Add missing ACI and role to LDAP seeds

app/services/ldap_service.rb

@@ -17,7 +17,7 @@ class LdapService < ApplicationService
     res
   end
 
-  def delete_all_entries
+  def delete_all_entries!
     if Rails.env.production?
       raise "Mass deletion of entries not allowed in production"
     end
@@ -90,6 +90,26 @@ class LdapService < ApplicationService
     add_entry dn, attrs, interactive
   end
 
+  def reset_directory!
+    if Rails.env.production?
+      raise "Resetting the directory not allowed in production"
+    end
+
+    delete_all_entries!
+
+    user_read_aci = <<-EOS
+(target="ldap:///#{@suffix}")(targetattr="*") (version 3.0; acl "user-read-search-own-attributes"; allow (read,search) userdn="ldap:///self";)
+    EOS
+
+    add_entry @suffix, {
+      dc: "kosmos", objectClass: ["top", "domain"], aci: user_read_aci
+    }, true
+
+    add_entry "cn=users,#{@suffix}", {
+       cn: "users", objectClass: ["top", "organizationalRole"]
+    }, true
+  end
+
   private
 
   def ldap_client

docker-compose.yml

@@ -8,14 +8,14 @@ services:
     environment:
       DS_DM_PASSWORD: passthebutter
       SUFFIX_NAME: "dc=kosmos,dc=org"
-  # phpldapadmin:
+  phpldapadmin:
-  #   image: osixia/phpldapadmin:0.9.0
+    image: osixia/phpldapadmin:0.9.0
-  #   ports:
+    ports:
-  #     - "8389:80"
+      - "8389:80"
-  #   environment:
+    environment:
-  #     PHPLDAPADMIN_HTTPS: false
+      PHPLDAPADMIN_HTTPS: false
-  #     PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap': [{'server': [{'tls': False}, {'port': 3389}]}, {'login': [{'bind_id': 'cn=Directory Manager'}, {'bind_pass': 'passthebutter'}]}]}]"
+      PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap': [{'server': [{'tls': False}, {'port': 3389}]}, {'login': [{'bind_id': 'cn=Directory Manager'}, {'bind_pass': 'passthebutter'}]}]}]"
-  #     PHPLDAPADMIN_LDAP_CLIENT_TLS: false
+      PHPLDAPADMIN_LDAP_CLIENT_TLS: false
   # web:
   #   build: .
   #   tty: true

lib/tasks/ldap.rake

@@ -1,18 +1,20 @@
 namespace :ldap do
-  desc "Set up base entries for LDAP directory"
+  desc "Reset the LDAP directory and set up base entries and default org"
   task seed: :environment do |t, args|
     ldap = LdapService.new
 
-    ldap.delete_all_entries
+    # Delete all existing entries and re-add base entries
-
+    ldap.reset_directory!
-    ldap.add_entry "dc=kosmos,dc=org", {
-      dc: "kosmos", objectClass: ["top", "domain"]
-    }, true
-    ldap.add_entry "cn=users,dc=kosmos,dc=org", {
-       cn: "users", objectClass: ["top", "organizationalRole"]
-    }, true
 
     ldap.add_organization "kosmos.org", "Kosmos", true
+
+    # add admin role
+    ldap.add_entry "cn=admin_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org", {
+      objectClass: %w{top LDAPsubentry nsRoleDefinition nsComplexRoleDefinition nsFilteredRoleDefinition},
+      cn: "admin_role",
+      nsRoleFilter: "(&(objectclass=person)(admin=true))",
+      description: "filtered role for admins"
+    }, true
   end
 
   desc "List user domains/organizations"