
Merge branch 'hotfix-1.0.1' into stable

ofreax 10 éve
szülő
commit
b6586860dd

+ 11 - 0
CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## 1.0.1
+  - Upgrade baseimage: osixia/light-baseimage:0.1.1
+  - Rename environment variables
+
+  - Fixes :
+    - OpenLdap container won't start when dhparam.pem is missing in bound volume #13
+
+## 1.0.0
+  - Use light-baseimage
+  - Improve documentation
+
 ## 0.10.2
 
   - New features:

+ 1 - 1
Makefile

@@ -1,5 +1,5 @@
 NAME = osixia/openldap
-VERSION = 1.0.0
+VERSION = 1.0.1
 
 .PHONY: all build test tag_latest release
 

+ 30 - 23
README.md

@@ -84,7 +84,7 @@ simply mount this directories as a volume to `/var/lib/ldap` and `/etc/ldap/slap
 You can also use data volume containers. Please refer to :
 > [https://docs.docker.com/userguide/dockervolumes/](https://docs.docker.com/userguide/dockervolumes/)
 
-### Using TLS
+### TLS
 
 #### Use autogenerated certificate
 By default TLS is enable, a certificate is created with the container hostname (it can be set by docker run -h option eg: ldap.example.org).
@@ -93,37 +93,36 @@ By default TLS is enable, a certificate is created with the container hostname (
 
 #### Use your own certificate
 
-Add your custom certificate, private key and CA certificate in the directory **image/service/slapd/assets/ssl** adjust filename in **image/env.yaml** and rebuild the image ([see manual build](#manual-build)).
+Add your custom certificate, private key and CA certificate in the directory **image/service/slapd/assets/certs** adjust filename in **image/env.yaml** and rebuild the image ([see manual build](#manual-build)).
 
-Or you can set your custom certificate at run time, by mouting a directory containing thoses files to **/container/service/slapd/assets/ssl** and adjust there name with the following environment variables :
+Or you can set your custom certificate at run time, by mouting a directory containing thoses files to **/container/service/slapd/assets/certs** and adjust there name with the following environment variables :
 
-	docker run -h ldap.example.org -v /path/to/certifates:/container/service/slapd/assets/ssl \
-	-e SSL_CRT_FILENAME=my-ldap.crt \
-	-e SSL_KEY_FILENAME=my-ldap.key \
-	-e SSL_CA_CRT_FILENAME=the-ca.crt \
+	docker run -h ldap.example.org -v /path/to/certifates:/container/service/slapd/assets/certs \
+	-e LDAP_TLS_CRT_FILENAME=my-ldap.crt \
+	-e LDAP_TLS_KEY_FILENAME=my-ldap.key \
+	-e LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \
 	-d osixia/openldap
 
 #### Disable TLS
-Add -e USE_TLS=false to the run command :
+Add -e LDAP_TLS=false to the run command :
 
-	docker run -e USE_TLS=false -d osixia/openldap
+	docker run -e LDAP_TLS=false -d osixia/openldap
 
 ### Multi master replication
 Quick example, with the default config.
 
 	#Create the first ldap server, save the container id in LDAP_CID and get its IP:
-	LDAP_CID=$(docker run -h ldap.example.org -e USE_REPLICATION=true -d osixia/openldap)
+	LDAP_CID=$(docker run -h ldap.example.org -e LDAP_REPLICATION=true -d osixia/openldap)
 	LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID)
 
 	#Create the second ldap server, save the container id in LDAP2_CID and get its IP:
-	LDAP2_CID=$(docker run -h ldap2.example.org -e USE_REPLICATION=true -d osixia/openldap)
+	LDAP2_CID=$(docker run -h ldap2.example.org -e LDAP_REPLICATION=true -d osixia/openldap)
 	LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID)
 
 	#Add the pair "ip hostname" to /etc/hosts on each containers,
 	#beacause ldap.example.org and ldap2.example.org are fake hostnames
-	docker exec $LDAP_CID /sbin/add-host $LDAP2_IP ldap2.example.org
-	docker exec $LDAP2_CID /sbin/add-host $LDAP_IP ldap.example.org
-
+	docker exec $LDAP_CID bash -c "echo $LDAP2_IP ldap2.example.org >> /etc/hosts"
+	docker exec $LDAP2_CID bash -c "echo $LDAP_IP ldap.example.org >> /etc/hosts"
 
 That's it ! But a litle test to be sure :
 
@@ -151,7 +150,7 @@ Search on the second ldap server, and billy should show up !
 If you are looking for a simple solution to administrate your ldap server you can take a look at our phpLDAPadmin docker image :
 > [osixia/phpldapadmin](https://github.com/osixia/docker-phpLDAPadmin)
 
-## Backups
+## Backup
 A simple solution to backup your ldap server, our openldap-backup docker image :
 > [osixia/openldap-backup](https://github.com/osixia/docker-openldap-backup)
 
@@ -167,18 +166,26 @@ Required and used for new ldap server only :
 - **LDAP_DOMAIN**: Ldap domain. Defaults to `example.org`
 - **LDAP_ADMIN_PASSWORD** Ldap Admin password. Defaults to `admin`
 - **LDAP_CONFIG_PASSWORD** Ldap Config password. Defaults to `config`
+ 
+- **LDAP_READONLY_USER** Add a read only user. Defaults to `false`
+- **LDAP_READONLY_USER_USERNAME** Read only user username. Defaults to `readonly`
+- **LDAP_READONLY_USER_PASSWORD** Read only user password. Defaults to `readonly`
 
 TLS options :
-- **USE_TLS**: Add openldap TLS capabilities. Defaults to `true`
-- **SSL_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
-- **SSL_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
-- **SSL_CA_CRT_FILENAME**: Ldap ssl CA certificate  filename. Defaults to `ca.crt`
+- **LDAP_TLS**: Add openldap TLS capabilities. Defaults to `true`
+- **LDAP_TLS_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
+- **LDAP_TLS_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
+- **LDAP_TLS_CA_CRT_FILENAME**: Ldap ssl CA certificate  filename. Defaults to `ca.crt`
 
 Replication options :
-- **USE_REPLICATION**: Add openldap replication capabilities. Defaults to `false`
-- **REPLICATION_CONFIG_SYNCPROV**: olcSyncRepl options used for the config database. Without **rid** and **provider** which are automaticaly added based on REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical`
-- **REPLICATION_HDB_SYNCPROV**: olcSyncRepl options used for the HDB database. Without **rid** and **provider** which are automaticaly added based on REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1  starttls=critical`
-- **REPLICATION_HOSTS**: list of replication hosts, must contains the current container hostname set by -h on docker run command. Defaults to `['ldap://ldap.example.org', 'ldap://ldap2.example.org']`
+- **LDAP_REPLICATION**: Add openldap replication capabilities. Defaults to `false`
+
+- **LDAP_REPLICATION_CONFIG_SYNCPROV**: olcSyncRepl options used for the config database. Without **rid** and **provider** which are automaticaly added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical`
+
+- **LDAP_REPLICATION_HDB_SYNCPROV**: olcSyncRepl options used for the HDB database. Without **rid** and **provider** which are automaticaly added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1  starttls=critical`
+
+
+- **LDAP_REPLICATION_HOSTS**: list of replication hosts, must contains the current container hostname set by -h on docker run command. Defaults to `['ldap://ldap.example.org', 'ldap://ldap2.example.org']`
 
 ### Set environment variables at run time :
 

+ 1 - 1
image/Dockerfile

@@ -1,4 +1,4 @@
-FROM osixia/light-baseimage:0.1.0
+FROM osixia/light-baseimage:0.1.1
 MAINTAINER Bertrand Gouny <[email protected]>
 
 # Use baseimage's init system.

+ 21 - 14
image/env.yaml

@@ -1,26 +1,33 @@
+# General container configuration
+# see table 5.1 in http://www.openldap.org/doc/admin24/slapdconf2.html for the available log levels.
+LDAP_LOG_LEVEL: 256
+
+# Required and used for new ldap server only
 LDAP_ORGANISATION: Example Inc.
 LDAP_DOMAIN: example.org
 LDAP_ADMIN_PASSWORD: admin
 LDAP_CONFIG_PASSWORD: config
 
-#See table 5.1 in http://www.openldap.org/doc/admin24/slapdconf2.html for the available log levels.
-LDAP_LOG_LEVEL: 256
-
-USE_TLS: true
-SSL_CRT_FILENAME: ldap.crt
-SSL_KEY_FILENAME: ldap.key
-SSL_CA_CRT_FILENAME: ca.crt
+LDAP_READONLY_USER: false
+LDAP_READONLY_USER_USERNAME: readonly
+LDAP_READONLY_USER_PASSWORD: readonly
 
+# Tls
+LDAP_TLS: true
+LDAP_TLS_CRT_FILENAME: ldap.crt
+LDAP_TLS_KEY_FILENAME: ldap.key
+LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
-USE_REPLICATION: false
-# variables $BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD
+# Replication
+LDAP_REPLICATION: false
+# variables $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD
 # are automaticaly replaced at run time
 
 # if you want to add replication to an existing ldap
-# adapt REPLICATION_CONFIG_SYNCPROV and REPLICATION_HDB_SYNCPROV to your configuration
-# avoid using $BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
-REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical
-REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1  starttls=critical
-REPLICATION_HOSTS:
+# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_HDB_SYNCPROV to your configuration
+# avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
+LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical
+LDAP_REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=critical
+LDAP_REPLICATION_HOSTS:
   - ldap://ldap.example.org # The order must be the same on all ldap servers
   - ldap://ldap2.example.org
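Review bot: `LDAP_READONLY_USER_PASSWORD: readonly` (with `LDAP_READONLY_USER_USERNAME: readonly`) is baked into the image as a default and published in the README, so switching `LDAP_READONLY_USER: true` without also overriding the password yields a well-known credential with read access to the whole directory. The same is already true of `LDAP_ADMIN_PASSWORD`/`LDAP_CONFIG_PASSWORD`, but a comment next to the new keys would at least flag it: `# default is documented publicly; always override LDAP_READONLY_USER_PASSWORD at run time`. Separately, the renames (`USE_TLS`→`LDAP_TLS`, `SSL_*`→`LDAP_TLS_*`, `USE_REPLICATION`→`LDAP_REPLICATION`) carry no fallback for the old names, so a deployment still passing `-e SSL_CRT_FILENAME=...` now silently falls back to the default `ldap.crt`, which the start script's ssl-helper then creates (per its own comment) instead of using the mounted certificate; the 1.0.1 changelog line `Rename environment variables` could say so explicitly.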

+ 2 - 0
image/service/slapd/assets/certs/README.md

@@ -0,0 +1,2 @@
+Add your tls server certificate, key and the CA certificate (if any) here
+or during docker run mount a data volume with thoses files to /container/service/slapd/assets/certs

+ 0 - 0
image/service/slapd/assets/ssl/dhparam.pem → image/service/slapd/assets/certs/dhparam.pem


+ 1 - 1
image/service/slapd/assets/config/bootstrap/ldif/01-config-password.ldif

@@ -4,4 +4,4 @@ changeType: modify
 
 dn: olcDatabase={0}config,cn=config
 add: olcRootPW
-olcRootPW: {{ CONFIG_PASSWORD_ENCRYPTED }}
+olcRootPW: {{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}

+ 3 - 9
image/service/slapd/assets/config/bootstrap/ldif/02-security.ldif

@@ -1,13 +1,7 @@
-dn: olcDatabase={1}hdb,cn=config 
+dn: olcDatabase={1}hdb,cn=config
 changetype: modify
 delete: olcAccess
 -
 add: olcAccess
-olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
--
-add: olcAccess
-olcAccess: {1}to dn.base="" by * read
--
-add: olcAccess
-olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=org" write by * none
--
+olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by anonymous auth by * none
+olcAccess: to * by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by * none
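Review bot: The rewritten ACL set drops the `{1}to dn.base="" by * read` rule the old file carried, and neither the 1.0.1 changelog entry nor the commit title mentions it. Whether that rule had any effect from inside the `{1}hdb` database ACL is not clear from here (root DSE access is normally governed by the frontend database), so this may well be a harmless cleanup, but anonymous clients that previously read the root DSE should be rechecked. If the drop is intentional, a comment such as `# no root DSE rule here on purpose: root DSE access is not governed by this database ACL` would stop it being re-added later. The same two rules are duplicated verbatim in readonly-user-acl.ldif (which replaces this set when the read-only user is enabled), so any later change here must be mirrored there.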

+ 2 - 0
image/service/slapd/assets/config/bootstrap/ldif/04-index.ldif

@@ -3,6 +3,8 @@ dn: olcDatabase={1}hdb,cn=config
 changetype:  modify
 replace: olcDbIndex
 olcDbIndex: uid eq
+olcDbIndex: mail eq
 olcDbIndex: memberOf eq
 olcDbIndex: entryCSN eq
 olcDbIndex: entryUUID eq
+olcDbIndex: objectClass eq

+ 7 - 0
image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif

@@ -0,0 +1,7 @@
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+delete: olcAccess
+-
+add: olcAccess
+olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by anonymous auth by * none
+olcAccess: to * by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by dn="cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}" read by * none
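Review bot: The two rules are order-sensitive and nothing in the file says so: the first rule matches `userPassword`/`shadowLastChange` and ends with `by * none`, which is what keeps the read-only user from reading password hashes, while only the second rule grants it `read`. A header comment would make that contract explicit, e.g. `# Replaces the whole olcAccess set of ../02-security.ldif; keep in sync with it.` followed by `# Rule order matters: the first rule deliberately gives the read-only user no access to userPassword/shadowLastChange.`. The `delete: olcAccess` also wipes any rule an operator may have added between first start and the read-only user being enabled, which is worth stating in the same comment.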

+ 7 - 0
image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif

@@ -0,0 +1,7 @@
+dn: cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}
+changetype: add
+cn: {{ LDAP_READONLY_USER_USERNAME }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+userPassword: {{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}
+description: LDAP read only user

+ 3 - 3
image/service/slapd/assets/config/replication/replication-enable.ldif

@@ -8,7 +8,7 @@ olcModuleLoad: syncprov
 dn: cn=config
 changeType: modify
 add: olcServerID
-{{ REPLICATION_HOSTS }}
+{{ LDAP_REPLICATION_HOSTS }}
 
 # Add syncprov on config
 dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
@@ -21,7 +21,7 @@ olcOverlay: syncprov
 dn: olcDatabase={0}config,cn=config
 changetype: modify
 add: olcSyncRepl
-{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}
+{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}
 -
 add: olcMirrorMode
 olcMirrorMode: TRUE
@@ -37,7 +37,7 @@ olcOverlay: syncprov
 dn: olcDatabase={1}hdb,cn=config
 changetype: modify
 add: olcSyncRepl
-{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}
+{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}
 -
 add: olcMirrorMode
 olcMirrorMode: TRUE

+ 7 - 4
image/service/slapd/assets/config/tls/tls-enable.ldif

@@ -3,17 +3,20 @@ changetype: modify
 replace: olcTLSCipherSuite
 olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
 -
+replace: olcTLSProtocolMin
+olcTLSProtocolMin: 3.1
+-
 replace: olcTLSCACertificateFile
-olcTLSCACertificateFile: /container/service/slapd/assets/ssl/ca.crt
+olcTLSCACertificateFile: /container/service/slapd/assets/certs/{{ LDAP_TLS_CA_CRT_FILENAME }}
 -
 replace: olcTLSCertificateFile
-olcTLSCertificateFile: /container/service/slapd/assets/ssl/ldap.crt
+olcTLSCertificateFile: /container/service/slapd/assets/certs/{{ LDAP_TLS_CRT_FILENAME }}
 -
 replace: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: /container/service/slapd/assets/ssl/ldap.key
+olcTLSCertificateKeyFile: /container/service/slapd/assets/certs/{{ LDAP_TLS_KEY_FILENAME }}
 -
 replace: olcTLSDHParamFile
-olcTLSDHParamFile: /container/service/slapd/assets/ssl/dhparam.pem
+olcTLSDHParamFile: /container/service/slapd/assets/certs/dhparam.pem
 -
 replace: olcTLSVerifyClient
 olcTLSVerifyClient: demand
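Review bot: `olcTLSProtocolMin: 3.1` sets the floor at TLS 1.0, so TLS 1.0 and 1.1 stay negotiable; the only TLS peers this image ships with are other instances of itself (replication is configured with `starttls=critical` in env.yaml) and the bats client, so `olcTLSProtocolMin: 3.3` (TLS 1.2) would be a safer default. If 3.1 is kept for compatibility, the choice deserves a comment such as `# 3.1 = TLS 1.0 minimum; raise to 3.3 (TLS 1.2) once no legacy clients remain`. With a protocol floor in place the `-VERS-SSL3.0` exclusion in the cipher-suite line above becomes redundant, though harmless.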

+ 0 - 2
image/service/slapd/assets/ssl/README.md

@@ -1,2 +0,0 @@
-Add your ssl crt, key and ca crt here
-or during docker run mount a data volume with thoses files to /container/service/slapd/assets/ssl

+ 64 - 42
image/service/slapd/container-start.sh

@@ -9,7 +9,7 @@ WAS_STARTED_WITH_REPLICATION="/etc/ldap/slapd.d/docker-openldap-was-started-with
 # see https://github.com/docker/docker/issues/8231
 ulimit -n 1024
 
-#fix file permissions
+# fix file permissions
 chown -R openldap:openldap /var/lib/ldap
 chown -R openldap:openldap /etc/ldap
 chown -R openldap:openldap /container/service/slapd
@@ -17,15 +17,15 @@ chown -R openldap:openldap /container/service/slapd
 # container first start
 if [ ! -e "$FIRST_START_DONE" ]; then
 
-  function get_base_dn() {
-    BASE_DN=""
-    IFS='.' read -ra BASE_DN_TABLE <<< "$LDAP_DOMAIN"
-    for i in "${BASE_DN_TABLE[@]}"; do
+  function get_ldap_base_dn() {
+    LDAP_BASE_DN=""
+    IFS='.' read -ra LDAP_BASE_DN_TABLE <<< "$LDAP_DOMAIN"
+    for i in "${LDAP_BASE_DN_TABLE[@]}"; do
       EXT="dc=$i,"
-      BASE_DN=$BASE_DN$EXT
+      LDAP_BASE_DN=$LDAP_BASE_DN$EXT
     done
 
-    BASE_DN=${BASE_DN::-1}
+    LDAP_BASE_DN=${LDAP_BASE_DN::-1}
   }
 
   function is_new_schema() {
@@ -44,10 +44,11 @@ if [ ! -e "$FIRST_START_DONE" ]; then
     local LDAP_KEY=$3
 
     # check certificat and key or create it
-    /sbin/ssl-helper "/container/service/slapd/assets/ssl/$LDAP_CRT" "/container/service/slapd/assets/ssl/$LDAP_KEY" --ca-crt=/container/service/slapd/assets/ssl/$CA_CRT --gnutls
+    /sbin/ssl-helper "/container/service/slapd/assets/certs/$LDAP_CRT" "/container/service/slapd/assets/certs/$LDAP_KEY" --ca-crt=/container/service/slapd/assets/certs/$CA_CRT --gnutls
 
     # create DHParamFile if not found
-    [ -f /container/service/slapd/assets/ssl/dhparam.pem ] || openssl dhparam -out /container/service/slapd/assets/ssl/dhparam.pem 2048
+    [ -f /container/service/slapd/assets/certs/dhparam.pem ] || certtool --generate-dh-param --sec-param=high --outfile=/container/service/slapd/assets/certs/dhparam.pem
+    chmod 600 /container/service/slapd/assets/certs/dhparam.pem
 
     # fix file permissions
     chown -R openldap:openldap /container/service/slapd
@@ -97,13 +98,13 @@ EOF
 
       . $WAS_STARTED_WITH_TLS
 
-      check_tls_files $PREVIOUS_SSL_CA_CRT_FILENAME $PREVIOUS_SSL_CRT_FILENAME $PREVIOUS_SSL_KEY_FILENAME
+      check_tls_files $PREVIOUS_LDAP_TLS_CA_CRT_FILENAME $PREVIOUS_LDAP_TLS_CRT_FILENAME $PREVIOUS_LDAP_TLS_KEY_FILENAME
     fi
   fi
 
   # start OpenLDAP
   echo "Starting openldap..."
-  slapd -h "ldapi:///" -u openldap -g openldap
+  slapd -h "ldap://localhost ldapi:///" -u openldap -g openldap
   echo "[ok]"
 
   # set bootstrap config part 2
@@ -134,50 +135,71 @@ EOF
     done
 
     # set config password
-    CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_CONFIG_PASSWORD)
-    sed -i "s|{{ CONFIG_PASSWORD_ENCRYPTED }}|$CONFIG_PASSWORD_ENCRYPTED|g" /container/service/slapd/assets/config/bootstrap/ldif/01-config-password.ldif
+    LDAP_CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_CONFIG_PASSWORD)
+    sed -i "s|{{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}|${LDAP_CONFIG_PASSWORD_ENCRYPTED}|g" /container/service/slapd/assets/config/bootstrap/ldif/01-config-password.ldif
 
     # adapt security config file
-    get_base_dn
-    sed -i "s|dc=example,dc=org|$BASE_DN|g" /container/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
+    get_ldap_base_dn
+    sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
 
-    # process config files
-    for f in $(find /container/service/slapd/assets/config/bootstrap/ldif  -name \*.ldif -type f | sort); do
+    # process config files in bootstrap directory (do no process files in subdirectories)
+    for f in $(find /container/service/slapd/assets/config/bootstrap/ldif  -name \*.ldif -mindepth 1 -maxdepth 1 -type f | sort); do
       echo "Processing file ${f}"
       ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $f
     done
 
+    # read only user
+    if [ "${LDAP_READONLY_USER,,}" == "true" ]; then
+
+      echo "Add read only user"
+
+      LDAP_READONLY_USER_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_READONLY_USER_PASSWORD)
+      sed -i "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
+      sed -i "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
+      sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
+
+      sed -i "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
+      sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
+
+      echo "Processing file /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif"
+      ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
+
+      echo "Processing file /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif"
+      ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
+
+    fi
+
   fi
 
-  # TLS config
-  if [ "${USE_TLS,,}" == "true" ]; then
+  # tls config
+  if [ "${LDAP_TLS,,}" == "true" ]; then
 
     echo "Use TLS"
 
-    check_tls_files $SSL_CA_CRT_FILENAME $SSL_CRT_FILENAME $SSL_KEY_FILENAME
+    check_tls_files $LDAP_TLS_CA_CRT_FILENAME $LDAP_TLS_CRT_FILENAME $LDAP_TLS_KEY_FILENAME
 
     # adapt tls ldif
-    sed -i "s,/container/service/slapd/assets/ssl/ca.crt,/container/service/slapd/assets/ssl/${SSL_CA_CRT_FILENAME},g" /container/service/slapd/assets/config/tls/tls-enable.ldif
-    sed -i "s,/container/service/slapd/assets/ssl/ldap.crt,/container/service/slapd/assets/ssl/${SSL_CRT_FILENAME},g" /container/service/slapd/assets/config/tls/tls-enable.ldif
-    sed -i "s,/container/service/slapd/assets/ssl/ldap.key,/container/service/slapd/assets/ssl/${SSL_KEY_FILENAME},g" /container/service/slapd/assets/config/tls/tls-enable.ldif
+    sed -i "s|{{ LDAP_TLS_CA_CRT_FILENAME }}|${LDAP_TLS_CA_CRT_FILENAME}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
+    sed -i "s|{{ LDAP_TLS_CRT_FILENAME }}|${LDAP_TLS_CRT_FILENAME}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
+    sed -i "s|{{ LDAP_TLS_KEY_FILENAME }}|${LDAP_TLS_KEY_FILENAME}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
 
     ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/tls/tls-enable.ldif
 
     [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
     touch $WAS_STARTED_WITH_TLS
-    echo "export PREVIOUS_SSL_CA_CRT_FILENAME=${SSL_CA_CRT_FILENAME}" >> $WAS_STARTED_WITH_TLS
-    echo "export PREVIOUS_SSL_CRT_FILENAME=${SSL_CRT_FILENAME}" >> $WAS_STARTED_WITH_TLS
-    echo "export PREVIOUS_SSL_KEY_FILENAME=${SSL_KEY_FILENAME}" >> $WAS_STARTED_WITH_TLS
+    echo "export PREVIOUS_LDAP_TLS_CA_CRT_FILENAME=${LDAP_TLS_CA_CRT_FILENAME}" >> $WAS_STARTED_WITH_TLS
+    echo "export PREVIOUS_LDAP_TLS_CRT_FILENAME=${LDAP_TLS_CRT_FILENAME}" >> $WAS_STARTED_WITH_TLS
+    echo "export PREVIOUS_LDAP_TLS_KEY_FILENAME=${LDAP_TLS_KEY_FILENAME}" >> $WAS_STARTED_WITH_TLS
     chmod +x $WAS_STARTED_WITH_TLS
 
     # ldap client config
-    sed -i "s,TLS_CACERT.*,TLS_CACERT /container/service/slapd/assets/ssl/${SSL_CA_CRT_FILENAME},g" /etc/ldap/ldap.conf
+    sed -i "s,TLS_CACERT.*,TLS_CACERT /container/service/slapd/assets/certs/${LDAP_TLS_CA_CRT_FILENAME},g" /etc/ldap/ldap.conf
     echo "TLS_REQCERT demand" >> /etc/ldap/ldap.conf
 
     [[ -f "$HOME/.ldaprc" ]] && rm -f $HOME/.ldaprc
     touch $HOME/.ldaprc
-    echo "TLS_CERT /container/service/slapd/assets/ssl/${SSL_CRT_FILENAME}" >> $HOME/.ldaprc
-    echo "TLS_KEY /container/service/slapd/assets/ssl/${SSL_KEY_FILENAME}" >> $HOME/.ldaprc
+    echo "TLS_CERT /container/service/slapd/assets/certs/${LDAP_TLS_CRT_FILENAME}" >> $HOME/.ldaprc
+    echo "TLS_KEY /container/service/slapd/assets/certs/${LDAP_TLS_KEY_FILENAME}" >> $HOME/.ldaprc
 
   else
 
@@ -190,36 +212,36 @@ EOF
 
 
   # replication config
-  if [ "${USE_REPLICATION,,}" == "true" ]; then
+  if [ "${LDAP_REPLICATION,,}" == "true" ]; then
 
     if [ -e "$WAS_STARTED_WITH_REPLICATION" ]; then
       echo "Replication already set"
     else
       echo "Use replication"
 
-      REPLICATION_HOSTS=($REPLICATION_HOSTS)
+      LDAP_REPLICATION_HOSTS=($LDAP_REPLICATION_HOSTS)
       i=1
-      for host in "${REPLICATION_HOSTS[@]}"
+      for host in "${LDAP_REPLICATION_HOSTS[@]}"
       do
 
-        #host var contain a variable name, we access to the variable value
+        # host var contain a variable name, we access to the variable value
         host=${!host}
 
-        sed -i "s|{{ REPLICATION_HOSTS }}|olcServerID: $i ${host}\n{{ REPLICATION_HOSTS }}|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
-        sed -i "s|{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|olcSyncRepl: rid=00$i provider=${host} ${REPLICATION_CONFIG_SYNCPROV}\n{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
-        sed -i "s|{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}|olcSyncRepl: rid=10$i provider=${host} ${REPLICATION_HDB_SYNCPROV}\n{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
+        sed -i "s|{{ LDAP_REPLICATION_HOSTS }}|olcServerID: $i ${host}\n{{ LDAP_REPLICATION_HOSTS }}|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
+        sed -i "s|{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|olcSyncRepl: rid=00$i provider=${host} ${LDAP_REPLICATION_CONFIG_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
+        sed -i "s|{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}|olcSyncRepl: rid=10$i provider=${host} ${LDAP_REPLICATION_HDB_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
 
         ((i++))
       done
 
-      get_base_dn
-      sed -i "s|\$BASE_DN|$BASE_DN|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
+      get_ldap_base_dn
+      sed -i "s|\$LDAP_BASE_DN|$LDAP_BASE_DN|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
       sed -i "s|\$LDAP_ADMIN_PASSWORD|$LDAP_ADMIN_PASSWORD|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
       sed -i "s|\$LDAP_CONFIG_PASSWORD|$LDAP_CONFIG_PASSWORD|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
 
-      sed -i "/{{ REPLICATION_HOSTS }}/d" /container/service/slapd/assets/config/replication/replication-enable.ldif
-      sed -i "/{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}/d" /container/service/slapd/assets/config/replication/replication-enable.ldif
-      sed -i "/{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}/d" /container/service/slapd/assets/config/replication/replication-enable.ldif
+      sed -i "/{{ LDAP_REPLICATION_HOSTS }}/d" /container/service/slapd/assets/config/replication/replication-enable.ldif
+      sed -i "/{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}/d" /container/service/slapd/assets/config/replication/replication-enable.ldif
+      sed -i "/{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}/d" /container/service/slapd/assets/config/replication/replication-enable.ldif
 
       ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/replication/replication-enable.ldif
       touch $WAS_STARTED_WITH_REPLICATION
@@ -238,7 +260,7 @@ EOF
   # stop OpenLDAP
   SLAPD_PID=$(cat /run/slapd/slapd.pid)
   echo "Kill slapd, pid: $SLAPD_PID"
-  kill -INT $SLAPD_PID
+  kill $SLAPD_PID
   echo "[ok]"
 
   sleep 3
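Review bot: The new read-only-user block binds with `ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD`, which puts the admin password on the command line (visible to any process in the container via `ps`/`/proc` for the duration of the call) and appears to be the only reason the bootstrap `slapd` now also listens on `ldap://localhost`. Binding over the existing `ldapi:///` socket with the password read from a `0600` file (`-y`) removes both the argument exposure and, if nothing else needs it, the extra TCP listener; the existing `slappasswd -s` calls have the same exposure but predate this change. Two smaller points in the same file: the bootstrap loop's `find` now has `-mindepth`/`-maxdepth` after `-name`, which GNU find accepts only with a warning — `find /container/service/slapd/assets/config/bootstrap/ldif -mindepth 1 -maxdepth 1 -type f -name \*.ldif | sort` — and `${LDAP_READONLY_USER_USERNAME}` is spliced into a DN and an ACL by `sed` unchecked, so a value containing `|`, `,`, `"` or `=` silently yields a broken DN or ACL. The rewritten block below adds the charset guard and the file-based bind; the if/fi around it is inside the hunk but the enclosing first-start `if` starts and ends outside it.
```shell
    # read only user
    if [ "${LDAP_READONLY_USER,,}" == "true" ]; then

      # the username is spliced into a DN and an ACL by sed below: only accept a safe charset
      if ! [[ "$LDAP_READONLY_USER_USERNAME" =~ ^[A-Za-z0-9._-]+$ ]]; then
        echo "LDAP_READONLY_USER_USERNAME contains characters that cannot be used in a DN/ACL here"
        exit 1
      fi

      # … unchanged: slappasswd and the sed substitutions …

      # bind over the local socket; the admin password goes through a 0600 file, not argv
      ADMIN_PW_FILE=$(umask 077 && mktemp)
      printf '%s' "$LDAP_ADMIN_PASSWORD" > "$ADMIN_PW_FILE"
      echo "Processing file /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif"
      ldapmodify -x -H ldapi:/// -D "cn=admin,$LDAP_BASE_DN" -y "$ADMIN_PW_FILE" -f /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
      rm -f "$ADMIN_PW_FILE"

      # … unchanged: readonly-user-acl.ldif ldapmodify via -Y EXTERNAL …

    fi
```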

+ 7 - 7
test/test.bats

@@ -10,7 +10,7 @@ load test_helper
 
 @test "ldapsearch new database" {
 
-  run_image -h ldap.example.org -e USE_TLS=false
+  run_image -h ldap.example.org -e LDAP_TLS=false
   wait_service slapd
   run docker exec $CONTAINER_ID ldapsearch -x -h ldap.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
   clear_container
@@ -32,7 +32,7 @@ load test_helper
 
 @test "ldapsearch new database with strict TLS and custom ca/crt" {
 
-  run_image -h ldap.osixia.net -v $BATS_TEST_DIRNAME/ssl:/container/service/slapd/assets/ssl -e SSL_CRT_FILENAME=ldap-test.crt -e SSL_KEY_FILENAME=ldap-test.key -e SSL_CA_CRT_FILENAME=ca-test.crt
+  run_image -h ldap.osixia.net -v $BATS_TEST_DIRNAME/ssl:/container/service/slapd/assets/certs -e LDAP_TLS_CRT_FILENAME=ldap-test.crt -e LDAP_TLS_KEY_FILENAME=ldap-test.key -e LDAP_TLS_CA_CRT_FILENAME=ca-test.crt
   wait_service slapd
   run docker exec $CONTAINER_ID ldapsearch -x -h ldap.osixia.net -b dc=example,dc=org -ZZ -D "cn=admin,dc=example,dc=org" -w admin
   clear_container
@@ -45,7 +45,7 @@ load test_helper
 
 @test "ldapsearch existing database and config" {
 
-  run_image -h ldap.example.org -e USE_TLS=false -v $BATS_TEST_DIRNAME/database:/var/lib/ldap -v $BATS_TEST_DIRNAME/config:/etc/ldap/slapd.d
+  run_image -h ldap.example.org -e LDAP_TLS=false -v $BATS_TEST_DIRNAME/database:/var/lib/ldap -v $BATS_TEST_DIRNAME/config:/etc/ldap/slapd.d
   wait_service slapd
   run docker exec $CONTAINER_ID ldapsearch -x -h ldap.example.org -b dc=osixia,dc=net -D "cn=admin,dc=osixia,dc=net" -w admin
   clear_container
@@ -62,17 +62,17 @@ load test_helper
   tmp_file="$BATS_TMPDIR/docker-test"
 
   # replication ldap server
-  LDAP_REPL_CID=$(docker run -h ldap2.example.org -e USE_REPLICATION=true -e IS_REPLICATION_TEST=true -d $NAME:$VERSION)
+  LDAP_REPL_CID=$(docker run -h ldap2.example.org -e LDAP_REPLICATION=true -e IS_REPLICATION_TEST=true -d $NAME:$VERSION)
   LDAP_REPL_IP=$(get_container_ip_by_cid $LDAP_REPL_CID)
 
   sleep 2
 
   # ldap server
-  run_image -h ldap.example.org -e USE_REPLICATION=true -e IS_REPLICATION_TEST=true
+  run_image -h ldap.example.org -e LDAP_REPLICATION=true -e IS_REPLICATION_TEST=true
 
   # add route to hosts
-  docker exec $LDAP_REPL_CID /sbin/add-host $CONTAINER_IP ldap.example.org
-  docker exec $CONTAINER_ID /sbin/add-host $LDAP_REPL_IP ldap2.example.org
+  docker exec $CONTAINER_ID bash -c "echo $LDAP_REPL_IP ldap2.example.org >> /etc/hosts"
+	docker exec $LDAP_REPL_CID bash -c "echo $CONTAINER_IP ldap.example.org >> /etc/hosts"
 
   # wait services on both servers
   wait_service slapd
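Review bot: The added `docker exec $LDAP_REPL_CID bash -c ...` line in the last hunk is indented with a tab while the line above it and the rest of the file use two spaces; align it as `  docker exec $LDAP_REPL_CID bash -c "echo $CONTAINER_IP ldap.example.org >> /etc/hosts"`. Nothing in this file exercises the new `LDAP_READONLY_USER` path of container-start.sh; a test that runs the image with `-e LDAP_READONLY_USER=true`, then does an `ldapsearch -x` bound as `cn=readonly,dc=example,dc=org` (expected to succeed) and an `ldapmodify` with the same bind (expected to be refused) would cover both the user entry and the replacement ACL. The enclosing `@test` of the last hunk starts before the hunk and continues past it.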