From a070cd48b8872089f39c5eb47c7dd480f62eb62c Mon Sep 17 00:00:00 2001
From: David Kilias <dkdent@netz39.de>
Date: Mon, 4 Jul 2022 22:42:07 +0200
Subject: [PATCH] pottwal - add ldap docker similar to pingtech setup

---
 pottwal.yml | 79 +++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 62 insertions(+), 17 deletions(-)

diff --git a/pottwal.yml b/pottwal.yml
index 20ad29f..bcfccf6 100644
--- a/pottwal.yml
+++ b/pottwal.yml
@@ -276,30 +276,75 @@
         path: "{{ item }}"
         state: directory
       with_items:
-        - "{{ openldap_data }}/database"
-        - "{{ openldap_data }}/config"
+        - "{{ openldap_data }}/ldap"
+        - "{{ openldap_data }}/slapd"
+        - "{{ openldap_data }}/ldif"
         - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"
 
     - name: Ensure container for openLDAP is running.
       docker_container:
         name: openLDAP
         image: "osixia/openldap:{{ openldap_image_version }}"
-        pull: true
-        state: started
         detach: yes
-        ports:
-          - "389:389" # unencrypted/STARTTLS
-          - "636:636" # SSL
-        volumes:
-          - "{{ openldap_data }}/database:/var/lib/ldap"
-          - "{{ openldap_data }}/config:/etc/ldap/slapd.d"
-          - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
-        env:
-          LDAP_ORGANISATION: "Netz39 e.V."
-          LDAP_DOMAIN: "{{ openldap_domain }}"
-          LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
-          LDAP_TLS_CRT_FILENAME: "cert.pem"
-          LDAP_TLS_KEY_FILENAME: "key.pem"
+        state: started
         restart_policy: unless-stopped
+        container_default_behavior: no_defaults
+        pull: true
+        env:
+          LDAP_LOG_LEVEL: "256"
+          LDAP_ORGANISATION: "{{ldap_org}}"
+          LDAP_DOMAIN: "{{ldap_domain}}"
+          LDAP_BASE_DN: "{{ldap_base_dn}}"
+          LDAP_READONLY_USER: "false"
+
+          LDAP_ADMIN_PASSWORD: "{{ldap_admin_password}}"
+          LDAP_CONFIG_PASSWORD: "{{ldap_config_password}}"
+
+          LDAP_RFC2307BIS_SCHEMA: "true"
+
+          LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
+
+          LDAP_REPLICATION: "{{ldap_replication_enable}}"
+          LDAP_REPLICATION_CONFIG_SYNCPROV: "{{ldap_replication_config_syncprov}}"
+          LDAP_REPLICATION_DB_SYNCPROV: "{{ldap_replication_db_syncprov}}"
+          LDAP_REPLICATION_HOSTS: "{{ldap_replication_hosts}}"
+
+          KEEP_EXISTING_CONFIG: "false"
+          LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
+        published_ports:
+          - "{{ldap_ip}}:389:389" # unencrypted/STARTTLS
+          - "{{ldap_ip}}:636:636" # SSL
+        volumes:
+          - "{{ openldap_data }}/ldap:/var/lib/ldap"
+          - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
+          - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
+          - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
+        timeout: 500
+        # For replication to work correctly, domainname and hostname must be
+        # set correctly so that "hostname"."domainname" equates to the
+        # fully-qualified domain name for the host.
+        domainname: "{{ldap_domainname}}"
+        hostname: "{{ldap_hostname}}"
+        command: "--copy-service --loglevel debug"
+    
+    - name: Allow access to openLDAP from local docker container [1/2]
+      become: true
+      community.general.ufw:
+        rule: allow
+        port: '389'
+        proto: tcp
+        from: "{{  item  }}"
+        comment: LDAP Docker Access
+      loop: "{{  docker_ip_ranges  }}"
+
+    - name: Allow access to openLDAP from local docker container [2/2]
+      become: true
+      community.general.ufw:
+        rule: allow
+        port: '636'
+        proto: tcp
+        from: "{{  item  }}"
+        comment: LDAP Docker Access
+      loop: "{{  docker_ip_ranges  }}"
 
   handlers:
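Review bot: The LDAP domain now comes from two different variables — the new `LDAP_DOMAIN: "{{ldap_domain}}"` line versus `{{ openldap_domain }}` in the certificate directory task and the certs volume mount — so the TLS certificate served and the domain slapd is configured for can silently diverge; use one variable in all three places, e.g. `LDAP_DOMAIN: "{{ openldap_domain }}"`, or derive one from the other in vars. The bind mount of `{{ openldap_data }}/ldif/custom-element.ldif` presumes that file already exists on the host; the preceding directory task only creates `ldif/`, and if no other task in the playbook deploys the file, Docker will create an empty directory at that path and the bootstrap mount will be wrong, so a copy/template task (or a `stat` check) should precede this container task. The data directories were renamed from `database`/`config` to `ldap`/`slapd` without any migration step, which looks intended as a fresh setup but deserves a comment such as `# NOTE: data dirs renamed; existing data under database/ and config/ is not migrated`. The startup `command: "--copy-service --loglevel debug"` is verbose for a long-running service; if it is only meant for bringing replication up, say so in a comment or switch to a less verbose level once stable. Style: the new lines use `{{ldap_org}}` and `{{  item  }}` while the surrounding file uses `{{ openldap_data }}` — one space inside the braces throughout would match the file.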