Merge branch 'release-1.2.3' into stable

CHANGELOG.md

@@ -4,6 +4,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [1.2.3] - 2019-01-21
++10M docker pulls 🎉🎉🎉 thanks to all contributors 💕
+
+### Added
+  - GCE statefulset #241
+  - Custom dhparam.pem via environment. #254
+
+### Changed
+  - Update openldap 2.4.44 to 2.4.47 #247
+  - Upgrade baseimage to light-baseimage:1.1.2
+
+### Fixed
+  - Ldaps port numbers in readme #281
+  - Replication after restart container #264
+
 ## [1.2.2] - 2018-09-04
 ### Added
   - Environment variable LDAP_NOFILE to setup a custom ulimit value #237
@@ -214,6 +229,8 @@ Environment variable LDAP_REPLICATION_HDB_SYNCPROV changed to LDAP_REPLICATION_D
 ## [0.10.0] - 2015-03-03
 New version initial release, no changelog before this sorry.
 
+[1.2.3]: https://github.com/osixia/docker-openldap/compare/v1.2.2...v1.2.3
+[1.2.2]: https://github.com/osixia/docker-openldap/compare/v1.2.1...v1.2.2
 [1.2.1]: https://github.com/osixia/docker-openldap/compare/v1.2.0...v1.2.1
 [1.2.0]: https://github.com/osixia/docker-openldap/compare/v1.1.11...v1.2.0
 [1.1.11]: https://github.com/osixia/docker-openldap/compare/v1.1.10...v1.1.11

Makefile

@@ -1,5 +1,5 @@
 NAME = osixia/openldap
-VERSION = 1.2.2
+VERSION = 1.2.3
 
 .PHONY: build build-nocache test tag-latest push push-latest release git-tag-version
 

README.md

@@ -4,45 +4,47 @@
 ![Docker Stars](https://img.shields.io/docker/stars/osixia/openldap.svg)
 ![](https://images.microbadger.com/badges/image/osixia/openldap.svg)
 
-Latest release: 1.2.2 - OpenLDAP 2.4.44 -  [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/) 
+Latest release: 1.2.3 - OpenLDAP 2.4.47 -  [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/) 
 
 **A docker image to run OpenLDAP.**
 
 > OpenLDAP website : [www.openldap.org](http://www.openldap.org/)
 
