LDAP object tree is only created if replication.enabled=false #137

Closed
ErikLundJensen opened this issue Dec 18, 2023 · 15 comments

Comments

@ErikLundJensen

Describe the bug
The documentation explains how to use the fields users and userPasswords to create users.
However, when replication is enabled (which it is by default), the users are not created.

To Reproduce
Values for Helm chart as in the documentation

users: user01,user02
userPasswords: bitnami1, bitnami2
group: readers

Expected behavior
Users are created in the ldap tree and assigned to the group.

Desktop (please complete the following information):

  • Version 4.1.2

Additional context
Workaround is to disable replication:

users: user01,user02
userPasswords: bitnami1, bitnami2
group: readers
replication:
  enabled: false
replicaCount: 1

The call to ldap_create_tree is never reached when replication is enabled:
https://github.com/bitnami/containers/blob/50c8e55a47598e50fd6392d6ff510f8472cb375a/bitnami/openldap/2.6/debian-11/rootfs/opt/bitnami/scripts/libopenldap.sh#L652

@jp-gouin
Owner

Hi @ErikLundJensen , it works for me with the following configuration:

global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: [""]
  storageClass: ""
  ldapDomain: "example.toto"
  ## Default Passwords to use, stored as a secret. Not used if existingSecret is set.
  adminPassword:  Not@SecurePassw0rd
  configPassword: Not@SecurePassw0rd
  ldapPort: 1389
  sslLdapPort: 1636
env:
 BITNAMI_DEBUG: "true"
 LDAP_LOGLEVEL: "256"
 LDAP_TLS_ENFORCE: "false"
 LDAPTLS_REQCERT: "never"
 LDAP_ENABLE_TLS: "yes"
 LDAP_CONFIG_ADMIN_ENABLED: "yes"
 LDAP_SKIP_DEFAULT_TREE: "no"
## User list to create (comma separated list), can't be used with customLdifFiles
users: user1,user2

## User password to create (comma separated list)
userPasswords: password1,password2

## Group to create and add list of user above
group: myGroup

Make sure LDAP_SKIP_DEFAULT_TREE is set to no

Connect to the openldap instance and run ldapsearch:

I have no name!@sa-openldap-0:/$ LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=toto' -w Not@SecurePassw0rd -H ldaps://127.0.0.1:1636 -b 'dc=example,dc=toto'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=toto> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.toto
dn: dc=example,dc=toto
objectClass: dcObject
objectClass: organization
dc: example
o: example

# users, example.toto
dn: ou=users,dc=example,dc=toto
objectClass: organizationalUnit
ou: users

# user1, users, example.toto
dn: cn=user1,ou=users,dc=example,dc=toto
cn: User1
sn: Bar1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQx
uid: user1
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user1

# user2, users, example.toto
dn: cn=user2,ou=users,dc=example,dc=toto
cn: User2
sn: Bar2
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQy
uid: user2
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user2

# myGroup, users, example.toto
dn: cn=myGroup,ou=users,dc=example,dc=toto
cn: myGroup
objectClass: groupOfNames
member: cn=user1,ou=users,dc=example,dc=toto
member: cn=user2,ou=users,dc=example,dc=toto

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
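A post-deploy check for the tree the maintainer shows above, as an added example (not code from the thread, the chart or the Bitnami image). Pipe the ldapsearch output into it and it verifies that every user from the chart's `users` value and the `group` entry exist, that the group lists each user as a member, and flags `userPassword` values that carry no `{SCHEME}` prefix. The last point is worth checking: `cGFzc3dvcmQx` in the output above is just the base64 of `password1`, so the sample tree stores the user passwords in cleartext. The DN layout (`cn=<user>,ou=users,<base dn>`) is taken from the output above; the function names and the script name `check_tree.py` are this example's own. The embedded sample LDIF is constructed from the thread's output so the script runs offline.

```python
"""Post-deploy check of the chart's default tree (added example; not code from the thread or the chart).

Pipe in the LDIF that `ldapsearch -x -D 'cn=admin,<base dn>' -b '<base dn>'` prints. The check
confirms that every expected user entry and the group exist, that the group lists each user as a
member, and flags userPassword values with no {SCHEME} prefix, i.e. stored in cleartext.
"""
import base64
import re
import sys

# Sample input constructed from the thread: userPassword:: cGFzc3dvcmQx is base64 of "password1".
SAMPLE_LDIF = """\
dn: cn=user1,ou=users,dc=example,dc=toto
cn: User1
sn: Bar1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQx
uid: user1
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user1

dn: cn=user2,ou=users,dc=example,dc=toto
cn: User2
sn: Bar2
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQy
uid: user2
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user2

dn: cn=myGroup,ou=users,dc=example,dc=toto
cn: myGroup
objectClass: groupOfNames
member: cn=user1,ou=users,dc=example,dc=toto
member: cn=user2,ou=users,dc=example,dc=toto
"""

# {SSHA}, {CRYPT}, {ARGON2}, ... mark a hashed value; no prefix (or {CLEARTEXT}) means plain text.
SCHEME_PREFIX = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} from ldapsearch output (the RFC 2849 subset it emits)."""
    entries, current = {}, None
    # Unfold continuation lines (a line starting with a single space continues the previous one).
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            current = None                  # blank line ends the entry; trailing "search:"/"result:" are ignored
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def check_default_tree(ldif_text, base_dn, users, group):
    """Return a list of findings; an empty list means the tree matches the chart values."""
    entries = parse_ldif(ldif_text)
    findings = []
    user_dns = [f"cn={u},ou=users,{base_dn}" for u in users]
    for dn in user_dns:
        entry = entries.get(dn)
        if entry is None:
            findings.append(f"missing user entry {dn}")
            continue
        for pw in entry.get("userPassword", []):
            m = SCHEME_PREFIX.match(pw)
            if m is None or m.group(1).upper() == "CLEARTEXT":
                findings.append(f"{dn}: userPassword stored in cleartext")
    group_dn = f"cn={group},ou=users,{base_dn}"
    if group_dn not in entries:
        findings.append(f"missing group entry {group_dn}")
    else:
        members = set(entries[group_dn].get("member", []))
        findings += [f"{dn} is not a member of {group_dn}" for dn in user_dns if dn not in members]
    return findings


if __name__ == "__main__":
    # ldapsearch -x ... -b dc=example,dc=toto | python3 check_tree.py dc=example,dc=toto user1,user2 myGroup
    problems = check_default_tree(sys.stdin.read(), sys.argv[1], sys.argv[2].split(","), sys.argv[3])
    print("\n".join(problems) or "default tree OK")
    sys.exit(1 if problems else 0)
```

Run it with the admin bind, since only the admin can read `userPassword`; the decoded values stay in memory and are never printed. On the thread's output the script reports both users as cleartext and nothing else; on the empty tree from the bug report it reports the two missing users and the missing group.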

@zerowebcorp

The tree is not created when replicaCount is set to 1. Is there any reason why?

@jp-gouin
Owner

The tree is created (should be at least 😁) regardless of the replicaCount.
However, it will depend on the env.LDAP_SKIP_DEFAULT_TREE variable.

@jp-gouin
Owner

The issue here seems to be related to a change in the container image where the TLS initialization was done at the end of the openldap initialization, breaking the chart replication configuration.
More here.

@zsq1234

zsq1234 commented Jan 18, 2024

Hi, I use bitnami/openldap:2.6.6 and replicaCount: 1, and changed PHPLDAPADMIN_LDAP_HOSTS 'tls': False, but it has no effect; I only have "dc=example,dc=org".
[image]

@zerowebcorp

2.6.6 is buggy. Try with 2.6.5

@zsq1234

zsq1234 commented Jan 18, 2024

It has the same problem. I find the init stops at this point in libopenldap.sh:

        # Initialize OpenLDAP with schemas/tree structure
        if is_boolean_yes "$LDAP_ADD_SCHEMAS"; then
            ldap_add_schemas
        fi

It does not run the script after that.

@zsq1234

zsq1234 commented Jan 18, 2024

I run this in the pod and wait for the restart.

. /opt/bitnami/scripts/liblog.sh
. /opt/bitnami/scripts/openldap/setup.sh

ldap_configure_ppolicy  # if want to open ppolicy module
ldap_configure_tls
ldap_create_tree

After restarting phpLDAPAdmin, it seems to be OK.

@jp-gouin
Owner

If you want to use openldap 2.6.6 please try with

image:
  # From repository https://hub.docker.com/r/bitnami/openldap/
  #repository: bitnami/openldap
  #tag: 2.6.3
  # Temporary fix
  repository: jpgouin/openldap
  tag: 2.6.6-fix

@jp-gouin jp-gouin reopened this Jan 18, 2024
@zsq1234

zsq1234 commented Jan 23, 2024

Hi, I tried it with this values.yaml:

image:
  repository: jpgouin/openldap
  tag: 2.6.6-fix
  pullPolicy: IfNotPresent

replicaCount: 1

replication:
  enabled: true

initTLSSecret:
  image:
    tag: 3.1.4

ltb-passwd:
  image:
    tag: 5.2.3
    pullPolicy: IfNotPresent
  ingress:
    enabled: false

phpldapadmin:
  image:
    tag: 0.9.0
    pullPolicy: IfNotPresent
  ingress:
    enabled: false

and I open phpldapadmin:
[image]

@ErikLundJensen
Author

Sorry for not paying attention to this issue. However, my point is that when replication is enabled, the directory $LDAP_DATA_DIR is not empty, so the code in the following "else" statement is never executed.

libopenldap.sh:614

@jp-gouin
Owner

@ErikLundJensen No, when replication is enabled all ldifs go to the schemas set by $LDAP_CUSTOM_SCHEMA_DIR.
$LDAP_DATA_DIR is by default set to LDAP_DATA_DIR="${LDAP_VOLUME_DIR}/data" and it's not overridden by the chart.

@jp-gouin
Owner

@zsq1234 you have set replicaCount to 1 and you enabled the replication. You should either disable the replication or use more than 1 replica

@zsq1234

zsq1234 commented Jan 25, 2024

@zsq1234 you have set replicaCount to 1 and you enabled the replication. You should either disable the replication or use more than 1 replica

Thank you for your help. I understand now.

@ErikLundJensen
Author

Documentation could be improved, saying that setting replicaCount=1 requires also setting replication=false
