From 405964f8bd3c15ba39ec8721fd9cb53050c182bd Mon Sep 17 00:00:00 2001 From: David Kilias Date: Mon, 4 Jul 2022 18:43:15 +0200 Subject: [PATCH 1/4] Add ldap admin password to inventory --- inventory | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/inventory b/inventory index f1193ca..76bdac8 100644 --- a/inventory +++ b/inventory @@ -83,6 +83,13 @@ all: 38656238663565386631306263333166633064313762343139373735626439666665356530383363 3134373261386435310a626461376537643937643838636638313033383463356663396464643361 36333766383139376331336633646633396430323663366636616431643134666536 + ldap_admin_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 30646262643765616236666665363366353934333264343064383265316162333033653839396466 + 3262306131373461323032363234323161613431613133360a396531343438313165666163646363 + 65333334666132313834663839626431373339646631366261316139333233666566383131353035 + 3765613264626637660a343562363166313535613964336261356530353732333965313830653865 + 39373837643837663630333765306463616234363535613666333862396632643961 unicorn.n39.eu: server_admin: "admin+unicorn@netz39.de" platon.n39.eu: From d30eb2df9c7f291d26805871a1cb09e2f88fb93b Mon Sep 17 00:00:00 2001 From: David Kilias Date: Mon, 4 Jul 2022 18:38:22 +0200 Subject: [PATCH 2/4] Add openldap container on pottwal --- pottwal.yml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/pottwal.yml b/pottwal.yml index c6cc998..20ad29f 100644 --- a/pottwal.yml +++ b/pottwal.yml @@ -23,6 +23,10 @@ hedgedoc_host_port: 8084 hedgedoc_image: quay.io/hedgedoc/hedgedoc:1.9.3 + openldap_image_version: 1.5.0 + openldap_data: "{{ data_dir }}/openldap" + openldap_domain: "ldap.n39.eu" + roles: - role: docker_setup vars: 
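Review bot: `openldap_image_version: 1.5.0` in the @@ -23 hunk of pottwal.yml is left unquoted; it parses as a string today only because it has two dots, and a later bump to a two-component tag (a constructed example: `1.6`) would silently become a float and yield a wrong image reference. Quote it as `openldap_image_version: "1.5.0"`, matching the quoted `openldap_domain` two lines below. The inventory hunk on the same line keeps the password vault-encrypted, which needs no change.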
@@ -261,4 +265,41 @@ site_name: pad.n39.eu proxy_port: "{{ hedgedoc_host_port }}" + - name: Setup dehydrated challenge endpoint for {{ openldap_domain }} + include_role: + name: setup-http-dehydrated + vars: + site_name: "{{ openldap_domain }}" + + - name: Ensure openLDAP directories are present. + file: + path: "{{ item }}" + state: directory + with_items: + - "{{ openldap_data }}/database" + - "{{ openldap_data }}/config" + - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}" + + - name: Ensure container for openLDAP is running. + docker_container: + name: openLDAP + image: "osixia/openldap:{{ openldap_image_version }}" + pull: true + state: started + detach: yes + ports: + - "389:389" # unencrypted/STARTTLS + - "636:636" # SSL + volumes: + - "{{ openldap_data }}/database:/var/lib/ldap" + - "{{ openldap_data }}/config:/etc/ldap/slapd.d" + - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs" + env: + LDAP_ORGANISATION: "Netz39 e.V." + LDAP_DOMAIN: "{{ openldap_domain }}" + LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}" + LDAP_TLS_CRT_FILENAME: "cert.pem" + LDAP_TLS_KEY_FILENAME: "key.pem" + restart_policy: unless-stopped + handlers: From a070cd48b8872089f39c5eb47c7dd480f62eb62c Mon Sep 17 00:00:00 2001 From: David Kilias Date: Mon, 4 Jul 2022 22:42:07 +0200 Subject: [PATCH 3/4] pottwal - add ldap docker similar to pingtech setup --- pottwal.yml | 79 +++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 62 insertions(+), 17 deletions(-) diff --git a/pottwal.yml b/pottwal.yml index 20ad29f..bcfccf6 100644 --- a/pottwal.yml +++ b/pottwal.yml 
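Review bot: `detach: yes` in the new docker_container task is a YAML 1.1 truthy value while the neighbouring `pull: true` and `state: started` use canonical forms; write `detach: true` so yamllint's truthy rule and generic parsers agree with Ansible. The same task publishes `"389:389"` and `"636:636"` on every host interface, so the plaintext/STARTTLS port is reachable from wherever the host itself is; the next patch in this series narrows this to `{{ldap_ip}}`, which is the right direction. The tasks list this hunk appends to begins outside the hunk.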
@@ -276,30 +276,75 @@ path: "{{ item }}" state: directory with_items: - - "{{ openldap_data }}/database" - - "{{ openldap_data }}/config" + - "{{ openldap_data }}/ldap" + - "{{ openldap_data }}/slapd" + - "{{ openldap_data }}/ldif" - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}" - name: Ensure container for openLDAP is running. docker_container: name: openLDAP image: "osixia/openldap:{{ openldap_image_version }}" - pull: true - state: started detach: yes - ports: - - "389:389" # unencrypted/STARTTLS - - "636:636" # SSL - volumes: - - "{{ openldap_data }}/database:/var/lib/ldap" - - "{{ openldap_data }}/config:/etc/ldap/slapd.d" - - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs" - env: - LDAP_ORGANISATION: "Netz39 e.V." - LDAP_DOMAIN: "{{ openldap_domain }}" - LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}" - LDAP_TLS_CRT_FILENAME: "cert.pem" - LDAP_TLS_KEY_FILENAME: "key.pem" + state: started restart_policy: unless-stopped + container_default_behavior: no_defaults + pull: true + env: + LDAP_LOG_LEVEL: "256" + LDAP_ORGANISATION: "{{ldap_org}}" + LDAP_DOMAIN: "{{ldap_domain}}" + LDAP_BASE_DN: "{{ldap_base_dn}}" + LDAP_READONLY_USER: "false" + + LDAP_ADMIN_PASSWORD: "{{ldap_admin_password}}" + LDAP_CONFIG_PASSWORD: "{{ldap_config_password}}" + + LDAP_RFC2307BIS_SCHEMA: "true" + + LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0" + + LDAP_REPLICATION: "{{ldap_replication_enable}}" + LDAP_REPLICATION_CONFIG_SYNCPROV: "{{ldap_replication_config_syncprov}}" + LDAP_REPLICATION_DB_SYNCPROV: "{{ldap_replication_db_syncprov}}" + LDAP_REPLICATION_HOSTS: "{{ldap_replication_hosts}}" + + KEEP_EXISTING_CONFIG: "false" + LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" + published_ports: + - "{{ldap_ip}}:389:389" # unencrypted/STARTTLS + - "{{ldap_ip}}:636:636" # SSL + volumes: + - "{{ openldap_data }}/ldap:/var/lib/ldap" + - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d" + - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain 
}}:/container/service/slapd/assets/certs" + - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif" + timeout: 500 + # For replication to work correctly, domainname and hostname must be + # set correctly so that "hostname"."domainname" equates to the + # fully-qualified domain name for the host. + domainname: "{{ldap_domainname}}" + hostname: "{{ldap_hostname}}" + command: "--copy-service --loglevel debug" + + - name: Allow access to openLDAP from local docker container [1/2] + become: true + community.general.ufw: + rule: allow + port: '389' + proto: tcp + from: "{{ item }}" + comment: LDAP Docker Access + loop: "{{ docker_ip_ranges }}" + + - name: Allow access to openLDAP from local docker container [2/2] + become: true + community.general.ufw: + rule: allow + port: '636' + proto: tcp + from: "{{ item }}" + comment: LDAP Docker Access + loop: "{{ docker_ip_ranges }}" handlers: From 2f78ff74f6f230aebb8778e95ad347ae06c46c9f Mon Sep 17 00:00:00 2001 From: David Kilias Date: Tue, 5 Jul 2022 17:00:09 +0200 Subject: [PATCH 4/4] pottwal: ldap dehydrated Config auskommentiert --- pottwal.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/pottwal.yml b/pottwal.yml index bcfccf6..c71e11f 100644 --- a/pottwal.yml +++ b/pottwal.yml @@ -26,6 +26,8 @@ openldap_image_version: 1.5.0 openldap_data: "{{ data_dir }}/openldap" openldap_domain: "ldap.n39.eu" + ldap_org: "Netz39 e.V." + roles: - role: docker_setup @@ -265,11 +267,11 @@ site_name: pad.n39.eu proxy_port: "{{ hedgedoc_host_port }}" - - name: Setup dehydrated challenge endpoint for {{ openldap_domain }} - include_role: - name: setup-http-dehydrated - vars: - site_name: "{{ openldap_domain }}" + # - name: Setup dehydrated challenge endpoint for {{ openldap_domain }} + # include_role: + # name: setup-http-dehydrated + # vars: + # site_name: "{{ openldap_domain }}" - name: Ensure openLDAP directories are present. file: 
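Review bot: The new volume line mounts `{{ openldap_data }}/ldif/custom-element.ldif` as a single file, but the directory task above only creates `{{ openldap_data }}/ldif` and nothing in this series writes that file; unless a task outside the diff places it, Docker typically creates an empty directory at the missing source path and the container's bootstrap then finds a directory where `01_netz39.ldif` is expected. Either add a `copy`/`template` task for the file before the container task, or mount the directory instead: `- "{{ openldap_data }}/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom"`. `LDAP_ADMIN_PASSWORD` and `LDAP_CONFIG_PASSWORD` are handed over as plain environment variables, so anyone who can run `docker inspect` on the host reads the vault-protected values; a comment above `env:` stating that limitation would help the next maintainer. `command: "--copy-service --loglevel debug"` keeps the entrypoint in debug output permanently — document why, or drop `--loglevel debug` once the setup is verified. The hunk spans two source lines and the enclosing tasks list starts before it.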
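Review bot: The dehydrated include is commented out with no note of why, and the same is done to the cert directory entries in the @@ -279 and @@ -317 hunks of this patch; the commit subject only says that it was commented out. A reader later cannot tell whether this is temporary or intended, so add a comment above the block, e.g. `# TODO: dehydrated challenge endpoint for ldap disabled — re-enable once <reason> is resolved`, or remove the block and rely on git history instead of carrying dead YAML. The `ldap_org: "Netz39 e.V."` addition in the @@ -26 hunk needs no change.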
@@ -279,7 +281,7 @@ - "{{ openldap_data }}/ldap" - "{{ openldap_data }}/slapd" - "{{ openldap_data }}/ldif" - - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}" + # - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}" - name: Ensure container for openLDAP is running. docker_container: @@ -317,7 +319,7 @@ volumes: - "{{ openldap_data }}/ldap:/var/lib/ldap" - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d" - - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs" + # - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs" - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif" timeout: 500 # For replication to work correctly, domainname and hostname must be
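Review bot: With the dehydrated cert mount commented out in the @@ -317 hunk, the container no longer receives the host-managed certificate, yet `"{{ldap_ip}}:636:636"` and `LDAP_TLS_CIPHER_SUITE` from the previous patch stay in effect; presumably the image then falls back to a certificate it generates itself, so LDAPS clients either fail verification or have to trust an unmanaged self-signed cert. State this next to the commented line, e.g. `# TODO: 636 currently serves the image-provided cert; restore the dehydrated mount before pointing clients at LDAPS`, and consider not publishing 636 until a managed certificate is back. The docker_container task this hunk edits begins outside the hunk.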