feat(ldap-user-backend): add role for managing ldap user backend in nextcloud #1
@ -13,6 +13,8 @@ and managing nextcloud installations
|
|||||||
- [`roles/apps`](roles/apps/README.md):
|
- [`roles/apps`](roles/apps/README.md):
|
||||||
For managing nextcloud apps in an already installed nextcloud
|
For managing nextcloud apps in an already installed nextcloud
|
||||||
server instance. Can install, remove, enable/disable and update apps.
|
server instance. Can install, remove, enable/disable and update apps.
|
||||||
|
- [`roles/ldap-user-backend`](roles/ldap-user-backend/README.md):
|
||||||
|
Manages LDAP authentication sources in installed nextcloud instances.
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
|
@ -5,6 +5,8 @@ readme: README.md
|
|||||||
authors:
|
authors:
|
||||||
- Johanna Dorothea Reichmann <transcaffeine@finallycoffee.eu>
|
- Johanna Dorothea Reichmann <transcaffeine@finallycoffee.eu>
|
||||||
description: Installing and configuring nextcloud (and related apps/services) using docker
|
description: Installing and configuring nextcloud (and related apps/services) using docker
|
||||||
|
dependencies:
|
||||||
|
"community.docker": "^1.10.0"
|
||||||
license:
|
license:
|
||||||
- CNPLv7+
|
- CNPLv7+
|
||||||
build_ignore:
|
build_ignore:
|
||||||
|
37
roles/ldap-user-backend/README.md
Normal file
37
roles/ldap-user-backend/README.md
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
# `finallycoffee.nextcloud.ldap-user-backend` ansible role
|
||||||
|
|
||||||
|
Ansible role for managing LDAP authentication of nextcloud instances using ansible.
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
|
||||||
|
This role assumes a nextcloud instance is up and running, and has the `user_ldap`
|
||||||
|
nextcloud app installed. For starting a nextcloud instance, see the
|
||||||
|
`finallycoffee.nextcloud.server` role, for managing nextcloud apps see the
|
||||||
|
`finallycoffee.nextcloud.apps` ansible role.
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
- Set `nc_ldap_api_method` to either `occ` or `http` to control wether the
|
||||||
|
configuration is set using `php occ` command line calls or the `http` API
|
||||||
|
of the `user_ldap` nextcloud app.
|
||||||
|
|
||||||
|
- For `nc_ldap_api_method: occ`, ensure `nc_ldap_container` is set to the name
|
||||||
|
of the docker container where nextcloud is running, and `nc_ldap_occ_user` is
|
||||||
|
the user the container / nextcloud itself runs as. `nc_ldap_occ_command`
|
||||||
|
_can_ also be tweaked if `php` is not in the path, but the default should
|
||||||
|
be fine in most cases.
|
||||||
|
|
||||||
|
- For `nc_ldap_api_method: http`, ensure `nc_ldapi_api_instance_url` contains
|
||||||
|
the URL to the nextcloud server, including protocol (and port, if
|
||||||
|
non-standard), and `nc_ldap_api_basic_auth_[user|password]` contain the
|
||||||
|
credentials of an admin user with the rights to edit the LDAP settings.
|
||||||
|
|
||||||
|
- Set `nc_ldap_test_configuration` to `true`/`false` to have the role issue a
|
||||||
|
nextcloud-provided test of the configured LDAP configuration, this corresponds
|
||||||
|
to a `occ ldap:test-config <id>`.
|
||||||
|
|
||||||
|
For most of the options, see the
|
||||||
|
[nextcloud manual on configuration keys](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap_api.html#configuration-keys),
|
||||||
|
the config keys are mapped 1:1 with a prefix of `nc_ldap_config_` and
|
||||||
|
the so-called "snake-case" (`ldap_backup_host`), so `ldapUserFilterMode` becomes
|
||||||
|
`nc_ldap_config_ldap_user_filter_mode`.
