
HPCC-26455 Make ldapAddress part of LDAP config

Make LDAP Server IP Address part of the LDAP config

Signed-off-by: Russ Whitehead <william.whitehead@lexisnexisrisk.com>
Russ Whitehead 3 years ago
parent
commit
7b15690a4c

+ 1 - 6
dali/server/daserver.cpp

@@ -407,10 +407,6 @@ static IPropertyTree * getContainerLDAPConfiguration(const IPropertyTree *appCon
         throw makeStringExceptionV(-1, "Unrecognized auth method specified, (auth: %s)", authMethod);
     }
 
-    const char *ldapAddress = appConfig->queryProp("@ldapAddress");
-    if (isEmptyString(ldapAddress))
-        throw makeStringException(-1, "LDAP not configured (missing 'ldapAddress').  To run without security set 'auth: none'");
-
     //Get default LDAP attributes from ldap.yaml
     StringBuffer ldapDefaultsFile(hpccBuildInfo.componentDir);
     char sepchar = getPathSepChar(ldapDefaultsFile.str());
@@ -424,8 +420,7 @@ static IPropertyTree * getContainerLDAPConfiguration(const IPropertyTree *appCon
 
     //Build merged configuration
     Owned<IPropertyTree> mergedConfig = defaults->getPropTree("ldap");
-    mergePTree(mergedConfig, appConfig->queryPropTree("ldap"));//overlay defaults with config settings
-    mergedConfig->addProp("@ldapAddress", ldapAddress);
+    mergeConfiguration(*mergedConfig, *appConfig->queryPropTree("ldap"));
 
     return LINK(mergedConfig);
 }
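Review bot: The new `mergeConfiguration(*mergedConfig, *appConfig->queryPropTree("ldap"));` in the second hunk dereferences the result of queryPropTree with no null check, so an app config with `auth: ldap` but no `ldap:` section is undefined behaviour (at best a crash) instead of the configuration error it used to be; whether the old mergePTree call tolerated a null second argument is not visible here, but `*` on a null pointer never is. The first hunk also removes the only check that `ldapAddress` is present, and unlike addLdapSecurity in application_config.cpp (which gained a `hasProp("@ldapAddress")` test in this same commit) this function now has no equivalent, so a missing address is only reported wherever the merged tree is later consumed. I would fetch the subtree once, validate it, then merge. getContainerLDAPConfiguration starts before the first hunk.
```cpp
    //Build merged configuration
    Owned<IPropertyTree> mergedConfig = defaults->getPropTree("ldap");
    IPropertyTree *appLdap = appConfig->queryPropTree("ldap");
    if (!appLdap || isEmptyString(appLdap->queryProp("@ldapAddress")))
        throw makeStringException(-1, "LDAP not configured (missing 'ldapAddress').  To run without security set 'auth: none'");
    mergeConfiguration(*mergedConfig, *appLdap);
```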

+ 1 - 0
esp/applications/common/ldap/ldap.yaml

@@ -1,4 +1,5 @@
 ldap:
+  #ldapAddress: "myldapserver"
   serverType: ActiveDirectory
   description: LDAP server process
   ldapProtocol: ldaps

+ 10 - 12
esp/platform/application_config.cpp

@@ -91,10 +91,6 @@ static void copyDirectories(IPropertyTree *target, IPropertyTree *src)
 
 bool addLdapSecurity(IPropertyTree *legacyEsp, IPropertyTree *appEsp, StringBuffer &bindAuth, LdapType ldapType)
 {
-    const char *ldapAddress = appEsp->queryProp("@ldapAddress");
-    if (isEmptyString(ldapAddress))
-        throw MakeStringException(-1, "LDAP not configured.  To run without security set auth=none");
-
     StringBuffer path(hpccBuildInfo.componentDir);
     char sepchar = getPathSepChar(hpccBuildInfo.componentDir);
     addPathSepChar(path, sepchar).append("applications").append(sepchar).append("common").append(sepchar).append("ldap").append(sepchar).append("ldap.yaml");
@@ -103,11 +99,13 @@ bool addLdapSecurity(IPropertyTree *legacyEsp, IPropertyTree *appEsp, StringBuff
 
     IPropertyTree *appLdap = appEsp->queryPropTree("ldap");
     if (!appLdap)
-        throw MakeStringException(-1, "Can't find application LDAP settings.  To run without security set auth=none");
+        throw MakeStringException(-1, "Can't find application LDAP settings.  To run without security set 'auth: none'");
+
+    if (!appLdap->hasProp("@ldapAddress"))
+        throw MakeStringException(-1, "LDAP not configured (Missing 'ldapAddress').  To run without security set 'auth: none'");
 
     IPropertyTree *legacyLdap = legacyEsp->addPropTree("ldapSecurity");
     copyAttributes(legacyLdap, appLdap);
-    legacyLdap->setProp("@ldapAddress", ldapAddress);
 
     StringAttr configname(appLdap->queryProp("@objname"));
     if (!legacyLdap->hasProp("@name"))
@@ -126,20 +124,20 @@ bool addAuthNZSecurity(const char *name, IPropertyTree *legacyEsp, IPropertyTree
 {
     IPropertyTree *authNZ = appEsp->queryPropTree("authNZ");
     if (!authNZ)
-        throw MakeStringException(-1, "Can't find application AuthNZ section.  To run without security set auth=none");
+        throw MakeStringException(-1, "Can't find application AuthNZ section.  To run without security set 'auth: none'");
     authNZ = authNZ->queryPropTree(name);
     if (!authNZ)
-        throw MakeStringException(-1, "Can't find application %s AuthNZ settings.  To run without security set auth=none", name);
+        throw MakeStringException(-1, "Can't find application %s AuthNZ settings.  To run without security set 'auth: none'", name);
     IPropertyTree *appSecMgr = authNZ->queryPropTree("SecurityManager");
     if (!appSecMgr)
     {
         const char *application = appEsp->queryProp("@application");
-        throw MakeStringException(-1, "Can't find SecurityManager settings configuring application '%s'.  To run without security set auth=none", application ? application : "");
+        throw MakeStringException(-1, "Can't find SecurityManager settings configuring application '%s'.  To run without security set 'auth: none'", application ? application : "");
     }
     const char *method = appSecMgr->queryProp("@name");
     const char *tag = appSecMgr->queryProp("@type");
     if (isEmptyString(tag))
-        throw MakeStringException(-1, "SecurityManager type attribute required.  To run without security set auth=none");
+        throw MakeStringException(-1, "SecurityManager type attribute required.  To run without security set 'auth: none'");
 
     legacyEsp->addPropTree("AuthDomains", createPTreeFromXMLString("<AuthDomains><AuthDomain authType='AuthPerRequestOnly' clientSessionTimeoutMinutes='120' domainName='default' invalidURLsAfterAuth='/esp/login' loginLogoURL='/esp/files/eclwatch/img/Loginlogo.png' logonURL='/esp/files/Login.html' logoutURL='' serverSessionTimeoutMinutes='240' unrestrictedResources='/favicon.ico,/esp/files/*,/esp/xslt/*'/></AuthDomains>"));
 
@@ -159,7 +157,7 @@ bool addSecurity(IPropertyTree *legacyEsp, IPropertyTree *appEsp, StringBuffer &
 {
     const char *auth = appEsp->queryProp("@auth");
     if (isEmptyString(auth))
-        throw MakeStringException(-1, "'auth' attribute required.  To run without security set 'auth=none'");
+        throw MakeStringException(-1, "'auth' attribute required.  To run without security set ''auth: none''");
     if (streq(auth, "none"))
         return false;
     if (streq(auth, "ldap"))
@@ -186,7 +184,7 @@ void bindAuthResources(IPropertyTree *legacyAuthenticate, IPropertyTree *app, co
             return;
     }
     if (!appAuth)
-        throw MakeStringException(-1, "Can't find application Auth settings.  To run without security set auth=none");
+        throw MakeStringException(-1, "Can't find application Auth settings.  To run without security set 'auth: none'");
     IPropertyTree *root_access = appAuth->queryPropTree("root_access");
     StringAttr required(root_access->queryProp("@required"));
     StringAttr description(root_access->queryProp("@description"));
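Review bot: The new `if (!appLdap->hasProp("@ldapAddress"))` in the addLdapSecurity hunk only checks that the attribute exists, whereas the check it replaces used isEmptyString, so `ldapAddress: ""` now passes validation and an empty address is presumably carried into legacyLdap by copyAttributes (the explicit `setProp("@ldapAddress", ...)` that used to follow is gone, so copyAttributes is the only path left); I would write `if (isEmptyString(appLdap->queryProp("@ldapAddress")))` to keep the old strictness. Separately, the message in the addSecurity hunk reads `set ''auth: none''` with doubled quotes, unlike every other message changed in this commit, which use `'auth: none'`. Both addLdapSecurity and bindAuthResources continue past the end of their hunks.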

+ 11 - 13
helm/examples/ldap/README.md

@@ -10,7 +10,7 @@ Note that the LDAP Administrator account performs AD directory searches and modi
 ### Create the k8s secret
    From the CLI, create the LDAP "secret" similar to the following.
    Make note of the secret name, "myk8sldapadmincreds" in this example.
-   The "username" and "password" key/values are required; additional properties are allowed but ignored.
+   The LDAP Administrator "username" and "password" key/values are required; additional properties are allowed but ignored.
 
 ```bash
    kubectl create secret generic myk8sldapadmincreds --from-literal=username=hpcc_admin --from-literal=password=t0pS3cr3tP@ssw0rd
@@ -19,29 +19,28 @@ Note that the LDAP Administrator account performs AD directory searches and modi
 For more details on how to create secrets, see the "secrets" examples in the "HPCC-Platform\helm\examples\secrets" folder.
 
 ### Deploy the k8s secret to the ECLWatch container
-   Modify the HPCC-Platform\helm\hpcc\values.yaml's "secrets:" category as follows.
-   Create a unique key name used to reference the secret, and set it to the secret value ("myk8sldapadmincreds") that you created above. In this example we give the key the name "ldapadminkey," and define an additional alternate one "ldapalternateadminkey" which could be used with another Active Directory server.
-   Note that the "ldapadminkey" key/value pair already exists as a default in the values.yaml file, and the key is referenced in the component's ldap.yaml file.  You may change these and add additional key/values as needed.
+   Override the HPCC-Platform\helm\hpcc\values.yaml's "secrets:" category as follows.
+   Create a unique key name used to reference the secret, and set it to the secret value ("myk8sldapadmincreds") that you created above. In this example we give the key the name "ldapadmincredskey," and optionally define an additional alternate one "ldapalternateadminkey" which could be used with another Active Directory server.
+   Note that the "ldapadmincredskey" key/value pair already exists as a default in the values.yaml file, and the key is referenced in the component's ldap.yaml file.  You may override these and add additional key/values as needed.
 
 ```bash
    secrets:
      authn:
-       ldapadminkey: "myk8sldapadmincreds"
+       ldapadmincredskey: "myk8sldapadmincreds"
        ldapalternateadminkey: "myk8sldapalternateadmincreds"
 ```
 
 ### Enable LDAP and reference the k8s secret key
-   In the HPCC-Platform\esp\applications\common\ldap\ldap.yaml (or azure_ldap.yaml) file, the "ldapAdminSecretKey" is already set to the key name created above. To enable LDAP authentication and to override this value if you don't want to use the default name, modify the ESP/ECLWatch helm component located in values.yaml as follows.
+   In the HPCC-Platform\esp\applications\common\ldap\ldap.yaml file, the "ldapAdminSecretKey" is already set to the key name created above. To enable LDAP authentication and to override this value, override the ESP/ECLWatch helm component located in values.yaml as follows.
 
 ```bash
 esp:
 - name: eclwatch
   application: eclwatch
   auth: ldap
-  ldapAddress: "127.0.0.1"
   ldap:
-    ldapAdminSecretKey: "ldapadminkey"
-    servertype: "ActiveDirectory"
+    ldapAddress: "myldapserver"
+    ldapAdminSecretKey: "ldapalternateadminkey"
 ```
 
 --------------------------------------------------------------------------------------------------------
@@ -50,8 +49,8 @@ esp:
 ### Create the vault secret
    From the CLI, create the LDAP vault "secret" similar to the following.
    Make note of the secret name, "myvaultadmincreds" in this example.
-   The "username" and "password" key/values are required, additional properties are allowed but ignored.
-   Make sure the secret name is specified with the "secret/authn/" prefix
+   The LDAP Administrator "username" and "password" key/values are required; additional properties are allowed but ignored.
+   Make sure the secret name is specified with the "secret/authn/" prefix.
 
 ```bash
    vault kv put secret/authn/myvaultadmincreds username=hpcc_admin password=t0pS3cr3tP@ssw0rd
@@ -78,9 +77,8 @@ esp:
 - name: eclwatch
   application: eclwatch
   auth: ldap
-  ldapAddress: "127.0.0.1"
   ldap:
+    ldapAddress: "myldapserver"
     ldapAdminSecretKey: "myvaultadmincreds"
     ldapAdminVaultId: "my-authn-vault"
-    servertype: "ActiveDirectory"
 ```

+ 5 - 0
helm/hpcc/values.schema.json

@@ -598,8 +598,13 @@
     },
     "ldap": {
       "type": "object",
+      "required": [ "ldapAddress" ],
       "additionalProperties": { "type": ["integer", "string", "boolean"] },
       "properties": {
+        "ldapAddress": {
+          "type": "string",
+          "description": "LDAP Server IP address(es), comma separated"
+        },
         "ldapProtocol": {
           "type": "string",
           "description": "The protocol to use - standard \"LDAP\" or secure \"LDAPS\" over SSL"
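Review bot: The description on the new `ldapAddress` property says "LDAP Server IP address(es)", but the README examples and the ldap.yaml comment added in this same commit use a hostname (`"myldapserver"`), and with the default `ldapProtocol: ldaps` a hostname is also what TLS hostname verification would normally be matched against; if hostnames are accepted, as the examples suggest, I would describe it as `"description": "LDAP server address(es), hostname or IP, comma separated"`. Making `ldapAddress` required inside `ldap` also means a values file with `auth: none` that still carries an `ldap:` block without it now fails schema validation, which may be intended but deserves a sentence in the README.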