
Add readonly user bootstrap option

ofreax 10 years ago
parent
commit
af32d6fd98

+ 9 - 0
README.md

@@ -167,6 +167,11 @@ Required and used for new ldap server only :
 - **LDAP_ADMIN_PASSWORD** Ldap Admin password. Defaults to `admin`
 - **LDAP_CONFIG_PASSWORD** Ldap Config password. Defaults to `config`
 
+
+- **LDAP_READONLY_USER** Add a read only user. Defaults to `false`
+- **LDAP_READONLY_USER_USERNAME** Read only user username. Defaults to `readonly`
+- **LDAP_READONLY_USER_PASSWORD** Read only user password. Defaults to `readonly`
+
 TLS options :
 - **LDAP_TLS**: Add openldap TLS capabilities. Defaults to `true`
 - **LDAP_TLS_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
@@ -175,8 +180,12 @@ TLS options :
 
 Replication options :
 - **LDAP_REPLICATION**: Add openldap replication capabilities. Defaults to `false`
+
 - **LDAP_REPLICATION_CONFIG_SYNCPROV**: olcSyncRepl options used for the config database. Without **rid** and **provider** which are automaticaly added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical`
+
 - **LDAP_REPLICATION_HDB_SYNCPROV**: olcSyncRepl options used for the HDB database. Without **rid** and **provider** which are automaticaly added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1  starttls=critical`
+
+
 - **LDAP_REPLICATION_HOSTS**: list of replication hosts, must contains the current container hostname set by -h on docker run command. Defaults to `['ldap://ldap.example.org', 'ldap://ldap2.example.org']`
 
 ### Set environment variables at run time :

+ 4 - 0
image/env.yaml

@@ -8,6 +8,10 @@ LDAP_DOMAIN: example.org
 LDAP_ADMIN_PASSWORD: admin
 LDAP_CONFIG_PASSWORD: config
 
+LDAP_READONLY_USER: true
+LDAP_READONLY_USER_USERNAME: readonly
+LDAP_READONLY_USER_PASSWORD: readonly
+
 # Tls
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: ldap.crt
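Review bot: `LDAP_READONLY_USER: true` on the first added line enables the account by default, while the README hunk in this same commit documents the default as `false`; one of the two should change. With the account enabled and `LDAP_READONLY_USER_PASSWORD: readonly` as the shipped value, every container started from this file gets a read-capable directory account with a published password unless the operator overrides it. Setting `LDAP_READONLY_USER: false` here to match the README, or shipping the password empty so the bootstrap has to be given one explicitly, would be the safer default; the visible bootstrap hunk in container-start.sh does not reject an empty or default password, though that check may live outside what is shown.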

+ 0 - 35
image/service/slapd/assets/add-readonly-user.sh

@@ -1,35 +0,0 @@
-#!/bin/bash -e
-
-# Usage :
-# ./add-readonly-user.sh LDAP_DOMAIN LDAP_ADMIN_PASSWORD LDAP_READONLY_USERNAME LDAP_READONLY_PASSWORD
-
-# Example :
-# ./add-readonly-user.sh example.org admin readonly readonly-password
-
-LDAP_DOMAIN=$1
-LDAP_ADMIN_PASSWORD=$2
-LDAP_READONLY_USERNAME=$3
-LDAP_READONLY_PASSWORD=$4
-
-function get_ldap_base_dn() {
-  LDAP_BASE_DN=""
-  IFS='.' read -ra LDAP_BASE_DN_TABLE <<< "$LDAP_DOMAIN"
-  for i in "${LDAP_BASE_DN_TABLE[@]}"; do
-    EXT="dc=$i,"
-    LDAP_BASE_DN=$LDAP_BASE_DN$EXT
-  done
-
-  LDAP_BASE_DN=${LDAP_BASE_DN::-1}
-}
-
-get_ldap_base_dn
-LDAP_READONLY_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_READONLY_PASSWORD)
-sed -i "s|{{ LDAP_READONLY_USERNAME }}|${LDAP_READONLY_USERNAME}|g" /container/service/slapd/assets/config/readonly-user/readonly-user.ldif
-sed -i "s|{{ LDAP_READONLY_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_PASSWORD_ENCRYPTED}|g" /container/service/slapd/assets/config/readonly-user/readonly-user.ldif
-sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/readonly-user/readonly-user.ldif
-
-sed -i "s|{{ LDAP_READONLY_USERNAME }}|${LDAP_READONLY_USERNAME}|g" /container/service/slapd/assets/config/readonly-user/readonly-user-acl.ldif
-sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/readonly-user/readonly-user-acl.ldif
-
-ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f /container/service/slapd/assets/config/readonly-user/readonly-user.ldif
-ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/readonly-user/readonly-user-acl.ldif

+ 1 - 1
image/service/slapd/assets/config/readonly-user/readonly-user-acl.ldif → image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif

@@ -4,4 +4,4 @@ delete: olcAccess
 -
 add: olcAccess
 olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by anonymous auth by * none
-olcAccess: to * by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by dn="cn={{ LDAP_READONLY_USERNAME }},{{ LDAP_BASE_DN }}" read by * none
+olcAccess: to * by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by dn="cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}" read by * none

+ 7 - 0
image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif

@@ -0,0 +1,7 @@
+dn: cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}
+changetype: add
+cn: {{ LDAP_READONLY_USER_USERNAME }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+userPassword: {{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}
+description: LDAP read only user

+ 0 - 7
image/service/slapd/assets/config/readonly-user/readonly-user.ldif

@@ -1,7 +0,0 @@
-dn: cn={{ LDAP_READONLY_USERNAME }},{{ LDAP_BASE_DN }}
-changetype: add
-cn: {{ LDAP_READONLY_USERNAME }}
-objectClass: simpleSecurityObject
-objectClass: organizationalRole
-userPassword: {{ LDAP_READONLY_PASSWORD_ENCRYPTED }}
-description: LDAP read only user

+ 24 - 3
image/service/slapd/container-start.sh

@@ -104,7 +104,7 @@ EOF
 
   # start OpenLDAP
   echo "Starting openldap..."
-  slapd -h "ldapi:///" -u openldap -g openldap
+  slapd -h "ldap://localhost ldapi:///" -u openldap -g openldap
   echo "[ok]"
 
   # set bootstrap config part 2
@@ -142,12 +142,33 @@ EOF
     get_ldap_base_dn
     sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
 
-    # process config files
-    for f in $(find /container/service/slapd/assets/config/bootstrap/ldif  -name \*.ldif -type f | sort); do
+    # process config files in bootstrap directory (do no process files in subdirectories)
+    for f in $(find /container/service/slapd/assets/config/bootstrap/ldif  -name \*.ldif -mindepth 1 -maxdepth 1 -type f | sort); do
       echo "Processing file ${f}"
       ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $f
     done
 
+    # read only user
+    if [ "${LDAP_READONLY_USER,,}" == "true" ]; then
+
+      echo "Add read only user"
+
+      LDAP_READONLY_USER_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_READONLY_USER_PASSWORD)
+      sed -i "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
+      sed -i "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
+      sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
+
+      sed -i "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
+      sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
+
+      echo "Processing file /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif"
+      ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
+
+      echo "Processing file /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif"
+      ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
+
+    fi
+
   fi
 
   # tls config
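Review bot: The simple bind after `echo "Processing file .../readonly-user.ldif"` passes the admin password on the command line as `-w $LDAP_ADMIN_PASSWORD`, and `slappasswd -s $LDAP_READONLY_USER_PASSWORD` above it does the same with the read-only password, so both secrets are visible in the process list while those commands run, and both expansions are unquoted so a password containing whitespace is split into extra arguments. The new `ldap://localhost` listener in the first hunk appears to exist only to serve this one bind; binding over the existing socket with `ldapmodify -H ldapi:/// -D "cn=admin,${LDAP_BASE_DN}" -y "$pwfile" -f .../readonly-user.ldif`, where `$pwfile` is a `mktemp` file holding the password (written with `printf '%s'` so there is no trailing newline) and removed afterwards, keeps the password off argv and off the TCP socket, and `slappasswd -T "$pwfile"` does the same for the hash. Whether the plain `ldap://localhost` listener can then be dropped depends on whether anything else in the image relies on it, which is not visible here. On the `find` line, `-mindepth 1 -maxdepth 1` should precede `-name`, since GNU find warns when these global options follow a test. The enclosing `if` block that this read-only-user block sits in begins outside the hunk.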