Intégration hydra-ldap-v1
This commit is contained in:
parent
762c2559b3
commit
d52e83e3f4
|
|
@ -12,6 +12,7 @@ cadoles_pod_shibboleth_sp_v3_package_version: '*'
|
|||
cadoles_pod_hydra_remote_user_v1_package_version: '*'
|
||||
cadoles_pod_hydra_passwordless_v1_package_version: '*'
|
||||
cadoles_pod_hydra_oidc_v1_package_version: '*'
|
||||
cadoles_pod_hydra_ldap_v1_package_version: '*'
|
||||
|
||||
# Hydra database configuration
|
||||
hydra_use_external_database: no
|
||||
|
|
@ -30,6 +31,7 @@ haproxy_hydra_dispatcher_base_path: /auth/dispatcher
|
|||
haproxy_hydra_passwordless_base_path: /auth/passwordless
|
||||
haproxy_hydra_saml_base_path: /auth/saml
|
||||
haproxy_hydra_oidc_base_path: /auth/oidc
|
||||
haproxy_hydra_ldap_base_path: /auth/ldap
|
||||
haproxy_oidc_test_base_path: /auth/test
|
||||
|
||||
haproxy_forwarded_proto: https
|
||||
|
|
@ -178,4 +180,27 @@ hydra_oidc_attributes_rewrite_rules:
|
|||
birthplace:
|
||||
- consent.session.id_token.birthplace
|
||||
birthcountry:
|
||||
- consent.session.id_token.birthcountry
|
||||
- consent.session.id_token.birthcountry
|
||||
|
||||
# Hydra LDAP configuration
|
||||
|
||||
enable_hydra_ldap: no
|
||||
hydra_ldap_app_title: LDAP
|
||||
hydra_ldap_app_description: Authentification via LDAP
|
||||
hydra_ldap_app_icon_url:
|
||||
hydra_ldap_dev_mode: false
|
||||
hydra_ldap_attributes_rewrite_rules:
|
||||
email:
|
||||
- consent.session.id_token.email
|
||||
hydra_ldap_endpoints: []
|
||||
hydra_ldap_bind_dn:
|
||||
hydra_ldap_bind_password:
|
||||
hydra_ldap_base_dn:
|
||||
hydra_ldap_user_search_query: "(&(objectClass=inetOrgPerson)(|(uid=%[1]s)(mail=%[1]s)))"
|
||||
hydra_ldap_role_search_query: "(&(memberUid=%[1]s)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
|
||||
hydra_ldap_attr_claims: "sn:family_name,givenName:given_name,mail:email"
|
||||
hydra_ldap_role_base_dn:
|
||||
hydra_ldap_role_attr: cn
|
||||
hydra_ldap_use_tls: false
|
||||
hydra_ldap_role_claim: roles
|
||||
hydra_ldap_claim_scopes: "name:profile,family_name:profile,given_name:profile,email:email,roles:roles"
|
||||
|
|
|
|||
|
|
@ -41,6 +41,12 @@
|
|||
state: restarted
|
||||
become: true
|
||||
|
||||
- name: Restart cadoles-pod-hydra-ldap-v1
|
||||
service:
|
||||
name: cadoles-pod-hydra-ldap-v1
|
||||
state: restarted
|
||||
become: true
|
||||
|
||||
- name: Reload hydra clients
|
||||
ansible.builtin.include_tasks:
|
||||
file: hydra-reload-clients.yml
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
---
|
||||
|
||||
- name: Install cadoles-pod-hydra-ldap-v1 package
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- "cadoles-pod-hydra-ldap-v1={{ cadoles_pod_hydra_ldap_v1_package_version }}"
|
||||
update_cache: yes
|
||||
state: present
|
||||
become: true
|
||||
|
||||
- name: Configure cadoles-pod-hydra-ldap-v1
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- src: cadoles-pod-hydra-ldap-v1.conf.j2
|
||||
dest: /etc/cadoles-pod-hydra-ldap-v1.conf
|
||||
notify:
|
||||
- Restart cadoles-pod-hydra-ldap-v1
|
||||
become: true
|
||||
|
|
@ -111,6 +111,10 @@
|
|||
ansible.builtin.include_tasks: hydra-oidc.yml
|
||||
when: enable_hydra_oidc
|
||||
|
||||
- name: Configure LDAP authentification if enabled
|
||||
ansible.builtin.include_tasks: hydra-ldap.yml
|
||||
when: enable_hydra_ldap
|
||||
|
||||
- name: Start OIDC Test app if enabled
|
||||
ansible.builtin.include_tasks: start-oidc-test.yml
|
||||
when: enable_oidc_test_app
|
||||
|
|
|
|||
|
|
@ -0,0 +1,24 @@
|
|||
# {{ ansible_managed }}
|
||||
