SPSH-1044

charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml

@@ -21,27 +21,47 @@ data:
     ldapmodify -Y EXTERNAL -H ldapi:/// -f /ldap-configuration/modify/modify.ldif
     # no sure why this sleep is needed again - but it is
     sleep 10
-    /bin/bash /script/02.sh
+
+    # Loading Schemas
+    ucsmail_search_output=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config" "(cn=*ucsMail)")
+    if (echo "$ucsmail_search_output" | grep -q "numEntries: 1"); then
+      echo "Entry for ucsMail Schema already exists. If you need to modify it, delete it and readd it."
+    else
+      ldapadd -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/00-ucsmail.ldif
+    fi
+
+    # Adding Config Users from Secret
+    /bin/bash /script/02.sh /ldap-configuration/apply/apply.ldif true
+    # Adding other Configs from Configmap
+    /bin/bash /script/02.sh /ldap-configuration/extra/apply.ldif false
+    /bin/bash /script/02.sh /ldap-configuration/extra/modify.ldif true
+
+
+
 
   # this script is needed so that Helm Chart is stable if persistence is enabled
   # it applies changes if they are new, but modifies them if they already exist
   02.sh: |  
-    LDIF_FILE="/ldap-configuration/apply/apply.ldif"
+    LDIF_FILE="$1"
+    OVERWRITE="${2:-false}"
 
-    # Function to process each entry
     process_entry() {
       local entry_dn="$1"
       local entry_ldif="$2"
 
       # Check if entry exists
-      ldapsearch -Y External -H ldapi:/// -b "$entry_dn" -s base -LLL dn > /dev/null 2>&1
+      ldapsearch -Y EXTERNAL -H ldapi:/// -b "$entry_dn" -s base -LLL dn > /dev/null 2>&1
 
       if [ $? -eq 0 ]; then
-        echo "Entry already exists: $entry_dn, updating entry by running ldapmodify"
-        echo "$entry_ldif" | sed 's/^dn: .*/changetype: modify/' | ldapmodify -Y External -H ldapi:/// 
+        if [ "$OVERWRITE" = true ]; then
+          echo "Entry already exists: $entry_dn, updating entry by running ldapmodify"
+          echo "$entry_ldif" | sed 's/^dn: .*/changetype: modify/' | ldapmodify -Y EXTERNAL -H ldapi:/// 
+        else
+          echo "Entry already exists: $entry_dn, skipping ldapmodify"
+        fi
       else
         echo "Entry does not exist, adding entry: $entry_dn"
-        echo "$entry_ldif" | ldapadd -Y External -H ldapi:/// 
+        echo "$entry_ldif" | ldapadd -Y EXTERNAL -H ldapi:/// 
       fi
     }
 
@@ -69,4 +89,4 @@ data:
     # Process the last entry in the file
     if [[ -n "$current_dn" ]]; then
       process_entry "$current_dn" "$current_entry"
-    fi
+    fi

charts/dbildungs-iam-ldap/templates/configmap-customschema.yaml

@@ -1,6 +1,6 @@
 #
 # A ConfigMap spec for openldap slapd that map directly to files under
-# /opt/bitnami/openldap/etc/schema/custom
+# /opt/bitnami/openldap/etc/schema/
 #
 {{- if .Values.customSchemaFiles }}
 apiVersion: v1

charts/dbildungs-iam-ldap/templates/configmap-customfiles.yaml → charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml

@@ -1,8 +1,8 @@
-{{- range .Values.customFileSets }}
+{{- if .Values.customExtraLdifFiles }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ template "openldap.fullname" $ }}-fs-{{ .name }}
+  name: {{ template "openldap.fullname" $ }}-extraldif
   labels:
     app: {{ template "openldap.name" $ }}
     chart: {{ template "openldap.chart" $ }}
@@ -12,9 +12,8 @@ metadata:
 {{ toYaml $.Values.extraLabels | indent 4 }}
 {{- end }}
 data:
-{{- range .files }}
-{{ .filename | indent 2}}: |
-{{ .content | indent 4 }}
-{{- end}}
----
+{{- range $key, $val := .Values.customExtraLdifFiles }}
+  {{ $key }}: |-
+{{ $val | indent 4}}
 {{- end }}
+{{- end }}

