Merge branch 'duraz0rz-ldap-additions'

savoirfairelinux · May 18, 2017 · cdbf47d · cdbf47d
2 parents 6ead6a5 + 20916d3
commit cdbf47d
Show file tree

Hide file tree

Showing 6 changed files with 98 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -76,18 +76,81 @@ Setup an [SSL Reverse-proxy](https://books.sonatype.com/nexus-book/3.0/reference
     ldap_hostname: 'ldap.mycompany.com'
     ldap_port: 636
     ldap_search_base: 'dc=mycompany,dc=net'
+    ldap_auth: 'none' # or simple
+    ldap_auth_username: 'username' # if auth = simple
+    ldap_auth_password: 'password' # if auth = simple
     ldap_user_base_dn: 'ou=users'
     ldap_user_object_class: 'inetOrgPerson'
     ldap_user_id_attribute: 'uid'
     ldap_user_real_name_attribute: 'cn'
     ldap_user_email_attribute: 'mail'
+    ldap_user_subtree: false
+    ldap_map_groups_as_roles: false
     ldap_group_base_dn: 'ou=groups'
     ldap_group_object_class: 'posixGroup'
     ldap_group_id_attribute: 'cn'
     ldap_group_member_attribute: 'memberUid'
     ldap_group_member_format: '${username}'
+    ldap_group_subtree: false
 ```
 
+Example LDAP config for anonymous authentication (anonymous bind), this is also the "minimal" config :
+
+```
+  - ldap_name: 'Simplest LDAP config'
+    ldap_protocol: 'ldaps'
+    ldap_hostname: 'annuaire.mycompany.com'
+    ldap_search_base: 'dc=mycompany,dc=net'
+    ldap_port: 636
+    ldap_user_id_attribute: 'uid'
+    ldap_user_real_name_attribute: 'cn'
+    ldap_user_email_attribute: 'mail'
+    ldap_user_object_class: 'inetOrgPerson'
+```
+
+Example LDAP config for simple authentication (using a DSA account) :
+
+```
+  - ldap_name: 'LDAP config with DSA'
+    ldap_protocol: 'ldaps'
+    ldap_hostname: 'annuaire.mycompany.com'
+    ldap_port: 636
+    ldap_auth: 'simple'
+    ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'
+    ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault
+    ldap_search_base: 'dc=mycompany,dc=net'
+    ldap_user_base_dn: 'ou=users'
+    ldap_user_object_class: 'inetOrgPerson'
+    ldap_user_id_attribute: 'uid'
+    ldap_user_real_name_attribute: 'cn'
+    ldap_user_email_attribute: 'mail'
+    ldap_user_subtree: false
+```
+
+Example LDAP config for simple authentication (using a DSA account) + groups mapped as roles :
+
+```
+  - ldap_name: 'LDAP config with DSA'
+    ldap_protocol: 'ldaps'
+    ldap_hostname: 'annuaire.mycompany.com'
+    ldap_port: 636
+    ldap_auth: 'simple'
+    ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'
+    ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault
+    ldap_search_base: 'dc=mycompany,dc=net'
+    ldap_user_base_dn: 'ou=users'
+    ldap_user_object_class: 'inetOrgPerson'
+    ldap_user_id_attribute: 'uid'
+    ldap_user_real_name_attribute: 'cn'
+    ldap_user_email_attribute: 'mail'
+    ldap_map_groups_as_roles: true
+    ldap_group_base_dn: 'ou=groups'
+    ldap_group_object_class: 'groupOfNames'
+    ldap_group_id_attribute: 'cn'
+    ldap_group_member_attribute: 'member'
+    ldap_group_member_format: 'uid=${username},ou=users,dc=mycompany,dc=net'
+    ldap_group_subtree: false
+```
 
     nexus_privileges:
       - name: all-repos-read # used as key to update a privilege

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-nexus_version: '3.3.0-01'
+nexus_version: '3.3.1-01'
 nexus_package: "nexus-{{ nexus_version }}-unix.tar.gz"
 nexus_download_dir: '/tmp'
 nexus_backup_dir: '/var/nexus-backup'
@@ -22,6 +22,9 @@ nexus_backup_log: '/var/log/nexus-backup.log'
 
 # Nexus default properties
 nexus_default_port: 8081
+nexus_docker_hosted_port: 9080
+nexus_docker_proxy_port: 9081
+nexus_docker_group_port: 9082
 nexus_default_context_path: '/'
 
 nexus_admin_password: 'changeme' # Note : admin password change subsequent to first-time install is *not implemented* yet
@@ -232,21 +235,24 @@ _nexus_repos_docker_defaults:
 
 nexus_repos_docker_hosted:
   - name: docker-hosted
-    http_port: 9080
+    http_port: "{{ nexus_docker_hosted_port }}"
     v1_enabled: True
 
 nexus_repos_docker_proxy:
   - name: docker-proxy
-    http_port: 9081
+    http_port: "{{ nexus_docker_proxy_port }}"
     v1_enabled: True
     index_type: "HUB"
     proxy_url: "https://registry-1.docker.io"
     use_nexus_certificates_to_access_index: false
 
 nexus_repos_docker_group:
   - name: docker-group
-    http_port: 9082
+    http_port: "{{ nexus_docker_group_port }}"
     v1_enabled: True
+    member_repos:
+      - docker-hosted
+      - docker-proxy
 
 # RubyGems support
 _nexus_repos_rubygems_defaults:

