stackabletech · siegfriedweber · Oct 17, 2025 · Oct 16, 2025
diff --git a/tests/templates/kuttl/ldap/10-install-openldap.yaml b/tests/templates/kuttl/ldap/10-install-openldap.yaml
@@ -18,18 +18,42 @@ spec:
     spec:
       containers:
         - name: openldap
-          image: bitnamilegacy/openldap:2.5
+          image: bitnamilegacy/openldap:2.6
           env:
+            # LDAP baseDN of the LDAP tree
+            - name: LDAP_ROOT
+              value: dc=stackable,dc=tech
+            # LDAP database admin user
             - name: LDAP_ADMIN_USERNAME
               value: admin
+            # LDAP database admin password
             - name: LDAP_ADMIN_PASSWORD
               value: admin
+            # Comma separated list of LDAP users to create in the default LDAP tree
+            - name: LDAP_USERS
+              value: integrationtest
+            # Comma separated list of passwords to use for LDAP users
+            - name: LDAP_PASSWORDS
+              value: integrationtest
+            # Name for the user's organizational unit
+            - name: LDAP_USER_OU
+              value: users
+            # Name for the group's organizational unit
+            - name: LDAP_GROUP_OU
+              value: groups
+            # Group used to group created users
+            - name: LDAP_GROUP
+              value: testgroup
+            # Whether to enable TLS for traffic or not
             - name: LDAP_ENABLE_TLS
               value: "yes"
+            # File containing the certificate file for the TLS traffic
             - name: LDAP_TLS_CERT_FILE
               value: /tls/tls.crt
+            # File containing the key for certificate
             - name: LDAP_TLS_KEY_FILE
               value: /tls/tls.key
+            # File containing the CA of the certificate
             - name: LDAP_TLS_CA_FILE
               value: /tls/ca.crt
           ports:

diff --git a/tests/templates/kuttl/ldap/11-assert.yaml b/tests/templates/kuttl/ldap/11-assert.yaml
diff --git a/tests/templates/kuttl/ldap/11-create-ldap-user.yaml b/tests/templates/kuttl/ldap/11-create-ldap-user.yaml
diff --git a/tests/templates/kuttl/ldap/20_opensearch-security-config.yaml.j2 b/tests/templates/kuttl/ldap/20_opensearch-security-config.yaml.j2
@@ -34,6 +34,17 @@ stringData:
     config:
       dynamic:
         authc:
+          # Allow internal authentication for debugging purposes, so that OpenSearch Dashboards can
+          # be used which uses the internal user kibanaserver.
+          internal_auth:
+            order: 0
+            http_enabled: true
+            transport_enabled: true
+            http_authenticator:
+              type: basic
+              challenge: false
+            authentication_backend:
+              type: internal
           ldap:
             http_enabled: true
             transport_enabled: true
@@ -48,11 +59,28 @@ stringData:
                 hosts:
                   - openldap.$NAMESPACE.svc.cluster.local:1636
                 pemtrustedcas_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/ca.crt
-                userbase: ou=users,dc=example,dc=org
+                userbase: ou=users,dc=stackable,dc=tech
+                username_attribute: uid
+                usersearch: (cn={0})
+                verify_hostnames: true
+        authz:
+          ldap:
+            http_enabled: true
+            transport_enabled: true
+            authorization_backend:
+              type: ldap
+              config:
+                enable_ssl: true
+                hosts:
+                  - openldap.$NAMESPACE.svc.cluster.local:1636
+                pemtrustedcas_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/ca.crt
+                userbase: ou=users,dc=stackable,dc=tech
                 username_attribute: uid
                 usersearch: (cn={0})
                 verify_hostnames: true
-        authz: {}
+                rolesearch: (member={0})
+                rolebase: ou=groups,dc=stackable,dc=tech
+                rolename: cn
   internal_users.yml: |
     ---
     # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
@@ -82,6 +110,20 @@ stringData:
     _meta:
       type: roles
       config_version: 2
+
+    test-role:
+      reserved: false
+      cluster_permissions:
+        - indices:data/write/bulk*
+      index_permissions:
+        - index_patterns:
+            - "*"
+          allowed_actions:
+            - indices:admin/create
+            - indices:admin/delete
+            - indices:admin/mapping/put
+            - indices:data/write/bulk*
+            - indices:data/write/index
   roles_mapping.yml: |
     ---
     _meta:
@@ -92,13 +134,16 @@ stringData:
       reserved: false
       backend_roles:
         - admin
-      users:
-        - integrationtest
 
     kibana_server:
       reserved: true
       users:
         - kibanaserver
+
+    test-role:
+      reserved: false
+      backend_roles:
+        - testgroup
   tenants.yml: |
     ---
     _meta: