diff --git a/sso-mfa/k8s/keycape/create-secrets.sh b/sso-mfa/k8s/keycape/create-secrets.sh index 1b2300b..26c1f89 100644 --- a/sso-mfa/k8s/keycape/create-secrets.sh +++ b/sso-mfa/k8s/keycape/create-secrets.sh @@ -78,6 +78,8 @@ lldap: bindDN: "uid=admin,ou=people,dc=netkingdom,dc=local" bindPW: "${LLDAP_BIND_PW}" baseDN: "dc=netkingdom,dc=local" + userOU: "ou=people" + groupOU: "ou=groups" authelia: # Cluster-internal URL for server-side token exchange. diff --git a/sso-mfa/k8s/keycape/deployment.yaml b/sso-mfa/k8s/keycape/deployment.yaml index 13b1422..8b63d9f 100644 --- a/sso-mfa/k8s/keycape/deployment.yaml +++ b/sso-mfa/k8s/keycape/deployment.yaml @@ -54,7 +54,7 @@ spec: # 2026-05-24: direct-imported into railiance01 k3s for the # bootstrap-console OIDC/MFA rollout. Use IfNotPresent while the # HTTP registry push/pull path is being cleaned up. - image: 92.205.130.254:32166/coulomb/key-cape:main-937cb39 + image: 92.205.130.254:32166/coulomb/key-cape:main-06d20c3 imagePullPolicy: IfNotPresent ports: diff --git a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md index 6f2d12a..699bd7a 100644 --- a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md +++ b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md 
@@ -201,6 +201,12 @@ without depending on token-list admin credentials. The live `keycape-config` now uses `realm: coulomb` and `requireForAll: true`, and Railiance runs image `main-937cb39`. +**2026-05-25:** Fixed the subsequent token-exchange `user not found` error. +Live LLDAP stores users under `ou=people`, while KeyCape's default lookup base +was `ou=users`. KeyCape commit `06d20c3` makes the LLDAP OU settings explicit +in YAML, live `keycape-config` now sets `userOU: ou=people` and +`groupOU: ou=groups`, and Railiance runs image `main-06d20c3`. + **2026-05-24:** Stepped back from ad hoc secret rollout and added the custodian age-key bootstrap model to the control surface. The UI now records the custodian public age recipient, a derived fingerprint, and a non-secret
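Review bot: in the create-secrets.sh hunk, `userOU: "ou=people"` and `groupOU: "ou=groups"` are relative RDNs under `baseDN` (matching the `ou=people` component of `bindDN: "uid=admin,ou=people,dc=netkingdom,dc=local"`), but nothing in the template says so; add a one-line comment that these are relative to `baseDN`, not full DNs, so the next operator does not paste a full DN. These two values are also not secrets, unlike `bindPW: "${LLDAP_BIND_PW}"`, so consider whether they belong in the material this script renders into the secret at all rather than in plain config.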
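Review bot: in the deployment.yaml hunk the image is still referenced by tag over a plaintext registry (`image: 92.205.130.254:32166/coulomb/key-cape:main-06d20c3` with `imagePullPolicy: IfNotPresent`); pin by digest (`@sha256:<digest>`) so a node that does not already hold the image cannot be served a different blob over HTTP. The comment above the line says the previous image was direct-imported into railiance01 and that IfNotPresent is relied on while the HTTP path is cleaned up, so confirm `main-06d20c3` was imported the same way, otherwise the first pod restart after this bump falls through to an HTTP pull. That `# 2026-05-24:` comment now describes the previous tag; update its date or mention the bump.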
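Review bot: in the NET-WP-0015 hunk the new 2026-05-25 entry says Railiance runs `main-06d20c3`, but the unchanged context line just above still reads "Railiance runs image `main-937cb39`", so the workplan contradicts itself after this change; update that status line in the same commit or mark it as the 2026-05-24 state. The entry also says commit `06d20c3` "makes the LLDAP OU settings explicit in YAML" without saying whether `userOU`/`groupOU` are now required or still default to `ou=users` when omitted; state which, since a deployment that forgets the keys would silently reproduce the `user not found` failure this entry documents.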