Commit 1f97df46 by Torkel Ödegaard

devenv: open ldap docker block now prepopulating data with correct member groups

parent 1586a42a
......@@ -8,7 +8,8 @@ ENV OPENLDAP_VERSION 2.4.40
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
slapd=${OPENLDAP_VERSION}* && \
slapd=${OPENLDAP_VERSION}* \
ldap-utils && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
......@@ -22,6 +23,7 @@ COPY modules/ /etc/ldap.dist/modules
COPY prepopulate/ /etc/ldap.dist/prepopulate
COPY entrypoint.sh /entrypoint.sh
COPY prepopulate.sh /prepopulate.sh
ENTRYPOINT ["/entrypoint.sh"]
......
......@@ -76,21 +76,14 @@ EOF
IFS=","; declare -a modules=($SLAPD_ADDITIONAL_MODULES); unset IFS
for module in "${modules[@]}"; do
slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/${module}.ldif" >/dev/null 2>&1
echo "Adding module ${module}"
slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/${module}.ldif" >/dev/null 2>&1
done
fi
for file in `ls /etc/ldap/prepopulate/units/*.ldif`; do
slapadd -F /etc/ldap/slapd.d -l "$file"
done
for file in `ls /etc/ldap/prepopulate/groups/*.ldif`; do
slapadd -F /etc/ldap/slapd.d -l "$file"
done
for file in `ls /etc/ldap/prepopulate/users/*.ldif`; do
slapadd -F /etc/ldap/slapd.d -l "$file"
done
# This needs to run in background
# Will prepopulate entries after ldap daemon has started
./prepopulate.sh &
chown -R openldap:openldap /etc/ldap/slapd.d/ /var/lib/ldap/ /var/run/slapd/
else
......
# Notes on OpenLdap Docker Block
Any ldif files added to the prepopulate subdirectory will be automatically imported into the OpenLdap database.
Any ldif files added to the prepopulate subdirectory will be automatically imported into the OpenLdap database.
The ldif files add three users, `ldapviewer`, `ldapeditor` and `ldapadmin`. Two groups, `admins` and `users`, are added that correspond with the group mappings in the default conf/ldap.toml. `ldapadmin` is a member of `admins` and `ldapeditor` is a member of `users`.
......@@ -22,3 +22,27 @@ enabled = true
config_file = conf/ldap.toml
; allow_sign_up = true
```
Test groups & users
admins
ldap-admin
ldap-torkel
ldap-daniel
backend
ldap-carl
ldap-torkel
ldap-leo
frontend
ldap-torkel
ldap-tobias
ldap-daniel
editors
ldap-editors
no groups
ldap-viewer
#!/bin/bash
echo "Pre-populating ldap entries, first waiting for ldap to start"
sleep 3
adminUserDn="cn=admin,dc=grafana,dc=org"
adminPassword="grafana"
for file in `ls /etc/ldap/prepopulate/*.ldif`; do
ldapadd -x -D $adminUserDn -w $adminPassword -f "$file"
done
dn: ou=groups,dc=grafana,dc=org
ou: Groups
objectclass: top
objectclass: organizationalUnit
dn: ou=users,dc=grafana,dc=org
ou: Users
objectclass: top
objectclass: organizationalUnit
# ldap-admin
dn: cn=ldap-admin,ou=users,dc=grafana,dc=org
mail: ldap-admin@grafana.com
userPassword: grafana
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: ldap-admin
cn: ldap-admin
dn: cn=ldap-editor,ou=users,dc=grafana,dc=org
mail: ldap-editor@grafana.com
userPassword: grafana
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: ldap-editor
cn: ldap-editor
dn: cn=ldap-viewer,ou=users,dc=grafana,dc=org
mail: ldap-viewer@grafana.com
userPassword: grafana
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: ldap-viewer
cn: ldap-viewer
dn: cn=ldap-carl,ou=users,dc=grafana,dc=org
mail: ldap-carl@grafana.com
userPassword: grafana
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: ldap-carl
cn: ldap-carl
dn: cn=ldap-daniel,ou=users,dc=grafana,dc=org
mail: ldap-daniel@grafana.com
userPassword: grafana
