|
|
@@ -24,6 +24,12 @@ WAS_STARTED_WITH_TLS="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls"
|
|
|
WAS_STARTED_WITH_TLS_ENFORCE="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls-enforce"
|
|
|
WAS_STARTED_WITH_REPLICATION="/etc/ldap/slapd.d/docker-openldap-was-started-with-replication"
|
|
|
|
|
|
+LDAP_TLS_CA_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CA_CRT_FILENAME"
|
|
|
+LDAP_TLS_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CRT_FILENAME"
|
|
|
+LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
|
|
|
+LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
|
|
|
+
|
|
|
+
|
|
|
# CONTAINER_SERVICE_DIR and CONTAINER_STATE_DIR variables are set by
|
|
|
# the baseimage run tool more info : https://github.com/osixia/docker-light-baseimage
|
|
|
|
|
|
@@ -56,6 +62,17 @@ if [ ! -e "$FIRST_START_DONE" ]; then
|
|
|
fi
|
|
|
}
|
|
|
|
|
|
+ function ldap_add_or_modify (){
|
|
|
+ local LDIF_FILE=$1
|
|
|
+ sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" $LDIF_FILE
|
|
|
+ sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" $LDIF_FILE
|
|
|
+ if grep -iq changetype $LDIF_FILE ; then
|
|
|
+ ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 | log-helper debug || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f $LDIF_FILE 2>&1 | log-helper debug
|
|
|
+ else
|
|
|
+ ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE |& log-helper debug
|
|
|
+ fi
|
|
|
+ }
|
|
|
+
|
|
|
#
|
|
|
# Global variables
|
|
|
#
|
|
|
@@ -71,7 +88,6 @@ if [ ! -e "$FIRST_START_DONE" ]; then
|
|
|
log-helper info "Database and config directory are empty..."
|
|
|
log-helper info "Init new ldap server..."
|
|
|
|
|
|
-
|
|
|
cat <<EOF | debconf-set-selections
|
|
|
slapd slapd/internal/generated_adminpw password ${LDAP_ADMIN_PASSWORD}
|
|
|
slapd slapd/internal/adminpw password ${LDAP_ADMIN_PASSWORD}
|
|
|
@@ -90,6 +106,24 @@ EOF
|
|
|
|
|
|
dpkg-reconfigure -f noninteractive slapd
|
|
|
|
|
|
+ # RFC2307bis schema
|
|
|
+ if [ "${LDAP_RFC2307BIS_SCHEMA,,}" == "true" ]; then
|
|
|
+
|
|
|
+ log-helper info "Switching schema to RFC2307bis..."
|
|
|
+ cp ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema/rfc2307bis.* /etc/ldap/schema/
|
|
|
+
|
|
|
+ rm -f /etc/ldap/slapd.d/cn=config/cn=schema/*
|
|
|
+
|
|
|
+ mkdir -p /tmp/schema
|
|
|
+ slaptest -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema/rfc2307bis.conf -F /tmp/schema
|
|
|
+ mv /tmp/schema/cn=config/cn=schema/* /etc/ldap/slapd.d/cn=config/cn=schema
|
|
|
+ rm -r /tmp/schema
|
|
|
+
|
|
|
+ chown -R openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema
|
|
|
+ fi
|
|
|
+
|
|
|
+ rm ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema/rfc2307bis.*
|
|
|
+
|
|
|
#
|
|
|
# Error: the database directory (/var/lib/ldap) is empty but not the config directory (/etc/ldap/slapd.d)
|
|
|
#
|
|
|
@@ -105,275 +139,282 @@ EOF
|
|
|
exit 1
|
|
|
fi
|
|
|
|
|
|
- #
|
|
|
- # start OpenLDAP
|
|
|
- #
|
|
|
-
|
|
|
- # get previous hostname if OpenLDAP was started with replication
|
|
|
- # to avoid configuration pbs
|
|
|
- PREVIOUS_HOSTNAME_PARAM=""
|
|
|
- if [ -e "$WAS_STARTED_WITH_REPLICATION" ]; then
|
|
|
+ if [ "${KEEP_EXISTING_CONFIG,,}" == "true" ]; then
|
|
|
+ log-helper info "/!\ KEEP_EXISTING_CONFIG = true configration will not be updated"
|
|
|
+ else
|
|
|
+ #
|
|
|
+ # start OpenLDAP
