Update open ldap for macos (#53819)

* Add new OpenLDAP Docker block for macOS * Add preconfigured users, groups and modules * Add README
2025-02-25 18:55:37 -06:00 · 2022-08-18 12:31:19 +02:00 · 2022-08-18 12:31:19 +02:00 · 52904151f1
commit 52904151f1
parent 4ff4aaab23
6 changed files with 264 additions and 0 deletions
--- a/devenv/docker/blocks/openldap-mac/README.md
+++ b/devenv/docker/blocks/openldap-mac/README.md
@ -0,0 +1,56 @@
+# OpenLDAP for MacOS Docker Block
+
+This Docker block is an updated version from [OpenLDAP](../openldap/) block. This Docker block uses `osixia/openldap` image. The original Docker block was based of `debian:jessie` which is not available for Apple's ARM chip. 
+
+## Deployment
+
+First build and deploy the `openldap` container.
+
+```bash
+make devenv sources=openldap-mac
+```
+
+### Exposed ports
+
+The container will expose port `389` and `636`.
+
+### Background services
+
+The `osixia/openldap` container will update the database with any `*.ldif` file changes inside `./prepopulate` and the `./modules` folder. Remember to rebuild the `devenv` to apply any changes.
+
+## Grafana configuration changes
+
+The following changes are needed at Grafana's configuration file.
+
+```ini
+[auth.ldap]
+enabled = true
+config_file = conf/ldap_dev.toml
+```
+
+The configuration between Grafana and the OpenLDAP container is configured at [./conf/ldap.toml](../../../../conf/ldap.toml).
+
+## Available users and groups
+
+- admins
+  - ldap-admin
+  - ldap-torkel
+- backend
+  - ldap-carl
+  - ldap-torkel
+  - ldap-leo
+- frontend
+  - ldap-torkel
+  - ldap-tobias
+  - ldap-daniel
+- editors
+  - ldap-editors
+- no groups
+  - ldap-viewer
+
+## Groups & Users (POSIX)
+
+- admins
+  - ldap-posix-admin
+- no groups
+  - ldap-posix
--- a/devenv/docker/blocks/openldap-mac/docker-compose.yaml
+++ b/devenv/docker/blocks/openldap-mac/docker-compose.yaml
@ -0,0 +1,15 @@
+  openldap-mac:
+    container_name: ldap
+    image: osixia/openldap
+    environment:
+      LDAP_ORGANISATION: grafana
+      LDAP_DOMAIN: grafana.org
+      LDAP_ADMIN_PASSWORD: grafana
+      LDAP_SEED_INTERNAL_LDIF_PATH: /tmp/smt/
+    ports:
+      - 389:389
+      - 636:636
+    restart: unless-stopped
+    volumes:
+      - ./docker/blocks/openldap-mac/prepopulate/:/tmp/smt/
+      - ./docker/blocks/openldap-mac/modules/:/tmp/smt/
--- a/devenv/docker/blocks/openldap-mac/modules/memberof.ldif
+++ b/devenv/docker/blocks/openldap-mac/modules/memberof.ldif
@ -0,0 +1,33 @@
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: memberof.la
+
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: refint.la
+
+dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof member manager owner
--- a/devenv/docker/blocks/openldap-mac/prepopulate/1_units.ldif
+++ b/devenv/docker/blocks/openldap-mac/prepopulate/1_units.ldif
@ -0,0 +1,9 @@
+dn: ou=groups,dc=grafana,dc=org
+ou: Groups
+objectclass: top
+objectclass: organizationalUnit
+
+dn: ou=users,dc=grafana,dc=org
+ou: Users
+objectclass: top
+objectclass: organizationalUnit
--- a/devenv/docker/blocks/openldap-mac/prepopulate/2_users.ldif
+++ b/devenv/docker/blocks/openldap-mac/prepopulate/2_users.ldif
@ -0,0 +1,108 @@
+# ldap-admin
+dn: cn=ldap-admin,ou=users,dc=grafana,dc=org
