Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[full-ci] adapt for new LDAP config #3476

Merged
merged 5 commits into from
Apr 11, 2022
Merged

Conversation

rhafer
Copy link
Contributor

@rhafer rhafer commented Apr 6, 2022

Description

Unify LDAP config settings accross services

The storage services where updated to adapt for the recent changes of the LDAP
settings in reva.

Also we allow now to use a new set of top-level LDAP environment variables that
are shared between all LDAP-using services in ocis (graph, idp,
storage-auth-basic, storage-userprovider, storage-groupprovider, idm). This
should simplify the most LDAP based configurations considerably.

Here is a list of the new environment variables:
LDAP_URI
LDAP_INSECURE
LDAP_CACERT
LDAP_BIND_DN
LDAP_BIND_PASSWORD
LDAP_LOGIN_ATTRIBUTES
LDAP_USER_BASE_DN
LDAP_USER_SCOPE
LDAP_USER_FILTER
LDAP_USER_OBJECTCLASS
LDAP_USER_SCHEMA_MAIL
LDAP_USER_SCHEMA_DISPLAY_NAME
LDAP_USER_SCHEMA_USERNAME
LDAP_USER_SCHEMA_ID
LDAP_USER_SCHEMA_ID_IS_OCTETSTRING
LDAP_GROUP_BASE_DN
LDAP_GROUP_SCOPE
LDAP_GROUP_FILTER
LDAP_GROUP_OBJECTCLASS
LDAP_GROUP_SCHEMA_GROUPNAME
LDAP_GROUP_SCHEMA_ID
LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING

Where need these can be overwritten by service specific variables. E.g. it is possible
to use STORAGE_LDAP_URI to overide the top-level LDAP_URI variable.

Related Issue

Motivation and Context

How Has This Been Tested?

  • test environment:
  • test case 1:
  • test case 2:
  • ...

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

@update-docs
Copy link

update-docs bot commented Apr 6, 2022

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@rhafer rhafer force-pushed the share-ldap-con branch 11 times, most recently from e531a86 to 8190db8 Compare April 11, 2022 16:06
rhafer added 5 commits April 11, 2022 18:17
Allow to pass comma-separated strings via Enviroment variables and store
them in a string slice.
This adapts the storage service to the recent changes of the LDAP
settings in reva.

Also we define a new set of LDAP env variables that can be shared
between all LDAP related ocis services (graph, idp, storage-auth-basic,
storage-userprovider, storage-groupprovider, idm). This should simplify
the most LDAP based configurations considerably.
webUISharingInternalGroupsEdgeCases/shareWithGroupsEdgeCases.feature:41
no longer fails as cs3org/reva#2708 fixed some
issue with LDAP filter escaping.
@rhafer rhafer marked this pull request as ready for review April 11, 2022 16:19
@rhafer rhafer self-assigned this Apr 11, 2022
@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

37.8% 37.8% Coverage
4.0% 4.0% Duplication

@micbar
Copy link
Contributor

micbar commented Apr 11, 2022

You fixed a test scenario regarding group sharing. There is good stuff in that PR 👍

Copy link
Contributor

@micbar micbar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

UUIDAttribute: "uid",
UUIDAttributeType: "text",
Filter: "(objectClass=posixaccount)",
Filter: "",
ObjectClass: "posixAccount",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, posixaccount has no displayName, inetOrgPerson MAY have a displayName. And only inetOrgPerson may have a mail attribute. sn is a MUST for the STRUCTURAL person objectclass.

Maybe switch from posixAccount to inetOrgPerson?

Suggested change
ObjectClass: "posixAccount",
ObjectClass: "inetOrgPerson",

func waitForLDAPCA(log log.Logger, cfg *config.LDAP) error {
if !cfg.Insecure && cfg.CACert != "" {
if _, err := os.Stat(cfg.CACert); errors.Is(err, os.ErrNotExist) {
log.Warn().Str("LDAP CACert", cfg.CACert).Msgf("File does not exist. Waiting %d seconds for it to appear.", caTimeout)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is just my personal vendetta against Msgf which should be avoided in favor of a structured log property. In addition to better machine readibility people will c'n'p it to other places where it might actually start to hurt.

Suggested change
log.Warn().Str("LDAP CACert", cfg.CACert).Msgf("File does not exist. Waiting %d seconds for it to appear.", caTimeout)
log.Warn().Str("LDAP CACert", cfg.CACert).Int("seconds", caTimeout).Msg("File does not exist. Waiting for it to appear.", caTimeout)

log.Warn().Str("LDAP CACert", cfg.CACert).Msgf("File does not exist. Waiting %d seconds for it to appear.", caTimeout)
time.Sleep(caTimeout * time.Second)
if _, err := os.Stat(cfg.CACert); errors.Is(err, os.ErrNotExist) {
log.Warn().Str("LDAP CACert", cfg.CACert).Msgf("File does still not exist after Timeout")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
log.Warn().Str("LDAP CACert", cfg.CACert).Msgf("File does still not exist after Timeout")
log.Warn().Str("LDAP CACert", cfg.CACert).Msgf"File does still not exist after Timeout")

logger.Debug().
Str("server", "users").
Interface("reva-config", rcfg).
Msg("config")

if cfg.Reva.Users.Driver == "ldap" {
if err := waitForLDAPCA(logger, &cfg.Reva.LDAP); err != nil {
logger.Error().Err(err).Msg("The configured LDAP CA cert does not exist")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
logger.Error().Err(err).Msg("The configured LDAP CA cert does not exist")
logger.Error().Err(err).Str("LDAP CACert", cfg.Reva.LDAP.CACert).Msg("The configured LDAP CA cert does not exist")

Copy link
Member

@butonic butonic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the suggestions I made can be added in a subsequent PR or might need further discussion. But this is already awesome, so I just want to get this in ASAP.

@butonic butonic merged commit f828a63 into owncloud:master Apr 11, 2022
ownclouders pushed a commit that referenced this pull request Apr 11, 2022
Merge: e24a5a4 4ecf4c6
Author: Jörn Friedrich Dreyer <[email protected]>
Date:   Mon Apr 11 22:36:28 2022 +0200

    Merge pull request #3476 from rhafer/share-ldap-con

    [full-ci] adapt for new LDAP config
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Seamless LDAP configuration
3 participants