|
67
roles/ldap-user-backend/defaults/main.yml
Normal file
67
roles/ldap-user-backend/defaults/main.yml
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
nc_ldap_api_method: occ
|
||||||
|
nc_ldap_test_configuration: true
|
||||||
|
|
||||||
|
nc_ldap_api_instance_url: http://localhost
|
||||||
|
nc_ldap_api_basic_auth_user:
|
||||||
|
nc_ldap_api_basic_auth_password:
|
||||||
|
|
||||||
|
nc_ldap_occ_command: "php occ"
|
||||||
|
nc_ldap_occ_user: "nextcloud"
|
||||||
|
nc_ldap_container: nextcloud
|
||||||
|
|
||||||
|
nc_ldap_config_id: s01
|
||||||
|
nc_ldap_config_host: 127.0.0.1
|
||||||
|
nc_ldap_config_port: 389
|
||||||
|
nc_ldap_config_backup_host: ~
|
||||||
|
nc_ldap_config_backup_port: ~
|
||||||
|
|
||||||
|
nc_ldap_config_base_dn:
|
||||||
|
nc_ldap_config_base_dn_users:
|
||||||
|
nc_ldap_config_base_dn_groups:
|
||||||
|
nc_ldap_config_agent_name:
|
||||||
|
nc_ldap_config_agent_password:
|
||||||
|
|
||||||
|
nc_ldap_config_override_main_server: ~
|
||||||
|
nc_ldap_config_tls: ~
|
||||||
|
nc_ldap_config_turn_off_cert_check: ~
|
||||||
|
nc_ldap_config_user_displayname: ~
|
||||||
|
nc_ldap_config_user_displayname2: ~
|
||||||
|
nc_ldap_config_user_avatar_rule: ~
|
||||||
|
nc_ldap_config_gid_number: ~
|
||||||
|
nc_ldap_config_user_filter_objectclass: ~
|
||||||
|
nc_ldap_config_user_filter_groups: ~
|
||||||
|
nc_ldap_config_user_filter: ~
|
||||||
|
nc_ldap_config_user_filter_mode: ~
|
||||||
|
nc_ldap_config_attributes_for_user_search: ~
|
||||||
|
nc_ldap_config_group_filter: ~
|
||||||
|
nc_ldap_config_group_filter_mode: ~
|
||||||
|
nc_ldap_config_group_filter_objectclass: ~
|
||||||
|
nc_ldap_config_group_filter_groups: ~
|
||||||
|
nc_ldap_config_group_member_assoc_attr: ~
|
||||||
|
nc_ldap_config_group_displayname: ~
|
||||||
|
nc_ldap_config_attributes_for_group_search: ~
|
||||||
|
nc_ldap_config_login_filter: ~
|
||||||
|
nc_ldap_config_login_filter_mode: ~
|
||||||
|
nc_ldap_config_login_filter_email: ~
|
||||||
|
nc_ldap_config_login_filter_username: ~
|
||||||
|
nc_ldap_config_login_filter_attributes: ~
|
||||||
|
nc_ldap_config_quota_attribute: ~
|
||||||
|
nc_ldap_config_quota_default: ~
|
||||||
|
nc_ldap_config_email_attribute: ~
|
||||||
|
nc_ldap_config_cache_ttl: ~
|
||||||
|
nc_ldap_config_configuration_active: ~
|
||||||
|
nc_ldap_config_experienced_admin: ~
|
||||||
|
nc_ldap_config_home_folder_naming_rule: ~
|
||||||
|
nc_ldap_config_use_memberOf_to_detect_membership: ~
|
||||||
|
nc_ldap_config_expert_username_attr: ~
|
||||||
|
nc_ldap_config_expert_uuid_user_attr: ~
|
||||||
|
nc_ldap_config_expert_uuid_group_attr: ~
|
||||||
|
nc_ldap_config_nested_groups: ~
|
||||||
|
nc_ldap_config_paging_size: ~
|
||||||
|
nc_ldap_config_turn_on_password_change: ~
|
||||||
|
nc_ldap_config_dynamic_group_member_url: ~
|
||||||
|
nc_ldap_config_default_ppolicy_dn: ~
|
||||||
|
|
||||||
|
nc_ldap_meta_http_agent: "ansible-httpget/finallycoffee.nextcloud.ldap-user-backend"
|
4
roles/ldap-user-backend/meta/main.yml
Normal file
4
roles/ldap-user-backend/meta/main.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
