Update to 2020-09-30 00:00

4 years ago · 06c89e7fb7
parent 4e6ece362a
commit 06c89e7fb7
7 changed files with 159 additions and 5 deletions
--- a/roles/jitsi/defaults/main.yml
+++ b/roles/jitsi/defaults/main.yml
@ -133,11 +133,11 @@ jitsi_meet_interface_conf_base:
    - camera
    - closedcaptions
    - desktop
+    - embedmeeting
    - fullscreen
    - fodeviceselection
    - hangup
    - profile
-    - info
    - chat
    #- recording
    #- livestreaming
@ -156,6 +156,7 @@ jitsi_meet_interface_conf_base:
    - download
    - help
    - mute-everyone
+    - security
    #- localrecording
  SETTINGS_SECTIONS:
    - devices
--- a/roles/mayan_edms/defaults/main.yml
+++ b/roles/mayan_edms/defaults/main.yml
@ -32,3 +32,64 @@ mayan_from_mail: mayan-edsm@{{ ansible_domain }}

 # Main language for document
 mayan_doc_lang: fra
+
+# LDAP Auth
+# Most of these settings will try to detect system auth config
+# and use them. But you can override if you want
+#
+# This is to turn on of off LDAP auth
+mayan_ldap_auth: "{{ (ad_auth | default(False) or ldap_auth | default(False)) | ternary(True,False) }}"
+# URI of your LDAP server, eg ldap://ldap.example.org:389
+mayan_ldap_uri: "{{ ad_auth | default(False) | ternary('ldap://' + ad_realm | default(samba_realm) | default(ansible_domain) | lower,ldap_uri) }}"
+# SHould Start TLS be used ?
+mayan_ldap_start_tls: True
+# Base of your LDAP tree. Eg DC=example,DC=org
+mayan_ldap_base: "{{ ad_auth | default(False) | ternary('DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='), ldap_base) }}"
+# If your directory only allow authenticated searches, you can define it here
+# mayan_ldap_bind_dn:
+# mayan_ldap_bind_pass:
+#
+# If set, will restrict user search in these OU. Default is to search from the base
+# Eg
+# mayan_ldap_user_ou:
+#   - OU=People,DC=example,DC=org
+#   - OU=Presta,DC=example,DC=org
+mayan_ldap_user_ou: []
+# Filter to search for users
+mayan_ldap_user_filter: "{{ ad_auth | default(False) | ternary('(sAMAccountName=%(user)s)','(uid=%(user)s)') }}"
+# Mapping of LDAP attributes into Django attributes
+mayan_ldap_user_attr_map:
+  username: "{{ ad_auth | default(False) | ternary('sAMAccountName','uid') }}"
+  first_name: givenName
+  last_name: sn
+  email: mail
+
+# Same for groups
+mayan_ldap_group_ou: []
+# How are group represented in your directory.
+# See https://django-auth-ldap.readthedocs.io/en/latest/groups.html for a list of valid values
+mayan_ldap_group_type: "{{ ad_auth | default(False) | ternary('NestedActiveDirectoryGroupType','PosixGroupType') }}"
+# LDAP filter to search for groups
+mayan_ldap_group_filter: "{{ ad_auth | default(False) | ternary('(objectClass=group)','(objectClass=posixGroup)') }}"
+
+# If defined, will either require user to be part of one of those groups,
+# or forbid access to membres of those groups
+# mayan_ldap_require_group:
+#   - CN=Admins,OU=Groups,DC=example,DC=org
+#   - CN=Board,OU=Groups,DC=example,DC=org
+#
+# mayan_ldap_deny_group:
+#   - CN=Guests,OU=Groups,DC=example,DC=org
+
+# Useful to debug LDAP related issues
+mayan_ldap_debug: False
+
+# Custom settings to set in the auth.py module
+# Eg
+# mayan_auth_custom_conf: |
+# AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+#     'is_active': 'CN=Role_EDMS,OU=Roles,DC=example,DC=org',
+#     'is_staff': 'CN=Role_Staff,OU=Roles,DC=example,DC=org',
+#     'is_superuser': 'CN=Role_Infra_Admin,OU=Roles,DC=example,DC=org',
+# }
+
--- a/roles/mayan_edms/meta/main.yml
+++ b/roles/mayan_edms/meta/main.yml
@ -2,6 +2,7 @@