|
|
|
+ #
|
|
|
+
|
|
|
+ # get previous hostname if OpenLDAP was started with replication
|
|
|
+ # to avoid configuration pbs
|
|
|
+ PREVIOUS_HOSTNAME_PARAM=""
|
|
|
+ if [ -e "$WAS_STARTED_WITH_REPLICATION" ]; then
|
|
|
+
|
|
|
+ source $WAS_STARTED_WITH_REPLICATION
|
|
|
+
|
|
|
+ # if previous hostname != current hostname
|
|
|
+ # set previous hostname to a loopback ip in /etc/hosts
|
|
|
+ if [ "$PREVIOUS_HOSTNAME" != "$HOSTNAME" ]; then
|
|
|
+ echo "127.0.0.2 $PREVIOUS_HOSTNAME" >> /etc/hosts
|
|
|
+ PREVIOUS_HOSTNAME_PARAM="ldap://$PREVIOUS_HOSTNAME"
|
|
|
+ fi
|
|
|
+ fi
|
|
|
|
|
|
- source $WAS_STARTED_WITH_REPLICATION
|
|
|
+ # if the config was bootstraped with TLS
|
|
|
+ # to avoid error (#6) (#36) and (#44)
|
|
|
+ # we create fake temporary certificates if they do not exists
|
|
|
+ if [ -e "$WAS_STARTED_WITH_TLS" ]; then
|
|
|
+ source $WAS_STARTED_WITH_TLS
|
|
|
|
|
|
- # if previous hostname != current hostname
|
|
|
- # set previous hostname to a loopback ip in /etc/hosts
|
|
|
- if [ "$PREVIOUS_HOSTNAME" != "$HOSTNAME" ]; then
|
|
|
- echo "127.0.0.2 $PREVIOUS_HOSTNAME" >> /etc/hosts
|
|
|
- PREVIOUS_HOSTNAME_PARAM="ldap://$PREVIOUS_HOSTNAME"
|
|
|
- fi
|
|
|
- fi
|
|
|
+ log-helper debug "Check previous TLS certificates..."
|
|
|
|
|
|
- # if the config was bootstraped with TLS
|
|
|
- # to avoid error (#6) (#36) and (#44)
|
|
|
- # we create fake temporary certificates if they do not exists
|
|
|
- if [ -e "$WAS_STARTED_WITH_TLS" ]; then
|
|
|
- source $WAS_STARTED_WITH_TLS
|
|
|
+ # fix for #73
|
|
|
+ # image started with an existing database/config created before 1.1.5
|
|
|
+ [[ -z "$PREVIOUS_LDAP_TLS_CA_CRT_PATH" ]] && PREVIOUS_LDAP_TLS_CA_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CA_CRT_FILENAME"
|
|
|
+ [[ -z "$PREVIOUS_LDAP_TLS_CRT_PATH" ]] && PREVIOUS_LDAP_TLS_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CRT_FILENAME"
|
|
|
+ [[ -z "$PREVIOUS_LDAP_TLS_KEY_PATH" ]] && PREVIOUS_LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
|
|
|
+ [[ -z "$PREVIOUS_LDAP_TLS_DH_PARAM_PATH" ]] && PREVIOUS_LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
|
|
|
|
|
|
- log-helper debug "Check previous TLS certificates..."
|
|
|
+ ssl-helper $LDAP_SSL_HELPER_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH
|
|
|
+ [ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
|
|
|
|
|
|
- # fix for #73
|
|
|
- # image started with an existing database/config created before 1.1.5
|
|
|
- [[ -z "$PREVIOUS_LDAP_TLS_CA_CRT_PATH" ]] && PREVIOUS_LDAP_TLS_CA_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CA_CRT_FILENAME"
|
|
|
- [[ -z "$PREVIOUS_LDAP_TLS_CRT_PATH" ]] && PREVIOUS_LDAP_TLS_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CRT_FILENAME"
|
|
|
- [[ -z "$PREVIOUS_LDAP_TLS_KEY_PATH" ]] && PREVIOUS_LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
|
|
|
- [[ -z "$PREVIOUS_LDAP_TLS_DH_PARAM_PATH" ]] && PREVIOUS_LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
|
|
|
+ chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}
|
|
|
+ chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH
|
|
|
+ fi
|
|
|
|
|
|
- ssl-helper $LDAP_SSL_HELPER_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH
|
|
|
- [ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
|
|
|
+ # start OpenLDAP
|
|
|
+ log-helper info "Start OpenLDAP..."