diff --git a/files/groovy/create_repo_docker_group.groovy b/files/groovy/create_repo_docker_group.groovy
@@ -13,10 +13,7 @@ configuration = new Configuration(
                         v1Enabled : parsed_args.v1_enabled
                 ],
                 group: [
-                        memberNames: [
-                                "private-registry",
-                                "proxy-registry"
-                        ]
+                        memberNames: parsed_args.member_repos
                 ],
                 storage: [
                         writePolicy: parsed_args.write_policy.toUpperCase(),

diff --git a/files/groovy/setup_ldap.groovy b/files/groovy/setup_ldap.groovy
@@ -26,12 +26,11 @@ ldapConfig.setName(parsed_args.name)
 // Connection
 connection = new Connection()
 connection.setHost(new Connection.Host(Connection.Protocol.valueOf(parsed_args.protocol), parsed_args.hostname, Integer.valueOf(parsed_args.port)))
-if(parsed_args.auth != null && parsed_args.auth.equals("simple")){
+if (parsed_args.auth == "simple") {
     connection.setAuthScheme("simple")
     connection.setSystemUsername(parsed_args.username)
     connection.setSystemPassword(parsed_args.password)
-}
-else {
+} else {
     connection.setAuthScheme("none")
 }
 connection.setSearchBase(parsed_args.search_base)
@@ -49,12 +48,17 @@ mapping.setUserIdAttribute(parsed_args.user_id_attribute)
 mapping.setUserRealNameAttribute(parsed_args.user_real_name_attribute)
 mapping.setEmailAddressAttribute(parsed_args.user_email_attribute)
 
-mapping.setLdapGroupsAsRoles(true)
-mapping.setGroupBaseDn(parsed_args.group_base_dn)
-mapping.setGroupObjectClass(parsed_args.group_object_class)
-mapping.setGroupIdAttribute(parsed_args.group_id_attribute)
-mapping.setGroupMemberAttribute(parsed_args.group_member_attribute)
-mapping.setGroupMemberFormat(parsed_args.group_member_format)
+if (parsed_args.map_groups_as_roles) {
+    mapping.setLdapGroupsAsRoles(true)
+    mapping.setGroupBaseDn(parsed_args.group_base_dn)
+    mapping.setGroupObjectClass(parsed_args.group_object_class)
+    mapping.setGroupIdAttribute(parsed_args.group_id_attribute)
+    mapping.setGroupMemberAttribute(parsed_args.group_member_attribute)
+    mapping.setGroupMemberFormat(parsed_args.group_member_format)
+}
+
+mapping.setUserSubtree(parsed_args.user_subtree)
+mapping.setGroupSubtree(parsed_args.group_subtree)
 
 ldapConfig.setMapping(mapping)
 

diff --git a/pom.xml b/pom.xml
@@ -10,10 +10,10 @@
     <description>Fake project meant to be imported in an IDE (IntelliJ) to edit groovy scripts with classpath-aware completion</description>
 
     <properties>
-        <nx-version>3.0.2-02</nx-version>
+        <nx-version>3.3.1-01</nx-version>
     </properties>
     <build>
-        <sourceDirectory>templates/groovy</sourceDirectory>
+        <sourceDirectory>files/groovy</sourceDirectory>
     </build>
     <dependencies>
         <dependency>

diff --git a/tasks/setup_ldap_each.yml b/tasks/setup_ldap_each.yml
@@ -11,13 +11,16 @@
       username: "{{ item.ldap_auth_username | default('') }}"
       password: "{{ item.ldap_auth_password | default('') }}"
       search_base: "{{ item.ldap_search_base }}"
-      user_base_dn: "{{ item.ldap_user_base_dn }}"
+      user_base_dn: "{{ item.ldap_user_base_dn | default('ou=users') }}"
       user_object_class: "{{ item.ldap_user_object_class }}"
       user_id_attribute: "{{ item.ldap_user_id_attribute }}"
       user_real_name_attribute: "{{ item.ldap_user_real_name_attribute }}"
       user_email_attribute: "{{ item.ldap_user_email_attribute }}"
-      group_base_dn: "{{ item.ldap_group_base_dn }}"
-      group_object_class: "{{ item.ldap_group_object_class }}"
-      group_id_attribute: "{{ item.ldap_group_id_attribute }}"
-      group_member_attribute: "{{ item.ldap_group_member_attribute }}"
-      group_member_format: "{{ item.ldap_group_member_format }}"
+      map_groups_as_roles: "{{ item.ldap_map_groups_as_roles | default(false) }}"
+      group_base_dn: "{{ item.ldap_group_base_dn | default('ou=groups') }}"
+      group_object_class: "{{ item.ldap_group_object_class | default('groupOfNames') }}"
+      group_id_attribute: "{{ item.ldap_group_id_attribute | default('cn') }}"
+      group_member_attribute: "{{ item.ldap_group_member_attribute | default('member') }}"
+      group_member_format: "{{ item.ldap_group_member_format | default('uid=${username},ou=users,dc=yourcompany') }}"
+      user_subtree: "{{ item.ldap_user_subtree | default(false) }}"
+      group_subtree: "{{ item.ldap_group_subtree | default(false) }}"