 dependencies:
  - role: mkdir
+  - role: repo_remi_safe # for gnupg1
  - role: mysql_server
    when: mayan_db_server == '127.0.0.1' or mayan_db_server == 'localhost'
  - role: redis_server
--- a/roles/mayan_edms/tasks/directories.yml
+++ b/roles/mayan_edms/tasks/directories.yml
@ -7,13 +7,12 @@
    group: "{{ item.group | default(omit) }}"
    mode: "{{ item.mode | default(omit) }}"
  loop:
-    - path: "{{ mayan_root_dir }}/venv"
    - path: "{{ mayan_root_dir }}/meta"
      mode: 700
    - path: "{{ mayan_root_dir }}/tmp"
      mode: 700
      owner: "{{ mayan_user }}"
-    - path: "{{ mayan_root_dir }}/data"
+    - path: "{{ mayan_root_dir }}/data/mayan_settings/"
      mode: 700
      owner: "{{ mayan_user }}"
    - path: "{{ mayan_root_dir }}/archive"
--- a/roles/mayan_edms/tasks/install.yml
+++ b/roles/mayan_edms/tasks/install.yml
@ -13,7 +13,7 @@
      - mysql-devel
      - libexif
      - ghostscript
-      - gnupg
+      - gnupg1
      - graphviz
      - fuse-libs
      - file-libs
@ -28,6 +28,14 @@
      - python-setuptools
  tags: mayan

+# WHen using upstream MariaDB repo, we have to install MariaDB-shared
+- name: Install MariaDB shared libs
+  yum:
+    name:
+      - MariaDB-shared
+  when: mysql_mariadb_version is defined and mysql_mariadb_version != 'default'
+  tags: mayan
+
 - name: Wipe the venv on upgrades
  file: path={{ mayan_root_dir }}/venv state=absent
  when: mayan_install_mode=='upgrade'
@ -43,6 +51,8 @@
      - pip
      - redis
      - mysql
+      - python-ldap
+      - django_auth_ldap
    state: "{{ (mayan_install_mode == 'none') | ternary('present', 'latest') }}"
    virtualenv: "{{ mayan_root_dir }}/venv"
    virtualenv_command: /usr/bin/virtualenv-3
@ -90,6 +100,7 @@
    - mayan-edms-worker-slow.service
    - mayan-edms-beat.service
  register: mayan_systemd_units
+  notify: restart mayan-edms
  tags: mayan

