- Converted group_vars/all/13_ldap.yml from lower-case to ALL-CAPS nested keys. - Updated all roles, tasks, templates, and filter_plugins to reference LDAP.* instead of ldap.*. - Fixed Keycloak JSON templates to properly quote Jinja variables. - Adjusted svc-db-openldap filter plugins and unit tests to handle new LDAP structure. - Updated integration test to only check uniqueness of TOP-LEVEL ALL-CAPS constants, ignoring nested keys. See: https://chatgpt.com/share/68b01017-efe0-800f-a508-7d7e2f1c8c8d
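---
#############################################
### LDAP ###
#############################################

# Helper Variables:
# Keep in mind to map these variables if the user ever gets the possibility
# to define them in the inventory.

# Base DN derived from PRIMARY_DOMAIN, e.g. "example.com" -> "dc=example,dc=com"
LDAP_DN_BASE: "{{ PRIMARY_DOMAIN.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
_ldap_docker_network_enabled: "{{ applications | get_app_conf('svc-db-openldap', 'network.docker') }}"
# Plain 'ldap' is selected only when the Docker network is enabled (container-
# to-container traffic); every other access path reaches the server over 'ldaps'.
_ldap_protocol: "{{ 'ldap' if _ldap_docker_network_enabled else 'ldaps' }}"
# The port is looked up per protocol, so it follows the ldap/ldaps choice above.
_ldap_server_port: "{{ ports.localhost[_ldap_protocol]['svc-db-openldap'] }}"
_ldap_name: "{{ applications | get_app_conf('svc-db-openldap', 'docker.services.openldap.name') }}"
_ldap_domain: "{{ PRIMARY_DOMAIN }}" # LDAP is just listening to a port, not to a dedicated domain, so the primary domain should be sufficient
_ldap_user_id: "uid"
_ldap_filters_users_all: "(|(objectclass=inetOrgPerson))"

LDAP:
  # Distinguished Names (DN)
  DN:
    # -------------------------------------------------------------------------
    # Base DN / Suffix
    # This is the top-level naming context for your directory, used as the
    # default search base for most operations (e.g. adding users, groups).
    # Example: “dc=example,dc=com”
    ROOT: "{{ LDAP_DN_BASE }}"
    ADMINISTRATOR:
      # -------------------------------------------------------------------------
      # Data-Tree Administrator Bind DN
      # The DN used to authenticate for regular directory operations under
      # the data tree (adding users, modifying attributes, creating OUs, etc.).
      # Typically: “cn=admin,dc=example,dc=com”
      DATA: "cn={{ applications['svc-db-openldap'].users.administrator.username }},{{ LDAP_DN_BASE }}"

      # -------------------------------------------------------------------------
      # Config-Tree Administrator Bind DN
      # The DN used to authenticate against the cn=config backend when you
      # need to load or modify schema, overlays, modules, or other server-
      # level settings.
      # Typically: “cn=admin,cn=config”
      CONFIGURATION: "cn={{ applications['svc-db-openldap'].users.administrator.username }},cn=config"

    OU:
      # -------------------------------------------------------------------------
      # Organizational Units (OUs)
      # Pre-created containers in the directory tree to logically separate entries:
      # – users: Contains all user objects (person/posixAccount entries).
      # – groups: Contains organizational or business groups (e.g., departments, teams).
      # – roles: Contains application-specific RBAC roles
      # (e.g., "cn=app1-user", "cn=yourls-admin").
      USERS: "ou=users,{{ LDAP_DN_BASE }}"
      GROUPS: "ou=groups,{{ LDAP_DN_BASE }}"
      ROLES: "ou=roles,{{ LDAP_DN_BASE }}"

    # -------------------------------------------------------------------------
    # Additional Notes
    # – Always bind as ADMINISTRATOR.DATA for CRUD on entries under your base DN.
    # – Always bind as ADMINISTRATOR.CONFIGURATION when you push schema-level LDIFs via ldapi:///
    # – Keeping these distinct prevents accidental use of config credentials
    #   for ordinary user/group operations, and vice versa.

  # Password for the data-tree administrator bind (DN.ADMINISTRATOR.DATA).
  # Resolved from the application configuration rather than stored in this file.
  BIND_CREDENTIAL: "{{ applications | get_app_conf('svc-db-openldap', 'credentials.administrator_database_password') }}"
  SERVER:
    DOMAIN: "{{ _ldap_name if _ldap_docker_network_enabled else _ldap_domain }}" # Mapping for public or local access
    PORT: "{{ _ldap_server_port }}"
    URI: "{{ _ldap_protocol }}://{{ _ldap_name if _ldap_docker_network_enabled else _ldap_domain }}:{{ _ldap_server_port }}"
    # TLS, SSL - Leave empty for none.
    # NOTE(review): this is a separate knob from the ldap/ldaps scheme chosen in
    # URI above; confirm how consumers combine the two before changing either.
    SECURITY: ""
  NETWORK:
    LOCAL: "{{ _ldap_docker_network_enabled }}" # Uses the application configuration to define if the local network should be available or not
  USER:
    OBJECTS:
      # Structural classes define the core identity of an entry:
      # • Specify mandatory attributes (e.g. sn, cn)
      # • Each entry must have exactly one structural class
      STRUCTURAL:
        - person
        # An extension of person adding internet-related attributes (e.g. mail, employeeNumber)
        - inetOrgPerson
        # Provides UNIX account attributes (uidNumber, gidNumber, homeDirectory).
        # NOTE(review): RFC 2307 defines posixAccount as AUXILIARY; it is listed
        # here as the consumers expect it — confirm before moving it.
        - posixAccount
      # Auxiliary classes attach optional attributes without changing the
      # entry’s structural role.
      AUXILIARY:
        # Adds nextcloudQuota and nextcloudEnabled for Nextcloud.
        NEXTCLOUD_USER: "nextcloudUser"
        # Allows storing SSH public keys for services like Gitea.
        SSH_PUBLIC_KEY: "ldapPublicKey"
    ATTRIBUTES:
      # Attribute to identify the user
      ID: "{{ _ldap_user_id }}"
      MAIL: "mail"
      FULLNAME: "cn"
      FIRSTNAME: "givenname"
      SURNAME: "sn"
      SSH_PUBLIC_KEY: "sshPublicKey"
      NEXTCLOUD_QUOTA: "nextcloudQuota"
  FILTERS:
    USERS:
      # The "%<id>" token is a placeholder that the consuming application
      # substitutes with the login name at authentication time.
      LOGIN: "(&{{ _ldap_filters_users_all }}({{ _ldap_user_id }}=%{{ _ldap_user_id }}))"
      ALL: "{{ _ldap_filters_users_all }}"
  RBAC:
    FLAVORS:
      # Valid values: posixGroup, groupOfNames
      - groupOfNames
      # - posixGroup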