jp-gouin / helm-openldap

Helm chart of Openldap in High availability with multi-master replication and PhpLdapAdmin and Ltb-Passwd
Apache License 2.0

I tried installing the Helm chart with TLS enabled and ingress for phpadmin, and I get an SSL error #181

Closed avodapalli2 closed 1 month ago

avodapalli2 commented 1 month ago

After installing the Helm chart and enabling TLS and ingress, I get the below error after logging in with the admin user in phpadmin:

Array
(
    [class] => N/A
    [function] => debug_dump
    [file] => /var/www/phpldapadmin/lib/functions.php
    [line] => 723
    [debug] => Array
        (
            [Incoming MSG] => Array
                (
                    [title] => Could not start TLS. (openldap.ldap)
                    [body] => Error: Could not start TLS. Please check your LDAP server configuration.
                    [type] => error
                )

            [existing] => Array
                (
                    [0] => Array
                        (
                            [title] => Could not start TLS. (openldap.ldap)
                            [body] => Error: Could not start TLS. Please check your LDAP server configuration.
                            [type] => error
                        )

                    [1] => Array
                        (
                            [title] => Authenticate to server
                            [body] => Successfully logged into server.
                            [type] => info
                        )

                )

        )

)

jp-gouin commented 1 month ago

Hi @avodapalli2

Can you please include the logs of the openldap pod?

Include the log of the first execution of the pod <openldap>-0.

Can you also include the values that you used?

Thanks

jp-gouin commented 1 month ago

So you are using only 1 replica, so you should turn off the replication:

replication:
  enabled: false

Btw, the log file is not from the first execution, or you are re-deploying the chart, because of this trace:

 09:40:44.10 INFO  ==> Using persisted data

So if you changed your customAcls or customLdifFiles without cleaning (removing the PVC / the namespace), they won't be taken into account.

jp-gouin commented 1 month ago

Are you able to ldapsearch against your base ?

avodapalli2 commented 1 month ago

When I removed the custom ACL it works. I am not sure what the problem is with my custom ACL. Will you be able to help with that?

avodapalli2 commented 1 month ago

The same ACL was working with my old Helm chart, version 3.0.1, with the custom LDIF files mounted at /container/service/slapd/assets/config/bootstrap/ldif/custom. But now it does not work with customLdifFiles or customAcls either.

jp-gouin commented 1 month ago

So between 3.x and 4.x the chart uses a newer version of OpenLDAP that included breaking changes.

So your ACL is using the old scheme:

dn: olcDatabase={1}mdb,cn=config

where it should now be:

dn: olcDatabase={2}mdb,cn=config

jp-gouin commented 1 month ago

Can you add .ldif to your customSchemaFiles pwm.schema? Otherwise I'm afraid the file will be ignored (or break the deployment).

jp-gouin commented 1 month ago

What are the logs ?

jp-gouin commented 1 month ago

Okay, so your customSchemaFiles is not a valid LDIF file; it misses dn, objectClass, etc.

The pwm project provides a more valid file, I think, here, but the indentation seems off.

You should end up with something like:

dn: cn=pwm,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: pwm
olcAttributeTypes: ( 1.3.6.1.4.1.35015.1.2.1 NAME 'pwmEventLog' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: ( 1.3.6.1.4.1.35015.1.2.2 NAME 'pwmResponseSet' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: ( 1.3.6.1.4.1.35015.1.2.3 NAME 'pwmLastPwdUpdate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: ( 1.3.6.1.4.1.35015.1.2.4 NAME 'pwmGUID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.35015.1.2.6 NAME 'pwmOtpSecret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: ( 1.3.6.1.4.1.35015.1.2.7 NAME 'pwmData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.35015.1.1.1 NAME 'pwmUser' AUXILIARY MAY ( pwmLastPwdUpdate $ pwmEventLog $ pwmResponseSet $ pwmOtpSecret $ pwmGUID $ pwmData ) )

jp-gouin commented 1 month ago

There are multiple errors in the log file.

I would suggest that you start from a less complicated setup, only with your schema, and then start adding your custom LDIF files one by one and see what's going on.

avodapalli2 commented 1 month ago

Thanks for your suggestion; only with the schema it works, and when I log in to phpadmin it shows my organisation as "example" instead of what I set in the LDAP_ORGANISATION environment variable. And I still get an issue with LDIF even if I add a very simple LDIF with the below entry:

dn: ou=People,dc=skat-classic,dc=dxc,dc=com
associateddomain: dxc.com
objectclass: top
objectclass: organizationalUnit
objectclass: domainRelatedObject
ou: People

I get the error: ldap_add: No such object (32) adding new entry "ou=People,dc=skat-classic,dc=dxc,dc=com"

jp-gouin commented 1 month ago

So when you want to bootstrap your custom LDIF you need to create the organisation object:

dn: dc=test,dc=example
dc: test
o: Example Inc.
objectclass: top
objectclass: dcObject
objectclass: organization

A default tree (root organisation, users and group) is created during startup (using the value of global.ldapDomain). This can be skipped using LDAP_SKIP_DEFAULT_TREE; however, you then need to use customLdifFiles or customLdifCm to create a root organisation and fill in global.ldapDomain.
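One way to catch the three bootstrap mistakes discussed in this thread before redeploying (an ACL addressed to the 3.x database DN, a schema file that is not a real LDIF entry, and a child entry whose parent is never created) is a small offline linter over the LDIF files. This is an added example, not code from the helm-openldap project: the {1}/{2} database numbering is taken from the maintainer's comment above, and the base DN and sample LDIF are constructed for the example.

```python
"""Offline lint for LDIF files loaded by the chart at bootstrap
(customAcls / customLdifFiles / customSchemaFiles).
Added example, not helm-openldap code; the checks mirror the thread."""
from collections import OrderedDict

# DN layouts quoted by the maintainer for the cn=config database entry
OLD_ACL_TARGET = "olcdatabase={1}mdb,cn=config"   # what the 3.x chart used
NEW_ACL_TARGET = "olcdatabase={2}mdb,cn=config"   # what the 4.x chart expects


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators.
    Escaped commas inside values are not handled (rare in bootstrap files)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn):
    """'ou=people,dc=a,dc=b' -> 'dc=a,dc=b'; a single RDN has no parent."""
    return dn.split(",", 1)[1] if "," in dn else ""


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr_lower: [values]})] in file order.
    Handles '#' comments, folded lines (leading space) and blank separators;
    base64 ('::') values are kept as written."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]            # continuation of previous line
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, OrderedDict()
    for line in unfolded + [""]:               # trailing "" flushes last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, OrderedDict()
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if name.strip().lower() == "dn":
            if dn is not None:                 # new entry without a blank line
                entries.append((dn, attrs))
                attrs = OrderedDict()
            dn = value.strip()
        else:
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def lint_ldif(text, base_dn, default_tree=True):
    """Return human-readable problems; [] means the file loads in order.
    default_tree=True mirrors the chart creating the root organisation from
    global.ldapDomain; use False when LDAP_SKIP_DEFAULT_TREE is set."""
    problems, base = [], normalize_dn(base_dn)
    known = {base} if default_tree else set()  # DNs that exist when an entry is added
    for dn, attrs in parse_ldif(text):
        ndn = normalize_dn(dn)
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        if ndn == OLD_ACL_TARGET:
            problems.append(f"{dn}: 3.x database DN, 4.x expects {NEW_ACL_TARGET}")
        elif ndn.endswith(",cn=schema,cn=config"):
            if "olcschemaconfig" not in classes:
                problems.append(f"{dn}: schema entry needs objectClass olcSchemaConfig")
            if "cn" not in attrs:
                problems.append(f"{dn}: schema entry needs a cn attribute")
        elif ndn == base or ndn.endswith("," + base):
            if ndn == base:
                if not {"dcobject", "organization"} <= classes:
                    problems.append(f"{dn}: root should be objectClass dcObject + organization")
            elif parent_dn(ndn) not in known:
                problems.append(f"{dn}: parent {parent_dn(dn)} is not created before it; "
                                "ldapadd would fail with 'No such object (32)'")
            known.add(ndn)
    return problems


BASE_DN = "dc=skat-classic,dc=dxc,dc=com"      # reporter's global.ldapDomain

# Constructed sample carrying all three problems from the thread.
BROKEN_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by * read

dn: cn=pwm,cn=schema,cn=config
cn: pwm
olcAttributeTypes: ( 1.3.6.1.4.1.35015.1.2.4 NAME 'pwmGUID'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

dn: ou=People,dc=skat-classic,dc=dxc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
"""

# Same content fixed the way the maintainer describes (root object first).
FIXED_LDIF = BROKEN_LDIF.replace("{1}mdb", "{2}mdb").replace(
    "cn: pwm\n", "objectClass: olcSchemaConfig\ncn: pwm\n").replace(
    "dn: ou=People", "dn: dc=skat-classic,dc=dxc,dc=com\ndc: skat-classic\n"
    "o: Example Inc.\nobjectClass: top\nobjectClass: dcObject\n"
    "objectClass: organization\n\ndn: ou=People")
```

Run it with default_tree=False to simulate LDAP_SKIP_DEFAULT_TREE: the broken sample yields three findings (including the predicted "No such object (32)" for ou=People), the fixed one none; with the default tree kept, only the ACL and schema findings remain because the chart itself creates the root.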

avodapalli2 commented 1 month ago

I have set global.ldapDomain, so the domain is created correctly. The only thing is it shows the organisation as example.

avodapalli2 commented 1 month ago

Thank you so much for your help. Now I am able to add all the LDIF files, but it seems like the read-only user I created earlier using the LDAP_READONLY_USER_USERNAME and LDAP_READONLY_USER_PASSWORD environment variables does not work with the new version 4 Helm chart.

avodapalli2 commented 1 month ago

Anyway, we can close this case. Thank you very much for your help.