Skip to content
Permalink
Browse files

[debops.dokuwki] Add LDAP support in DokuWiki

  • Loading branch information...
drybjed committed Oct 4, 2019
1 parent b6d60c7 commit 3aa81e14d073ab61f712d911e472f3f51a94b5ef
@@ -66,6 +66,14 @@ LDAP

.. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
:ref:`debops.dokuwiki` role
'''''''''''''''''''''''''''

- The role will configure LDAP support in DokuWiki when LDAP environment
managed by the :ref:`debops.ldap` Ansible role is detected. Read the
:ref:`dokuwiki__ref_ldap_support` chapter in the documentation for more
details.

:ref:`debops.saslauthd` role
''''''''''''''''''''''''''''

@@ -45,10 +45,17 @@
- role: debops.python
tags: [ 'role::python', 'skip::python' ]
python__dependent_packages3:
- '{{ ldap__python__dependent_packages3 }}'
- '{{ nginx__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ ldap__python__dependent_packages2 }}'
- '{{ nginx__python__dependent_packages2 }}'

- role: debops.ldap
tags: [ 'role::ldap', 'skip::ldap' ]
ldap__dependent_tasks:
- '{{ dokuwiki__ldap__dependent_tasks }}'

- role: debops.nginx
tags: [ 'role::nginx', 'skip::nginx' ]
nginx__dependent_upstreams:
@@ -1,7 +1,7 @@
debops.dokuwiki - Manage DokuWiki installation with Ansible

Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2015-2017 DebOps https://debops.org/
Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2015-2019 DebOps https://debops.org/

This Ansible role is part of DebOps.

@@ -126,6 +126,261 @@ dokuwiki__git_version: 'stable'
dokuwiki__git_checkout: '{{ dokuwiki__www + "/sites/" + dokuwiki__domains[0] + "/public" }}'
# ]]]
# ]]]
# LDAP environment [[[
# --------------------

# .. envvar:: dokuwiki__ldap_enabled [[[
#
# Enable or disable support for LDAP authentication in DokuWiki. Only the main
# instance is supported at the moment.
dokuwiki__ldap_enabled: '{{ True
if (ansible_local|d() and ansible_local.ldap|d() and
(ansible_local.ldap.enabled|d())|bool)
else False }}'

# ]]]
# .. envvar:: dokuwiki__ldap_base_dn [[[
#
# The base Distinguished Name which should be used to create Distinguished
# Names of the LDAP directory objects, defined as a YAML list. If this variable
# is empty, LDAP configuration will not be performed.
dokuwiki__ldap_base_dn: '{{ ansible_local.ldap.base_dn
if (ansible_local|d() and ansible_local.ldap|d() and
ansible_local.ldap.base_dn|d())
else [] }}'

# ]]]
# .. envvar:: dokuwiki__ldap_device_dn [[[
#
# The Distinguished Name of the current host LDAP object, defined as a YAML
# list. It will be used as a base for the DokuWiki service account LDAP
# object. If the list is empty, the role will not create the account LDAP
# object automatically.
dokuwiki__ldap_device_dn: '{{ ansible_local.ldap.device_dn
if (ansible_local|d() and ansible_local.ldap|d() and
ansible_local.ldap.device_dn|d())
else [] }}'

# ]]]
# .. envvar:: dokuwiki__ldap_self_rdn [[[
#
# The Relative Distinguished Name of the account LDAP object used by the
# DokuWiki service to access the LDAP directory.
dokuwiki__ldap_self_rdn: 'uid=dokuwiki'

# ]]]
# .. envvar:: dokuwiki__ldap_self_object_classes [[[
#
# List of the LDAP object classes which will be used to create the LDAP object
# used by the DokuWiki service to access the LDAP directory.
dokuwiki__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]

# ]]]
# .. envvar:: dokuwiki__ldap_self_attributes [[[
#
# YAML dictionary that defines the attributes of the LDAP object used by the
# DokuWiki service to access the LDAP directory.
dokuwiki__ldap_self_attributes:
uid: '{{ dokuwiki__ldap_self_rdn.split("=")[1] }}'
userPassword: '{{ dokuwiki__ldap_bindpw }}'
host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
description: 'Account used by the "DokuWiki" service to access the LDAP directory'

