From cc78025c4742a16dccf50100e092c0081ff6b2df Mon Sep 17 00:00:00 2001 From: David Thorpe Date: Wed, 3 Apr 2024 14:23:36 +0200 Subject: [PATCH] Updated openldap-admin --- README.md | 28 ++++++++++++++++++------- _examples/openldap-admin.tf | 23 ++++++++++++++++++++ openldap-admin/input.tf | 12 +++++++++++ openldap-admin/main.tf | 3 ++- openldap-admin/nomad/openldap-admin.hcl | 20 +++++++++++++++++- 5 files changed, 77 insertions(+), 9 deletions(-) create mode 100755 _examples/openldap-admin.tf diff --git a/README.md b/README.md index c36c7c3..49a682d 100755 --- a/README.md +++ b/README.md @@ -108,20 +108,34 @@ TODO: * [ ] Add replication support * [ ] Add custom schema support + +## OpenLDAP Administation + +OpenLDAP administration, for adding users and groups, and changing +passwords + + * [Documentation](https://www.openldap.org/) + * [Terraform Example](_examples/openldap.tf) + * [Nomad Job](openldap/nomad/openldap.hcl) + +TODO: + * [ ] In progress + * [ ] Add TLS support + * [ ] Add replication support + * [ ] Add custom schema support + + ## PostgreSQL PostgreSQL is a database server - * [Documentation](https://www.postgresql.org/) - * [Terraform Example](_examples/postgresql.tf) - * [Nomad Job](postgresql/nomad/postgresql.hcl) + * [Documentation](https://github.com/wheelybird/ldap-user-manager) + * [Terraform Example](_examples/openldap-admin.tf) + * [Nomad Job](postgresql/openldap-admin/openldap-admin.hcl) TODO: - * [ ] LDAP integration * [ ] Add TLS support - * [ ] Add replication support - * [ ] Use volume instead when the data does not have '/' as prefix - * [ ] Add users, databases and roles support on initialization + * [ ] Add SNMP support ## seaweedfs diff --git a/_examples/openldap-admin.tf b/_examples/openldap-admin.tf new file mode 100755 index 0000000..500db8a --- /dev/null +++ b/_examples/openldap-admin.tf 
@@ -0,0 +1,23 @@ + +// Once the job is running, you should proceed to set-up http://:5000/setup +module "openldap-admin" { + source = "github.com/mutablelogic/tf-nomad//openldap-admin" + + // Required parameters + dc = local.datacenter // Nomad datacenter for the cluster + namespace = local.namespace // Nomad namespace for the cluster + hosts = ["cm1"] // Host constraint for the job + + // Optional parameters + enabled = true // If false, no-op + port = 5000 // Port to expose + service_dns = ["dns1", "dns2"] // Service discovery DNS + + // LDAP parameters + url = "ldap://openldap-ldap.default.nomad:389/" + basedn = format("dc=%s,dc=com",local.organization) + admin_password = local.LDAP_ADMIN_PASSWORD + organization = local.organization + domain = local.domain + debug = false +} diff --git a/openldap-admin/input.tf b/openldap-admin/input.tf index 87ec7da..79d2645 100755 --- a/openldap-admin/input.tf +++ b/openldap-admin/input.tf @@ -68,6 +68,12 @@ variable "basedn" { type = string } +variable "admin_user" { + description = "LDAP admin user" + type = string + default = "admin" +} + variable "admin_password" { description = "LDAP admin password" type = string @@ -83,3 +89,9 @@ variable "domain" { description = "Organization domain" type = string } + +variable "debug" { + description = "Debug output" + type = bool + default = false +} diff --git a/openldap-admin/main.tf b/openldap-admin/main.tf index 37630b5..197162f 100755 --- a/openldap-admin/main.tf +++ b/openldap-admin/main.tf @@ -4,7 +4,6 @@ resource "nomad_job" "openldap" { jobspec = file("${path.module}/nomad/openldap-admin.hcl") hcl2 { - allow_fs = true vars = { dc = jsonencode([var.dc]) namespace = var.namespace @@ -19,9 +18,11 @@ resource "nomad_job" "openldap" { port = var.port url = var.url basedn = var.basedn + admin_user = var.admin_user admin_password = var.admin_password organization = var.organization domain = var.domain + debug = var.debug } } } 
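Review bot: The example's `url` is plain `ldap://openldap-ldap.default.nomad:389/`, and the job file in this same patch derives `LDAP_REQUIRE_STARTTLS` from the URL scheme, so with this value the image is told not to insist on STARTTLS and the `admin_password` bind credential can travel to the directory unencrypted; the example should say so, e.g. `// Plain ldap:// waives the STARTTLS requirement and sends the admin bind password in clear text; use ldaps:// or enable TLS outside a trusted network`. The comment on the second added line reads `http://:5000/setup` with no host, which looks like a lost placeholder; `// Once the job is running, open http://<host>:5000/setup to complete set-up` would restore it. `admin_password = local.LDAP_ADMIN_PASSWORD` is fine as an example, but a short comment that the local should be populated from a sensitive variable or secret store rather than a literal would stop copy-paste users from committing the password.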
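Review bot: `admin_user` is interpolated unescaped into the bind DN in `openldap-admin/nomad/openldap-admin.hcl` (`format("cn=%s,%s", var.admin_user, var.basedn)`), so a value containing DN metacharacters such as `,`, `+`, `=` or `"` yields a malformed bind DN and the bind fails at runtime rather than at plan time; a `validation` block restricting the value to a plain RDN value catches this early. The same variable is declared again in the job file's first hunk in `openldap-admin/nomad/openldap-admin.hcl`, where the default `"admin"` is repeated; keep the two declarations in step if the constraint is added. The neighbouring `admin_password` declaration does not show `sensitive = true` in the visible context lines, but its block continues outside the hunk, so this may already be set.
```hcl
variable "admin_user" {
  description = "LDAP admin user"
  type        = string
  default     = "admin"

  validation {
    # Value is interpolated into "cn=%s,%s"; keep it a plain RDN value.
    condition     = can(regex("^[A-Za-z0-9._-]+$", var.admin_user))
    error_message = "admin_user must contain only letters, digits, '.', '_' or '-'."
  }
}
```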
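Review bot: `debug = var.debug` in the second `openldap-admin/main.tf` hunk passes a new hcl2 variable to the job, but none of this patch's hunks in `openldap-admin/nomad/openldap-admin.hcl` declare `variable "debug"` (the diffstat shows 20 changes for that file and the three hunks here account for all of them), so unless the job file already declared it I would expect Nomad to reject the job with an undefined-variable error. Either add `variable "debug" { type = bool default = false }` to the job file and consume it, or hold this line back until the job uses it. The removal of `allow_fs = true` in the first hunk is a welcome tightening and needs no change.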
diff --git a/openldap-admin/nomad/openldap-admin.hcl b/openldap-admin/nomad/openldap-admin.hcl
index 0b29f97..72f6241 100755
--- a/openldap-admin/nomad/openldap-admin.hcl
+++ b/openldap-admin/nomad/openldap-admin.hcl
@@ -81,6 +81,12 @@ variable "basedn" {
 type = string
 }
 
+variable "admin_user" {
+ description = "LDAP admin user"
+ type = string
+ default = "admin"
+}
+
 variable "admin_password" {
 description = "LDAP admin password"
 type = string
@@ -102,6 +108,13 @@ variable "domain" {
 type = string
 }
 
+///////////////////////////////////////////////////////////////////////////////
+// LOCALS
+
+locals {
+ starttls = substr(lower(trimspace(var.url)), 0, 5) == "ldap:" ? "FALSE" : "TRUE"
+}
+
 ///////////////////////////////////////////////////////////////////////////////
 // JOB
 
@@ -144,15 +157,20 @@ job "openldap-admin" {
 provider = var.service_provider
 }
 
+ ephemeral_disk {
+ migrate = true
+ }
+
 task "daemon" {
 driver = "docker"
 
 env {
 LDAP_URI = var.url
 LDAP_BASE_DN = var.basedn
- LDAP_ADMIN_BIND_DN = format("cn=admin,%s", var.basedn)
+ LDAP_ADMIN_BIND_DN = format("cn=%s,%s", var.admin_user, var.basedn)
 LDAP_ADMIN_BIND_PWD = var.admin_password
 LDAP_ADMINS_GROUP = var.admin_group
+ LDAP_REQUIRE_STARTTLS = local.starttls
 LDAP_USER_OU = "users"
 LDAP_GROUP_OU = "groups"
 NO_HTTPS = "true"
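Review bot: `local.starttls` is inferred from the URL scheme alone, so any `ldap://` URL — including the one in `_examples/openldap-admin.tf` — silently sets `LDAP_REQUIRE_STARTTLS = "FALSE"` and nothing tells the operator that the admin bind credentials may then be sent in clear text; a comment on the local should state this, e.g. `// STARTTLS is only waived for plain ldap:// URLs; any other scheme (ldaps://, ldapi://) keeps the requirement. A plain ldap:// URL sends the admin bind password unencrypted.` Whether the image treats `"TRUE"` sensibly when the URL is already `ldaps://` is not something this hunk shows and should be confirmed against the image documentation. An explicit `require_starttls` variable defaulting to this inference would let operators force the secure setting independently of the URL.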
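Review bot: `LDAP_ADMIN_BIND_PWD = var.admin_password`, the context line directly under the new `LDAP_ADMIN_BIND_DN`, keeps the admin bind password in the task's `env {}`, so it is stored in the job specification in Nomad's state and is readable through the job and allocation APIs by any token with job read access on the namespace; this is pre-existing, but since the hunk is already reworking the bind settings it is the right moment to move the secret into a `template { env = true }` stanza fed from Vault or Nomad variables. `NO_HTTPS = "true"` also remains, so the web UI — and the `/setup` page the example points at — is served over plain HTTP unless something in front terminates TLS; a comment next to the new `LDAP_REQUIRE_STARTTLS` line documenting both transport settings together would make the deployment's exposure clear to whoever reads the job file.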