docker-openldap-fusiondirectory icon indicating copy to clipboard operation
docker-openldap-fusiondirectory copied to clipboard

Published 20 hours ago verified publisher icon tiredofit

FusionDirectory not initialized properly when overriding BASE_DN

Open bmalynovytch opened this issue 4 years ago • 6 comments

Summary

When BASE_DN is set, as well as DOMAIN, setup gets completely messed up (BASE_DN is overwritten in /assets/custom-scripts/001-install-fusiondirectory.sh). After first init, user FD is absent, either using defined BASE_DN or DOMAIN base value.

Steps to reproduce

Run setting BASE_DN & DOMAIN. ie:

BASE_DN="dc=localdomain"
DOMAIN="mydomain.com"

What is the expected correct behavior?

BASE_DN shouldn't be redefined in /assets/custom-scripts/001-install-fusiondirectory.sh and schemas should work using the provided BASE_DN

Probably related to #25 and maybe #23

bmalynovytch avatar Aug 24 '21 08:08 bmalynovytch

Latest tests seem to enlighten that even if BASE_DN is set to the computed value (which should work seamlessly).

Conclusion is that overriding BASE_DN in env variables just breaks the initial setup.

bmalynovytch avatar Aug 24 '21 08:08 bmalynovytch

This surfaced a few years ago and I sat for an hour before responding to remember how we got to this point in the first place, which I am still at a loss. My Base DN and domains are fairly simple (domain.tld / dc=domain,dc=tld) but anything more than that certainly did make things fall apart at some time. Are you using subdomains at all?

tiredofit avatar Aug 24 '21 14:08 tiredofit

In fact I'm trying to setup something like this:

DOMAIN="mydomain.tld"
BASE_DN="dc=sso"

This is because we will someday need to change the domain and don't want to be stuck with LDAP using a legacy domain, without the need to export/import again to update (as this would have to be done on tens of instances).

For now, I'm setting DOMAIN=sso 😄

bmalynovytch avatar Aug 24 '21 14:08 bmalynovytch

Understood. Once you do it once, stick with it :) Can I recommend a dc=sso,dc=sso to see if that works?

I am really wondering why the heck I am still relying on the DOMAIN env var. I will scan through this code base later today and see if I can rejog my memory.

tiredofit avatar Aug 24 '21 14:08 tiredofit

The part I find the more strange is there: https://github.com/tiredofit/docker-openldap-fusiondirectory/blob/master/install/assets/custom-scripts/001-install-fusiondirectory.sh#L12

I tried to remove the entire block and provide BASE_DN="dc=sso" but the whole script stops working (most of schemas and objects fail to import). I didn't have time to dig further more, it's really strange ^^

bmalynovytch avatar Aug 24 '21 14:08 bmalynovytch

Yup - that 5 line block has been a source of trouble for years sadly. https://github.com/tiredofit/docker-openldap/issues/16 talks about it over a year ago and there's reference it was popping up in 2019. I am really interested in any solutions you are able to come up with.

tiredofit avatar Aug 24 '21 14:08 tiredofit