diff --git a/roles/svc-db-openldap/config/main.yml b/roles/svc-db-openldap/config/main.yml index 7a4a236c..0fc19e75 100644 --- a/roles/svc-db-openldap/config/main.yml +++ b/roles/svc-db-openldap/config/main.yml @@ -8,4 +8,11 @@ images: openldap: "bitnami/openldap:latest" webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin features: - ldap: true \ No newline at end of file + ldap: true +import: +# Here it's possible to define what can be imported. +# It doesn't make sense to let the import run everytime because its very time consuming + credentials: true + schemas: true + entries: true + users: true diff --git a/roles/svc-db-openldap/tasks/reset_admin_passwords.yml b/roles/svc-db-openldap/tasks/01_credentials.yml similarity index 100% rename from roles/svc-db-openldap/tasks/reset_admin_passwords.yml rename to roles/svc-db-openldap/tasks/01_credentials.yml diff --git a/roles/svc-db-openldap/tasks/02_schemas.yml b/roles/svc-db-openldap/tasks/02_schemas.yml new file mode 100644 index 00000000..759c1471 --- /dev/null +++ b/roles/svc-db-openldap/tasks/02_schemas.yml @@ -0,0 +1,5 @@ +- name: "Include Nextcloud Schema" + include_tasks: schemas/nextcloud.yml + +- name: "Include openssh-lpk Schema" + include_tasks: schemas/openssh_lpk.yml \ No newline at end of file diff --git a/roles/svc-db-openldap/tasks/03_entries.yml b/roles/svc-db-openldap/tasks/03_entries.yml new file mode 100644 index 00000000..22ae9f91 --- /dev/null +++ b/roles/svc-db-openldap/tasks/03_entries.yml 
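Review bot: The four new `import.*` flags all default to `true`, which contradicts the comment directly above them saying the import should not run on every play, and none of the task hunks in this diff shows a `when:` that reads these keys, so as added they appear to be configuration without a consumer. Either default the expensive steps to `false` or, at minimum, document which task file each flag is meant to gate, e.g. `# credentials -> 01_credentials.yml, schemas -> 02_schemas.yml, entries -> 03_entries.yml, users -> 04_user_updates.yml`. The explanatory comment also needs a wording fix: `# It doesn't make sense to run the import every time because it is very time consuming.` The two comment lines sit at column 0 inside the `import:` mapping; YAML accepts that, but indenting them two spaces keeps them visually attached to the keys they describe.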
@@ -0,0 +1,56 @@ +############################################################################### +# 1) Create the LDAP entry if it does not yet exist +############################################################################### +- name: Ensure LDAP users exist + community.general.ldap_entry: + dn: "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}" + server_uri: "{{ ldap_server_uri }}" + bind_dn: "{{ ldap.dn.administrator.data }}" + bind_pw: "{{ ldap.bind_credential }}" + objectClass: "{{ ldap.user.objects.structural }}" + attributes: + uid: "{{ item.value.username }}" + sn: "{{ item.value.sn | default(item.key) }}" + cn: "{{ item.value.cn | default(item.key) }}" + userPassword: "{SSHA}{{ item.value.password }}" + loginShell: /bin/bash + homeDirectory: "/home/{{ item.key }}" + uidNumber: "{{ item.value.uid | int }}" + gidNumber: "{{ item.value.gid | int }}" + state: present # ↳ creates but never updates + async: 60 + poll: 0 + loop: "{{ users | dict2items }}" + loop_control: + label: "{{ item.key }}" + +############################################################################### +# 2) Keep the objectClass list AND the mail attribute up-to-date +############################################################################### +- name: Ensure required objectClass values and mail address are present + community.general.ldap_attrs: + dn: "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}" + server_uri: "{{ ldap_server_uri }}" + bind_dn: "{{ ldap.dn.administrator.data }}" + bind_pw: "{{ ldap.bind_credential }}" + attributes: + objectClass: "{{ ldap.user.objects.structural }}" + mail: "{{ item.value.email }}" + state: exact + async: 60 + poll: 0 + loop: "{{ users | dict2items }}" + loop_control: + label: "{{ item.key }}" + +- name: "Ensure container for application roles exists" + community.general.ldap_entry: + dn: "{{ ldap.dn.ou.roles }}" + server_uri: "{{ ldap_server_uri }}" + bind_dn: "{{ ldap.dn.administrator.data }}" + 
bind_pw: "{{ ldap.bind_credential }}" + objectClass: organizationalUnit + attributes: + ou: roles + description: Container for application access profiles + state: present diff --git a/roles/svc-db-openldap/tasks/add_user_objects.yml b/roles/svc-db-openldap/tasks/04_user_updates.yml similarity index 100% rename from roles/svc-db-openldap/tasks/add_user_objects.yml rename to roles/svc-db-openldap/tasks/04_user_updates.yml diff --git a/roles/svc-db-openldap/tasks/create_ldif_files.yml b/roles/svc-db-openldap/tasks/ldifs_creation.yml similarity index 88% rename from roles/svc-db-openldap/tasks/create_ldif_files.yml rename to roles/svc-db-openldap/tasks/ldifs_creation.yml index 5ae39b90..61c98bb0 100644 --- a/roles/svc-db-openldap/tasks/create_ldif_files.yml +++ b/roles/svc-db-openldap/tasks/ldifs_creation.yml @@ -8,4 +8,4 @@ lookup('fileglob', role_path ~ '/templates/ldif/' ~ folder ~ '/*.j2', wantlist=True) | sort }} - notify: "Import {{ folder }} LDIF files" + notify: "Import {{ folder }} LDIF files" \ No newline at end of file diff --git a/roles/svc-db-openldap/tasks/main.yml b/roles/svc-db-openldap/tasks/main.yml index a524c0de..b7212ad3 100644 --- a/roles/svc-db-openldap/tasks/main.yml +++ b/roles/svc-db-openldap/tasks/main.yml @@ -34,8 +34,8 @@ timeout: 120 state: started -- name: "Reset LDAP admin passwords" - include_tasks: reset_admin_passwords.yml +- name: "Reset LDAP Credentials" + include_tasks: 01_credentials.yml when: applications | get_app_conf(application_id, 'network.local', True) - name: "create directory {{ldif_host_path}}{{item}}" @@ -45,8 +45,8 @@ mode: 0755 loop: "{{ldif_types}}" -- name: "Process all LDIF types" - include_tasks: create_ldif_files.yml +- name: "Import LDIF Configuration" + include_tasks: ldifs_creation.yml loop: - configuration loop_control: 
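Review bot: Both `async: 60` / `poll: 0` tasks in 03_entries.yml are fire-and-forget: no `register` plus `async_status` follows, so a failed `ldap_entry` or `ldap_attrs` call is never reported, and the `ldap_attrs` loop with `state: exact` can start before the asynchronous `ldap_entry` for the same DN has finished. Drop `async`/`poll` on both tasks, or register the jobs and wait on them with `async_status` before the second loop runs. The `attributes.userPassword` value is a password hash that, unlike `bind_pw`, is presumably not masked by the module's argument spec, so add `no_log: true` to the "Ensure LDAP users exist" task to keep it out of failure output. The inline note `# ↳ creates but never updates` is correct and worth expanding: with `state: present` a changed `item.value.password` is never applied to an existing entry, which is the kind of silent non-rotation a reader should be warned about.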
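Review bot: `01_credentials.yml` is still included solely under `when: applications | get_app_conf(application_id, 'network.local', True)`; the `import.credentials` flag introduced in config/main.yml by this same change is not consulted, so renaming the task to "Reset LDAP Credentials" does not make the reset opt-out. If the flag is meant to gate it, extend the condition to `when: applications | get_app_conf(application_id, 'network.local', True) and applications | get_app_conf(application_id, 'import.credentials', True)`, assuming the role config is reachable through `get_app_conf` the way `network.local` is. The task file itself is only renamed in this diff, so its contents are not reviewed here.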
@@ -61,75 +61,18 @@ - python-ldap state: present -- name: "Include Nextcloud Schema" - include_tasks: schemas/nextcloud.yml +- name: "Include Schemas (if enabled)" + include_tasks: 02_schemas.yml -- name: "Include openssh-lpk Schema" - include_tasks: schemas/openssh_lpk.yml +- name: "Import LDAP Entries (if enabled)" + include_tasks: 03_entries.yml -############################################################################### -# 1) Create the LDAP entry if it does not yet exist -############################################################################### -- name: Ensure LDAP users exist - community.general.ldap_entry: - dn: "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}" - server_uri: "{{ ldap_server_uri }}" - bind_dn: "{{ ldap.dn.administrator.data }}" - bind_pw: "{{ ldap.bind_credential }}" - objectClass: "{{ ldap.user.objects.structural }}" - attributes: - uid: "{{ item.value.username }}" - sn: "{{ item.value.sn | default(item.key) }}" - cn: "{{ item.value.cn | default(item.key) }}" - userPassword: "{SSHA}{{ item.value.password }}" - loginShell: /bin/bash - homeDirectory: "/home/{{ item.key }}" - uidNumber: "{{ item.value.uid | int }}" - gidNumber: "{{ item.value.gid | int }}" - state: present # ↳ creates but never updates - async: 60 - poll: 0 - loop: "{{ users | dict2items }}" - loop_control: - label: "{{ item.key }}" - -############################################################################### -# 2) Keep the objectClass list AND the mail attribute up-to-date -############################################################################### -- name: Ensure required objectClass values and mail address are present - community.general.ldap_attrs: - dn: "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}" - server_uri: "{{ ldap_server_uri }}" - bind_dn: "{{ ldap.dn.administrator.data }}" - bind_pw: "{{ ldap.bind_credential }}" - attributes: - objectClass: "{{ ldap.user.objects.structural }}" - mail: "{{ 
item.value.email }}" - state: exact - async: 60 - poll: 0 - loop: "{{ users | dict2items }}" - loop_control: - label: "{{ item.key }}" - -- name: "Ensure container for application roles exists" - community.general.ldap_entry: - dn: "{{ ldap.dn.ou.roles }}" - server_uri: "{{ ldap_server_uri }}" - bind_dn: "{{ ldap.dn.administrator.data }}" - bind_pw: "{{ ldap.bind_credential }}" - objectClass: organizationalUnit - attributes: - ou: roles - description: Container for application access profiles - state: present - -- name: "Process all LDIF types" - include_tasks: create_ldif_files.yml +- name: "Import LDIF Data (if enabled)" + include_tasks: ldifs_creation.yml loop: - data loop_control: loop_var: folder - name: "Add Objects to all users" - include_tasks: add_user_objects.yml \ No newline at end of file + include_tasks: 04_user_updates.yml \ No newline at end of file
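Review bot: The new includes are named "Include Schemas (if enabled)" and "Import LDAP Entries (if enabled)" but carry no `when:`, so `02_schemas.yml` and `03_entries.yml` run unconditionally and the `import.schemas` / `import.entries` flags added in config/main.yml have no effect; the same is true of "Import LDIF Data (if enabled)" and the `04_user_updates.yml` include. Gate each on its flag using the lookup already used earlier in this file, e.g. `when: applications | get_app_conf(application_id, 'import.schemas', True)` and `when: applications | get_app_conf(application_id, 'import.entries', True)`, assuming `import.*` is exposed through `get_app_conf` the way `network.local` is. The `\ No newline at end of file` on the last include is carried over from the old file and is worth fixing while the line is being touched.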