From f5c9c3edba17cc157cc653bef6b97f18f4048013 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Thu, 6 Feb 2025 16:27:00 +0100
Subject: [PATCH] solved locale network bugs of ldap
---
 group_vars/all/07_applications.yml | 12 ++++++++++--
 roles/docker-keycloak/vars/main.yml | 7 ++++---
 roles/docker-ldap/tasks/main.yml | 4 +++-
 roles/docker-ldap/templates/lam.env.j2 | 2 +-
 roles/docker-ldap/vars/main.yml | 2 +-
 .../templates/oauth2-proxy-keycloak.cfg.j2 | 4 ++--
 6 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
index fc0567f9..77723e27 100644
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -3,6 +3,13 @@
 ## Docker Role Specific Parameters
 docker_restart_policy: "unless-stopped"
+##############################################
+## Private Helper variables ###
+##############################################
+
+# By default don't expose openldap to the internet, just if explicit configured
+_ldap_openldap_expose_to_internet: "{{ applications.ldap.openldap.expose_to_internet if applications.ldap is defined and applications.ldap.openldap is defined else false}}"
+
 defaults_applications:
 ## Akaunting
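Review bot: The guard on the new `_ldap_openldap_expose_to_internet` line checks `applications.ldap` and `applications.ldap.openldap` for definedness but not the leaf key, so an override that defines `applications.ldap.openldap` with only `version` fails the template on an undefined attribute instead of falling back to `false`. One `default` covers the whole attribute chain: `_ldap_openldap_expose_to_internet: "{{ applications.ldap.openldap.expose_to_internet | default(false) }}"`. The next hunk sets `defaults_applications.ldap.openldap.expose_to_internet` to this same variable, so if `applications` is derived from `defaults_applications` (not visible here) the two definitions presumably reference each other; worth confirming the merge order cannot produce a recursive loop. Falling back to `false` keeps the LDAP port unexposed unless explicitly requested, which is the right default.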
@@ -62,13 +69,14 @@ defaults_applications:
 administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
 openldap:
 version: "latest"
- expose_to_internet: false # Set to true if you want to expose the LDAP port to the internet. Keep in mind to
+ expose_to_internet: "{{_ldap_openldap_expose_to_internet}}" # Set to true if you want to expose the LDAP port to the internet
+ domain: "{{domains.ldap if _ldap_openldap_expose_to_internet else 'openldap'}}" # Mapping for public or locale access
 phpldapadmin:
 version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
 webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
 administrator_username: "{{administrator_username}}"
 administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
- administrator_database_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
+ administrator_database_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
 ## Listmonk
 listmonk:
diff --git a/roles/docker-keycloak/vars/main.yml b/roles/docker-keycloak/vars/main.yml
index 50a9f807..96295f24 100644
--- a/roles/docker-keycloak/vars/main.yml
+++ b/roles/docker-keycloak/vars/main.yml
@@ -1,3 +1,4 @@
-application_id: "keycloak"
-database_type: "postgres"
-database_password: "{{keycloak_database_password}}"
\ No newline at end of file
+application_id: "keycloak"
+database_type: "postgres"
+database_password: "{{keycloak_database_password}}"
+ldap_network_enabled: true # Activate LDAP network
\ No newline at end of file
diff --git a/roles/docker-ldap/tasks/main.yml b/roles/docker-ldap/tasks/main.yml
index dffd8e27..6b886065 100644
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
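Review bot: The comment on the new `domain` line reads "locale access" where "local access" is meant, and it does not say what the two alternatives are; since this key now decides whether LAM is pointed at the public FQDN or at an internal name, the comment is the only place that contract is recorded. Suggested wording: `domain: "{{domains.ldap if _ldap_openldap_expose_to_internet else 'openldap'}}" # Host LAM connects to: the public FQDN when the port is exposed, otherwise the internal name 'openldap'`. The literal `'openldap'` presumably resolves on the Docker network; if the service or container name ever differs, the local path breaks silently, so sourcing it from the same variable the compose definition uses would be safer.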
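Review bot: The new side of `roles/docker-keycloak/vars/main.yml` still ends with `\ No newline at end of file`, and the three unchanged lines above the added `ldap_network_enabled` are deleted and re-added in this hunk, which is what a missing final newline or a whitespace-only change usually produces; terminating the file with a newline now avoids rewriting the whole file on the next append. The new sides of `roles/docker-ldap/vars/main.yml` and `roles/docker-ldap/tasks/main.yml` in this commit have the same missing newline.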
@@ -40,6 +40,7 @@
 mode: '770'
 force: yes
 notify: docker compose project setup
+ when: applications.ldap.webinterface == 'phpldapadmin'
 - name: "create {{docker_compose.directories.env}}lam.env"
 template:
@@ -47,4 +48,5 @@
 dest: "{{docker_compose.directories.env}}lam.env"
 mode: '770'
 force: yes
- notify: docker compose project setup
\ No newline at end of file
+ notify: docker compose project setup
+ when: applications.ldap.webinterface == 'lam'
\ No newline at end of file
diff --git a/roles/docker-ldap/templates/lam.env.j2 b/roles/docker-ldap/templates/lam.env.j2
index 7c0cd0d9..ee37ecc9 100644
--- a/roles/docker-ldap/templates/lam.env.j2
+++ b/roles/docker-ldap/templates/lam.env.j2
@@ -7,7 +7,7 @@ LAM_PASSWORD= {{applications.ldap.lam.administrator_password}}
 LAM_CONFIGURATION_DATABASE= files # configuration database (files or mysql) @todo implement mariadb # LDAP Configuration
-LDAP_SERVER= {{domain}} # domain of LDAP database root entry, will be converted to dc=...,dc=...
+LDAP_SERVER= {{applications.ldap.openldap.domain}} # domain of LDAP database root entry, will be converted to dc=...,dc=...
 LDAP_BASE_DN= {{ldap_root}} # LDAP base DN to overwrite value generated by LDAP_DOMAIN
 LDAP_USER= {{ldap_admin_dn}} # LDAP admin user (set as login user for LAM)
 LDAP_ADMIN_PASSWORD= {{applications.ldap.administrator_database_password}} # LDAP admin password
\ No newline at end of file
diff --git a/roles/docker-ldap/vars/main.yml b/roles/docker-ldap/vars/main.yml
index 1bcb0982..564f09f8 100644
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@@ -11,4 +11,4 @@ oauth2_proxy_active: true
 enable_wildcard_certificate: false # Activate dedicated Certificate
-ldap_network_enabled: true # Activate LDAP network
\ No newline at end of file
+ldap_network_enabled: true # Activate LDAP network
\ No newline at end of file
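Review bot: The two new `when` lines compare `applications.ldap.webinterface` with the literals `'phpldapadmin'` and `'lam'`, so any other value (a typo or different casing) skips both tasks and leaves the compose project without an env file, with no error raised at this point. An `assert` ahead of the two template tasks fails early with a clear message; the first task this hunk touches begins above the hunk, so the assert belongs before that task. Separately and pre-existing, both env files are rendered with `mode: '770'` although `lam.env.j2` in this commit carries `LAM_PASSWORD` and `LDAP_ADMIN_PASSWORD`; a non-group-writable, non-executable mode such as `'600'` fits a secrets file better (the owner the container needs is not visible here).
```yaml
- name: "validate applications.ldap.webinterface"
  assert:
    that:
      - applications.ldap.webinterface in ['lam', 'phpldapadmin']
    fail_msg: "applications.ldap.webinterface must be 'lam' or 'phpldapadmin'"
# … unchanged: the two env-file template tasks with their new when: conditions …
```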
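Review bot: The inline comment kept on the rewritten `LDAP_SERVER` line ("domain of LDAP database root entry, will be converted to dc=...,dc=...") describes a base-DN source, which the next line attributes to `LDAP_DOMAIN`, whereas the value now assigned is a hostname selected by `applications.ldap.openldap.domain`; suggested replacement: `# LDAP server host LAM connects to (public FQDN when exposed, internal name otherwise)`. The value carries no scheme or port, so nothing in this hunk decides whether a connection to the public hostname uses TLS (ldaps or STARTTLS); `LDAP_USER` and `LDAP_ADMIN_PASSWORD` are presumably bound over that connection, so this is worth confirming in the LAM configuration for the `expose_to_internet` case.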
diff --git a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
index 9c000090..6f1ec7a6 100644
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@@ -3,14 +3,14 @@ cookie_secret = "{{applications.oauth2_proxy.cookie_secret}}"
 email_domains = "{{primary_domain}}"
 cookie_secure = "false"
 upstreams = "http://{{oauth2_proxy_upstream_application_and_port}}"
-cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] # Required so cookie can be read on all subdomains.
+cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] # Required so cookie can be read on all subdomains.
 whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target. # keycloak provider
 client_secret = "{{oidc.client.secret}}"
 client_id = "{{oidc.client.id}}"
 redirect_url = "https://{{domain}}/oauth2/callback"
-oidc_issuer_url = "{{oidc_client_issuer_url}}"
+oidc_issuer_url = "{{oidc.client.issuer_url}}"
 provider = "oidc"
 provider_display_name = "Keycloak"
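Review bot: `cookie_secure = "false"` two lines above the rewritten `cookie_domains` line leaves the oauth2-proxy session cookie without the Secure attribute even though `redirect_url` in the same hunk is `https://{{domain}}/oauth2/callback`; a browser will then also send that cookie to any plain-HTTP listener on `{{domain}}` or `{{domains.keycloak}}`. This is pre-existing rather than introduced here, but this hunk is the place to set `cookie_secure = "true"`, or to record in a comment why it has to stay off. The `oidc_issuer_url` change itself is consistent with the `oidc.client.id` and `oidc.client.secret` lines above it.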