From 59d017490595431577411914fb7b276b61fd81b2 Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse
Date: Fri, 13 Mar 2026 10:46:49 +0100
Subject: [PATCH] feat: add ldap provisioning to nextcloud
Signed-off-by: Bert-Jan Fikse
---
roles/nextcloud/defaults/main.yml | 23 ++++++++++++++++-
roles/nextcloud/tasks/ldap.yml | 41 +++++++++++++++++++++++++++++++
roles/nextcloud/tasks/main.yml | 4 +++
3 files changed, 67 insertions(+), 1 deletion(-)
create mode 100644 roles/nextcloud/tasks/ldap.yml
diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml
index 7110ca5..e40ea55 100644
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@@ -76,4 +76,25 @@
 nextcloud_oidc_providers: []
 # OIDC providers to remove
 nextcloud_oidc_providers_removed: []
-# - old-provider
\ No newline at end of file
+# - old-provider
+
+# LDAP configuration
+nextcloud_ldap_enabled: false
+nextcloud_ldap_config: {}
+# Example for 389ds with Keycloak user federation:
+# ldapHost: "ldaps://389ds"
+# ldapPort: "3636"
+# ldapAgentName: "cn=Directory Manager"
+# ldapAgentPassword: "changeme"
+# ldapBase: "dc=example,dc=com"
+# ldapBaseUsers: "ou=users,dc=example,dc=com"
+# ldapBaseGroups: "dc=example,dc=com"
+# ldapTLS: "0"
+# turnOffCertCheck: "0"
+# ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))"
+# ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))"
+# ldapUserDisplayName: "displayname"
+# ldapEmailAttribute: "mail"
+# ldapExpertUsernameAttr: "uid"
+# ldapExpertUUIDUserAttr: "nsuniqueid"
+# ldapConfigurationActive: "1"
\ No newline at end of file
diff --git a/roles/nextcloud/tasks/ldap.yml b/roles/nextcloud/tasks/ldap.yml
new file mode 100644
index 0000000..dcb2392
--- /dev/null
+++ b/roles/nextcloud/tasks/ldap.yml
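Review bot: The example under `nextcloud_ldap_config` shows `ldapAgentPassword: "changeme"` without saying where the real bind password should come from; since every key of this dict is handed to `occ ldap:set-config`, a plain value here ends up committed next to the inventory. Add a line above the example such as `# Supply ldapAgentPassword from an encrypted source (e.g. ansible-vault); never keep it in plain text.` It would also help readers to note that `turnOffCertCheck: "0"` keeps LDAPS certificate verification on and should stay so outside test setups, and that `ldapTLS` selects StartTLS, which is not needed when `ldapHost` already uses `ldaps://`.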
@@ -0,0 +1,41 @@
+#SPDX-License-Identifier: MIT-0
+---
+# LDAP configuration for Nextcloud user_ldap app
+
+- name: Check if LDAP configuration exists
+ community.docker.docker_container_exec:
+ container: "{{ nextcloud_service_name }}-nextcloud-1"
+ command: php /var/www/html/occ ldap:show-config
+ register: ldap_show_config
+ changed_when: false
+
+- name: Create LDAP configuration
+ community.docker.docker_container_exec:
+ container: "{{ nextcloud_service_name }}-nextcloud-1"
+ command: php /var/www/html/occ ldap:create-empty-config
+ when: "'s01' not in ldap_show_config.stdout"
+
+- name: Configure LDAP settings
+ community.docker.docker_container_exec:
+ container: "{{ nextcloud_service_name }}-nextcloud-1"
+ argv:
+ - php
+ - /var/www/html/occ
+ - ldap:set-config
+ - s01
+ - "{{ item.key }}"
+ - "{{ item.value | string }}"
+ loop: "{{ nextcloud_ldap_config | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ no_log: true
+
+- name: Test LDAP configuration
+ community.docker.docker_container_exec:
+ container: "{{ nextcloud_service_name }}-nextcloud-1"
+ command: php /var/www/html/occ ldap:test-config s01
+ register: ldap_test_result
+ changed_when: false
+ failed_when:
+ - ldap_test_result.rc != 0
+ - "'succeeded' not in (ldap_test_result.stdout | default('') | lower)"
\ No newline at end of file
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 1d1a565..71f68c5 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -70,6 +70,10 @@
 ansible.builtin.include_tasks: collabora.yml
 when: nextcloud_enable_collabora
 
+- name: Configure LDAP backend
+ ansible.builtin.include_tasks: ldap.yml
+ when: nextcloud_ldap_enabled
+
 - name: Configure OIDC providers
 ansible.builtin.include_tasks: oidc.yml
 when: nextcloud_oidc_providers | length > 0 or nextcloud_oidc_providers_removed | length > 0
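Review bot: The first task, `Check if LDAP configuration exists`, runs `occ ldap:show-config` with no `failed_when` or `ignore_errors`, yet nothing in this file or in the `main.yml` hunk enables the `user_ldap` app; the `ldap:*` occ commands are provided by that app, so on an instance where it is still disabled the command exits non-zero and the play stops before any configuration is written (unless the app is enabled elsewhere in the role, which I cannot see here). An enabling task ahead of the check, with `changed_when` keyed on the "already enabled" output so reruns stay idempotent, closes that gap. Separately, the `failed_when` list on `Test LDAP configuration` ANDs its two conditions, so the task fails only when `rc != 0` and the output lacks "succeeded"; as far as I recall the command reports success as "The configuration is valid and the connection could be established!", so the substring branch never matches and the guard reduces to `failed_when: ldap_test_result.rc != 0`, which is clearer to write directly. Also, `Configure LDAP settings` has no `changed_when`, so it reports changed on every run even when nothing differs.
```yaml
- name: Enable user_ldap app
  community.docker.docker_container_exec:
    container: "{{ nextcloud_service_name }}-nextcloud-1"
    command: php /var/www/html/occ app:enable user_ldap
  register: ldap_app_enable
  changed_when: "'already enabled' not in ldap_app_enable.stdout"

# … unchanged: Check if LDAP configuration exists and the following tasks …
```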