 
-- [Contributing](#contributing)
-- [Quick Start](#quick-start)
-- [Beginner Guide](#beginner-guide)
-	- [Create new ldap server](#create-new-ldap-server)
-		- [Data persistence](#data-persistence)
-		- [Edit your server configuration](#)
-	- [Use an existing ldap database](#use-an-existing-ldap-database)
-	- [Backup](#backup)
-	- [Administrate your ldap server](#administrate-your-ldap-server)
-	- [TLS](#tls)
-		- [Use auto-generated certificate](#use-auto-generated-certificate)
-		- [Use your own certificate](#use-your-own-certificate)
-		- [Disable TLS](#disable-tls)
-	- [Multi master replication](#multi-master-replication)
-	- [Fix docker mounted file problems](#fix-docker-mounted-file-problems)
-	- [Debug](#debug)
-- [Environment Variables](#environment-variables)
-	- [Default.yaml](#defaultyaml)
-	- [Default.startup.yaml](#defaultyamlstartup)
-	- [Set your own environment variables](#set-your-own-environment-variables)
-		- [Use command line argument](#use-command-line-argument)
-		- [Link environment file](#link-environment-file)
-		- [Make your own image or extend this image](#make-your-own-image-or-extend-this-image)
-- [Advanced User Guide](#advanced-user-guide)
-	- [Extend osixia/openldap:1.2.2 image](#extend-osixiaopenldap122-image)
-	- [Make your own openldap image](#make-your-own-openldap-image)
-	- [Tests](#tests)
-	- [Kubernetes](#kubernetes)
-	- [Under the hood: osixia/light-baseimage](#under-the-hood-osixialight-baseimage)
-- [Security](#security)
-	- [Known security issues](#known-security-issues)
-- [Changelog](#changelog)
+- [osixia/openldap](#osixiaopenldap)
+	- [Contributing](#contributing)
+	- [Quick Start](#quick-start)
+	- [Beginner Guide](#beginner-guide)
+		- [Create new ldap server](#create-new-ldap-server)
+			- [Data persistence](#data-persistence)
+			- [Edit your server configuration](#edit-your-server-configuration)
+			- [Seed ldap database with ldif](#seed-ldap-database-with-ldif)
+		- [Use an existing ldap database](#use-an-existing-ldap-database)
+		- [Backup](#backup)
+		- [Administrate your ldap server](#administrate-your-ldap-server)
+		- [TLS](#tls)
+			- [Use auto-generated certificate](#use-auto-generated-certificate)
+			- [Use your own certificate](#use-your-own-certificate)
+			- [Disable TLS](#disable-tls)
+		- [Multi master replication](#multi-master-replication)
+		- [Fix docker mounted file problems](#fix-docker-mounted-file-problems)
+		- [Debug](#debug)
+	- [Environment Variables](#environment-variables)
+		- [Default.yaml](#defaultyaml)
+		- [Default.startup.yaml](#defaultstartupyaml)
+		- [Set your own environment variables](#set-your-own-environment-variables)
+			- [Use command line argument](#use-command-line-argument)
+			- [Link environment file](#link-environment-file)
+			- [Make your own image or extend this image](#make-your-own-image-or-extend-this-image)
+	- [Advanced User Guide](#advanced-user-guide)
+		- [Extend osixia/openldap:1.2.3 image](#extend-osixiaopenldap123-image)
+		- [Make your own openldap image](#make-your-own-openldap-image)
+		- [Tests](#tests)
+		- [Kubernetes](#kubernetes)
+		- [Under the hood: osixia/light-baseimage](#under-the-hood-osixialight-baseimage)
+	- [Security](#security)
+		- [Known security issues](#known-security-issues)
+	- [Changelog](#changelog)
 
 ## Contributing
 
@@ -55,11 +57,11 @@ If you find this image useful here's how you can help:
 ## Quick Start
 Run OpenLDAP docker image:
 
-	docker run --name my-openldap-container --detach osixia/openldap:1.2.2
+	docker run --name my-openldap-container --detach osixia/openldap:1.2.3
 
-Do not forget to add the port mapping for both port 389 and 689 if you wish to access the ldap server from another machine.
+Do not forget to add the port mapping for both port 389 and 636 if you wish to access the ldap server from another machine.
 
-	docker run -p 389:389 -p 689:689 --name my-openldap-container --detach osixia/openldap:1.2.2
+	docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.2.3
 
 Either command starts a new container with OpenLDAP running inside. Let's make the first search in our LDAP container:
 
@@ -95,7 +97,7 @@ It will create an empty ldap for the company **Example Inc.** and the domain **e
 By default the admin has the password **admin**. All those default settings can be changed at the docker command line, for example:
 
 	docker run --env LDAP_ORGANISATION="My Company" --env LDAP_DOMAIN="my-company.com" \
-	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.2
+	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.3
 
 #### Data persistence
 
@@ -133,6 +135,7 @@ The startup script provides some substitutions in bootstrap ldif files. Followin
 
 - `{{ LDAP_BASE_DN }}`
 - `{{ LDAP_BACKEND }}`
+- `{{ LDAP_DOMAIN }}`
 - `{{ LDAP_READONLY_USER_USERNAME }}`
 - `{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}`
 
@@ -145,12 +148,12 @@ argument to entrypoint if you don't want to overwrite them.
 		# single file example:
 		docker run \
       --volume ./bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif \
-      osixia/openldap:1.2.2 --copy-service
+      osixia/openldap:1.2.3 --copy-service
 
 		#directory example:
 		docker run \
 	     --volume ./ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom \
-	     osixia/openldap:1.2.2 --copy-service
+	     osixia/openldap:1.2.3 --copy-service
 