collections:
|
||||||
|
- community.docker
|
49
roles/ldap-user-backend/tasks/load_config_http.yml
Normal file
49
roles/ldap-user-backend/tasks/load_config_http.yml
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Set default api parameters for HTTP
|
||||||
|
meta: noop
|
||||||
|
vars: &api_defaults
|
||||||
|
http_agent: "{{ nc_ldap_meta_http_agent }}"
|
||||||
|
headers: "{{ nc_ldap_api_headers }}"
|
||||||
|
url_username: "{{ nc_ldap_api_basic_auth_user }}"
|
||||||
|
url_password: "{{ nc_ldap_api_basic_auth_password }}"
|
||||||
|
force_basic_auth: yes
|
||||||
|
force: yes
|
||||||
|
|
||||||
|
- name: Check if configuration with given config ID already exists
|
||||||
|
uri:
|
||||||
|
<<: *api_defaults
|
||||||
|
url: "{{ nc_ldap_api_path }}/{{ nc_ldap_config_id }}{{ query_params }}"
|
||||||
|
method: GET
|
||||||
|
vars:
|
||||||
|
query_params: "?showPassword={{ '1' if nc_ldap_config_agent_password else '0' }}&format={{nc_ldap_api_parameter_format }}"
|
||||||
|
register: nc_ldap_existing_config_api
|
||||||
|
|
||||||
|
# TODO: Can we force an ID on POST?
|
||||||
|
- name: Create ldap configuration with id={{ nc_ldap_config_id }}
|
||||||
|
uri:
|
||||||
|
<<: *api_defaults
|
||||||
|
url: "{{ nc_ldap_api_path }}"
|
||||||
|
method: POST
|
||||||
|
when: nc_ldap_existing_config_api.status != 200
|
||||||
|
|
||||||
|
- name: Parse output of query command to dict
|
||||||
|
set_fact:
|
||||||
|
nc_ldap_existing_config: "{{ nc_ldap_existing_config_api.stdout | from_json }}"
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Create changeset
|
||||||
|
set_fact:
|
||||||
|
nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}"
|
||||||
|
vars:
|
||||||
|
changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}"
|
||||||
|
loop: "{{ nc_ldap_config_keys.keys() }}"
|
||||||
|
when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item]
|
||||||
|
|
||||||
|
- name: Ensure ldap configuration is in sync (http)
|
||||||
|
uri:
|
||||||
|
<<: *api_defaults
|
||||||
|
url: "{{ nc_lap_api_path }}/{{ nc_ldap_config_id }}"
|
||||||
|
method: PUT
|
||||||
|
body: "{{ { 'configData': nc_ldap_config_changeset } }}"
|
||||||
|
body_format: "form-urlencoded"
|
49
roles/ldap-user-backend/tasks/load_config_occ.yml
Normal file
49
roles/ldap-user-backend/tasks/load_config_occ.yml
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Check if configuration with given config ID already exists
|
||||||
|
docker_container_exec:
|
||||||
|
container: "{{ nc_ldap_container }}"
|
||||||
|
command: "{{ nc_ldap_occ_command }} ldap:show-config --output json {{ '--show-password' if nc_ldap_config_agent_password else '' }} {{ nc_ldap_config_id }}"
|
||||||
|
user: "{{ nc_ldap_occ_user }}"
|
||||||
|
tty: yes
|
||||||
|
changed_when: false
|
||||||
|
check_mode: false
|
||||||
|
register: nc_ldap_existing_config_occ
|
||||||
|
|
||||||
|
- name: Create ldap configuration with id={{ nc_ldap_config_id }}
|
||||||
|
docker_container_exec:
|
||||||
|
container: "{{ nc_ldap_container }}"
|
||||||
|
command: "{{ nc_ldap_occ_command }} ldap:create-empty-config --output json {{ nc_ldap_config_id }}"
