openldap Plugin

This plugin installs OpenLDAP in an existing Kubernetes cluster using the Helm chart. Please at least make sure your Kubernetes’s version is greater than 1.18.

Usage

  1. tools:
  2. # name of the tool
  3. - name: openldap
  4.   # id of the tool instance
  5.   instanceID: default
  6.   # format: name.instanceID; If specified, dtm will make sure the dependency is applied first before handling this tool.
  7.   dependsOn: []
  8.   # options for the plugin  
  9.   options:
  10.     # need to create the namespace or not, default: false
  11.     create_namespace: true
  12.     repo:
  13.       # name of the Helm repo
  14.       name: helm-openldap
  15.       # url of the Helm repo
  16.       url: https://jp-gouin.github.io/helm-openldap/
  17.     # Helm chart information
  18.     chart:
  19.       # name of the chart
  20.       chart_name: helm-openldap/openldap-stack-ha
  21.       # release name of the chart
  22.       release_name: openldap
  23.       # k8s namespace where OpenLDAP will be installed
  24.       namespace: openldap
  25.       # whether to wait for the release to be deployed or not
  26.       wait: true
  27.       # the time to wait for any individual Kubernetes operation (like Jobs for hooks). This defaults to 5m0s
  28.       timeout: 5m
  29.       # custom configuration (Optional). You can refer to https://github.com/jp-gouin/helm-openldap/blob/master/values.yaml
  30.       values_yaml: |
  31.         replicaCount: 1
  32.         service: 
  33.           type: NodePort  
  34.         env:
  35.           LDAP_ORGANISATION: "DevStream Inc."
  36.           LDAP_DOMAIN: "devstream.io"
  37.         persistence:
  38.           enabled: false
  39.         adminPassword: Not@SecurePassw0rd
  40.         configPassword: Not@SecurePassw0rd
  42.         ltb-passwd:
  43.           enabled : false
  45.         phpldapadmin:
  46.           enabled: true
  47.           ingress:
  48.             enabled: false

Description of Key Fields in values_yaml

  • replicaCount: The default value is 3, for the convenience of local testing, the above example is set to 1
  • service.type: The default value is ClusterIP, if you have services outside the Kubernetes cluster that require ldap integration, the value preferably be set to NodePort, so that services outside the Kubernetes cluster can access the ldap service via ldap://ip:389 instead of ldap://openldap.openldap-openldap-stack-ha:389
  • adminPassword: Use your own custom password
  • configPassword: Use your own custom password
  • ltb-passwd: Ingress of the Ltb-Passwd service by which you can modify your password. If you need this service, you can set ltb-passwd.enabled to true.
  • phpldapadmin.ingress: Ingress of Phpldapadmin service by which you can manage your ldap service. If you wish to expose the service to the Internet, you can change the phpldapadmin.ingress.enabled to true and configure your own domain name

Post-installation Operations

Once the installation is complete, you can manage ldap service through phpldapadmin. For local testing, you can access the service through port forwarding. The commands are as follows.

  1. kubectl port-forward svc/openldap-phpldapadmin 8080:80 -n openldap

Now you can now access the phpldapadmin service on your browser via http://127.0.0.1:8080

If you have not changed the default values in the above example, its account will be cn=admin,dc=devstream,dc=org and password will be Not@SecurePassw0rd.

Note: If you’re familiar with OpenLDAP, then you don’t need to continue reading the tutorial below, you can just go ahead and integrate ldap for your service.

Importing Your Data

The following is a sample file, if you have changed the above configuration, remember to replace dc=devstream,dc=org with your own.

