Fixed LDAP config default values, updated documentation

savoirfairelinux · May 18, 2017 · 20916d3 · 20916d3
1 parent ac358ce
commit 20916d3
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -85,6 +85,7 @@ Setup an [SSL Reverse-proxy](https://books.sonatype.com/nexus-book/3.0/reference
     ldap_user_real_name_attribute: 'cn'
     ldap_user_email_attribute: 'mail'
     ldap_user_subtree: false
+    ldap_map_groups_as_roles: false
     ldap_group_base_dn: 'ou=groups'
     ldap_group_object_class: 'posixGroup'
     ldap_group_id_attribute: 'cn'
@@ -93,6 +94,63 @@ Setup an [SSL Reverse-proxy](https://books.sonatype.com/nexus-book/3.0/reference
     ldap_group_subtree: false
 ```
 
+Example LDAP config for anonymous authentication (anonymous bind), this is also the "minimal" config :
+
+```
+  - ldap_name: 'Simplest LDAP config'
+    ldap_protocol: 'ldaps'
+    ldap_hostname: 'annuaire.mycompany.com'
+    ldap_search_base: 'dc=mycompany,dc=net'
+    ldap_port: 636
+    ldap_user_id_attribute: 'uid'
+    ldap_user_real_name_attribute: 'cn'
+    ldap_user_email_attribute: 'mail'
+    ldap_user_object_class: 'inetOrgPerson'
+```
+
+Example LDAP config for simple authentication (using a DSA account) :
+
+```
+  - ldap_name: 'LDAP config with DSA'
+    ldap_protocol: 'ldaps'
+    ldap_hostname: 'annuaire.mycompany.com'
+    ldap_port: 636
+    ldap_auth: 'simple'
+    ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'
+    ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault
+    ldap_search_base: 'dc=mycompany,dc=net'
+    ldap_user_base_dn: 'ou=users'
+    ldap_user_object_class: 'inetOrgPerson'
+    ldap_user_id_attribute: 'uid'
+    ldap_user_real_name_attribute: 'cn'
+    ldap_user_email_attribute: 'mail'
+    ldap_user_subtree: false
+```
+
+Example LDAP config for simple authentication (using a DSA account) + groups mapped as roles :
+
+```
+  - ldap_name: 'LDAP config with DSA'
+    ldap_protocol: 'ldaps'
+    ldap_hostname: 'annuaire.mycompany.com'
+    ldap_port: 636
+    ldap_auth: 'simple'
+    ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'
+    ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault
+    ldap_search_base: 'dc=mycompany,dc=net'
+    ldap_user_base_dn: 'ou=users'
+    ldap_user_object_class: 'inetOrgPerson'
+    ldap_user_id_attribute: 'uid'
+    ldap_user_real_name_attribute: 'cn'
+    ldap_user_email_attribute: 'mail'
+    ldap_map_groups_as_roles: true
+    ldap_group_base_dn: 'ou=groups'
+    ldap_group_object_class: 'groupOfNames'
+    ldap_group_id_attribute: 'cn'
+    ldap_group_member_attribute: 'member'
+    ldap_group_member_format: 'uid=${username},ou=users,dc=mycompany,dc=net'
+    ldap_group_subtree: false
+```
 
     nexus_privileges:
       - name: all-repos-read # used as key to update a privilege

diff --git a/files/groovy/setup_ldap.groovy b/files/groovy/setup_ldap.groovy
@@ -48,12 +48,14 @@ mapping.setUserIdAttribute(parsed_args.user_id_attribute)
 mapping.setUserRealNameAttribute(parsed_args.user_real_name_attribute)
 mapping.setEmailAddressAttribute(parsed_args.user_email_attribute)
 
-mapping.setLdapGroupsAsRoles(true)
-mapping.setGroupBaseDn(parsed_args.group_base_dn)
-mapping.setGroupObjectClass(parsed_args.group_object_class)
-mapping.setGroupIdAttribute(parsed_args.group_id_attribute)
-mapping.setGroupMemberAttribute(parsed_args.group_member_attribute)
-mapping.setGroupMemberFormat(parsed_args.group_member_format)
+if (parsed_args.map_groups_as_roles) {
+    mapping.setLdapGroupsAsRoles(true)
+    mapping.setGroupBaseDn(parsed_args.group_base_dn)
+    mapping.setGroupObjectClass(parsed_args.group_object_class)
+    mapping.setGroupIdAttribute(parsed_args.group_id_attribute)
+    mapping.setGroupMemberAttribute(parsed_args.group_member_attribute)
+    mapping.setGroupMemberFormat(parsed_args.group_member_format)
+}
 
 mapping.setUserSubtree(parsed_args.user_subtree)
 mapping.setGroupSubtree(parsed_args.group_subtree)

diff --git a/tasks/setup_ldap_each.yml b/tasks/setup_ldap_each.yml
@@ -11,15 +11,16 @@
       username: "{{ item.ldap_auth_username | default('') }}"
       password: "{{ item.ldap_auth_password | default('') }}"
       search_base: "{{ item.ldap_search_base }}"
-      user_base_dn: "{{ item.ldap_user_base_dn }}"
+      user_base_dn: "{{ item.ldap_user_base_dn | default('ou=users') }}"
       user_object_class: "{{ item.ldap_user_object_class }}"
       user_id_attribute: "{{ item.ldap_user_id_attribute }}"
       user_real_name_attribute: "{{ item.ldap_user_real_name_attribute }}"
       user_email_attribute: "{{ item.ldap_user_email_attribute }}"
-      group_base_dn: "{{ item.ldap_group_base_dn }}"
-      group_object_class: "{{ item.ldap_group_object_class }}"
-      group_id_attribute: "{{ item.ldap_group_id_attribute }}"
-      group_member_attribute: "{{ item.ldap_group_member_attribute }}"
-      group_member_format: "{{ item.ldap_group_member_format }}"
-      user_subtree: "{{ item.ldap_user_subtree }}"
-      group_subtree: "{{ item.ldap_group_subtree }}"
+      map_groups_as_roles: "{{ item.ldap_map_groups_as_roles | default(false) }}"
+      group_base_dn: "{{ item.ldap_group_base_dn | default('ou=groups') }}"
+      group_object_class: "{{ item.ldap_group_object_class | default('groupOfNames') }}"
+      group_id_attribute: "{{ item.ldap_group_id_attribute | default('cn') }}"
+      group_member_attribute: "{{ item.ldap_group_member_attribute | default('member') }}"
+      group_member_format: "{{ item.ldap_group_member_format | default('uid=${username},ou=users,dc=yourcompany') }}"
+      user_subtree: "{{ item.ldap_user_subtree | default(false) }}"
+      group_subtree: "{{ item.ldap_group_subtree | default(false) }}"