LDAP object tree is only created if replication.enabled=false
ErikLundJensen opened this issue · 15 comments
Describe the bug
The documentation explains how to use the fields users and userPasswords to create users.
However, when replication is enabled (which it is by default) then the users are not created.
To Reproduce
Values for Helm chart as in the documentation:

```yaml
users: user01,user02
userPasswords: bitnami1, bitnami2
group: readers
```
Expected behavior
Users are created in the ldap tree and assigned to the group.
Desktop (please complete the following information):
- Version 4.1.2
Additional context
Workaround is to disable replication:

```yaml
users: user01,user02
userPasswords: bitnami1, bitnami2
group: readers
replication:
  enabled: false
replicaCount: 1
```

The call to ldap_create_tree is never reached when replication is enabled:
https://github.com/bitnami/containers/blob/50c8e55a47598e50fd6392d6ff510f8472cb375a/bitnami/openldap/2.6/debian-11/rootfs/opt/bitnami/scripts/libopenldap.sh#L652
Hi @ErikLundJensen, it works for me with the following configuration:

```yaml
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: [""]
  storageClass: ""
  ldapDomain: "example.toto"
  ## Default Passwords to use, stored as a secret. Not used if existingSecret is set.
  adminPassword: Not@SecurePassw0rd
  configPassword: Not@SecurePassw0rd
  ldapPort: 1389
  sslLdapPort: 1636
env:
  BITNAMI_DEBUG: "true"
  LDAP_LOGLEVEL: "256"
  LDAP_TLS_ENFORCE: "false"
  LDAPTLS_REQCERT: "never"
  LDAP_ENABLE_TLS: "yes"
  LDAP_CONFIG_ADMIN_ENABLED: "yes"
  LDAP_SKIP_DEFAULT_TREE: "no"
## User list to create (comma separated list), can't be used with customLdifFiles
users: user1,user2
## User passwords to create (comma separated list)
userPasswords: password1,password2
## Group to create and add the list of users above to
group: myGroup
```
Make sure LDAP_SKIP_DEFAULT_TREE is set to no.
Connect to the openldap instance and run ldapsearch:
```
I have no name!@sa-openldap-0:/$ LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=toto' -w Not@SecurePassw0rd -H ldaps://127.0.0.1:1636 -b 'dc=example,dc=toto'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=toto> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.toto
dn: dc=example,dc=toto
objectClass: dcObject
objectClass: organization
dc: example
o: example

# users, example.toto
dn: ou=users,dc=example,dc=toto
objectClass: organizationalUnit
ou: users

# user1, users, example.toto
dn: cn=user1,ou=users,dc=example,dc=toto
cn: User1
sn: Bar1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQx
uid: user1
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user1

# user2, users, example.toto
dn: cn=user2,ou=users,dc=example,dc=toto
cn: User2
sn: Bar2
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQy
uid: user2
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user2

# myGroup, users, example.toto
dn: cn=myGroup,ou=users,dc=example,dc=toto
cn: myGroup
objectClass: groupOfNames
member: cn=user1,ou=users,dc=example,dc=toto
member: cn=user2,ou=users,dc=example,dc=toto

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
```
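After a rollout, the check that matters is whether the requested users and group actually landed in the tree. The following is an added example, not code from this thread, the chart or the Bitnami image: it parses an ldapsearch LDIF dump like the one above and reports which requested entries are missing. It also decodes the `userPassword::` values; in the dump above they are plain base64 of the literal passwords (`cGFzc3dvcmQx` decodes to `password1`) with no hash scheme prefix such as `{SSHA}`, which is worth flagging before a directory is put into use, since anyone able to read the attribute can recover the password. The LDIF inside is a constructed, trimmed copy of the output shown above, and the `result: 32` dump is constructed to stand for the no-tree case described in the issue.

```python
import base64

# Constructed sample in the shape of the ldapsearch output quoted above,
# trimmed to the attributes the check needs (not the thread's full output).
SAMPLE_LDIF = """\
# extended LDIF
# base <dc=example,dc=toto> with scope subtree

dn: dc=example,dc=toto
objectClass: dcObject

dn: ou=users,dc=example,dc=toto
objectClass: organizationalUnit

dn: cn=user1,ou=users,dc=example,dc=toto
uid: user1
userPassword:: cGFzc3dvcmQx

dn: cn=user2,ou=users,dc=example,dc=toto
uid: user2
userPassword:: cGFzc3dvcmQy

dn: cn=myGroup,ou=users,dc=example,dc=toto
objectClass: groupOfNames
member: cn=user1,ou=users,dc=example,dc=toto
member: cn=user2,ou=users,dc=example,dc=toto

# search result
search: 2
result: 0 Success
"""

# Constructed sample for the failure mode in the issue: the base DN was never
# created, so the search returns no entries (LDAP result code 32).
EMPTY_LDIF = """\
# extended LDIF
# base <dc=example,dc=toto> with scope subtree

# search result
search: 2
result: 32 No such object
"""


def parse_ldif(text):
    """Parse an LDIF dump (RFC 2849 subset) into {dn: {attr: [values]}}.

    Handles '#' comments, blank-line entry separators, folded lines (leading
    space) and 'attr:: <base64>' values. The trailing search/result block
    carries no dn and is dropped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None and "dn" in current:
                entries[current["dn"][0]] = current
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
    return entries


def is_hashed(userpassword):
    """True when the stored value carries a hash scheme prefix such as {SSHA};
    a bare string or {CLEARTEXT} means the password is stored recoverably."""
    return userpassword.startswith("{") and not userpassword.upper().startswith("{CLEARTEXT}")


def verify_tree(ldif_text, base_dn, users, group):
    """Check that the users and group requested in values.yaml exist under
    ou=users,<base_dn> and list users whose password is stored unhashed."""
    entries = parse_ldif(ldif_text)
    users_ou = f"ou=users,{base_dn}"
    group_dn = f"cn={group},{users_ou}"
    findings = {
        "users_ou_present": users_ou in entries,
        "group_present": group_dn in entries,
        "missing_users": [],
        "missing_members": [],
        "cleartext_passwords": [],
    }
    members = set(entries.get(group_dn, {}).get("member", []))
    for user in users:
        dn = f"cn={user},{users_ou}"
        if dn not in entries:
            findings["missing_users"].append(user)
        elif any(not is_hashed(pw) for pw in entries[dn].get("userPassword", [])):
            findings["cleartext_passwords"].append(user)
        if dn not in members:
            findings["missing_members"].append(user)
    findings["tree_created"] = (
        findings["users_ou_present"] and findings["group_present"]
        and not findings["missing_users"] and not findings["missing_members"]
    )
    return findings


if __name__ == "__main__":
    for name, dump in (("tree present", SAMPLE_LDIF), ("no tree", EMPTY_LDIF)):
        print(name, verify_tree(dump, "dc=example,dc=toto", ["user1", "user2"], "myGroup"))
```

Feed it the real dump with `ldapsearch ... > dump.ldif` and `verify_tree(open("dump.ldif").read(), ...)`; a `tree_created` of `False` right after install is the symptom this issue is about, and a non-empty `cleartext_passwords` list is the separate point to raise with whoever owns the directory.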
The tree is not created when replicaCount is set to 1. Is there any reason why?
The tree is created (should be at least 😁) regardless of the replicaCount. However, it will depend on the LDAP_SKIP_DEFAULT_TREE env variable.
The issue here seems to be related to a change in the container image where the TLS initialization was done at the end of the openldap initialization and breaking the chart replication configuration.
more here
2.6.6 is buggy. Try with 2.6.5
It has the same problem; I find the init stops at libopenldap.sh:

```bash
# Initialize OpenLDAP with schemas/tree structure
if is_boolean_yes "$LDAP_ADD_SCHEMAS"; then
    ldap_add_schemas
fi
```

It does not run the script after that.
I ran this in the pod, and waited for the restart:

```bash
. /opt/bitnami/scripts/liblog.sh
. /opt/bitnami/scripts/openldap/setup.sh
ldap_configure_ppolicy # if you want to enable the ppolicy module
ldap_configure_tls
ldap_create_tree
```

and restarted phpLDAPAdmin; it seems to be OK.
If you want to use openldap 2.6.6 please try with:

```yaml
image:
  # From repository https://hub.docker.com/r/bitnami/openldap/
  #repository: bitnami/openldap
  #tag: 2.6.3
  # Temporary fix
  repository: jpgouin/openldap
  tag: 2.6.6-fix
```
Hi, I tried to use this values.yaml:

```yaml
image:
  repository: jpgouin/openldap
  tag: 2.6.6-fix
  pullPolicy: IfNotPresent
replicaCount: 1
replication:
  enabled: true
initTLSSecret:
  image:
    tag: 3.1.4
ltb-passwd:
  image:
    tag: 5.2.3
    pullPolicy: IfNotPresent
  ingress:
    enabled: false
phpldapadmin:
  image:
    tag: 0.9.0
    pullPolicy: IfNotPresent
  ingress:
    enabled: false
```
Sorry for not paying attention to this issue, however, my point is that when replication is enabled then the directory $LDAP_DATA_DIR is not empty. Therefore the code in the following "else" statement is never executed.
@ErikLundJensen no, when replication is enabled all ldifs go to schemas set by $LDAP_CUSTOM_SCHEMA_DIR. $LDAP_DATA_DIR is by default set to LDAP_DATA_DIR="${LDAP_VOLUME_DIR}/data" and it's not overridden by the chart.
@zsq1234 you have set replicaCount to 1 and you enabled the replication. You should either disable the replication or use more than 1 replica.
Thank you for your help. I understand now.
Documentation could be improved by saying that setting replicaCount=1 also requires setting replication=false.
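The rule the thread converges on (replicaCount=1 requires replication.enabled=false) is easy to check before `helm install` rather than after a failed rollout. The following is an added example, not part of the chart or this thread: it lints a values dict and assumes the YAML has already been loaded into a Python dict (for instance with `yaml.safe_load`), that replication is enabled by default as the reporter notes, and that `existingSecret` may live under `global` or at the top level (an assumption, since the thread only shows the `global` comment mentioning it). Beyond the replica rule it also encodes the other constraints quoted earlier in the thread: `users` cannot be combined with `customLdifFiles`, `users` and `userPasswords` must have the same length, and `LDAP_SKIP_DEFAULT_TREE` must not be `yes`; it additionally warns when admin passwords are kept inline instead of in `existingSecret`. The sample values are constructed from the two configurations in the issue.

```python
def _csv(value):
    """Split a comma-separated values.yaml field into a list, ignoring spaces."""
    if not value:
        return []
    return [item.strip() for item in str(value).split(",") if item.strip()]


def lint_values(values):
    """Return (errors, warnings) for an openldap chart values dict.

    Encodes the constraints from the thread: replicaCount=1 needs
    replication.enabled=false, users/userPasswords must pair up, users cannot
    be combined with customLdifFiles, and the default tree (and so the users
    and group) is only built when LDAP_SKIP_DEFAULT_TREE is not "yes".
    """
    errors, warnings = [], []

    replication = values.get("replication") or {}
    enabled = bool(replication.get("enabled", True))  # enabled by default per the thread
    if enabled and values.get("replicaCount") == 1:
        errors.append(
            "replicaCount=1 with replication.enabled=true: "
            "ldap_create_tree is never reached; set replication.enabled=false"
        )

    users = _csv(values.get("users"))
    passwords = _csv(values.get("userPasswords"))
    if users and values.get("customLdifFiles"):
        errors.append("users cannot be combined with customLdifFiles")
    if len(users) != len(passwords):
        errors.append(f"{len(users)} users but {len(passwords)} userPasswords")

    env = values.get("env") or {}
    if users and str(env.get("LDAP_SKIP_DEFAULT_TREE", "no")).lower() == "yes":
        warnings.append("LDAP_SKIP_DEFAULT_TREE=yes: the default tree, and so users/group, is skipped")

    # Assumption: existingSecret may be set under global or at the top level.
    glob = values.get("global") or {}
    if not glob.get("existingSecret") and not values.get("existingSecret"):
        for key in ("adminPassword", "configPassword"):
            if glob.get(key) or values.get(key):
                warnings.append(f"{key} is set inline; prefer existingSecret so it is not kept in values.yaml")

    return errors, warnings


# Constructed values mirroring the reporter's failing and working configurations.
BROKEN_VALUES = {
    "users": "user01,user02",
    "userPasswords": "bitnami1, bitnami2",
    "group": "readers",
    "replicaCount": 1,
    "replication": {"enabled": True},
}
FIXED_VALUES = dict(BROKEN_VALUES, replication={"enabled": False})


if __name__ == "__main__":
    for name, vals in (("broken", BROKEN_VALUES), ("fixed", FIXED_VALUES)):
        errs, warns = lint_values(vals)
        print(name, "errors:", errs, "warnings:", warns)
```

Run it as a pre-install gate (`yaml.safe_load(open("values.yaml"))` into `lint_values`, fail the pipeline on a non-empty error list); the single error it raises for the reporter's first configuration is exactly the situation this issue describes.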