From 4b487106c8c89569c536eaec207ec1bed2896f3c Mon Sep 17 00:00:00 2001
From: Sheppy
Date: Sat, 14 Jan 2023 08:02:39 +0100
Subject: [PATCH] feat: keycloak & ldap

---
 ansible-install.sh | 1 +
 group_vars/usermanagement.yaml | 6 +-
 roles/global-handlers/handlers/main.yml | 10 ++
 roles/usermanagement/files/ldap.conf | 2 +
 roles/usermanagement/meta/main.yml | 2 +
 .../tasks/keycloak-ldap-provider.yaml | 94 +++++++++++++++++++
 roles/usermanagement/tasks/ldap.yaml | 18 ++++
 roles/usermanagement/tasks/letsencrypt.yaml | 18 ++++
 roles/usermanagement/tasks/main.yaml | 11 ++-
 roles/usermanagement/templates/slapd.conf | 27 ++++++
 10 files changed, 187 insertions(+), 2 deletions(-)
 create mode 100644 ansible-install.sh
 create mode 100644 roles/usermanagement/files/ldap.conf
 create mode 100644 roles/usermanagement/meta/main.yml
 create mode 100644 roles/usermanagement/tasks/keycloak-ldap-provider.yaml
 create mode 100644 roles/usermanagement/tasks/ldap.yaml
 create mode 100644 roles/usermanagement/tasks/letsencrypt.yaml
 create mode 100644 roles/usermanagement/templates/slapd.conf

diff --git a/ansible-install.sh b/ansible-install.sh
new file mode 100644
index 0000000..78efe91
--- /dev/null
+++ b/ansible-install.sh
@@ -0,0 +1 @@
+ansible-galaxy collection install community.general
diff --git a/group_vars/usermanagement.yaml b/group_vars/usermanagement.yaml
index f728fb4..0e86e3a 100644
--- a/group_vars/usermanagement.yaml
+++ b/group_vars/usermanagement.yaml
@@ -1,2 +1,6 @@
 ---
-keycloak_images_client_secret: HISTORY_PURGED_SECRET
+ldap_password: flanigan
+ldap_suffix: "dc=atlantishq,dc=de"
+ldap_bind_dn: "cn=Manager,dc=atlantishq,dc=de"
+ldap_user_dn: "ou=People,dc=atlantishq,dc=de"
+ldap_connection_url: ldap://192.168.122.112
diff --git a/roles/global-handlers/handlers/main.yml b/roles/global-handlers/handlers/main.yml
index 69ed780..2020cff 100644
--- a/roles/global-handlers/handlers/main.yml
+++ b/roles/global-handlers/handlers/main.yml
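Review bot: ansible-install.sh has no interpreter line and is committed non-executable (mode 100644), so it only runs as `sh ansible-install.sh` and a failing `ansible-galaxy` exits silently; start it with `#!/usr/bin/env sh` and `set -eu`. Pinning the collection (`community.general:==<version>`) would also make the keycloak_user_federation module used by this patch reproducible across hosts.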
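Review bot: `ldap_password: flanigan` commits the LDAP Manager credential in clear text to the same vars file from which a secret was previously purged (the removed `keycloak_images_client_secret` line), and this value is also the Keycloak `bindCredential` in keycloak-ldap-provider.yaml, so it grants write access to the whole directory. Keep it out of the plaintext file with `ldap_password: "{{ vault_ldap_password }}"` and an ansible-vault-encrypted `vault_ldap_password`, and rotate the value that is already in history. `ldap_connection_url: ldap://192.168.122.112` is a plain `ldap://` URL, so that bind password crosses the network unencrypted unless the provider negotiates STARTTLS, which the provider config in this patch does not enable; `ldaps://` with the slapd certificate this patch sets up would be the consistent choice. If anything else in the repository still references `keycloak_images_client_secret`, its removal here will break that play; I cannot see the rest of the tree.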
@@ -35,6 +35,16 @@
     name: nginx
     state: restarted
 
+- name: restart ldap
+  systemd:
+    name: ldap
+    state: restarted
+
+- name: restart slapd
+  systemd:
+    name: slapd
+    state: restarted
+
 - name: daemon reload
   systemd:
     daemon-reload: yes
diff --git a/roles/usermanagement/files/ldap.conf b/roles/usermanagement/files/ldap.conf
new file mode 100644
index 0000000..19b0428
--- /dev/null
+++ b/roles/usermanagement/files/ldap.conf
@@ -0,0 +1,2 @@
+BASE dc=atlantishq.de,dc=de
+URI ldap://ldap.atlantishq.de, ldaps://ldap.atlantishq.de
diff --git a/roles/usermanagement/meta/main.yml b/roles/usermanagement/meta/main.yml
new file mode 100644
index 0000000..c808c92
--- /dev/null
+++ b/roles/usermanagement/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - global-handlers
diff --git a/roles/usermanagement/tasks/keycloak-ldap-provider.yaml b/roles/usermanagement/tasks/keycloak-ldap-provider.yaml
new file mode 100644
index 0000000..f5a293e
--- /dev/null
+++ b/roles/usermanagement/tasks/keycloak-ldap-provider.yaml
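Review bot: The `restart ldap` handler targets a systemd unit named `ldap`, but the service this patch installs in ldap.yaml is `slapd`, and nothing in the patch notifies `restart ldap`; unless a unit called `ldap` exists on these hosts, the handler will fail with a missing-unit error the first time something notifies it. Either drop it or make it an alias of the working handler with `listen: restart ldap` on the `restart slapd` entry. The handler list starts before and continues after this hunk.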
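Review bot: `BASE dc=atlantishq.de,dc=de` does not match the suffix the server is given (`ldap_suffix: "dc=atlantishq,dc=de"` in group_vars), so every client using this ldap.conf searches a base that does not exist; it should read `BASE dc=atlantishq,dc=de`. On the next line the `URI` list is whitespace-separated, so the comma becomes part of the first URI (`ldap://ldap.atlantishq.de,`); write `URI ldap://ldap.atlantishq.de ldaps://ldap.atlantishq.de`. Note also that no task in this patch deploys this file (ldap.yaml only templates slapd.conf), so as committed it is not used.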
@@ -0,0 +1,94 @@
+- name: Create LDAP user federation
+  community.general.keycloak_user_federation:
+    auth_keycloak_url: https://{{ keycloak_address }}
+    auth_realm: master
+    auth_username: admin
+    auth_password: "{{ keycloak_admin_password }}"
+    realm: master
+    name: ldap-ansible
+    state: present
+    provider_id: ldap
+    provider_type: org.keycloak.storage.UserStorageProvider
+    id: 11111111-0000-0000-0000-000000000001
+    config:
+      priority: 0
+      enabled: true
+      cachePolicy: DEFAULT
+      batchSizeForSync: 1000
+      editMode: WRITABLE
+      importEnabled: true
+      syncRegistrations: true
+      vendor: other
+      usernameLDAPAttribute: uid
+      rdnLDAPAttribute: uid
+      uuidLDAPAttribute: entryUUID
+      userObjectClasses: person, inetOrgPerson, organizationalPerson
+      connectionUrl: "{{ ldap_connection_url }}"
+      usersDn: "{{ ldap_user_dn }}"
+      authType: simple
+      bindDn: "{{ ldap_bind_dn }}"
+      bindCredential: "{{ ldap_password }}"
+      searchScope: "1"
+      validatePasswordPolicy: false
+      trustEmail: false
+      useTruststoreSpi: ldapsOnly
+      connectionPooling: true
+      pagination: true
+      allowKerberosAuthentication: false
+      debug: false
+      useKerberosForPasswordAuthentication: false
+    mappers:
+      - name: "username"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          always.read.value.from.ldap: false
+          is.mandatory.in.ldap: true
+          read.only: false
+          user.model.attribute: username
+          ldap.attribute: uid
+      - name: "email"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          always.read.value.from.ldap: false
+          is.mandatory.in.ldap: true
+          read.only: false
+          user.model.attribute: email
+          ldap.attribute: email
+      - name: "first name"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          always.read.value.from.ldap: true
+          is.mandatory.in.ldap: true
+          read.only: false
+          user.model.attribute: firstName
+          ldap.attribute: cn
+      - name: "last name"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          always.read.value.from.ldap: true
+          is.mandatory.in.ldap: true
+          read.only: false
+          user.model.attribute: lastName
+          ldap.attribute: sn
+      - name: "modify date"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          always.read.value.from.ldap: true
+          is.mandatory.in.ldap: false
+          read.only: false
+          user.model.attribute: modifyTimestamp
+          ldap.attribute: modifyTimestamp
+      - name: "creation date"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          always.read.value.from.ldap: true
+          is.mandatory.in.ldap: false
+          read.only: true
+          user.model.attribute: createTimestamp
+          ldap.attribute: createTimestamp
diff --git a/roles/usermanagement/tasks/ldap.yaml b/roles/usermanagement/tasks/ldap.yaml
new file mode 100644
index 0000000..2eb59bf
--- /dev/null
+++ b/roles/usermanagement/tasks/ldap.yaml
@@ -0,0 +1,18 @@
+- name: Install LDAP packages
+  apt:
+    pkg:
+      - slapd
+      - ldap-utils
+
+- name: Slapd /etc/default
+  lineinfile:
+    path: /etc/default/slapd
+    regex: "^SLAP_SERVICES=.*$"
+    line: SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+  notify: restart slapd
+
+# etc default slapd conf
+- name: LDAP Conf
+  template:
+    src: slapd.conf
+    dest: /etc/ldap/slapd.conf
diff --git a/roles/usermanagement/tasks/letsencrypt.yaml b/roles/usermanagement/tasks/letsencrypt.yaml
new file mode 100644
index 0000000..2872dfe
--- /dev/null
+++ b/roles/usermanagement/tasks/letsencrypt.yaml
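Review bot: The "email" mapper maps `ldap.attribute: email`, but none of the schemas loaded by the slapd.conf in this patch (core, cosine, inetorgperson, nis) define an attribute called `email` — the inetOrgPerson attribute is `mail` — and with `is.mandatory.in.ldap: true` under `editMode: WRITABLE` Keycloak will reject imports and user creation over it; change it to `ldap.attribute: mail`. Separately, `connectionUrl` is rendered from `ldap_connection_url`, a plain `ldap://` URL, so the Manager `bindCredential` and every user password Keycloak verifies travel in clear text unless `startTls: true` is added to `config` or an `ldaps://` URL is used; `useTruststoreSpi: ldapsOnly` has no effect until one of those is set. The hard-coded `id` and `auth_username: admin` against the master realm are fine for idempotency but worth a comment saying the UUID is arbitrary and must stay stable across runs.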
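Review bot: The lineinfile pattern `regex: "^SLAP_SERVICES=.*$"` is missing the D — the variable being written is `SLAPD_SERVICES` — so the existing assignment in /etc/default/slapd is never matched and a second, conflicting line is appended on the first run; fix it to `regexp: "^SLAPD_SERVICES=.*$"` (`regexp` is the documented option name, `regex` only an alias). The `LDAP Conf` template task has no `notify: restart slapd`, so a changed slapd.conf is never applied. Also, Debian's slapd package is configured through /etc/ldap/slapd.d (cn=config) and, as far as I recall, ignores /etc/ldap/slapd.conf while that directory exists — worth confirming on a target host, because otherwise the templated file is never read and the `# etc default slapd conf` comment above the task is misleading.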
@@ -0,0 +1,18 @@
+- name: install certbot
+  apt:
+    pkg:
+      - certbot
+
+- name: Add Cronjob
+  cron:
+    name: "Cerbot"
+    job: "certbot certonly --standalone --preferred-challenges http -d ldap.atlantishq.de --register-unsafely-without-email --non-interactive --agree-tos"
+    minute: "30"
+    hour: "4"
+    day: "1"
+  register: cron
+  notify: restart slapd
+
+- name: Run Cronjob job because it changed
+  command: "certbot certonly --standalone --preferred-challenges http -d ldap.atlantishq.de --register-unsafely-without-email --non-interactive --agree-tos"
+  when: cron.changed
diff --git a/roles/usermanagement/tasks/main.yaml b/roles/usermanagement/tasks/main.yaml
index 16ce456..e4dc8d5 100644
--- a/roles/usermanagement/tasks/main.yaml
+++ b/roles/usermanagement/tasks/main.yaml
@@ -1,3 +1,6 @@
+- name: cerbot letsencrypt standalone
+  include: letsencrypt.yaml
+
 - name: Create data-dir
   file:
     name: /data/
@@ -40,7 +43,7 @@
     status_code: 200
     body_format: json
   register: result
-  until: result.json.status == "UP"
+  until: result.status and result.json.status == "UP"
   retries: 10
   delay: 20
 
@@ -66,3 +69,9 @@
     frontchannel_logout: False
     protocol: openid-connect
   with_items: "{{ keycloak_clients.keys() | list }}"
+
+- name: Keycloak User federation (ldap-provider)
+  include: keycloak-ldap-provider.yaml
+
+- name: Include LDAP setup
+  include: ldap.yaml
diff --git a/roles/usermanagement/templates/slapd.conf b/roles/usermanagement/templates/slapd.conf
new file mode 100644
index 0000000..4d437b5
--- /dev/null
+++ b/roles/usermanagement/templates/slapd.conf
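Review bot: `notify: restart slapd` hangs off the task that installs the crontab entry, so slapd is restarted when the cron line changes, not when the certificate does: the monthly `certbot certonly` run replaces the files under /etc/letsencrypt/live/ldap.atlantishq.de/, but slapd only reads its key and certificate at startup and keeps serving the expired one until something else restarts it. Let certbot do the restart by appending `--deploy-hook "systemctl restart slapd"` to the `job` string, or rely on the package's `certbot renew` timer instead of a hand-rolled monthly `certonly`. `--standalone` also needs port 80 free on every run, and `--register-unsafely-without-email` gives up expiry notifications. The certbot command is duplicated verbatim between the `cron` and `command` tasks; a single `certbot_cmd` variable would keep them in step, and the task name `Cerbot` is a typo for `Certbot`.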
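Review bot: `include: letsencrypt.yaml` (and the two new includes at the end of this file) uses the generic `include`, deprecated since Ansible 2.4 and, as far as I recall, removed in ansible-core 2.16; use `import_tasks: letsencrypt.yaml` for a static include or `include_tasks:` for a dynamic one. The task name has a typo, `cerbot` for `certbot`.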
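Review bot: `until: result.status and result.json.status == "UP"` still errors on a connection failure rather than retrying: when nothing is listening the uri module reports `status: -1`, which is truthy, and returns no `json` key, so `result.json` is undefined and the whole `until` evaluation fails the task. Guard on the key that is actually missing, `until: result.json is defined and result.json.status == "UP"`. The uri task this loop belongs to starts above the hunk.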
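Review bot: The Keycloak LDAP federation is created before `ldap.yaml` installs and configures slapd, so on a first run Keycloak is pointed at a directory that does not exist yet; with `importEnabled: true` Keycloak may attempt an initial sync or connection check when the component is created, and if it does this task fails. Swap the two includes so `Include LDAP setup` runs before `Keycloak User federation (ldap-provider)`, and consider a `wait_for` on the LDAP port between them so the federation is only created against a listening server.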
@@ -0,0 +1,27 @@
+modulepath /usr/lib/ldap/
+moduleload back_bdb.la
+
+pidfile /var/run/slapd.pid
+argsfile /var/run/slapd.args
+
+include /etc/ldap/schema/core.schema
+include /etc/ldap/schema/cosine.schema
+include /etc/ldap/schema/inetorgperson.schema
+include /etc/ldap/schema/nis.schema
+
+database bdb
+suffix "{{ ldap_suffix }}"
+rootdn "{{ ldap_bind_dn }}"
+rootpw {SSHA}HISTORY_PURGED_SECRET
+
+TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
+TLSCertificateFile /etc/letsencrypt/live/ldap.atlantishq.de/cert.pem
+TLSCertificateKeyFile /etc/letsencrypt/live/ldap.atlantishq.de/privkey.pem
+TLSVerifyClient try
+
+
+logfile /var/log/slapd.log
+loglevel -1
+
+directory /var/lib/ldap/
+cachesize 2000
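Review bot: There is no `access` directive at all, and slapd's default policy when none is present lets everyone, including anonymous binds, read every attribute — that includes the `userPassword` hashes of all accounts, and ldap.yaml opens `ldaps:///` on all interfaces. Add, before the TLS section, at least `access to attrs=userPassword by self write by anonymous auth by * none` and `access to * by self write by * read`. `TLSCertificateFile` points at `cert.pem`, which omits the Let's Encrypt intermediate, so clients that do not already trust the chain fail verification — use `fullchain.pem` — and since Debian runs slapd as the openldap user, confirm it can actually read `privkey.pem` under /etc/letsencrypt/live, which is root-only by default. `moduleload back_bdb.la` with `database bdb` selects a backend that was dropped in OpenLDAP 2.5 (`mdb` is the supported one), and `loglevel -1` enables every debug category, which will flood /var/log/slapd.log on a production directory.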