  1. dn: cn=admin,dc=devstream,dc=org
  2. cn: admin
  3. objectclass: organizationalRole
  5. dn: ou=Group,dc=devstream,dc=org
  6. cn: Group
  7. objectclass: organizationalRole
  8. ou: Group
  10. # confluence organizationalUnit
  11. dn: ou=confluence,ou=Group,dc=devstream,dc=org
  12. objectclass: organizationalUnit
  13. objectclass: top
  14. ou: confluence
  16. # confluence administrators group
  17. dn: cn=confluence-administrators,ou=confluence,ou=Group,dc=devstream,dc=org
  18. cn: confluence-administrators
  19. description:: d2lraeeuoeeQhue7hA==
  20. objectclass: groupOfUniqueNames
  21. uniquemember: uid=example,ou=People,dc=devstream,dc=org
  23. # confluence users group
  24. dn: cn=confluence-users,ou=confluence,ou=Group,dc=devstream,dc=org
  25. cn: confluence-users
  26. description:: d2lraeaZrumAmueUqOaItw==
  27. objectclass: groupOfUniqueNames
  28. uniquemember: uid=example,ou=People,dc=devstream,dc=org
  30. # jira organizationalUnit
  31. dn: ou=jira,ou=Group,dc=devstream,dc=org
  32. objectclass: organizationalUnit
  33. objectclass: top
  34. ou: jira
  36. # jira administrators Group
  37. dn: cn=jira-administrators,ou=jira,ou=Group,dc=devstream,dc=org
  38. cn: jira-administrators
  39. description:: amlyYeeuoeeQhue7hA==
  40. objectclass: groupOfUniqueNames
  41. uniquemember: uid=example,ou=People,dc=devstream,dc=org
  43. # jira users group
  44. dn: cn=jira-software-users,ou=jira,ou=Group,dc=devstream,dc=org
  45. cn: jira-software-users
  46. description:: amlyYeeuoeeQhue7hA==
  47. objectclass: groupOfUniqueNames
  48. uniquemember: uid=example,ou=People,dc=devstream,dc=org
  50. dn: ou=People,dc=devstream,dc=org
  51. objectclass: organizationalUnit
  52. ou: People
  54. # People for example
  55. dn: uid=example,ou=People,dc=devstream,dc=org
  56. cn: example
  57. gidnumber: 500
  58. givenname: example
  59. homedirectory: /home/example
  60. loginshell: /bin/sh
  61. mail: example@devstream.org
  62. objectclass: inetOrgPerson
  63. objectclass: posixAccount
  64. objectclass: top
  65. sn: example
  66. uid: example
  67. uidnumber: 1007
  68. userpassword: example@123456

Login your phpldapadmin service and import the sample configuration above.After importing the data successfully, the result is as follows.

Verify the LDAP Service

Log in to the container where the ldap service is located, and then use the ldapsearch command to query the user(uid=example,ou=people,dc=devstream,dc=org) created above

  1. root@openldap-openldap-stack-ha-0:/# ldapsearch -x -H ldap://127.0.0.1:389 -b uid=example,ou=people,dc=devstream,dc=org -D "cn=admin,dc=devstream,dc=org" -w Not@SecurePassw0rd
  3. # extended LDIF
  4. #
  5. # LDAPv3
  6. # base <uid=example,ou=people,dc=devstream,dc=org> with scope subtree
  7. # filter: (objectclass=*)
  8. # requesting: ALL
  9. #
  11. # example, People, devstream.org
  12. dn: uid=example,ou=People,dc=devstream,dc=org
  13. cn: example
  14. gidNumber: 500
  15. givenName: example
  16. homeDirectory: /home/example
  17. loginShell: /bin/sh
  18. mail: example@devstream.org
  19. objectClass: inetOrgPerson
  20. objectClass: posixAccount
  21. objectClass: top
  22. sn: example
  23. uid: example
  24. uidNumber: 1007
  25. userPassword:: ZXhhbXBsZUAxMjM0NTY=
  27. # search result
  28. search: 2
  29. result: 0 Success
  31. # numResponses: 2
  32. # numEntries: 1

If your command output is as above, your ldap service is fine. The above values_yaml is only to facilitate your local testing, if you want production available, you also have to configure replicaCount, data persistence, etc., refer to OpenLDAP values.yaml