#############################################
### LDAP ###
#############################################
# Central LDAP wiring shared by every role that talks to the directory:
# base DN, admin bind DNs, attribute names, server URI and user filters.
# Every value below is a Jinja template resolved from the inventory
# (primary_domain_*, applications.ldap.*, ports.*, domains.*).

# Helper Variables:
# Keep in mind to map these variables if there is ever the possibility for
# the user to define them in the inventory (they are private, underscore
# prefixed, and only referenced from the ldap.* tree below).
#
# NOTE(review): the base DN is built from exactly two labels (sld + tld),
# so a multi-label public suffix such as "example.co.uk" would need the
# inventory to pre-split it accordingly — confirm against how
# primary_domain_sld/primary_domain_tld are derived.
_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
# Port selection mirrors the scheme selection in ldap.server.uri:
# container network -> plain LDAP port, otherwise the LDAPS port.
_ldap_server_port: "{% if applications.ldap.network.docker | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}"
# Attribute that carries the login name (see ldap.attributes.user_id and
# the login filter below — both must stay in sync, which this helper ensures).
_ldap_user_id: "uid"
# Single-branch OR so that additional object classes can be appended later
# without restructuring every derived filter.
_ldap_filters_users_all: "(|(objectclass=inetOrgPerson))"

ldap:
  # Distinguished Names (DN)
  dn:
    # -------------------------------------------------------------------------
    # Base DN / Suffix
    # This is the top-level naming context for your directory, used as the
    # default search base for most operations (e.g. adding users, groups).
    # Example: “dc=example,dc=com”
    root: "{{_ldap_dn_base}}"
    administrator:
      # -------------------------------------------------------------------------
      # Data-Tree Administrator Bind DN
      # The DN used to authenticate for regular directory operations under
      # the data tree (adding users, modifying attributes, creating OUs, etc.).
      # Typically: “cn=admin,dc=example,dc=com”
      # The password for this DN is ldap.bind_credential (see below).
      data: "cn={{ applications.ldap.users.administrator.username }},{{ _ldap_dn_base }}"
      # -------------------------------------------------------------------------
      # Config-Tree Administrator Bind DN
      # The DN used to authenticate against the cn=config backend when you
      # need to load or modify schema, overlays, modules, or other server-
      # level settings.
      # Typically: “cn=admin,cn=config”
      # NOTE(review): this reuses the data-tree admin *username*; whether the
      # cn=config password is the same secret is not defined in this file —
      # ldap.bind_credential only documents the data-tree password.
      configuration: "cn={{ applications.ldap.users.administrator.username }},cn=config"
    # -------------------------------------------------------------------------
    # Organizational Units (OUs)
    # Pre-created containers in the data tree to organize entries.
    # – users: Where all person/posixAccount entries live.
    # – groups: Where you define your application or business groups.
    # – roles: A flat container for application-role entries (e.g. “cn=app1-user”).
    users: "ou=users,{{ _ldap_dn_base }}"
    groups: "ou=groups,{{ _ldap_dn_base }}"
    application_roles: "ou=application_roles,{{ _ldap_dn_base }}"
    # -------------------------------------------------------------------------
    # Additional Notes
    # – Always bind as ldap.dn.administrator.data for CRUD on entries under
    #   your base DN.
    # – Always bind as ldap.dn.administrator.configuration when you push
    #   schema-level LDIFs via ldapi:///
    # – Keeping these distinct prevents accidental use of config credentials
    #   for ordinary user/group operations, and vice versa.
  attributes:
    # Attribute used to identify the user (the login name); kept in a helper
    # so the login filter below cannot drift from it.
    user_id: "{{ _ldap_user_id }}"
    mail: "mail"
    fullname: "cn"
    firstname: "givenname"
    surname: "sn"
    # Attribute provided by the ldapPublicKey auxiliary class listed under
    # user_objects.auxiliary.
    ssh_public_key: "sshPublicKey"
  # Password for binding as ldap.dn.administrator.data.
  # NOTE(review): applications that only need to *look up* or authenticate
  # users get the full data-tree administrator credential here. Least
  # privilege would be a dedicated read-only service bind DN per application;
  # with this value, a compromised application can rewrite every entry under
  # the base DN. Keep this secret out of plain-text inventories (vault).
  bind_credential: "{{ applications.ldap.credentials.administrator_database_password }}"
  server:
    # Container hostname when reached over the docker network, otherwise the
    # public LDAP domain.
    domain: "{{applications.ldap.hostname if applications.ldap.network.docker | bool else domains.ldap}}"
    # Mapping for public or local access (see _ldap_server_port).
    port: "{{_ldap_server_port}}"
    # Scheme follows the network choice: plain ldap:// inside the docker
    # network, ldaps:// for everything else. The plain-LDAP path sends the
    # bind credential unencrypted, so it must only ever be used on the
    # container-internal network, never across a host boundary.
    uri: "{% if applications.ldap.network.docker | bool %}ldap://{{ applications.ldap.hostname }}{% else %}ldaps://{{ domains.ldap }}{% endif %}:{{ _ldap_server_port }}"
    # TLS, SSL - Leave empty for none.
    # NOTE(review): transport encryption on the non-docker path comes from
    # the ldaps:// scheme in `uri` above, not from this key; presumably this
    # is a consumer-side setting (e.g. STARTTLS on a plain connection) —
    # verify against the roles that read ldap.server.security before
    # assuming "" means an unencrypted connection.
    security: "" #TLS, SSL - Leave empty for none
  network:
    # Uses the application configuration to define if local network should be
    # available or not. Passed through raw (no `| bool`), so consumers should
    # apply their own truthiness check, as the helpers above do.
    local: "{{applications.ldap.network.docker}}"
  user_objects:
    structural:
      - person          # Structural Classes define the core identity of an entry:
                        # • Specify mandatory attributes (e.g. sn, cn)
                        # • Each entry must have exactly one structural class
      - inetOrgPerson   # An extension of person adding internet-related attributes
                        # (e.g. mail, employeeNumber)
      - posixAccount    # Provides UNIX account attributes (uidNumber, gidNumber,
                        # homeDirectory)
    auxiliary:
      - nextcloudUser   # Auxiliary Classes attach optional attributes without
                        # changing the entry’s structural role. Here they add
                        # nextcloudQuota and nextcloudEnabled for Nextcloud.
      - ldapPublicKey   # Allows storing SSH public keys for services like Gitea.
  filters:
    users:
      # Renders to "(&(|(objectclass=inetOrgPerson))(uid=%uid))". The "%uid"
      # token is a placeholder the consuming application replaces with the
      # login name it received. That substitution happens outside this file,
      # so the consumer is responsible for RFC 4515 escaping of the value;
      # an unescaped substitution would allow LDAP filter injection.
      login: "(&{{ _ldap_filters_users_all }}({{_ldap_user_id}}=%{{_ldap_user_id}}))"
      # Unconstrained user search; the same clause the login filter is built on.
      all: "{{ _ldap_filters_users_all }}"