Set LDAP uid variable

group_vars/all/07_applications.yml

@@ -41,6 +41,8 @@ defaults_applications:
       enabled:            true                # Activate OIDC
     database:
       central_storage:    True
+    ldap:
+      enabled:            False                # @todo LDAP needs to get propper implemented and tested, just set values during refactoring
 
   ## Bluesky
   bluesky:
@@ -78,7 +80,7 @@ defaults_applications:
   funkwhale:
     version:              "1.4.0"
     ldap:
-      enabled:            True                # Enables LDAP by default
+      enabled:            True                # Enables LDAP by default @todo check implementation
     database:
       central_storage:    True
 
@@ -252,7 +254,7 @@ defaults_applications:
       # Available options: oidc_login, sociallogin
       # @see https://apps.nextcloud.com/apps/oidc_login
       # @see https://apps.nextcloud.com/apps/sociallogin
-      flavor:               "oidc_login"                          # Keeping on sociallogin because the other option is not implemented yet                                             
+      flavor:               "sociallogin"                          # Keeping on sociallogin because the other option is not implemented yet                                             
     force_import:           False                                 # Forces the import of the LDIF files
     database:
       central_storage:      True

group_vars/all/11_iam.yml

@@ -29,7 +29,9 @@ defaults_oidc:
 #############################################
 
 # Helper Variables:
+# Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory
 _ldap_dn_base:      "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
+_ldap_server_port:  "{% if applications.ldap.openldap.network.local | bool %}{{ ports.localhost.ldap.openldap }}{% else %}{{ ports.localhost.ldaps.openldap }}{% endif %}"
 
 ldap:
   # Enables LDAP for all roles in play if true
@@ -46,11 +48,15 @@ ldap:
     groups:             "ou=groups,{{_ldap_dn_base}}"
     # Dn for all application roles of the users
     application_roles:  "ou=application_roles,{{_ldap_dn_base}}"
+  attributes:
+    # Attribut to identify the user
+    user_id:            "uid" 
   # Password to access dn.bind
   bind_credential:      "{{applications.ldap.administrator_database_password}}"
   server:
     domain:             "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access
-    uri:                "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}"
+    port:               "{{_ldap_server_port}}"
+    uri:                "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}{% else %}ldaps://{{ domains.ldap }}{% endif %}:{{ _ldap_server_port }}"
   network:
     local:              "{{applications.ldap.openldap.network.local}}" # Uses the application configuration to define if local network should be available or not
   

roles/docker-bigbluebutton/templates/env.j2

@@ -161,6 +161,7 @@ OFFICE365_HD=
 # It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy
 OAUTH2_REDIRECT=
 
+{% if applications[application_id].ldap.enabled | bool %}
 # LDAP Login Provider (optional)
 #
 # You can enable LDAP authentication by providing values for the variables below.
@@ -172,23 +173,25 @@ OAUTH2_REDIRECT=
 #   LDAP_SERVER=ldap.example.com
 #   LDAP_PORT=389
 #   LDAP_METHOD=plain
-#   LDAP_UID=uid
+#   LDAP_UID={{ldap.attributes.user_id}}
 #   LDAP_BASE=dc=example,dc=com
 #   LDAP_AUTH=simple
 #   LDAP_BIND_DN=cn=admin,dc=example,dc=com
 #   LDAP_PASSWORD=password
 #   LDAP_ROLE_FIELD=ou
 #   LDAP_FILTER=(&(attr1=value1)(attr2=value2))
-LDAP_SERVER=
+LDAP_SERVER="{{ldap.server.domain}}"
-LDAP_PORT=
+LDAP_PORT="{{ldap.server.port}}"
 LDAP_METHOD=
-LDAP_UID=
+LDAP_UID={{ldap.attributes.user_id}}
-LDAP_BASE=
+LDAP_BASE="{{ldap.dn.root}}"
-LDAP_BIND_DN=
+LDAP_BIND_DN="{{ldap.dn.administrator}}"
-LDAP_AUTH=
+LDAP_AUTH=password
-LDAP_PASSWORD=
+LDAP_PASSWORD="{{ldap.bind_credential}}"
 LDAP_ROLE_FIELD=
 LDAP_FILTER=
+{% endif %}
+
 # ====================================
 # GREENLIGHT CONFIGURATION
 # ====================================

