Added OpenLDAP 2.4.41 image #6
Conversation
stevekuznetsov
force-pushed
the
skuznets/openldap
branch
from
ee5d657
to
17d007d
Compare
|
@liggitt PTAL |
stevekuznetsov
force-pushed
the
skuznets/openldap
branch
from
17d007d
to
c606ee0
Compare
|
@bparees PTAL as well! This image will only be used for our testing (for now). I am of the opinion that as long as we label it as such we can get away with keeping the future TODO list as future TODOs. |
| VOLUME ["/var/lib/ldap", "/etc/openldap"] | ||
|
|
||
| # Expose default ports for ldap and ldaps | ||
| EXPOSE 389 636 |
There was a problem hiding this comment.
you're going to be running as non-root, presumably...can you listen on these ports?
There was a problem hiding this comment.
Seemed to work perfectly fine in testing
There was a problem hiding this comment.
I was able to chmod the slapd binary in such a way that it does indeed have the permissions to listen on these ports. I think this is preferable to mapping them to something with a router.
There was a problem hiding this comment.
you chmod'd it to setuid root? no that is bad.
There was a problem hiding this comment.
@smarterclayton selinux is going to prevent this sort of thing at some point, right?
There was a problem hiding this comment.
@bparees @smarterclayton would it be valid to setcap 'cap_net_bind_service=+ep' the slapd binary?
There was a problem hiding this comment.
that sounds like a better approach..
There was a problem hiding this comment.
You know what they say, why use a brush when you have a bulldozer?
There was a problem hiding this comment.
@deads2k is the only person i know who likely has bulldozer driving experience.
stevekuznetsov
force-pushed
the
skuznets/openldap
branch
6 times, most recently
from
b5a3290
to
761425b
Compare
|
@bparees Updated, everything works fine with UID == 0 and UID != 0 |
stevekuznetsov
force-pushed
the
skuznets/openldap
branch
5 times, most recently
from
77b5a23
to
b6b35e6
Compare
|
@bparees updated |
| mkdir -p /etc/openldap && \ | ||
| chmod a+rwx -R /etc/openldap && \ | ||
| mkdir -p /var/run/openldap && \ | ||
| chmod a+rwx -R /var/run/openldap |
|
@bparees Unfortunately I have not been able to find a way in the last two weeks to get this to run as non-root other than to bulldoze my way through the config and data directories, overwriting it all from a default-configured setup. I would also prefer not to put the binaries in the repository, but that is the only way this works at all. |
|
i'm going to need a better understanding of why that is........ it's going to be a pain to maintain that as binary files, nevermind the general horribleness of having binary content in git in terms of what it does to repo size. |
stevekuznetsov
force-pushed
the
skuznets/openldap
branch
4 times, most recently
from
518df58
to
21ad5d6
Compare
|
@bparees PTAL - added HACKING.md to address your concerns. Will merge if it LGTY. |
stevekuznetsov
force-pushed
the
skuznets/openldap
branch
2 times, most recently
from
d28fd28
to
9d0c888
Compare
|
@bparees Moved test data out of this repo |
| The default out-of-the-box installation of OpenLDAP contains a `olcRootDN` manager for the `cn=config` database but does not list a password, which is problematic as it does not allow you to use the full authentication (`-x -D <managerCN> -w <password>`) and therefore does not allow for the user to use this set-up to add or remove records unless they are `UID 0`. | ||
|
|
||
| ### OpenLDAP Configuration Dump | ||
| OpenLDAP exposes administrative tools like [`slapadd`](http://www.openldap.org/software/man.cgi?query=slapadd&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html) and [`slpacat`](http://www.openldap.org/software/man.cgi?query=slapcat&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html) which operate on OpenLDAP installations with the daemon not running. These tools are a promising work-around to the authentication nightmare above. The gist of this approach is as such: first, install OpenLDAP on a machine or container where you have `root` privileges (`UID 0` and `GID 0` are required due to how OpenLDAP generates authentication identities), create an OpenLDAP installation to your liking, stop the daemon (`slapd`), dump all of the OpenLDAP installation to `ldif` using `slapcat -n0`, then import all of the data using `slapadd -n0` on another installation. This approach does not seem to work as if there are no vestiges of the new `cn=config` configuration schema in the `etc/openldap` directory, the `slapadd` command looks for the old `slapd.conf` configuration schema and fails because it is deprecated. `slapadd` also cannot be used while the daemon is off to insert the records we want to `olcDatabase{0}config` as it is only capable of adding object, not editing or amending current objects. Editing the files by hand will trigger checksum errors and cause a corrupt installation. Therefore, this option was abandoned. |
There was a problem hiding this comment.
work on the tone a little... "nightmare" is probably not how we want to describe this.
There was a problem hiding this comment.
Little to much heart in that one?
|
one final comment and lgtm. |
stevekuznetsov
force-pushed
the
skuznets/openldap
branch
from
9d0c888
to
1223112
Compare
stevekuznetsov
force-pushed
the
skuznets/openldap
branch
2 times, most recently
from
1b64bdc
to
ea5ffd9
Compare
|
@stevekuznetsov failed testing: https://ci.openshift.redhat.com/jenkins/view/Image%20Verification/job/openldap/3/console looks like it might just be this rmdir that failed, though i'm not clear why that would be...maybe the dir couldn't be rm'd because your container didn't stop so the cidfile wasn't removed? rmdir /tmp/tmp.jjean7DZk1openldap_test_cidfiles
|
|
I can't reproduce this with |
|
@bparees I use |
|
can you curl/wget ldapsearch as part of the test script? |
|
I'll look into it. I think it should be possible. |
stevekuznetsov
force-pushed
the
skuznets/openldap
branch
from
ea5ffd9
to
2a70977
Compare
|
@bparees Great Success |
|
@stevekuznetsov i actually just meant use curl to download ldapsearch and then use it..but i guess that works too. |
Added OpenLDAP 2.4.41 image
Added OpenLDAP 2.4.41 image
Also added a testenv image that adds test data for use in Origin integration testing.
Future TODO:
ldiffororganizationobjectEnable blind-mount of config #3(pulled into this PR now)Add testing for images #5(pulled into this PR now)