Optimized setup routine for memberOf ldap

2025-02-22 20:39:40 +01:00 · 2025-02-12 19:06:32 +01:00 · 2025-02-12 19:06:32 +01:00 · e947c203a1
commit e947c203a1
parent d947d0a49d
13 changed files with 210 additions and 259 deletions
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@ -76,7 +76,6 @@ defaults_applications:
        local:                        True                                      # Activates local network to allow other docker containers to connect
        public:                       False                                     # Set to true in inventory file if you want to expose the LDAP port to the internet
      hostname:                       "openldap"                                # Hostname of the LDAP Server in the central_ldap network
      modify:                         False                                     # When false entries will just be added, when true existing entries will be modified during import procedure
    phpldapadmin:
      version:                        "2.0.0-dev"                               # @todo Attention: Change this as fast as released to latest
    webinterface:                     "lam"                                     # The webinterface which should be used. Possible: lam and phpldapadmin
--- a/roles/docker-ldap/README.md
+++ b/roles/docker-ldap/README.md
@ -18,6 +18,46 @@ This Ansible role provides a streamlined implementation of an LDAP server with T
 --
 ## Maintanance
 ### Show Config
 ```bash
 docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config'"
 ```
 ```bash
 docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=*)'"
 ```
 ```bash
 docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=olcModuleList)'"
 ```
 ## install
 ### MemberOf
 ```bash
 ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
 dn: cn=module{0},cn=config
 changetype: modify
 add: olcModuleLoad
 olcModuleLoad: /opt/bitnami/openldap/lib/openldap/memberof.so
 EOF
 ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
 dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
 objectClass: olcOverlayConfig
 objectClass: olcMemberOf
 olcOverlay: memberof
 olcMemberOfRefInt: TRUE
 olcMemberOfDangling: ignore
 olcMemberOfGroupOC: groupOfNames
 olcMemberOfMemberAD: member
 olcMemberOfMemberOfAD: memberOf
 EOF
 ```
 ### Show all Entires
 ```bash 
 docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world'";
--- a/roles/docker-ldap/handlers/main.yml
+++ b/roles/docker-ldap/handlers/main.yml
@ -1,9 +1,27 @@
- name: "import missing groups from {{ldif_docker_path}} to OpenLDAP"
+- name: Load memberof module from file in OpenLDAP container
  shell: >
-    docker exec -i openldap {{ 'ldapmodify' if applications.ldap.openldap.modify|bool else 'ldapadd' }} -x -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}{{ item }}"
+    docker exec -i openldap ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}01_member_of_configuration.ldif
-  loop: "{{ ldif_files }}"
+  listen: "Import LDIF files"
 - name: Refint Module Activation for OpenLDAP
  shell: >
    docker exec -i openldap ldapadd -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}02_member_of_configuration.ldif
  listen: "Import LDIF files"
  register: ldapadd_result
  failed_when: ldapadd_result.rc not in [0, 68]
 - name: Refint Overlay Configuration for OpenLDAP
  shell: >
    docker exec -i openldap modify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}02_member_of_configuration.ldif
  listen: "Import LDIF files"
  register: ldapadd_result
  failed_when: ldapadd_result.rc not in [0, 68]
 - name: "Import Access Roles to OpenLDAP"
  shell: >
    docker exec -i openldap ldapadd -x -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif"
  register: ldapadd_result
  changed_when: "'adding new entry' in ldapadd_result.stdout"
  # Allow return code 0 (all entries added) or 68 (entry already exists)
  failed_when: ldapadd_result.rc not in [0, 68]
-  listen: "Import missing groups to OpenLDAP"
+  listen: "Import LDIF files"
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@ -54,10 +54,10 @@
    state: directory
    mode: 0755
- name: "Create LDIF files at {{ldif_host_path}}"
+- name: "Create LDIF files at {{ ldif_host_path }}"
  template:
-    src:  "templates/ldif/{{item}}.j2" 
+    src: "{{ item }}"
-    dest: "{{ldif_host_path}}{{item}}"
+    dest: "{{ ldif_host_path }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
    mode: '770'
-  notify: Import missing groups to OpenLDAP
+  loop: "{{ lookup('fileglob', '{{ role_path }}/templates/ldif/*.j2', wantlist=True) }}"
-  loop: "{{ldif_files}}"
+  notify: Import LDIF files
--- a/roles/docker-ldap/templates/ldif/01_member_of_configuration.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/01_member_of_configuration.ldif.j2
