
replication

ofreax 10 年之前
父节点
当前提交
b594287d50

+ 11 - 12
README.md

@@ -11,7 +11,7 @@ Add support of tls. Use docker 1.5.0
 ## Quick start
 Run OpenLDAP docker image :
 
-	docker run -d osixia/openldap
+	docker run -h ldap.example.org -d osixia/openldap
 
 This start a new container with a OpenLDAP server running inside.
 The odd string printed by this command is the `CONTAINER_ID`.
@@ -25,7 +25,7 @@ make sure to replace `CONTAINER_ID` by your container id :
 You should now be in the container terminal,
 and we can search on the ldap server :
 
-	ldapsearch -x -h 127.0.0.1 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
+	ldapsearch -x -h ldap.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
 
 This should output :
 
@@ -56,7 +56,7 @@ It will create an empty ldap for the compagny **Example Inc.** and the domain **
 
 By default the admin has the password **admin**. All those default settings can be changed at the docker command line, for example :
 
-	docker run -e LDAP_ORGANISATION="My Compagny" -e LDAP_DOMAIN="my-compagny.com" \
+	docker run -h ldap.example.org -e LDAP_ORGANISATION="My Compagny" -e LDAP_DOMAIN="my-compagny.com" \
 	-e LDAP_ADMIN_PASSWORD="JonSn0w" -d osixia/openldap
 
 #### Data persitance
@@ -77,7 +77,7 @@ Assuming you have a LDAP database on your docker host in the directory `/data/sl
 and the corresponding LDAP config files on your docker host in the directory `/data/slapd/config`
 simply mount this directories as a volume to `/var/lib/ldap` and `/etc/ldap/slapd.d`:
 
-	docker run -v /data/slapd/database:/var/lib/ldap \
+	docker run -h ldap.example.org -v /data/slapd/database:/var/lib/ldap \
 	-v /data/slapd/config:/etc/ldap/slapd.d
 	-d osixia/openldap
 
@@ -87,9 +87,9 @@ You can also use data volume containers. Please refer to :
 ### Using TLS
 
 #### Use autogenerated certificate
-By default TLS is enable, a certificate is created for the CN (common name) ldap.example.org. To work properly on your server adjust SERVER_NAME environment variable to match the ldap server CN.
+By default TLS is enable, a certificate is created with the container hostname eg: ldap.example.org.
 
-	docker run -e SERVER_NAME=ldap.my-compagny.com -d osixia/openldap
+	docker run -h ldap.example.org -e SERVER_NAME=ldap.my-compagny.com -d osixia/openldap
 
 #### Use your own certificate
 
@@ -97,7 +97,7 @@ Add your custom certificate, private key and CA certificate in the directory **i
 
 Or you can set your custom certificate at run time, by mouting a directory containing thoses files to **/osixia/slapd/assets/ssl** and adjust there name with the following environment variables :
 
-	docker run -v /path/to/certifates:/osixia/slapd/assets/ssl \
+	docker run -h ldap.example.org -v /path/to/certifates:/osixia/slapd/assets/ssl \
 	-e SSL_CRT_FILENAME=my-ldap.crt \
 	-e SSL_KEY_FILENAME=my-ldap.key \
 	-e SSL_CA_CRT_FILENAME=the-ca.crt \
@@ -106,7 +106,7 @@ Or you can set your custom certificate at run time, by mouting a directory conta
 #### Disable TLS
 Add -e USE_TLS=false to the run command :
 
-	docker run -e USE_TLS=false -d osixia/openldap
+	docker run -h ldap.example.org  -e USE_TLS=false -d osixia/openldap
 
 ## Administrate your ldap server
 If you are looking for a simple solution to administrate your ldap server you can take a look at our phpLDAPadmin docker image :
@@ -129,18 +129,17 @@ TLS options :
 - **SSL_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
 - **SSL_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
 - **SSL_CA_CRT_FILENAME**: Ldap ssl CA certificate  filename. Defaults to `ca.crt`
-- **SERVER_NAME**: Use by autogenerated certificate: Server CN. Defaults to `ldap.example.org`
 
 ### Set environment variables at run time :
 
 Environment variable can be set directly by adding the -e argument in the command line, for example :
 
-	docker run -e LDAP_ORGANISATION="My Compagny" -e LDAP_DOMAIN="my-compagny.com" \
+	docker run -h ldap.example.org -e LDAP_ORGANISATION="My Compagny" -e LDAP_DOMAIN="my-compagny.com" \
 	-e LDAP_ADMIN_PASSWORD="JonSn0w" -d osixia/openldap
 
 Or by setting your own `env.yml` file as a docker volume to `/etc/env.yml`
 
-	docker run -v /data/my-ldap-env.yml:/etc/env.yml \
+	docker run -h ldap.example.org -v /data/my-ldap-env.yml:/etc/env.yml \
 	-d osixia/openldap
 
 ## Manual build
@@ -165,7 +164,7 @@ Build your image :
 
 Run your image :
 
-	docker run -d billy-the-king/openldap:0.1.0
+	docker run -h ldap.example.org -d billy-the-king/openldap:0.1.0
 
 ## Tests
 

+ 1 - 1
image/Dockerfile

@@ -13,7 +13,7 @@ RUN apt-get -y update && /sbin/enable-service ssl-kit \
 	slapd ldap-utils ntp \
 	&& rm -rf /var/lib/ldap /etc/ldap/slapd.d
 
-# Add services to /osixia
+# Add service directory to /osixia
 ADD service /osixia
 
 # Use baseimage service auto-install script and clean all

+ 3 - 3
image/env.yml

@@ -13,14 +13,14 @@ SSL_CA_CRT_FILENAME: ca.crt
 
 
 USE_REPLICATION: false
-# variables $BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD
+# variables $BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD and $SSL_*
 # are automaticaly replaced at run time
 
 # if you want to add replication to an existing ldap
 # adapt REPLICATION_CONFIG_SYNCPROV and REPLICATION_HDB_SYNCPROV to your configuration
 # avoid using $BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
-REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
+REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical
+REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1  starttls=critical
 REPLICATION_HOSTS:
   - ldap://ldap.example.org # The order must be the same on all ldap servers
   - ldap://ldap2.example.org
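Review bot: `starttls=critical` on both syncrepl lines forces TLS but leaves certificate verification to whatever libldap defaults the consumer picks up, because neither line carries the `tls_reqcert`, `tls_cacert`, `tls_cert` or `tls_key` syncrepl keywords. Whether the slapd-side consumer honours the `TLS_REQCERT demand` this commit appends to /etc/ldap/ldap.conf cannot be confirmed from here, and with `olcTLSVerifyClient: demand` now on the provider side the consumer must also present a client certificate. The updated comment says `$SSL_*` is substituted at run time, which suggests these were meant to be added, e.g. `... starttls=critical tls_reqcert=demand tls_cacert=/osixia/slapd/assets/ssl/$SSL_CA_CRT_FILENAME tls_cert=/osixia/slapd/assets/ssl/$SSL_CRT_FILENAME tls_key=/osixia/slapd/assets/ssl/$SSL_KEY_FILENAME` on each line. The double space before the second `starttls=critical` is harmless but worth tidying.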

+ 0 - 8
image/service/slapd/assets/config/replication/backup/repl-bdd-disable.ldif

@@ -1,8 +0,0 @@
-dn: olcDatabase={1}hdb,cn=config
-changetype: modify
-delete: olcSyncRepl
--
-delete: olcMirrorMode
-
-dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
-changetype: delete

+ 0 - 14
image/service/slapd/assets/config/replication/backup/repl-bdd-enable.ldif

@@ -1,14 +0,0 @@
-dn: olcDatabase={1}hdb,cn=config
-changetype: modify
-add: olcSyncRepl
-olcSyncRepl: rid=003 provider=ldap://ldap1.example.org binddn="cn=replicator,ou=Admins,dc=example,dc=org" bindmethod=simple credentials=Secret123 searchbase="dc=example,dc=org" type=refreshAndPersist retry="5 5 5 +" timeout=3 attrs="*,+"
-olcSyncRepl: rid=004 provider=ldap://ldap2.example.org binddn="cn=replicator,ou=Admins,dc=example,dc=org" bindmethod=simple credentials=Secret123 searchbase="dc=example,dc=org" type=refreshAndPersist retry="5 5 5 +" timeout=3 attrs="*,+"
--
-add: olcMirrorMode
-olcMirrorMode: TRUE
-
-dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
-changetype: add
-objectClass: olcOverlayConfig
-objectClass: olcSyncProvConfig
-olcOverlay: syncprov

+ 0 - 15
image/service/slapd/assets/config/replication/backup/repl-config-disable.ldif

@@ -1,15 +0,0 @@
-#Specify ServerID for both the masters
-dn: cn=config
-changetype: modify
-delete: olcServerID
-
-#Enable Syncprov Overlay for config database
-dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
-changetype: delete
-
-#Configure SyncRepl for config database
-dn: olcDatabase={0}config,cn=config
-changetype: modify
-delete: olcSyncRepl
--
-delete: olcMirrorMode

+ 0 - 23
image/service/slapd/assets/config/replication/backup/repl-config-enable.ldif

@@ -1,23 +0,0 @@
-#Specify ServerID for both the masters
-dn: cn=config
-changetype: modify
-add: olcServerID
-olcServerID: 101 ldap://ldap1.example.org
-olcServerID: 201 ldap://ldap2.example.org
-
-#Enable Syncprov Overlay for config database
-dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
-changetype: add
-objectclass: olcOverlayConfig
-objectclass: olcSyncProvConfig
-olcOverlay: syncprov
-
-#Configure SyncRepl for config database
-dn: olcDatabase={0}config,cn=config
-changetype: modify
-add: olcSyncRepl
-olcSyncRepl: rid=001 provider=ldap://ldap1.example.org binddn="cn=admin,cn=config" bindmethod=simple credentials=config searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 attrs="*,+"
-olcSyncRepl: rid=002 provider=ldap://ldap2.example.org binddn="cn=admin,cn=config" bindmethod=simple credentials=config searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 attrs="*,+"
--
-add: olcMirrorMode
-olcMirrorMode: TRUE

+ 0 - 4
image/service/slapd/assets/config/replication/backup/repl-enable.ldif

@@ -1,4 +0,0 @@
-dn: cn=module,cn=config
-objectClass: olcModuleList
-cn: module
-olcModuleLoad: syncprov.la

+ 0 - 76
image/service/slapd/assets/config/replication/backup/repl-module-enable.ldif

@@ -1,76 +0,0 @@
-# add replicator user
-dn: $REPLICATOR_DN
-cn: replicator
-sn: user
-objectClass: person
-userPassword: $REPLICATOR_PASSWORD
-
-# sets up the config database
-dn: cn=config
-objectClass: olcGlobal
-cn: config
-olcServerID: $SERVER_ID ldap://$SERVER_NAME
-
-# sets up syncrepl as a provider
-dn: cn=module,cn=config
-objectClass: olcModuleList
-cn: module
-olcModuleLoad: syncprov.la
-
-dn: cn=config
-changetype: modify
-replace: olcServerID
-olcServerID: 1 $URI1
-olcServerID: 2 $URI2
-olcServerID: 3 $URI3
-
-dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
-changetype: add
-objectClass: olcOverlayConfig
-objectClass: olcSyncProvConfig
-olcOverlay: syncprov
-
-dn: olcDatabase={0}config,cn=config
-changetype: modify
-add: olcSyncRepl
-olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
- credentials=secret searchbase="cn=config" type=refreshAndPersist
- retry="5 5 300 5" timeout=1
-
-olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
- credentials=secret searchbase="cn=config" type=refreshAndPersist
- retry="5 5 300 5" timeout=1
-
-olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
- credentials=secret searchbase="cn=config" type=refreshAndPersist
- retry="5 5 300 5" timeout=1
--
-add: olcMirrorMode
-olcMirrorMode: TRUE
-
-
-dn: olcDatabase={1}$BACKEND,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olc${BACKEND}Config
-olcDatabase: {1}$BACKEND
-olcSuffix: $BASEDN
-olcDbDirectory: ./db
-olcRootDN: $MANAGERDN
-olcRootPW: $PASSWD
-olcLimits: dn.exact="$MANAGERDN" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple
- credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
- interval=00:00:00:10 retry="5 5 300 5" timeout=1
-olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple
- credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
- interval=00:00:00:10 retry="5 5 300 5" timeout=1
-olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple
- credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
- interval=00:00:00:10 retry="5 5 300 5" timeout=1
-olcMirrorMode: TRUE
-
-dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
-changetype: add
-objectClass: olcOverlayConfig
-objectClass: olcSyncProvConfig
-olcOverlay: syncprov

+ 0 - 2
image/service/slapd/assets/config/replication/backup/repl-user-disable.ldif

@@ -1,2 +0,0 @@
-dn: cn=replicator,dc=example,dc=org
-changetype: delete

+ 0 - 8
image/service/slapd/assets/config/replication/backup/repl-user-enable.ldif

@@ -1,8 +0,0 @@
-dn: cn=replicator,dc=example,dc=org
-changetype: add
-objectClass: top
-objectClass: person
-cn: synchronisator
-sn: synchronisator
-description: LDAP synchronisator
-userPassword: {SSHA}hAUGoGZEFAyJnZg/Q/aTWGnpdDv9edCh

+ 0 - 74
image/service/slapd/assets/config/replication/backup/replication-enable.ldif

@@ -1,74 +0,0 @@
-
-# Add indexes
-dn: olcDatabase={1}hdb,cn=config
-changetype:  modify
-replace: olcDbIndex
-olcDbIndex: entryCSN eq
-olcDbIndex: entryUUID eq
-
-
-# Add indexes to the frontend db.
-dn: olcDatabase={1}hdb,cn=config
-changetype: modify
-add: olcDbIndex
-olcDbIndex: entryCSN eq
--
-add: olcDbIndex
-olcDbIndex: entryUUID eq
--
-add: olcSyncRepl
-olcSyncRepl: rid=0 provider=ldap://ldap01.exemple.com bindmethod=simple binddn="cn=admin,dc=exemple,dc=com"
- credentials=secret searchbase="dc=exemple,dc=com" logbase="cn=accesslog"
- logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
- type=refreshAndPersist retry="60 +" syncdata=accesslog
--
-add: olcMirrorMode
-olcMirrorMode: TRUE
-
-#Load the syncprov and accesslog modules.
-dn: cn=module{0},cn=config
-changetype: modify
-add: olcModuleLoad
-olcModuleLoad: syncprov
--
-add: olcModuleLoad
-olcModuleLoad: accesslog
-
-# Accesslog database definitions
-dn: olcDatabase={2}hdb,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcHdbConfig
-olcDatabase: {2}hdb
-olcDbDirectory: /var/lib/ldap/accesslog
-olcSuffix: cn=accesslog
-olcRootDN: cn=admin,dc=example,dc=com
-olcDbIndex: default eq
-olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
-
-# Accesslog db syncprov.
-dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
-changetype: add
-objectClass: olcOverlayConfig
-objectClass: olcSyncProvConfig
-olcOverlay: syncprov
-olcSpNoPresent: TRUE
-olcSpReloadHint: TRUE
-
-# syncrepl Provider for primary db
-dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
-changetype: add
-objectClass: olcOverlayConfig
-objectClass: olcSyncProvConfig
-olcOverlay: syncprov
-olcSpNoPresent: TRUE
-
-# accesslog overlay definitions for primary db
-dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
-objectClass: olcOverlayConfig
-objectClass: olcAccessLogConfig
-olcOverlay: accesslog
-olcAccessLogDB: cn=accesslog
-olcAccessLogOps: writes
-olcAccessLogSuccess: TRUE
-# scan the accesslog DB every day, and purge entries older than 7 days
-olcAccessLogPurge: 07+00:00 01+00:00

+ 0 - 0
image/service/slapd/assets/config/replication/repl-disable.ldif


+ 26 - 0
image/service/slapd/assets/config/replication/replication-disable.ldif

@@ -0,0 +1,26 @@
+# Delete sync replication on hdb
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+delete: olcSyncRepl
+-
+delete: olcMirrorMode
+
+# Delete syncprov on hdb
+dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
+changetype: delete
+
+# Delete sync replication on config
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+delete: olcSyncRepl
+-
+delete: olcMirrorMode
+
+# Delete syncprov on config
+dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
+changetype: delete
+
+# Delete server ID
+dn: cn=config
+changeType: modify
+delete: olcServerID
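Review bot: The last entry writes `changeType: modify` while every other entry in the file writes `changetype: modify`; LDIF attribute names are case-insensitive so both are accepted, but one spelling keeps grep- or sed-based templating predictable, so `changetype: modify`. A header comment stating the precondition would also help: `delete: olcSyncRepl` and `delete: olcMirrorMode` are rejected with noSuchAttribute when replication was never enabled on that database, so the caller presumably has to apply this only after the matching enable LDIF, which is not in this diff.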

+ 1 - 1
image/service/slapd/assets/config/tls/tls-enable.ldif

@@ -16,4 +16,4 @@ replace: olcTLSDHParamFile
 olcTLSDHParamFile: /osixia/slapd/assets/ssl/dhparam.pem
 -
 replace: olcTLSVerifyClient
-olcTLSVerifyClient: never
+olcTLSVerifyClient: demand
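Review bot: `olcTLSVerifyClient: demand` makes slapd reject every TLS session whose peer does not present a certificate that chains to the configured CA, which is a behaviour change for all TLS clients, not only replication peers, and nothing in this commit documents it. The README hunks only add `-h ldap.example.org`; the `ldapsearch -x -h ...` examples still work because they do not start TLS, but any `-ZZ` client or the phpLDAPadmin image the README points to now needs a client certificate signed by the same CA. Consider stating this in the "Using TLS" section of README.md and making the value templated the way `{{ CONFIG_PASSWORD_ENCRYPTED }}` is substituted in container-start.sh, so operators can choose `never`, `allow`, `try` or `demand` without editing the LDIF. The entries this LDIF modifies begin outside the hunk.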

+ 8 - 2
image/service/slapd/container-start.sh

@@ -138,7 +138,7 @@ EOF
       fi
     done
 
-    # adapt config password
+    # set config password
     CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_CONFIG_PASSWORD)
     sed -i "s|{{ CONFIG_PASSWORD_ENCRYPTED }}|$CONFIG_PASSWORD_ENCRYPTED|g" /osixia/slapd/assets/config/bootstrap/ldif/config-password.ldif
 
@@ -175,8 +175,14 @@ EOF
     echo "export PREVIOUS_SSL_KEY_FILENAME=${SSL_KEY_FILENAME}" >> $WAS_STARTED_WITH_TLS
     chmod +x $WAS_STARTED_WITH_TLS
 
-    # local ldap tls client config
+    # ldap client config
     sed -i "s,TLS_CACERT.*,TLS_CACERT /osixia/slapd/assets/ssl/${SSL_CA_CRT_FILENAME},g" /etc/ldap/ldap.conf
+    echo "TLS_REQCERT demand" >> /etc/ldap/ldap.conf
+
+    [[ -f "$HOME/.ldaprc" ]] && rm -f $HOME/.ldaprc
+    touch $HOME/.ldaprc
+    echo "TLS_CERT /osixia/slapd/assets/ssl/${SSL_CRT_FILENAME}" >> $HOME/.ldaprc
+    echo "TLS_KEY /osixia/slapd/assets/ssl/${SSL_KEY_FILENAME}" >> $HOME/.ldaprc
 
   else
 
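Review bot: `echo "TLS_REQCERT demand" >> /etc/ldap/ldap.conf` appends unconditionally on every start, unlike the `sed -i` used for TLS_CACERT on the line above, so a restarted container accumulates duplicate directives and a pre-existing TLS_REQCERT line in the file is never replaced. A check-then-append keeps it idempotent: `grep -q '^TLS_REQCERT' /etc/ldap/ldap.conf || echo "TLS_REQCERT demand" >> /etc/ldap/ldap.conf`, or a sed replacement matching the TLS_CACERT line. The `[[ -f ... ]] && rm -f` plus `touch` pair can be the single `rm -f "$HOME/.ldaprc"` (the following `>>` creates the file), and `$HOME` should be quoted throughout. Pointing TLS_KEY at the server's own private key means every ldap client run as this user authenticates with the server identity; that is presumably intended for the container's own tooling and deserves a one-line comment saying so. The enclosing if block begins outside the hunk.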

+ 2 - 0
image/service/test/add-host.sh

@@ -0,0 +1,2 @@
+#!/bin/bash -e
+echo $@ >> /etc/hosts
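Review bot: `echo $@ >> /etc/hosts` word-splits and glob-expands its arguments before writing; `echo "$@" >> /etc/hosts` keeps them intact. Because the Dockerfile in this commit does `ADD service /osixia`, this helper and new-user.ldif (which carries a password hash) appear to ship inside the image under /osixia/test rather than being mounted only during tests; if that is not intended, keep test assets out of `image/service`. A short header comment, e.g. `# test-only helper: appends "<ip> <hostname>" to /etc/hosts inside a throwaway container`, would make the scope clear, since nothing validates what is appended.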

+ 14 - 0
image/service/test/new-user.ldif

@@ -0,0 +1,14 @@
+dn: uid=billy,dc=example,dc=org
+uid: billy
+cn: billy
+sn: 3
+objectClass: top
+objectClass: posixAccount
+objectClass: inetOrgPerson
+loginShell: /bin/bash
+homeDirectory: /home/billy
+uidNumber: 14583102
+gidNumber: 14564100
+userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
+mail: [email protected]
+gecos: Billy User

+ 48 - 1
test/test.bats

@@ -44,7 +44,7 @@ load test_helper
 }
 
 @test "ldapsearch existing database and config" {
-
+skip
   run_image -h ldap.example.org -e USE_TLS=false -v $BATS_TEST_DIRNAME/database:/var/lib/ldap -v $BATS_TEST_DIRNAME/config:/etc/ldap/slapd.d
   wait_service slapd
   run docker exec $CONTAINER_ID ldapsearch -x -h ldap.example.org -b dc=osixia,dc=net -D "cn=admin,dc=osixia,dc=net" -w admin
@@ -55,3 +55,50 @@ load test_helper
   [ "$status" -eq 0 ]
 
 }
+
+
+@test "replication with new databases and strict TLS" {
+
+  tmp_file="$BATS_TMPDIR/docker-test"
+
+  # replication ldap server
+  LDAP_REPL_CID=$(docker run -h ldap2.example.org -e USE_REPLICATION=true -d $IMAGE_NAME)
+  LDAP_REPL_IP=$(get_container_ip_by_cid $LDAP_REPL_CID)
+
+  # ldap server
+  run_image -h ldap.example.org -e USE_REPLICATION=true
+
+  # add route to hosts
+  docker exec $LDAP_REPL_CID /osixia/test/add-host.sh $CONTAINER_IP ldap.example.org
+  docker exec $CONTAINER_ID /osixia/test/add-host.sh $LDAP_REPL_IP ldap2.example.org
+
+  # wait services on both servers
+  wait_service slapd
+  wait_service_by_cid $LDAP_REPL_CID slapd
+
+  # restart slapd
+  docker exec $LDAP_REPL_CID pkill slapd
+  docker exec $CONTAINER_ID pkill slapd
+
+  # wait services on both servers
+  wait_service slapd
+  wait_service_by_cid $LDAP_REPL_CID slapd
+
+  # add user on ldap2.example.org
+  docker exec $LDAP_REPL_CID ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /osixia/test/new-user.ldif -h ldap2.example.org -ZZ
+
+  sleep 5
+
+  # search user on ldap.example.org
+  docker exec $CONTAINER_ID ldapsearch -x -h ldap.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -ZZ >> $tmp_file
+  run grep -c "billy" $tmp_file
+
+  rm $tmp_file
+  clear_container
+
+  clear_containers_by_cid $LDAP_REPL_CID
+
+  [ "$status" -eq 0 ]
+  [ "$output" = "6" ]
+
+}
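Review bot: The `skip` added at the top of "ldapsearch existing database and config" disables that test with no reason recorded; bats accepts `skip "reason"`, so something like `skip "existing-database fixture does not yet work with TLS client verification"` (or whatever the actual cause is) keeps the intent visible. In the new test, `>> $tmp_file` appends, and `rm $tmp_file` only runs on the success path, so a file left by an earlier aborted run skews `grep -c "billy"`; `>` is the safer operator. Likewise `clear_container` and `clear_containers_by_cid` run only if every preceding command succeeds, so a failed `ldapadd` or `ldapsearch` presumably leaks both containers unless test_helper (outside this diff) has a teardown; the fixed `sleep 5` for syncrepl to converge is a likely source of flakiness and could be a short polling loop on the search result.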