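---
#############################################
### Identity and Access Management (IAM) ###
#############################################

#############################################
### OIDC ###
#############################################
# @see https://en.wikipedia.org/wiki/OpenID_Connect

## Helper Variables:
# Realm falls back to the primary domain unless oidc.client.realm is set in the inventory.
_oidc_client_realm: "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
# Issuer URL of the Keycloak realm. It carries no trailing slash, so every
# endpoint derived from it below must start with "/".
_oidc_client_issuer_url: "{{ web_protocol }}://{{ domains | get_domain('keycloak') }}/realms/{{ _oidc_client_realm }}"

defaults_oidc:
  client:
    # Client identifier, typically matching your primary domain
    id: "{{ primary_domain }}"
    # secret:
    # Client secret for authenticating with the OIDC provider. Set it in the
    # inventory (not in this committed file); recommended length is more than
    # 32 characters.
    # The realm to which the client belongs in the OIDC provider
    realm: "{{ _oidc_client_realm }}"
    # Base URL of the OIDC provider (issuer)
    issuer_url: "{{ _oidc_client_issuer_url }}"
    # URL for fetching the provider's configuration details
    discovery_document: "{{ _oidc_client_issuer_url }}/.well-known/openid-configuration"
    # Endpoint to start the authorization process
    authorize_url: "{{ _oidc_client_issuer_url }}/protocol/openid-connect/auth"
    # Endpoint to exchange authorization codes for tokens
    token_url: "{{ _oidc_client_issuer_url }}/protocol/openid-connect/token"
    # Endpoint to retrieve user information
    user_info_url: "{{ _oidc_client_issuer_url }}/protocol/openid-connect/userinfo"
    # Endpoint to log out the user
    logout_url: "{{ _oidc_client_issuer_url }}/protocol/openid-connect/logout"
    # URL for managing or changing user credentials.
    # Fixed: the value previously lacked the "/" after the issuer URL and
    # rendered as ".../realms/<realm>account/...", which is not a valid path.
    change_credentials: "{{ _oidc_client_issuer_url }}/account/account-security/signing-in"
    # JSON Web Key Set (JWKS) used to verify token signatures
    certs: "{{ _oidc_client_issuer_url }}/protocol/openid-connect/certs"
  # Default button text
  # NOTE(review): the nesting of button_text and attributes directly under
  # defaults_oidc was reconstructed from a collapsed source; confirm against
  # the consumers of defaults_oidc.
  button_text: "SSO Login ({{ primary_domain | upper }})"
  attributes:
    # Claims used to identify the user
    username: "preferred_username"
    given_name: "givenName"
    family_name: "surname"
    email: "email"

#############################################
### LDAP ###
#############################################

# Helper Variables:
# Keep in mind to map these variables if the user is ever allowed to define
# them in the inventory.
_ldap_dn_base: "dc={{ primary_domain_sld }},dc={{ primary_domain_tld }}"
# Plain LDAP port on the internal docker network, LDAPS port for everything else.
_ldap_server_port: "{% if applications.ldap.network.docker | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}"
_ldap_user_id: "uid"
_ldap_filters_users_all: "(|(objectclass=inetOrgPerson))"

ldap:
  # Distinguished Names (DN)
  dn:
    # -------------------------------------------------------------------------
    # Base DN / Suffix
    # This is the top-level naming context for your directory, used as the
    # default search base for most operations (e.g. adding users, groups).
    # Example: “dc=example,dc=com”
    root: "{{ _ldap_dn_base }}"
    administrator:
      # -----------------------------------------------------------------------
      # Data-Tree Administrator Bind DN
      # The DN used to authenticate for regular directory operations under
      # the data tree (adding users, modifying attributes, creating OUs, etc.).
      # Typically: “cn=admin,dc=example,dc=com”
      data: "cn={{ applications.ldap.users.administrator.username }},{{ _ldap_dn_base }}"
      # -----------------------------------------------------------------------
      # Config-Tree Administrator Bind DN
      # The DN used to authenticate against the cn=config backend when you
      # need to load or modify schema, overlays, modules, or other server-
      # level settings.
      # Typically: “cn=admin,cn=config”
      configuration: "cn={{ applications.ldap.users.administrator.username }},cn=config"
    # -------------------------------------------------------------------------
    # Organizational Units (OUs)
    # Pre-created containers in the data tree to organize entries.
    # – users:             Where all person/posixAccount entries live.
    # – groups:            Where you define your application or business groups.
    # – application_roles: A flat container for application-role entries
    #                      (e.g. “cn=app1-user”).
    users: "ou=users,{{ _ldap_dn_base }}"
    groups: "ou=groups,{{ _ldap_dn_base }}"
    application_roles: "ou=application_roles,{{ _ldap_dn_base }}"
    # -------------------------------------------------------------------------
    # Additional Notes
    # – Always bind as dn.administrator.data for CRUD on entries under your base DN.
    # – Always bind as dn.administrator.configuration when you push schema-level
    #   LDIFs via ldapi:///
    # – Keeping these distinct prevents accidental use of config credentials
    #   for ordinary user/group operations, and vice versa.
  attributes:
    # Attributes used to identify the user
    user_id: "{{ _ldap_user_id }}"
    mail: "mail"
    fullname: "cn"
    firstname: "givenname"
    surname: "sn"
  # Password used to bind as dn.administrator.data
  bind_credential: "{{ applications.ldap.credentials.administrator_database_password }}"
  server:
    # Internal hostname on the docker network, public domain otherwise
    domain: "{{ applications.ldap.hostname if applications.ldap.network.docker | bool else domains.ldap }}"
    port: "{{ _ldap_server_port }}"
    # ldap:// on the docker network, ldaps:// for public access
    uri: "{% if applications.ldap.network.docker | bool %}ldap://{{ applications.ldap.hostname }}{% else %}ldaps://{{ domains.ldap }}{% endif %}:{{ _ldap_server_port }}"
    # TLS, SSL - Leave empty for none
    # NOTE(review): uri already selects ldaps:// outside the docker network;
    # confirm whether consumers of this key expect "TLS"/"SSL" here to enforce
    # encryption, otherwise a non-docker deployment relies on the URI scheme alone.
    security: ""
  network:
    # Uses the application configuration to define whether the local network
    # should be available or not
    local: "{{ applications.ldap.network.docker }}"
  user_objects:
    # Structural classes define the core identity of an entry:
    # • Specify mandatory attributes (e.g. sn, cn)
    # • Each entry must have exactly one structural class
    structural:
      - person
      # An extension of person adding internet-related attributes
      # (e.g. mail, employeeNumber)
      - inetOrgPerson
      # Provides UNIX account attributes (uidNumber, gidNumber, homeDirectory)
      - posixAccount
    # Auxiliary classes attach optional attributes without changing the
    # entry's structural role.
    auxiliary:
      # Adds nextcloudQuota and nextcloudEnabled for Nextcloud
      - nextcloudUser
      # Allows storing SSH public keys for services like Gitea
      - ldapPublicKey
  filters:
    users:
      # "%<user_id>" is a placeholder substituted by the consuming application
      login: "(&{{ _ldap_filters_users_all }}({{ _ldap_user_id }}=%{{ _ldap_user_id }}))"
      all: "{{ _ldap_filters_users_all }}"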