@ -0,0 +1,45 @@
 # MemberOf Overlay Configuration for OpenLDAP
 #
 # This file activates the memberOf module and configures the memberOf overlay,
 # which is required by Nextcloud for proper group management.
 # @see https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html 
 # @see https://www.adimian.com/blog/how-to-enable-memberof-using-openldap/
 #
 # The first section loads the memberof module from the specified path.
 #   - olcModuleLoad: Specifies that the "memberof" module should be loaded.
 #   - olcModulePath: Provides the full path to the memberof shared object.
 #
 # The second section configures the memberOf overlay for the designated database.
 #   - The DN "olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config" sets up the overlay
 #     on the database backend (here assumed to be "hdb").
 #   - olcMemberOfDangling: ignore
 #         Instructs the overlay to ignore references to non-existent objects.
 #   - olcMemberOfRefInt: TRUE
 #         Enables referential integrity so that changes in group membership automatically
 #         update the user's "memberOf" attribute.
 #   - olcMemberOfGroupOC: groupOfNames
 #         Specifies that the overlay applies to groups with the object class "groupOfNames".
 #   - olcMemberOfMemberAD: member
 #         Indicates that the group's membership is stored in the "member" attribute.
 #   - olcMemberOfMemberOfAD: memberOf
 #         Defines that the overlay will maintain the "memberOf" attribute in user entries.
 #
 # IMPORTANT: All groups created before enabling this module must be deleted and recreated,
 # as the overlay only assigns the "member" attribute when a new group is created.
 dn: cn=module,cn=config
 cn: module
 objectClass: olcModuleList
 olcModuleLoad: memberof
 olcModulePath: /opt/bitnami/openldap/lib/openldap/memberof.so
 dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
 objectClass: olcConfig
 objectClass: olcMemberOf
 objectClass: olcOverlayConfig
 objectClass: top
 olcOverlay: memberof
 olcMemberOfDangling: ignore
 olcMemberOfRefInt: TRUE
 olcMemberOfGroupOC: groupOfNames
 olcMemberOfMemberAD: member
 olcMemberOfMemberOfAD: memberOf
--- a/roles/docker-ldap/templates/ldif/02_member_of_configuration.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/02_member_of_configuration.ldif.j2
@ -0,0 +1,10 @@
 # Refint Module Activation for OpenLDAP
 #
 # This section adds the refint module to the LDAP configuration.
 # The refint module ensures referential integrity by automatically updating
 # or removing references when objects are renamed or deleted.
 #
 # In this file, the "olcmoduleload" attribute is used to load the "refint" module.
 dn: cn=module{1},cn=config
 add: olcmoduleload
 olcmoduleload: refint
--- a/roles/docker-ldap/templates/ldif/03_member_of_configuration.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/03_member_of_configuration.ldif.j2
@ -0,0 +1,23 @@
 # Refint Overlay Configuration for OpenLDAP
 #
 # This file configures the refint overlay for the specified LDAP database.
 #
 # The overlay is applied to the database (here using the "hdb" backend) and is
 # responsible for maintaining referential integrity.
 #
 # The attribute "olcRefintAttribute" lists the attributes that will be monitored
 # for changes. In this case, changes to the following attributes will be tracked:
 #   - memberof
 #   - member
 #   - manager
 #   - owner
 #
 # This ensures that any changes in the LDAP directory (such as deletion or modification
 # of an object) automatically update all references to that object, preventing dangling references.
 dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
 objectClass: olcConfig
 objectClass: olcOverlayConfig
 objectClass: olcRefintConfig
 objectClass: top
 olcOverlay: {1}refint
 olcRefintAttribute: memberof member manager owner
--- a/roles/docker-ldap/templates/ldif/04_access_roles.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/04_access_roles.ldif.j2
@ -0,0 +1,57 @@
 #######################################################################
 # This file contains the CyMaIS default roles (converted to posix groups)
 # Roles define which kind of rights users have.
 #######################################################################
 #######################################################################
 # Generic container for IT roles
 #######################################################################
 dn: {{dn_roles}}
 objectClass: organizationalUnit
 ou: roles
 description: Container for IT access profiles (for rights management)
 #######################################################################
 # Role: Super Administrator
 #######################################################################
 dn: cn=superadministrator,{{dn_roles}}
 objectClass: posixGroup
 cn: superadministrator
 gidNumber: 1000
 description: Role: Super Administrator – has full control over all systems and settings.
