dinkel
Can't find members of a group, if prepopulation is used
Hi!
I can't get the search of "memberOf" working. My setup using docker-compose is following:
version: "2"
services: openldap: image: dinkel/openldap:latest container_name: openldap environment: SLAPD_ORGANIZATION: "a company" SLAPD_DOMAIN: "rosinad.com" SLAPD_PASSWORD: "admin" SLAPD_CONFIG_PASSWORD: "config" SLAPD_ADDITIONAL_MODULES: "memberof" volumes: - data_openldap:/etc/ldap - data_openldap_config:/var/lib/ldap - ./docker/openldap:/etc/ldap.dist/prepopulate ports: - "389:389"
I have three files in ./docker/openldap: 01-base.ldif, 02-users.ldif and 03-groups.ldif with following content (only important parts are shown):
01-base.ldif: dn: ou=people,dc=rosinad,dc=com objectclass: organizationalUnit ou: People
dn: ou=groups,dc=rosinad,dc=com objectclass: organizationalUnit ou: Groups
02-users.ldif: dn: uid=seagate_user,ou=people,dc=rosinad,dc=com cn: Seagate User sn: User gidnumber: 10000 homedirectory: /home/users/seagate_user objectClass: posixAccount objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person loginShell: /bin/bash uid: seagate_user uidnumber: 1001 userpassword: seagate_user
03-groups.ldif: dn: cn=GPWUSERS,ou=groups,dc=rosinad,dc=com cn: GPWUSERS objectClass: groupofnames member: uid=seagate_user,ou=people,dc=rosinad,dc=com
and search by the query "(&(objectClass=person)(memberOf=cn=GPWUSERS,ou=groups,dc=rosinad,dc=com))" is returning nothing.
But if I manually add the group with member after OpenLDAP is started, then the search is returning that one result.
My guess is that memberOf module is enabled after my files are prepopulated, but if I look at the source code of entrypoint script, then I see that prepopulation is performed in the end of the script.
Could you give me some hints that could be wrong with my approach?
thanks!
i think the easiest solution would be to add your ldif files after the service start, as it seems to make memeberof effective. Or you can build your own image and do somegarage stuff like launching a script in the background that wait 10seconds and then populate the DIT (after the 10 sec, the ldap will be started).
Refactor the entrypoint.sh script?
Edit: Doesn't seem to work, currently struggling with the same problem. Will post an update if I found a solution.
I get these in the logs: 594bf5ec <= bdb_equality_candidates: (memberOf) not indexed
slapadd doesn't work with overlays, like memberOf. So the only workaround I'm aware of would be adding the groups with ldapadd while slapd is running.
I'll add supervisord and add a script which checks if slapd is already running and then injecting the prepopulated data once.
It's working fine when doing the said above. The supervisord script I've written therefore:
https://pastebin.c4s.de/asajafevul.bash
Hi @duketwo
I have the same problem, but I don't fully understand what to do to make your solution work. Could you post a full procedure or a working fork?
Thanks a lot!
i assume you have to delete the prepopulate part of the original entrypoint.sh (the
if [[ "$first_run" == "true" ]]; then if [[ -d "/etc/ldap/prepopulate" ]]; then for file in
ls /etc/ldap/prepopulate/*.ldif; do slapadd -F /etc/ldap/slapd.d -l "$file" done fi fi
block) you also have to run his script from the entrypoint.sh.
@xgodon Unfortunatelly script is gone :( And not clear what was there. Does that require adding some libraries to the image? @duketwo could you please repost it?
https://github.com/duketwo/Shib-Idp/blob/master/ldap/populate.sh
If anybody still needs that
What is possible to do in the entrypoint file is to:
- enable job control by
set -m - start slapd and sent it to background
"$@" & - sleep for 2 seconds…
- instead of
slapadduseldapaddto import prepopulation files- requires ldap-utils to be installed within the dockerfile
- bring slapd back to foreground
fg
It's somewhat ugly though… or @dinkel do you think this would be tolerable to fix the issue?
