Intégration hydra-ldap-v1

templates/cadoles-pod-hydra-ldap-v1.conf.j2

@@ -0,0 +1,24 @@
+# {{ ansible_managed }}
+# Voir https://forge.cadoles.com/Cadoles/hydra-werther/src/branch/develop/conf/hydra-werther.conf
+# pour les variables d'environnement disponibles
+PODMAN_ARGS="\
+    -p 127.0.0.1:3005:8080 \
+    --network=slirp4netns:allow_host_loopback=true \
+    --replace --name 'cadoles-pod-hydra-ldap-v1' \
+    --tz=local \
+    -e 'WERTHER_DEV_MODE={{ hydra_ldap_dev_mode }}' \
+    -e 'WERTHER_IDENTP_HYDRA_URL=http://10.0.2.2:4445' \
+    -e 'WERTHER_LDAP_ENDPOINTS={{ hydra_ldap_endpoints | join(',') }}' \
+    -e 'WERTHER_LDAP_BINDDN={{ hydra_ldap_bind_dn }}' \
+    -e 'WERTHER_LDAP_BINDPW={{ hydra_ldap_bind_password }}' \
+    -e 'WERTHER_LDAP_BASEDN={{ hydra_ldap_base_dn }}' \
+    -e 'WERTHER_LDAP_USER_SEARCH_QUERY={{ hydra_ldap_user_search_query }}' \
+    -e 'WERTHER_LDAP_ROLE_SEARCH_QUERY={{ hydra_ldap_role_search_query }}' \
+    -e 'WERTHER_LDAP_ROLE_BASEDN={{ hydra_ldap_role_base_dn }}' \
+    -e 'WERTHER_WEB_BASE_PATH={{ haproxy_hydra_ldap_base_path }}/' \
+    -e 'WERTHER_LDAP_IS_TLS={{ hydra_ldap_use_tls }}' \
+    -e 'WERTHER_LDAP_ATTR_CLAIMS={{ hydra_ldap_attr_claims }}' \
+    -e 'WERTHER_LDAP_ROLE_ATTR={{ hydra_ldap_role_attr }}' \
+    -e 'WERTHER_LDAP_ROLE_CLAIM={{ hydra_ldap_role_claim }}' \
+    -e 'WERTHER_IDENTP_CLAIM_SCOPES={{ hydra_ldap_claim_scopes }}' \
+"

templates/haproxy.cfg.j2

@@ -50,6 +50,9 @@ frontend http-in
 {% if enable_hydra_oidc %}
     acl login_oidc path_beg -i {{ haproxy_hydra_oidc_base_path }}
 {% endif %}
+{% if enable_hydra_ldap %}
+    acl login_ldap path_beg -i {{ haproxy_hydra_ldap_base_path }}
+{% endif %}
 {% if enable_oidc_test_app %}
     acl oidc_test path_beg -i {{ haproxy_oidc_test_base_path }}
 {% endif %}
@@ -64,6 +67,9 @@ frontend http-in
 {% if enable_hydra_oidc %}
     use_backend hydra_oidc if login_oidc
 {% endif %}
+{% if enable_hydra_ldap %}
+    use_backend hydra_ldap if login_ldap
+{% endif %}
 {% if enable_oidc_test_app %}
     use_backend oidc_test if oidc_test
 {% endif %}
@@ -118,6 +124,15 @@ backend hydra_saml
     server hydra-login-saml 127.0.0.1:3002 check
 {%- endif %}
 
+{% if enable_hydra_ldap %}
+# Backend Hydra LDAP
+backend hydra_ldap
+    balance roundrobin
+    http-request set-path %[path,regsub(^{{ haproxy_hydra_ldap_base_path }},)]
+    http-request set-header X-Forwarded-Prefix {{ haproxy_hydra_ldap_base_path }}
+    server hydra-login-ldap 127.0.0.1:3005 check
+{%- endif %}
+
 {% if enable_oidc_test_app %}
 backend oidc_test
     balance roundrobin

templates/hydra-dispatcher-apps.yml.j2

@@ -36,4 +36,16 @@ hydra:
       logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_oidc_base_path }}/logout"
       attributes_rewrite_rules: {{ hydra_oidc_attributes_rewrite_rules | to_json }}
       icon_url: "{{ hydra_oidc_app_icon_url }}"
+{% endif %}
+{% if enable_hydra_ldap %}
+    - id: ldap
+      title: 
+        fr: "{{ hydra_ldap_app_title }}"
+      description: 
+        fr: "{{ hydra_ldap_app_description }}"
+      login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_ldap_base_path }}/auth/login"
+      consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_ldap_base_path }}/auth/consent"
+      logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_ldap_base_path }}/auth/logout"
+      attributes_rewrite_rules: {{ hydra_ldap_attributes_rewrite_rules | to_json }}
+      icon_url: "{{ hydra_ldap_app_icon_url }}"
 {% endif %}