Bertrand Gouny преди 11 години
родител
ревизия
2d0fd75ed8
променени са 4 файла, в които са добавени 37 реда и са изтрити 24 реда
  1. 1 3
      Dockerfile
  2. 6 5
      config/auto/tls.ldif
  3. 1 1
      config/logging.ldif
  4. 29 15
      slapd.sh

+ 1 - 3
Dockerfile

@@ -22,14 +22,12 @@ CMD ["/sbin/my_init"]
 RUN apt-get -y update
 
 # Install openldap (slapd) and ldap-utils
-RUN LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y slapd ldap-utils
+RUN LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y slapd ldap-utils openssl
 
 # Expose ldap default port
 EXPOSE 389
 
 # Create TSL certificats directory
-# /!\ If used the deamon must be lauch with a hostname matching the certificat common mame
-# add -h my.hostname.com to the run command
 RUN mkdir /etc/ldap/ssl
 
 # Add config directory 

+ 6 - 5
config/auto/tls.ldif

@@ -1,16 +1,17 @@
 dn: cn=config
-add: olcTLSCACertificateFile
+changetype: modify
+replace: olcTLSCACertificateFile
 olcTLSCACertificateFile: /etc/ldap/ssl/ca.crt
 -
-add: olcTLSCertificateFile
+replace: olcTLSCertificateFile
 olcTLSCertificateFile: /etc/ldap/ssl/ldap.crt
 -
-add: olcTLSCertificateKeyFile
+replace: olcTLSCertificateKeyFile
 olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key
 -
-add: olcTLSDHParamFile
+replace: olcTLSDHParamFile
 olcTLSDHParamFile: /etc/ldap/ssl/dhparam.pem
 -
-add: olcTLSVerifyClient
+replace: olcTLSVerifyClient
 olcTLSVerifyClient: never
 

+ 1 - 1
config/logging.ldif

@@ -1,4 +1,4 @@
 dn: cn=config
 changetype: modify
-add: olcLogLevel
+replace: olcLogLevel
 olcLogLevel: stats

+ 29 - 15
slapd.sh

@@ -11,6 +11,7 @@ set -x
 : LDAP_DOMAIN=${LDAP_DOMAIN}
 : LDAP_ORGANISATION=${LDAP_ORGANISATION}
 
+############ Base config ############
 if [ ! -e /var/lib/ldap/docker_bootstrapped ]; then
   status "configuring slapd for first run"
 
@@ -31,32 +32,45 @@ slapd slapd/dump_database select when needed
 EOF
 
   dpkg-reconfigure -f noninteractive slapd
-  chown -R openldap:openldap /etc/ldap
 
-  # Lauch slapd deamon
-  slapd -h "ldap:///" -u openldap -g openldap
+  touch /var/lib/ldap/docker_bootstrapped
 
-  if [ -e /etc/ldap/ssl/ldap.crt ] && [ -e /etc/ldap/ssl/ldap.key ] && [ -e /etc/ldap/ssl/ca.crt ]; then
-    status "certificates found"
+else
+  status "found already-configured slapd"
+fi
 
-    chmod 600 /etc/ldap/ssl/ldap.key
+############ Dynamic config ############
+slapd -h "ldap:/// ldapi:///" -u openldap -g openldap
+chown -R openldap:openldap /etc/ldap
 
-    # create DHParamFile if not found
-    [ -f /etc/ldap/ssl/dhparam.pem ] || openssl dhparam -out /etc/ldap/ssl/dhparam.pem 2048
+# TLS
+if [ -e /etc/ldap/ssl/ldap.crt ] && [ -e /etc/ldap/ssl/ldap.key ] && [ -e /etc/ldap/ssl/ca.crt ]; then
+  status "certificates found"
 
-    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/auto/tls.ldif 
+  chmod 600 /etc/ldap/ssl/ldap.key
 
-  fi
+  # create DHParamFile if not found
+  [ -f /etc/ldap/ssl/dhparam.pem ] || openssl dhparam -out /etc/ldap/ssl/dhparam.pem 2048
 
-  # kill slapd deamon
-  pkill -f slapd
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/auto/tls_add.ldif 
 
-  touch /var/lib/ldap/docker_bootstrapped
+  # add fake dnsmasq route to certificate cn
+  cn=$(openssl x509 -in /etc/ldap/ssl/ldap.crt -subject -noout | sed -n 's/.*CN=\(.*\).\^*/\1/p')
+  echo "127.0.0.1	" $cn >> /etc/dhosts
 
-else
-  status "found already-configured slapd"
 fi
 
+# Replication
+# todo
+
+# Other config files
+for f in $(find /etc/ldap/config -maxdepth 1 -name \*.ldif -type f); do
+  status "Processing file ${f}"
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f $f
+done
+
+pkill slapd
+
 status "starting slapd on default port 389"
 set -x
 exec /usr/sbin/slapd -h "ldap:///" -u openldap -g openldap -d -1
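Review bot: The TLS settings are applied best-effort: `ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/auto/tls_add.ldif` runs right after `slapd -h "ldap:/// ldapi:///"` is launched, with no wait for the ldapi socket to appear and no check of the exit status, so a failed modify leaves the container serving without the cn=config TLS attributes and the only trace is stderr noise. The file it loads is named `tls.ldif` in this commit's diffstat, so unless `tls_add.ldif` exists outside this diff the modify fails on a missing file on every start. The `cn=$(... | sed -n 's/.*CN=\(.*\).\^*/\1/p')` extraction also drops the last character of the CN (the `.` before `\^*` consumes it, since `.*` is greedy), and `$cn` is unquoted in the `echo` that appends to `/etc/dhosts`. The unquoted `$f` in `for f in $(find ...)` and `ldapmodify ... -f $f` with an unchecked status, plus `pkill slapd` with no wait before the final `exec`, share the same silent-failure pattern. A minimal fix waits for the socket and fails the script when a modify fails:
```shell
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap
# wait for the ldapi socket before touching cn=config
tries=0
until ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base >/dev/null 2>&1; do
  tries=$((tries + 1))
  [ "$tries" -lt 30 ] || { status "slapd did not come up on ldapi:///"; exit 1; }
  sleep 1
done
# … unchanged: certificate checks, chmod, dhparam …
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/auto/tls.ldif || exit 1
# … unchanged: dhosts entry, replication placeholder …
for f in /etc/ldap/config/*.ldif; do
  [ -f "$f" ] || continue
  status "Processing file ${f}"
  ldapmodify -Y EXTERNAL -H ldapi:/// -f "$f" || exit 1
done
```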