|
|
|
|
|
|
- chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}
|
|
|
- chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH
|
|
|
- fi
|
|
|
+ if log-helper level ge debug; then
|
|
|
+ slapd -h "ldap://$HOSTNAME $PREVIOUS_HOSTNAME_PARAM ldap://localhost ldapi:///" -u openldap -g openldap -d $LDAP_LOG_LEVEL 2>&1 &
|
|
|
+ else
|
|
|
+ slapd -h "ldap://$HOSTNAME $PREVIOUS_HOSTNAME_PARAM ldap://localhost ldapi:///" -u openldap -g openldap
|
|
|
+ fi
|
|
|
|
|
|
- # start OpenLDAP
|
|
|
- log-helper info "Start OpenLDAP..."
|
|
|
|
|
|
- if log-helper level eq debug; then
|
|
|
- # debug
|
|
|
- slapd -h "ldap://$HOSTNAME $PREVIOUS_HOSTNAME_PARAM ldap://localhost ldapi:///" -u openldap -g openldap -d $LDAP_LOG_LEVEL 2>&1 &
|
|
|
- else
|
|
|
- slapd -h "ldap://$HOSTNAME $PREVIOUS_HOSTNAME_PARAM ldap://localhost ldapi:///" -u openldap -g openldap
|
|
|
- fi
|
|
|
+ log-helper info "Waiting for OpenLDAP to start..."
|
|
|
+ while [ ! -e /run/slapd/slapd.pid ]; do sleep 0.1; done
|
|
|
|
|
|
+ #
|
|
|
+ # setup bootstrap config - Part 2
|
|
|
+ #
|
|
|
+ if $BOOTSTRAP; then
|
|
|
|
|
|
- log-helper info "Waiting for OpenLDAP to start..."
|
|
|
- while [ ! -e /run/slapd/slapd.pid ]; do sleep 0.1; done
|
|
|
+ log-helper info "Add bootstrap schemas..."
|
|
|
|
|
|
- #
|
|
|
- # setup bootstrap config - Part 2
|
|
|
- #
|
|
|
- if $BOOTSTRAP; then
|
|
|
-
|
|
|
- log-helper info "Add bootstrap schemas..."
|
|
|
-
|
|
|
- # add ppolicy schema
|
|
|
- ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif 2>&1 | log-helper debug
|
|
|
-
|
|
|
- # convert schemas to ldif
|
|
|
- SCHEMAS=""
|
|
|
- for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema -name \*.schema -type f); do
|
|
|
- SCHEMAS="$SCHEMAS ${f}"
|
|
|
- done
|
|
|
- ${CONTAINER_SERVICE_DIR}/slapd/assets/schema-to-ldif.sh "$SCHEMAS"
|
|
|
-
|
|
|
- # add converted schemas
|
|
|
- for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema -name \*.ldif -type f); do
|
|
|
- log-helper debug "Processing file ${f}"
|
|
|
- # add schema if not already exists
|
|
|
- SCHEMA=$(basename "${f}" .ldif)
|
|
|
- ADD_SCHEMA=$(is_new_schema $SCHEMA)
|
|
|
- if [ "$ADD_SCHEMA" -eq 1 ]; then
|
|
|
- ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f $f 2>&1 | log-helper debug
|
|
|
- else
|
|
|
- log-helper info "schema ${f} already exists"
|
|
|
- fi
|
|
|
- done
|
|
|
+ # add ppolicy schema
|
|
|
+ ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif 2>&1 | log-helper debug
|
|
|
|
|
|
- # set config password
|
|
|
- LDAP_CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_CONFIG_PASSWORD)
|
|
|
- sed -i "s|{{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}|${LDAP_CONFIG_PASSWORD_ENCRYPTED}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/01-config-password.ldif
|
|
|
+ # convert schemas to ldif
|
|
|
+ SCHEMAS=""
|
|
|
+ for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema -name \*.schema -type f); do
|
|
|
+ SCHEMAS="$SCHEMAS ${f}"
|
|
|
+ done
|
|
|
+ ${CONTAINER_SERVICE_DIR}/slapd/assets/schema-to-ldif.sh "$SCHEMAS"
|
|
|
+
|
|
|
+ # add converted schemas
|
|
|
+ for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema -name \*.ldif -type f); do
|
|
|
+ log-helper debug "Processing file ${f}"
|
|
|
+ # add schema if not already exists
|
|
|
+ SCHEMA=$(basename "${f}" .ldif)
|
|
|
+ ADD_SCHEMA=$(is_new_schema $SCHEMA)
|
|
|
+ if [ "$ADD_SCHEMA" -eq 1 ]; then
|
|
|
+ ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f $f 2>&1 | log-helper debug
|
|
|
+ else
|
|
|
+ log-helper info "schema ${f} already exists"
|
|
|
+ fi
|
|
|
+ done
|
|
|
|
|
|
- # adapt security config file
|
|
|
- get_ldap_base_dn
|
|
|
- sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/02-security.ldif
|
|
|
+ # set config password
|
|
|
+ LDAP_CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_CONFIG_PASSWORD)
|
|
|
+ sed -i "s|{{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}|${LDAP_CONFIG_PASSWORD_ENCRYPTED}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/01-config-password.ldif
|
|
|
|
|
|
- # process config files (*.ldif) in bootstrap directory (do no process files in subdirectories)
|
|
|
- log-helper info "Add bootstrap ldif..."
