jp-gouin / helm-openldap

Helm chart of Openldap in High availability with multi-master replication and PhpLdapAdmin and Ltb-Passwd
Apache License 2.0

LDAP object tree is only created if replication.enabled=false #137

Closed ErikLundJensen closed 8 months ago

ErikLundJensen commented 9 months ago

Describe the bug: The documentation explains how to use the fields users and userPasswords to create users. However, when replication is enabled (which it is by default), the users are not created.

To Reproduce: Values for the Helm chart as in the documentation

users: user01,user02
userPasswords: bitnami1, bitnami2
group: readers

Expected behavior: Users are created in the LDAP tree and assigned to the group.


Additional context: Workaround is to disable replication:

users: user01,user02
userPasswords: bitnami1, bitnami2
group: readers
replication:
  enabled: false
replicaCount: 1

The call to ldap_create_tree is never reached when replication is enabled: https://github.com/bitnami/containers/blob/50c8e55a47598e50fd6392d6ff510f8472cb375a/bitnami/openldap/2.6/debian-11/rootfs/opt/bitnami/scripts/libopenldap.sh#L652

jp-gouin commented 9 months ago

Hi @ErikLundJensen , it works for me with the following configuration:

global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: [""]
  storageClass: ""
  ldapDomain: "example.toto"
  ## Default Passwords to use, stored as a secret. Not used if existingSecret is set.
  adminPassword:  Not@SecurePassw0rd
  configPassword: Not@SecurePassw0rd
  ldapPort: 1389
  sslLdapPort: 1636
env:
 BITNAMI_DEBUG: "true"
 LDAP_LOGLEVEL: "256"
 LDAP_TLS_ENFORCE: "false"
 LDAPTLS_REQCERT: "never"
 LDAP_ENABLE_TLS: "yes"
 LDAP_CONFIG_ADMIN_ENABLED: "yes"
 LDAP_SKIP_DEFAULT_TREE: "no"
## User list to create (comma separated list), can't be used with customLdifFiles
users: user1,user2

## User passwords to create (comma separated list)
userPasswords: password1,password2

## Group to create and add list of user above
group: myGroup

Make sure LDAP_SKIP_DEFAULT_TREE is set to "no".

Connect to the openldap instance and run ldapsearch:

LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=toto' -w Not@SecurePassw0rd -H ldaps://127.0.0.1:1636 -b 'dc=example,dc=toto'
I have no name!@sa-openldap-0:/$ LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=toto' -w Not@SecurePassw0rd -H ldaps://127.0.0.1:1636 -b 'dc=example,dc=toto'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=toto> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.toto
dn: dc=example,dc=toto
objectClass: dcObject
objectClass: organization
dc: example
o: example

# users, example.toto
dn: ou=users,dc=example,dc=toto
objectClass: organizationalUnit
ou: users

# user1, users, example.toto
dn: cn=user1,ou=users,dc=example,dc=toto
cn: User1
sn: Bar1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQx
uid: user1
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user1

# user2, users, example.toto
dn: cn=user2,ou=users,dc=example,dc=toto
cn: User2
sn: Bar2
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQy
uid: user2
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user2

# myGroup, users, example.toto
dn: cn=myGroup,ou=users,dc=example,dc=toto
cn: myGroup
objectClass: groupOfNames
member: cn=user1,ou=users,dc=example,dc=toto
member: cn=user2,ou=users,dc=example,dc=toto

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
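To confirm after a deploy that the default tree actually landed, here is an added Python check (not part of the chart or of this thread) that parses ldapsearch LDIF output into entries and lists the users, group and memberships that are missing; SAMPLE_LDIF is a constructed, trimmed copy of the output above. Decoding the base64 userPassword:: value also shows that the chart-created accounts store the password as cleartext rather than as a hash.

```python
import base64
# Constructed sample: a trimmed copy of the ldapsearch output shown above.
SAMPLE_LDIF = """\
dn: dc=example,dc=toto

dn: ou=users,dc=example,dc=toto

dn: cn=user1,ou=users,dc=example,dc=toto
userPassword:: cGFzc3dvcmQx

dn: cn=user2,ou=users,dc=example,dc=toto
userPassword:: cGFzc3dvcmQy

dn: cn=myGroup,ou=users,dc=example,dc=toto
member: cn=user1,ou=users,dc=example,dc=toto
member: cn=user2,ou=users,dc=example,dc=toto
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from ldapsearch/LDIF text."""
    lines = []                      # first unfold: a leading space continues the previous line
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        if not line.strip() or line.startswith("#"):   # entry separators and comments
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):                     # 'attr:: xxx' is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode()
        if attr == "dn":
            dn = value
            entries[dn] = {}
        else:
            entries[dn].setdefault(attr, []).append(value)
    return entries

def verify_tree(entries, base_dn, users, group):
    """List the entries and memberships the chart should have created but did not."""
    ou, gdn = f"ou=users,{base_dn}", f"cn={group},ou=users,{base_dn}"
    expected = [base_dn, ou] + [f"cn={u},{ou}" for u in users] + [gdn]
    missing = [dn for dn in expected if dn not in entries]
    members = entries.get(gdn, {}).get("member", [])
    missing += [f"member {u} in {gdn}" for u in users if f"cn={u},{ou}" not in members]
    return missing
```

Feed it the real output with `parse_ldif(open("out.ldif").read())`; an empty list from verify_tree means the users and group exist and the group membership matches.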

zerowebcorp commented 9 months ago

The tree is not created when replicaCount is set to 1. Is there any reason why?

jp-gouin commented 8 months ago

The tree is created (it should be, at least) regardless of the replicaCount. However, it will depend on the env.LDAP_SKIP_DEFAULT_TREE variable.

jp-gouin commented 8 months ago

The issue here seems to be related to a change in the container image where the TLS initialization was moved to the end of the openldap initialization, breaking the chart's replication configuration. More here

zsq1234 commented 8 months ago

Hi, I use bitnami/openldap:2.6.6 and replicaCount: 1, and changed PHPLDAPADMIN_LDAP_HOSTS 'tls': False, but it has no effect; I only have "dc=example,dc=org". [image]

zerowebcorp commented 8 months ago

2.6.6 is buggy. Try with 2.6.5

zsq1234 commented 8 months ago

It has the same problem. I found that the init stops at libopenldap.sh:

        # Initialize OpenLDAP with schemas/tree structure
        if is_boolean_yes "$LDAP_ADD_SCHEMAS"; then
            ldap_add_schemas
        fi

It does not run the script after that.

zsq1234 commented 8 months ago

I run this in the pod, and wait for the restart.

. /opt/bitnami/scripts/liblog.sh
. /opt/bitnami/scripts/openldap/setup.sh

ldap_configure_ppolicy  # if you want to enable the ppolicy module
ldap_configure_tls
ldap_create_tree

and restart phpLDAPAdmin; it seems to be OK.

jp-gouin commented 8 months ago

If you want to use openldap 2.6.6, please try with:

image:
  # From repository https://hub.docker.com/r/bitnami/openldap/
  #repository: bitnami/openldap
  #tag: 2.6.3
  # Temporary fix
  repository: jpgouin/openldap
  tag: 2.6.6-fix

zsq1234 commented 8 months ago

Hi, I tried it using this values.yaml:

image:
  repository: jpgouin/openldap
  tag: 2.6.6-fix
  pullPolicy: IfNotPresent

replicaCount: 1

replication:
  enabled: true

initTLSSecret:
  image:
    tag: 3.1.4

ltb-passwd:
  image:
    tag: 5.2.3
    pullPolicy: IfNotPresent
  ingress:
    enabled: false

phpldapadmin:
  image:
    tag: 0.9.0
    pullPolicy: IfNotPresent
  ingress:
    enabled: false

and I open phpldapadmin: [image]

ErikLundJensen commented 8 months ago

Sorry for not paying attention to this issue; however, my point is that when replication is enabled, the directory $LDAP_DATA_DIR is not empty. Therefore the code in the following "else" statement is never executed.

libopenldap.sh:614

jp-gouin commented 8 months ago

@ErikLundJensen no, when replication is enabled all ldifs go to the schemas set by $LDAP_CUSTOM_SCHEMA_DIR. $LDAP_DATA_DIR is by default set to LDAP_DATA_DIR="${LDAP_VOLUME_DIR}/data" and it's not overridden by the chart.

jp-gouin commented 8 months ago

@zsq1234 you have set replicaCount to 1 and you enabled the replication. You should either disable the replication or use more than 1 replica

zsq1234 commented 8 months ago

@zsq1234 you have set replicaCount to 1 and you enabled the replication. You should either disable the replication or use more than 1 replica

Thank you for your help. I understand now.

ErikLundJensen commented 8 months ago

Documentation could be improved, saying that setting replicaCount=1 also requires setting replication=false.
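As an added pre-deploy check (not part of the chart), a Python function that flags the value combinations this thread identified as silently skipping tree creation, plus the TLS-relaxing debug env from the example configuration; the dict keys mirror values.yaml, the default-on replication and the one-password-per-user check are assumptions, and ISSUE_VALUES / WORKAROUND_VALUES are constructed from the values posted above.

```python
def check_values(values):
    """Return findings for a helm-openldap values dict (keys assumed to mirror values.yaml)."""
    findings = []
    env = values.get("env") or {}
    replication = (values.get("replication") or {}).get("enabled", True)  # assumption: default on
    replicas = int(values.get("replicaCount", 1))                          # assumption: default 1
    if replication and replicas == 1:
        findings.append("replicaCount=1 with replication.enabled=true: the users/group tree is "
                        "not created; set replication.enabled=false or use more than 1 replica")
    if str(env.get("LDAP_SKIP_DEFAULT_TREE", "no")).lower() != "no":
        findings.append("env.LDAP_SKIP_DEFAULT_TREE must be 'no' for users/group to be created")
    users = [u.strip() for u in str(values.get("users", "")).split(",") if u.strip()]
    pws = [p.strip() for p in str(values.get("userPasswords", "")).split(",") if p.strip()]
    if len(users) != len(pws):                       # assumed sanity check: one password per user
        findings.append(f"{len(users)} users but {len(pws)} userPasswords")
    if users and values.get("customLdifFiles"):      # values.yaml comment: cannot be combined
        findings.append("users cannot be combined with customLdifFiles")
    # The debug env from the thread weakens TLS; acceptable in a lab, not on a shared cluster.
    if str(env.get("LDAP_TLS_ENFORCE", "")).lower() == "false":
        findings.append("LDAP_TLS_ENFORCE=false does not require TLS for client connections")
    if str(env.get("LDAPTLS_REQCERT", "")).lower() == "never":
        findings.append("LDAPTLS_REQCERT=never disables server certificate verification")
    return findings

# Constructed samples mirroring the values posted in the thread.
ISSUE_VALUES = {
    "replicaCount": 1,
    "replication": {"enabled": True},
    "env": {"LDAP_SKIP_DEFAULT_TREE": "no"},
    "users": "user01,user02",
    "userPasswords": "bitnami1, bitnami2",
    "group": "readers",
}
WORKAROUND_VALUES = {**ISSUE_VALUES, "replication": {"enabled": False}}

if __name__ == "__main__":
    for name, v in (("issue", ISSUE_VALUES), ("workaround", WORKAROUND_VALUES)):
        print(name, check_values(v) or ["ok"])
```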