+mail: ldap-admin@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-admin
+cn: ldap-admin
+
+dn: cn=ldap-editor,ou=users,dc=grafana,dc=org
+mail: ldap-editor@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-editor
+cn: ldap-editor
+
+dn: cn=ldap-viewer,ou=users,dc=grafana,dc=org
+mail: ldap-viewer@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-viewer
+cn: ldap-viewer
+
+dn: cn=ldap-carl,ou=users,dc=grafana,dc=org
+mail: ldap-carl@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-carl
+cn: ldap-carl
+
+dn: cn=ldap-daniel,ou=users,dc=grafana,dc=org
+mail: ldap-daniel@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-daniel
+cn: ldap-daniel
+
+dn: cn=ldap-leo,ou=users,dc=grafana,dc=org
+mail: ldap-leo@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-leo
+cn: ldap-leo
+
+dn: cn=ldap-tobias,ou=users,dc=grafana,dc=org
+mail: ldap-tobias@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-tobias
+cn: ldap-tobias
+
+dn: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+mail: ldap-torkel@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-torkel
+cn: ldap-torkel
+
+# admin for posix group (without support for memberOf attribute)
+dn: uid=ldap-posix-admin,ou=users,dc=grafana,dc=org
+mail: ldap-posix-admin@grafana.com
+userPassword: grafana
+objectclass: top
+objectclass: posixAccount
+objectclass: inetOrgPerson
+homedirectory: /home/ldap-posix-admin
+sn: ldap-posix-admin
+cn: ldap-posix-admin
+uid: ldap-posix-admin
+uidnumber: 1
+gidnumber: 1
+
+# user for posix group (without support for memberOf attribute)
+dn: uid=ldap-posix,ou=users,dc=grafana,dc=org
+mail: ldap-posix@grafana.com
+userPassword: grafana
+objectclass: top
+objectclass: posixAccount
+objectclass: inetOrgPerson
+homedirectory: /home/ldap-posix
+sn: ldap-posix
+cn: ldap-posix
+uid: ldap-posix
+uidnumber: 2
+gidnumber: 2
--- a/devenv/docker/blocks/openldap-mac/prepopulate/3_groups.ldif
+++ b/devenv/docker/blocks/openldap-mac/prepopulate/3_groups.ldif
@ -0,0 +1,43 @@
+dn: cn=admins,ou=groups,dc=grafana,dc=org
+cn: admins
+objectClass: groupOfNames
+objectClass: top
+member: cn=ldap-admin,ou=users,dc=grafana,dc=org
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+
+dn: cn=editors,ou=groups,dc=grafana,dc=org
+cn: editors
+objectClass: groupOfNames
+member: cn=ldap-editor,ou=users,dc=grafana,dc=org
+
+dn: cn=backend,ou=groups,dc=grafana,dc=org
+cn: backend
+objectClass: groupOfNames
+member: cn=ldap-carl,ou=users,dc=grafana,dc=org
+member: cn=ldap-leo,ou=users,dc=grafana,dc=org
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+
+dn: cn=frontend,ou=groups,dc=grafana,dc=org
+cn: frontend
+objectClass: groupOfNames
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+member: cn=ldap-daniel,ou=users,dc=grafana,dc=org
+member: cn=ldap-leo,ou=users,dc=grafana,dc=org
+
+# -- POSIX --
+
+# posix admin group (without support for memberOf attribute)
+dn: cn=posix-admins,ou=groups,dc=grafana,dc=org
+cn: admins
+objectClass: top
+objectClass: posixGroup
+gidNumber: 1
+memberUid: ldap-posix-admin
+
+# posix group (without support for memberOf attribute)
+dn: cn=posix,ou=groups,dc=grafana,dc=org
+cn: viewers
+objectClass: top
+objectClass: posixGroup
+gidNumber: 2
+memberUid: ldap-posix