Home Explore Help
Register Sign In
Apq
/
docker-openldap
mirror of https://github.com/osixia/docker-openldap.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

add TLS by default

Bertrand Gouny 11 years ago
parent
9a3d247903
commit
79387d1f4e
7 changed files with 36 additions and 9 deletions
Split View Show Diff Stats
  1. 1 0
      Dockerfile
  2. 3 2
      service/mmc-agent/mmc-agent.sh
  3. 3 0
      service/slapd/assets/config/modify/auto/tls.ldif
  4. 25 7
      service/slapd/slapd.sh
  5. 2 0
      test/db.sh
  6. 1 0
      test/simple.sh
  7. 1 0
      test/tls.sh

+ 1 - 0
Dockerfile
View File 

@@ -5,6 +5,7 @@ MAINTAINER Bertrand Gouny <[email protected]>
 
 # https://github.com/nickstenning/docker-slapd
 
 
 # Default configuration: can be overridden at the docker command line
 
+ENV DOMAIN_NAME ldap.example.com
 
 ENV LDAP_DOMAIN example.com
 
 ENV LDAP_ADMIN_PWD toor
 
 ENV LDAP_ORGANISATION Example Inc.

+ 3 - 2
service/mmc-agent/mmc-agent.sh
View File 

@@ -37,6 +37,7 @@ if [ "$WITH_MMC_AGENT" = true ]; then
 
         done
 
       }
 
 
+      DOMAIN_NAME=${DOMAIN_NAME}
 
       WITH_MMC_AGENT=${WITH_MMC_AGENT}
 
       LDAP_DOMAIN=${LDAP_DOMAIN}
 
       LDAP_ADMIN_PWD=${LDAP_ADMIN_PWD}
 
@@ -44,13 +45,13 @@ if [ "$WITH_MMC_AGENT" = true ]; then
 
       MMC_AGENT_PASSWORD=${MMC_AGENT_PASSWORD}
 
 
       # mmc-agent config
 
-      sed -i -e "s/127.0.0.1/0.0.0.0/" /etc/mmc/agent/config.ini
 
+      sed -i -e "s/127.0.0.1/172.17.0.0/" /etc/mmc/agent/config.ini #listen on docker default network
 
       sed -i -e "s/login = mmc/login = $MMC_AGENT_LOGIN/" /etc/mmc/agent/config.ini
 
       sed -i -e "s/password = s3cr3t/password = $MMC_AGENT_PASSWORD/" /etc/mmc/agent/config.ini
 
 
       # generate ssl certificate
 
       rm /etc/mmc/agent/keys/cacert.pem /etc/mmc/agent/keys/localcert.pem
 
-      /sbin/create-ssl-cert $LDAP_DOMAIN /etc/mmc/agent/keys/cacert.pem /etc/mmc/agent/keys/localcert.pem
 
+      /sbin/create-ssl-cert $DOMAIN_NAME /etc/mmc/agent/keys/cacert.pem /etc/mmc/agent/keys/localcert.pem
 
 
       # Get base dn from ldap domain
 
       getBaseDn ${LDAP_DOMAIN}

+ 3 - 0
service/slapd/assets/config/modify/auto/tls.ldif
View File 

@@ -1,5 +1,8 @@
 
 dn: cn=config
 
 changetype: modify
 
+add: olcTLSCipherSuite
 
+olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
 
+-
 
 replace: olcTLSCACertificateFile
 
 olcTLSCACertificateFile: /etc/ldap/ssl/ca.crt
 
 -

+ 25 - 7
service/slapd/slapd.sh
View File 

@@ -11,6 +11,7 @@ set -x
 
 : LDAP_ADMIN_PWD=${LDAP_ADMIN_PWD}
 
 : LDAP_DOMAIN=${LDAP_DOMAIN}
 
 : LDAP_ORGANISATION=${LDAP_ORGANISATION}
 
+: DOMAIN_NAME=${DOMAIN_NAME}
 
 
 
