LDAP groups should be in a different OU than users #19716

Closed
jamshid opened this issue Jan 9, 2023 · 12 comments · Fixed by #75245 or #77099

@jamshid
Contributor

jamshid commented Jan 9, 2023

Name and Version

bitnami/openldap:2.6

What steps will reproduce the bug?

Create an LDAP container with a user and group. Why are groups in the same OU as users?

What is the expected behavior?

Groups should be under a different ou, not users or people, right? E.g.
https://serverfault.com/questions/87079/openldap-posix-groups-account

# User primary group
dn: cn=ussergroup,ou=groups,dc=me,dc=com
...
# User account
dn: uid=user,ou=users,dc=me,dc=com

Please add a LDAP_GROUP_OU similar to LDAP_USER_DC and use that in the template.
Btw LDAP_USER_DC should probably be renamed to "LDAP_USER_OU", since it defaults to ou=users not a dc?

What do you see instead?

dn: cn=mygroup,ou=users,dc=example,dc=org

Additional information

This originally came up in https://github.com/bitnami/bitnami-docker-openldap/issues/2

@jamshid jamshid added the tech-issues The user has a technical issue about an application label Jan 9, 2023
@github-actions github-actions bot added the triage Triage is needed label Jan 9, 2023
@carrodher
Member

Thanks for reporting this issue. Would you like to contribute by creating a PR to solve the issue? The Bitnami team will be happy to review it and provide feedback. Here you can find the contributing guidelines.

@github-actions

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Jan 26, 2023
@github-actions

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

@jamshid
Contributor Author

jamshid commented Feb 8, 2025

@dgomezleon @barsikus007 this issue was not fixed. The env var was changed but the group created is still in ou=users instead of ou=groups. Adding -e LDAP_GROUP_OU=groups does not help.

docker run -d --name openldap -p 1389:1389 bitnami/openldap:latest

$ curl 'ldap://localhost:1389/dc=example,dc=org?*?sub?(objectclass=*)'
DN: ou=users,dc=example,dc=org
	objectClass: organizationalUnit

	ou: users

DN: cn=user01,ou=users,dc=example,dc=org
...
DN: cn=readers,ou=users,dc=example,dc=org
	cn: readers

	objectClass: groupOfNames

	member: cn=user01,ou=users,dc=example,dc=org
	member: cn=user02,ou=users,dc=example,dc=org

There should be a
DN: ou=groups,dc=example,dc=org
and that's where the readers group should live:
DN: cn=readers,ou=groups,dc=example,dc=org

jamshid added a commit to jamshid/bitnami-containers that referenced this issue Feb 8, 2025
Fix remaining bug leading to groups being in the LDAP_USER_OU instead of LDAP_GROUP_OU. bitnami#19716

Signed-off-by: jamshid <[email protected]>
@jamshid
Contributor Author

jamshid commented Feb 8, 2025

Here's the bug -- group creation is still referencing LDAP_USER_OU:

dn: ${LDAP_GROUP/#/cn=},${LDAP_USER_OU/#/ou=},${LDAP_ROOT}

I made a PR @dgomezleon @barsikus007 lmk if any problems:
#77099
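
The template bug quoted in the comment above, reproduced as an added example (not part of the thread and not code from the Bitnami repository), together with a check that flags group entries sitting outside the group OU. The fixed template line is an assumed shape of the correction, and `misplaced_groups` and `sample_entries` are hypothetical helper names; the sample entries are constructed to resemble the curl output pasted earlier in the thread.

```shell
#!/usr/bin/env bash
# Added example; values mirror the defaults shown in the thread.
# ${VAR/#/prefix} is bash-only, so re-exec under bash if started by plain sh.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

LDAP_ROOT="dc=example,dc=org"
LDAP_USER_OU="users"
LDAP_GROUP_OU="groups"
LDAP_GROUP="readers"

# "/#/" anchors an empty pattern at the start of the value, so it prepends text.
# Line quoted in the thread: the group RDN is joined to the *user* OU.
buggy_group_dn() { printf '%s\n' "${LDAP_GROUP/#/cn=},${LDAP_USER_OU/#/ou=},${LDAP_ROOT}"; }
# Assumed shape of the corrected line: same template, group OU instead.
fixed_group_dn() { printf '%s\n' "${LDAP_GROUP/#/cn=},${LDAP_GROUP_OU/#/ou=},${LDAP_ROOT}"; }

# Reads curl-style LDAP output (a "DN:" line, then indented attributes) on stdin
# and prints every groupOfNames entry whose parent is not the group OU.
# Simplification: RDN values containing escaped commas are not handled.
misplaced_groups() {
  awk -v want="ou=${LDAP_GROUP_OU},${LDAP_ROOT}" '
    function emit(   parent) {
      if (dn != "" && isgroup) {
        parent = dn; sub(/^[^,]*,/, "", parent)
        if (tolower(parent) != tolower(want)) print dn
      }
      dn = ""; isgroup = 0
    }
    /^DN:/ { emit(); dn = $0; sub(/^DN:[ \t]*/, "", dn); next }
    tolower($0) ~ /^[ \t]+objectclass:[ \t]*groupofnames[ \t]*$/ { isgroup = 1 }
    END { emit() }'
}

# Constructed sample input, modelled on the output pasted in the thread.
sample_entries() {  # $1 = OU that holds the readers group
  printf 'DN: ou=users,dc=example,dc=org\n\tobjectClass: organizationalUnit\n\n'
  printf 'DN: cn=user01,ou=users,dc=example,dc=org\n\tobjectClass: inetOrgPerson\n\n'
  printf 'DN: cn=readers,ou=%s,dc=example,dc=org\n\tobjectClass: groupOfNames\n' "$1"
  printf '\tmember: cn=user01,ou=users,dc=example,dc=org\n'
}

echo "buggy template: $(buggy_group_dn)"
echo "fixed template: $(fixed_group_dn)"
echo "misplaced groups before the fix:"
sample_entries users | misplaced_groups
```

Piping the real `curl 'ldap://localhost:1389/dc=example,dc=org?*?sub?(objectclass=*)'` output into `misplaced_groups` gives the same check against a running container.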

alvneiayu pushed a commit that referenced this issue Feb 10, 2025
Fix remaining bug leading to groups being in the LDAP_USER_OU instead of LDAP_GROUP_OU. #19716

Signed-off-by: jamshid <[email protected]>
@jamshid
Contributor Author

jamshid commented Feb 10, 2025

Thanks @alvneiayu for merging the PR. Any idea when a new bitnami/openldap image build (2.6.10?) will be available?

@carrodher
Member

The latest tags were pushed some hours ago, see https://hub.docker.com/r/bitnami/openldap/tags

@jamshid
Contributor Author

jamshid commented Feb 11, 2025

Thanks @carrodher but is there something else that has to be done to get the change into bitnami/openldap:latest? It's still using the old code:

% docker pull bitnami/openldap:latest
latest: Pulling from bitnami/openldap
Digest: sha256:e1929afbb392b76baa1c4508bdaff613423b478620a7130d28c4cd9f39fef084
Status: Image is up to date for bitnami/openldap:latest
docker.io/bitnami/openldap:latest

% docker run bitnami/openldap:latest fgrep 'dn: ${LDAP_GROUP/' opt/bitnami/scripts/libopenldap.sh

dn: ${LDAP_GROUP/#/cn=},${LDAP_USER_OU/#/ou=},${LDAP_ROOT}

@jamshid
Contributor Author

jamshid commented Feb 11, 2025

Ah this bitnami-bot commit reverted my change. IDK why. Just asked on the commit.

Maybe it is rebuilding 2.6.9 for some reason and doesn't want to introduce a change. But seems it shouldn't break/revert what's on main.

f05a597

commit f05a5976bde823582ed29ce1d3a7bb8a7c60d9bd
Author: Bitnami Bot <[email protected]>
Date:   Mon Feb 10 20:31:38 2025 +0100

    [bitnami/openldap] Release openldap-2.6.9-debian-12-r4 (#77147)
    
    Signed-off-by: Bitnami Bot <[email protected]>

commit d8158d6a510a222cbb5f36bd4abf3b378343e1e6

@alvneiayu
Contributor

Hi @jamshid

No worries, I will fix it.

Sorry for the inconvenience

Alvaro

@alvneiayu
Contributor

alvneiayu commented Feb 12, 2025

here we go @jamshid

https://github.com/bitnami/containers/blob/main/bitnami/openldap/2.6/debian-12/rootfs/opt/bitnami/scripts/libopenldap.sh#L579

Sorry for the noise. My fault. Now the container is already released. And again, thanks a lot for your contribution.

@jamshid
Contributor Author

jamshid commented Feb 12, 2025

Thanks @alvneiayu! I confirmed bitnami/openldap:latest is correct. Hopefully it gets a release tag like 2.6.10 soon so users can pin to it.

beertje44 pushed a commit to beertje44/bitnami-containers that referenced this issue Feb 12, 2025
Fix remaining bug leading to groups being in the LDAP_USER_OU instead of LDAP_GROUP_OU. bitnami#19716

Signed-off-by: jamshid <[email protected]>