Merge branch 'hotfix-1.2.5' into stable

CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [1.2.5] - 2019-08-16
+## Added
+  - Support for docker secrets #325. Thanks to @anagno !
+  - Add DISABLE_CHOWN environment variable #240
+  - pqChecker lib to check passwords strength with ppolicy pwdCheckModule
+
+### Fixed
+  - Fix of incorrectly positioned 'log-helper debug' command #327. Thanks to @turcan !
+  - Fix domain dn #341. Thanks to @obourdon !
+
 ## [1.2.4] - 2019-03-14
 ### Fixed
   - Excessive RAM usage on 1.2.2, increased 10x from 1.2.1 #242

Makefile

@@ -1,5 +1,5 @@
 NAME = osixia/openldap
-VERSION = 1.2.4
+VERSION = 1.2.5
 
 .PHONY: build build-nocache test tag-latest push push-latest release git-tag-version
 

README.md

@@ -4,7 +4,7 @@
 ![Docker Stars](https://img.shields.io/docker/stars/osixia/openldap.svg)
 ![](https://images.microbadger.com/badges/image/osixia/openldap.svg)
 
-Latest release: 1.2.4 - OpenLDAP 2.4.47 -  [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/) 
+Latest release: 1.2.5 - OpenLDAP 2.4.47 -  [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/) 
 
 **A docker image to run OpenLDAP.**
 
@@ -12,39 +12,40 @@ Latest release: 1.2.4 - OpenLDAP 2.4.47 -  [Changelog](CHANGELOG.md) | [Docker H
 
 
 - [osixia/openldap](#osixiaopenldap)
-	- [Contributing](#contributing)
-	- [Quick Start](#quick-start)
-	- [Beginner Guide](#beginner-guide)
-		- [Create new ldap server](#create-new-ldap-server)
-			- [Data persistence](#data-persistence)
-			- [Edit your server configuration](#edit-your-server-configuration)
-			- [Seed ldap database with ldif](#seed-ldap-database-with-ldif)
-		- [Use an existing ldap database](#use-an-existing-ldap-database)
-		- [Backup](#backup)
-		- [Administrate your ldap server](#administrate-your-ldap-server)
-		- [TLS](#tls)
-			- [Use auto-generated certificate](#use-auto-generated-certificate)
-			- [Use your own certificate](#use-your-own-certificate)
-			- [Disable TLS](#disable-tls)
-		- [Multi master replication](#multi-master-replication)
-		- [Fix docker mounted file problems](#fix-docker-mounted-file-problems)
-		- [Debug](#debug)
-	- [Environment Variables](#environment-variables)
-		- [Default.yaml](#defaultyaml)
-		- [Default.startup.yaml](#defaultstartupyaml)
-		- [Set your own environment variables](#set-your-own-environment-variables)
-			- [Use command line argument](#use-command-line-argument)
-			- [Link environment file](#link-environment-file)
-			- [Make your own image or extend this image](#make-your-own-image-or-extend-this-image)
-	- [Advanced User Guide](#advanced-user-guide)
-		- [Extend osixia/openldap:1.2.4 image](#extend-osixiaopenldap124-image)
-		- [Make your own openldap image](#make-your-own-openldap-image)
-		- [Tests](#tests)
-		- [Kubernetes](#kubernetes)
-		- [Under the hood: osixia/light-baseimage](#under-the-hood-osixialight-baseimage)
-	- [Security](#security)
-		- [Known security issues](#known-security-issues)
-	- [Changelog](#changelog)
+	- [Contributing](#Contributing)
+	- [Quick Start](#Quick-Start)
+	- [Beginner Guide](#Beginner-Guide)
+		- [Create new ldap server](#Create-new-ldap-server)
+			- [Data persistence](#Data-persistence)
+			- [Edit your server configuration](#Edit-your-server-configuration)
+			- [Seed ldap database with ldif](#Seed-ldap-database-with-ldif)
+		- [Use an existing ldap database](#Use-an-existing-ldap-database)
+		- [Backup](#Backup)
+		- [Administrate your ldap server](#Administrate-your-ldap-server)
+		- [TLS](#TLS)
+			- [Use auto-generated certificate](#Use-auto-generated-certificate)
+			- [Use your own certificate](#Use-your-own-certificate)
+			- [Disable TLS](#Disable-TLS)
+		- [Multi master replication](#Multi-master-replication)
+		- [Fix docker mounted file problems](#Fix-docker-mounted-file-problems)
+		- [Debug](#Debug)
+	- [Environment Variables](#Environment-Variables)
+		- [Default.yaml](#Defaultyaml)
+		- [Default.startup.yaml](#Defaultstartupyaml)
+		- [Set your own environment variables](#Set-your-own-environment-variables)
+			- [Use command line argument](#Use-command-line-argument)
+			- [Link environment file](#Link-environment-file)
+			- [Docker Secrets](#Docker-Secrets)
+			- [Make your own image or extend this image](#Make-your-own-image-or-extend-this-image)
+	- [Advanced User Guide](#Advanced-User-Guide)
+		- [Extend osixia/openldap:1.2.5 image](#Extend-osixiaopenldap125-dev-image)
+		- [Make your own openldap image](#Make-your-own-openldap-image)
+		- [Tests](#Tests)
+		- [Kubernetes](#Kubernetes)
+		- [Under the hood: osixia/light-baseimage](#Under-the-hood-osixialight-baseimage)
+	- [Security](#Security)
+		- [Known security issues](#Known-security-issues)
+	- [Changelog](#Changelog)
 
