didmos2-openldap

mkdir -p /usr/src/didmos/
cd /usr/src/didmos/
tar -xzf PATH_TO_FILE/ldap.tgz

mkdir /usr/src/didmos/
cd /usr/src/didmos/
git clone https://gitlab.daasi.de/didmos2/didmos2-openldap.git ldap
cd ldap
git checkout feature/scale

cd /usr/src/didmos/
git clone https://gitlab.daasi.de/<customer_group>/<customer-repo> ldap_customer

wget https://repo.symas.com/repo/gpg/RPM-GPG-KEY-symas-com-signing-key -O /usr/share/keyrings/symas-key.asc
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/symas-key.asc] https://repo.symas.com/repo/deb/main/release26 jammy main' | tee -a /etc/apt/sources.list.d/soldap-release26.list
apt update
apt install symas-openldap-clients symas-openldap-server symas-openldap-dev

# /etc/tmpfiles.d/openldap.conf
d /run/slapd/ 0755 openldap openldap -

export MANAGER_PW=secret
export EVENTLOG_PW=secret
export ACCESSLOG_PW=secret
export DIDMOSCONFIG_PW=secret
export LOG_LEVEL=stats
export SUPER_ADMIN_LDAP_ACCOUNT_PW=secret
export BACKEND_PW=secret

export DB_MAX_SIZE_ACCESSLOG=500000000
export DB_MAX_SIZE_DATA=500000000
export DB_MAX_SIZE_EVENTLOG=500000000
export ACCESSLOG_LOG_PURGE="07+00:00 01+00:00"
export TLS_CHAIN=/etc/ssl/certs/MYCHAIN.pem
export TLS_CERT=/etc/ssl/certs/MYCERT.pem
export TLS_KEY=/etc/ssl/private/MYKEY.pem

bash entrypoint-scale-p.sh -s /usr/src/didmos/ldap -t /etc/ldap/ -m /var/didmos/ldap/ -d /var/lib/ldap/ -x /usr/src/didmos/ldap_customer/extension/ -e /etc/ldap/.env

ldap:
  container_name: ...
  ...
  volumes:
  - didmos2-demo-openldap-db:/var/lib/ldap:rw
  - didmos2-demo-openldap-config:/etc/ldap:rw
  - didmos2-demo-openldap-data:/var/didmos/ldap:rw
  - didmos2-demo-openldap-mig:/MIGRATIONS:rw
  - mux_socket:/var/run/saslauthd/
  - /var/didmos/core/ldap/backup:/BACKUP:rw

LDAP_URL=ldap://ldap:1389

docker.gitlab.daasi.de/didmos2/didmos2-openldap/didmos2-openldap-scale-p

ldap:
  container_name: ...
  ...
  volumes:
  - didmos2-demo-openldap-db:/var/lib/ldap:rw
  - didmos2-demo-openldap-config:/etc/ldap:rw
  - didmos2-demo-openldap-data:/var/didmos/ldap:rw
  - mux_socket:/var/run/saslauthd/

"delete": [
  { "dn": "<DN>" }
]

"rename": [
  { "dn": "<OLD_DN>",
    "newdn": "<NEW_DN>" }
]

"add": [
  { "dn": "ou=permissions,@parent.baseDN@",
    "attributes": [
      { "name": "<ATTRIBUTE_1>",
        "value": ["<VALUE_1>", "<VALUE_2>"]
      },
      { "name": "<ATTRIBUTE_2>",
        "value": ["<VALUE_3>", "<VALUE_4>"]
      }
    ]
  }
]

"modify": [
  { "dn": "rbacName=admin-permission,@parent.baseDN@",
    "attributes": [
      { "name": "<ATTRIBUTE_1>",
        "value": ["<VALUE_1>", "<VALUE_2>"],
        "op": "add | delete | modify | replace"
      }
    ]
  }
],

