openshift / openldap

Apache License 2.0

add memberof and refint overlays #10

Closed stevekuznetsov closed 9 years ago

stevekuznetsov commented 9 years ago

This PR adds the Reverse Group Membership (memberof) and Referential Integrity (refint) overlays to the OpenLDAP image. These overlays enable us to use an Active-Directory-esque memberOf query that exposes reverse membership data without storing it in explicit attributes on our user entries.

The ldif to load the modules is found in load_modules.ldif. The ldif to configure the memberof overlay is found in configure_memberof.ldif. The ldif to configure the refint overlay is found in configure_refint.ldif.

The server is configured here.

@liggitt @deads2k PTAL
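As an added illustration, not the PR's own load_modules.ldif, configure_memberof.ldif or configure_refint.ldif (which are only referenced above), here is the cn=config LDIF a practitioner would feed to ldapadd to get the same memberof plus refint setup on an OpenLDAP 2.4 server. The module path /usr/lib64/openldap, the database DN olcDatabase={2}hdb and the placeholder DN cn=Manager,dc=example,dc=com are assumptions for a CentOS 7 style build, not values taken from this PR:

```ldif
# Added example; not the openshift/openldap project's files.
# Assumed module path for a CentOS 7 build: adjust for your distro.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof.la
olcModuleLoad: refint.la

# memberof: maintain memberOf on user entries from the member attribute
# of groupOfNames groups. Assumed database DN olcDatabase={2}hdb.
dn: olcOverlay=memberof,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
# TRUE: deleting a user also removes its DN from the member attribute
# of the groups that listed it.
olcMemberOfRefInt: TRUE
# ignore: a member DN that does not exist is tolerated rather than rejected.
olcMemberOfDangling: ignore

# refint: fix up DN-valued attributes when an entry is renamed or deleted,
# which memberof alone does not do for modrdn.
dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
olcRefintAttribute: memberof member manager owner
# Placeholder written into a group whose last member is removed, since
# groupOfNames requires at least one member. Assumed value.
olcRefintNothing: cn=Manager,dc=example,dc=com
```

Load it with something like `ldapadd -Y EXTERNAL -H ldapi:/// -f overlays.ldif`, which assumes the cn=config database grants write access to the local root peer over the ldapi socket. Two caveats matter for anyone building group sync on top of this: memberOf is only populated for group writes that happen after the overlay is active, so groups loaded before it was enabled need to be re-added (or their member values re-written) or the sync will silently miss those users; and memberOf is declared operational and NO-USER-MODIFICATION by the overlay, so clients cannot assert membership by writing it, but they must also request it by name (as the ldapsearch later in this thread does) because a plain attribute-less search will not return it.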

deads2k commented 9 years ago

why are tons of files now executable?

stevekuznetsov commented 9 years ago

Change should have been to chmod a+rw the necessary files. I'll look into it tomorrow.

deads2k commented 9 years ago

I don't see this as working. Please take it through the whole flow, including your ldif file from https://github.com/openshift/origin/pull/4923 and a search ldapsearch -h 172.30.216.211:389 -x -b "ou=ad,dc=example,dc=com" to confirm that you get back all the groups.

stevekuznetsov commented 9 years ago

@deads2k You are correct in noticing that the current version of the ldif in https://github.com/openshift/origin/pull/4923 is not valid. We cannot specify memberOf attributes as they do not actually exist on the server as attributes and are instead calculated at query-time. That's a separate issue and easy to solve. We also cannot have a pure Active-Directory schema in OpenLDAP - first-class groups must always exist. However, the Active Directory syncer will work fine with enhanced Active Directory schemas, with the downside of not being able to grab metadata. Here's output I get by adding the current version of the ldif:

$ docker run -u 1001 openshift/openldap-2441-centos7
$ docker exec -it b9dd8d67e72d bash
$ ldapadd -x -D cn=Manager,dc=example,dc=com -w admin -f init.ldif #with init.ldif from HEAD of origin
adding new entry "ou=groups,dc=example,dc=com"
adding new entry "ou=people,dc=example,dc=com"
adding new entry "cn=Person1,ou=people,dc=example,dc=com"
adding new entry "cn=Person2,ou=people,dc=example,dc=com"
adding new entry "cn=Person3,ou=people,dc=example,dc=com"
adding new entry "cn=Person4,ou=people,dc=example,dc=com"
adding new entry "cn=Person5,ou=people,dc=example,dc=com"
adding new entry "cn=group1,ou=groups,dc=example,dc=com"
adding new entry "cn=group2,ou=groups,dc=example,dc=com"
adding new entry "cn=group3,ou=groups,dc=example,dc=com"
$ ldapsearch -LLL -x -b cn=Person1,ou=people,dc=example,dc=com dn memberof
dn: cn=Person1,ou=people,dc=example,dc=com
memberOf: cn=group1,ou=groups,dc=example,dc=com
memberOf: cn=group2,ou=groups,dc=example,dc=com
memberOf: cn=group3,ou=groups,dc=example,dc=com

stevekuznetsov commented 9 years ago

I've added a test, which adds a memberof functionality test to the test suite and also refactors to use the LDAP client tools now that they're on the CI server. For whatever reason, though, it's massively flaky and even though there is a connectivity test, the actual tests fail to connect frequently. Need help understanding why.

stevekuznetsov commented 9 years ago

@deads2k @bparees I'm seeing ldapsearch: command not found on the test, but after https://github.com/openshift/vagrant-openshift/pull/336 we should see the tools on this server. Have we not rolled out a new build?

deads2k commented 9 years ago

squash

deads2k commented 9 years ago

and figure out why your test fails.

stevekuznetsov commented 9 years ago

Removed test for now, added it to https://github.com/openshift/openldap/pull/12