
Merge branch 'release-0.2.0' into stable

Bertrand Gouny 11 лет назад
Родитель
Сommit
88ecf48cb8
4 измененных файлов с 87 добавлено и 23 удалено
  1. 25 16
      Dockerfile
  2. 17 0
      config/auto/tls.ldif
  3. 4 0
      config/logging.ldif
  4. 41 7
      slapd.sh

+ 25 - 16
Dockerfile

@@ -1,7 +1,16 @@
-FROM phusion/baseimage:0.9.8
-MAINTAINER Nick Stenning <[email protected]>
+FROM osixia-baseimage
+MAINTAINER Bertrand Gouny <[email protected]>
 
-ENV HOME /root
+# From Nick Stenning's work
+# https://github.com/nickstenning/docker-slapd
+
+# Default configuration: can be overridden at the docker command line
+ENV LDAP_ADMIN_PWD toor
+ENV LDAP_ORGANISATION Example Inc.
+ENV LDAP_DOMAIN example.com
+
+# /!\ To store the data outside the container, mount /var/lib/ldap as a data volume
+# add -v /some/host/directory:/var/lib/ldap to the run command
 
 # Disable SSH
 RUN rm -rf /etc/service/sshd /etc/my_init.d/00_regen_ssh_host_keys.sh
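Review bot: `FROM osixia-baseimage` carries no tag or digest, so the build is not reproducible and silently takes whatever that name resolves to at build time; pin it, e.g. `FROM osixia-baseimage:<version>` (placeholder for the intended release). `ENV LDAP_ADMIN_PWD toor` bakes a well-known default admin password into the image configuration, where it is readable with `docker inspect`/`docker history`, and slapd.sh bootstraps the directory with it whenever an operator forgets `-e LDAP_ADMIN_PWD=…`; consider leaving it unset here and having slapd.sh refuse to bootstrap on an empty value, e.g. `[ -n "$LDAP_ADMIN_PWD" ] || { status "LDAP_ADMIN_PWD must be set"; exit 1; }`. The `ENV key value` form used for all three variables is the legacy format — `ENV LDAP_DOMAIN=example.com` is the current syntax — and in the second hunk `MAINTAINER` is deprecated in favour of `LABEL` while `ADD config …` and `ADD slapd.sh …` copy plain local files and are better written as `COPY`.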
@@ -9,25 +18,25 @@ RUN rm -rf /etc/service/sshd /etc/my_init.d/00_regen_ssh_host_keys.sh
 # Use baseimage-docker's init system.
 CMD ["/sbin/my_init"]
 
-# Configure apt
-RUN echo 'deb http://us.archive.ubuntu.com/ubuntu/ precise universe' >> /etc/apt/sources.list
+# Resynchronize the package index files from their sources
 RUN apt-get -y update
 
-# Install slapd
-RUN LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y slapd
-
-# Default configuration: can be overridden at the docker command line
-ENV LDAP_ROOTPASS toor
-ENV LDAP_ORGANISATION Acme Widgets Inc.
-ENV LDAP_DOMAIN example.com
+# Install openldap (slapd) and ldap-utils
+RUN LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y slapd ldap-utils openssl
 
+# Expose ldap default port
 EXPOSE 389
 
+# Create TSL certificats directory
+RUN mkdir /etc/ldap/ssl
+
+# Add config directory 
+RUN mkdir /etc/ldap/config
+ADD config /etc/ldap/config
+
+# Add slapd deamon
 RUN mkdir /etc/service/slapd
 ADD slapd.sh /etc/service/slapd/run
 
-# To store the data outside the container, mount /var/lib/ldap as a data volume
-
+# Clear out the local repository of retrieved package files
 RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
-# vim:ts=8:noet:

+ 17 - 0
config/auto/tls.ldif

@@ -0,0 +1,17 @@
+dn: cn=config
+changetype: modify
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/ssl/ca.crt
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/ssl/ldap.crt
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key
+-
+replace: olcTLSDHParamFile
+olcTLSDHParamFile: /etc/ldap/ssl/dhparam.pem
+-
+replace: olcTLSVerifyClient
+olcTLSVerifyClient: never
+

+ 4 - 0
config/logging.ldif

@@ -0,0 +1,4 @@
+dn: cn=config
+changetype: modify
+replace: olcLogLevel
+olcLogLevel: stats

+ 41 - 7
slapd.sh

@@ -7,18 +7,19 @@ status () {
 }
 
 set -x
-: LDAP_ROOTPASS=${LDAP_ROOTPASS}
+: LDAP_ADMIN_PWD=${LDAP_ADMIN_PWD}
 : LDAP_DOMAIN=${LDAP_DOMAIN}
 : LDAP_ORGANISATION=${LDAP_ORGANISATION}
 
+############ Base config ############
 if [ ! -e /var/lib/ldap/docker_bootstrapped ]; then
   status "configuring slapd for first run"
 
   cat <<EOF | debconf-set-selections
-slapd slapd/internal/generated_adminpw password ${LDAP_ROOTPASS}
-slapd slapd/internal/adminpw password ${LDAP_ROOTPASS}
-slapd slapd/password2 password ${LDAP_ROOTPASS}
-slapd slapd/password1 password ${LDAP_ROOTPASS}
+slapd slapd/internal/generated_adminpw password ${LDAP_ADMIN_PWD}
+slapd slapd/internal/adminpw password ${LDAP_ADMIN_PWD}
+slapd slapd/password2 password ${LDAP_ADMIN_PWD}
+slapd slapd/password1 password ${LDAP_ADMIN_PWD}
 slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
 slapd slapd/domain string ${LDAP_DOMAIN}
 slapd shared/organization string ${LDAP_ORGANISATION}
@@ -33,10 +34,43 @@ EOF
   dpkg-reconfigure -f noninteractive slapd
 
   touch /var/lib/ldap/docker_bootstrapped
+
 else
   status "found already-configured slapd"
 fi
 
-status "starting slapd"
+############ Dynamic config ############
+slapd -h "ldap:/// ldapi:///" -u openldap -g openldap
+chown -R openldap:openldap /etc/ldap
+
+# TLS
+if [ -e /etc/ldap/ssl/ldap.crt ] && [ -e /etc/ldap/ssl/ldap.key ] && [ -e /etc/ldap/ssl/ca.crt ]; then
+  status "certificates found"
+
+  chmod 600 /etc/ldap/ssl/ldap.key
+
+  # create DHParamFile if not found
+  [ -f /etc/ldap/ssl/dhparam.pem ] || openssl dhparam -out /etc/ldap/ssl/dhparam.pem 2048
+
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/auto/tls_add.ldif 
+
+  # add fake dnsmasq route to certificate cn
+  cn=$(openssl x509 -in /etc/ldap/ssl/ldap.crt -subject -noout | sed -n 's/.*CN=\(.*\).\^*/\1/p')
+  echo "127.0.0.1	" $cn >> /etc/dhosts
+
+fi
+
+# Replication
+# todo
+
+# Other config files
+for f in $(find /etc/ldap/config -maxdepth 1 -name \*.ldif -type f); do
+  status "Processing file ${f}"
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f $f
+done
+
+pkill slapd
+
+status "starting slapd on default port 389"
 set -x
-exec /usr/sbin/slapd -h "ldap:///" -u openldap -g openldap -d 0
+exec /usr/sbin/slapd -h "ldap:///" -u openldap -g openldap -d -1
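Review bot: The TLS step `ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/auto/tls_add.ldif` names a file this commit does not add — the new file is `config/auto/tls.ldif` — so unless a `tls_add.ldif` already exists in the repository the call fails, and because the script never sets `set -e` the error is swallowed and slapd comes up without TLS; change it to `-f /etc/ldap/config/auto/tls.ldif`. The final `exec … -d -1` turns on every slapd debug category on the container's stdout, far beyond the `olcLogLevel: stats` that the new logging.ldif configures, and to my recollection that level includes BER/packet dumps that expose bind request contents in the log; `-d 0` as before, with `olcLogLevel` governing verbosity, is the safer default. `pkill slapd` is not followed by a wait, so the `exec` can race the terminating instance for port 389; a guard such as `while pgrep -x slapd >/dev/null; do sleep 1; done` before the `exec` avoids that. Related to the same credential, the first hunk's `: LDAP_ADMIN_PWD=${LDAP_ADMIN_PWD}` under `set -x` echoes the admin password into the container log on every start. The first lines of this hunk (`dpkg-reconfigure` through `fi`) belong to the bootstrap `if` that begins in the previous hunk.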