"search": {
  "baseDN": "ou=tenants,ou=data,ou=root-tenant,dc=didmos,dc=de",
  "searchFilter": "(&(objectClass=didmosTenant)(objectClass=organizationalUnit))",
  "scope": "one | base | sub",
  "forEach": {

  },
  "else": {

  }
}

{
	"version": "1",
  "modify": [
    {
      "dn": "rbacName=defaultuser-modify-permission,ou=permissions,ou=pdp,ou=root-tenant,dc=didmos,dc=de",
      "attributes": [
        { "name": "rbacConstraint",
          "value": ["EXISTINGVALUE"],
          "op": "add"
        }
      ],
      "ignoreErrors": true
    },
    {
      "dn": "rbacName=defaultuser-modify-permission,ou=permissions,ou=pdp,ou=root-tenant,dc=didmos,dc=de",
      "attributes": [
        { "name": "rbacConstraint",
          "value": ["NEWVALUE"],
          "op": "add"
        }
      ]
    }
  ]
}

{
  "version": "1",
  "search": {
    "baseDN": "ou=tenants,ou=data,ou=root-tenant,dc=didmos,dc=de",
    "searchFilter": "(&(objectClass=didmosTenant)(objectClass=organizationalUnit))",

    "forEach": {
      "search": {
        "baseDN": "ou=pdp,@forEach@",
        "searchFilter": "(&(ou=permissions)(objectClass=organizationalUnit))",
        "scope": "one",
  
        "forEach": {
          "functions": [
            { "name": "ext_explode_dn", "args": ["@forEach@", 2], "result": "tenant.DN" },
            { "name": "ext_generate_uuid", "args": "", "result": "UUID1" },
            { "name": "ext_intersection", "result": "rbacResourceDN",
              "args": [
              { "name": "ext_search",
                "args": ["ou=people,ou=data,@tenant.DN@", "(&(objectClass=didmosPerson)(sn=Admin))"] },
              { "name": "ext_search",
                "args": ["ou=roles,@parent.baseDN@", "(rbacName=admin)", "rbacPerformer"] }
              ]
            }
          ],
          "add": [
            {
              "dn": "rbacName=@UUID1@,@forEach@",
              "attributes": [
                { "name": "objectClass", "value": ["rbacPermission"] },
                { "name": "rbacName", "value": "@UUID1@" },
                { "name": "rbacRoleDN", "value": "rbacName=defaultuser,ou=roles,@parent.baseDN@" },
                { "name": "rbacConstraint", "value": "attribute:sn" },
                { "name": "rbacOperation", "value": [ "read" ] },
                { "name": "rbacResourceDN", "value": "@rbacResourceDN@"}
              ]
            }
          ]
        },
        "else": {
          "functions": [
            {
              "name": "ext_generate_uuid",
              "args": "",
              "result": "UUID1"
            },
            {
              "name": "ext_search",
              "args": ["ou=roles,@parent.baseDN@", "(&(objectClass=rbacRole)(rbacDisplayName=defaultuser))"],
              "result": "DEFUALTUSERROLEDN"
            }
          ],
          "add": [
            { "dn": "ou=permissions,@parent.baseDN@",
              "attributes": [
              { "name": "objecClass",
                "value": ["organizationalUnit"],
              },
              { "name": "ou",
                "value": ["permissions"],
              }
            },
            {
              "dn": "rbacName=@UUID1@,ou=permissions,@parent.baseDN@",
              "attributes": [
                { "name": "rbacName",
                  "value": ["@UUID1@"],
                },
                { "name": "objecClass",
                  "value": ["rbacPermission"],
                },
                { "name": "rbacPermissionString",
                  "value": ["self"],
                }
                { "name": "rbacOperations",
                  "value": ["read", "write", "modify-del", "modify-replace", "modify-add"],
                }
                { "name": "rbacRoleDN",
                  "value": ["@DEFUALTUSERROLEDN@"],
                }
              ]
            }
          ]
        }
      }
    }
  }
}