 - name: Reload systemd
@ -103,3 +114,9 @@
    - pre
    - post
  tags: mayan
+
+- name: Deploy auth configuration
+  template: src=auth.py.j2 dest={{ mayan_root_dir }}/data/mayan_settings/auth.py group={{ mayan_user }} mode=640
+  when: mayan_ldap_auth
+  notify: restart mayan-edms
+  tags: mayan
--- a/roles/mayan_edms/templates/auth.py.j2
+++ b/roles/mayan_edms/templates/auth.py.j2
@ -0,0 +1,70 @@
+import ldap
+
+from django_auth_ldap.config import (
+    LDAPSearch, LDAPSearchUnion, {{ mayan_ldap_group_type }}
+)
+
+from mayan.settings.production import *
+
+ldap.set_option(ldap.OPT_DEBUG_LEVEL, {{ mayan_ldap_debug | ternary('1','0') }})
+
+AUTH_LDAP_ALWAYS_UPDATE_USER = True
+LDAP_USER_AUTO_CREATION = True
+
+AUTH_LDAP_START_TLS = {{ mayan_ldap_start_tls | ternary('True','False') }}
+
+{% if mayan_ldap_bind_dn is defined and mayan_ldap_bind_pass is defined %}
+AUTH_LDAP_BIND_DN = '{{ mayan_ldap_bind_dn }}'
+AUTH_LDAP_BIND_PASSWORD = '{{ mayan_ldap_bind_pass }}'
+{% endif %}
+LDAP_BASE_DN = '{{ mayan_ldap_base }}'
+AUTH_LDAP_SERVER_URI = '{{ mayan_ldap_uri }}'
+
+{% if mayan_ldap_user_ou | length > 0 %}
+AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
+{% for ou in mayan_ldap_user_ou %}
+    LDAPSearch(
+        '{{ ou }}', ldap.SCOPE_SUBTREE,
+        '{{ mayan_ldap_user_filter }}'
+    ),
+{% endfor %}
+)
+{% else %}
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+    '{{ mayan_ldap_base }}', ldap.SCOPE_SUBTREE,
+    '{{ mayan_ldap_user_filter }}'
+)
+{% endif %}
+
+AUTH_LDAP_USER_ATTR_MAP = {
+{% for attr in mayan_ldap_user_attr_map.keys() %}
+    '{{ attr }}': '{{ mayan_ldap_user_attr_map[attr] }}',
+{% endfor %}
+}
+
+{% if mayan_ldap_group_ou | length > 0 %}
+AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
+{% for ou in mayan_ldap_group_ou %}
+    LDAPSearch(
+        '{{ ou }}', ldap.SCOPE_SUBTREE,
+        '{{ mayan_ldap_group_filter }}'
+    ),
+{% endfor %}
+)
+{% else %}
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+    '{{ mayan_ldap_base }}', ldap.SCOPE_SUBTREE,
+    '{{ mayan_ldap_group_filter }}'
+)
+{% endif %}
+
+AUTH_LDAP_GROUP_TYPE = {{ mayan_ldap_group_type }}()
+
+AUTHENTICATION_BACKENDS = (
+    'django_auth_ldap.backend.LDAPBackend',
+    'django.contrib.auth.backends.ModelBackend'
+)
+
+{% if mayan_auth_custom_conf is defined %}
+{{ mayan_auth_custom_conf }}
+{% endif %}
--- a/roles/mayan_edms/templates/env.j2
+++ b/roles/mayan_edms/templates/env.j2
@ -1,10 +1,15 @@
 MAYAN_ALLOWED_HOSTS="['*']"
 PYTHONPATH="{{ mayan_root_dir }}/data/mayan_settings"
-DJANGO_SETTINGS_MODULE=mayan.settings.production
+DJANGO_SETTINGS_MODULE={{ mayan_ldap_auth | ternary('auth','mayan.settings.production') }}
 MAYAN_MEDIA_ROOT="{{ mayan_root_dir }}/data"
 MAYAN_CELERY_RESULT_BACKEND="{{ mayan_redis_url }}/{{ mayan_redis_db.result_backend }}"
 MAYAN_CELERY_BROKER_URL="{{ mayan_redis_url }}/{{ mayan_redis_db.broker }}"
 MAYAN_DATABASES="{default: {ENGINE: django.db.backends.mysql, HOST: '{{ mayan_db_server }}', NAME: '{{ mayan_db_user }}', PASSWORD: '{{ mayan_db_pass }}', USER: '{{ mayan_db_user }}'}}"
+MAYAN_DATABASE_ENGINE="django.db.backends.mysql"
+MAYAN_DATABASE_NAME={{ mayan_db_name | quote }}
+MAYAN_DATABASE_PASSWORD={{ mayan_db_pass | quote }}
+MAYAN_DATABASE_USER={{ mayan_db_user | quote }}
+MAYAN_DATABASE_HOST={{ mayan_db_server | quote }}
 MAYAN_DEFAULT_FROM_EMAIL={{ mayan_from_mail | quote }}
 MAYAN_DOCUMENTS_LANGUAGE={{ mayan_doc_lang }}
 MAYAN_SECURE_PROXY_SSL_HEADER="('HTTP_X_FORWARDED_PROTO', 'https')"