2025-04-28 18:30:24 +02:00
11 changed files with 35 additions and 66 deletions
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@ -36,13 +36,11 @@ defaults_applications:
  ## Big Blue Button
  bigbluebutton:
    enable_greenlight:    "true"
-    setup:                false               # Set to true in inventory file for initial setup
+    setup:                false                           # Set to true in inventory file for initial setup
    oidc:
-      enabled:            true                # Activate OIDC
+      enabled:               true                         # Activate OIDC
    database:
-      central_storage:    True
+      central_storage:                True
    ldap:
      enabled:            False                # @todo LDAP needs to get propper implemented and tested, just set values during refactoring
  ## Bluesky
  bluesky:
@ -80,7 +78,7 @@ defaults_applications:
  funkwhale:
    version:              "1.4.0"
    ldap:
-      enabled:            True                # Enables LDAP by default @todo check implementation
+      enabled:            True                # Enables LDAP by default
    database:
      central_storage:    True
@ -254,7 +252,7 @@ defaults_applications:
      # Available options: oidc_login, sociallogin
      # @see https://apps.nextcloud.com/apps/oidc_login
      # @see https://apps.nextcloud.com/apps/sociallogin
-      flavor:               "sociallogin"                          # Keeping on sociallogin because the other option is not implemented yet                                             
+      flavor:               "oidc_login"                          # Keeping on sociallogin because the other option is not implemented yet                                             
    force_import:           False                                 # Forces the import of the LDIF files
    database:
      central_storage:      True
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
@ -29,9 +29,7 @@ defaults_oidc:
 #############################################
 # Helper Variables:
-# Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory
+_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
 _ldap_dn_base:      "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
 _ldap_server_port:  "{% if applications.ldap.openldap.network.local | bool %}{{ ports.localhost.ldap.openldap }}{% else %}{{ ports.localhost.ldaps.openldap }}{% endif %}"
 ldap:
  # Enables LDAP for all roles in play if true
@ -48,15 +46,11 @@ ldap:
    groups:             "ou=groups,{{_ldap_dn_base}}"
    # Dn for all application roles of the users
    application_roles:  "ou=application_roles,{{_ldap_dn_base}}"
  attributes:
    # Attribut to identify the user
    user_id:            "uid" 
  # Password to access dn.bind
  bind_credential:      "{{applications.ldap.administrator_database_password}}"
  server:
    domain:             "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access
-    port:               "{{_ldap_server_port}}"
+    uri:                "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}"
    uri:                "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}{% else %}ldaps://{{ domains.ldap }}{% endif %}:{{ _ldap_server_port }}"
  network:
    local:              "{{applications.ldap.openldap.network.local}}" # Uses the application configuration to define if local network should be available or not
