			1 Commits
		
	
	
		
			server-28.
			...
			5e1c639bff
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 5e1c639bff | 
							
								
								
									
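--- a/roles/ldap-user-backend/README.md
+++ b/roles/ldap-user-backend/README.md
@@ -0,0 +1,27 @@
+# `finallycoffee.nextcloud.ldap-user-backend` ansible role
+
+Ansible role for managing LDAP authentication of nextcloud instances using ansible.
+
+## Prerequisites
+
+This role assumes a nextcloud instance is up and running, and has the `user_ldap`
+nextcloud app installed. For starting a nextcloud instance, see the
+`finallycoffee.nextcloud.server` role, for managing nextcloud apps see the
+`finallycoffee.nextcloud.apps` ansible role.
+
+## Configuration
+
+- Set `nc_ldap_api_method` to either `occ` or `http` to control wether the
+  configuration is set using `php occ` command line calls or the `http` API
+  of the `user_ldap` nextcloud app.
+
+- For `nc_ldap_api_method: occ`, ensure `nc_ldap_container` is set to the name
+  of the docker container where nextcloud is running, and `nc_ldap_occ_user` is
+  the user the container / nextcloud itself runs as. `nc_ldap_occ_command`
+  _can_ also be tweaked if `php` is not in the path, but the default should
+  be fine in most cases.
+
+- For `nc_ldap_api_method: http`, ensure `nc_ldapi_api_instance_url` contains
+  the URL to the nextcloud server, including protocol (and port, if
+  non-standard), and `nc_ldap_api_basic_auth_[user|password]` contain the
+  credentials of an admin user with the rights to edit the LDAP settings.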
							
								
								
									
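--- a/roles/ldap-user-backend/defaults/main.yml
+++ b/roles/ldap-user-backend/defaults/main.yml
@@ -0,0 +1,25 @@
+---
+
+nc_ldap_api_method: occ
+
+nc_ldap_api_instance_url: http://localhost
+nc_ldap_api_basic_auth_user:
+nc_ldap_api_basic_auth_password:
+
+nc_ldap_occ_command: "php occ"
+nc_ldap_occ_user: "nextcloud"
+nc_ldap_container: nextcloud
+
+nc_ldap_config_id: s01
+nc_ldap_config_host: 127.0.0.1
+nc_ldap_config_port: 389
+nc_ldap_config_backup_host: ~
+nc_ldap_config_backup_port: ~
+
+nc_ldap_config_base_dn:
+nc_ldap_config_base_dn_users:
+nc_ldap_config_base_dn_groups:
+nc_ldap_config_agent_name:
+nc_ldap_config_agent_password:
+
+nc_ldap_meta_http_agent: "ansible-httpget/finallycoffee.nextcloud.ldap-user-backend"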
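Review bot: The README documents the instance URL variable as `nc_ldapi_api_instance_url` while this file defines `nc_ldap_api_instance_url`; one of the two is a typo, and a user following the README sets a variable nothing reads. The bare `nc_ldap_api_basic_auth_user:` / `nc_ldap_api_basic_auth_password:` and `nc_ldap_config_*:` entries parse as null, which is fine if intended, but writing `null` explicitly (e.g. `nc_ldap_api_basic_auth_password: null`) makes "no default, must be supplied" visible and keeps formatters from rewriting the value. `nc_ldap_api_instance_url: http://localhost` is a plain-http default for an endpoint that later receives the admin basic-auth credentials and the LDAP agent password; a comment such as `# use https:// when the instance is not reached over localhost` would make that trade-off explicit to whoever overrides it.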
							
								
								
									
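--- a/roles/ldap-user-backend/tasks/main.yml
+++ b/roles/ldap-user-backend/tasks/main.yml
@@ -0,0 +1,74 @@
+---
+
+- name: Set default api parameters for HTTP
+  meta: noop
+  vars: &api_defaults
+    http_agent: "{{ nc_ldap_meta_http_agent }}"
+    headers: "{{ nc_ldap_api_headers }}"
+    url_username: "{{ nc_ldap_api_basic_auth_user }}"
+    url_password: "{{ nc_ldap_api_basic_auth_password }}"
+    force_basic_auth: yes
+    force: yes
+  when: nc_ldap_api_method == 'http'
+
+- name: Check if configuration with given config ID already exists
+  docker_container_exec:
+    container: "{{ nc_ldap_container }}"
+    command: "{{ nc_ldap_occ_command }} ldap:show-config --output json {{ nc_ldap_config_id }}"
+    user: "{{ nc_ldap_occ_user }}"
+    tty: yes
+  when: nc_ldap_api_method == 'occ'
+  register: nc_ldap_existing_config
+
+- name: Check if configuration with given config ID already exists
+  uri:
+    <<: *api_defaults
+    url: "{{ nc_ldap_api_path }}/{{ nc_ldap_config_id }}{{ query_params }}"
+    method: GET
+  vars:
+    query_params: "?showPassword=1&format={{nc_ldap_api_parameter_format }}"
+    
+  when: nc_ldap_api_method == 'http'
+  register: nc_ldap_existing_config
+
+# TODO: Can we force an ID on POST?
+- name: Create ldap configuration with id={{ nc_ldap_config_id }}
+  uri:
+    <<: *api_defaults
+    url: "{{ nc_ldap_api_path }}"
+    method: POST
+  when: nc_ldap_api_method == 'http' and nc_ldap_existing_config.status != 200
+
+- name: Create ldap configuration with id={{ nc_ldap_config_id }}
+  docker_container_exec:
+    container: "{{ nc_ldap_container }}"
+    command: "{{ nc_ldap_occ_command }} ldap:create-empty-config --output json {{ nc_ldap_config_id }}"
+    user: "{{ nc_ldap_occ_user }}"
+    tty: yes
+  # research conditions?
+  when: nc_ldap_api_method == 'occ' and nc_ldap_existing_config.exitCode = 0
+
+- name: Create changeset
+  set_fact:
+    nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}"
+  vars:
+    changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}"
+  loops: "{{ nc_ldap_config_keys.keys() }}"
+  when: "{{ nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] is not None }}"
+
+- name: Ensure ldap configuration is in sync
+  uri:
+    <<: *api_defaults
+    url:
+    method: PUT
+    body:
+    body_format: "form-urlencoded"
+  when: nc_ldap_api_method == 'http'
+
+- name: Ensure ldap configuration is in sync
+  docker_container_exec:
+    container: "{{ nc_ldap_container }}"
+    command: "{{ nc_ldap_occ_command }} ldap:set-config #args"
+    user: "{{ nc_ldap_occ_user }}"
+    tty: yes
+  when: nc_ldap_api_method == 'occ'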
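Review bot: The "Create changeset" task cannot run as written: Ansible has no `loops` keyword (it must be `loop`), `nc_ldap_config_keys.keys()` yields a dict view rather than the list `loop` requires, `is not None` is not a Jinja test (the test is `none`, lowercase), and `nc_ldap_config_changeset` is combined with itself before it is ever defined, so it needs `| default({})`. The occ create task compares with a single `=` (`nc_ldap_existing_config.exitCode = 0`), which is a Jinja syntax error, and `docker_container_exec` reports the exit status as `rc`, not `exitCode`. The two http `uri` tasks build `url:` from `nc_ldap_api_path` (a bare path) instead of `nc_ldap_api_url`, and the GET check needs `status_code: [200, 404]` or the task fails on a missing config before the `!= 200` branch of the POST is ever evaluated. The GET uses `showPassword=1` and the api defaults carry `url_password`, so the registered result and the changeset loop hold the LDAP agent password and the admin password; those tasks should set `no_log: true`, and the `yes` truthies should be `true`.
```yaml
# … unchanged: api_defaults and the two "Check if configuration … exists" tasks …
- name: Create ldap configuration with id={{ nc_ldap_config_id }}
  docker_container_exec:
    # … unchanged: container / command / user / tty …
  when: nc_ldap_api_method == 'occ' and nc_ldap_existing_config.rc != 0

- name: Create changeset
  set_fact:
    nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | default({}) | combine(changed_entry) }}"
  vars:
    changed_entry: "{{ { item: nc_ldap_config_keys[item] } }}"
  loop: "{{ nc_ldap_config_keys.keys() | list }}"
  when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] is not none
  no_log: true  # values include ldapAgentPassword
# … unchanged: "Ensure ldap configuration is in sync" tasks …
```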
							
								
								
									
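--- a/roles/ldap-user-backend/vars/main.yml
+++ b/roles/ldap-user-backend/vars/main.yml
@@ -0,0 +1,58 @@
+---
+
+nc_ldap_api_path: "/ocs/v2.php/apps/user_ldap/api/v1/config"
+nc_ldap_api_url: "{{ nc_ldap_api_instance_url }}{{ nc_ldap_api_path }}"
+nc_ldap_api_headers:
+  OCS-APIREQUEST: "true"
+nc_ldap_api_parameter_format: json
+
+nc_ldap_config_keys:
+  ldapHost: "{{ nc_ldap_config_host }}"
+  ldapPort: "{{ nc_ldap_config_port }}"
+  ldapBackupHost: "{{ nc_ldap_config_backup_host }}"
+  ldapBackupPort: "{{ nc_ldap_config_backup_port }}"
+  ldapOverrideMainServer: "{{ nc_ldap_config_override_main_server }}"
+  ldapBase: "{{ nc_ldap_config_base_dn }}"
+  ldapBaseUsers: "{{ nc_ldap_config_base_dn_users }}"
+  ldapBaseGroups: "{{ nc_ldap_config_base_dn_groups }}"
+  ldapAgentName: "{{ nc_ldap_config_agent_name }}"
+  ldapAgentPassword: "{{ nc_ldap_config_agent_password }}"
+  ldapTLS: "{{ nc_ldap_config_tls }}"
+  turnOffCertCheck: "{{ nc_ldap_config_turn_off_cert_check }}"
+  ldapUserDisplayName: "{{ nc_ldap_config_user_displayname }}"
+  ldapUserDisplayName2: "{{ nc_ldap_config_user_displayname2 }}"
+  ldapUserAvatarRule: "{{ nc_ldap_config_user_avatar_rule }}"
+  ldapGidNumber: "{{ nc_ldap_config_gid_number }}"
+  ldapUserFilterObjectclass: "{{ nc_ldap_config_user_filter_objectclass }}"
+  ldapUserFilterGroups: "{{ nc_ldap_config_user_filter_groups }}"
+  ldapUserFilter: "{{ nc_ldap_config_user_filter }}"
+  ldapUserFilterMode: "{{ nc_ldap_config_user_filter_mode }}"
+  ldapAttributesForUserSearch: "{{ nc_ldap_config_attributes_for_user_search }}"
+  ldapGroupFilter: "{{ nc_ldap_config_group_filter }}"
+  ldapGroupFilterMode: "{{ nc_ldap_config_group_filter_mode }}"
+  ldapGroupFilterObjectclass: "{{ nc_ldap_config_group_filter_objectclass }}"
+  ldapGroupFilterGroups: "{{ nc_ldap_config_group_filter_groups }}"
+  ldapGroupMemberAssocAttr: "{{ nc_ldap_config_group_member_assoc_attr }}"
+  ldapGroupDisplayName: "{{ nc_ldap_config_group_displayname }}"
+  ldapAttributesForGroupSearch: "{{ nc_ldap_config_attributes_for_group_search }}"
+  ldapLoginFilter: "{{ nc_ldap_config_login_filter }}"
+  ldapLoginFilterMode: "{{ nc_ldap_config_login_filter_mode }}"
+  ldapLoginFilterEmail: "{{ nc_ldap_config_login_filter_email }}"
+  ldapLoginFilterUsername: "{{ nc_ldap_config_login_filter_username }}"
+  ldapLoginFilterAttributes: "{{ nc_ldap_config_login_filter_attributes }}"
+  ldapQuotaAttribute: "{{ nc_ldap_config_quota_attribute }}"
+  ldapQuotaDefault: "{{ nc_ldap_config_quota_default }}"
+  ldapEmailAttribute: "{{ nc_ldap_config_email_attribute }}"
+  ldapCacheTTL: "{{ nc_ldap_config_cache_ttl }}"
+  ldapConfigurationActive: "{{ nc_ldap_config_configuration_active }}"
+  ldapExperiencedAdmin: "{{ nc_ldap_config_experienced_admin }}"
+  homeFolderNamingRule: "{{ nc_ldap_config_home_folder_naming_rule }}"
+  useMemberOfToDetectMembership: "{{ nc_ldap_config_use_memberOf_to_detect_membership }}"
+  ldapExpertUsernameAttr: "{{ nc_ldap_config_expert_username_attr }}"
+  ldapExpertUUIDUserAttr: "{{ nc_ldap_config_expert_uuid_user_attr }}"
+  ldapExpertUUIDGroupAttr: "{{ nc_ldap_config_expert_uuid_group_attr }}"
+  ldapNestedGroups: "{{ nc_ldap_config_nested_groups }}"
+  ldapPagingSize: "{{ nc_ldap_config_paging_size }}"
+  turnOnPasswordChange: "{{ nc_ldap_config_turn_on_password_change }}"
+  ldapDynamicGroupMemberURL: "{{ nc_ldap_config_dynamic_group_member_url }}"
+  ldapDefaultPPolicyDN: "{{ nc_ldap_config_default_ppolicy_dn }}"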
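Review bot: `nc_ldap_config_keys` references around forty `nc_ldap_config_*` variables, but `defaults/main.yml` in this commit defines only nine of them (host, port, backup host/port, the three base DNs, agent name and agent password), so rendering the dict aborts on the first undefined name (e.g. `nc_ldap_config_override_main_server`) before any `is defined` check in the tasks can filter it. Either give every key a default in `defaults/main.yml` or write each entry as `ldapTLS: "{{ nc_ldap_config_tls | default(none) }}"` so absent settings become null and are dropped by the changeset loop. The dict also carries `ldapAgentPassword` and the transport settings `ldapTLS` / `turnOffCertCheck`; leaving those without a stated default means the bind credential's protection depends on whatever the consumer remembers to set, so the intended default for each deserves a comment next to the key.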