devenv: open ldap docker block now prepopulating data with correct member groups

docker/blocks/openldap/Dockerfile

@@ -8,7 +8,8 @@ ENV OPENLDAP_VERSION 2.4.40
 
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
-        slapd=${OPENLDAP_VERSION}* && \
+        slapd=${OPENLDAP_VERSION}* \
+        ldap-utils && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
@@ -22,6 +23,7 @@ COPY modules/ /etc/ldap.dist/modules
 COPY prepopulate/ /etc/ldap.dist/prepopulate
 
 COPY entrypoint.sh /entrypoint.sh
+COPY prepopulate.sh /prepopulate.sh
 
 ENTRYPOINT ["/entrypoint.sh"]
 

docker/blocks/openldap/entrypoint.sh

@@ -76,21 +76,14 @@ EOF
         IFS=","; declare -a modules=($SLAPD_ADDITIONAL_MODULES); unset IFS
 
         for module in "${modules[@]}"; do
+          echo "Adding module ${module}"
           slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/${module}.ldif" >/dev/null 2>&1
         done
     fi
 
-    for file in `ls /etc/ldap/prepopulate/units/*.ldif`; do
-        slapadd -F /etc/ldap/slapd.d -l "$file"
-    done
-
-    for file in `ls /etc/ldap/prepopulate/groups/*.ldif`; do
-        slapadd -F /etc/ldap/slapd.d -l "$file"
-    done
-
-    for file in `ls /etc/ldap/prepopulate/users/*.ldif`; do
-        slapadd -F /etc/ldap/slapd.d -l "$file"
-    done
+    # This needs to run in background
+    # Will prepopulate entries after ldap daemon has started
+    ./prepopulate.sh &
 
     chown -R openldap:openldap /etc/ldap/slapd.d/ /var/lib/ldap/ /var/run/slapd/
 else