# ]]]
# .. envvar:: dokuwiki__ldap_binddn [[[
#
# The Distinguished Name of the account LDAP object used by the
# DokuWiki service to bind to the LDAP directory.
dokuwiki__ldap_binddn: '{{ ([ dokuwiki__ldap_self_rdn ] + dokuwiki__ldap_device_dn) | join(",") }}'

# ]]]
# .. envvar:: dokuwiki__ldap_bindpw [[[
#
# The password stored in the account LDAP object used by the DokuWiki service
# to bind to the LDAP directory.
dokuwiki__ldap_bindpw: '{{ lookup("password", secret + "/ldap/credentials/"
+ dokuwiki__ldap_binddn | to_uuid + ".password length=32") }}'

# ]]]
# .. envvar:: dokuwiki__ldap_people_rdn [[[
#
# The Relative Distinguished Name of the LDAP object which contains the user
# accounts stored in LDAP.
dokuwiki__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn
if (ansible_local|d() and ansible_local.ldap|d() and
ansible_local.ldap.people_rdn|d())
else "ou=People" }}'

# ]]]
# .. envvar:: dokuwiki__ldap_people_dn [[[
#
# The Distinguished Name of the LDAP object which contains the user accounts
# used by DokuWiki.
dokuwiki__ldap_people_dn: '{{ [ dokuwiki__ldap_people_rdn ] + dokuwiki__ldap_base_dn }}'

# ]]]
# .. envvar:: dokuwiki__ldap_private_groups [[[
#
# When this variable is enabled, the :ref:`debops.ldap` role will create
# a separate LDAP objects that manage the DokuWiki groups as subtree of the
# DokiWiki service LDAP object. If you set this parameter to ``False``, the
# role will use the global ``ou=Groups,dc=example,dc=org`` subtree instead.
dokuwiki__ldap_private_groups: True

# ]]]
# .. envvar:: dokuwiki__ldap_groups_rdn [[[
#
# The Relative Distinguished Name of the LDAP object which contains the groups
# stored in LDAP.
dokuwiki__ldap_groups_rdn: '{{ ansible_local.ldap.groups_rdn
if (ansible_local|d() and ansible_local.ldap|d() and
ansible_local.ldap.groups_rdn|d())
else "ou=Groups" }}'

# ]]]
# .. envvar:: dokuwiki__ldap_groups_dn [[[
#
# The Distinguished Name of the LDAP object which contains the groups used by
# DokuWiki. If private groups are enabled, this object will be created
# automatically.
dokuwiki__ldap_groups_dn: '{{ ([ dokuwiki__ldap_groups_rdn, dokuwiki__ldap_self_rdn ]
+ dokuwiki__ldap_device_dn)
if dokuwiki__ldap_private_groups|bool
else ([ dokuwiki__ldap_groups_rdn ] + dokuwiki__ldap_base_dn) }}'

# ]]]
# .. envvar:: dokuwiki__ldap_admin_group_rdn [[[
#
# The Relative Distinguished Name of the LDAP object which defines who has
# administrative access to a given DokuWiki instance.
dokuwiki__ldap_admin_group_rdn: 'cn=DokuWiki Administrators'

# ]]]
# .. envvar:: dokuwiki__ldap_admin_group_dn [[[
#
# The Distinguished Name of the LDAP object which defines who has
# administrative access to a given DokuWiki instance.
dokuwiki__ldap_admin_group_dn: '{{ [ dokuwiki__ldap_admin_group_rdn ]
+ dokuwiki__ldap_groups_dn }}'

# ]]]
# .. envvar:: dokuwiki__ldap_object_owner_rdn [[[
#
# The Relative Distinguished Name of the LDAP object of the person who
# installed a given DokuWiki instance and is used as the owner of the "DokuWiki
# Administrators" group.
dokuwiki__ldap_object_owner_rdn: 'uid={{ lookup("env", "USER") }}'