|
|
|
- for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif -mindepth 1 -maxdepth 1 -type f -name \*.ldif | sort); do
|
|
|
- log-helper debug "Processing file ${f}"
|
|
|
- sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" $f
|
|
|
- sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" $f
|
|
|
- ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $f 2>&1 | log-helper debug || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f $f 2>&1 | log-helper debug
|
|
|
- done
|
|
|
+ # adapt security config file
|
|
|
+ get_ldap_base_dn
|
|
|
+ sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/02-security.ldif
|
|
|
|
|
|
- # read only user
|
|
|
- if [ "${LDAP_READONLY_USER,,}" == "true" ]; then
|
|
|
+ # process config files (*.ldif) in bootstrap directory (do no process files in subdirectories)
|
|
|
+ log-helper info "Add image bootstrap ldif..."
|
|
|
+ for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif -mindepth 1 -maxdepth 1 -type f -name \*.ldif | sort); do
|
|
|
+ log-helper debug "Processing file ${f}"
|
|
|
+ ldap_add_or_modify "$f"
|
|
|
+ done
|
|
|
|
|
|
- log-helper info "Add read only user..."
|
|
|
+ log-helper info "Add custom bootstrap ldif..."
|
|
|
+ for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/custom -type f -name \*.ldif | sort); do
|
|
|
+ log-helper debug "Processing file ${f}"
|
|
|
+ ldap_add_or_modify "$f"
|
|
|
+ done
|
|
|
|
|
|
- LDAP_READONLY_USER_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_READONLY_USER_PASSWORD)
|
|
|
- sed -i "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
|
|
|
- sed -i "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
|
|
|
- sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
|
|
|
+ # read only user
|
|
|
+ if [ "${LDAP_READONLY_USER,,}" == "true" ]; then
|
|
|
|
|
|
- sed -i "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
|
|
|
- sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
|
|
|
+ log-helper info "Add read only user..."
|
|
|
|
|
|
- sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
|
|
|
+ LDAP_READONLY_USER_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_READONLY_USER_PASSWORD)
|
|
|
+ sed -i "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
|
|
|
+ sed -i "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
|
|
|
+ sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
|
|
|
|
|
|
- log-helper debug "Processing file ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif"
|
|
|
- ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif 2>&1 | log-helper debug
|
|
|
+ sed -i "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
|
|
|
+ sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
|
|
|
|
|
|
- log-helper debug "Processing file ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif"
|
|
|
- ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif 2>&1 | log-helper debug
|
|
|
+ sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
|
|
|
|
|
|
- fi
|
|
|
- fi
|
|
|
+ log-helper debug "Processing file ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif"
|
|
|
+ ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif 2>&1 | log-helper debug
|
|
|
|
|
|
- #
|
|
|
- # TLS config
|
|
|
- #
|
|
|
- if [ -e "$WAS_STARTED_WITH_TLS" ] && [ "${LDAP_TLS,,}" != "true" ]; then
|
|
|
- log-helper error "/!\ WARNING: LDAP_TLS=false but the container was previously started with LDAP_TLS=true"
|
|
|
- log-helper error "TLS can't be disabled once added. Ignoring LDAP_TLS=false."
|
|
|
- LDAP_TLS=true
|
|
|
- fi
|
|
|
+ log-helper debug "Processing file ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif"
|
|
|
+ ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif 2>&1 | log-helper debug
|
|
|
|
|
|
- if [ -e "$WAS_STARTED_WITH_TLS_ENFORCE" ] && [ "${LDAP_TLS_ENFORCE,,}" != "true" ]; then
|
|
|
- log-helper error "/!\ WARNING: LDAP_TLS_ENFORCE=false but the container was previously started with LDAP_TLS_ENFORCE=true"
|
|
|
- log-helper error "TLS enforcing can't be disabled once added. Ignoring LDAP_TLS_ENFORCE=false."