charts/dbildungs-iam-ldap/templates/statefulset.yaml

@@ -86,6 +86,8 @@ spec:
               mountPath: /ldap-configuration/apply/
             - name: ldap-configuration-modify
               mountPath: /ldap-configuration/modify/
+            - name: ldap-configuration-extra
+              mountPath: /ldap-configuration/extra/
     {{- if .Values.customSchemaFiles }}
       {{- range $file := (include "openldap.customSchemaFiles" . | split ",") }}
             - name: cm-custom-schema-files
@@ -263,6 +265,8 @@ spec:
               mountPath: /ldap-configuration/apply
             - name: ldap-configuration-modify
               mountPath: /ldap-configuration/modify
+            - name: ldap-configuration-extra
+              mountPath: /ldap-configuration/extra
             - name: certs
               mountPath: /opt/bitnami/openldap/certs
             {{- range $file := (include "openldap.builtinSchemaFiles" . | split ",") }}
@@ -281,14 +285,6 @@ spec:
             - name: custom-ldif-files
               mountPath: /ldifs/
 {{- end }}
-{{- range .Values.customFileSets }}
-{{- $fs := . }}
-{{- range .files }}
-            - name: {{ $fs.name }}
-              mountPath: {{ $fs.targetPath }}/{{ .filename }}
-              subPath: {{ .filename }}
-{{- end }}
-{{- end }}
 {{- if .Values.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
@@ -316,6 +312,10 @@ spec:
           secret:
             # could make the secret name variable
             secretName: dbildungs-iam-ldap-config-modify
+        - name: ldap-configuration-extra
+          configMap:
+            # could make the secret name variable
+            name: {{ template "openldap.fullname" $ }}-extraldif
         - name: cm-replication
           configMap:
             name: {{ template "openldap.fullname" . }}-replication
@@ -357,11 +357,6 @@ spec:
         - name: secret-certs
           emptyDir:
             medium: Memory
-{{- end }}
-{{- range .Values.customFileSets }}
-        - name: {{ .name }}
-          configMap:
-            name: {{ template "openldap.fullname" $ }}-fs-{{ .name }}
 {{- end }}
         {{- if .Values.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}

charts/dbildungs-iam-ldap/values.yaml

@@ -53,12 +53,12 @@ service:
   # SourceRangesRestriction: true
   # enableLdapPort: false
 
-# enable this service block and disable the service one above, to make LDAP outside the cluster available 
-# Note that only one namespace at a time can use this feature!!
-# service:
-#   enableSslLdapPort: true
-#   type: LoadBalancer
-#   externalIp: true
+# enable this service block and disable the service one above, to make LDAP outside the cluster available 	
+# Note that only one namespace at a time can use this feature!!	
+# service:	
+#   enableSslLdapPort: true	
+#   type: LoadBalancer	
+#   externalIp: true	
 #   SourceRangesRestriction: false
 
 
@@ -95,17 +95,29 @@ pdb:
 # Custom openldap schema files used to be used in addition to default schemas
 # Note that the supplied files are sorted by name and inserted into 'LDAP_EXTRA_SCHEMAS' env var
 # after chart default schemas, allowing you to control the loading sequence.
-# customSchemaFiles:
-#   custom.ldif: |-
-#     # custom schema
+customSchemaFiles:
+  00-ucsmail.ldif: |-
+    dn: cn=ucsMail,cn=schema,cn=config
+    objectClass: olcSchemaConfig
+    cn: ucsMail
+    olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.1 NAME 'mailPrimaryAddress' DESC 'Primary mailaddresses for the user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+    olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.2 NAME 'mailAlternativeAddress' DESC 'Secondary (alias) mailaddresses for the same user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+    olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.3 NAME 'mailGlobalSpamFolder'DESC 'Move Spam to global spam folder instead of local spam folder' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+    olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.47 NAME 'mailForwardAddress'DESC 'External mail addresses to forward the users emails to' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+    olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.51 NAME 'mailForwardCopyToSelf' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{10} SINGLE-VALUE )
+    olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.60 NAME 'univentionMailHomeServer' DESC 'home server of users mailbox' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )
+    olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.92 NAME 'univentionMailUserQuota' DESC 'Mailbox hard quota limit in MB' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+    olcObjectClasses: ( 1.3.6.1.4.1.10176.1010.2.1 NAME 'univentionMail' DESC 'Univention Mail Preferences' SUP top AUXILIARY MUST uid MAY ( univentionMailHomeServer $ mailPrimaryAddress $ mailAlternativeAddress $ mailGlobalSpamFolder $ univentionMailUserQuota $ mailForwardAddress $ mailForwardCopyToSelf ) )
 #   anothercustom.ldif: |-
 #     # another custom schema
+#     # adjust the configuration script configmap-config-script to make sure schema is always loaded 
 