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: ldap-daniel
cn: ldap-daniel
dn: cn=ldap-leo,ou=users,dc=grafana,dc=org
mail: ldap-leo@grafana.com
userPassword: grafana
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: ldap-leo
cn: ldap-leo
dn: cn=ldap-tobias,ou=users,dc=grafana,dc=org
mail: ldap-tobias@grafana.com
userPassword: grafana
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: ldap-tobias
cn: ldap-tobias
dn: cn=ldap-torkel,ou=users,dc=grafana,dc=org
mail: ldap-torkel@grafana.com
userPassword: grafana
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: ldap-torkel
cn: ldap-torkel
dn: cn=admins,ou=groups,dc=grafana,dc=org
cn: admins
objectClass: groupOfNames
objectClass: top
member: cn=ldap-admin,ou=users,dc=grafana,dc=org
member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
dn: cn=editors,ou=groups,dc=grafana,dc=org
cn: editors
objectClass: groupOfNames
member: cn=ldap-editor,ou=users,dc=grafana,dc=org
dn: cn=backend,ou=groups,dc=grafana,dc=org
cn: backend
objectClass: groupOfNames
member: cn=ldap-carl,ou=users,dc=grafana,dc=org
member: cn=ldap-leo,ou=users,dc=grafana,dc=org
member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
dn: cn=frontend,ou=groups,dc=grafana,dc=org
cn: frontend
objectClass: groupOfNames
member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
member: cn=ldap-daniel,ou=users,dc=grafana,dc=org
member: cn=ldap-leo,ou=users,dc=grafana,dc=org
dn: cn=admins,ou=groups,dc=grafana,dc=org
cn: admins
objectClass: groupOfNames
objectClass: top
member: cn=ldap-admin,ou=users,dc=grafana,dc=org
dn: cn=backend,ou=groups,dc=grafana,dc=org
cn: backend
objectClass: groupOfNames
objectClass: top
member: cn=ldap-editor,dc=grafana,dc=org
dn: cn=editors,ou=groups,dc=grafana,dc=org
cn: editors
objectClass: groupOfNames
objectClass: top
member: cn=ldap-editor,ou=users,dc=grafana,dc=org
dn: cn=frontend,ou=groups,dc=grafana,dc=org
cn: frontend
objectClass: groupOfNames
objectClass: top
member: cn=ldap-frontend-1,ou=users,dc=grafana,dc=org
dn: ou=users,dc=grafana,dc=org
objectclass: top
objectclass: organizationalUnit
dn: cn=ldap-admin,ou=users,dc=grafana,dc=org
mail: ldap-admin@grafana.com
userPassword: grafana
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: ldap-admin
cn: ldap-admin
memberOf: cn=admins,ou=groups,dc=grafana,dc=org
memberOf: cn=editors,ou=groups,dc=grafana,dc=org
dn: cn=ldap-editor,ou=users,dc=grafana,dc=org
mail: ldap-editor@grafana.com
userPassword: grafana
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: ldap-editor
cn: ldap-editor
memberOf: cn=editors,ou=groups,dc=grafana,dc=org
dn: cn=ldap-frontend-1,ou=users,dc=grafana,dc=org
mail: ldap-frontend-1@grafana.com
userPassword: grafana
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: ldap-frontend-1
cn: ldap-frontend-1
memberOf: cn=frontend,ou=groups,dc=grafana,dc=org
dn: cn=ldap-viewer,ou=users,dc=grafana,dc=org
mail: ldap-viewer@grafana.com
userPassword: grafana
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: ldap-viewer
cn: ldap-viewer
......@@ -21,6 +21,7 @@ func UpsertUser(cmd *m.UpsertUserCommand) error {
Email: extUser.Email,
Login: extUser.Login,
}
err := bus.Dispatch(userQuery)
if err != m.ErrUserNotFound && err != nil {
return err
......@@ -90,6 +91,7 @@ func createUser(extUser *m.ExternalUserInfo) (*m.User, error) {
Name: extUser.Name,
SkipOrgSetup: len(extUser.OrgRoles) > 0,
}
if err := bus.Dispatch(cmd); err != nil {
return nil, err
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment