Add dry-run #131

Merged

merged 18 commits into from May 27, 2024

Conversation

mrvanes
Contributor

@mrvanes mrvanes commented Mar 7, 2024

This PR adds the option to specify 'test' as SBS host and a sync key to point to a local file containing the /api/plsc/sync endpoint to test against in json format:

...
sbs:
  src:
    # host: https://sbs.example.net
    host: test
    sync: sync.json
...

dump_sbs.py can be used to dump the /api/plsc/sync endpoint

@mrvanes
Contributor Author

mrvanes commented Mar 7, 2024

To save/load the LDAP contents on a docker based LDAP instance we can use

# Dump the suffix to LDIF on the host: slapcat writes to stdout inside the container,
# docker exec forwards it, and the redirect happens on the host.
docker exec sram-ldap slapcat -F /bitnami/openldap/slapd.d/ -b 'dc=services,dc=vnet' > backup.ldif
# Restore: slapadd reads backup.ldif *inside* the container, so the file must exist at
# that path in the container's filesystem (bind-mount it or `docker cp` it in first).
# slapd should not be running in read-write mode while slapadd writes the database.
docker exec sram-ldap slapadd -F /bitnami/openldap/slapd.d/ -b 'dc=services,dc=vnet' -l backup.ldif

@mrvanes mrvanes linked an issue Mar 8, 2024 that may be closed by this pull request
@mrvanes
Contributor Author

mrvanes commented Mar 8, 2024

Workflow:

  • Copy prd slapcat output to backup.ldif
  • Copy prd /api/plsc/sync output to sync.json
  • Run ./dry-run.sh
  • Inspect output
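
An added example (not plsc's own code, nor part of this PR) of the two ideas the description and the workflow above rely on: a source selector that reads the sync payload from a local file when `sbs.src.host` is the literal `test`, and a planner that diffs LDAP entries against that payload and returns a python-ldap style modlist without applying it. The payload layout (`{"users": {uid: {attr: [values]}}}`), the sample entries, the `MANAGED` attribute set and the `dry_run`/`demo` names are all constructed for this example; the real `/api/plsc/sync` schema is not shown on the page.

```python
"""Dry-run helpers, written for this page as an illustration (not plsc code)."""
import json
import os
import tempfile

# Operation codes as used in python-ldap modlists (ldap.MOD_ADD, ldap.MOD_DELETE,
# ldap.MOD_REPLACE); defined here so the example runs without python-ldap installed.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# Constructed sample data; none of this is real SRAM/SBS content.
CONSTRUCTED_SYNC = {
    "users": {
        "paul": {"uid": ["paul"], "mail": ["paul@example.org"], "voPersonStatus": ["active"]},
    }
}
# Stand-in for what slapcat/ldapsearch would return for uid=paul (note the upper-case UID).
CONSTRUCTED_LDAP = {
    "paul": {"objectClass": ["inetOrgPerson", "person"], "UID": ["paul"],
             "mail": ["old@example.org"], "sn": ["n/a"]},
}
# Attributes the sync is allowed to delete (assumption: everything else, such as
# objectClass and operational attributes, is left alone).
MANAGED = {"uid", "mail", "sn", "vopersonstatus"}


def load_sync(cfg):
    """Return the sync payload for the configured source.

    host == "test" selects the local-file path described in the PR: read the
    JSON file named by sbs.src.sync and never open a network connection.
    """
    src = cfg["sbs"]["src"]
    if src["host"] == "test":
        with open(src["sync"], encoding="utf-8") as fh:
            return json.load(fh)
    # Live mode is deliberately left out: how plsc talks to host + "/api/plsc/sync"
    # is not shown on the page.
    raise NotImplementedError(f"live fetch from {src['host']} is not part of this example")


def plan_modlist(current, desired, managed):
    """Diff one entry (attr -> list of str) against its desired state and return a
    python-ldap style modlist [(op, attribute, values)] without sending it anywhere.

    Attribute names compare case-insensitively (ldapsearch may print them upper-case);
    the name from `desired` is used in the modlist. Deletions are limited to `managed`.
    """
    have = {name.lower(): (name, values) for name, values in current.items()}
    want_keys = {name.lower() for name in desired}
    mods = []
    for attr, values in sorted(desired.items()):
        wanted = [v.encode("utf-8") for v in values]
        key = attr.lower()
        if key not in have:
            if wanted:
                mods.append((MOD_ADD, attr, wanted))
        elif sorted(have[key][1]) != sorted(values):
            mods.append((MOD_REPLACE, attr, wanted))
    for key, (name, _values) in sorted(have.items()):
        if key in managed and key not in want_keys:
            mods.append((MOD_DELETE, name, None))
    return mods


def dry_run(cfg, ldap_entries, managed):
    """Return {uid: modlist} for every user in the sync; performs no LDAP write."""
    sync = load_sync(cfg)
    return {uid: plan_modlist(ldap_entries.get(uid, {}), desired, managed)
            for uid, desired in sync["users"].items()}


def demo():
    """End-to-end run on the constructed data: test-mode config, local sync.json."""
    with tempfile.TemporaryDirectory() as tmp:
        sync_path = os.path.join(tmp, "sync.json")
        with open(sync_path, "w", encoding="utf-8") as fh:
            json.dump(CONSTRUCTED_SYNC, fh)
        cfg = {"sbs": {"src": {"host": "test", "sync": sync_path}}}
        return dry_run(cfg, CONSTRUCTED_LDAP, MANAGED)


if __name__ == "__main__":
    for uid, mods in demo().items():
        print(uid, mods)
```

Inspecting the planned modlist is the "Inspect output" step: for the constructed entry it replaces `mail`, adds `voPersonStatus` and deletes `sn`, while `objectClass` is untouched because it is not in the managed set and `UID` matches despite the case difference.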

@mrvanes mrvanes marked this pull request as ready for review April 9, 2024 20:23
@baszoetekouw
Member

It still goes wrong when I test with data from test:

DEBUG:root:Storing ldap: {'objectClass': ['inetOrgPerson', 'person', 'eduPerson', 'voPerson'], 'eduPersonUniqueId': ['urn:paul'], 'displayName': ['Paul Doe'], 'givenName': ['n/a'], 'sn': ['n/a'], 'cn': ['urn:paul'], 'mail': ['paul@ucc.org'], 'voPersonExternalAffiliation': [], 'eduPersonScopedAffiliation': ['member@sram.surf.nl'], 'voPersonExternalID': [], 'uid': ['paul'], 'voPersonStatus': ['active'], 'voPersonPolicyAgreement;time-1714744733': ['https://google.nl']}
DEBUG:root:Search: uid=paul,ou=People,o=uniharderwijk.monitor1,dc=ordered,dc=804d6956-0c82-4bf4-b189-be10c78c2930,dc=services,dc=sram-tst,dc=surf,dc=nl
INFO:root:[LDAP] Update: uid=paul,ou=People,o=uniharderwijk.monitor1,dc=ordered,dc=804d6956-0c82-4bf4-b189-be10c78c2930,dc=services,dc=sram-tst,dc=surf,dc=nl
DEBUG:root:[LDAP] Update will modify: [(0, 'voPersonPolicyAgreement;time-1714744733', [b'https://google.nl'])]
ERROR:root:Exception on modify of uid=paul,ou=People,o=uniharderwijk.monitor1,dc=ordered,dc=804d6956-0c82-4bf4-b189-be10c78c2930,dc=services,dc=sram-tst,dc=surf,dc=nl: {'msgtype': 103, 'msgid': 16, 'result': 17, 'desc': 'Undefined attribute type', 'ctrls': [], 'info': 'voPersonPolicyAgreement;time-1714744733: unrecognized option'}
ERROR:root:[(0, 'voPersonPolicyAgreement;time-1714744733', [b'https://google.nl'])]
ldap.UNDEFINED_TYPE: {'msgtype': 103, 'msgid': 16, 'result': 17, 'desc': 'Undefined attribute type', 'ctrls': [], 'info': 'voPersonPolicyAgreement;time-1714744733: unrecognized option'}

Very strange though, because when ldapadd-ing the source data that time- option is also present in the voPersonPolicyAgreement and then it does accept it (e.g. uid=paul,ou=People,o=uniharderwijk.monitor1,dc=ordered,dc=https://ldap-monitor.example.org,dc=services,dc=sram-tst,dc=surf,dc=nl). Slapcat on the populated docker-ldap shows it too, but ldapsearch only sees it as a kind of operational attribute:

╰─▶ ldapsearch -H ldap://172.20.255.1:1389 -o ldif-wrap=no -b ou=People,o=uniharderwijk.monitor1,dc=ordered,dc=https://ldap-monitor.example.org,dc=services,dc=sram-tst,dc=surf,dc=nl -D cn=admin,dc=services,dc=sram-tst,dc=surf,dc=nl -w changethispassword  '(uid=paul)' '*' '+'
# extended LDIF
#
# LDAPv3
# base <ou=People,o=uniharderwijk.monitor1,dc=ordered,dc=https://ldap-monitor.example.org,dc=services,dc=sram-tst,dc=surf,dc=nl> with scope subtree
# filter: (uid=paul)
# requesting: * +
#

# paul, People, uniharderwijk.monitor1, ordered.https://ldap-monitor.example.org.services.sram-tst.surf.nl
dn: uid=paul,ou=People,o=uniharderwijk.monitor1,dc=ordered,dc=https://ldap-monitor.example.org,dc=services,dc=sram-tst,dc=surf,dc=nl
objectClass: inetOrgPerson
objectClass: person
objectClass: eduPerson
objectClass: voPerson
eduPersonUniqueId: urn:paul
displayName: Paul Doe
givenName: n/a
sn: n/a
cn: urn:paul
mail: paul@ucc.org
eduPersonScopedAffiliation: member@sram.surf.nl
uid: paul
voPersonStatus: active
structuralObjectClass: inetOrgPerson
entryUUID: 1b0fb7ec-75a0-103e-93e9-6be5fee8040c
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20240313161134Z
MEMBEROF: cn=@all,ou=Groups,o=uniharderwijk.monitor1,dc=ordered,dc=https://ldap-monitor.example.org,dc=services,dc=sram-tst,dc=surf,dc=nl
VOPERSONPOLICYAGREEMENT;TIME-1714744733: https://example.nl/aup
entryCSN: 20240503135953.998034Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20240503135953Z
entryDN: uid=paul,ou=People,o=uniharderwijk.monitor1,dc=ordered,dc=https://ldap-monitor.example.org,dc=services,dc=sram-tst,dc=surf,dc=nl
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Note that the membership overlay also seems to go wrong in the same way.
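
An added example (not plsc or OpenLDAP code, and not from the thread) of the mechanism behind the `unrecognized option` error above: slapd only accepts attribute options (the `;tag` part of an attribute description, RFC 4512) that are declared with the `attributeoptions` directive (`olcAttributeOptions` under cn=config); by default only the `lang-` prefix is predefined, so `voPersonPolicyAgreement;time-1714744733` is rejected on modify unless `time-` is declared. The checker below re-implements that rule so a dry run can flag such modlist entries before a live modify does. It assumes the target slapd has no `attributeoptions` configured (the thread does not show its config) and ignores transfer options such as `;binary`.

```python
"""Pre-validate attribute options in a modlist, mirroring slapd's attributeoptions rule.
Illustration written for this page; the real plsc and slapd code differ."""
import re

# RFC 4512 attribute description: descr *( ";" option ). Numeric-OID descriptors are
# not handled here. Options are case-insensitive.
_DESCR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
_OPTION = re.compile(r"^[A-Za-z0-9-]+$")

# slapd's predefined option prefix when no attributeoptions directive is set.
# An entry ending in '-' is a prefix; any other entry must match exactly.
DEFAULT_ATTRIBUTE_OPTIONS = ("lang-",)

# Corresponding cn=config change (assumed fix, not shown in the thread). Listing the
# directive replaces the predefined set, so lang- has to be repeated:
#   dn: cn=config
#   changetype: modify
#   add: olcAttributeOptions
#   olcAttributeOptions: lang-
#   olcAttributeOptions: time-


def parse_attribute_description(desc):
    """Split 'attr;opt1;opt2' into ('attr', ['opt1', 'opt2']), validating the syntax."""
    name, *options = desc.split(";")
    if not _DESCR.match(name):
        raise ValueError(f"invalid attribute descriptor: {name!r}")
    for option in options:
        if not _OPTION.match(option):
            raise ValueError(f"invalid attribute option: {option!r}")
    return name, options


def option_recognised(option, configured=DEFAULT_ATTRIBUTE_OPTIONS):
    """True if slapd configured with `configured` would accept `option`."""
    option = option.lower()
    for conf in configured:
        conf = conf.lower()
        if conf.endswith("-"):
            # prefix: needs at least one character after the dash (assumption)
            if option.startswith(conf) and len(option) > len(conf):
                return True
        elif option == conf:
            return True
    return False


def check_modlist(modlist, configured=DEFAULT_ATTRIBUTE_OPTIONS):
    """Return [(attribute description, offending option)] for every modlist entry
    whose option the server would reject; an empty list means the modify can proceed."""
    problems = []
    for _op, desc, _values in modlist:
        _name, options = parse_attribute_description(desc)
        for option in options:
            if not option_recognised(option, configured):
                problems.append((desc, option))
    return problems


if __name__ == "__main__":
    # The modlist from the error in the thread.
    mods = [(0, "voPersonPolicyAgreement;time-1714744733", [b"https://google.nl"])]
    print("default slapd:", check_modlist(mods))
    print("with time- declared:", check_modlist(mods, ("lang-", "time-")))
```

Running the checker over the modlist from the log reproduces the server's verdict for a default configuration and clears it once `time-` is declared, which is the kind of check a dry run can do without a live directory.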

@baszoetekouw baszoetekouw left a comment

see comments

@baszoetekouw
Member

Wouldn't a better route be to move the whole ldap config that we now do in ansible into a custom ldap container image with our config baked in? Then we can simply reuse that container here as well, and we also take some complexity out of ansible again.

@baszoetekouw baszoetekouw merged commit e6a840e into main May 27, 2024
6 checks passed
@baszoetekouw baszoetekouw deleted the add-dry-run branch May 27, 2024 13:58
Development

Successfully merging this pull request may close these issues.

make it easier to test plsc on production data
2 participants