From 76877645ce28c2b43f2d063d638a319e0e86f26f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 7 Dec 2022 14:27:51 +0100
Subject: [PATCH] Add missing ACI and role to LDAP seeds

---
 app/services/ldap_service.rb | 22 +++++++++++++++++++++-
 docker-compose.yml | 16 ++++++++--------
 lib/tasks/ldap.rake | 20 +++++++++++---------
 3 files changed, 40 insertions(+), 18 deletions(-)

diff --git a/app/services/ldap_service.rb b/app/services/ldap_service.rb
index 713360a..e6507d7 100644
--- a/app/services/ldap_service.rb
+++ b/app/services/ldap_service.rb
@@ -17,7 +17,7 @@ class LdapService < ApplicationService
 res
 end
 
- def delete_all_entries
+ def delete_all_entries!
 if Rails.env.production?
 raise "Mass deletion of entries not allowed in production"
 end
@@ -90,6 +90,26 @@ class LdapService < ApplicationService
 add_entry dn, attrs, interactive
 end
 
+ def reset_directory!
+ if Rails.env.production?
+ raise "Resetting the directory not allowed in production"
+ end
+
+ delete_all_entries!
+
+ user_read_aci = <<-EOS
+(target="ldap:///#{@suffix}")(targetattr="*") (version 3.0; acl "user-read-search-own-attributes"; allow (read,search) userdn="ldap:///self";)
+ EOS
+
+ add_entry @suffix, {
+ dc: "kosmos", objectClass: ["top", "domain"], aci: user_read_aci
+ }, true
+
+ add_entry "cn=users,#{@suffix}", {
+ cn: "users", objectClass: ["top", "organizationalRole"]
+ }, true
+ end
+
 private
 
 def ldap_client
diff --git a/docker-compose.yml b/docker-compose.yml
index a4d5a29..cd2336b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
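Review bot: In the second hunk, `user_read_aci` is built with a `<<-EOS` heredoc, so the value handed to `add_entry @suffix` ends with a newline after the closing `;)`; whether the directory's ACI parser tolerates that trailing newline is not visible here, so either `chomp` it or write the ACI as a plain one-line string. The grant `(targetattr="*") ... allow (read,search) userdn="ldap:///self"` is read-only and limited to the user's own entry, but `*` likely covers `userPassword` and any attribute later used for authorization decisions, so consider narrowing `targetattr` to the attributes users actually need to see about themselves. Both `add_entry` calls hard-code the `interactive` flag to `true`, unlike `add_entry dn, attrs, interactive` in the context above, so `reset_directory!` cannot be driven non-interactively; `def reset_directory!(interactive = true)` and passing it through would keep the seeds usable from scripts. The second production guard duplicates the one already in `delete_all_entries!`, which is acceptable as defence in depth, though the Ruby idiom would be `raise "Resetting the directory not allowed in production" if Rails.env.production?`.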
@@ -8,14 +8,14 @@ services:
 environment:
 DS_DM_PASSWORD: passthebutter
 SUFFIX_NAME: "dc=kosmos,dc=org"
- # phpldapadmin:
- # image: osixia/phpldapadmin:0.9.0
- # ports:
- # - "8389:80"
- # environment:
- # PHPLDAPADMIN_HTTPS: false
- # PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap': [{'server': [{'tls': False}, {'port': 3389}]}, {'login': [{'bind_id': 'cn=Directory Manager'}, {'bind_pass': 'passthebutter'}]}]}]"
- # PHPLDAPADMIN_LDAP_CLIENT_TLS: false
+ phpldapadmin:
+ image: osixia/phpldapadmin:0.9.0
+ ports:
+ - "8389:80"
+ environment:
+ PHPLDAPADMIN_HTTPS: false
+ PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap': [{'server': [{'tls': False}, {'port': 3389}]}, {'login': [{'bind_id': 'cn=Directory Manager'}, {'bind_pass': 'passthebutter'}]}]}]"
+ PHPLDAPADMIN_LDAP_CLIENT_TLS: false
 # web:
 # build: .
 # tty: true
diff --git a/lib/tasks/ldap.rake b/lib/tasks/ldap.rake
index 827b011..a449284 100644
--- a/lib/tasks/ldap.rake
+++ b/lib/tasks/ldap.rake
@@ -1,18 +1,20 @@
 namespace :ldap do
- desc "Set up base entries for LDAP directory"
+ desc "Reset the LDAP directory and set up base entries and default org"
 task seed: :environment do |t, args|
 ldap = LdapService.new
- ldap.delete_all_entries
-
- ldap.add_entry "dc=kosmos,dc=org", {
- dc: "kosmos", objectClass: ["top", "domain"]
- }, true
- ldap.add_entry "cn=users,dc=kosmos,dc=org", {
- cn: "users", objectClass: ["top", "organizationalRole"]
- }, true
+ # Delete all existing entries and re-add base entries
+ ldap.reset_directory!
 ldap.add_organization "kosmos.org", "Kosmos", true
+
+ # add admin role
+ ldap.add_entry "cn=admin_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org", {
+ objectClass: %w{top LDAPsubentry nsRoleDefinition nsComplexRoleDefinition nsFilteredRoleDefinition},
+ cn: "admin_role",
+ nsRoleFilter: "(&(objectclass=person)(admin=true))",
+ description: "filtered role for admins"
+ }, true
 end
 
 desc "List user domains/organizations"
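Review bot: Enabling the `phpldapadmin` service publishes a web UI that binds as `cn=Directory Manager` with the password embedded in `PHPLDAPADMIN_LDAP_HOSTS`, over plain HTTP (`PHPLDAPADMIN_HTTPS: false`), and `- "8389:80"` maps it to every host interface. If this compose file is only meant for local development, as the commented-out `web` service suggests, the port mapping should at least be restricted to loopback: `- "127.0.0.1:8389:80"`. The same `passthebutter` value now appears twice in the file (`DS_DM_PASSWORD` and the phpldapadmin bind_pass), so a single source such as a `.env` variable would keep the two from drifting when the development password is changed.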