пре 9 година · 72e6d9fc32
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,12 @@ Merge pull request :
 
				 
			
 
				 Update to light-baseimage:0.2.4
			
 
				 
			
 
				+Release Note:
			
 
				+  In this version the new environment variable LDAP_BACKEND let you set the the backend used by your ldap database.
			
 
				+  By default it's hdb. In comming versions 1.2.x the default will be changed to mdb.
			
 
				+
			
 
				+  Environment variable LDAP_REPLICATION_HDB_SYNCPROV changed to LDAP_REPLICATION_DB_SYNCPROV
			
 
				+
			
 
				 ## 1.1.2
			
 
				 Merge pull request :
			
 
				   - Honor LDAP_LOG_LEVEL on startup #39
			
--- a/README.md
+++ b/README.md
@@ -240,6 +240,11 @@ Required and used for new ldap server only:
 
				 - **LDAP_READONLY_USER_USERNAME** Read only user username. Defaults to `readonly`
			
 
				 - **LDAP_READONLY_USER_PASSWORD** Read only user password. Defaults to `readonly`
			
 
				 
			
 
				+Backend:
			
 
				+- **LDAP_BACKEND**: Ldap backend. Defaults to `hdb` (In comming versions v1.2.x default will be mdb)
			
 
				+
			
 
				+	Help: http://www.openldap.org/doc/admin24/backends.html
			
 
				+
			
 
				 TLS options:
			
 
				 - **LDAP_TLS**: Add openldap TLS capabilities. Defaults to `true`
			
 
				 - **LDAP_TLS_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
			
@@ -257,7 +262,7 @@ Replication options:
 
				 
			
 
				 - **LDAP_REPLICATION_CONFIG_SYNCPROV**: olcSyncRepl options used for the config database. Without **rid** and **provider** which are automatically added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical`
			
 
				 
			
 
				-- **LDAP_REPLICATION_HDB_SYNCPROV**: olcSyncRepl options used for the HDB database. Without **rid** and **provider** which are automatically added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical`
			
 
				+- **LDAP_REPLICATION_DB_SYNCPROV**: olcSyncRepl options used for the database. Without **rid** and **provider** which are automatically added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical`
			
 
				 
			
 
				 - **LDAP_REPLICATION_HOSTS**: list of replication hosts, must contain the current container hostname set by --hostname on docker run command. Defaults to :
			
 
				 	```yaml
			
--- a/example/extend-osixia-openldap/environment/my-env.yaml.startup
+++ b/example/extend-osixia-openldap/environment/my-env.yaml.startup
@@ -33,10 +33,10 @@ LDAP_REPLICATION: false
 
				 # are automaticaly replaced at run time
			
 
				 
			
 
				 # if you want to add replication to an existing ldap
			
 
				-# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_HDB_SYNCPROV to your configuration
			
 
				+# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration
			
 
				 # avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
			
 
				 LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
			
 
				-LDAP_REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
			
 
				+LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
			
 
				 LDAP_REPLICATION_HOSTS:
			
 
				   - ldap://ldap.example.org # The order must be the same on all ldap servers
			
 
				   - ldap://ldap2.example.org
			
--- a/example/kubernetes/simple/ldap-rc.yaml
+++ b/example/kubernetes/simple/ldap-rc.yaml
@@ -63,7 +63,7 @@ spec:
 
				               value: "false"
			
 
				             - name: LDAP_REPLICATION_CONFIG_SYNCPROV
			
 
				               value: "binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"60 +\" timeout=1 starttls=critical"
			
 
				-            - name: LDAP_REPLICATION_HDB_SYNCPROV
			
 
				+            - name: LDAP_REPLICATION_DB_SYNCPROV
			
 
				               value: "binddn=\"cn=admin,$LDAP_BASE_DN\" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase=\"$LDAP_BASE_DN\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 starttls=critical"
			
 
				             - name: LDAP_REPLICATION_HOSTS
			
 
				               value: "#PYTHON2BASH:['ldap://ldap-one-service', 'ldap://ldap-two-service']"
			
