feat: keycloak & ldap

ansible-install.sh

@@ -0,0 +1 @@
+ansible-galaxy collection install community.general

group_vars/usermanagement.yaml

@@ -1,2 +1,6 @@
 ---
-keycloak_images_client_secret: HISTORY_PURGED_SECRET
+ldap_password: flanigan
+ldap_suffix: "dc=atlantishq,dc=de"
+ldap_bind_dn: "cn=Manager,dc=atlantishq,dc=de"
+ldap_user_dn: "ou=People,dc=atlantishq,dc=de"
+ldap_connection_url: ldap://192.168.122.112

roles/global-handlers/handlers/main.yml

@@ -35,6 +35,16 @@
     name: nginx
     state: restarted
 
+- name: restart ldap
+  systemd:
+    name: ldap
+    state: restarted
+
+- name: restart slapd
+  systemd:
+    name: slapd
+    state: restarted
+
 - name: daemon reload
   systemd:
     daemon-reload: yes

roles/usermanagement/files/ldap.conf

@@ -0,0 +1,2 @@
+BASE dc=atlantishq.de,dc=de
+URI ldap://ldap.atlantishq.de, ldaps://ldap.atlantishq.de

roles/usermanagement/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+    - global-handlers

roles/usermanagement/tasks/keycloak-ldap-provider.yaml

@@ -0,0 +1,94 @@
+- name: Create LDAP user federation
+  community.general.keycloak_user_federation:
+    auth_keycloak_url: https://{{ keycloak_address }}
+    auth_realm: master
+    auth_username: admin
+    auth_password: "{{ keycloak_admin_password }}"
+    realm: master
+    name: ldap-ansible
+    state: present
+    provider_id: ldap
+    provider_type: org.keycloak.storage.UserStorageProvider
+    id: 11111111-0000-0000-0000-000000000001
+    config:
+      priority: 0
+      enabled: true
+      cachePolicy: DEFAULT
+      batchSizeForSync: 1000
+      editMode: WRITABLE
+      importEnabled: true
+      syncRegistrations: true
+      vendor: other
+      usernameLDAPAttribute: uid
+      rdnLDAPAttribute: uid
+      uuidLDAPAttribute: entryUUID
+      userObjectClasses: person, inetOrgPerson, organizationalPerson
+      connectionUrl: "{{ ldap_connection_url }}"
+      usersDn: "{{ ldap_user_dn }}"
+      authType: simple
+      bindDn: "{{ ldap_bind_dn }}"
+      bindCredential: "{{ ldap_password }}"
+      searchScope: "1"
+      validatePasswordPolicy: false
+      trustEmail: false
+      useTruststoreSpi: ldapsOnly
+      connectionPooling: true
+      pagination: true
+      allowKerberosAuthentication: false
+      debug: false
+      useKerberosForPasswordAuthentication: false
+    mappers:
+      - name: "username"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          always.read.value.from.ldap: false
+          is.mandatory.in.ldap: true
+          read.only: false
+          user.model.attribute: username
+          ldap.attribute: uid
+      - name: "email"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          always.read.value.from.ldap: false
+          is.mandatory.in.ldap: true
+          read.only: false
+          user.model.attribute: email
+          ldap.attribute: email
+      - name: "first name"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          always.read.value.from.ldap: true
+          is.mandatory.in.ldap: true
+          read.only: false
+          user.model.attribute: firstName
+          ldap.attribute: cn
+      - name: "last name"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          always.read.value.from.ldap: true
+          is.mandatory.in.ldap: true
+          read.only: false
+          user.model.attribute: lastName
+          ldap.attribute: sn
+      - name: "modify date"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          always.read.value.from.ldap: true
+          is.mandatory.in.ldap: false
+          read.only: false
+          user.model.attribute: modifyTimestamp
+          ldap.attribute: modifyTimestamp
+      - name: "creation date"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          always.read.value.from.ldap: true
+          is.mandatory.in.ldap: false
+          read.only: true
+          user.model.attribute: createTimestamp
+          ldap.attribute: createTimestamp

roles/usermanagement/tasks/ldap.yaml

@@ -0,0 +1,18 @@
+- name: Install LDAP packages
+  apt:
+    pkg:
+      - slapd
+      - ldap-utils
+
+- name: Slapd /etc/default
+  lineinfile:
+    path: /etc/default/slapd
+    regex: "^SLAP_SERVICES=.*$"
+    line: SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+  notify: restart slapd
+
+# etc default slapd conf
+- name: LDAP Conf
+  template:
+    src: slapd.conf
+    dest: /etc/ldap/slapd.conf

roles/usermanagement/tasks/letsencrypt.yaml

@@ -0,0 +1,18 @@
+- name: install certbot
+  apt:
+    pkg:
+      - certbot
+
+- name: Add Cronjob
+  cron:
+    name: "Cerbot"
+    job: "certbot certonly --standalone --preferred-challenges http -d ldap.atlantishq.de --register-unsafely-without-email --non-interactive --agree-tos"
+    minute: "30"
+    hour: "4"
+    day: "1"
+  register: cron
+  notify: restart slapd
+
+- name: Run Cronjob job because it changed
+  command: "certbot certonly --standalone --preferred-challenges http -d ldap.atlantishq.de --register-unsafely-without-email --non-interactive --agree-tos"
+  when: cron.changed

roles/usermanagement/tasks/main.yaml

@@ -1,3 +1,6 @@
+- name: cerbot letsencrypt standalone
+  include: letsencrypt.yaml
+
 - name: Create data-dir
   file:
     name: /data/
@@ -40,7 +43,7 @@
     status_code: 200
     body_format: json
   register: result
-  until: result.json.status == "UP"
+  until: result.status and result.json.status == "UP"
   retries: 10
   delay: 20
 
@@ -66,3 +69,9 @@
     frontchannel_logout: False
     protocol: openid-connect
   with_items: "{{ keycloak_clients.keys() | list }}"
+
+- name: Keycloak User federation (ldap-provider)
+  include: keycloak-ldap-provider.yaml
+
+- name: Include LDAP setup
+  include: ldap.yaml

roles/usermanagement/templates/slapd.conf

@@ -0,0 +1,27 @@
+modulepath /usr/lib/ldap/
+moduleload back_bdb.la
+
+pidfile         /var/run/slapd.pid
+argsfile        /var/run/slapd.args
+
+include /etc/ldap/schema/core.schema
+include /etc/ldap/schema/cosine.schema
+include /etc/ldap/schema/inetorgperson.schema
+include /etc/ldap/schema/nis.schema
+
+database    bdb
+suffix      "{{ ldap_suffix }}"
+rootdn      "{{ ldap_bind_dn }}"
+rootpw      {SSHA}HISTORY_PURGED_SECRET
+
+TLSCACertificateFile  /etc/ssl/certs/ca-certificates.crt
+TLSCertificateFile    /etc/letsencrypt/live/ldap.atlantishq.de/cert.pem
+TLSCertificateKeyFile /etc/letsencrypt/live/ldap.atlantishq.de/privkey.pem
+TLSVerifyClient try
+
+
+logfile /var/log/slapd.log
+loglevel -1
+
+directory /var/lib/ldap/
+cachesize 2000