Timotej Lazar
3f53c84865
Since OIDC auth doesn’t support groups, get them from AD over LDAP. Add a script to fetch user and groups, and update /etc/pve/user.cfg. The script is only installed on one node (first alphabetically), with a cron job to run it daily. The script is installed for clusters with the sync-ldap context key set to a corresponding OIDC realm. The keys ldap_user and ldap_pass must be present in the password store under cluster/<name>.
28 lines
820 B
YAML
28 lines
820 B
YAML
- block:
|
|
- set_fact:
|
|
primary: '{{ nodes | map(attribute="inventory_hostname") | sort | first }}'
|
|
|
|
- name: Install LDAP sync script
|
|
template:
|
|
dest: /usr/local/bin/sync-ldap.py
|
|
src: sync-ldap.py.j2
|
|
mode: 0700
|
|
when: primary == inventory_hostname
|
|
|
|
- name: Remove LDAP sync script
|
|
file:
|
|
path: /usr/local/bin/sync-ldap.py
|
|
state: absent
|
|
when: primary != inventory_hostname
|
|
|
|
- name: Configure cronjob
|
|
cron:
|
|
name: 'sync LDAP users and groups'
|
|
job: 'ip vrf exec default /usr/local/bin/sync-ldap.py'
|
|
user: root
|
|
cron_file: sync-ldap
|
|
hour: "2"
|
|
minute: "51"
|
|
state: '{{ "present" if inventory_hostname == primary else "absent" }}'
|
|
when: '"sync-ldap" in hostvars[inventory_hostname]'
|