jp-gouin / helm-openldap

Helm chart of Openldap in High availability with multi-master replication and PhpLdapAdmin and Ltb-Passwd
Apache License 2.0

Issues bootstrapping `customLdifFiles` #175

Closed MartinWeise closed 3 months ago

MartinWeise commented 3 months ago

Describe the bug

I'm trying to add a custom organizationalUnit that holds the users and a groupOfNames that holds system users. The .ldif looks like this:

dn: ou=users,dc=dbrepo,dc=at
objectclass: organizationalUnit
ou: users

dn: cn=system,ou=users,dc=dbrepo,dc=at
objectClass: groupOfNames
cn: system
member: cn=admin,ou=users,dc=dbrepo,dc=at

To Reproduce

  1. Set global.ldapDomain to dbrepo.at
  2. Set customLdifFiles as follows:

    customLdifFiles:
      00-dbrepo.ldif: |-
        version: 1

        dn: dc=dbrepo,dc=at
        objectClass: dcObject
        objectClass: organization
        dc: dbrepo
        o: example

        dn: ou=users,dc=dbrepo,dc=at
        objectClass: organizationalUnit
        ou: users

        dn: cn=system,ou=users,dc=dbrepo,dc=at
        objectClass: groupOfNames
        cn: system
        member: cn=admin,ou=users,dc=dbrepo,dc=at
  3. Connect with the admin credentials on bind dn cn=admin,dc=dbrepo,dc=at and see no organizationalUnit has been created.

Expected behavior

See the image below: both objects are created. When importing the .ldif manually (afterwards) they are created, so the files are valid.

Screenshots

(screenshot "debug" not reproduced here)

Desktop (please complete the following information): (not relevant)

Smartphone (please complete the following information): (not relevant)

Chart version

4.2.5

Additional context

Running on Azure AKS with Kubernetes 1.27.9. I found a similar issue which was resolved: https://github.com/jp-gouin/helm-openldap/issues/46

jp-gouin commented 3 months ago

Hi @MartinWeise , Can you post the logs of the first openldap to start ?

MartinWeise commented 3 months ago

Hi @jp-gouin, of course. Unfortunately nothing significant is visible:

Defaulted container "identityservice" out of: identityservice, init-schema (init), init-tls-secret (init)
 14:06:23.86 INFO  ==> ** Starting LDAP setup **
 14:06:23.96 INFO  ==> Validating settings in LDAP_* env vars
 14:06:23.98 INFO  ==> Initializing OpenLDAP...
 14:06:23.99 DEBUG ==> Ensuring expected directories/files exist...
 14:06:24.06 INFO  ==> Using persisted data
 14:06:24.07 INFO  ==> ** LDAP setup finished! **

 14:06:24.18 INFO  ==> ** Starting slapd **
66816660.0b9e575d 0x7f550b675740 @(#) $OpenLDAP: slapd 2.6.7 (May 13 2024 16:20:35) $
    @fd2dadcdc6ef:/bitnami/blacksmith-sandox/openldap-2.6.7/servers/slapd
66816660.0d54bcb7 0x7f550b675740 slapd starting
66816666.120daced 0x7f54ca8c66c0 conn=1000 fd=14 ACCEPT from IP=10.224.0.12:37950 (IP=0.0.0.0:1389)
...

From the init-schema container:

This is the main openldap so let's init all additional schemas and ldifs here

It seems the init-schema container does not apply the .ldif file.

jp-gouin commented 3 months ago

From the look of it, it's not the first execution

14:06:24.06 INFO ==> Using persisted data

Can you post the logs of the first startup ?

You can use kubectl logs pod_name --previous if the pod restarts too quickly.

Did you have a look at the advanced example to set up memberOf?

MartinWeise commented 3 months ago

Thank you for the hint with --previous and the advanced example. I didn't even realize the pod was restarted; that really helped. I was able to debug the deployment, and it was the replicaCount=1 in my deployment. The first startup logs for replicaCount=1 are:

Defaulted container "identityservice" out of: identityservice, init-schema (init), init-tls-secret (init)
 16:15:19.47 INFO  ==> ** Starting LDAP setup **
 16:15:19.69 INFO  ==> Validating settings in LDAP_* env vars
 16:15:19.73 INFO  ==> Initializing OpenLDAP...
 16:15:19.74 DEBUG ==> Ensuring expected directories/files exist...
 16:15:19.82 INFO  ==> Creating LDAP online configuration
 16:15:19.84 INFO  ==> Creating slapd.ldif
 16:15:20.04 INFO  ==> Starting OpenLDAP server in background
66818498.04fcd2e3 0x7ff0dd6ca740 @(#) $OpenLDAP: slapd 2.6.7 (May 13 2024 16:20:35) $
    @fd2dadcdc6ef:/bitnami/blacksmith-sandox/openldap-2.6.7/servers/slapd
66818498.0b514e62 0x7ff0dd6ca740 slapd starting
 16:15:21.12 INFO  ==> Configure LDAP credentials for admin user
SASL/EXTERNAL authentication started
66818499.0a18c3b5 0x7ff09c9336c0 conn=1000 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
66818499.0a1d616b 0x7ff097fff6c0 conn=1000 op=0 BIND dn="" method=163
66818499.0a323b3f 0x7ff097fff6c0 conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
66818499.0a32f8b6 0x7ff097fff6c0 conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
66818499.0a338d8d 0x7ff097fff6c0 conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000025 etime=0.001492 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
66818499.0a5e55c9 0x7ff09c9336c0 conn=1000 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
66818499.0aad4bec 0x7ff09c9336c0 conn=1000 op=1 MOD attr=olcSuffix
66818499.0ab608c7 0x7ff09c9336c0 conn=1000 op=1 RESULT tag=103 err=0 qtime=0.000016 etime=0.005798 text=
66818499.0aba1017 0x7ff097fff6c0 conn=1000 op=2 MOD dn="olcDatabase={2}mdb,cn=config"
66818499.0abc856d 0x7ff097fff6c0 conn=1000 op=2 MOD attr=olcRootDN
66818499.0ac46979 0x7ff09c9336c0 conn=1000 op=3 MOD dn="olcDatabase={2}mdb,cn=config"
66818499.0ac6bade 0x7ff09c9336c0 conn=1000 op=3 MOD attr=olcRootPW
66818499.0ac8aafe 0x7ff097fff6c0 conn=1000 op=2 RESULT tag=103 err=0 qtime=0.000017 etime=0.000989 text=
66818499.0ad70444 0x7ff09c9336c0 conn=1000 op=3 RESULT tag=103 err=0 qtime=0.000015 etime=0.001243 text=
66818499.0ad97486 0x7ff097fff6c0 conn=1000 op=4 MOD dn="olcDatabase={1}monitor,cn=config"
66818499.0adbc77b 0x7ff097fff6c0 conn=1000 op=4 MOD attr=olcAccess
66818499.0ae2edac 0x7ff09c9336c0 conn=1000 op=5 MOD dn="olcDatabase={0}config,cn=config"
66818499.0b0fa158 0x7ff09c9336c0 conn=1000 op=5 MOD attr=olcRootDN
66818499.0b1264cf 0x7ff097fff6c0 conn=1000 op=4 RESULT tag=103 err=0 qtime=0.000162 etime=0.003907 text=
66818499.0b19be2d 0x7ff097fff6c0 conn=1000 op=6 MOD dn="olcDatabase={0}config,cn=config"
66818499.0b1c4d4b 0x7ff097fff6c0 conn=1000 op=6 MOD attr=olcRootPW
66818499.0b1d9b4d 0x7ff09c9336c0 conn=1000 op=5 RESULT tag=103 err=0 qtime=0.000015 etime=0.003869 text=
modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

66818499.0b36a576 0x7ff097fff6c0 conn=1000 op=6 RESULT tag=103 err=0 qtime=0.000015 etime=0.001917 text=
66818499.0b38cd0e 0x7ff09c9336c0 conn=1000 op=7 UNBIND
66818499.0b4713f8 0x7ff097fff6c0 conn=1000 fd=12 closed
 16:15:21.20 INFO  ==> Adding LDAP extra schemas
SASL/EXTERNAL authentication started
66818499.0f1ed8fa 0x7ff09c9336c0 conn=1001 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
66818499.0f23143f 0x7ff09c9336c0 conn=1001 op=0 BIND dn="" method=163
66818499.0f8cd957 0x7ff09c9336c0 conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
66818499.0f90b5af 0x7ff09c9336c0 conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
66818499.0f9338b1 0x7ff09c9336c0 conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000019 etime=0.007371 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
66818499.0f9c7807 0x7ff097fff6c0 conn=1001 op=1 ADD dn="cn=cosine,cn=schema,cn=config"
66818499.0fb2aa6b 0x7ff097fff6c0 conn=1001 op=1 RESULT tag=105 err=0 qtime=0.000019 etime=0.001515 text=
66818499.1109826e 0x7ff09c9336c0 conn=1001 op=2 UNBIND
66818499.110d5246 0x7ff09c9336c0 conn=1001 fd=12 closed
adding new entry "cn=cosine,cn=schema,cn=config"

66818499.157f5258 0x7ff097fff6c0 conn=1002 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
SASL/EXTERNAL authentication started
66818499.15880e08 0x7ff09c9336c0 conn=1002 op=0 BIND dn="" method=163
66818499.158a67a2 0x7ff09c9336c0 conn=1002 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
66818499.158c2ebd 0x7ff09c9336c0 conn=1002 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
66818499.158e665a 0x7ff09c9336c0 conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000010 etime=0.000430 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
66818499.15d193eb 0x7ff097fff6c0 conn=1002 op=1 ADD dn="cn=inetorgperson,cn=schema,cn=config"
66818499.15dda39d 0x7ff097fff6c0 conn=1002 op=1 RESULT tag=105 err=0 qtime=0.000012 etime=0.000832 text=
66818499.15e666b9 0x7ff09c9336c0 conn=1002 op=2 UNBIND
66818499.15e93bc4 0x7ff09c9336c0 conn=1002 fd=12 closed
adding new entry "cn=inetorgperson,cn=schema,cn=config"

66818499.1a8fd9d3 0x7ff097fff6c0 conn=1003 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
SASL/EXTERNAL authentication started
66818499.1a99e898 0x7ff09c9336c0 conn=1003 op=0 BIND dn="" method=163
66818499.1a9c5fe3 0x7ff09c9336c0 conn=1003 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
66818499.1ad80e30 0x7ff09c9336c0 conn=1003 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
66818499.1adb4f72 0x7ff09c9336c0 conn=1003 op=0 RESULT tag=97 err=0 qtime=0.000011 etime=0.004301 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
66818499.1ae36903 0x7ff097fff6c0 conn=1003 op=1 ADD dn="cn=nis,cn=schema,cn=config"
66818499.1af29476 0x7ff097fff6c0 conn=1003 op=1 RESULT tag=105 err=0 qtime=0.000011 etime=0.001041 text=
66818499.1af69c8e 0x7ff09c9336c0 conn=1003 op=2 UNBIND
66818499.1af915cc 0x7ff09c9336c0 conn=1003 fd=12 closed
adding new entry "cn=nis,cn=schema,cn=config"

SASL/EXTERNAL authentication started
66818499.1b9ed947 0x7ff097fff6c0 conn=1004 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
66818499.1ba1f634 0x7ff09c9336c0 conn=1004 op=0 BIND dn="" method=163
66818499.1ba441bd 0x7ff09c9336c0 conn=1004 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
66818499.1ba60f19 0x7ff09c9336c0 conn=1004 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
66818499.1bcba84f 0x7ff09c9336c0 conn=1004 op=0 RESULT tag=97 err=0 qtime=0.000008 etime=0.002740 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
66818499.1bd32a4e 0x7ff09c9336c0 conn=1004 op=1 ADD dn="cn=module,cn=config"
66818499.1beb5cd6 0x7ff09c9336c0 conn=1004 op=1 RESULT tag=105 err=0 qtime=0.000009 etime=0.001615 text=
66818499.1c00e22b 0x7ff097fff6c0 conn=1004 op=2 UNBIND
66818499.1c36d149 0x7ff097fff6c0 conn=1004 fd=12 closed
adding new entry "cn=module,cn=config"

66818499.1d600945 0x7ff09c9336c0 conn=1005 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
SASL/EXTERNAL authentication started
66818499.1d689de4 0x7ff097fff6c0 conn=1005 op=0 BIND dn="" method=163
66818499.1da987bb 0x7ff097fff6c0 conn=1005 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
66818499.1dce71ef 0x7ff097fff6c0 conn=1005 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
66818499.1dea2cd1 0x7ff097fff6c0 conn=1005 op=0 RESULT tag=97 err=0 qtime=0.000010 etime=0.008501 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
66818499.1df1f7de 0x7ff09c9336c0 conn=1005 op=1 MOD dn="cn=config"
66818499.1df3c601 0x7ff09c9336c0 conn=1005 op=1 MOD attr=olcServerID
66818499.1dfafc37 0x7ff09c9336c0 conn=1005 op=1 RESULT tag=103 err=0 qtime=0.000011 etime=0.000623 text=
66818499.1dfee82f 0x7ff097fff6c0 conn=1005 op=2 UNBIND
66818499.1e014de5 0x7ff097fff6c0 conn=1005 fd=12 closed
modifying entry "cn=config"

66818499.217ea777 0x7ff09c9336c0 conn=1006 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
SASL/EXTERNAL authentication started
66818499.2187e281 0x7ff097fff6c0 conn=1006 op=0 BIND dn="" method=163
66818499.218a2bb3 0x7ff097fff6c0 conn=1006 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
66818499.218c2ef7 0x7ff097fff6c0 conn=1006 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
66818499.218e468c 0x7ff097fff6c0 conn=1006 op=0 RESULT tag=97 err=0 qtime=0.000010 etime=0.000432 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
66818499.219580a9 0x7ff09c9336c0 conn=1006 op=1 ADD dn="olcOverlay=syncprov,olcDatabase={0}config,cn=config"
66818499.219d6b5a 0x7ff09c9336c0 conn=1006 op=1 RESULT tag=105 err=0 qtime=0.000010 etime=0.000559 text=
66818499.21a130a6 0x7ff097fff6c0 conn=1006 op=2 UNBIND
66818499.21a386bb 0x7ff097fff6c0 conn=1006 fd=12 closed
adding new entry "olcOverlay=syncprov,olcDatabase={0}config,cn=config"

SASL/EXTERNAL authentication started
66818499.22ec765e 0x7ff09c9336c0 conn=1007 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
66818499.22f732fa 0x7ff097fff6c0 conn=1007 op=0 BIND dn="" method=163
66818499.22fa07a2 0x7ff097fff6c0 conn=1007 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
66818499.22fc538f 0x7ff097fff6c0 conn=1007 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
66818499.23287f4d 0x7ff097fff6c0 conn=1007 op=0 RESULT tag=97 err=0 qtime=0.000010 etime=0.003242 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
66818499.2330a0ae 0x7ff09c9336c0 conn=1007 op=1 MOD dn="olcDatabase={0}config,cn=config"
66818499.2332c5ef 0x7ff09c9336c0 conn=1007 op=1 MOD attr=olcSyncRepl olcMirrorMode
66818499.23516b59 0x7ff09c9336c0 olcMultiProvider: value #0: <olcMultiProvider> database is not a shadow
66818499.23687b3c 0x7ff09c9336c0 conn=1007 op=1 RESULT tag=103 err=80 qtime=0.000009 etime=0.003698 text=<olcMultiProvider> database is not a shadow
ldap_modify: Other (e.g., implementation specific) error (80)
    additional info: <olcMultiProvider> database is not a shadow
66818499.237fe8e1 0x7ff097fff6c0 conn=1007 op=2 UNBIND
66818499.2382a99c 0x7ff097fff6c0 conn=1007 fd=12 closed
modifying entry "olcDatabase={0}config,cn=config"

66818499.26243f66 0x7ff09d1346c0 daemon: shutdown requested and initiated.
66818499.267dcc47 0x7ff09d1346c0 slapd shutdown: waiting for 0 operations/tasks to finish
66818499.26faefe2 0x7ff0dd6ca740 slapd stopped.

I can however confirm that with the standard replicaCount=3 the custom .ldif is executed and I can finally see the created organization and groupOfNames. Also I can confirm the advanced example with memberOf is working, thank you again. Not sure if this is still considered a bug (since high availability is the chart's use case); please feel free to close the issue at your judgement.

jp-gouin commented 3 months ago

Awesome, glad you fixed your issue. If you want to use the chart with 1 replica, it's supported, but you have to turn off the replication (it's not done automatically by the chart). So setting replication.enabled to false should do the trick.

Closing the issue; feel free to open it again if needed.
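The two practical pieces of this thread are the values needed for a single-replica install and the log check the maintainer asked for (first-start log via `--previous`, then telling a clean bootstrap apart from a start on persisted data and from the aborted replication setup shown in the `err=80` log above). The script below is an added example, not code from the chart or from either commenter. The value keys it uses (`replicaCount`, `replication.enabled`, `global.ldapDomain`, `customLdifFiles`) and the log phrases it matches are the ones that appear in this thread; the classifier's output names and the sample log lines in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the chart or of this thread. Keys named in the
# thread: replicaCount, replication.enabled, global.ldapDomain,
# customLdifFiles. The log phrases matched below are copied from the logs
# posted above; the classification names are assumptions made here.

# Write a values file for a single-replica install with replication off.
# Prints the path written.
write_single_replica_values() {
  out="$1"
  cat > "$out" <<'EOF'
replicaCount: 1
replication:
  enabled: false   # required with one replica: the chart does not disable it
global:
  ldapDomain: dbrepo.at
customLdifFiles:
  00-dbrepo.ldif: |-
    version: 1

    dn: dc=dbrepo,dc=at
    objectClass: dcObject
    objectClass: organization
    dc: dbrepo
    o: example

    dn: ou=users,dc=dbrepo,dc=at
    objectClass: organizationalUnit
    ou: users

    dn: cn=system,ou=users,dc=dbrepo,dc=at
    objectClass: groupOfNames
    cn: system
    member: cn=admin,ou=users,dc=dbrepo,dc=at
EOF
  printf '%s\n' "$out"
}

# Classify one container start from the openldap log read on stdin.
# Prints exactly one word:
#   replication-config-failed  first start aborted on olcMultiProvider (err=80)
#   persisted                  data dir already populated, custom LDIFs skipped
#   bootstrap                  clean first start, custom LDIFs get applied
#   unknown                    none of the markers seen (truncated log?)
# The failure case is tested first because an aborted first start also
# prints "Creating LDAP online configuration" before slapd shuts down.
classify_ldap_startup() {
  log=$(cat)
  case "$log" in
    *'database is not a shadow'*|*' err=80 '*) echo replication-config-failed ;;
    *'Using persisted data'*)                    echo persisted ;;
    *'Creating LDAP online configuration'*)      echo bootstrap ;;
    *)                                           echo unknown ;;
  esac
}

# Demo on constructed log excerpts (trimmed from the ones posted in the thread).
printf '%s\n' 'INFO  ==> Using persisted data' | classify_ldap_startup
printf '%s\n' 'INFO  ==> Creating LDAP online configuration' \
  'conn=1007 op=1 RESULT tag=103 err=80 qtime=0.000009 text=<olcMultiProvider> database is not a shadow' \
  | classify_ldap_startup
```

On a cluster, feed the classifier with `kubectl logs <pod> -c <container> --previous | classify_ldap_startup`; a result of `persisted` means this start never ran the custom LDIFs, so the entries have to be imported by hand or the bootstrap has to be redone. The logs above show that a start on persisted data skips the whole bootstrap, so after fixing the values it is a reasonable assumption (not stated in the thread) that the persistent volume left behind by the failed first start must be removed before reinstalling, otherwise the new pod will again report "Using persisted data". To confirm the bootstrap worked, bind as the admin DN from the issue and search the new subtree, e.g. `ldapsearch -x -H ldap://<service>:1389 -D cn=admin,dc=dbrepo,dc=at -W -b ou=users,dc=dbrepo,dc=at '(objectClass=groupOfNames)'` (port 1389 as seen in the ACCEPT log line).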

jasonhao518 commented 1 month ago

Actually I got the same issue, and tried several times, still the same. Good to know this trick to fix the issue.