Update bitnami/openldap/README.md (#75937)
* Update bitnami/openldap/README.md Add documentation for OpenLdap Dyn List and Member Of overlays consideration while using msuser schema Signed-off-by: Philippe Duveau <pduvax@gmail.com>
This commit is contained in:
parent
6a8d0aef6f
commit
9b45607a3e
@ -235,6 +235,42 @@ Check the official page [OpenLDAP, Overlays, Access Logging](https://www.openlda
Check the official page [OpenLDAP, Overlays, Sync Provider](https://www.openldap.org/doc/admin26/overlays.html#Sync%20Provider) for detailed configuration information.

#### Dynamic List or Member Of

The overlays `dynlist` and `memberof` both require the operational `memberOf` attribute to be present in the loaded schema. During initialization, a check is performed for the presence of this attribute; if it is absent, it is created programmatically.

At the same time, the `msuser` schema declares the same attribute. If both the schema and at least one of the overlays are required, a conflict may arise depending on the load order, such as whether the schema is loaded before or after the overlays. If the overlays are loaded first, the process stops and raises a `Duplicate attribute` error.

In a standard {{ .Name }} installation (deb or rpm), its configuration is stored in the main file, which may include another one. In this case, the order is determined by the order of directives.

For configuration flexibility, the container-based approach relies on a file tree structure rather than a master file with includes. To ensure the correct order, the file tree must be read deterministically. Fortunately, Linux sorts folder content using alphanumeric order. This allows overlay loading after the schema by using a keyword that is after `schema` in alphanumeric sorting (i.e. `cn=z-module{N}` will be loaded after `cn=schema` as they are both children of `cn=config`). Doing so, the configuration merging `msuser` schema and `dynlist` (or `memberof`) will load without errors.

IMPORTANT: The `dynlist` requires the schema `dyngroup`. This can be done by adding it to the list of schemas to load through `LDAP_EXTRA_SCHEMAS`.

The following example shows how to declare the module `dynlist` with the support of dynamic (groupOfUrls) and static (groupOfNames) groups. The `olcDatabase={N}mdb` has to be adjusted to the target configuration.

```bash
ldapadd -D "cn=admin,cn=config" -w "configpassword" <<EOF
dn: cn=z-module,cn=config
objectClass: olcModuleList
cn: z-module
olcModuleLoad: dynlist.so
olcModulePath: /opt/bitnami/openldap/lib/openldap

dn: olcOverlay=dynlist,olcDatabase={N}mdb,cn=config
objectClass: olcConfig
objectClass: olcDynListConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: dynlist
olcDynListAttrSet: groupOfUrls memberURL member+memberOf@groupOfNames
EOF
```

This example is compatible with or without the usage of the `msuser` schema.

Check the official page [OpenLDAP, Overlays, Dynamic Lists](https://www.openldap.org/doc/admin26/overlays.html#Dynamic%20Lists) for detailed configuration information.

### Securing OpenLDAP traffic
OpenLDAP clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections and to support LDAP authentication using the SASL EXTERNAL mechanism. Should you desire to enable this optional feature, you may use the following environment variables to configure the application:
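Review bot: the load-order guarantee in the "Fortunately, Linux sorts folder content using alphanumeric order" paragraph is attributed to the wrong component and should be reworded: a directory listing on Linux (readdir) comes back in filesystem-dependent order, not sorted, so the deterministic order readers are relying on is slapd's LDIF-based cn=config backend reading the entry files under `cn=config` in sorted name order. Suggest: "slapd loads the entries under `cn=config` in sorted name order, so `cn=z-module` is loaded after `cn=schema`." In the same paragraph, the prose says `cn=z-module{N}` while the LDIF adds `dn: cn=z-module,cn=config`; it is worth one sentence saying that slapd assigns the `{N}` index itself when the entry is added, so readers do not write it by hand, and that `olcDatabase={N}mdb` is the one placeholder they must replace with the real index of their database. Finally, the example passes the config admin password on the command line (`-w "configpassword"`), which leaves it in the process list and shell history; since this is a how-to that people copy, prefer `-W` (prompt) or `-y <file>` and say that the value is the container's configuration admin password rather than the literal string.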