tests: Change OpenLDAP image to bitnami/openldap
#3494
Merged
TL;DR:

- `.ldif` files.
- `Dockerfile` required to build, we can just rely on `docker run`.
- Changing to `bitnami/openldap` (supported registries: Azure and Dockerhub).

Full Details

Startup time for this new image is around 5 seconds? (The LDAP test uses a standard 20 second timeout check to wait until the server is ready before continuing with starting the DMS image.)

The image `osixia/openldap` has not seen any activity since Feb 2021, while our `Dockerfile` was fixed to `v1.1.6` (Feb 2018). It was originally contributed to DMS in Oct 2016 with no real changes since then.

This PR migrates to `bitnami/openldap`, which required modifying the `01_mail-tree.ldif` to also include adding the root object to start successfully.

The user account `.ldif` files have minimal changes:

- `objectClass` attributes (`person`, `top`) from the `organizationalPerson` class.
- Attribute `sn` changed to long form `surname` and values corrected with `givenName`.
- `changetype: add` was also not necessary.

Additionally, the image does not support the `.schema` format; they must be converted to `.ldif`. We need this for supporting the `postfix-book.schema` (supposedly the source of the file we carry, docs have mentioned it since May 2021) which allows the LDAP user account objects (defined in `.ldif` files) to use extra attributes provided by the schema. `postfix-book.schema` (as explained here) into `postfix-book.ldif`.

Benefit: We no longer need to build an image with the LDIF files to use it for tests, just an initial pull. The `bitnami/openldap` image is actively maintained and one of the most popular OpenLDAP images on DockerHub.

Concerns:

- `BITNAMI_DEBUG=true` plus looking through the image source scripts to get a better understanding.

Alternative: https://github.com/clayrisser/docker-openldap

- `bitnami/openldap` (notes on trying to migrate, details this alternative and `bitnami/openldap`).
- `postfix-book.schema` so that we don't have to.
- `.ldif` migration file to allow LDAP queries to authenticate for the `userPassword` attribute.
- `bitnami/openldap`. For DMS LDAP tests at least, since I finally got `bitnami/openldap` to work, the value of this alternative image is low.
- `clayrisser` is or was a user of DMS with LDAP 😎 (I came across a comment from them in 2020 on our issue tracker while looking through LDAP issues).

When troubleshooting:

- `BITNAMI_DEBUG=true`.
- `testsaslauthd` will use `/etc/saslauthd.conf`, but is not affected by the omission of `-r` (thus realm / domain-part is not silently ignored by `filter_query`), careful not to be misled.
- `testsaslauthd` fails, it could be due to the `/etc/saslauthd.conf`, and the same applies for auth through Postfix when proxied through the SASLAuthd daemon. Make sure your LDAP container is configured correctly by verifying a user can authenticate with their credentials (run in the openldap container, not DMS):

```sh
ldapwhoami -v -x -H ldap://ldap.example.test -D 'userID=some.user,ou=users,dc=example,dc=test' -w secret
```

If switching to the alternative, these changes are needed:

- Image is `registry.gitlab.com/bitspur/rock8s/docker-openldap`
- The `postfix-book.schema` is already added in the image, but you need a migration for fixing ACL for auth. That belongs at the `/migrations` dir, so volume mount `'local/path/:/migrations/:ro'` with a file (eg: `auth.ldif`) and the following content:
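The PR description above states that `bitnami/openldap` only loads custom schemas as LDIF, so `postfix-book.schema` had to be converted before the image could use it. The following is an added example, not code from the PR author or from the docker-mailserver project: a small Python stand-in for that conversion, turning the `attributetype` / `objectclass` definitions of a slapd.conf-style `.schema` file into one entry under `cn=schema,cn=config`, folding long LDIF lines per RFC 2849, and emitting every `olcAttributeTypes` value before the `olcObjectClasses` that reference them. The embedded sample schema is constructed for this example; its attribute names and the `1.3.6.1.4.1.99999` OID arc are placeholders, not the contents of the real `postfix-book.schema`, and the script file name `schema2ldif.py` is an assumption.

```python
"""Convert a slapd.conf-style .schema file into a cn=config LDIF entry, the
only form in which bitnami/openldap loads custom schemas (what slaptest does,
minus the {n} index prefixes slapd adds once the entry is loaded)."""
import re
import sys

# Constructed sample input for this example. It is NOT docker-mailserver's
# postfix-book.schema: names and the 1.3.6.1.4.1.99999 OID arc are placeholders.
SAMPLE_SCHEMA = """\
# example.schema (constructed for this example)
attributetype ( 1.3.6.1.4.1.99999.1.1
    NAME 'exampleMailHomeDirectory'
    DESC 'Absolute path to the mailbox home of a user'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.2
    NAME 'exampleMailAlias'
    DESC 'Additional addresses delivered to this user (aliases)'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.99999.2.1
    NAME 'exampleMailAccount'
    DESC 'Mail account attributes for an LDAP user'
    SUP top AUXILIARY
    MUST ( mail )
    MAY ( exampleMailHomeDirectory $ exampleMailAlias ) )
"""

# slapd.conf keyword -> cn=config attribute holding the same definition
_KEYWORDS = {"attributetype": "olcAttributeTypes", "objectclass": "olcObjectClasses"}
_START = re.compile(r"^\s*(attributetype|objectclass)\s+(.*)$", re.IGNORECASE)


def _paren_delta(text: str) -> int:
    """'(' minus ')' outside single quotes, so a DESC 'like (this)' is inert."""
    depth, quoted = 0, False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        elif not quoted:
            depth += (ch == "(") - (ch == ")")
    return depth


def extract_definitions(schema_text: str) -> list[tuple[str, str]]:
    """(cn=config attribute, one-line definition) pairs in file order."""
    defs: list[tuple[str, str]] = []
    attr, buf, depth = None, [], 0
    for line in schema_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment, also tolerated inside a definition
        if attr is None:
            m = _START.match(line)
            if not m:
                raise ValueError(f"unexpected text outside a definition: {line!r}")
            attr, line = _KEYWORDS[m.group(1).lower()], m.group(2)
        buf.append(line.strip())
        depth += _paren_delta(line)
        if depth < 0:
            raise ValueError("unbalanced parentheses in schema")
        if depth == 0:  # definition complete: join continuation lines, collapse whitespace
            defs.append((attr, re.sub(r"\s+", " ", " ".join(buf)).strip()))
            attr, buf = None, []
    if attr is not None:
        raise ValueError("schema ends inside an unterminated definition")
    return defs


def fold_ldif_line(line: str, width: int = 76) -> str:
    """RFC 2849 folding: continuation lines start with one space, width kept."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def schema_to_ldif(schema_text: str, name: str) -> str:
    """Emit olcAttributeTypes before olcObjectClasses so referenced attributes exist first."""
    defs = extract_definitions(schema_text)
    lines = [f"dn: cn={name},cn=schema,cn=config", "objectClass: olcSchemaConfig", f"cn: {name}"]
    for attr in ("olcAttributeTypes", "olcObjectClasses"):
        lines += [fold_ldif_line(f"{attr}: {d}") for a, d in defs if a == attr]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":  # usage: python3 schema2ldif.py postfix-book.schema postfix-book
    src, name = (open(sys.argv[1]).read(), sys.argv[2]) if len(sys.argv) == 3 else (SAMPLE_SCHEMA, "example")
    sys.stdout.write(schema_to_ldif(src, name))
```

Run without arguments it prints the entry for the constructed sample; with a schema path and a name it writes the LDIF to stdout, ready to be placed wherever the image picks up custom schema LDIF (check the bitnami documentation the PR links for the directory and environment variable). If in doubt, diff the result against what `slaptest -f slapd.conf -F slapd.d` produces for the same schema; the only expected difference is the `{n}` ordering prefixes slaptest adds.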