kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-08-30 15:28:12 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
6ea8301364e735ae3135afe2d854ff87ab99a121
computer-playbook/roles/svc-db-openldap/tasks/03_users.yml
Kevin Veen-Birkenbach cb66fb2978 Refactor LDAP variable schema to use top-level constant LDAP and nested ALL-CAPS keys. 
- Converted group_vars/all/13_ldap.yml from lower-case to ALL-CAPS nested keys.
- Updated all roles, tasks, templates, and filter_plugins to reference LDAP.* instead of ldap.*.
- Fixed Keycloak JSON templates to properly quote Jinja variables.
- Adjusted svc-db-openldap filter plugins and unit tests to handle new LDAP structure.
- Updated integration test to only check uniqueness of TOP-LEVEL ALL-CAPS constants, ignoring nested keys.

See: https://chatgpt.com/share/68b01017-efe0-800f-a508-7d7e2f1c8c8d
2025-08-28 10:15:48 +02:00

57 lines
2.5 KiB
YAML
Raw Blame History

###############################################################################
# 1) Create the LDAP entry if it does not yet exist
###############################################################################
- name: Ensure LDAP users exist
community.general.ldap_entry:
dn: "{{ LDAP.USER.ATTRIBUTES.ID }}={{ item.key }},{{ LDAP.DN.OU.USERS }}"
server_uri: "{{ openldap_server_uri }}"
bind_dn: "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
bind_pw: "{{ LDAP.BIND_CREDENTIAL }}"
objectClass: "{{ LDAP.USER.OBJECTS.STRUCTURAL }}"
attributes:
uid: "{{ item.value.username }}"
sn: "{{ item.value.sn | default(item.key) }}"
cn: "{{ item.value.cn | default(item.key) }}"
userPassword: "{SSHA}{{ item.value.password }}"
loginShell: /bin/bash
homeDirectory: "/home/{{ item.key }}"
uidNumber: "{{ item.value.uid | int }}"
gidNumber: "{{ item.value.gid | int }}"
state: present # ↳ creates but never updates
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
loop: "{{ users | dict2items }}"
loop_control:
label: "{{ item.key }}"
###############################################################################
# 2) Keep the objectClass list AND the mail attribute up-to-date
###############################################################################
- name: Ensure required objectClass values and mail address are present
community.general.ldap_attrs:
dn: "{{ LDAP.USER.ATTRIBUTES.ID }}={{ item.key }},{{ LDAP.DN.OU.USERS }}"
server_uri: "{{ openldap_server_uri }}"
bind_dn: "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
bind_pw: "{{ LDAP.BIND_CREDENTIAL }}"
attributes:
objectClass: "{{ LDAP.USER.OBJECTS.STRUCTURAL }}"
mail: "{{ item.value.email }}"
state: exact
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
loop: "{{ users | dict2items }}"
loop_control:
label: "{{ item.key }}"
- name: "Ensure container for application roles exists"
community.general.ldap_entry:
dn: "{{ LDAP.DN.OU.ROLES }}"
server_uri: "{{ openldap_server_uri }}"
bind_dn: "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
bind_pw: "{{ LDAP.BIND_CREDENTIAL }}"
objectClass: organizationalUnit
attributes:
ou: roles
description: Container for application access profiles
state: present
Reference in New Issue View Git Blame Copy Permalink