|
||||||
|
user: "{{ nc_ldap_occ_user }}"
|
||||||
|
tty: yes
|
||||||
|
when: nc_ldap_existing_config_occ.rc != 0 and nc_ldap_config_id not in (nc_ldap_existing_config_occ.stdout | from_json).keys()
|
||||||
|
|
||||||
|
- name: Parse output of query command to dict
|
||||||
|
set_fact:
|
||||||
|
nc_ldap_existing_config: "{{ nc_ldap_existing_config_occ.stdout | from_json }}"
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Create changeset
|
||||||
|
set_fact:
|
||||||
|
nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}"
|
||||||
|
vars:
|
||||||
|
changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}"
|
||||||
|
loop: "{{ nc_ldap_config_keys.keys() }}"
|
||||||
|
when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item]
|
||||||
|
|
||||||
|
- name: Ensure ldap configuration is in sync
|
||||||
|
docker_container_exec:
|
||||||
|
container: "{{ nc_ldap_container }}"
|
||||||
|
command: "{{ nc_ldap_occ_command }} ldap:set-config \"{{ nc_ldap_config_id }}\" \"{{ item.key }}\" \"{{ item.value }}\""
|
||||||
|
user: "{{ nc_ldap_occ_user }}"
|
||||||
|
tty: yes
|
||||||
|
loop: "{{ nc_ldap_config_changeset | dict2items }}"
|
||||||
|
|
||||||
|
- name: Ensure ldap configuration is working
|
||||||
|
docker_container_exec:
|
||||||
|
container: "{{ nc_ldap_container }}"
|
||||||
|
command: "{{ nc_ldap_occ_command }} ldap:test-config {{ nc_ldap_config_id }}"
|
||||||
|
user: "{{ nc_ldap_occ_user }}"
|
||||||
|
tty: yes
|
||||||
|
changed_when: false
|
||||||
|
when: nc_ldap_test_configuration
|
10
roles/ldap-user-backend/tasks/main.yml
Normal file
10
roles/ldap-user-backend/tasks/main.yml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Load config {{ nc_ldap_config_id }} (and create if not exists) when running mode is http
|
||||||
|
include_tasks: load_config_http.yml
|
||||||
|
when: nc_ldap_api_method == 'http'
|
||||||
|
|
||||||
|
- name: Load config {{ nc_ldap_config_id }} (and create if not exists) when running mode is occ
|
||||||
|
include_tasks: load_config_occ.yml
|
||||||
|
when: nc_ldap_api_method == 'occ'
|
||||||
|
|
60
roles/ldap-user-backend/vars/main.yml
Normal file
60
roles/ldap-user-backend/vars/main.yml
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
nc_ldap_api_path: "/ocs/v2.php/apps/user_ldap/api/v1/config"
|
||||||
|
nc_ldap_api_url: "{{ nc_ldap_api_instance_url }}{{ nc_ldap_api_path }}"
|
||||||
|
nc_ldap_api_headers:
|
||||||
|
OCS-APIREQUEST: "true"
|
||||||
|
nc_ldap_api_parameter_format: json
|
||||||
|
|
||||||
|
nc_ldap_config_keys:
|
||||||
|
ldapHost: "{{ nc_ldap_config_host }}"
|
||||||
|
ldapPort: "{{ nc_ldap_config_port }}"
|
||||||
|
ldapBackupHost: "{{ nc_ldap_config_backup_host }}"
|
||||||
|
ldapBackupPort: "{{ nc_ldap_config_backup_port }}"
|
||||||
|
ldapOverrideMainServer: "{{ nc_ldap_config_override_main_server }}"
|
||||||
|
ldapBase: "{{ nc_ldap_config_base_dn }}"
|
||||||
|
ldapBaseUsers: "{{ nc_ldap_config_base_dn_users }}"
|
||||||
|
ldapBaseGroups: "{{ nc_ldap_config_base_dn_groups }}"
|
||||||
|
ldapAgentName: "{{ nc_ldap_config_agent_name }}"