--- a/example/kubernetes/using-secrets/environment/my-env.yaml.startup
+++ b/example/kubernetes/using-secrets/environment/my-env.yaml.startup
@@ -33,10 +33,10 @@ LDAP_REPLICATION: false
 
				 # are automaticaly replaced at run time
			
 
				 
			
 
				 # if you want to add replication to an existing ldap
			
 
				-# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_HDB_SYNCPROV to your configuration
			
 
				+# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration
			
 
				 # avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
			
 
				 LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
			
 
				-LDAP_REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
			
 
				+LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
			
 
				 LDAP_REPLICATION_HOSTS:
			
 
				   - ldap://ldap.example.org # The order must be the same on all ldap servers
			
 
				   - ldap://ldap2.example.org
			
--- a/image/environment/default.yaml.startup
+++ b/image/environment/default.yaml.startup
@@ -18,6 +18,9 @@ LDAP_READONLY_USER: false
 
				 LDAP_READONLY_USER_USERNAME: readonly
			
 
				 LDAP_READONLY_USER_PASSWORD: readonly
			
 
				 
			
 
				+# Backend
			
 
				+LDAP_BACKEND: hdb
			
 
				+
			
 
				 # Tls
			
 
				 LDAP_TLS: true
			
 
				 LDAP_TLS_CRT_FILENAME: ldap.crt
			
@@ -35,10 +38,10 @@ LDAP_REPLICATION: false
 
				 # are automaticaly replaced at run time
			
 
				 
			
 
				 # if you want to add replication to an existing ldap
			
 
				-# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_HDB_SYNCPROV to your configuration
			
 
				+# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration
			
 
				 # avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
			
 
				 LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
			
 
				-LDAP_REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
			
 
				+LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
			
 
				 LDAP_REPLICATION_HOSTS:
			
 
				   - ldap://ldap.example.org # The order must be the same on all ldap servers
			
 
				   - ldap://ldap2.example.org
			
--- a/image/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
+++ b/image/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
@@ -1,4 +1,4 @@
 
				-dn: olcDatabase={1}mdb,cn=config
			
 
				+dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
			
 
				 changetype: modify
			
 
				 delete: olcAccess
			
 
				 -
			
--- a/image/service/slapd/assets/config/bootstrap/ldif/03-memberOf.ldif
+++ b/image/service/slapd/assets/config/bootstrap/ldif/03-memberOf.ldif
@@ -5,7 +5,7 @@ add: olcModuleLoad
 
				 olcModuleLoad: memberof
			
 
				 
			
 
				 # Backend memberOf overlay
			
 
				-dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
			
 
				+dn: olcOverlay={0}memberof,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
			
 
				 changetype: add
			
 
				 objectClass: olcOverlayConfig
			
 
				 objectClass: olcMemberOf
			
--- a/image/service/slapd/assets/config/bootstrap/ldif/04-refint.ldif
+++ b/image/service/slapd/assets/config/bootstrap/ldif/04-refint.ldif
@@ -5,7 +5,7 @@ add: olcModuleLoad
 
				 olcModuleLoad: refint
			
 
				 
			
 
				 # Backend refint overlay
			
 
				-dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
			
 
				+dn: olcOverlay={1}refint,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
			
 
				 changetype: add
			
 
				 objectClass: olcOverlayConfig
			
 
				 objectClass: olcRefintConfig
			
--- a/image/service/slapd/assets/config/bootstrap/ldif/05-index.ldif
+++ b/image/service/slapd/assets/config/bootstrap/ldif/05-index.ldif
@@ -1,5 +1,5 @@
 
				 # Add indexes
			
 
				-dn: olcDatabase={1}mdb,cn=config
			
 
				+dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
			
 
				 changetype:  modify
			
 
				 replace: olcDbIndex
			
 
				 olcDbIndex: uid eq
			
--- a/image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
+++ b/image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
@@ -1,4 +1,4 @@
 
				-dn: olcDatabase={1}mdb,cn=config
			
 
				+dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
			
 
				 changetype: modify
			
 
				 delete: olcAccess
			
 
				 -
			
--- a/image/service/slapd/assets/config/replication/replication-disable.ldif
+++ b/image/service/slapd/assets/config/replication/replication-disable.ldif
@@ -1,12 +1,12 @@
 