 ## Contributing
 
@@ -57,11 +58,11 @@ If you find this image useful here's how you can help:
 ## Quick Start
 Run OpenLDAP docker image:
 
-	docker run --name my-openldap-container --detach osixia/openldap:1.2.4
+	docker run --name my-openldap-container --detach osixia/openldap:1.2.5
 
 Do not forget to add the port mapping for both port 389 and 636 if you wish to access the ldap server from another machine.
 
-	docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.2.4
+	docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.2.5
 
 Either command starts a new container with OpenLDAP running inside. Let's make the first search in our LDAP container:
 
@@ -97,7 +98,7 @@ It will create an empty ldap for the company **Example Inc.** and the domain **e
 By default the admin has the password **admin**. All those default settings can be changed at the docker command line, for example:
 
 	docker run --env LDAP_ORGANISATION="My Company" --env LDAP_DOMAIN="my-company.com" \
-	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.4
+	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.5
 
 #### Data persistence
 
@@ -148,12 +149,12 @@ argument to entrypoint if you don't want to overwrite them.
 		# single file example:
 		docker run \
       --volume ./bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif \
-      osixia/openldap:1.2.4 --copy-service
+      osixia/openldap:1.2.5 --copy-service
 
 		#directory example:
 		docker run \
 	     --volume ./ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom \
-	     osixia/openldap:1.2.4 --copy-service
+	     osixia/openldap:1.2.5 --copy-service
 
 ### Use an existing ldap database
 
@@ -164,7 +165,7 @@ simply mount this directories as a volume to `/var/lib/ldap` and `/etc/ldap/slap
 
 	docker run --volume /data/slapd/database:/var/lib/ldap \
 	--volume /data/slapd/config:/etc/ldap/slapd.d \
-	--detach osixia/openldap:1.2.4
+	--detach osixia/openldap:1.2.5
 
 You can also use data volume containers. Please refer to:
 > [https://docs.docker.com/engine/tutorials/dockervolumes/](https://docs.docker.com/engine/tutorials/dockervolumes/)
@@ -184,7 +185,7 @@ If you are looking for a simple solution to administrate your ldap server you ca
 #### Use auto-generated certificate
 By default, TLS is already configured and enabled, certificate is created using container hostname (it can be set by docker run --hostname option eg: ldap.example.org).
 