 #######################################################################
 # Role: Administrator
 #######################################################################
 dn: cn=administrator,{{dn_roles}}
 objectClass: posixGroup
 cn: administrator
 gidNumber: 1001
 description: Role: Administrator – responsible for overall system management and configuration.
 #######################################################################
 # Role: Manager
 #######################################################################
 dn: cn=manager,{{dn_roles}}
 objectClass: posixGroup
 cn: manager
 gidNumber: 1002
 description: Role: Manager – oversees operations, approves changes, and coordinates teams.
 #######################################################################
 # Role: Moderator
 #######################################################################
 dn: cn=moderator,{{dn_roles}}
 objectClass: posixGroup
 cn: moderator
 gidNumber: 1003
 description: Role: Moderator – monitors activity and handles conflict resolution.
 #######################################################################
 # Role: User
 #######################################################################
 dn: cn=user,{{dn_roles}}
 objectClass: posixGroup
 cn: user
 gidNumber: 1004
 description: Role: User - Uses the software
--- a/roles/docker-ldap/templates/ldif/groups.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/groups.ldif.j2
@ -1,147 +0,0 @@
 #######################################################################
 # This file contains the CyMaIS default groups                        # 
 # Groupps define which kind of applications users have access to      #
 #######################################################################
 #######################################################################
 # Base container for all role-based groups
 #######################################################################
 dn: ou=groups,dc=veen,dc=world
 objectClass: organizationalUnit
 ou: groups
 description: Container for all role-based groups (by function/profession)
 #######################################################################
 # Role: Administrators
 #######################################################################
 dn: cn=administrator,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: administrators
 description: Role: Administrators of this system
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Developer
 #######################################################################
 dn: cn=developer,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: developer
 description: Role: Developer and DevOps (coding, automation, CI/CD, etc.)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Project Manager
 #######################################################################
 dn: cn=projectmanager,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: projectmanager
 description: Role: Project Manager and Collaboration (project planning, task management, etc.)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Communication Specialist
 #######################################################################
 dn: cn=communicationspecialist,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: communicationspecialist
 description: Role: Communication Specialist (community management, messaging, social networks, etc.)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Content Manager
 #######################################################################
 dn: cn=contentmanager,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: contentmanager
 description: Role: Content Manager/CMS Administrator (content creation, website management, etc.)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Marketing Analyst
 #######################################################################
 dn: cn=marketinganalyst,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: marketinganalyst
 description: Role: Marketing Analyst (marketing, finance, and analytics)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: DevOps Engineer
 #######################################################################
 dn: cn=devopsengineer,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: devopsengineer
 description: Role: DevOps Engineer (continuous integration, deployment, and container orchestration)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Database Administrator
 #######################################################################
 dn: cn=databaseadministrator,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: databaseadministrator
 description: Role: Database Administrator (database management and data integrity)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Security Specialist
 #######################################################################
 dn: cn=securityspecialist,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: securityspecialist
 description: Role: Security Specialist (container security, vulnerability assessments, and compliance)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Network Administrator
 #######################################################################
 dn: cn=networkadministrator,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: networkadministrator
 description: Role: Network Administrator (network configuration, connectivity, and firewall management)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: IT Support Specialist
 #######################################################################
 dn: cn=itsupportspecialist,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: itsupportspecialist
 description: Role: IT Support Specialist (technical support and troubleshooting)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Quality Assurance Engineer
 #######################################################################
 dn: cn=qualityassuranceengineer,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: qualityassuranceengineer
 description: Role: Quality Assurance Engineer (testing and ensuring software quality)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Business Analyst
 #######################################################################
 dn: cn=businessanalyst,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: businessanalyst
 description: Role: Business Analyst (analyzing business requirements and translating them into technical needs)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Product Owner
 #######################################################################
 dn: cn=productowner,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: productowner
 description: Role: Product Owner (oversees product strategy and manages feature prioritization)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Operations Manager
 #######################################################################
 dn: cn=operationsmanager,ou=groups,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: operationsmanager
 description: Role: Operations Manager (oversees daily operations and ensures system performance)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
--- a/roles/docker-ldap/templates/ldif/roles.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/roles.ldif.j2
@ -1,75 +0,0 @@
 #######################################################################
 # This file contains the CyMaIS default roles                          
 # Roles define which kind of rights users have                        
 #######################################################################
 #######################################################################
 # Generic container for IT roles
 #######################################################################
 dn: ou=roles,dc=example,dc=com
 objectClass: organizationalUnit
 ou: roles
 description: Container for generic IT roles (for rights management)
 #######################################################################
 # Role: Super Administrator
 #######################################################################
 dn: cn=superadministrator,ou=roles,dc=example,dc=com
 objectClass: groupOfUniqueNames
 cn: superadministrator
 description: Role: Super Administrator – has full control over all systems and settings.
