From 961d799152e55c6254d550c4116291e082923d72 Mon Sep 17 00:00:00 2001 From: Filip Hanik Date: Wed, 8 Jan 2025 17:14:19 -0800 Subject: [PATCH] Add a docker service using openldap/slapd to replace a native one running on localhost This service gets populated with the same data set as the in-memory server, although the InMemoryLDAPServer and slapd now use two separate files for data: InMemoryLdapServer uses ./uaa/src/test/resources/ldap_init.ldif (same as before); docker-compose uses ./scripts/ldap/ldap_slapd_data.ldif (new, copy of above for now) --- scripts/docker-compose.yml | 28 +- scripts/ldap/Dockerfile | 49 +++ scripts/ldap/docker-compose.yml | 22 -- scripts/ldap/install-ldap.sh | 53 --- scripts/ldap/ldap-start-and-populate.sh | 51 +++ scripts/ldap/ldap_slapd_data.ldif | 326 ++++++++++++++++++ .../ldap/ldap_slapd_schema.ldif | 43 +-- scripts/ldap/mac-ldap-install.sh | 8 - scripts/ldap/mac-ldap-run.sh | 12 - scripts/ldap/slapd.conf | 60 ---- 10 files changed, 451 insertions(+), 201 deletions(-) create mode 100644 scripts/ldap/Dockerfile delete mode 100644 scripts/ldap/docker-compose.yml delete mode 100755 scripts/ldap/install-ldap.sh create mode 100755 scripts/ldap/ldap-start-and-populate.sh create mode 100644 scripts/ldap/ldap_slapd_data.ldif rename uaa/src/test/resources/ldap_db_init.ldif => scripts/ldap/ldap_slapd_schema.ldif (68%) delete mode 100644 scripts/ldap/mac-ldap-install.sh delete mode 100755 scripts/ldap/mac-ldap-run.sh delete mode 100644 scripts/ldap/slapd.conf diff --git a/scripts/docker-compose.yml b/scripts/docker-compose.yml index 77a26251f9a..d65894d3257 100644 --- a/scripts/docker-compose.yml +++ b/scripts/docker-compose.yml @@ -1,7 +1,7 @@ name: uaa services: - postgres: + postgresql: image: "postgres:15" ports: - 5432:5432
@@ -33,22 +33,18 @@ services: - TZ=${TZ} command: - --sql_mode=ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION,PAD_CHAR_TO_FULL_LENGTH + openldap: - image: docker.io/bitnami/openldap:2.6 + build: + context: . + dockerfile: ldap/Dockerfile ports: - - '389:1389' - - '636:1636' - # docs of these env vars: https://github.com/bitnami/containers/tree/2724f9cd02b3b4e7986a1e2a0b0b30af3737bbd2/bitnami/openldap#configuration - environment: - - LDAP_ROOT=dc=test,dc=com - - LDAP_ADMIN_USERNAME=admin - - LDAP_ADMIN_PASSWORD=password - - LDAP_USERS=user01,user02 - - LDAP_PASSWORDS=password1,password2 - - LDAP_GROUP=some-ldap-group + - '389:389' + - '636:636' + entrypoint: [ "/bin/bash", "-c" ] + command: + - "/uaa/docker/ldap-start-and-populate.sh" + tty: true volumes: - - 'openldap_data:/bitnami/openldap' + - ./ldap:/uaa/docker/ -volumes: - openldap_data: - driver: local \ No newline at end of file diff --git a/scripts/ldap/Dockerfile b/scripts/ldap/Dockerfile new file mode 100644 index 00000000000..6953eb52462 --- /dev/null +++ b/scripts/ldap/Dockerfile 
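Review bot: The openldap service has no `healthcheck`, so nothing downstream can tell when the first-run population done by ldap-start-and-populate.sh has finished; the container counts as up while the script is still loading the schema and data, and a `depends_on` with `condition: service_healthy` would have nothing to wait on. Because the base DN only exists once the data load has run, a base-scope search doubles as a readiness probe, and ldap-utils is already installed in the image: `healthcheck:` / `test: ["CMD", "ldapsearch", "-x", "-H", "ldap://localhost:389", "-b", "dc=test,dc=com", "-s", "base"]` / `interval: 5s`. The named volume `openldap_data` is dropped, so the directory is rebuilt on every `docker compose up` while a plain stop/start keeps the container filesystem; that is presumably intended for test fixtures, but a one-line comment on the `volumes:` entry would make it explicit since the script has an "existing data" branch.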
@@ -0,0 +1,49 @@
+FROM ubuntu:jammy
+
+STOPSIGNAL SIGQUIT
+
+SHELL ["/bin/bash", "-xo", "pipefail", "-c"]
+
+# Generate locale C.UTF-8
+ENV LANG=C.UTF-8
+ENV TZ=UTC
+
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get -qy update
+RUN DEBIAN_FRONTEND=noninteractive apt-get -qy install slapd ldap-utils
+RUN DEBIAN_FRONTEND=noninteractive apt-get -qy install gnutls-bin ssl-cert
+
+RUN \
+ certtool --generate-privkey > /etc/ssl/private/cakey.pem && \
+ echo -e "cn = Pivotal Software Test\nca\ncert_signing_key" > /etc/ssl/ca.info && \
+ certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem && \
+ certtool --generate-privkey --bits 1024 --outfile /etc/ssl/private/ldap01_slapd_key.pem && \
+ echo -e "organization = Pivotal Software Test\ncn = ldap01.example.com\ntls_www_server\nencryption_key\nsigning_key\nexpiration_days = 3650" > /etc/ssl/ldap01.info && \
+ certtool --generate-certificate --load-privkey /etc/ssl/private/ldap01_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ldap01.info --outfile /etc/ssl/certs/ldap01_slapd_cert.pem
+
+RUN \
+ adduser openldap ssl-cert && \
+ chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem && \
+ chmod g+r /etc/ssl/private/ldap01_slapd_key.pem && \
+ chmod o-r /etc/ssl/private/ldap01_slapd_key.pem
+
+RUN \
+ echo "dn: cn=config" > /etc/ssl/certinfo.ldif && \
+ echo "changetype: modify" >> /etc/ssl/certinfo.ldif && \
+ echo "add: olcTLSCACertificateFile" >> /etc/ssl/certinfo.ldif && \
+ echo "olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem" >> /etc/ssl/certinfo.ldif && \
+ echo "-" >> /etc/ssl/certinfo.ldif && \
+ echo "add: olcTLSCertificateKeyFile" >> /etc/ssl/certinfo.ldif && \
+ echo "olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem" >> /etc/ssl/certinfo.ldif && \
+ echo "-" >> /etc/ssl/certinfo.ldif && \
+ echo "add: olcTLSCertificateFile" >> /etc/ssl/certinfo.ldif && \
+ echo "olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem" >> /etc/ssl/certinfo.ldif
+
+RUN sed -i "s/^SLAPD_SERVICES.*/SLAPD_SERVICES=\"ldap\:\/\/\/ ldapi\:\/\/\/ ldaps\:\/\/\/\"/g" /etc/default/slapd
+
+RUN mkdir -p /uaa/docker/
+
+COPY *.ldif /uaa/docker/
+
+STOPSIGNAL SIGQUIT
diff --git a/scripts/ldap/docker-compose.yml b/scripts/ldap/docker-compose.yml
deleted file mode 100644
index 0d869fb0559..00000000000
--- a/scripts/ldap/docker-compose.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-version: '2'
-
-services:
- openldap:
- image: docker.io/bitnami/openldap:2.6
- ports:
- - '389:1389'
- - '636:1636'
- # docs of these env vars: https://github.com/bitnami/containers/tree/2724f9cd02b3b4e7986a1e2a0b0b30af3737bbd2/bitnami/openldap#configuration
- environment:
- - LDAP_ROOT=dc=test,dc=com
- - LDAP_ADMIN_USERNAME=admin
- - LDAP_ADMIN_PASSWORD=password
- - LDAP_USERS=user01,user02
- - LDAP_PASSWORDS=password1,password2
- - LDAP_GROUP=some-ldap-group
- volumes:
- - 'openldap_data:/bitnami/openldap'
-
-volumes:
- openldap_data:
- driver: local
diff --git a/scripts/ldap/install-ldap.sh b/scripts/ldap/install-ldap.sh
deleted file mode 100755
index 52027a8429b..00000000000
--- a/scripts/ldap/install-ldap.sh
+++ /dev/null
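Review bot: `COPY *.ldif /uaa/docker/` resolves its glob against the build context, and scripts/docker-compose.yml sets that context to `.` (the scripts directory) with `dockerfile: ldap/Dockerfile`, so unless scripts/ itself holds .ldif files the glob matches nothing and the build fails; the layout implies `COPY ldap/*.ldif /uaa/docker/` (or `context: ./ldap` in compose). Even when it does succeed, the compose bind mount `./ldap:/uaa/docker/` shadows the copied files at runtime, so this COPY and the preceding `RUN mkdir -p /uaa/docker/` are effectively dead weight and worth a comment or removal. The server key is generated with `--bits 1024`, which current TLS stacks are moving to reject (OpenSSL 3 at its default security level 2 requires RSA of at least 2048 bits); dropping `--bits 1024` or using 2048 costs nothing for a test CA. `STOPSIGNAL SIGQUIT` appears both near the top and as the last instruction; one is enough, and `apt-get update` in its own layer (DL3009) will serve a stale package index once the layer is cached, so folding it into the install step is the usual fix.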
@@ -1,53 +0,0 @@ -#!/bin/bash - -set -e - -cd `dirname $0`/../.. - -sudo apt-get -qy purge slapd ldap-utils -set -x - -sudo apt-get -qy update -sudo DEBIAN_FRONTEND=noninteractive apt-get -qy install slapd ldap-utils - -# SSH Installation notes - from https://help.ubuntu.com/14.04/serverguide/openldap-server.html#openldap-tls -if test "$1" == "ssl" -then - sudo apt-get -qy install gnutls-bin ssl-cert - sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem" - sudo sh -c 'echo "cn = Pivotal Software Test - ca - cert_signing_key" > /etc/ssl/ca.info' - sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem - sudo certtool --generate-privkey --bits 1024 --outfile /etc/ssl/private/ldap01_slapd_key.pem - sudo sh -c 'echo "organization = Pivotal Software Test - cn = ldap01.example.com - tls_www_server - encryption_key - signing_key - expiration_days = 3650" > /etc/ssl/ldap01.info' - sudo certtool --generate-certificate --load-privkey /etc/ssl/private/ldap01_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ldap01.info --outfile /etc/ssl/certs/ldap01_slapd_cert.pem - sudo adduser openldap ssl-cert - sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem - sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem - sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem - sudo sh -c 'echo "dn: cn=config -changetype: modify -add: olcTLSCACertificateFile -olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem -- -add: olcTLSCertificateFile -olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem -- -add: olcTLSCertificateKeyFile -olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem" > /etc/ssl/certinfo.ldif' - echo "Adding LDAP Certs" - sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif - echo "LDAP Certs added" - sudo sed -i "s/^SLAPD_SERVICES.*/SLAPD_SERVICES=\"ldap\:\/\/\/ 
ldapi\:\/\/\/ ldaps\:\/\/\/\"/g" /etc/default/slapd
- sudo /etc/init.d/slapd restart
-
-fi
-
-sudo ldapadd -Y EXTERNAL -H ldapi:/// -f uaa/src/test/resources/ldap_db_init.ldif
-sudo ldapadd -x -D 'cn=admin,dc=test,dc=com' -w password -f uaa/src/test/resources/ldap_init.ldif
diff --git a/scripts/ldap/ldap-start-and-populate.sh b/scripts/ldap/ldap-start-and-populate.sh
new file mode 100755
index 00000000000..dccde75133e
--- /dev/null
+++ b/scripts/ldap/ldap-start-and-populate.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+#
+# ****************************************************************************
+# Cloud Foundry
+# Copyright (c) [2009-2025] Pivotal Software, Inc. All Rights Reserved.
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+# ****************************************************************************
+#
+
+set -e
+
+#cd `dirname $0`/../..
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+
+START_FILE=/tmp/run-once
+
+echo "LDAP server Status:"
+service slapd status || true
+
+if [ ! -f ${START_FILE} ]; then
+ echo "Starting LDAP server."
+ service slapd restart
+ echo "Creating LDAP schema."
+ ldapadd -Y EXTERNAL -H ldapi:/// -f $SCRIPT_DIR/ldap_slapd_schema.ldif
+ echo "Populating LDAP database entries."
+ ldapadd -x -D 'cn=admin,dc=test,dc=com' -w password -f $SCRIPT_DIR/ldap_slapd_data.ldif
+ touch ${START_FILE}
+else
+ echo "Starting LDAP server with existing data."
+ service slapd restart
+fi
+
+doExit() {
+ echo "Caught SIGTERM signal."
+ exit 0
+}
+
+trap doExit SIGINT SIGQUIT SIGTERM
+
+echo "LDAP server is READY"
+
+while true; do
+ sleep 1
+done
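Review bot: The TLS settings that the Dockerfile writes to /etc/ssl/certinfo.ldif are never loaded into cn=config: the first-run branch adds the schema and the data, but has no counterpart to the `ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif` that the deleted install-ldap.sh ran, so the `ldaps:///` listener the Dockerfile puts into SLAPD_SERVICES (and port 636 published in docker-compose.yml) has no certificate behind it. As far as I recall slapd refuses to start when an ldaps listener is configured without TLS material, in which case `service slapd restart` fails and `set -e` aborts the script, so this is worth confirming on a fresh build; adding that ldapmodify line directly after `service slapd restart` in the `if` branch, before the schema ldapadd, restores the old behaviour. Separately, `doExit` exits the script without stopping the daemon, so `docker stop` ends with slapd killed rather than shut down; `service slapd stop` before `exit 0` gives it a clean close. The trap is installed only after population, so a signal arriving during the ldapadd calls takes the default action; moving the `trap` above the `if` avoids leaving a half-populated directory with no run-once marker.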
diff --git a/scripts/ldap/ldap_slapd_data.ldif b/scripts/ldap/ldap_slapd_data.ldif
new file mode 100644
index 00000000000..867baac4edb
--- /dev/null
+++ b/scripts/ldap/ldap_slapd_data.ldif
@@ -0,0 +1,326 @@ +dn: dc=test,dc=com +changetype: add +objectClass: top +objectClass: dcObject +objectClass: domain + +dn: ou=Users,dc=test,dc=com +changetype: add +objectClass: organizationalUnit +ou: Users + +dn: cn=admin,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: admin +sn: Administrator +userPassword: adminsecret +uid: 3378a03c-fc8c-46b6-8a76-f67f9d7a7b4a +mail: admin@test.com +givenname: Bob +initials: X +telephonenumber: 8885550987 +streetAddress: 1111 Admin St +l: Adminton +st: California +postalCode: 94119 + +dn: cn=marissa,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: marissa +userPassword: koala +uid: 20f459e0-e30b-4d1f-998c-3ded7f769db1 +mail: marissa@test.com +sn: Marissa + +dn: cn=slash/username,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: slash/username +userPassword: koala +uid: 20f459e0-e30b-4d1f-998c-3ded7fff9db1 +mail: slash-username@test.com +sn: Marissa + +dn: cn=slash/贺琳,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: slash/贺琳 +userPassword: koala +uid: 20f459e0-e30b-4d1f-998c-3ded7fff9db1 +mail: slash-username2@test.com +sn: Marissa + +dn: cn=琳贺,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: 琳贺 +userPassword: koala +uid: 20f459e0-e30b-4d1f-998c-3ded7fff9db1 +mail: username3@test.com +sn: Marissa + +dn: cn=marissa2,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: marissa2 +userPassword: ldap +uid: 20f459e0-e30b-4d1f-998c-3ded7f769db2 +mail: marissa2@test.com +sn: Marissa2 + +dn: cn=marissa3,ou=Users,dc=test,dc=com +changetype: add +objectClass: person 
+objectClass: organizationalPerson +objectClass: inetOrgPerson +objectClass: customUaaUser +cn: marissa3 +userPassword: ldap3 +uid: 20f459e0-e30b-4d1f-998c-3ded7f769db3 +mail: marissa3@test.com +sn: Lastnamerton +givenname: Marissa +initials: M +telephonenumber: 8885550986 +streetAddress: 1111 Marissa St +l: Marissaville +st: Florida +postalCode: 32561 +costCenter: Denver,CO +uaaManager: John the Sloth +uaaManager: Kari the Ant Eater +emailVerified: false +memberOf: cn=developers,ou=scopes,dc=test,dc=com + +dn: cn=marissa4,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: marissa4 +userPassword: ldap4 +uid: 20f459e0-e30b-4d1f-998c-3ded7f769db4 +mail: marissa4@test.com +sn: Marissa4 + +dn: cn=marissa5,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: marissa5 +userPassword: ldap5 +uid: 20f459e0-e30b-4d1f-998c-3ded7f769db5 +mail: marissa5@test.com +sn: Marissa5 + +dn: cn=marissa6,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: marissa6 +userPassword: ldap6 +uid: 20f459e0-e30b-4d1f-998c-3ded7f769db6 +mail: marissa6@test.com +sn: Marissa6 + +dn: cn=marissa7,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: marissa7 +userPassword: ldap7 +uid: 20f459e0-e30b-4d1f-998c-3ded7f769db7 +sn: Marissa7 + +dn: cn=marissa8,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: marissa8 +userPassword: ldap8 +uid: 20f459e0-e30b-4d1f-998c-3ded7f769db8 +sn: Marissa8 + +dn: cn=marissa9,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +objectClass: customUaaUser +cn: marissa9 +mail: marissa9@test.com +userPassword: ldap9 
+uid: 20f459e0-e30b-4d1f-998c-3ded7f769db9 +sn: Marissa9 +costCenter: Denver,CO +uaaManager: John the Sloth +uaaManager: Kari the Ant Eater +givenname: Marissa +initials: M +telephonenumber: 8885550986 +mail: marissa9-custom@test.com +emailVerified: true +memberOf: cn=developers,ou=scopes,dc=test,dc=com + +dn: cn=marissa10,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +objectClass: customUaaUser +cn: marissa10 +userPassword: ldap10 +uid: 20f459e0-e30b-4d1f-998c-3ded7f769d10 +sn: Marissa10 +costCenter: Denver,CO +uaaManager: John the Sloth +uaaManager: Kari the Ant Eater +emailVerified: true +memberOf: cn=developers,ou=scopes,dc=test,dc=com +memberOf: cn=superusers,ou=scopes,dc=test,dc=com + +dn: cn=marissa 11,ou=Users,dc=test,dc=com +changetype: add +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: marissa 11 +userPassword: ldap11 +uid: 20f459e0-e30b-4d1f-998c-3ded7f769d10 +sn: Marissa11 + +############################################################################### +# BEGIN GROUP TO SCOPE MAPPING +############################################################################### +#scopes as groups mapping - this is the search base + +dn: ou=scopes,dc=test,dc=com +changetype: add +objectClass: organizationalUnit +ou: scopes + +#This groups contains scopes as comma separated list in the description attribute +dn: cn=admins,ou=scopes,dc=test,dc=com +changetype: add +objectClass: groupOfNames +objectClass: top +cn: admins +description: uaa.admin,cloud_controller.read +member: cn=admin,ou=Users,dc=test,dc=com +member: cn=marissa3,ou=Users,dc=test,dc=com + +dn: cn=marissagroup1,ou=scopes,dc=test,dc=com +changetype: add +objectClass: groupOfNames +objectClass: top +cn: marissagroup1 +description: foobar # the description field is required for ldap-groups-as-scopes.xml, but not for ldap-groups-map-to-scopes.xml +member: cn=marissa,ou=Users,dc=test,dc=com + 
+dn: cn=marissagroup2,ou=scopes,dc=test,dc=com +changetype: add +objectClass: groupOfNames +objectClass: top +cn: marissagroup2 +description: foobar # the description field is required for ldap-groups-as-scopes.xml, but not for ldap-groups-map-to-scopes.xml +member: cn=marissa,ou=Users,dc=test,dc=com + +#This groups contains scope as the cn attribute +dn: cn=uaa.admin,ou=scopes,dc=test,dc=com +changetype: add +objectClass: groupOfNames +objectClass: top +cn: uaa.admin +member: cn=admin,ou=Users,dc=test,dc=com +member: cn=marissa3,ou=Users,dc=test,dc=com + +dn: cn=thirdmarissa,ou=scopes,dc=test,dc=com +changetype: add +objectClass: groupOfNames +objectClass: top +cn: thirdmarissa +description: thirdmarissa +member: cn=marissa3,ou=Users,dc=test,dc=com + +dn: cn=developers,ou=scopes,dc=test,dc=com +changetype: add +objectClass: groupOfNames +objectClass: top +cn: developers +description: test.read +member: cn=operators,ou=scopes,dc=test,dc=com +member: cn=marissa6,ou=Users,dc=test,dc=com + +dn: cn=operators,ou=scopes,dc=test,dc=com +changetype: add +objectClass: groupOfNames +objectClass: top +cn: operators +description: test.write +member: cn=superusers,ou=scopes,dc=test,dc=com +member: cn=marissa5,ou=Users,dc=test,dc=com + +dn: cn=superusers,ou=scopes,dc=test,dc=com +changetype: add +objectClass: groupOfNames +objectClass: top +cn: superusers +description: test.everything +member: cn=marissa4,ou=Users,dc=test,dc=com + +dn: cn=otherusers,ou=scopes,dc=test,dc=com +changetype: add +objectClass: groupOfNames +objectClass: top +cn: otherusers +description: test.everything +member: cn=marissa8,ou=Users,dc=test,dc=com + +# Invalid referral cause PartialResultsException + +dn: cn=Referral1,ou=scopes,dc=test,dc=com +changetype: add +objectclass: referral +objectclass: extensibleObject +member: cn=marissa8,ou=Users,dc=test,dc=com +ref: ldap://localhost:43389/cn=otherusers1,ou=scopes,dc=test,dc=com + +#This groups contains scopes as comma separated list in the description 
attribute +dn: cn=marissaniner,ou=scopes,dc=test,dc=com +changetype: add +objectClass: groupOfNames +objectClass: top +cn: marissaniner +description: marissaniner +member: cn=marissa9,ou=Users,dc=test,dc=com + +#This groups contains scopes as comma separated list in the description attribute +dn: cn=marissaniner2,ou=scopes,dc=test,dc=com +changetype: add +objectClass: groupOfNames +objectClass: top +cn: marissaniner2 +description: marissaniner2 +member: cn=marissa9,ou=Users,dc=test,dc=com + +############################################################################### +# END GROUP TO SCOPE MAPPING +############################################################################### diff --git a/uaa/src/test/resources/ldap_db_init.ldif b/scripts/ldap/ldap_slapd_schema.ldif similarity index 68% rename from uaa/src/test/resources/ldap_db_init.ldif rename to scripts/ldap/ldap_slapd_schema.ldif index 0ed78ad13c0..823ecf6a796 100644 --- a/uaa/src/test/resources/ldap_db_init.ldif +++ b/scripts/ldap/ldap_slapd_schema.ldif @@ -1,21 +1,19 @@ -# Load modules for database type dn: cn=module,cn=config objectclass: olcModuleList cn: module -olcModuleLoad: back_bdb.la -# Create directory database -dn: olcDatabase=bdb,cn=config +# Create an in memory directory database +dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig -objectClass: olcBdbConfig -olcDatabase: bdb -# Domain name (e.g. home.local) -olcSuffix: dc=test,dc=com -# Location on system where database is stored +objectClass: olcMdbConfig +olcDatabase: {1}mdb olcDbDirectory: /var/lib/ldap -# Manager of the database +olcSuffix: dc=test,dc=com +olcDbMaxSize: 1073741824 +olcLastMod: TRUE +olcMaxDerefDepth: 15 olcRootDN: cn=admin,dc=test,dc=com -olcRootPW: {SSHA}XerHS1s6xgIHpLrR9hCvelH7grepkqiv +olcRootPW: {SSHA}bycWaE1yKM3DpXpxrx3UAdbxWAk0pcm4 # Indices in database to speed up searches olcDbIndex: uid pres,eq olcDbIndex: cn,sn,mail pres,eq,approx,sub 
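Review bot: `uid: 20f459e0-e30b-4d1f-998c-3ded7fff9db1` is shared by the slash/username, slash/贺琳 and 琳贺 entries, and `uid: 20f459e0-e30b-4d1f-998c-3ded7f769d10` by marissa10 and "marissa 11", while marissa9 carries two `mail:` values; if uid is what the tests map to an external user id, these are presumably deliberate collision fixtures carried over from ldap_init.ldif, but nothing in the file says so. A comment line above the first reused entry, such as `# NOTE: uid is intentionally duplicated across the next three entries`, would stop the next editor from "fixing" it. The commit message calls this file a copy of uaa/src/test/resources/ldap_init.ldif; a header comment naming that file and stating which copy is authoritative would help keep the two from drifting.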
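Review bot: The new comment `# Create an in memory directory database` is misleading: mdb is memory-mapped but it is backed by the files under `olcDbDirectory: /var/lib/ldap`, so the data persists on disk for the life of the container, which is exactly what the "existing data" branch of ldap-start-and-populate.sh relies on; `# Create the MDB (memory-mapped, disk-backed) directory database` says what it is. `olcDbMaxSize: 1073741824` is the mmap size ceiling rather than a memory reservation, and a comment line above it such as `# 1 GiB mmap ceiling, not a memory reservation` would keep the next reader from trimming it. The `cn=module,cn=config` entry is kept but loads nothing now that `olcModuleLoad: back_bdb.la` is gone; if back_mdb is compiled into Ubuntu's slapd the entry can be dropped, otherwise it needs `olcModuleLoad: back_mdb.la`, and either way the choice deserves a comment.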
@@ -36,45 +34,30 @@ olcAccess: to * by dn.base="cn=admin,dc=test,dc=com" write by * read -dn: cn=schema,cn=config -changetype: modify -add: olcAttributeTypes +dn: cn=uaaschema,cn=schema,cn=config +changetype: add +objectClass: olcSchemaConfig +cn: uaaschema olcAttributeTypes: ( 1.3.6.1.4.1.35015.1.2.4 NAME 'costCenter' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) - -dn: cn=schema,cn=config -changetype: modify -add: olcAttributeTypes olcAttributeTypes: ( 1.3.6.1.4.1.35015.1.2.5 NAME 'uaaManager' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) - -dn: cn=schema,cn=config -changetype: modify -add: olcAttributeTypes olcAttributeTypes: ( 1.3.6.1.4.1.35015.1.2.6 NAME 'memberOf' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) - -dn: cn=schema,cn=config -changetype: modify -add: olcAttributeTypes olcAttributeTypes: ( 1.3.6.1.4.1.35015.1.2.7 NAME 'emailVerified' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) - -dn: cn=schema,cn=config -changetype: modify -add: olcObjectClasses olcObjectClasses: ( 1.3.6.1.4.1.35015.1.2.8 NAME 'customUaaUser' diff --git a/scripts/ldap/mac-ldap-install.sh b/scripts/ldap/mac-ldap-install.sh deleted file mode 100644 index af2d56c6011..00000000000 --- a/scripts/ldap/mac-ldap-install.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/env bash - -brew install ldap-utils slapd - -sudo cp -v ./slapd.conf /etc/openldap - -sudo mkdir -vp /var/lib/ldap -sudo cp -v /private/etc/openldap/DB_CONFIG.example /var/lib/ldap diff --git a/scripts/ldap/mac-ldap-run.sh b/scripts/ldap/mac-ldap-run.sh deleted file mode 100755 index 1458afad6e7..00000000000 --- a/scripts/ldap/mac-ldap-run.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -# Starting LDAP server on different ports is done through the command line startup with the -h switch -# -h "ldap://localhost:10389" - -# run ldap server with debug output enabled ( -d3 switch ) -if test "$1" == "debug" -then - sudo /usr/libexec/slapd -d3 -else - sudo /usr/libexec/slapd -fi \ No newline at end of file 
diff --git a/scripts/ldap/slapd.conf b/scripts/ldap/slapd.conf deleted file mode 100644 index c30f3d9e651..00000000000 --- a/scripts/ldap/slapd.conf +++ /dev/null 
@@ -1,60 +0,0 @@ -# See slapd.conf(5) for details on configuration options. This file should NOT be world readable. -include /opt/homebrew/etc/openldap/schema/core.schema -include /opt/homebrew/etc/openldap/schema/cosine.schema -include /opt/homebrew/etc/openldap/schema/nis.schema -include /opt/homebrew/etc/openldap/schema/inetorgperson.schema - -# Define global ACLs to disable default read access. -# Do not enable referrals until AFTER you have a working directory service AND an understanding of referrals. -#referral ldap://root.openldap.org -pidfile /opt/homebrew/var/run/slapd.pid -argsfile /opt/homebrew/var/run/slapd.args - -# Load dynamic backend modules: -modulepath /opt/homebrew/Cellar/openldap/2.6.3/libexec/openldap -moduleload back_mdb.la -# moduleload back_ldap.la - -# config database definitions -database config -# Uncomment the rootpw line to allow binding as the cn=config rootdn so that temporary modifications to the -# configuration can be made while slapd is running. They will not persist across a restart. -database ldif -suffix "dc=example,dc=com" -rootdn "cn=admin,dc=example,dc=com" -# Cleartext passwords, especially for the rootdn, should be avoided, see slappasswd(8) and slapd.conf(5) for details. -# Use of strong authentication encouraged. -rootpw {SSHA}7e+zIbbJkC++wF3bUnrbXLPDlS6ancY5 -# The database directory MUST exist prior to running slapd AND should only be accessible by the slapd and slap tools. -# Mode 700 recommended. 
-directory /opt/homebrew/var/openldap-data - -# monitor database definitions -database monitor - -# Sample security restrictions -# Require integrity protection (prevent hijacking) -# Require 112-bit (3DES or better) encryption for updates -# Require 63-bit encryption for simple bind -# security ssf=1 update_ssf=112 simple_bind=64 - -# Sample access control policy: -# Root DSE: allow anyone to read it -# Subschema (sub)entry DSE: allow anyone to read it -# Other DSEs: -# Allow self write access -# Allow authenticated users read access -# Allow anonymous users to authenticate -# Directives needed to implement policy: -# access to dn.base="" by * read -# access to dn.base="cn=Subschema" by * read -# access to * -# by self write -# by users read -# by anonymous auth -# -# if no access controls are present, the default policy -# allows anyone and everyone to read anything but restricts -# updates to rootdn. (e.g., "access to * by * read") -# -# rootdn can always read and write EVERYTHING!