Merge pull request #25 from roumano/ldap_backend

Ldap backend
mrlesmithjr · Jul 27, 2023 · 68e6053 · 68e6053
2 parents f9b98fe + ec644ee
commit 68e6053
Show file tree

Hide file tree

Showing 5 changed files with 159 additions and 0 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -12,6 +12,9 @@ guacamole_dl_url: "{{ 'http://apache.org/dyn/closer.cgi?action=download&filename
 
 guacamole_server_hostname: localhost
 
+# Authentication LDAP
+guacamole_auth_ldap_package: "{{ 'guacamole-auth-ldap-' + guacamole_version + '.tar.gz' }}"
+
 # Authentication TOPT
 guacamole_auth_totp_package: "{{ 'guacamole-auth-totp-' + guacamole_version + '.tar.gz' }}"
 

diff --git a/tasks/ldap.yml b/tasks/ldap.yml
@@ -0,0 +1,29 @@
+---
+# Documentation : https://guacamole.apache.org/doc/gug/ldap-auth.html#how-guacamole-uses-ldap
+
+- name: config | Downloading Auth LDAP Library
+  ansible.builtin.unarchive:
+    src: "{{ guacamole_dl_url + '/binary/' + guacamole_auth_ldap_package }}"
+    dest: "{{ guacamole_src_dir }}"
+    remote_src: true
+  become: true
+
+- name: config | Copying Auth LDAP Connector  # noqa risky-file-permissions
+  ansible.builtin.copy:
+    src: "{{ guacamole_src_dir + '/' + 'guacamole-auth-ldap-' + guacamole_version + '/' + 'guacamole-auth-ldap-' + guacamole_version + '.jar' }}"
+    dest: /etc/guacamole/extensions/
+    owner: "{{ guacamole_tomcat_user }}"
+    group: "{{ guacamole_tomcat_user }}"
+    remote_src: true
+  become: true
+
+- name: config | Configuring ldap-servers.yml
+  ansible.builtin.template:
+    src: etc/guacamole/ldap-servers.yml.j2
+    dest: /etc/guacamole/ldap-servers.yml
+    owner: "{{ guacamole_tomcat_user }}"
+    group: "{{ guacamole_tomcat_user }}"
+    mode: u=rw,g=r,o=r
+  become: true
+  notify:
+    - "restart {{ guacamole_tomcat_service }}"
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -23,6 +23,10 @@
 - name: Manage Guacamole client configurations
   ansible.builtin.include_tasks: client.yml
 