|
|
|
- LDAP_TLS_ENFORCE=true
|
|
|
- fi
|
|
|
+ fi
|
|
|
+ fi
|
|
|
|
|
|
- if [ "${LDAP_TLS,,}" == "true" ]; then
|
|
|
+ #
|
|
|
+ # TLS config
|
|
|
+ #
|
|
|
+ if [ -e "$WAS_STARTED_WITH_TLS" ] && [ "${LDAP_TLS,,}" != "true" ]; then
|
|
|
+ log-helper error "/!\ WARNING: LDAP_TLS=false but the container was previously started with LDAP_TLS=true"
|
|
|
+ log-helper error "TLS can't be disabled once added. Ignoring LDAP_TLS=false."
|
|
|
+ LDAP_TLS=true
|
|
|
+ fi
|
|
|
|
|
|
- log-helper info "Add TLS config..."
|
|
|
+ if [ -e "$WAS_STARTED_WITH_TLS_ENFORCE" ] && [ "${LDAP_TLS_ENFORCE,,}" != "true" ]; then
|
|
|
+ log-helper error "/!\ WARNING: LDAP_TLS_ENFORCE=false but the container was previously started with LDAP_TLS_ENFORCE=true"
|
|
|
+ log-helper error "TLS enforcing can't be disabled once added. Ignoring LDAP_TLS_ENFORCE=false."
|
|
|
+ LDAP_TLS_ENFORCE=true
|
|
|
+ fi
|
|
|
|
|
|
- LDAP_TLS_CA_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CA_CRT_FILENAME"
|
|
|
- LDAP_TLS_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CRT_FILENAME"
|
|
|
- LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
|
|
|
- LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
|
|
|
+ if [ "${LDAP_TLS,,}" == "true" ]; then
|
|
|
|
|
|
- # generate a certificate and key with ssl-helper tool if LDAP_CRT and LDAP_KEY files don't exists
|
|
|
- # https://github.com/osixia/docker-light-baseimage/blob/stable/image/service-available/:ssl-tools/assets/tool/ssl-helper
|
|
|
- ssl-helper $LDAP_SSL_HELPER_PREFIX $LDAP_TLS_CRT_PATH $LDAP_TLS_KEY_PATH $LDAP_TLS_CA_CRT_PATH
|
|
|
+ log-helper info "Add TLS config..."
|
|
|
|
|
|
- # create DHParamFile if not found
|
|
|
- [ -f ${LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
|
|
|
- chmod 600 ${LDAP_TLS_DH_PARAM_PATH}
|
|
|
+ # generate a certificate and key with ssl-helper tool if LDAP_CRT and LDAP_KEY files don't exists
|
|
|
+ # https://github.com/osixia/docker-light-baseimage/blob/stable/image/service-available/:ssl-tools/assets/tool/ssl-helper
|
|
|
+ ssl-helper $LDAP_SSL_HELPER_PREFIX $LDAP_TLS_CRT_PATH $LDAP_TLS_KEY_PATH $LDAP_TLS_CA_CRT_PATH
|
|
|
|
|
|
- # fix file permissions
|
|
|
- chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
|
|
|
+ # create DHParamFile if not found
|
|
|
+ [ -f ${LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
|
|
|
+ chmod 600 ${LDAP_TLS_DH_PARAM_PATH}
|
|
|
|
|
|
- # adapt tls ldif
|
|
|
- sed -i "s|{{ LDAP_TLS_CA_CRT_PATH }}|${LDAP_TLS_CA_CRT_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
- sed -i "s|{{ LDAP_TLS_CRT_PATH }}|${LDAP_TLS_CRT_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
- sed -i "s|{{ LDAP_TLS_KEY_PATH }}|${LDAP_TLS_KEY_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
- sed -i "s|{{ LDAP_TLS_DH_PARAM_PATH }}|${LDAP_TLS_DH_PARAM_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
+ # fix file permissions
|
|
|
+ chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
|
|
|
|
|
|
- sed -i "s|{{ LDAP_TLS_CIPHER_SUITE }}|${LDAP_TLS_CIPHER_SUITE}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