--- a/roles/docker-bigbluebutton/templates/env.j2
+++ b/roles/docker-bigbluebutton/templates/env.j2
@ -161,7 +161,6 @@ OFFICE365_HD=
 # It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy
 OAUTH2_REDIRECT=
 {% if applications[application_id].ldap.enabled | bool %}
 # LDAP Login Provider (optional)
 #
 # You can enable LDAP authentication by providing values for the variables below.
@ -173,25 +172,23 @@ OAUTH2_REDIRECT=
 #   LDAP_SERVER=ldap.example.com
 #   LDAP_PORT=389
 #   LDAP_METHOD=plain
-#   LDAP_UID={{ldap.attributes.user_id}}
+#   LDAP_UID=uid
 #   LDAP_BASE=dc=example,dc=com
 #   LDAP_AUTH=simple
 #   LDAP_BIND_DN=cn=admin,dc=example,dc=com
 #   LDAP_PASSWORD=password
 #   LDAP_ROLE_FIELD=ou
 #   LDAP_FILTER=(&(attr1=value1)(attr2=value2))
-LDAP_SERVER="{{ldap.server.domain}}"
+LDAP_SERVER=
-LDAP_PORT="{{ldap.server.port}}"
+LDAP_PORT=
 LDAP_METHOD=
-LDAP_UID={{ldap.attributes.user_id}}
+LDAP_UID=
-LDAP_BASE="{{ldap.dn.root}}"
+LDAP_BASE=
-LDAP_BIND_DN="{{ldap.dn.administrator}}"
+LDAP_BIND_DN=
-LDAP_AUTH=password
+LDAP_AUTH=
-LDAP_PASSWORD="{{ldap.bind_credential}}"
+LDAP_PASSWORD=
 LDAP_ROLE_FIELD=
 LDAP_FILTER=
 {% endif %}
 # ====================================
 # GREENLIGHT CONFIGURATION
 # ====================================
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@ -1923,7 +1923,7 @@
              "subComponents": {},
              "config": {
                "ldap.attribute": [
-                  "{{ldap.attributes.user_id}}"
+                  "uid"
                ],
                "is.mandatory.in.ldap": [
                  "true"
@ -2008,7 +2008,7 @@
            "-1"
          ],
          "usernameLDAPAttribute": [
-            "{{ldap.attributes.user_id}}"
+            "uid"
          ],
          "bindDn": [
            "{{ldap.dn.administrator}}"
@ -2020,7 +2020,7 @@
            "other"
          ],
          "uuidLDAPAttribute": [
-            "{{ldap.attributes.user_id}}"
+            "uid"
          ],
          "allowKerberosAuthentication": [
            "false"
@ -2053,7 +2053,7 @@
            "person, inetOrgPerson, nextcloudUser"
          ],
          "rdnLDAPAttribute": [
-            "{{ldap.attributes.user_id}}"
+            "uid"
          ],
          "editMode": [
            "WRITABLE"
--- a/roles/docker-ldap/README.md
+++ b/roles/docker-ldap/README.md
@ -64,13 +64,13 @@ EOF
 ### Show all Entries
 ```bash 
-docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" LDAP_DN_BASE="$LDAP_DN_BASE" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"\$LDAP_DN_BASE\"";
+docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world'";
 ```
 ### Delete Groups and Subgroup
 To delete the group inclusive all subgroups use:
 ```bash
-docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"ou=applications,ou=groups,\$LDAP_DN_BASE\" dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done"
+docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'ou=applications,ou=groups,dc=veen,dc=world' dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done"
 ```
--- a/roles/docker-ldap/templates/ldif/data/02_users.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/data/02_users.ldif.j2
@ -9,11 +9,11 @@ description: Container for application access profiles
 #######################################################################
 # Create Admin User
 #######################################################################
-dn: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}
+dn: uid={{users.administrator.username}},{{ldap.dn.users}}
 objectClass: top
 objectClass: inetOrgPerson
 objectClass: posixAccount
-{{ldap.attributes.user_id}}: {{users.administrator.username}}
+uid: {{users.administrator.username}}
 sn: Administrator
 cn: Administrator
 userPassword: {SSHA}CHANGE_THIS_PASSWORD
@ -31,11 +31,11 @@ gidNumber: {{users.administrator.gid}}
 dn: cn={{ app }}-administrator,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}
+roleOccupant: uid={{users.administrator.username}},{{ldap.dn.users}}
 dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}
+roleOccupant: uid={{users.administrator.username}},{{ldap.dn.users}}
 {% endfor %}
--- a/roles/docker-nextcloud/README.md
+++ b/roles/docker-nextcloud/README.md
@ -94,11 +94,6 @@ docker-compose exec -it -u www-data application /var/www/html/occ
 ```
 ### User Administration 
 #### Create user via CLI
 ```bash
 docker compose exec -it -u www-data application php occ user:add {{username}}
 ```
 #### Make user admin via cli
 ```bash
 docker compose exec -it -u www-data application php occ group:adduser admin {{username}}
--- a/roles/docker-nextcloud/tasks/sociallogin.yml
+++ b/roles/docker-nextcloud/tasks/sociallogin.yml
@ -3,7 +3,7 @@
 - name: Flush all handlers immediately so that occ can be used
  meta: flush_handlers
- name: disable oidc_login plugin
+- name: enable oidc_login plugin
  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:disable oidc_login"
  ignore_errors: true
  when: 
@ -22,7 +22,6 @@
 - name: Configure Sociallogin
  loop: "{{ nextcloud_sociallogin_configuration}}"
