jp-gouin / helm-openldap

Helm chart of Openldap in High availability with multi-master replication and PhpLdapAdmin and Ltb-Passwd
Apache License 2.0

Add memberOf using customSchemaFiles: ->ldap_modify: No such object (32) #134

Closed RaffaelGrob closed 4 months ago

RaffaelGrob commented 7 months ago

Using version 4.1.2, my bitnami container bitnami/openldap 2.6.3 is unwilling to apply the provided schema.

The goal is to add "memberOf" to the LDAP by adding this to the values.yaml.

  customSchemaFiles:
    00-modules.ldif: |-
      dn: cn=module{0},cn=config
      changetype: modify
      add: olcModuleLoad
      olcModuleLoad: memberof
      olcModuleLoad: refint
    01-memberof.ldif: |-
      dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
      changetype: add
      objectClass: olcConfig
      objectClass: olcMemberOf
      objectClass: olcOverlayConfig
      objectClass: top
      olcOverlay: memberof
      olcMemberOfDangling: ignore
      olcMemberOfRefInt: TRUE
      olcMemberOfGroupOC: groupOfNames
      olcMemberOfMemberAD: member
      olcMemberOfMemberOfAD: memberOf
    02-refint.ldif: |-
      dn: olcOverlay=refint,olcDatabase={2}mdb,cn=config
      changetype: add
      objectClass: olcConfig
      objectClass: olcOverlayConfig
      objectClass: olcRefintConfig
      objectClass: top
      olcOverlay: refint
      olcRefintAttribute: memberof member manager owner

Then, when I apply it, the pod logs the following error and restarts the ldap server. However, the server after the crash doesn't know about its misery and starts in an incomplete configuration.

....
      654eaa30.22d06959 0x7f424b308700 conn=1006 op=1 MOD dn="cn=module{0},cn=config"
      654eaa30.22d0c32a 0x7f424b308700 conn=1006 op=1 MOD attr=olcModuleLoad
      654eaa30.22d180c5 0x7f424b308700 conn=1006 op=1 RESULT tag=103 err=32 qtime=0.000015 etime=0.000103 text=
      ldap_modify: No such object (32)
      matched DN: cn=config
      modifying entry "cn=module{0},cn=config"
....

I'm unsure whether this is a chart problem, but I can imagine that others might also like to see the solution when using this chart. I already googled and found input on the bitnami/openldap container project, but I can't apply it with this chart.

Do you have any idea what's wrong with the ldif? (or with the chart). Thanks for help!
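
The failure mode described above (a custom LDIF is rejected, the entrypoint carries on, and slapd comes back up with the overlay missing) is easy to miss because the pod ends up Running. The following is an added example, not code from the chart, the bitnami image or anyone in this thread: it scans slapd stats-level log lines of the format quoted in this issue, pairs each ADD/MOD operation line with the RESULT line that shares its `conn=N op=M` key, and reports every operation that returned a non-zero result code, optionally restricted to a base such as `cn=config`. The sample lines are constructed from the ones quoted in the thread (timestamps and thread ids shortened) and are not a real capture.

```python
"""Report slapd write operations that failed, from stats-level log lines.

Added example for this issue; not code from helm-openldap or bitnami/openldap.
Assumed line shapes (as in the pasted pod logs):
  <ts> <thread> conn=N op=M ADD|MOD|MODRDN|DEL dn="<dn>"
  <ts> <thread> conn=N op=M RESULT tag=T err=E qtime=... etime=... text=<msg>
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Standard LDAP result codes most often seen when applying cn=config LDIF.
LDAP_RESULT_NAMES = {
    0: "success",
    16: "noSuchAttribute",
    17: "undefinedAttributeType",
    20: "attributeOrValueExists",
    21: "invalidAttributeSyntax",
    32: "noSuchObject",
    50: "insufficientAccessRights",
    65: "objectClassViolation",
    68: "entryAlreadyExists",
    80: "other",
}

_OP_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>ADD|MOD|MODRDN|DEL) dn="(?P<dn>[^"]*)"'
)
_RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=\d+ err=(?P<err>\d+).*?text=(?P<text>.*)$'
)


@dataclass(frozen=True)
class FailedOp:
    conn: int
    op: int
    kind: str
    dn: str
    err: int
    name: str
    text: str


def failed_ops(lines: Iterable[str], under: Optional[str] = None) -> List[FailedOp]:
    """Return every ADD/MOD/MODRDN/DEL whose RESULT line carries err != 0.

    `under` optionally limits the report to DNs ending in that base, e.g.
    "cn=config" to look only at online-configuration changes.
    """
    pending = {}   # (conn, op) -> (kind, dn), filled from the operation line
    failures = []
    for line in lines:
        m = _OP_RE.search(line)
        if m:
            pending[(int(m["conn"]), int(m["op"]))] = (m["kind"], m["dn"])
            continue
        m = _RESULT_RE.search(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        kind, dn = pending.pop(key, (None, None))
        err = int(m["err"])
        if err == 0 or dn is None:      # BIND/SEARCH results carry no write dn
            continue
        if under and not dn.lower().endswith(under.lower()):
            continue
        failures.append(FailedOp(key[0], key[1], kind, dn, err,
                                 LDAP_RESULT_NAMES.get(err, "unknown"),
                                 m["text"].strip()))
    return failures


# Constructed sample modelled on the lines quoted in this issue; not a capture.
SAMPLE_LOG = """\
t0.1 0xA conn=1004 op=1 ADD dn="cn=nis,cn=schema,cn=config"
t0.2 0xA conn=1004 op=1 RESULT tag=105 err=0 qtime=0.000009 etime=0.001037 text=
t0.3 0xB conn=1006 op=0 BIND dn="" method=163
t0.4 0xB conn=1006 op=0 RESULT tag=97 err=0 qtime=0.000006 etime=0.000069 text=
t0.5 0xB conn=1006 op=1 MOD dn="cn=module{0},cn=config"
t0.6 0xB conn=1006 op=1 MOD attr=olcModuleLoad
t0.7 0xB conn=1006 op=1 RESULT tag=103 err=32 qtime=0.000031 etime=0.000289 text=
t0.8 0xC conn=1008 op=1 MOD dn="olcDatabase={0}config,cn=config"
t0.9 0xC conn=1008 op=1 RESULT tag=103 err=80 qtime=0.000006 etime=0.000256 text=<olcMultiProvider> database is not a shadow
""".splitlines()


def main() -> int:
    """Exit 1 when any cn=config write failed, so a post-deploy smoke job can
    flag a pod that is Running with an incomplete online configuration."""
    bad = failed_ops(SAMPLE_LOG, under="cn=config")
    for f in bad:
        print(f"conn={f.conn} op={f.op} {f.kind} {f.dn}: err={f.err} ({f.name}) {f.text}")
    return 1 if bad else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

To run it against a live pod, feed `kubectl logs <pod> -c openldap-stack-ha` (or whatever the container is named in your release) into `failed_ops` instead of `SAMPLE_LOG`; a non-empty result under `cn=config` means the server is up but the overlay was never installed.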

baobabtr33 commented 7 months ago

I'm facing the same issue. Could the reason be that configs can't be added via custom ldifs? The docs say "All internal configuration like cn=config , cn=module{0},cn=config cannot be configured yet."

GabeChurch commented 7 months ago

Trying to do the same thing, been deep diving on it. Still not working.

From the base image side at least it should be doable. https://github.com/bitnami/containers/issues/982

GabeChurch commented 7 months ago

I figured it out finally, this is how you do it:

customSchemaFiles:
  #enable memberOf ldap search functionality, users automagically track groups they belong to
  00-modules.ldif: |-
    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: memberof
    olcModuleLoad: refint

  01-memberof.ldif: |-
    dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
    changetype: add
    objectClass: olcMemberOf
    objectClass: olcOverlayConfig
    olcOverlay: memberof
    olcMemberOfRefInt: TRUE
    olcMemberOfGroupOC: groupOfUniqueNames
    olcMemberOfMemberAD: uniqueMember
    olcMemberOfMemberOfAD: memberOf

  refint.ldif: |-
    dn: olcOverlay=refint,olcDatabase={2}mdb,cn=config
    changetype: add
    objectClass: olcConfig
    objectClass: olcOverlayConfig
    objectClass: olcRefintConfig
    objectClass: top
    olcOverlay: refint
    olcRefintAttribute: memberof uniqueMember manager owner

seang96 commented 6 months ago

Only adding the custom schema files does not appear to do anything for me. Could you show the rest of your configuration?

jp-gouin commented 6 months ago

Hi @seang96 I just tested the following configuration:

customSchemaFiles:
  #enable memberOf ldap search functionality, users automagically track groups they belong to
  00-memberof.ldif: |-
    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: memberof

  01-memberof.ldif: |-
    dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
    changetype: add
    objectClass: olcOverlayConfig
    objectClass: olcMemberOf
    olcOverlay: memberof
    olcMemberOfRefint: TRUE
customLdifFiles:
  00-root.ldif: |-
    # Root creation
    dn: dc=example,dc=org
    objectClass: dcObject
    objectClass: organization
    o: Example, Inc
  01-default-user.ldif: |-
    dn: cn=Jean Dupond,dc=example,dc=org
    cn: Jean Dupond
    gidnumber: 500
    givenname: Jean
    homedirectory: /home/users/jdupond
    objectclass: inetOrgPerson
    objectclass: posixAccount
    objectclass: top
    sn: Dupond
    uid: jdupond
    uidnumber: 1000
    userpassword: {MD5}KOULhzfBhPTq9k7a9XfCGw==
  02-default-group.ldif: |-
    dn: cn=myGroup,dc=example,dc=org
    cn: myGroup
    gidnumber: 500
    objectclass: posixGroup
    objectclass: top
    memberUid: jdupond
  03-test-memberof.ldif: |-
    dn: ou=Group,dc=example,dc=org
    objectclass: organizationalUnit
    ou: Group

    dn: ou=People,dc=example,dc=org
    objectclass: organizationalUnit
    ou: People

    dn: uid=test1,ou=People,dc=example,dc=org
    objectclass: account
    uid: test1

    dn: cn=testgroup,ou=Group,dc=example,dc=org
    objectclass: groupOfNames
    cn: testgroup
    member: uid=test1,ou=People,dc=example,dc=org

Run: LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://127.0.0.1:1636 -b 'dc=example,dc=org' "(memberOf=cn=testgroup,ou=Group,dc=example,dc=org)"

You should get :

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (memberOf=cn=testgroup,ou=Group,dc=example,dc=org)
# requesting: ALL
#

# test1, People, example.org
dn: uid=test1,ou=People,dc=example,dc=org
objectClass: account
uid: test1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Let me know if this is working for you, I'll update the advanced configuration and I'll plan to add an enabler in the values to ease the configuration

seang96 commented 6 months ago

Looks like it did not work for me. I started namespace / helm install from scratch with no PVC.

LDAP response:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (memberOf=cn=testgroup,ou=Group,dc=example,dc=org)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Helm install info:

NAME: ldap
CHART: openldap-stack-ha
VERSION: 4.1.2
APP_VERSION: 2.6.3
NAMESPACE: ldap
REVISION: 1
STATUS: deployed
DEPLOYED_AT: 2023-12-20T00:18:06-05:00

Initial startup logs: (It fails to import everything, database is not a shadow)

 05:18:22.38 INFO  ==> ** Starting LDAP setup **
 05:18:22.45 INFO  ==> Validating settings in LDAP_* env vars
 05:18:22.53 INFO  ==> Initializing OpenLDAP...
 05:18:22.53 DEBUG ==> Ensuring expected directories/files exist...
 05:18:22.57 INFO  ==> Creating LDAP online configuration
 05:18:22.62 INFO  ==> Starting OpenLDAP server in background
6582791e.26117108 0x7fadb4437740 @(#) $OpenLDAP: slapd 2.6.3 (Jan 17 2023 16:44:38) $
        @a34c3898a374:/bitnami/blacksmith-sandox/openldap-2.6.3/servers/slapd
6582791e.3015e635 0x7fadb4437740 slapd starting
 05:18:23.63 INFO  ==> Configure LDAP credentials for admin user
SASL/EXTERNAL authentication started
6582791f.26ae0da4 0x7fadb2bfe700 conn=1000 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
6582791f.26af6c7c 0x7fadb2bfe700 conn=1000 op=0 BIND dn="" method=163
6582791f.26b012e7 0x7fadb2bfe700 conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
6582791f.26b080da 0x7fadb2bfe700 conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
6582791f.26b10714 0x7fadb2bfe700 conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000123 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
6582791f.26b3f8e0 0x7fadb23fd700 conn=1000 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
6582791f.26b4a5d7 0x7fadb23fd700 conn=1000 op=1 MOD attr=olcSuffix
6582791f.26bfc1b4 0x7fadb23fd700 conn=1000 op=1 RESULT tag=103 err=0 qtime=0.000019 etime=0.000818 text=
6582791f.26c171d9 0x7fadb2bfe700 conn=1000 op=2 MOD dn="olcDatabase={2}mdb,cn=config"
6582791f.26c1f258 0x7fadb2bfe700 conn=1000 op=2 MOD attr=olcRootDN
6582791f.283becd6 0x7fadb2bfe700 conn=1000 op=2 RESULT tag=103 err=0 qtime=0.000012 etime=0.024828 text=
6582791f.283dc816 0x7fadb23fd700 conn=1000 op=3 MOD dn="olcDatabase={2}mdb,cn=config"
6582791f.283e4137 0x7fadb23fd700 conn=1000 op=3 MOD attr=olcRootPW
6582791f.29078232 0x7fadb23fd700 conn=1000 op=3 RESULT tag=103 err=0 qtime=0.000011 etime=0.013242 text=
6582791f.2909f07e 0x7fadb2bfe700 conn=1000 op=4 MOD dn="olcDatabase={1}monitor,cn=config"
6582791f.290a8cd2 0x7fadb2bfe700 conn=1000 op=4 MOD attr=olcAccess
6582791f.29140d8b 0x7fadb2bfe700 conn=1000 op=4 RESULT tag=103 err=0 qtime=0.000027 etime=0.000706 text=
6582791f.291656bd 0x7fadb23fd700 conn=1000 op=5 MOD dn="olcDatabase={0}config,cn=config"
6582791f.2916dff7 0x7fadb23fd700 conn=1000 op=5 MOD attr=olcRootDN
6582791f.29203ff3 0x7fadb23fd700 conn=1000 op=5 RESULT tag=103 err=0 qtime=0.000015 etime=0.000688 text=
6582791f.2922866b 0x7fadb2bfe700 conn=1000 op=6 MOD dn="olcDatabase={0}config,cn=config"
6582791f.29231cbe 0x7fadb2bfe700 conn=1000 op=6 MOD attr=olcRootPW
6582791f.2a0d44b9 0x7fadb2bfe700 conn=1000 op=6 RESULT tag=103 err=0 qtime=0.000011 etime=0.015408 text=
6582791f.2a0f7ea4 0x7fadb23fd700 conn=1000 op=7 UNBIND
6582791f.2a107ca2 0x7fadb23fd700 conn=1000 fd=12 closed
modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

 05:18:23.70 INFO  ==> Configuring TLS
SASL/EXTERNAL authentication started
6582791f.2a70bfcb 0x7fadb2bfe700 conn=1001 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
6582791f.2a716dda 0x7fadb23fd700 conn=1001 op=0 BIND dn="" method=163
6582791f.2a71ee9f 0x7fadb23fd700 conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
6582791f.2a722830 0x7fadb23fd700 conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
6582791f.2a7276c2 0x7fadb23fd700 conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000009 etime=0.000080 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
6582791f.2a74cbb0 0x7fadb2bfe700 conn=1001 op=1 MOD dn="cn=config"
6582791f.2a750e41 0x7fadb2bfe700 conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
6582791f.2a8b80e8 0x7fadb2bfe700 conn=1001 op=1 RESULT tag=103 err=0 qtime=0.000010 etime=0.001511 text=
modifying entry "cn=config"
6582791f.2a8e59e1 0x7fadb23fd700 conn=1001 op=2 UNBIND
6582791f.2a8f22f2 0x7fadb23fd700 conn=1001 fd=12 closed

 05:18:23.71 INFO  ==> Adding LDAP extra schemas
SASL/EXTERNAL authentication started
6582791f.2b251f70 0x7fadb2bfe700 conn=1002 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
6582791f.2b263b2b 0x7fadb23fd700 conn=1002 op=0 BIND dn="" method=163
6582791f.2b271c3e 0x7fadb23fd700 conn=1002 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
6582791f.2b276ba2 0x7fadb23fd700 conn=1002 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
6582791f.2b27f1dc 0x7fadb23fd700 conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000010 etime=0.000121 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
6582791f.2b316bc4 0x7fadb2bfe700 conn=1002 op=1 ADD dn="cn=cosine,cn=schema,cn=config"
6582791f.2b48eddf 0x7fadb2bfe700 conn=1002 op=1 RESULT tag=105 err=0 qtime=0.000014 etime=0.001589 text=
6582791f.2b4a3db6 0x7fadb2bfe700 conn=1002 op=2 UNBIND
6582791f.2b4ab7a9 0x7fadb2bfe700 conn=1002 fd=12 closed
adding new entry "cn=cosine,cn=schema,cn=config"

SASL/EXTERNAL authentication started
6582791f.2b8c255c 0x7fadb23fd700 conn=1003 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
6582791f.2b8d1988 0x7fadb2bfe700 conn=1003 op=0 BIND dn="" method=163
6582791f.2b8dcbf4 0x7fadb2bfe700 conn=1003 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
6582791f.2b8e688d 0x7fadb2bfe700 conn=1003 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
6582791f.2b8ed07f 0x7fadb2bfe700 conn=1003 op=0 RESULT tag=97 err=0 qtime=0.000010 etime=0.000123 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
6582791f.2b936ee4 0x7fadb23fd700 conn=1003 op=1 ADD dn="cn=inetorgperson,cn=schema,cn=config"
6582791f.2b9bd128 0x7fadb23fd700 conn=1003 op=1 RESULT tag=105 err=0 qtime=0.000010 etime=0.000581 text=
6582791f.2b9d1844 0x7fadb2bfe700 conn=1003 op=2 UNBIND
6582791f.2b9dd4c9 0x7fadb2bfe700 conn=1003 fd=12 closed
adding new entry "cn=inetorgperson,cn=schema,cn=config"

SASL/EXTERNAL authentication started
6582791f.2c1bdd68 0x7fadb23fd700 conn=1004 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
6582791f.2c1ce3db 0x7fadb23fd700 conn=1004 op=0 BIND dn="" method=163
6582791f.2c1d6f44 0x7fadb23fd700 conn=1004 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
6582791f.2c1dcaa9 0x7fadb23fd700 conn=1004 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
6582791f.2c1e4d11 0x7fadb23fd700 conn=1004 op=0 RESULT tag=97 err=0 qtime=0.000008 etime=0.000106 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
6582791f.2c25f5d1 0x7fadb2bfe700 conn=1004 op=1 ADD dn="cn=nis,cn=schema,cn=config"
6582791f.2c3552c5 0x7fadb2bfe700 conn=1004 op=1 RESULT tag=105 err=0 qtime=0.000009 etime=0.001037 text=
6582791f.2c36b686 0x7fadb23fd700 conn=1004 op=2 UNBIND
adding new entry "cn=nis,cn=schema,cn=config"

6582791f.2c388e80 0x7fadb23fd700 conn=1004 fd=12 closed
SASL/EXTERNAL authentication started
6582791f.2c7d9ec9 0x7fadb2bfe700 conn=1005 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
6582791f.2c7e8022 0x7fadb23fd700 conn=1005 op=0 BIND dn="" method=163
6582791f.2c7f3e49 0x7fadb23fd700 conn=1005 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
6582791f.2c7f93f4 0x7fadb23fd700 conn=1005 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
6582791f.2c7ff0fc 0x7fadb23fd700 conn=1005 op=0 RESULT tag=97 err=0 qtime=0.000010 etime=0.000109 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
6582791f.2c82811d 0x7fadb2bfe700 conn=1005 op=1 ADD dn="cn=module{0},cn=config"
6582791f.2c97a9a7 0x7fadb2bfe700 conn=1005 op=1 RESULT tag=105 err=0 qtime=0.000008 etime=0.001410 text=
6582791f.2c9927df 0x7fadb23fd700 conn=1005 op=2 UNBIND
6582791f.2c99e092 0x7fadb23fd700 conn=1005 fd=12 closed
adding new entry "cn=module{0},cn=config"

SASL/EXTERNAL authentication started
6582791f.2cda16b6 0x7fadb2bfe700 conn=1006 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
6582791f.2cdadc3b 0x7fadb2bfe700 conn=1006 op=0 BIND dn="" method=163
6582791f.2cdb3088 0x7fadb2bfe700 conn=1006 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
6582791f.2cdb67ea 0x7fadb2bfe700 conn=1006 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
6582791f.2cdbc8c4 0x7fadb2bfe700 conn=1006 op=0 RESULT tag=97 err=0 qtime=0.000006 etime=0.000069 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
6582791f.2cddb0d6 0x7fadb23fd700 conn=1006 op=1 MOD dn="cn=config"
6582791f.2cde43e3 0x7fadb23fd700 conn=1006 op=1 MOD attr=olcServerID
6582791f.2ce60118 0x7fadb23fd700 conn=1006 op=1 RESULT tag=103 err=0 qtime=0.000008 etime=0.000567 text=
6582791f.2ce77e7f 0x7fadb2bfe700 conn=1006 op=2 UNBIND
modifying entry "cn=config"

6582791f.2ce89f23 0x7fadb2bfe700 conn=1006 fd=12 closed
SASL/EXTERNAL authentication started
6582791f.2d30fe40 0x7fadb23fd700 conn=1007 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
6582791f.2d31e9f7 0x7fadb2bfe700 conn=1007 op=0 BIND dn="" method=163
6582791f.2d32c138 0x7fadb2bfe700 conn=1007 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
6582791f.2d331ab4 0x7fadb2bfe700 conn=1007 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
6582791f.2d339233 0x7fadb2bfe700 conn=1007 op=0 RESULT tag=97 err=0 qtime=0.000011 etime=0.000129 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
6582791f.2d36a802 0x7fadb23fd700 conn=1007 op=1 ADD dn="olcOverlay=syncprov,olcDatabase={0}config,cn=config"
6582791f.2d3c76df 0x7fadb23fd700 conn=1007 op=1 RESULT tag=105 err=0 qtime=0.000011 etime=0.000426 text=
6582791f.2d3de244 0x7fadb2bfe700 conn=1007 op=2 UNBIND
adding new entry "olcOverlay=syncprov,olcDatabase={0}config,cn=config"
6582791f.2d3eb26d 0x7fadb2bfe700 conn=1007 fd=12 closed

SASL/EXTERNAL authentication started
6582791f.2d812c94 0x7fadb23fd700 conn=1008 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
6582791f.2d81fea6 0x7fadb2bfe700 conn=1008 op=0 BIND dn="" method=163
6582791f.2d827cb1 0x7fadb2bfe700 conn=1008 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
6582791f.2d82c171 0x7fadb2bfe700 conn=1008 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
6582791f.2d831aa7 0x7fadb2bfe700 conn=1008 op=0 RESULT tag=97 err=0 qtime=0.000012 etime=0.000084 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
6582791f.2d8500d0 0x7fadb23fd700 conn=1008 op=1 MOD dn="olcDatabase={0}config,cn=config"
6582791f.2d85491c 0x7fadb23fd700 conn=1008 op=1 MOD attr=olcSyncRepl olcMirrorMode
6582791f.2d87c0f6 0x7fadb23fd700 olcMultiProvider: value #0: <olcMultiProvider> database is not a shadow
6582791f.2d888c7b 0x7fadb23fd700 conn=1008 op=1 RESULT tag=103 err=80 qtime=0.000006 etime=0.000256 text=<olcMultiProvider> database is not a shadow
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcMultiProvider> database is not a shadow
6582791f.2d89f9c9 0x7fadb2bfe700 conn=1008 op=2 UNBIND
6582791f.2d8a7b1a 0x7fadb2bfe700 conn=1008 fd=12 closed
modifying entry "olcDatabase={0}config,cn=config"

6582791f.2dd01a12 0x7fadb33ff700 daemon: shutdown requested and initiated.
6582791f.2dd2beef 0x7fadb33ff700 slapd shutdown: waiting for 0 operations/tasks to finish
6582791f.2de4b8d6 0x7fadb4437740 slapd stopped.

values.yaml:

global:
  ldapDomain: dc=example,dc=org
  existingSecret: ldap-admin
replicaCount: 1
customLdifFiles:
  00-root.ldif: |-
    # Root creation
    dn: dc=example,dc=org
    objectClass: dcObject
    objectClass: organization
    o: Example, Inc
  01-default-user.ldif: |-
    dn: cn=Jean Dupond,dc=example,dc=org
    cn: Jean Dupond
    gidnumber: 500
    givenname: Jean
    homedirectory: /home/users/jdupond
    objectclass: inetOrgPerson
    objectclass: posixAccount
    objectclass: top
    sn: Dupond
    uid: jdupond
    uidnumber: 1000
    userpassword: {MD5}KOULhzfBhPTq9k7a9XfCGw==
  02-default-group.ldif: |-
    dn: cn=myGroup,dc=example,dc=org
    cn: myGroup
    gidnumber: 500
    objectclass: posixGroup
    objectclass: top
    memberUid: jdupond
  03-test-memberof.ldif: |-
    dn: ou=Group,dc=example,dc=org
    objectclass: organizationalUnit
    ou: Group

    dn: ou=People,dc=example,dc=org
    objectclass: organizationalUnit
    ou: People

    dn: uid=test1,ou=People,dc=example,dc=org
    objectclass: account
    uid: test1

    dn: cn=testgroup,ou=Group,dc=example,dc=org
    objectclass: groupOfNames
    cn: testgroup
    member: uid=test1,ou=People,dc=example,dc=org
customSchemaFiles:
  #enable memberOf ldap search functionality, users automagically track groups they belong to
  00-memberof.ldif: |-
    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: memberof

  01-memberof.ldif: |-
    dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
    changetype: add
    objectClass: olcOverlayConfig
    objectClass: olcMemberOf
    olcOverlay: memberof
    olcMemberOfRefint: TRUE

jp-gouin commented 6 months ago

I see that replicaCount is 1, did you disable the replication?

seang96 commented 6 months ago

Yes, for quicker testing, since you have to wipe the PVC

jp-gouin commented 6 months ago

Ok, can you post your full values file?

seang96 commented 6 months ago

That was my values.yaml file for testing. As for my real one I am also intending to load in rfc2307bis using ldif file from https://github.com/osixia/docker-openldap in my production config. I am currently using that docker image for my setup that is not HA.

jp-gouin commented 6 months ago

Alright, in that case can you add the following in your values to disable the replication:

replication:
  enabled: false

seang96 commented 6 months ago

Running with replication false I still get an error

Logs on initial pod creation

 05:12:29.99 INFO  ==> ** Starting LDAP setup **
 05:12:30.03 INFO  ==> Validating settings in LDAP_* env vars
 05:12:30.04 INFO  ==> Initializing OpenLDAP...
 05:12:30.04 DEBUG ==> Ensuring expected directories/files exist...
 05:12:30.06 INFO  ==> Creating LDAP online configuration
 05:12:30.09 INFO  ==> Starting OpenLDAP server in background
65851abe.062e167a 0x7f6f4dd70740 @(#) $OpenLDAP: slapd 2.6.3 (Jan 17 2023 16:44:38) $
        @a34c3898a374:/bitnami/blacksmith-sandox/openldap-2.6.3/servers/slapd
65851abe.1e90d743 0x7f6f4dd70740 slapd starting
 05:12:31.10 INFO  ==> Configure LDAP credentials for admin user
SASL/EXTERNAL authentication started
65851abf.06d4733c 0x7f6f47fff700 conn=1000 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65851abf.06d79251 0x7f6f477fe700 conn=1000 op=0 BIND dn="" method=163
65851abf.06d85dd7 0x7f6f477fe700 conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65851abf.06d8cf9b 0x7f6f477fe700 conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65851abf.06d954be 0x7f6f477fe700 conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000025 etime=0.000152 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65851abf.06de3ae4 0x7f6f47fff700 conn=1000 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
65851abf.06df03f5 0x7f6f47fff700 conn=1000 op=1 MOD attr=olcSuffix
65851abf.06e9b754 0x7f6f47fff700 conn=1000 op=1 RESULT tag=103 err=0 qtime=0.000014 etime=0.000839 text=
65851abf.06ec61a6 0x7f6f477fe700 conn=1000 op=2 MOD dn="olcDatabase={2}mdb,cn=config"
65851abf.06ed302c 0x7f6f477fe700 conn=1000 op=2 MOD attr=olcRootDN
65851abf.0c420cb8 0x7f6f477fe700 conn=1000 op=2 RESULT tag=103 err=0 qtime=0.000010 etime=0.089525 text=
65851abf.0c45b77d 0x7f6f47fff700 conn=1000 op=3 MOD dn="olcDatabase={2}mdb,cn=config"
65851abf.0c4696ed 0x7f6f47fff700 conn=1000 op=3 MOD attr=olcRootPW
65851abf.0e0ac282 0x7f6f47fff700 conn=1000 op=3 RESULT tag=103 err=0 qtime=0.000041 etime=0.029766 text=
65851abf.0e0d1fe4 0x7f6f477fe700 conn=1000 op=4 MOD dn="olcDatabase={1}monitor,cn=config"
65851abf.0e0dcc96 0x7f6f477fe700 conn=1000 op=4 MOD attr=olcAccess
65851abf.0e172006 0x7f6f477fe700 conn=1000 op=4 RESULT tag=103 err=0 qtime=0.000010 etime=0.000686 text=
65851abf.0e1a69f1 0x7f6f47fff700 conn=1000 op=5 MOD dn="olcDatabase={0}config,cn=config"
65851abf.0e1aedfc 0x7f6f47fff700 conn=1000 op=5 MOD attr=olcRootDN
65851abf.0e2049b7 0x7f6f47fff700 conn=1000 op=5 RESULT tag=103 err=0 qtime=0.000015 etime=0.000426 text=
65851abf.0e23d334 0x7f6f477fe700 conn=1000 op=6 MOD dn="olcDatabase={0}config,cn=config"
65851abf.0e2498b9 0x7f6f477fe700 conn=1000 op=6 MOD attr=olcRootPW
65851abf.14e4f4b4 0x7f6f477fe700 conn=1000 op=6 RESULT tag=103 err=0 qtime=0.000016 etime=0.113345 text=
65851abf.14e6c3ad 0x7f6f47fff700 conn=1000 op=7 UNBIND
modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"
65851abf.14e9aad6 0x7f6f47fff700 conn=1000 fd=12 closed

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

 05:12:31.35 INFO  ==> Configuring TLS
65851abf.1593e7b4 0x7f6f477fe700 conn=1001 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
SASL/EXTERNAL authentication started
65851abf.159d9871 0x7f6f47fff700 conn=1001 op=0 BIND dn="" method=163
65851abf.15a0963e 0x7f6f47fff700 conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65851abf.15a11149 0x7f6f47fff700 conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65851abf.15a1aa10 0x7f6f47fff700 conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000015 etime=0.000287 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65851abf.15a7e53c 0x7f6f477fe700 conn=1001 op=1 MOD dn="cn=config"
65851abf.15a88fbf 0x7f6f477fe700 conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
65851abf.15d5e5ff 0x7f6f477fe700 conn=1001 op=1 RESULT tag=103 err=0 qtime=0.000013 etime=0.003063 text=
65851abf.15d94f4a 0x7f6f47fff700 conn=1001 op=2 UNBIND
modifying entry "cn=config"

65851abf.15e4c45c 0x7f6f477fe700 conn=1001 fd=12 closed
 05:12:31.37 INFO  ==> Adding LDAP extra schemas
SASL/EXTERNAL authentication started
65851abf.16d2d067 0x7f6f47fff700 conn=1002 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65851abf.16d5b032 0x7f6f477fe700 conn=1002 op=0 BIND dn="" method=163
65851abf.16d719f4 0x7f6f477fe700 conn=1002 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65851abf.16d79c5c 0x7f6f477fe700 conn=1002 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65851abf.16d8476b 0x7f6f477fe700 conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000022 etime=0.000198 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65851abf.16deb06c 0x7f6f47fff700 conn=1002 op=1 ADD dn="cn=cosine,cn=schema,cn=config"
65851abf.1705be22 0x7f6f47fff700 conn=1002 op=1 RESULT tag=105 err=0 qtime=0.000013 etime=0.002675 text=
65851abf.1707e697 0x7f6f477fe700 conn=1002 op=2 UNBIND
65851abf.17089904 0x7f6f477fe700 conn=1002 fd=12 closed
adding new entry "cn=cosine,cn=schema,cn=config"

65851abf.1783bd35 0x7f6f47fff700 conn=1003 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
SASL/EXTERNAL authentication started
65851abf.17863e55 0x7f6f477fe700 conn=1003 op=0 BIND dn="" method=163
65851abf.17881d21 0x7f6f477fe700 conn=1003 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65851abf.178a37f2 0x7f6f477fe700 conn=1003 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65851abf.178c966b 0x7f6f477fe700 conn=1003 op=0 RESULT tag=97 err=0 qtime=0.000015 etime=0.000435 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65851abf.1791ff3f 0x7f6f47fff700 conn=1003 op=1 ADD dn="cn=inetorgperson,cn=schema,cn=config"
65851abf.17a08b39 0x7f6f47fff700 conn=1003 op=1 RESULT tag=105 err=0 qtime=0.000013 etime=0.000991 text=
65851abf.17a28b93 0x7f6f477fe700 conn=1003 op=2 UNBIND
65851abf.17a382c0 0x7f6f477fe700 conn=1003 fd=12 closed
adding new entry "cn=inetorgperson,cn=schema,cn=config"

SASL/EXTERNAL authentication started
65851abf.180c8c4c 0x7f6f47fff700 conn=1004 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65851abf.180f91bd 0x7f6f477fe700 conn=1004 op=0 BIND dn="" method=163
65851abf.18110e52 0x7f6f477fe700 conn=1004 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65851abf.18137312 0x7f6f477fe700 conn=1004 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65851abf.1817daa2 0x7f6f477fe700 conn=1004 op=0 RESULT tag=97 err=0 qtime=0.000028 etime=0.000577 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65851abf.18222126 0x7f6f47fff700 conn=1004 op=1 ADD dn="cn=nis,cn=schema,cn=config"
65851abf.183ce72c 0x7f6f47fff700 conn=1004 op=1 RESULT tag=105 err=0 qtime=0.000018 etime=0.001802 text=
adding new entry "cn=nis,cn=schema,cn=config"

65851abf.18449449 0x7f6f477fe700 conn=1004 op=2 UNBIND
65851abf.184b2bf0 0x7f6f477fe700 conn=1004 fd=12 closed
SASL/EXTERNAL authentication started
65851abf.18af9c47 0x7f6f47fff700 conn=1005 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65851abf.18b30faa 0x7f6f477fe700 conn=1005 op=0 BIND dn="" method=163
65851abf.18b3f2a6 0x7f6f477fe700 conn=1005 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65851abf.18b469df 0x7f6f477fe700 conn=1005 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65851abf.18b5104a 0x7f6f477fe700 conn=1005 op=0 RESULT tag=97 err=0 qtime=0.000013 etime=0.000148 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65851abf.18b98d21 0x7f6f47fff700 conn=1005 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
65851abf.18bab7de 0x7f6f47fff700 conn=1005 op=1 MOD attr=olcAccess
65851abf.18bea71d 0x7f6f47fff700 slapd: line 0: rootdn is always granted unlimited privileges.
65851abf.18c00197 0x7f6f47fff700 slapd: line 0: rootdn is always granted unlimited privileges.
65851abf.18caf4ce 0x7f6f47fff700 conn=1005 op=1 RESULT tag=103 err=0 qtime=0.000009 etime=0.001170 text=
65851abf.18cd7d91 0x7f6f477fe700 conn=1005 op=2 UNBIND
65851abf.18ce7c1b 0x7f6f47fff700 conn=1005 fd=12 closed
modifying entry "olcDatabase={2}mdb,cn=config"

65851abf.194c7d5d 0x7f6f477fe700 conn=1006 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
SASL/EXTERNAL authentication started
65851abf.194e52e2 0x7f6f47fff700 conn=1006 op=0 BIND dn="" method=163
65851abf.194f9f73 0x7f6f47fff700 conn=1006 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65851abf.19503a23 0x7f6f47fff700 conn=1006 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65851abf.1950fbd6 0x7f6f47fff700 conn=1006 op=0 RESULT tag=97 err=0 qtime=0.000012 etime=0.000181 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65851abf.19540c77 0x7f6f477fe700 conn=1006 op=1 MOD dn="cn=module{0},cn=config"
65851abf.1955b1f8 0x7f6f477fe700 conn=1006 op=1 MOD attr=olcModuleLoad
65851abf.1957854f 0x7f6f477fe700 conn=1006 op=1 RESULT tag=103 err=32 qtime=0.000031 etime=0.000289 text=
ldap_modify: No such object (32)
        matched DN: cn=config
65851abf.19595519 0x7f6f47fff700 conn=1006 op=2 UNBIND
65851abf.195b29cd 0x7f6f47fff700 conn=1006 fd=12 closed
modifying entry "cn=module{0},cn=config"

65851abf.19d18ff3 0x7f6f4cbff700 daemon: shutdown requested and initiated.
65851abf.19d4588e 0x7f6f4cbff700 slapd shutdown: waiting for 0 operations/tasks to finish
65851abf.19df0077 0x7f6f4dd70740 slapd stopped.

LDAP response

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (memberOf=cn=testgroup,ou=Group,dc=example,dc=org)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
zoc commented 6 months ago

I have exactly the same issue, and the workaround provided by @jp-gouin does not work either. It looks like the syncprov module is configured after the import of the custom schemas, thus overwriting the cn=module{0},cn=config attributes.

RaffaelGrob commented 5 months ago

Based on your test, @jp-gouin, I retried. I'm still failing. For troubleshooting purposes I ran it with this command:

cat <<EOF > /tmp/schema.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/schema.ldif

and got:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
ldap_modify: No such object (32)
        matched DN: cn=config

Currently I run bitnami/openldap 2.6.3 as non-root. What magic did you do to make it work on your machine?

And after updating to 2.6.6, still as non-root, I get this using the snippet above:

I have no name!@openldap-demo-7-0:/$ ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/schema.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcModuleLoad> handler exited with 1

I have no name!@openldap-demo-7-0:/$ 

and see this in my log on K8S:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
659ece9f.3b5eab1d 0x7f55b5ddf700 lt_dlopenext failed: (memberof) file not found
659ece9f.3b5fc65d 0x7f55b5ddf700 olcModuleLoad: value #0: <olcModuleLoad> handler exited with 1!
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcModuleLoad> handler exited with 1
modifying entry "cn=module{0},cn=config"
RaffaelGrob commented 5 months ago

Based on the comment of @GabeChurch quoted below, I could overcome the problems adding the customSchemaFiles. But I had to make a tweak!

    00-memberof.ldif: |-
      dn: cn=module{0},cn=config
      changetype: modify
      add: olcModuleLoad
      # use fully qualified path, as the default points to: /opt/bitnami/openldap/libexec/openldap
      # (the comment must keep the block scalar's indentation, otherwise the YAML breaks)
      olcModuleLoad: /opt/bitnami/openldap/lib/openldap/memberof.so
      olcModuleLoad: /opt/bitnami/openldap/lib/openldap/refint.so

The next two ldifs for:

But this is only an intermediate step. Proof that it really works is still pending. I need two ldifs that create a user and a group, and a way to assess whether memberof works. If somebody reads this and can append such a test, that would certainly help :-)

I finally figured it out, this is how you do it:

customSchemaFiles:
  #enable memberOf ldap search functionality, users automagically track groups they belong to
  00-modules.ldif: |-
    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: memberof
    olcModuleLoad: refint

  01-memberof.ldif: |-
    dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
    changetype: add
    objectClass: olcMemberOf
    objectClass: olcOverlayConfig
    olcOverlay: memberof
    olcMemberOfRefInt: TRUE
    olcMemberOfGroupOC: groupOfUniqueNames
    olcMemberOfMemberAD: uniqueMember
    olcMemberOfMemberOfAD: memberOf

  refint.ldif: |-
    dn: olcOverlay=refint,olcDatabase={2}mdb,cn=config
    changetype: add
    objectClass: olcConfig
    objectClass: olcOverlayConfig
    objectClass: olcRefintConfig
    objectClass: top
    olcOverlay: refint
    olcRefintAttribute: memberof uniqueMember manager owner
jp-gouin commented 5 months ago

Hi, I've compiled the following guide to use the memberof module:

Examples of MemberOf configuration

Enable MemberOf using replication

Use the following values to enable memberof attribute:

# Default configuration for openldap as environment variables. These get injected directly in the container.
# Use the env variables from https://github.com/osixia/docker-openldap#beginner-guide
env:
 BITNAMI_DEBUG: "true"
 LDAP_LOGLEVEL: "256"
 LDAP_TLS_ENFORCE: "false"
 LDAPTLS_REQCERT: "never"
 LDAP_ENABLE_TLS: "yes"
 LDAP_CONFIG_ADMIN_ENABLED: "yes"
 LDAP_SKIP_DEFAULT_TREE: "no"

customLdifFiles:
  00-root.ldif: |-
    # Root creation
    dn: dc=example,dc=org
    objectClass: dcObject
    objectClass: organization
    o: Example, Inc
  01-default-user.ldif: |-
    dn: cn=Jean Dupond,dc=example,dc=org
    cn: Jean Dupond
    gidnumber: 500
    givenname: Jean
    homedirectory: /home/users/jdupond
    objectclass: inetOrgPerson
    objectclass: posixAccount
    objectclass: top
    sn: Dupond
    uid: jdupond
    uidnumber: 1000
    userpassword: {MD5}KOULhzfBhPTq9k7a9XfCGw==
  02-default-group.ldif: |-
    dn: cn=myGroup,dc=example,dc=org
    cn: myGroup
    gidnumber: 500
    objectclass: posixGroup
    objectclass: top
    # this file is applied as an add, so the member is a plain attribute line
    # (a modify-style "add: memberUid" line would be rejected as an undefined attribute type)
    memberUid: jdupond
  03-test-memberof.ldif: |-
    dn: ou=Group,dc=example,dc=org
    objectclass: organizationalUnit
    ou: Group

    dn: ou=People,dc=example,dc=org
    objectclass: organizationalUnit
    ou: People

    dn: uid=test1,ou=People,dc=example,dc=org
    objectclass: account
    uid: test1

    dn: cn=testgroup,ou=Group,dc=example,dc=org
    objectclass: groupOfNames
    cn: testgroup
    member: uid=test1,ou=People,dc=example,dc=org
customSchemaFiles:
  #enable memberOf ldap search functionality, users automagically track groups they belong to
  00-memberof.ldif: |-
    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: memberof

  01-memberof.ldif: |-
    dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
    changetype: add
    objectClass: olcOverlayConfig
    objectClass: olcMemberOf
    olcOverlay: memberof
    olcMemberOfRefint: TRUE

Connect to your openldap instance and execute:

LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://127.0.0.1:1636 -b 'dc=example,dc=org' "(memberOf=cn=testgroup,ou=Group,dc=example,dc=org)"

You should get the following result:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (memberOf=cn=testgroup,ou=Group,dc=example,dc=org)
# requesting: ALL
#

# test1, People, example.org
dn: uid=test1,ou=People,dc=example,dc=org
objectClass: account
uid: test1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Enable MemberOf without replication

When replication is disabled, the cn=module entry needs to be loaded using:

# Load memberof module
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof.so
olcModulePath: /opt/bitnami/openldap/lib/openldap

Use the following values to enable memberof attribute:

# Default configuration for openldap as environment variables. These get injected directly in the container.
# Use the env variables from https://github.com/osixia/docker-openldap#beginner-guide
env:
 BITNAMI_DEBUG: "true"
 LDAP_LOGLEVEL: "256"
 LDAP_TLS_ENFORCE: "false"
 LDAPTLS_REQCERT: "never"
 LDAP_ENABLE_TLS: "yes"
 LDAP_CONFIG_ADMIN_ENABLED: "yes"
 LDAP_SKIP_DEFAULT_TREE: "no"

replicaCount: 1

replication:
  enabled: false

customLdifFiles:
  00-root.ldif: |-
    # Root creation
    dn: dc=example,dc=org
    objectClass: dcObject
    objectClass: organization
    o: Example, Inc
  01-default-user.ldif: |-
    dn: cn=Jean Dupond,dc=example,dc=org
    cn: Jean Dupond
    gidnumber: 500
    givenname: Jean
    homedirectory: /home/users/jdupond
    objectclass: inetOrgPerson
    objectclass: posixAccount
    objectclass: top
    sn: Dupond
    uid: jdupond
    uidnumber: 1000
    userpassword: {MD5}KOULhzfBhPTq9k7a9XfCGw==
  02-default-group.ldif: |-
    dn: cn=myGroup,dc=example,dc=org
    cn: myGroup
    gidnumber: 500
    objectclass: posixGroup
    objectclass: top
    # this file is applied as an add, so the member is a plain attribute line
    # (a modify-style "add: memberUid" line would be rejected as an undefined attribute type)
    memberUid: jdupond
  03-test-memberof.ldif: |-
    dn: ou=Group,dc=example,dc=org
    objectclass: organizationalUnit
    ou: Group

    dn: ou=People,dc=example,dc=org
    objectclass: organizationalUnit
    ou: People

    dn: uid=test1,ou=People,dc=example,dc=org
    objectclass: account
    uid: test1

    dn: cn=testgroup,ou=Group,dc=example,dc=org
    objectclass: groupOfNames
    cn: testgroup
    member: uid=test1,ou=People,dc=example,dc=org
customSchemaFiles:
  #enable memberOf ldap search functionality, users automagically track groups they belong to
  00-memberof.ldif: |-
    # Load memberof module
    dn: cn=module,cn=config
    cn: module
    objectClass: olcModuleList
    olcModuleLoad: memberof.so
    olcModulePath: /opt/bitnami/openldap/lib/openldap

  01-memberof.ldif: |-
    dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
    changetype: add
    objectClass: olcOverlayConfig
    objectClass: olcMemberOf
    olcOverlay: memberof
    olcMemberOfRefint: TRUE

Connect to your openldap instance and execute:

LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://127.0.0.1:1636 -b 'dc=example,dc=org' "(memberOf=cn=testgroup,ou=Group,dc=example,dc=org)"

You should get the following result:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (memberOf=cn=testgroup,ou=Group,dc=example,dc=org)
# requesting: ALL
#

# test1, People, example.org
dn: uid=test1,ou=People,dc=example,dc=org
objectClass: account
uid: test1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
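The two variants of the guide above differ only in how the memberof module gets loaded: when a module list entry already exists (with replication on, the chart's init creates cn=module{0},cn=config to load syncprov), memberof has to be appended to it with changetype: modify; when none exists, modifying cn=module{0},cn=config is exactly what produces "No such object (32)", and a new cn=module entry with an olcModulePath has to be added instead. The following script is an added example, not part of the chart or of any comment in this thread: it reads the output of an ldapsearch for olcModuleList entries, picks the right form, and emits the module, memberof and refint LDIF with fully qualified .so paths (the tweak that avoided "lt_dlopenext failed: (memberof) file not found" above). It assumes the bitnami module directory quoted in the thread, is meant to be run against a server whose init has already finished (ldapmodify -Y EXTERNAL -H ldapi:///), not from customSchemaFiles where the init script fixes the ordering, and the ldapsearch output it parses here is constructed, not captured from a pod.

```python
"""Generate cn=config LDIF for the memberof/refint overlays (added example).

Input: LDIF as printed by
  ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcModuleList)'
Output: LDIF strings to feed to ldapmodify -Y EXTERNAL -H ldapi:///.
"""
import re

# Module directory used in the thread (bitnami image); adjust for other builds.
MODULE_DIR = "/opt/bitnami/openldap/lib/openldap"


def parse_module_lists(ldif_text):
    """Return {dn: [module values]} for every olcModuleList entry in the search output.
    slapd stores olcModuleLoad as X-ORDERED values ({0}syncprov); the {N} prefix is dropped."""
    lists = {}
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            lists[dn] = []
        elif dn is not None and line.lower().startswith("olcmoduleload:"):
            value = line.split(":", 1)[1].strip()
            lists[dn].append(re.sub(r"^\{\d+\}", "", value))
        elif not line.strip():
            dn = None  # blank line ends an LDIF entry
    return lists


def _basename(module):
    """'/path/memberof.so', 'memberof.la' and 'memberof' all name the same module."""
    return re.sub(r"\.(so|la)$", "", module.rsplit("/", 1)[-1])


def module_ldif(existing, modules=("memberof", "refint"), module_dir=MODULE_DIR):
    """LDIF that loads `modules` with fully qualified paths.

    With an existing module list: changetype: modify on that entry, adding only the
    modules not loaded yet (empty string when nothing is missing).
    Without one: a new cn=module,cn=config entry carrying olcModulePath."""
    wanted = ["%s/%s.so" % (module_dir, m) for m in modules]
    if existing:
        dn, loaded = next(iter(existing.items()))
        loaded_names = {_basename(v) for v in loaded}
        missing = [w for w in wanted if _basename(w) not in loaded_names]
        if not missing:
            return ""
        lines = ["dn: %s" % dn, "changetype: modify", "add: olcModuleLoad"]
        lines += ["olcModuleLoad: %s" % w for w in missing]
    else:
        lines = ["dn: cn=module,cn=config", "changetype: add",
                 "objectClass: olcModuleList", "cn: module",
                 "olcModulePath: %s" % module_dir]
        lines += ["olcModuleLoad: %s" % w for w in wanted]
    return "\n".join(lines) + "\n"


def overlay_ldif(db_dn="olcDatabase={2}mdb,cn=config",
                 group_oc="groupOfNames", member_ad="member"):
    """memberof and refint overlay entries for one database.
    Use groupOfUniqueNames/uniqueMember if your groups are modelled that way."""
    memberof = "\n".join([
        "dn: olcOverlay=memberof,%s" % db_dn,
        "changetype: add",
        "objectClass: olcOverlayConfig",
        "objectClass: olcMemberOf",
        "olcOverlay: memberof",
        "olcMemberOfDangling: ignore",
        "olcMemberOfRefInt: TRUE",
        "olcMemberOfGroupOC: %s" % group_oc,
        "olcMemberOfMemberAD: %s" % member_ad,
        "olcMemberOfMemberOfAD: memberOf",
    ]) + "\n"
    refint = "\n".join([
        "dn: olcOverlay=refint,%s" % db_dn,
        "changetype: add",
        "objectClass: olcOverlayConfig",
        "objectClass: olcRefintConfig",
        "olcOverlay: refint",
        "olcRefintAttribute: memberOf %s manager owner" % member_ad,
    ]) + "\n"
    return memberof, refint


# Constructed ldapsearch output for the two situations in the thread.
WITH_REPLICATION = """dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}syncprov
"""
NO_MODULE_LIST = ""  # no olcModuleList entry: search returns nothing

if __name__ == "__main__":
    for label, out in (("replication on", WITH_REPLICATION), ("replication off", NO_MODULE_LIST)):
        print("# %s\n%s" % (label, module_ldif(parse_module_lists(out))))
    memberof, refint = overlay_ldif()
    print(memberof)
    print(refint)
```

Pipe the real search output into parse_module_lists() and apply the three LDIFs in that order; a module that is already loaded is skipped rather than re-added, so the script can be re-run after a partial failure.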
seang96 commented 5 months ago

Hi @jp-gouin

I just tested this on 4.2.1 and got the same issue as in #146. I noticed you added this to the advanced examples in 4.2.0, so I removed my chart and installed 4.2.0. Unfortunately this issue persists on 4.2.0 as well.

Thanks for the continued support in this request and work on the chart.

seang96 commented 5 months ago

Using the exact replica config from your comment, I get an error that causes the pods to crash on first initialization. memberof doesn't work afterwards either.

seang96@DESKTOP-K78DKFR:~/homelab/ldap$ k logs ldap-0 --previous 
Defaulted container "openldap-stack-ha" out of: openldap-stack-ha, init-schema (init), init-tls-secret (init)
 05:02:35.18 INFO  ==> ** Starting LDAP setup **
 05:02:35.25 INFO  ==> Validating settings in LDAP_* env vars
 05:02:35.26 INFO  ==> Initializing OpenLDAP...
 05:02:35.26 DEBUG ==> Ensuring expected directories/files exist...
 05:02:35.29 INFO  ==> Creating LDAP online configuration
 05:02:35.29 INFO  ==> Creating slapd.ldif
 05:02:35.32 INFO  ==> Starting OpenLDAP server in background
65c1bd6b.13e557f6 0x7f5251612740 @(#) $OpenLDAP: slapd 2.6.6 (Aug 18 2023 23:33:58) $
        @a67812f7d14b:/bitnami/blacksmith-sandox/openldap-2.6.6/servers/slapd
65c1bd6b.1a9e1de8 0x7f5251612740 slapd starting
 05:02:36.33 INFO  ==> Configure LDAP credentials for admin user
SASL/EXTERNAL authentication started
65c1bd6c.144bb9e0 0x7f520bfff700 conn=1000 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65c1bd6c.144d9b45 0x7f520bfff700 conn=1000 op=0 BIND dn="" method=163
65c1bd6c.144e3795 0x7f520bfff700 conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65c1bd6c.144e60ea 0x7f520bfff700 conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65c1bd6c.144e9dd6 0x7f520bfff700 conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000006 etime=0.000082 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65c1bd6c.14503dac 0x7f520bfff700 conn=1000 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
65c1bd6c.1451b13e 0x7f520bfff700 conn=1000 op=1 MOD attr=olcSuffix
65c1bd6c.145a6e17 0x7f520bfff700 conn=1000 op=1 RESULT tag=103 err=0 qtime=0.000004 etime=0.000711 text=
65c1bd6c.14632e8f 0x7f520bfff700 conn=1000 op=2 MOD dn="olcDatabase={2}mdb,cn=config"
65c1bd6c.1463b222 0x7f520bfff700 conn=1000 op=2 MOD attr=olcRootDN
65c1bd6c.156d010f 0x7f520bfff700 conn=1000 op=2 RESULT tag=103 err=0 qtime=0.000008 etime=0.017430 text=
65c1bd6c.157169e6 0x7f520b7fe700 conn=1000 op=3 MOD dn="olcDatabase={2}mdb,cn=config"
65c1bd6c.1572039c 0x7f520b7fe700 conn=1000 op=3 MOD attr=olcRootPW
65c1bd6c.1578c824 0x7f520b7fe700 conn=1000 op=3 RESULT tag=103 err=0 qtime=0.000010 etime=0.000521 text=
65c1bd6c.157e029a 0x7f520bfff700 conn=1000 op=4 MOD dn="olcDatabase={1}monitor,cn=config"
65c1bd6c.157e6f42 0x7f520bfff700 conn=1000 op=4 MOD attr=olcAccess
65c1bd6c.15857a82 0x7f520bfff700 conn=1000 op=4 RESULT tag=103 err=0 qtime=0.000007 etime=0.000512 text=
65c1bd6c.15862525 0x7f520b7fe700 conn=1000 op=5 MOD dn="olcDatabase={0}config,cn=config"
65c1bd6c.15868ef5 0x7f520b7fe700 conn=1000 op=5 MOD attr=olcRootDN
65c1bd6c.158a97ca 0x7f520b7fe700 conn=1000 op=5 RESULT tag=103 err=0 qtime=0.000028 etime=0.000330 text=
65c1bd6c.1590dce9 0x7f520b7fe700 conn=1000 op=6 MOD dn="olcDatabase={0}config,cn=config"
65c1bd6c.15911dc6 0x7f520b7fe700 conn=1000 op=6 MOD attr=olcRootPW
65c1bd6c.16a1782e 0x7f520b7fe700 conn=1000 op=6 RESULT tag=103 err=0 qtime=0.000005 etime=0.017874 text=
65c1bd6c.16a290ef 0x7f520bfff700 conn=1000 op=7 UNBIND
65c1bd6c.16a31354 0x7f520bfff700 conn=1000 fd=12 closed
modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

 05:02:36.38 INFO  ==> Adding LDAP extra schemas
SASL/EXTERNAL authentication started
65c1bd6c.16f1da60 0x7f520b7fe700 conn=1001 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65c1bd6c.16f27a3e 0x7f520bfff700 conn=1001 op=0 BIND dn="" method=163
65c1bd6c.16f30506 0x7f520bfff700 conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65c1bd6c.16f32ee2 0x7f520bfff700 conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65c1bd6c.16f38365 0x7f520bfff700 conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000004 etime=0.000075 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65c1bd6c.170a3d40 0x7f520b7fe700 conn=1001 op=1 ADD dn="cn=cosine,cn=schema,cn=config"
65c1bd6c.17191e1b 0x7f520b7fe700 conn=1001 op=1 RESULT tag=105 err=0 qtime=0.000006 etime=0.001025 text=
65c1bd6c.171af273 0x7f520bfff700 conn=1001 op=2 UNBIND
65c1bd6c.171b5c6c 0x7f520bfff700 conn=1001 fd=12 closed
adding new entry "cn=cosine,cn=schema,cn=config"

SASL/EXTERNAL authentication started
65c1bd6c.174b9942 0x7f520b7fe700 conn=1002 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65c1bd6c.174c0e70 0x7f520bfff700 conn=1002 op=0 BIND dn="" method=163
65c1bd6c.174cc0b8 0x7f520bfff700 conn=1002 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65c1bd6c.174ce81a 0x7f520bfff700 conn=1002 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65c1bd6c.174e278d 0x7f520bfff700 conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000006 etime=0.000147 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65c1bd6c.17537e53 0x7f520b7fe700 conn=1002 op=1 ADD dn="cn=inetorgperson,cn=schema,cn=config"
65c1bd6c.175bf98e 0x7f520b7fe700 conn=1002 op=1 RESULT tag=105 err=0 qtime=0.000007 etime=0.000585 text=
65c1bd6c.175c7f2d 0x7f520bfff700 conn=1002 op=2 UNBIND
65c1bd6c.175cf1d7 0x7f520bfff700 conn=1002 fd=12 closed
adding new entry "cn=inetorgperson,cn=schema,cn=config"

SASL/EXTERNAL authentication started
65c1bd6c.1788ef06 0x7f520b7fe700 conn=1003 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65c1bd6c.1789542c 0x7f520bfff700 conn=1003 op=0 BIND dn="" method=163
65c1bd6c.178a3ec0 0x7f520bfff700 conn=1003 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65c1bd6c.178a5caa 0x7f520bfff700 conn=1003 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65c1bd6c.178a92ed 0x7f520bfff700 conn=1003 op=0 RESULT tag=97 err=0 qtime=0.000004 etime=0.000089 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65c1bd6c.17903e0c 0x7f520b7fe700 conn=1003 op=1 ADD dn="cn=nis,cn=schema,cn=config"
65c1bd6c.179be97f 0x7f520b7fe700 conn=1003 op=1 RESULT tag=105 err=0 qtime=0.000005 etime=0.000793 text=
65c1bd6c.179c6946 0x7f520bfff700 conn=1003 op=2 UNBIND
65c1bd6c.179cc382 0x7f520bfff700 conn=1003 fd=12 closed
adding new entry "cn=nis,cn=schema,cn=config"

SASL/EXTERNAL authentication started
65c1bd6c.17c2bab8 0x7f520b7fe700 conn=1004 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65c1bd6c.17c333c5 0x7f520bfff700 conn=1004 op=0 BIND dn="" method=163
65c1bd6c.17c38d76 0x7f520bfff700 conn=1004 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65c1bd6c.17c3a7d3 0x7f520bfff700 conn=1004 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65c1bd6c.17c3ce9c 0x7f520bfff700 conn=1004 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000047 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65c1bd6c.17c4d914 0x7f520b7fe700 conn=1004 op=1 ADD dn="cn=module,cn=config"
65c1bd6c.17d96544 0x7f520b7fe700 conn=1004 op=1 RESULT tag=105 err=0 qtime=0.000005 etime=0.001367 text=
65c1bd6c.17d9edba 0x7f520b7fe700 conn=1004 op=2 UNBIND
65c1bd6c.17da3ddf 0x7f520b7fe700 conn=1004 fd=12 closed
adding new entry "cn=module,cn=config"

SASL/EXTERNAL authentication started
65c1bd6c.1807f878 0x7f520bfff700 conn=1005 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65c1bd6c.180856c8 0x7f520b7fe700 conn=1005 op=0 BIND dn="" method=163
65c1bd6c.1808e72a 0x7f520b7fe700 conn=1005 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65c1bd6c.18091d16 0x7f520b7fe700 conn=1005 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65c1bd6c.18095c44 0x7f520b7fe700 conn=1005 op=0 RESULT tag=97 err=0 qtime=0.000008 etime=0.000079 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65c1bd6c.180a807e 0x7f520bfff700 conn=1005 op=1 MOD dn="cn=config"
65c1bd6c.180aaf39 0x7f520bfff700 conn=1005 op=1 MOD attr=olcServerID
65c1bd6c.180fe069 0x7f520bfff700 conn=1005 op=1 RESULT tag=103 err=0 qtime=0.000005 etime=0.000377 text=
65c1bd6c.18108621 0x7f520b7fe700 conn=1005 op=2 UNBIND
65c1bd6c.1810cd5e 0x7f520b7fe700 conn=1005 fd=12 closed
modifying entry "cn=config"

SASL/EXTERNAL authentication started
65c1bd6c.1842995f 0x7f520bfff700 conn=1006 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65c1bd6c.18433183 0x7f520b7fe700 conn=1006 op=0 BIND dn="" method=163
65c1bd6c.18437247 0x7f520b7fe700 conn=1006 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65c1bd6c.18438c45 0x7f520b7fe700 conn=1006 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65c1bd6c.1843b2ef 0x7f520b7fe700 conn=1006 op=0 RESULT tag=97 err=0 qtime=0.000003 etime=0.000039 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65c1bd6c.18448e02 0x7f520bfff700 conn=1006 op=1 ADD dn="olcOverlay=syncprov,olcDatabase={0}config,cn=config"
65c1bd6c.18472e41 0x7f520bfff700 conn=1006 op=1 RESULT tag=105 err=0 qtime=0.000002 etime=0.000190 text=
65c1bd6c.1847a37e 0x7f520b7fe700 conn=1006 op=2 UNBIND
65c1bd6c.1847de02 0x7f520b7fe700 conn=1006 fd=12 closed
adding new entry "olcOverlay=syncprov,olcDatabase={0}config,cn=config"

SASL/EXTERNAL authentication started
65c1bd6c.187769b5 0x7f520bfff700 conn=1007 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65c1bd6c.1877e951 0x7f520bfff700 conn=1007 op=0 BIND dn="" method=163
65c1bd6c.18782034 0x7f520bfff700 conn=1007 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65c1bd6c.18784994 0x7f520bfff700 conn=1007 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65c1bd6c.187882bc 0x7f520bfff700 conn=1007 op=0 RESULT tag=97 err=0 qtime=0.000004 etime=0.000045 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65c1bd6c.187ab865 0x7f520b7fe700 conn=1007 op=1 MOD dn="olcDatabase={0}config,cn=config"
65c1bd6c.187b03ef 0x7f520b7fe700 conn=1007 op=1 MOD attr=olcSyncRepl olcMirrorMode
65c1bd6c.1880a2b4 0x7f520b7fe700 conn=1007 op=1 RESULT tag=103 err=0 qtime=0.000005 etime=0.000411 text=
modifying entry "olcDatabase={0}config,cn=config"

65c1bd6c.1881dc2b 0x7f520b7fe700 conn=1007 op=2 UNBIND
65c1bd6c.1882f87a 0x7f520b7fe700 conn=1007 fd=12 closed
SASL/EXTERNAL authentication started
65c1bd6c.18aa61eb 0x7f520b7fe700 conn=1008 fd=13 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65c1bd6c.18aafbaf 0x7f520b7fe700 conn=1008 op=0 BIND dn="" method=163
65c1bd6c.18ab3e2b 0x7f520b7fe700 conn=1008 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65c1bd6c.18ab6c36 0x7f520b7fe700 conn=1008 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65c1bd6c.18abb13a 0x7f520b7fe700 conn=1008 op=0 RESULT tag=97 err=0 qtime=0.000003 etime=0.000052 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65c1bd6c.18ac8e9a 0x7f520b7fe700 conn=1008 op=1 ADD dn="olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"
65c1bd6c.18bc3048 0x7f520affd700 slap_client_connect: URI=ldap://ldap-2.ldap-headless.ldap.svc.cluster.local:1389 Error, ldap_start_tls failed (-1)
65c1bd6c.18bc8a68 0x7f520affd700 do_syncrepl: rid=003 rc -1 retrying
65c1bd6c.18ec5ef3 0x7f520bfff700 slap_client_connect: URI=ldap://ldap-1.ldap-headless.ldap.svc.cluster.local:1389 Error, ldap_start_tls failed (-1)
65c1bd6c.18ecb748 0x7f520bfff700 do_syncrepl: rid=002 rc -1 retrying
65c1bd6c.18efcef4 0x7f520b7fe700 conn=1008 op=1 RESULT tag=105 err=0 qtime=0.000002 etime=0.004423 text=
65c1bd6c.18f0aec0 0x7f520affd700 conn=1008 op=2 UNBIND
65c1bd6c.18f11cb1 0x7f520affd700 conn=1008 fd=13 closed
adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"

SASL/EXTERNAL authentication started
65c1bd6c.1923879f 0x7f520b7fe700 conn=1009 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65c1bd6c.19240cfa 0x7f520bfff700 conn=1009 op=0 BIND dn="" method=163
65c1bd6c.19248fc8 0x7f520bfff700 conn=1009 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65c1bd6c.1924bc58 0x7f520bfff700 conn=1009 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65c1bd6c.1924f700 0x7f520bfff700 conn=1009 op=0 RESULT tag=97 err=0 qtime=0.000006 etime=0.000070 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65c1bd6c.19268573 0x7f520affd700 conn=1009 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
65c1bd6c.1926cd42 0x7f520affd700 conn=1009 op=1 MOD attr=olcSyncrepl
65c1bd6c.192c65cc 0x7f520affd700 conn=1009 op=1 RESULT tag=103 err=0 qtime=0.000004 etime=0.000407 text=
65c1bd6c.192d33d0 0x7f520bfff700 conn=1009 op=2 MOD dn="olcDatabase={2}mdb,cn=config"
65c1bd6c.192d85a5 0x7f520bfff700 conn=1009 op=2 MOD attr=olcMirrorMode
65c1bd6c.196046c4 0x7f520b7fe700 slap_client_connect: URI=ldap://ldap-2.ldap-headless.ldap.svc.cluster.local:1389 Error, ldap_start_tls failed (-1)
65c1bd6c.1995a23c 0x7f520affd700 slap_client_connect: URI=ldap://ldap-1.ldap-headless.ldap.svc.cluster.local:1389 Error, ldap_start_tls failed (-1)
65c1bd6d.0017c3ba 0x7f520b7fe700 do_syncrepl: rid=103 rc -1 retrying
65c1bd6d.0017c95b 0x7f520affd700 do_syncrepl: rid=102 rc -1 retrying
65c1bd6d.001f96af 0x7f520bfff700 conn=1009 op=2 RESULT tag=103 err=0 qtime=0.000005 etime=0.579691 text=
65c1bd6d.0020e6fc 0x7f520affd700 conn=1009 op=3 UNBIND
65c1bd6d.00220e7e 0x7f520bfff700 conn=1009 fd=12 closed
modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

SASL/EXTERNAL authentication started
65c1bd6d.0052fb38 0x7f520b7fe700 conn=1010 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65c1bd6d.0053d885 0x7f520affd700 conn=1010 op=0 BIND dn="" method=163
65c1bd6d.0054c4db 0x7f520affd700 conn=1010 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65c1bd6d.00554815 0x7f520affd700 conn=1010 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65c1bd6d.0055909a 0x7f520affd700 conn=1010 op=0 RESULT tag=97 err=0 qtime=0.000007 etime=0.000130 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65c1bd6d.005c7b88 0x7f520bfff700 conn=1010 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
65c1bd6d.005d5bfd 0x7f520bfff700 conn=1010 op=1 MOD attr=olcAccess
65c1bd6d.005fdec7 0x7f520bfff700 slapd: line 0: rootdn is always granted unlimited privileges.
65c1bd6d.00608760 0x7f520bfff700 slapd: line 0: rootdn is always granted unlimited privileges.
65c1bd6d.01895908 0x7f520bfff700 conn=1010 op=1 RESULT tag=103 err=0 qtime=0.000005 etime=0.019736 text=
65c1bd6d.018b89e0 0x7f520b7fe700 conn=1010 op=2 UNBIND
65c1bd6d.018c1d32 0x7f520b7fe700 conn=1010 fd=12 closed
modifying entry "olcDatabase={2}mdb,cn=config"

SASL/EXTERNAL authentication started
65c1bd6d.01c96e93 0x7f520bfff700 conn=1011 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
65c1bd6d.01c9f2a3 0x7f520affd700 conn=1011 op=0 BIND dn="" method=163
65c1bd6d.01ca5eef 0x7f520affd700 conn=1011 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
65c1bd6d.01ca83f5 0x7f520affd700 conn=1011 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
65c1bd6d.01cab006 0x7f520affd700 conn=1011 op=0 RESULT tag=97 err=0 qtime=0.000007 etime=0.000059 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
65c1bd6d.01cc0bb7 0x7f520b7fe700 conn=1011 op=1 ADD dn="olcOverlay=memberof,olcDatabase={2}mdb,cn=config"
65c1bd6d.01cc6e85 0x7f520b7fe700 conn=1011 op=1 RESULT tag=105 err=21 qtime=0.000003 etime=0.000047 text=objectClass: value #1 invalid per syntax
ldap_add: Invalid syntax (21)
        additional info: objectClass: value #1 invalid per syntax
adding new entry "olcOverlay=memberof,olcDatabase={2}mdb,cn=config"

65c1bd6d.01d7cc0e 0x7f520bfff700 conn=1011 op=2 UNBIND
65c1bd6d.01d85d29 0x7f520bfff700 conn=1011 fd=12 closed
65c1bd6d.023f8322 0x7f5210fff700 daemon: shutdown requested and initiated.
65c1bd6d.02428ed8 0x7f5210fff700 slapd shutdown: waiting for 0 operations/tasks to finish
65c1bd6d.025ac230 0x7f5251612740 slapd stopped.
seang96@DESKTOP-K78DKFR:~/homelab/ldap$ k exec -it ldap-0 -- bash
Defaulted container "openldap-stack-ha" out of: openldap-stack-ha, init-schema (init), init-tls-secret (init)
I have no name!@ldap-0:/$ LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://127.0.0.1:1636 -b 'dc=example,dc=org' "(memberOf=cn=testgroup,ou=Group,dc=example,dc=org)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (memberOf=cn=testgroup,ou=Group,dc=example,dc=org)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
I have no name!@ldap-0:/$ 
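The pod logs in this thread show the same pattern three times: a cn=config operation fails (err=32 on the cn=module{0} modify, err=80 on the module load, err=21 on the overlay add), the init script carries on, and slapd comes up looking healthy with memberOf silently missing, so the only evidence is an err!=0 RESULT line in the log. The script below is an added example, not part of the chart or of anyone's comment: it correlates each ADD/MOD request line with its RESULT line by conn/op (the stats log format at LDAP_LOGLEVEL 256 used above) and lists the failed operations with a hint for the three codes seen in this thread. The hint text is ours; the sample lines are copied from the log excerpts posted above.

```python
"""Triage slapd stats-level logs for failed cn=config operations (added example).

Usage: kubectl logs <pod> --previous | python3 triage.py
Without piped input it runs over the sample lines taken from this thread.
"""
import re

# Request line: conn=N op=M <ADD|MOD|...> dn="..."   Result line: conn=N op=M RESULT ... err=E ... text=...
REQ_RE = re.compile(r'conn=(\d+) op=(\d+) (ADD|MOD|MODRDN|DEL) dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+).*?text=(.*)$')

# Our interpretation of the result codes that appear in this thread.
HINTS = {
    32: "No such object: the target entry does not exist. For cn=module{0},cn=config this "
        "means no module list has been created yet; add cn=module,cn=config (with "
        "olcModulePath) instead of modifying it.",
    80: "Other error from the olcModuleLoad handler: slapd could not dlopen the module; "
        "set olcModulePath or use the full path to the .so.",
    21: "Invalid syntax on objectClass: the objectClass (olcMemberOf) is unknown because "
        "the memberof module is not loaded; fix the module load first.",
}


def failed_config_ops(log_lines):
    """Return [(dn, kind, err, hint)] for every operation whose RESULT carries err != 0.

    Requests and results are matched on (conn, op), so interleaved connections
    and the unrelated 'MOD attr=...' lines between them do not confuse the pairing."""
    pending = {}
    failures = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = RESULT_RE.search(line)
        if m:
            err = int(m.group(3))
            kind, dn = pending.pop((m.group(1), m.group(2)), ("?", "?"))
            if err != 0:
                hint = HINTS.get(err, m.group(4).strip() or "see slapd log")
                failures.append((dn, kind, err, hint))
    return failures


# Sample lines copied from the log excerpts in this thread (two different pods).
SAMPLE_LOG = """\
65851abf.19540c77 0x7f6f477fe700 conn=1006 op=1 MOD dn="cn=module{0},cn=config"
65851abf.1955b1f8 0x7f6f477fe700 conn=1006 op=1 MOD attr=olcModuleLoad
65851abf.1957854f 0x7f6f477fe700 conn=1006 op=1 RESULT tag=103 err=32 qtime=0.000031 etime=0.000289 text=
65c1bd6c.17c4d914 0x7f520b7fe700 conn=1004 op=1 ADD dn="cn=module,cn=config"
65c1bd6c.17d96544 0x7f520b7fe700 conn=1004 op=1 RESULT tag=105 err=0 qtime=0.000005 etime=0.001367 text=
65c1bd6d.01cc0bb7 0x7f520b7fe700 conn=1011 op=1 ADD dn="olcOverlay=memberof,olcDatabase={2}mdb,cn=config"
65c1bd6d.01cc6e85 0x7f520b7fe700 conn=1011 op=1 RESULT tag=105 err=21 qtime=0.000003 etime=0.000047 text=objectClass: value #1 invalid per syntax
"""

if __name__ == "__main__":
    import sys
    lines = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for dn, kind, err, hint in failed_config_ops(lines):
        print("%s %s failed with err=%d: %s" % (kind, dn, err, hint))
```

Run it against `kubectl logs <pod> --previous` after a crash as well as against the current container: a clean run prints nothing, and any line it prints names the cn=config entry whose change never took effect.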
jp-gouin commented 5 months ago

Hi,

Please take a look at the memberOf documentation; I'm also using it now in the CI. Values file in .bin/myval.yaml