Custom LDIF + ACL example for non read admin isn't working and results in phpldapadmin
SamuelLHuber opened this issue · 2 comments
Describe the bug
The custom LDIFs are not applied; the search tree is empty and the root isn't built in phpldapadmin.
To Reproduce
Steps to reproduce the behavior:
- use the following Helm values and chart file, which are taken from the advanced examples, to spin up the chart in a Kubernetes cluster
Chart.yaml

```yaml
apiVersion: v2
name: openldap
version: 0.1.0
dependencies:
  - name: openldap-stack-ha
    version: "4.2.*"
    repository: https://jp-gouin.github.io/helm-openldap/
```
values.yaml

```yaml
# based on https://github.com/jp-gouin/helm-openldap
openldap-stack-ha:
  global:
    ldapDomain: "mydomain.com"
    existingSecret: "ldap-secret"
  replicaCount: 1
  replication:
    enabled: false
  logLevel: debug
  customTLS:
    enabled: false
  persistence:
    enabled: false
  env:
    LDAP_ALLOW_ANON_BINDING: "no"
    LDAP_SKIP_DEFAULT_TREE: "yes"
  # make sure dn in the following ACLs fits your domain
  customAcls: |-
    dn: olcDatabase={2}mdb,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to *
      by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage
      by * break
    olcAccess: {1}to attrs=userPassword,shadowLastChange
      by self write
      by dn="cn=admin,dc=mydomain,dc=com" write
      by anonymous auth by * none
    olcAccess: {2}to *
      by dn="cn=admin-read,dc=mydomain,dc=com" read
      by dn="cn=admin,dc=mydomain,dc=com" write
      by self read
      by * none
  customLdifFiles:
    00-root.ldif: |-
      dn: dc=mydomain,dc=com
      objectClass: top
      objectClass: dcObject
      objectClass: organization
      o: MY-DOMAIN
      dc: mydomain
    01-admin-read-user.ldif: |-
      dn: cn=admin-read,dc=mydomain,dc=com
      cn: admin-read
      mail: admin-read@mydomain.com
      objectClass: inetOrgPerson
      objectClass: top
      userPassword:: {SSHA}xxxxxxxxxxxx
      sn: Admin read only
    02-users-group.ldif: |-
      dn: ou=users,dc=mydomain,dc=com
      ou: users
      objectClass: organizationalUnit
      objectClass: top
  ltb-passwd: # self service password change web interface
    enabled: true
    ingress: # we do custom ingress using istio
      enabled: false
    ldap:
      bindDN: "cn=admin-read,dc=mydomain,dc=com" # make sure this is set to correct baseDN
      searchBase: "ou=users,dc=mydomain,dc=com" # make sure this is set to correct baseDN
      passKey: LDAP_ADMIN_READ_PASSWORD
    # check https://github.com/jp-gouin/helm-openldap/tree/master/advanced_examples#use-a-user-with-restricted-permissions-for-password-portal
    initContainers:
      - name: "install-logo"
        image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . }}"
        command: [sh, -c]
        args:
          - |-
            # write the cont-init script that copies the logo, then make it executable
            cat <<EOF >/data/31-logo
            #!/command/with-contenv bash
            source /assets/functions/00-container
            PROCESS_NAME="logo"
            cp /tmp/ltb-logo.png /www/ssp/images/ltb-logo.png
            liftoff
            EOF
            chmod +x /data/31-logo
        volumeMounts:
          - name: data
            mountPath: /data
    volumes:
      - name: logos
        configMap:
          name: configmap-ldap-companylogos
      - name: data
        emptyDir: {}
    volumeMounts:
      - name: logos
        mountPath: /tmp/ltb-logo.png
        subPath: my-logo.png
      - name: data
        mountPath: /etc/cont-init.d/31-logo
        subPath: 31-logo
  phpldapadmin: # web admin interface to manage ldap
    enabled: true
    ingress: # we do custom ingress using istio
      enabled: false
    # check https://github.com/jp-gouin/helm-openldap/tree/master/advanced_examples#use-a-user-with-restricted-permissions-for-password-portal
    initContainers:
      - name: modify-configuration
        image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . }}"
        command: [sh, -c]
        args:
          - |-
            # modify startup script in order to use logos
            cp -p /container/service/phpldapadmin/startup.sh /data/
            sed -i -e 's/exit 0/# exit 0/' /data/startup.sh
            cat <<'EOF' >>/data/startup.sh
            cp /logos/my-logo.png /var/www/phpldapadmin/htdocs/images/default/logo.png
            cp /logos/my-logo_50.png /var/www/phpldapadmin/htdocs/images/default/logo-small.png
            exit 0
            EOF
        volumeMounts:
          - mountPath: /data
            name: data
    volumes:
      - name: data
        emptyDir: {}
      - name: logos
        configMap:
          name: configmap-ldap-companylogos
    volumeMounts:
      - name: data
        mountPath: /data
      - name: logos
        mountPath: /logos
      - name: data
        mountPath: /container/service/phpldapadmin/startup.sh
        subPath: startup.sh
```
Chart.lock for reference, generated with `helm dependency update` and `helm dependency build`:

```yaml
dependencies:
  - name: openldap-stack-ha
    repository: https://jp-gouin.github.io/helm-openldap/
    version: 4.2.2
digest: sha256:e3ac22b3bc116f5de9c11a88e6c8fc2fcfc47718c5385dc455f89c8e9a14f1f6
generated: "2024-02-06T21:52:14.05543689+01:00"
```
Expected behavior
The custom LDAP root should be applied.
Additional context
Logs of the openldap-0 pod on first start (it restarted due to a missing secret):
openldap-0.logs.txt
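What the three olcAccess directives in the values above actually hand out is easier to see by running them than by reading them. The following Python is an added illustration, not code from the chart or from this issue: a deliberately small model of the slapd.access(5) evaluation order (first matching `to` clause, first matching `by` clause, `stop` as the default control, `break` falling through to the next directive, and the implicit `by * none` when no `by` clause matches). The DNs are the ones from the issue; `uid=bob,ou=users,...` is a hypothetical user. It does not model `continue`, incremental `+`/`-` levels, regex or subtree DN styles, or dn-scoped `to` targets, so treat it as a reading aid for this ACL, not as a slapd replacement.

```python
import re

# Added example, not code from the chart or this issue: a deliberately small
# model of how slapd evaluates the olcAccess directives posted above. It keeps
# the slapd.access(5) rules this ACL relies on and nothing more:
#   - directives are tried in order; the first "to" clause matching the target is used
#   - inside it, the first matching "by" clause sets the access level
#   - control "stop" (the default) ends evaluation, "break" goes on to the next directive
#   - a directive whose "by" clauses match nobody denies (implicit "by * none")
# Not modelled: "continue", +/- incremental levels, regex/subtree/children DN
# styles, the "entry"/"children" pseudo-attributes, and dn-scoped "to" targets.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The customAcls from the issue, as LDIF (continuation lines start with a space).
ACL_LDIF = """\
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage
  by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=admin,dc=mydomain,dc=com" write
  by anonymous auth by * none
olcAccess: {2}to *
  by dn="cn=admin-read,dc=mydomain,dc=com" read
  by dn="cn=admin,dc=mydomain,dc=com" write
  by self read
  by * none
"""

# Identities used below; uid=bob is a hypothetical user under ou=users.
ROOT_LDAPI = "gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
ADMIN = "cn=admin,dc=mydomain,dc=com"
ADMIN_READ = "cn=admin-read,dc=mydomain,dc=com"
BOB = "uid=bob,ou=users,dc=mydomain,dc=com"


def unfold_ldif(text):
    """Join RFC 2849 continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_acls(text):
    """Return [(target, [(who, level, control), ...]), ...] in directive order."""
    acls = []
    for line in unfold_ldif(text):
        if not line.startswith("olcAccess:"):
            continue
        value = re.sub(r"^\{\d+\}", "", line.split(":", 1)[1].strip())
        to_clause, *by_clauses = re.split(r"\s+by\s+", value)
        target = to_clause.split(None, 1)[1]            # drop the leading "to"
        clauses = []
        for clause in by_clauses:
            who, *rest = clause.split()
            level, control = "none", "stop"             # omitted access means none
            for tok in rest:
                if tok in ("stop", "break"):
                    control = tok
                elif tok in LEVELS:
                    level = tok
                else:
                    raise ValueError("unsupported token in by clause: " + tok)
            clauses.append((who, level, control))
        acls.append((target, clauses))
    return acls


def target_matches(target, attr):
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr.lower() in target[len("attrs="):].lower().split(",")
    raise ValueError("unsupported target: " + target)


def who_matches(who, bind_dn, entry_dn):
    bind = (bind_dn or "").lower()                      # None or "" = anonymous
    if who == "*":
        return True
    if who == "anonymous":
        return bind == ""
    if who == "users":
        return bind != ""
    if who == "self":
        return bind != "" and bind == entry_dn.lower()
    m = re.match(r'^dn(?:\.exact)?="?([^"]*)"?$', who)  # dn="..." / dn.exact=... as exact match
    if m:
        return bind == m.group(1).lower()
    raise ValueError("unsupported who: " + who)


def access_level(acls, bind_dn, entry_dn, attr):
    """Access level the model grants bind_dn on attribute attr of entry_dn."""
    for target, clauses in acls:
        if not target_matches(target, attr):
            continue
        for who, level, control in clauses:
            if not who_matches(who, bind_dn, entry_dn):
                continue
            if control == "break":
                break                                   # try the next directive
            return level                                # "stop": this clause decides
        else:
            return "none"                               # no "by" matched: implicit "by * none"
    return "none"                                       # not reached here: {2} "to *" catches everything


def allows(level, needed):
    """True when level is at least needed (none < disclose < auth < ... < manage)."""
    return LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    acls = parse_acls(ACL_LDIF)
    for who, entry, attr in [(ADMIN_READ, BOB, "cn"), (ADMIN_READ, BOB, "userPassword"),
                             (None, BOB, "userPassword"), (BOB, BOB, "userPassword"),
                             (ADMIN, BOB, "cn"), (ROOT_LDAPI, BOB, "userPassword")]:
        print(f"{who or 'anonymous'} -> {attr} of {entry}: {access_level(acls, who, entry, attr)}")
```

Running it shows the shape the ACL is meant to have: admin-read gets `read` on ordinary attributes but `none` on anyone else's userPassword (rule {1} ends with `by * none` before rule {2} is ever reached), anonymous gets only `auth` on userPassword (enough to bind, not to read the hash), a user gets `write` on their own userPassword and `read` on the rest of their entry, and the ldapi peercred identity gets `manage` from rule {0} while everyone else falls through its `by * break`.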
Hi @SamuelLHuber, I did some tests and this is what works for me:
I was able to log in to phpldapadmin using the admin and admin-read accounts.
The admin-read account is not able to create any entries in phpldapadmin (or in the OpenLDAP database).
I created a bob account under users and was able to change his password on ssl-ldap2.example using only his cn (bob in my case).
- Create namespace and secret

```sh
kubectl create ns single
kubectl create secret generic my-super-secret -n single \
  --from-literal LDAP_ADMIN_PASSWORD=VerySecureP@ssword1 \
  --from-literal LDAP_CONFIG_ADMIN_PASSWORD=VerySecureP@ssword2 \
  --from-literal LDAP_ADMIN_READ_PASSWORD=VerySecureP@ssword3
```
- Create value file

NOTE: you have to set the admin-read userPassword attribute in the values (you can use https://projects.marsching.org/weave4j/util/genpassword.php)

```yaml
logLevel: debug
global:
  ldapDomain: "singlenode.org"
  existingSecret: "my-super-secret"
resources:
  limits:
    cpu: "128m"
    memory: "64Mi"
replicaCount: 1
replication:
  enabled: false
customLdifFiles:
  0-root.ldif: |-
    dn: dc=singlenode,dc=org
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: MY-DOMAIN
    dc: singlenode
  02-users-group.ldif: |-
    dn: ou=users,dc=singlenode,dc=org
    ou: users
    objectClass: organizationalUnit
    objectClass: top
  01-admin-read-user.ldif: |-
    dn: cn=admin-read,dc=singlenode,dc=org
    cn: admin-read
    mail: admin-read@singlenode.org
    objectClass: inetOrgPerson
    objectClass: top
    userPassword: {SSHA}E2vRX2ssn7ckfjXBzP27SZH9Ast4rOEo
    sn: Admin read only
customAcls: |-
  dn: olcDatabase={2}mdb,cn=config
  changetype: modify
  replace: olcAccess
  olcAccess: {0}to *
    by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage
    by * break
  olcAccess: {1}to attrs=userPassword,shadowLastChange
    by self write
    by dn="cn=admin,dc=singlenode,dc=org" write
    by anonymous auth by * none
  olcAccess: {2}to *
    by dn="cn=admin-read,dc=singlenode,dc=org" read
    by dn="cn=admin,dc=singlenode,dc=org" write
    by self read
    by * none
ltb-passwd:
  ingress:
    hosts:
      - "ssl-ldap2.example"
  ldap:
    searchBase: "ou=users,dc=singlenode,dc=org"
    bindDN: "cn=admin-read,dc=singlenode,dc=org"
    passKey: LDAP_ADMIN_READ_PASSWORD
phpldapadmin:
  ingress:
    hosts:
      - "phpldapadmin.example"
customTLS:
  enabled: false
service:
  ldapPortNodePort: 30389
  sslLdapPortNodePort: 30636
  type: NodePort
```
- Apply helm chart
I hope that will help you.
I suspect that you did not correctly create the SSHA hash in the values for the admin-read user.
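The detail behind the maintainer's suspicion is the LDIF syntax itself: in RFC 2849 a double colon (`userPassword:: ...`) means the value that follows is base64, so the issue's `userPassword:: {SSHA}xxxxxxxxxxxx` asks the importer to base64-decode a string that is not base64, whereas the working values above use a single colon with a real `{SSHA}` hash. The Python below is an added example, not code from the chart or from this thread. It produces a `{SSHA}` value in the layout slapd and `slappasswd` use (base64 of the SHA-1 of password plus salt, with the salt appended), verifies one, writes it as a correctly formed LDIF line, and lints LDIF text for exactly this `::` mistake and for placeholder hashes. The maintainer's hash and the issue's placeholder are reused as sample input; everything else is constructed here.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

# Added example, not code from the chart or from this issue. It builds the
# {SSHA} userPassword value slapd expects, verifies one, writes it as a valid
# LDIF attribute line, and lints LDIF text for the "::" mistake in the issue.
# {SSHA} layout assumed here is the one slapd/slappasswd use:
#   base64( sha1(password || salt) || salt ), salt appended, 4 bytes by default.


def ssha_hash(password, salt=None):
    """Return a {SSHA} value for password; salt defaults to 4 random bytes."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check password against a {SSHA} value (any salt length after the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except binascii.Error:
        return False
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def _is_safe_string(value):
    """RFC 2849 SAFE-STRING: ASCII, no NUL/CR/LF, not starting with ' ', ':' or '<'."""
    data = value.encode("utf-8")
    if any(b in (0, 10, 13) or b > 127 for b in data):
        return False
    return data[:1] not in (b" ", b":", b"<")


def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' only when RFC 2849 requires it."""
    if _is_safe_string(value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def check_ldif(text):
    """Return a list of problems found in LDIF text (empty list means clean)."""
    problems = []
    lines = []
    for raw in text.splitlines():            # unfold RFC 2849 continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for n, line in enumerate(lines, 1):
        m = ATTR_LINE.match(line)
        if not m:
            continue                          # blank, comment, or separator line
        attr, sep, value = m.groups()
        if sep == "::":
            try:
                value = base64.b64decode(value, validate=True).decode("utf-8", "replace")
            except binascii.Error:
                problems.append(f"line {n}: '{attr}::' must be followed by base64, got {value!r}")
                continue
        elif not _is_safe_string(value):
            problems.append(f"line {n}: '{attr}:' value is not a SAFE-STRING; use '{attr}::' with base64")
        if attr.lower() == "userpassword" and value.startswith("{SSHA}"):
            try:
                raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
            except binascii.Error:
                raw = b""
            if len(raw) <= 20:                # must hold a 20-byte SHA-1 plus a salt
                problems.append(f"line {n}: {{SSHA}} payload is not base64(sha1+salt): {value!r}")
    return problems


if __name__ == "__main__":
    stored = ssha_hash("VerySecureP@ssword3")
    print(ldif_line("userPassword", stored), ssha_verify("VerySecureP@ssword3", stored))
    for sample in ("userPassword:: {SSHA}xxxxxxxxxxxx",     # the issue's line: "::" but not base64
                   "userPassword: {SSHA}xxxxxxxxxxxx",      # placeholder never replaced by a hash
                   "userPassword: {SSHA}E2vRX2ssn7ckfjXBzP27SZH9Ast4rOEo"):  # the maintainer's value
        print(sample, "->", check_ldif(sample) or "ok")
```

On a host with the OpenLDAP client tools, `slappasswd` produces the same `{SSHA}` format and, run without `-s`, prompts for the password so it never lands in shell history or a web form; paste its output after a single colon. Keep in mind that a `{SSHA}` hash is not a secret in the sense of the Kubernetes Secret above, but it is still offline-crackable, so the values file holding it should be treated with the same care as the rest of the deployment configuration.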
That was it.

> NOTE: you have to set the admin-read userPassword attribute in the values (you can use https://projects.marsching.org/weave4j/util/genpassword.php)

Fixed it, thank you! I never would have thought of that.