roles/docker-keycloak/templates/import/realm.json.j2

@@ -1923,7 +1923,7 @@
               "subComponents": {},
               "config": {
                 "ldap.attribute": [
-                  "uid"
+                  "{{ldap.attributes.user_id}}"
                 ],
                 "is.mandatory.in.ldap": [
                   "true"
@@ -2008,7 +2008,7 @@
             "-1"
           ],
           "usernameLDAPAttribute": [
-            "uid"
+            "{{ldap.attributes.user_id}}"
           ],
           "bindDn": [
             "{{ldap.dn.administrator}}"
@@ -2020,7 +2020,7 @@
             "other"
           ],
           "uuidLDAPAttribute": [
-            "uid"
+            "{{ldap.attributes.user_id}}"
           ],
           "allowKerberosAuthentication": [
             "false"
@@ -2053,7 +2053,7 @@
             "person, inetOrgPerson, nextcloudUser"
           ],
           "rdnLDAPAttribute": [
-            "uid"
+            "{{ldap.attributes.user_id}}"
           ],
           "editMode": [
             "WRITABLE"

roles/docker-ldap/README.md

@@ -64,13 +64,13 @@ EOF
 
 ### Show all Entries
 ```bash 
-docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world'";
+docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" LDAP_DN_BASE="$LDAP_DN_BASE" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"\$LDAP_DN_BASE\"";
 ```
 
 ### Delete Groups and Subgroup
 To delete the group inclusive all subgroups use:
 ```bash
-docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'ou=applications,ou=groups,dc=veen,dc=world' dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done"
+docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"ou=applications,ou=groups,\$LDAP_DN_BASE\" dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done"
 
 ```
 

roles/docker-ldap/templates/ldif/data/02_users.ldif.j2

@@ -9,11 +9,11 @@ description: Container for application access profiles
 #######################################################################
 # Create Admin User
 #######################################################################
-dn: uid={{users.administrator.username}},{{ldap.dn.users}}
+dn: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}
 objectClass: top
 objectClass: inetOrgPerson
 objectClass: posixAccount
-uid: {{users.administrator.username}}
+{{ldap.attributes.user_id}}: {{users.administrator.username}}
 sn: Administrator
 cn: Administrator
 userPassword: {SSHA}CHANGE_THIS_PASSWORD
@@ -31,11 +31,11 @@ gidNumber: {{users.administrator.gid}}
 dn: cn={{ app }}-administrator,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: uid={{users.administrator.username}},{{ldap.dn.users}}
+roleOccupant: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}
 
 dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: uid={{users.administrator.username}},{{ldap.dn.users}}
+roleOccupant: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}
 
 {% endfor %}

roles/docker-nextcloud/README.md

@@ -94,6 +94,11 @@ docker-compose exec -it -u www-data application /var/www/html/occ
 ```
 ### User Administration 
 
+#### Create user via CLI
+```bash
+docker compose exec -it -u www-data application php occ user:add {{username}}
+```
+
 #### Make user admin via cli
 ```bash
 docker compose exec -it -u www-data application php occ group:adduser admin {{username}}

roles/docker-nextcloud/tasks/sociallogin.yml

@@ -3,7 +3,7 @@
 - name: Flush all handlers immediately so that occ can be used
   meta: flush_handlers
 
-- name: enable oidc_login plugin
+- name: disable oidc_login plugin
   command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:disable oidc_login"
   ignore_errors: true
   when: 
@@ -22,6 +22,7 @@
 