 ### Use an existing ldap database
 
@@ -161,7 +164,7 @@ simply mount this directories as a volume to `/var/lib/ldap` and `/etc/ldap/slap
 
 	docker run --volume /data/slapd/database:/var/lib/ldap \
 	--volume /data/slapd/config:/etc/ldap/slapd.d \
-	--detach osixia/openldap:1.2.2
+	--detach osixia/openldap:1.2.3
 
 You can also use data volume containers. Please refer to:
 > [https://docs.docker.com/engine/tutorials/dockervolumes/](https://docs.docker.com/engine/tutorials/dockervolumes/)
@@ -181,7 +184,7 @@ If you are looking for a simple solution to administrate your ldap server you ca
 #### Use auto-generated certificate
 By default, TLS is already configured and enabled, certificate is created using container hostname (it can be set by docker run --hostname option eg: ldap.example.org).
 
-	docker run --hostname ldap.my-company.com --detach osixia/openldap:1.2.2
+	docker run --hostname ldap.my-company.com --detach osixia/openldap:1.2.3
 
 #### Use your own certificate
 
@@ -191,24 +194,24 @@ You can set your custom certificate at run time, by mounting a directory contain
 	--env LDAP_TLS_CRT_FILENAME=my-ldap.crt \
 	--env LDAP_TLS_KEY_FILENAME=my-ldap.key \
 	--env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \
-	--detach osixia/openldap:1.2.2
+	--detach osixia/openldap:1.2.3
 
 Other solutions are available please refer to the [Advanced User Guide](#advanced-user-guide)
 
 #### Disable TLS
 Add --env LDAP_TLS=false to the run command:
 
-	docker run --env LDAP_TLS=false --detach osixia/openldap:1.2.2
+	docker run --env LDAP_TLS=false --detach osixia/openldap:1.2.3
 
 ### Multi master replication
 Quick example, with the default config.
 
 	#Create the first ldap server, save the container id in LDAP_CID and get its IP:
-	LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.2)
+	LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.3)
 	LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID)
 
 	#Create the second ldap server, save the container id in LDAP2_CID and get its IP:
-	LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.2)
+	LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.3)
 	LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID)
 
 	#Add the pair "ip hostname" to /etc/hosts on each containers,
@@ -244,7 +247,7 @@ You may have some problems with mounted files on some systems. The startup scrip
 
 To fix that run the container with `--copy-service` argument :
 
-		docker run [your options] osixia/openldap:1.2.2 --copy-service
+		docker run [your options] osixia/openldap:1.2.3 --copy-service
 
 ### Debug
 
@@ -253,11 +256,11 @@ Available levels are: `none`, `error`, `warning`, `info`, `debug` and `trace`.
 
 Example command to run the container in `debug` mode:
 
-	docker run --detach osixia/openldap:1.2.2 --loglevel debug
+	docker run --detach osixia/openldap:1.2.3 --loglevel debug
 
 See all command line options:
 
-	docker run osixia/openldap:1.2.2 --help
+	docker run osixia/openldap:1.2.3 --help
 
 
 ## Environment Variables
@@ -300,6 +303,7 @@ TLS options:
 - **LDAP_TLS**: Add openldap TLS capabilities. Can't be removed once set to true. Defaults to `true`.
 - **LDAP_TLS_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
 - **LDAP_TLS_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
+- **LDAP_TLS_DH_PARAM_FILENAME**: Ldap ssl certificate dh param file. Defaults to `dhparam.pem`
 - **LDAP_TLS_CA_CRT_FILENAME**: Ldap ssl CA certificate  filename. Defaults to `ca.crt`
 - **LDAP_TLS_ENFORCE**: Enforce TLS but except ldapi connections. Can't be disabled once set to true. Defaults to `false`.
 - **LDAP_TLS_CIPHER_SUITE**: TLS cipher suite. Defaults to `SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC`, based on Red Hat's [TLS hardening guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Hardening_TLS_Configuration.html)
@@ -322,7 +326,7 @@ Replication options:
 
 	If you want to set this variable at docker run command add the tag `#PYTHON2BASH:` and convert the yaml in python:
 
-		docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.2.2
+		docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.2.3
 