{
  "version": "1",
  "search": {
    "baseDN": "ou=tenants,ou=data,ou=root-tenant,dc=didmos,dc=de",
    "searchFilter": "(&(objectClass=didmosTenant)(objectClass=organizationalUnit))",

    "forEach": {
      "search": {
        "baseDN": "ou=pdp,@forEach@",
        "searchFilter": "(&(ou=permissions)(objectClass=organizationalUnit))",
        "scope": "one",
  
        "forEach": {
          "add": [
            {
              "dn": "rbacName=defaultuser-permission,@forEach@",
              "attributes": [
                { "name": "objectClass", "value": ["rbacPermission"] },
                { "name": "rbacName", "value": "defaultuser-permission" },
                { "name": "rbacRoleDN", "value": "rbacName=defaultuser,ou=roles,@parent.baseDN@" },
                { "name": "rbacOperation", "value": [ "delete", "modify-add", "modify-del", "modify-replace",
                                    "read", "readHistory", "write"
                                  ] },
                { "name": "rbacPermissionString", "value": "self" }
              ]
            },
            {
              "dn": "rbacName=groupMember-permission,@parent.baseDN@",
              "attributes": [
                { "name": "objectClass", "value": ["rbacPermission"] },
                { "name": "rbacName", "value": "groupMember-permission" },
                { "name": "rbacRoleDN",
                  "value": {
                  "search": {
                    "baseDN": "",
                    "searchFilter": "(objectClass=person)",
                    "attributes": ["entryDN"]
                  }
                  }
                },
                { "name": "rbacOperation", "value": ["read"] },
                { "name": "rbacConstraint", "value": ["attribute:cn", "member:self"] },
                { "name": "rbacPermissionFilter", "value": "(&(objectClass=didmosGroup)(member=self))" }
              ]
            }
          ],
          "modify": [
            {
              "dn": "rbacName=admin-permission,@parent.baseDN@",
              "attributes": [
                { "name": "rbacOperation",
                  "value": ["delete", "modify-add", "modify-del", "modify-replace"],
                  "op": "add"
                },
                { "name": "rbacOperation",
                  "value": ["create"],
                  "op": "delete"
                },
                { "name": "description",
                  "op": "delete"
                },
                { "name": "rbacPermissionFilter",
                  "value": ["(objectClass=*)"],
                  "op": "replace"
                }
              ]
            }
          ],
          "delete": [
            { "dn": "rbacName=dummy,@forEach@" }
          ],
          "rename": [
            { "dn": "rbacName=prod,@forEach@",
              "newdn": "rbacName=test,@forEach@" }
          ]
        }
      }
    }
  }
}

usage: migration.py [-h] (-l LDIF_FILE | -j CONFIG_FILE) [-H URI] [-D BIND]
                    [-w PASSWORD OR FILE] [-W] [-d] [-v] [-c]

optional arguments:
  -h, --help            show this help message and exit
  -l LDIF_FILE, --ldif LDIF_FILE
                        The ldif to import
  -j CONFIG_FILE, --json CONFIG_FILE
                        The json configuration file
  -H URI, --uri URI     The connection URI for the server (LDAP or HTTP)
  -D BIND, --bind BIND  The bind DN that is allowed to read the LDAP
                        configuration
  -w PASSWORD, --password PASSWORD
                        The password to authenticate the script for reading
                        the configuration
  -W, --ask-password    Ask for the password to authenticate the script for
                        reading the configuration
  -d, --dryrun          If set to true, planed changes are only shown but
                        changes are made to the LDAP
  -v, --verbose         If set to true, changes are shown
  -c, --continue        Continue processing even if errors occur

usage: migration.sh PASSWORD [FILE|VARIABLES] 

required arguments: 
  PASSWORD              The ldap password of the system. 

optional arguments:
  VARIABLES             A list of Variable Names which are replaced during the migration. 
  FILE                  Path to a file containing key-value pairs of variables.