Added LDAP Draft for Funkwhale

2025-08-29 15:06:26 +02:00 · 2025-02-12 12:41:13 +01:00
parent c687b19a6d
commit eaca564c6f
31 changed files with 92 additions and 78 deletions
--- a/roles/docker-ldap/handlers/main.yml
+++ b/roles/docker-ldap/handlers/main.yml
@@ -1,6 +1,6 @@
 - name: "import missing groups from {{ldif_docker_path}} to OpenLDAP"
  shell: >
-    docker exec -i openldap {{ 'ldapmodify' if applications.ldap.openldap.modify|bool else 'ldapadd' }} -x -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}{{ item }}"
+    docker exec -i openldap {{ 'ldapmodify' if applications.ldap.openldap.modify|bool else 'ldapadd' }} -x -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}{{ item }}"
  loop: "{{ ldif_files }}"
  register: ldapadd_result
  changed_when: "'adding new entry' in ldapadd_result.stdout"
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@@ -11,13 +11,13 @@
    src:  "nginx.stream.conf.j2" 
    dest: "{{nginx.directories.streams}}{{domain}}.conf"
  notify: restart nginx
-  when: applications.ldap.openldap.expose_to_internet | bool
+  when: applications.ldap.openldap.network.public | bool

 - name: Remove {{domain}}.conf if LDAP is not exposed to internet
  file:
    path: "{{ nginx.directories.streams }}{{ domain }}.conf"
    state: absent
-  when: not applications.ldap.openldap.expose_to_internet | bool
+  when: not applications.ldap.openldap.network.public | bool

 - name: create docker network for LDAP, so that other applications can access it
  docker_network:
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@@ -23,19 +23,18 @@ services:
 {% endif %}
  openldap:
    image: bitnami/openldap:{{applications.ldap.openldap.version}}
-    container_name: openldap
+    container_name: {{applications.ldap.openldap.hostname}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
-{% if applications.ldap.openldap.expose_to_internet | bool %}
+{% if applications.ldap.openldap.network.public | bool %}
    ports:
-      - 127.0.0.1:{{ldap_localhost_port}}:{{ldap_localhost_port}}               # Expose just on localhost so that nginx stream proxy can use it
-      - 127.0.0.1:{{ldap_secure_localhost_port}}:{{ldap_secure_localhost_port}} # Expose just on localhost
+      - 127.0.0.1:{{ports.localhost.ldap.openldap}}:{{ldap_docker_port}}  # Expose just on localhost so that nginx stream proxy can use it
 {% endif %}
    volumes:
      - 'data:/bitnami/openldap'
-      - '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import
+      - '{{ldif_host_path}}:{{ldif_docker_path}}:ro'                      # Mounting all ldif files for import
    healthcheck:
      test: >
-        ldapsearch -x -H ldap://localhost:389 -b "{{ldap_root}}" -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}"
+        ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}"
      interval: 30s
      timeout: 10s
      retries: 3
--- a/roles/docker-ldap/templates/env.j2
+++ b/roles/docker-ldap/templates/env.j2
@@ -9,18 +9,18 @@ LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}
 ## Users
 LDAP_USERS=                 ' '                             # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
 LDAP_PASSWORDS=             ' '                             # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami2
-LDAP_ROOT=                  {{ldap_root}}                   # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
+LDAP_ROOT=                  {{ldap.dn.root}}                # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org

 ## Admin
-LDAP_ADMIN_DN=              {{ldap_admin_dn}}               # Not well documented. Don't know if this has an effect
+LDAP_ADMIN_DN=              {{ldap.dn.administrator}}       # Not well documented. Don't know if this has an effect
 LDAP_CONFIG_ADMIN_ENABLED=  yes
 LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.administrator_username}}
 LDAP_CONFIG_ADMIN_PASSWORD= {{applications.ldap.administrator_password}}
  
 # Network
-LDAP_PORT_NUMBER=           {{ldap_localhost_port}}         # Route to default port
+LDAP_PORT_NUMBER=           {{ldap_docker_port}}            # Route to default port
 LDAP_ENABLE_TLS=            no                              # Using nginx proxy for tls
-LDAP_LDAPS_PORT_NUMBER=     {{ldap_secure_localhost_port}}  # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
+LDAP_LDAPS_PORT_NUMBER=     {{ldaps_docker_port}}           # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).

 # Security
 LDAP_ALLOW_ANON_BINDING=    no                              # Allow anonymous bindings to the LDAP server. Default: yes.
--- a/roles/docker-ldap/templates/lam.env.j2
+++ b/roles/docker-ldap/templates/lam.env.j2
@@ -7,7 +7,7 @@ LAM_PASSWORD=               {{applications.ldap.lam.administrator_password}}
 LAM_CONFIGURATION_DATABASE= files                                                   # configuration database (files or mysql) @todo implement mariadb

 # LDAP Configuration
-LDAP_SERVER=                {{applications.ldap.openldap.domain}}                   # domain of LDAP database root entry, will be converted to dc=...,dc=...
-LDAP_BASE_DN=               {{ldap_root}}                                           # LDAP base DN to overwrite value generated by LDAP_DOMAIN
-LDAP_USER=                  {{ldap_admin_dn}}                                       # LDAP admin user (set as login user for LAM)
+LDAP_SERVER=                {{ldap.server.domain}}                                  # domain of LDAP database root entry
+LDAP_BASE_DN=               {{ldap.dn.root}}                                        # LDAP base DN to overwrite value generated by LDAP_DOMAIN
+LDAP_USER=                  {{ldap.dn.administrator}}                               # LDAP admin user (set as login user for LAM)
 LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}}   # LDAP admin password
--- a/roles/docker-ldap/templates/nginx.stream.conf.j2
+++ b/roles/docker-ldap/templates/nginx.stream.conf.j2
@@ -1,6 +1,6 @@
 server {
-    listen {{ldap_secure_internet_port}} ssl;
-    proxy_pass 127.0.0.1:{{ldap_localhost_port}};
+    listen {{ports.public.ldaps.openldap}}ssl;
+    proxy_pass 127.0.0.1:{{ports.localhost.ldap.openldap}};

    # SSL Configuration for LDAPS
    {% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@@ -1,10 +1,8 @@
-application_id:               "ldap"
-ldap_root:                    "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
-ldap_admin_dn:                "cn={{applications.ldap.administrator_username}},{{ldap_root}}"
-ldap_secure_localhost_port:   1636
-ldap_secure_internet_port:    636
-ldap_localhost_port:          389
-ldap_network_enabled:         "{{ldap.enabled}}"
+application_id:       "ldap"
+ldaps_docker_port:    636
+ldap_docker_port:     389
+ldap_enabled:         True
+
 # OAuth2 Proxy Configuration
 oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
 oauth2_proxy_active:                        true