+- name: Manage Guacamole LDAP authentication
+  ansible.builtin.include_tasks: ldap.yml
+  when: guacamole_ldap is defined
+
 - name: Manage Guacamole TOTP configurations
   ansible.builtin.include_tasks: totp.yml
   when: guacamole_totp | default(false) | bool
diff --git a/templates/etc/guacamole/guacamole.properties.j2 b/templates/etc/guacamole/guacamole.properties.j2
@@ -39,3 +39,64 @@ openid-username-claim-type: {{ guacamole_openid['username-claim-type'] }}
 openid-groups-claim-type: {{ guacamole_openid['groups-claim-type'] }}
 openid-allowed-clock-skew: {{ guacamole_openid['allowed-clock-skew'] }}
 {% endif %}
+{% if guacamole_ldap is defined %}
+{# ldap-hostname is define in ldap-servers.yml to premit multiple ldap server #}
+{% if guacamole_ldap['port'] is defined %}
+ldap-port: {{ guacamole_ldap['port'] }}
+{% endif %}
+{% if guacamole_ldap['encryption_method'] is defined %}
+ldap-encryption-method: {{ guacamole_ldap['encryption_method'] }}
+{% endif %}
+{% if guacamole_ldap['max_search_results'] is defined %}
+ldap-max-search-results: {{ guacamole_ldap['max_search_results'] }}
+{% endif %}
+{% if guacamole_ldap['search_bind_dn'] is defined %}
+ldap-search-bind-dn: {{ guacamole_ldap['search_bind_dn'] }}
+{% endif %}
+{% if guacamole_ldap['search_bind_password'] is defined %}
+ldap-search-bind-password: {{ guacamole_ldap['search_bind_password'] }}
+{% endif %}
+{% if guacamole_ldap['user_base_dn'] is defined %}
+ldap-user-base-dn: {{ guacamole_ldap['user_base_dn'] }}
+{% endif %}
+{% if guacamole_ldap['username_attribute'] is defined %}
+ldap-username-attribute: {{ guacamole_ldap['username_attribute'] }}
+{% endif %}
+{% if guacamole_ldap['member_attribute'] is defined %}
+ldap-member-attribute: {{ guacamole_ldap['member_attribute'] }}
+{% endif %}
+{% if guacamole_ldap['member_attribute_type'] is defined %}
+ldap-member-attribute-type: {{ guacamole_ldap['member_attribute_type'] }}
+{% endif %}
+{% if guacamole_ldap['member_attribute_type'] is defined %}
+{# https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens #}
+ldap-user-attributes: {{ guacamole_ldap['member_attribute_type'] }}
+{% endif %}
+{% if guacamole_ldap['search_filter'] is defined %}
+ldap-user-search-filter: {{ guacamole_ldap['search_filter'] }}
+{% endif %}
+{% if guacamole_ldap['config_base_dn'] is defined %}
+ldap-config-base-dn: {{ guacamole_ldap['config_base_dn'] }}
+{% endif %}
+{% if guacamole_ldap['group_base_dn'] is defined %}
+ldap-group-base-dn: {{ guacamole_ldap['group_base_dn'] }}
+{% endif %}
+{% if guacamole_ldap['group_name_attribute'] is defined %}
+ldap-group-name-attribute: {{ guacamole_ldap['group_name_attribute'] }}
+{% endif %}
+{% if guacamole_ldap['group_search_filter'] is defined %}
+ldap-group-search-filter: {{ guacamole_ldap['group_search_filter'] }}
+{% endif %}
+{% if guacamole_ldap['dereference_aliases'] is defined %}
+ldap-dereference-aliases: {{ guacamole_ldap['dereference_aliases'] }}
+{% endif %}
+{% if guacamole_ldap['follow_referrals'] is defined %}
+ldap-follow-referrals: {{ guacamole_ldap['follow_referrals'] }}
+{% endif %}
+{% if guacamole_ldap['max_referral_hops'] is defined %}
+ldap-max-referral-hops: {{ guacamole_ldap['max_referral_hops'] }}
+{% endif %}
+{% if guacamole_ldap['operation_timeout'] is defined %}
+ldap-operation-timeout: {{ guacamole_ldap['operation_timeout'] }}
+{% endif %}
+{% endif %}
diff --git a/templates/etc/guacamole/ldap-servers.yml.j2 b/templates/etc/guacamole/ldap-servers.yml.j2
@@ -0,0 +1,62 @@
+{{ ansible_managed | comment }}
+{% for ldap in guacamole_ldap.servers %}
+- hostname: {{ ldap.name }}
+{% if ldap['port'] is defined %}
+  port: {{ ldap['port'] }}
+{% endif %}
+{% if ldap['encryption_method'] is defined %}
+  encryption-method: {{ ldap['encryption_method'] }}
+{% endif %}
+{% if ldap['max_search_results'] is defined %}
+  max-search-results: {{ ldap['max_search_results'] }}
+{% endif %}
+{% if ldap['search_bind_dn'] is defined %}
+  search-bind-dn: {{ ldap['search_bind_dn'] }}
+{% endif %}
+{% if ldap['search_bind_password'] is defined %}
+  search-bind-password: {{ ldap['search_bind_password'] }}
+{% endif %}
+{% if ldap['user_base_dn'] is defined %}
+  user-base-dn: {{ ldap['user_base_dn'] }}
+{% endif %}
+{% if ldap['username_attribute'] is defined %}
+  username-attribute: {{ ldap['username_attribute'] }}
+{% endif %}
+{% if ldap['member_attribute'] is defined %}
+  member-attribute: {{ ldap['member_attribute'] }}
+{% endif %}
+{% if ldap['member_attribute_type'] is defined %}
+  member-attribute-type: {{ ldap['member_attribute_type'] }}
+{% endif %}
+{% if ldap['member_attribute_type'] is defined %}
+{# https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens #}
+  user-attributes: {{ ldap['member_attribute_type'] }}
+{% endif %}
+{% if ldap['search_filter'] is defined %}
+  user-search-filter: {{ ldap['search_filter'] }}
+{% endif %}
+{% if ldap['config_base_dn'] is defined %}
+  config-base-dn: {{ ldap['config_base_dn'] }}
+{% endif %}
+{% if ldap['group_base_dn'] is defined %}
+  group-base-dn: {{ ldap['group_base_dn'] }}
+{% endif %}
+{% if ldap['group_name_attribute'] is defined %}
+  group-name-attribute: {{ ldap['group_name_attribute'] }}
+{% endif %}
+{% if ldap['group_search_filter'] is defined %}
+  group-search-filter: {{ ldap['group_search_filter'] }}
+{% endif %}
+{% if ldap['dereference_aliases'] is defined %}
+  dereference-aliases: {{ ldap['dereference_aliases'] }}
+{% endif %}
+{% if ldap['follow_referrals'] is defined %}
+  follow-referrals: {{ ldap['follow_referrals'] }}
+{% endif %}
+{% if ldap['max_referral_hops'] is defined %}
+  max-referral-hops: {{ ldap['max_referral_hops'] }}
+{% endif %}
+{% if ldap['operation_timeout'] is defined %}
+  operation-timeout: {{ ldap['operation_timeout'] }}
+{% endif %}
+{% endfor %}