 uniqueMember: cn=dummy,ou=users,dc=example,dc=com
 #######################################################################
 # Role: Administrator
 #######################################################################
 dn: cn=administrator,ou=roles,dc=example,dc=com
 objectClass: groupOfUniqueNames
 cn: administrator
 description: Role: Administrator – responsible for overall system management and configuration.
 uniqueMember: cn=dummy,ou=users,dc=example,dc=com
 #######################################################################
 # Role: Manager
 #######################################################################
 dn: cn=manager,ou=roles,dc=example,dc=com
 objectClass: groupOfUniqueNames
 cn: manager
 description: Role: Manager – oversees operations, approves changes, and coordinates teams.
 uniqueMember: cn=dummy,ou=users,dc=example,dc=com
 #######################################################################
 # Role: Moderator
 #######################################################################
 dn: cn=moderator,ou=roles,dc=example,dc=com
 objectClass: groupOfUniqueNames
 cn: moderator
 description: Role: Moderator – monitors activity and handles conflict resolution.
 uniqueMember: cn=dummy,ou=users,dc=example,dc=com
 #######################################################################
 # Role: Publisher
 #######################################################################
 dn: cn=publisher,ou=roles,dc=example,dc=com
 objectClass: groupOfUniqueNames
 cn: publisher
 description: Role: Publisher – responsible for releasing content or updates.
 uniqueMember: cn=dummy,ou=users,dc=example,dc=com
 #######################################################################
 # Role: Contributor
 #######################################################################
 dn: cn=contributor,ou=roles,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: contributor
 description: Contributor (Allowed to participate, but not to publish)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
 #######################################################################
 # Role: Subscriber
 #######################################################################
 dn: cn=subscriber,ou=roles,dc=veen,dc=world
 objectClass: groupOfUniqueNames
 cn: subscriber
 description: Subscriber (read-only; manage own profile)
 uniqueMember: cn=dummy,ou=users,dc=veen,dc=world
--- a/roles/docker-ldap/templates/ldif/users.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/users.ldif.j2
@ -1 +0,0 @@
 # Default users
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@ -11,8 +11,11 @@ enable_wildcard_certificate:  false # Activate dedicated Certificate
 # Configuration for ldif import
 ldif_files:
-  - "groups.ldif"
+  - "01_member_of_configuration.ldif"
-  - "roles.ldif"
+  - "02_member_of_configuration.ldif"
-  - "users.ldif"
+  - "03_member_of_configuration.ldif"
  - "04_access_profiles.ldif"
 ldif_host_path:     "{{docker_compose.directories.volumes}}ldif/"
-ldif_docker_path:   "/tmp/ldif/"
+ldif_docker_path:   "/tmp/ldif/"
 dn_roles:           "ou=access_roles,{{ldap.dn.root}}"
--- a/roles/docker-nextcloud/README.md
+++ b/roles/docker-nextcloud/README.md
@ -127,28 +127,7 @@ OIDC is supported in this role—for example, via **Keycloak**. OIDC-specific ta
 ## LDAP 
-
+More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
 ---
 ## Architecture
 ### MariaDB
 Until Nextcloud 24, the MariaDB version must be used.
 ---
 ## Performance: 504 Gateway Timeout ⏱️
 ```bash
 docker-compose logs web --tail 1000 | grep 504
 ```
 #### See:
 - [F5 Support: K48373902](https://support.f5.com/csp/article/K48373902)
 - [Nextcloud Server Issue #25436](https://github.com/nextcloud/server/issues/25436)
 - [Nextcloud 21.0.2 Update Error](https://help.nextcloud.com/t/update-to-next-cloud-21-0-2-has-get-an-error/117028/23?page=2)
 - [ServerFault: Nginx PHP-FPM 504 Error](https://serverfault.com/questions/178671/nginx-php-fpm-504-gateway-time-out-error-with-almost-zero-load-on-a-test-se)
 - [Manual LEMP Install Timeout](https://help.nextcloud.com/t/solved-manual-lemp-install-php-fpm-timing-out/39070)
 ---