
backend config

Bertrand Gouny hai 9 anos
72e6d9fc32

+ 6 - 0
CHANGELOG.md

@@ -8,6 +8,12 @@ Merge pull request :
 
 Update to light-baseimage:0.2.4
 
+Release Note:
+  In this version the new environment variable LDAP_BACKEND let you set the the backend used by your ldap database.
+  By default it's hdb. In comming versions 1.2.x the default will be changed to mdb.
+
+  Environment variable LDAP_REPLICATION_HDB_SYNCPROV changed to LDAP_REPLICATION_DB_SYNCPROV
+
 ## 1.1.2
 Merge pull request :
   - Honor LDAP_LOG_LEVEL on startup #39

+ 6 - 1
README.md

@@ -240,6 +240,11 @@ Required and used for new ldap server only:
 - **LDAP_READONLY_USER_USERNAME** Read only user username. Defaults to `readonly`
 - **LDAP_READONLY_USER_PASSWORD** Read only user password. Defaults to `readonly`
 
+Backend:
+- **LDAP_BACKEND**: Ldap backend. Defaults to `hdb` (In comming versions v1.2.x default will be mdb)
+
+	Help: http://www.openldap.org/doc/admin24/backends.html
+
 TLS options:
 - **LDAP_TLS**: Add openldap TLS capabilities. Defaults to `true`
 - **LDAP_TLS_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
@@ -257,7 +262,7 @@ Replication options:
 
 - **LDAP_REPLICATION_CONFIG_SYNCPROV**: olcSyncRepl options used for the config database. Without **rid** and **provider** which are automatically added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical`
 
-- **LDAP_REPLICATION_HDB_SYNCPROV**: olcSyncRepl options used for the HDB database. Without **rid** and **provider** which are automatically added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical`
+- **LDAP_REPLICATION_DB_SYNCPROV**: olcSyncRepl options used for the database. Without **rid** and **provider** which are automatically added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical`
 
 - **LDAP_REPLICATION_HOSTS**: list of replication hosts, must contain the current container hostname set by --hostname on docker run command. Defaults to :
 	```yaml

+ 2 - 2
example/extend-osixia-openldap/environment/my-env.yaml.startup

@@ -33,10 +33,10 @@ LDAP_REPLICATION: false
 # are automaticaly replaced at run time
 
 # if you want to add replication to an existing ldap
-# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_HDB_SYNCPROV to your configuration
+# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration
 # avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
 LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
-LDAP_REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
+LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
 LDAP_REPLICATION_HOSTS:
   - ldap://ldap.example.org # The order must be the same on all ldap servers
   - ldap://ldap2.example.org

+ 1 - 1
example/kubernetes/simple/ldap-rc.yaml

@@ -63,7 +63,7 @@ spec:
               value: "false"
             - name: LDAP_REPLICATION_CONFIG_SYNCPROV
               value: "binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"60 +\" timeout=1 starttls=critical"
-            - name: LDAP_REPLICATION_HDB_SYNCPROV
+            - name: LDAP_REPLICATION_DB_SYNCPROV
               value: "binddn=\"cn=admin,$LDAP_BASE_DN\" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase=\"$LDAP_BASE_DN\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 starttls=critical"
             - name: LDAP_REPLICATION_HOSTS
               value: "#PYTHON2BASH:['ldap://ldap-one-service', 'ldap://ldap-two-service']"

+ 2 - 2
example/kubernetes/using-secrets/environment/my-env.yaml.startup

@@ -33,10 +33,10 @@ LDAP_REPLICATION: false
 # are automaticaly replaced at run time
 
 # if you want to add replication to an existing ldap
-# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_HDB_SYNCPROV to your configuration
+# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration
 # avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
 LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
-LDAP_REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
+LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
 LDAP_REPLICATION_HOSTS:
   - ldap://ldap.example.org # The order must be the same on all ldap servers
   - ldap://ldap2.example.org

+ 5 - 2
image/environment/default.yaml.startup

@@ -18,6 +18,9 @@ LDAP_READONLY_USER: false
 LDAP_READONLY_USER_USERNAME: readonly
 LDAP_READONLY_USER_PASSWORD: readonly
 
+# Backend
+LDAP_BACKEND: hdb
+
 # Tls
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: ldap.crt
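Review bot: The new `LDAP_BACKEND: hdb` line documents neither the accepted values nor the constraint that matters most for operators: the value is templated into `olcDatabase={1}…` DNs in LDIF files that, judging by their names and the "add replication to an existing ldap" comment below, are also applied to an already-initialised database (the replication enable/disable and read-only ACL files in this commit), so it has to match the backend the database was originally created with, not merely the one wanted for a fresh install. With the changelog announcing a default switch to mdb in 1.2.x, an existing hdb deployment that leaves this unset would have those modifications aimed at a database DN that does not exist. Suggest replacing the bare `# Backend` comment with `# Backend: hdb or mdb (see http://www.openldap.org/doc/admin24/backends.html); used in olcDatabase={1}<backend> DNs, so it must match the backend of an existing database`.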
@@ -35,10 +38,10 @@ LDAP_REPLICATION: false
 # are automaticaly replaced at run time
 
 # if you want to add replication to an existing ldap
-# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_HDB_SYNCPROV to your configuration
+# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration
 # avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
 LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
-LDAP_REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
+LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
 LDAP_REPLICATION_HOSTS:
   - ldap://ldap.example.org # The order must be the same on all ldap servers
   - ldap://ldap2.example.org

+ 1 - 1
image/service/slapd/assets/config/bootstrap/ldif/02-security.ldif

@@ -1,4 +1,4 @@
-dn: olcDatabase={1}mdb,cn=config
+dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
 changetype: modify
 delete: olcAccess
 -
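Review bot: The `{{ LDAP_BACKEND }}` placeholder in the new DN only works if it is substituted before this file is fed to ldapmodify, and none of the startup.sh hunks in this commit add a `sed` for it the way the replication placeholders get one; if the existing templating (not visible here) does not already cover it, the modify targets `olcDatabase={1}{{ LDAP_BACKEND }},cn=config`, which does not exist, and the olcAccess replacement this file performs is silently skipped, leaving the packaged default ACLs in place. Worth confirming against the part of startup.sh not shown in this commit. A one-line comment at the top of the file would also help the next reader: `# {{ LDAP_BACKEND }} is replaced at startup with LDAP_BACKEND (hdb/mdb); it must match the backend the database was created with.`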

+ 1 - 1
image/service/slapd/assets/config/bootstrap/ldif/03-memberOf.ldif

@@ -5,7 +5,7 @@ add: olcModuleLoad
 olcModuleLoad: memberof
 
 # Backend memberOf overlay
-dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
+dn: olcOverlay={0}memberof,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
 changetype: add
 objectClass: olcOverlayConfig
 objectClass: olcMemberOf

+ 1 - 1
image/service/slapd/assets/config/bootstrap/ldif/04-refint.ldif

@@ -5,7 +5,7 @@ add: olcModuleLoad
 olcModuleLoad: refint
 
 # Backend refint overlay
-dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
+dn: olcOverlay={1}refint,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
 changetype: add
 objectClass: olcOverlayConfig
 objectClass: olcRefintConfig

+ 1 - 1
image/service/slapd/assets/config/bootstrap/ldif/05-index.ldif

@@ -1,5 +1,5 @@
 # Add indexes
-dn: olcDatabase={1}mdb,cn=config
+dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
 changetype:  modify
 replace: olcDbIndex
 olcDbIndex: uid eq

+ 1 - 1
image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif

@@ -1,4 +1,4 @@
-dn: olcDatabase={1}mdb,cn=config
+dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
 changetype: modify
 delete: olcAccess
 -

+ 4 - 4
image/service/slapd/assets/config/replication/replication-disable.ldif

@@ -1,12 +1,12 @@
-# Delete sync replication on mdb
-dn: olcDatabase={1}mdb,cn=config
+# Delete sync replication on backend
+dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
 changetype: modify
 delete: olcSyncRepl
 -
 delete: olcMirrorMode
 
-# Delete syncprov on mdb
-dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
+# Delete syncprov on backend
+dn: olcOverlay=syncprov,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
 changetype: delete
 
 # Delete sync replication on config

+ 5 - 5
image/service/slapd/assets/config/replication/replication-enable.ldif

@@ -26,18 +26,18 @@ add: olcSyncRepl
 add: olcMirrorMode
 olcMirrorMode: TRUE
 
-# Add syncprov on mdb
-dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
+# Add syncprov on backend
+dn: olcOverlay=syncprov,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
 changetype: add
 objectClass: olcOverlayConfig
 objectClass: olcSyncProvConfig
 olcOverlay: syncprov
 
-# Add sync replication on mdb
-dn: olcDatabase={1}mdb,cn=config
+# Add sync replication on backend
+dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
 changetype: modify
 add: olcSyncRepl
-{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}
+{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}
 -
 add: olcMirrorMode
 olcMirrorMode: TRUE

+ 4 - 4
image/service/slapd/startup.sh

@@ -66,7 +66,7 @@ if [ ! -e "$FIRST_START_DONE" ]; then
     log-helper info "Database and config directory are empty..."
     log-helper info "Init new ldap server..."
 
-    # Use mdb : http://www.openldap.org/doc/admin24/backends.html
+
     cat <<EOF | debconf-set-selections
 slapd slapd/internal/generated_adminpw password ${LDAP_ADMIN_PASSWORD}
 slapd slapd/internal/adminpw password ${LDAP_ADMIN_PASSWORD}
@@ -75,7 +75,7 @@ slapd slapd/password1 password ${LDAP_ADMIN_PASSWORD}
 slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
 slapd slapd/domain string ${LDAP_DOMAIN}
 slapd shared/organization string ${LDAP_ORGANISATION}
-slapd slapd/backend string MDB
+slapd slapd/backend string ${LDAP_BACKEND^^}
 slapd slapd/purge_database boolean true
 slapd slapd/move_old_database boolean true
 slapd slapd/allow_ldap_v2 boolean false
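Review bot: `${LDAP_BACKEND^^}` goes straight from the environment into the debconf-set-selections here-document without being checked against the backends slapd actually supports, and the same raw value is spliced into `olcDatabase={1}…` DNs in the LDIF templates elsewhere in this commit. A typo or unsupported value therefore produces a failed or inconsistent install rather than a clear error, and because the here-document is unquoted, a value containing a newline would be read by debconf-set-selections as extra selection lines (a misconfiguration hazard more than an attack surface, since the environment is operator-controlled). Guard it once before the here-document, e.g. `case "${LDAP_BACKEND,,}" in hdb|mdb) ;; *) echo "unsupported LDAP_BACKEND: ${LDAP_BACKEND}" >&2; exit 1 ;; esac`, which also keeps the value consistent with the two backends the README now documents. The enclosing `if [ ! -e "$FIRST_START_DONE" ]` block starts before this hunk and continues after it.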
@@ -292,7 +292,7 @@ EOF
     do
       sed -i "s|{{ LDAP_REPLICATION_HOSTS }}|olcServerID: $i ${!host}\n{{ LDAP_REPLICATION_HOSTS }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
       sed -i "s|{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|olcSyncRepl: rid=00$i provider=${!host} ${LDAP_REPLICATION_CONFIG_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
-      sed -i "s|{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}|olcSyncRepl: rid=10$i provider=${!host} ${LDAP_REPLICATION_HDB_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
+      sed -i "s|{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}|olcSyncRepl: rid=10$i provider=${!host} ${LDAP_REPLICATION_DB_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
 
       ((i++))
     done
@@ -304,7 +304,7 @@ EOF
 
     sed -i "/{{ LDAP_REPLICATION_HOSTS }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
     sed -i "/{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
-    sed -i "/{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
+    sed -i "/{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
 
     ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif 2>&1 | log-helper debug || true