diff --git a/.github/workflows/merge_group,pull_request,schedule.codeql.yaml b/.github/workflows/merge_group,pull_request,schedule.codeql.yaml
new file mode 100644
index 00000000..80d9bfe4
--- /dev/null
+++ b/.github/workflows/merge_group,pull_request,schedule.codeql.yaml
@@ -0,0 +1,74 @@
+name: CodeQL
+
+on:
+ merge_group: {}
+ pull_request: {}
+ schedule:
+ - cron: 31 14 * * 6
+
+permissions: read-all
+
+jobs:
+ analyze:
+ name: Analyze
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners
+ # Consider using larger runners for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [go]
+ # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
+ # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Install Golang
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # renovate: tag=v5.0.0
+ with:
+ go-version-file: go.mod
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ # - name: Autobuild
+ # uses: github/codeql-action/autobuild@b374143c1149a9115d881581d29b8390bbcbb59c # renovate: tag=v3.22.1
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/merge_group,pull_request.all.lint.yaml b/.github/workflows/merge_group,pull_request.all.lint.yaml
new file mode 100644
index 00000000..d2f2e4ac
--- /dev/null
+++ b/.github/workflows/merge_group,pull_request.all.lint.yaml
@@ -0,0 +1,17 @@
+name: Lint everything (Trunk)
+
+on:
+ merge_group: {}
+ pull_request: {}
+
+permissions: read-all
+
+jobs:
+ trunk:
+ name: Trunk Check
+ permissions:
+ checks: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: trunk-io/trunk-action@97ecd21fe6c743bf7a606791584b683a7995c70e # v1.1.9
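Review bot: The commented-out Autobuild step in this hunk pins `github/codeql-action/autobuild` to `b374143c…` (`# renovate: tag=v3.22.1`) while the live `Initialize CodeQL` and `Perform CodeQL Analysis` steps pin `379614612a…` (`# v3.24.3`), so anyone who uncomments it to recover a failed Go extraction ends up with a mixed-version CodeQL toolchain. Either drop the template boilerplate between the two live steps or align the pin, e.g. `# uses: github/codeql-action/autobuild@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3`. The `runs-on` and `timeout-minutes` expressions still branch on `matrix.language == 'swift'` although the matrix is `[go]` only; `runs-on: ubuntu-latest` and `timeout-minutes: 360` state the same thing without the dead branch.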
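Review bot: The job-level `permissions:` block in the Trunk Check job lists only `checks: write`, which replaces the workflow-level `read-all` for this job; GitHub sets every scope not named in a job-level block to none, so the token has no `contents` access. On a public repository `actions/checkout` presumably still succeeds because the content is readable anonymously, but on a private repository the fetch fails; add `contents: read` next to `checks: write`. The same pattern appears in `push.trunk-cache.yaml` in this commit, whose job lists only `actions: write`. Since the job also runs on `pull_request`, `checks: write` is unavailable to fork PRs and annotations will silently be absent there — a one-line comment above `permissions:` stating that this is accepted would help the next reader.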
diff --git a/.github/workflows/merge_group,pull_request.go.test.yaml b/.github/workflows/merge_group,pull_request.go.test.yaml
new file mode 100644
index 00000000..40eacec6
--- /dev/null
+++ b/.github/workflows/merge_group,pull_request.go.test.yaml
@@ -0,0 +1,37 @@
+name: Test code (Go)
+on:
+ merge_group: {}
+ pull_request:
+ paths:
+ - "**/*.go"
+ - go.mod
+ - go.sum
+ - .github/workflows/pull_request,push.go.test.yaml
+
+permissions: read-all
+
+jobs:
+ test:
+ name: Go test
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ go: [1.21]
+ os: [ubuntu-latest, macos-latest]
+ steps:
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # renovate: tag=v5.0.0
+ with:
+ go-version: ${{ matrix.go }}
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - run: go test -v -race -covermode=atomic -coverprofile=coverage.out ./...
+ - uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1
+ env:
+ OS: ${{ matrix.os }}
+ GO_VERSION: ${{ matrix.go }}
+ with:
+ token: ${{ secrets.CODECOV_TOKEN }}
+ files: coverage.out
+ env_vars: GO_VERSION
+ fail_ci_if_error: true
+ flags: unittests
+ verbose: true
diff --git a/.github/workflows/pull_request,push,schedule.codeql.yaml b/.github/workflows/pull_request,push,schedule.codeql.yaml
deleted file mode 100644
index 59b3a288..00000000
--- a/.github/workflows/pull_request,push,schedule.codeql.yaml
+++ /dev/null
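Review bot: The `paths:` filter in this hunk still lists `.github/workflows/pull_request,push.go.test.yaml`, the old file name this commit deletes, so a pull request that only edits the new workflow file will not trigger the tests on itself; change it to `- .github/workflows/merge_group,pull_request.go.test.yaml`. The matrix value `go: [1.21]` is a YAML float that happens to round-trip as `1.21`, but the same pattern breaks for `1.20` or `1.30`, so `go: ["1.21"]` is safer; it also pins 1.21 while `.tool-versions` pins `golang 1.22.0`, which is worth confirming against `go.mod`. With `fail_ci_if_error: true` and `token: ${{ secrets.CODECOV_TOKEN }}`, pull requests from forks (where secrets are not injected) will presumably fail at the codecov step rather than at the tests.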
@@ -1,75 +0,0 @@ -name: "CodeQL" - -on: - pull_request: - branches: [main] - push: - branches: [main] - schedule: - - cron: '31 14 * * 6' - -jobs: - analyze: - name: Analyze - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners - # Consider using larger runners for possible analysis time improvements. - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'go' ] - # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] - # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Install Golang - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # renovate: tag=v5.0.0 - with: - go-version-file: go.mod - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. 
- - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - # If this step fails, then you should remove it and run the build manually (see below) - # - name: Autobuild - # uses: github/codeql-action/autobuild@b374143c1149a9115d881581d29b8390bbcbb59c # renovate: tag=v3.22.1 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3 - with: - category: "/language:${{matrix.language}}" diff --git a/.github/workflows/pull_request,push.go.lint.yaml b/.github/workflows/pull_request,push.go.lint.yaml deleted file mode 100644 index e472872d..00000000 --- a/.github/workflows/pull_request,push.go.lint.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -name: Lint code (Go) -on: - pull_request: - paths: - - "**/*.go" - - .github/workflows/pull_request,push.go.lint.yaml - -jobs: - golangci-lint: - name: golanci-lint - permissions: - contents: read - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # renovate: tag=v5.0.0 - with: - go-version-file: go.mod - - uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0 - with: - version: latest - only-new-issues: true diff --git a/.github/workflows/pull_request,push.go.test.yaml b/.github/workflows/pull_request,push.go.test.yaml deleted file mode 100644 index 47c9abe6..00000000 --- a/.github/workflows/pull_request,push.go.test.yaml +++ /dev/null @@ -1,36 +0,0 @@ -name: Test code (Go) -on: - pull_request: - paths: - - "**/*.go" - - go.mod - - go.sum - - .github/workflows/pull_request,push.go.test.yaml - push: - branches: [main] - -jobs: - test: - name: Go test - runs-on: ${{ matrix.os }} - strategy: - matrix: - go: [1.21] - os: [ubuntu-latest, macos-latest] - steps: - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # renovate: tag=v5.0.0 - with: - go-version: ${{ matrix.go }} - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - run: go test -v -race -covermode=atomic -coverprofile=coverage.out ./... - - uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1 - env: - OS: ${{ matrix.os }} - GO_VERSION: ${{ matrix.go }} - with: - token: ${{ secrets.CODECOV_TOKEN }} - files: coverage.out - env_vars: GO_VERSION - fail_ci_if_error: true - flags: unittests - verbose: true diff --git a/.github/workflows/pull_request.security.workflows.yaml b/.github/workflows/pull_request.security.workflows.yaml index bc961fa1..99da6592 100644 --- a/.github/workflows/pull_request.security.workflows.yaml 
+++ b/.github/workflows/pull_request.security.workflows.yaml
@@ -1,9 +1,12 @@ name: Security hardening (Github Actions workflows) on: + merge_group: {} pull_request: types: [opened, synchronize] - paths: [".github/workflows/**"] + paths: [.github/workflows/**] + +permissions: read-all jobs: ci_harden_security:
diff --git a/.github/workflows/push.repo.labels.yaml b/.github/workflows/push.repo.labels.yaml
index 8dbd461d..398b8d1a 100644
--- a/.github/workflows/push.repo.labels.yaml
+++ b/.github/workflows/push.repo.labels.yaml
@@ -4,15 +4,17 @@ on: branches: [main] paths: [.github/workflows/push.repo.labels.yaml, .github/labels.yaml] +permissions: read-all + jobs: sync: name: Synchronize labels runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # renovate: tag=v1.3.0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - manifest: .github/labels.yaml - prune: true + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # renovate: tag=v1.3.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + manifest: .github/labels.yaml + prune: true
diff --git a/.github/workflows/push.trunk-cache.yaml b/.github/workflows/push.trunk-cache.yaml
new file mode 100644
index 00000000..d8399d76
--- /dev/null
+++ b/.github/workflows/push.trunk-cache.yaml
@@ -0,0 +1,21 @@
+name: Refresh Trunk cache
+
+on:
+ push:
+ branches: [main]
+ paths: [.trunk/trunk.yaml]
+
+permissions: read-all
+
+jobs:
+ trunk-cache:
+ name: Refresh Trunk cache
+ runs-on: ubuntu-latest
+ permissions:
+ actions: write
+
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: trunk-io/trunk-action@97ecd21fe6c743bf7a606791584b683a7995c70e # v1.1.9
+ with:
+ check-mode: populate_cache_only
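Review bot: Adding `permissions: read-all` at workflow level in `push.repo.labels.yaml` leaves the `sync` job with a read-only `GITHUB_TOKEN`, yet `micnncim/action-label-syncer` creates, updates and (with `prune: true`) deletes repository labels through that token; label writes need the `issues: write` scope, so the job will presumably start failing with 403 after this change. Give the job its own block directly under `sync:`, `permissions:` / `  issues: write`, mirroring how the CodeQL job in this commit grants `security-events: write`. The rest of this hunk is a re-indentation of the steps.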
diff --git a/.lefthook.toml b/.lefthook.toml
deleted file mode 100644
index 71d75854..00000000
--- a/.lefthook.toml
+++ /dev/null
@@ -1,19 +0,0 @@
-skip_output = ["meta", "skips"]
-
-[pre-commit]
-follow = true
-parallel = true
-
-[pre-commit.commands.lint]
-glob = "*.go"
-run = "golangci-lint run --out-format=tab --fix"
-tags = "go,lint"
-
-[pre-commit.commands.test]
-glob = "*.go"
-run = "go test ./... -race"
-tags = "go,test"
-
-[prepare-commit-msg.commands.gitmoji]
-run = "gitmoji --hook {0} {1}"
-interactive = true
diff --git a/.tool-versions b/.tool-versions
index c56332d0..f5264425 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,2 +1 @@
 golang 1.22.0
-lefthook 1.5.5
diff --git a/.trunk/.gitignore b/.trunk/.gitignore
new file mode 100644
index 00000000..15966d08
--- /dev/null
+++ b/.trunk/.gitignore
@@ -0,0 +1,9 @@
+*out
+*logs
+*actions
+*notifications
+*tools
+plugins
+user_trunk.yaml
+user.yaml
+tmp
diff --git a/.trunk/configs/.markdownlint.yaml b/.trunk/configs/.markdownlint.yaml
new file mode 100644
index 00000000..fb940393
--- /dev/null
+++ b/.trunk/configs/.markdownlint.yaml
@@ -0,0 +1,10 @@
+# Autoformatter friendly markdownlint config (all formatting rules disabled)
+default: true
+blank_lines: false
+bullet: false
+html: false
+indentation: false
+line_length: false
+spaces: false
+url: false
+whitespace: false
diff --git a/.trunk/configs/.yamllint.yaml b/.trunk/configs/.yamllint.yaml
new file mode 100644
index 00000000..4d444662
--- /dev/null
+++ b/.trunk/configs/.yamllint.yaml
@@ -0,0 +1,10 @@
+rules:
+ quoted-strings:
+ required: only-when-needed
+ extra-allowed: ["{|}"]
+ empty-values:
+ forbid-in-block-mappings: true
+ forbid-in-flow-mappings: true
+ key-duplicates: {}
+ octal-values:
+ forbid-implicit-octal: true
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
new file mode 100644
index 00000000..ce4bc20f
--- /dev/null
+++ b/.trunk/trunk.yaml
@@ -0,0 +1,46 @@
+# This file controls the behavior of Trunk: https://docs.trunk.io/cli
+# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
+version: 0.1
+cli:
+ version: 1.20.0
+# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
+plugins:
+ sources:
+ - id: chezmoi-sh
+ ref: main
+ uri: https://github.com/chezmoi-sh/libraries
+ - id: trunk
+ ref: v1.4.3
+ uri: https://github.com/trunk-io/plugins
+# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
+runtimes:
+ enabled:
+ - go@1.21.0
+ - node@18.12.1
+ - python@3.10.8
+# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
+lint:
+ enabled:
+ - golangci-lint
+ - actionlint@1.6.26
+ - checkov@3.2.21
+ - git-diff-check
+ - gofmt@1.20.4
+ - markdownlint@0.39.0
+ - prettier@3.2.5
+ - renovate@37.192.2
+ - trivy@0.49.1
+ - trufflehog@3.67.6
+ - yamllint@1.35.0
+ ignore:
+ - linters: [ALL]
+ paths:
+ - pkg/ldap/directory/yaml/fixtures/**
+actions:
+ enabled:
+ - trunk-check-pre-commit
+ - gitmoji
+ - trunk-announce
+ - trunk-check-pre-push
+ - trunk-fmt-pre-commit
+ - trunk-upgrade-available
diff --git a/Dockerfile b/Dockerfile
index 351eefa4..dc595128 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -50,6 +50,8 @@ WORKDIR /opt/yaldap ENTRYPOINT [ "yaldap" ] EXPOSE 389 +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \ + CMD nc -z -w 2 localhost 389 # metadata as defined by the Open Container Initiative (OCI) and using the # xunleii conventions to keep traceability with the source code.
diff --git a/README.md b/README.md
index 6bef9b20..ca5c29af 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@ # yaLDAP: yet another LDAP + yaLDAP is an easy-to-use LDAP server using YAML file as directory definition. ![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/xunleii/yaldap)
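Review bot: `plugins.sources` pins the `trunk` source to `ref: v1.4.3` but the `chezmoi-sh` source to `ref: main`, a moving branch; plugin sources define linters and actions that execute in CI through `trunk-action` and on every developer machine through the `trunk-check-pre-commit`/`trunk-fmt-pre-commit` hooks enabled below, so whoever can push to that branch controls what runs in both places. Pin it to a tag or commit like the other source, `ref: <TAG-OR-COMMIT>` (placeholder). In `lint.enabled`, `golangci-lint` is the only entry without a version while every other linter is pinned, and `runtimes.enabled` lists `go@1.21.0` while `.tool-versions` pins `golang 1.22.0`, so the linter would run under an older toolchain than the one developers build with — worth aligning or confirming against `go.mod`.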
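Review bot: The new `HEALTHCHECK` shells out to `nc`, but nothing in this hunk shows that the runtime stage carries a netcat binary; if the final image is minimal (distroless, scratch, or a base without `netcat-openbsd`) the probe exits non-zero every time and the container is reported unhealthy while serving normally. Either install it in the runtime stage or use a probe the image is known to contain. A TCP connect to `localhost 389` also only proves the listener is bound, not that yaLDAP answers LDAP requests, and Docker's `HEALTHCHECK` is ignored by Kubernetes, which needs its own probe; a comment above the directive stating both limits would help, e.g. `# liveness only: checks the 389 listener, not LDAP bind; Kubernetes ignores HEALTHCHECK`. The image's build stages begin before this hunk.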
@@ -8,16 +9,17 @@ yaLDAP is an easy-to-use LDAP server using YAML file as directory definition. [![Go Report Card](https://goreportcard.com/badge/github.com/xunleii/yaldap)](https://goreportcard.com/report/github.com/xunleii/yaldap) _Sometimes, we just need a simple LDAP compatible server to store user/group information and other information. -For this purpose, many simple LDAP server exists and manage user/group in a better way than yaLDAP. However, no one can -have a fully customisable LDAP directory that can be used to store information or to follow a specific directory structure. -**I don't recommend to use this project for other thing than dev or homelab purpose; this LDAP server is not _(yet)_ -compliant with the LDAP RFCs.**_ +For this purpose, many simple LDAP server exists and manage user/group in a better way than yaLDAP. However, no one can +have a fully customisable LDAP directory that can be used to store information or to follow a specific directory structure._ +**_I don't recommend to use this project for other thing than dev or homelab purpose; this LDAP server is not _(yet)_ +compliant with the LDAP RFCs._** ## Usage ## Configuration ### YAML + yaLDAP can be configured using an YAML file to describe the LDAP directory. See [/pkg/ldap/yaml](pkg/ldap/directory/yaml/README.md) for more information. @@ -28,7 +30,7 @@ See [/pkg/ldap/yaml](pkg/ldap/directory/yaml/README.md) for more information. dc:org: #dn: dc=org dc:example: #dn: dc=example,dc=org ou:group: #dn: ou=group,dc=example,dc=org - cn:owner: &test #dn: cn=admin,ou=group,dc=example,dc=org + cn:owner: &test #dn: cn=admin,ou=group,dc=example,dc=org objectClass: posixGroup gidNumber: 1000 description: Organization owners @@ -73,7 +75,7 @@ dc:org: #dn: dc=org homeDirectory: /home/bob uidNumber: 1001 gidNumber: 1001 - userPassword: !!ldap/bind:password bob + userPassword: !!ldap/bind:password bob c:fr: #dn: c=fr,dc=example,dc=org ou:people: #dn: ou=people,c=fr,dc=example,dc=org 
diff --git a/pkg/ldap/directory/yaml/README.md b/pkg/ldap/directory/yaml/README.md index 2d7d92d8..36b39251 100644 --- a/pkg/ldap/directory/yaml/README.md +++ b/pkg/ldap/directory/yaml/README.md @@ -1,19 +1,20 @@ # LDAP directory implementation for YAML format ## Why using YAML? + Nowadays, I found that `YAML` is overused to configure things that sometimes requires more simple markup languages (`ini`, `txt`, ...), or mode specific DSL (like `hcl`). Of course, `YAML` is now a well known markup language and can be easily use by almost everyone. However, I personally chose `YAML` because it gives me a better representation of the directory structure; I picture an LDAP directory as a file directory, with folders (`containers`) and files (`leafs`). The fact that `YAML` uses indentation to define the depth of a field reminds me the `tree` command and helps me a lot in the global representation of the LDAP directory. - ## Syntax + As explained above, I chose the `YAML` format because it allows the LDAP directory to be represented like this: ```yaml dc:org: #dn: dc=org └── dc:example: #dn: dc=example,dc=org ├── ou:group: #dn: ou=group,dc=example,dc=org - │ ├── cn:owner: #dn: cn=admin,ou=group,dc=example,dc=org + │ ├── cn:owner: #dn: cn=admin,ou=group,dc=example,dc=org │ ├── cn:dev: #dn: cn=dev,ou=group,dc=example,dc=org │ ├── cn:qa: #dn: cn=qa,ou=group,dc=example,dc=org │ └── cn:ok: #dn: cn=ok,ou=group,dc=example,dc=org 
@@ -48,90 +49,93 @@ dc:org: #dn: dc=org - **These values are not stored inside the attribute** ### Extension: `go` template + To extend the `YAML` syntax _(injecting secrets for example)_, the `YAML` parser will use the `text/template` package to parse the `YAML` file. The format is the same as all other Go template (see [text/template](https://pkg.go.dev/text/template)) and uses `sprig` to add functions _(see http://masterminds.github.io/sprig/ for the list)_. Beside that, the `YAML` parser will add some functions to help the parsing: + - `readFile`: reads a file and return its content as a string (see [readFile](https://pkg.go.dev/io/ioutil#ReadFile)) ### Example ```yaml - dc:example: #dn: dc=example,dc=org - ou:group: #dn: ou=group,dc=example,dc=org - cn:owner: &test #dn: cn=admin,ou=group,dc=example,dc=org - objectClass: posixGroup +dc:example: #dn: dc=example,dc=org + ou:group: #dn: ou=group,dc=example,dc=org + cn:owner: &test #dn: cn=admin,ou=group,dc=example,dc=org + objectClass: posixGroup + gidNumber: 1000 + description: Organization owners + memberUid: [alice] + cn:dev: #dn: cn=dev,ou=group,dc=example,dc=org + objectClass: posixGroup + gidNumber: 1001 + description: Organization developers + memberUid: [bob, charlie] + cn:qa: #dn: cn=qa,ou=group,dc=example,dc=org + objectClass: posixGroup + gidNumber: 1002 + memberUid: [charlie, eve] + cn:ok: #dn: cn=ok,ou=group,dc=example,dc=org + <<: *test + gidNumber: 1003 + description: Dummy group + # memberUid: [alice] + + c:global: #dn: c=global,dc=example,dc=org + ou:people: #dn: ou=people,c=global,dc=example,dc=org + cn:alice: #dn: cn=alice,ou=people,c=global,dc=example,dc=org + objectClass: [posixAccount, UserMail] + .#acl: + - !!ldap/acl:allow-on dc=org # allow alice to request everything + + description: Main organization admin + uid: alice + uidNumber: 1000 gidNumber: 1000 - description: Organization owners - memberUid: [alice] - cn:dev: #dn: cn=dev,ou=group,dc=example,dc=org - objectClass: posixGroup + 
loginShell: /bin/bash + homeDirectory: /home/alice + userPassword: !!ldap/bind:password '{{ index (readFile "/run/secrets/passwords.json" | fromJson) alice }}' + usermail: alice@example.org + + cn:bob: #dn: cn=bob,ou=people,c=global,dc=example,dc=org + objectClass: posixAccount + .#acl: + - !!ldap/acl:allow-on ou=group,dc=example,dc=org # allow bob request only for user groups + + uid: bob + homeDirectory: /home/bob + uidNumber: 1001 + gidNumber: 1001 + userPassword: !!ldap/bind:password '{{ index (readFile "/run/secrets/passwords.json" | fromJson) bob }}' + + c:fr: #dn: c=fr,dc=example,dc=org + ou:people: #dn: ou=people,c=fr,dc=example,dc=org + cn:charlie: #dn: cn=charlie,ou=people,c=fr,dc=example,dc=org + objectClass: posixAccount + .#acl: + - !!ldap/acl:allow-on ou=group,dc=example,dc=org # allow charlie request for all groups... + - !!ldap/acl:deny-on cn=admin,ou=group,dc=example,dc=org # ...but to owner group + + uid: charlie + homeDirectory: /home/charlie + uidNumber: 1100 gidNumber: 1001 - description: Organization developers - memberUid: [bob, charlie] - cn:qa: #dn: cn=qa,ou=group,dc=example,dc=org - objectClass: posixGroup + userPassword: !!ldap/bind:password '{{ index (readFile "/run/secrets/passwords.json" | fromJson) charlie }}' + + c:uk: #dn: c=uk,dc=example,dc=org + ou:people: #dn: ou=people,c=fr,dc=example,dc=org + cn:eve: #dn: cn=eve,ou=people,c=uk,dc=example,dc=org + objectClass: posixAccount + #NOTE: eve can't make any LDAP request (no !!ldap/bind:password field) + uid: eve + homeDirectory: /home/eve + uidNumber: 1003 gidNumber: 1002 - memberUid: [charlie, eve] - cn:ok: #dn: cn=ok,ou=group,dc=example,dc=org - <<: *test - gidNumber: 1003 - description: Dummy group - # memberUid: [alice] - - c:global: #dn: c=global,dc=example,dc=org - ou:people: #dn: ou=people,c=global,dc=example,dc=org - cn:alice: #dn: cn=alice,ou=people,c=global,dc=example,dc=org - objectClass: [posixAccount, UserMail] - .#acl: - - !!ldap/acl:allow-on dc=org # allow alice to 
request everything - - description: Main organization admin - uid: alice - uidNumber: 1000 - gidNumber: 1000 - loginShell: /bin/bash - homeDirectory: /home/alice - userPassword: !!ldap/bind:password {{ index (readFile "/run/secrets/passwords.json" | fromJson) alice }} - usermail: alice@example.org - - cn:bob: #dn: cn=bob,ou=people,c=global,dc=example,dc=org - objectClass: posixAccount - .#acl: - - !!ldap/acl:allow-on ou=group,dc=example,dc=org # allow bob request only for user groups - - uid: bob - homeDirectory: /home/bob - uidNumber: 1001 - gidNumber: 1001 - userPassword: !!ldap/bind:password {{ index (readFile "/run/secrets/passwords.json" | fromJson) bob }} - - c:fr: #dn: c=fr,dc=example,dc=org - ou:people: #dn: ou=people,c=fr,dc=example,dc=org - cn:charlie: #dn: cn=charlie,ou=people,c=fr,dc=example,dc=org - objectClass: posixAccount - .#acl: - - !!ldap/acl:allow-on ou=group,dc=example,dc=org # allow charlie request for all groups... - - !!ldap/acl:deny-on cn=admin,ou=group,dc=example,dc=org # ...but to owner group - - uid: charlie - homeDirectory: /home/charlie - uidNumber: 1100 - gidNumber: 1001 - userPassword: !!ldap/bind:password {{ index (readFile "/run/secrets/passwords.json" | fromJson) charlie }} - - c:uk: #dn: c=uk,dc=example,dc=org - ou:people: #dn: ou=people,c=fr,dc=example,dc=org - cn:eve: #dn: cn=eve,ou=people,c=uk,dc=example,dc=org - objectClass: posixAccount - #NOTE: eve can't make any LDAP request (no !!ldap/bind:password field) - uid: eve - homeDirectory: /home/eve - uidNumber: 1003 - gidNumber: 1002 - userPassword: {{ index (readFile "/run/secrets/passwords.json" | fromJson) eve }} + userPassword: '{{ index (readFile "/run/secrets/passwords.json" | fromJson) eve }}' ``` ## RFCs ### Schema generation (12/06/2022) + Some LDAP tools needs metadata like `objectclass` and `attributes` definition. _Need more details_ 
diff --git a/pkg/ldap/directory/yaml/fixtures/secrets/password.json b/pkg/ldap/directory/yaml/fixtures/secrets/password.json index b338cd89..fbbfa7dc 100644 --- a/pkg/ldap/directory/yaml/fixtures/secrets/password.json +++ b/pkg/ldap/directory/yaml/fixtures/secrets/password.json @@ -1,6 +1,6 @@ { - "alice": "alice", - "bob": "bob", - "charlie": "charlie", - "eve": "eve" -} \ No newline at end of file + "alice": "alice", + "bob": "bob", + "charlie": "charlie", + "eve": "eve" +}