# ]]]
# .. envvar:: dokuwiki__ldap_object_ownerdn [[[
#
# The Distinguished Name of the LDAP object of the person who installed a given
# DokuWiki instance and is used as the owner of the "DokuWiki Administrators"
# group, defined as a string.
dokuwiki__ldap_object_ownerdn: '{{ ([ dokuwiki__ldap_object_owner_rdn, dokuwiki__ldap_people_rdn ]
+ dokuwiki__ldap_base_dn) | join(",") }}'
# ]]]
# ]]]
# LDAP connection options [[[
# ---------------------------

# .. envvar:: dokuwiki__ldap_server_uri [[[
#
# The URI address of the LDAP server used by DokuWiki.
dokuwiki__ldap_server_uri: '{{ (ansible_local.ldap.uri
if (ansible_local|d() and ansible_local.ldap|d() and
ansible_local.ldap.uri|d())
else [""]) | first }}'

# ]]]
# .. envvar:: dokuwiki__ldap_server_port [[[
#
# The TCP port which should be used for connections to the LDAP server.
dokuwiki__ldap_server_port: '{{ ansible_local.ldap.port
if (ansible_local|d() and ansible_local.ldap|d() and
ansible_local.ldap.port|d())
else ("389" if dokuwiki__ldap_start_tls|bool else "636") }}'

# ]]]
# .. envvar:: dokuwiki__ldap_start_tls [[[
#
# If ``True``, DokuWiki will use STARTTLS extension to make encrypted
# connections to the LDAP server.
dokuwiki__ldap_start_tls: '{{ ansible_local.ldap.start_tls
if (ansible_local|d() and ansible_local.ldap|d() and
(ansible_local.ldap.start_tls|d())|bool)
else True }}'

# ]]]
# .. envvar:: dokuwiki__ldap_user_filter [[[
#
# The LDAP filter used to look up user accounts in the directory.
dokuwiki__ldap_user_filter: '(&
(objectClass=inetOrgPerson)
(|
(uid=%{user})
(mail=%{user})
)
(|
(authorizedService=dokuwiki)
(authorizedService=web-public)
(authorizedService=\\*)
)
)'

# ]]]
# .. envvar:: dokuwiki__ldap_group_filter [[[
#
# The LDAP filter used to loo up groups in the directory.
dokuwiki__ldap_group_filter: '(&
(objectClass=groupOfNames)
(member=%{dn})
)'

# ]]]
# .. envvar:: dokuwiki__ldap_configuration [[[
#
# The variable which contains the LDAP configuration stored in the
# :file:`conf/local.protected.php` configuration file. The contents should be
# written in PHP, Jinja can be used for logic outside of the PHP engine.
dokuwiki__ldap_configuration: |
$conf['useacl'] = 1;
$conf['authtype'] = 'authldap';
$conf['superuser'] = '{{ "@" + dokuwiki__ldap_admin_group_rdn.split("=")[1] }}';
$conf['plugin']['authldap']['server'] = '{{ dokuwiki__ldap_server_uri }}';
$conf['plugin']['authldap']['port'] = '{{ dokuwiki__ldap_server_port }}';
$conf['plugin']['authldap']['usertree'] = '{{ dokuwiki__ldap_people_dn | join(",") }}';
$conf['plugin']['authldap']['grouptree'] = '{{ dokuwiki__ldap_groups_dn | join(",") }}';
$conf['plugin']['authldap']['userfilter'] = '{{ dokuwiki__ldap_user_filter }}';
$conf['plugin']['authldap']['groupfilter'] = '{{ dokuwiki__ldap_group_filter }}';
$conf['plugin']['authldap']['version'] = 3;
$conf['plugin']['authldap']['starttls'] = {{ "1" if dokuwiki__ldap_start_tls|bool else "0" }};
$conf['plugin']['authldap']['referrals'] = '0';
$conf['plugin']['authldap']['deref'] = '0';
$conf['plugin']['authldap']['binddn'] = '{{ dokuwiki__ldap_binddn }}';
$conf['plugin']['authldap']['bindpw'] = '{{ dokuwiki__ldap_bindpw }}';
$conf['plugin']['authldap']['userscope'] = 'sub';
$conf['plugin']['authldap']['groupscope'] = 'sub';
$conf['plugin']['authldap']['userkey'] = 'uid';
$conf['plugin']['authldap']['groupkey'] = 'cn';
$conf['plugin']['authldap']['debug'] = 0;
$conf['plugin']['authldap']['modPass'] = 0;
# ]]]
# ]]]
# Protected local configuration [[[
# ---------------------------------

