
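#############################################
### LDAP ###
#############################################
# Helper Variables
# These are private helpers (leading underscore). If they are ever made
# user-definable in the inventory, map them explicitly into the `ldap`
# structure below instead of relying on the defaults here.
_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
# Inside the Docker network the container's plain LDAP port is used; from
# outside the LDAPS port is used. Keep this in step with `ldap.server.uri`,
# which selects the matching ldap:// or ldaps:// scheme.
_ldap_server_port: "{% if applications.ldap.network.docker | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}"
_ldap_user_id: "uid"
# Single-operand OR, equivalent to "(objectclass=inetOrgPerson)". The "(|...)"
# wrapper is kept as an extension point so further object classes can be added
# without touching the filters that embed this value.
_ldap_filters_users_all: "(|(objectclass=inetOrgPerson))"

ldap:
  # Distinguished Names (DN)
  dn:
    # -------------------------------------------------------------------------
    # Base DN / Suffix
    # This is the top-level naming context for your directory, used as the
    # default search base for most operations (e.g. adding users, groups).
    # Example: "dc=example,dc=com"
    root: "{{_ldap_dn_base}}"
    administrator:
      # -----------------------------------------------------------------------
      # Data-Tree Administrator Bind DN
      # The DN used to authenticate for regular directory operations under
      # the data tree (adding users, modifying attributes, creating OUs, etc.).
      # Typically: "cn=admin,dc=example,dc=com"
      data: "cn={{ applications.ldap.users.administrator.username }},{{ _ldap_dn_base }}"
      # -----------------------------------------------------------------------
      # Config-Tree Administrator Bind DN
      # The DN used to authenticate against the cn=config backend when you
      # need to load or modify schema, overlays, modules, or other server-
      # level settings.
      # Typically: "cn=admin,cn=config"
      # NOTE: both DNs reuse the same username; whether they also share the
      # same password depends on how the server was bootstrapped (not visible
      # here). Keeping the two secrets distinct is what makes the separation
      # below meaningful.
      configuration: "cn={{ applications.ldap.users.administrator.username }},cn=config"
    ou:
      # -----------------------------------------------------------------------
      # Organizational Units (OUs)
      # Pre-created containers in the directory tree to logically separate entries:
      #   users:  Contains all user objects (person/posixAccount entries).
      #   groups: Contains organizational or business groups (e.g., departments, teams).
      #   roles:  Contains application-specific RBAC roles
      #           (e.g., "cn=app1-user", "cn=yourls-admin").
      users: "ou=users,{{ _ldap_dn_base }}"
      groups: "ou=groups,{{ _ldap_dn_base }}"
      roles: "ou=roles,{{ _ldap_dn_base }}"
    # -------------------------------------------------------------------------
    # Additional Notes
    # Always bind as `dn.administrator.data` for CRUD on entries under your base DN.
    # Always bind as `dn.administrator.configuration` when you push schema-level
    # LDIFs via ldapi:///.
    # Keeping these distinct prevents accidental use of config credentials
    # for ordinary user/group operations, and vice versa.
  attributes:
    # Attribute that identifies the user (the login name)
    user_id: "{{ _ldap_user_id }}"
    mail: "mail"
    fullname: "cn"
    firstname: "givenname"
    surname: "sn"
    ssh_public_key: "sshPublicKey"
  # Password for the simple bind as `dn.administrator.data`.
  # SECURITY: every application that consumes this value binds to the directory
  # with the data-tree administrator's credentials, so a compromise of any one
  # application exposes the whole data tree for read and write. Applications
  # that only need to authenticate and look up users should get a dedicated,
  # read-only service bind DN instead of this password.
  bind_credential: "{{ applications.ldap.credentials.administrator_database_password }}"
  server:
    domain: "{{applications.ldap.hostname if applications.ldap.network.docker | bool else domains.ldap}}"  # Mapping for public or local access
    port: "{{_ldap_server_port}}"
    # SECURITY: in Docker-network mode this is a plain ldap:// URI, so the
    # administrator bind credential above crosses the internal network
    # unencrypted and is visible to anything that can observe that network.
    # Outside the Docker network LDAPS is used. Consider enabling STARTTLS
    # (see `security` below) or using ldaps:// on the internal path as well.
    uri: "{% if applications.ldap.network.docker | bool %}ldap://{{ applications.ldap.hostname }}{% else %}ldaps://{{ domains.ldap }}{% endif %}:{{ _ldap_server_port }}"
    # TLS, SSL - Leave empty for none.
    # NOTE(review): presumably read by consumers as a STARTTLS/SSL switch; the
    # ldaps:// URI used outside Docker is already TLS-wrapped, but in Docker
    # mode leaving this empty means no transport protection at all - confirm
    # against the consuming applications.
    security: ""
  network:
    local: "{{applications.ldap.network.docker}}"  # Uses the application configuration to define if the local network should be available or not
  user_objects:
    structural:
      - person          # Structural classes define the core identity of an entry:
                        #   - Specify mandatory attributes (e.g. sn, cn)
                        #   - Each entry must have exactly one structural class
      - inetOrgPerson   # An extension of person adding internet-related attributes
                        # (e.g. mail, employeeNumber)
      - posixAccount    # Provides UNIX account attributes (uidNumber, gidNumber,
                        # homeDirectory)
    auxiliary:
      - nextcloudUser   # Auxiliary classes attach optional attributes without
                        # changing the entry's structural role. Here they add
                        # nextcloudQuota and nextcloudEnabled for Nextcloud.
      - ldapPublicKey   # Allows storing SSH public keys for services like Gitea.
  filters:
    users:
      # "%<user_id>" (rendered as "%uid") is a placeholder that the consuming
      # application substitutes with the login name at runtime.
      # SECURITY: the substituted value MUST be escaped per RFC 4515 by that
      # application (at minimum '\', '*', '(', ')' and NUL); otherwise a crafted
      # login name can alter the filter (LDAP filter injection). This file
      # cannot enforce that - verify it in each consumer.
      login: "(&{{ _ldap_filters_users_all }}({{_ldap_user_id}}=%{{_ldap_user_id}}))"
      all: "{{ _ldap_filters_users_all }}"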