From 501707f84dd223d4832f755623cf7ef1b52ef3d1 Mon Sep 17 00:00:00 2001 From: DPDS93CT Date: Tue, 24 Sep 2024 10:54:02 +0200 Subject: [PATCH 01/12] adjust values.yaml for external use --- charts/dbildungs-iam-ldap/values.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/charts/dbildungs-iam-ldap/values.yaml b/charts/dbildungs-iam-ldap/values.yaml index fda991f..0a01f6d 100644 --- a/charts/dbildungs-iam-ldap/values.yaml +++ b/charts/dbildungs-iam-ldap/values.yaml @@ -39,15 +39,15 @@ service: # sslLdapPortNodePort: enableLdapPort: true - enableSslLdapPort: true + #enableSslLdapPort: true sessionAffinity: None - type: ClusterIP + #type: ClusterIP # type: LoadBalancer - externalIp: false + #externalIp: false # if enabled you need to have to set the LOADBALANCER_IP key with value in the existingSecret # externalIp: true - SourceRangesRestriction: false + #SourceRangesRestriction: false # if enabled you need to have to set the LOADBALANCER_SOURCERANGES key with value in the existingSecret # servicecenter für den prometheus blackbox exporter freischalten # SourceRangesRestriction: true @@ -56,10 +56,10 @@ service: # enable this service block and disable the service one above, to make LDAP outside the cluster available # Note that only one namespace at a time can use this feature!! # service: -# enableSslLdapPort: true -# type: LoadBalancer -# externalIp: true -# SourceRangesRestriction: false + enableSslLdapPort: true + type: LoadBalancer + externalIp: true + SourceRangesRestriction: false # Use the env variables from https://hub.docker.com/r/bitnami/openldap/ 
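Review bot: The chart's default `service` block now resolves to `type: LoadBalancer`, `externalIp: true` and `SourceRangesRestriction: false`, so a plain install with these values publishes the LDAP service outside the cluster with no source-range restriction, while the safe in-cluster settings (`type: ClusterIP`) survive only as comments. Keep the in-cluster block as the default and move the external profile into a separate values file, or at least default `SourceRangesRestriction: true` so exposure is opt-in. The `# service:` key line stays commented while its children are uncommented, so they land in the `service:` mapping above only by indentation; merging both blocks into one mapping would make that explicit. The `tls_enabled: true` flip in the next hunk adds a dependency on `initTLSSecret` being present, which a comment next to these lines should state.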
@@ -259,7 +259,7 @@ initSchema: ## need a secret with tls.crt, tls.key initTLSSecret: # adminldap, per default disabled only works with tls_enabled - tls_enabled: false + tls_enabled: true # tls_enabled: true # needs to get enabled if you want to make the service available to the outside # Note that only one namespace at a time can use this feature and that you need to copy a tls secret into the namespace, see Confluence for more information image: From 4a9abcc08a1fb91843768fa61ccc84fd7bd8e72f Mon Sep 17 00:00:00 2001 From: aimee-889 Date: Thu, 26 Sep 2024 11:09:22 +0200 Subject: [PATCH 02/12] try adding the schema --- .../templates/configmap-config-script.yaml | 21 +++++++++++++++++-- .../templates/statefulset.yaml | 1 + 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml index 6fa8f6b..5e5d54c 100644 --- a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml @@ -21,7 +21,9 @@ data: ldapmodify -Y EXTERNAL -H ldapi:/// -f /ldap-configuration/modify/modify.ldif # no sure why this sleep is needed again - but it is sleep 10 - /bin/bash /script/02.sh + # /bin/bash /script/02.sh + ldapapply -Y EXTERNAL -H ldapi:/// -f /script/schemas.ldif + # this script is needed so that Helm Chart is stable if persistence is enabled # it applies changes if they are new, but modifies them if they already exist 
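Review bot: `ldapapply -Y EXTERNAL -H ldapi:/// -f /script/schemas.ldif` names a tool that is not part of the OpenLDAP client suite (the add operation is `ldapadd`), so unless the image ships a wrapper of that name this line fails on every start; PATCH 05 in this series switches to `ldapadd`. Commenting out `/bin/bash /script/02.sh` also stops `apply.ldif` from being applied at all, which the subject "try adding the schema" does not mention and which should not reach the main branch. 01.sh continues outside the hunk.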
@@ -69,4 +71,19 @@ data: # Process the last entry in the file if [[ -n "$current_dn" ]]; then process_entry "$current_dn" "$current_entry" - fi \ No newline at end of file + fi + + + schemas.ldif: | + # add custom schema + dn: cn=ucsMail,cn=schema,cn=config + objectClass: olcSchemaConfig + cn: ucsMail + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.1 NAME 'mailPrimaryAddress' DESC 'Primary mailaddresses for the user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.2 NAME 'mailAlternativeAddress' DESC 'Secondary (alias) mailaddresses for the same user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.3 NAME 'mailGlobalSpamFolder'DESC 'Move Spam to global spam folder instead of local spam folder' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.47 NAME 'mailForwardAddress'DESC 'External mail addresses to forward the users emails to' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.51 NAME 'mailForwardCopyToSelf' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{10} SINGLE-VALUE ) + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.60 NAME 'univentionMailHomeServer' DESC 'home server of users mailbox' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE ) + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.92 NAME 'univentionMailUserQuota' DESC 'Mailbox hard quota limit in MB' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + olcObjectClasses: ( 1.3.6.1.4.1.10176.1010.2.1 NAME 'univentionMail' DESC 'Univention Mail Preferences' SUP top AUXILIARY MUST uid MAY 
( univentionMailHomeServer $ mailPrimaryAddress $ mailAlternativeAddress $ mailGlobalSpamFolder $ univentionMailUserQuota $ mailForwardAddress $ mailForwardCopyToSelf ) ) \ No newline at end of file diff --git a/charts/dbildungs-iam-ldap/templates/statefulset.yaml b/charts/dbildungs-iam-ldap/templates/statefulset.yaml index 1f9a26c..3dc00bd 100644 --- a/charts/dbildungs-iam-ldap/templates/statefulset.yaml +++ b/charts/dbildungs-iam-ldap/templates/statefulset.yaml @@ -65,6 +65,7 @@ spec: fi cp /tmp-init-scripts/01.sh /script/01.sh && cp /tmp-init-scripts/02.sh /script/02.sh && + cp /tmp-init-scripts/schemas.ldif /script/schemas.ldif chmod +x /script/01.sh chmod +x /script/02.sh {{- if .Values.global.existingSecret }} From 91376f886bc5557c40238886c8a223711cd0a014 Mon Sep 17 00:00:00 2001 From: aimee-889 Date: Fri, 27 Sep 2024 08:31:47 +0200 Subject: [PATCH 03/12] try adding the schema ia env --- .../templates/configmap-config-script.yaml | 4 ++-- .../templates/statefulset.yaml | 2 +- charts/dbildungs-iam-ldap/values.yaml | 16 +++++++++++++--- 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml index 5e5d54c..eb91457 100644 --- a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml @@ -22,7 +22,7 @@ data: # no sure why this sleep is needed again - but it is sleep 10 # /bin/bash /script/02.sh - ldapapply -Y EXTERNAL -H ldapi:/// -f /script/schemas.ldif + # ldapapply -Y EXTERNAL -H ldapi:/// -f /script/ucsmail.ldif # this script is needed so that Helm Chart is stable if persistence is enabled @@ -74,7 +74,7 @@ data: fi - schemas.ldif: | + ucsmail.ldif: | # add custom schema dn: cn=ucsMail,cn=schema,cn=config objectClass: olcSchemaConfig 
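Review bot: Two attribute definitions in `schemas.ldif` have no whitespace between the NAME and DESC tokens (`NAME 'mailGlobalSpamFolder'DESC` and `NAME 'mailForwardAddress'DESC`); I would not rely on slapd's schema parser tolerating that, and PATCH 03 copies the text unchanged into values.yaml, so fix it here first. The OIDs sit in the 1.3.6.1.4.1.10176 arc, i.e. this is a verbatim copy of a third-party schema, and a one-line comment naming the upstream file it was taken from would let a maintainer diff against the source instead of hand-editing it. The key `schemas.ldif` holds a single schema, so a name such as `ucsmail.ldif` describes it better.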
diff --git a/charts/dbildungs-iam-ldap/templates/statefulset.yaml b/charts/dbildungs-iam-ldap/templates/statefulset.yaml index 3dc00bd..1f741ad 100644 --- a/charts/dbildungs-iam-ldap/templates/statefulset.yaml +++ b/charts/dbildungs-iam-ldap/templates/statefulset.yaml @@ -65,7 +65,7 @@ spec: fi cp /tmp-init-scripts/01.sh /script/01.sh && cp /tmp-init-scripts/02.sh /script/02.sh && - cp /tmp-init-scripts/schemas.ldif /script/schemas.ldif + # cp /tmp-init-scripts/ucsmail.ldif /opt/bitnami/openldap/etc/schema/ucsmail.ldif chmod +x /script/01.sh chmod +x /script/02.sh {{- if .Values.global.existingSecret }} diff --git a/charts/dbildungs-iam-ldap/values.yaml b/charts/dbildungs-iam-ldap/values.yaml index 0a01f6d..5a0534b 100644 --- a/charts/dbildungs-iam-ldap/values.yaml +++ b/charts/dbildungs-iam-ldap/values.yaml 
@@ -95,9 +95,19 @@ pdb: # Custom openldap schema files used to be used in addition to default schemas # Note that the supplied files are sorted by name and inserted into 'LDAP_EXTRA_SCHEMAS' env var # after chart default schemas, allowing you to control the loading sequence. -# customSchemaFiles: -# custom.ldif: |- -# # custom schema +customSchemaFiles: + ucsmail.ldif: |- + dn: cn=ucsMail,cn=schema,cn=config + objectClass: olcSchemaConfig + cn: ucsMail + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.1 NAME 'mailPrimaryAddress' DESC 'Primary mailaddresses for the user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.2 NAME 'mailAlternativeAddress' DESC 'Secondary (alias) mailaddresses for the same user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.3 NAME 'mailGlobalSpamFolder'DESC 'Move Spam to global spam folder instead of local spam folder' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.47 NAME 'mailForwardAddress'DESC 'External mail addresses to forward the users emails to' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.51 NAME 'mailForwardCopyToSelf' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{10} SINGLE-VALUE ) + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.60 NAME 'univentionMailHomeServer' DESC 'home server of users mailbox' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE ) + olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.92 NAME 'univentionMailUserQuota' DESC 'Mailbox hard quota limit in MB' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 ) + olcObjectClasses: ( 1.3.6.1.4.1.10176.1010.2.1 NAME 'univentionMail' DESC 'Univention Mail Preferences' SUP top AUXILIARY MUST uid MAY ( univentionMailHomeServer $ mailPrimaryAddress $ mailAlternativeAddress $ mailGlobalSpamFolder $ univentionMailUserQuota $ mailForwardAddress $ mailForwardCopyToSelf ) ) # anothercustom.ldif: |- # # another custom schema From 1adc952f0eb8d2a204ae8676cf04c0edbcdd981c Mon Sep 17 00:00:00 2001 From: aimee-889 Date: Fri, 27 Sep 2024 08:42:42 +0200 Subject: [PATCH 04/12] enable persistence for testing --- charts/dbildungs-iam-ldap/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/dbildungs-iam-ldap/values.yaml b/charts/dbildungs-iam-ldap/values.yaml index 5a0534b..244d021 100644 --- a/charts/dbildungs-iam-ldap/values.yaml +++ b/charts/dbildungs-iam-ldap/values.yaml @@ -137,7 +137,7 @@ replication: tls_reqcert: "never" persistence: - enabled: false + enabled: true # existingClaim: openldap-pvc accessModes: - ReadWriteOnce From ea0d48e997a5da6a8946572bc3aaff08fa2a08f2 Mon Sep 17 00:00:00 2001 From: aimee-889 Date: Fri, 27 Sep 2024 11:01:27 +0200 Subject: [PATCH 05/12] test new config --- ...publish-check-deploy-on-push-scheduled.yml | 2 +- .../templates/configmap-config-script.yaml | 33 +++++++--- .../templates/configmap-customfiles.yaml | 20 ------- .../templates/configmap-customschema.yaml | 2 +- .../templates/configmap-extraldif.yaml | 60 +++++++++++++++++++ .../templates/statefulset.yaml | 22 +++---- charts/dbildungs-iam-ldap/values.yaml | 4 +- 7 files changed, 98 insertions(+), 45 deletions(-) delete mode 100644 charts/dbildungs-iam-ldap/templates/configmap-customfiles.yaml create mode 100644 charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml diff --git a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml index 570b600..3cb6d57 100644 
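Review bot: `persistence.enabled: true` becomes the chart's default with a subject that says it is for testing, and the series never flips it back (PATCH 07 only adds a commented `# enabled: false` next to it). If persistent storage is now the intended default, say so in the comment; if not, revert this line before merge so a test setting does not become the published default. The `persistence:` block continues outside the hunk.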
--- a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml +++ b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml @@ -77,7 +77,7 @@ jobs: - branch_meta - create_branch_identifier - wait_for_helm_chart_to_get_published - uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@5 + uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@SPSH-1044 with: dbildungs_iam_server_branch: ${{ needs.branch_meta.outputs.ticket }} schulportal_client_branch: ${{ needs.branch_meta.outputs.ticket }} diff --git a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml index eb91457..74c8d90 100644 --- a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml 
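Review bot: `uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@SPSH-1044` pins the reusable deploy workflow to a mutable branch, so whoever can push to that branch controls what this job runs, and the reference breaks once the ticket branch is deleted. Pin reusable workflows to a full commit SHA with the human-readable ref in a comment, `uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@<commit-sha>  # v5`; the `@5` tag this line is reverted to in PATCH 06 is movable as well and has the same weakness. If the branch pin exists only to test this series, as the subject suggests, it should not reach the main branch.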
@@ -21,29 +21,46 @@ data: ldapmodify -Y EXTERNAL -H ldapi:/// -f /ldap-configuration/modify/modify.ldif # no sure why this sleep is needed again - but it is sleep 10 - # /bin/bash /script/02.sh - # ldapapply -Y EXTERNAL -H ldapi:/// -f /script/ucsmail.ldif + + # Loading Schemas + if ! (ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config" "(cn=*ucsMail)"); then + ldapadd -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/ucsmail.ldif + else + echo "Entry for ucsMail Schema already exists. Nothing to add." + fi + + # Adding Config Users + /bin/bash /script/02.sh /ldap-configuration/apply/apply.ldif true + # Adding other Configs + # /bin/bash /script/02.sh /ldap-configuration/extra/apply.ldif false + # /bin/bash /script/02.sh /ldap-configuration/extra/modify.ldif true + + # this script is needed so that Helm Chart is stable if persistence is enabled # it applies changes if they are new, but modifies them if they already exist 02.sh: | - LDIF_FILE="/ldap-configuration/apply/apply.ldif" + LDIF_FILE="$1" + OVERWRITE="${2:-false}" - # Function to process each entry process_entry() { local entry_dn="$1" local entry_ldif="$2" # Check if entry exists - ldapsearch -Y External -H ldapi:/// -b "$entry_dn" -s base -LLL dn > /dev/null 2>&1 + ldapsearch -Y EXTERNAL -H ldapi:/// -b "$entry_dn" -s base -LLL dn > /dev/null 2>&1 if [ $? 
-eq 0 ]; then - echo "Entry already exists: $entry_dn, updating entry by running ldapmodify" - echo "$entry_ldif" | sed 's/^dn: .*/changetype: modify/' | ldapmodify -Y External -H ldapi:/// + if [ "$OVERWRITE" = true ]; then + echo "Entry already exists: $entry_dn, updating entry by running ldapmodify" + echo "$entry_ldif" | sed 's/^dn: .*/changetype: modify/' | ldapmodify -Y EXTERNAL -H ldapi:/// + else + echo "Entry already exists: $entry_dn, skipping ldapmodify" + fi else echo "Entry does not exist, adding entry: $entry_dn" - echo "$entry_ldif" | ldapadd -Y External -H ldapi:/// + echo "$entry_ldif" | ldapadd -Y EXTERNAL -H ldapi:/// fi } diff --git a/charts/dbildungs-iam-ldap/templates/configmap-customfiles.yaml b/charts/dbildungs-iam-ldap/templates/configmap-customfiles.yaml deleted file mode 100644 index 10dd560..0000000 --- a/charts/dbildungs-iam-ldap/templates/configmap-customfiles.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- range .Values.customFileSets }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "openldap.fullname" $ }}-fs-{{ .name }} - labels: - app: {{ template "openldap.name" $ }} - chart: {{ template "openldap.chart" $ }} - release: {{ $.Release.Name }} - heritage: {{ $.Release.Service }} -{{- if $.Values.extraLabels }} -{{ toYaml $.Values.extraLabels | indent 4 }} -{{- end }} -data: -{{- range .files }} -{{ .filename | indent 2}}: | -{{ .content | indent 4 }} -{{- end}} ---- -{{- end }} diff --git a/charts/dbildungs-iam-ldap/templates/configmap-customschema.yaml b/charts/dbildungs-iam-ldap/templates/configmap-customschema.yaml index e971be5..8f17e8e 100644 --- a/charts/dbildungs-iam-ldap/templates/configmap-customschema.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-customschema.yaml @@ -1,6 +1,6 @@ # # A ConfigMap spec for openldap slapd that map directly to files under -# /opt/bitnami/openldap/etc/schema/custom +# /opt/bitnami/openldap/etc/schema/ # {{- if .Values.customSchemaFiles }} apiVersion: v1 
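Review bot: The schema guard `if ! (ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config" "(cn=*ucsMail)")` tests ldapsearch's exit status, and ldapsearch exits 0 whether or not the filter matched anything, so the `ldapadd` branch is reached only when the search itself errors and on a fresh volume the schema is never loaded (PATCH 07 in this series reworks the test). In 02.sh, `LDIF_FILE="$1"` is accepted without checking that the file is readable, so a wrong path from 01.sh silently processes nothing; add `[ -r "$LDIF_FILE" ] || { echo "LDIF file not found: $LDIF_FILE"; exit 1; }` after the assignment. The `sed 's/^dn: .*/changetype: modify/'` line replaces the `dn:` line itself instead of inserting `changetype: modify` after it, so if `$entry_ldif` still carries the DN the record handed to ldapmodify has none; the commit only changes the bind-name case here, but it is worth confirming how `current_entry` is assembled. 02.sh continues outside the hunk.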
diff --git a/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml b/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml new file mode 100644 index 0000000..27ab8de --- /dev/null +++ b/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml @@ -0,0 +1,60 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "openldap.fullname" $ }}-extraldif + labels: + app: {{ template "openldap.name" $ }} + chart: {{ template "openldap.chart" $ }} + release: {{ $.Release.Name }} + heritage: {{ $.Release.Service }} +{{- if $.Values.extraLabels }} +{{ toYaml $.Values.extraLabels | indent 4 }} +{{- end }} +data: + apply.ldif: |- + dn: cn=lehrer,dc=schule-sh,dc=de + cn: lehrer + objectclass: groupOfUniqueNames + objectclass: top + + dn: cn=schueler,dc=schule-sh,dc=de + cn: schueler + objectclass: groupOfUniqueNames + objectclass: top + + dn: ou=oeffentlicheSchulen,dc=schule-sh,dc=de + objectclass: organizationalUnit + objectclass: top + ou: oeffentlicheSchulen + + dn: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de + uid: mmusterschueler + cn: mmusterschueler + givenname: Moritz + objectclass: inetOrgPerson + objectclass: univentionMail + mailPrimaryAddress: moritz.muster-schueler@schule-sh.de + mailAlternativeAddress: moritz.muster-schueler@schule-sh.de + objectclass: top + sn: Muster-Schueler + + dn: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de + uid: ssuperadmin + cn: ssuperadmin + givenname: Susi + objectclass: inetOrgPerson + objectclass: univentionMail + mailPrimaryAddress: susi.superadmin@schule-sh.de + mailAlternativeAddress: susi.superadmin@schule-sh.de + objectclass: top + sn: Superadmin + + modify.ldif: |- + # Group members + dn: cn=lehrer,dc=schule-sh,dc=de + add: uniquemember + uniquemember: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de + + dn: cn=schueler,dc=schule-sh,dc=de + add: uniquemember + uniquemember: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de \ No newline at end of file 
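Review bot: A concrete directory tree (`dc=schule-sh,dc=de`, the groups `lehrer`/`schueler`, and the accounts `mmusterschueler` and `ssuperadmin`) is hard-coded into a chart template, so every installation creates these entries and the only way to change them is to edit the template; render this from values (as PATCH 08 does) so the default can be empty. `modify.ldif` carries `add: uniquemember` without a `changetype: modify` header, which only works because 02.sh rewrites the record, and that dependency deserves a comment at the top of the file, e.g. `# consumed by /script/02.sh, which adds changetype: modify before ldapmodify`. The `objectclass: univentionMail` lines also require the ucsMail schema to be loaded before apply.ldif runs, an ordering the init script must guarantee.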
diff --git a/charts/dbildungs-iam-ldap/templates/statefulset.yaml b/charts/dbildungs-iam-ldap/templates/statefulset.yaml index 1f741ad..f39869d 100644 --- a/charts/dbildungs-iam-ldap/templates/statefulset.yaml +++ b/charts/dbildungs-iam-ldap/templates/statefulset.yaml @@ -65,7 +65,6 @@ spec: fi cp /tmp-init-scripts/01.sh /script/01.sh && cp /tmp-init-scripts/02.sh /script/02.sh && - # cp /tmp-init-scripts/ucsmail.ldif /opt/bitnami/openldap/etc/schema/ucsmail.ldif chmod +x /script/01.sh chmod +x /script/02.sh {{- if .Values.global.existingSecret }} @@ -87,6 +86,8 @@ spec: mountPath: /ldap-configuration/apply/ - name: ldap-configuration-modify mountPath: /ldap-configuration/modify/ + - name: ldap-configuration-extra + mountPath: /ldap-configuration/extra/ {{- if .Values.customSchemaFiles }} {{- range $file := (include "openldap.customSchemaFiles" . | split ",") }} - name: cm-custom-schema-files @@ -264,6 +265,8 @@ spec: mountPath: /ldap-configuration/apply - name: ldap-configuration-modify mountPath: /ldap-configuration/modify + - name: ldap-configuration-extra + mountPath: /ldap-configuration/extra - name: certs mountPath: /opt/bitnami/openldap/certs {{- range $file := (include "openldap.builtinSchemaFiles" . | split ",") }} @@ -282,14 +285,6 @@ spec: - name: custom-ldif-files mountPath: /ldifs/ {{- end }} -{{- range .Values.customFileSets }} -{{- $fs := . }} -{{- range .files }} - - name: {{ $fs.name }} - mountPath: {{ $fs.targetPath }}/{{ .filename }} - subPath: {{ .filename }} -{{- end }} -{{- end }} {{- if .Values.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} 
@@ -317,6 +312,10 @@ spec: secret: # could make the secret name variable secretName: dbildungs-iam-ldap-config-modify + - name: ldap-configuration-extra + configMap: + # could make the secret name variable + name: {{ template "openldap.fullname" $ }}-extraldif - name: cm-replication configMap: name: {{ template "openldap.fullname" . }}-replication @@ -358,11 +357,6 @@ spec: - name: secret-certs emptyDir: medium: Memory -{{- end }} -{{- range .Values.customFileSets }} - - name: {{ .name }} - configMap: - name: {{ template "openldap.fullname" $ }}-fs-{{ .name }} {{- end }} {{- if .Values.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} diff --git a/charts/dbildungs-iam-ldap/values.yaml b/charts/dbildungs-iam-ldap/values.yaml index 244d021..21cde16 100644 --- a/charts/dbildungs-iam-ldap/values.yaml +++ b/charts/dbildungs-iam-ldap/values.yaml 
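Review bot: The comment `# could make the secret name variable` above `name: {{ template "openldap.fullname" $ }}-extraldif` was copied from the Secret-backed volume above it, but this volume is a `configMap:` whose name is already derived from the release; replace it with `# rendered by templates/configmap-extraldif.yaml`. Once 01.sh applies this LDIF on every start (the calls are still commented out in this commit), write access to ConfigMaps in the namespace implies write access to the directory entries it contains, which is worth a sentence in the chart's values documentation. The `/ldap-configuration/extra/` mount is added to both the init container and the main container (hunks @@ -87 and @@ -264); if only the init script reads it, the second mount can go.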
@@ -110,12 +110,14 @@ customSchemaFiles: olcObjectClasses: ( 1.3.6.1.4.1.10176.1010.2.1 NAME 'univentionMail' DESC 'Univention Mail Preferences' SUP top AUXILIARY MUST uid MAY ( univentionMailHomeServer $ mailPrimaryAddress $ mailAlternativeAddress $ mailGlobalSpamFolder $ univentionMailUserQuota $ mailForwardAddress $ mailForwardCopyToSelf ) ) # anothercustom.ldif: |- # # another custom schema +# # adjust the configuration script configmap-config-script to make sure schema is always loaded # Custom openldap configuration files used to override default settings # can not get loaded if TLS is required ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required # DO NOT FORGET to put the Root Organisation object as it won't be created while using customLdifFiles -# Files that chage the general config or create ACL are not allowed here, insufficient permissions, they get hendled via the dbildungs-iam-ldap-configuration secret +# Files that change the general config or create ACL are not allowed here, insufficient permissions, they get hendled via the dbildungs-iam-ldap-configuration secret +# Only considered once in the initial setup customLdifFiles: 00-root.ldif: |- dn: dc=schule-sh,dc=de From f8c10a2e444d28d2855390184590d46a37c09a98 Mon Sep 17 00:00:00 2001 From: aimee-889 Date: Fri, 27 Sep 2024 11:17:29 +0200 Subject: [PATCH 06/12] final test --- ...elm-publish-check-deploy-on-push-scheduled.yml | 2 +- .../templates/configmap-config-script.yaml | 15 --------------- .../templates/configmap-extraldif.yaml | 9 +++++++-- 3 files changed, 8 insertions(+), 18 deletions(-) diff --git a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml index 3cb6d57..570b600 100644 --- a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml +++ b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml 
@@ -77,7 +77,7 @@ jobs: - branch_meta - create_branch_identifier - wait_for_helm_chart_to_get_published - uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@SPSH-1044 + uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@5 with: dbildungs_iam_server_branch: ${{ needs.branch_meta.outputs.ticket }} schulportal_client_branch: ${{ needs.branch_meta.outputs.ticket }} diff --git a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml index 74c8d90..91ba121 100644 --- a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml 
@@ -89,18 +89,3 @@ data: if [[ -n "$current_dn" ]]; then process_entry "$current_dn" "$current_entry" fi - - - ucsmail.ldif: | - # add custom schema - dn: cn=ucsMail,cn=schema,cn=config - objectClass: olcSchemaConfig - cn: ucsMail - olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.1 NAME 'mailPrimaryAddress' DESC 'Primary mailaddresses for the user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.2 NAME 'mailAlternativeAddress' DESC 'Secondary (alias) mailaddresses for the same user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.3 NAME 'mailGlobalSpamFolder'DESC 'Move Spam to global spam folder instead of local spam folder' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.47 NAME 'mailForwardAddress'DESC 'External mail addresses to forward the users emails to' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) - olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.51 NAME 'mailForwardCopyToSelf' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{10} SINGLE-VALUE ) - olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.60 NAME 'univentionMailHomeServer' DESC 'home server of users mailbox' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE ) - olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.92 NAME 'univentionMailUserQuota' DESC 'Mailbox hard quota limit in MB' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) - olcObjectClasses: ( 1.3.6.1.4.1.10176.1010.2.1 NAME 'univentionMail' DESC 'Univention Mail Preferences' SUP top AUXILIARY MUST uid MAY ( univentionMailHomeServer $ mailPrimaryAddress $ 
mailAlternativeAddress $ mailGlobalSpamFolder $ univentionMailUserQuota $ mailForwardAddress $ mailForwardCopyToSelf ) ) \ No newline at end of file diff --git a/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml b/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml index 27ab8de..ed96b70 100644 --- a/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml @@ -52,9 +52,14 @@ data: modify.ldif: |- # Group members dn: cn=lehrer,dc=schule-sh,dc=de - add: uniquemember + cn: lehrer + objectclass: groupOfUniqueNames + objectclass: top + dn: cn=lehrer,dc=schule-sh,dc=de uniquemember: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de dn: cn=schueler,dc=schule-sh,dc=de - add: uniquemember + cn: schueler + objectclass: groupOfUniqueNames + objectclass: top uniquemember: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de \ No newline at end of file From 6886413b40172d415987641c67134c7cd66b3fcd Mon Sep 17 00:00:00 2001 From: aimee-889 Date: Fri, 27 Sep 2024 14:09:31 +0200 Subject: [PATCH 07/12] fix code --- .../templates/configmap-config-script.yaml | 15 ++++++++------- .../templates/configmap-extraldif.yaml | 3 ++- charts/dbildungs-iam-ldap/values.yaml | 1 + 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml index 91ba121..5b079ff 100644 --- a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml 
@@ -23,17 +23,18 @@ data: sleep 10 # Loading Schemas - if ! (ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config" "(cn=*ucsMail)"); then - ldapadd -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/ucsmail.ldif + ucsmail_search_output=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config" "(cn=*ucsMail)") + if (echo "$ucsmail_search_output" | grep -q "numEntries: 1"); then + echo "Entry for ucsMail Schema already exists. If you need to modify it, delete it and readd it." else - echo "Entry for ucsMail Schema already exists. Nothing to add." + ldapadd -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/ucsmail.ldif fi - # Adding Config Users + # Adding Config Users from Secret /bin/bash /script/02.sh /ldap-configuration/apply/apply.ldif true - # Adding other Configs - # /bin/bash /script/02.sh /ldap-configuration/extra/apply.ldif false - # /bin/bash /script/02.sh /ldap-configuration/extra/modify.ldif true + # Adding other Configs from Configmap + /bin/bash /script/02.sh /ldap-configuration/extra/apply.ldif false + /bin/bash /script/02.sh /ldap-configuration/extra/modify.ldif true diff --git a/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml b/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml index ed96b70..9a76e8e 100644 --- a/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml @@ -16,11 +16,13 @@ data: cn: lehrer objectclass: groupOfUniqueNames objectclass: top + uniquemember: dn: cn=schueler,dc=schule-sh,dc=de cn: schueler objectclass: groupOfUniqueNames objectclass: top + uniquemember: dn: ou=oeffentlicheSchulen,dc=schule-sh,dc=de objectclass: organizationalUnit @@ -55,7 +57,6 @@ data: cn: lehrer objectclass: groupOfUniqueNames objectclass: top - dn: cn=lehrer,dc=schule-sh,dc=de uniquemember: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de dn: cn=schueler,dc=schule-sh,dc=de 
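Review bot: The new guard `grep -q "numEntries: 1"` decides "already exists" from ldapsearch's summary comment, so when ldapsearch itself fails (slapd not yet accepting ldapi connections, for instance) the script falls through to `ldapadd`, whose exit status is not checked; a failed schema load is then silent and only surfaces later when apply.ldif records with `objectclass: univentionMail` are rejected. Match on a returned `dn:` line instead and stop when ldapadd fails, as below. The same unchecked exit status applies to the three `/bin/bash /script/02.sh` calls that follow. 01.sh continues outside the hunk.
```yaml
      # Loading Schemas
      if ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config" -LLL "(cn=*ucsMail)" dn | grep -q '^dn:'; then
        echo "Entry for ucsMail Schema already exists. If you need to modify it, delete it and readd it."
      else
        ldapadd -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/ucsmail.ldif || { echo "loading ucsMail schema failed"; exit 1; }
      fi
      # … unchanged: 02.sh calls for apply.ldif and the extra LDIF files …
```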
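Review bot: The empty `uniquemember:` values added to the `lehrer` and `schueler` records rely on slapd accepting an empty DN to satisfy the `groupOfUniqueNames` MUST constraint, which is not obvious to the next reader; a comment such as `# empty uniquemember satisfies the MUST constraint until modify.ldif fills the group` above the first record would explain it. If slapd rejects the empty value, the apply.ldif run fails with the same unchecked exit status as the script calls in the hunk above. The file's `data:` block continues outside the hunk.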
diff --git a/charts/dbildungs-iam-ldap/values.yaml b/charts/dbildungs-iam-ldap/values.yaml index 21cde16..aa07c7c 100644 --- a/charts/dbildungs-iam-ldap/values.yaml +++ b/charts/dbildungs-iam-ldap/values.yaml @@ -140,6 +140,7 @@ replication: persistence: enabled: true + # enabled: false # existingClaim: openldap-pvc accessModes: - ReadWriteOnce From 6514114b3c999007d6f3a69563266b0fac3f900f Mon Sep 17 00:00:00 2001 From: aimee-889 Date: Tue, 8 Oct 2024 12:05:15 +0200 Subject: [PATCH 08/12] values should be managed via values and order of schemas should be more manageable --- .../templates/configmap-config-script.yaml | 2 +- .../templates/configmap-extraldif.yaml | 58 ++---------------- charts/dbildungs-iam-ldap/values.yaml | 59 ++++++++++++++++++- 3 files changed, 64 insertions(+), 55 deletions(-) diff --git a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml index 5b079ff..f73e55f 100644 --- a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml @@ -27,7 +27,7 @@ data: if (echo "$ucsmail_search_output" | grep -q "numEntries: 1"); then echo "Entry for ucsMail Schema already exists. If you need to modify it, delete it and readd it." else - ldapadd -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/ucsmail.ldif + ldapadd -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/00-ucsmail.ldif fi # Adding Config Users from Secret diff --git a/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml b/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml index 9a76e8e..9435bf9 100644 --- a/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml 
@@ -11,56 +11,8 @@ metadata: {{ toYaml $.Values.extraLabels | indent 4 }} {{- end }} data: - apply.ldif: |- - dn: cn=lehrer,dc=schule-sh,dc=de - cn: lehrer - objectclass: groupOfUniqueNames - objectclass: top - uniquemember: - - dn: cn=schueler,dc=schule-sh,dc=de - cn: schueler - objectclass: groupOfUniqueNames - objectclass: top - uniquemember: - - dn: ou=oeffentlicheSchulen,dc=schule-sh,dc=de - objectclass: organizationalUnit - objectclass: top - ou: oeffentlicheSchulen - - dn: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de - uid: mmusterschueler - cn: mmusterschueler - givenname: Moritz - objectclass: inetOrgPerson - objectclass: univentionMail - mailPrimaryAddress: moritz.muster-schueler@schule-sh.de - mailAlternativeAddress: moritz.muster-schueler@schule-sh.de - objectclass: top - sn: Muster-Schueler - - dn: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de - uid: ssuperadmin - cn: ssuperadmin - givenname: Susi - objectclass: inetOrgPerson - objectclass: univentionMail - mailPrimaryAddress: susi.superadmin@schule-sh.de - mailAlternativeAddress: susi.superadmin@schule-sh.de - objectclass: top - sn: Superadmin - - modify.ldif: |- - # Group members - dn: cn=lehrer,dc=schule-sh,dc=de - cn: lehrer - objectclass: groupOfUniqueNames - objectclass: top - uniquemember: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de - - dn: cn=schueler,dc=schule-sh,dc=de - cn: schueler - objectclass: groupOfUniqueNames - objectclass: top - uniquemember: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de \ No newline at end of file +{{- range $key, $val := .Values.customExtraLdifFiles }} + {{ $key }}: |- +{{ $val | indent 4}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/dbildungs-iam-ldap/values.yaml b/charts/dbildungs-iam-ldap/values.yaml index aa07c7c..0d4d93e 100644 --- a/charts/dbildungs-iam-ldap/values.yaml +++ b/charts/dbildungs-iam-ldap/values.yaml 
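Review bot: The new side closes two `{{- end }}` but opens only one `range`; unless an `{{- if .Values.customExtraLdifFiles }}` is opened in the unchanged lines 1-10 (the per-file diffstat of 58 lines matches this hunk alone, so it is not), the template does not parse, which is presumably what PATCH 09 "add missing line" addresses. If the ConfigMap does become conditional, the `ldap-configuration-extra` volume added to the StatefulSet in PATCH 05 references it unconditionally, so an install with `customExtraLdifFiles` unset stays in ContainerCreating; wrap the volume and its mounts in the same condition or mark the volume `optional: true`. `{{ $val | indent 4}}` is also missing the space before `}}` that the rest of the file uses.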
@@ -96,7 +96,7 @@ pdb: # Note that the supplied files are sorted by name and inserted into 'LDAP_EXTRA_SCHEMAS' env var # after chart default schemas, allowing you to control the loading sequence. customSchemaFiles: - ucsmail.ldif: |- + 00-ucsmail.ldif: |- dn: cn=ucsMail,cn=schema,cn=config objectClass: olcSchemaConfig cn: ucsMail 
@@ -126,6 +126,63 @@ customLdifFiles: objectClass: organization o: SPSH + +# First the apply.ldif gets applied if entry is not existend, then the entries in modify.ldif overwrite the entries +customExtraLdifFiles: + apply.ldif: |- + dn: cn=lehrer,dc=schule-sh,dc=de + cn: lehrer + objectclass: groupOfUniqueNames + objectclass: top + uniquemember: + + dn: cn=schueler,dc=schule-sh,dc=de + cn: schueler + objectclass: groupOfUniqueNames + objectclass: top + uniquemember: + + dn: ou=oeffentlicheSchulen,dc=schule-sh,dc=de + objectclass: organizationalUnit + objectclass: top + ou: oeffentlicheSchulen + + dn: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de + uid: mmusterschueler + cn: mmusterschueler + givenname: Moritz + objectclass: inetOrgPerson + objectclass: univentionMail + mailPrimaryAddress: moritz.muster-schueler@schule-sh.de + mailAlternativeAddress: moritz.muster-schueler@schule-sh.de + objectclass: top + sn: Muster-Schueler + + dn: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de + uid: ssuperadmin + cn: ssuperadmin + givenname: Susi + objectclass: inetOrgPerson + objectclass: univentionMail + mailPrimaryAddress: susi.superadmin@schule-sh.de + mailAlternativeAddress: susi.superadmin@schule-sh.de + objectclass: top + sn: Superadmin + + modify.ldif: |- + # Group members + dn: cn=lehrer,dc=schule-sh,dc=de + cn: lehrer + objectclass: groupOfUniqueNames + objectclass: top + uniquemember: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de + + dn: cn=schueler,dc=schule-sh,dc=de + cn: schueler + objectclass: groupOfUniqueNames + objectclass: top + uniquemember: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de + replicaCount: 1 # will have to work on this From b5d095bc55b1c5a2641fa299a688d0401fed24c8 Mon Sep 17 00:00:00 2001 From: aimee-889 Date: Tue, 8 Oct 2024 12:15:28 +0200 Subject: [PATCH 09/12] add missing line --- charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml | 1 + 1 file changed, 1 insertion(+) 
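Review bot: The default `customExtraLdifFiles` seeds every release that does not override it with example directory data — the groups `lehrer` and `schueler`, two OUs, and the users `mmusterschueler` and `ssuperadmin` with `@schule-sh.de` mail attributes — because values.yaml defaults are applied unless a deployer replaces them. If this is sample data, a comment above the key such as `# Example entries for local/dev use; override or set to {} for any shared environment` states the intent, and shipping the sample in a separate values file would keep it out of the chart default entirely. The explanatory comment on the first added line should also read `if the entry does not exist` instead of `if entry is not existend`.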
diff --git a/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml b/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml index 9435bf9..4bb6275 100644 --- a/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml @@ -1,3 +1,4 @@ +{{- if .Values.customExtraLdifFiles }} apiVersion: v1 kind: ConfigMap metadata: From 1639f4bf0d10ed9a118ecf68cf1546554281b8c6 Mon Sep 17 00:00:00 2001 From: aimee-889 Date: Tue, 8 Oct 2024 13:29:21 +0200 Subject: [PATCH 10/12] prepare PR for merging --- charts/dbildungs-iam-ldap/values.yaml | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/charts/dbildungs-iam-ldap/values.yaml b/charts/dbildungs-iam-ldap/values.yaml index 0d4d93e..c691d92 100644 --- a/charts/dbildungs-iam-ldap/values.yaml +++ b/charts/dbildungs-iam-ldap/values.yaml @@ -39,28 +39,20 @@ service: # sslLdapPortNodePort: enableLdapPort: true - #enableSslLdapPort: true + enableSslLdapPort: true sessionAffinity: None - #type: ClusterIP + type: ClusterIP # type: LoadBalancer - #externalIp: false + externalIp: false # if enabled you need to have to set the LOADBALANCER_IP key with value in the existingSecret # externalIp: true - #SourceRangesRestriction: false + SourceRangesRestriction: false # if enabled you need to have to set the LOADBALANCER_SOURCERANGES key with value in the existingSecret # servicecenter für den prometheus blackbox exporter freischalten # SourceRangesRestriction: true # enableLdapPort: false -# enable this service block and disable the service one above, to make LDAP outside the cluster available -# Note that only one namespace at a time can use this feature!! -# service: - enableSslLdapPort: true - type: LoadBalancer - externalIp: true - SourceRangesRestriction: false - # Use the env variables from https://hub.docker.com/r/bitnami/openldap/ env: 
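Review bot: The new `{{- if .Values.customExtraLdifFiles }}` guard makes the whole ConfigMap conditional, so any volume or volumeMount in the statefulset that references this ConfigMap by name (not visible here) would point at a missing object once the value is empty, and the pod would fail to start rather than skip the extra LDIF. Either that mount needs the same guard or the template should render an empty ConfigMap; a comment where the value is defined, `# set to {} to skip configmap-extraldif; the statefulset mount must be guarded the same way`, would keep the two templates in step. I cannot see the statefulset in this page, so the mount's behaviour is inferred.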
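Review bot: None of the retained comments next to `# type: LoadBalancer` says that a LoadBalancer with `SourceRangesRestriction: false` presumably publishes the LDAP and LDAPS ports to every source address, since the `LOADBALANCER_SOURCERANGES` secret key is only read when the restriction is enabled. A line such as `# with type: LoadBalancer set SourceRangesRestriction: true and provide LOADBALANCER_SOURCERANGES in the existingSecret` beside `# type: LoadBalancer` would close that gap; the restored defaults `type: ClusterIP`, `externalIp: false` are the right in-cluster choice. As a point of style, `SourceRangesRestriction` is the only PascalCase key in this block; aligning it with its camelCase siblings would also touch the templates that read it, so that is better done as a separate change.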
@@ -196,8 +188,7 @@ replication: tls_reqcert: "never" persistence: - enabled: true - # enabled: false + enabled: false # existingClaim: openldap-pvc accessModes: - ReadWriteOnce @@ -329,7 +320,7 @@ initSchema: ## need a secret with tls.crt, tls.key initTLSSecret: # adminldap, per default disabled only works with tls_enabled - tls_enabled: true + tls_enabled: false # tls_enabled: true # needs to get enabled if you want to make the service available to the outside # Note that only one namespace at a time can use this feature and that you need to copy a tls secret into the namespace, see Confluence for more information image: From 754a4509f1c20b0fca2dea71198e7a0946355a37 Mon Sep 17 00:00:00 2001 From: aimee-889 Date: Tue, 8 Oct 2024 14:05:56 +0200 Subject: [PATCH 11/12] readd deleted block --- charts/dbildungs-iam-ldap/values.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/charts/dbildungs-iam-ldap/values.yaml b/charts/dbildungs-iam-ldap/values.yaml index c691d92..f33c4f0 100644 --- a/charts/dbildungs-iam-ldap/values.yaml +++ b/charts/dbildungs-iam-ldap/values.yaml @@ -53,6 +53,14 @@ service: # SourceRangesRestriction: true # enableLdapPort: false +# enable this service block and disable the service one above, to make LDAP outside the cluster available +# Note that only one namespace at a time can use this feature!! +# service: +# enableSslLdapPort: true +# type: LoadBalancer +# externalIp: true +# SourceRangesRestriction: false + # Use the env variables from https://hub.docker.com/r/bitnami/openldap/ env: From ee6d1bb7340263c1d48dd40eb5d9f7a4412b910b Mon Sep 17 00:00:00 2001 From: aimee-889 Date: Tue, 8 Oct 2024 19:03:00 +0200 Subject: [PATCH 12/12] add ersatzSchulen entry --- charts/dbildungs-iam-ldap/values.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/charts/dbildungs-iam-ldap/values.yaml b/charts/dbildungs-iam-ldap/values.yaml index f33c4f0..2a81eaf 100644 --- a/charts/dbildungs-iam-ldap/values.yaml 
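Review bot: `persistence.enabled: false` as the chart default means the directory data lives in pod-local storage and every entry or password change made at runtime is lost on pod restart, presumably rebuilt from the LDIF values; this reverses the `enabled: true` default shown in the earlier `@@ -140,6 +140,7` hunk of this series. If that is intended for the dev/external use case, a comment next to the key, `# false: data is ephemeral and recreated from the LDIF values on restart; set true for any environment that must keep runtime changes`, stops operators from relying on the default.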
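Review bot: `initTLSSecret.tls_enabled: false` in the `@@ -329,7 +320,7` hunk now sits beside `service.enableSslLdapPort: true` from the `@@ -39,28 +39,20` hunk, so the service advertises an LDAPS port while the TLS secret that would back it is disabled; unless TLS is configured through the env section (not visible here), that port is either closed or served without TLS. The existing comment records the dependency only on the secret side; a matching note where the port is toggled, `# enableSslLdapPort only serves TLS when initTLSSecret.tls_enabled is true`, would make it visible in both places.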
+++ b/charts/dbildungs-iam-ldap/values.yaml @@ -147,6 +147,11 @@ customExtraLdifFiles: objectclass: top ou: oeffentlicheSchulen + dn: ou=ersatzSchulen,dc=schule-sh,dc=de + objectclass: organizationalUnit + objectclass: top + ou: ersatzSchulen + dn: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de uid: mmusterschueler cn: mmusterschueler