diff --git a/roles/usermanagement/tasks/keycloak-ldap-provider.yaml b/roles/usermanagement/tasks/keycloak-ldap-provider.yaml
index e86c679..0ffbe09 100644
--- a/roles/usermanagement/tasks/keycloak-ldap-provider.yaml
+++ b/roles/usermanagement/tasks/keycloak-ldap-provider.yaml
@@ -18,6 +18,7 @@
 editMode: WRITABLE
 importEnabled: true
 syncRegistrations: true
+ fullSyncPeriod: 600
 vendor: other
 usernameLDAPAttribute: uid
 rdnLDAPAttribute: uid
@@ -92,3 +93,20 @@
 read.only: true
 user.model.attribute: createTimestamp
 ldap.attribute: createTimestamp
+ - name: "group-mapper"
+ providerId: "group-ldap-mapper"
+ providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+ config:
+ membership.attribute.type: "DN"
+ group.name.ldap.attribute: "cn"
+ preserve.group.inheritance: true
+ membership.user.ldap.attribute: "uid"
+ groups.dn: "ou=groups,{{ ldap_suffix }}"
+ mode: "LDAP_ONLY"
+ user.roles.retrieve.strategy: "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"
+ ignore.missing.groups: false
+ membership.ldap.attribute: "member"
+ group.object.classes: "groupOfNames"
+ memberof.ldap.attribute: "memberOf"
+ groups.path: "/"
+ drop.non.existing.groups.during.sync : true
diff --git a/roles/usermanagement/tasks/keycloak.yaml b/roles/usermanagement/tasks/keycloak.yaml
new file mode 100644
index 0000000..3db857d
--- /dev/null
+++ b/roles/usermanagement/tasks/keycloak.yaml
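Review bot: `drop.non.existing.groups.during.sync : true` combined with the `fullSyncPeriod: 600` added in the first hunk means any Keycloak group under `groups.path: "/"` that has no counterpart below `groups.dn` is deleted on every periodic full sync, i.e. within ten minutes of someone creating it in the admin console; if locally managed groups are expected to coexist with the LDAP ones, point `groups.path` at a dedicated subtree or set the flag to `false`. The stray space before the colon still parses as the same key but trips yamllint's `colons` rule, so write `drop.non.existing.groups.during.sync: true`. `preserve.group.inheritance: true` and `ignore.missing.groups: false` are the only unquoted values in an otherwise string-quoted mapper config; whether the consuming module stringifies them is not visible here, so either quote them as `"true"`/`"false"` or keep them bare deliberately to match the `read.only: true` context line above. The enclosing mappers list starts outside the hunk.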
@@ -0,0 +1,71 @@
+- name: Create data-dir
+ file:
+ name: /data/
+ state: directory
+
+- name: Create keycloak psql mount
+ file:
+ name: /data/keycloak-postgres/
+ state: directory
+
+- name: Create compose directory keycloak
+ file:
+ name: "/opt/keycloak/"
+ state: directory
+
+- name: Copy compose templates keycloak
+ template:
+ src: "keycloak.yaml"
+ dest: "/opt/keycloak/"
+
+- name: Copy compose environment files keycloak
+ template:
+ src: "{{ item }}"
+ dest: "/opt/keycloak/"
+ with_items:
+ - postgres_password
+
+- name: Deploy compose templates
+ community.docker.docker_compose:
+ project_src: "/opt/keycloak/"
+ pull: true
+ files:
+ - "keycloak.yaml"
+
+- name: Check/Wait for Keycloak to be up
+ uri:
+ url: https://keycloak.atlantishq.de/health
+ method: GET
+ return_content: yes
+ status_code: 200
+ body_format: json
+ register: result
+ until: result.status and result.json.status == "UP"
+ retries: 10
+ delay: 20
+
+- name: Create Keycloak Clients
+ local_action:
+ module: keycloak_client
+ auth_client_id: admin-cli
+ auth_keycloak_url: https://keycloak.atlantishq.de/
+ auth_realm: master
+ auth_username: admin
+ auth_password: "{{ keycloak_admin_password }}"
+ state: present
+ realm: master
+ client_id: '{{ keycloak_clients[item]["client_id"] }}'
+ id: '{{ keycloak_clients[item]["keycloak_id"] }}'
+ name: '{{ keycloak_clients[item]["client_id"] }}'
+ description: '{{ keycloak_clients[item]["description"] }}'
+ enabled: True
+ client_authenticator_type: client-secret
+ public_client: false
+ secret: '{{ keycloak_clients[item]["client_secret"] }}'
+ authorization_services_enabled: true
+ service_accounts_enabled: true
+ redirect_uris: '{{ keycloak_clients[item]["redirect_uris"] }}'
+ web_origins: '{{ keycloak_clients[item]["redirect_uris"] }}'
+ frontchannel_logout: False
+ protocol: openid-connect
+ with_items: "{{ keycloak_clients.keys() | list }}"
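Review bot: The `Create Keycloak Clients` task passes `auth_password: "{{ keycloak_admin_password }}"` and `secret: '{{ keycloak_clients[item]["client_secret"] }}'` as module arguments without `no_log`, so the admin password and every client secret are printed in the play output whenever the task fails or runs with `-v`, and land in any configured log file or callback; add `no_log: true` at task level next to `with_items`. The module is referenced by its short name `module: keycloak_client` while the compose task in the same file already uses the `community.docker.docker_compose` FQCN, so `community.general.keycloak_client` would keep the file consistent. `return_content: yes`, `enabled: True` and `frontchannel_logout: False` are YAML 1.1 truthy spellings that yamllint's `truthy` rule flags; `true`/`false` mean the same to Ansible. In the health check, `until: result.status and result.json.status == "UP"` looks like it would raise rather than retry on an attempt whose body is not JSON (no `json` key in the result); guarding it as `until: result.json is defined and result.json.status == "UP"` keeps the retry loop going — confirm against the module's behaviour.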
diff --git a/roles/usermanagement/tasks/main.yaml b/roles/usermanagement/tasks/main.yaml
index d1cc117..424fba8 100644
--- a/roles/usermanagement/tasks/main.yaml
+++ b/roles/usermanagement/tasks/main.yaml
@@ -1,77 +1,8 @@
 - name: cerbot letsencrypt standalone
 include: letsencrypt.yaml
 
-- name: Create data-dir
- file:
- name: /data/
- state: directory
-
-- name: Create keycloak psql mount
- file:
- name: /data/keycloak-postgres/
- state: directory
-
-- name: Create compose directory keycloak
- file:
- name: "/opt/keycloak/"
- state: directory
-
-- name: Copy compose templates keycloak
- template:
- src: "keycloak.yaml"
- dest: "/opt/keycloak/"
-
-- name: Copy compose environment files keycloak
- template:
- src: "{{ item }}"
- dest: "/opt/keycloak/"
- with_items:
- - postgres_password
-
-- name: Deploy compose templates
- community.docker.docker_compose:
- project_src: "/opt/keycloak/"
- pull: true
- files:
- - "keycloak.yaml"
-
-- name: Check/Wait for Keycloak to be up
- uri:
- url: https://keycloak.atlantishq.de/health
- method: GET
- return_content: yes
- status_code: 200
- body_format: json
- register: result
- until: result.status and result.json.status == "UP"
- retries: 10
- delay: 20
-
-- name: Create Keycloak Clients
- local_action:
- module: keycloak_client
- auth_client_id: admin-cli
- auth_keycloak_url: https://keycloak.atlantishq.de/
- auth_realm: master
- auth_username: admin
- auth_password: "{{ keycloak_admin_password }}"
- state: present
- realm: master
- client_id: '{{ keycloak_clients[item]["client_id"] }}'
- id: '{{ keycloak_clients[item]["keycloak_id"] }}'
- name: '{{ keycloak_clients[item]["client_id"] }}'
- description: '{{ keycloak_clients[item]["description"] }}'
- enabled: True
- client_authenticator_type: client-secret
- public_client: false
- secret: '{{ keycloak_clients[item]["client_secret"] }}'
- authorization_services_enabled: true
- service_accounts_enabled: true
- redirect_uris: '{{ keycloak_clients[item]["redirect_uris"] }}'
- web_origins: '{{ keycloak_clients[item]["redirect_uris"] }}'
- frontchannel_logout: False
- protocol: openid-connect
- with_items: "{{ keycloak_clients.keys() | list }}"
+- name: Keycloak User federation (ldap-provider)
+ include: keycloak.yaml
 
 - name: Keycloak User federation (ldap-provider)
 include: keycloak-ldap-provider.yaml
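Review bot: The new task `+- name: Keycloak User federation (ldap-provider)` that includes `keycloak.yaml` reuses, verbatim, the name of the existing task right below it, which includes `keycloak-ldap-provider.yaml`; two tasks with the same name make the play output and `--start-at-task` ambiguous, so name it after what the included file does, e.g. `- name: Keycloak deployment (compose and clients)`. `include:` is deprecated in favour of `include_tasks`/`import_tasks`; the surrounding context lines use the same form, so this is pre-existing, but the line being added is a reasonable place to start the migration with `import_tasks: keycloak.yaml`.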