-	docker run --hostname ldap.my-company.com --detach osixia/openldap:1.2.4
+	docker run --hostname ldap.my-company.com --detach osixia/openldap:1.2.5
 
 #### Use your own certificate
 
@@ -194,24 +195,24 @@ You can set your custom certificate at run time, by mounting a directory contain
 	--env LDAP_TLS_CRT_FILENAME=my-ldap.crt \
 	--env LDAP_TLS_KEY_FILENAME=my-ldap.key \
 	--env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \
-	--detach osixia/openldap:1.2.4
+	--detach osixia/openldap:1.2.5
 
 Other solutions are available please refer to the [Advanced User Guide](#advanced-user-guide)
 
 #### Disable TLS
 Add --env LDAP_TLS=false to the run command:
 
-	docker run --env LDAP_TLS=false --detach osixia/openldap:1.2.4
+	docker run --env LDAP_TLS=false --detach osixia/openldap:1.2.5
 
 ### Multi master replication
 Quick example, with the default config.
 
 	#Create the first ldap server, save the container id in LDAP_CID and get its IP:
-	LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.4)
+	LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.5)
 	LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID)
 
 	#Create the second ldap server, save the container id in LDAP2_CID and get its IP:
-	LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.4)
+	LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.5)
 	LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID)
 
 	#Add the pair "ip hostname" to /etc/hosts on each containers,
@@ -247,7 +248,7 @@ You may have some problems with mounted files on some systems. The startup scrip
 
 To fix that run the container with `--copy-service` argument :
 
-		docker run [your options] osixia/openldap:1.2.4 --copy-service
+		docker run [your options] osixia/openldap:1.2.5 --copy-service
 
 ### Debug
 
@@ -256,11 +257,11 @@ Available levels are: `none`, `error`, `warning`, `info`, `debug` and `trace`.
 
 Example command to run the container in `debug` mode:
 
-	docker run --detach osixia/openldap:1.2.4 --loglevel debug
+	docker run --detach osixia/openldap:1.2.5 --loglevel debug
 
 See all command line options:
 
-	docker run osixia/openldap:1.2.4 --help
+	docker run osixia/openldap:1.2.5 --help
 
 
 ## Environment Variables
@@ -326,7 +327,7 @@ Replication options:
 
 	If you want to set this variable at docker run command add the tag `#PYTHON2BASH:` and convert the yaml in python:
 
-		docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.2.4
+		docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.2.5
 
 	To convert yaml to python online: http://yaml-online-parser.appspot.com/
 
@@ -338,6 +339,7 @@ Other environment variables:
 - **LDAP_REMOVE_CONFIG_AFTER_SETUP**: delete config folder after setup. Defaults to `true`
 - **LDAP_SSL_HELPER_PREFIX**: ssl-helper environment variables prefix. Defaults to `ldap`, ssl-helper first search config from LDAP_SSL_HELPER_* variables, before SSL_HELPER_* variables.
 - **HOSTNAME**: set the hostname of the running openldap server. Defaults to whatever docker creates.
+- **DISABLE_CHOWN**: do not perform any chown to fix file ownership. Defaults to `false`
 
 
 ### Set your own environment variables
@@ -346,7 +348,7 @@ Other environment variables:
 Environment variables can be set by adding the --env argument in the command line, for example:
 
 	docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \
-	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.4
+	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.5
 
 Be aware that environment variable added in command line will be available at any time
 in the container. In this example if someone manage to open a terminal in this container
@@ -357,14 +359,25 @@ he will be able to read the admin password in clear text from environment variab
 For example if your environment files **my-env.yaml** and **my-env.startup.yaml** are in /data/ldap/environment
 
 	docker run --volume /data/ldap/environment:/container/environment/01-custom \
-	--detach osixia/openldap:1.2.4
+	--detach osixia/openldap:1.2.5
 
 Take care to link your environment files folder to `/container/environment/XX-somedir` (with XX < 99 so they will be processed before default environment files) and not  directly to `/container/environment` because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE).
 
