jp-gouin/helm-openldap

LDAP object tree is only created if replication.enabled=false

ErikLundJensen opened this issue · 15 comments

Describe the bug
The documentation explains how to use the fields users and userPasswords to create users.
However, when replication is enabled (which it is by default) the users are not created.

To Reproduce
Values for Helm chart as in the documentation

users: user01,user02
userPasswords: bitnami1, bitnami2
group: readers

Expected behavior
Users are created in the ldap tree and assigned to the group.

Desktop (please complete the following information):

  • Version 4.1.2

Additional context
Workaround is to disable replication:

users: user01,user02
userPasswords: bitnami1, bitnami2
group: readers
replication:
  enabled: false
replicaCount: 1

The call to ldap_create_tree is never reached when replication is enabled:
https://github.com/bitnami/containers/blob/50c8e55a47598e50fd6392d6ff510f8472cb375a/bitnami/openldap/2.6/debian-11/rootfs/opt/bitnami/scripts/libopenldap.sh#L652

Hi @ErikLundJensen , it works for me with the following configuration:

global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: [""]
  storageClass: ""
  ldapDomain: "example.toto"
  ## Default Passwords to use, stored as a secret. Not used if existingSecret is set.
  adminPassword:  Not@SecurePassw0rd
  configPassword: Not@SecurePassw0rd
  ldapPort: 1389
  sslLdapPort: 1636
env:
 BITNAMI_DEBUG: "true"
 LDAP_LOGLEVEL: "256"
 LDAP_TLS_ENFORCE: "false"
 LDAPTLS_REQCERT: "never"
 LDAP_ENABLE_TLS: "yes"
 LDAP_CONFIG_ADMIN_ENABLED: "yes"
 LDAP_SKIP_DEFAULT_TREE: "no"
## User list to create (comma separated list), can't be used with customLdifFiles
users: user1,user2

## User passwords to create (comma separated list)
userPasswords: password1,password2

## Group to create and add list of user above
group: myGroup

Make sure LDAP_SKIP_DEFAULT_TREE is set to no

Connect to openldap instance and run ldapsearch

I have no name!@sa-openldap-0:/$ LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=toto' -w Not@SecurePassw0rd -H ldaps://127.0.0.1:1636 -b 'dc=example,dc=toto'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=toto> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.toto
dn: dc=example,dc=toto
objectClass: dcObject
objectClass: organization
dc: example
o: example

# users, example.toto
dn: ou=users,dc=example,dc=toto
objectClass: organizationalUnit
ou: users

# user1, users, example.toto
dn: cn=user1,ou=users,dc=example,dc=toto
cn: User1
sn: Bar1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQx
uid: user1
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user1

# user2, users, example.toto
dn: cn=user2,ou=users,dc=example,dc=toto
cn: User2
sn: Bar2
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQy
uid: user2
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user2

# myGroup, users, example.toto
dn: cn=myGroup,ou=users,dc=example,dc=toto
cn: myGroup
objectClass: groupOfNames
member: cn=user1,ou=users,dc=example,dc=toto
member: cn=user2,ou=users,dc=example,dc=toto

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
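An added check, written for this page and not part of the thread or the chart: in the dump above the userPassword attribute is printed with "::", which in LDIF means the value is base64-encoded, and decoding "cGFzc3dvcmQx" gives "password1", i.e. the value from userPasswords stored as-is rather than as an {SSHA} hash. The script below parses an ldapsearch dump (including "::" values and continuation lines) and reports every userPassword that carries no {SCHEME} prefix. The sample LDIF is constructed from the entries above, trimmed, plus one hypothetical user3 whose password is stored as an {SSHA} hash so the hashed case is exercised too.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple


def _ssha(password: bytes, salt: bytes) -> bytes:
    """RFC 2307 style {SSHA}: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


# Fixed salt so the sample is reproducible; a real server picks a random one.
_HASHED = base64.b64encode(_ssha(b"password3", b"salt1234")).decode()

# Constructed sample: entries from the ldapsearch output above (trimmed) plus
# a hypothetical user3 that is NOT from the thread.
SAMPLE_LDIF = f"""\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=toto> with scope subtree

# example.toto
dn: dc=example,dc=toto
objectClass: dcObject
objectClass: organization
dc: example
o: example

# user1, users, example.toto
dn: cn=user1,ou=users,dc=example,dc=toto
cn: User1
objectClass: inetOrgPerson
userPassword:: cGFzc3dvcmQx
uid: user1

# user2, users, example.toto
dn: cn=user2,ou=users,dc=example,dc=toto
cn: User2
objectClass: inetOrgPerson
userPassword:: cGFzc3dvcmQy
uid: user2

# user3: hypothetical hashed entry, not from the thread
dn: cn=user3,ou=users,dc=example,dc=toto
cn: User3
objectClass: inetOrgPerson
userPassword:: {_HASHED}
uid: user3
"""

_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?)\s?(.*)$")
_SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a line starting with one space continues
    the previous line) so each attribute sits on one logical line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """One dict per entry; attribute names lower-cased, '::' values
    base64-decoded. Non-UTF-8 bytes are kept with replacement characters,
    which is enough for a password audit."""
    entries: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = {}
    for line in _unfold(text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR_RE.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        entry.setdefault(name, []).append(value)
    return entries


def cleartext_passwords(ldif_text: str) -> List[Tuple[str, str]]:
    """(dn, value) for every userPassword stored without a {SCHEME} prefix.
    slapd stores whatever the client sent unless hashing is enforced (for
    example via the ppolicy overlay), so a plaintext userPassword in the LDIF
    fed to ldapadd stays plaintext in the database and in every replica."""
    found: List[Tuple[str, str]] = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["?"])[0]
        for value in entry.get("userpassword", []):
            if not _SCHEME_RE.match(value):
                found.append((dn, value))
    return found


if __name__ == "__main__":
    import sys
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for dn, pw in cleartext_passwords(text):
        print(f"cleartext password for {dn}: {pw!r}")
```

Run it as "ldapsearch ... | python3 audit.py" against a live instance; with no stdin it audits the embedded sample and reports user1 and user2 but not the hashed user3.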

The tree is not created when replicaCount is set to 1. Is there any reason why?

The tree is created (should be, at least 😁) regardless of the replicaCount.
However, it will depend on the env.LDAP_SKIP_DEFAULT_TREE variable.

The issue here seems to be related to a change in the container image where the TLS initialization was done at the end of the openldap initialization, breaking the chart's replication configuration.
more here

Hi, I use bitnami/openldap:2.6.6 and replicaCount: 1, and changed PHPLDAPADMIN_LDAP_HOSTS 'tls': False, but it has no effect; I only have "dc=example,dc=org"
[screenshot]

2.6.6 is buggy. Try with 2.6.5

It has the same problem. I found that its init stops at libopenldap.sh:

        # Initialize OpenLDAP with schemas/tree structure
        if is_boolean_yes "$LDAP_ADD_SCHEMAS"; then
            ldap_add_schemas
        fi

It does not run the script after that.

I ran this in the pod and waited for the restart.

. /opt/bitnami/scripts/liblog.sh
. /opt/bitnami/scripts/openldap/setup.sh

ldap_configure_ppolicy  # if want to open ppolicy module
ldap_configure_tls
ldap_create_tree

and restarted phpLDAPAdmin; it seems to be OK.

If you want to use openldap 2.6.6 please try with

image:
  # From repository https://hub.docker.com/r/bitnami/openldap/
  #repository: bitnami/openldap
  #tag: 2.6.3
  # Temporary fix
  repository: jpgouin/openldap
  tag: 2.6.6-fix

Hi, I tried it with this values.yaml

image:
  repository: jpgouin/openldap
  tag: 2.6.6-fix
  pullPolicy: IfNotPresent

replicaCount: 1

replication:
  enabled: true

initTLSSecret:
  image:
    tag: 3.1.4

ltb-passwd:
  image:
    tag: 5.2.3
    pullPolicy: IfNotPresent
  ingress:
    enabled: false

phpldapadmin:
  image:
    tag: 0.9.0
    pullPolicy: IfNotPresent
  ingress:
    enabled: false

and I open phpldapadmin:
[screenshot]

Sorry for not paying attention to this issue; however, my point is that when replication is enabled, the directory $LDAP_DATA_DIR is not empty. Therefore the code in the following "else" statement is never executed.

libopenldap.sh:614

@ErikLundJensen no, when replication is enabled all ldifs go to the schemas set by $LDAP_CUSTOM_SCHEMA_DIR.
$LDAP_DATA_DIR is by default set to LDAP_DATA_DIR="${LDAP_VOLUME_DIR}/data" and it's not overridden by the chart.

@zsq1234 you have set replicaCount to 1 and you enabled the replication. You should either disable the replication or use more than 1 replica

Thank you for your help. I understand now.

Documentation could be improved, saying that setting replicaCount=1 requires also setting replication=false
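A pre-deploy check, added here and not part of the chart: it applies the rules stated in this thread to a parsed values.yaml and flags replicaCount: 1 combined with replication.enabled: true, users set while LDAP_SKIP_DEFAULT_TREE is not "no", users combined with customLdifFiles, a users/userPasswords count mismatch, and stray whitespace in the comma-separated password list. The count-mismatch rule, the assumed chart default replicaCount of 3 and the assumed default of LDAP_SKIP_DEFAULT_TREE=no are my assumptions; that replication is enabled by default comes from the thread. The values are given as Python dicts mirroring the YAML posted above so the script runs without PyYAML; in practice pass in yaml.safe_load(open("values.yaml")).

```python
from typing import Any, Dict, List

# Assumed chart defaults: replication on unless disabled (stated in the
# thread); replicaCount 3 and LDAP_SKIP_DEFAULT_TREE=no are my assumptions.
DEFAULT_REPLICAS = 3
DEFAULT_REPLICATION = True
DEFAULT_SKIP_TREE = "no"


def _csv(value: Any) -> List[str]:
    """Split a chart-style comma-separated list WITHOUT trimming, so the
    check below can flag 'bitnami1, bitnami2' style spacing."""
    if value is None or str(value).strip() == "":
        return []
    return str(value).split(",")


def check_values(values: Dict[str, Any]) -> List[str]:
    """Return human-readable problems; an empty list means the values are
    consistent with the rules discussed in the thread."""
    problems: List[str] = []
    replicas = int(values.get("replicaCount", DEFAULT_REPLICAS))
    replication = bool((values.get("replication") or {}).get("enabled", DEFAULT_REPLICATION))
    env = values.get("env") or {}
    users = _csv(values.get("users"))
    passwords = _csv(values.get("userPasswords"))

    # Rule from the maintainer: a single replica cannot run with replication on.
    if replication and replicas == 1:
        problems.append(
            "replicaCount=1 with replication.enabled=true is unsupported: "
            "set replication.enabled=false or use more than one replica"
        )

    if users:
        # Rule from the maintainer: the default tree (and therefore the users)
        # is only created when LDAP_SKIP_DEFAULT_TREE is "no".
        skip_tree = str(env.get("LDAP_SKIP_DEFAULT_TREE", DEFAULT_SKIP_TREE)).lower()
        if skip_tree != "no":
            problems.append(
                f"users are set but LDAP_SKIP_DEFAULT_TREE={skip_tree!r}; "
                "the default tree and the users will not be created"
            )
        # Rule from the values comment: users and customLdifFiles are exclusive.
        if values.get("customLdifFiles"):
            problems.append("users/userPasswords can't be used together with customLdifFiles")
        # Assumption: each user needs exactly one password in the same position.
        if len(users) != len(passwords):
            problems.append(f"{len(users)} users but {len(passwords)} passwords")
        for pw in passwords:
            if pw != pw.strip():
                problems.append(
                    f"password {pw!r} has surrounding whitespace; "
                    "remove the space after the comma"
                )
    return problems


# Constructed dicts mirroring the YAML posted in the thread.
REPORTER_WORKAROUND = {
    "users": "user01,user02",
    "userPasswords": "bitnami1, bitnami2",
    "group": "readers",
    "replication": {"enabled": False},
    "replicaCount": 1,
}
ZSQ_VALUES = {"replicaCount": 1, "replication": {"enabled": True}}
WORKING_VALUES = {
    "env": {"LDAP_SKIP_DEFAULT_TREE": "no"},
    "users": "user1,user2",
    "userPasswords": "password1,password2",
    "group": "myGroup",
}

if __name__ == "__main__":
    for name, vals in [
        ("reporter workaround", REPORTER_WORKAROUND),
        ("zsq1234", ZSQ_VALUES),
        ("maintainer", WORKING_VALUES),
    ]:
        print(name, "->", check_values(vals) or "OK")
```

The only finding against the reporter's workaround is the space in "bitnami1, bitnami2"; zsq1234's values trip the single-replica rule, and the maintainer's working values pass.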