docker/blocks/openldap/notes.md

@@ -22,3 +22,27 @@ enabled = true
 config_file = conf/ldap.toml
 ; allow_sign_up = true
 ```
+
+Test groups & users
+
+admins
+  ldap-admin
+  ldap-torkel
+  ldap-daniel
+backend
+  ldap-carl
+  ldap-torkel
+  ldap-leo
+frontend
+  ldap-torkel
+  ldap-tobias
+  ldap-daniel
+editors
+  ldap-editors
+
+
+no groups
+  ldap-viewer
+
+
+

docker/blocks/openldap/prepopulate.sh

+#!/bin/bash
+
+echo "Pre-populating ldap entries, first waiting for ldap to start"
+
+sleep 3
+
+adminUserDn="cn=admin,dc=grafana,dc=org"
+adminPassword="grafana"
+
+for file in `ls /etc/ldap/prepopulate/*.ldif`; do
+  ldapadd -x -D $adminUserDn -w $adminPassword -f "$file"
+done
+
+

docker/blocks/openldap/prepopulate/units/groups.ldif → docker/blocks/openldap/prepopulate/1_units.ldif

 dn: ou=groups,dc=grafana,dc=org
+ou: Groups
+objectclass: top
+objectclass: organizationalUnit
+
+dn: ou=users,dc=grafana,dc=org
+ou: Users
 objectclass: top
 objectclass: organizationalUnit

docker/blocks/openldap/prepopulate/2_users.ldif

+# ldap-admin
+dn: cn=ldap-admin,ou=users,dc=grafana,dc=org
+mail: ldap-admin@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-admin
+cn: ldap-admin
+
+dn: cn=ldap-editor,ou=users,dc=grafana,dc=org
+mail: ldap-editor@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-editor
+cn: ldap-editor
+
+dn: cn=ldap-viewer,ou=users,dc=grafana,dc=org
+mail: ldap-viewer@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-viewer
+cn: ldap-viewer
+
+dn: cn=ldap-carl,ou=users,dc=grafana,dc=org
+mail: ldap-carl@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-carl
+cn: ldap-carl
+
+dn: cn=ldap-daniel,ou=users,dc=grafana,dc=org
+mail: ldap-daniel@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-daniel
+cn: ldap-daniel
+
+dn: cn=ldap-leo,ou=users,dc=grafana,dc=org
+mail: ldap-leo@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-leo
+cn: ldap-leo
+
+dn: cn=ldap-tobias,ou=users,dc=grafana,dc=org
+mail: ldap-tobias@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-tobias
+cn: ldap-tobias
+
+dn: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+mail: ldap-torkel@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-torkel
+cn: ldap-torkel

docker/blocks/openldap/prepopulate/3_groups.ldif

+dn: cn=admins,ou=groups,dc=grafana,dc=org
+cn: admins
+objectClass: groupOfNames
+objectClass: top
+member: cn=ldap-admin,ou=users,dc=grafana,dc=org
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+
+dn: cn=editors,ou=groups,dc=grafana,dc=org
+cn: editors
+objectClass: groupOfNames
+member: cn=ldap-editor,ou=users,dc=grafana,dc=org
+
+dn: cn=backend,ou=groups,dc=grafana,dc=org
+cn: backend
+objectClass: groupOfNames
+member: cn=ldap-carl,ou=users,dc=grafana,dc=org
+member: cn=ldap-leo,ou=users,dc=grafana,dc=org
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+
+dn: cn=frontend,ou=groups,dc=grafana,dc=org
+cn: frontend
+objectClass: groupOfNames
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+member: cn=ldap-daniel,ou=users,dc=grafana,dc=org
+member: cn=ldap-leo,ou=users,dc=grafana,dc=org

docker/blocks/openldap/prepopulate/groups/admins.ldif

-dn: cn=admins,ou=groups,dc=grafana,dc=org
-cn: admins
-objectClass: groupOfNames
-objectClass: top
-member: cn=ldap-admin,ou=users,dc=grafana,dc=org

docker/blocks/openldap/prepopulate/groups/backend.ldif

-dn: cn=backend,ou=groups,dc=grafana,dc=org
-cn: backend
-objectClass: groupOfNames
-objectClass: top
-member: cn=ldap-editor,dc=grafana,dc=org

docker/blocks/openldap/prepopulate/groups/editor.ldif

-dn: cn=editors,ou=groups,dc=grafana,dc=org
-cn: editors
-objectClass: groupOfNames
-objectClass: top
-member: cn=ldap-editor,ou=users,dc=grafana,dc=org

docker/blocks/openldap/prepopulate/groups/frontend.ldif

-dn: cn=frontend,ou=groups,dc=grafana,dc=org
-cn: frontend
-objectClass: groupOfNames
-objectClass: top
-member: cn=ldap-frontend-1,ou=users,dc=grafana,dc=org

docker/blocks/openldap/prepopulate/units/users.ldif

-dn: ou=users,dc=grafana,dc=org
-objectclass: top
-objectclass: organizationalUnit

docker/blocks/openldap/prepopulate/users/ldap-admin.ldif

-dn: cn=ldap-admin,ou=users,dc=grafana,dc=org
-mail: ldap-admin@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-admin
-cn: ldap-admin
-memberOf: cn=admins,ou=groups,dc=grafana,dc=org
-memberOf: cn=editors,ou=groups,dc=grafana,dc=org

docker/blocks/openldap/prepopulate/users/ldap-editor.ldif

-dn: cn=ldap-editor,ou=users,dc=grafana,dc=org
-mail: ldap-editor@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-editor
-cn: ldap-editor
-memberOf: cn=editors,ou=groups,dc=grafana,dc=org

docker/blocks/openldap/prepopulate/users/ldap-frontend-1.ldif

-dn: cn=ldap-frontend-1,ou=users,dc=grafana,dc=org
-mail: ldap-frontend-1@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-frontend-1
-cn: ldap-frontend-1
-memberOf: cn=frontend,ou=groups,dc=grafana,dc=org

docker/blocks/openldap/prepopulate/users/ldap-viewer.ldif

-dn: cn=ldap-viewer,ou=users,dc=grafana,dc=org
-mail: ldap-viewer@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-viewer
-cn: ldap-viewer

pkg/login/ext_user.go

@@ -21,6 +21,7 @@ func UpsertUser(cmd *m.UpsertUserCommand) error {
 		Email:      extUser.Email,
 		Login:      extUser.Login,
 	}
+
 	err := bus.Dispatch(userQuery)
 	if err != m.ErrUserNotFound && err != nil {
 		return err
@@ -90,6 +91,7 @@ func createUser(extUser *m.ExternalUserInfo) (*m.User, error) {
 		Name:         extUser.Name,
 		SkipOrgSetup: len(extUser.OrgRoles) > 0,
 	}
+
 	if err := bus.Dispatch(cmd); err != nil {
 		return nil, err
 	}