Set LDAP uid variable

Optimized README.md
Optimized formatation
2025-04-28 18:30:24 +02:00 · 2025-02-26 10:42:25 +01:00 · 2025-02-26 10:10:48 +01:00 · 2025-02-26 09:59:46 +01:00 · 2025-02-26 09:49:32 +01:00
11 changed files with 66 additions and 35 deletions
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@ -36,11 +36,13 @@ defaults_applications:
  ## Big Blue Button
  bigbluebutton:
    enable_greenlight:    "true"
-    setup:                false                           # Set to true in inventory file for initial setup
+    setup:                false               # Set to true in inventory file for initial setup
    oidc:
-      enabled:               true                         # Activate OIDC
+      enabled:            true                # Activate OIDC
    database:
-      central_storage:                True
+      central_storage:    True
+    ldap:
+      enabled:            False                # @todo LDAP needs to get propper implemented and tested, just set values during refactoring

  ## Bluesky
  bluesky:
@ -78,7 +80,7 @@ defaults_applications:
  funkwhale:
    version:              "1.4.0"
    ldap:
-      enabled:            True                # Enables LDAP by default
+      enabled:            True                # Enables LDAP by default @todo check implementation
    database:
      central_storage:    True

@ -252,7 +254,7 @@ defaults_applications:
      # Available options: oidc_login, sociallogin
      # @see https://apps.nextcloud.com/apps/oidc_login
      # @see https://apps.nextcloud.com/apps/sociallogin
-      flavor:               "oidc_login"                          # Keeping on sociallogin because the other option is not implemented yet                                             
+      flavor:               "sociallogin"                          # Keeping on sociallogin because the other option is not implemented yet                                             
    force_import:           False                                 # Forces the import of the LDIF files
    database:
      central_storage:      True
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
@ -29,7 +29,9 @@ defaults_oidc:
 #############################################

 # Helper Variables:
-_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
+# Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory
+_ldap_dn_base:      "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
+_ldap_server_port:  "{% if applications.ldap.openldap.network.local | bool %}{{ ports.localhost.ldap.openldap }}{% else %}{{ ports.localhost.ldaps.openldap }}{% endif %}"

 ldap:
  # Enables LDAP for all roles in play if true
@ -46,11 +48,15 @@ ldap:
    groups:             "ou=groups,{{_ldap_dn_base}}"
    # Dn for all application roles of the users
    application_roles:  "ou=application_roles,{{_ldap_dn_base}}"
+  attributes:
+    # Attribut to identify the user
+    user_id:            "uid" 
  # Password to access dn.bind
  bind_credential:      "{{applications.ldap.administrator_database_password}}"
  server:
    domain:             "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access
-    uri:                "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}"
+    port:               "{{_ldap_server_port}}"
+    uri:                "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}{% else %}ldaps://{{ domains.ldap }}{% endif %}:{{ _ldap_server_port }}"
  network:
    local:              "{{applications.ldap.openldap.network.local}}" # Uses the application configuration to define if local network should be available or not
  
--- a/roles/docker-bigbluebutton/templates/env.j2
+++ b/roles/docker-bigbluebutton/templates/env.j2
@ -161,6 +161,7 @@ OFFICE365_HD=
 # It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy
 OAUTH2_REDIRECT=