|
||||||
|
ldapAgentPassword: "{{ nc_ldap_config_agent_password }}"
|
||||||
|
ldapTLS: "{{ nc_ldap_config_tls }}"
|
||||||
|
turnOffCertCheck: "{{ nc_ldap_config_turn_off_cert_check }}"
|
||||||
|
ldapUserDisplayName: "{{ nc_ldap_config_user_displayname }}"
|
||||||
|
ldapUserDisplayName2: "{{ nc_ldap_config_user_displayname2 }}"
|
||||||
|
ldapUserAvatarRule: "{{ nc_ldap_config_user_avatar_rule }}"
|
||||||
|
ldapGidNumber: "{{ nc_ldap_config_gid_number }}"
|
||||||
|
ldapUserFilterObjectclass: "{{ nc_ldap_config_user_filter_objectclass }}"
|
||||||
|
ldapUserFilterGroups: "{{ nc_ldap_config_user_filter_groups }}"
|
||||||
|
ldapUserFilter: "{{ nc_ldap_config_user_filter }}"
|
||||||
|
ldapUserFilterMode: "{{ nc_ldap_config_user_filter_mode }}"
|
||||||
|
ldapAttributesForUserSearch: "{{ nc_ldap_config_attributes_for_user_search }}"
|
||||||
|
ldapGroupFilter: "{{ nc_ldap_config_group_filter }}"
|
||||||
|
ldapGroupFilterMode: "{{ nc_ldap_config_group_filter_mode }}"
|
||||||
|
ldapGroupFilterObjectclass: "{{ nc_ldap_config_group_filter_objectclass }}"
|
||||||
|
ldapGroupFilterGroups: "{{ nc_ldap_config_group_filter_groups }}"
|
||||||
|
ldapGroupMemberAssocAttr: "{{ nc_ldap_config_group_member_assoc_attr }}"
|
||||||
|
ldapGroupDisplayName: "{{ nc_ldap_config_group_displayname }}"
|
||||||
|
ldapAttributesForGroupSearch: "{{ nc_ldap_config_attributes_for_group_search }}"
|
||||||
|
ldapLoginFilter: "{{ nc_ldap_config_login_filter }}"
|
||||||
|
ldapLoginFilterMode: "{{ nc_ldap_config_login_filter_mode }}"
|
||||||
|
ldapLoginFilterEmail: "{{ nc_ldap_config_login_filter_email }}"
|
||||||
|
ldapLoginFilterUsername: "{{ nc_ldap_config_login_filter_username }}"
|
||||||
|
ldapLoginFilterAttributes: "{{ nc_ldap_config_login_filter_attributes }}"
|
||||||
|
ldapQuotaAttribute: "{{ nc_ldap_config_quota_attribute }}"
|
||||||
|
ldapQuotaDefault: "{{ nc_ldap_config_quota_default }}"
|
||||||
|
ldapEmailAttribute: "{{ nc_ldap_config_email_attribute }}"
|
||||||
|
ldapCacheTTL: "{{ nc_ldap_config_cache_ttl }}"
|
||||||
|
ldapConfigurationActive: "{{ nc_ldap_config_configuration_active }}"
|
||||||
|
ldapExperiencedAdmin: "{{ nc_ldap_config_experienced_admin }}"
|
||||||
|
homeFolderNamingRule: "{{ nc_ldap_config_home_folder_naming_rule }}"
|
||||||
|
useMemberOfToDetectMembership: "{{ nc_ldap_config_use_memberOf_to_detect_membership }}"
|
||||||
|
ldapExpertUsernameAttr: "{{ nc_ldap_config_expert_username_attr }}"
|
||||||
|
ldapExpertUUIDUserAttr: "{{ nc_ldap_config_expert_uuid_user_attr }}"
|
||||||
|
ldapExpertUUIDGroupAttr: "{{ nc_ldap_config_expert_uuid_group_attr }}"
|
||||||
|
ldapNestedGroups: "{{ nc_ldap_config_nested_groups }}"
|
||||||
|
ldapPagingSize: "{{ nc_ldap_config_paging_size }}"
|
||||||
|
turnOnPasswordChange: "{{ nc_ldap_config_turn_on_password_change }}"
|
||||||
|
ldapDynamicGroupMemberURL: "{{ nc_ldap_config_dynamic_group_member_url }}"
|
||||||
|
ldapDefaultPPolicyDN: "{{ nc_ldap_config_default_ppolicy_dn }}"
|
||||||
|
|
||||||
|
nc_ldap_config_changeset: {}
|
Loading…
x
Reference in New Issue
Block a user