From 62bebc0838c1f295839a32887eea66246d78b8b3 Mon Sep 17 00:00:00 2001
From: "Jason C. Nucciarone"
Date: Mon, 16 Dec 2024 23:43:01 -0500
Subject: [PATCH] feat: add `anonymousdse_enabled` config option

`anonymousdse` must be enabled for applications like SSSD to successfully bind to the Glauth server, but it's recommended to keep off if not using applications that need to anonymously query the root DSE.

Signed-off-by: Jason C. Nucciarone
---
 charmcraft.yaml         | 10 ++++++++++
 src/charm.py            |  2 ++
 src/configs.py          |  2 ++
 templates/glauth.cfg.j2 |  1 +
 4 files changed, 15 insertions(+)

diff --git a/charmcraft.yaml b/charmcraft.yaml
index 0b6e10cf..32645b5b 100644
--- a/charmcraft.yaml
+++ b/charmcraft.yaml
@@ -87,6 +87,16 @@ config:
         Enable the StartTLS support or not. DO NOT TURN IT OFF IN PRODUCTION.
       default: true
       type: boolean
+    anonymousdse_enabled:
+      description: |
+        Allow anonymous requests to the root directory server agent service entry (root DSE).
+
+        Anonymous request MUST be enabled for applications like SSSD to
+        successfully bind to the Glauth server. Anonymous requests should
+        be disabled if not integrating with applications that must first
+        anonymously query the root DSE before binding to an LDAP server.
+      default: false
+      type: boolean
 
 base: ubuntu@22.04
 
diff --git a/src/charm.py b/src/charm.py
index 7a9aa20e..f7590e0a 100755
--- a/src/charm.py
+++ b/src/charm.py
@@ -150,6 +150,7 @@ def __init__(self, *args: Any):
 
         self.config_file = ConfigFile(
             base_dn=self.config.get("base_dn"),
+            anonymousdse_enabled=self.config.get("anonymousdse_enabled"),
             starttls_config=StartTLSConfig.load(self.config),
         )
         self._ldap_integration = LdapIntegration(self)
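Review bot: The option description has a number mismatch in its second paragraph, `Anonymous request MUST be enabled` should read `Anonymous requests MUST be enabled`, and its first sentence names the mechanism without saying what an operator gives up by turning it on. Opening with `Allow unauthenticated (anonymous) searches of the root DSE, which typically exposes server capabilities such as naming contexts and supported controls.` lets an operator weigh that before flipping the flag. Keeping `default: false` is the right conservative choice and should stay as is.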
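Review bot: `self.config.get("anonymousdse_enabled")` is handed straight to a `ConfigFile` field declared `bool = False`, so a missing key would store `None` instead of a bool; the same pattern appears in the `_on_config_changed` hunk at -237. Because charmcraft.yaml declares the option with `type: boolean` and a default, the key should always be present, so this is a typing nit rather than a defect, but `anonymousdse_enabled=bool(self.config.get("anonymousdse_enabled", False)),` here and the matching `bool(...)` in `_on_config_changed` keep the dataclass honest and make the fail-closed intent explicit. `__init__` continues outside the hunk.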
@@ -237,6 +238,7 @@ def _on_database_changed(self, event: DatabaseEndpointsChangedEvent) -> None:
 
     def _on_config_changed(self, event: ConfigChangedEvent) -> None:
         self.config_file.base_dn = self.config.get("base_dn")
+        self.config_file.anonymousdse_enabled = self.config.get("anonymousdse_enabled")
         self._handle_event_update(event)
 
         self.ldap_provider.update_relations_app_data(self._ldap_integration.provider_base_data)
diff --git a/src/configs.py b/src/configs.py
index e674e3fb..3aba9b28 100644
--- a/src/configs.py
+++ b/src/configs.py
@@ -78,6 +78,7 @@ def load(cls, config: Mapping[str, Any]) -> "StartTLSConfig":
 @dataclass
 class ConfigFile:
     base_dn: Optional[str] = None
+    anonymousdse_enabled: bool = False
     database_config: Optional[DatabaseConfig] = None
     starttls_config: Optional[StartTLSConfig] = None
     ldap_servers_config: Optional[LdapServerConfig] = None
@@ -95,6 +96,7 @@ def render(self) -> str:
         starttls_config = asdict(self.starttls_config) if self.starttls_config else None
         rendered = template.render(
             base_dn=self.base_dn,
+            anonymousdse_enabled=self.anonymousdse_enabled,
             database=database_config,
             ldap_servers=ldap_servers_config,
             starttls=starttls_config,
diff --git a/templates/glauth.cfg.j2 b/templates/glauth.cfg.j2
index 0aa23e5c..b0bf273a 100644
--- a/templates/glauth.cfg.j2
+++ b/templates/glauth.cfg.j2
@@ -24,6 +24,7 @@ structuredlog = true
   pluginhandler = "NewPostgresHandler"
   baseDN = "{{ base_dn }}"
   database = "postgres://{{ database.get('username') }}:{{ database.get('password') }}@{{ database.get('endpoint') }}/{{ database.get('database') }}?sslmode=disable"
+  anonymousdse = {{ "true" if anonymousdse_enabled else "false" }}
 {% endif %}
 
 [behaviors]
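Review bot: The new `anonymousdse_enabled` field in `ConfigFile` carries no comment, and unlike the neighbouring fields its name alone does not say which rendered setting it drives or why the default is off. A trailing comment such as `# Rendered as GLAuth's anonymousdse; False denies unauthenticated root DSE reads, enable only for clients such as SSSD that need them` would tell the next maintainer what flipping it exposes. `class ConfigFile` continues past the hunk.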
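Review bot: The new `anonymousdse` line is emitted inside the `{% if %}` branch that also writes the postgres `pluginhandler`, `baseDN` and `database` keys, and that branch opens above the hunk; if the template has any other backend branch, the operator's `anonymousdse_enabled` choice would not be written there and GLAuth would silently fall back to its own default. If that is the case, hoisting the line out of the conditional (or emitting it in every branch) keeps the rendered file faithful to the charm config. Rendering an unset or `None` value as `false` is the right failure direction, since anonymous root DSE reads then stay disabled.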