feat: keycloak & ldap

This commit is contained in:
2023-01-14 08:02:39 +01:00
parent 90b529fb32
commit 4b487106c8
10 changed files with 187 additions and 2 deletions

1
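--- a/ansible-install.sh
+++ b/ansible-install.sh
@@ -0,0 +1 @@
+ansible-galaxy collection install community.general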
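Review bot: The collection install on the only line is unpinned, so every run fetches whatever `community.general` release Galaxy currently serves, and a future release can change the behaviour of the `keycloak_user_federation` module this commit starts relying on. Pin the version, e.g. `ansible-galaxy collection install community.general:==<pinned version>`, or record it in a `requirements.yml` and install from that so the playbook and the collection version are reviewed together.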


@@ -1,2 +1,6 @@
--- ---
keycloak_images_client_secret: HISTORY_PURGED_SECRET ldap_password: flanigan
ldap_suffix: "dc=atlantishq,dc=de"
ldap_bind_dn: "cn=Manager,dc=atlantishq,dc=de"
ldap_user_dn: "ou=People,dc=atlantishq,dc=de"
ldap_connection_url: ldap://192.168.122.112
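Review bot: `ldap_password: flanigan` is the bind password for `cn=Manager,dc=atlantishq,dc=de` (the same DN slapd.conf uses as `rootdn`) stored in plaintext in a committed vars file, while the neighbouring Keycloak secret appears to have already been purged from history. Keep it as an ansible-vault encrypted value (`ldap_password: !vault |` followed by the ciphertext) or fetch it at run time, and rotate it, since this commit puts it into the repository history. Separately, `ldap_connection_url: ldap://192.168.122.112` is a cleartext URL, so the simple bind Keycloak performs with this password crosses the network unencrypted; the ldap task file in this commit also restricts slapd's plain `ldap://` listener to 127.0.0.1, so either switch to `ldaps://` here (TLS is already configured in slapd.conf) or confirm Keycloak runs on the same host as slapd.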


@@ -35,6 +35,16 @@
name: nginx name: nginx
state: restarted state: restarted
- name: restart ldap
systemd:
name: ldap
state: restarted
- name: restart slapd
systemd:
name: slapd
state: restarted
- name: daemon reload - name: daemon reload
systemd: systemd:
daemon-reload: yes daemon-reload: yes
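Review bot: The new `restart ldap` handler restarts a systemd unit named `ldap`, but nothing in this commit installs such a unit — the ldap task file installs the `slapd` package, whose service is `slapd` and already gets its own `restart slapd` handler directly below. As far as the visible hunks show nothing notifies `restart ldap`; if something ever does, systemd reports the unit as not found and the play fails. Drop the handler, or point it at the unit that actually exists.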


@@ -0,0 +1,2 @@
BASE dc=atlantishq.de,dc=de
URI ldap://ldap.atlantishq.de, ldaps://ldap.atlantishq.de
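Review bot: `BASE dc=atlantishq.de,dc=de` on the first line does not match the suffix defined elsewhere in this commit (`ldap_suffix: "dc=atlantishq,dc=de"`, and the same base in `ldap_bind_dn` and `ldap_user_dn`); the extra `.de` in the first RDN looks like a typo, and with it every ldap-utils search defaults to a base that does not exist in the directory. Rendering the value from the variable avoids repeating it: `BASE {{ ldap_suffix }}`, which requires the file to be deployed with `template:` if it is not already. The `URI` line lists the cleartext `ldap://` endpoint first; listing only `ldaps://ldap.atlantishq.de` keeps the client tools from falling back to an unencrypted connection.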


@@ -0,0 +1,2 @@
dependencies:
- global-handlers


@@ -0,0 +1,94 @@
- name: Create LDAP user federation
community.general.keycloak_user_federation:
auth_keycloak_url: https://{{ keycloak_address }}
auth_realm: master
auth_username: admin
auth_password: "{{ keycloak_admin_password }}"
realm: master
name: ldap-ansible
state: present
provider_id: ldap
provider_type: org.keycloak.storage.UserStorageProvider
id: 11111111-0000-0000-0000-000000000001
config:
priority: 0
enabled: true
cachePolicy: DEFAULT
batchSizeForSync: 1000
editMode: WRITABLE
importEnabled: true
syncRegistrations: true
vendor: other
usernameLDAPAttribute: uid
rdnLDAPAttribute: uid
uuidLDAPAttribute: entryUUID
userObjectClasses: person, inetOrgPerson, organizationalPerson
connectionUrl: "{{ ldap_connection_url }}"
usersDn: "{{ ldap_user_dn }}"
authType: simple
bindDn: "{{ ldap_bind_dn }}"
bindCredential: "{{ ldap_password }}"
searchScope: "1"
validatePasswordPolicy: false
trustEmail: false
useTruststoreSpi: ldapsOnly
connectionPooling: true
pagination: true
allowKerberosAuthentication: false
debug: false
useKerberosForPasswordAuthentication: false
mappers:
- name: "username"
providerId: "user-attribute-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
always.read.value.from.ldap: false
is.mandatory.in.ldap: true
read.only: false
user.model.attribute: username
ldap.attribute: uid
- name: "email"
providerId: "user-attribute-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
always.read.value.from.ldap: false
is.mandatory.in.ldap: true
read.only: false
user.model.attribute: email
ldap.attribute: email
- name: "first name"
providerId: "user-attribute-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
always.read.value.from.ldap: true
is.mandatory.in.ldap: true
read.only: false
user.model.attribute: firstName
ldap.attribute: cn
- name: "last name"
providerId: "user-attribute-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
always.read.value.from.ldap: true
is.mandatory.in.ldap: true
read.only: false
user.model.attribute: lastName
ldap.attribute: sn
- name: "modify date"
providerId: "user-attribute-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
always.read.value.from.ldap: true
is.mandatory.in.ldap: false
read.only: false
user.model.attribute: modifyTimestamp
ldap.attribute: modifyTimestamp
- name: "creation date"
providerId: "user-attribute-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
always.read.value.from.ldap: true
is.mandatory.in.ldap: false
read.only: true
user.model.attribute: createTimestamp
ldap.attribute: createTimestamp
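Review bot: `bindDn: "{{ ldap_bind_dn }}"` in the connection settings resolves to `cn=Manager,…`, which the slapd.conf in this commit also declares as `rootdn`, so together with `editMode: WRITABLE` and `syncRegistrations: true` Keycloak holds unrestricted write access to the whole directory and its database stores the directory's root password. A dedicated bind DN with an ACL limited to the `ou=People` subtree keeps a compromised Keycloak from rewriting anything else. The `email` mapper sets `ldap.attribute: email` with `is.mandatory.in.ldap: true`, but the cosine/inetOrgPerson schemas loaded by slapd.conf define the address attribute as `mail`, not `email`, so unless a custom schema adds `email` user import is likely to fail on a missing mandatory attribute — `ldap.attribute: mail` is the usual value. Finally, `useTruststoreSpi: ldapsOnly` only takes effect for an `ldaps://` URL; with the cleartext `ldap://` value from the vars file, `bindCredential` is sent unencrypted.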


@@ -0,0 +1,18 @@
- name: Install LDAP packages
apt:
pkg:
- slapd
- ldap-utils
- name: Slapd /etc/default
lineinfile:
path: /etc/default/slapd
regex: "^SLAP_SERVICES=.*$"
line: SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
notify: restart slapd
# etc default slapd conf
- name: LDAP Conf
template:
src: slapd.conf
dest: /etc/ldap/slapd.conf
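Review bot: The `lineinfile` task's `regex: "^SLAP_SERVICES=.*$"` does not match the `SLAPD_SERVICES=` line it is meant to replace (the `D` is missing), so the distribution's existing `SLAPD_SERVICES=` entry stays in `/etc/default/slapd` and the new line is appended after it; it should read `regex: "^SLAPD_SERVICES=.*$"`. The `LDAP Conf` template task writes `/etc/ldap/slapd.conf`, which embeds the `rootpw` hash, without `owner`/`group`/`mode`, so the file is created with the default umask and is typically world-readable; add `owner: root`, `group: openldap` (the account slapd runs as on Debian) and `mode: "0640"`, plus `notify: restart slapd` so a changed config is actually loaded. Worth confirming as well that the service reads this file at all: Debian's slapd package uses the `slapd.d` (cn=config) directory by default and ignores `slapd.conf` while `/etc/ldap/slapd.d` exists.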


@@ -0,0 +1,18 @@
- name: install certbot
apt:
pkg:
- certbot
- name: Add Cronjob
cron:
name: "Cerbot"
job: "certbot certonly --standalone --preferred-challenges http -d ldap.atlantishq.de --register-unsafely-without-email --non-interactive --agree-tos"
minute: "30"
hour: "4"
day: "1"
register: cron
notify: restart slapd
- name: Run Cronjob job because it changed
command: "certbot certonly --standalone --preferred-challenges http -d ldap.atlantishq.de --register-unsafely-without-email --non-interactive --agree-tos"
when: cron.changed
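Review bot: `notify: restart slapd` is attached to the `cron:` task, so slapd is restarted only when the crontab entry changes, not when the monthly job actually renews the certificate; after a renewal slapd keeps serving the old `cert.pem` from `/etc/letsencrypt/live/ldap.atlantishq.de/` until something else restarts it. Adding `--deploy-hook "systemctl restart slapd"` to both certbot commands ties the restart to each successful renewal instead. Also, certbot creates `privkey.pem` readable by root only while slapd runs as an unprivileged user, so slapd may be unable to open the key file slapd.conf points at — confirm the permissions, or have the same hook copy the key to a slapd-readable location. `--standalone` additionally binds port 80 for the duration of the run, which conflicts with any web server on this host; `certbot renew` on the package's own timer is the idiomatic replacement for the hand-rolled `certonly` cron.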


@@ -1,3 +1,6 @@
- name: cerbot letsencrypt standalone
include: letsencrypt.yaml
- name: Create data-dir - name: Create data-dir
file: file:
name: /data/ name: /data/
@@ -40,7 +43,7 @@
status_code: 200 status_code: 200
body_format: json body_format: json
register: result register: result
until: result.json.status == "UP" until: result.status and result.json.status == "UP"
retries: 10 retries: 10
delay: 20 delay: 20
@@ -66,3 +69,9 @@
frontchannel_logout: False frontchannel_logout: False
protocol: openid-connect protocol: openid-connect
with_items: "{{ keycloak_clients.keys() | list }}" with_items: "{{ keycloak_clients.keys() | list }}"
- name: Keycloak User federation (ldap-provider)
include: keycloak-ldap-provider.yaml
- name: Include LDAP setup
include: ldap.yaml
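Review bot: The three new tasks (`letsencrypt.yaml` in the first hunk, `keycloak-ldap-provider.yaml` and `ldap.yaml` here) use the bare `include:` keyword, which has been deprecated in favour of `import_tasks`/`include_tasks` and is removed in newer ansible-core releases; `import_tasks: ldap.yaml` keeps the same static behaviour. The ordering also looks inverted: the Keycloak user federation is created before `ldap.yaml` installs and configures slapd, so on a fresh host Keycloak is pointed at a directory that does not exist yet (the module itself may still succeed since it only writes Keycloak's configuration, but any sync triggered at creation time fails). Moving `Include LDAP setup` ahead of the federation task avoids that race. These hunks are excerpts of the main task list, whose other tasks are outside the diff.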


@@ -0,0 +1,27 @@
modulepath /usr/lib/ldap/
moduleload back_bdb.la
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
database bdb
suffix "{{ ldap_suffix }}"
rootdn "{{ ldap_bind_dn }}"
rootpw {SSHA}HISTORY_PURGED_SECRET
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
TLSCertificateFile /etc/letsencrypt/live/ldap.atlantishq.de/cert.pem
TLSCertificateKeyFile /etc/letsencrypt/live/ldap.atlantishq.de/privkey.pem
TLSVerifyClient try
logfile /var/log/slapd.log
loglevel -1
directory /var/lib/ldap/
cachesize 2000
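Review bot: The `database bdb` section has no `access to` directives, and with none present slapd's default policy grants everyone read access to everything — including `userPassword` hashes to anonymous binds on the public `ldaps://` listener; add at least `access to attrs=userPassword by self write by anonymous auth by * none` followed by `access to * by * read` (or tighter) inside the database section. `loglevel -1` enables every log subsystem, which floods `/var/log/slapd.log` and can record bind DNs and search filters; `loglevel stats` is the usual production value. `moduleload back_bdb.la` with `database bdb` selects the BDB backend, which is deprecated and no longer shipped with OpenLDAP 2.5+; `mdb` is the supported backend on current Debian releases. Since the file embeds the `rootpw` hash, the permissions it is deployed with matter as much as its content.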