From ef801aa49862d34a9a4a3e803488f7525d18794a Mon Sep 17 00:00:00 2001 
From: Kevin Veen-Birkenbach Date: Thu, 28 Aug 2025 18:13:53 +0200 Subject: [PATCH] Joomla: Add LDAP autocreate plugin support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Introduced autocreate_users feature flag in config/main.yml - Added ldapautocreate.php and ldapautocreate.xml plugin files - Implemented tasks/01_ldap_files.yml for plugin deployment - Added tasks/05_ldap.yml to configure LDAP plugin and register ldapautocreate - Renamed tasks for better structure (01→02, 02→03, etc.) - Updated cli-ldap.php.j2 for clean parameter handling - Mounted ldapautocreate plugin via docker-compose.yml.j2 - Extended vars/main.yml with LDAP autocreate configuration Ref: https://chatgpt.com/share/68b0802f-bfd4-800f-b10a-57cf0c091f7e --- roles/web-app-joomla/config/main.yml | 3 +- roles/web-app-joomla/files/ldapautocreate.php | 108 ++++++++++++++++++ roles/web-app-joomla/files/ldapautocreate.xml | 10 ++ roles/web-app-joomla/tasks/01_ldap_files.yml | 25 ++++ .../tasks/{01_install.yml => 02_install.yml} | 0 .../tasks/{02_debug.yml => 03_debug.yml} | 0 roles/web-app-joomla/tasks/04_ldap.yml | 9 -- .../tasks/{03_patch.yml => 04_patch.yml} | 0 roles/web-app-joomla/tasks/05_ldap.yml | 56 +++++++++ .../tasks/{05_assert.yml => 06_assert.yml} | 0 roles/web-app-joomla/tasks/main.yml | 34 +++--- .../web-app-joomla/templates/cli-ldap.php.j2 | 84 ++++++++------ .../templates/docker-compose.yml.j2 | 3 + roles/web-app-joomla/templates/env.j2 | 42 +++---- roles/web-app-joomla/vars/main.yml | 71 ++++++------ 15 files changed, 326 insertions(+), 119 deletions(-) create mode 100644 roles/web-app-joomla/files/ldapautocreate.php create mode 100644 roles/web-app-joomla/files/ldapautocreate.xml create mode 100644 roles/web-app-joomla/tasks/01_ldap_files.yml rename roles/web-app-joomla/tasks/{01_install.yml => 02_install.yml} (100%) rename roles/web-app-joomla/tasks/{02_debug.yml => 03_debug.yml} (100%) delete mode 100644 
roles/web-app-joomla/tasks/04_ldap.yml rename roles/web-app-joomla/tasks/{03_patch.yml => 04_patch.yml} (100%) create mode 100644 roles/web-app-joomla/tasks/05_ldap.yml rename roles/web-app-joomla/tasks/{05_assert.yml => 06_assert.yml} (100%) diff --git a/roles/web-app-joomla/config/main.yml b/roles/web-app-joomla/config/main.yml index 623be854..90b9040e 100644 --- a/roles/web-app-joomla/config/main.yml +++ b/roles/web-app-joomla/config/main.yml @@ -1,3 +1,4 @@ +autocreate_users: true # Autocreate LDAP users on Login features: matomo: true css: true @@ -24,4 +25,4 @@ docker: version: latest name: joomla volumes: - data: "joomla_data" + data: "joomla_data" diff --git a/roles/web-app-joomla/files/ldapautocreate.php b/roles/web-app-joomla/files/ldapautocreate.php new file mode 100644 index 00000000..9fafe0dc --- /dev/null +++ b/roles/web-app-joomla/files/ldapautocreate.php 
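Review bot: `autocreate_users: true` switches account provisioning on by default, so every directory user who can authenticate gets a local Joomla account in the `Registered` group on first login, and the trailing comment says neither that nor that the flag only makes sense together with `features.ldap`. I would expand the comment to `# Create a local Joomla account (group Registered) on first successful LDAP login; requires features.ldap`. Placing the key under `features:` next to `ldap` would also keep the role's feature flags in one place, though that changes the `get_app_conf` path used in vars/main.yml.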
@@ -0,0 +1,108 @@ +status ?? null) !== Authentication::STATUS_SUCCESS) { + return; + } + + $username = $response->username ?? $options['username'] ?? null; + if (!$username) { + return; + } + + /** @var DatabaseDriver $dbo */ + $dbo = Factory::getDbo(); + + // If user already exists locally, nothing to do + $exists = (int) $dbo->setQuery( + $dbo->getQuery(true) + ->select('COUNT(*)') + ->from($dbo->quoteName('#__users')) + ->where($dbo->quoteName('username') . ' = ' . $dbo->quote($username)) + )->loadResult(); + + if ($exists) { + return; + } + + // Read LDAP Auth plugin params to connect (the ones we configured via cli-ldap.php) + $ldapExt = $dbo->setQuery( + $dbo->getQuery(true) + ->select('*') + ->from($dbo->quoteName('#__extensions')) + ->where($dbo->quoteName('type') . " = 'plugin'") + ->where($dbo->quoteName('folder') . " = 'authentication'") + ->where($dbo->quoteName('element') . " = 'ldap'") + )->loadObject(); + + if (!$ldapExt) { + return; // LDAP plugin not found; bail out silently + } + + $p = json_decode($ldapExt->params ?: "{}", true) ?: []; + $host = $p['host'] ?? 'openldap'; + $port = (int) ($p['port'] ?? 389); + $baseDn = $p['base_dn'] ?? ''; + $bindDn = $p['username'] ?? ''; + $bindPw = $p['password'] ?? ''; + $attrUid = $p['ldap_uid'] ?? 'uid'; + $attrMail = $p['ldap_email'] ?? 'mail'; + $attrName = $p['ldap_fullname'] ?? 'cn'; + + // Look up user in LDAP to fetch name/email + $ds = @ldap_connect($host, $port); + if (!$ds) { return; } + ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); + @ldap_bind($ds, $bindDn, $bindPw); + + $filter = sprintf('(%s=%s)', $attrUid, ldap_escape($username, '', LDAP_ESCAPE_FILTER)); + $sr = @ldap_search($ds, $baseDn, $filter, [$attrName, $attrMail]); + $entry = $sr ? @ldap_first_entry($ds, $sr) : null; + + $name = $entry ? (@ldap_get_values($ds, $entry, $attrName)[0] ?? $username) : $username; + $email = $entry ? (@ldap_get_values($ds, $entry, $attrMail)[0] ?? 
($username.'@example.invalid')) : ($username.'@example.invalid'); + + if ($ds) { @ldap_unbind($ds); } + + // Create Joomla user (Registered group id=2) + $data = [ + 'name' => $name, + 'username' => $username, + 'email' => $email, + // Password is irrelevant for LDAP; set a random one + 'password' => bin2hex(random_bytes(12)), + 'block' => 0, + 'groups' => [2], + ]; + + $user = new User; + if (!$user->bind($data)) { + return; + } + $user->save(); + } +} diff --git a/roles/web-app-joomla/files/ldapautocreate.xml b/roles/web-app-joomla/files/ldapautocreate.xml new file mode 100644 index 00000000..70892334 --- /dev/null +++ b/roles/web-app-joomla/files/ldapautocreate.xml @@ -0,0 +1,10 @@ + + + plg_system_ldapautocreate + Infinito.Nexus + 1.0.0 + Auto-create Joomla users after successful LDAP authentication. + + ldapautocreate.php + + diff --git a/roles/web-app-joomla/tasks/01_ldap_files.yml b/roles/web-app-joomla/tasks/01_ldap_files.yml new file mode 100644 index 00000000..065b4e8f --- /dev/null +++ b/roles/web-app-joomla/tasks/01_ldap_files.yml @@ -0,0 +1,25 @@ +- name: "Render LDAP CLI helper" + template: + src: cli-ldap.php.j2 + dest: "{{ JOOMLA_LDAP_CONF_FILE }}" + mode: "0644" + when: JOOMLA_LDAP_ENABLED | bool + notify: docker compose restart + +- block: + - name: "Ensure ldapautocreate plugin hostdir exists" + file: + path: "{{ JOOMLA_LDAP_AUT_CRT_HOST_DIR }}" + state: directory + mode: "0755" + + - name: "Deploy ldapautocreate plugin files" + copy: + src: "ldapautocreate.{{ item }}" + dest: "{{ [ JOOMLA_LDAP_AUT_CRT_HOST_DIR, 'ldapautocreate.' ~ item ] | path_join }}" + mode: "0644" + notify: docker compose restart + loop: + - php + - xml + when: JOOMLA_LDAP_AUTO_CREATE_ENABLED | bool diff --git a/roles/web-app-joomla/tasks/01_install.yml b/roles/web-app-joomla/tasks/02_install.yml similarity index 100% rename from roles/web-app-joomla/tasks/01_install.yml rename to roles/web-app-joomla/tasks/02_install.yml 
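Review bot: The service-account bind is neither checked nor protected — `@ldap_bind($ds, $bindDn, $bindPw)` discards its return value, so a failed bind falls through to an unauthenticated search, and the `negotiate_tls` setting that cli-ldap.php.j2 stores in the same plugin params is ignored here, so the bind credential is sent in cleartext even when the auth plugin was told to use STARTTLS. Nothing restricts the hook to LDAP logins either: only `$response->status` is inspected, so a success from any other authentication plugin also provisions a local `Registered` account (the method signature and class header are outside this hunk, so I cannot see whether an earlier check exists); if the stock LDAP plugin's `$response->type = 'LDAP'` is available, test it. `$user->save()`'s return value is also dropped, so a duplicate e-mail or validation failure is invisible in the logs. I would rewrite the connection block as below and log the save failure rather than returning silently.

```php
// … unchanged: status/username guards, local-existence check, plugin-param lookup …
if (($response->type ?? null) !== 'LDAP') {
    return; // only provision accounts that the LDAP plugin vouched for
}

$ds = @ldap_connect($host, $port);
if (!$ds) { return; }
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

// Honour the auth plugin's STARTTLS choice; never bind in cleartext when it asked for TLS
if (!empty($p['negotiate_tls']) && !@ldap_start_tls($ds)) {
    @ldap_unbind($ds);
    return;
}
if (!@ldap_bind($ds, $bindDn, $bindPw)) {
    @ldap_unbind($ds);
    return; // do not fall through to an anonymous search
}
// … unchanged: filter, search, name/e-mail extraction, unbind, user data …
if (!$user->save()) {
    // NOTE(review): surface $user->getError() through Joomla's Log instead of dropping it
}
```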
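Review bot: The `block` that deploys the plugin files is gated on `JOOMLA_LDAP_AUTO_CREATE_ENABLED` alone, while the compose mount for that directory (docker-compose.yml.j2) is nested inside `JOOMLA_LDAP_ENABLED`; with the new default `autocreate_users: true` and `features.ldap` off, the files land on the host but never reach the container, and the registration task in 05_ldap.yml then aborts on `ERROR: plugin file missing`. Gate it the same way as the CLI helper above it: `when: (JOOMLA_LDAP_ENABLED | bool) and (JOOMLA_LDAP_AUTO_CREATE_ENABLED | bool)`. The copied files get `mode: "0644"` but no `owner`/`group`; that is fine for a `:ro` mount, but worth stating in a comment so nobody later loosens it to make the plugin writable from inside the container.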
diff --git a/roles/web-app-joomla/tasks/02_debug.yml b/roles/web-app-joomla/tasks/03_debug.yml similarity index 100% rename from roles/web-app-joomla/tasks/02_debug.yml rename to roles/web-app-joomla/tasks/03_debug.yml diff --git a/roles/web-app-joomla/tasks/04_ldap.yml b/roles/web-app-joomla/tasks/04_ldap.yml deleted file mode 100644 index 6b2c2d0d..00000000 --- a/roles/web-app-joomla/tasks/04_ldap.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: "Configure LDAP plugin params via helper" - command: > - docker exec {{ JOOMLA_CONTAINER }} - php cli/cli-ldap.php - register: ldap_conf - changed_when: "'configured' in ldap_conf.stdout | lower" - async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}" - poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}" - when: JOOMLA_LDAP_ENABLED | bool \ No newline at end of file diff --git a/roles/web-app-joomla/tasks/03_patch.yml b/roles/web-app-joomla/tasks/04_patch.yml similarity index 100% rename from roles/web-app-joomla/tasks/03_patch.yml rename to roles/web-app-joomla/tasks/04_patch.yml diff --git a/roles/web-app-joomla/tasks/05_ldap.yml b/roles/web-app-joomla/tasks/05_ldap.yml new file mode 100644 index 00000000..72812d39 --- /dev/null +++ b/roles/web-app-joomla/tasks/05_ldap.yml 
@@ -0,0 +1,56 @@ +- name: "Configure LDAP plugin params via helper" + command: > + docker exec {{ JOOMLA_CONTAINER }} + sh -c 'test -f /var/www/html/cli/cli-ldap.php && php /var/www/html/cli/cli-ldap.php' + register: ldap_conf + changed_when: "'configured' in ldap_conf.stdout | lower" + async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}" + poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}" + when: JOOMLA_LDAP_ENABLED | bool + +- name: "Register & enable ldapautocreate Joomla system plugin" + command: > + docker exec {{ JOOMLA_CONTAINER }} + sh -lc ' + test -f /var/www/html/plugins/system/ldapautocreate/ldapautocreate.php || + { echo "ERROR: plugin file missing"; exit 1; }; + php -r " + define(\"_JEXEC\",1); + \$root=\"/var/www/html\"; + require \$root.\"/includes/defines.php\"; + require \$root.\"/includes/framework.php\"; + \$dbo = Joomla\\CMS\\Factory::getDbo(); + \$ext = \$dbo->setQuery( + \"SELECT * FROM #__extensions WHERE type=\\\"plugin\\\" AND folder=\\\"system\\\" AND element=\\\"ldapautocreate\\\"\" + )->loadObject(); + if (!\$ext) { + \$row = (object)[ + \"name\" => \"plg_system_ldapautocreate\", + \"type\" => \"plugin\", + \"element\" => \"ldapautocreate\", + \"folder\" => \"system\", + \"enabled\" => 1, + \"access\" => 1, + \"protected\" => 0, + \"manifest_cache\" => \"{}\", + \"params\" => \"{}\", + \"custom_data\" => \"{}\", + \"state\" => 0, + \"ordering\" => 0, + \"client_id\" => 0 + ]; + \$dbo->insertObject(\"#__extensions\", \$row); + echo \"Plugin registered + enabled\\n\"; + } else { + \$ext->enabled = 1; + \$dbo->updateObject(\"#__extensions\", \$ext, \"extension_id\"); + echo \"Plugin already exists, just enabled\\n\"; + } + " + ' + register: ldapautocreate_reg + changed_when: > + ('registered + enabled' in (ldapautocreate_reg.stdout | lower)) or + ('just enabled' in (ldapautocreate_reg.stdout | lower)) + failed_when: ldapautocreate_reg.rc != 0 + when: JOOMLA_LDAP_AUTO_CREATE_ENABLED | bool \ No newline at end of file 
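Review bot: The registration task has no reverse path: once `JOOMLA_LDAP_AUTO_CREATE_ENABLED` is turned off the `#__extensions` row stays `enabled = 1` while the bind mount (and so the plugin file) disappears, and the row is written with `manifest_cache: "{}"` outside Joomla's installer, so the admin UI cannot show its version or uninstall it cleanly. Consider an `else` task that sets `enabled = 0` when the flag is false, and moving the inline `php -r` body into a mounted `cli-ldap-autocreate.php` next to `cli-ldap.php` — the current four-level quoting (`sh -lc` inside Ansible `command` with `\\\"plugin\\\"`) is the kind of thing that silently breaks on the next edit. Also the preceding task's `changed_when: "'configured' in ldap_conf.stdout | lower"` reports a change on every run, because the helper always prints `... and configured.`.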
diff --git a/roles/web-app-joomla/tasks/05_assert.yml b/roles/web-app-joomla/tasks/06_assert.yml similarity index 100% rename from roles/web-app-joomla/tasks/05_assert.yml rename to roles/web-app-joomla/tasks/06_assert.yml diff --git a/roles/web-app-joomla/tasks/main.yml b/roles/web-app-joomla/tasks/main.yml index e6191fe8..b01a584a 100644 --- a/roles/web-app-joomla/tasks/main.yml +++ b/roles/web-app-joomla/tasks/main.yml @@ -1,12 +1,12 @@ --- -- name: "Include role srv-domain-provision for {{ application_id }}" - include_role: - name: srv-domain-provision - loop: "{{ JOOMLA_DOMAINS }}" - loop_control: - loop_var: domain - vars: - http_port: "{{ ports.localhost.http[application_id] }}" +#- name: "Include role srv-domain-provision for {{ application_id }}" +# include_role: +# name: srv-domain-provision +# loop: "{{ JOOMLA_DOMAINS }}" +# loop_control: +# loop_var: domain +# vars: +# http_port: "{{ ports.localhost.http[application_id] }}" - name: "load docker and db for {{ application_id }}" include_role: @@ -14,12 +14,8 @@ vars: docker_compose_flush_handlers: false -- name: "Render LDAP CLI helper" - template: - src: cli-ldap.php.j2 - dest: "{{ JOOMLA_LDAP_CONF_FILE }}" - mode: "0644" - when: JOOMLA_LDAP_ENABLED | bool +- name: Include install routines + include_tasks: "01_ldap_files.yml" - name: "flush docker compose handlers" meta: flush_handlers @@ -27,8 +23,8 @@ - name: Include install routines include_tasks: "{{ item }}" loop: - - 01_install.yml - - 02_debug.yml - - 03_patch.yml - - 04_ldap.yml - - 05_assert.yml + - 02_install.yml + - 03_debug.yml + - 04_patch.yml + - 05_ldap.yml + - 06_assert.yml diff --git a/roles/web-app-joomla/templates/cli-ldap.php.j2 b/roles/web-app-joomla/templates/cli-ldap.php.j2 index 5a21d8e8..65e26e8b 100644 --- a/roles/web-app-joomla/templates/cli-ldap.php.j2 +++ b/roles/web-app-joomla/templates/cli-ldap.php.j2 
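Review bot: The `srv-domain-provision` include is commented out rather than removed, and neither the commit message nor a comment explains why; if that role provides the public vhost/TLS front-end for `JOOMLA_DOMAINS` (I cannot see it from here), this change quietly takes the site off its domains or leaves it served unproxied. Either restore it or delete the dead block and record the reason in the commit. The new task is also labelled `Include install routines`, the same name as the loop below it; `Deploy LDAP CLI helper and autocreate plugin files` would keep `--list-tasks` output readable.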
@@ -1,54 +1,68 @@ getQuery(true) - ->select('*') - ->from($dbo->quoteName('#__extensions')) - ->where($dbo->quoteName('type') . ' = ' . $dbo->quote('plugin')) - ->where($dbo->quoteName('folder') . ' = ' . $dbo->quote('authentication')) - ->where($dbo->quoteName('element') . ' = ' . $dbo->quote('ldap')); + ->select('*') + ->from($dbo->quoteName('#__extensions')) + ->where($dbo->quoteName('type') . ' = ' . $dbo->quote('plugin')) + ->where($dbo->quoteName('folder') . ' = ' . $dbo->quote('authentication')) + ->where($dbo->quoteName('element') . ' = ' . $dbo->quote('ldap')); $dbo->setQuery($query); $ext = $dbo->loadObject(); -if (!$ext) { fwrite(STDERR, "LDAP plugin not found.\n"); exit(2); } +if (!$ext) { + fwrite(STDERR, "LDAP plugin not found.\n"); + exit(2); +} -// Merge desired params +// Helper to strip quotes if present in env-file values +$get = static fn($k) => preg_replace('/^(["\'])(.*)\1$/', '$2', getenv($k) ?: ''); + +// Desired plugin parameters (must match Joomla LDAP plugin schema) $desired = [ - "host" => getenv('JOOMLA_LDAP_HOST'), - "port" => (int) getenv('JOOMLA_LDAP_PORT'), - "basedn" => getenv('JOOMLA_LDAP_BASE_DN'), - "userbasedn" => getenv('JOOMLA_LDAP_USER_TREE_DN'), - "groupbasedn" => getenv('JOOMLA_LDAP_GROUP_TREE_DN'), - "authmethod" => getenv('JOOMLA_LDAP_AUTH_METHOD'), // "bind" or "search" - "searchstring" => getenv('JOOMLA_LDAP_USER_SEARCH_STRING'), - "username" => getenv('JOOMLA_LDAP_BIND_DN'), - "password" => getenv('JOOMLA_LDAP_BIND_PASSWORD'), - "uid" => getenv('JOOMLA_LDAP_UID_ATTR'), - "email" => getenv('JOOMLA_LDAP_EMAIL_ATTR'), - "fullname" => getenv('JOOMLA_LDAP_NAME_ATTR'), - "starttls" => (bool) getenv('JOOMLA_LDAP_USE_STARTTLS'), - "ignore_reqcert" => (bool) getenv('JOOMLA_LDAP_IGNORE_CERT'), - "mapfullname" => (bool) getenv('JOOMLA_LDAP_MAP_FULLNAME'), - "mapemail" => (bool) getenv('JOOMLA_LDAP_MAP_EMAIL'), + // Connection settings + "host" => $get('JOOMLA_LDAP_HOST'), + "port" => (int) $get('JOOMLA_LDAP_PORT'), + 
"use_ldapV3" => true, + "negotiate_tls" => (bool) $get('JOOMLA_LDAP_USE_STARTTLS'), + "no_referrals" => false, + + // Authentication settings + "auth_method" => $get('JOOMLA_LDAP_AUTH_METHOD') ?: "search", // "search" or "bind" + "base_dn" => $get('JOOMLA_LDAP_BASE_DN'), + "search_string" => $get('JOOMLA_LDAP_USER_SEARCH_STRING'), // e.g. uid=[username] + "users_dn" => $get('JOOMLA_LDAP_USER_TREE_DN'), // required for "bind" mode + "username" => $get('JOOMLA_LDAP_BIND_DN'), + "password" => $get('JOOMLA_LDAP_BIND_PASSWORD'), + + // Attribute mapping + "ldap_uid" => $get('JOOMLA_LDAP_UID_ATTR') ?: "uid", + "ldap_email" => $get('JOOMLA_LDAP_EMAIL_ATTR') ?: "mail", + "ldap_fullname" => $get('JOOMLA_LDAP_NAME_ATTR') ?: "cn", ]; +// Merge current parameters with desired values $current = json_decode($ext->params ?: "{}", true) ?: []; -$merged = array_replace($current, array_filter($desired, fn($v) => $v !== null && $v !== '')); +$clean = array_filter($desired, static fn($v) => $v !== null && $v !== ''); +$merged = array_replace($current, $clean); +// Save back to database and enable the plugin $ext->params = json_encode($merged, JSON_UNESCAPED_SLASHES); -$ext->enabled = {{ JOOMLA_LDAP_ENABLED | ternary(1, 0) }}; - +$ext->enabled = 1; $dbo->updateObject('#__extensions', $ext, 'extension_id'); -echo "LDAP plugin enabled=". $ext->enabled . " and configured.\n"; +echo "LDAP plugin enabled={$ext->enabled} and configured.\n"; diff --git a/roles/web-app-joomla/templates/docker-compose.yml.j2 b/roles/web-app-joomla/templates/docker-compose.yml.j2 index 2f9cf8f9..6e504162 100644 --- a/roles/web-app-joomla/templates/docker-compose.yml.j2 +++ b/roles/web-app-joomla/templates/docker-compose.yml.j2 
@@ -11,6 +11,9 @@
 - data:/var/www/html
 {% if JOOMLA_LDAP_ENABLED %}
 - {{ JOOMLA_LDAP_CONF_FILE }}:/var/www/html/cli/cli-ldap.php:ro
+{% if JOOMLA_LDAP_AUTO_CREATE_ENABLED | bool %}
+ - {{ JOOMLA_LDAP_AUT_CRT_HOST_DIR }}:{{ JOOMLA_LDAP_AUT_CRT_DOCK_DIR }}:ro
+{% endif %}
 {% endif %}
 ports:
 - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
diff --git a/roles/web-app-joomla/templates/env.j2 b/roles/web-app-joomla/templates/env.j2
index 3b90f152..2a52ea46 100644
--- a/roles/web-app-joomla/templates/env.j2
+++ b/roles/web-app-joomla/templates/env.j2
@@ -6,29 +6,29 @@ JOOMLA_ADMIN_EMAIL={{ JOOMLA_USER_EMAIL }} {% if database_type == 'mariadb' %} # Database -JOOMLA_DB_HOST="{{ database_host }}:{{ database_port }}" -JOOMLA_DB_USER="{{ database_username }}" -JOOMLA_DB_PASSWORD="{{ database_password }}" -JOOMLA_DB_NAME="{{ database_name }}" -JOOMLA_DB_TYPE="{{ JOOMLA_DB_CONNECTOR }}" +JOOMLA_DB_HOST={{ database_host }}:{{ database_port }} +JOOMLA_DB_USER={{ database_username }} +JOOMLA_DB_PASSWORD={{ database_password }} +JOOMLA_DB_NAME={{ database_name }} +JOOMLA_DB_TYPE={{ JOOMLA_DB_CONNECTOR }} {% endif %} {% if JOOMLA_LDAP_ENABLED %} # LDAP -JOOMLA_LDAP_HOST="{{ JOOMLA_LDAP_HOST }}" -JOOMLA_LDAP_PORT="{{ JOOMLA_LDAP_PORT }}" -JOOMLA_LDAP_BASE_DN="{{ JOOMLA_LDAP_BASE_DN }}" -JOOMLA_LDAP_USER_TREE_DN="{{ JOOMLA_LDAP_USER_TREE_DN }}" -JOOMLA_LDAP_GROUP_TREE_DN="{{ JOOMLA_LDAP_GROUP_TREE_DN }}" -JOOMLA_LDAP_UID_ATTR="{{ JOOMLA_LDAP_UID_ATTR }}" -JOOMLA_LDAP_EMAIL_ATTR="{{ JOOMLA_LDAP_EMAIL_ATTR }}" -JOOMLA_LDAP_NAME_ATTR="{{ JOOMLA_LDAP_NAME_ATTR }}" -JOOMLA_LDAP_BIND_DN="{{ JOOMLA_LDAP_BIND_DN }}" -JOOMLA_LDAP_BIND_PASSWORD="{{ JOOMLA_LDAP_BIND_PASSWORD }}" -JOOMLA_LDAP_USE_STARTTLS="{{ JOOMLA_LDAP_USE_STARTTLS | ternary('1','') }}" -JOOMLA_LDAP_IGNORE_CERT="{{ JOOMLA_LDAP_IGNORE_CERT | ternary('1','') }}" -JOOMLA_LDAP_MAP_FULLNAME="{{ JOOMLA_LDAP_MAP_FULLNAME | ternary('1','') }}" -JOOMLA_LDAP_MAP_EMAIL="{{ JOOMLA_LDAP_MAP_EMAIL | ternary('1','') }}" -JOOMLA_LDAP_AUTH_METHOD="{{ JOOMLA_LDAP_AUTH_METHOD }}" -JOOMLA_LDAP_USER_SEARCH_STRING="{{ JOOMLA_LDAP_USER_SEARCH_STRING }}" +JOOMLA_LDAP_HOST={{ JOOMLA_LDAP_HOST }} +JOOMLA_LDAP_PORT={{ JOOMLA_LDAP_PORT }} +JOOMLA_LDAP_BASE_DN={{ JOOMLA_LDAP_BASE_DN }} +JOOMLA_LDAP_USER_TREE_DN={{ JOOMLA_LDAP_USER_TREE_DN }} +JOOMLA_LDAP_GROUP_TREE_DN={{ JOOMLA_LDAP_GROUP_TREE_DN }} +JOOMLA_LDAP_UID_ATTR={{ JOOMLA_LDAP_UID_ATTR }} +JOOMLA_LDAP_EMAIL_ATTR={{ JOOMLA_LDAP_EMAIL_ATTR }} +JOOMLA_LDAP_NAME_ATTR={{ JOOMLA_LDAP_NAME_ATTR }} +JOOMLA_LDAP_BIND_DN={{ JOOMLA_LDAP_BIND_DN }} 
+JOOMLA_LDAP_BIND_PASSWORD={{ JOOMLA_LDAP_BIND_PASSWORD }} +JOOMLA_LDAP_USE_STARTTLS={{ JOOMLA_LDAP_USE_STARTTLS | ternary('1','') }} +JOOMLA_LDAP_IGNORE_CERT={{ JOOMLA_LDAP_IGNORE_CERT | ternary('1','') }} +JOOMLA_LDAP_MAP_FULLNAME={{ JOOMLA_LDAP_MAP_FULLNAME | ternary('1','') }} +JOOMLA_LDAP_MAP_EMAIL={{ JOOMLA_LDAP_MAP_EMAIL | ternary('1','') }} +JOOMLA_LDAP_AUTH_METHOD={{ JOOMLA_LDAP_AUTH_METHOD }} +JOOMLA_LDAP_USER_SEARCH_STRING={{ JOOMLA_LDAP_USER_SEARCH_STRING }} {% endif %} \ No newline at end of file diff --git a/roles/web-app-joomla/vars/main.yml b/roles/web-app-joomla/vars/main.yml index 2d61f59e..0b959f05 100644 --- a/roles/web-app-joomla/vars/main.yml +++ b/roles/web-app-joomla/vars/main.yml 
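Review bot: Dropping the quotes puts `JOOMLA_DB_PASSWORD` and `JOOMLA_LDAP_BIND_PASSWORD` into the env file bare, so a secret containing `#`, `$` or leading/trailing whitespace is truncated, interpolated or trimmed depending on which env-file parser Compose applies (the quote-stripping `$get` helper in cli-ldap.php.j2 suggests quotes were being passed through literally, which is why I would not simply put them back). Guard the two secrets instead, for example in 06_assert.yml: `that: "'#' not in JOOMLA_LDAP_BIND_PASSWORD and '$' not in JOOMLA_LDAP_BIND_PASSWORD"`, and the same for `database_password`, or pass them through `environment:` in the compose template. I cannot see where this template is rendered; it holds the directory administrator's bind credential, so the rendered file should be `0600`.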
@@ -1,41 +1,44 @@ # General -application_id: "web-app-joomla" -database_type: "mariadb" -container_port: 80 +application_id: "web-app-joomla" +database_type: "mariadb" +container_port: 80 # Joomla -JOOMLA_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.joomla.version') }}" -JOOMLA_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.joomla.image') }}" -JOOMLA_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.joomla.name') }}" -JOOMLA_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}" -JOOMLA_CUSTOM_IMAGE: "{{ JOOMLA_IMAGE }}_custom" -JOOMLA_DOMAINS: "{{ applications | get_app_conf(application_id, 'server.domains.canonical') }}" -JOOMLA_SITE_NAME: "{{ SOFTWARE_NAME }} Joomla - CMS" -JOOMLA_DB_CONNECTOR: "{{ 'pgsql' if database_type == 'postgres' else 'mysqli' }}" -JOOMLA_CONFIG_FILE: "/var/www/html/configuration.php" +JOOMLA_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.joomla.version') }}" +JOOMLA_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.joomla.image') }}" +JOOMLA_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.joomla.name') }}" +JOOMLA_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}" +JOOMLA_CUSTOM_IMAGE: "{{ JOOMLA_IMAGE }}_custom" +JOOMLA_DOMAINS: "{{ applications | get_app_conf(application_id, 'server.domains.canonical') }}" +JOOMLA_SITE_NAME: "{{ SOFTWARE_NAME }} Joomla - CMS" +JOOMLA_DB_CONNECTOR: "{{ 'pgsql' if database_type == 'postgres' else 'mysqli' }}" +JOOMLA_CONFIG_FILE: "/var/www/html/configuration.php" # User -JOOMLA_USER_NAME: "{{ users.administrator.username }}" -JOOMLA_USER: "{{ JOOMLA_USER_NAME | capitalize }}" -JOOMLA_USER_PASSWORD: "{{ users.administrator.password }}" -JOOMLA_USER_EMAIL: "{{ users.administrator.email }}" +JOOMLA_USER_NAME: "{{ users.administrator.username }}" +JOOMLA_USER: "{{ JOOMLA_USER_NAME | capitalize 
}}" +JOOMLA_USER_PASSWORD: "{{ users.administrator.password }}" +JOOMLA_USER_EMAIL: "{{ users.administrator.email }}" # LDAP -JOOMLA_LDAP_CONF_FILE: "{{ [ docker_compose.directories.volumes, 'cli-ldap.php' ] | path_join }}" -JOOMLA_LDAP_ENABLED: "{{ applications | get_app_conf(application_id, 'features.ldap') }}" -JOOMLA_LDAP_HOST: "{{ LDAP.SERVER.DOMAIN }}" -JOOMLA_LDAP_PORT: "{{ LDAP.SERVER.PORT }}" -JOOMLA_LDAP_BASE_DN: "{{ LDAP.DN.ROOT }}" -JOOMLA_LDAP_USER_TREE_DN: "{{ LDAP.DN.OU.USERS }}" -JOOMLA_LDAP_GROUP_TREE_DN: "{{ LDAP.DN.OU.GROUPS }}" -JOOMLA_LDAP_UID_ATTR: "{{ LDAP.USER.ATTRIBUTES.ID }}" # e.g. uid -JOOMLA_LDAP_EMAIL_ATTR: "{{ LDAP.USER.ATTRIBUTES.MAIL }}" -JOOMLA_LDAP_NAME_ATTR: "{{ LDAP.USER.ATTRIBUTES.FULLNAME }}" -JOOMLA_LDAP_BIND_DN: "{{ LDAP.DN.ADMINISTRATOR.DATA }}" -JOOMLA_LDAP_BIND_PASSWORD: "{{ LDAP.BIND_CREDENTIAL }}" -JOOMLA_LDAP_USE_STARTTLS: false -JOOMLA_LDAP_IGNORE_CERT: true -JOOMLA_LDAP_MAP_FULLNAME: true -JOOMLA_LDAP_MAP_EMAIL: true -JOOMLA_LDAP_AUTH_METHOD: "search" # "bind" or "search" -JOOMLA_LDAP_USER_SEARCH_STRING: "{{ JOOMLA_LDAP_UID_ATTR }}=[username],{{ JOOMLA_LDAP_USER_TREE_DN }}" +JOOMLA_LDAP_CONF_FILE: "{{ [ docker_compose.directories.volumes, 'cli-ldap.php' ] | path_join }}" +JOOMLA_LDAP_ENABLED: "{{ applications | get_app_conf(application_id, 'features.ldap') }}" +JOOMLA_LDAP_AUTO_CREATE_ENABLED: "{{ applications | get_app_conf(application_id, 'autocreate_users') }}" +JOOMLA_LDAP_HOST: "{{ LDAP.SERVER.DOMAIN }}" +JOOMLA_LDAP_PORT: "{{ LDAP.SERVER.PORT }}" +JOOMLA_LDAP_BASE_DN: "{{ LDAP.DN.ROOT }}" +JOOMLA_LDAP_USER_TREE_DN: "{{ LDAP.DN.OU.USERS }}" +JOOMLA_LDAP_GROUP_TREE_DN: "{{ LDAP.DN.OU.GROUPS }}" +JOOMLA_LDAP_UID_ATTR: "{{ LDAP.USER.ATTRIBUTES.ID }}" # e.g. 
uid +JOOMLA_LDAP_EMAIL_ATTR: "{{ LDAP.USER.ATTRIBUTES.MAIL }}" +JOOMLA_LDAP_NAME_ATTR: "{{ LDAP.USER.ATTRIBUTES.FULLNAME }}" +JOOMLA_LDAP_BIND_DN: "{{ LDAP.DN.ADMINISTRATOR.DATA }}" +JOOMLA_LDAP_BIND_PASSWORD: "{{ LDAP.BIND_CREDENTIAL }}" +JOOMLA_LDAP_USE_STARTTLS: false +JOOMLA_LDAP_IGNORE_CERT: true +JOOMLA_LDAP_MAP_FULLNAME: true +JOOMLA_LDAP_MAP_EMAIL: true +JOOMLA_LDAP_AUTH_METHOD: "search" # "bind" or "search" +JOOMLA_LDAP_USER_SEARCH_STRING: "{{ JOOMLA_LDAP_UID_ATTR }}=[username]" +JOOMLA_LDAP_AUT_CRT_HOST_DIR: "{{ [ docker_compose.directories.volumes, 'ldapautocreate' ] | path_join }}" +JOOMLA_LDAP_AUT_CRT_DOCK_DIR: "/var/www/html/plugins/system/ldapautocreate"
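Review bot: `JOOMLA_LDAP_USER_SEARCH_STRING` is now the bare filter `{{ JOOMLA_LDAP_UID_ATTR }}=[username]` while `base_dn` in cli-ldap.php.j2 stays `LDAP.DN.ROOT`, so in `search` mode (the default here) the lookup scans the whole directory rather than the users OU and will match a same-named service or machine entry anywhere in the tree — point `JOOMLA_LDAP_BASE_DN` at `LDAP.DN.OU.USERS` or add an objectClass term to the filter. If I recall the stock Joomla LDAP plugin correctly it substitutes `[search]` in `search_string` and `[username]` only in `users_dn`, in which case this filter never matches and `search`-mode logins fail; please verify against the plugin shipped in the image. `JOOMLA_LDAP_BIND_DN` is still `LDAP.DN.ADMINISTRATOR.DATA`, a credential now held by the env file, the container and the autocreate plugin; a read-only lookup account is enough for both the auth plugin and the autocreate search. With `JOOMLA_LDAP_USE_STARTTLS: false` that credential crosses the network in cleartext unless `LDAP.SERVER.PORT` is an LDAPS endpoint, which deserves a comment on that line such as `# plaintext LDAP: only acceptable on an isolated container network`.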