Merge pull request #1022 from ericchiang/ldap-example
*: add "getting started" example for LDAP
Showing
6 changed files
with
231 additions
and
2 deletions.
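--- a/examples/config-ldap.ldif
+++ b/examples/config-ldap.ldif
@@ -0,0 +1,42 @@
+dn: dc=example,dc=org
+objectClass: dcObject
+objectClass: organization
+o: Example Company
+dc: example
+
+dn: ou=People,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
+
+dn: cn=john,ou=People,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: john
+mail: johndoe@example.com
+userpassword: bar
+
+# Group definitions.
+
+dn: ou=Groups,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=admins,ou=Groups,dc=example,dc=org
+objectClass: groupOfNames
+cn: admins
+member: cn=john,ou=People,dc=example,dc=org
+member: cn=jane,ou=People,dc=example,dc=org
+
+dn: cn=developers,ou=Groups,dc=example,dc=org
+objectClass: groupOfNames
+cn: developers
+member: cn=jane,ou=People,dc=example,dc=org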
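Review bot: The file has no header saying what it is, and the `userpassword: foo` and `userpassword: bar` values are literal cleartext (no `{SSHA}`-style hash prefix), which is fine for seed data but easy to copy into something that is not an example. A one-line header such as `# Seed entries for the LDAP getting-started example; the userpassword values are cleartext test credentials for the local slapd only.` would make the intent explicit, matching the `# Group definitions.` comment style already used further down.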
@@ -0,0 +1,51 @@ | ||
issuer: http://127.0.0.1:5556/dex | ||
storage: | ||
type: sqlite3 | ||
config: | ||
file: examples/dex.db | ||
web: | ||
http: 0.0.0.0:5556 | ||
|
||
connectors: | ||
- type: ldap | ||
name: OpenLDAP | ||
id: ldap | ||
config: | ||
host: localhost:10389 | ||
|
||
# No TLS for this setup. | ||
insecureNoSSL: true | ||
|
||
# This would normally be a read-only user. | ||
bindDN: cn=admin,dc=example,dc=org | ||
bindPW: admin | ||
|
||
userSearch: | ||
baseDN: ou=People,dc=example,dc=org | ||
filter: "(objectClass=person)" | ||
username: mail | ||
# "DN" (case sensitive) is a special attribute name. It indicates that | ||
# this value should be taken from the entity's DN not an attribute on | ||
# the entity. | ||
idAttr: DN | ||
emailAttr: mail | ||
nameAttr: cn | ||
|
||
groupSearch: | ||
baseDN: ou=Groups,dc=example,dc=org | ||
filter: "(objectClass=groupOfNames)" | ||
|
||
# A user is a member of a group when their DN matches | ||
# the value of a "member" attribute on the group entity. | ||
userAttr: DN | ||
groupAttr: member | ||
|
||
# The group name should be the "cn" value. | ||
nameAttr: cn | ||
|
||
staticClients: | ||
- id: example-app | ||
redirectURIs: | ||
- 'http://127.0.0.1:5555/callback' | ||
name: 'Example App' | ||
secret: ZXhhbXBsZS1hcHAtc2VjcmV0 |
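Review bot: `http: 0.0.0.0:5556` under `web:` binds dex to every interface, while `issuer:` and the client's redirect URI both use 127.0.0.1; for a getting-started example that also ships `bindPW: admin` and `insecureNoSSL: true`, `http: 127.0.0.1:5556` keeps the listener local and consistent with the issuer. The `secret: ZXhhbXBsZS1hcHAtc2VjcmV0` line would also benefit from a comment in the style of the others, e.g. `# Example client secret; replace for any real deployment.`, so the value is not mistaken for a generated one. Indentation appears to have been flattened by the page rendering, so I have not commented on the YAML structure itself.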
@@ -0,0 +1,98 @@ | ||
#!/bin/bash -e | ||
|
||
if ! [[ "$0" =~ "scripts/slapd.sh" ]]; then | ||
echo "This script must be run in a toplevel dex directory" | ||
exit 255 | ||
fi | ||
|
||
command -v slapd >/dev/null 2>&1 || { | ||
echo >&2 "OpenLDAP not installed. Install using one of the following commands: | ||
brew install openldap | ||
sudo dnf -y install openldap-servers openldap-clients | ||
sudo apt-get install slapd ldap-utils | ||
"; exit 1; | ||
} | ||
|
||
TEMPDIR=$( mktemp -d ) | ||
|
||
trap "{ rm -r $TEMPDIR ; exit 255; }" EXIT | ||
|
||
CONFIG_DIR=$PWD/connector/ldap/testdata | ||
|
||
# Include the schema files in the connector test directory. Installing OpenLDAP installs | ||
# these in /etc somewhere, but the path isn't reliable across installs. Easier to ship | ||
# the schema files directly. | ||
for config in $( ls $CONFIG_DIR/*.schema ); do | ||
echo "include $config" >> $TEMPDIR/config | ||
done | ||
|
||
DATA_DIR=$TEMPDIR/data | ||
mkdir $DATA_DIR | ||
|
||
# Config template copied from: | ||
# http://www.zytrax.com/books/ldap/ch5/index.html#step1-slapd | ||
cat << EOF >> $TEMPDIR/config | ||
# MODULELOAD definitions | ||
# not required (comment out) before version 2.3 | ||
moduleload back_bdb.la | ||
database bdb | ||
suffix "dc=example,dc=org" | ||
# root or superuser | ||
rootdn "cn=admin,dc=example,dc=org" | ||
rootpw admin | ||
# The database directory MUST exist prior to running slapd AND | ||
# change path as necessary | ||
directory $DATA_DIR | ||
# Indices to maintain for this directory | ||
# unique id so equality match only | ||
index uid eq | ||
# allows general searching on commonname, givenname and email | ||
index cn,gn,mail eq,sub | ||
# allows multiple variants on surname searching | ||
index sn eq,sub | ||
# sub above includes subintial,subany,subfinal | ||
# optimise department searches | ||
index ou eq | ||
# if searches will include objectClass uncomment following | ||
# index objectClass eq | ||
# shows use of default index parameter | ||
index default eq,sub | ||
# indices missing - uses default eq,sub | ||
index telephonenumber | ||
# other database parameters | ||
# read more in slapd.conf reference section | ||
cachesize 10000 | ||
checkpoint 128 15 | ||
EOF | ||
|
||
SLAPD_PID="" | ||
trap "kill $SLAPD_PID" SIGINT | ||
|
||
# Background the LDAP daemon so we can run an LDAP add command. | ||
slapd \ | ||
-d any \ | ||
-h "ldap://localhost:10389/" \ | ||
-f $TEMPDIR/config & | ||
SLAPD_PID=$! | ||
|
||
# Wait for server to come up. | ||
time sleep 1 | ||
|
||
# Seed the initial set of users. Edit these values to change the initial | ||
# set of users. | ||
ldapadd \ | ||
-x \ | ||
-D "cn=admin,dc=example,dc=org" \ | ||
-w admin \ | ||
-H ldap://localhost:10389/ \ | ||
-f $PWD/examples/config-ldap.ldif | ||
|
||
# Wait for slapd to exit. | ||
wait $SLAPD_PID |
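Review bot: The SIGINT trap is installed as `trap "kill $SLAPD_PID" SIGINT` while `SLAPD_PID=""`, so the double quotes expand to an empty PID at definition time and on Ctrl-C the trap runs a bare `kill`; the backgrounded slapd, which a non-interactive shell typically starts with SIGINT ignored, keeps running after the script dies. Defer the expansion with `trap 'kill "$SLAPD_PID"' SIGINT`, or install the trap after `SLAPD_PID=$!`. The EXIT trap has the same gap — it removes `$TEMPDIR` but never stops slapd, and forces status 255 even on a clean run — so something like `trap '[[ -n "$SLAPD_PID" ]] && kill "$SLAPD_PID"; rm -r -- "$TEMPDIR"' EXIT` after the daemon starts would cover both paths. Minor: `for config in $( ls $CONFIG_DIR/*.schema ); do` parses ls output; `for config in "$CONFIG_DIR"/*.schema; do` yields the same files without word-splitting.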