 Note: the container will try to delete the **\*.startup.yaml** file after the end of startup files so the file will also be deleted on the docker host. To prevent that : use --volume /data/ldap/environment:/container/environment/01-custom**:ro** or set all variables in **\*.yaml** file and don't use **\*.startup.yaml**:
 
 	docker run --volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \
-	--detach osixia/openldap:1.2.4
+	--detach osixia/openldap:1.2.5
+
+#### Docker Secrets
+
+As an alternative to passing sensitive information via environmental variables, _FILE may be appended to the listed variables, causing 
+the startup.sh script to load the values for those values from files presented in the container. This is particular usefull for loading
+passwords using the [Docker secrets](https://docs.docker.com/engine/swarm/secrets/) mechanism. For example:
+
+	docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \
+	--env LDAP_ADMIN_PASSWORD_FILE=/run/secrets/authentication_admin_pw --detach osixia/openldap:1.2.4
+
+Currently this is only supported for LDAP_ADMIN_PASSWORD, LDAP_CONFIG_PASSWORD, LDAP_READONLY_USER_PASSWORD
 
 #### Make your own image or extend this image
 
@@ -372,13 +385,13 @@ This is the best solution if you have a private registry. Please refer to the [A
 
 ## Advanced User Guide
 
-### Extend osixia/openldap:1.2.4 image
+### Extend osixia/openldap:1.2.5 image
 
 If you need to add your custom TLS certificate, bootstrap config or environment files the easiest way is to extends this image.
 
 Dockerfile example:
 
-	FROM osixia/openldap:1.2.4
+	FROM osixia/openldap:1.2.5
 	MAINTAINER Your Name <[email protected]>
 
 	ADD bootstrap /container/service/slapd/assets/config/bootstrap
@@ -420,7 +433,7 @@ Run your image:
 
 We use **Bats** (Bash Automated Testing System) to test this image:
 
-> [https://github.com/sstephenson/bats](https://github.com/sstephenson/bats)
+> [https://github.com/bats-core/bats-core](https://github.com/bats-core/bats-core)
 
 Install Bats, and in this project directory run:
 

example/docker-compose.yml

@@ -1,7 +1,7 @@
 version: '2'
 services:
   openldap:
-    image: osixia/openldap:1.2.4
+    image: osixia/openldap:1.2.5
     container_name: openldap
     environment:
       LDAP_LOG_LEVEL: "256"

example/extend-osixia-openldap/Dockerfile

@@ -1,4 +1,4 @@
-FROM osixia/openldap:1.2.4
+FROM osixia/openldap:1.2.5
 MAINTAINER Your Name <[email protected]>
 
 ADD bootstrap /container/service/slapd/assets/config/bootstrap

example/kubernetes/simple/ldap-deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
       containers:
         - name: ldap
-          image: osixia/openldap:1.2.4
+          image: osixia/openldap:1.2.5
           volumeMounts:
             - name: ldap-data
               mountPath: /var/lib/ldap

example/kubernetes/using-secrets/gce-statefullset.yaml

@@ -12,7 +12,7 @@ spec:
         spec:
             containers:
             - name: azaldap
-              image: osixia/openldap:1.2.4
+              image: osixia/openldap:1.2.5
               imagePullPolicy: IfNotPresent
               #command: ["/bin/bash","-c","while [ 1 = 1 ] ; do sleep 1; date; done"]
               ports:

example/kubernetes/using-secrets/ldap-deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
       containers:
         - name: ldap
-          image: osixia/openldap:1.2.4
+          image: osixia/openldap:1.2.5
           args: ["--copy-service"]
           volumeMounts:
             - name: ldap-data

image/Dockerfile

@@ -5,6 +5,9 @@ FROM osixia/light-baseimage:1.1.2
 ARG LDAP_OPENLDAP_GID
 ARG LDAP_OPENLDAP_UID
 
+ARG PQCHECKER_VERSION=2.0.0
+ARG PQCHECKER_MD5=c005ce596e97d13e39485e711dcbc7e1
+
 # Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
 # If explicit uid or gid is given, use it.
 RUN if [ -z "${LDAP_OPENLDAP_GID}" ]; then groupadd -r openldap; else groupadd -r -g ${LDAP_OPENLDAP_GID} openldap; fi \
@@ -18,17 +21,24 @@ RUN echo "deb http://ftp.debian.org/debian stretch-backports main" >> /etc/apt/s
 #          https://github.com/osixia/docker-light-baseimage/blob/stable/image/service-available/:ssl-tools/download.sh
 RUN echo "path-include /usr/share/doc/krb5*" >> /etc/dpkg/dpkg.cfg.d/docker && apt-get -y update \
     && /container/tool/add-service-available :ssl-tools \
-	  && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get -t stretch-backports install -y --no-install-recommends \
-       ldap-utils \
-       libsasl2-modules \
-       libsasl2-modules-db \
-       libsasl2-modules-gssapi-mit \
-       libsasl2-modules-ldap \
-       libsasl2-modules-otp \
-       libsasl2-modules-sql \
-       openssl \
-       slapd \
-       krb5-kdc-ldap \
+    && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get -t stretch-backports install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    ldap-utils \
+    libsasl2-modules \
+    libsasl2-modules-db \
+    libsasl2-modules-gssapi-mit \
+    libsasl2-modules-ldap \
+    libsasl2-modules-otp \
+    libsasl2-modules-sql \
+    openssl \
+    slapd \
+    krb5-kdc-ldap \
+    && curl -o pqchecker.deb -SL http://www.meddeb.net/pub/pqchecker/deb/8/pqchecker_${PQCHECKER_VERSION}_amd64.deb \
+    && echo "${PQCHECKER_MD5} *pqchecker.deb" | md5sum -c - \
+    && dpkg -i pqchecker.deb \
+    && rm pqchecker.deb \
+    && apt-get remove -y --purge --auto-remove curl ca-certificates \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 

image/environment/default.yaml

@@ -10,4 +10,7 @@
 LDAP_LOG_LEVEL: 256
 
 # Ulimit
-LDAP_NOFILE: 1024
+LDAP_NOFILE: 1024
+
+# Do not perform any chown to fix file ownership
+DISABLE_CHOWN: false

image/service/slapd/startup.sh

@@ -10,14 +10,44 @@ log-helper level eq trace && set -x
 # see https://github.com/docker/docker/issues/8231
 ulimit -n $LDAP_NOFILE
 
+
+# usage: file_env VAR
+#    ie: file_env 'XYZ_DB_PASSWORD' 
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+
+  # The variables are already defined from the docker-light-baseimage
+  # So if the _FILE variable is available we ovewrite them
+	if [ "${!fileVar:-}" ]; then
+    log-helper trace "${fileVar} was defined"
+
+		val="$(< "${!fileVar}")"
+    log-helper debug "${var} was repalced with the contents of ${fileVar} (the value was: ${val})"
+
+    export "$var"="$val"
+	fi
+	
+	unset "$fileVar"
+}
+
+
+file_env 'LDAP_ADMIN_PASSWORD'
+file_env 'LDAP_CONFIG_PASSWORD'
+file_env 'LDAP_READONLY_USER_PASSWORD'
+
 # create dir if they not already exists
 [ -d /var/lib/ldap ] || mkdir -p /var/lib/ldap
 [ -d /etc/ldap/slapd.d ] || mkdir -p /etc/ldap/slapd.d
 
 # fix file permissions
-chown -R openldap:openldap /var/lib/ldap
-chown -R openldap:openldap /etc/ldap
-chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
+if [ "${DISABLE_CHOWN,,}" == "false" ]; then
+  chown -R openldap:openldap /var/lib/ldap
+  chown -R openldap:openldap /etc/ldap
+  chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
+fi
 
