From 52904151f12f21bbbf802d5afcdef928b971c1c3 Mon Sep 17 00:00:00 2001
From: linoman <2051016+linoman@users.noreply.github.com>
Date: Thu, 18 Aug 2022 12:31:19 +0200
Subject: [PATCH] Update open ldap for macos (#53819)
* Add new OpenLDAP Docker block for macOS
* Add preconfigured users, groups and modules
* Add README
---
 devenv/docker/blocks/openldap-mac/README.md | 56 +++++++++
 .../blocks/openldap-mac/docker-compose.yaml | 15 +++
 .../blocks/openldap-mac/modules/memberof.ldif | 33 ++++++
 .../openldap-mac/prepopulate/1_units.ldif | 9 ++
 .../openldap-mac/prepopulate/2_users.ldif | 108 ++++++++++++++++++
 .../openldap-mac/prepopulate/3_groups.ldif | 43 +++++++
 6 files changed, 264 insertions(+)
 create mode 100644 devenv/docker/blocks/openldap-mac/README.md
 create mode 100644 devenv/docker/blocks/openldap-mac/docker-compose.yaml
 create mode 100644 devenv/docker/blocks/openldap-mac/modules/memberof.ldif
 create mode 100644 devenv/docker/blocks/openldap-mac/prepopulate/1_units.ldif
 create mode 100644 devenv/docker/blocks/openldap-mac/prepopulate/2_users.ldif
 create mode 100644 devenv/docker/blocks/openldap-mac/prepopulate/3_groups.ldif
diff --git a/devenv/docker/blocks/openldap-mac/README.md b/devenv/docker/blocks/openldap-mac/README.md
new file mode 100644
index 00000000000..eb9f63191e4
--- /dev/null
+++ b/devenv/docker/blocks/openldap-mac/README.md
@@ -0,0 +1,56 @@
+# OpenLDAP for MacOS Docker Block
+
+This Docker block is an updated version from [OpenLDAP](../openldap/) block. This Docker block uses `osixia/openldap` image. The original Docker block was based of `debian:jessie` which is not available for Apple's ARM chip.
+
+## Deployment
+
+First build and deploy the `openldap` container.
+
+```bash
+make devenv sources=openldap-mac
+```
+
+### Exposed ports
+
+The container will expose port `389` and `636`.
+
+### Background services
+
+The `osixia/openldap` container will update the database with any `*.ldif` file changes inside `./prepopulate` and the `./modules` folder. Remember to rebuild the `devenv` to apply any changes.
+
+## Grafana configuration changes
+
+The following changes are needed at Grafana's configuration file.
+
+```ini
+[auth.ldap]
+enabled = true
+config_file = conf/ldap_dev.toml
+```
+
+The configuration between Grafana and the OpenLDAP container is configured at [./conf/ldap.toml](../../../../conf/ldap.toml).
+
+## Available users and groups
+
+- admins
+ - ldap-admin
+ - ldap-torkel
+- backend
+ - ldap-carl
+ - ldap-torkel
+ - ldap-leo
+- frontend
+ - ldap-torkel
+ - ldap-tobias
+ - ldap-daniel
+- editors
+ - ldap-editors
+- no groups
+ - ldap-viewer
+
+## Groups & Users (POSIX)
+
+- admins
+ - ldap-posix-admin
+- no groups
+ - ldap-posix
\ No newline at end of file
diff --git a/devenv/docker/blocks/openldap-mac/docker-compose.yaml b/devenv/docker/blocks/openldap-mac/docker-compose.yaml
new file mode 100644
index 00000000000..f6fd258afbc
--- /dev/null
+++ b/devenv/docker/blocks/openldap-mac/docker-compose.yaml
@@ -0,0 +1,15 @@
+ openldap-mac:
+ container_name: ldap
+ image: osixia/openldap
+ environment:
+ LDAP_ORGANISATION: grafana
+ LDAP_DOMAIN: grafana.org
+ LDAP_ADMIN_PASSWORD: grafana
+ LDAP_SEED_INTERNAL_LDIF_PATH: /tmp/smt/
+ ports:
+ - 389:389
+ - 636:636
+ restart: unless-stopped
+ volumes:
+ - ./docker/blocks/openldap-mac/prepopulate/:/tmp/smt/
+ - ./docker/blocks/openldap-mac/modules/:/tmp/smt/
diff --git a/devenv/docker/blocks/openldap-mac/modules/memberof.ldif b/devenv/docker/blocks/openldap-mac/modules/memberof.ldif
new file mode 100644
index 00000000000..fd9cce957c3
--- /dev/null
+++ b/devenv/docker/blocks/openldap-mac/modules/memberof.ldif
@@ -0,0 +1,33 @@
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: memberof.la
+
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: refint.la
+
+dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof member manager owner
diff --git a/devenv/docker/blocks/openldap-mac/prepopulate/1_units.ldif b/devenv/docker/blocks/openldap-mac/prepopulate/1_units.ldif
new file mode 100644
index 00000000000..22e06303688
--- /dev/null
+++ b/devenv/docker/blocks/openldap-mac/prepopulate/1_units.ldif
@@ -0,0 +1,9 @@
+dn: ou=groups,dc=grafana,dc=org
+ou: Groups
+objectclass: top
+objectclass: organizationalUnit
+
+dn: ou=users,dc=grafana,dc=org
+ou: Users
+objectclass: top
+objectclass: organizationalUnit
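Review bot: Both `volumes` entries map different host directories onto the same container path `/tmp/smt/`, so depending on the Docker/Compose version the second mount either shadows `prepopulate/` or the service refuses to start with a duplicate mount point, and the README's claim that both folders are seeded is unlikely to hold as written. Give each directory its own target (for example `/tmp/smt/prepopulate/` and `/tmp/smt/modules/`) if the image's seed logic walks subdirectories — that needs confirming against the osixia startup script — otherwise keep both sets of files in one host directory. Two smaller points: `image: osixia/openldap` carries no tag, so the dev environment drifts with `latest`, and `389:389`/`636:636` bind on every host interface while `LDAP_ADMIN_PASSWORD: grafana` is fixed; `- 127.0.0.1:389:389` and `- 127.0.0.1:636:636` keep the fixture reachable from the host only.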
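Review bot: The two `dn: cn=module,cn=config` records are both plain add entries with the same DN, so whatever tool seeds this file will reject the second one (the refint module) as already existing; fold `olcModuleLoad: refint.la` into the first record as a second `olcModuleLoad:` line, or make the second record a `changetype: modify` / `add: olcModuleLoad` change. Both overlays also target `olcDatabase={1}hdb`, while recent `osixia/openldap` releases use the mdb backend (`olcDatabase={1}mdb`) and already enable memberof/refint in their own bootstrap, so this file may either fail to apply or duplicate an existing overlay — worth confirming against the image version actually pulled. The naming is also uneven: `olcOverlay: memberof` has no ordering prefix while the refint entry writes `olcOverlay: {1}refint`.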
diff --git a/devenv/docker/blocks/openldap-mac/prepopulate/2_users.ldif b/devenv/docker/blocks/openldap-mac/prepopulate/2_users.ldif
new file mode 100644
index 00000000000..a13614428b7
--- /dev/null
+++ b/devenv/docker/blocks/openldap-mac/prepopulate/2_users.ldif
@@ -0,0 +1,108 @@
+# ldap-admin
+dn: cn=ldap-admin,ou=users,dc=grafana,dc=org
+mail: ldap-admin@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-admin
+cn: ldap-admin
+
+dn: cn=ldap-editor,ou=users,dc=grafana,dc=org
+mail: ldap-editor@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-editor
+cn: ldap-editor
+
+dn: cn=ldap-viewer,ou=users,dc=grafana,dc=org
+mail: ldap-viewer@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-viewer
+cn: ldap-viewer
+
+dn: cn=ldap-carl,ou=users,dc=grafana,dc=org
+mail: ldap-carl@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-carl
+cn: ldap-carl
+
+dn: cn=ldap-daniel,ou=users,dc=grafana,dc=org
+mail: ldap-daniel@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-daniel
+cn: ldap-daniel
+
+dn: cn=ldap-leo,ou=users,dc=grafana,dc=org
+mail: ldap-leo@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-leo
+cn: ldap-leo
+
+dn: cn=ldap-tobias,ou=users,dc=grafana,dc=org
+mail: ldap-tobias@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-tobias
+cn: ldap-tobias
+
+dn: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+mail: ldap-torkel@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-torkel
+cn: ldap-torkel
+
+# admin for posix group (without support for memberOf attribute)
+dn: uid=ldap-posix-admin,ou=users,dc=grafana,dc=org
+mail: ldap-posix-admin@grafana.com
+userPassword: grafana
+objectclass: top
+objectclass: posixAccount
+objectclass: inetOrgPerson
+homedirectory: /home/ldap-posix-admin
+sn: ldap-posix-admin
+cn: ldap-posix-admin
+uid: ldap-posix-admin
+uidnumber: 1
+gidnumber: 1
+
+# user for posix group (without support for memberOf attribute)
+dn: uid=ldap-posix,ou=users,dc=grafana,dc=org
+mail: ldap-posix@grafana.com
+userPassword: grafana
+objectclass: top
+objectclass: posixAccount
+objectclass: inetOrgPerson
+homedirectory: /home/ldap-posix
+sn: ldap-posix
+cn: ldap-posix
+uid: ldap-posix
+uidnumber: 2
+gidnumber: 2
diff --git a/devenv/docker/blocks/openldap-mac/prepopulate/3_groups.ldif b/devenv/docker/blocks/openldap-mac/prepopulate/3_groups.ldif
new file mode 100644
index 00000000000..90fcca3f133
--- /dev/null
+++ b/devenv/docker/blocks/openldap-mac/prepopulate/3_groups.ldif
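Review bot: The only header comment in this file is `# ldap-admin` on the first entry, and nothing states that every account carries the cleartext `userPassword: grafana`, which a reader has to reconcile with the bind settings in `conf/ldap_dev.toml` (presumably, going by the README); a file header such as `# Dev-only fixture: every account uses the password "grafana"; keep in sync with conf/ldap_dev.toml` would make that explicit. The two POSIX entries also switch to lowercase attribute names (`objectclass`, `homedirectory`, `uidnumber`) where the entries above write `objectClass`; LDAP compares attribute names case-insensitively, so this is style only, but one spelling throughout reads better.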
@@ -0,0 +1,43 @@
+dn: cn=admins,ou=groups,dc=grafana,dc=org
+cn: admins
+objectClass: groupOfNames
+objectClass: top
+member: cn=ldap-admin,ou=users,dc=grafana,dc=org
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+
+dn: cn=editors,ou=groups,dc=grafana,dc=org
+cn: editors
+objectClass: groupOfNames
+member: cn=ldap-editor,ou=users,dc=grafana,dc=org
+
+dn: cn=backend,ou=groups,dc=grafana,dc=org
+cn: backend
+objectClass: groupOfNames
+member: cn=ldap-carl,ou=users,dc=grafana,dc=org
+member: cn=ldap-leo,ou=users,dc=grafana,dc=org
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+
+dn: cn=frontend,ou=groups,dc=grafana,dc=org
+cn: frontend
+objectClass: groupOfNames
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+member: cn=ldap-daniel,ou=users,dc=grafana,dc=org
+member: cn=ldap-leo,ou=users,dc=grafana,dc=org
+
+# -- POSIX --
+
+# posix admin group (without support for memberOf attribute)
+dn: cn=posix-admins,ou=groups,dc=grafana,dc=org
+cn: admins
+objectClass: top
+objectClass: posixGroup
+gidNumber: 1
+memberUid: ldap-posix-admin
+
+# posix group (without support for memberOf attribute)
+dn: cn=posix,ou=groups,dc=grafana,dc=org
+cn: viewers
+objectClass: top
+objectClass: posixGroup
+gidNumber: 2
+memberUid: ldap-posix
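Review bot: The two POSIX groups name themselves differently in the DN and in the `cn` attribute — `dn: cn=posix-admins,...` carries `cn: admins`, and `dn: cn=posix,...` carries `cn: viewers`. slapd normally requires the RDN value to be present in the entry, so these adds are likely to be refused with a naming violation, and even if accepted a `(cn=admins)` group search would match both this entry and the `groupOfNames` group above; `cn: posix-admins` and `cn: posix` would match their DNs — verify against what the seeded container actually contains. The membership here also disagrees with the README: `frontend` lists ldap-leo rather than ldap-tobias, leaving ldap-tobias in no group, so one of the two should be corrected. Minor: `admins` declares `objectClass: top` while `editors`, `backend` and `frontend` do not.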