Add missing ACI and role to LDAP seeds

2022-12-07 14:27:51 +01:00 · 2022-12-07 14:27:51 +01:00 · 76877645ce
commit 76877645ce
parent 7d143fabb8
3 changed files with 40 additions and 18 deletions
--- a/app/services/ldap_service.rb
+++ b/app/services/ldap_service.rb
@ -17,7 +17,7 @@ class LdapService < ApplicationService
    res
  end

-  def delete_all_entries
+  def delete_all_entries!
    if Rails.env.production?
      raise "Mass deletion of entries not allowed in production"
    end
@ -90,6 +90,26 @@ class LdapService < ApplicationService
    add_entry dn, attrs, interactive
  end

+  def reset_directory!
+    if Rails.env.production?
+      raise "Resetting the directory not allowed in production"
+    end
+
+    delete_all_entries!
+
+    user_read_aci = <<-EOS
+(target="ldap:///#{@suffix}")(targetattr="*") (version 3.0; acl "user-read-search-own-attributes"; allow (read,search) userdn="ldap:///self";)
+    EOS
+
+    add_entry @suffix, {
+      dc: "kosmos", objectClass: ["top", "domain"], aci: user_read_aci
+    }, true
+
+    add_entry "cn=users,#{@suffix}", {
+       cn: "users", objectClass: ["top", "organizationalRole"]
+    }, true
+  end
+
  private

  def ldap_client
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -8,14 +8,14 @@ services:
    environment:
      DS_DM_PASSWORD: passthebutter
      SUFFIX_NAME: "dc=kosmos,dc=org"
-  # phpldapadmin:
-  #   image: osixia/phpldapadmin:0.9.0
-  #   ports:
-  #     - "8389:80"
-  #   environment:
-  #     PHPLDAPADMIN_HTTPS: false
-  #     PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap': [{'server': [{'tls': False}, {'port': 3389}]}, {'login': [{'bind_id': 'cn=Directory Manager'}, {'bind_pass': 'passthebutter'}]}]}]"
-  #     PHPLDAPADMIN_LDAP_CLIENT_TLS: false
+  phpldapadmin:
+    image: osixia/phpldapadmin:0.9.0
+    ports:
+      - "8389:80"
+    environment:
+      PHPLDAPADMIN_HTTPS: false
+      PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap': [{'server': [{'tls': False}, {'port': 3389}]}, {'login': [{'bind_id': 'cn=Directory Manager'}, {'bind_pass': 'passthebutter'}]}]}]"
+      PHPLDAPADMIN_LDAP_CLIENT_TLS: false
  # web:
  #   build: .
  #   tty: true
--- a/lib/tasks/ldap.rake
+++ b/lib/tasks/ldap.rake
@ -1,18 +1,20 @@
 namespace :ldap do
-  desc "Set up base entries for LDAP directory"
+  desc "Reset the LDAP directory and set up base entries and default org"
  task seed: :environment do |t, args|
    ldap = LdapService.new

-    ldap.delete_all_entries
-
-    ldap.add_entry "dc=kosmos,dc=org", {
-      dc: "kosmos", objectClass: ["top", "domain"]
-    }, true
-    ldap.add_entry "cn=users,dc=kosmos,dc=org", {
-       cn: "users", objectClass: ["top", "organizationalRole"]
-    }, true
+    # Delete all existing entries and re-add base entries
+    ldap.reset_directory!

    ldap.add_organization "kosmos.org", "Kosmos", true
+
+    # add admin role
+    ldap.add_entry "cn=admin_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org", {
+      objectClass: %w{top LDAPsubentry nsRoleDefinition nsComplexRoleDefinition nsFilteredRoleDefinition},
+      cn: "admin_role",
+      nsRoleFilter: "(&(objectclass=person)(admin=true))",
+      description: "filtered role for admins"
+    }, true
  end

  desc "List user domains/organizations"