 ############ Base config ############
 
@@ -35,6 +36,10 @@ EOF
 
 
   dpkg-reconfigure -f noninteractive slapd
 
 
+  # Enable access only from docker default network and localhost
 
+  echo "slapd: 172.17.0.0/255.255.0.0 127.0.0.1 : ALLOW" >> /etc/hosts.allow
 
+  echo "slapd: ALL : DENY" >> /etc/hosts.allow
 
+
 
   touch /var/lib/ldap/docker_bootstrapped
 
 
 else
 
@@ -69,18 +74,31 @@ if [ ! -e /etc/ldap/slapd.d/docker_bootstrapped ]; then
 
     status "certificates found"
 
 
     chmod 600 /etc/ldap/ssl/ldap.key
 
+  else
 
 
-    # create DHParamFile if not found
 
-    [ -f /etc/ldap/ssl/dhparam.pem ] || openssl dhparam -out /etc/ldap/ssl/dhparam.pem 2048
 
-
 
-    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/modify/auto/tls.ldif -Q 
+    #generate default tls certificates / set domain name
 
+    DOMAIN_ESC=`echo $DOMAIN_NAME | sed 's/\./_/g'`
 
+    DOMAIN_ESC_UPPER=`echo $DOMAIN_ESC | tr '[a-z]' '[A-Z]'`
 
+    export SSL_${DOMAIN_ESC_UPPER}_COMMON_NAME=${DOMAIN_NAME}
 
+    export SSL_${DOMAIN_ESC_UPPER}_ORGANIZATION="${LDAP_ORGANISATION}"
 
 
-    # add fake dnsmasq route to certificate cn
 
-    cn=$(openssl x509 -in /etc/ldap/ssl/ldap.crt -subject -noout | sed -n 's/.*CN=\(.*\)\/*\(.*\)/\1/p')
 
-    echo "127.0.0.1	" $cn >> /etc/dhosts
 
+    /sbin/create-ssl-cert $DOMAIN_NAME /etc/ldap/ssl/ldap.crt /etc/ldap/ssl/ldap.key
 
+    cp /etc/ldap/ssl/ldap.crt /etc/ldap/ssl/ca.crt
 
 
   fi
 
 
+  # Fix permission on certificates
 
+  chown openldap:openldap -R /etc/ldap/ssl
 
+
 
+  # create DHParamFile if not found
 
+  [ -f /etc/ldap/ssl/dhparam.pem ] || openssl dhparam -out /etc/ldap/ssl/dhparam.pem 2048
 
+
 
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/modify/auto/tls.ldif -Q 
+
 
+  # add fake dnsmasq route to certificate cn
 
+  cn=$(openssl x509 -in /etc/ldap/ssl/ldap.crt -subject -noout | sed -n 's/.*CN=\(.*\)\/*\(.*\)/\1/p')
 
+  echo "127.0.0.1	" $cn >> /etc/dhosts
 
+
 
   # Replication
 
   # todo :)

+ 2 - 0
test/db.sh
View File 

@@ -12,10 +12,12 @@ mkdir $testDir/config
 
 
 runOptions="-e LDAP_DOMAIN=otherdomain.com -v $testDir/db:/var/lib/ldap -v $testDir/config:/etc/ldap/slapd.d"
 
 . $dir/tools/run-container.sh
 
+sleep 30
 
 $dir/tools/delete-container.sh
 
 
 runOptions="-v $testDir/db:/var/lib/ldap -v $testDir/config:/etc/ldap/slapd.d"
 
 . $dir/tools/run-container.sh
 
+sleep 30
 
 echo "ldapsearch -x -h $IP -b dc=otherdomain,dc=com"
 
 ldapsearch -x -h $IP -b dc=otherdomain,dc=com

+ 1 - 0
test/simple.sh
View File 

@@ -4,6 +4,7 @@ dir=$(dirname $0)
 
 . $dir/tools/run-container.sh
 
 
 echo "ldapsearch -x -h $IP -b dc=example,dc=com"
 
+sleep 30
 
 ldapsearch -x -h $IP -b dc=example,dc=com
 
 
 $dir/tools/delete-container.sh

+ 1 - 0
test/tls.sh
View File 

@@ -4,6 +4,7 @@ dir=$(dirname $0)
 
 . $dir/tls/run.sh
 
 
 echo "ldapsearch -x -h $certCN -b dc=example,dc=com -ZZ"
 
+sleep 30
 
 ldapsearch -x -h $certCN -b dc=example,dc=com -ZZ
 
 
 . $dir/tls/end.sh