Skip to content

LLDAP read-only snapshot endpoint + Go account-sync SDK#28

Merged
hysyeah merged 5 commits into
mainfrom
feat/lldap-go-sync-sdk
Jun 4, 2026
Merged

LLDAP read-only snapshot endpoint + Go account-sync SDK#28
hysyeah merged 5 commits into
mainfrom
feat/lldap-go-sync-sdk

Conversation

@pengpeng

@pengpeng pengpeng commented May 30, 2026
edited
Loading

Copy link
Copy Markdown
Member

Summary

Adds a way for Olares apps (e.g. files) to consume LLDAP accounts without watching the K8s User CRD, by pairing a new unauthenticated read-only snapshot endpoint on LLDAP with a small Go SDK that reconciles against it.

  • Server: opt-in GET /readonly/snapshot on a separate listener (LLDAP_HTTP_READONLY_PORT), no auth (access is network-gated). JSON mirrors the GraphQL snapshot of users and groups, including their attributes, with an optional attribute denylist (LLDAP_HTTP_READONLY_DENY_ATTRIBUTES) and generic 500s so internals never leak.
  • Go SDK (clients/go): reconciles against that endpoint and consumes Olares' os.users / os.groups NATS JetStream events as triggers, delivering diffs (users, groups, memberships, attributes) to one idempotent OnChanges handler. User.IsAdmin() reports lldap_admin membership. Ships an example consumer and unit + smoke tests.
  • Dev stack (clients/dev): persistent lldap + nats + postgres compose stack plus lldapctl.sh for CRUD that also publishes the NATS triggers (simulating app-service). Defaults to the branch test image with avatar denylisted from the snapshot.
  • CI: a temporary workflow publishing a multi-arch beclab/lldap:go-sync-sdk-dev image so the dev stack works out of the box until the read-only port ships in a tagged release.

Notes / current limitations

  • Events are pure triggers; the snapshot is the source of truth, so any payload schema is tolerated. A periodic resync is the safety net.
  • Owner vs admin cannot yet be distinguished (both map to lldap_admin; the role lives only in the K8s User CR).
  • The first commit (fix(test)) repairs a pre-existing cargo test compile break independent of this feature.

Test plan

  • cargo test for the read-only server (DTO mapping + denylist filtering, incl. group attributes)
  • go build / go vet / gofmt -l / go test ./... in clients/go
  • End-to-end docker-compose smoke test (mutate via GraphQL, publish NATS trigger, SDK reconciles)

@pengpeng pengpeng force-pushed the feat/lldap-go-sync-sdk branch 3 times, most recently from d67080a to 5cede5f Compare May 30, 2026 15:32
@pengpeng pengpeng changed the title feat: event-driven LLDAP account sync (NATS + Go SDK) LLDAP read-only snapshot endpoint + Go account-sync SDK May 30, 2026
@pengpeng pengpeng marked this pull request as ready for review May 30, 2026 15:33
pengpeng and others added 5 commits May 31, 2026 13:19
@pengpeng @cursoragent
fix(test): repair pre-existing cargo test build
aea91c1 
The mocks for OpaqueHandler/BackendHandler were missing the
registration_password method, and two test-only User initializers were
missing the user_index/initialized fields, so `cargo test` failed to
compile even before this branch's changes. Add the missing pieces so the
test target builds.

Co-authored-by: Cursor <cursoragent@cursor.com>
@pengpeng @cursoragent
feat(server): add opt-in unauthenticated read-only snapshot endpoint
0ea5f3a 
Serve GET /readonly/snapshot on a separate, opt-in HTTP listener
(LLDAP_HTTP_READONLY_PORT) with no authentication, so a network-gated
consumer (the Go SDK) can fetch a full users/groups snapshot whose JSON
mirrors the GraphQL shape. User and group attributes are both exposed,
filtered by an optional denylist (LLDAP_HTTP_READONLY_DENY_ATTRIBUTES);
errors return a generic 500 to avoid leaking internals. Document the new
options in the config template.

Co-authored-by: Cursor <cursoragent@cursor.com>
@pengpeng @cursoragent
feat(sdk): add Go SDK for event-driven LLDAP account sync
440458d 
Add a Go client that reconciles against LLDAP's read-only snapshot
endpoint and consumes Olares' os.users / os.groups NATS triggers,
delivering diffs (users, groups, memberships, and their attributes) to an
idempotent OnChanges handler. User.IsAdmin() reports lldap_admin
membership; ships with an example consumer and unit/smoke tests.

Co-authored-by: Cursor <cursoragent@cursor.com>
@pengpeng @cursoragent
chore(dev): add local LLDAP dev stack and lldapctl helper
457fac5 
A persistent lldap + nats (JetStream) + postgres compose stack so apps can
develop against LLDAP locally, plus lldapctl.sh for user/group CRUD that
also publishes os.users / os.groups NATS triggers (simulating
app-service). Default to the go-sync-sdk-dev branch image so the read-only
port works out of the box, with avatar denylisted from the snapshot.

Co-authored-by: Cursor <cursoragent@cursor.com>
@pengpeng @cursoragent
ci: publish a temporary dev test image for this branch
fcb6862 
Build and push a multi-arch beclab/lldap:go-sync-sdk-dev image on pushes
to this branch so the dev stack can pull an image that already has the
read-only snapshot port. Remove once the port ships in a tagged release.

Co-authored-by: Cursor <cursoragent@cursor.com>
@pengpeng pengpeng force-pushed the feat/lldap-go-sync-sdk branch from 5cede5f to fcb6862 Compare May 31, 2026 05:19
@hysyeah hysyeah merged commit fcc9ab5 into main Jun 4, 2026
3 checks passed
@hysyeah hysyeah mentioned this pull request Jun 5, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pengpeng @hysyeah