 FIRST_START_DONE="${CONTAINER_STATE_DIR}/slapd-first-start-done"
 WAS_STARTED_WITH_TLS="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls"
@@ -51,7 +81,15 @@ if [ ! -e "$FIRST_START_DONE" ]; then
 
       LDAP_BASE_DN=${LDAP_BASE_DN::-1}
     fi
-
+    # Check that LDAP_BASE_DN and LDAP_DOMAIN are in sync
+    domain_from_base_dn=$(echo $LDAP_BASE_DN | tr ',' '\n' | sed -e 's/^.*=//' | tr '\n' '.' | sed -e 's/\.$//')
+    set +e
+    echo "$domain_from_base_dn" | egrep -q ".*$LDAP_DOMAIN\$"
+    if [ $? -ne 0 ]; then
+      log-helper error "Error: domain $domain_from_base_dn derived from LDAP_BASE_DN $LDAP_BASE_DN does not match LDAP_DOMAIN $LDAP_DOMAIN"
+      exit 1
+    fi
+    set -e
   }
 
   function is_new_schema() {
@@ -65,6 +103,7 @@ if [ ! -e "$FIRST_START_DONE" ]; then
 
   function ldap_add_or_modify (){
     local LDIF_FILE=$1
+
     log-helper debug "Processing file ${LDIF_FILE}"
     sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" $LDIF_FILE
     sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" $LDIF_FILE
@@ -74,9 +113,9 @@ if [ ! -e "$FIRST_START_DONE" ]; then
       sed -i "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED}|g" $LDIF_FILE
     fi
     if grep -iq changetype $LDIF_FILE ; then
-        ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 | log-helper debug || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 | log-helper debug
+        ( ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 ) | log-helper debug
     else
-        ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE |& log-helper debug || ldapadd -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 | log-helper debug
+        ( ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 || ldapadd -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 ) | log-helper debug
     fi
   }
 
@@ -96,6 +135,7 @@ if [ ! -e "$FIRST_START_DONE" ]; then
     log-helper info "Database and config directory are empty..."
     log-helper info "Init new ldap server..."
 
+    get_ldap_base_dn
     cat <<EOF | debconf-set-selections
 slapd slapd/internal/generated_adminpw password ${LDAP_ADMIN_PASSWORD}
 slapd slapd/internal/adminpw password ${LDAP_ADMIN_PASSWORD}
@@ -127,7 +167,9 @@ EOF
       mv /tmp/schema/cn=config/cn=schema/* /etc/ldap/slapd.d/cn=config/cn=schema
       rm -r /tmp/schema
 
-      chown -R openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema
+      if [ "${DISABLE_CHOWN,,}" == "false" ]; then
+        chown -R openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema
+      fi
     fi
 
     rm ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema/rfc2307bis.*
@@ -204,8 +246,10 @@ EOF
       ssl-helper $LDAP_SSL_HELPER_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH
       [ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
 
-      chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}
-      chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH
+      if [ "${DISABLE_CHOWN,,}" == "false" ]; then
+        chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}
+        chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH
+      fi
     fi
 
     # start OpenLDAP
@@ -308,10 +352,12 @@ EOF
 
       # create DHParamFile if not found
       [ -f ${LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
-      chmod 600 ${LDAP_TLS_DH_PARAM_PATH}
-
+      
       # fix file permissions
-      chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
+      if [ "${DISABLE_CHOWN,,}" == "false" ]; then
+        chmod 600 ${LDAP_TLS_DH_PARAM_PATH}
+        chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
+      fi
 