 
 # Custom openldap configuration files used to override default settings
 # can not get loaded if TLS is required ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required
 # DO NOT FORGET to put the Root Organisation object as it won't be created while using customLdifFiles
-# Files that chage the general config or create ACL are not allowed here, insufficient permissions, they get hendled via the dbildungs-iam-ldap-configuration secret
+# Files that change the general config or create ACL are not allowed here, insufficient permissions, they get hendled via the dbildungs-iam-ldap-configuration secret
+# Only considered once in the initial setup
 customLdifFiles:
   00-root.ldif: |-
     dn: dc=schule-sh,dc=de
@@ -114,6 +126,68 @@ customLdifFiles:
     objectClass: organization
     o: SPSH
 
+
+# First the apply.ldif gets applied if entry is not existend, then the entries in modify.ldif overwrite the entries
+customExtraLdifFiles: 
+  apply.ldif: |-
+    dn: cn=lehrer,dc=schule-sh,dc=de
+    cn: lehrer
+    objectclass: groupOfUniqueNames
+    objectclass: top
+    uniquemember:
+
+    dn: cn=schueler,dc=schule-sh,dc=de
+    cn: schueler
+    objectclass: groupOfUniqueNames
+    objectclass: top
+    uniquemember:
+
+    dn: ou=oeffentlicheSchulen,dc=schule-sh,dc=de
+    objectclass: organizationalUnit
+    objectclass: top
+    ou: oeffentlicheSchulen
+
+    dn: ou=ersatzSchulen,dc=schule-sh,dc=de
+    objectclass: organizationalUnit
+    objectclass: top
+    ou: ersatzSchulen
+
+    dn: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de
+    uid: mmusterschueler
+    cn: mmusterschueler
+    givenname: Moritz
+    objectclass: inetOrgPerson
+    objectclass: univentionMail
+    mailPrimaryAddress: [email protected]
+    mailAlternativeAddress: [email protected]
+    objectclass: top
+    sn: Muster-Schueler
+
+    dn: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de
+    uid: ssuperadmin
+    cn: ssuperadmin
+    givenname: Susi
+    objectclass: inetOrgPerson
+    objectclass: univentionMail
+    mailPrimaryAddress: [email protected]
+    mailAlternativeAddress: [email protected]
+    objectclass: top
+    sn: Superadmin
+
+  modify.ldif: |-
+    # Group members
+    dn: cn=lehrer,dc=schule-sh,dc=de
+    cn: lehrer
+    objectclass: groupOfUniqueNames
+    objectclass: top
+    uniquemember: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de
+
+    dn: cn=schueler,dc=schule-sh,dc=de
+    cn: schueler
+    objectclass: groupOfUniqueNames
+    objectclass: top
+    uniquemember: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de
+
 replicaCount: 1
 
 # will have to work on this
@@ -259,7 +333,7 @@ initSchema:
 ##  need a secret with tls.crt, tls.key 
 initTLSSecret:
   # adminldap, per default disabled only works with tls_enabled
-  tls_enabled: false 
+  tls_enabled: false
   # tls_enabled: true # needs to get enabled if you want to make the service available to the outside 
   # Note that only one namespace at a time can use this feature and that you need to copy a tls secret into the namespace, see Confluence for more information
   image: