proxmox: add LDAP user sync script

Since OIDC auth doesn’t support groups, get them from AD over LDAP. Add a script to fetch user and groups, and update /etc/pve/user.cfg. The script is only installed on one node (first alphabetically), with a cron job to run it daily. The script is installed for clusters with the sync-ldap context key set to a corresponding OIDC realm. The keys ldap_user and ldap_pass must be present in the password store under cluster/<name>.
2024-05-14 12:04:35 +02:00 · 2024-05-14 12:04:35 +02:00 · 3f53c84865
commit 3f53c84865
parent 5762236ac2
3 changed files with 86 additions and 0 deletions
--- a/roles/proxmox/tasks/main.yml
+++ b/roles/proxmox/tasks/main.yml
@ -52,3 +52,5 @@
 - include_tasks: firewall.yml

 - include_tasks: frr.yml
+
+- include_tasks: user.yml
--- a/roles/proxmox/tasks/user.yml
+++ b/roles/proxmox/tasks/user.yml
@ -0,0 +1,27 @@
+- block:
+    - set_fact:
+        primary: '{{ nodes | map(attribute="inventory_hostname") | sort | first }}'
+
+    - name: Install LDAP sync script
+      template:
+        dest: /usr/local/bin/sync-ldap.py
+        src: sync-ldap.py.j2
+        mode: 0700
+      when: primary == inventory_hostname
+
+    - name: Remove LDAP sync script
+      file:
+        path: /usr/local/bin/sync-ldap.py
+        state: absent
+      when: primary != inventory_hostname
+
+    - name: Configure cronjob
+      cron:
+        name: 'sync LDAP users and groups'
+        job: 'ip vrf exec default /usr/local/bin/sync-ldap.py'
+        user: root
+        cron_file: sync-ldap
+        hour: "2"
+        minute: "51"
+        state: '{{ "present" if inventory_hostname == primary else "absent" }}'
+  when: '"sync-ldap" in hostvars[inventory_hostname]'