- sed -i "s|{{ LDAP_TLS_VERIFY_CLIENT }}|${LDAP_TLS_VERIFY_CLIENT}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
+ # adapt tls ldif
|
|
|
+ sed -i "s|{{ LDAP_TLS_CA_CRT_PATH }}|${LDAP_TLS_CA_CRT_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
+ sed -i "s|{{ LDAP_TLS_CRT_PATH }}|${LDAP_TLS_CRT_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
+ sed -i "s|{{ LDAP_TLS_KEY_PATH }}|${LDAP_TLS_KEY_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
+ sed -i "s|{{ LDAP_TLS_DH_PARAM_PATH }}|${LDAP_TLS_DH_PARAM_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
|
|
|
- ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif 2>&1 | log-helper debug
|
|
|
+ sed -i "s|{{ LDAP_TLS_CIPHER_SUITE }}|${LDAP_TLS_CIPHER_SUITE}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
+ sed -i "s|{{ LDAP_TLS_VERIFY_CLIENT }}|${LDAP_TLS_VERIFY_CLIENT}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
|
|
|
|
|
|
- [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
|
|
|
- echo "export PREVIOUS_LDAP_TLS_CA_CRT_PATH=${LDAP_TLS_CA_CRT_PATH}" > $WAS_STARTED_WITH_TLS
|
|
|
- echo "export PREVIOUS_LDAP_TLS_CRT_PATH=${LDAP_TLS_CRT_PATH}" >> $WAS_STARTED_WITH_TLS
|
|
|
- echo "export PREVIOUS_LDAP_TLS_KEY_PATH=${LDAP_TLS_KEY_PATH}" >> $WAS_STARTED_WITH_TLS
|
|
|
- echo "export PREVIOUS_LDAP_TLS_DH_PARAM_PATH=${LDAP_TLS_DH_PARAM_PATH}" >> $WAS_STARTED_WITH_TLS
|
|
|
+ ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif 2>&1 | log-helper debug
|
|
|
|
|
|
- # ldap client config
|
|
|
- sed -i --follow-symlinks "s,TLS_CACERT.*,TLS_CACERT ${LDAP_TLS_CA_CRT_PATH},g" /etc/ldap/ldap.conf
|
|
|
- echo "TLS_REQCERT ${LDAP_TLS_VERIFY_CLIENT}" >> /etc/ldap/ldap.conf
|
|
|
- cp -f /etc/ldap/ldap.conf ${CONTAINER_SERVICE_DIR}/slapd/assets/ldap.conf
|
|
|
+ [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
|
|
|
+ echo "export PREVIOUS_LDAP_TLS_CA_CRT_PATH=${LDAP_TLS_CA_CRT_PATH}" > $WAS_STARTED_WITH_TLS
|
|
|
+ echo "export PREVIOUS_LDAP_TLS_CRT_PATH=${LDAP_TLS_CRT_PATH}" >> $WAS_STARTED_WITH_TLS
|
|
|
+ echo "export PREVIOUS_LDAP_TLS_KEY_PATH=${LDAP_TLS_KEY_PATH}" >> $WAS_STARTED_WITH_TLS
|
|
|
+ echo "export PREVIOUS_LDAP_TLS_DH_PARAM_PATH=${LDAP_TLS_DH_PARAM_PATH}" >> $WAS_STARTED_WITH_TLS
|
|
|
|
|
|
- [[ -f "$HOME/.ldaprc" ]] && rm -f $HOME/.ldaprc
|
|
|
- echo "TLS_CERT ${LDAP_TLS_CRT_PATH}" > $HOME/.ldaprc
|
|
|
- echo "TLS_KEY ${LDAP_TLS_KEY_PATH}" >> $HOME/.ldaprc
|
|
|
- cp -f $HOME/.ldaprc ${CONTAINER_SERVICE_DIR}/slapd/assets/.ldaprc
|
|
|
+ # enforce TLS
|
|
|
+ if [ "${LDAP_TLS_ENFORCE,,}" == "true" ]; then
|
|
|
+ log-helper info "Add enforce TLS..."
|
|
|
+ ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enforce-enable.ldif 2>&1 | log-helper debug
|
|
|
+ touch $WAS_STARTED_WITH_TLS_ENFORCE
|
|
|
|
|
|
- # enforce TLS
|
|
|
- if [ "${LDAP_TLS_ENFORCE,,}" == "true" ]; then
|
|
|
- log-helper info "Add enforce TLS..."
|
|
|
- ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enforce-enable.ldif 2>&1 | log-helper debug
|
|
|
- touch $WAS_STARTED_WITH_TLS_ENFORCE
|
|
|
+ # disable tls enforcing (not possible for now)
|
|
|
+ #else
|
|
|
+ #log-helper info "Disable enforce TLS..."
