LdapCherry

  • Swimlane: Additional Services
  • Column: Idea
  • Position: 12
  • Assignee: AndrewCz
  • Creator: AndrewCz
  • Time spent: 2143.43 hours
  • Assigned Group: not assigned
  • Started:
  • Created: 2019/03/25 14:50
  • Modified: 2021/10/13 21:58
  • Moved: 2021/10/13 21:58
Description
Sub-Tasks (title, assignee, time tracked; no due dates recorded)
  • Do not use debug in production (AndrewCz)
  • Do not do hard version pinning (AndrewCz)
  • target stable versions of mainstream distributions (AndrewCz)
  • init.py file feels hacky (AndrewCz, 164.31h spent)
  • INI File (AndrewCz)
  • Roles File (AndrewCz, 145.88h spent)
  • Attributes File (AndrewCz)
  • combine ini and yaml parsing structure in init.py (AndrewCz)
  • Remove all config options that are passed as env vars whose values are zero-length strings or False or something else valid like that (AndrewCz, 3.11h spent)
  • Automatically add quotes to the variables passed in with env vars if necessary (AndrewCz, 2.27h spent)
  • Setup repo with something other than putting everything in the root of the repo (edit init.py and Dockerfile paths as appropriate) (AndrewCz)
  • Add ability to use subdirectories (AndrewCz, 0.68h spent)
  • Set up openldap directory container seed data (AndrewCz, 243.56h spent)
  • make it so that I can "CTRL-C" the container (AndrewCz, 480.13h spent)
  • comment and put docstrings in script (AndrewCz, 28.29h spent)
  • Optional debug mode (AndrewCz, 28.49h spent)
  • Submit documentation fixes for https://github.com/kakwa/ldapcherry/issues/36 (AndrewCz, 28.47h spent)
  • Create a PR to add demo files per https://github.com/kakwa/ldapcherry/issues/34 (AndrewCz, 168.85h spent)
  • Test Dockerfile (AndrewCz, 4.85h spent)
  • Update README with docker documentation (AndrewCz)
  • Address all outstanding TODOs in `init.py` (AndrewCz, 94.38h spent)
  • PR to merge docker stuff into upstream (AndrewCz, 175.15h spent)
  • Allow ACLs to be added to LDAP (AndrewCz, 238.49h spent)
  • Allow ldapcherry user to change their own password (AndrewCz, 336.52h spent)
  • Add default bind user non-rootdn (AndrewCz)
  • hash passwords (AndrewCz)
  • Test compositional integration (AndrewCz)
Internal links
Comments
AndrewCz Created at: 2019/04/05 19:38 Updated at: 2019/04/05 19:38

Got a message that the PR was closed b/c it was too hacky and it would take too much to maintain (hardcoded versions, etc.)

Will have to refactor setup and submit another PR.

AndrewCz Created at: 2019/04/28 16:16 Updated at: 2019/04/28 16:16

Submitted issue that there are no roles or attributes demo files for the Demo backend.

AndrewCz Created at: 2019/05/19 18:40 Updated at: 2019/05/19 18:40

Need to make it so that I can "CTRL-C" the container, and add quotes to the variables.

AndrewCz Created at: 2019/05/22 23:46 Updated at: 2019/05/22 23:46

This won't work in a subdirectory, as the paths are hard-coded to use everything from the root instead of passing whatever subdirectory they are using.

AndrewCz Created at: 2019/05/25 18:47 Updated at: 2019/05/25 18:47

I'll put off putting docker in a separate directory until I have a good reason to. FWIW, I've seen structures that use the entrypoint.d/ directory with numbered dirs 10-default-init/, 50-finalize/ etc. with shell scripts in them with the same naming convention to do startups. I'll stick to my one init script for the time being.

AndrewCz Created at: 2019/05/27 14:06 Updated at: 2019/05/27 14:06

I'll need to populate the LDAP directory, so I'm attaching my osuosc ldap docs as they could come in handy with putting something together to get this done.

AndrewCz Created at: 2019/06/29 00:33 Updated at: 2019/06/29 00:33

I'm getting this error when trying to change the user's password:

5d16e3d2 <= mdb_equality_candidates: (uid) not indexed

Which seems to indicate that the uid (which is the objectclass that it's searching for) is not indexed. Sure enough, when I look in the slapd.conf file, the only index is for objectClass. So I'll have to look into this. Link above.

AndrewCz Created at: 2019/06/29 00:33 Updated at: 2019/06/29 00:33

Demo prepopulation or seeding of the directory seems to be going well with the demo. I'll have to flesh it out along with the ACLs to where I want them.

AndrewCz Created at: 2019/07/01 23:20 Updated at: 2019/07/01 23:20

Opened issue for not being able to add indexes. Link above.

AndrewCz Created at: 2019/07/05 22:32 Updated at: 2019/07/05 22:32

Created PR to be able to add additional indexes. Link above.

AndrewCz Created at: 2019/07/08 23:09 Updated at: 2019/07/08 23:10

Additional indexes PR merged, but the same issue is persisting with the user being unable to change their own password.

I'll have to publish a debug container again and test this out to see if there are any errors that I am not catching.

If that doesn't work, I'll open an issue.

AndrewCz Created at: 2019/07/13 00:57 Updated at: 2019/07/13 00:59

So, I couldn't get the debug statements to work, and I saw that nginx was trying to ping /selfmodify, and I only had a definition for /selfmodify/. So I added one for /selfmodify/ and I got all of the debug statements that I put in.

This also caused the correct redirect, and I got an error when trying to change the password attributes. It said that loginShell was an invalid attribute. Of course, this is because the user in question was not a posixAccount. So I added that objectClass (and the other attributes necessary for that class: uidNumber, gidNumber, and homeDirectory) and then tried the password self-modify again, and it worked!!!!!

AndrewCz Created at: 2019/07/13 01:46 Updated at: 2019/07/13 01:46

Ldap now takes too long to initialize. Submitted bug report. Link above.

AndrewCz Created at: 2019/07/13 01:47 Updated at: 2019/07/13 01:47

LdapCherry should submit subdirectories. Submitted bug report. Link above.

AndrewCz Created at: 2019/07/13 01:54 Updated at: 2019/07/13 01:54

Since I opened https://github.com/kakwa/ldapcherry/issues/34, I should create a PR to add these files.

AndrewCz Created at: 2019/07/13 01:56 Updated at: 2019/07/13 01:56

AndrewCz Created at: 2019/07/20 22:02 Updated at: 2019/07/20 22:02

Opened PR for openldap checking that slapd process is up and ready using ldapwhoami.

AndrewCz Created at: 2019/07/21 20:02 Updated at: 2019/07/21 20:02

Submitted PR for kakwa's issues 35 and 36.

AndrewCz Created at: 2019/07/21 20:15 Updated at: 2019/07/21 20:15

Submitted PR for kakwa's issue 34 that I opened for demo backend conf files.

AndrewCz Created at: 2019/07/31 22:37 Updated at: 2019/07/31 22:37

I'm going to try to handle a keyboard interrupt by having it as an except condition in the try block that starts the daemon.
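Added example (not code from the LdapCherry repo or the PR): a minimal container entrypoint in the spirit of the approach above. It catches KeyboardInterrupt around the call that waits on the daemon and also installs a SIGTERM handler, because a process running as PID 1 in a container only receives signals it has handlers for, which is why Ctrl-C and `docker stop` otherwise seem to do nothing. The command list, grace period and the sleeping stand-in for slapd are assumptions.

```python
import os
import signal
import subprocess
import sys
import threading

NOOP_CMD = [sys.executable, "-c", "pass"]  # child that exits at once; used when no command is given


def run_daemon(cmd, grace_seconds=10.0):
    """Run `cmd` (e.g. ["slapd", "-d", "256", "-h", "ldap:///"]) as a child and
    return its exit status. Ctrl-C arrives as SIGINT, which Python turns into a
    KeyboardInterrupt inside the try block; `docker stop` arrives as SIGTERM.
    PID 1 only receives signals it has handlers for, so both are installed."""
    proc = subprocess.Popen(cmd)

    def forward_sigterm(signum, frame):
        proc.terminate()  # hand SIGTERM down to the daemon

    old_int = signal.signal(signal.SIGINT, signal.default_int_handler)
    old_term = signal.signal(signal.SIGTERM, forward_sigterm)
    try:
        return proc.wait()
    except KeyboardInterrupt:
        # Ctrl-C: ask the daemon to stop; escalate to SIGKILL after the grace period.
        proc.terminate()
        try:
            return proc.wait(timeout=grace_seconds)
        except subprocess.TimeoutExpired:
            proc.kill()
            return proc.wait()
    finally:
        signal.signal(signal.SIGINT, old_int)
        signal.signal(signal.SIGTERM, old_term)


def simulate_ctrl_c(delay=1.0):
    """Start a sleeping stand-in for slapd (assumption) and send this process
    SIGINT after `delay` seconds, as if Ctrl-C were pressed. A negative result
    means the child was stopped by the forwarded signal (-15 = SIGTERM on Linux)."""
    threading.Timer(delay, os.kill, (os.getpid(), signal.SIGINT)).start()
    return run_daemon([sys.executable, "-c", "import time; time.sleep(30)"])


if __name__ == "__main__":
    # Entrypoint use: python entrypoint.py slapd -d 256 -h ldap:///
    rc = run_daemon(sys.argv[1:] or NOOP_CMD)
    sys.exit(rc if rc >= 0 else 128 - rc)  # shell convention: 128 + signal number
```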

AndrewCz Created at: 2019/08/18 23:48 Updated at: 2019/08/18 23:48

PR for dockerfile submitted. Linked above.

AndrewCz Created at: 2019/08/22 00:09 Updated at: 2019/08/22 00:09

For hashed passwords, I'm running into the following:

lt_dlopenext failed: (ppolicy.la) file not found

AndrewCz Created at: 2019/08/24 17:32 Updated at: 2019/08/24 17:32

I needed to add ppolicy instead of ppolicy.la.

AndrewCz Created at: 2019/08/24 18:10 Updated at: 2019/08/24 18:10

Submitted PR for hashing plaintext passwords for data encryption at rest.
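Added example (not the project's code or the PR above): a check a defender can run over an slapcat or ldapsearch LDIF export to find userPassword values that are still stored in cleartext, since the ppolicy overlay's hash-on-write option only hashes passwords set after it is enabled and leaves existing values untouched, plus verification of the {SSHA} scheme OpenLDAP produces. The two LDIF entries are constructed.

```python
import base64
import hashlib
import hmac

def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate against a stored {SSHA} value (salt = trailing bytes)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    expected = hashlib.sha1(candidate.encode() + raw[20:]).digest()
    return hmac.compare_digest(expected, raw[:20])

def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader -> {dn: {attr: [values]}}; unfolds lines, decodes 'attr:: base64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded continuation of the previous line
        else:
            lines.append(raw)
    entries, attrs = {}, {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if attrs:
                entries[attrs["dn"][0]] = attrs
            attrs = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # slapcat writes userPassword as 'userPassword:: <b64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name, []).append(value.strip())
    return entries

def cleartext_passwords(entries: dict) -> list:
    """DNs whose userPassword lacks a {SCHEME} prefix, i.e. is stored in cleartext."""
    return [dn for dn, attrs in entries.items()
            if any(not pw.startswith("{") for pw in attrs.get("userPassword", []))]

# Constructed sample export (not from the project): alice hashed, bob still cleartext.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "userPassword:: " + base64.b64encode(make_ssha("correct horse", b"salt").encode()).decode(),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=org",
    "userPassword:: " + base64.b64encode(b"hunter2").decode(),
])
```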

AndrewCz Created at: 2019/08/24 18:12 Updated at: 2019/08/24 18:12

Adding a default bind user will be interesting. How should I set that up? Per-service? One bind user to rule them all? IDK.

AndrewCz Created at: 2020/01/26 07:17 Updated at: 2020/01/26 07:17

@Jyrno42 commented on this pull request.

In init.py:

  • return config
  • +def get_config_value(env_var):

  • """
  • Format valid configuration values based on the string that is passed
  • @str env_var: the environment var that needs to be formatted
  • """
  • val = os.getenv(env_var)
  • if val is not None:
  • if val.isdigit():
  • return val
  • if val in ['True', 'False']:
  • return val
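Review bot: the two typed branches in get_config_value return val unchanged, so `val.isdigit()` and `val in ['True', 'False']` only decide whether anything is returned, not what type the caller gets; an environment value of True still reaches the YAML writer as the string 'True', which is the quoting problem raised below. If typed output is the intent, return `int(val)` and `val == 'True'` from those branches, and document (or make explicit) what is returned when the variable is unset or matches neither test, since the visible lines fall through without a return.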

At least for yaml files True will result in string True inside the file instead of boolean True.