 - name: Configure Sociallogin
   loop: "{{ nextcloud_sociallogin_configuration}}"
+  # The | to_json function is necessary to escape custom_providers correct.
   command: >
     docker exec -u www-data {{ nextcloud_application_container_name }}
-    php occ config:app:set {{ item.appid }} {{ item.configkey }} --value "{{ item.configvalue }}"
+    php occ config:app:set {{ item.appid }} {{ item.configkey }} --value '{{ item.configvalue | to_json if item.configvalue is mapping else item.configvalue }}'

roles/docker-nextcloud/templates/oidc.config.php.j2

@@ -14,7 +14,7 @@ return array (
     'oidc_login_client_secret' => '{{oidc.client.secret}}',
 
     // Automatically redirect the login page to the provider
-    'oidc_login_auto_redirect' => false,
+    'oidc_login_auto_redirect' => true,
 
     // Redirect to this page after logging out the user
     'oidc_login_logout_url' => 'https://{{domains[application_id]}}',
@@ -23,7 +23,7 @@ return array (
     // logout endpoint of the OIDC provider after logout
     // in Nextcloud. After successfull logout the OIDC
     // provider will redirect back to 'oidc_login_logout_url' (MUST be set).
-    'oidc_login_end_session_redirect' => false,
+    'oidc_login_end_session_redirect' => true,
 
     // Quota to assign if no quota is specified in the OIDC response (bytes)
     //
@@ -38,7 +38,7 @@ return array (
     'oidc_login_hide_password_form' => true,
 
     // Use ID Token instead of UserInfo
-    'oidc_login_use_id_token' => false,
+    'oidc_login_use_id_token' => true,
 
     // Attribute map for OIDC response. Available keys are:
     //   * id:           Unique identifier for username
@@ -98,9 +98,9 @@ return array (
         'mail' => 'email',
         # 'quota' => 'nextcloudQuota',  # Not implemented yet
         # 'home' => 'homeDirectory',    # Not implemented yet
-        'ldap_uid' => 'uid',
+        'ldap_uid' => '{{ldap.attributes.user_id}}',
         # 'groups' => 'ownCloudGroups', # Not implemented yet
-        'login_filter' => 'realm_access_roles',
+        # 'login_filter' => 'realm_access_roles',
     //    'photoURL' => 'picture',
     //    'is_admin' => 'ownCloudAdmin',
     ),

roles/docker-nextcloud/vars/ldap.yml

@@ -107,7 +107,7 @@ nextcloud_ldap_configuration:
   -
     appid: "user_ldap"
     configkey: "s01ldap_login_filter"
-    configvalue: "(&(|(objectclass=inetOrgPerson))(uid=%uid))"
+    configvalue: "(&(|(objectclass=inetOrgPerson))({{ldap.attributes.user_id}}=%{{ldap.attributes.user_id}}))"
   -
     appid: "user_ldap"
     configkey: "s01ldap_login_filter_mode"
@@ -175,4 +175,4 @@ nextcloud_ldap_configuration:
   -
     appid: "user_ldap"
     configkey: "s01ldap_expert_username_attr"
-    configvalue: "uid"
+    configvalue: "{{ldap.attributes.user_id}}"

roles/docker-nextcloud/vars/sociallogin.yml

@@ -23,7 +23,21 @@ nextcloud_sociallogin_configuration:
     # In this case, it sets up a Keycloak provider with details like URLs for authorization,
     # token retrieval, user info, and logout, as well as the client ID and secret.
     configkey: "custom_providers"
-    configvalue: '{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","style":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
+    configvalue: 
+      custom_oidc:
+        - name: "{{ domains.keycloak }}"
+          title: "keycloak"
+          style: "keycloak"
+          authorizeUrl: "{{ oidc.client.authorize_url }}"
+          tokenUrl: "{{ oidc.client.toke_url }}"
+          displayNameClaim: ""
+          userInfoUrl: "{{ oidc.client.user_info_url }}"
+          logoutUrl: "{{ oidc.client.logout_url }}"
+          clientId: "{{ oidc.client.id }}"
+          clientSecret: "{{ oidc.client.secret }}"
+          scope: "openid"
+          groupsClaim: ""
+          defaultGroup: ""
   -
     appid: "sociallogin"
     configkey: "disable_notify_admins"