feat: add ldap provisioning to nextcloud

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>

roles/nextcloud/defaults/main.yml

@@ -76,4 +76,25 @@ nextcloud_oidc_providers: []
 
 # OIDC providers to remove
 nextcloud_oidc_providers_removed: []
-# - old-provider
+# - old-provider
+
+# LDAP configuration
+nextcloud_ldap_enabled: false
+nextcloud_ldap_config: {}
+# Example for 389ds with Keycloak user federation:
+#   ldapHost: "ldaps://389ds"
+#   ldapPort: "3636"
+#   ldapAgentName: "cn=Directory Manager"
+#   ldapAgentPassword: "changeme"
+#   ldapBase: "dc=example,dc=com"
+#   ldapBaseUsers: "ou=users,dc=example,dc=com"
+#   ldapBaseGroups: "dc=example,dc=com"
+#   ldapTLS: "0"
+#   turnOffCertCheck: "0"
+#   ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))"
+#   ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))"
+#   ldapUserDisplayName: "displayname"
+#   ldapEmailAttribute: "mail"
+#   ldapExpertUsernameAttr: "uid"
+#   ldapExpertUUIDUserAttr: "nsuniqueid"
+#   ldapConfigurationActive: "1"

roles/nextcloud/tasks/ldap.yml

@@ -0,0 +1,41 @@
+#SPDX-License-Identifier: MIT-0
+---
+# LDAP configuration for Nextcloud user_ldap app
+
+- name: Check if LDAP configuration exists
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_service_name }}-nextcloud-1"
+    command: php /var/www/html/occ ldap:show-config
+  register: ldap_show_config
+  changed_when: false
+
+- name: Create LDAP configuration
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_service_name }}-nextcloud-1"
+    command: php /var/www/html/occ ldap:create-empty-config
+  when: "'s01' not in ldap_show_config.stdout"
+
+- name: Configure LDAP settings
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_service_name }}-nextcloud-1"
+    argv:
+      - php
+      - /var/www/html/occ
+      - ldap:set-config
+      - s01
+      - "{{ item.key }}"
+      - "{{ item.value | string }}"
+  loop: "{{ nextcloud_ldap_config | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  no_log: true
+
+- name: Test LDAP configuration
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_service_name }}-nextcloud-1"
+    command: php /var/www/html/occ ldap:test-config s01
+  register: ldap_test_result
+  changed_when: false
+  failed_when:
+    - ldap_test_result.rc != 0
+    - "'succeeded' not in (ldap_test_result.stdout | default('') | lower)"

roles/nextcloud/tasks/main.yml

@@ -70,6 +70,10 @@
   ansible.builtin.include_tasks: collabora.yml
   when: nextcloud_enable_collabora
 
+- name: Configure LDAP backend
+  ansible.builtin.include_tasks: ldap.yml
+  when: nextcloud_ldap_enabled
+
 - name: Configure OIDC providers
   ansible.builtin.include_tasks: oidc.yml
   when: nextcloud_oidc_providers | length > 0 or nextcloud_oidc_providers_removed | length > 0