
Question: ACLs are not working - or i configured them the wrong way? #211

Closed
EugenMayer opened this issue Oct 24, 2024 · 8 comments
Labels
enhancement New feature or request

Comments

@EugenMayer
Contributor

I do deploy custom ACLs to have the ability to

  1. let every user maintain their password
  2. let the admin do anything
  3. create a read-only user that can read everything

So I did

customAcls: |-
  dn: olcDatabase={2}mdb,cn=config
  changetype: modify
  replace: olcAccess
  olcAccess: {0}to *
    by dn="cn=readonly,ou=users,dc=example,dc=com" read
    by dn="cn=readonly,dc=example,dc=com" read
    by dn="cn=admin,dc=example,dc=com" write
    by * none
  olcAccess: {1}to attrs=userPassword,shadowLastChange
    by self write
    by dn="cn=admin,dc=example,dc=com" write
    by anonymous auth by * none

Now, I can connect with the admin user and I can see the entire tree (and edit).

While connecting with the readonly user does work, I cannot see any entries at all. I'm aware of #115 and the issue of bitnami that all of this is not applied after the first bootstrap - so I only test this with initial bootstrap (with the same result).

Any hints what I do wrong or how to validate that those ACLs have been applied at all?

@EugenMayer EugenMayer added the enhancement New feature or request label Oct 24, 2024
@EugenMayer
Contributor Author

Checking the bootstrap, I cannot see any log about customAcls being applied - nothing about ACLs. I see that those are implemented with

{{- if .Values.customAcls }}
and via
- name: replication-acls
in the init-schema container

but the only log I see in the init-schema is

This is the main openldap so let's init all additional schemas and ldifs here

I checked the config map openldap-replication-acls and in acls.ldif I see my ACL definitions at least

@EugenMayer
Contributor Author

I enriched my setup to add schemas and custom ldifs

customLdifFiles:
  00-root.ldif: |-
    dn: dc=example,dc=com
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: example
    dc: example
  01-readonly.ldif: |-
    dn: cn=readonly,dc=example,dc=com
    objectClass: organizationalRole
    objectClass: simpleSecurityObject
    cn: readonly
    userPassword:: {SSHA}NBhpOZsabcczdass23dJglApn/ 
    description: LDAP read only user
  03-test-memberof.ldif: |-
    dn: ou=Group,dc=example,dc=org
    objectclass: organizationalUnit
    ou: Group
    
    dn: ou=People,dc=example,dc=org
    objectclass: organizationalUnit
    ou: People
    
    dn: uid=test1,ou=People,dc=example,dc=org
    objectclass: account
    uid: test1
    
    dn: cn=testgroup,ou=Group,dc=example,dc=org
    objectclass: groupOfNames
    cn: testgroup
    member: uid=test1,ou=People,dc=example,dc=org
customSchemaFiles:
  memberof.ldif: |-
    dn: cn=module,cn=config
    cn: module
    objectClass: olcModuleList
    olcModuleLoad: memberof
    olcmoduleload: refint
    olcModulePath: /opt/bitnami/openldap/lib/openldap
    
    #memberof overlay
    dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
    objectClass: olcMemberOf
    objectClass: olcOverlayConfig
    objectClass: olcConfig
    objectClass: top
    olcOverlay: memberof
    olcMemberOfDangling: ignore
    olcMemberOfRefInt: TRUE
    olcMemberOfGroupOC: groupOfUniqueNames
    olcMemberOfMemberAD: uniqueMember
    olcMemberOfMemberOfAD: memberOf
    
    #refint overlay
    dn: olcOverlay=refint,olcDatabase={2}mdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcRefintConfig
    olcOverlay: refint
    olcRefintAttribute: owner
    olcRefintAttribute: manager
    olcRefintAttribute: uniqueMember
    olcRefintAttribute: member
    olcRefintAttribute: memberOf

customAcls: |-
  dn: olcDatabase={2}mdb,cn=config
  changetype: modify
  replace: olcAccess
  olcAccess: {0}to *
    by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage
    by * break
  olcAccess: {1}to attrs=userPassword,shadowLastChange
    by self write
    by dn="cn=admin,dc=example,dc=com" write
    by anonymous auth by * none
  olcAccess: {2}to *
    by dn="cn=readonly,ou=users,dc=example,dc=com" read
    by dn="cn=readonly,dc=example,dc=com" read
    by dn="cn=admin,dc=example,dc=com" write
    by self read
    by * none

Neither of these things has actually been created.

It is hard to debug what the cause might be since https://github.com/jp-gouin/helm-openldap/blob/master/templates/statefulset.yaml#L55 is fairly "silent" - I would suggest adding -v there so everybody can see the logs in the init container.

Nevertheless, neither the users, groups nor anything else has been created and I currently cannot understand how this is supposed to work right now. The bitnami image does not support any of these folders out of the box:

  • /custom-schemas/
  • /custom-ldifs/
  • /custom_config/

Still, all the init container does is copy files into that folder, and those mounts are later not used for the actual image anyway. So how is this supposed to work? I assume I missed something?

@jp-gouin
Owner

Can you post the log of the openldap-0 pod?
If it has restarted once, please provide the log of the previous start (e.g. kubectl logs --previous ...)

@EugenMayer
Contributor Author

EugenMayer commented Oct 25, 2024

 05:52:17.95 INFO  ==> ** Starting LDAP setup **
 05:52:17.98 INFO  ==> Validating settings in LDAP_* env vars
 05:52:17.99 INFO  ==> Initializing OpenLDAP...
 05:52:17.99 DEBUG ==> Ensuring expected directories/files exist...
 05:52:18.00 INFO  ==> Using persisted data
 05:52:18.00 INFO  ==> ** LDAP setup finished! **

 05:52:18.03 INFO  ==> ** Starting slapd **
 05:52:18.03 DEBUG ==> Startup cmd: /opt/bitnami/openldap/sbin/slapd -d 256 -h ldapi:/// ldap://:1389/ ldaps://:1636/ -F /opt/bitnami/openldap/etc/slapd.d

I used to have a lot more setup steps. I assume you will ask, so up front, those are the ENV vars in effect (openlens snapshot)

[image: openlens snapshot of the environment variables]

And skip is not enabled. One thing I should mention is that I do not use your image, but I used bitnami/openldap:2.6.8 - AFAIC you added fixes for TLS handling, which is not interesting to me and I want to stick to the original image if at all possible.

Thanks for any help

@EugenMayer
Contributor Author

EugenMayer commented Oct 25, 2024

Sorry, I missed your part about "previous" at first .. and here we go, the entire bootstrap I looked for is in the other log since the pod is restarted along the way

05:52:07.47 INFO  ==> ** Starting LDAP setup **
 05:52:07.50 INFO  ==> Validating settings in LDAP_* env vars
 05:52:07.51 INFO  ==> Initializing OpenLDAP...
 05:52:07.51 DEBUG ==> Ensuring expected directories/files exist...
 05:52:07.52 INFO  ==> Creating LDAP online configuration
 05:52:07.52 INFO  ==> Creating slapd.ldif
 05:52:07.54 INFO  ==> Starting OpenLDAP server in background
671b3207.20bb08ac 0x7b928421f740 @(#) $OpenLDAP: slapd 2.6.8 (Jul 22 2024 15:17:33) $
	@5166997a1da7:/bitnami/blacksmith-sandox/openldap-2.6.8/servers/slapd
671b3207.23748154 0x7b928421f740 slapd starting
 05:52:08.54 INFO  ==> Configure LDAP credentials for admin user
SASL/EXTERNAL authentication started
671b3208.2137ce1f 0x7b92433fe6c0 conn=1000 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
671b3208.2139665f 0x7b92433fe6c0 conn=1000 op=0 BIND dn="" method=163
671b3208.213a0994 0x7b92433fe6c0 conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
671b3208.213a53d6 0x7b92433fe6c0 conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
671b3208.213acb2d 0x7b92433fe6c0 conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000007 etime=0.000111 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
671b3208.213e6421 0x7b9242bfd6c0 conn=1000 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
671b3208.213f01f2 0x7b9242bfd6c0 conn=1000 op=1 MOD attr=olcSuffix
671b3208.2144ca17 0x7b9242bfd6c0 conn=1000 op=1 RESULT tag=103 err=0 qtime=0.000013 etime=0.000465 text=
671b3208.21462c79 0x7b92433fe6c0 conn=1000 op=2 MOD dn="olcDatabase={2}mdb,cn=config"
671b3208.2146adc5 0x7b92433fe6c0 conn=1000 op=2 MOD attr=olcRootDN
671b3208.22daa6bc 0x7b92433fe6c0 conn=1000 op=2 RESULT tag=103 err=0 qtime=0.000009 etime=0.026531 text=
671b3208.22dc0b3a 0x7b9242bfd6c0 conn=1000 op=3 MOD dn="olcDatabase={2}mdb,cn=config"
671b3208.22dc7958 0x7b9242bfd6c0 conn=1000 op=3 MOD attr=olcRootPW
671b3208.2536612d 0x7b9242bfd6c0 conn=1000 op=3 RESULT tag=103 err=0 qtime=0.000009 etime=0.039491 text=
671b3208.2538298d 0x7b92433fe6c0 conn=1000 op=4 MOD dn="olcDatabase={1}monitor,cn=config"
671b3208.2538cdc6 0x7b92433fe6c0 conn=1000 op=4 MOD attr=olcAccess
671b3208.253f0e14 0x7b92433fe6c0 conn=1000 op=4 RESULT tag=103 err=0 qtime=0.000014 etime=0.000478 text=
671b3208.2540b5b8 0x7b9242bfd6c0 conn=1000 op=5 MOD dn="olcDatabase={0}config,cn=config"
671b3208.2541296c 0x7b9242bfd6c0 conn=1000 op=5 MOD attr=olcRootDN
671b3208.25456b0d 0x7b9242bfd6c0 conn=1000 op=5 RESULT tag=103 err=0 qtime=0.000009 etime=0.000327 text=
671b3208.254781e8 0x7b92433fe6c0 conn=1000 op=6 MOD dn="olcDatabase={0}config,cn=config"
671b3208.25484dbd 0x7b92433fe6c0 conn=1000 op=6 MOD attr=olcRootPW
671b3208.254fd974 0x7b92433fe6c0 conn=1000 op=6 RESULT tag=103 err=0 qtime=0.000014 etime=0.000577 text=
671b3208.25511f15 0x7b9242bfd6c0 conn=1000 op=7 UNBIND
671b3208.2551cf10 0x7b9242bfd6c0 conn=1000 fd=12 closed
modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

 05:52:08.62 INFO  ==> Disable LDAP anonymous binding
SASL/EXTERNAL authentication started
671b3208.25d33cec 0x7b92433fe6c0 conn=1001 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
671b3208.25d42121 0x7b92433fe6c0 conn=1001 op=0 BIND dn="" method=163
671b3208.25d48c34 0x7b92433fe6c0 conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
671b3208.25d4d108 0x7b92433fe6c0 conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
671b3208.25d53ec2 0x7b92433fe6c0 conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000007 etime=0.000081 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
671b3208.25d73ccf 0x7b9242bfd6c0 conn=1001 op=1 MOD dn="cn=config"
671b3208.25d7e748 0x7b9242bfd6c0 conn=1001 op=1 MOD attr=olcDisallows
671b3208.25dded75 0x7b9242bfd6c0 conn=1001 op=1 RESULT tag=103 err=0 qtime=0.000011 etime=0.000460 text=
671b3208.25defeaa 0x7b9242bfd6c0 conn=1001 op=2 MOD dn="cn=config"
671b3208.25df80a1 0x7b9242bfd6c0 conn=1001 op=2 MOD attr=olcRequires
671b3208.26204aae 0x7b9242bfd6c0 conn=1001 op=2 RESULT tag=103 err=0 qtime=0.000010 etime=0.004297 text=
671b3208.26213f87 0x7b9242bfd6c0 conn=1001 op=3 UNBIND
671b3208.2621e01e 0x7b9242bfd6c0 conn=1001 fd=12 closed
modifying entry "cn=config"

modifying entry "cn=config"

 05:52:08.64 INFO  ==> Adding LDAP extra schemas
SASL/EXTERNAL authentication started
671b3208.26a7f2f2 0x7b92433fe6c0 conn=1002 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
671b3208.26a8a08a 0x7b92433fe6c0 conn=1002 op=0 BIND dn="" method=163
671b3208.26a8fb03 0x7b92433fe6c0 conn=1002 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
671b3208.26a93bbd 0x7b92433fe6c0 conn=1002 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
671b3208.26a9a978 0x7b92433fe6c0 conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000074 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
671b3208.26acd8f4 0x7b9242bfd6c0 conn=1002 op=1 ADD dn="cn=cosine,cn=schema,cn=config"
671b3208.26b8ed32 0x7b9242bfd6c0 conn=1002 op=1 RESULT tag=105 err=0 qtime=0.000005 etime=0.000813 text=
671b3208.26b9f6b6 0x7b92433fe6c0 conn=1002 op=2 UNBIND
671b3208.26baa5de 0x7b92433fe6c0 conn=1002 fd=12 closed
adding new entry "cn=cosine,cn=schema,cn=config"

671b3208.2702b4e4 0x7b9242bfd6c0 conn=1003 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
SASL/EXTERNAL authentication started
671b3208.2703d45c 0x7b92433fe6c0 conn=1003 op=0 BIND dn="" method=163
671b3208.2704602a 0x7b92433fe6c0 conn=1003 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
671b3208.2704ba5d 0x7b92433fe6c0 conn=1003 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
671b3208.27054095 0x7b92433fe6c0 conn=1003 op=0 RESULT tag=97 err=0 qtime=0.000008 etime=0.000103 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
671b3208.27075dc4 0x7b9242bfd6c0 conn=1003 op=1 ADD dn="cn=inetorgperson,cn=schema,cn=config"
671b3208.270d555f 0x7b9242bfd6c0 conn=1003 op=1 RESULT tag=105 err=0 qtime=0.000005 etime=0.000408 text=
671b3208.270e22d8 0x7b92433fe6c0 conn=1003 op=2 UNBIND
671b3208.270ea867 0x7b92433fe6c0 conn=1003 fd=12 closed
adding new entry "cn=inetorgperson,cn=schema,cn=config"

671b3208.274cbdf0 0x7b9242bfd6c0 conn=1004 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
SASL/EXTERNAL authentication started
671b3208.274d8943 0x7b92433fe6c0 conn=1004 op=0 BIND dn="" method=163
671b3208.274ddb6a 0x7b92433fe6c0 conn=1004 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
671b3208.274e0a72 0x7b92433fe6c0 conn=1004 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
671b3208.274e581a 0x7b92433fe6c0 conn=1004 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000058 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
671b3208.275130ac 0x7b9242bfd6c0 conn=1004 op=1 ADD dn="cn=nis,cn=schema,cn=config"
671b3208.275ab2a9 0x7b9242bfd6c0 conn=1004 op=1 RESULT tag=105 err=0 qtime=0.000007 etime=0.000646 text=
671b3208.275ba89a 0x7b92433fe6c0 conn=1004 op=2 UNBIND
671b3208.275c1105 0x7b92433fe6c0 conn=1004 fd=12 closed
adding new entry "cn=nis,cn=schema,cn=config"

SASL/EXTERNAL authentication started
671b3208.2786e733 0x7b9242bfd6c0 conn=1005 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
671b3208.27878ec8 0x7b92433fe6c0 conn=1005 op=0 BIND dn="" method=163
671b3208.2787e2c5 0x7b92433fe6c0 conn=1005 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
671b3208.27881191 0x7b92433fe6c0 conn=1005 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
671b3208.27885ae3 0x7b92433fe6c0 conn=1005 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000058 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
671b3208.2789eb2b 0x7b9242bfd6c0 conn=1005 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
671b3208.278a3095 0x7b9242bfd6c0 conn=1005 op=1 MOD attr=olcAccess
671b3208.278b70f1 0x7b9242bfd6c0 olcAccess: value #1: rootdn is always granted unlimited privileges.
671b3208.278beb18 0x7b9242bfd6c0 olcAccess: value #2: rootdn is always granted unlimited privileges.
671b3208.278ef45f 0x7b9242bfd6c0 conn=1005 op=1 RESULT tag=103 err=0 qtime=0.000005 etime=0.000341 text=
671b3208.278fa2e8 0x7b92433fe6c0 conn=1005 op=2 UNBIND
671b3208.2790178d 0x7b92433fe6c0 conn=1005 fd=12 closed
modifying entry "olcDatabase={2}mdb,cn=config"

671b3208.27cef0a3 0x7b9242bfd6c0 conn=1006 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
SASL/EXTERNAL authentication started
671b3208.27d00e26 0x7b92433fe6c0 conn=1006 op=0 BIND dn="" method=163
671b3208.27d075b5 0x7b92433fe6c0 conn=1006 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
671b3208.27d0a49f 0x7b92433fe6c0 conn=1006 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
671b3208.27d0ee5f 0x7b92433fe6c0 conn=1006 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000064 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
671b3208.27d25b93 0x7b9242bfd6c0 conn=1006 op=1 ADD dn="cn=module,cn=config"
671b3208.27eb6e0e 0x7b9242bfd6c0 conn=1006 op=1 RESULT tag=105 err=0 qtime=0.000005 etime=0.001656 text=
671b3208.27ec7ae3 0x7b92433fe6c0 conn=1006 op=2 ADD dn="olcOverlay=memberof,olcDatabase={2}mdb,cn=config"
671b3208.27ef7869 0x7b92433fe6c0 conn=1006 op=2 RESULT tag=105 err=0 qtime=0.000005 etime=0.000209 text=
671b3208.27f0625c 0x7b9242bfd6c0 conn=1006 op=3 ADD dn="olcOverlay=refint,olcDatabase={2}mdb,cn=config"
671b3208.27f294a3 0x7b9242bfd6c0 conn=1006 op=3 RESULT tag=105 err=0 qtime=0.000005 etime=0.000158 text=
671b3208.27f344e4 0x7b92433fe6c0 conn=1006 op=4 UNBIND
671b3208.27f3a376 0x7b92433fe6c0 conn=1006 fd=12 closed
adding new entry "cn=module,cn=config"

adding new entry "olcOverlay=memberof,olcDatabase={2}mdb,cn=config"

adding new entry "olcOverlay=refint,olcDatabase={2}mdb,cn=config"

 05:52:08.67 INFO  ==> Loading custom LDIF files...
 05:52:08.67 WARN  ==> Ignoring LDAP_USERS, LDAP_PASSWORDS, LDAP_USER_DC and LDAP_GROUP environment variables...
671b3208.28cff0ae 0x7b9242bfd6c0 conn=1007 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
671b3208.28d07eb7 0x7b92433fe6c0 conn=1007 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
671b3208.28d0e506 0x7b92433fe6c0 conn=1007 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE bind_ssf=0 ssf=71
671b3208.28d1327c 0x7b92433fe6c0 conn=1007 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000061 text=
671b3208.28d26233 0x7b9242bfd6c0 conn=1007 op=1 ADD dn="dc=example,dc=com"
671b3208.2966cf65 0x7b9242bfd6c0 conn=1007 op=1 RESULT tag=105 err=0 qtime=0.000005 etime=0.009738 text=
671b3208.29679ed2 0x7b92433fe6c0 conn=1007 op=2 UNBIND
adding new entry "dc=example,dc=com"

671b3208.29683202 0x7b92433fe6c0 conn=1007 fd=12 closed
671b3208.29c302d7 0x7b9242bfd6c0 conn=1008 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
671b3208.29c381b7 0x7b92433fe6c0 conn=1008 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
671b3208.29c3e5a4 0x7b92433fe6c0 conn=1008 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE bind_ssf=0 ssf=71
671b3208.29c4410c 0x7b92433fe6c0 conn=1008 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000062 text=
ldapadd: invalid format (line 5) entry: "cn=readonly,dc=example,dc=com"
671b3208.29c57998 0x7b9242bfd6c0 conn=1008 op=1 UNBIND
671b3208.29c5f094 0x7b9242bfd6c0 conn=1008 fd=12 closed
671b3208.2a1ecbd7 0x7b92433fe6c0 conn=1009 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
671b3208.2a1f69b2 0x7b9242bfd6c0 conn=1009 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
671b3208.2a1fe57c 0x7b9242bfd6c0 conn=1009 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE bind_ssf=0 ssf=71
671b3208.2a2059f9 0x7b9242bfd6c0 conn=1009 op=0 RESULT tag=97 err=0 qtime=0.000007 etime=0.000078 text=
671b3208.2a21678c 0x7b92433fe6c0 conn=1009 op=1 ADD dn="ou=Group,dc=example,dc=org"
671b3208.2a21d8df 0x7b92433fe6c0 conn=1009 op=1 RESULT tag=105 err=53 qtime=0.000005 etime=0.000041 text=no global superior knowledge
ldap_add: Server is unwilling to perform (53)
	additional info: no global superior knowledge
671b3208.2a229dfc 0x7b9242bfd6c0 conn=1009 op=2 UNBIND
671b3208.2a23146c 0x7b9242bfd6c0 conn=1009 fd=12 closed
adding new entry "ou=Group,dc=example,dc=org"

671b3208.2a47318e 0x7b9243bff6c0 daemon: shutdown requested and initiated.
671b3208.2a48ed28 0x7b9243bff6c0 slapd shutdown: waiting for 0 operations/tasks to finish
671b3208.2a4fcba1 0x7b928421f740 slapd stopped.

I now see the group is created and so forth, but connecting with the admin user in Apache Ldap Studio, I only see the base DN and it is empty

@EugenMayer
Contributor Author

I tried to disable the customAcls to ensure I did not lock myself out in some way (I always completely wipe and redeploy) - same outcome

@jp-gouin
Owner

After a quick look, it looks like there is an issue with one of your custom files

671b3208.2a21d8df 0x7b92433fe6c0 conn=1009 op=1 RESULT tag=105 err=53 qtime=0.000005 etime=0.000041 text=no global superior knowledge
ldap_add: Server is unwilling to perform (53)
	additional info: no global superior knowledge

Which makes the initialisation fail and might explain why you don't see any information.

I'll take a deeper look at your customAcl but I wanted to quickly inform you about what I found in the log file.

You should take a look at the advanced example in the doc advanced_examples/README.md; there is an example with a read-only user using customAcls

@EugenMayer
Contributor Author

Sorry, after digging through the logs I found that the example group users were created on the wrong base DN and even the readonly user had a double :: in the password section.

I screwed up here and the problem was that I could not see the logs until you pointed me to the restart / --previous part.

Now everything is working, even the ACLs.

Classic Layer 8 issue - sorry for wasting your time!
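Both mistakes found in this thread (a `userPassword::` value that is not base64, and entries under dc=example,dc=org while the database suffix is dc=example,dc=com) can be caught before the chart ever runs ldapadd. The following linter is an added example, not code from the thread or from helm-openldap; the sample LDIF is constructed from the entries posted above and the suffix is passed in as an assumption.

```python
import base64
import binascii
import re

# Constructed sample: the two broken entries from the thread plus one good one.
SAMPLE_LDIF = """\
dn: cn=readonly,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword:: {SSHA}NBhpOZsabcczdass23dJglApn/
description: LDAP read only user

dn: ou=Group,dc=example,dc=org
objectclass: organizationalUnit
ou: Group

dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People
"""


def parse_ldif(text):
    """Split LDIF into entries: a list of (dn, [(attr, sep, value), ...]).
    Continuation lines (leading space) are unfolded, '#' comments skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparseable LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if attr.lower() == "dn":
            if sep == "::":             # base64-encoded DN
                value = base64.b64decode(value, validate=True).decode("utf-8")
            current = (value, [])
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current[1].append((attr, sep, value))
    return entries


def lint_ldif(text, suffix):
    """Return a list of problems: DNs outside `suffix` (slapd answers
    'no global superior knowledge') and '::' values that are not base64
    (ldapadd answers 'invalid format')."""
    problems = []
    norm_suffix = suffix.replace(" ", "").lower()
    for dn, attrs in parse_ldif(text):
        norm_dn = dn.replace(" ", "").lower()
        if norm_dn != norm_suffix and not norm_dn.endswith("," + norm_suffix):
            problems.append(f"{dn}: outside suffix {suffix}")
        for attr, sep, value in attrs:
            if sep == "::":
                try:
                    base64.b64decode(value, validate=True)
                except (binascii.Error, ValueError):
                    problems.append(f"{dn}: {attr}:: is not base64; use a single ':'")
    return problems


if __name__ == "__main__":
    for p in lint_ldif(SAMPLE_LDIF, "dc=example,dc=com"):
        print(p)
```

To confirm the ACLs themselves landed, read them back from cn=config over the ldapi socket the bootstrap log shows in use: `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={2}mdb,cn=config' olcAccess`.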