# Voir https://forge.cadoles.com/Cadoles/hydra-werther/src/branch/develop/conf/hydra-werther.conf
|
||||
# pour les variables d'environnement disponibles
|
||||
PODMAN_ARGS="\
|
||||
-p 127.0.0.1:3005:8080 \
|
||||
--network=slirp4netns:allow_host_loopback=true \
|
||||
--replace --name 'cadoles-pod-hydra-ldap-v1' \
|
||||
--tz=local \
|
||||
-e 'WERTHER_DEV_MODE={{ hydra_ldap_dev_mode }}' \
|
||||
-e 'WERTHER_IDENTP_HYDRA_URL=http://10.0.2.2:4445' \
|
||||
-e 'WERTHER_LDAP_ENDPOINTS={{ hydra_ldap_endpoints | join(',') }}' \
|
||||
-e 'WERTHER_LDAP_BINDDN={{ hydra_ldap_bind_dn }}' \
|
||||
-e 'WERTHER_LDAP_BINDPW={{ hydra_ldap_bind_password }}' \
|
||||
-e 'WERTHER_LDAP_BASEDN={{ hydra_ldap_base_dn }}' \
|
||||
-e 'WERTHER_LDAP_USER_SEARCH_QUERY={{ hydra_ldap_user_search_query }}' \
|
||||
-e 'WERTHER_LDAP_ROLE_SEARCH_QUERY={{ hydra_ldap_role_search_query }}' \
|
||||
-e 'WERTHER_LDAP_ROLE_BASEDN={{ hydra_ldap_role_base_dn }}' \
|
||||
-e 'WERTHER_WEB_BASE_PATH={{ haproxy_hydra_ldap_base_path }}/' \
|
||||
-e 'WERTHER_LDAP_IS_TLS={{ hydra_ldap_use_tls }}' \
|
||||
-e 'WERTHER_LDAP_ATTR_CLAIMS={{ hydra_ldap_attr_claims }}' \
|
||||
-e 'WERTHER_LDAP_ROLE_ATTR={{ hydra_ldap_role_attr }}' \
|
||||
-e 'WERTHER_LDAP_ROLE_CLAIM={{ hydra_ldap_role_claim }}' \
|
||||
-e 'WERTHER_IDENTP_CLAIM_SCOPES={{ hydra_ldap_claim_scopes }}' \
|
||||
"
|
||||
|
|
@ -50,6 +50,9 @@ frontend http-in
|
|||
{% if enable_hydra_oidc %}
|
||||
acl login_oidc path_beg -i {{ haproxy_hydra_oidc_base_path }}
|
||||
{% endif %}
|
||||
{% if enable_hydra_ldap %}
|
||||
acl login_ldap path_beg -i {{ haproxy_hydra_ldap_base_path }}
|
||||
{% endif %}
|
||||
{% if enable_oidc_test_app %}
|
||||
acl oidc_test path_beg -i {{ haproxy_oidc_test_base_path }}
|
||||
{% endif %}
|
||||
|
|
@ -64,6 +67,9 @@ frontend http-in
|
|||
{% if enable_hydra_oidc %}
|
||||
use_backend hydra_oidc if login_oidc
|
||||
{% endif %}
|
||||
{% if enable_hydra_ldap %}
|
||||
use_backend hydra_ldap if login_ldap
|
||||
{% endif %}
|
||||
{% if enable_oidc_test_app %}
|
||||
use_backend oidc_test if oidc_test
|
||||
{% endif %}
|
||||
|
|
@ -118,6 +124,15 @@ backend hydra_saml
|
|||
server hydra-login-saml 127.0.0.1:3002 check
|
||||
{%- endif %}
|
||||
|
||||
{% if enable_hydra_ldap %}
|
||||
# Backend Hydra LDAP
|
||||
backend hydra_ldap
|
||||
balance roundrobin
|
||||
http-request set-path %[path,regsub(^{{ haproxy_hydra_ldap_base_path }},)]
|
||||
http-request set-header X-Forwarded-Prefix {{ haproxy_hydra_ldap_base_path }}
|
||||
server hydra-login-ldap 127.0.0.1:3005 check
|
||||
{%- endif %}
|
||||
|
||||
{% if enable_oidc_test_app %}
|
||||
backend oidc_test
|
||||
balance roundrobin
|
||||
|
|
|
|||
|
|
@ -36,4 +36,16 @@ hydra:
|
|||
logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_oidc_base_path }}/logout"
|
||||
attributes_rewrite_rules: {{ hydra_oidc_attributes_rewrite_rules | to_json }}
|
||||
icon_url: "{{ hydra_oidc_app_icon_url }}"
|
||||
{% endif %}
|
||||
{% if enable_hydra_ldap %}
|
||||
- id: ldap
|
||||
title:
|
||||
fr: "{{ hydra_ldap_app_title }}"
|
||||
description:
|
||||
fr: "{{ hydra_ldap_app_description }}"
|
||||
login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_ldap_base_path }}/auth/login"
|
||||
consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_ldap_base_path }}/auth/consent"
|
||||
logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_ldap_base_path }}/auth/logout"
|
||||
attributes_rewrite_rules: {{ hydra_ldap_attributes_rewrite_rules | to_json }}
|
||||
icon_url: "{{ hydra_ldap_app_icon_url }}"
|
||||
{% endif %}
|
||||
Loading…
Reference in New Issue