|
|
|
+ #ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enforce-disable.ldif 2>&1 | log-helper debug || true
|
|
|
+ #[[ -f "$WAS_STARTED_WITH_TLS_ENFORCE" ]] && rm -f "$WAS_STARTED_WITH_TLS_ENFORCE"
|
|
|
+ fi
|
|
|
|
|
|
- # disable tls enforcing (not possible for now)
|
|
|
+ # disable tls (not possible for now)
|
|
|
#else
|
|
|
- #log-helper info "Disable enforce TLS..."
|
|
|
- #ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enforce-disable.ldif 2>&1 | log-helper debug || true
|
|
|
- #[[ -f "$WAS_STARTED_WITH_TLS_ENFORCE" ]] && rm -f "$WAS_STARTED_WITH_TLS_ENFORCE"
|
|
|
+ #log-helper info "Disable TLS config..."
|
|
|
+ #ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-disable.ldif 2>&1 | log-helper debug || true
|
|
|
+ #[[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
|
|
|
fi
|
|
|
|
|
|
- # disable tls (not possible for now)
|
|
|
- #else
|
|
|
- #log-helper info "Disable TLS config..."
|
|
|
- #ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-disable.ldif 2>&1 | log-helper debug || true
|
|
|
- #[[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
|
|
|
- fi
|
|
|
|
|
|
|
|
|
+ #
|
|
|
+ # Replication config
|
|
|
+ #
|
|
|
|
|
|
- #
|
|
|
- # Replication config
|
|
|
- #
|
|
|
+ function disableReplication() {
|
|
|
+ sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-disable.ldif
|
|
|
+ ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-disable.ldif 2>&1 | log-helper debug || true
|
|
|
+ [[ -f "$WAS_STARTED_WITH_REPLICATION" ]] && rm -f "$WAS_STARTED_WITH_REPLICATION"
|
|
|
+ }
|
|
|
|
|
|
- function disableReplication() {
|
|
|
- sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-disable.ldif
|
|
|
- ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-disable.ldif 2>&1 | log-helper debug || true
|
|
|
- [[ -f "$WAS_STARTED_WITH_REPLICATION" ]] && rm -f "$WAS_STARTED_WITH_REPLICATION"
|
|
|
- }
|
|
|
+ if [ "${LDAP_REPLICATION,,}" == "true" ]; then
|
|
|
|
|
|
- if [ "${LDAP_REPLICATION,,}" == "true" ]; then
|
|
|
+ log-helper info "Add replication config..."
|
|
|
+ disableReplication || true
|
|
|
|
|
|
- log-helper info "Add replication config..."
|
|
|
- disableReplication || true
|
|
|
+ i=1
|
|
|
+ for host in $(complex-bash-env iterate LDAP_REPLICATION_HOSTS)
|
|
|
+ do
|
|
|
+ sed -i "s|{{ LDAP_REPLICATION_HOSTS }}|olcServerID: $i ${!host}\n{{ LDAP_REPLICATION_HOSTS }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
+ sed -i "s|{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|olcSyncRepl: rid=00$i provider=${!host} ${LDAP_REPLICATION_CONFIG_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
+ sed -i "s|{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}|olcSyncRepl: rid=10$i provider=${!host} ${LDAP_REPLICATION_DB_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
|
|
|
- i=1
|
|
|
- for host in $(complex-bash-env iterate LDAP_REPLICATION_HOSTS)
|
|
|
- do
|
|
|
- sed -i "s|{{ LDAP_REPLICATION_HOSTS }}|olcServerID: $i ${!host}\n{{ LDAP_REPLICATION_HOSTS }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
- sed -i "s|{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|olcSyncRepl: rid=00$i provider=${!host} ${LDAP_REPLICATION_CONFIG_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
- sed -i "s|{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}|olcSyncRepl: rid=10$i provider=${!host} ${LDAP_REPLICATION_DB_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
+ ((i++))
|
|
|
+ done
|
|
|
|
|
|
- ((i++))
|
|
|
- done
|
|
|
+ get_ldap_base_dn
|
|
|