+{% if applications[application_id].ldap.enabled | bool %}
 # LDAP Login Provider (optional)
 #
 # You can enable LDAP authentication by providing values for the variables below.
@ -172,23 +173,25 @@ OAUTH2_REDIRECT=
 #   LDAP_SERVER=ldap.example.com
 #   LDAP_PORT=389
 #   LDAP_METHOD=plain
-#   LDAP_UID=uid
+#   LDAP_UID={{ldap.attributes.user_id}}
 #   LDAP_BASE=dc=example,dc=com
 #   LDAP_AUTH=simple
 #   LDAP_BIND_DN=cn=admin,dc=example,dc=com
 #   LDAP_PASSWORD=password
 #   LDAP_ROLE_FIELD=ou
 #   LDAP_FILTER=(&(attr1=value1)(attr2=value2))
-LDAP_SERVER=
-LDAP_PORT=
+LDAP_SERVER="{{ldap.server.domain}}"
+LDAP_PORT="{{ldap.server.port}}"
 LDAP_METHOD=
-LDAP_UID=
-LDAP_BASE=
-LDAP_BIND_DN=
-LDAP_AUTH=
-LDAP_PASSWORD=
+LDAP_UID={{ldap.attributes.user_id}}
+LDAP_BASE="{{ldap.dn.root}}"
+LDAP_BIND_DN="{{ldap.dn.administrator}}"
+LDAP_AUTH=password
+LDAP_PASSWORD="{{ldap.bind_credential}}"
 LDAP_ROLE_FIELD=
 LDAP_FILTER=
+{% endif %}
+
 # ====================================
 # GREENLIGHT CONFIGURATION
 # ====================================
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@ -1923,7 +1923,7 @@
              "subComponents": {},
              "config": {
                "ldap.attribute": [
-                  "uid"
+                  "{{ldap.attributes.user_id}}"
                ],
                "is.mandatory.in.ldap": [
                  "true"
@ -2008,7 +2008,7 @@
            "-1"
          ],
          "usernameLDAPAttribute": [
-            "uid"
+            "{{ldap.attributes.user_id}}"
          ],
          "bindDn": [
            "{{ldap.dn.administrator}}"
@ -2020,7 +2020,7 @@
            "other"
          ],
          "uuidLDAPAttribute": [
-            "uid"
+            "{{ldap.attributes.user_id}}"
          ],
          "allowKerberosAuthentication": [
            "false"
@ -2053,7 +2053,7 @@
            "person, inetOrgPerson, nextcloudUser"
          ],
          "rdnLDAPAttribute": [
-            "uid"
+            "{{ldap.attributes.user_id}}"
          ],
          "editMode": [
            "WRITABLE"
--- a/roles/docker-ldap/README.md
+++ b/roles/docker-ldap/README.md
@ -64,13 +64,13 @@ EOF

 ### Show all Entries
 ```bash 
-docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world'";
+docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" LDAP_DN_BASE="$LDAP_DN_BASE" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"\$LDAP_DN_BASE\"";
 ```

 ### Delete Groups and Subgroup
 To delete the group inclusive all subgroups use:
 ```bash
-docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'ou=applications,ou=groups,dc=veen,dc=world' dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done"
+docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"ou=applications,ou=groups,\$LDAP_DN_BASE\" dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done"

 ```

--- a/roles/docker-ldap/templates/ldif/data/02_users.ldif.j2
+++ b/roles/docker-ldap/templates/ldif/data/02_users.ldif.j2
@ -9,11 +9,11 @@ description: Container for application access profiles
 #######################################################################
 # Create Admin User
 #######################################################################
-dn: uid={{users.administrator.username}},{{ldap.dn.users}}
+dn: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}
 objectClass: top
 objectClass: inetOrgPerson
 objectClass: posixAccount
-uid: {{users.administrator.username}}
+{{ldap.attributes.user_id}}: {{users.administrator.username}}
 sn: Administrator
 cn: Administrator
 userPassword: {SSHA}CHANGE_THIS_PASSWORD
@ -31,11 +31,11 @@ gidNumber: {{users.administrator.gid}}
 dn: cn={{ app }}-administrator,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: uid={{users.administrator.username}},{{ldap.dn.users}}
+roleOccupant: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}

 dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: uid={{users.administrator.username}},{{ldap.dn.users}}
+roleOccupant: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}

 {% endfor %}
--- a/roles/docker-nextcloud/README.md
+++ b/roles/docker-nextcloud/README.md
@ -94,6 +94,11 @@ docker-compose exec -it -u www-data application /var/www/html/occ
 ```
 ### User Administration 

+#### Create user via CLI
+```bash
+docker compose exec -it -u www-data application php occ user:add {{username}}
+```
+
 #### Make user admin via cli
 ```bash
 docker compose exec -it -u www-data application php occ group:adduser admin {{username}}
--- a/roles/docker-nextcloud/tasks/sociallogin.yml
+++ b/roles/docker-nextcloud/tasks/sociallogin.yml
@ -3,7 +3,7 @@
 - name: Flush all handlers immediately so that occ can be used
  meta: flush_handlers

- name: enable oidc_login plugin
+- name: disable oidc_login plugin
  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:disable oidc_login"
  ignore_errors: true
  when: 
@ -22,6 +22,7 @@

 - name: Configure Sociallogin
  loop: "{{ nextcloud_sociallogin_configuration}}"
+  # The | to_json function is necessary to escape custom_providers correct.
  command: >
    docker exec -u www-data {{ nextcloud_application_container_name }}
-    php occ config:app:set {{ item.appid }} {{ item.configkey }} --value "{{ item.configvalue }}"
+    php occ config:app:set {{ item.appid }} {{ item.configkey }} --value '{{ item.configvalue | to_json if item.configvalue is mapping else item.configvalue }}'
--- a/roles/docker-nextcloud/templates/oidc.config.php.j2
+++ b/roles/docker-nextcloud/templates/oidc.config.php.j2
@ -14,7 +14,7 @@ return array (
    'oidc_login_client_secret' => '{{oidc.client.secret}}',

