Examples of advanced configurations

Here are some examples of advanced configurations of the chart.

Use your own logos

To use your own logos for the password portal and phpldapadmin, first create a ConfigMap containing the logo files.
For instance, a ConfigMap with 2 keys:

  • my-logo.png: the full-size logo, for instance 450x128 pixels
  • my-logo_50.png: a smaller version, for instance 180x50 pixels

Next, configure your values so that the logos are copied into the containers at startup (an init container writes a startup hook, and the main container mounts both the logo and the hook):

ltb-passwd:
   initContainers:
     - name: install-logo
       image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . }}"
       command: [sh, -c]
       args:
         - |-
           # write an s6 cont-init.d hook that copies the mounted logo into the web root
           cat <<EOF >/data/31-logo
           #!/command/with-contenv bash
           source /assets/functions/00-container
           PROCESS_NAME="logo"
           cp /tmp/ltb-logo.png /www/ssp/images/ltb-logo.png
           liftoff
           EOF
           # make the hook executable here, in the init container: inside the heredoc the
           # chmod would become part of the hook and only run once the hook was already executing
           chmod +x /data/31-logo
       volumeMounts:
         - name: data
           mountPath: /data
  volumes:
    - name: logos
      configMap:
        name: logos
    - name: data
      emptyDir: {}
  volumeMounts:
    - name: logos
      mountPath: /tmp/ltb-logo.png
      subPath: my-logo.png
    - name: data
      mountPath: /etc/cont-init.d/31-logo
      subPath: 31-logo

phpldapadmin:
  initContainers:
     - name: modify-configuration
       image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . }}"
       command: [sh, -c]
       args:
         - |-
           # modify startup script in order to use logos
           cp -p /container/service/phpldapadmin/startup.sh /data/
           sed -i -e 's/exit 0/# exit 0/' /data/startup.sh
           cat <<'EOF' >>/data/startup.sh
           cp /logos/my-logo.png /var/www/phpldapadmin/htdocs/images/default/logo.png
           cp /logos/my-logo_50.png /var/www/phpldapadmin/htdocs/images/default/logo-small.png
           exit 0
           EOF
       volumeMounts:
         - mountPath: /data
           name: data
  volumes:
    - name: data
      emptyDir: {}
    - name: logos
      configMap:
        name: logos
  volumeMounts:
    - name: data
      mountPath: /data
    - name: logos
      mountPath: /logos
    - name: data
      mountPath: /container/service/phpldapadmin/startup.sh
      subPath: startup.sh

Use a user with restricted permissions for the password portal

By default, the password portal binds as the cn=admin account to look up users.
Here we define a dedicated account with restricted permissions (read access to all attributes except passwords).
Its password is stored in a separate secret, so it can be managed by a vault solution.
This requires a custom LDIF and custom ACLs.
First, create a custom LDIF file (or put it directly in the values file). The userPassword values are hashes as produced by slappasswd: a literal {SSHA}... value goes after a single colon, while the double-colon form (userPassword::) is reserved for a base64-encoded value, which is how ldapsearch exports the attribute.

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-customldif
data:
  00-root.ldif: |-
    dn: dc=mydomain,dc=com
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: MY-DOMAIN
    dc: mydomain
  01-admin-read-user.ldif: |-
    dn: cn=admin-read,dc=mydomain,dc=com
    cn: admin-read
    mail: admin-read@mydomain.com
    objectClass: inetOrgPerson
    objectClass: top
    userPassword: {SSHA}xxxxxxxxxxxx
    sn: Admin read only
  02-users-group.ldif: |-
    dn: ou=users,dc=mydomain,dc=com
    ou: users
    objectClass: organizationalUnit
    objectClass: top
  03-foo-user.ldif: |-
    dn: cn=foo,ou=users,dc=mydomain,dc=com
    cn: foo
    objectClass: inetOrgPerson
    objectClass: top
    sn: Foo Foo
    mail: foo@mydomain.com
    userPassword: {SSHA}xxxxxxxxx

Now create a secret holding the clear-text passwords (LDAP_ADMIN_READ_PASSWORD must be the password whose hash you put in the admin-read LDIF entry):

kind: Secret
apiVersion: v1
metadata:
  name: openldap-secrets
type: Opaque
stringData:
  LDAP_ADMIN_PASSWORD: xxxxxxxx
  LDAP_CONFIG_ADMIN_PASSWORD: xxxxxxxx
  LDAP_ADMIN_READ_PASSWORD: xxxxxxxx
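The LDIF above needs {SSHA} hashes and the secret needs the matching clear-text passwords. The following is an added Python example (not part of the chart) that produces and checks OpenLDAP {SSHA} hashes in the format slappasswd emits, and renders the userPassword LDIF line in both the literal (single colon) and base64 (double colon) forms. The function names and the sample password are mine.

```python
"""Generate and verify OpenLDAP {SSHA} userPassword hashes (the format slappasswd emits).

Added example for this page, not part of the chart. {SSHA} is salted SHA-1:
base64( sha1(password + salt) + salt ), with the salt appended in clear.
"""
import base64
import hashlib
import hmac
import os

SALT_LEN = 4  # slappasswd uses a 4-byte random salt by default


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return a '{SSHA}...' value; a fresh random salt is drawn when none is given."""
    if not salt:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value (constant-time digest compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:          # binascii.Error is a ValueError: not valid base64
        return False
    if len(raw) <= 20:          # 20-byte sha1 digest must be followed by the salt
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_user_password(password: str, base64_value: bool = False) -> str:
    """Render the LDIF attribute line for a freshly hashed password.

    'userPassword: {SSHA}...'    -> literal value (what you paste from slappasswd)
    'userPassword:: e1NTSEF9...' -> base64 of the whole value (what ldapsearch exports)
    A '{SSHA}...' value after a double colon is not valid base64 and ldapadd rejects it.
    """
    value = ssha_hash(password)
    if base64_value:
        return "userPassword:: " + base64.b64encode(value.encode("ascii")).decode("ascii")
    return "userPassword: " + value


if __name__ == "__main__":
    # constructed sample password, for demonstration only
    print(ldif_user_password("admin-read-s3cret"))
    print(ldif_user_password("admin-read-s3cret", base64_value=True))
```

Paste the first form into the LDIF and the clear-text password into the secret; `ssha_verify` lets you confirm the two match before deploying.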

Next, configure the values to use this secret, set the ACLs for admin-read, and point the password portal at this account:

global:
  existingSecret: "openldap-secrets"

customAcls: |-
  dn: olcDatabase={2}mdb,cn=config
  changetype: modify
  replace: olcAccess
  olcAccess: {0}to *
    by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage
    by * break
  olcAccess: {1}to attrs=userPassword,shadowLastChange
    by self write
    by dn="cn=admin,dc=mydomain,dc=com" write
    by anonymous auth
    by * none
  olcAccess: {2}to *
    by dn="cn=admin-read,dc=mydomain,dc=com" read
    by dn="cn=admin,dc=mydomain,dc=com" write
    by self read
    by * none

ltb-passwd:
  ldap:
    searchBase: "ou=users,dc=mydomain,dc=com"
    bindDN: "cn=admin-read,dc=mydomain,dc=com"
    passKey: LDAP_ADMIN_READ_PASSWORD

Allow login to phpldapadmin using only the cn attribute

It is easier to log in to phpldapadmin with just your cn value instead of the full DN (cn=xxx,dc=xxx,dc=xxxx).
To resolve that cn to a DN, phpldapadmin needs a search account: it binds as bind_id to find the entry whose cn matches the supplied login, then authenticates with that entry's DN and the supplied password. We reuse the read-only admin-read account from the previous section for this.
Here is the values.yaml to use. Note that the password is expanded into a single-quoted PHP string, so a value containing a single quote or a backslash would break config.php and needs escaping:

phpldapadmin:
  initContainers:
     - name: modify-configuration
       image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . }}"
       command: [sh, -c]
       args:
         - |-
           # adapt config.php: allow login without complete dn (only username) - needs admin read account
           # use also binddn with restricted permissions (read only)
           cat <<EOF >/data/my_config.php
           \$servers->setValue('login','attr','cn');
           \$servers->setValue('login','bind_id','cn=admin-read,dc=mydomain,dc=com');
           \$servers->setValue('login','bind_pass','${LDAP_ADMIN_READ_PASSWORD}');
           EOF
           # modify startup script in order to use modified config.php and logos
           cp -p /container/service/phpldapadmin/startup.sh /data/
           sed -i -e 's/exit 0/# exit 0/' /data/startup.sh
           cat <<'EOF' >>/data/startup.sh
           sed -i -e 's/\($servers->setValue..login.,.bind_id\)/#\1/' /var/www/phpldapadmin/config/config.php
           cat /data/my_config.php >> /var/www/phpldapadmin/config/config.php
           exit 0
           EOF
       volumeMounts:
         - mountPath: /data
           name: data
       env:
         - name: LDAP_ADMIN_READ_PASSWORD
           valueFrom:
             secretKeyRef:
               name: openldap-secrets
               key: LDAP_ADMIN_READ_PASSWORD
  volumes:
    - name: data
      emptyDir: {}
  volumeMounts:
    - name: data
      mountPath: /data
    - name: data
      mountPath: /container/service/phpldapadmin/startup.sh
      subPath: startup.sh

Allow a user to have admin permissions

More involved: we now grant administrator rights based on the value of the employeeType attribute. A user whose employeeType is LDAP_ADMIN becomes an LDAP administrator.
Using the previous my-customldif ConfigMap, just add the following line to the foo user entry:

    employeeType: LDAP_ADMIN

In full:

  03-foo-user.ldif: |-
    dn: cn=foo,ou=users,dc=mydomain,dc=com
    cn: foo
    objectClass: inetOrgPerson
    objectClass: top
    sn: Foo Foo
    mail: foo@mydomain.com
    employeeType: LDAP_ADMIN
    userPassword: {SSHA}xxxxxxxxx

Now modify the custom ACLs in the values file using the set feature of OpenLDAP access control: the set expression user/employeeType & [ldap_admin] matches when the entry of the bound user carries employeeType with that value, so the same by clause can grant write access to every such user without listing their DNs:

customAcls: |-
  dn: olcDatabase={2}mdb,cn=config
  changetype: modify
  replace: olcAccess
  olcAccess: {0}to *
    by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage
    by * break
  olcAccess: {1}to attrs=userPassword,shadowLastChange
    by self write
    by dn="cn=admin,dc=mydomain,dc=com" write
    by set="user/employeeType & [ldap_admin]" write
    by anonymous auth
    by * none
  olcAccess: {2}to *
    by dn="cn=admin-read,dc=mydomain,dc=com" read
    by dn="cn=admin,dc=mydomain,dc=com" write
    by set="user/employeeType & [ldap_admin]" write
    by self read
    by * none

Putting it all together, the user foo can now log in to phpldapadmin with just foo as username and their password, and has full permissions to manage the LDAP database.
Note that ordinary users only get self read in the {2} rule, so they cannot write their own employeeType and cannot promote themselves; any ACL that grants self (or the portal's admin-read account) write access to that attribute would undo this protection. Conversely, a user with employeeType=LDAP_ADMIN can set anyone's password and employeeType, so treat the attribute as a full admin role.
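To check what the two customAcls values above (the admin-read rules and the set-based admin rules) actually grant before loading them into a server, here is an added Python example, not part of the chart, that models slapd's evaluation of exactly the clause types they use: first matching to clause, first matching by clause, and the break control. The directory contents, the ordinary user bar and the function names are my assumptions; the ACL text is a copy of the page's final customAcls. It only covers the page's clause types and ignores rootdn bypass, attribute subsets and additive privileges, so confirm the results against a running slapd with ldapsearch.

```python
"""Simplified evaluator for the olcAccess rules on this page (added example, not chart code).
Covers only what they use: 'to *' / 'to attrs=', who-clauses '*', 'self', 'anonymous',
'dn='/'dn.exact=' and 'set="user/ATTR & [VAL]"', and 'break'. Real slapd is richer (rootdn
bypass, attribute subsets, additive privileges), so confirm results against a live server."""
import re

# slapd access levels, weakest to strongest; a grant implies every lower level
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed copy of the final customAcls value on this page.
ACL_LDIF = """\
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage
  by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=admin,dc=mydomain,dc=com" write
  by set="user/employeeType & [ldap_admin]" write
  by anonymous auth by * none
olcAccess: {2}to *
  by dn="cn=admin-read,dc=mydomain,dc=com" read
  by dn="cn=admin,dc=mydomain,dc=com" write
  by set="user/employeeType & [ldap_admin]" write
  by self read
  by * none
"""

# Constructed entries matching the page's LDIF (attribute names lower-cased);
# 'bar' is a hypothetical ordinary user without employeeType.
ADMIN_READ = "cn=admin-read,dc=mydomain,dc=com"
FOO = "cn=foo,ou=users,dc=mydomain,dc=com"
BAR = "cn=bar,ou=users,dc=mydomain,dc=com"
DIRECTORY = {FOO: {"employeetype": ["LDAP_ADMIN"]}}   # DNs absent here have no attributes
WHO_RE = re.compile(r'(\*|[\w.]+(?:="[^"]*"|=\S+)?)\s*(.*)')

def parse_acls(ldif_text):
    """Return [(attrs_or_None, [(who, level, is_break)])], one per olcAccess value."""
    joined = []
    for line in ldif_text.splitlines():
        if line.startswith(" "):                         # LDIF continuation line
            joined[-1] += " " + line.strip()
        elif line.startswith("olcAccess:"):
            joined.append(line[len("olcAccess:"):].strip())
    acls = []
    for rule in joined:
        what, *bys = re.sub(r"^\{\d+\}", "", rule).split(" by ")   # drop the {n} prefix
        what = what[len("to "):].strip()
        attrs = None if what == "*" else {a.lower() for a in what[len("attrs="):].split(",")}
        clauses = []
        for by in bys:
            who, rest = WHO_RE.match(by.strip()).groups()
            tokens = rest.split()
            level = next((t for t in tokens if t in LEVELS), "none")   # 'by * break' grants nothing
            clauses.append((who, level, "break" in tokens))
        acls.append((attrs, clauses))
    return acls

def who_matches(who, bind_dn, target_dn):
    """Does 'by <who>' apply to this bind identity (None = anonymous) and target entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    kind, _, value = who.partition("=")
    value = value.strip('"')
    if kind in ("dn", "dn.exact"):
        return bind_dn is not None and bind_dn.lower() == value.lower()
    if kind == "set":
        m = re.match(r"user/(\w+)\s*&\s*\[([^\]]*)\]", value)
        if m is None or bind_dn is None:
            return False
        have = DIRECTORY.get(bind_dn, {}).get(m.group(1).lower(), [])
        # the page matches LDAP_ADMIN against [ldap_admin], so compare case-insensitively
        return m.group(2).lower() in (v.lower() for v in have)
    raise ValueError("unsupported who clause: " + who)

def access_level(acls, bind_dn, target_dn, attr):
    """First 'to' clause covering attr wins and its first matching 'by' decides;
    'break' abandons the clause for the next 'to'; nothing matching means 'none'."""
    for attrs, clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level, is_break in clauses:
            if who_matches(who, bind_dn, target_dn):
                if is_break:
                    break
                return level
        else:
            return "none"                                # implicit trailing 'by * none'
    return "none"

def allows(acls, bind_dn, target_dn, attr, needed):
    """True if the granted level reaches 'needed' ('auth' for a bind, 'read' for a search)."""
    return LEVELS.index(access_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

if __name__ == "__main__":
    acls = parse_acls(ACL_LDIF)
    for bind, target, attr in [(ADMIN_READ, BAR, "mail"), (ADMIN_READ, BAR, "userPassword"),
                               (None, BAR, "userPassword"), (BAR, BAR, "employeeType"), (FOO, BAR, "employeeType")]:
        print(bind or "anonymous", attr, "on", target, "->", access_level(acls, bind, target, attr))
```

Running it shows the properties the text relies on: admin-read reads mail but gets none on userPassword, anonymous gets exactly auth on userPassword (enough to bind, not to read), an ordinary user reads but cannot write their own employeeType, and foo, through the set clause, gets write on other users' attributes.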