Restructured openldap tasks

2025-07-17 14:04:24 +02:00 · 2025-07-14 00:31:47 +02:00 · 2025-07-14 00:31:47 +02:00 · f012b4fc78
commit f012b4fc78
parent 56f6a2dc3b
7 changed files with 81 additions and 70 deletions
--- a/roles/svc-db-openldap/config/main.yml
+++ b/roles/svc-db-openldap/config/main.yml
@ -8,4 +8,11 @@ images:
  openldap:       "bitnami/openldap:latest"
 webinterface:     "lam"                               # The webinterface which should be used. Possible: lam and phpldapadmin
 features:
-  ldap:           true
+  ldap:           true
+import:           
+# Here it's possible to define what can be imported. 
+# It doesn't make sense to let  the import run everytime because its very time consuming
+  credentials:    true 
+  schemas:        true 
+  entries:        true 
+  users:          true
--- a/roles/svc-db-openldap/tasks/reset_admin_passwords.yml
+++ b/roles/svc-db-openldap/tasks/reset_admin_passwords.yml
--- a/roles/svc-db-openldap/tasks/02_schemas.yml
+++ b/roles/svc-db-openldap/tasks/02_schemas.yml
@ -0,0 +1,5 @@
+- name: "Include Nextcloud Schema"
+  include_tasks: schemas/nextcloud.yml
+
+- name: "Include openssh-lpk Schema"
+  include_tasks: schemas/openssh_lpk.yml
--- a/roles/svc-db-openldap/tasks/03_entries.yml
+++ b/roles/svc-db-openldap/tasks/03_entries.yml
@ -0,0 +1,56 @@
+###############################################################################
+# 1) Create the LDAP entry if it does not yet exist
+###############################################################################
+- name: Ensure LDAP users exist
+  community.general.ldap_entry:
+    dn:           "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}"
+    server_uri:   "{{ ldap_server_uri }}"
+    bind_dn:      "{{ ldap.dn.administrator.data }}"
+    bind_pw:      "{{ ldap.bind_credential }}"
+    objectClass:  "{{ ldap.user.objects.structural }}"
+    attributes:
+      uid:           "{{ item.value.username }}"
+      sn:            "{{ item.value.sn  | default(item.key) }}"
+      cn:            "{{ item.value.cn  | default(item.key) }}"
+      userPassword:  "{SSHA}{{ item.value.password }}"
+      loginShell:    /bin/bash
+      homeDirectory: "/home/{{ item.key }}"
+      uidNumber:     "{{ item.value.uid | int }}"
+      gidNumber:     "{{ item.value.gid | int }}"
+    state: present            # ↳ creates but never updates
+  async: 60
+  poll: 0
+  loop: "{{ users | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+
+###############################################################################
+# 2) Keep the objectClass list AND the mail attribute up-to-date
+###############################################################################
+- name: Ensure required objectClass values and mail address are present
+  community.general.ldap_attrs:
+    dn: "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}"
+    server_uri: "{{ ldap_server_uri }}"
+    bind_dn: "{{ ldap.dn.administrator.data }}"
+    bind_pw: "{{ ldap.bind_credential }}"
+    attributes:
+      objectClass: "{{ ldap.user.objects.structural }}"
+      mail:        "{{ item.value.email }}"
+    state: exact
+  async: 60
+  poll: 0
+  loop: "{{ users | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+
+- name: "Ensure container for application roles exists"
+  community.general.ldap_entry:
+    dn: "{{ ldap.dn.ou.roles }}"
+    server_uri: "{{ ldap_server_uri }}"
+    bind_dn:  "{{ ldap.dn.administrator.data }}"
+    bind_pw:  "{{ ldap.bind_credential }}"
+    objectClass: organizationalUnit
+    attributes:
+      ou: roles
+      description: Container for application access profiles
+    state: present
--- a/roles/svc-db-openldap/tasks/add_user_objects.yml
+++ b/roles/svc-db-openldap/tasks/add_user_objects.yml
--- a/roles/svc-db-openldap/tasks/create_ldif_files.yml
+++ b/roles/svc-db-openldap/tasks/create_ldif_files.yml
@ -8,4 +8,4 @@
      lookup('fileglob', role_path ~ '/templates/ldif/' ~ folder ~ '/*.j2', wantlist=True)
      | sort
    }}
-  notify: "Import {{ folder }} LDIF files"
+  notify: "Import {{ folder }} LDIF files"
--- a/roles/svc-db-openldap/tasks/main.yml
+++ b/roles/svc-db-openldap/tasks/main.yml
@ -34,8 +34,8 @@
    timeout: 120
    state: started