    // Automatically redirect the login page to the provider
-    'oidc_login_auto_redirect' => false,
+    'oidc_login_auto_redirect' => true,

    // Redirect to this page after logging out the user
    'oidc_login_logout_url' => 'https://{{domains[application_id]}}',
@ -23,7 +23,7 @@ return array (
    // logout endpoint of the OIDC provider after logout
    // in Nextcloud. After successfull logout the OIDC
    // provider will redirect back to 'oidc_login_logout_url' (MUST be set).
-    'oidc_login_end_session_redirect' => false,
+    'oidc_login_end_session_redirect' => true,

    // Quota to assign if no quota is specified in the OIDC response (bytes)
    //
@ -38,7 +38,7 @@ return array (
    'oidc_login_hide_password_form' => true,

    // Use ID Token instead of UserInfo
-    'oidc_login_use_id_token' => false,
+    'oidc_login_use_id_token' => true,

    // Attribute map for OIDC response. Available keys are:
    //   * id:           Unique identifier for username
@ -98,9 +98,9 @@ return array (
        'mail' => 'email',
        # 'quota' => 'nextcloudQuota',  # Not implemented yet
        # 'home' => 'homeDirectory',    # Not implemented yet
-        'ldap_uid' => 'uid',
+        'ldap_uid' => '{{ldap.attributes.user_id}}',
        # 'groups' => 'ownCloudGroups', # Not implemented yet
-        'login_filter' => 'realm_access_roles',
+        # 'login_filter' => 'realm_access_roles',
    //    'photoURL' => 'picture',
    //    'is_admin' => 'ownCloudAdmin',
    ),
--- a/roles/docker-nextcloud/vars/ldap.yml
+++ b/roles/docker-nextcloud/vars/ldap.yml
@ -107,7 +107,7 @@ nextcloud_ldap_configuration:
  -
    appid: "user_ldap"
    configkey: "s01ldap_login_filter"
-    configvalue: "(&(|(objectclass=inetOrgPerson))(uid=%uid))"
+    configvalue: "(&(|(objectclass=inetOrgPerson))({{ldap.attributes.user_id}}=%{{ldap.attributes.user_id}}))"
  -
    appid: "user_ldap"
    configkey: "s01ldap_login_filter_mode"
@ -175,4 +175,4 @@ nextcloud_ldap_configuration:
  -
    appid: "user_ldap"
    configkey: "s01ldap_expert_username_attr"
-    configvalue: "uid"
+    configvalue: "{{ldap.attributes.user_id}}"
--- a/roles/docker-nextcloud/vars/sociallogin.yml
+++ b/roles/docker-nextcloud/vars/sociallogin.yml
@ -23,7 +23,21 @@ nextcloud_sociallogin_configuration:
    # In this case, it sets up a Keycloak provider with details like URLs for authorization,
    # token retrieval, user info, and logout, as well as the client ID and secret.
    configkey: "custom_providers"
-    configvalue: '{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","style":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
+    configvalue: 
+      custom_oidc:
+        - name: "{{ domains.keycloak }}"
+          title: "keycloak"
+          style: "keycloak"
+          authorizeUrl: "{{ oidc.client.authorize_url }}"
+          tokenUrl: "{{ oidc.client.toke_url }}"
+          displayNameClaim: ""
+          userInfoUrl: "{{ oidc.client.user_info_url }}"
+          logoutUrl: "{{ oidc.client.logout_url }}"
+          clientId: "{{ oidc.client.id }}"
+          clientSecret: "{{ oidc.client.secret }}"
+          scope: "openid"
+          groupsClaim: ""
+          defaultGroup: ""
  -
    appid: "sociallogin"
    configkey: "disable_notify_admins"
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	22ce80cd23	Set LDAP uid variable	2025-02-26 10:42:25 +01:00
Kevin Veen-Birkenbach	545af78e60	Optimized README.md	2025-02-26 10:10:48 +01:00
Kevin Veen-Birkenbach	db7ef0e8a5	Optimized formatation	2025-02-26 09:59:46 +01:00
Kevin Veen-Birkenbach	ae1d7c785f	Solved OIDC sociallogin bug	2025-02-26 09:49:32 +01:00