From 8873afe2364d3c5b0f8cf7562dd74b8267d5ceda Mon Sep 17 00:00:00 2001 From: rmahique-github <> Date: Fri, 25 Oct 2024 14:43:58 +0200 Subject: [PATCH 01/15] Added a script and yaml file to setup ds389 in rancher --- scripts/authentication/389.yml | 195 ++++++++++++++++++++++++++++++++ scripts/authentication/ds389.sh | 152 +++++++++++++++++++++++++ 2 files changed, 347 insertions(+) create mode 100644 scripts/authentication/389.yml create mode 100644 scripts/authentication/ds389.sh diff --git a/scripts/authentication/389.yml b/scripts/authentication/389.yml new file mode 100644 index 0000000..6e185fd --- /dev/null +++ b/scripts/authentication/389.yml 
@@ -0,0 +1,195 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: ${ds389_ns_name:-ds389} +... +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ${ds389_name:-ds389}-sa + namespace: ${ds389_ns_name:-ds389} +... + + +--- +apiVersion: v1 +kind: Secret +metadata: + name: dirsrv-tls-secret + namespace: ${ds389_ns_name:-ds389} +data: + tls.key: | + ${ds389_tls_key:-LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQpNSUlKbnpCSkJna3Foa2lHOXcw + QkJRMHdQREFiQmdrcWhraUc5dzBCQlF3d0RnUUlMZmtpMDkwcnZsb0NBZ2dBCk1CMEdDV0NHU0FG + bEF3UUJLZy4uLkdOWWM3aTlTVkRCb0E9PQotLS0tLUVORCBFTkNSWVBURUQgUFJJVkFURSBLRVkt + LS0tLQ==} + tls.crt: | + ${ds389_tls_cert:-LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ4akNDQTY0Q0NRQ05UK2VQMnZqSnh6QU5C + Z2txaGtpRzl3MEJBUXNGQURDQnBERUxNQWtHQTFVRUJoTUMKUmxJeEVqQVFCZ05WQkFnTUMuLi51 + ZEp3RTdIbm5BN2xwQQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t} +... + +--- +apiVersion: v1 +kind: Secret +metadata: + name: dirsrv-dm-password + namespace: ${ds389_ns_name:-ds389} +data: +# Password must be in base64 + dm-password: ${ds389_dm_pwd_b64:-YWRtaW4xMjM=} +# dm-password: admin123 +... + + +--- +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: ${ds389_name:-ds389} + namespace: ${ds389_ns_name:-ds389} +spec: + serviceName: ${ds389_name:-ds389}-internal-svc + replicas: 1 + selector: + matchLabels: + app: ${ds389_name:-ds389} + template: + metadata: + labels: + app: ${ds389_name:-ds389} + spec: + serviceAccountName: ${ds389_name:-ds389}-sa + securityContext: + fsGroup: 499 + initContainers: + # Init container is required to change the permissions after a persistent volume is mounted. + # Otherwise dscontainer will be denied to create subdirectories and will fail to start. 
+ - name: ${ds389_name:-ds389}-init-container + image: busybox + command: ["/bin/sh", "-c", "chown -R 499:499 /data"] + volumeMounts: + - name: ${ds389_name:-ds389}-data + mountPath: /data + containers: + - name: dirsrv-container + image: ${ds389_image:-docker.io/389ds/dirsrv} + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "sleep 60; dsconf localhost backend create --suffix ${ds389_rootdn:-dc=mydemo,dc=lab} --be-name userroot --create-suffix --create-entries ; + dsconf localhost pwpolicy set --pwdscheme=CRYPT-SHA512 ; + dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 ; + dsconf localhost config replace nsslapd-rootpw=${ds389_dm_pwd:-admin123} ; + dsconf localhost plugin referential-integrity enable ; + dsconf localhost plugin memberof enable ; + dsconf localhost config replace nsslapd-allow-anonymous-access=off ; + dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} user create --uid ldap_user --cn ldap_user --displayName ldap_user --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/ldap_user ; + dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} account change_password uid=ldap_user,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} ${ds389_users_pwd:-supersecret123} ; + dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} user create --uid developer --cn developer --displayName developer --uidNumber 1002 --gidNumber 1002 --homeDirectory /home/developer ; + dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} account change_password uid=developer,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} ${ds389_users_pwd:-supersecret123} ; + dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} group create --cn developers; + dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} group add_member developers uid=developer,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} "] + env: + ## Set `cn=Directory Manager`'s password + - name: DS_DM_PASSWORD + valueFrom: + secretKeyRef: + name: dirsrv-dm-password + key: dm-password + ## Use 
suffix as a basedn in `dsrc` file + - name: DS_SUFFIX_NAME + value: "${ds389_rootdn:-dc=mydemo,dc=lab}" + ## DS_ERRORLOG_LEVEL - set the log level for `ns-slapd`, default is 266354688 + - name: DS_ERRORLOG_LEVEL + value: "8192" + ## DS_MEMORY_PERCENTAGE - set LDBM autotune percentage (`nsslapd-cache-autosize`), default is 25 + - name: DS_MEMORY_PERCENTAGE + value: "10" + ## DS_REINDEX` - run database reindex task (`db2index`) + - name: DS_REINDEX + value: "True" + ## DS_STARTUP_TIMEOUT - set container startup timeout in seconds, default is 60 seconds. + - name: DS_STARTUP_TIMEOUT + value: "120" + ports: + - containerPort: 3389 + protocol: TCP + - containerPort: 3636 + protocol: TCP + securityContext: + runAsUser: 489 + volumeMounts: + - name: ${ds389_name:-ds389}-data + mountPath: "/data" + - name: dirsrv-tls + mountPath: '/data/tls/' + readOnly: true + volumes: + - name: dirsrv-tls + secret: + secretName: dirsrv-tls-secret + items: + - key: tls.key + path: server.key + - key: tls.crt + path: server.crt + volumeClaimTemplates: + - metadata: + name: ${ds389_name:-ds389}-data + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: ${ds389_vc_size:-5Gi} +... +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: ${ds389_name:-ds389} + name: ${ds389_name:-ds389}-internal-svc + namespace: ${ds389_ns_name:-ds389} +spec: + clusterIP: None + ports: + - name: ${ds389_name:-ds389}-port + port: 3389 + protocol: TCP + targetPort: 3389 + - name: ${ds389_name:-ds389}-tls-port + port: 3636 + protocol: TCP + targetPort: 3636 + selector: + app: ${ds389_name:-ds389} + type: ClusterIP +... 
+--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: ${ds389_name:-ds389} + name: ${ds389_name:-ds389}-external-svc + namespace: ${ds389_ns_name:-ds389} +spec: + ports: + - name: ${ds389_name:-ds389}-port + port: 3389 + protocol: TCP + targetPort: 3389 + nodePort: ${ds389_port:-30389} + - name: ${ds389_name:-ds389}-tls-port + port: 3636 + protocol: TCP + targetPort: 3636 + nodePort: ${ds389_port_tls:-30636} + selector: + app: ${ds389_name:-ds389} + type: NodePort +... + diff --git a/scripts/authentication/ds389.sh b/scripts/authentication/ds389.sh new file mode 100644 index 0000000..fdbf63d --- /dev/null +++ b/scripts/authentication/ds389.sh 
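Review bot: The postStart command embeds the Directory Manager password (`nsslapd-rootpw=${ds389_dm_pwd:-admin123}`) and both user passwords (`${ds389_users_pwd:-supersecret123}`) as plain text in the pod spec, so anyone who can read the StatefulSet or pod object gets them, even though `DS_DM_PASSWORD` is already injected from the `dirsrv-dm-password` Secret. The root-password line can be dropped (the container sets it from `DS_DM_PASSWORD`) or changed to `dsconf localhost config replace nsslapd-rootpw=\"$DS_DM_PASSWORD\" ;` so the value never appears in the manifest, and the user passwords deserve the same treatment through a Secret-backed env var. The `;` chain also continues past a failed `backend create`, so a later `change_password` can run against entries that were never created; `set -e;` at the front of the command, or `&&` between steps, makes the hook fail loudly. The external Service publishes the cleartext port 3389 as NodePort 30389, so simple binds carrying these passwords cross the network unencrypted; exposing only 3636, or setting `nsslapd-require-secure-binds=on` in the same hook, closes that. `runAsUser: 489` differs from the `499` used by `fsGroup` and the init container's `chown -R 499:499`, which looks like a typo, though I cannot confirm the image's expected uid from here.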
@@ -0,0 +1,152 @@ +#!/bin/bash + + + +_admin_user="cn=Directory Manager" +_admin_pwd="admin123" +_uri="ldap://node101.mydemo.lab:30389" +_connection_str="-D \"${_admin_user}\" -w \"${_admin_pwd}\" -x -H \"${_uri}\"" +_basedn="dc=mydemo,dc=lab" +_ldap_user_dn="uid=ldap_user,ou=people,${_basedn}" +_ldap_user_pwd="supersecret123" + + + +# Inspired from https://stackoverflow.com/questions/2914220/bash-templating-how-to-build-configuration-files-from-templates-with-bash#11050943 +function process_templates() { + eval "cat </tmp/389.yml + kubectl apply -f 389.yml + sleep 60 + ds389_restrict_permissions + ds389_ldap_user-user_private_read +} + + +## DS389: uninstall 389 Directory server +function ds389_uninstall() { + kubectl -n ds389 delete ServiceAccount/ds389-sa Secret/dirsrv-tls-secret Secret/dirsrv-dm-password StatefulSet/ds389 Ingress/ds389 Service/ds389 Namespace/ds389 service/ds389-internal-svc service/ds389-external-svc; sleep 15 +} + + +function usage() { + echo "Usage: +$0 [install|uninstall|create-user|delete-user|create-group|delete-group|check-user|check-group|change-passwd] <[user|group]> " + +} + + +_arg="$1" + + +if [[ ! 
${_arg} ]] +then + echo "ERROR: Missing argument" + usage + exit 1 +fi + +case ${_arg} in + install) + ds389_install + ;; + uninstall) + ds389_uninstall + ;; + create-user) + [[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1) + # these are only for rancher, therefore doesn't matter if they have the same UID + dsidm localhost --basedn "${_basedn}" user create --uid $2 --cn $2 --displayName $2 --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/${2} + ;; + delete-user) + [[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1) + ldapmodify ${_connection_str} << EOL +dn: ou=people,${_basedn} +changetype: modify +delete: uid +uid: $2 +EOL + ;; + create-group) + [[ "$2" == "" ]] && ( echo "ERROR: Missing group"; usage ; exit 1) + dsidm localhost --basedn "${_basedn}" group create --cn $2 ; + ;; + delete-group) + [[ "$2" == "" ]] && ( echo "ERROR: Missing group"; usage ; exit 1) + ldapmodify ${_connection_str} << EOL +dn: ou=group,${_basedn} +changetype: modify +delete: cn +cn: $2 +EOL + ;; + check-user) + [[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1) + dsidm localhost --basedn "${_basedn}" account get-by-dn uid=${2},ou=people,${_basedn} + ;; + check-group) + [[ "$2" == "" ]] && ( echo "ERROR: Missing group"; usage ; exit 1) + dsidm localhost --basedn "${_basedn}" account get-by-dn uid=${2},ou=group,${_basedn} + ;; + change-passwd) + [[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1) + [[ "$3" == "" ]] && ( echo "ERROR: Missing password"; usage ; exit 1) + dsidm localhost -b "${_basedn}" account change_password uid=${2},ou=people,dc=mydemo,dc=lab $3 + ;; + *) + usage + exit 1 + ;; +esac + + From 97258cf2cc21a48003468562063f59749342eeb5 Mon Sep 17 00:00:00 2001 From: rmahique-github <> Date: Fri, 25 Oct 2024 15:10:18 +0200 Subject: [PATCH 02/15] correction --- scripts/authentication/ds389.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
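Review bot: The argument guards in the `case` block, `[[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1)`, exit only the parenthesised subshell, so the script prints the error and then still runs the following `dsidm`/`ldapmodify` with an empty `$2`; use a brace group instead, `[[ -z "$2" ]] && { echo "ERROR: Missing user" >&2; usage; exit 1; }`. `_connection_str` cannot work as written either: the escaped quotes stay literal after word splitting, so `ldapmodify ${_connection_str}` receives `-D`, `"cn=Directory` and `Manager"` as separate words; store the options in an array, `_connection_args=(-D "${_admin_user}" -w "${_admin_pwd}" -x -H "${_uri}")`, and expand it as `"${_connection_args[@]}"`. The `delete-user` branch removes the `uid` attribute from `ou=people,${_basedn}` rather than deleting the user entry, which would be `dn: uid=$2,ou=people,${_basedn}` with `changetype: delete` (`delete-group` has the same shape, and `check-group` looks up `uid=` under `ou=group` where the entries created by `group create` are keyed by `cn=`). The Directory Manager password is hard-coded as `_admin_pwd="admin123"` and passed with `-w`, which exposes it in the process table; reading it from a mode-0600 file with `-y` keeps it out of `ps` output. The `process_templates` body appears truncated in this rendering (`eval "cat <` with no heredoc), so I cannot review what it evaluates.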
diff --git a/scripts/authentication/ds389.sh b/scripts/authentication/ds389.sh index fdbf63d..d591f20 100644 --- a/scripts/authentication/ds389.sh +++ b/scripts/authentication/ds389.sh @@ -5,7 +5,7 @@ _admin_user="cn=Directory Manager" _admin_pwd="admin123" _uri="ldap://node101.mydemo.lab:30389" -_connection_str="-D \"${_admin_user}\" -w \"${_admin_pwd}\" -x -H \"${_uri}\"" +_connection_str="-D '${_admin_user}' -w '${_admin_pwd}' -x -H '${_uri}'" _basedn="dc=mydemo,dc=lab" _ldap_user_dn="uid=ldap_user,ou=people,${_basedn}" _ldap_user_pwd="supersecret123" @@ -57,16 +57,16 @@ EOL ## DS389: Verify ldap_user has access function ds389_ldap_user-access() { - ldapsearch -x -D "${_ldap_user_dn}" -w "${__ldap_user_pwd}" -H "${_uri}" -b "${_basedn}" + ldapsearch -x -D "${_ldap_user_dn}" -w "${_ldap_user_pwd}" -H "${_uri}" -b "${_basedn}" } ## DS389: Install 389 Directory server function ds389_install() { - template_file=${LAB_SETUP_PATH}/cloud-init/template_${_type} + template_file=389.yml process_templates >/tmp/389.yml - kubectl apply -f 389.yml + kubectl apply -f /tmp/389.yml sleep 60 ds389_restrict_permissions ds389_ldap_user-user_private_read From f28e43ed58bbd293ae25e0617dd361214250c885 Mon Sep 17 00:00:00 2001 
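Review bot: Switching `_connection_str` to single quotes does not fix it, because quotes inside an expanded variable are never re-parsed; `ldapmodify ${_connection_str}` still splits `cn=Directory Manager` into two words with literal `'` characters attached. The robust form is an array, `_connection_args=(-D "${_admin_user}" -w "${_admin_pwd}" -x -H "${_uri}")`, expanded as `ldapmodify "${_connection_args[@]}"`. In the second hunk, `process_templates >/tmp/389.yml` writes the rendered manifest, including the DM password and TLS key, to a fixed path in `/tmp` and leaves it there; piping instead, `process_templates | kubectl apply -f -`, avoids the file entirely, or use `mktemp` and remove it after the apply. The first patch shows `process_templates` built on `eval "cat <…"`, so any `$(...)` or backtick in `389.yml` executes as shell at render time; `envsubst` substitutes the same `${var:-default}` references without evaluating the file. `ds389_install` continues past the end of the second hunk.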
From: rmahique-github <> Date: Fri, 25 Oct 2024 17:09:13 +0200 Subject: [PATCH 03/15] changed to helm chart --- charts/ds389/Chart.yaml | 6 + charts/ds389/templates/namespace.yaml | 5 + charts/ds389/templates/secrets.yaml | 18 ++ charts/ds389/templates/service-external.yaml | 23 +++ charts/ds389/templates/service-internal.yaml | 22 +++ charts/ds389/templates/serviceaccount.yaml | 6 + charts/ds389/templates/statefulset.yaml | 94 +++++++++ charts/ds389/values.yaml | 16 ++ scripts/authentication/389.yml | 195 ------------------- scripts/authentication/ds389.sh | 41 ++-- 10 files changed, 211 insertions(+), 215 deletions(-) create mode 100644 charts/ds389/Chart.yaml create mode 100644 charts/ds389/templates/namespace.yaml create mode 100644 charts/ds389/templates/secrets.yaml create mode 100644 charts/ds389/templates/service-external.yaml create mode 100644 charts/ds389/templates/service-internal.yaml create mode 100644 charts/ds389/templates/serviceaccount.yaml create mode 100644 charts/ds389/templates/statefulset.yaml create mode 100644 charts/ds389/values.yaml delete mode 100644 scripts/authentication/389.yml diff --git a/charts/ds389/Chart.yaml b/charts/ds389/Chart.yaml new file mode 100644 index 0000000..4d71889 --- /dev/null +++ b/charts/ds389/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: ds389-helm-chart +description: A Helm chart for deploying the 389 Directory Server +version: 1.0.0 +appVersion: "1.0" + diff --git a/charts/ds389/templates/namespace.yaml b/charts/ds389/templates/namespace.yaml new file mode 100644 index 0000000..9752c5c --- /dev/null +++ b/charts/ds389/templates/namespace.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.ds389.nsName }} + diff --git a/charts/ds389/templates/secrets.yaml b/charts/ds389/templates/secrets.yaml new file mode 100644 index 0000000..ce882b3 --- /dev/null +++ b/charts/ds389/templates/secrets.yaml 
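Review bot: `name: {{ .Values.ds389.nsName }}` in namespace.yaml is emitted unquoted, so Helm's YAML parse retypes any value that looks like a number or boolean (`no`, `1e3`, `0123`) before Kubernetes sees it; the usual form is `name: {{ .Values.ds389.nsName | quote }}`. The same applies to the `name`, `namespace` and `app` templates in serviceaccount.yaml, service-internal.yaml, service-external.yaml and statefulset.yaml in this commit. Because the chart creates the Namespace itself, `helm uninstall` of this release will delete the namespace and everything in it, which is worth a comment next to `nsName` in values.yaml.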
@@ -0,0 +1,18 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: dirsrv-tls-secret + namespace: {{ .Values.ds389.nsName }} +data: + tls.key: {{ .Values.ds389.tlsKey | b64enc | quote }} + tls.crt: {{ .Values.ds389.tlsCert | b64enc | quote }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: dirsrv-dm-password + namespace: {{ .Values.ds389.nsName }} +data: + dm-password: {{ .Values.ds389.dmPassword | quote }} + diff --git a/charts/ds389/templates/service-external.yaml b/charts/ds389/templates/service-external.yaml new file mode 100644 index 0000000..e454d0c --- /dev/null +++ b/charts/ds389/templates/service-external.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: {{ .Values.ds389.name }} + name: {{ .Values.ds389.name }}-external-svc + namespace: {{ .Values.ds389.nsName }} +spec: + ports: + - name: {{ .Values.ds389.name }}-port + port: {{ .Values.ds389.internalPort }} + protocol: TCP + targetPort: {{ .Values.ds389.internalPort }} + nodePort: {{ .Values.ds389.nodePort }} + - name: {{ .Values.ds389.name }}-tls-port + port: {{ .Values.ds389.tlsPort }} + protocol: TCP + targetPort: {{ .Values.ds389.tlsPort }} + nodePort: {{ .Values.ds389.nodePortTls }} + selector: + app: {{ .Values.ds389.name }} + type: NodePort + diff --git a/charts/ds389/templates/service-internal.yaml b/charts/ds389/templates/service-internal.yaml new file mode 100644 index 0000000..eb6178d --- /dev/null +++ b/charts/ds389/templates/service-internal.yaml 
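Review bot: `tls.key: {{ .Values.ds389.tlsKey | b64enc | quote }}` double-encodes the key: the default `tlsKey` in this commit's values.yaml is already base64 (`LS0tLS1CRUdJTi…` decodes to `-----BEGIN`), so the Secret's decoded `server.key` is base64 text rather than PEM and the server cannot load it; `dm-password` a few lines below is written without `b64enc`, which is the consistent choice. Either drop `b64enc` here, `tls.key: {{ .Values.ds389.tlsKey | quote }}`, or keep it and make values.yaml carry raw PEM, which is easier to supply with `--set-file`. Whichever form is chosen, the key's comment in values.yaml should state which encoding it expects, since a wrong guess fails only at container start. With the defaults removed from values.yaml, a guard such as `{{ required "ds389.tlsKey must be set" .Values.ds389.tlsKey }}` would stop an install from silently reusing the shared default key.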
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: {{ .Values.ds389.name }} + name: {{ .Values.ds389.name }}-internal-svc + namespace: {{ .Values.ds389.nsName }} +spec: + clusterIP: None + ports: + - name: {{ .Values.ds389.name }}-port + port: {{ .Values.ds389.internalPort }} + protocol: TCP + targetPort: {{ .Values.ds389.internalPort }} + - name: {{ .Values.ds389.name }}-tls-port + port: {{ .Values.ds389.tlsPort }} + protocol: TCP + targetPort: {{ .Values.ds389.tlsPort }} + selector: + app: {{ .Values.ds389.name }} + type: ClusterIP + diff --git a/charts/ds389/templates/serviceaccount.yaml b/charts/ds389/templates/serviceaccount.yaml new file mode 100644 index 0000000..ce47416 --- /dev/null +++ b/charts/ds389/templates/serviceaccount.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.ds389.name }}-sa + namespace: {{ .Values.ds389.nsName }} + diff --git a/charts/ds389/templates/statefulset.yaml b/charts/ds389/templates/statefulset.yaml new file mode 100644 index 0000000..9639426 --- /dev/null +++ b/charts/ds389/templates/statefulset.yaml 
@@ -0,0 +1,94 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .Values.ds389.name }} + namespace: {{ .Values.ds389.nsName }} +spec: + serviceName: {{ .Values.ds389.name }}-internal-svc + replicas: 1 + selector: + matchLabels: + app: {{ .Values.ds389.name }} + template: + metadata: + labels: + app: {{ .Values.ds389.name }} + spec: + serviceAccountName: {{ .Values.ds389.name }}-sa + securityContext: + fsGroup: 499 + initContainers: + - name: {{ .Values.ds389.name }}-init-container + image: busybox + command: ["/bin/sh", "-c", "chown -R 499:499 /data"] + volumeMounts: + - name: {{ .Values.ds389.name }}-data + mountPath: /data + containers: + - name: dirsrv-container + image: {{ .Values.ds389.image }} + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "sleep 60; + dsconf localhost backend create --suffix {{ .Values.ds389.rootDN }} --be-name userroot --create-suffix --create-entries ; + dsconf localhost pwpolicy set --pwdscheme=CRYPT-SHA512 ; + dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 ; + dsconf localhost config replace nsslapd-rootpw={{ .Values.ds389.dm_pwd }} ; + dsconf localhost plugin referential-integrity enable ; + dsconf localhost plugin memberof enable ; + dsconf localhost config replace nsslapd-allow-anonymous-access=off ; + dsidm localhost --basedn {{ .Values.ds389.rootDN }} user create --uid ldap_user --cn ldap_user --displayName ldap_user --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/ldap_user ; + dsidm localhost -b {{ .Values.ds389.rootDN }} account change_password uid=ldap_user,ou=people,{{ .Values.ds389.rootDN }} {{ .Values.ds389.users_pwd }} ; + dsidm localhost --basedn {{ .Values.ds389.rootDN }} user create --uid developer --cn developer --displayName developer --uidNumber 1002 --gidNumber 1002 --homeDirectory /home/developer ; + dsidm localhost -b {{ .Values.ds389.rootDN }} account change_password uid=developer,ou=people,{{ .Values.ds389.rootDN }} {{ .Values.ds389.users_pwd }} ; + 
dsidm localhost --basedn {{ .Values.ds389.rootDN }} group create --cn developers; + dsidm localhost -b {{ .Values.ds389.rootDN }} group add_member developers uid=developer,ou=people,{{ .Values.ds389.rootDN }} + "] + env: + - name: DS_DM_PASSWORD + valueFrom: + secretKeyRef: + name: dirsrv-dm-password + key: dm-password + - name: DS_SUFFIX_NAME + value: "{{ .Values.ds389.rootDN }}" + - name: DS_ERRORLOG_LEVEL + value: "8192" + - name: DS_MEMORY_PERCENTAGE + value: "10" + - name: DS_REINDEX + value: "True" + - name: DS_STARTUP_TIMEOUT + value: "120" + ports: + - containerPort: {{ .Values.ds389.internalPort }} + protocol: TCP + - containerPort: {{ .Values.ds389.tlsPort }} + protocol: TCP + securityContext: + runAsUser: 489 + volumeMounts: + - name: {{ .Values.ds389.name }}-data + mountPath: "/data" + - name: dirsrv-tls + mountPath: '/data/tls/' + readOnly: true + volumes: + - name: dirsrv-tls + secret: + secretName: dirsrv-tls-secret + items: + - key: tls.key + path: server.key + - key: tls.crt + path: server.crt + volumeClaimTemplates: + - metadata: + name: {{ .Values.ds389.name }}-data + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: {{ .Values.ds389.vcSize }} + diff --git a/charts/ds389/values.yaml b/charts/ds389/values.yaml new file mode 100644 index 0000000..3ab000e --- /dev/null +++ b/charts/ds389/values.yaml 
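Review bot: The postStart hook references `{{ .Values.ds389.dm_pwd }}` and `{{ .Values.ds389.users_pwd }}`, but values.yaml in this commit defines `dmPassword` and `userPassword`, so both render empty: `nsslapd-rootpw=` is set to nothing and the two `account change_password` calls run without a password argument. Even with the right key, `dmPassword` holds the base64 form used by the Secret, not the plain password `dsconf` expects. The simplest fix is to delete the `nsslapd-rootpw` line (the container already takes the Directory Manager password from `DS_DM_PASSWORD`, which is sourced from the Secret) and to expose the user password the same way, through a Secret-backed env entry (a name such as `DS_USER_PASSWORD`, chosen here for illustration) referenced as `\"$DS_USER_PASSWORD\"` in the hook, so no password is written into the pod spec. The chained `;` also continues after a failed `backend create`; `set -e;` at the start of the command makes the hook fail visibly. `runAsUser: 489` differs from the `499` used by `fsGroup` and the init container's `chown -R 499:499`, which looks like a typo, though I cannot confirm the image's uid from here.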
@@ -0,0 +1,16 @@ +# Default values for ds389-helm-chart +ds389: + nsName: "ds389" + name: "ds389" + image: "docker.io/389ds/dirsrv" + tlsKey: "LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQpNSUlKbnpCSkJna3Foa2lHOXcwQkJRMHdQREFiQmdrcWhraUc5dzBCQlF3d0RnUUlMZmtpMDkwcnZsb0NBZ2dBCk1CMEdDV0NHU0FGbEF3UUJLZy4uLkdOWWM3aTlTVkRCb0E9PQotLS0tLUVORCBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQ==" + tlsCert: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ4akNDQTY0Q0NRQ05UK2VQMnZqSnh6QU5CZ2txaGtpRzl3MEJBUXNGQURDQnBERUxNQWtHQTFVRUJoTUMKUmxJeEVqQVFCZ05WQkFnTUMuLi51ZEp3RTdIbm5BN2xwQQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t" + dmPassword: "YWRtaW4xMjM=" + rootDN: "dc=mydemo,dc=lab" + userPassword: "supersecret123" + vcSize: "5Gi" + internalPort: 3389 + tlsPort: 3636 + nodePort: 30389 + nodePortTls: 30636 + diff --git a/scripts/authentication/389.yml b/scripts/authentication/389.yml deleted file mode 100644 index 6e185fd..0000000 --- a/scripts/authentication/389.yml +++ /dev/null 
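Review bot: The chart ships a private key (`tlsKey`), a certificate and the Directory Manager password (`dmPassword: "YWRtaW4xMjM="`, base64 of `admin123`) plus `userPassword: "supersecret123"` as defaults, so every install that does not override them runs with the same key and the same known passwords. Leave these four empty here and fail the render with `required` in the templates, or generate the TLS pair at install time with `genSelfSignedCert`, keeping only a comment that describes the expected format. The format is itself inconsistent: `dmPassword` is stored base64-encoded while `userPassword` is plain, and the statefulset template in this commit reads `dm_pwd`/`users_pwd` keys that do not exist here; a comment per key stating whether it expects base64 or plain text would prevent both mistakes. The embedded `tlsKey` decodes to a PEM body containing a literal `...` in the middle, so it appears to be a truncated placeholder rather than a usable key, which the comment should say.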
@@ -1,195 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: ${ds389_ns_name:-ds389} -... ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ${ds389_name:-ds389}-sa - namespace: ${ds389_ns_name:-ds389} -... - - ---- -apiVersion: v1 -kind: Secret -metadata: - name: dirsrv-tls-secret - namespace: ${ds389_ns_name:-ds389} -data: - tls.key: | - ${ds389_tls_key:-LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQpNSUlKbnpCSkJna3Foa2lHOXcw - QkJRMHdQREFiQmdrcWhraUc5dzBCQlF3d0RnUUlMZmtpMDkwcnZsb0NBZ2dBCk1CMEdDV0NHU0FG - bEF3UUJLZy4uLkdOWWM3aTlTVkRCb0E9PQotLS0tLUVORCBFTkNSWVBURUQgUFJJVkFURSBLRVkt - LS0tLQ==} - tls.crt: | - ${ds389_tls_cert:-LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ4akNDQTY0Q0NRQ05UK2VQMnZqSnh6QU5C - Z2txaGtpRzl3MEJBUXNGQURDQnBERUxNQWtHQTFVRUJoTUMKUmxJeEVqQVFCZ05WQkFnTUMuLi51 - ZEp3RTdIbm5BN2xwQQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t} -... - ---- -apiVersion: v1 -kind: Secret -metadata: - name: dirsrv-dm-password - namespace: ${ds389_ns_name:-ds389} -data: -# Password must be in base64 - dm-password: ${ds389_dm_pwd_b64:-YWRtaW4xMjM=} -# dm-password: admin123 -... - - ---- -kind: StatefulSet -apiVersion: apps/v1 -metadata: - name: ${ds389_name:-ds389} - namespace: ${ds389_ns_name:-ds389} -spec: - serviceName: ${ds389_name:-ds389}-internal-svc - replicas: 1 - selector: - matchLabels: - app: ${ds389_name:-ds389} - template: - metadata: - labels: - app: ${ds389_name:-ds389} - spec: - serviceAccountName: ${ds389_name:-ds389}-sa - securityContext: - fsGroup: 499 - initContainers: - # Init container is required to change the permissions after a persistent volume is mounted. - # Otherwise dscontainer will be denied to create subdirectories and will fail to start. 
- - name: ${ds389_name:-ds389}-init-container - image: busybox - command: ["/bin/sh", "-c", "chown -R 499:499 /data"] - volumeMounts: - - name: ${ds389_name:-ds389}-data - mountPath: /data - containers: - - name: dirsrv-container - image: ${ds389_image:-docker.io/389ds/dirsrv} - lifecycle: - postStart: - exec: - command: ["/bin/sh", "-c", "sleep 60; dsconf localhost backend create --suffix ${ds389_rootdn:-dc=mydemo,dc=lab} --be-name userroot --create-suffix --create-entries ; - dsconf localhost pwpolicy set --pwdscheme=CRYPT-SHA512 ; - dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 ; - dsconf localhost config replace nsslapd-rootpw=${ds389_dm_pwd:-admin123} ; - dsconf localhost plugin referential-integrity enable ; - dsconf localhost plugin memberof enable ; - dsconf localhost config replace nsslapd-allow-anonymous-access=off ; - dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} user create --uid ldap_user --cn ldap_user --displayName ldap_user --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/ldap_user ; - dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} account change_password uid=ldap_user,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} ${ds389_users_pwd:-supersecret123} ; - dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} user create --uid developer --cn developer --displayName developer --uidNumber 1002 --gidNumber 1002 --homeDirectory /home/developer ; - dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} account change_password uid=developer,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} ${ds389_users_pwd:-supersecret123} ; - dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} group create --cn developers; - dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} group add_member developers uid=developer,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} "] - env: - ## Set `cn=Directory Manager`'s password - - name: DS_DM_PASSWORD - valueFrom: - secretKeyRef: - name: dirsrv-dm-password - key: dm-password - ## Use 
suffix as a basedn in `dsrc` file - - name: DS_SUFFIX_NAME - value: "${ds389_rootdn:-dc=mydemo,dc=lab}" - ## DS_ERRORLOG_LEVEL - set the log level for `ns-slapd`, default is 266354688 - - name: DS_ERRORLOG_LEVEL - value: "8192" - ## DS_MEMORY_PERCENTAGE - set LDBM autotune percentage (`nsslapd-cache-autosize`), default is 25 - - name: DS_MEMORY_PERCENTAGE - value: "10" - ## DS_REINDEX` - run database reindex task (`db2index`) - - name: DS_REINDEX - value: "True" - ## DS_STARTUP_TIMEOUT - set container startup timeout in seconds, default is 60 seconds. - - name: DS_STARTUP_TIMEOUT - value: "120" - ports: - - containerPort: 3389 - protocol: TCP - - containerPort: 3636 - protocol: TCP - securityContext: - runAsUser: 489 - volumeMounts: - - name: ${ds389_name:-ds389}-data - mountPath: "/data" - - name: dirsrv-tls - mountPath: '/data/tls/' - readOnly: true - volumes: - - name: dirsrv-tls - secret: - secretName: dirsrv-tls-secret - items: - - key: tls.key - path: server.key - - key: tls.crt - path: server.crt - volumeClaimTemplates: - - metadata: - name: ${ds389_name:-ds389}-data - spec: - accessModes: [ "ReadWriteOnce" ] - resources: - requests: - storage: ${ds389_vc_size:-5Gi} -... ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: ${ds389_name:-ds389} - name: ${ds389_name:-ds389}-internal-svc - namespace: ${ds389_ns_name:-ds389} -spec: - clusterIP: None - ports: - - name: ${ds389_name:-ds389}-port - port: 3389 - protocol: TCP - targetPort: 3389 - - name: ${ds389_name:-ds389}-tls-port - port: 3636 - protocol: TCP - targetPort: 3636 - selector: - app: ${ds389_name:-ds389} - type: ClusterIP -... 
---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: ${ds389_name:-ds389} - name: ${ds389_name:-ds389}-external-svc - namespace: ${ds389_ns_name:-ds389} -spec: - ports: - - name: ${ds389_name:-ds389}-port - port: 3389 - protocol: TCP - targetPort: 3389 - nodePort: ${ds389_port:-30389} - - name: ${ds389_name:-ds389}-tls-port - port: 3636 - protocol: TCP - targetPort: 3636 - nodePort: ${ds389_port_tls:-30636} - selector: - app: ${ds389_name:-ds389} - type: NodePort -... - diff --git a/scripts/authentication/ds389.sh b/scripts/authentication/ds389.sh index d591f20..5a704df 100644 --- a/scripts/authentication/ds389.sh +++ b/scripts/authentication/ds389.sh @@ -1,24 +1,15 @@ #!/bin/bash +# example: +#_admin_user="cn=Directory Manager" +#_admin_pwd="admin123" +#_uri="ldap://node101.mydemo.lab:30389" +#_connection_str="-D '${_admin_user}' -w '${_admin_pwd}' -x -H '${_uri}'" +#_basedn="dc=mydemo,dc=lab" +#_ldap_user_dn="uid=ldap_user,ou=people,${_basedn}" +#_ldap_user_pwd="supersecret123" -_admin_user="cn=Directory Manager" -_admin_pwd="admin123" -_uri="ldap://node101.mydemo.lab:30389" -_connection_str="-D '${_admin_user}' -w '${_admin_pwd}' -x -H '${_uri}'" -_basedn="dc=mydemo,dc=lab" -_ldap_user_dn="uid=ldap_user,ou=people,${_basedn}" -_ldap_user_pwd="supersecret123" - - - -# Inspired from https://stackoverflow.com/questions/2914220/bash-templating-how-to-build-configuration-files-from-templates-with-bash#11050943 -function process_templates() { - eval "cat </tmp/389.yml - kubectl apply -f /tmp/389.yml + + # add the repo + helm repo add suse-lab-setup https://opensource.suse.com/lab-setup + helm repo update + + # installs the chart with default parameters + if [[ -f values.yaml ]] + then + helm upgrade --install ds389 suse-lab-setup/ds389 -f values.yaml + else + helm upgrade --install ds389 suse-lab-setup/ds389 + fi + sleep 60 ds389_restrict_permissions ds389_ldap_user-user_private_read From 7adf037d9ab2a1d8bc0ea2bbe1767f70e3a5e6f5 Mon Sep 17 00:00:00 2001 
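Review bot: The variable definitions (`_connection_str`, `_basedn`, `_uri`, `_admin_pwd`, …) are turned into comments, but the functions that use them (`ds389_restrict_permissions`, `ds389_ldap_user-user_private_read`, `ds389_ldap_user-access`, all outside this hunk) still expand `${_connection_str}` and `${_basedn}`, so after this change `ldapmodify` runs with no bind options and an empty base DN; if the intent is that callers set them before sourcing, say so in the header comment and guard with `: "${_connection_str:?}"` at the top of each function. `helm upgrade --install ds389 suse-lab-setup/ds389` passes no `--namespace`, so the release record lands in whatever namespace the current kube context selects while the chart's objects go to `ds389`; pinning `-n ds389 --create-namespace` and dropping the chart's own namespace.yaml (Helm refuses to adopt a Namespace that already exists) keeps the two together. `sleep 60` before `ds389_restrict_permissions` is a guess at readiness; `kubectl -n ds389 rollout status statefulset/ds389 --timeout=120s` waits for the actual pod. The `-f values.yaml` branch depends on the caller's working directory, which the comment above it should state. Part of this hunk appears garbled in this rendering (the removed `process_templates` heredoc is missing), so I cannot verify the removed lines.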
From: rmahique-github <> Date: Fri, 25 Oct 2024 21:53:18 +0200 Subject: [PATCH 04/15] turned into a library --- scripts/authentication/ds389.sh | 176 +++++++++++--------------------- 1 file changed, 62 insertions(+), 114 deletions(-) diff --git a/scripts/authentication/ds389.sh b/scripts/authentication/ds389.sh index 5a704df..76d5bc5 100644 --- a/scripts/authentication/ds389.sh +++ b/scripts/authentication/ds389.sh 
@@ -1,65 +1,80 @@ #!/bin/bash - -# example: -#_admin_user="cn=Directory Manager" -#_admin_pwd="admin123" -#_uri="ldap://node101.mydemo.lab:30389" -#_connection_str="-D '${_admin_user}' -w '${_admin_pwd}' -x -H '${_uri}'" -#_basedn="dc=mydemo,dc=lab" -#_ldap_user_dn="uid=ldap_user,ou=people,${_basedn}" -#_ldap_user_pwd="supersecret123" - - - - -## DS389: Restrict permissions -## This will: -## - prevent normal users from reading the whole directory +####################################### +# DS389 - restrict permissions: +# - prevent normal users from reading the whole directory +# Global vars: +# _ldap_uri +# _ldap_basedn +# _admin_user +# _admin_pwd +# Examples: +# ds389_restrict_permissions +####################################### function ds389_restrict_permissions() { - ldapmodify ${_connection_str} << EOL -dn: ou=people,${_basedn} + ldapmodify -D "${_admin_user}" -w "${_admin_pwd}" -x -H "${_ldap_uri}" << EOL +dn: ou=people,${_ldap_basedn} changetype: modify delete: aci aci: (targetattr="objectClass || description || nsUniqueId || uid || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || cn || memberOf || mail || nsSshPublicKey || nsAccountLock || userCertificate")(targetfilter="(objectClass=posixaccount)")(version 3.0; acl "Enable anyone user read"; allow (read, search, compare)(userdn="ldap:///anyone");) -dn: ou=people,${_basedn} +dn: ou=people,${_ldap_basedn} changetype: modify add: aci aci: (targetattr="objectClass || description || nsUniqueId || uid || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || cn || memberOf || mail || nsSshPublicKey || nsAccountLock || userCertificate")(targetfilter="(objectClass=posixaccount)")(version 3.0; acl "Enable self user read"; allow (read, search, compare)(userdn="ldap:///self");) EOL - - } - - -## DS389: Grant ldap_user privileges to read the whole directory +####################################### +# DS389 - Grant user privileges to read the whole directory 
+# Global vars: +# _ldap_uri +# _ldap_basedn +# _admin_user +# _admin_pwd +# Arguments: +# 1 - Username (Default: ldap_user) +# Examples: +# ds389_user_private_read [] +####################################### function ds389_ldap_user-user_private_read() { - ldapmodify ${_connection_str} << EOL -dn: cn=user_private_read,ou=permissions,${_basedn} + ldapmodify -D "${_admin_user}" -w "${_admin_pwd}" -x -H "${_ldap_uri}" << EOL +dn: cn=user_private_read,ou=permissions,${_ldap_basedn} changetype: modify add: member -member: uid=ldap_user,ou=people,${_basedn} +member: uid=${1:-ldap_user},ou=people,${_ldap_basedn} EOL - } - -## DS389: Verify ldap_user has access -function ds389_ldap_user-access() { - ldapsearch -x -D "${_ldap_user_dn}" -w "${_ldap_user_pwd}" -H "${_uri}" -b "${_basedn}" +####################################### +# DS389 - Verify user has access +# Global vars: +# _ldap_uri +# _ldap_basedn +# Arguments: +# 1 - ldap user DN +# 2 - ldap user pwd +# Examples: +# ds389_ldap_user_access_check "uid=ldap_user,ou=people,dc=mydemo,dc=lab" "mypassword" +####################################### +function ds389_ldap_user_access_check() { + ldapsearch -x -D "${1}" -w "${2}" -H "${_ldap_uri}" -b "${_ldap_basedn}" } - - -## DS389: Install 389 Directory server +####################################### +# DS389 - Install 389 Directory server +# Global vars: +# _ldap_uri +# _ldap_basedn +# _admin_user +# _admin_pwd +# Examples: +# ds389_install +####################################### function ds389_install() { - # add the repo helm repo add suse-lab-setup https://opensource.suse.com/lab-setup helm repo update - # installs the chart with default parameters if [[ -f values.yaml ]] then 
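Review bot: The header above `ds389_ldap_user-user_private_read` gives the example as `ds389_user_private_read []`, which is not the function's name, and the `Global vars` lists are the only documentation of `_ldap_uri`, `_ldap_basedn`, `_admin_user` and `_admin_pwd`, which nothing in the file sets; a `: "${_admin_pwd:?set _admin_pwd before calling}"` line at the top of each function turns a silent empty bind into a clear error. `-w "${_admin_pwd}"` places the Directory Manager password on the `ldapmodify` command line, where any local user can read it from the process table for the duration of the call; `-y` with a mode-0600 password file (or `-W` for interactive use) avoids that, and the same applies to `ldapsearch -w "${2}"` in `ds389_ldap_user_access_check`. The doc blocks are a clear improvement; matching the example to the real function name and stating that `_ldap_uri` should be an `ldaps://` URI (or that `-ZZ` should be added) would complete them, since these calls carry the admin bind in the clear otherwise. `ds389_install` continues past the end of the hunk.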
@@ -67,87 +82,20 @@ function ds389_install() { else helm upgrade --install ds389 suse-lab-setup/ds389 fi - sleep 60 ds389_restrict_permissions ds389_ldap_user-user_private_read } - -## DS389: uninstall 389 Directory server +####################################### +# DS389 - Uninstall 389 Directory server +# Arguments: +# 1 - Namespace (Default: ds389) +# 2 - App_name (Default: ds389) +# Examples: +# ds389_uninstall [ ] +####################################### function ds389_uninstall() { - kubectl -n ds389 delete ServiceAccount/ds389-sa Secret/dirsrv-tls-secret Secret/dirsrv-dm-password StatefulSet/ds389 Ingress/ds389 Service/ds389 Namespace/ds389 service/ds389-internal-svc service/ds389-external-svc; sleep 15 -} - - -function usage() { - echo "Usage: -$0 [install|uninstall|create-user|delete-user|create-group|delete-group|check-user|check-group|change-passwd] <[user|group]> " - + kubectl -n ${1:-ds389} delete ServiceAccount/${2:-ds389}-sa Secret/dirsrv-tls-secret Secret/dirsrv-dm-password StatefulSet/${2:-ds389} Ingress/${2:-ds389} Service/${2:-ds389} service/${2:-ds389}-internal-svc service/${2:-ds389}-external-svc Namespace/${1:-ds389} + sleep 15 } - - -_arg="$1" - - -if [[ ! 
${_arg} ]] -then - echo "ERROR: Missing argument" - usage - exit 1 -fi - -case ${_arg} in - install) - ds389_install - ;; - uninstall) - ds389_uninstall - ;; - create-user) - [[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1) - # these are only for rancher, therefore doesn't matter if they have the same UID - dsidm localhost --basedn "${_basedn}" user create --uid $2 --cn $2 --displayName $2 --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/${2} - ;; - delete-user) - [[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1) - ldapmodify ${_connection_str} << EOL -dn: ou=people,${_basedn} -changetype: modify -delete: uid -uid: $2 -EOL - ;; - create-group) - [[ "$2" == "" ]] && ( echo "ERROR: Missing group"; usage ; exit 1) - dsidm localhost --basedn "${_basedn}" group create --cn $2 ; - ;; - delete-group) - [[ "$2" == "" ]] && ( echo "ERROR: Missing group"; usage ; exit 1) - ldapmodify ${_connection_str} << EOL -dn: ou=group,${_basedn} -changetype: modify -delete: cn -cn: $2 -EOL - ;; - check-user) - [[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1) - dsidm localhost --basedn "${_basedn}" account get-by-dn uid=${2},ou=people,${_basedn} - ;; - check-group) - [[ "$2" == "" ]] && ( echo "ERROR: Missing group"; usage ; exit 1) - dsidm localhost --basedn "${_basedn}" account get-by-dn uid=${2},ou=group,${_basedn} - ;; - change-passwd) - [[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1) - [[ "$3" == "" ]] && ( echo "ERROR: Missing password"; usage ; exit 1) - dsidm localhost -b "${_basedn}" account change_password uid=${2},ou=people,dc=mydemo,dc=lab $3 - ;; - *) - usage - exit 1 - ;; -esac - - From 1212142021772254667f1728866c7005e54a74a8 Mon Sep 17 00:00:00 2001 From: rmahique-github <> Date: Mon, 28 Oct 2024 12:30:53 +0100 Subject: [PATCH 05/15] changes --- scripts/authentication/ds389.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
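Review bot: The new ds389_uninstall line leaves `${1:-ds389}` and `${2:-ds389}` unquoted in the kubectl invocation, so an argument containing whitespace or glob characters is split or expanded before kubectl sees it; `kubectl -n "${1:-ds389}" delete ... "Namespace/${1:-ds389}"` keeps them intact. The header example `ds389_uninstall [ ]` reads as if the function takes nothing; `ds389_uninstall [namespace] [app_name]` matches the argument list above it. Since the Namespace is deleted in the same command, the fixed `sleep 15` does not guarantee the deletion has finished; `kubectl wait --for=delete namespace/"${1:-ds389}"` would make the wait deterministic.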
diff --git a/scripts/authentication/ds389.sh b/scripts/authentication/ds389.sh index 76d5bc5..b98d464 100644 --- a/scripts/authentication/ds389.sh +++ b/scripts/authentication/ds389.sh @@ -12,6 +12,10 @@ # ds389_restrict_permissions ####################################### function ds389_restrict_permissions() { + local _ldap_uri=$1 + local _ldap_basedn=$2 + local _admin_user=$3 + local _admin_pwd=$4 ldapmodify -D "${_admin_user}" -w "${_admin_pwd}" -x -H "${_ldap_uri}" << EOL dn: ou=people,${_ldap_basedn} changetype: modify @@ -38,6 +42,10 @@ EOL # ds389_user_private_read [] ####################################### function ds389_ldap_user-user_private_read() { + local _ldap_uri=${_ldap_uri} + local _ldap_basedn=${_ldap_basedn} + local _admin_user=${_admin_user} + local _admin_pwd=${_admin_pwd} ldapmodify -D "${_admin_user}" -w "${_admin_pwd}" -x -H "${_ldap_uri}" << EOL dn: cn=user_private_read,ou=permissions,${_ldap_basedn} changetype: modify @@ -58,6 +66,8 @@ EOL # ds389_ldap_user_access_check "uid=ldap_user,ou=people,dc=mydemo,dc=lab" "mypassword" ####################################### function ds389_ldap_user_access_check() { + local _ldap_uri=${_ldap_uri} + local _ldap_basedn=${_ldap_basedn} ldapsearch -x -D "${1}" -w "${2}" -H "${_ldap_uri}" -b "${_ldap_basedn}" } @@ -72,6 +82,10 @@ function ds389_ldap_user_access_check() { # ds389_install ####################################### function ds389_install() { + local _ldap_uri=${_ldap_uri} + local _ldap_basedn=${_ldap_basedn} + local _admin_user=${_admin_user} + local _admin_pwd=${_admin_pwd} # add the repo helm repo add suse-lab-setup https://opensource.suse.com/lab-setup helm repo update From deeeaf0feab4aadfa618cac3c240b851d608e83d Mon Sep 17 00:00:00 2001 From: rmahique-github <> Date: Mon, 28 Oct 2024 13:56:51 +0100 Subject: [PATCH 06/15] changes --- scripts/authentication/ds389.sh | 108 +++++++++++++++++++------------- 1 file changed, 64 insertions(+), 44 deletions(-) 
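Review bot: ds389_restrict_permissions now takes its connection settings from `$1`–`$4`, but its only visible caller, ds389_install, still invokes it as a bare `ds389_restrict_permissions` (see the new side of the earlier PATCH 04 hunk of this file), so the new locals shadow the globals with empty strings and ldapmodify is run with empty `-D`, `-w` and `-H` values. Either pass the four values at the call site or keep the global-variable contract the header comment still describes; the header still says `Global vars:` rather than `Arguments:`. The function body continues past the end of the hunk.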
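Review bot: In ds389_ldap_user-user_private_read, ds389_ldap_user_access_check and ds389_install the added `local _ldap_uri=${_ldap_uri}` lines (and the matching `_ldap_basedn`, `_admin_user`, `_admin_pwd` ones) copy each global into a local of the same name, which changes nothing observable and leaves the reader guessing whether positional arguments were intended as in the first hunk. If the goal is a positional interface, assign from `"$1"`…`"$4"` as ds389_restrict_permissions does; if not, drop the lines. Each of these function bodies continues past the end of its hunk.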
diff --git a/scripts/authentication/ds389.sh b/scripts/authentication/ds389.sh index b98d464..4a79805 100644 --- a/scripts/authentication/ds389.sh +++ b/scripts/authentication/ds389.sh @@ -1,21 +1,43 @@ #!/bin/bash +# This library contains some functions to use and setup 389 +# directory server ( https://www.port389.org/index.html ) +# which is an "enterprise-class Open Source LDAP server for Linux.". +# SPDX-License-Identifier: GPL-3.0-only or GPL-3.0-or-later +# +# Copyright (C) 2024 Raul Mahiques +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# For more details find a copy of the license here: +# https://www.gnu.org/licenses/gpl-3.0.txt +# + + ####################################### # DS389 - restrict permissions: # - prevent normal users from reading the whole directory -# Global vars: -# _ldap_uri -# _ldap_basedn -# _admin_user -# _admin_pwd +# Arguments: +# 1 - _ldap_uri +# 2 - _ldap_basedn +# 3 - _admin_user +# 4 - _admin_pwd # Examples: -# ds389_restrict_permissions +# ds389_restrict_permissions "<_ldap_uri>" "<_ldap_basedn>" "<_admin_user>" "<_admin_pwd>" ####################################### function ds389_restrict_permissions() { - local _ldap_uri=$1 - local _ldap_basedn=$2 - local _admin_user=$3 - local _admin_pwd=$4 + local _ldap_uri="$1" + local _ldap_basedn="$2" + local _admin_user="$3" + local _admin_pwd="$4" ldapmodify -D "${_admin_user}" -w "${_admin_pwd}" -x -H "${_ldap_uri}" << EOL dn: ou=people,${_ldap_basedn} changetype: modify 
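Review bot: ds389_restrict_permissions now depends on four positional parameters but never checks that they were supplied; with a missing `$4` the bind becomes `-w ""`, which the server may treat as an unauthenticated bind attempt and reject with an error that does not point at the real cause. A guard such as `[[ $# -eq 4 ]] || { echo "ERROR: ds389_restrict_permissions needs <_ldap_uri> <_ldap_basedn> <_admin_user> <_admin_pwd>" >&2; return 1; }` before the ldapmodify call makes the contract explicit, and the other functions converted to positional arguments in this commit would benefit from the same. The function body continues past the end of the hunk.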
@@ -31,21 +53,21 @@ EOL ####################################### # DS389 - Grant user privileges to read the whole directory -# Global vars: -# _ldap_uri -# _ldap_basedn -# _admin_user -# _admin_pwd # Arguments: -# 1 - Username (Default: ldap_user) +# 1 - _ldap_uri +# 2 - _ldap_basedn +# 3 - _admin_user +# 4 - _admin_pwd +# 5 - Username (Default: ldap_user) # Examples: -# ds389_user_private_read [] +# ds389_user_private_read "ldap://ldap.mydemo.lab:389" "dc=mydemo,dc=lab" "cn=Directory Manager" "secret" "ldap_user" ####################################### function ds389_ldap_user-user_private_read() { - local _ldap_uri=${_ldap_uri} - local _ldap_basedn=${_ldap_basedn} - local _admin_user=${_admin_user} - local _admin_pwd=${_admin_pwd} + local _ldap_uri="$1" + local _ldap_basedn="$2" + local _admin_user="$3" + local _admin_pwd="$4" + local username="$5" ldapmodify -D "${_admin_user}" -w "${_admin_pwd}" -x -H "${_ldap_uri}" << EOL dn: cn=user_private_read,ou=permissions,${_ldap_basedn} changetype: modify 
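Review bot: The new `local username="$5"` is never used: the `member:` line of the heredoc, just past the end of this hunk, still builds the DN from `${1:-ldap_user}`, and `$1` is now the LDAP URI, so the function would try to add `uid=ldap://...` as a member. Change it to `member: uid=${username},ou=people,${_ldap_basedn}` and, since the header promises a default, declare `local username="${5:-ldap_user}"`. The example line still names `ds389_user_private_read`, which does not match the function's actual name.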
@@ -56,36 +78,37 @@ EOL ####################################### # DS389 - Verify user has access -# Global vars: -# _ldap_uri -# _ldap_basedn # Arguments: # 1 - ldap user DN # 2 - ldap user pwd +# 3 - _ldap_uri +# 4 - _ldap_basedn # Examples: -# ds389_ldap_user_access_check "uid=ldap_user,ou=people,dc=mydemo,dc=lab" "mypassword" +# ds389_ldap_user_access_check "cn=Directory Manager" "secret" "uid=ldap_user,ou=people,dc=mydemo,dc=lab" "mypassword" ####################################### function ds389_ldap_user_access_check() { - local _ldap_uri=${_ldap_uri} - local _ldap_basedn=${_ldap_basedn} - ldapsearch -x -D "${1}" -w "${2}" -H "${_ldap_uri}" -b "${_ldap_basedn}" + local _ldap_user_dn="${1}" + local _ldap_user_pwd="${2}" + local _ldap_uri="${3}" + local _ldap_basedn="${4}" + ldapsearch -x -D "${_ldap_user_dn}" -w "${_ldap_user_pwd}" -H "${_ldap_uri}" -b "${_ldap_basedn}" } ####################################### # DS389 - Install 389 Directory server -# Global vars: -# _ldap_uri -# _ldap_basedn -# _admin_user -# _admin_pwd +# Arguments: +# 1 - _ldap_uri +# 2 - _ldap_basedn +# 3 - _admin_user +# 4 - _admin_pwd # Examples: -# ds389_install +# ds389_install "ldap://ldap.mydemo.lab:389" "dc=mydemo,dc=lab" "cn=Directory Manager" "secret" ####################################### function ds389_install() { - local _ldap_uri=${_ldap_uri} - local _ldap_basedn=${_ldap_basedn} - local _admin_user=${_admin_user} - local _admin_pwd=${_admin_pwd} + local _ldap_uri="${1}" + local _ldap_basedn="${2}" + local _admin_user="${3}" + local _admin_pwd="${4}" # add the repo helm repo add suse-lab-setup https://opensource.suse.com/lab-setup helm repo update 
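Review bot: The example in ds389_ldap_user_access_check's header, `ds389_ldap_user_access_check "cn=Directory Manager" "secret" "uid=ldap_user,ou=people,dc=mydemo,dc=lab" "mypassword"`, contradicts the argument list directly above it, which takes the user DN and password first and the URI and base DN third and fourth; following the example binds as the Directory Manager with the user's DN as the URI. An example that matches is `ds389_ldap_user_access_check "uid=ldap_user,ou=people,dc=mydemo,dc=lab" "mypassword" "ldap://ldap.mydemo.lab:389" "dc=mydemo,dc=lab"`. The ds389_install hunk quotes its new locals but, like the others, has no check that all four were passed; its body continues past the end of the hunk.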
@@ -97,19 +120,16 @@ function ds389_install() { helm upgrade --install ds389 suse-lab-setup/ds389 fi sleep 60 - ds389_restrict_permissions + ds389_restrict_permissions "${_ldap_uri}" "${_ldap_basedn}" "${_admin_user}" "${_admin_pwd}" ds389_ldap_user-user_private_read } ####################################### # DS389 - Uninstall 389 Directory server -# Arguments: -# 1 - Namespace (Default: ds389) -# 2 - App_name (Default: ds389) # Examples: -# ds389_uninstall [ ] +# ds389_uninstall ####################################### function ds389_uninstall() { - kubectl -n ${1:-ds389} delete ServiceAccount/${2:-ds389}-sa Secret/dirsrv-tls-secret Secret/dirsrv-dm-password StatefulSet/${2:-ds389} Ingress/${2:-ds389} Service/${2:-ds389} service/${2:-ds389}-internal-svc service/${2:-ds389}-external-svc Namespace/${1:-ds389} + helm uninstall ds389 sleep 15 } From 220fa923991bbe7a30b9e1258fa12ca098a2824c Mon Sep 17 00:00:00 2001 From: rmahique-github <> Date: Mon, 28 Oct 2024 14:06:03 +0100 Subject: [PATCH 07/15] changes --- charts/ds389/templates/secrets.yaml | 4 ++-- charts/ds389/templates/service-external.yaml | 2 +- charts/ds389/templates/service-internal.yaml | 2 +- charts/ds389/templates/serviceaccount.yaml | 2 +- charts/ds389/templates/statefulset.yaml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/ds389/templates/secrets.yaml b/charts/ds389/templates/secrets.yaml index ce882b3..2a404db 100644 --- a/charts/ds389/templates/secrets.yaml +++ b/charts/ds389/templates/secrets.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: dirsrv-tls-secret - namespace: {{ .Values.ds389.nsName }} +# namespace: {{ .Values.ds389.nsName }} data: tls.key: {{ .Values.ds389.tlsKey | b64enc | quote }} tls.crt: {{ .Values.ds389.tlsCert | b64enc | quote }} 
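Review bot: ds389_install now passes the four connection values to ds389_restrict_permissions, but the very next line still calls `ds389_ldap_user-user_private_read` with no arguments even though this commit changed that function to read `$1`–`$5`, so it runs ldapmodify with empty bind parameters and an empty uid. The call should become `ds389_ldap_user-user_private_read "${_ldap_uri}" "${_ldap_basedn}" "${_admin_user}" "${_admin_pwd}" "ldap_user"`. In ds389_uninstall, `helm uninstall ds389` is followed by a fixed `sleep 15` rather than `--wait`, so callers that reinstall immediately can race the teardown.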
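Review bot: Prefixing `namespace: {{ .Values.ds389.nsName }}` with `#` turns it into a YAML comment but not a template comment: Helm still evaluates the `{{ .Values.ds389.nsName }}` action before the YAML is parsed, so the expression keeps running and the commented line keeps looking like live configuration to the next reader. If the intent is to place the resources in the release namespace, delete the line or use a template comment such as `{{- /* namespace comes from the Helm release */ -}}`; the same pattern is in the second secrets.yaml hunk and in the service-external, service-internal, serviceaccount and statefulset hunks of this commit. Without an explicit `namespace:` these Secrets land wherever `helm install` is pointed, so the install script has to pass a consistent `--namespace`.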
@@ -12,7 +12,7 @@ apiVersion: v1 kind: Secret metadata: name: dirsrv-dm-password - namespace: {{ .Values.ds389.nsName }} +# namespace: {{ .Values.ds389.nsName }} data: dm-password: {{ .Values.ds389.dmPassword | quote }} diff --git a/charts/ds389/templates/service-external.yaml b/charts/ds389/templates/service-external.yaml index e454d0c..1d60d84 100644 --- a/charts/ds389/templates/service-external.yaml +++ b/charts/ds389/templates/service-external.yaml @@ -4,7 +4,7 @@ metadata: labels: app: {{ .Values.ds389.name }} name: {{ .Values.ds389.name }}-external-svc - namespace: {{ .Values.ds389.nsName }} +# namespace: {{ .Values.ds389.nsName }} spec: ports: - name: {{ .Values.ds389.name }}-port diff --git a/charts/ds389/templates/service-internal.yaml b/charts/ds389/templates/service-internal.yaml index eb6178d..caff2df 100644 --- a/charts/ds389/templates/service-internal.yaml +++ b/charts/ds389/templates/service-internal.yaml @@ -4,7 +4,7 @@ metadata: labels: app: {{ .Values.ds389.name }} name: {{ .Values.ds389.name }}-internal-svc - namespace: {{ .Values.ds389.nsName }} +# namespace: {{ .Values.ds389.nsName }} spec: clusterIP: None ports: diff --git a/charts/ds389/templates/serviceaccount.yaml b/charts/ds389/templates/serviceaccount.yaml index ce47416..d125fad 100644 --- a/charts/ds389/templates/serviceaccount.yaml +++ b/charts/ds389/templates/serviceaccount.yaml @@ -2,5 +2,5 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Values.ds389.name }}-sa - namespace: {{ .Values.ds389.nsName }} +# namespace: {{ .Values.ds389.nsName }} diff --git a/charts/ds389/templates/statefulset.yaml b/charts/ds389/templates/statefulset.yaml index 9639426..14b2d1a 100644 --- a/charts/ds389/templates/statefulset.yaml +++ b/charts/ds389/templates/statefulset.yaml 
@@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ .Values.ds389.name }} - namespace: {{ .Values.ds389.nsName }} +# namespace: {{ .Values.ds389.nsName }} spec: serviceName: {{ .Values.ds389.name }}-internal-svc replicas: 1 From 31840a50546cdcc10e090057f568b9b74afddd90 Mon Sep 17 00:00:00 2001 From: rmahique-github <> Date: Mon, 28 Oct 2024 14:10:01 +0100 Subject: [PATCH 08/15] changes --- scripts/authentication/ds389.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/authentication/ds389.sh b/scripts/authentication/ds389.sh index 4a79805..8d6bedb 100644 --- a/scripts/authentication/ds389.sh +++ b/scripts/authentication/ds389.sh @@ -67,12 +67,12 @@ function ds389_ldap_user-user_private_read() { local _ldap_basedn="$2" local _admin_user="$3" local _admin_pwd="$4" - local username="$5" + local ldap_user="$5" ldapmodify -D "${_admin_user}" -w "${_admin_pwd}" -x -H "${_ldap_uri}" << EOL dn: cn=user_private_read,ou=permissions,${_ldap_basedn} changetype: modify add: member -member: uid=${1:-ldap_user},ou=people,${_ldap_basedn} +member: uid=${ldap_user},ou=people,${_ldap_basedn} EOL } From b45a0d205e59a56ec9e88a88182cdfd0e48d5f0f Mon Sep 17 00:00:00 2001 From: rmahique-github <> Date: Mon, 28 Oct 2024 14:18:52 +0100 Subject: [PATCH 09/15] changes --- scripts/authentication/ds389.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/authentication/ds389.sh b/scripts/authentication/ds389.sh index 8d6bedb..d466358 100644 --- a/scripts/authentication/ds389.sh +++ b/scripts/authentication/ds389.sh 
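Review bot: `local ldap_user="$5"` has no fallback, while the header above this hunk documents argument 5 as `Username (Default: ldap_user)`; an omitted fifth argument now produces `member: uid=,ou=people,...`, which the server will reject. `local ldap_user="${5:-ldap_user}"` restores the documented default and keeps the clearer variable name this commit introduces.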
@@ -115,9 +115,9 @@ function ds389_install() { # installs the chart with default parameters if [[ -f values.yaml ]] then - helm upgrade --install ds389 suse-lab-setup/ds389 -f values.yaml + helm upgrade --install ds389 --namespace ds389 suse-lab-setup/ds389 -f values.yaml else - helm upgrade --install ds389 suse-lab-setup/ds389 + helm upgrade --install ds389 --namespace ds389 suse-lab-setup/ds389 fi sleep 60 ds389_restrict_permissions "${_ldap_uri}" "${_ldap_basedn}" "${_admin_user}" "${_admin_pwd}" From 12314a1c3714d2bb394b0d9b44651a023032abd9 Mon Sep 17 00:00:00 2001 From: rmahique-github <> Date: Mon, 28 Oct 2024 14:22:40 +0100 Subject: [PATCH 10/15] changes --- scripts/authentication/ds389.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/authentication/ds389.sh b/scripts/authentication/ds389.sh index d466358..c22ecd8 100644 --- a/scripts/authentication/ds389.sh +++ b/scripts/authentication/ds389.sh @@ -121,7 +121,7 @@ function ds389_install() { fi sleep 60 ds389_restrict_permissions "${_ldap_uri}" "${_ldap_basedn}" "${_admin_user}" "${_admin_pwd}" - ds389_ldap_user-user_private_read + ds389_ldap_user-user_private_read "${_ldap_uri}" "${_ldap_basedn}" "${_admin_user}" "${_admin_pwd}" "ldap_user" } ####################################### From 7a185fa6351abb0d4d3733c25f8eff1cdac5d575 Mon Sep 17 00:00:00 2001 From: rmahique-github <> Date: Mon, 28 Oct 2024 14:24:52 +0100 Subject: [PATCH 11/15] changes --- scripts/authentication/ds389.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/authentication/ds389.sh b/scripts/authentication/ds389.sh index c22ecd8..855ee49 100644 --- a/scripts/authentication/ds389.sh +++ b/scripts/authentication/ds389.sh 
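Review bot: Both helm invocations now pin `--namespace ds389`, but helm does not create that namespace unless `--create-namespace` is given, and as far as I can tell the chart's own Namespace template cannot help because the release namespace has to exist before rendering; on a fresh cluster this line fails with a missing-namespace error. `helm upgrade --install ds389 --namespace ds389 --create-namespace suse-lab-setup/ds389 -f values.yaml` (and the same on the else branch) avoids that. The matching `helm uninstall ds389` in ds389_uninstall, visible in the PATCH 06 hunk above, still has no `--namespace ds389`, so it looks for the release in the kubeconfig's default namespace and will not remove what this line installs. ds389_install's body continues past the end of the hunk.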
@@ -62,7 +62,7 @@ EOL # Examples: # ds389_user_private_read "ldap://ldap.mydemo.lab:389" "dc=mydemo,dc=lab" "cn=Directory Manager" "secret" "ldap_user" ####################################### -function ds389_ldap_user-user_private_read() { +function ds389_ldap_user_user_private_read() { local _ldap_uri="$1" local _ldap_basedn="$2" local _admin_user="$3" @@ -121,7 +121,7 @@ function ds389_install() { fi sleep 60 ds389_restrict_permissions "${_ldap_uri}" "${_ldap_basedn}" "${_admin_user}" "${_admin_pwd}" - ds389_ldap_user-user_private_read "${_ldap_uri}" "${_ldap_basedn}" "${_admin_user}" "${_admin_pwd}" "ldap_user" + ds389_ldap_user_user_private_read "${_ldap_uri}" "${_ldap_basedn}" "${_admin_user}" "${_admin_pwd}" "ldap_user" } ####################################### From 7399f02a8250e4a206f83e02656d4086df555bda Mon Sep 17 00:00:00 2001 From: rmahique-github <> Date: Mon, 28 Oct 2024 14:44:58 +0100 Subject: [PATCH 12/15] changes --- charts/ds389/Chart.yaml | 7 ++++++- charts/ds389/templates/namespace.yaml | 5 ----- charts/ds389/templates/secrets.yaml | 1 - charts/ds389/templates/service-external.yaml | 1 - charts/ds389/templates/service-internal.yaml | 1 - charts/ds389/templates/serviceaccount.yaml | 1 - charts/ds389/templates/statefulset.yaml | 1 - charts/ds389/values.yaml | 1 - 8 files changed, 6 insertions(+), 12 deletions(-) delete mode 100644 charts/ds389/templates/namespace.yaml diff --git a/charts/ds389/Chart.yaml b/charts/ds389/Chart.yaml index 4d71889..0b9b4df 100644 --- a/charts/ds389/Chart.yaml +++ b/charts/ds389/Chart.yaml @@ -3,4 +3,9 @@ name: ds389-helm-chart description: A Helm chart for deploying the 389 Directory Server version: 1.0.0 appVersion: "1.0" - +maintainers: + - name: Raul Mahiques +keywords: + - ldap + - '389' + - '636' diff --git a/charts/ds389/templates/namespace.yaml b/charts/ds389/templates/namespace.yaml deleted file mode 100644 index 9752c5c..0000000 --- a/charts/ds389/templates/namespace.yaml +++ /dev/null 
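Review bot: The function is renamed to `ds389_ldap_user_user_private_read`, but the example line two lines above in the context, `# ds389_user_private_read "ldap://ldap.mydemo.lab:389" ...`, is not updated and still refers to a name that never existed; change it to `# ds389_ldap_user_user_private_read "ldap://ldap.mydemo.lab:389" "dc=mydemo,dc=lab" "cn=Directory Manager" "secret" "ldap_user"`. The function body continues past the end of the hunk.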
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: {{ .Values.ds389.nsName }}
-
diff --git a/charts/ds389/templates/secrets.yaml b/charts/ds389/templates/secrets.yaml
index 2a404db..7bb1002 100644
--- a/charts/ds389/templates/secrets.yaml
+++ b/charts/ds389/templates/secrets.yaml
@@ -15,4 +15,3 @@ metadata:
 # namespace: {{ .Values.ds389.nsName }}
 data:
 dm-password: {{ .Values.ds389.dmPassword | quote }}
-
diff --git a/charts/ds389/templates/service-external.yaml b/charts/ds389/templates/service-external.yaml
index 1d60d84..ff09ae6 100644
--- a/charts/ds389/templates/service-external.yaml
+++ b/charts/ds389/templates/service-external.yaml
@@ -20,4 +20,3 @@ spec:
 selector:
 app: {{ .Values.ds389.name }}
 type: NodePort
-
diff --git a/charts/ds389/templates/service-internal.yaml b/charts/ds389/templates/service-internal.yaml
index caff2df..73176ba 100644
--- a/charts/ds389/templates/service-internal.yaml
+++ b/charts/ds389/templates/service-internal.yaml
@@ -19,4 +19,3 @@ spec:
 selector:
 app: {{ .Values.ds389.name }}
 type: ClusterIP
-
diff --git a/charts/ds389/templates/serviceaccount.yaml b/charts/ds389/templates/serviceaccount.yaml
index d125fad..516cf7a 100644
--- a/charts/ds389/templates/serviceaccount.yaml
+++ b/charts/ds389/templates/serviceaccount.yaml
@@ -3,4 +3,3 @@ kind: ServiceAccount
 metadata:
 name: {{ .Values.ds389.name }}-sa
 # namespace: {{ .Values.ds389.nsName }}
-
diff --git a/charts/ds389/templates/statefulset.yaml b/charts/ds389/templates/statefulset.yaml
index 14b2d1a..e546584 100644
--- a/charts/ds389/templates/statefulset.yaml
+++ b/charts/ds389/templates/statefulset.yaml
@@ -91,4 +91,3 @@ spec:
 resources:
 requests:
 storage: {{ .Values.ds389.vcSize }}
-
diff --git a/charts/ds389/values.yaml b/charts/ds389/values.yaml
index 3ab000e..bed3109 100644
--- a/charts/ds389/values.yaml
+++ b/charts/ds389/values.yaml
@@ -13,4 +13,3 @@ ds389:
 tlsPort: 3636
 nodePort: 30389
 nodePortTls: 30636
-
From 00d6e4a77a75786183972f2196b70e03cbca6de0 Mon Sep 17 00:00:00 2001
From: rmahique-github <>
Date: Mon, 28 Oct 2024 14:51:59 +0100
Subject: [PATCH 13/15] changes
---
 charts/ds389/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/ds389/Chart.yaml b/charts/ds389/Chart.yaml
index 0b9b4df..065fb5e 100644
--- a/charts/ds389/Chart.yaml
+++ b/charts/ds389/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart for deploying the 389 Directory Server
 version: 1.0.0
 appVersion: "1.0"
 maintainers:
- - name: Raul Mahiques
+ - name: "Raul Mahiques"
 keywords:
 - ldap
 - '389'
From f50811b385b49eac555b51610a6fbd80a8993cdc Mon Sep 17 00:00:00 2001
From: rmahique-github <>
Date: Mon, 28 Oct 2024 14:54:29 +0100
Subject: [PATCH 14/15] changes
---
 charts/ds389/Chart.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/charts/ds389/Chart.yaml b/charts/ds389/Chart.yaml
index 065fb5e..259b44d 100644
--- a/charts/ds389/Chart.yaml
+++ b/charts/ds389/Chart.yaml
@@ -5,6 +5,7 @@ version: 1.0.0
 appVersion: "1.0"
 maintainers:
 - name: "Raul Mahiques"
+ email: raul.mahiques@suse.com
 keywords:
 - ldap
 - '389'
From 7a1581e5b4b4ee4b766b607ddb5f35c7155aef2c Mon Sep 17 00:00:00 2001
From: rmahique-github <>
Date: Mon, 28 Oct 2024 15:02:29 +0100
Subject: [PATCH 15/15] changes
---
 charts/ds389/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/ds389/Chart.yaml b/charts/ds389/Chart.yaml
index 259b44d..83e34cc 100644
--- a/charts/ds389/Chart.yaml
+++ b/charts/ds389/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart for deploying the 389 Directory Server
 version: 1.0.0
 appVersion: "1.0"
 maintainers:
- - name: "Raul Mahiques"
+ - name: rmahique
 email: raul.mahiques@suse.com
 keywords:
 - ldap