
Merge branch 'hotfix-1.1.1' into stable

ofreax, 9 years ago
Parent
Current commit
a3aa25dcd8

+ 3 - 0
CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## 1.1.1
+Update to light-baseimage:0.2.2
+
 ## 1.1.0
 Update to light-baseimage:0.2.1 :
   - Use \*.yaml.startup environment files to keep configuration secrets
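Review bot: the 1.1.1 entry only records the light-baseimage bump, but this commit also changes server behaviour: it adds the memberOf backend overlay (03-memberOf.ldif) and a new refint overlay (04-refint.ldif), templates `{{ LDAP_BASE_DN }}` in the bootstrap ldifs, replaces the TLS-file check on restart with a hard delete of the olcTLS config, documents the `--copy-service` argument, and bumps osixia/openldap-backup to 0.1.8 in the Kubernetes examples. The overlay additions in particular alter what existing deployments get on a fresh bootstrap, so list them under 1.1.1.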

+ 1 - 1
Makefile

@@ -1,5 +1,5 @@
 NAME = osixia/openldap
-VERSION = 1.1.0
+VERSION = 1.1.1
 
 .PHONY: all build build-nocache test tag_latest release
 

+ 35 - 19
README.md

@@ -1,6 +1,13 @@
 # osixia/openldap
 
-[![](https://badge.imagelayers.io/osixia/openldap:latest.svg)](https://imagelayers.io/?images=osixia/openldap:latest 'Get your own badge on imagelayers.io') | Latest release: 1.1.0 - OpenLDAP 2.4.40 -  [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/) 
+[![Docker Pulls](https://img.shields.io/docker/pulls/osixia/openldap.svg)][hub]
+[![Docker Stars](https://img.shields.io/docker/stars/osixia/openldap.svg)][hub]
+[![Image Size](https://img.shields.io/imagelayers/image-size/osixia/openldap/latest.svg)](https://imagelayers.io/?images=osixia/openldap:latest)
+[![Image Layers](https://img.shields.io/imagelayers/layers/osixia/openldap/latest.svg)](https://imagelayers.io/?images=osixia/openldap:latest)
+
+[hub]: https://hub.docker.com/r/osixia/openldap/
+
+Latest release: 1.1.1 - OpenLDAP 2.4.40 -  [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/) 
 
 A docker image to run OpenLDAP.
 
@@ -20,6 +27,7 @@ A docker image to run OpenLDAP.
 		- [Use your own certificate](#use-your-own-certificate)
 		- [Disable TLS](#disable-tls)
 	- [Multi master replication](#multi-master-replication)
+	- [Fix docker mounted file problems](#fix-docker-mounted-file-problems)
 	- [Debug](#debug)
 - [Environment Variables](#environment-variables)
 	- [Default.yaml](#defaultyaml)
@@ -29,7 +37,7 @@ A docker image to run OpenLDAP.
 		- [Link environment file](#link-environment-file)
 		- [Make your own image or extend this image](#make-your-own-image-or-extend-this-image)
 - [Advanced User Guide](#advanced-user-guide)
-	- [Extend osixia/openldap:1.1.0 image](#extend-osixiaopenldap110-image)
+	- [Extend osixia/openldap:1.1.1 image](#extend-osixiaopenldap111-image)
 	- [Make your own openldap image](#make-your-own-openldap-image)
 	- [Tests](#tests)
 	- [Kubernetes](#kubernetes)
@@ -47,7 +55,7 @@ If you find this image useful here's how you can help:
 ## Quick Start
 Run OpenLDAP docker image:
 
-	docker run --name my-openldap-container --detach osixia/openldap:1.1.0
+	docker run --name my-openldap-container --detach osixia/openldap:1.1.1
 
 This start a new container with OpenLDAP running inside. Let's make the first search in our LDAP container:
 
@@ -83,7 +91,7 @@ It will create an empty ldap for the company **Example Inc.** and the domain **e
 By default the admin has the password **admin**. All those default settings can be changed at the docker command line, for example:
 
 	docker run --env LDAP_ORGANISATION="My Company" --env LDAP_DOMAIN="my-company.com" \
-	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.1.0
+	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.1.1
 
 #### Data persistence
 
@@ -107,7 +115,7 @@ simply mount this directories as a volume to `/var/lib/ldap` and `/etc/ldap/slap
 
 	docker run --volume /data/slapd/database:/var/lib/ldap \
 	--volume /data/slapd/config:/etc/ldap/slapd.d
-	--detach osixia/openldap:1.1.0
+	--detach osixia/openldap:1.1.1
 
 You can also use data volume containers. Please refer to:
 > [https://docs.docker.com/userguide/dockervolumes/](https://docs.docker.com/userguide/dockervolumes/)
@@ -125,7 +133,7 @@ If you are looking for a simple solution to administrate your ldap server you ca
 #### Use auto-generated certificate
 By default TLS is enable, a certificate is created with the container hostname (it can be set by docker run --hostname option eg: ldap.example.org).
 
-	docker run --hostname ldap.my-company.com --detach osixia/openldap:1.1.0
+	docker run --hostname ldap.my-company.com --detach osixia/openldap:1.1.1
 
 #### Use your own certificate
 
@@ -135,24 +143,24 @@ You can set your custom certificate at run time, by mounting a directory contain
 	--env LDAP_TLS_CRT_FILENAME=my-ldap.crt \
 	--env LDAP_TLS_KEY_FILENAME=my-ldap.key \
 	--env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \
-	--detach osixia/openldap:1.1.0
+	--detach osixia/openldap:1.1.1
 
 Other solutions are available please refer to the [Advanced User Guide](#advanced-user-guide)
 
 #### Disable TLS
 Add --env LDAP_TLS=false to the run command:
 
-	docker run --env LDAP_TLS=false --detach osixia/openldap:1.1.0
+	docker run --env LDAP_TLS=false --detach osixia/openldap:1.1.1
 
 ### Multi master replication
 Quick example, with the default config.
 
 	#Create the first ldap server, save the container id in LDAP_CID and get its IP:
-	LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.1.0)
+	LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.1.1)
 	LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID)
 
 	#Create the second ldap server, save the container id in LDAP2_CID and get its IP:
-	LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.1.0)
+	LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.1.1)
 	LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID)
 
 	#Add the pair "ip hostname" to /etc/hosts on each containers,
@@ -182,6 +190,14 @@ Search on the second ldap server, and billy should show up!
 	objectClass: inetOrgPerson
 	[...]
 
+### Fix docker mounted file problems
+
+You may have some problems with mounted files on some systems. The startup script try to make some file adjustment and fix files owner and permissions, this can result in multiple errors. See [Docker documentation](https://docs.docker.com/v1.4/userguide/dockervolumes/#mount-a-host-file-as-a-data-volume).
+
+To fix that run the container with `--copy-service` argument :
+
+		docker run [your options] osixia/openldap:1.1.1 --copy-service
+
 ### Debug
 
 The container default log level is **info**.
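Review bot: the new `docker run [your options] osixia/openldap:1.1.1 --copy-service` example is indented with two tabs while every other example in this README uses one, so it will render with a stray leading tab inside the code block; use a single tab. The explanatory sentence also reads awkwardly ("The startup script try to make some file adjustment and fix files owner and permissions, this can result in multiple errors"); suggest "The startup script tries to adjust some files and fix their owner and permissions, which can produce multiple errors on some systems." Finally, the link is pinned to the v1.4 Docker docs and will go stale; link the unversioned volumes page instead.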
@@ -189,11 +205,11 @@ Available levels are: `none`, `error`, `warning`, `info`, `debug` and `trace`.
 
 Example command to run the container in `debug` mode:
 
-	docker run --detach osixia/openldap:1.1.0 --loglevel debug
+	docker run --detach osixia/openldap:1.1.1 --loglevel debug
 
 See all command line options:
 
-	docker run osixia/openldap:1.1.0 --help
+	docker run osixia/openldap:1.1.1 --help
 
 
 ## Environment Variables
@@ -251,7 +267,7 @@ Replication options:
 
 	If you want to set this variable at docker run command add the tag `#PYTHON2BASH:` and convert the yaml in python:
 
-		docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.1.0
+		docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.1.1
 
 	To convert yaml to python online: http://yaml-online-parser.appspot.com/
 
@@ -266,7 +282,7 @@ Other environment variables:
 Environment variables can be set by adding the --env argument in the command line, for example:
 
 	docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \
-	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.1.0
+	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.1.1
 
 Be aware that environment variable added in command line will be available at any time
 in the container. In this example if someone manage to open a terminal in this container
@@ -277,14 +293,14 @@ he will be able to read the admin password in clear text from environment variab
 For example if your environment files **my-env.yaml** and **my-env.yaml.startup** are in /data/ldap/environment
 
 	docker run --volume /data/ldap/environment:/container/environment/01-custom \
-	--detach osixia/openldap:1.1.0
+	--detach osixia/openldap:1.1.1
 
 Take care to link your environment files folder to `/container/environment/XX-somedir` (with XX < 99 so they will be processed before default environment files) and not  directly to `/container/environment` because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE).
 
 Note: the container will try to delete the **\*.yaml.startup** file after the end of startup files so the file will also be deleted on the docker host. To prevent that : use --volume /data/ldap/environment:/container/environment/01-custom**:ro** or set all variables in **\*.yaml** file and don't use **\*.yaml.startup**:
 
 	docker run --volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \
-	--detach osixia/openldap:1.1.0
+	--detach osixia/openldap:1.1.1
 
 #### Make your own image or extend this image
 
@@ -292,13 +308,13 @@ This is the best solution if you have a private registry. Please refer to the [A
 
 ## Advanced User Guide
 
-### Extend osixia/openldap:1.1.0 image
+### Extend osixia/openldap:1.1.1 image
 
 If you need to add your custom TLS certificate, bootstrap config or environment files the easiest way is to extends this image.
 
 Dockerfile example:
 
-	FROM osixia/openldap:1.1.0
+	FROM osixia/openldap:1.1.1
 	MAINTAINER Your Name <[email protected]>
 
 	ADD bootstrap /container/service/slapd/assets/config/bootstrap
@@ -317,7 +333,7 @@ Clone this project:
 Adapt Makefile, set your image NAME and VERSION, for example:
 
 	NAME = osixia/openldap
-	VERSION = 1.1.0
+	VERSION = 1.1.1
 
 	become:
 	NAME = cool-guy/openldap

+ 1 - 1
example/extend-osixia-openldap/Dockerfile

@@ -1,4 +1,4 @@
-FROM osixia/openldap:1.1.0
+FROM osixia/openldap:1.1.1
 MAINTAINER Your Name <[email protected]>
 
 ADD bootstrap /container/service/slapd/assets/config/bootstrap

+ 2 - 2
example/kubernetes/simple/ldap-rc.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
         - name: ldap
-          image: osixia/openldap:1.1.0
+          image: osixia/openldap:1.1.1
           volumeMounts:
             - name: ldap-data
               mountPath: /var/lib/ldap
@@ -70,7 +70,7 @@ spec:
             - name: LDAP_REMOVE_CONFIG_AFTER_SETUP
               value: "true"
         - name: ldap-backup
-          image: osixia/openldap-backup:0.1.7
+          image: osixia/openldap-backup:0.1.8
           volumeMounts:
             - name: ldap-data
               mountPath: /var/lib/ldap

+ 2 - 2
example/kubernetes/using-secrets/ldap-rc.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
         - name: ldap
-          image: osixia/openldap:1.1.0
+          image: osixia/openldap:1.1.1
           command:
           - --copy-service
           volumeMounts:
@@ -33,7 +33,7 @@ spec:
             - containerPort: 389
               name: openldap
         - name: ldap-backup
-          image: osixia/openldap-backup:0.1.7
+          image: osixia/openldap-backup:0.1.8
           volumeMounts:
             - name: ldap-data
               mountPath: /var/lib/ldap

+ 7 - 7
image/Dockerfile

@@ -1,12 +1,12 @@
 # Use osixia/light-baseimage
 # sources: https://github.com/osixia/docker-light-baseimage
-FROM osixia/light-baseimage:0.2.1
+FROM osixia/light-baseimage:0.2.2
 MAINTAINER Bertrand Gouny <[email protected]>
 
 # Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
 RUN groupadd -r openldap && useradd -r -g openldap openldap
 
-# Install OpenLDAP, ldap-utils and cfssl from baseimage
+# Install OpenLDAP, ldap-utils and cfssl from baseimage and clean apt-get files
 # sources: https://github.com/osixia/docker-light-baseimage/blob/stable/image/tool/add-service-available
 #          https://github.com/osixia/docker-light-baseimage/blob/stable/image/service-available/:cfssl/download.sh
 RUN apt-get -y update \
@@ -14,16 +14,16 @@ RUN apt-get -y update \
 	  && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y --force-yes --no-install-recommends \
        ldap-utils \
        openssl \
-       slapd
+       slapd \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 # Add service directory to /container/service
 ADD service /container/service
 
-# Use baseimage install-service script and clean all
+# Use baseimage install-service script
 # https://github.com/osixia/docker-light-baseimage/blob/stable/image/tool/install-service
-RUN /container/tool/install-service \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+RUN /container/tool/install-service
 
 # Add default env variables
 ADD environment /container/environment/99-default
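Review bot: folding `apt-get clean` and the `rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*` into the same RUN as the install is the right layering fix, but the unchanged line above it still passes `--force-yes` to `apt-get install`, which turns off apt's package authentication checks; since this RUN is being reworked anyway, drop `--force-yes` (`-y` already answers the prompts). Note also that the cleanup now runs before `RUN /container/tool/install-service`, so anything that script leaves in the apt lists or in /tmp is no longer removed from the image; if install-service pulls packages, the cleanup should be repeated after it.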

+ 12 - 0
image/service/slapd/assets/config/bootstrap/ldif/03-memberOf.ldif

@@ -3,3 +3,15 @@ dn: cn=module{0},cn=config
 changetype: modify
 add: olcModuleLoad
 olcModuleLoad: memberof
+
+# Backend memberOf overlay
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcMemberOf
+olcOverlay: {0}memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfUniqueNames
+olcMemberOfMemberAD: uniqueMember
+olcMemberOfMemberOfAD: memberOf
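Review bot: the overlay DN hardcodes `olcDatabase={1}hdb,cn=config`; if the database index or backend differs, the ldapmodify in the bootstrap loop of startup.sh only reports the failure at debug level, so the overlay is silently skipped and memberOf is never populated. Either derive the database DN at bootstrap time or make ldapmodify failures visible at error level. Also, `olcMemberOfRefInt: TRUE` here and `olcRefintAttribute: memberOf` in the new 04-refint.ldif both react to the deletion of a group DN by editing memberOf on member entries; confirm that this double maintenance is intended, otherwise keep only one of the two.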

+ 17 - 0
image/service/slapd/assets/config/bootstrap/ldif/04-refint.ldif

@@ -0,0 +1,17 @@
+# Load refint module
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: refint
+
+# Backend refint overlay
+dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+olcOverlay: {1}refint
+olcRefintAttribute: owner
+olcRefintAttribute: manager
+olcRefintAttribute: uniqueMember
+olcRefintAttribute: member
+olcRefintAttribute: memberOf
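Review bot: `olcRefintAttribute: uniqueMember` (and `member`) is configured without an `olcRefintNothing` placeholder. groupOfUniqueNames, the group class selected in 03-memberOf.ldif, requires at least one uniqueMember, so when refint tries to remove the last member from a group the cleanup modify fails with an object class violation and the dangling reference remains. Add an `olcRefintNothing:` value pointing at a placeholder DN under the base DN; the `{{ LDAP_BASE_DN }}` substitution added to startup.sh in this commit makes that possible in a bootstrap ldif.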

+ 0 - 0
image/service/slapd/assets/config/bootstrap/ldif/04-index.ldif → image/service/slapd/assets/config/bootstrap/ldif/05-index.ldif


+ 18 - 37
image/service/slapd/startup.sh

@@ -48,25 +48,6 @@ if [ ! -e "$FIRST_START_DONE" ]; then
     fi
   }
 
-  function check_tls_files() {
-
-    local CA_CRT=$1
-    local LDAP_CRT=$2
-    local LDAP_KEY=$3
-    local DH_PARAM=$4
-
-    # generate a certificate and key with cfssl tool if LDAP_CRT and LDAP_KEY files don't exists
-    # https://github.com/osixia/docker-light-baseimage/blob/stable/image/service-available/:cfssl/assets/tool/cfssl-helper
-    cfssl-helper $LDAP_CFSSL_PREFIX $LDAP_CRT $LDAP_KEY $CA_CRT
-
-    # create DHParamFile if not found
-    [ -f ${DH_PARAM} ] || openssl dhparam -out ${DH_PARAM} 2048
-    chmod 600 ${DH_PARAM}
-
-    # fix file permissions
-    chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
-  }
-
   #
   # Global variables
   #
@@ -113,17 +94,6 @@ EOF
   elif [ ! -z "$(ls -A /var/lib/ldap)" ] && [ -z "$(ls -A /etc/ldap/slapd.d)" ]; then
     log-helper error "Error: the config directory (/etc/ldap/slapd.d) is empty but not the database directory (/var/lib/ldap)"
     exit 1
-
-  #
-  # An existing database and config are provided
-  #
-  else
-    # if the config was bootstraped with TLS
-    # to avoid error (#6) we check tls files
-    if [ -e "$WAS_STARTED_WITH_TLS" ]; then
-      source $WAS_STARTED_WITH_TLS
-      check_tls_files $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH
-    fi
   fi
 
   #
@@ -145,6 +115,12 @@ EOF
     fi
   fi
 
+  # if the config was bootstraped with TLS
+  # to avoid error (#6) we hard delete TLS config
+  if [ -e "$WAS_STARTED_WITH_TLS" ]; then
+    sed -i '/olcTLS/d' /etc/ldap/slapd.d/cn\=config.ldif
+  fi
+
   # start OpenLDAP
   log-helper info "Start OpenLDAP..."
   slapd -h "ldap://$HOSTNAME $PREVIOUS_HOSTNAME_PARAM ldap://localhost ldapi:///" -u openldap -g openldap
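Review bot: `sed -i '/olcTLS/d' /etc/ldap/slapd.d/cn\=config.ldif` deletes every olcTLS* attribute from the config, including olcTLSVerifyClient and the cipher settings, and does so on every start where `$WAS_STARTED_WITH_TLS` exists, not only when the certificate files are actually missing. That is only safe if the TLS block further down this script re-applies tls-enable.ldif on every start and not just on the first one; please verify that, since otherwise a simple restart of a TLS-enabled container comes back with TLS silently disabled. Editing a slapd.d ldif by hand also bypasses slapd's own config writer, so expect slapd to complain about the file on the next start; a comment explaining why the direct edit is needed (slapd cannot start with the missing files referenced in issue #6) would help the next reader.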
@@ -192,6 +168,7 @@ EOF
     log-helper info "Add bootstrap ldif..."
     for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif -mindepth 1 -maxdepth 1 -type f -name \*.ldif  | sort); do
       log-helper debug "Processing file ${f}"
+      sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" $f
       ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $f 2>&1 | log-helper debug || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f $f 2>&1 | log-helper debug
     done
 
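Review bot: the new `sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" $f` rewrites the bootstrap templates in place, which is fine on first start, but the ldapmodify line below it hides failures: the `||` fallback tests the exit status of `log-helper debug`, the last command in the pipeline, so a failing ldapmodify (for example the new overlay ldifs against a non-matching database DN) never triggers the fallback and only leaves a debug-level trace. Use `set -o pipefail` or check `${PIPESTATUS[0]}` and log at error level, and quote `$f` and `$LDAP_ADMIN_PASSWORD`.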
@@ -229,7 +206,16 @@ EOF
     LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
     LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
 
-    check_tls_files $LDAP_TLS_CA_CRT_PATH $LDAP_TLS_CRT_PATH $LDAP_TLS_KEY_PATH $LDAP_TLS_DH_PARAM_PATH
+    # generate a certificate and key with cfssl tool if LDAP_CRT and LDAP_KEY files don't exists
+    # https://github.com/osixia/docker-light-baseimage/blob/stable/image/service-available/:cfssl/assets/tool/cfssl-helper
+    cfssl-helper $LDAP_CFSSL_PREFIX $LDAP_TLS_CRT_PATH $LDAP_TLS_KEY_PATH $LDAP_TLS_CA_CRT_PATH
+
+    # create DHParamFile if not found
+    [ -f ${LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
+    chmod 600 ${LDAP_TLS_DH_PARAM_PATH}
+
+    # fix file permissions
+    chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
 
     # adapt tls ldif
     sed -i "s|{{ LDAP_TLS_CA_CRT_PATH }}|${LDAP_TLS_CA_CRT_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
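Review bot: the inlined TLS setup applies `chmod 600` to the DH parameter file, which is not secret, but leaves the private key at `$LDAP_TLS_KEY_PATH` with whatever mode cfssl-helper or the mounted volume gave it; the `chown -R openldap:openldap` below only fixes ownership, not mode. Add `chmod 600 "${LDAP_TLS_KEY_PATH}"` after the key exists, and quote the path variables passed to cfssl-helper and openssl so a mounted certificate directory containing spaces does not break the calls.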
@@ -242,12 +228,7 @@ EOF
     sed -i "s|{{ LDAP_TLS_VERIFY_CLIENT }}|${LDAP_TLS_VERIFY_CLIENT}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
 
     ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif 2>&1 | log-helper debug
-
-    [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
-    echo "export PREVIOUS_LDAP_TLS_CA_CRT_PATH=${LDAP_TLS_CA_CRT_PATH}" > $WAS_STARTED_WITH_TLS
-    echo "export PREVIOUS_LDAP_TLS_CRT_PATH=${LDAP_TLS_CRT_PATH}" >> $WAS_STARTED_WITH_TLS
-    echo "export PREVIOUS_LDAP_TLS_KEY_PATH=${LDAP_TLS_KEY_PATH}" >> $WAS_STARTED_WITH_TLS
-    echo "export PREVIOUS_LDAP_TLS_DH_PARAM_PATH=${LDAP_TLS_DH_PARAM_PATH}" >> $WAS_STARTED_WITH_TLS
+    touch $WAS_STARTED_WITH_TLS
 
     # ldap client config
     sed -i --follow-symlinks "s,TLS_CACERT.*,TLS_CACERT ${LDAP_TLS_CA_CRT_PATH},g" /etc/ldap/ldap.conf