jp-gouin/helm-openldap

Custom LDIF + ACL example for non read admin isn't working and results in phpldap admin

SamuelLHuber opened this issue · 2 comments

Describe the bug
The custom LDIFs are not applied; the search tree is empty and the root isn't built in phpldapadmin.

To Reproduce
Steps to reproduce the behavior:

  • use the following helm values and chart file, taken from the advanced examples, to spin up the chart in a Kubernetes cluster

Chart.yaml

apiVersion: v2
name: openldap
version: 0.1.0
dependencies:
  - name: openldap-stack-ha
    version: "4.2.*"
    repository: https://jp-gouin.github.io/helm-openldap/

values.yaml

# based on https://github.com/jp-gouin/helm-openldap
openldap-stack-ha:
  global:
    ldapDomain: "mydomain.com"
    existingSecret: "ldap-secret"
  
  replicaCount: 1
  replication:
    enabled: false

  logLevel: debug

  customTLS:
    enabled: false

  persistence:
    enabled: false

  env:
    LDAP_ALLOW_ANON_BINDING: "no"
    LDAP_SKIP_DEFAULT_TREE: "yes"

  # make sure dn in the following ACLs fits your domain
  customAcls: |- 
    dn: olcDatabase={2}mdb,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to *
      by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage
      by * break
    olcAccess: {1}to attrs=userPassword,shadowLastChange
      by self write
      by dn="cn=admin,dc=mydomain,dc=com" write
      by anonymous auth by * none
    olcAccess: {2}to *
      by dn="cn=admin-read,dc=mydomain,dc=com" read
      by dn="cn=admin,dc=mydomain,dc=com" write
      by self read
      by * none

  customLdifFiles:
    00-root.ldif: |-
      dn: dc=mydomain,dc=com
      objectClass: top
      objectClass: dcObject
      objectClass: organization
      o: MY-DOMAIN
      dc: mydomain
    01-admin-read-user.ldif: |-
      dn: cn=admin-read,dc=mydomain,dc=com
      cn: admin-read
      mail: admin-read@mydomain.com
      objectClass: inetOrgPerson
      objectClass: top
      userPassword:: {SSHA}xxxxxxxxxxxx
      sn: Admin read only
    02-users-group.ldif: |-
      dn: ou=users,dc=mydomain,dc=com
      ou: users
      objectClass: organizationalUnit
      objectClass: top
      
  ltb-passwd: # self service password change web interface
    enabled: true
    ingress: # we do custom ingress using istio
      enabled: false
    ldap:
      bindDN: "cn=admin-read,dc=mydomain,dc=com" # make sure this is set to correct baseDN
      searchBase: "ou=users,dc=mydomain,dc=com" # make sure this is set to correct baseDN
      passKey: LDAP_ADMIN_READ_PASSWORD
    # check https://github.com/jp-gouin/helm-openldap/tree/master/advanced_examples#use-a-user-with-restricted-permissions-for-password-portal
    initContainers:
     - name: "install-logo"
       image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . }}"
       command: [sh, -c]
       args:
         - |-
           cat <<EOF >/data/31-logo
           #!/command/with-contenv bash
           source /assets/functions/00-container
           PROCESS_NAME="logo"
           cp /tmp/ltb-logo.png /www/ssp/images/ltb-logo.png
           chmod +x /data/31-logo
           liftoff
           EOF
       volumeMounts:
         - name: data
           mountPath: /data
    volumes:
      - name: logos
        configMap:
          name: configmap-ldap-companylogos
      - name: data
        emptyDir: {}
    volumeMounts:
      - name: logos
        mountPath: /tmp/ltb-logo.png
        subPath: my-logo.png
      - name: data
        mountPath: /etc/cont-init.d/31-logo
        subPath: 31-logo

  phpldapadmin: # web admin interface to manage ldap
    enabled: true
    ingress: # we do custom ingress using istio
      enabled: false
    # check https://github.com/jp-gouin/helm-openldap/tree/master/advanced_examples#use-a-user-with-restricted-permissions-for-password-portal
    initContainers:
     - name: modify-configuration
       image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . }}"
       command: [sh, -c]
       args:
         - |-
           # modify startup script in order to use logos
           cp -p /container/service/phpldapadmin/startup.sh /data/
           sed -i -e 's/exit 0/# exit 0/' /data/startup.sh
           cat <<'EOF' >>/data/startup.sh
           cp /logos/my-logo.png /var/www/phpldapadmin/htdocs/images/default/logo.png
           cp /logos/my-logo_50.png /var/www/phpldapadmin/htdocs/images/default/logo-small.png
           exit 0
           EOF
       volumeMounts:
         - mountPath: /data
           name: data
    volumes:
      - name: data
        emptyDir: {}
      - name: logos
        configMap:
          name: configmap-ldap-companylogos
    volumeMounts:
      - name: data
        mountPath: /data
      - name: logos
        mountPath: /logos
      - name: data
        mountPath: /container/service/phpldapadmin/startup.sh
        subPath: startup.sh

Chart.lock for reference using helm dependency update and helm dependency build

dependencies:
- name: openldap-stack-ha
  repository: https://jp-gouin.github.io/helm-openldap/
  version: 4.2.2
digest: sha256:e3ac22b3bc116f5de9c11a88e6c8fc2fcfc47718c5385dc455f89c8e9a14f1f6
generated: "2024-02-06T21:52:14.05543689+01:00"

Expected behavior
The custom LDAP root should be applied.

Screenshots
Screenshot 2024-02-06 at 23 36 44

Additional context

Logs of the openldap-0 pod on first start (restarted due to missing secret):
openldap-0.logs.txt

Hi @SamuelLHuber, I did some tests and this is what works for me:
I was able to log in to phpldapadmin and use the admin and admin-read accounts.
The admin-read account is not able to create any entries in phpldapadmin (and in the openldap database).

I created a bob account under users and was able to change his password in ssl-ldap2.example using only his cn (bob in my case).

  1. Create namespace and secret
 kubectl create ns single
 kubectl create secret generic my-super-secret -n single --from-literal LDAP_ADMIN_PASSWORD=VerySecureP@ssword1 --from-literal LDAP_CONFIG_ADMIN_PASSWORD=VerySecureP@ssword2 --from-literal LDAP_ADMIN_READ_PASSWORD=VerySecureP@ssword3
  2. Create value file
    NOTE: you have to set the admin-read userPassword attribute in the values (you can use https://projects.marsching.org/weave4j/util/genpassword.php)
logLevel: debug
global:
  ldapDomain: "singlenode.org"
  existingSecret: "my-super-secret"
resources: 
  limits:
    cpu: "128m"
    memory: "64Mi"
replicaCount: 1
replication:
  enabled: false
customLdifFiles:
  0-root.ldif: |-
    dn: dc=singlenode,dc=org
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: MY-DOMAIN
    dc: singlenode
  02-users-group.ldif: |-
    dn: ou=users,dc=singlenode,dc=org
    ou: users
    objectClass: organizationalUnit
    objectClass: top
  01-admin-read-user.ldif: |-
    dn: cn=admin-read,dc=singlenode,dc=org
    cn: admin-read
    mail: admin-read@singlenode.org
    objectClass: inetOrgPerson
    objectClass: top
    userPassword: {SSHA}E2vRX2ssn7ckfjXBzP27SZH9Ast4rOEo
    sn: Admin read only
customAcls: |-
  dn: olcDatabase={2}mdb,cn=config
  changetype: modify
  replace: olcAccess
  olcAccess: {0}to *
    by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage
    by * break
  olcAccess: {1}to attrs=userPassword,shadowLastChange
    by self write
    by dn="cn=admin,dc=singlenode,dc=org" write
    by anonymous auth by * none
  olcAccess: {2}to *
    by dn="cn=admin-read,dc=singlenode,dc=org" read
    by dn="cn=admin,dc=singlenode,dc=org" write
    by self read
    by * none
ltb-passwd:
  ingress:
    hosts:
    - "ssl-ldap2.example"
  ldap:
    searchBase: "ou=users,dc=singlenode,dc=org"
    bindDN: "cn=admin-read,dc=singlenode,dc=org"
    passKey: LDAP_ADMIN_READ_PASSWORD
phpldapadmin:
  ingress:
    hosts:
    - "phpldapadmin.example"
customTLS:
  enabled: false
service:
  ldapPortNodePort: 30389
  sslLdapPortNodePort: 30636
  type: NodePort
  3. Apply helm chart

I hope that will help you.
I suspect that you did not create the SSHA correctly in the values for the admin-read user.

That was it.

NOTE: you have to set the admin-read userPassword attribute in the values (you can use https://projects.marsching.org/weave4j/util/genpassword.php)

Fixed it. Thank you! Never would have thought of that.
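The fix in this thread was the admin-read userPassword value. As an added example (not code from the chart or from either participant), the following Python generates and verifies an OpenLDAP {SSHA} value and lints LDIF userPassword lines: in LDIF (RFC 2849) a double colon (::) marks a base64-encoded value, which is how the issue's values wrote the hash, while the working values above use a single colon. The sample LDIF lines are constructed from the values quoted in the thread.

```python
import base64
import hashlib
import os
import re

# Constructed samples from the thread: the issue used "userPassword::" (base64
# marker in LDIF) with a literal {SSHA} hash; the working values use ":".
BROKEN_LDIF = "dn: cn=admin-read,dc=mydomain,dc=com\nuserPassword:: {SSHA}xxxxxxxxxxxx\n"
GOOD_LDIF = "dn: cn=admin-read,dc=singlenode,dc=org\nuserPassword: {SSHA}E2vRX2ssn7ckfjXBzP27SZH9Ast4rOEo\n"
# The same hash is fine after "::" when it really is base64-encoded.
ENCODED_LDIF = "userPassword:: " + base64.b64encode(b"{SSHA}E2vRX2ssn7ckfjXBzP27SZH9Ast4rOEo").decode("ascii") + "\n"


def ssha_hash(password, salt=None):
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:
        return False
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def check_userpassword(ldif_text):
    """Lint userPassword lines: flag '::' values that are not base64 and malformed {SSHA} hashes."""
    findings = []
    for line in ldif_text.splitlines():
        m = re.match(r"^userPassword(::?)\s*(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        sep, value = m.group(1), m.group(2).strip()
        if sep == "::":  # LDIF: the value must be base64; decode it before inspecting
            try:
                value = base64.b64decode(value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                findings.append("'::' marks a base64 value in LDIF but this is not base64: " + line)
                continue
        if value.startswith("{SSHA}"):
            try:
                raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
            except ValueError:
                raw = b""
            if len(raw) <= 20:  # need the 20-byte SHA-1 digest plus at least one salt byte
                findings.append("malformed {SSHA} hash (expected base64 of digest+salt): " + line)
    return findings
```

Running check_userpassword over the customLdifFiles values before `helm install` catches this class of mistake without having to read slapd debug logs.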