Bertrand Gouny vor 10 Jahren
Ursprung
Commit
c3f1e6dd9a

+ 45 - 11
image/env.yml

@@ -1,6 +1,7 @@
 LDAP_ORGANISATION: Example Inc.
 LDAP_DOMAIN: example.org
 LDAP_ADMIN_PASSWORD: admin
+LDAP_CONFIG_PASSWORD: config
 
 #See table 5.1 in http://www.openldap.org/doc/admin24/slapdconf2.html for the available log levels.
 LDAP_LOG_LEVEL: -1
@@ -12,16 +13,49 @@ SSL_CRT_FILENAME: ldap.crt
 SSL_KEY_FILENAME: ldap.key
 SSL_CA_CRT_FILENAME: ca.crt
 
-USE_REPLICATION: false
-REPLICATION_SERVER_ID: 1
-REPLICATOR_DN: cn=replicator,dc=example,dc=org
-REPLICATOR_PASSWORD: replicator
-
+USE_REPLICATION: true
 REPLICATION_HOSTS:
+  - ldap://ldap.example.org:
+    - server_id: 1
+    - syncprov_config:
+      - binddn: cn=admin,cn=config
+      - bindmethod: simple
+      - credentials: config
+      - searchbase: cn=config
+      - type: refreshAndPersist
+      - retry: 5 5 300 5
+      - timeout: 1
+      - starttls: critical
+      - tls_reqcert: demand
+    - syncprov_hdb:
+      - binddn: cn=admin,dc=example,dc=org
+      - bindmethod: simple
+      - credentials: test
+      - searchbase: dc=example,dc=org
+      - type: refreshAndPersist
+      - retry: 5 5 300 5
+      - timeout: 1
+      - starttls: critical
+      - tls_reqcert: demand
   - ldap://ldap2.example.org:
-    - server_id: 2
-    - syncprov:
-      - binddn: cn=replicator,dc=example,dc=org
-      - credentials: replicator
-      - starttls: yes
-      - tls_reqcert: never
+    - server_id: 1
+    - syncprov_config:
+      - binddn: cn=admin,cn=config
+      - bindmethod: simple
+      - credentials: config
+      - searchbase: cn=config
+      - type: refreshAndPersist
+      - retry: 5 5 300 5
+      - timeout: 1
+      - starttls: critical
+      - tls_reqcert: demand
+    - syncprov_hdb:
+      - binddn: cn=admin,dc=example,dc=org
+      - bindmethod: simple
+      - credentials: test
+      - searchbase: dc=example,dc=org
+      - type: refreshAndPersist
+      - retry: 5 5 300 5
+      - timeout: 1
+      - starttls: critical
+      - tls_reqcert: demand
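Review bot: Both replication hosts now carry `server_id: 1` (ldap.example.org and ldap2.example.org), whereas the previous sample gave the second host id 2; container-start.sh renders these into `olcServerID: <id> <url>` lines, and OpenLDAP mirror mode needs a distinct server id per provider, so the second host should read `- server_id: 2`. The sample also keeps the `cn=config` and directory bind secrets in clear under `credentials:`; that is acceptable for a shipped example, but a comment above REPLICATION_HOSTS such as `# credentials are copied verbatim into olcSyncRepl; replace them before deployment` would make the intent explicit. I cannot tell from this page how env.yml is turned into shell variables, so whether the nested single-key sequences survive that loader unchanged is inferred from the script only.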

+ 7 - 0
image/service/slapd/assets/config/bootstrap/ldif/config-password.ldif

@@ -0,0 +1,7 @@
+# Set config password
+dn: cn=config
+changeType: modify
+
+dn: olcDatabase={0}config,cn=config
+add: olcRootPW
+olcRootPW: {{ CONFIG_PASSWORD_ENCRYPTED }}
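Review bot: The first record (`dn: cn=config` / `changeType: modify`) contains no modification and ends at the blank line, so it is an empty modify that ldapmodify will reject or skip; the root-password change lives entirely in the second record, and the first three lines can be dropped. The second record uses `add: olcRootPW`, which fails when the config database already has a root password (a restart against an existing config directory); `changetype: modify` followed by `replace: olcRootPW` converges in both cases. The file mixes `changeType` and `changetype`; attribute names appear to be accepted case-insensitively, but the rest of the bootstrap files use the lower-case form.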

+ 1 - 0
image/service/slapd/assets/config/bootstrap/ldif/index.ldif

@@ -1,3 +1,4 @@
+# Add indexes
 dn: olcDatabase={1}hdb,cn=config
 changetype:  modify
 replace: olcDbIndex

+ 0 - 69
image/service/slapd/assets/config/replication/backup/replication-enable.ldif

@@ -1,72 +1,3 @@
-# Load syncprov module
-dn: cn=module{0},cn=config
-changetype: modify
-add: olcModuleLoad
-olcModuleLoad: syncprov
-
-# Set server ID
-dn: cn=config
-changeType: modify
-add: olcServerID
-olcServerID: {{ SERVER_ID }}
-
-# Set config password
-dn: cn=config
-changeType: modify
-
-dn: olcDatabase={0}config,cn=config
-add: olcRootPW
-olcRootPW: {{ CONFIG_PASSWORD_ENCRYPTED }}
-
-# Add config replication
-dn: cn=config
-changetype: modify
-replace: olcServerID
-olcServerID: 1 ldap://ldap1.gremaud.local
-olcServerID: 2 ldap://ldap2.gremaud.local
-olcServerID: 3 ldap://ldap3.gremaud.local
-{{ REPLICATION_SERVERS }}
-
-# Add syncprov on config
-dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
-changetype: add
-objectClass: olcOverlayConfig
-objectClass: olcSyncProvConfig
-olcOverlay: syncprov
-
-# Add sync replication on config
-dn: olcDatabase={0}config,cn=config
-changetype: modify
-add: olcSyncRepl
-olcSyncRepl: rid=001 provider=ldap://ldap1.gremaud.local binddn="cn=admin,cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-olcSyncRepl: rid=002 provider=ldap://ldap2.gremaud.local binddn="cn=admin,cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-olcSyncRepl: rid=003 provider=ldap://ldap3.gremaud.local binddn="cn=admin,cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-{{ REPLICATION_SERVERS_CONFIG_SYNC_REPL }}
--
-add: olcMirrorMode
-olcMirrorMode: TRUE
-
-# Add syncprov on hdb
-dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
-changetype: add
-objectClass: olcOverlayConfig
-objectClass: olcSyncProvConfig
-olcOverlay: syncprov
-
-# Add sync replication on hdb
-dn: olcDatabase={1}hdb,cn=config
-changetype: modify
-add: olcSyncRepl
-olcSyncRepl: rid=101 provider=ldap://ldap1.gremaud.local binddn="cn=admin,dc=gremaud,dc=local" bindmethod=simple credentials=secret searchbase="dc=gremaud,dc=local" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
-olcSyncRepl: rid=102 provider=ldap://ldap2.gremaud.local binddn="cn=admin,dc=gremaud,dc=local" bindmethod=simple credentials=secret searchbase="dc=gremaud,dc=local" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
-olcSyncRepl: rid=103 provider=ldap://ldap3.gremaud.local binddn="cn=admin,dc=gremaud,dc=local" bindmethod=simple credentials=secret searchbase="dc=gremaud,dc=local" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
-{{ REPLICATION_SERVERS_HDB_SYNC_REPL }}
-
-# Add olcMirrorMode
-dn: olcDatabase={1}hdb,cn=config
-changetype: modify
-add: olcMirrorMode
-olcMirrorMode: TRUE
 
 # Add indexes
 dn: olcDatabase={1}hdb,cn=config

+ 0 - 15
image/service/slapd/assets/config/replication/repl-enable.ldif

@@ -1,15 +0,0 @@
-# add replicator user
-dn: $REPLICATOR_DN
-cn: replicator
-sn: user
-objectClass: person
-userPassword: $REPLICATOR_PASSWORD
-
-dn: $REPLICATOR_DN
-changetype: add
-objectClass: top
-objectClass: person
-cn: synchronisator
-sn: synchronisator
-description: LDAP synchronisator
-userPassword: {SSHA}hAUGoGZEFAyJnZg/Q/aTWGnpdDv9edCh

+ 43 - 0
image/service/slapd/assets/config/replication/replication-enable-template.ldif

@@ -0,0 +1,43 @@
+# Load syncprov module
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: syncprov
+
+# Set server ID
+dn: cn=config
+changeType: modify
+add: olcServerID
+{{ REPLICATION_HOSTS }}
+
+# Add syncprov on config
+dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+
+# Add sync replication on config
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+add: olcSyncRepl
+{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}
+-
+add: olcMirrorMode
+olcMirrorMode: TRUE
+
+# Add syncprov on hdb
+dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+
+# Add sync replication on hdb
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+add: olcSyncRepl
+{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}
+-
+add: olcMirrorMode
+olcMirrorMode: TRUE
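Review bot: `add: olcServerID` in the "Set server ID" record is not idempotent: on a restart where the config directory already holds the olcServerID values the add fails, and since container-start.sh applies this file with `ldapmodify -c` the failure is skipped rather than stopping startup; `replace: olcServerID` would converge in both cases, and the same applies to the two `add: olcSyncRepl` records and the `add: olcMirrorMode` sub-changes. The rendered `{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}` and `{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}` lines will carry clear-text `credentials=` values, which olcSyncRepl requires, so the rendered copy of this template should be treated as a secret and not echoed to logs. A header comment, `# Template: {{ ... }} placeholders are expanded by container-start.sh; rendered copy contains replication credentials`, would document both points.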

+ 123 - 4
image/service/slapd/container-start.sh

@@ -137,12 +137,16 @@ EOF
       fi
     done
 
+    # adapt config password
+    CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_CONFIG_PASSWORD)
+    sed -i "s|{{ CONFIG_PASSWORD_ENCRYPTED }}|$CONFIG_PASSWORD_ENCRYPTED|g" /osixia/slapd/config/bootstrap/ldif/config-password.ldif
+
     # adapt security config file
     get_base_dn
-    sed -i "s|dc=example,dc=org|$BASE_DN|g" /osixia/slapd/config/bootstrap/security.ldif
+    sed -i "s|dc=example,dc=org|$BASE_DN|g" /osixia/slapd/config/bootstrap/ldif/security.ldif
 
     # process config files
-    for f in $(find /osixia/slapd/config/bootstrap -path /osixia/slapd/config/bootstrap/schema -prune -name \*.ldif -type f); do
+    for f in $(find /osixia/slapd/config/bootstrap/ldif  -name \*.ldif -type f); do
       echo "Processing file ${f}"
       ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $f
     done
@@ -192,8 +196,123 @@ EOF
 
     echo "Set replication"
 
-    #cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog
-    #chown openldap:openldap /var/lib/ldap/accesslog
+    # copy template file
+    cp /osixia/slapd/config/replication/replication-enable-template.ldif /osixia/slapd/config/replication/replication-enable.ldif
+
+    function addReplicationSyncRepl() {
+
+      local TYPE=$1
+      local HOST=$2
+      local INFOS=(${3})
+
+      olcSyncReplLine="olcSyncRepl:"
+
+      if [ "$TYPE" == "CONFIG" ]; then
+        olcSyncReplLine="$olcSyncReplLine rid=00$i"
+      else
+        olcSyncReplLine="$olcSyncReplLine rid=10$i"
+      fi
+
+      olcSyncReplLine="$olcSyncReplLine provider=$HOST"
+
+      for info in "${INFOS[@]}"
+      do
+
+        info=($info)
+        local key_value_pair=(${!info[0]})
+        local key=${!key_value_pair[0]}
+        local value=${!key_value_pair[1]}
+
+        olcSyncReplLine="$olcSyncReplLine $key=\"$value\""
+
+      done
+
+      if [ "$TYPE" == "CONFIG" ]; then
+        sed -i "s|{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|$olcSyncReplLine\n{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|g" /osixia/slapd/config/replication/replication-enable.ldif
+      else
+        sed -i "s|{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}|$olcSyncReplLine\n{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}|g" /osixia/slapd/config/replication/replication-enable.ldif
+      fi
+    }
+
+
+    # replication hosts config
+    function addReplicationHost() {
+
+      local HOST=$1
+      local INFOS=(${!2})
+
+      local SERVER_ID_FOUND=false
+      local SYNCPROV_CONFIG_OBJECT_FOUND=false
+      local SYNCPROV_HDB_OBJECT_FOUND=false
+
+      for info in "${INFOS[@]}"
+      do
+        info=($info)
+        local key_value_pair=(${!info[0]})
+        local key=${!key_value_pair[0]}
+        local value=${!key_value_pair[1]}
+
+        # olcServerID
+        if [ "$key" == "server_id" ]; then
+          sed -i "s|{{ REPLICATION_HOSTS }}|olcServerID: $value $HOST\n{{ REPLICATION_HOSTS }}|g" /osixia/slapd/config/replication/replication-enable.ldif
+          SERVER_ID_FOUND=true
+
+        # olcSyncRepl for config and hdb
+        elif [ "$key" == "syncprov_config" ]; then
+          addReplicationSyncRepl CONFIG $HOST "$value"
+          SYNCPROV_CONFIG_OBJECT_FOUND=true
+
+        elif [ "$key" == "syncprov_hdb" ]; then
+          addReplicationSyncRepl HDB $HOST "$value"
+          SYNCPROV_HDB_OBJECT_FOUND=true
+
+        fi
+      done
+
+      if ! $SERVER_ID_FOUND; then
+        echo "Error: Replication host ${HOST} must define a server_id"
+        exit 1
+      fi
+
+      if ! $SYNCPROV_CONFIG_OBJECT_FOUND; then
+        echo "Error: Replication host ${HOST} must define a syncprov_config object"
+        exit 1
+      fi
+
+      if ! $SYNCPROV_HDB_OBJECT_FOUND; then
+        echo "Error: Replication host ${HOST} must define a syncprov_hdb object"
+        exit 1
+      fi
+    }
+
+    REPLICATION_HOSTS=($REPLICATION_HOSTS)
+    i=1
+    for host in "${REPLICATION_HOSTS[@]}"
+    do
+
+      #host var contain a variable name, we access to the variable value and cast it to a table
+      infos=(${!host})
+
+      # it's a table of infos
+      if [ "${#infos[@]}" -gt "1" ]; then
+
+        addReplicationHost ${!infos[0]} ${infos[1]}
+
+      else
+        echo "Error: Replication host ${!host} must define a server_id, syncprov_config and syncprov_hdb object"
+        exit 1
+      fi
+
+      ((i++))
+    done
+
+
+    sed -i "/{{ REPLICATION_HOSTS }}/d" /osixia/slapd/config/replication/replication-enable.ldif
+    sed -i "/{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}/d" /osixia/slapd/config/replication/replication-enable.ldif
+    sed -i "/{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}/d" /osixia/slapd/config/replication/replication-enable.ldif
+
+    cat /osixia/slapd/config/replication/replication-enable.ldif
+    ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /osixia/slapd/config/replication/replication-enable.ldif -v -d -1
 
   else
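Review bot: The rendered replication-enable.ldif, which carries the clear-text `credentials=` value of every olcSyncRepl line, is written to the container log twice, by the `cat` before the ldapmodify call and by `-d -1`, which traces the whole LDAP exchange; both should be dropped or gated on LDAP_LOG_LEVEL, leaving `ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /osixia/slapd/config/replication/replication-enable.ldif`. With `-c` a rejected record (for instance the duplicate `server_id` in the sample env.yml, or an `add:` of a value that already exists after a restart) is skipped and startup continues with a half-applied replication config, so the exit status should at least be checked. In the first hunk, `slappasswd -s $LDAP_CONFIG_PASSWORD` is unquoted, so a password containing whitespace is split into several arguments, and `-s` places the clear-text value on the command line where it is visible in the process list for the duration of the call; `CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s "$LDAP_CONFIG_PASSWORD")` fixes the first and `slappasswd -T <file>` the second. addReplicationSyncRepl also relies on the caller's global `i` for the rid, which is worth passing as an explicit argument. The enclosing if-branch starts before the hunk.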
 

+ 1 - 1
image/service/slapd/daemon.sh

@@ -5,4 +5,4 @@
 # see https://github.com/docker/docker/issues/8231
 ulimit -n 1024
 
-exec /usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d "$LDAP_LOG_LEVEL"
+exec /usr/sbin/slapd -h "ldap://$SERVER_NAME ldaps://$SERVER_NAME ldapi:///" -u openldap -g openldap -d "$LDAP_LOG_LEVEL"
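Review bot: Binding the listeners to `ldap://$SERVER_NAME` couples this line to the replication config: slapd selects its own server id by matching the configured `olcServerID <id> <url>` entries against its listener URLs, so SERVER_NAME must equal the host key used under REPLICATION_HOSTS in env.yml, and nothing in this commit documents or validates that. A comment above the exec, `# listener URLs must match this server's olcServerID URL (REPLICATION_HOSTS key in env.yml) so slapd can identify itself in mirror mode`, would capture it, and an unset SERVER_NAME could be rejected in container-start.sh instead of silently yielding `ldap://`. If SERVER_NAME resolves to a loopback address inside the container, slapd presumably stops being reachable by the other replicas, which is worth a note next to the variable.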