jp-gouin / helm-openldap

Helm chart of Openldap in High availability with multi-master replication and PhpLdapAdmin and Ltb-Passwd
Apache License 2.0

additional info: olcPPolicyDefault: attribute type undefined #184

Closed avodapalli2 closed 1 month ago

avodapalli2 commented 1 month ago

Hi,

I want to set the password policy for my LDAP configuration. In the old OpenLDAP setup with the osixia image I was able to set it with olcPPolicyDefault, but with the newest Helm chart based on Bitnami I get this error: olcPPolicyDefault: attribute type undefined.

Do you have any idea? I set the envs below:

LDAP_CONFIGURE_PPOLICY: "yes"
LDAP_PPOLICY_HASH_CLEARTEXT: "true"
LDAP_PPOLICY_USE_LOCKOUT: "true"

and added a custom ACL as:

dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
changetype: modify
add: olcPPolicyDefault
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=example,dc=com

jp-gouin commented 1 month ago

Hi @avodapalli2, it's most likely you need to enable the module first, similar to:

# Load syncprov module
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: syncprov.so
olcModulePath: /opt/bitnami/openldap/lib/openldap

You should add it as part of your existing customSchemaFiles configuration.

jp-gouin commented 1 month ago

Hi @avodapalli2

I investigated your issue and found out that the ldap_configure_ppolicy function called inside the Bitnami container runs after ldap_add_custom_schema.

So basically adding a custom schema with

dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
changetype: modify
add: olcPPolicyDefault
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=skat-classic,dc=dxc,dc=com

will fail because the module is not yet enabled and configured.

I tried to manually add the olcPPolicyDefault and it worked (however, without the ou=pwpolicies you probably need to create the ou first).

Anyway, you have 3 options:

  1. You open a ticket on the Bitnami side and ask for ppolicy_create_configuration.ldif to contain the olcPPolicyDefault parameter.
  2. You open a ticket on the Bitnami side and ask for ldap_configure_ppolicy to be executed before calling ldap_add_custom_schema.
  3. You enable the module using only the chart and not the env var. You'll have to add the same LDIF as the following and enable the module ppolicy.so:
ldap_configure_ppolicy() {
    info "Configuring LDAP ppolicy"
    ldap_load_module "/opt/bitnami/openldap/lib/openldap" "ppolicy.so"
    # create configuration
    cat > "${LDAP_SHARE_DIR}/ppolicy_create_configuration.ldif" << EOF
dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
EOF
    debug_execute ldapadd -Q -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ppolicy_create_configuration.ldif"
    # enable ppolicy_hash_cleartext
    if is_boolean_yes "$LDAP_PPOLICY_HASH_CLEARTEXT"; then
        info "Enabling ppolicy_hash_cleartext"
        cat > "${LDAP_SHARE_DIR}/ppolicy_configuration_hash_cleartext.ldif" << EOF
dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
changetype: modify
add: olcPPolicyHashCleartext
olcPPolicyHashCleartext: TRUE
EOF
        debug_execute ldapmodify -Q -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ppolicy_configuration_hash_cleartext.ldif"
    fi
    # enable ppolicy_use_lockout
    if is_boolean_yes "$LDAP_PPOLICY_USE_LOCKOUT"; then
        info "Enabling ppolicy_use_lockout"
        cat > "${LDAP_SHARE_DIR}/ppolicy_configuration_use_lockout.ldif" << EOF
dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
changetype: modify
add: olcPPolicyUseLockout
olcPPolicyUseLockout: TRUE
EOF
        debug_execute ldapmodify -Q -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ppolicy_configuration_use_lockout.ldif"
    fi
}

avodapalli2 commented 1 month ago

@jp-gouin thank you so much for your help. So if I try the 3rd option you suggested, where should I add this LDIF with ppolicy enabled? Is it in the custom schemas, in the custom ACL or in the custom LDIFs?

jp-gouin commented 1 month ago

You should add them in customSchemaFiles.

avodapalli2 commented 1 month ago

@jp-gouin I have added that in the custom schema; the error related to olcPPolicyDefault is gone, but I got a new error: missing or invalid at 'pwdPolicySubentry', no policy will be applied! And still the same issue with 'attribute 'pwmData' not allowed'.

jp-gouin commented 1 month ago

Can you provide me the log of the first startup of openldap-0? And what are the LDIF files you try to apply (and the schema)?

Thanks

avodapalli2 commented 1 month ago

Finally, the PWM integration worked. I had to move my ACL part also into the schemas, with specific attributes instead of *, like this:

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=jpegPhoto,userPassword,shadowLastChange,pwmResponseSet
   by self write
   by dn="cn=admin,dc=example,dc=com" write
   by anonymous auth
   by * none
olcAccess: {1}to *
   by self write
   by dn="cn=admin,dc=example,dc=com" write
   by dn="cn=readonly,dc=example,dc=com" read
   by * none
jp-gouin commented 1 month ago

Glad to hear it! Would you like to describe your use case in the advanced_examples folder?

If you prefer, you can provide me your values file and I'll do it.

avodapalli2 commented 1 month ago

@jp-gouin Sure. As you told me previously, the password policy is loaded after the schemas are added. The schemas are loaded after the custom ACLs are executed, and those PWM attributes which I provided with the schemas were not available for the custom ACLs. So the order of the schemas, ACLs and LDIFs is somewhat not correct. So I moved my ACL into the schemas, after loading the attributes from the schemas. Here is my latest values file which worked with the PWM integration. I changed my values file to use the example domain instead of my own domain. final-values.txt
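Both ordering failures in this thread (olcPPolicyDefault rejected as an undefined attribute type because ppolicy.so and the overlay did not exist yet, and an olcAccess rule failing because the attribute it names came from a schema loaded later) can be caught before a rollout by replaying the LDIF fragments in the order the chart would apply them. The checker below is an added example written for this page, not code from the helm-openldap chart or the Bitnami image. The LDIF fragments, the placeholder PWM schema OID, the small CORE_ATTRS list and the assumption that an overlay named X needs a module called X.so are all constructed for it, and its error strings only approximate what slapd logs.

```python
"""Replay cn=config LDIF fragments in order and report dependency errors.
Added example for this thread, not helm-openldap or Bitnami code. Sample LDIF,
the PWM OID and CORE_ATTRS are constructed; errors only approximate slapd's."""
import re
from typing import List, Tuple

Entry = Tuple[str, List[Tuple[str, str]]]   # (dn, [(attr, value), ...])
CORE_ATTRS = {"userpassword", "shadowlastchange", "jpegphoto", "cn", "objectclass"}  # constructed


def parse_ldif(text: str) -> List[Entry]:
    """Drop comments, fold continuation lines, split records on blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # continuation of previous line
        else:
            lines.append(raw.rstrip())
    entries: List[Entry] = []
    record: List[Tuple[str, str]] = []
    for line in lines + [""]:                    # trailing "" flushes last record
        if not line.strip():
            if record:
                dn = next(v for k, v in record if k.lower() == "dn")
                entries.append((dn, [(k, v) for k, v in record if k.lower() != "dn"]))
                record = []
            continue
        name, _, value = line.partition(":")
        record.append((name.strip(), value.strip()))
    return entries


def check_order(fragments: List[str]) -> List[str]:
    """Apply fragments in the given order; return error strings (empty = OK)."""
    modules, overlays, known = set(), set(), set(CORE_ATTRS)
    errors: List[str] = []
    for text in fragments:
        for dn, attrs in parse_ldif(text):
            dn_l = dn.lower()
            changetype = next((v for k, v in attrs if k.lower() == "changetype"), "add")
            # Creating an overlay entry needs its module (assumed name: <overlay>.so).
            m = re.match(r"olcoverlay=(?:\{\d+\})?([^,]+)", dn_l)
            if m and changetype == "add":
                if f"{m.group(1)}.so" in modules:
                    overlays.add(dn_l)
                else:
                    errors.append(f'{dn}: overlay "{m.group(1)}" not found (module not loaded)')
            for k, v in attrs:
                kl = k.lower()
                if kl == "olcmoduleload":
                    modules.add(re.sub(r"^\{\d+\}", "", v).rsplit("/", 1)[-1])
                elif kl == "olcattributetypes":             # NAME 'x' or NAME ( 'x' 'y' )
                    nm = re.search(r"NAME\s+(\([^)]*\)|'[^']*')", v)
                    known.update(n.lower() for n in re.findall(r"'([^']+)'", nm.group(1) if nm else ""))
                elif kl.startswith("olcppolicy"):          # needs module, then overlay
                    if "ppolicy.so" not in modules:
                        errors.append(f"{dn}: {k}: attribute type undefined")
                    elif dn_l not in overlays:
                        errors.append(f"{dn}: no such object")
                elif kl == "olcaccess":                     # attrs= must already be defined
                    am = re.search(r"attrs=(\S+)", v)
                    for a in (am.group(1).split(",") if am else []):
                        if a.lower() not in known and a.lower() not in ("entry", "children"):
                            errors.append(f'{dn}: unknown attr "{a}" in to clause')
    return errors


# Constructed fragments mirroring the thread (domain and OID are placeholders).
MODULE_LDIF = """dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: ppolicy.so
"""
OVERLAY_LDIF = """dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
"""
DEFAULT_LDIF = """dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
changetype: modify
add: olcPPolicyDefault
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=example,dc=com
"""
PWM_SCHEMA_LDIF = """dn: cn=pwm,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: pwm
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'pwmResponseSet'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
"""
ACL_LDIF = """dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,pwmResponseSet
   by self write by * none
"""
```

check_order([DEFAULT_LDIF, ACL_LDIF]) reproduces both errors from the thread (attribute type undefined, then an unknown attr in the ACL), while check_order([MODULE_LDIF, OVERLAY_LDIF, DEFAULT_LDIF, PWM_SCHEMA_LDIF, ACL_LDIF]) returns an empty list; feeding it the contents of customSchemaFiles in the order the chart applies them is the intended use.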