computer-playbook/group_vars/all/12_iam.yml

#############################################
### Identity and Access Management (IAM)  ###
#############################################

#############################################
### OIDC                                  ###
#############################################
# @see https://en.wikipedia.org/wiki/OpenID_Connect

## Helper Variables:
_oidc_client_realm:       "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
_oidc_client_issuer_url:  "{{ web_protocol }}://{{domains | get_domain('keycloak')}}/realms/{{_oidc_client_realm}}"

defaults_oidc:
  client:
    id:                   "{{primary_domain}}"                                              # Client identifier, typically matching your primary domain
#   secret:                                                                                 # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
    realm:                "{{_oidc_client_realm}}"                                          # The realm to which the client belongs in the OIDC provider
    issuer_url:           "{{_oidc_client_issuer_url}}"                                     # Base URL of the OIDC provider (issuer)
    discovery_document:   "{{_oidc_client_issuer_url}}/.well-known/openid-configuration"    # URL for fetching the provider's configuration details
    authorize_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"        # Endpoint to start the authorization process
    token_url:            "{{_oidc_client_issuer_url}}/protocol/openid-connect/token"       # Endpoint to exchange authorization codes for tokens (note: 'token_url' may be a typo for 'token_url')
    user_info_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"    # Endpoint to retrieve user information
    logout_url:           "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"      # Endpoint to log out the user
    change_credentials:   "{{_oidc_client_issuer_url}}account/account-security/signing-in"  # URL for managing or changing user credentials
    certs:                "{{_oidc_client_issuer_url}}/protocol/openid-connect/certs"       # JSON Web Key Set (JWKS)
  button_text:            "SSO Login ({{primary_domain | upper}})"                           # Default button text
  attributes:
    # Attribut to identify the user
    username:             "preferred_username"
    given_name:           "givenName"
    family_name:          "surname"
    email:                "email"

#############################################
### LDAP                                  ###
#############################################

# Helper Variables:
# Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory
_ldap_dn_base:            "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
_ldap_server_port:        "{% if applications.ldap.network.docker | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}"
_ldap_user_id:            "uid"
_ldap_filters_users_all:  "(|(objectclass=inetOrgPerson))"

ldap:
  # Distinguished Names (DN)
  dn:
    # -------------------------------------------------------------------------
    # Base DN / Suffix
    # This is the top-level naming context for your directory, used as the
    # default search base for most operations (e.g. adding users, groups).
    # Example: “dc=example,dc=com”
    root:               "{{_ldap_dn_base}}"
    administrator:
      # -------------------------------------------------------------------------
      # Data-Tree Administrator Bind DN
      # The DN used to authenticate for regular directory operations under
      # the data tree (adding users, modifying attributes, creating OUs, etc.).
      # Typically: “cn=admin,dc=example,dc=com”
      data: "cn={{ applications.ldap.users.administrator.username }},{{ _ldap_dn_base }}"

      # -------------------------------------------------------------------------
      # Config-Tree Administrator Bind DN
      # The DN used to authenticate against the cn=config backend when you
      # need to load or modify schema, overlays, modules, or other server-
      # level settings.  
      # Typically: “cn=admin,cn=config”
      configuration: "cn={{ applications.ldap.users.administrator.username }},cn=config"


    # -------------------------------------------------------------------------
    # Organizational Units (OUs)
    # Pre-created containers in the data tree to organize entries.
    # – users:  Where all person/posixAccount entries live.
    # – groups: Where you define your application or business groups.
    # – roles:  A flat container for application-role entries (e.g. “cn=app1-user”).
    users:             "ou=users,{{ _ldap_dn_base }}"
    groups:            "ou=groups,{{ _ldap_dn_base }}"
    application_roles: "ou=application_roles,{{ _ldap_dn_base }}"

    # -------------------------------------------------------------------------
    # Additional Notes
    # – Always bind as data_admin for CRUD on entries under your base DN.
    # – Always bind as config_admin when you push schema-level LDIFs via ldapi:///
    # – Keeping these distinct prevents accidental use of config credentials
    #   for ordinary user/group operations, and vice versa.

  attributes:
    # Attribut to identify the user
    user_id:            "{{ _ldap_user_id }}"
    mail:               "mail"
    fullname:           "cn"
    firstname:          "givenname"
    surname:            "sn"
    ssh_public_key:     "sshPublicKey"
  # Password to access dn.bind
  bind_credential:      "{{applications.ldap.credentials.administrator_database_password}}"
  server:
    domain:             "{{applications.ldap.hostname if applications.ldap.network.docker | bool else domains.ldap}}" # Mapping for public or locale access
    port:               "{{_ldap_server_port}}"
    uri:                "{% if applications.ldap.network.docker | bool %}ldap://{{ applications.ldap.hostname }}{% else %}ldaps://{{ domains.ldap }}{% endif %}:{{ _ldap_server_port }}"
    security:           "" #TLS, SSL - Leave empty for none
  network:
    local:              "{{applications.ldap.network.docker}}" # Uses the application configuration to define if local network should be available or not
  user_objects:
    structural:
      - person            # Structural Classes define the core identity of an entry:
                          # • Specify mandatory attributes (e.g. sn, cn)
                          # • Each entry must have exactly one structural class
      - inetOrgPerson     # An extension of person adding internet-related attributes
                          # (e.g. mail, employeeNumber)
      - posixAccount      # Provides UNIX account attributes (uidNumber, gidNumber,
                          # homeDirectory)
    auxiliary:
      - nextcloudUser     # Auxiliary Classes attach optional attributes without
                          # changing the entry’s structural role. Here they add
                          # nextcloudQuota and nextcloudEnabled for Nextcloud.
      - ldapPublicKey     # Allows storing SSH public keys for services like Gitea.

  filters:
    users:
      login:            "(&{{ _ldap_filters_users_all }}({{_ldap_user_id}}=%{{_ldap_user_id}}))"
      all:              "{{ _ldap_filters_users_all }}"