feat(ldap-user-backend): add role for managing ldap user backend in nextcloud

This commit is contained in:
transcaffeine 2021-10-16 15:01:14 +02:00 committed by Johanna Dorothea Reichmann
parent a907549dc9
commit 5e1c639bff
Signed by: transcaffeine
GPG Key ID: 03624C433676E465
4 changed files with 184 additions and 0 deletions


@ -0,0 +1,27 @@
# `finallycoffee.nextcloud.ldap-user-backend` ansible role
Ansible role for managing LDAP authentication of nextcloud instances using ansible.
## Prerequisites
This role assumes a nextcloud instance is up and running, and has the `user_ldap`
nextcloud app installed. For starting a nextcloud instance, see the
`finallycoffee.nextcloud.server` role, for managing nextcloud apps see the
`finallycoffee.nextcloud.apps` ansible role.
## Configuration
- Set `nc_ldap_api_method` to either `occ` or `http` to control wether the
configuration is set using `php occ` command line calls or the `http` API
of the `user_ldap` nextcloud app.
- For `nc_ldap_api_method: occ`, ensure `nc_ldap_container` is set to the name
of the docker container where nextcloud is running, and `nc_ldap_occ_user` is
the user the container / nextcloud itself runs as. `nc_ldap_occ_command`
_can_ also be tweaked if `php` is not in the path, but the default should
be fine in most cases.
- For `nc_ldap_api_method: http`, ensure `nc_ldapi_api_instance_url` contains
the URL to the nextcloud server, including protocol (and port, if
non-standard), and `nc_ldap_api_basic_auth_[user|password]` contain the
credentials of an admin user with the rights to edit the LDAP settings.


@ -0,0 +1,25 @@
---
nc_ldap_api_method: occ
nc_ldap_api_instance_url: http://localhost
nc_ldap_api_basic_auth_user:
nc_ldap_api_basic_auth_password:
nc_ldap_occ_command: "php occ"
nc_ldap_occ_user: "nextcloud"
nc_ldap_container: nextcloud
nc_ldap_config_id: s01
nc_ldap_config_host: 127.0.0.1
nc_ldap_config_port: 389
nc_ldap_config_backup_host: ~
nc_ldap_config_backup_port: ~
nc_ldap_config_base_dn:
nc_ldap_config_base_dn_users:
nc_ldap_config_base_dn_groups:
nc_ldap_config_agent_name:
nc_ldap_config_agent_password:
nc_ldap_meta_http_agent: "ansible-httpget/finallycoffee.nextcloud.ldap-user-backend"
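Review bot: `nc_ldap_config_keys` in the vars file templates `nc_ldap_config_override_main_server`, `nc_ldap_config_tls`, `nc_ldap_config_turn_off_cert_check` and roughly forty other `nc_ldap_config_*` variables, but this defaults file declares only nine of them, so evaluating that dict in the changeset task will presumably abort on the first undefined variable unless every key gets an entry here (`null` is enough). The credential and DN defaults are written as bare `key:` entries, which parse as null; write `null` explicitly, or `""` where an empty string is intended, matching the `~` already used for the backup host and port. `nc_ldap_api_instance_url: http://localhost` together with `force_basic_auth` in the tasks means the admin credentials and `ldapAgentPassword` travel in clear text as soon as this default is pointed at a remote host; a comment such as `# use https:// unless nextcloud is reachable only on this host` would make that explicit. The README refers to this variable as `nc_ldapi_api_instance_url`, which does not match the name defined here.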


@ -0,0 +1,74 @@
---
- name: Set default api parameters for HTTP
meta: noop
vars: &api_defaults
http_agent: "{{ nc_ldap_meta_http_agent }}"
headers: "{{ nc_ldap_api_headers }}"
url_username: "{{ nc_ldap_api_basic_auth_user }}"
url_password: "{{ nc_ldap_api_basic_auth_password }}"
force_basic_auth: yes
force: yes
when: nc_ldap_api_method == 'http'
- name: Check if configuration with given config ID already exists
docker_container_exec:
container: "{{ nc_ldap_container }}"
command: "{{ nc_ldap_occ_command }} ldap:show-config --output json {{ nc_ldap_config_id }}"
user: "{{ nc_ldap_occ_user }}"
tty: yes
when: nc_ldap_api_method == 'occ'
register: nc_ldap_existing_config
- name: Check if configuration with given config ID already exists
uri:
<<: *api_defaults
url: "{{ nc_ldap_api_path }}/{{ nc_ldap_config_id }}{{ query_params }}"
method: GET
vars:
query_params: "?showPassword=1&format={{nc_ldap_api_parameter_format }}"
when: nc_ldap_api_method == 'http'
register: nc_ldap_existing_config
# TODO: Can we force an ID on POST?
- name: Create ldap configuration with id={{ nc_ldap_config_id }}
uri:
<<: *api_defaults
url: "{{ nc_ldap_api_path }}"
method: POST
when: nc_ldap_api_method == 'http' and nc_ldap_existing_config.status != 200
- name: Create ldap configuration with id={{ nc_ldap_config_id }}
docker_container_exec:
container: "{{ nc_ldap_container }}"
command: "{{ nc_ldap_occ_command }} ldap:create-empty-config --output json {{ nc_ldap_config_id }}"
user: "{{ nc_ldap_occ_user }}"
tty: yes
# research conditions?
when: nc_ldap_api_method == 'occ' and nc_ldap_existing_config.exitCode = 0
- name: Create changeset
set_fact:
nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}"
vars:
changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}"
loops: "{{ nc_ldap_config_keys.keys() }}"
when: "{{ nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] is not None }}"
- name: Ensure ldap configuration is in sync
uri:
<<: *api_defaults
url:
method: PUT
body:
body_format: "form-urlencoded"
when: nc_ldap_api_method == 'http'
- name: Ensure ldap configuration is in sync
docker_container_exec:
container: "{{ nc_ldap_container }}"
command: "{{ nc_ldap_occ_command }} ldap:set-config #args"
user: "{{ nc_ldap_occ_user }}"
tty: yes
when: nc_ldap_api_method == 'occ'


@ -0,0 +1,58 @@
---
nc_ldap_api_path: "/ocs/v2.php/apps/user_ldap/api/v1/config"
nc_ldap_api_url: "{{ nc_ldap_api_instance_url }}{{ nc_ldap_api_path }}"
nc_ldap_api_headers:
OCS-APIREQUEST: "true"
nc_ldap_api_parameter_format: json
nc_ldap_config_keys:
ldapHost: "{{ nc_ldap_config_host }}"
ldapPort: "{{ nc_ldap_config_port }}"
ldapBackupHost: "{{ nc_ldap_config_backup_host }}"
ldapBackupPort: "{{ nc_ldap_config_backup_port }}"
ldapOverrideMainServer: "{{ nc_ldap_config_override_main_server }}"
ldapBase: "{{ nc_ldap_config_base_dn }}"
ldapBaseUsers: "{{ nc_ldap_config_base_dn_users }}"
ldapBaseGroups: "{{ nc_ldap_config_base_dn_groups }}"
ldapAgentName: "{{ nc_ldap_config_agent_name }}"
ldapAgentPassword: "{{ nc_ldap_config_agent_password }}"
ldapTLS: "{{ nc_ldap_config_tls }}"
turnOffCertCheck: "{{ nc_ldap_config_turn_off_cert_check }}"
ldapUserDisplayName: "{{ nc_ldap_config_user_displayname }}"
ldapUserDisplayName2: "{{ nc_ldap_config_user_displayname2 }}"
ldapUserAvatarRule: "{{ nc_ldap_config_user_avatar_rule }}"
ldapGidNumber: "{{ nc_ldap_config_gid_number }}"
ldapUserFilterObjectclass: "{{ nc_ldap_config_user_filter_objectclass }}"
ldapUserFilterGroups: "{{ nc_ldap_config_user_filter_groups }}"
ldapUserFilter: "{{ nc_ldap_config_user_filter }}"
ldapUserFilterMode: "{{ nc_ldap_config_user_filter_mode }}"
ldapAttributesForUserSearch: "{{ nc_ldap_config_attributes_for_user_search }}"
ldapGroupFilter: "{{ nc_ldap_config_group_filter }}"
ldapGroupFilterMode: "{{ nc_ldap_config_group_filter_mode }}"
ldapGroupFilterObjectclass: "{{ nc_ldap_config_group_filter_objectclass }}"
ldapGroupFilterGroups: "{{ nc_ldap_config_group_filter_groups }}"
ldapGroupMemberAssocAttr: "{{ nc_ldap_config_group_member_assoc_attr }}"
ldapGroupDisplayName: "{{ nc_ldap_config_group_displayname }}"
ldapAttributesForGroupSearch: "{{ nc_ldap_config_attributes_for_group_search }}"
ldapLoginFilter: "{{ nc_ldap_config_login_filter }}"
ldapLoginFilterMode: "{{ nc_ldap_config_login_filter_mode }}"
ldapLoginFilterEmail: "{{ nc_ldap_config_login_filter_email }}"
ldapLoginFilterUsername: "{{ nc_ldap_config_login_filter_username }}"
ldapLoginFilterAttributes: "{{ nc_ldap_config_login_filter_attributes }}"
ldapQuotaAttribute: "{{ nc_ldap_config_quota_attribute }}"
ldapQuotaDefault: "{{ nc_ldap_config_quota_default }}"
ldapEmailAttribute: "{{ nc_ldap_config_email_attribute }}"
ldapCacheTTL: "{{ nc_ldap_config_cache_ttl }}"
ldapConfigurationActive: "{{ nc_ldap_config_configuration_active }}"
ldapExperiencedAdmin: "{{ nc_ldap_config_experienced_admin }}"
homeFolderNamingRule: "{{ nc_ldap_config_home_folder_naming_rule }}"
useMemberOfToDetectMembership: "{{ nc_ldap_config_use_memberOf_to_detect_membership }}"
ldapExpertUsernameAttr: "{{ nc_ldap_config_expert_username_attr }}"
ldapExpertUUIDUserAttr: "{{ nc_ldap_config_expert_uuid_user_attr }}"
ldapExpertUUIDGroupAttr: "{{ nc_ldap_config_expert_uuid_group_attr }}"
ldapNestedGroups: "{{ nc_ldap_config_nested_groups }}"
ldapPagingSize: "{{ nc_ldap_config_paging_size }}"
turnOnPasswordChange: "{{ nc_ldap_config_turn_on_password_change }}"
ldapDynamicGroupMemberURL: "{{ nc_ldap_config_dynamic_group_member_url }}"
ldapDefaultPPolicyDN: "{{ nc_ldap_config_default_ppolicy_dn }}"
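Review bot: Every value in `nc_ldap_config_keys` is a quoted `"{{ … }}"` template, so a variable left at `null` in defaults reaches the changeset task as a string rather than as none (Ansible renders a None result as an empty string, as far as I can tell), and an `is not none` filter there would keep every key; the changeset filter should test for an empty value, e.g. `nc_ldap_config_keys[item] | length > 0`, or the unset entries should be dropped before templating. `nc_ldap_config_use_memberOf_to_detect_membership` is the only variable here with mixed case; `nc_ldap_config_use_member_of_to_detect_membership` would match the rest of the file. A short comment above the dict, such as `# keys are the user_ldap config keys accepted by the OCS API and occ ldap:set-config; values come from nc_ldap_config_* defaults`, would tell a reader why the two naming schemes coexist.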