Module Request: system_access_servers

[lukpre]

Module Description

This Module should allow configuring access methods to OPNsense GUI (LDAP, Radius, Voucher) under System -> Access -> Server.

Minimum Viable Product (MVP)

module: system_access_servers
short_description: Configure access methods used for authentication on the Webgui
description:
  - This Module allows you to configure different access methods (ex: LDAP) to secure the Web frontend of the OPNsense firewall. 
options:
  description:
    description: "Descriptive name of your access server"
    required: true
    type: str
  type:
    description: "The access type you want to configure"
    required: true
    default: LDAP
    choices: 
      - LDAP
      - LDAP + Timebased One Time Password
      - Local + Timebased One Time Password
      - Radius
      - Voucher
    type: list
    elements: str
  hostname:
    description: "Hostname or IP address of your access server instance"
    required: true
    type: str
  port:
    description: "Port of your access server instance."
    required: true
    default: 389
    type: int
  transport:
    description: "Transport protocol to use to connect to your server.  When choosing StartTLS or SSL, please configure the required private CAs in System -> Trust "
    required: true
    default: TCP - Standard
    choices:
      - TCP - Standard
      - StarTLS
      - SSL - Encrypted
    type: list
    elements: str
  protocol_version:
    description: "Select protocol version"
    default: 3
    choices:
      - 3
      - 2
    type: list
    elements: int
   bind_credentials:
    description: "Bind user and credentials specified with two keys user_dn and password"
    choices:
      - user_dn: <CN=Binduser,OU=Staff,O=Company,DC=example,DC=com>
      - password: <password for bind user>
    type: dict
  search_scope:
    description: "The scope of how many levels the Base DN get searched for users."
    required: true
    default: "One Level"
    choices:
      - One Level
      - Entire Subtree
    type: list
    elements: str
  authentication_containers:
    description: "Semicolon-separated list of distinguished names DC= components."
    required: true
    type: str
  extended_query:
    description: "Extended LDAP Query to map additional attributes."
    type: str
  initial_template:
    description: "Select if using OpenLDAP, Microsoft AD or Novell eDirectory"
    required: true
    default: "OpenLDAP"
    choices:
      - OpenLDAP
      - Microsoft AD
      - Novell eDirectory
    type: list
    elements: str
  user_naming_attribute:
    description: "LDAP attribute to map usernames."
    required: true
    default: "cn"
    type: str
  read_properties:
    description: " Normally the authentication only tries to bind to the remote server, when this option is enabled also the objects properties are fetched, can be practical for debugging purposes. "
    default: false
    type: bool
  synchronize_groups:
    description: "Synchronize groups specified by memberOf or class attribute after login, this option requires to enable read properties. Groups will be extracted from the first CN= section and will only be considered when already existing in OPNsense. Group memberships will be persisted in OPNsense."
    default: false
    type: bool
  constraint_groups:
    description: " Constraint allowed groups to those selected in the container section. This may offer additional security in cases where users are able to inject memberOf attributes in different trees. "
    default: false
    type: bool
  limit_groups:
    description: " Limit the groups which may be used by this authenticator, keep empty to consider all local groups in OPNsense. When groups are selected, you can assign unassigned groups to the user manually "
    default: "Nothing selected
    type: list
    elements: string
  automatic_user_creation:
    description: " To be used in combination with synchronize groups, allow the authenticator to create new local users after successful login with group memberships returned for the user. "
    default: false
    type: bool
  match_case_insensitive:
    description: " Allow mixed case input when gathering local user settings. "
   default: false
    type: bool
  state:
    description: "Whether to add or update (`present`) or remove (`absent`) an server access configuration.
    type: str
    choices: 
       - present
       - absent 
    elements: str 

Examples

Example1: Adding an ldap access server (simple)

---
- name: Configure ldap authentication server without a bind-user
  puzzle.opnsense.system_access_servers:
    description: "My ldap server"
    hostname: "ldap.example.com"
    base_dn: "dc=example,dc=com"
    authentication_container: "ou=sysadmins,dc=example,dc=com"    

Example2: Adding an ldap access server using ldaps and a binduser

---
- name: Configure ldaps authentication server with a bind-user
  puzzle.opnsense.system_access_servers:
    description: "My ldap secured server"
    hostname: "ldap.example.com"
    port: 636
    transport: "SSL - Encrypted"
    bind_credentials:
      user_dn: "uid=mybinduser,ou=bindusers,dc=example,dc=com"
      password: "secret123"
    base_dn: "dc=example,dc=com"
    authentication_container: "ou=sysadmins,dc=example,dc=com"    

Additional Notes (Optional)

* Be aware that this module request currently only takes the LDAP access type into consideration. 
  The options of the module will change depending on the type selection. This can be verified in the Webgui
  when selecting a different Type. For completion the choices are listed in the option `type` but the fields only 
  reflect the options required for the LDAP access Type. 
* You have to activate the option "read_properties" in order to configure the options synchronize_groups, 
  constraint_groups or automatic_user_creation (tested on webgui)