LdapCherry
- Status: open
- Priority: 3
- Complexity: 4
- Swimlane: Additional Services
- Column: Idea
- Position: 12
- Assignee: AndrewCz
- Creator: AndrewCz
- Time spent: 2143.43 hours
- Assigned Group: not assigned
- Started:
- Created: 2019/03/25 14:50
- Modified: 2021/10/13 21:58
- Moved: 2021/10/13 21:58
Description
Sub-Tasks
Title | Assignee | Due Date | Time tracking
---|---|---|---
Do not use debug in production | AndrewCz | |
Do not do hard version pinning | AndrewCz | |
target stable versions of mainstream distributions | AndrewCz | |
init.py file feels hacky | AndrewCz | | 164.31h spent
INI File | AndrewCz | |
Roles File | AndrewCz | | 145.88h spent
Attributes File | AndrewCz | |
combine ini and yaml parsing structure in init.py | AndrewCz | |
Remove all config options that are passed as env vars whose values are zero-length strings or False or something else valid like that | AndrewCz | | 3.11h spent
Automatically add quotes to the variables passed in with env vars if necessary | AndrewCz | | 2.27h spent
Setup repo with something other than putting everything in the root of the repo (edit init.py and Dockerfile paths as appropriate) | AndrewCz | |
Add ability to use subdirectories | AndrewCz | | 0.68h spent
Set up openldap directory container seed data | AndrewCz | | 243.56h spent
make it so that I can "CTRL-C" the container | AndrewCz | | 480.13h spent
comment and put docstrings in script | AndrewCz | | 28.29h spent
Optional debug mode | AndrewCz | | 28.49h spent
Submit documentation fixes for https://github.com/kakwa/ldapcherry/issues/36 | AndrewCz | | 28.47h spent
Create a PR to add demo files per https://github.com/kakwa/ldapcherry/issues/34 | AndrewCz | | 168.85h spent
Test Dockerfile | AndrewCz | | 4.85h spent
Update README with docker documentation | AndrewCz | |
Address all outstanding TODOs in `init.py` | AndrewCz | | 94.38h spent
PR to merge docker stuff into upstream | AndrewCz | | 175.15h spent
Allow ACLs to be added to LDAP | AndrewCz | | 238.49h spent
Allow ldapcherry user to change their own password | AndrewCz | | 336.52h spent
Add default bind user non-rootdn | AndrewCz | |
hash passwords | AndrewCz | |
Test compositional integration | AndrewCz | |
Internal links
This task blocks (1) | Assignee | Time tracking
---|---|---
#428 Dogfood Services for Internal Tooling (OurCompose - Done) | |
Got a message that the PR was closed b/c it was too hacky and it would take too much to maintain (hardcoded versions, etc.)
Will have to refactor setup and submit another PR.
Submitted issue that there are no roles or attributes demo files for the Demo backend.
Need to make it so that I can "CTRL-C" the container, and add quotes to the variables.
This won't work in a subdirectory, as the paths are hard-coded to use everything from the root instead of passing whatever subdirectory they are using.
I'll put off putting docker in a separate directory until I have a good reason to. FWIW, I've seen structures that use the `entrypoint.d/` directory with numbered dirs `10-default-init/`, `50-finalize/` etc. with shell scripts in them with the same naming convention to do startups. I'll stick to my one init script for the time being.
I'll need to populate the LDAP directory, so I'm attaching my osuosc ldap docs as they could come in handy with putting something together to get this done.
I'm getting this error when trying to change the user's password:
Which seems to indicate that the uid (which is the objectclass that it's searching for) is not indexed. Sure enough, when I look in the `slapd.conf` file, the only index is for `objectClass`. So I'll have to look into this. Link above.
Demo prepopulation or seeding of the directory seems to be going well with the demo. I'll have to flesh it out along with the ACLs to where I want them.
Opened issue for not being able to add indexes. Link above.
Created PR to be able to add additional indexes. Link above.
Additional indexes PR merged, but the same issue is persisting with the user being unable to change their own password.
I'll have to publish a debug container again and test this out to see if there are any errors that I am not catching.
If that doesn't work, I'll open an issue.
So, I couldn't get the debug statements to work, and I saw that nginx was trying to ping `/selfmodify`, and I only had a definition for `/selfmodify/`. So I added one for `/selfmodify/` and I got all of the debug statements that I put in.
This also caused the correct redirect, and I got an error when trying to change the password attributes. It said that `loginShell` was an invalid attribute. Of course, this is because the user in question was not a `posixAccount`. So I added that objectClass (and the other attributes necessary for that class: `uidNumber`, `gidNumber`, and `homeDirectory`) and then tried the password self-modify again, and it worked!!!!!
Ldap now takes too long to initialize. Submitted bug report. Link above.
LdapCherry should submit subdirectories. Submitted bug report. Link above.
Since I opened https://github.com/kakwa/ldapcherry/issues/34, I should create a PR to add these files.
Need to submit PR for https://github.com/kakwa/ldapcherry/issues/36
Opened PR for openldap checking that `slapd` process is up and ready using `ldapwhoami`.
Submitted PR for kakwa's issues 35 and 36.
Submitted PR for kakwa's issue 34 that I opened for demo backend conf files.
I'm going to try to handle a keyboard interrupt by having it as an except condition in the try block that starts the daemon
PR for dockerfile submitted. Linked above.
For hashed passwords, I'm running into the following:
I needed to add `ppolicy` instead of `ppolicy.la`.
Submitted PR for hashing plaintext passwords for data encryption at rest.
Adding a default bind user will be interesting. How should I set that up? Per-service? One bind user to rule them all? IDK.
@Jyrno42 commented on this pull request.
In init.py:
At least for yaml files True will result in string True inside the file instead of boolean True.
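The env-var handling the sub-tasks above ask for (drop options whose value is a zero-length string or False, add quotes only where the file format needs them, and keep `True` a boolean rather than the string `True` that @Jyrno42 points out), as an added Python example that is not the project's `init.py`. It assumes an `LC_` variable prefix, that the ini file is read as Python literals in the cherrypy style (strings single-quoted, bools and ints bare), and a flat YAML mapping; none of these assumptions come from the page.

```python
# Added example, not the project's init.py. Assumed (not from the page): an LC_
# prefix that is stripped, ini values read as Python literals (cherrypy style),
# and a flat YAML mapping.
import json
from typing import Any, Dict, Optional

PREFIX = "LC_"                          # assumed naming convention
_UNSET = {"", "false", "none", "null"}  # values meaning "leave the option out"

def _is_int(s: str) -> bool:
    body = s[1:] if s[:1] == "-" else s
    return body.isdecimal()

def coerce(raw: str) -> Optional[Any]:
    """One env-var string -> typed value; None means drop the option entirely."""
    s = raw.strip()
    if s.lower() in _UNSET:      # "" and False never reach the file
        return None
    if s.lower() == "true":      # bool True, not the string "True"
        return True
    if _is_int(s):
        return int(s)
    return s

def collect(env: Dict[str, str], prefix: str = PREFIX) -> Dict[str, Any]:
    """Select prefixed variables, strip the prefix, lower-case, coerce, drop unset."""
    out: Dict[str, Any] = {}
    for name, raw in env.items():
        if name.startswith(prefix):
            value = coerce(raw)
            if value is not None:
                out[name[len(prefix):].lower()] = value
    return out

def ini_literal(value: Any) -> str:
    """Quote only what needs it: strings get repr(), bools and ints stay bare."""
    return str(value) if isinstance(value, (bool, int)) else repr(str(value))

def yaml_literal(value: Any) -> str:
    """YAML scalar: bare true/false and ints, JSON-style double-quoted strings."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value) if isinstance(value, int) else json.dumps(str(value))

def render(section: str, options: Dict[str, Any], fmt: str) -> str:
    """Flat mapping as an ini section (fmt='ini') or a YAML mapping (fmt='yaml')."""
    lit, sep = (ini_literal, " = ") if fmt == "ini" else (yaml_literal, ": ")
    lines = [f"[{section}]"] if fmt == "ini" else []
    lines += [f"{k}{sep}{lit(options[k])}" for k in sorted(options)]
    return "\n".join(lines) + "\n"
```

Feed `collect(os.environ)` into `render(...)` for each file the container writes; a variable set to an empty string or `False` is simply absent from the output, so the file's own default applies.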