|
|
@@ -24,6 +24,12 @@ WAS_STARTED_WITH_TLS="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls"
|
|
|
WAS_STARTED_WITH_TLS_ENFORCE="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls-enforce"
|
|
|
WAS_STARTED_WITH_REPLICATION="/etc/ldap/slapd.d/docker-openldap-was-started-with-replication"
|
|
|
|
|
|
+LDAP_TLS_CA_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CA_CRT_FILENAME"
|
|
|
+LDAP_TLS_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CRT_FILENAME"
|
|
|
+LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
|
|
|
+LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
|
|
|
+
|
|
|
+
|
|
|
# CONTAINER_SERVICE_DIR and CONTAINER_STATE_DIR variables are set by
|
|
|
# the baseimage run tool more info : https://github.com/osixia/docker-light-baseimage
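Review bot: The four `LDAP_TLS_*_PATH` assignments are now evaluated unconditionally at file scope, but nothing says why they moved out of the TLS block or who reads them, which makes it easy for a later edit to push them back under the `if`. A one-line header above `LDAP_TLS_CA_CRT_PATH` would capture the contract: `# TLS asset paths; shared by the slapd TLS setup and the ldap client config section, so they must stay defined even when LDAP_TLS is false`. If `set -u` is ever enabled in this script, note that the `$LDAP_TLS_*_FILENAME` expansions would then abort startup for deployments that never set them; the `${VAR:-default}` form would make that explicit, though whether those variables always arrive from the environment is not visible in this hunk.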
|
|
|
|
|
|
@@ -269,11 +275,6 @@ EOF
|
|
|
|
|
|
log-helper info "Add TLS config..."
|
|
|
|
|
|
- LDAP_TLS_CA_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CA_CRT_FILENAME"
|
|
|
- LDAP_TLS_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CRT_FILENAME"
|
|
|
- LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
|
|
|
- LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
|
|
|
-
|
|
|
# generate a certificate and key with ssl-helper tool if LDAP_CRT and LDAP_KEY files don't exists
|
|
|
# https://github.com/osixia/docker-light-baseimage/blob/stable/image/service-available/:ssl-tools/assets/tool/ssl-helper
|
|
|
ssl-helper $LDAP_SSL_HELPER_PREFIX $LDAP_TLS_CRT_PATH $LDAP_TLS_KEY_PATH $LDAP_TLS_CA_CRT_PATH
|
|
|
@@ -302,16 +303,6 @@ EOF
|
|
|
echo "export PREVIOUS_LDAP_TLS_KEY_PATH=${LDAP_TLS_KEY_PATH}" >> $WAS_STARTED_WITH_TLS
|
|
|
echo "export PREVIOUS_LDAP_TLS_DH_PARAM_PATH=${LDAP_TLS_DH_PARAM_PATH}" >> $WAS_STARTED_WITH_TLS
|
|
|
|
|
|
- # ldap client config
|
|
|
- sed -i --follow-symlinks "s,TLS_CACERT.*,TLS_CACERT ${LDAP_TLS_CA_CRT_PATH},g" /etc/ldap/ldap.conf
|
|
|
- echo "TLS_REQCERT ${LDAP_TLS_VERIFY_CLIENT}" >> /etc/ldap/ldap.conf
|
|
|
- cp -f /etc/ldap/ldap.conf ${CONTAINER_SERVICE_DIR}/slapd/assets/ldap.conf
|
|
|
-
|
|
|
- [[ -f "$HOME/.ldaprc" ]] && rm -f $HOME/.ldaprc
|
|
|
- echo "TLS_CERT ${LDAP_TLS_CRT_PATH}" > $HOME/.ldaprc
|
|
|
- echo "TLS_KEY ${LDAP_TLS_KEY_PATH}" >> $HOME/.ldaprc
|
|
|
- cp -f $HOME/.ldaprc ${CONTAINER_SERVICE_DIR}/slapd/assets/.ldaprc
|
|
|
-
|
|
|
# enforce TLS
|
|
|
if [ "${LDAP_TLS_ENFORCE,,}" == "true" ]; then
|
|
|
log-helper info "Add enforce TLS..."
|
|
|
@@ -392,6 +383,21 @@ EOF
|
|
|
while [ -e /proc/$SLAPD_PID ]; do sleep 0.1; done # wait until slapd is terminated
|
|
|
fi
|
|
|
|
|
|
+ #
|
|
|
+ # ldap client config
|
|
|
+ #
|
|
|
+ if [ "${LDAP_TLS,,}" == "true" ]; then
|
|
|
+ log-helper info "Configure ldap client TLS configuration..."
|
|
|
+ sed -i --follow-symlinks "s,TLS_CACERT.*,TLS_CACERT ${LDAP_TLS_CA_CRT_PATH},g" /etc/ldap/ldap.conf
|
|
|
+ echo "TLS_REQCERT ${LDAP_TLS_VERIFY_CLIENT}" >> /etc/ldap/ldap.conf
|
|
|
+ cp -f /etc/ldap/ldap.conf ${CONTAINER_SERVICE_DIR}/slapd/assets/ldap.conf
|
|
|
+
|
|
|
+ [[ -f "$HOME/.ldaprc" ]] && rm -f $HOME/.ldaprc
|
|
|
+ echo "TLS_CERT ${LDAP_TLS_CRT_PATH}" > $HOME/.ldaprc
|
|
|
+ echo "TLS_KEY ${LDAP_TLS_KEY_PATH}" >> $HOME/.ldaprc
|
|
|
+ cp -f $HOME/.ldaprc ${CONTAINER_SERVICE_DIR}/slapd/assets/.ldaprc
|
|
|
+ fi
|
|
|
+
|
|
|
#
|
|
|
# remove container config files
|
|
|
#
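Review bot: The `echo "TLS_REQCERT ..." >> /etc/ldap/ldap.conf` line appends on every pass through this block, whereas the `.ldaprc` a few lines below is explicitly removed and rewritten, so a container that re-enters this path accumulates duplicate `TLS_REQCERT` entries in ldap.conf while `.ldaprc` stays clean. Dropping any prior entry first keeps the two files consistent and idempotent: `sed -i --follow-symlinks '/^TLS_REQCERT/d' /etc/ldap/ldap.conf` immediately before the echo. Separately, the client's `TLS_REQCERT` is derived from `LDAP_TLS_VERIFY_CLIENT`, which is the server-side client-certificate policy; if that variable is `never` or `allow`, the in-container ldap tools will also skip or relax verification of the server certificate, so either a dedicated client-side variable or a comment stating that this coupling is intentional would help operators. The `cp -f $HOME/.ldaprc ${CONTAINER_SERVICE_DIR}/...` and `rm -f $HOME/.ldaprc` expansions are unquoted, unlike the `[[ -f "$HOME/.ldaprc" ]]` test on the same line, and should be quoted for consistency. The `if` at the top of this block is indented inside an enclosing construct whose start is outside the hunk, so whether it runs on first start only or on every start cannot be confirmed from here.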
|