Kuaqe
LLLDAP
•Created by Kuaqe on 11/12/2024 in #troubleshooting
Kuaqe - Hey, am setting up the LLDAP docker con...
got it
48 replies
sure, will do sometime tomorrow
congrats on the project so far, and good luck!
Yep, that's a start for sure.
but significantly reduce the pain on most
make it a touch more painful (in the form of errors)
then I guess this is the most neutral route
I see
Considering most people use lldap in smaller-scale environments, I don't think most of us are too restrictive on file permissions (from what I've seen).
You might want to confirm this first, though
I think considering all possible scenarios such as this one might hamper the ease of setup aspect that lldap has going on
Yeah, perhaps print out the JWT in the error log and just tell them to copy it over or something.
hmmm
Fair enough, I hate doing UI too.
Understand the admin password part too, so then it can just be a hard error if the password is "password", like you mentioned.
About the JWT secret part, do you think it's better to have something like LLDAP_JWT_SECRET_AUTO=true/false
LLDAP_JWT_SECRET_LENGTH=xx  # above 32 chars
LLDAP_JWT_SECRET=<secret>  # only used if the first var is false; still needs to be 32 chars
and/or their .toml counterparts in the config?
Off the top of my head, I think there are two approaches, from what I've seen in the other services I've deployed:
1. If the admin user is default -> set up the admin user on the first login to the web interface (initially insecure, but user friendly)
2. Do something similar to the above, but across all platforms. If the .toml file passes certain tests, such as:
- Admin password is at least 8 characters long, has a mix of upper/lower, special characters, etc.
- JWT secret is at least 32 characters long and satisfies the above conditions; moreover, it should NOT match those in a lightweight dictionary (to avoid predictable secrets)
...(likewise for other necessary parameters)
...then flip a boolean in the program/database (this config is "verified", so these tests don't have to be done again on reboot). Also save the hash of the config file;
every time the config file changes (hash differs) -> run internal tests again.
I might be over-engineering this part, but I think something like this would be sufficient. After all, it is the deployer's responsibility to make sure they do a decent job at the end of the day.
However, I do agree that doing things this way is better, i.e. forcing the container (in Docker's case) into a restart loop and highlighting the lack of a good JWT secret and/or admin password in docker logs.
Hi! So I did find the admin password's behavior based on what was given in the default lldap_config.toml template and a bit of my own thinking.
Sure! No worries, just making sure it doesn't happen to anyone else.
About this ^: hope this gets into the next "big" merge, because I was thinking it's too small to PR.
Stupid question, stupider solution, sigh.
Persisting the /data folder means the admin does not get a password if you start the Docker container without the LLDAP_LDAP_USER_PASS env variable (which a lot of people might do, since it's not listed in the sample docker compose),
so I had to delete the users.db and recreate it for the admin login to work.
Please add this to the "I can't log in!" section or add the env variable to the docker compose example. Thanks!
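Added example, not lldap's own code and not written by anyone in this thread: a startup check in Rust (lldap's language) that does what the thread converges on, refusing to start when the admin password is the default "password" or otherwise weak, or when the JWT secret is shorter than 32 characters, sits in a small weak-value dictionary, or has almost no entropy. A non-zero exit under a Docker restart policy gives the restart loop the thread describes, with the reasons in `docker logs`. The environment variable names LLDAP_LDAP_USER_PASS and LLDAP_JWT_SECRET are the ones mentioned in the thread; every function and type name, the length thresholds, the three-of-four character-class rule, the distinct-character heuristic and the weak-value list are assumptions made for this example.

```rust
// Added example (hypothetical names): startup validation of lldap-style
// secrets. An empty environment variable (the "started without
// LLDAP_LDAP_USER_PASS" case) fails every check instead of silently
// falling back to a default.
use std::collections::HashSet;
use std::process;

/// Minimum lengths discussed in the thread, assumed here as hard limits.
pub const MIN_ADMIN_PASSWORD_LEN: usize = 8;
pub const MIN_JWT_SECRET_LEN: usize = 32;

/// Constructed "lightweight dictionary" of predictable values; a real
/// check would load a longer list from disk.
const WEAK_VALUES: &[&str] = &["password", "admin", "secret", "changeme", "REPLACE_WITH_PASSWORD"];

#[derive(Debug, PartialEq, Eq)]
pub enum SecretProblem {
    AdminPasswordTooShort(usize),
    AdminPasswordLacksMix,
    AdminPasswordInDictionary,
    JwtSecretTooShort(usize),
    JwtSecretLacksMix,
    JwtSecretInDictionary,
    JwtSecretLowEntropy(usize),
}

/// "Mix of upper/lower, special characters etc": assumed rule is at least
/// three of the four classes (upper, lower, digit, other).
fn has_character_mix(s: &str) -> bool {
    let classes = [
        s.chars().any(|c| c.is_uppercase()),
        s.chars().any(|c| c.is_lowercase()),
        s.chars().any(|c| c.is_ascii_digit()),
        s.chars().any(|c| !c.is_alphanumeric()),
    ];
    classes.iter().filter(|&&present| present).count() >= 3
}

/// Case-insensitive lookup in the constructed dictionary.
fn in_dictionary(s: &str) -> bool {
    let lowered = s.to_lowercase();
    WEAK_VALUES.iter().any(|w| w.to_lowercase() == lowered)
}

/// Distinct-character count: a cheap proxy that rejects values such as
/// 32 copies of "a", which pass the length test but carry no entropy.
fn distinct_chars(s: &str) -> usize {
    s.chars().collect::<HashSet<char>>().len()
}

/// Run every check and return all problems found, so the log names each one.
pub fn validate_secrets(admin_password: &str, jwt_secret: &str) -> Vec<SecretProblem> {
    let mut problems = Vec::new();

    let pw_len = admin_password.chars().count();
    if pw_len < MIN_ADMIN_PASSWORD_LEN {
        problems.push(SecretProblem::AdminPasswordTooShort(pw_len));
    }
    if !has_character_mix(admin_password) {
        problems.push(SecretProblem::AdminPasswordLacksMix);
    }
    if in_dictionary(admin_password) {
        problems.push(SecretProblem::AdminPasswordInDictionary);
    }

    let jwt_len = jwt_secret.chars().count();
    if jwt_len < MIN_JWT_SECRET_LEN {
        problems.push(SecretProblem::JwtSecretTooShort(jwt_len));
    }
    if !has_character_mix(jwt_secret) {
        problems.push(SecretProblem::JwtSecretLacksMix);
    }
    if in_dictionary(jwt_secret) {
        problems.push(SecretProblem::JwtSecretInDictionary);
    }
    // Assumed threshold: fewer than 8 distinct characters counts as low entropy.
    let distinct = distinct_chars(jwt_secret);
    if distinct < 8 {
        problems.push(SecretProblem::JwtSecretLowEntropy(distinct));
    }
    problems
}

fn main() {
    let admin = std::env::var("LLDAP_LDAP_USER_PASS").unwrap_or_default();
    let jwt = std::env::var("LLDAP_JWT_SECRET").unwrap_or_default();

    let problems = validate_secrets(&admin, &jwt);
    if problems.is_empty() {
        println!("admin password and JWT secret pass startup checks");
        return;
    }
    for p in &problems {
        eprintln!("refusing to start: {:?}", p);
    }
    // Non-zero exit: under `restart: unless-stopped` Docker loops the
    // container and the reasons above show up in `docker logs`.
    process::exit(1);
}
```

Running it with `LLDAP_LDAP_USER_PASS=password LLDAP_JWT_SECRET=secret` prints one line per failed check and exits 1; with an empty environment it fails in the same way, which is the behaviour the thread asks for instead of a silently unusable admin account.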