Skip to content

Feature/auth docker setup docs#12459

Open
mahesh-wor wants to merge 13 commits into
masterfrom
feature/auth-docker-setup-docs
Open

Feature/auth docker setup docs#12459
mahesh-wor wants to merge 13 commits into
masterfrom
feature/auth-docker-setup-docs

Conversation

@mahesh-wor

@mahesh-wor mahesh-wor commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

Description

Please check if the PR fulfills these requirements

What kind of change does this PR introduce? (check one with "x", remove the others)

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Docs/Setup Guide
  • Other... Please describe:

Issue

What is the current behavior?
Currently we only have setup instructions and docker compose for mapstore/postgres/proxy services.

https://github.com/geosolutions-it/DevOps/issues/1878

What is the new behavior?
This PR introduces optional docker/docker-compose.auth.yml that dev's and users can leverage to have working authentication integration for LDAP/Keycloak. Also includes sample environments and configurations.

Breaking change

Does this PR introduce a breaking change? (check one with "x", remove the other)

  • Yes, and I documented them in migration notes
  • No

Other useful information

@cla-bot cla-bot Bot added the CLA Ready label Jun 5, 2026
- Fix auth failures across ldap-direct, ldap-sync, and Keycloak login flows
- Update Jenkins build flow to support the LDAP_MODE parameter
- Align LDAP LDIFs, datadir config, sample env files, and compose settings
- Simplify LDAP and Keycloak healthchecks
- Replace sample secrets with disposable placeholder credentials
- Update docs with new requirements and setup procedure
@mahesh-wor mahesh-wor force-pushed the feature/auth-docker-setup-docs branch from 7114fa7 to 9cd7319 Compare June 9, 2026 13:55
@mahesh-wor mahesh-wor marked this pull request as draft June 10, 2026 06:53
@tdipisa tdipisa added this to the 2026.02.00 milestone Jun 22, 2026
@mahesh-wor mahesh-wor requested a review from offtherailz June 23, 2026 09:59
@mahesh-wor mahesh-wor force-pushed the feature/auth-docker-setup-docs branch from 1799b41 to cdf04bc Compare June 24, 2026 07:11
@mahesh-wor mahesh-wor marked this pull request as ready for review June 24, 2026 07:23
@mahesh-wor

Copy link
Copy Markdown
Contributor Author

hi @offtherailz i have fixed the lint issue, along with some docs and sample conf updates. It's ready to review now.

@offtherailz offtherailz left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comments inline, there are some issues.

I see a sparse management of LDAP with 3 different implementation and a default in default override --> this is a problem, remove from it

Instead we should use only one LDAP image, properly active and maintained, with only one setup.

Of couse these changes have to be properly reflected in documentation produced for configuration

I can suggest to:

  • remove acme-ldap DockerFile
  • remove ldif/02-users.ldpf on gitignore and commit it directly, removing ldif.sample
  • replace osixia with bitnami/openldap, activiely maintained
  • remove changes on docker-compose-override , use a separate override / profile for that
  • update web/src/main/resources/ldap.properties from port 10389 a 389 (standard)

Comment thread docker-compose-override.yml Outdated
Comment on lines +5 to +19
ldap:
build:
context: ./tests/acme-ldap/
image: mapstore-test/acme-ldap
profiles:
- base
healthcheck:
test: ["CMD-SHELL", "bash -c '</dev/tcp/localhost/10389'"]
interval: 5s
timeout: 5s
retries: 30
start_period: 5s
networks:
- mapstore-network

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the stanard override file one. Start always mapstore with LDAP. This is not the base scenario.
Base is mapstore with DB. Then an override allows ldap and another overrided allows keycloak
This and the service_healthy on ldap imposes that the ldap is present on every installation. Please add an override file to apply in cascade, with another name, and remove these changes

@mahesh-wor mahesh-wor Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

introduced tests/docker-compose-tests.yml. So docker-compose-override.yml is untouched for now. If the docker-compose-override.yml is only used for tests we can move it and later use it for meaningful use orther then just running test.
we don't know rn so just overriding currently.

Endpoint tests adds in new compose and will work this way now
docker compose --profile test -f docker-compose.yml -f docker-compose-override.yml -f tests/docker-compose-tests.yml up --build --exit-code-from sut

Comment thread docker-compose.yml Outdated
interval: 5s
timeout: 10s
retries: 120
platform: linux/amd64

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fixes problems probably on mac, but can be a problem, should be removed

Comment thread docker-compose-override.yml Outdated
Comment on lines +36 to +37
ldap:
condition: service_healthy

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in specific ldap override

Comment thread docker-compose-override.yml Outdated
condition: service_healthy
volumes:
- ./tests/geostore-datasource-ovr.properties:/mapstore/datadir/geostore-datasource-ovr.properties:rw
- ./tests/ldap.properties:/mapstore/datadir/ldap.properties:rw

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in specific ldap override

@@ -0,0 +1,4 @@
FROM osixia/openldap:1.5.0

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

osixia/openldap is unmaintained

Alternatives:

  • bitnami/openldap similar API
  • gh.io/nitnelave/lldap light, web UI

We are using 3 different LDAP alternatives...

  • acme
  • osixia/openldap
  • geosolutions-it/openldap

I'd suggest to use only one implemntation, probably based to a maintained one.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bitnami/openldap is private only, there seems an option to use bitnamilegacy/openldap but it's again legacy and no better than osixia/openldap. osixia/openldap does have v2 but it's in beta.

Writing a custom Dockerfile and init script for building image from scratch might be too much here. Maybe a seperate geosolutions-it/openldap would be nice, if we plan to use dockerized ldap setups.

For now i kept is the same.

@offtherailz offtherailz assigned mahesh-wor and unassigned offtherailz Jul 2, 2026
@offtherailz

Copy link
Copy Markdown
Member

Please @mahesh-wor look at my comments

@mahesh-wor

Copy link
Copy Markdown
Contributor Author

Thank you @offtherailz i will check it and update you.

@mahesh-wor mahesh-wor force-pushed the feature/auth-docker-setup-docs branch from f8a1dcf to 648fadb Compare July 3, 2026 15:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants