kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-04-28 18:30:24 +02:00
Code Issues Packages Projects Releases Wiki Activity
computer-playbook/group_vars/all/11_iam.yml

73 lines
4.9 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#############################################
### Identity and Access Management (IAM) ###
#############################################
#############################################
### OIDC ###
#############################################
# @see https://en.wikipedia.org/wiki/OpenID_Connect
## Helper Variables:
_oidc_client_realm: "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
_oidc_client_issuer_url: "{{ web_protocol }}://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"
defaults_oidc:
client:
id: "{{primary_domain}}" # Client identifier, typically matching your primary domain
# secret: # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
realm: "{{_oidc_client_realm}}" # The realm to which the client belongs in the OIDC provider
issuer_url: "{{_oidc_client_issuer_url}}" # Base URL of the OIDC provider (issuer)
discovery_document: "{{_oidc_client_issuer_url}}/.well-known/openid-configuration" # URL for fetching the provider's configuration details
authorize_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth" # Endpoint to start the authorization process
token_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/token" # Endpoint to exchange authorization codes for tokens (note: 'token_url' may be a typo for 'token_url')
user_info_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo" # Endpoint to retrieve user information
logout_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout" # Endpoint to log out the user
change_credentials: "{{_oidc_client_issuer_url}}account/account-security/signing-in" # URL for managing or changing user credentials
certs: "{{_oidc_client_issuer_url}}/protocol/openid-connect/certs" # JSON Web Key Set (JWKS)
button_text: "SSO Login ({{primary_domain | upper}})" # Default button text
attributes:
# Attribut to identify the user
username: "preferred_username"
given_name: "given_name"
family_name: "family_name"
email: "email"
#############################################
### LDAP ###
#############################################
# Helper Variables:
# Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory
_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
_ldap_server_port: "{% if applications.ldap.network.local | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}"
ldap:
# Distinguished Names (DN)
dn:
# Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).
root: "{{_ldap_dn_base}}"
# Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain.
administrator: "cn={{applications.ldap.users.administrator.username}},{{_ldap_dn_base}}"
# Dn from which the users should be read
users: "ou=users,{{_ldap_dn_base}}"
# Dn from which the groups should be read
groups: "ou=groups,{{_ldap_dn_base}}"
# Dn for all application roles of the users
application_roles: "ou=application_roles,{{_ldap_dn_base}}"
attributes:
# Attribut to identify the user
user_id: "uid"
# Password to access dn.bind
bind_credential: "{{applications.ldap.administrator_database_password}}"
server:
domain: "{{applications.ldap.hostname if applications.ldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access
port: "{{_ldap_server_port}}"
uri: "{% if applications.ldap.network.local | bool %}ldap://{{ applications.ldap.hostname }}{% else %}ldaps://{{ domains.ldap }}{% endif %}:{{ _ldap_server_port }}"
network:
local: "{{applications.ldap.network.local}}" # Uses the application configuration to define if local network should be available or not
user_objects:
- person # Basic person attributes (sn, cn …) RFC 4519
- inetOrgPerson # Extended Internet / intranet person RFC 2798
- posixAccount # POSIX/UNIX login attributes (uidNumber, gidNumber …) RFC 2307
- nextcloudUser # Nextcloud-specific auxiliary attributes (nextcloudQuota, nextcloudEnabled) Nextcloud schema
Reference in New Issue View Git Blame Copy Permalink