 	To convert yaml to python online: http://yaml-online-parser.appspot.com/
 
@@ -342,7 +346,7 @@ Other environment variables:
 Environment variables can be set by adding the --env argument in the command line, for example:
 
 	docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \
-	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.2
+	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.3
 
 Be aware that environment variable added in command line will be available at any time
 in the container. In this example if someone manage to open a terminal in this container
@@ -353,14 +357,14 @@ he will be able to read the admin password in clear text from environment variab
 For example if your environment files **my-env.yaml** and **my-env.startup.yaml** are in /data/ldap/environment
 
 	docker run --volume /data/ldap/environment:/container/environment/01-custom \
-	--detach osixia/openldap:1.2.2
+	--detach osixia/openldap:1.2.3
 
 Take care to link your environment files folder to `/container/environment/XX-somedir` (with XX < 99 so they will be processed before default environment files) and not  directly to `/container/environment` because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE).
 
 Note: the container will try to delete the **\*.startup.yaml** file after the end of startup files so the file will also be deleted on the docker host. To prevent that : use --volume /data/ldap/environment:/container/environment/01-custom**:ro** or set all variables in **\*.yaml** file and don't use **\*.startup.yaml**:
 
 	docker run --volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \
-	--detach osixia/openldap:1.2.2
+	--detach osixia/openldap:1.2.3
 
 #### Make your own image or extend this image
 
@@ -368,13 +372,13 @@ This is the best solution if you have a private registry. Please refer to the [A
 
 ## Advanced User Guide
 
-### Extend osixia/openldap:1.2.2 image
+### Extend osixia/openldap:1.2.3 image
 
 If you need to add your custom TLS certificate, bootstrap config or environment files the easiest way is to extends this image.
 
 Dockerfile example:
 
-	FROM osixia/openldap:1.2.2
+	FROM osixia/openldap:1.2.3
 	MAINTAINER Your Name <[email protected]>
 
 	ADD bootstrap /container/service/slapd/assets/config/bootstrap

example/docker-compose.yml

@@ -1,7 +1,7 @@
 version: '2'
 services:
   openldap:
-    image: osixia/openldap:1.2.2
+    image: osixia/openldap:1.2.3
     container_name: openldap
     environment:
       LDAP_LOG_LEVEL: "256"
@@ -18,6 +18,7 @@ services:
       LDAP_TLS: "true"
       LDAP_TLS_CRT_FILENAME: "ldap.crt"
       LDAP_TLS_KEY_FILENAME: "ldap.key"
+      LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
       LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
       LDAP_TLS_ENFORCE: "false"
       LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"

example/extend-osixia-openldap/Dockerfile

@@ -1,4 +1,4 @@
-FROM osixia/openldap:1.2.2
+FROM osixia/openldap:1.2.3
 MAINTAINER Your Name <[email protected]>
 
 ADD bootstrap /container/service/slapd/assets/config/bootstrap

example/extend-osixia-openldap/environment/my-env.startup.yaml

@@ -20,6 +20,7 @@ LDAP_READONLY_USER_PASSWORD: passwr0rd!
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: cert.crt
 LDAP_TLS_KEY_FILENAME: cert.key
+LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
 LDAP_TLS_ENFORCE: false

example/kubernetes/simple/ldap-deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
       containers:
         - name: ldap
-          image: osixia/openldap:1.2.2
+          image: osixia/openldap:1.2.3
           volumeMounts:
             - name: ldap-data
               mountPath: /var/lib/ldap
@@ -51,6 +51,8 @@ spec:
               value: "ldap.crt"
             - name: LDAP_TLS_KEY_FILENAME
               value: "ldap.key"
+            - name: LDAP_TLS_DH_PARAM_FILENAME
+              value: "dhparam.pem"
             - name: LDAP_TLS_CA_CRT_FILENAME
               value: "ca.crt"
             - name: LDAP_TLS_ENFORCE

example/kubernetes/using-secrets/environment/my-env.startup.yaml

@@ -27,6 +27,7 @@ LDAP_BACKEND: mdb
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: ldap.crt
 LDAP_TLS_KEY_FILENAME: ldap.key
+LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
 LDAP_TLS_ENFORCE: false

