Closed stevekuznetsov closed 9 years ago
why are tons of files now executable?
Change should have been to chmod a+rw the necessary files. I'll look into it tomorrow.
I don't see this as working. Please take it through the whole flow, including your ldif file from https://github.com/openshift/origin/pull/4923 and a search `ldapsearch -h 172.30.216.211:389 -x -b "ou=ad,dc=example,dc=com"` to confirm that you get back all the groups.
@deads2k You are correct in noticing that the current version of the ldif in https://github.com/openshift/origin/pull/4923 is not valid. We cannot specify memberOf attributes as they do not actually exist on the server as attributes and are instead calculated at query-time. That's a separate issue and easy to solve. We also cannot have a pure Active-Directory schema in OpenLDAP - first-class groups must always exist. However, the Active Directory syncer will work fine with enhanced Active Directory schemas, with the downside of not being able to grab metadata. Here's output I get by adding the current version of the ldif:

```
$ docker run -u 1001 openshift/openldap-2441-centos7
$ docker exec -it b9dd8d67e72d bash
$ ldapadd -x -D cn=Manager,dc=example,dc=com -w admin -f init.ldif # with init.ldif from HEAD of origin
adding new entry "ou=groups,dc=example,dc=com"
adding new entry "ou=people,dc=example,dc=com"
adding new entry "cn=Person1,ou=people,dc=example,dc=com"
adding new entry "cn=Person2,ou=people,dc=example,dc=com"
adding new entry "cn=Person3,ou=people,dc=example,dc=com"
adding new entry "cn=Person4,ou=people,dc=example,dc=com"
adding new entry "cn=Person5,ou=people,dc=example,dc=com"
adding new entry "cn=group1,ou=groups,dc=example,dc=com"
adding new entry "cn=group2,ou=groups,dc=example,dc=com"
adding new entry "cn=group3,ou=groups,dc=example,dc=com"
$ ldapsearch -LLL -x -b cn=Person1,ou=people,dc=example,dc=com dn memberof
dn: cn=Person1,ou=people,dc=example,dc=com
memberOf: cn=group1,ou=groups,dc=example,dc=com
memberOf: cn=group2,ou=groups,dc=example,dc=com
memberOf: cn=group3,ou=groups,dc=example,dc=com
```
I've added a test, which adds a memberof functionality test to the test suite and also refactors to use the LDAP client tools now that they're on the CI server. For whatever reason, though, it's massively flaky and even though there is a connectivity test, the actual tests fail to connect frequently. Need help understanding why.
@deads2k @bparees I'm seeing `ldapsearch: command not found` on the test, but after https://github.com/openshift/vagrant-openshift/pull/336 we should see the tools on this server. Have we not rolled out a new build?
squash and figure out why your test fails.
Removed test for now, added it to https://github.com/openshift/openldap/pull/12
This PR adds the Reverse Group Membership (`memberof`) and Referential Integrity (`refint`) overlays to the OpenLDAP image. These overlays enable us to use an Active-Directory-esque `memberOf` query that exposes reverse membership data without storing it in explicit attributes on our user entries. The ldif to load the modules is found in `load_modules.ldif`. The ldif to configure the `memberof` overlay is found in `configure_memberof.ldif`. The ldif to configure the `refint` overlay is found in `configure_refint.ldif`. The server is configured here.
@liggitt @deads2k PTAL
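As an added illustration of the three cn=config fragments the PR description refers to (this is not the content of the PR's own ldif files, which the thread does not show), the standard way to load and attach the two overlays; the `olcModulePath` value and the `olcDatabase={2}hdb` backend DN are assumptions that must match the image's actual layout:

```ldif
# 1. Load the overlay modules into the running server (cn=config).
#    olcModulePath is an assumption; use the directory that holds
#    memberof.la and refint.la in your image.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof.la
olcModuleLoad: refint.la

# 2. Attach the memberof overlay to the data backend. The backend DN
#    ({2}hdb) is an assumption: list the real one with
#    ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase
dn: olcOverlay=memberof,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
# groups are groupOfNames entries whose forward links live in "member"
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
# reverse link maintained on each user entry and queried as memberOf
olcMemberOfMemberOfAD: memberOf
# keep memberOf values consistent when group entries change or go away
olcMemberOfRefInt: TRUE

# 3. Attach the refint overlay so that deleting or renaming a user also
#    rewrites dangling DN values in these attributes on other entries.
dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
olcRefintAttribute: memberof member manager owner
```

Load each fragment with `ldapadd -Y EXTERNAL -H ldapi:/// -f <file>` before adding the groups, since the memberof overlay only populates memberOf for membership written after it is enabled. Because memberOf is an operational attribute, request it explicitly in searches, as the `ldapsearch ... dn memberof` command in the thread does.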