  # The | to_json function is necessary to escape custom_providers correct.
  command: >
    docker exec -u www-data {{ nextcloud_application_container_name }}
-    php occ config:app:set {{ item.appid }} {{ item.configkey }} --value '{{ item.configvalue | to_json if item.configvalue is mapping else item.configvalue }}'
+    php occ config:app:set {{ item.appid }} {{ item.configkey }} --value "{{ item.configvalue }}"
--- a/roles/docker-nextcloud/templates/oidc.config.php.j2
+++ b/roles/docker-nextcloud/templates/oidc.config.php.j2
@ -14,7 +14,7 @@ return array (
    'oidc_login_client_secret' => '{{oidc.client.secret}}',
    // Automatically redirect the login page to the provider
-    'oidc_login_auto_redirect' => true,
+    'oidc_login_auto_redirect' => false,
    // Redirect to this page after logging out the user
    'oidc_login_logout_url' => 'https://{{domains[application_id]}}',
@ -23,7 +23,7 @@ return array (
    // logout endpoint of the OIDC provider after logout
    // in Nextcloud. After successfull logout the OIDC
    // provider will redirect back to 'oidc_login_logout_url' (MUST be set).
-    'oidc_login_end_session_redirect' => true,
+    'oidc_login_end_session_redirect' => false,
    // Quota to assign if no quota is specified in the OIDC response (bytes)
    //
@ -38,7 +38,7 @@ return array (
    'oidc_login_hide_password_form' => true,
    // Use ID Token instead of UserInfo
-    'oidc_login_use_id_token' => true,
+    'oidc_login_use_id_token' => false,
    // Attribute map for OIDC response. Available keys are:
    //   * id:           Unique identifier for username
@ -98,9 +98,9 @@ return array (
        'mail' => 'email',
        # 'quota' => 'nextcloudQuota',  # Not implemented yet
        # 'home' => 'homeDirectory',    # Not implemented yet
-        'ldap_uid' => '{{ldap.attributes.user_id}}',
+        'ldap_uid' => 'uid',
        # 'groups' => 'ownCloudGroups', # Not implemented yet
-        # 'login_filter' => 'realm_access_roles',
+        'login_filter' => 'realm_access_roles',
    //    'photoURL' => 'picture',
    //    'is_admin' => 'ownCloudAdmin',
    ),
--- a/roles/docker-nextcloud/vars/ldap.yml
+++ b/roles/docker-nextcloud/vars/ldap.yml
@ -107,7 +107,7 @@ nextcloud_ldap_configuration:
  -
    appid: "user_ldap"
    configkey: "s01ldap_login_filter"
-    configvalue: "(&(|(objectclass=inetOrgPerson))({{ldap.attributes.user_id}}=%{{ldap.attributes.user_id}}))"
+    configvalue: "(&(|(objectclass=inetOrgPerson))(uid=%uid))"
  -
    appid: "user_ldap"
    configkey: "s01ldap_login_filter_mode"
@ -175,4 +175,4 @@ nextcloud_ldap_configuration:
  -
    appid: "user_ldap"
    configkey: "s01ldap_expert_username_attr"
-    configvalue: "{{ldap.attributes.user_id}}"
+    configvalue: "uid"
--- a/roles/docker-nextcloud/vars/sociallogin.yml
+++ b/roles/docker-nextcloud/vars/sociallogin.yml
@ -23,21 +23,7 @@ nextcloud_sociallogin_configuration:
    # In this case, it sets up a Keycloak provider with details like URLs for authorization,
    # token retrieval, user info, and logout, as well as the client ID and secret.
    configkey: "custom_providers"
-    configvalue: 
+    configvalue: '{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","style":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
      custom_oidc:
        - name: "{{ domains.keycloak }}"
          title: "keycloak"
          style: "keycloak"
          authorizeUrl: "{{ oidc.client.authorize_url }}"
          tokenUrl: "{{ oidc.client.toke_url }}"
          displayNameClaim: ""
          userInfoUrl: "{{ oidc.client.user_info_url }}"
          logoutUrl: "{{ oidc.client.logout_url }}"
          clientId: "{{ oidc.client.id }}"
          clientSecret: "{{ oidc.client.secret }}"
          scope: "openid"
          groupsClaim: ""
          defaultGroup: ""
  -
    appid: "sociallogin"
    configkey: "disable_notify_admins"