6 Commits

Author	SHA1	Message	Date
Kevin Veen-Birkenbach	8008afe0de	Refactor user variable name from OPERNLDAP_USERS to OPENLDAP_USERS and add dynamic state handling for objectClass cleanup. ... See conversation: https://chatgpt.com/share/692cab28-1ce0-800f-81da-712c8ea08e5c	2025-11-30 21:38:16 +01:00
Kevin Veen-Birkenbach	26dfab147d	Implement reserved username handling for users, LDAP and Keycloak ... Add end-to-end support for reserved usernames and tighten CAPTCHA / Keycloak logic. Changes: - Makefile: rename EXTRA_USERS → RESERVED_USERNAMES and pass it as --reserved-usernames to the users defaults generator. - cli/build/defaults/users.py: propagate flag into generated users, add --reserved-usernames CLI option and mark listed accounts as reserved. - Add reserved_users filter plugin with and helpers for Ansible templates and tasks. - Add unit tests for reserved_users filters and the new reserved-usernames behaviour in the users defaults generator. - group_vars/all/00_general.yml: harden RECAPTCHA_ENABLED / HCAPTCHA_ENABLED checks with default('') and explicit > 0 length checks. - svc-db-openldap: introduce OPENLDAP_PROVISION_* flags, add OPENLDAP_PROVISION_RESERVED and OPERNLDAP_USERS to optionally exclude reserved users from provisioning. - svc-db-openldap templates/tasks: switch role/group LDIF and user import loops to use OPERNLDAP_USERS instead of the full users dict. - networks: assign dedicated subnet for web-app-roulette-wheel. - web-app-keycloak vars: compute KEYCLOAK_RESERVED_USERNAMES_LIST and KEYCLOAK_RESERVED_USERNAMES_REGEX from users | reserved_usernames. - web-app-keycloak user profile template: inject reserved-username regex into username validation pattern and improve error message, fix SSH public key attribute usage and add component name field. - web-app-keycloak update/_update.yml: strip subComponents from component payloads before update and disable async/poll for easier debugging. - web-app-keycloak tasks/main.yml: guard cleanup include with MODE_CLEANUP and keep reCAPTCHA update behind KEYCLOAK_RECAPTCHA_ENABLED. - user/users defaults: mark system/service accounts (root, daemon, mail, admin, webmaster, etc.) as reserved so they cannot be chosen as login names. - svc-prx-openresty vars: simplify OPENRESTY_CONTAINER lookup by dropping unused default parameter. - sys-ctl-rpr-btrfs-balancer: simplify main.yml by removing the extra block wrapper. - sys-daemon handlers: quote handler name for consistency. Context: change set discussed and refined in ChatGPT on 2025-11-29 (Infinito.Nexus reserved usernames & Keycloak user profile flow). See conversation: https://chatgpt.com/share/692b21f5-5d98-800f-8e15-1ded49deddc9	2025-11-29 17:40:45 +01:00
Kevin Veen-Birkenbach	208848579d	svc-db-openldap: make LDIF import idempotent, unify container var, and tidy role ... - Add handlers/main.yml to load memberof/refint modules and import groups via docker exec - Use OPENLDAP_CONTAINER consistently (replace OPENLDAP_NAME) - Rename tasks/ldifs_creation.yml -> tasks/_ldifs_creation.yml and update includes - Drop default param from get_app_conf calls; add explicit meta: flush_handlers - docker-compose: honor OPENLDAP_NETWORK_EXPOSE_LOCAL | bool; minor formatting - env template: formatting/comments consistency - Remove unused 01_rbac_group.ldif.j2; rename 02_rbac_roles -> 01_rbac_roles and fix filter to LDAP - vars: rename OPENLDAP_NAME -> OPENLDAP_CONTAINER; prune LDIF schema type Conversation: https://chatgpt.com/share/68d1d25d-e788-800f-bfb6-13b1f5bc6121	2025-09-23 00:49:57 +02:00
Kevin Veen-Birkenbach	ff18c7cd73	Expect this to solve openldap import bug	2025-07-22 14:18:33 +02:00
Kevin Veen-Birkenbach	e78974b469	Solved openldap folder naming bug	2025-07-21 17:41:18 +02:00
Kevin Veen-Birkenbach	732607bbb6	Added provisioning switches for openldap to improve performance	2025-07-14 08:45:53 +02:00