Bertrand Gouny 11 жил өмнө
parent
commit
79387d1f4e

+ 1 - 0
Dockerfile

@@ -5,6 +5,7 @@ MAINTAINER Bertrand Gouny <[email protected]>
 # https://github.com/nickstenning/docker-slapd
 
 # Default configuration: can be overridden at the docker command line
+ENV DOMAIN_NAME ldap.example.com
 ENV LDAP_DOMAIN example.com
 ENV LDAP_ADMIN_PWD toor
 ENV LDAP_ORGANISATION Example Inc.
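Review bot: The new DOMAIN_NAME default carries no comment saying what it drives, and it is not obvious from this file: in this same commit it becomes the CN passed to create-ssl-cert in both slapd.sh and mmc-agent.sh, so an operator who overrides only LDAP_DOMAIN still gets a certificate issued for ldap.example.com and TLS hostname checks against their real host will fail. Suggest a one-line comment above it: `# FQDN used as CN of the generated TLS certificates; must match the name clients connect to`. Since DOMAIN_NAME and LDAP_DOMAIN are independent, it may also be worth stating that DOMAIN_NAME is not derived from LDAP_DOMAIN.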

+ 3 - 2
service/mmc-agent/mmc-agent.sh

@@ -37,6 +37,7 @@ if [ "$WITH_MMC_AGENT" = true ]; then
         done
       }
 
+      DOMAIN_NAME=${DOMAIN_NAME}
       WITH_MMC_AGENT=${WITH_MMC_AGENT}
       LDAP_DOMAIN=${LDAP_DOMAIN}
       LDAP_ADMIN_PWD=${LDAP_ADMIN_PWD}
@@ -44,13 +45,13 @@ if [ "$WITH_MMC_AGENT" = true ]; then
       MMC_AGENT_PASSWORD=${MMC_AGENT_PASSWORD}
 
       # mmc-agent config
-      sed -i -e "s/127.0.0.1/0.0.0.0/" /etc/mmc/agent/config.ini
+      sed -i -e "s/127.0.0.1/172.17.0.0/" /etc/mmc/agent/config.ini #listen on docker default network
       sed -i -e "s/login = mmc/login = $MMC_AGENT_LOGIN/" /etc/mmc/agent/config.ini
       sed -i -e "s/password = s3cr3t/password = $MMC_AGENT_PASSWORD/" /etc/mmc/agent/config.ini
 
       # generate ssl certificate
       rm /etc/mmc/agent/keys/cacert.pem /etc/mmc/agent/keys/localcert.pem
-      /sbin/create-ssl-cert $LDAP_DOMAIN /etc/mmc/agent/keys/cacert.pem /etc/mmc/agent/keys/localcert.pem
+      /sbin/create-ssl-cert $DOMAIN_NAME /etc/mmc/agent/keys/cacert.pem /etc/mmc/agent/keys/localcert.pem
 
       # Get base dn from ldap domain
       getBaseDn ${LDAP_DOMAIN}
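Review bot: If the `127.0.0.1` value in config.ini is the address mmc-agent binds to (the comment "listen on" suggests so), `172.17.0.0` is the network address of Docker's default bridge, not an address assigned to this container, so the bind is likely to fail with EADDRNOTAVAIL; the container's actual address is only known at runtime. Either keep `0.0.0.0` and restrict reachability with the hosts.allow rules this commit adds, or derive the address when the script runs, e.g. `MMC_HOST=$(hostname -i)` followed by `sed -i -e "s/127\.0\.0\.1/$MMC_HOST/" /etc/mmc/agent/config.ini`. Note also that the dots in the sed pattern are unescaped regex wildcards and the expression is unanchored, so it matches any `127x0x0x1`-shaped text on the line. The surrounding context lines substitute `$MMC_AGENT_PASSWORD` into a sed expression unescaped, so a password containing `/`, `&` or `\` breaks the rewrite; that is pre-existing but worth fixing alongside this change.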

+ 3 - 0
service/slapd/assets/config/modify/auto/tls.ldif

@@ -1,5 +1,8 @@
 dn: cn=config
 changetype: modify
+add: olcTLSCipherSuite
+olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
+-
 replace: olcTLSCACertificateFile
 olcTLSCACertificateFile: /etc/ldap/ssl/ca.crt
 -
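Review bot: The new attribute is added with `add:` while every other attribute in this LDIF uses `replace:`; `add:` fails with "attribute exists" (and aborts the whole modify) if olcTLSCipherSuite is already present in a persisted cn=config, whereas `replace:` is idempotent. Suggest `replace: olcTLSCipherSuite` so the file behaves the same on a first and on a repeated bootstrap. Also, `SECURE256:-VERS-SSL3.0` is GnuTLS priority-string syntax, which is correct for Debian's GnuTLS-linked slapd but is rejected by an OpenSSL-built slapd; a comment such as `# GnuTLS priority string (Debian slapd links GnuTLS); OpenSSL builds use cipher-list syntax` would save the next maintainer a surprise.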

+ 25 - 7
service/slapd/slapd.sh

@@ -11,6 +11,7 @@ set -x
 : LDAP_ADMIN_PWD=${LDAP_ADMIN_PWD}
 : LDAP_DOMAIN=${LDAP_DOMAIN}
 : LDAP_ORGANISATION=${LDAP_ORGANISATION}
+: DOMAIN_NAME=${DOMAIN_NAME}
 
 
 ############ Base config ############
@@ -35,6 +36,10 @@ EOF
 
   dpkg-reconfigure -f noninteractive slapd
 
+  # Enable access only from docker default network and localhost
+  echo "slapd: 172.17.0.0/255.255.0.0 127.0.0.1 : ALLOW" >> /etc/hosts.allow
+  echo "slapd: ALL : DENY" >> /etc/hosts.allow
+
   touch /var/lib/ldap/docker_bootstrapped
 
 else
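Review bot: The hosts.allow rules are appended only inside the first-bootstrap branch that ends with `touch /var/lib/ldap/docker_bootstrapped`, but hosts.allow lives in the container filesystem while that marker lives in the data volume; a new container started on an already-bootstrapped volume (exactly what test/db.sh does) skips this block and runs slapd with no restriction at all. Move the two `echo ... >> /etc/hosts.allow` lines out of the `if`/`else` so they run on every start, and guard them with a `grep -q` so they are not appended twice. Two caveats to document: tcp_wrappers only has an effect if slapd is linked against libwrap, and when the port is published with `-p` the userland docker-proxy delivers remote connections from the bridge gateway address, which matches the `172.17.0.0/255.255.0.0 : ALLOW` rule, so this does not block external clients on its own. The subnet is also only the daemon's default; `--bip` or user-defined networks (172.18+) would be denied.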
@@ -69,18 +74,31 @@ if [ ! -e /etc/ldap/slapd.d/docker_bootstrapped ]; then
     status "certificates found"
 
     chmod 600 /etc/ldap/ssl/ldap.key
+  else
 
-    # create DHParamFile if not found
-    [ -f /etc/ldap/ssl/dhparam.pem ] || openssl dhparam -out /etc/ldap/ssl/dhparam.pem 2048
-
-    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/modify/auto/tls.ldif -Q 
+    #generate default tls certificates / set domain name
+    DOMAIN_ESC=`echo $DOMAIN_NAME | sed 's/\./_/g'`
+    DOMAIN_ESC_UPPER=`echo $DOMAIN_ESC | tr '[a-z]' '[A-Z]'`
+    export SSL_${DOMAIN_ESC_UPPER}_COMMON_NAME=${DOMAIN_NAME}
+    export SSL_${DOMAIN_ESC_UPPER}_ORGANIZATION="${LDAP_ORGANISATION}"
 
-    # add fake dnsmasq route to certificate cn
-    cn=$(openssl x509 -in /etc/ldap/ssl/ldap.crt -subject -noout | sed -n 's/.*CN=\(.*\)\/*\(.*\)/\1/p')
-    echo "127.0.0.1	" $cn >> /etc/dhosts
+    /sbin/create-ssl-cert $DOMAIN_NAME /etc/ldap/ssl/ldap.crt /etc/ldap/ssl/ldap.key
+    cp /etc/ldap/ssl/ldap.crt /etc/ldap/ssl/ca.crt
 
   fi
 
+  # Fix permission on certificates
+  chown openldap:openldap -R /etc/ldap/ssl
+
+  # create DHParamFile if not found
+  [ -f /etc/ldap/ssl/dhparam.pem ] || openssl dhparam -out /etc/ldap/ssl/dhparam.pem 2048
+
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/modify/auto/tls.ldif -Q 
+
+  # add fake dnsmasq route to certificate cn
+  cn=$(openssl x509 -in /etc/ldap/ssl/ldap.crt -subject -noout | sed -n 's/.*CN=\(.*\)\/*\(.*\)/\1/p')
+  echo "127.0.0.1	" $cn >> /etc/dhosts
+
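Review bot: `chmod 600 /etc/ldap/ssl/ldap.key` is applied only in the "certificates found" branch, while the new generated-certificate branch leaves the private key with whatever mode create-ssl-cert and the umask produced; the `chown openldap:openldap -R` that now runs for both branches changes ownership but not mode. Move the chmod next to the chown, `chmod 600 /etc/ldap/ssl/ldap.key`, so both paths end with a key readable only by the service user. Also, `DOMAIN_ESC` only rewrites dots, so a DOMAIN_NAME containing `-` yields an invalid shell variable name and the `export SSL_..._COMMON_NAME` line fails (whether that aborts depends on options set above this hunk). Copying ldap.crt to ca.crt means the self-signed server certificate is presented as its own CA, which is fine for a default but worth a comment: `# self-signed: the server cert doubles as the CA clients must trust`. The enclosing `if [ ! -e /etc/ldap/slapd.d/docker_bootstrapped ]` and the inner certificate `if` both begin before this hunk.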
   # Replication
   # todo :)
 

+ 2 - 0
test/db.sh

@@ -12,10 +12,12 @@ mkdir $testDir/config
 
 runOptions="-e LDAP_DOMAIN=otherdomain.com -v $testDir/db:/var/lib/ldap -v $testDir/config:/etc/ldap/slapd.d"
 . $dir/tools/run-container.sh
+sleep 30
 $dir/tools/delete-container.sh
 
 runOptions="-v $testDir/db:/var/lib/ldap -v $testDir/config:/etc/ldap/slapd.d"
 . $dir/tools/run-container.sh
+sleep 30
 echo "ldapsearch -x -h $IP -b dc=otherdomain,dc=com"
 ldapsearch -x -h $IP -b dc=otherdomain,dc=com
 

+ 1 - 0
test/simple.sh

@@ -4,6 +4,7 @@ dir=$(dirname $0)
 . $dir/tools/run-container.sh
 
 echo "ldapsearch -x -h $IP -b dc=example,dc=com"
+sleep 30
 ldapsearch -x -h $IP -b dc=example,dc=com
 
 $dir/tools/delete-container.sh
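Review bot: A fixed `sleep 30` between the echo and the ldapsearch makes the test both slow and flaky: it fails if slapd (plus the new dhparam generation, which can take well over 30 s on a slow host) is not ready yet, and wastes time when it is ready in two seconds. Poll for readiness with a bounded retry loop instead, and place it before the echo so the printed command matches what runs. The same pattern applies to the sleeps added in test/db.sh and test/tls.sh.
```shell
# wait until slapd answers instead of sleeping a fixed 30 s
for i in $(seq 1 60); do
  ldapsearch -x -h "$IP" -b dc=example,dc=com -s base >/dev/null 2>&1 && break
  sleep 1
done
echo "ldapsearch -x -h $IP -b dc=example,dc=com"
# … unchanged: ldapsearch and delete-container …
```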

+ 1 - 0
test/tls.sh

@@ -4,6 +4,7 @@ dir=$(dirname $0)
 . $dir/tls/run.sh
 
 echo "ldapsearch -x -h $certCN -b dc=example,dc=com -ZZ"
+sleep 30
 ldapsearch -x -h $certCN -b dc=example,dc=com -ZZ
 
 . $dir/tls/end.sh