       # adapt tls ldif
       sed -i "s|{{ LDAP_TLS_CA_CRT_PATH }}|${LDAP_TLS_CA_CRT_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif

test/test.bats

@@ -19,6 +19,45 @@ load test_helper
 
 }
 
+@test "ldap domain with ldap base dn" {
+
+  run_image -h ldap.example.org -e LDAP_TLS=false -e LDAP_DOMAIN=example.com -e LDAP_BASE_DN="dc=example,dc=org"
+
+  sleep 2
+
+  CSTATUS=$(check_container)
+  clear_container
+
+  [ "$CSTATUS" != "running 0" ]
+
+}
+
+@test "ldap domain with ldap base dn subdomain" {
+
+  run_image -h ldap.example.fr -e LDAP_TLS=false -e LDAP_DOMAIN=example.fr -e LDAP_BASE_DN="ou=myou,o=example,c=fr"
+
+  sleep 2
+
+  CSTATUS=$(check_container)
+  clear_container
+
+  [ "$CSTATUS" == "running 0" ]
+
+}
+
+@test "ldap domain with ldap base dn subdomain included" {
+
+  run_image -h ldap.example.com -e LDAP_TLS=false -e LDAP_DOMAIN=example.com -e LDAP_BASE_DN="ou=myou,o=example,dc=com,c=fr"
+
+  sleep 2
+
+  CSTATUS=$(check_container)
+  clear_container
+
+  [ "$CSTATUS" != "running 0" ]
+
+}
+
 @test "ldapsearch database from created volumes" {
 
   rm -rf VOLUMES && mkdir -p VOLUMES/config VOLUMES/database
@@ -26,18 +65,37 @@ load test_helper
   wait_process_by_cid $LDAP_CID slapd
   run docker exec $LDAP_CID ldapsearch -x -h ldap.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
   docker kill $LDAP_CID
+  clear_containers_by_cid $LDAP_CID
+
   [ "$status" -eq 0 ]
+
   LDAP_CID=$(docker run -h ldap.example.org -e LDAP_TLS=false --volume $PWD/VOLUMES/database:/var/lib/ldap --volume $PWD/VOLUMES/config:/etc/ldap/slapd.d -d $NAME:$VERSION)
   wait_process_by_cid $LDAP_CID slapd
   run docker exec $LDAP_CID ldapsearch -x -h ldap.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
   run docker exec $LDAP_CID chown -R $UID:$UID /var/lib/ldap /etc/ldap/slapd.d
   docker kill $LDAP_CID
   rm -rf VOLUMES
+  clear_containers_by_cid $LDAP_CID
 
   [ "$status" -eq 0 ]
 
 }
 
+@test "ldapsearch database with password provided from file" {
+
+  rm $PWD/password.txt && touch $PWD/password.txt 
+  echo "strongPassword" >> $PWD/password.txt
+
+  run_image -h ldap.osixia.net -e LDAP_ADMIN_PASSWORD_FILE=/run/secrets/admin_pw.txt --volume $PWD/password.txt:/run/secrets/admin_pw.txt
+  wait_process slapd
+  run docker exec $CONTAINER_ID ldapsearch -x -h ldap.osixia.net -b dc=example,dc=org -ZZ -D "cn=admin,dc=example,dc=org" -w strongPassword
+  clear_container
+  rm $PWD/password.txt
+
+  [ "$status" -eq 0 ]
+}
+
+
 @test "ldapsearch new database with strict TLS" {
 
   run_image -h ldap.example.org

test/test_helper.bash

@@ -9,7 +9,7 @@ build_image() {
 }
 
 run_image() {
-  CONTAINER_ID=$(docker run $@ -d $IMAGE_NAME --copy-service -c "/container/service/slapd/test.sh")
+  CONTAINER_ID=$(docker run $@ -d $IMAGE_NAME --copy-service -c "/container/service/slapd/test.sh" $EXTRA_DOCKER_RUN_FLAGS)
   CONTAINER_IP=$(get_container_ip_by_cid $CONTAINER_ID)
 }
 
@@ -34,6 +34,12 @@ wait_process() {
   wait_process_by_cid $CONTAINER_ID $@
 }
 
+check_container() {
+  # "Status" = "exited", and "ExitCode" != 0,
+  local CSTAT=$(docker inspect -f "{{ .State.Status }} {{ .State.ExitCode }}" $CONTAINER_ID)
+  echo "$CSTAT"
+}
+
 # generic functions
 get_container_ip_by_cid() {
   local IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $1)