
Strange replication behaviour #219

Open
ZeChArtiahSaher opened this issue Nov 19, 2024 · 8 comments

Comments

ZeChArtiahSaher commented Nov 19, 2024

When I toggle replication on (which does work, as I verified in terms of replicating the schemas that are in the container), there is an error during the initialization phase that seemingly prevents fully successful initialization and maybe prevents custom LDIFs? Unless of course those are completely ignored, I don't know; it would be nice to know that precisely, as the docs don't specify.

P.S.: Without replication, LDIFs/schemas init just fine. Also, I will start looking into the replication definitions in the chart in the meantime.

# ...

image:
  repository: jpgouin/openldap
  tag: 2.6.8-fix
  pullPolicy: Always
  
env:
  LDAP_ROOT: "dc=example,dc=com"
  LDAP_ADMIN_DN: "cn=admin,dc=example,dc=com"
  LDAP_PASSWORD_HASH: "{SSHA}"
  BITNAMI_DEBUG: "true"
  LDAP_LOGLEVEL: "256"
  LDAP_REQUIRE_TLS: "false"
  LDAPTLS_REQCERT: "never"
  LDAP_ENABLE_TLS: "yes"
  LDAP_SKIP_DEFAULT_TREE: "no"

# ...

replicaCount: 1 # reduced down to 1 pod for quick testing

readOnlyReplicaCount: 0 # reduced down to 0 pods for quick testing

# ...

customLdifFiles:
  00-root.ldif: |-
    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organization
    o: Example, Inc
    dc: example

customSchemaFiles:
  00-password-hash.ldif: |-
    dn: cn=config
    changetype: modify
    replace: olcPasswordHash
    olcPasswordHash: "{SSHA}"

# ...

replication:
  enabled: true # <--- this breaks init
  clusterName: "cluster.local"
  retry: 60
  timeout: 1
  interval: 00:00:00:10
  starttls: "critical"

persistence:
  enabled: true
  accessModes:
    - ReadWriteOnce
  size: 8Gi

initTLSSecret:
  tls_enabled: true
  secret: openldap-tls-secret

Cert (created prior to deploy):

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: openldap-cert
  namespace: openldap
spec:
  secretName: openldap-tls-secret
  duration: 8760h
  renewBefore: 720h
  commonName: "dc=example,dc=com"
  privateKey:
    algorithm: RSA
    size: 4096
  dnsNames:
    - "openldap"
    - "openldap.openldap"
    - "openldap.openldap.svc"
    - "openldap.openldap.svc.cluster.local"
    - "*.openldap.openldap.svc.cluster.local"
    - "*.openldap-headless.openldap.svc.cluster.local"
  issuerRef:
    name: selfsigning-issuer
    kind: ClusterIssuer
    group: cert-manager.io

Possible log entry in question:

...
SASL SSF: 0
673cd53a.18ca669e 0x7f291f7fe6c0 conn=1007 op=1 MOD dn="olcDatabase={0}config,cn=config"
673cd53a.18cad064 0x7f291f7fe6c0 conn=1007 op=1 MOD attr=olcSyncRepl olcMultiProvider
673cd53a.18ccd476 0x7f291f7fe6c0 olcMultiProvider: value #0: <olcMultiProvider> database is not a shadow
673cd53a.18cd967f 0x7f291f7fe6c0 conn=1007 op=1 RESULT tag=103 err=80 qtime=0.000016 etime=0.000244 text=<olcMultiProvider> database is not a shadow
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcMultiProvider> database is not a shadow
673cd53a.18cf04f5 0x7f291ffff6c0 conn=1007 op=2 UNBIND
673cd53a.18cf82ac 0x7f291ffff6c0 conn=1007 fd=12 closed
modifying entry "olcDatabase={0}config,cn=config"
...

Log dump:

Defaulted container "openldap-stack-ha" out of: openldap-stack-ha, init-schema (init), init-tls-secret (init), volume-permissions (init)
 18:13:13.16 INFO  ==> ** Starting LDAP setup **
 18:13:13.19 INFO  ==> Validating settings in LDAP_* env vars
 18:13:13.20 INFO  ==> Initializing OpenLDAP...
 18:13:13.20 DEBUG ==> Ensuring expected directories/files exist...
 18:13:13.22 INFO  ==> Creating LDAP online configuration
 18:13:13.22 INFO  ==> Creating slapd.ldif
 18:13:13.29 INFO  ==> Starting OpenLDAP server in background
673cd539.12472d33 0x7f2964f16740 @(#) $OpenLDAP: slapd 2.6.8 (Jul 22 2024 15:17:33) $
        @5166997a1da7:/bitnami/blacksmith-sandox/openldap-2.6.8/servers/slapd
673cd539.13b7df7d 0x7f2964f16740 slapd starting
 18:13:14.30 INFO  ==> Configure LDAP credentials for admin user
SASL/EXTERNAL authentication started
673cd53a.128fa44f 0x7f291ffff6c0 conn=1000 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
673cd53a.1290ec86 0x7f291ffff6c0 conn=1000 op=0 BIND dn="" method=163
673cd53a.1291e828 0x7f291ffff6c0 conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
673cd53a.12925882 0x7f291ffff6c0 conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
673cd53a.1292e3bb 0x7f291ffff6c0 conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000013 etime=0.000157 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
673cd53a.12973b47 0x7f291f7fe6c0 conn=1000 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
673cd53a.1297d68f 0x7f291f7fe6c0 conn=1000 op=1 MOD attr=olcSuffix
673cd53a.1301eb1d 0x7f291f7fe6c0 conn=1000 op=1 RESULT tag=103 err=0 qtime=0.000021 etime=0.007040 text=
673cd53a.1304483d 0x7f291ffff6c0 conn=1000 op=2 MOD dn="olcDatabase={2}mdb,cn=config"
673cd53a.1304dd86 0x7f291ffff6c0 conn=1000 op=2 MOD attr=olcRootDN
673cd53a.136a520f 0x7f291ffff6c0 conn=1000 op=2 RESULT tag=103 err=0 qtime=0.000026 etime=0.006724 text=
673cd53a.136cd110 0x7f291f7fe6c0 conn=1000 op=3 MOD dn="olcDatabase={2}mdb,cn=config"
673cd53a.136d3a22 0x7f291f7fe6c0 conn=1000 op=3 MOD attr=olcRootPW
673cd53a.13c96786 0x7f291f7fe6c0 conn=1000 op=3 RESULT tag=103 err=0 qtime=0.000012 etime=0.006095 text=
673cd53a.13cb2a14 0x7f291ffff6c0 conn=1000 op=4 MOD dn="olcDatabase={1}monitor,cn=config"
673cd53a.13cbe205 0x7f291ffff6c0 conn=1000 op=4 MOD attr=olcAccess
673cd53a.14140a50 0x7f291ffff6c0 conn=1000 op=4 RESULT tag=103 err=0 qtime=0.000015 etime=0.004806 text=
673cd53a.1415dfe0 0x7f291f7fe6c0 conn=1000 op=5 MOD dn="olcDatabase={0}config,cn=config"
673cd53a.141671ee 0x7f291f7fe6c0 conn=1000 op=5 MOD attr=olcRootDN
673cd53a.1461f43a 0x7f291f7fe6c0 conn=1000 op=5 RESULT tag=103 err=0 qtime=0.000015 etime=0.005011 text=
673cd53a.1464efed 0x7f291ffff6c0 conn=1000 op=6 MOD dn="olcDatabase={0}config,cn=config"
673cd53a.14656ea7 0x7f291ffff6c0 conn=1000 op=6 MOD attr=olcRootPW
673cd53a.14bb2e08 0x7f291ffff6c0 conn=1000 op=6 RESULT tag=103 err=0 qtime=0.000015 etime=0.005680 text=
modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

673cd53a.14be3cd3 0x7f291f7fe6c0 conn=1000 op=7 UNBIND
673cd53a.14bf0871 0x7f291f7fe6c0 conn=1000 fd=12 closed
 18:13:14.34 INFO  ==> Adding LDAP extra schemas
SASL/EXTERNAL authentication started
673cd53a.152e4c2e 0x7f291ffff6c0 conn=1001 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
673cd53a.152ef5df 0x7f291f7fe6c0 conn=1001 op=0 BIND dn="" method=163
673cd53a.152fb5d8 0x7f291f7fe6c0 conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
673cd53a.15300733 0x7f291f7fe6c0 conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
673cd53a.1530655a 0x7f291f7fe6c0 conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000011 etime=0.000109 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
673cd53a.1534efef 0x7f291ffff6c0 conn=1001 op=1 ADD dn="cn=cosine,cn=schema,cn=config"
673cd53a.158edc26 0x7f291ffff6c0 conn=1001 op=1 RESULT tag=105 err=0 qtime=0.000014 etime=0.005939 text=
673cd53a.15909daa 0x7f291f7fe6c0 conn=1001 op=2 UNBIND
adding new entry "cn=cosine,cn=schema,cn=config"

673cd53a.1591d0a1 0x7f291f7fe6c0 conn=1001 fd=12 closed
SASL/EXTERNAL authentication started
673cd53a.15bf963e 0x7f291ffff6c0 conn=1002 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
673cd53a.15c0c213 0x7f291f7fe6c0 conn=1002 op=0 BIND dn="" method=163
673cd53a.15c16792 0x7f291f7fe6c0 conn=1002 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
673cd53a.15c21924 0x7f291f7fe6c0 conn=1002 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
673cd53a.15c2b2d8 0x7f291f7fe6c0 conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000018 etime=0.000149 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
673cd53a.15c50a6b 0x7f291ffff6c0 conn=1002 op=1 ADD dn="cn=inetorgperson,cn=schema,cn=config"
673cd53a.16192bb7 0x7f291ffff6c0 conn=1002 op=1 RESULT tag=105 err=0 qtime=0.000014 etime=0.005541 text=
673cd53a.161ba4dc 0x7f291f7fe6c0 conn=1002 op=2 UNBIND
673cd53a.161c1a22 0x7f291f7fe6c0 conn=1002 fd=12 closed
adding new entry "cn=inetorgperson,cn=schema,cn=config"

SASL/EXTERNAL authentication started
673cd53a.16596b47 0x7f291ffff6c0 conn=1003 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
673cd53a.165a5583 0x7f291f7fe6c0 conn=1003 op=0 BIND dn="" method=163
673cd53a.165b0ef2 0x7f291f7fe6c0 conn=1003 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
673cd53a.165b6b8f 0x7f291f7fe6c0 conn=1003 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
673cd53a.165c0176 0x7f291f7fe6c0 conn=1003 op=0 RESULT tag=97 err=0 qtime=0.000014 etime=0.000128 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
673cd53a.165fc2e4 0x7f291ffff6c0 conn=1003 op=1 ADD dn="cn=nis,cn=schema,cn=config"
673cd53a.16ba3006 0x7f291ffff6c0 conn=1003 op=1 RESULT tag=105 err=0 qtime=0.000013 etime=0.005958 text=
673cd53a.16bbcc21 0x7f291f7fe6c0 conn=1003 op=2 UNBIND
adding new entry "cn=nis,cn=schema,cn=config"

673cd53a.16bd2c74 0x7f291f7fe6c0 conn=1003 fd=12 closed
SASL/EXTERNAL authentication started
673cd53a.16f6844d 0x7f291ffff6c0 conn=1004 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
673cd53a.16f767e5 0x7f291f7fe6c0 conn=1004 op=0 BIND dn="" method=163
673cd53a.16f813d8 0x7f291f7fe6c0 conn=1004 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
673cd53a.16f8823e 0x7f291f7fe6c0 conn=1004 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
673cd53a.16f919ee 0x7f291f7fe6c0 conn=1004 op=0 RESULT tag=97 err=0 qtime=0.000014 etime=0.000128 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
673cd53a.16fc8977 0x7f291ffff6c0 conn=1004 op=1 ADD dn="cn=module,cn=config"
673cd53a.175f7079 0x7f291ffff6c0 conn=1004 op=1 RESULT tag=105 err=0 qtime=0.000014 etime=0.006509 text=
673cd53a.1760bd3c 0x7f291f7fe6c0 conn=1004 op=2 UNBIND
673cd53a.1761978a 0x7f291f7fe6c0 conn=1004 fd=12 closed
adding new entry "cn=module,cn=config"

SASL/EXTERNAL authentication started
673cd53a.179b4261 0x7f291ffff6c0 conn=1005 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
673cd53a.179c0419 0x7f291f7fe6c0 conn=1005 op=0 BIND dn="" method=163
673cd53a.179cd90e 0x7f291f7fe6c0 conn=1005 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
673cd53a.179d3317 0x7f291f7fe6c0 conn=1005 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
673cd53a.179daaf1 0x7f291f7fe6c0 conn=1005 op=0 RESULT tag=97 err=0 qtime=0.000012 etime=0.000124 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
673cd53a.17a05766 0x7f291ffff6c0 conn=1005 op=1 MOD dn="cn=config"
673cd53a.17a0d642 0x7f291ffff6c0 conn=1005 op=1 MOD attr=olcServerID
673cd53a.17f117b2 0x7f291ffff6c0 conn=1005 op=1 RESULT tag=103 err=0 qtime=0.000014 etime=0.005315 text=
673cd53a.17f23179 0x7f291f7fe6c0 conn=1005 op=2 UNBIND
673cd53a.17f2db6e 0x7f291f7fe6c0 conn=1005 fd=12 closed
modifying entry "cn=config"

SASL/EXTERNAL authentication started
673cd53a.182dd682 0x7f291ffff6c0 conn=1006 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
673cd53a.182eb6e1 0x7f291f7fe6c0 conn=1006 op=0 BIND dn="" method=163
673cd53a.182f7cb1 0x7f291f7fe6c0 conn=1006 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
673cd53a.182fcb82 0x7f291f7fe6c0 conn=1006 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
673cd53a.18303d2e 0x7f291f7fe6c0 conn=1006 op=0 RESULT tag=97 err=0 qtime=0.000013 etime=0.000118 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
673cd53a.1833d038 0x7f291ffff6c0 conn=1006 op=1 ADD dn="olcOverlay=syncprov,olcDatabase={0}config,cn=config"
673cd53a.1893717f 0x7f291ffff6c0 conn=1006 op=1 RESULT tag=105 err=0 qtime=0.000009 etime=0.006312 text=
673cd53a.1895235f 0x7f291f7fe6c0 conn=1006 op=2 UNBIND
adding new entry "olcOverlay=syncprov,olcDatabase={0}config,cn=config"

673cd53a.1896d794 0x7f291f7fe6c0 conn=1006 fd=12 closed
SASL/EXTERNAL authentication started
673cd53a.18c5915b 0x7f291ffff6c0 conn=1007 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
673cd53a.18c6685e 0x7f291ffff6c0 conn=1007 op=0 BIND dn="" method=163
673cd53a.18c6e86a 0x7f291ffff6c0 conn=1007 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
673cd53a.18c738f8 0x7f291ffff6c0 conn=1007 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
673cd53a.18c7a651 0x7f291ffff6c0 conn=1007 op=0 RESULT tag=97 err=0 qtime=0.000011 etime=0.000096 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
673cd53a.18ca669e 0x7f291f7fe6c0 conn=1007 op=1 MOD dn="olcDatabase={0}config,cn=config"
673cd53a.18cad064 0x7f291f7fe6c0 conn=1007 op=1 MOD attr=olcSyncRepl olcMultiProvider
673cd53a.18ccd476 0x7f291f7fe6c0 olcMultiProvider: value #0: <olcMultiProvider> database is not a shadow
673cd53a.18cd967f 0x7f291f7fe6c0 conn=1007 op=1 RESULT tag=103 err=80 qtime=0.000016 etime=0.000244 text=<olcMultiProvider> database is not a shadow
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcMultiProvider> database is not a shadow
673cd53a.18cf04f5 0x7f291ffff6c0 conn=1007 op=2 UNBIND
673cd53a.18cf82ac 0x7f291ffff6c0 conn=1007 fd=12 closed
modifying entry "olcDatabase={0}config,cn=config"

673cd53a.18ed2e55 0x7f29249806c0 daemon: shutdown requested and initiated.
673cd53a.18efd198 0x7f29249806c0 slapd shutdown: waiting for 0 operations/tasks to finish
673cd53a.1957fa3d 0x7f2964f16740 slapd stopped.
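A small triage script, added here as an example and not code from the issue or from the chart, that parses slapd stats lines like the ones above (LDAP_LOGLEVEL=256) and reports every operation whose RESULT carries a non-zero err, joined with the DN and attributes of the failing MOD/ADD, so the exact init step that failed (here the olcSyncRepl/olcMultiProvider change on olcDatabase={0}config) is visible without reading the whole dump. The sample log inside it is constructed from the lines quoted in this issue.

```python
import re

# Constructed sample in the shape of the slapd stats lines quoted in this issue;
# a real run would read the pod log (kubectl logs ...) instead.
SAMPLE_LOG = """\
673cd53a.12973b47 0x7f291f7fe6c0 conn=1000 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
673cd53a.1297d68f 0x7f291f7fe6c0 conn=1000 op=1 MOD attr=olcSuffix
673cd53a.1301eb1d 0x7f291f7fe6c0 conn=1000 op=1 RESULT tag=103 err=0 qtime=0.000021 etime=0.007040 text=
673cd53a.1833d038 0x7f291ffff6c0 conn=1006 op=1 ADD dn="olcOverlay=syncprov,olcDatabase={0}config,cn=config"
673cd53a.1893717f 0x7f291ffff6c0 conn=1006 op=1 RESULT tag=105 err=0 qtime=0.000009 etime=0.006312 text=
673cd53a.18ca669e 0x7f291f7fe6c0 conn=1007 op=1 MOD dn="olcDatabase={0}config,cn=config"
673cd53a.18cad064 0x7f291f7fe6c0 conn=1007 op=1 MOD attr=olcSyncRepl olcMultiProvider
673cd53a.18cd967f 0x7f291f7fe6c0 conn=1007 op=1 RESULT tag=103 err=80 qtime=0.000016 etime=0.000244 text=<olcMultiProvider> database is not a shadow
"""

# Operation start: "conn=N op=M <TYPE> dn=..."
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (ADD|MOD|DEL|MODRDN|SRCH|BIND) dn="([^"]*)"')
# Attribute list of a MOD: "conn=N op=M MOD attr=a b c"
ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) MOD attr=(.*)$')
# Outcome of an operation: "conn=N op=M RESULT tag=T err=E ... text=..."
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+) .*?text=(.*)$')


def find_failed_ops(log_text):
    """Return one dict per operation whose RESULT line carries err != 0, joining the
    MOD/ADD and attr lines keyed on (conn, op) with the RESULT line for that pair."""
    ops = {}
    failures = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if m:
            conn, op, kind, dn = m.groups()
            ops[(conn, op)] = {"conn": conn, "op": op, "type": kind, "dn": dn, "attrs": []}
            continue
        m = ATTR_RE.search(line)
        if m:
            conn, op, attrs = m.groups()
            rec = ops.setdefault((conn, op), {"conn": conn, "op": op, "type": "MOD", "dn": "?", "attrs": []})
            rec["attrs"].extend(attrs.split())
            continue
        m = RESULT_RE.search(line)
        if m and int(m.group(4)) != 0:
            conn, op = m.group(1), m.group(2)
            rec = dict(ops.get((conn, op), {"conn": conn, "op": op, "type": "?", "dn": "?", "attrs": []}))
            rec["err"] = int(m.group(4))
            rec["text"] = m.group(5).strip()
            failures.append(rec)
    return failures


def describe(failure):
    """One-line human summary of a failed operation, e.g. for a CI or startup-probe check."""
    attrs = " ".join(failure["attrs"]) or "-"
    return (f"conn={failure['conn']} op={failure['op']} {failure['type']} "
            f"dn={failure['dn']} attrs={attrs} err={failure['err']}: {failure['text']}")


if __name__ == "__main__":
    for f in find_failed_ops(SAMPLE_LOG):
        print(describe(f))
```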
@ZeChArtiahSaher (Author)

Okay, it does seem to work with 2 replicas; however, no custom schemas are applied.


ZeChArtiahSaher commented Nov 20, 2024

Okay, honestly I just patched the init-schema container to distribute the initial schemas to all pods, because it seems that with replication and schemas only on pod 0, the subsequent pods just overwrite pod 0 with an empty config:

- name: init-schema
  image: {{ include "openldap.initSchemaImage" . }}
  imagePullPolicy: {{ .Values.initSchema.image.pullPolicy | quote }}
  command:
    - sh
    - -c
    - |
      # Copy all schema and replication configs
      cp -p -f /cm-schemas-acls/*.ldif /custom_config/
      if [ -d /cm-schemas ]; then
        echo "Copying schema files"
        cp -p -f /cm-schemas/*.ldif /custom-schemas/
      fi
      if [ -d /cm-ldifs ]; then
        echo "Copying LDIF files"
        cp -p -f /cm-ldifs/*.ldif /custom-ldifs/
      fi
      {{- if .Values.global.existingSecret }}
      sed -i -e "s/%%CONFIG_PASSWORD%%/${LDAP_CONFIG_ADMIN_PASSWORD}/g" /custom_config/*
      sed -i -e "s/%%ADMIN_PASSWORD%%/${LDAP_ADMIN_PASSWORD}/g" /custom_config/*
      {{- end }}

Runtime LDAP calls seem to replicate just fine with this; of course, upgrading has to be done more carefully.

@jp-gouin (Owner)

Hi @ZeChArtiahSaher, I don't think you are using the latest release of the chart, as this has been fixed.
Can you please update to 4.3.1?


ZeChArtiahSaher commented Nov 23, 2024

@jp-gouin I'm on 4.3.1 + in-place patches

@jp-gouin (Owner)

I'm asking because this is already implemented, see https://github.com/jp-gouin/helm-openldap/blob/master/templates/statefulset.yaml#L63
All schemas are copied and only data is replicated during startup.


ZeChArtiahSaher commented Nov 26, 2024

That's true, and I'm referring to this line:

if [ "$host" = "{{ template "openldap.fullname" . }}-0" ]

with which, in my env, for some reason I get this behavior:

  1. pod 0 spawns and gets the correct ldifs/schemas applied
  2. pod 1 spawns with no ldifs/schemas (as per the line above) and eventually starts syncing
  3. pod 0 eventually receives an empty/default DB config with no ldifs/schemas from pod 1 (my assumption)
  4. both pods now have an empty config in store (i.e. ldifs/schemas got wiped in store for the entire LDAP cluster)

I validated each stage via the ldapi socket inside the pods.

My assumption is that the newly deployed pod has greater priority due to recency? I'm not versed in syncprov.

And I'm assuming this also applies to helm upgrades. It seems to me the most reasonable thing to do is to scale to 0 first, unless one wants to risk having replication come swinging in during the upgrade if you've got, say, a few pods.


ZeChArtiahSaher commented Nov 26, 2024

It seems it might be best to load up schemas/ldifs, and even subsequent ACL mods in general, externally when replication is enabled. The docs should probably be updated on that fact.


Drumar commented Dec 16, 2024

tbh, I think it's not a schema you're trying to change. I would assume this data would appear in customLdif. That said, even if it applies, you're changing olcPasswordHash; this could be the reason replication fails in one direction. And also: you're sending an LDIF in "ldapmodify" format, is that what is used in the chart? And it does a modify; what is the behaviour of a modify on a non-existent key? Is it added? (I'm not sure here, I would have to test that out.) But I'm pretty sure the key (olcPasswordHash) does not exist by default in the LDAP server created by the stack.

One thing I noticed, which could be a nice feature update one day, would be to do the replication with another user than the admin.
