bitnami / containers

Bitnami container images
https://bitnami.com

Provide lastbind overlay #68075

Closed boesr closed 4 weeks ago

boesr commented 2 months ago

Name and Version

bitnami/openldap:2.6.8-debian-12-r1

What is the problem this feature will solve?

There probably should be lastbind included. Unfortunately the lastbind.so / lastbind.la files are not present in the container and till now I haven't been able to add it. According to https://github.com/bitnami/containers/issues/43045, it should be sufficient to add the option somewhere.

What is the feature you are proposing to solve the problem?

Compile the .so / .la files so we could activate the overlay via a ldif.

jotamartos commented 2 months ago

That's a configuration parameter of the application.

https://man7.org/linux/man-pages/man5/slapd-config.5.html

Please take a look at the upstream documentation to know more about it. You can use the LDAP_CUSTOM_LDIF_DIR to provide a custom directory with your configuration.

boesr commented 2 months ago

Thanks for the reply. I tried adding it to my 00_config.ldif (see below) that is placed in /ldifs, but that fails with ldap_modify: Insufficient access (50) probably due to the config admin not being used. I then tried to add it manually via ldapadd -Y EXTERNAL -H "ldapi:///" -f 01_update_config.ldif, which just contains the olcLastBind change shown below. There I receive the error:

modifying entry "cn=config"
ldap_modify: Object class violation (65)
    additional info: attribute 'olcLastBind' not allowed

I also tried to create an overlay ldif, but since the .so/.la file is missing that doesn't work either. Do I need to build it on my own?

# Create the root entry for the domain
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

# Create organizational unit for people
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

# Create organizational unit for groups
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

# 01_update_config.ldif part
#dn: cn=config
#changetype: modify
#add: olcLastBind
#olcLastBind: TRUE

github-actions[bot] commented 1 month ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

jotamartos commented 1 month ago

Hi @boesr,

We confirmed that the libraries are not included in the container as you mentioned. We are going to continue reviewing and investigating the issue.

In case you want to include the .so/.a files on your own, you would need to build OpenLDAP and the module and copy the necessary files to the running container:

apt update
apt install -y build-essential groff
cd /tmp
# --depth takes a number; a shallow clone of the default branch is enough to build the module
git clone --depth 1 https://github.com/openldap/openldap.git
cd openldap
# the contrib module's Makefile expects a configured OpenLDAP source tree at ../../..
./configure
make
cd contrib/slapd-modules/lastbind/
make
# lists the built lastbind.so / lastbind.la files
find .

You will see the files there and you can copy them to the running container

jotamartos commented 1 month ago

Hi again,

A new revision of the docker image is being built now and it'll probably be available soon. We enabled the olcLastBind feature this way and everything looks great.

The libraries are inside the /opt/bitnami/openldap/libexec/openldap/ directory:

I have no name!@b7979008cb4d:/$ ls -la /opt/bitnami/openldap/libexec/openldap/
total 92
drwxr-xr-x 2 root root  4096 Jul 22 07:26 .
drwxr-xr-x 3 root root  4096 Jul 22 07:26 ..
lrwxrwxrwx 1 root root    17 Jul 22 07:13 lastbind.so -> lastbind.so.0.0.0
lrwxrwxrwx 1 root root    17 Jul 22 07:13 lastbind.so.0 -> lastbind.so.0.0.0
-rwxr-xr-x 1 root root 14704 Jul 22 07:13 lastbind.so.0.0.0
lrwxrwxrwx 1 root root    18 Jul 22 07:13 pw-pbkdf2.so -> pw-pbkdf2.so.0.0.0
lrwxrwxrwx 1 root root    18 Jul 22 07:13 pw-pbkdf2.so.0 -> pw-pbkdf2.so.0.0.0
-rwxr-xr-x 1 root root 14392 Jul 22 07:13 pw-pbkdf2.so.0.0.0
lrwxrwxrwx 1 root root    16 Jul 22 07:13 pw-sha2.so -> pw-sha2.so.0.0.0
lrwxrwxrwx 1 root root    16 Jul 22 07:13 pw-sha2.so.0 -> pw-sha2.so.0.0.0
-rwxr-xr-x 1 root root 26744 Jul 22 07:13 pw-sha2.so.0.0.0
lrwxrwxrwx 1 root root    17 Jul 22 07:13 smbk5pwd.so -> smbk5pwd.so.0.0.0
lrwxrwxrwx 1 root root    17 Jul 22 07:13 smbk5pwd.so.0 -> smbk5pwd.so.0.0.0
-rwxr-xr-x 1 root root 23536 Jul 22 07:13 smbk5pwd.so.0.0.0

and we executed the following commands:

$ cat /tmp/update_config.ldif
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcLastBind
olcLastBind: TRUE

$ ldapmodify -Y EXTERNAL -H "ldapi:///" -D "cn=admin,dc=example,dc=org" -f /tmp/update_config.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}mdb,cn=config"

$ ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
...
# {2}mdb, config
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /bitnami/openldap/data
olcSuffix: dc=example,dc=org
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW: {SSHA}omHXQzC6iILzbZGvMt482vH17b9ipow4
olcMonitoring: FALSE
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbMaxSize: 1073741824
olcLastBind: TRUE

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11

As you can see, the configuration parameter is enabled and we didn't get any error. Please confirm everything works as expected.
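As an added example (not code from the thread or from the Bitnami project), the script below shows how a defender would consume the result of the change above: it parses an LDIF dump of the kind `ldapsearch -LLL -Y EXTERNAL -H ldapi:///` produces, confirms `olcLastBind: TRUE` is set on the mdb database, and flags accounts whose `pwdLastSuccess` (the attribute lastbind maintains) is missing or older than a threshold. The LDIF sample is constructed for the example; in practice you would feed it the output of two searches, one against `cn=config` and one against the user tree.

```python
"""Audit lastbind: confirm olcLastBind is enabled and list stale accounts."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `ldapsearch -LLL` output (not real data).
SAMPLE_LDIF = """\
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcSuffix: dc=example,dc=org
olcLastBind: TRUE

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
pwdLastSuccess: 20240722071300Z

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: bob
pwdLastSuccess: 20240101000000Z

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: carol
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry, unfolding continuation
    lines (leading space) and skipping '#' comments; base64 values are left encoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def lastbind_enabled(entries):
    """True if any database entry carries olcLastBind: TRUE."""
    return any(v.upper() == "TRUE" for e in entries for v in e.get("olcLastBind", []))

def stale_accounts(entries, now, max_age_days=90):
    """Return (uid, last_bind_or_None) for accounts never seen or not seen recently."""
    stale = []
    for e in entries:
        if "uid" not in e:
            continue
        ts = e.get("pwdLastSuccess")
        if not ts:                         # never bound successfully since lastbind was enabled
            stale.append((e["uid"][0], None))
            continue
        last = datetime.strptime(ts[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if now - last > timedelta(days=max_age_days):
            stale.append((e["uid"][0], last))
    return stale
```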

boesr commented 1 month ago

Hi @jotamartos,

thanks for the reply and for integrating the libraries. I will test it as soon as it is released and get back to you with the result.

boesr commented 1 month ago

Hi @jotamartos

I just tested the new release and can confirm that the configuration is working like you explained. Many thanks for the quick solution.

I added the config to my compose file for bootstrapping it. If anyone is interested how:

services:
  openldap:
    container_name: openldap
    image: bitnami/openldap:2.6.8-debian-12-r4
    ports:
      - '389:389'
      - '636:636'
    environment:
      LDAP_LDAPS_PORT_NUMBER: 636
      LDAP_PORT_NUMBER: 389
      # yes/no must be quoted: unquoted they are YAML booleans, which Compose rejects in environment
      LDAP_ALLOW_ANON_BINDING: "no"
      LDAP_ROOT: ${LDAP_ROOT:-dc=example,dc=com}
      LDAP_ADMIN_USERNAME: ${LDAP_ADMIN_USERNAME:-admin}
      LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-myadminpassword}
      # lastBind here makes the entrypoint load /opt/bitnami/openldap/etc/schema/lastBind.ldif at bootstrap
      LDAP_EXTRA_SCHEMAS: cosine,inetorgperson,argon2,ldapPublicKey,memberof,lastBind
      LDAP_ENABLE_TLS: "yes"
      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/certs/ldap-server-cert.pem
      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/certs/ldap-server-key.pem
      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/certs/ldap-ca-cert.pem
    volumes: # I cut out the other volumes (e.g. for ldapPublicKey and memberOf) to make it clearer
      - './openldap/ldifs/lastBind.ldif:/opt/bitnami/openldap/etc/schema/lastBind.ldif'
    env_file:
      - .env
volumes:
  openldap_data:

lastBind.ldif contains the lines of the /tmp/update_config.ldif of @jotamartos.

github-actions[bot] commented 1 month ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.