
Merge branch 'bjozet-dhparam-env' into release-1.2.3

Bertrand Gouny %!s(int64=7) %!d(string=hai) anos
bf4567b27c

+ 1 - 0
README.md

@@ -296,6 +296,7 @@ TLS options:
 - **LDAP_TLS**: Add openldap TLS capabilities. Can't be removed once set to true. Defaults to `true`.
 - **LDAP_TLS_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
 - **LDAP_TLS_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
+- **LDAP_TLS_DH_PARAM_FILENAME**: Ldap ssl certificate dh param file. Defaults to `dhparam.pem`
 - **LDAP_TLS_CA_CRT_FILENAME**: Ldap ssl CA certificate  filename. Defaults to `ca.crt`
 - **LDAP_TLS_ENFORCE**: Enforce TLS but except ldapi connections. Can't be disabled once set to true. Defaults to `false`.
 - **LDAP_TLS_CIPHER_SUITE**: TLS cipher suite. Defaults to `SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC`, based on Red Hat's [TLS hardening guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Hardening_TLS_Configuration.html)

+ 1 - 0
example/docker-compose.yml

@@ -18,6 +18,7 @@ services:
       LDAP_TLS: "true"
       LDAP_TLS_CRT_FILENAME: "ldap.crt"
       LDAP_TLS_KEY_FILENAME: "ldap.key"
+      LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
       LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
       LDAP_TLS_ENFORCE: "false"
       LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"

+ 1 - 0
example/extend-osixia-openldap/environment/my-env.startup.yaml

@@ -20,6 +20,7 @@ LDAP_READONLY_USER_PASSWORD: passwr0rd!
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: cert.crt
 LDAP_TLS_KEY_FILENAME: cert.key
+LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
 LDAP_TLS_ENFORCE: false

+ 2 - 0
example/kubernetes/simple/ldap-deployment.yaml

@@ -51,6 +51,8 @@ spec:
               value: "ldap.crt"
             - name: LDAP_TLS_KEY_FILENAME
               value: "ldap.key"
+            - name: LDAP_TLS_DH_PARAM_FILENAME
+              value: "dhparam.pem"
             - name: LDAP_TLS_CA_CRT_FILENAME
               value: "ca.crt"
             - name: LDAP_TLS_ENFORCE

+ 1 - 0
example/kubernetes/using-secrets/environment/my-env.startup.yaml

@@ -27,6 +27,7 @@ LDAP_BACKEND: mdb
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: ldap.crt
 LDAP_TLS_KEY_FILENAME: ldap.key
+LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
 LDAP_TLS_ENFORCE: false

+ 1 - 0
image/environment/default.startup.yaml

@@ -27,6 +27,7 @@ LDAP_BACKEND: mdb
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: ldap.crt
 LDAP_TLS_KEY_FILENAME: ldap.key
+LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
 LDAP_TLS_ENFORCE: false

+ 2 - 2
image/service/slapd/startup.sh

@@ -28,7 +28,7 @@ WAS_ADMIN_PASSWORD_SET="/etc/ldap/slapd.d/docker-openldap-was-admin-password-set
 LDAP_TLS_CA_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CA_CRT_FILENAME"
 LDAP_TLS_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CRT_FILENAME"
 LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
-LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
+LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_DH_PARAM_FILENAME"
 
 
 # CONTAINER_SERVICE_DIR and CONTAINER_STATE_DIR variables are set by
@@ -198,7 +198,7 @@ EOF
       [[ -z "$PREVIOUS_LDAP_TLS_CA_CRT_PATH" ]] && PREVIOUS_LDAP_TLS_CA_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CA_CRT_FILENAME"
       [[ -z "$PREVIOUS_LDAP_TLS_CRT_PATH" ]] && PREVIOUS_LDAP_TLS_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CRT_FILENAME"
       [[ -z "$PREVIOUS_LDAP_TLS_KEY_PATH" ]] && PREVIOUS_LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
-      [[ -z "$PREVIOUS_LDAP_TLS_DH_PARAM_PATH" ]] && PREVIOUS_LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
+      [[ -z "$PREVIOUS_LDAP_TLS_DH_PARAM_PATH" ]] && PREVIOUS_LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_DH_PARAM_FILENAME"
 
       ssl-helper $LDAP_SSL_HELPER_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH
       [ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
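Review bot: The two rewritten path lines (the `LDAP_TLS_DH_PARAM_PATH` assignment and the `PREVIOUS_LDAP_TLS_DH_PARAM_PATH` fallback) expand `$LDAP_TLS_DH_PARAM_FILENAME` with no default, so an environment file written before this variable existed — the commit adds it to `image/environment/default.startup.yaml`, but user-supplied files like the `my-env.startup.yaml` examples are maintained separately, and if such a file replaces rather than merges the defaults the variable is empty — yields a path ending in `certs/`; the `-f` test on the last line is then false and `openssl dhparam -out` is pointed at a directory (or, if the script runs under `set -u`, startup aborts). Keeping the old literal as the shell default preserves existing deployments: `LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/${LDAP_TLS_DH_PARAM_FILENAME:-dhparam.pem}"`, and the same `:-dhparam.pem` form on the `PREVIOUS_` line. Separately, that last line tests `PREVIOUS_LDAP_TLS_DH_PARAM_PATH` for existence but writes to `LDAP_TLS_DH_PARAM_PATH`; now that the filename is configurable the two can name different files, so the check and the write should use the same path. Both enclosing blocks start and end outside the hunks.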

+ 8 - 0
test/ssl/ldap-test.dhparam

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA9GFVKDf67bPYjJB6ngTWhCSARE4KPg5/+LYMIA5mr137Iqatdk2K
+/QNyvW3EWmg9hSNcb8Zd7LFru/qt5te7lDBGS2uOhvxHQEJ8Lqv+KoM9TFTI1oH7
+9biVLVbUwMrD7LGTp5TQ9pbjyADW2mWf25hYmy95V0aKQBLJ10GcFaDTguO6OH3E
+E6hOl6gQzlTd/WCNrFf2ww4iveNNXbZArOf4BruqjYOkV1RSf+vdQwBlxtjjCEW4
+QUGO31rbD07R5Pv464vf18yGHttnPa0JBDq7P2alN49Of0k+qntUyUPxcrBd83qQ
+13KWi47KoR76gf4f87OZa9hXwk8AML1BCwIBAg==
+-----END DH PARAMETERS-----

+ 11 - 0
test/test.bats

@@ -41,6 +41,17 @@ load test_helper
 
 }
 
+@test "ldapsearch new database with strict TLS and custom ca/crt and custom dhparam" {
+
+  run_image -h ldap.osixia.net -v $BATS_TEST_DIRNAME/ssl:/container/service/slapd/assets/certs -e LDAP_TLS_CRT_FILENAME=ldap-test.crt -e LDAP_TLS_KEY_FILENAME=ldap-test.key -e LDAP_TLS_DH_PARAM_FILENAME=ldap-test.dhparam -e LDAP_TLS_CA_CRT_FILENAME=ca-test.crt
+  wait_process slapd
+  run docker exec $CONTAINER_ID ldapsearch -x -h ldap.osixia.net -b dc=example,dc=org -ZZ -D "cn=admin,dc=example,dc=org" -w admin
+  clear_container
+
+  [ "$status" -eq 0 ]
+
+}
+
 @test "ldapsearch existing hdb database and config" {
 
   run_image -h ldap.example.org -e LDAP_TLS=false -e LDAP_BACKEND=hdb -v $BATS_TEST_DIRNAME/database:/container/test/database -v $BATS_TEST_DIRNAME/config:/container/test/config
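Review bot: The new test only asserts that `ldapsearch -ZZ` exits 0, which does not show that `ldap-test.dhparam` was actually loaded: with the default cipher suite an ECDHE key exchange can complete the handshake without the DH file, and if startup silently fell back to generating parameters the search would still pass. A check that the mounted fixture survives the run is cheap and catches the most likely regression (the startup script's `openssl dhparam -out` overwriting it): record `before=$(md5sum < $BATS_TEST_DIRNAME/ssl/ldap-test.dhparam)` before `run_image`, and after `wait_process slapd` assert `[ "$before" = "$(md5sum < $BATS_TEST_DIRNAME/ssl/ldap-test.dhparam)" ]`. If the startup script writes the path into `olcTLSDHParamFile`, an `ldapsearch` of that attribute under `cn=config` would also confirm the file is referenced, but that wiring is not visible in this commit. The following `@test "ldapsearch existing hdb database and config"` begins at the end of the hunk and continues outside it.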