- name: "Reset LDAP admin passwords"
-  include_tasks: reset_admin_passwords.yml
+- name: "Reset LDAP Credentials"
+  include_tasks: 01_credentials.yml
  when: applications | get_app_conf(application_id, 'network.local', True)

 - name: "create directory {{ldif_host_path}}{{item}}"
@ -45,8 +45,8 @@
    mode: 0755
  loop: "{{ldif_types}}"

- name: "Process all LDIF types"
-  include_tasks: create_ldif_files.yml
+- name: "Import LDIF Configuration"
+  include_tasks: ldifs_creation.yml
  loop:
    - configuration
  loop_control:
@ -61,75 +61,18 @@
      - python-ldap
    state: present

- name: "Include Nextcloud Schema"
-  include_tasks: schemas/nextcloud.yml
+- name: "Include Schemas (if enabled)"
+  include_tasks: 02_schemas.yml

- name: "Include openssh-lpk Schema"
-  include_tasks: schemas/openssh_lpk.yml
+- name: "Import LDAP Entries (if enabled)"
+  include_tasks: 03_entries.yml

-###############################################################################
-# 1) Create the LDAP entry if it does not yet exist
-###############################################################################
- name: Ensure LDAP users exist
-  community.general.ldap_entry:
-    dn:           "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}"
-    server_uri:   "{{ ldap_server_uri }}"
-    bind_dn:      "{{ ldap.dn.administrator.data }}"
-    bind_pw:      "{{ ldap.bind_credential }}"
-    objectClass:  "{{ ldap.user.objects.structural }}"
-    attributes:
-      uid:           "{{ item.value.username }}"
-      sn:            "{{ item.value.sn  | default(item.key) }}"
-      cn:            "{{ item.value.cn  | default(item.key) }}"
-      userPassword:  "{SSHA}{{ item.value.password }}"
-      loginShell:    /bin/bash
-      homeDirectory: "/home/{{ item.key }}"
-      uidNumber:     "{{ item.value.uid | int }}"
-      gidNumber:     "{{ item.value.gid | int }}"
-    state: present            # ↳ creates but never updates
-  async: 60
-  poll: 0
-  loop: "{{ users | dict2items }}"
-  loop_control:
-    label: "{{ item.key }}"
-
-###############################################################################
-# 2) Keep the objectClass list AND the mail attribute up-to-date
-###############################################################################
- name: Ensure required objectClass values and mail address are present
-  community.general.ldap_attrs:
-    dn: "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}"
-    server_uri: "{{ ldap_server_uri }}"
-    bind_dn: "{{ ldap.dn.administrator.data }}"
-    bind_pw: "{{ ldap.bind_credential }}"
-    attributes:
-      objectClass: "{{ ldap.user.objects.structural }}"
-      mail:        "{{ item.value.email }}"
-    state: exact
-  async: 60
-  poll: 0
-  loop: "{{ users | dict2items }}"
-  loop_control:
-    label: "{{ item.key }}"
-
- name: "Ensure container for application roles exists"
-  community.general.ldap_entry:
-    dn: "{{ ldap.dn.ou.roles }}"
-    server_uri: "{{ ldap_server_uri }}"
-    bind_dn:  "{{ ldap.dn.administrator.data }}"
-    bind_pw:  "{{ ldap.bind_credential }}"
-    objectClass: organizationalUnit
-    attributes:
-      ou: roles
-      description: Container for application access profiles
-    state: present
-
- name: "Process all LDIF types"
-  include_tasks: create_ldif_files.yml
+- name: "Import LDIF Data (if enabled)"
+  include_tasks: ldifs_creation.yml
  loop:
    - data
  loop_control:
    loop_var: folder

 - name: "Add Objects to all users"
-  include_tasks: add_user_objects.yml
+  include_tasks: 04_user_updates.yml