# .. envvar:: dokuwiki__protected_conf_php [[[
#
# This variable defines the contents of the :file:`conf/local.protected.php`
# configuration file. The contents should be written in PHP, Jinja can be used
# for logic outside of the PHP engine.
dokuwiki__protected_conf_php: |
{% if dokuwiki__ldap_enabled|bool %}
{{ dokuwiki__ldap_configuration }}
{% endif %}
# ]]]
# ]]]
# Application plugins, themes, system packages [[[
# ------------------------------------------------

@@ -302,6 +557,39 @@ dokuwiki__python__dependent_packages2:

- 'python-docutils'

# ]]]
# .. envvar:: dokuwiki__ldap__dependent_tasks [[[
#
# Configuration for the :ref:`debops.ldap` Ansible role.
dokuwiki__ldap__dependent_tasks:

- name: 'Create DokuWiki account for {{ dokuwiki__ldap_device_dn | join(",") }}'
dn: '{{ dokuwiki__ldap_binddn }}'
objectClass: '{{ dokuwiki__ldap_self_object_classes }}'
attributes: '{{ dokuwiki__ldap_self_attributes }}'
no_log: True
state: '{{ "present" if dokuwiki__ldap_device_dn|d() else "ignore" }}'

- name: 'Create DokuWiki group container for {{ dokuwiki__ldap_device_dn | join(",") }}'
dn: '{{ dokuwiki__ldap_groups_dn }}'
objectClass: 'organizationalUnit'
attributes:
ou: '{{ dokuwiki__ldap_groups_rdn.split("=")[1] }}'
description: 'User groups used in DokuWiki'
state: '{{ "present"
if (dokuwiki__ldap_device_dn|d() and
dokuwiki__ldap_private_groups|bool)
else "ignore" }}'

- name: 'Create DokuWiki admin group for {{ dokuwiki__ldap_device_dn | join(",") }}'
dn: '{{ dokuwiki__ldap_admin_group_dn }}'
objectClass: 'groupOfNames'
attributes:
cn: '{{ dokuwiki__ldap_admin_group_rdn.split("=")[1] }}'
owner: '{{ dokuwiki__ldap_object_ownerdn }}'
member: '{{ dokuwiki__ldap_object_ownerdn }}'
state: '{{ "present" if dokuwiki__ldap_device_dn|d() else "ignore" }}'

# ]]]
# .. envvar:: dokuwiki__php__dependent_packages [[[
#
@@ -149,6 +149,15 @@
(item.repo|d() and item.repo) and (item.dest|d() and item.dest) and
(item.state is undefined or (item.state|d() and item.state != 'absent')))

- name: Generate protected local configuration file
template:
src: 'srv/www/dokuwiki/sites/public/conf/local.protected.php.j2'
dest: '{{ dokuwiki__git_checkout + "/conf/local.protected.php" }}'
owner: '{{ dokuwiki__user }}'
group: '{{ dokuwiki__group }}'
mode: '0600'
no_log: True

- name: Install maintenance scripts
template:
src: '{{ item }}.j2'
@@ -0,0 +1,7 @@
<?php
/* {{ ansible_managed }} */

/* Local DokuWiki configuration options which are not configurable using the
Configuration Manager interface */

{{ dokuwiki__protected_conf_php | regex_replace('\n$','') }}

0 comments on commit 3aa81e1

Please sign in to comment.
You can’t perform that action at this time.