memberOf" attribute in user entries.
+#
+# IMPORTANT: All groups created before enabling this module must be deleted and recreated,
+# as the overlay only assigns the "member" attribute when a new group is created.
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+olcModuleLoad: memberof
+olcModulePath: /opt/bitnami/openldap/lib/openldap/memberof.so
+
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
\ No newline at end of file
diff --git a/roles/docker-ldap/templates/ldif/02_member_of_configuration.ldif.j2 b/roles/docker-ldap/templates/ldif/02_member_of_configuration.ldif.j2
new file mode 100644
index 00000000..ecd8f3d7
--- /dev/null
+++ b/roles/docker-ldap/templates/ldif/02_member_of_configuration.ldif.j2
@@ -0,0 +1,10 @@
+# Refint Module Activation for OpenLDAP
+#
+# This section adds the refint module to the LDAP configuration.
+# The refint module ensures referential integrity by automatically updating
+# or removing references when objects are renamed or deleted.
+#
+# In this file, the "olcmoduleload" attribute is used to load the "refint" module.
+dn: cn=module{1},cn=config
+add: olcmoduleload
+olcmoduleload: refint
\ No newline at end of file
diff --git a/roles/docker-ldap/templates/ldif/03_member_of_configuration.ldif.j2 b/roles/docker-ldap/templates/ldif/03_member_of_configuration.ldif.j2
new file mode 100644
index 00000000..092c5a01
--- /dev/null
+++ b/roles/docker-ldap/templates/ldif/03_member_of_configuration.ldif.j2
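Review bot: The overlay record is bound to `olcDatabase={1}hdb,cn=config` while the header comment itself admits the backend is only assumed; the Bitnami image this targets (see the `/opt/bitnami/openldap` module path) ships an mdb database in my experience, and both the backend name and the `{1}` index may differ, in which case the add fails with "no such object" (rc 32) and the notifying handler has no `failed_when` to soften it. Resolve the real DN first with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' dn` and template it, e.g. `dn: olcOverlay={0}memberof,olcDatabase={{ ldap_backend_index }}{{ ldap_backend }},cn=config`. `olcModulePath` is a search directory list, not a file, so it should be `/opt/bitnami/openldap/lib/openldap`; loading probably only works today because the default path is searched too. Both records have no `changetype:` and are therefore add operations — as far as I can tell they need `ldapadd` (or `ldapmodify -a`), not plain `ldapmodify`, to be accepted.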
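Review bot: `add: olcmoduleload` is only meaningful after `changetype: modify`, and the handler feeding this file uses `ldapadd`, which would treat `add` as an attribute of a new entry and reject it; either prepend `changetype: modify` and run it through `ldapmodify`, or simpler, append `olcModuleLoad: refint` to the `cn=module,cn=config` entry in the 01 file and delete this one. The target `cn=module{1},cn=config` also presumes a second module list exists — the entry the 01 file creates becomes `cn=module{0}`, so this DN most likely does not resolve and the operation returns rc 32, which the handler's `failed_when: ldapadd_result.rc not in [0, 68]` does not tolerate. The `(objectClass=olcModuleList)` query the README adds shows the real DN to use.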
@@ -0,0 +1,23 @@
+# Refint Overlay Configuration for OpenLDAP
+#
+# This file configures the refint overlay for the specified LDAP database.
+#
+# The overlay is applied to the database (here using the "hdb" backend) and is
+# responsible for maintaining referential integrity.
+#
+# The attribute "olcRefintAttribute" lists the attributes that will be monitored
+# for changes. In this case, changes to the following attributes will be tracked:
+# - memberof
+# - member
+# - manager
+# - owner
+#
+# This ensures that any changes in the LDAP directory (such as deletion or modification
+# of an object) automatically update all references to that object, preventing dangling references.
+dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof member manager owner
\ No newline at end of file
diff --git a/roles/docker-ldap/templates/ldif/04_access_roles.ldif.j2 b/roles/docker-ldap/templates/ldif/04_access_roles.ldif.j2
new file mode 100644
index 00000000..1c5f0a6c
--- /dev/null
+++ b/roles/docker-ldap/templates/ldif/04_access_roles.ldif.j2
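Review bot: The refint overlay tracks `member` but sets no `olcRefintNothing`; `groupOfNames` declares `member` as MUST, so when refint strips the last member of a group (e.g. on deleting a user) its internal modify hits an object-class violation and the user deletion is refused. Add a placeholder DN the overlay may substitute, e.g. `olcRefintNothing: {{ ldap.dn.administrator }}` (the variable is already used by the handlers). The DN hard-codes the same `{1}hdb` backend assumption as the 01 file, and pinning the overlay index to `{1}` means the add is rejected if the memberof overlay did not land as `{0}`; `olcOverlay: refint` with an index-less DN lets slapd assign the next slot. Note the `dn:` appears immediately after a comment line with no `changetype:`, so this file too must go through `ldapadd`, not the `modify` the handler appears to invoke.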
@@ -0,0 +1,57 @@
+#######################################################################
+# This file contains the CyMaIS default roles (converted to posix groups)
+# Roles define which kind of rights users have.
+#######################################################################
+
+#######################################################################
+# Generic container for IT roles
+#######################################################################
+dn: {{dn_roles}}
+objectClass: organizationalUnit
+ou: roles
+description: Container for IT access profiles (for rights management)
+
+#######################################################################
+# Role: Super Administrator
+#######################################################################
+dn: cn=superadministrator,{{dn_roles}}
+objectClass: posixGroup
+cn: superadministrator
+gidNumber: 1000
+description: Role: Super Administrator – has full control over all systems and settings.
+
+#######################################################################
+# Role: Administrator
+#######################################################################
+dn: cn=administrator,{{dn_roles}}
+objectClass: posixGroup
+cn: administrator
+gidNumber: 1001
+description: Role: Administrator – responsible for overall system management and configuration.
+
+#######################################################################
+# Role: Manager
+#######################################################################
+dn: cn=manager,{{dn_roles}}
+objectClass: posixGroup
+cn: manager
+gidNumber: 1002
+description: Role: Manager – oversees operations, approves changes, and coordinates teams.
+
+#######################################################################
+# Role: Moderator
+#######################################################################
+dn: cn=moderator,{{dn_roles}}
+objectClass: posixGroup
+cn: moderator
+gidNumber: 1003
+description: Role: Moderator – monitors activity and handles conflict resolution.
+
+#######################################################################
+# Role: User
+#######################################################################
+dn: cn=user,{{dn_roles}}
+objectClass: posixGroup
+cn: user
+gidNumber: 1004
+description: Role: User - Uses the software
\ No newline at end of file
diff --git a/roles/docker-ldap/templates/ldif/groups.ldif.j2 b/roles/docker-ldap/templates/ldif/groups.ldif.j2
deleted file mode 100644
index 8754c59f..00000000
--- a/roles/docker-ldap/templates/ldif/groups.ldif.j2
+++ /dev/null
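Review bot: The container entry is rendered as `dn: {{dn_roles}}` (vars/main.yml sets this to `ou=access_roles,…`) but carries `ou: roles`; the RDN value must be present in the entry, so slapd rejects the add with a naming violation (rc 64), and because the handler only tolerates 0 and 68 the play aborts before any role is created. Set `ou: access_roles` or derive it from the same variable so the two cannot drift. Separately, these roles are `posixGroup` entries (membership via `memberUid`), while the memberOf overlay in the 01 file is configured for `groupOfNames`/`member`; users placed in these roles will not get a `memberOf` attribute, which undercuts the stated reason for enabling the overlay unless Nextcloud is explicitly configured for posix groups. The fixed `gidNumber` 1000–1004 values also sit in the range local Linux accounts use first, so if these groups are ever consumed via NSS they collide with host users; a dedicated range (e.g. 10000+) avoids that.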
@@ -1,147 +0,0 @@ -####################################################################### -# This file contains the CyMaIS default groups # -# Groupps define which kind of applications users have access to # -####################################################################### - -####################################################################### -# Base container for all role-based groups -####################################################################### -dn: ou=groups,dc=veen,dc=world -objectClass: organizationalUnit -ou: groups -description: Container for all role-based groups (by function/profession) - -####################################################################### -# Role: Administrators -####################################################################### -dn: cn=administrator,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: administrators -description: Role: Administrators of this system -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Developer -####################################################################### -dn: cn=developer,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: developer -description: Role: Developer and DevOps (coding, automation, CI/CD, etc.) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Project Manager -####################################################################### -dn: cn=projectmanager,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: projectmanager -description: Role: Project Manager and Collaboration (project planning, task management, etc.) 
-uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Communication Specialist -####################################################################### -dn: cn=communicationspecialist,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: communicationspecialist -description: Role: Communication Specialist (community management, messaging, social networks, etc.) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Content Manager -####################################################################### -dn: cn=contentmanager,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: contentmanager -description: Role: Content Manager/CMS Administrator (content creation, website management, etc.) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Marketing Analyst -####################################################################### -dn: cn=marketinganalyst,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: marketinganalyst -description: Role: Marketing Analyst (marketing, finance, and analytics) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: DevOps Engineer -####################################################################### -dn: cn=devopsengineer,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: devopsengineer -description: Role: DevOps Engineer (continuous integration, deployment, and container orchestration) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Database Administrator -####################################################################### -dn: 
cn=databaseadministrator,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: databaseadministrator -description: Role: Database Administrator (database management and data integrity) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Security Specialist -####################################################################### -dn: cn=securityspecialist,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: securityspecialist -description: Role: Security Specialist (container security, vulnerability assessments, and compliance) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Network Administrator -####################################################################### -dn: cn=networkadministrator,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: networkadministrator -description: Role: Network Administrator (network configuration, connectivity, and firewall management) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: IT Support Specialist -####################################################################### -dn: cn=itsupportspecialist,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: itsupportspecialist -description: Role: IT Support Specialist (technical support and troubleshooting) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Quality Assurance Engineer -####################################################################### -dn: cn=qualityassuranceengineer,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: qualityassuranceengineer -description: Role: Quality Assurance Engineer (testing and ensuring software quality) -uniqueMember: 
cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Business Analyst -####################################################################### -dn: cn=businessanalyst,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: businessanalyst -description: Role: Business Analyst (analyzing business requirements and translating them into technical needs) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Product Owner -####################################################################### -dn: cn=productowner,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: productowner -description: Role: Product Owner (oversees product strategy and manages feature prioritization) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Operations Manager -####################################################################### -dn: cn=operationsmanager,ou=groups,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: operationsmanager -description: Role: Operations Manager (oversees daily operations and ensures system performance) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world diff --git a/roles/docker-ldap/templates/ldif/roles.ldif.j2 b/roles/docker-ldap/templates/ldif/roles.ldif.j2 deleted file mode 100644 index 0756c0df..00000000 --- a/roles/docker-ldap/templates/ldif/roles.ldif.j2 +++ /dev/null 
@@ -1,75 +0,0 @@ -####################################################################### -# This file contains the CyMaIS default roles -# Roles define which kind of rights users have -####################################################################### - -####################################################################### -# Generic container for IT roles -####################################################################### -dn: ou=roles,dc=example,dc=com -objectClass: organizationalUnit -ou: roles -description: Container for generic IT roles (for rights management) - -####################################################################### -# Role: Super Administrator -####################################################################### -dn: cn=superadministrator,ou=roles,dc=example,dc=com -objectClass: groupOfUniqueNames -cn: superadministrator -description: Role: Super Administrator – has full control over all systems and settings. -uniqueMember: cn=dummy,ou=users,dc=example,dc=com - -####################################################################### -# Role: Administrator -####################################################################### -dn: cn=administrator,ou=roles,dc=example,dc=com -objectClass: groupOfUniqueNames -cn: administrator -description: Role: Administrator – responsible for overall system management and configuration. -uniqueMember: cn=dummy,ou=users,dc=example,dc=com - -####################################################################### -# Role: Manager -####################################################################### -dn: cn=manager,ou=roles,dc=example,dc=com -objectClass: groupOfUniqueNames -cn: manager -description: Role: Manager – oversees operations, approves changes, and coordinates teams. 
-uniqueMember: cn=dummy,ou=users,dc=example,dc=com - -####################################################################### -# Role: Moderator -####################################################################### -dn: cn=moderator,ou=roles,dc=example,dc=com -objectClass: groupOfUniqueNames -cn: moderator -description: Role: Moderator – monitors activity and handles conflict resolution. -uniqueMember: cn=dummy,ou=users,dc=example,dc=com - -####################################################################### -# Role: Publisher -####################################################################### -dn: cn=publisher,ou=roles,dc=example,dc=com -objectClass: groupOfUniqueNames -cn: publisher -description: Role: Publisher – responsible for releasing content or updates. -uniqueMember: cn=dummy,ou=users,dc=example,dc=com - -####################################################################### -# Role: Contributor -####################################################################### -dn: cn=contributor,ou=roles,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: contributor -description: Contributor (Allowed to participate, but not to publish) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world - -####################################################################### -# Role: Subscriber -####################################################################### -dn: cn=subscriber,ou=roles,dc=veen,dc=world -objectClass: groupOfUniqueNames -cn: subscriber -description: Subscriber (read-only; manage own profile) -uniqueMember: cn=dummy,ou=users,dc=veen,dc=world diff --git a/roles/docker-ldap/templates/ldif/users.ldif.j2 b/roles/docker-ldap/templates/ldif/users.ldif.j2 deleted file mode 100644 index 592d1a74..00000000 --- a/roles/docker-ldap/templates/ldif/users.ldif.j2 +++ /dev/null @@ -1 +0,0 @@ -# Default users \ No newline at end of file diff --git a/roles/docker-ldap/vars/main.yml b/roles/docker-ldap/vars/main.yml index c3efbf85..97c1365b 100644 
--- a/roles/docker-ldap/vars/main.yml +++ b/roles/docker-ldap/vars/main.yml @@ -11,8 +11,11 @@ enable_wildcard_certificate: false # Activate dedicated Certificate # Configuration for ldif import ldif_files: - - "groups.ldif" - - "roles.ldif" - - "users.ldif" + - "01_member_of_configuration.ldif" + - "02_member_of_configuration.ldif" + - "03_member_of_configuration.ldif" + - "04_access_profiles.ldif" + ldif_host_path: "{{docker_compose.directories.volumes}}ldif/" -ldif_docker_path: "/tmp/ldif/" \ No newline at end of file +ldif_docker_path: "/tmp/ldif/" +dn_roles: "ou=access_roles,{{ldap.dn.root}}" \ No newline at end of file diff --git a/roles/docker-nextcloud/README.md b/roles/docker-nextcloud/README.md index 17b10347..b17add2a 100644 --- a/roles/docker-nextcloud/README.md +++ b/roles/docker-nextcloud/README.md @@ -127,28 +127,7 @@ OIDC is supported in this role—for example, via **Keycloak**. OIDC-specific ta ## LDAP - ---- - -## Architecture - -### MariaDB -Until Nextcloud 24, the MariaDB version must be used. - ---- - -## Performance: 504 Gateway Timeout ⏱️ - -```bash -docker-compose logs web --tail 1000 | grep 504 -``` - -#### See: -- [F5 Support: K48373902](https://support.f5.com/csp/article/K48373902) -- [Nextcloud Server Issue #25436](https://github.com/nextcloud/server/issues/25436) -- [Nextcloud 21.0.2 Update Error](https://help.nextcloud.com/t/update-to-next-cloud-21-0-2-has-get-an-error/117028/23?page=2) -- [ServerFault: Nginx PHP-FPM 504 Error](https://serverfault.com/questions/178671/nginx-php-fpm-504-gateway-time-out-error-with-almost-zero-load-on-a-test-se) -- [Manual LEMP Install Timeout](https://help.nextcloud.com/t/solved-manual-lemp-install-php-fpm-timing-out/39070) +More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html ---
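Review bot: `ldif_files` lists `04_access_profiles.ldif`, but the template added in this commit is `04_access_roles.ldif.j2`, and tasks/main.yml no longer reads this list at all (it globs the template directory), so the variable is now dead and misleading — remove it, or make it the single source that both the template loop and the handlers iterate over. `dn_roles` names the OU `access_roles` while the 04 template sets `ou: roles` on that very entry; the naming attribute must match the RDN, so keep both on one value (e.g. `ou: access_roles`).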