|
|
@@ -124,9 +124,16 @@ EOF
|
|
|
fi
|
|
|
|
|
|
# if the config was bootstraped with TLS
|
|
|
- # to avoid error (#6) we hard delete TLS config
|
|
|
+ # to avoid error (#6) (#36) and (#44)
|
|
|
+ # we create fake temporary certificates if they do not exists
|
|
|
if [ -e "$WAS_STARTED_WITH_TLS" ]; then
|
|
|
- sed -i '/olcTLS/d' /etc/ldap/slapd.d/cn\=config.ldif
|
|
|
+ source $WAS_STARTED_WITH_TLS
|
|
|
+
|
|
|
+ cfssl-helper $LDAP_CFSSL_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH
|
|
|
+ [ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
|
|
|
+
|
|
|
+ chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}
|
|
|
+ chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH
|
|
|
fi
|
|
|
|
|
|
# start OpenLDAP
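Review bot: The line `[ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048` tests the previous DH-parameter path but writes the new parameters to the current one, so whenever the path changed between starts the following `chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}` and the `chown` act on a file that was never created; the test and the `-out` target should both be `"${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}"`. The expansions on the `source`, `cfssl-helper`, `chmod` and `chown` lines are unquoted even though their values are read back from a file at runtime, so a path containing whitespace is split into several arguments — quote each of them. `source $WAS_STARTED_WITH_TLS` executes whatever that state file contains, and the second hunk writes it with plain `echo` of environment values, so the safety of this line depends on those values being shell-quoted when they are written. A short comment above the `cfssl-helper` call saying that this material only exists to let slapd load the stored TLS configuration (and is presumably replaced by the regular certificate handling further down — confirm) would explain why fake certificates are acceptable here.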
|
|
|
@@ -247,7 +254,12 @@ EOF
|
|
|
sed -i "s|{{ LDAP_TLS_VERIFY_CLIENT }}|${LDAP_TLS_VERIFY_CLIENT}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
|
|
|
ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif 2>&1 | log-helper debug
|
|
|
- touch $WAS_STARTED_WITH_TLS
|
|
|
+
|
|
|
+ [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
|
|
|
+ echo "export PREVIOUS_LDAP_TLS_CA_CRT_PATH=${LDAP_TLS_CA_CRT_PATH}" > $WAS_STARTED_WITH_TLS
|
|
|
+ echo "export PREVIOUS_LDAP_TLS_CRT_PATH=${LDAP_TLS_CRT_PATH}" >> $WAS_STARTED_WITH_TLS
|
|
|
+ echo "export PREVIOUS_LDAP_TLS_KEY_PATH=${LDAP_TLS_KEY_PATH}" >> $WAS_STARTED_WITH_TLS
|
|
|
+ echo "export PREVIOUS_LDAP_TLS_DH_PARAM_PATH=${LDAP_TLS_DH_PARAM_PATH}" >> $WAS_STARTED_WITH_TLS
|
|
|
|
|
|
# ldap client config
|
|
|
sed -i --follow-symlinks "s,TLS_CACERT.*,TLS_CACERT ${LDAP_TLS_CA_CRT_PATH},g" /etc/ldap/ldap.conf
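Review bot: The four `echo "export PREVIOUS_…=${…}" >> $WAS_STARTED_WITH_TLS` lines write the raw path values into a file that the startup path in the first hunk later executes with `source`, so a value containing whitespace, quotes or `$(…)` either breaks the assignment or is evaluated as shell at the next start. Writing each value with `printf '%q'` shell-quotes it so `source` reads back exactly the path that was set; the script already uses `[[`, so the bash-only `%q` is available. The `[[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"` line is redundant because `>` on the first write already truncates the file, and a single redirected group replaces both the removal and the four appends. `$WAS_STARTED_WITH_TLS` is quoted on the test line but not on the redirections — keep it quoted throughout.
```shell
# … unchanged: ldapmodify of tls-enable.ldif …
{
  printf 'export PREVIOUS_LDAP_TLS_CA_CRT_PATH=%q\n' "$LDAP_TLS_CA_CRT_PATH"
  printf 'export PREVIOUS_LDAP_TLS_CRT_PATH=%q\n' "$LDAP_TLS_CRT_PATH"
  printf 'export PREVIOUS_LDAP_TLS_KEY_PATH=%q\n' "$LDAP_TLS_KEY_PATH"
  printf 'export PREVIOUS_LDAP_TLS_DH_PARAM_PATH=%q\n' "$LDAP_TLS_DH_PARAM_PATH"
} > "$WAS_STARTED_WITH_TLS"
# … unchanged: ldap client config …
```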
|