SPSH-1044 (#5)
SPSH-1044 (#5)
aimee-889 authored Oct 10, 2024
1 parent 31f9ba5 commit 2227e49
Showing 5 changed files with 128 additions and 40 deletions.
36 changes: 28 additions & 8 deletions charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml
Expand Up @@ -21,27 +21,47 @@ data:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /ldap-configuration/modify/modify.ldif
# no sure why this sleep is needed again - but it is
sleep 10
/bin/bash /script/02.sh
# Loading Schemas
ucsmail_search_output=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config" "(cn=*ucsMail)")
if (echo "$ucsmail_search_output" | grep -q "numEntries: 1"); then
echo "Entry for ucsMail Schema already exists. If you need to modify it, delete it and readd it."
else
ldapadd -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/00-ucsmail.ldif
fi
# Adding Config Users from Secret
/bin/bash /script/02.sh /ldap-configuration/apply/apply.ldif true
# Adding other Configs from Configmap
/bin/bash /script/02.sh /ldap-configuration/extra/apply.ldif false
/bin/bash /script/02.sh /ldap-configuration/extra/modify.ldif true
# this script is needed so that Helm Chart is stable if persistence is enabled
# it applies changes if they are new, but modifies them if they already exist
02.sh: |
LDIF_FILE="/ldap-configuration/apply/apply.ldif"
LDIF_FILE="$1"
OVERWRITE="${2:-false}"
# Function to process each entry
process_entry() {
local entry_dn="$1"
local entry_ldif="$2"
# Check if entry exists
ldapsearch -Y External -H ldapi:/// -b "$entry_dn" -s base -LLL dn > /dev/null 2>&1
ldapsearch -Y EXTERNAL -H ldapi:/// -b "$entry_dn" -s base -LLL dn > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "Entry already exists: $entry_dn, updating entry by running ldapmodify"
echo "$entry_ldif" | sed 's/^dn: .*/changetype: modify/' | ldapmodify -Y External -H ldapi:///
if [ "$OVERWRITE" = true ]; then
echo "Entry already exists: $entry_dn, updating entry by running ldapmodify"
echo "$entry_ldif" | sed 's/^dn: .*/changetype: modify/' | ldapmodify -Y EXTERNAL -H ldapi:///
else
echo "Entry already exists: $entry_dn, skipping ldapmodify"
fi
else
echo "Entry does not exist, adding entry: $entry_dn"
echo "$entry_ldif" | ldapadd -Y External -H ldapi:///
echo "$entry_ldif" | ldapadd -Y EXTERNAL -H ldapi:///
fi
}
Expand Down Expand Up @@ -69,4 +89,4 @@ data:
# Process the last entry in the file
if [[ -n "$current_dn" ]]; then
process_entry "$current_dn" "$current_entry"
fi
fi
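Review bot: In process_entry the existence check `if [ $? -eq 0 ]` treats every non-zero ldapsearch exit alike, so a transient failure to reach ldapi:/// (the kind the ad-hoc `sleep 10` above is working around) is reported as "Entry does not exist" and ldapadd is attempted on an entry that may already be there; capturing `rc=$?`, taking the add branch only when `[ "$rc" -eq 32 ]` (noSuchObject) and returning an error for anything else would make the branch trustworthy. The same gap exists in the new OVERWRITE branch, where a failing `ldapmodify` pipeline is ignored because the script has no `set -e` and never checks its status. Separately, `sed 's/^dn: .*/changetype: modify/'` replaces the dn line rather than inserting after it, and since the same `$entry_ldif` must still carry its dn for the ldapadd branch to work, ldapmodify appears to receive a record with no dn; `sed 's/^\(dn: .*\)$/\1\nchangetype: modify/'` keeps the dn and adds the changetype. The entry-parsing loop of 02.sh (lines 69–89) lies outside this hunk.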
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
#
# A ConfigMap spec for openldap slapd that map directly to files under
# /opt/bitnami/openldap/etc/schema/custom
# /opt/bitnami/openldap/etc/schema/
#
{{- if .Values.customSchemaFiles }}
apiVersion: v1
Expand Down
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
{{- range .Values.customFileSets }}
{{- if .Values.customExtraLdifFiles }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openldap.fullname" $ }}-fs-{{ .name }}
name: {{ template "openldap.fullname" $ }}-extraldif
labels:
app: {{ template "openldap.name" $ }}
chart: {{ template "openldap.chart" $ }}
Expand All @@ -12,9 +12,8 @@ metadata:
{{ toYaml $.Values.extraLabels | indent 4 }}
{{- end }}
data:
{{- range .files }}
{{ .filename | indent 2}}: |
{{ .content | indent 4 }}
{{- end}}
---
{{- range $key, $val := .Values.customExtraLdifFiles }}
{{ $key }}: |-
{{ $val | indent 4}}
{{- end }}
{{- end }}
21 changes: 8 additions & 13 deletions charts/dbildungs-iam-ldap/templates/statefulset.yaml
Expand Up @@ -86,6 +86,8 @@ spec:
mountPath: /ldap-configuration/apply/
- name: ldap-configuration-modify
mountPath: /ldap-configuration/modify/
- name: ldap-configuration-extra
mountPath: /ldap-configuration/extra/
{{- if .Values.customSchemaFiles }}
{{- range $file := (include "openldap.customSchemaFiles" . | split ",") }}
- name: cm-custom-schema-files
Expand Down Expand Up @@ -263,6 +265,8 @@ spec:
mountPath: /ldap-configuration/apply
- name: ldap-configuration-modify
mountPath: /ldap-configuration/modify
- name: ldap-configuration-extra
mountPath: /ldap-configuration/extra
- name: certs
mountPath: /opt/bitnami/openldap/certs
{{- range $file := (include "openldap.builtinSchemaFiles" . | split ",") }}
Expand All @@ -281,14 +285,6 @@ spec:
- name: custom-ldif-files
mountPath: /ldifs/
{{- end }}
{{- range .Values.customFileSets }}
{{- $fs := . }}
{{- range .files }}
- name: {{ $fs.name }}
mountPath: {{ $fs.targetPath }}/{{ .filename }}
subPath: {{ .filename }}
{{- end }}
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
Expand Down Expand Up @@ -316,6 +312,10 @@ spec:
secret:
# could make the secret name variable
secretName: dbildungs-iam-ldap-config-modify
- name: ldap-configuration-extra
configMap:
# could make the secret name variable
name: {{ template "openldap.fullname" $ }}-extraldif
- name: cm-replication
configMap:
name: {{ template "openldap.fullname" . }}-replication
Expand Down Expand Up @@ -357,11 +357,6 @@ spec:
- name: secret-certs
emptyDir:
medium: Memory
{{- end }}
{{- range .Values.customFileSets }}
- name: {{ .name }}
configMap:
name: {{ template "openldap.fullname" $ }}-fs-{{ .name }}
{{- end }}
{{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
Expand Down
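Review bot: The new `ldap-configuration-extra` volume references `{{ template "openldap.fullname" $ }}-extraldif` unconditionally, while the ConfigMap that creates it is rendered only inside `{{- if .Values.customExtraLdifFiles }}`, so an installation that clears `customExtraLdifFiles` gets a pod that never starts because the volume points at a missing ConfigMap. Either wrap the volume and both `/ldap-configuration/extra` mounts in the same condition, or add `optional: true` under `configMap:` and give the config script a file-exists check before it calls 02.sh on `/ldap-configuration/extra/apply.ldif` and `modify.ldif`. The comment copied from the secret block, `# could make the secret name variable`, is misleading above a configMap volume; `# could make the configmap name variable` would be accurate. The init-container and main-container volumeMounts lists both continue outside these hunks.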
96 changes: 85 additions & 11 deletions charts/dbildungs-iam-ldap/values.yaml
Expand Up @@ -53,12 +53,12 @@ service:
# SourceRangesRestriction: true
# enableLdapPort: false

# enable this service block and disable the service one above, to make LDAP outside the cluster available
# Note that only one namespace at a time can use this feature!!
# service:
# enableSslLdapPort: true
# type: LoadBalancer
# externalIp: true
# enable this service block and disable the service one above, to make LDAP outside the cluster available
# Note that only one namespace at a time can use this feature!!
# service:
# enableSslLdapPort: true
# type: LoadBalancer
# externalIp: true
# SourceRangesRestriction: false


Expand Down Expand Up @@ -95,17 +95,29 @@ pdb:
# Custom openldap schema files used to be used in addition to default schemas
# Note that the supplied files are sorted by name and inserted into 'LDAP_EXTRA_SCHEMAS' env var
# after chart default schemas, allowing you to control the loading sequence.
# customSchemaFiles:
# custom.ldif: |-
# # custom schema
customSchemaFiles:
00-ucsmail.ldif: |-
dn: cn=ucsMail,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ucsMail
olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.1 NAME 'mailPrimaryAddress' DESC 'Primary mailaddresses for the user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.2 NAME 'mailAlternativeAddress' DESC 'Secondary (alias) mailaddresses for the same user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.3 NAME 'mailGlobalSpamFolder'DESC 'Move Spam to global spam folder instead of local spam folder' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.47 NAME 'mailForwardAddress'DESC 'External mail addresses to forward the users emails to' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.51 NAME 'mailForwardCopyToSelf' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{10} SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.60 NAME 'univentionMailHomeServer' DESC 'home server of users mailbox' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.10176.1010.1.92 NAME 'univentionMailUserQuota' DESC 'Mailbox hard quota limit in MB' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: ( 1.3.6.1.4.1.10176.1010.2.1 NAME 'univentionMail' DESC 'Univention Mail Preferences' SUP top AUXILIARY MUST uid MAY ( univentionMailHomeServer $ mailPrimaryAddress $ mailAlternativeAddress $ mailGlobalSpamFolder $ univentionMailUserQuota $ mailForwardAddress $ mailForwardCopyToSelf ) )
# anothercustom.ldif: |-
# # another custom schema
# # adjust the configuration script configmap-config-script to make sure schema is always loaded


# Custom openldap configuration files used to override default settings
# can not get loaded if TLS is required ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required
# DO NOT FORGET to put the Root Organisation object as it won't be created while using customLdifFiles
# Files that chage the general config or create ACL are not allowed here, insufficient permissions, they get hendled via the dbildungs-iam-ldap-configuration secret
# Files that change the general config or create ACL are not allowed here, insufficient permissions, they get hendled via the dbildungs-iam-ldap-configuration secret
# Only considered once in the initial setup
customLdifFiles:
00-root.ldif: |-
dn: dc=schule-sh,dc=de
Expand All @@ -114,6 +126,68 @@ customLdifFiles:
objectClass: organization
o: SPSH
# First the apply.ldif gets applied if entry is not existend, then the entries in modify.ldif overwrite the entries
customExtraLdifFiles:
apply.ldif: |-
dn: cn=lehrer,dc=schule-sh,dc=de
cn: lehrer
objectclass: groupOfUniqueNames
objectclass: top
uniquemember:
dn: cn=schueler,dc=schule-sh,dc=de
cn: schueler
objectclass: groupOfUniqueNames
objectclass: top
uniquemember:
dn: ou=oeffentlicheSchulen,dc=schule-sh,dc=de
objectclass: organizationalUnit
objectclass: top
ou: oeffentlicheSchulen
dn: ou=ersatzSchulen,dc=schule-sh,dc=de
objectclass: organizationalUnit
objectclass: top
ou: ersatzSchulen
dn: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de
uid: mmusterschueler
cn: mmusterschueler
givenname: Moritz
objectclass: inetOrgPerson
objectclass: univentionMail
mailPrimaryAddress: [email protected]
mailAlternativeAddress: [email protected]
objectclass: top
sn: Muster-Schueler
dn: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de
uid: ssuperadmin
cn: ssuperadmin
givenname: Susi
objectclass: inetOrgPerson
objectclass: univentionMail
mailPrimaryAddress: [email protected]
mailAlternativeAddress: [email protected]
objectclass: top
sn: Superadmin
modify.ldif: |-
# Group members
dn: cn=lehrer,dc=schule-sh,dc=de
cn: lehrer
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de
dn: cn=schueler,dc=schule-sh,dc=de
cn: schueler
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de
replicaCount: 1

# will have to work on this
Expand Down Expand Up @@ -259,7 +333,7 @@ initSchema:
## need a secret with tls.crt, tls.key
initTLSSecret:
# adminldap, per default disabled only works with tls_enabled
tls_enabled: false
tls_enabled: false
# tls_enabled: true # needs to get enabled if you want to make the service available to the outside
# Note that only one namespace at a time can use this feature and that you need to copy a tls secret into the namespace, see Confluence for more information
image:
Expand Down
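Review bot: The new `customExtraLdifFiles` default ships sample accounts and group memberships (`cn=ssuperadmin` in `cn=lehrer`, `cn=mmusterschueler` in `cn=schueler`) as chart defaults, and the config script applies `modify.ldif` with overwrite whenever it runs, so any installation that does not override this key gets these objects created and the memberships re-asserted on each run; if group membership drives authorization anywhere downstream, a pre-seeded `ssuperadmin` in every environment is worth avoiding, e.g. by moving the sample data to a dev-only values file and documenting the key as empty by default. The introductory comment could also read `# First apply.ldif is applied for entries that do not exist yet, then the entries in modify.ldif overwrite existing entries`. In `00-ucsmail.ldif` the definitions `NAME 'mailGlobalSpamFolder'DESC` and `NAME 'mailForwardAddress'DESC` lack the space before DESC; slapd's schema parser may tolerate this, but adding the space avoids depending on it. The empty `uniquemember:` values in apply.ldif appear to be placeholders for the MUST attribute of groupOfUniqueNames, and a one-line comment saying so would explain why membership is split into modify.ldif.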