				-# Delete sync replication on mdb
			
 
				-dn: olcDatabase={1}mdb,cn=config
			
 
				+# Delete sync replication on backend
			
 
				+dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
			
 
				 changetype: modify
			
 
				 delete: olcSyncRepl
			
 
				 -
			
 
				 delete: olcMirrorMode
			
 
				 
			
 
				-# Delete syncprov on mdb
			
 
				-dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
			
 
				+# Delete syncprov on backend
			
 
				+dn: olcOverlay=syncprov,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
			
 
				 changetype: delete
			
 
				 
			
 
				 # Delete sync replication on config
			
--- a/image/service/slapd/assets/config/replication/replication-enable.ldif
+++ b/image/service/slapd/assets/config/replication/replication-enable.ldif
@@ -26,18 +26,18 @@ add: olcSyncRepl
 
				 add: olcMirrorMode
			
 
				 olcMirrorMode: TRUE
			
 
				 
			
 
				-# Add syncprov on mdb
			
 
				-dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
			
 
				+# Add syncprov on backend
			
 
				+dn: olcOverlay=syncprov,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
			
 
				 changetype: add
			
 
				 objectClass: olcOverlayConfig
			
 
				 objectClass: olcSyncProvConfig
			
 
				 olcOverlay: syncprov
			
 
				 
			
 
				-# Add sync replication on mdb
			
 
				-dn: olcDatabase={1}mdb,cn=config
			
 
				+# Add sync replication on backend
			
 
				+dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
			
 
				 changetype: modify
			
 
				 add: olcSyncRepl
			
 
				-{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}
			
 
				+{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}
			
 
				 -
			
 
				 add: olcMirrorMode
			
 
				 olcMirrorMode: TRUE
			
--- a/image/service/slapd/startup.sh
+++ b/image/service/slapd/startup.sh
@@ -66,7 +66,7 @@ if [ ! -e "$FIRST_START_DONE" ]; then
 
				     log-helper info "Database and config directory are empty..."
			
 
				     log-helper info "Init new ldap server..."
			
 
				 
			
 
				-    # Use mdb : http://www.openldap.org/doc/admin24/backends.html
			
 
				+
			
 
				     cat <<EOF | debconf-set-selections
			
 
				 slapd slapd/internal/generated_adminpw password ${LDAP_ADMIN_PASSWORD}
			
 
				 slapd slapd/internal/adminpw password ${LDAP_ADMIN_PASSWORD}
			
@@ -75,7 +75,7 @@ slapd slapd/password1 password ${LDAP_ADMIN_PASSWORD}
 
				 slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
			
 
				 slapd slapd/domain string ${LDAP_DOMAIN}
			
 
				 slapd shared/organization string ${LDAP_ORGANISATION}
			
 
				-slapd slapd/backend string MDB
			
 
				+slapd slapd/backend string ${LDAP_BACKEND^^}
			
 
				 slapd slapd/purge_database boolean true
			
 
				 slapd slapd/move_old_database boolean true
			
 
				 slapd slapd/allow_ldap_v2 boolean false
			
@@ -292,7 +292,7 @@ EOF
 
				     do
			
 
				       sed -i "s|{{ LDAP_REPLICATION_HOSTS }}|olcServerID: $i ${!host}\n{{ LDAP_REPLICATION_HOSTS }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
			
 
				       sed -i "s|{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|olcSyncRepl: rid=00$i provider=${!host} ${LDAP_REPLICATION_CONFIG_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
			
 
				-      sed -i "s|{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}|olcSyncRepl: rid=10$i provider=${!host} ${LDAP_REPLICATION_HDB_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
			
 
				+      sed -i "s|{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}|olcSyncRepl: rid=10$i provider=${!host} ${LDAP_REPLICATION_DB_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
			
 
				 
			
 
				       ((i++))
			
 
				     done
			
@@ -304,7 +304,7 @@ EOF
 
				 
			
 
				     sed -i "/{{ LDAP_REPLICATION_HOSTS }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
			
 
				     sed -i "/{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
			
 
				-    sed -i "/{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
			
 
				+    sed -i "/{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
			
 
				 
			
 
				     ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif 2>&1 | log-helper debug || true