Merge pull request #11439 from grafana/ldap-block

docker: add users and groups to ldap block

Merge pull request #11439 from grafana/ldap-block
docker: add users and groups to ldap block
166778b3 · Marcus Efraimsson · GitHub · 94d1a9fd · de6cd7ed · 166778b3
Commit 166778b3 authored Apr 05, 2018 by Marcus Efraimsson Committed by GitHub Apr 05, 2018
8 changed files
--- a/docker/blocks/openldap/Dockerfile
+++ b/docker/blocks/openldap/Dockerfile
@@ -17,6 +17,7 @@ EXPOSE 389
 VOLUME ["/etc/ldap", "/var/lib/ldap"]
 COPY modules/ /etc/ldap.dist/modules
+COPY prepopulate/ /etc/ldap.dist/prepopulate
 COPY entrypoint.sh /entrypoint.sh

--- a/docker/blocks/openldap/entrypoint.sh
+++ b/docker/blocks/openldap/entrypoint.sh
@@ -65,7 +65,7 @@ EOF
    fi
    if [[ -n "$SLAPD_ADDITIONAL_SCHEMAS" ]]; then
-        IFS=","; declare -a schemas=($SLAPD_ADDITIONAL_SCHEMAS)
+        IFS=","; declare -a schemas=($SLAPD_ADDITIONAL_SCHEMAS); unset IFS
        for schema in "${schemas[@]}"; do
            slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/schema/${schema}.ldif" >/dev/null 2>&1
@@ -73,14 +73,18 @@ EOF
    fi
    if [[ -n "$SLAPD_ADDITIONAL_MODULES" ]]; then
-        IFS=","; declare -a modules=($SLAPD_ADDITIONAL_MODULES)
+        IFS=","; declare -a modules=($SLAPD_ADDITIONAL_MODULES); unset IFS
        for module in "${modules[@]}"; do
             slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/${module}.ldif" >/dev/null 2>&1
        done
    fi
-    chown -R openldap:openldap /etc/ldap/slapd.d/
+    for file in `ls /etc/ldap/prepopulate/*.ldif`; do
+        slapadd -F /etc/ldap/slapd.d -l "$file"
+    done
+    chown -R openldap:openldap /etc/ldap/slapd.d/ /var/lib/ldap/ /var/run/slapd/
 else
    slapd_configs_in_env=`env | grep 'SLAPD_'`

--- a/docker/blocks/openldap/notes.md
+++ b/docker/blocks/openldap/notes.md
+# Notes on OpenLdap Docker Block
+Any ldif files added to the prepopulate subdirectory will be automatically imported into the OpenLdap database. 
+The ldif files add three users, `ldapviewer`, `ldapeditor` and `ldapadmin`. Two groups, `admins` and `users`, are added that correspond with the group mappings in the default conf/ldap.toml. `ldapadmin` is a member of `admins` and `ldapeditor` is a member of `users`.
+Note that users that are added here need to specify a `memberOf` attribute manually as well as the `member` attribute for the group. The `memberOf` module usually does this automatically (if you add a group in Apache Directory Studio for example) but this does not work in the entrypoint script as it uses the `slapadd` command to add entries before the server has started and before the `memberOf` module is loaded.
+After adding ldif files to `prepopulate`:
+1. Remove your current docker image: `docker rm docker_openldap_1`
+2. Build: `docker-compose build`
+3. `docker-compose up`
--- a/docker/blocks/openldap/prepopulate/admin.ldif
+++ b/docker/blocks/openldap/prepopulate/admin.ldif
+dn: cn=ldapadmin,dc=grafana,dc=org
+mail: ldapadmin@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldapadmin
+cn: ldapadmin
+memberOf: cn=admins,dc=grafana,dc=org
--- a/docker/blocks/openldap/prepopulate/adminsgroup.ldif
+++ b/docker/blocks/openldap/prepopulate/adminsgroup.ldif
+dn: cn=admins,dc=grafana,dc=org
+cn: admins
+member: cn=ldapadmin,dc=grafana,dc=org
+objectClass: groupOfNames
+objectClass: top
--- a/docker/blocks/openldap/prepopulate/editor.ldif
+++ b/docker/blocks/openldap/prepopulate/editor.ldif
+dn: cn=ldapeditor,dc=grafana,dc=org
+mail: ldapeditor@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldapeditor
+cn: ldapeditor
+memberOf: cn=users,dc=grafana,dc=org
--- a/docker/blocks/openldap/prepopulate/usersgroup.ldif
+++ b/docker/blocks/openldap/prepopulate/usersgroup.ldif
+dn: cn=users,dc=grafana,dc=org
+cn: users
+member: cn=ldapeditor,dc=grafana,dc=org
+objectClass: groupOfNames
+objectClass: top
--- a/docker/blocks/openldap/prepopulate/viewer.ldif
+++ b/docker/blocks/openldap/prepopulate/viewer.ldif
+dn: cn=ldapviewer,dc=grafana,dc=org
+mail: ldapviewer@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldapviewer
+cn: ldapviewer