From ce337661b9ddc618e7391d5b132e209c601f3d29 Mon Sep 17 00:00:00 2001
From: Martin Heide
Date: Mon, 13 Jul 2020 15:33:35 +0000
Subject: [PATCH 1/4] Add missing slapd.sh script from LDAP docs, and convert it to using Docker
Signed-off-by: Martin Heide
---
Documentation/connectors/ldap.md | 2 +-
examples/config-ldap.ldif | 12 ++++----
examples/config-ldap.yaml | 2 +-
scripts/slapd.sh | 50 ++++++++++++++++++++++++++++++++
4 files changed, 59 insertions(+), 7 deletions(-)
create mode 100755 scripts/slapd.sh
diff --git a/Documentation/connectors/ldap.md b/Documentation/connectors/ldap.md
index e69c3005..c1c102f1 100644
--- a/Documentation/connectors/ldap.md
+++ b/Documentation/connectors/ldap.md
@@ -13,7 +13,7 @@ The connector executes two primary queries:
 The dex repo contains a basic LDAP setup using [OpenLDAP][openldap].
-First start the LDAP server using the example script. This will run the OpenLDAP daemon and seed it with an initial set of users.
+First start the LDAP server using the example script. This will run the OpenLDAP daemon in a Docker container, and seed it with an initial set of users.
 ```
 ./scripts/slapd.sh
diff --git a/examples/config-ldap.ldif b/examples/config-ldap.ldif
index 55cc81f9..8840bf80 100644
--- a/examples/config-ldap.ldif
+++ b/examples/config-ldap.ldif
@@ -1,8 +1,10 @@
-dn: dc=example,dc=org
-objectClass: dcObject
-objectClass: organization
-o: Example Company
-dc: example
+# Already included in default config of Docker image osixia/openldap:1.4.0.
+#
+# dn: dc=example,dc=org
+# objectClass: dcObject
+# objectClass: organization
+# o: Example Company
+# dc: example
 dn: ou=People,dc=example,dc=org
 objectClass: organizationalUnit
diff --git a/examples/config-ldap.yaml b/examples/config-ldap.yaml
index 05265b4b..f35465ad 100644
--- a/examples/config-ldap.yaml
+++ b/examples/config-ldap.yaml
@@ -11,7 +11,7 @@ connectors:
 name: OpenLDAP
 id: ldap
 config:
- host: localhost:10389
+ host: localhost:389
 # No TLS for this setup.
 insecureNoSSL: true
diff --git a/scripts/slapd.sh b/scripts/slapd.sh
new file mode 100755
index 00000000..6d2e774d
--- /dev/null
+++ b/scripts/slapd.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+#
+# Start an OpenLDAP container and populate it with example entries.
+# https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md
+#
+# Usage:
+# slapd.sh Kill a possibly preexisting "ldap" container, start a new one, and populate the directory.
+# slapd.sh --keep Same, but keep the container if it is already running.
+#
+set -eu
+cd -- "$(dirname "$0")/.."
+
+keep_running=
+if [ $# -gt 0 ] && [ "$1" = "--keep" ]; then
+ keep_running=1
+fi
+
+if [ -z "$keep_running" ] || [ "$(docker inspect --format="{{.State.Running}}" ldap 2> /dev/null)" != "true" ]; then
+ echo "LDAP container not running, or running and --keep not specified."
+ echo "Removing old LDAP container (if any)..."
+ docker rm --force ldap || true
+ echo "Starting LDAP container..."
+ # Currently the most popular OpenLDAP image on Docker Hub. Comes with the latest version OpenLDAP 2.4.50.
+ docker run -p 389:389 -p 636:636 -v $PWD:$PWD --name ldap --detach osixia/openldap:1.4.0
+
+ tries=1
+ max_tries=10
+ echo "Waiting for LDAP container ($tries/$max_tries)..."
+ # Wait until expected line "structuralObjectClass: organization" shows up.
+ # Seems to work more reliably than waiting for exit code 0. That would be:
+ # while ! docker exec ldap slapcat -b "dc=example,dc=org" > /dev/null 2>&1; do
+ while [[ ! "$(docker exec ldap slapcat -b "dc=example,dc=org" 2>/dev/null)" =~ organization ]]; do
+ ((++tries))
+ if [ "$tries" -gt "$max_tries" ]; then
+ echo "ERROR: Timeout waiting for LDAP container."
+ exit 1
+ fi
+ sleep 1
+ echo "Waiting for LDAP container ($tries/$max_tries)..."
+ done
+fi
+
+echo "Adding example entries to directory..."
+set -x
+docker exec ldap ldapadd \
+ -x \
+ -D "cn=admin,dc=example,dc=org" \
+ -w admin \
+ -H ldap://localhost:389/ \
+ -f $PWD/examples/config-ldap.ldif
From b4d22bf1b2f68feff67a316038a4530832d72c4c Mon Sep 17 00:00:00 2001
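Review bot: `docker run ... -v $PWD:$PWD` and the later `-f $PWD/examples/config-ldap.ldif` leave `$PWD` unquoted, so a checkout whose path contains whitespace splits the mount spec and the file argument into several words; quote them as `-v "$PWD:$PWD"` and `-f "$PWD/examples/config-ldap.ldif"`. The same two unquoted expansions are carried over unchanged into the PATCH 2/4 hunk of this file. `-p 389:389 -p 636:636` publishes the directory, which this script seeds and binds to with the fixed password `-w admin`, on every host interface; for a local development fixture `-p 127.0.0.1:389:389 -p 127.0.0.1:636:636` keeps it reachable only from the host, and a comment on that line saying why would stop the next editor from widening it again.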
From: Martin Heide
Date: Mon, 13 Jul 2020 15:40:56 +0000
Subject: [PATCH 2/4] Improve script logging
Signed-off-by: Martin Heide
---
scripts/slapd.sh | 64 ++++++++++++++++++++++++++---------------------
1 file changed, 35 insertions(+), 29 deletions(-)
diff --git a/scripts/slapd.sh b/scripts/slapd.sh
index 6d2e774d..da3fffdf 100755
--- a/scripts/slapd.sh
+++ b/scripts/slapd.sh
@@ -10,41 +10,47 @@
 set -eu
 cd -- "$(dirname "$0")/.."
+run_cmd() {
+ echo ">" "$@" >&2
+ "$@"
+}
+
 keep_running=
 if [ $# -gt 0 ] && [ "$1" = "--keep" ]; then
- keep_running=1
+ keep_running=1
 fi
 if [ -z "$keep_running" ] || [ "$(docker inspect --format="{{.State.Running}}" ldap 2> /dev/null)" != "true" ]; then
- echo "LDAP container not running, or running and --keep not specified."
- echo "Removing old LDAP container (if any)..."
- docker rm --force ldap || true
- echo "Starting LDAP container..."
- # Currently the most popular OpenLDAP image on Docker Hub. Comes with the latest version OpenLDAP 2.4.50.
- docker run -p 389:389 -p 636:636 -v $PWD:$PWD --name ldap --detach osixia/openldap:1.4.0
+ echo "LDAP container not running, or running and --keep not specified."
+ echo "Removing old LDAP container (if any)..."
+ run_cmd docker rm --force ldap || true
+ echo "Starting LDAP container..."
+ # Currently the most popular OpenLDAP image on Docker Hub. Comes with the latest version OpenLDAP 2.4.50.
+ run_cmd docker run -p 389:389 -p 636:636 -v $PWD:$PWD --name ldap --detach osixia/openldap:1.4.0
- tries=1
- max_tries=10
- echo "Waiting for LDAP container ($tries/$max_tries)..."
- # Wait until expected line "structuralObjectClass: organization" shows up.
- # Seems to work more reliably than waiting for exit code 0. That would be:
- # while ! docker exec ldap slapcat -b "dc=example,dc=org" > /dev/null 2>&1; do
- while [[ ! "$(docker exec ldap slapcat -b "dc=example,dc=org" 2>/dev/null)" =~ organization ]]; do
- ((++tries))
- if [ "$tries" -gt "$max_tries" ]; then
- echo "ERROR: Timeout waiting for LDAP container."
- exit 1
- fi
- sleep 1
- echo "Waiting for LDAP container ($tries/$max_tries)..."
- done
+ tries=1
+ max_tries=10
+ echo "Waiting for LDAP container ($tries/$max_tries)..."
+ # Wait until expected line "structuralObjectClass: organization" shows up.
+ # Seems to work more reliably than waiting for exit code 0. That would be:
+ # while ! 
docker exec ldap slapcat -b "dc=example,dc=org" > /dev/null 2>&1; do
+ while [[ ! "$(docker exec ldap slapcat -b "dc=example,dc=org" 2>/dev/null)" =~ organization ]]; do
+ ((++tries))
+ if [ "$tries" -gt "$max_tries" ]; then
+ echo "ERROR: Timeout waiting for LDAP container."
+ exit 1
+ fi
+ sleep 1
+ echo "Waiting for LDAP container ($tries/$max_tries)..."
+ done
 fi
 echo "Adding example entries to directory..."
-set -x
-docker exec ldap ldapadd \
- -x \
- -D "cn=admin,dc=example,dc=org" \
- -w admin \
- -H ldap://localhost:389/ \
- -f $PWD/examples/config-ldap.ldif
+run_cmd docker exec ldap ldapadd \
+ -x \
+ -D "cn=admin,dc=example,dc=org" \
+ -w admin \
+ -H ldap://localhost:389/ \
+ -f $PWD/examples/config-ldap.ldif
+
+echo "OK."
From 705cf8bb6a6cdd2bc167769590f93b307bb64d40 Mon Sep 17 00:00:00 2001
From: Martin Heide
Date: Wed, 15 Jul 2020 09:37:54 +0000
Subject: [PATCH 3/4] Rework to use docker-compose
Signed-off-by: Martin Heide
---
Documentation/connectors/ldap.md | 9 +++--
examples/{ => ldap}/config-ldap.ldif | 0
examples/{ => ldap}/config-ldap.yaml | 0
examples/ldap/docker-compose.yaml | 17 +++++++++
scripts/slapd.sh | 56 ----------------------------
5 files changed, 22 insertions(+), 60 deletions(-)
rename examples/{ => ldap}/config-ldap.ldif (100%)
rename examples/{ => ldap}/config-ldap.yaml (100%)
create mode 100644 examples/ldap/docker-compose.yaml
delete mode 100755 scripts/slapd.sh
diff --git a/Documentation/connectors/ldap.md b/Documentation/connectors/ldap.md
index c1c102f1..5c74a319 100644
--- a/Documentation/connectors/ldap.md
+++ b/Documentation/connectors/ldap.md
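Review bot: `run_cmd` logs its arguments with `echo ">" "$@" >&2`, which prints each word bare, so any argument that contained whitespace or shell metacharacters is shown without the quoting it needs and the echoed line cannot be pasted back to reproduce the command; `printf '>' >&2; printf ' %q' "$@" >&2; printf '\n' >&2` prints every word shell-quoted. Like the `set -x` it replaces, the helper also writes the bind password (`-w admin`) to stderr on every run, which is fine for this fixed demo credential but worth stating in a comment above `run_cmd()`, e.g. `# Echoes the full command line, secrets included — only use for demo commands.`, so it is not reused for a command that takes a real one. The `--keep` handling and the `cd` at the top of the script sit outside this hunk.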
@@ -13,16 +13,17 @@ The connector executes two primary queries:
 The dex repo contains a basic LDAP setup using [OpenLDAP][openldap].
-First start the LDAP server using the example script. This will run the OpenLDAP daemon in a Docker container, and seed it with an initial set of users.
+First start the LDAP server using docker-compose. This will run the OpenLDAP daemon in a Docker container, and seed it with an initial set of users.
 ```
-./scripts/slapd.sh
+cd examples/ldap
+docker-compose up
 ```
-This script sets the LDAP daemon to debug mode, and is expected to print several error messages which are normal. Once the server is up, run dex.
+This container is expected to print several warning messages which are normal. Once the server is up, run dex in another terminal.
 ```
-./bin/dex serve examples/config-ldap.yaml
+./bin/dex serve examples/ldap/config-ldap.yaml
 ```
 Then run the OAuth client in another terminal.
diff --git a/examples/config-ldap.ldif b/examples/ldap/config-ldap.ldif
similarity index 100%
rename from examples/config-ldap.ldif
rename to examples/ldap/config-ldap.ldif
diff --git a/examples/config-ldap.yaml b/examples/ldap/config-ldap.yaml
similarity index 100%
rename from examples/config-ldap.yaml
rename to examples/ldap/config-ldap.yaml
diff --git a/examples/ldap/docker-compose.yaml b/examples/ldap/docker-compose.yaml
new file mode 100644
index 00000000..7cb4e658
--- /dev/null
+++ b/examples/ldap/docker-compose.yaml
@@ -0,0 +1,17 @@
+version: "3"
+
+services:
+ ldap:
+ image: osixia/openldap:1.4.0
+ # Copying is required because the entrypoint modifies the *.ldif files.
+ # For verbose output, use:
+ #command: ["--copy-service", "--loglevel", "debug"]
+ command: ["--copy-service"]
+ volumes:
+ # https://github.com/osixia/docker-openldap#seed-ldap-database-with-ldif
+ # Option 1: Add additional seed file by mounting to /container/service/slapd/assets/config/bootstrap/ldif/custom/
+ # Option 2: Overwrite default seed file by mounting to /container/service/slapd/assets/config/bootstrap/ldif/
+ - ./config-ldap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/config-ldap.ldif
+ ports:
+ - 389:389
+ - 636:636
diff --git a/scripts/slapd.sh b/scripts/slapd.sh
deleted file mode 100755
index da3fffdf..00000000
--- a/scripts/slapd.sh
+++ /dev/null
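Review bot: The `ports:` entries `- 389:389` and `- 636:636` publish the directory on every host interface, and since no environment is set the container presumably runs with the image's default admin credentials (the removed `scripts/slapd.sh` bound with `-w admin`); for a local fixture, binding to loopback and quoting the specs as the compose documentation recommends, `- "127.0.0.1:389:389"` and `- "127.0.0.1:636:636"`, keeps the seeded directory off the network. `image: osixia/openldap:1.4.0` is a mutable tag, so the example is not reproducible over time; pinning a digest (`osixia/openldap:1.4.0@sha256:<digest-placeholder>`) would fix that, though for a development fixture the tag alone may be an acceptable trade-off. A one-line comment above `ports:` stating that the service is meant for local development only would make the intent explicit.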
@@ -1,56 +0,0 @@
-#!/bin/bash
-#
-# Start an OpenLDAP container and populate it with example entries.
-# https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md
-#
-# Usage:
-# slapd.sh Kill a possibly preexisting "ldap" container, start a new one, and populate the directory.
-# slapd.sh --keep Same, but keep the container if it is already running.
-#
-set -eu
-cd -- "$(dirname "$0")/.."
-
-run_cmd() {
- echo ">" "$@" >&2
- "$@"
-}
-
-keep_running=
-if [ $# -gt 0 ] && [ "$1" = "--keep" ]; then
- keep_running=1
-fi
-
-if [ -z "$keep_running" ] || [ "$(docker inspect --format="{{.State.Running}}" ldap 2> /dev/null)" != "true" ]; then
- echo "LDAP container not running, or running and --keep not specified."
- echo "Removing old LDAP container (if any)..."
- run_cmd docker rm --force ldap || true
- echo "Starting LDAP container..."
- # Currently the most popular OpenLDAP image on Docker Hub. Comes with the latest version OpenLDAP 2.4.50.
- run_cmd docker run -p 389:389 -p 636:636 -v $PWD:$PWD --name ldap --detach osixia/openldap:1.4.0
-
- tries=1
- max_tries=10
- echo "Waiting for LDAP container ($tries/$max_tries)..."
- # Wait until expected line "structuralObjectClass: organization" shows up.
- # Seems to work more reliably than waiting for exit code 0. That would be:
- # while ! docker exec ldap slapcat -b "dc=example,dc=org" > /dev/null 2>&1; do
- while [[ ! "$(docker exec ldap slapcat -b "dc=example,dc=org" 2>/dev/null)" =~ organization ]]; do
- ((++tries))
- if [ "$tries" -gt "$max_tries" ]; then
- echo "ERROR: Timeout waiting for LDAP container."
- exit 1
- fi
- sleep 1
- echo "Waiting for LDAP container ($tries/$max_tries)..."
- done
-fi
-
-echo "Adding example entries to directory..."
-run_cmd docker exec ldap ldapadd \
- -x \
- -D "cn=admin,dc=example,dc=org" \
- -w admin \
- -H ldap://localhost:389/ \
- -f $PWD/examples/config-ldap.ldif
-
-echo "OK."
From 521954a3b9f413c432d0a362dd16e8b8b901b33f Mon Sep 17 00:00:00 2001
From: Martin Heide
Date: Wed, 15 Jul 2020 09:43:28 +0000
Subject: [PATCH 4/4] Improve formatting
Signed-off-by: Martin Heide
---
examples/ldap/docker-compose.yaml | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/examples/ldap/docker-compose.yaml b/examples/ldap/docker-compose.yaml
index 7cb4e658..73ae5ebd 100644
--- a/examples/ldap/docker-compose.yaml
+++ b/examples/ldap/docker-compose.yaml
@@ -4,13 +4,12 @@ services:
 ldap:
 image: osixia/openldap:1.4.0
 # Copying is required because the entrypoint modifies the *.ldif files.
- # For verbose output, use:
- #command: ["--copy-service", "--loglevel", "debug"]
+ # For verbose output, use: command: ["--copy-service", "--loglevel", "debug"]
 command: ["--copy-service"]
- volumes:
 # https://github.com/osixia/docker-openldap#seed-ldap-database-with-ldif
- # Option 1: Add additional seed file by mounting to /container/service/slapd/assets/config/bootstrap/ldif/custom/
- # Option 2: Overwrite default seed file by mounting to /container/service/slapd/assets/config/bootstrap/ldif/
+ # Option 1: Add custom seed file -> mount to /container/service/slapd/assets/config/bootstrap/ldif/custom/
+ # Option 2: Overwrite default seed file -> mount to /container/service/slapd/assets/config/bootstrap/ldif/
+ volumes:
 - ./config-ldap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/config-ldap.ldif
 ports:
 - 389:389