+ sed -i "s|\$LDAP_BASE_DN|$LDAP_BASE_DN|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
+ sed -i "s|\$LDAP_ADMIN_PASSWORD|$LDAP_ADMIN_PASSWORD|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
+ sed -i "s|\$LDAP_CONFIG_PASSWORD|$LDAP_CONFIG_PASSWORD|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
|
|
|
- get_ldap_base_dn
|
|
|
- sed -i "s|\$LDAP_BASE_DN|$LDAP_BASE_DN|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
- sed -i "s|\$LDAP_ADMIN_PASSWORD|$LDAP_ADMIN_PASSWORD|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
- sed -i "s|\$LDAP_CONFIG_PASSWORD|$LDAP_CONFIG_PASSWORD|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
+ sed -i "/{{ LDAP_REPLICATION_HOSTS }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
+ sed -i "/{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
+ sed -i "/{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
|
|
|
- sed -i "/{{ LDAP_REPLICATION_HOSTS }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
- sed -i "/{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
- sed -i "/{{ LDAP_REPLICATION_HOSTS_DB_SYNC_REPL }}/d" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
+ sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
|
|
|
- sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif
|
|
|
+ ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif 2>&1 | log-helper debug || true
|
|
|
|
|
|
- ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/replication/replication-enable.ldif 2>&1 | log-helper debug || true
|
|
|
+ [[ -f "$WAS_STARTED_WITH_REPLICATION" ]] && rm -f "$WAS_STARTED_WITH_REPLICATION"
|
|
|
+ echo "export PREVIOUS_HOSTNAME=${HOSTNAME}" > $WAS_STARTED_WITH_REPLICATION
|
|
|
|
|
|
- [[ -f "$WAS_STARTED_WITH_REPLICATION" ]] && rm -f "$WAS_STARTED_WITH_REPLICATION"
|
|
|
- echo "export PREVIOUS_HOSTNAME=${HOSTNAME}" > $WAS_STARTED_WITH_REPLICATION
|
|
|
+ else
|
|
|
|
|
|
- else
|
|
|
+ log-helper info "Disable replication config..."
|
|
|
+ disableReplication || true
|
|
|
+
|
|
|
+ fi
|
|
|
|
|
|
- log-helper info "Disable replication config..."
|
|
|
- disableReplication || true
|
|
|
+ #
|
|
|
+ # stop OpenLDAP
|
|
|
+ #
|
|
|
+ log-helper info "Stop OpenLDAP..."
|
|
|
|
|
|
+ SLAPD_PID=$(cat /run/slapd/slapd.pid)
|
|
|
+ kill -15 $SLAPD_PID
|
|
|
+ while [ -e /proc/$SLAPD_PID ]; do sleep 0.1; done # wait until slapd is terminated
|
|
|
fi
|
|
|
|
|
|
#
|
|
|
- # stop OpenLDAP
|
|
|
+ # ldap client config
|
|
|
#
|
|
|
- log-helper info "Stop OpenLDAP..."
|
|
|
+ if [ "${LDAP_TLS,,}" == "true" ]; then
|
|
|
+ log-helper info "Configure ldap client TLS configuration..."
|
|
|
+ sed -i --follow-symlinks "s,TLS_CACERT.*,TLS_CACERT ${LDAP_TLS_CA_CRT_PATH},g" /etc/ldap/ldap.conf
|
|
|
+ echo "TLS_REQCERT ${LDAP_TLS_VERIFY_CLIENT}" >> /etc/ldap/ldap.conf
|
|
|
+ cp -f /etc/ldap/ldap.conf ${CONTAINER_SERVICE_DIR}/slapd/assets/ldap.conf
|
|
|
|
|
|
- SLAPD_PID=$(cat /run/slapd/slapd.pid)
|
|
|
- kill -15 $SLAPD_PID
|
|
|
- while [ -e /proc/$SLAPD_PID ]; do sleep 0.1; done # wait until slapd is terminated
|
|
|
+ [[ -f "$HOME/.ldaprc" ]] && rm -f $HOME/.ldaprc
|
|
|
+ echo "TLS_CERT ${LDAP_TLS_CRT_PATH}" > $HOME/.ldaprc
|
|
|
+ echo "TLS_KEY ${LDAP_TLS_KEY_PATH}" >> $HOME/.ldaprc
|
|
|
+ cp -f $HOME/.ldaprc ${CONTAINER_SERVICE_DIR}/slapd/assets/.ldaprc
|
|
|
+ fi
|
|
|
|
|
|
#
|
|
|
- # remove config files
|
|
|
+ # remove container config files
|
|
|
#
|
|
|
if [ "${LDAP_REMOVE_CONFIG_AFTER_SETUP,,}" == "true" ]; then
|
|
|
log-helper info "Remove config files..."
|
Bertrand Gouny