Support syncing users and groups for ldap-based realms

mrtwnklr · mrtwnklr · commit 13f2a8082a0d · 2023-03-07T23:21:22.000+01:00
diff --git a/README.md b/README.md
@@ -466,6 +466,7 @@ you need to install the `ifupdown2` package. Note that this will remove
 You can set realms / domains as authentication sources in the `domains.cfg` configuration file.
 If this file is not present, only the `Linux PAM` and `Proxmox VE authentication server` realms
 are available. Supported types are `pam`, `pve`, `ad` and `ldap`.
+It’s possible to automatically sync users and groups for LDAP-based realms (LDAP & Microsoft Active Directory) with `sync: true`.
 One realm should have the `default: 1` property to mark it as the default:
 
 ```
@@ -489,6 +490,7 @@ pve_domains_cfg:
       server2: dc02.yourdomain.com
   - name: ldap
     type: ldap
+    sync: true
     attributes:
       comment: LDAP authentication
       base_dn: CN=Users,dc=yourdomain,dc=com
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -241,6 +241,27 @@
   with_items: "{{ pve_users }}"
   when: "not pve_cluster_enabled | bool or (pve_cluster_enabled | bool and inventory_hostname == groups[pve_group][0])"
 
+- import_tasks: realms_config.yml
+  when:
+    - not pve_cluster_enabled | bool or (pve_cluster_enabled and inventory_hostname == groups[pve_group][0])
+    - pve_domains_cfg | length > 0
+
+- name: Select ldap-based realms with sync
+  set_fact:
+    pve_ldap_realms_with_sync: |
+      {{ pve_domains_cfg | selectattr('type', 'in', ['ad', 'ldap'])
+                         | selectattr('sync', 'defined') }}
+
+- name: Sync ldap-based realms
+  include_tasks: realms_sync.yml
+  loop: "{{ pve_ldap_realms_with_sync | flatten(levels=1) }}"
+  loop_control:
+    loop_var: pve_ldap_realm
+  when:
+    - not pve_cluster_enabled | bool or (pve_cluster_enabled and inventory_hostname == groups[pve_group][0])
+    - pve_domains_cfg | length > 0
+    - pve_ldap_realm.sync | bool
+
 - name: Configure Proxmox ACLs
   proxmox_acl:
     path: "{{ item.path }}"
@@ -322,11 +343,6 @@
     - "not pve_cluster_enabled | bool or (pve_cluster_enabled | bool and inventory_hostname == groups[pve_group][0])"
     - "pve_datacenter_cfg | length > 0"
 
-- import_tasks: realms_config.yml
-  when:
-    - not pve_cluster_enabled | bool or (pve_cluster_enabled and inventory_hostname == groups[pve_group][0])
-    - pve_domains_cfg | length > 0
-
 - import_tasks: ssl_config.yml
   when:
     - "pve_ssl_private_key is defined"
diff --git a/tasks/realms_sync.yml b/tasks/realms_sync.yml
@@ -0,0 +1,59 @@
+---
+# expects to be called with variable pve_ldap_realm set
+
+- name: Get pre-sync state of groups
+  ansible.builtin.shell: pveum group list --output-format json-pretty
+  register: groups_before
+  changed_when: false
+
+- name: Get pre-sync state of users
+  ansible.builtin.shell: pveum user list --output-format json-pretty
+  register: users_before
+  changed_when: false
+
+- name: "Sync ldap-based realm {{ pve_ldap_realm.name }}"
+  ansible.builtin.shell: |
+    pveum realm sync {{ pve_ldap_realm.name }}
+  changed_when: false
+
+- name: Get post-sync state of groups
+  ansible.builtin.shell: pveum group list --output-format json-pretty
+  register: groups_after
+  changed_when: false
+
+- name: Get post-sync state of users
+  ansible.builtin.shell: pveum user list --output-format json-pretty
+  register: users_after
+  changed_when: false
+
+- name: Create temporary file for pre-post-sync comparation
+  ansible.builtin.tempfile:
+    state: file
+    suffix: pve_realm_sync_pre
+  register: pre_sync_content
+  changed_when: false
+
+- name: Save pre-sync state of groups and users
+  ansible.builtin.copy:
+    content: |
+      {{ groups_before.stdout | from_json | sort(attribute='groupid') | to_yaml }}
+      {{ users_before.stdout | from_json | sort(attribute='userid') | to_yaml }}
+    dest: "{{ pre_sync_content.path }}"
+  changed_when: false
+  when: not ansible_check_mode
+
+- name: "Compare to post-sync state of groups and users for realm {{ pve_ldap_realm.name }}"
+  ansible.builtin.copy:
+    content: |
+      {{ groups_after.stdout | from_json | sort(attribute='groupid') | to_yaml }}
+      {{ users_after.stdout | from_json | sort(attribute='userid') | to_yaml }}
+    dest: "{{ pre_sync_content.path }}"
+  when: not ansible_check_mode
+  diff: true
+
+- name: Remove the temporary file for pre-post-sync comparation
+  ansible.builtin.file:
+    path: "{{ pre_sync_content.path }}"
+    state: absent
+  when: not ansible_check_mode
+  changed_when: false