example/kubernetes/using-secrets/gce-statefullset.yaml

@@ -0,0 +1,58 @@
+apiVersion: apps/v1beta1
+kind: StatefulSet
+metadata:
+    name: ldap
+spec:
+    serviceName: "ldap"
+    replicas: 1
+    template:
+        metadata:
+            labels:
+                pod: ldap
+        spec:
+            containers:
+            - name: azaldap
+              image: osixia/openldap:1.2.3
+              imagePullPolicy: IfNotPresent
+              #command: ["/bin/bash","-c","while [ 1 = 1 ] ; do sleep 1; date; done"]
+              ports:
+              - containerPort: 389
+              volumeMounts:
+              - mountPath: /var/lib/ldap
+                name: ldap-data
+              - mountPath: /etc/ldap/slapd.d
+                name: ldap-config
+              - mountPath: /container/service/slapd/assets/certs
+                name: ldap-certs
+              - mountPath: /container/environment/01-custom
+                name: secret-volume
+              - mountPath: /container/run
+                name: container-run
+            volumes:
+              - name: "secret-volume"
+                secret:
+                  secretName: "ldap-secret"
+              - name: container-run
+                emptyDir: {}
+    volumeClaimTemplates:
+    - metadata:
+        name: ldap-data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+    - metadata:
+        name: ldap-config
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 10Mi
+    - metadata:
+        name: ldap-certs
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 10Mi

example/kubernetes/using-secrets/ldap-deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
       containers:
         - name: ldap
-          image: osixia/openldap:1.2.2
+          image: osixia/openldap:1.2.3
           args: ["--copy-service"]
           volumeMounts:
             - name: ldap-data

image/Dockerfile

@@ -1,7 +1,6 @@
 # Use osixia/light-baseimage
 # sources: https://github.com/osixia/docker-light-baseimage
-FROM osixia/light-baseimage:1.1.1
-MAINTAINER Bertrand Gouny <[email protected]>
+FROM osixia/light-baseimage:1.1.2
 
 ARG LDAP_OPENLDAP_GID
 ARG LDAP_OPENLDAP_UID
@@ -11,12 +10,15 @@ ARG LDAP_OPENLDAP_UID
 RUN if [ -z "${LDAP_OPENLDAP_GID}" ]; then groupadd -r openldap; else groupadd -r -g ${LDAP_OPENLDAP_GID} openldap; fi \
     && if [ -z "${LDAP_OPENLDAP_UID}" ]; then useradd -r -g openldap openldap; else useradd -r -g openldap -u ${LDAP_OPENLDAP_UID} openldap; fi
 
-# Install OpenLDAP, ldap-utils and ssl-tools from baseimage and clean apt-get files
+# Add stretch-backports in preparation for downloading newer openldap components, especially sladp
+RUN echo "deb http://ftp.debian.org/debian stretch-backports main" >> /etc/apt/sources.list
+
+# Install OpenLDAP, ldap-utils and ssl-tools from the (backported) baseimage and clean apt-get files
 # sources: https://github.com/osixia/docker-light-baseimage/blob/stable/image/tool/add-service-available
 #          https://github.com/osixia/docker-light-baseimage/blob/stable/image/service-available/:ssl-tools/download.sh
 RUN echo "path-include /usr/share/doc/krb5*" >> /etc/dpkg/dpkg.cfg.d/docker && apt-get -y update \
     && /container/tool/add-service-available :ssl-tools \
-	  && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+	  && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get -t stretch-backports install -y --no-install-recommends \
        ldap-utils \
        libsasl2-modules \
        libsasl2-modules-db \

image/environment/default.startup.yaml

@@ -27,6 +27,7 @@ LDAP_BACKEND: mdb
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: ldap.crt
 LDAP_TLS_KEY_FILENAME: ldap.key
+LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
 LDAP_TLS_ENFORCE: false

image/service/slapd/assets/config/admin-pw/ldif/06-root-pw-change.ldif

@@ -0,0 +1,14 @@
+# Change config password
+dn: cn=config
+changeType: modify
+
+dn: olcDatabase={0}config,cn=config
+replace: olcRootPW
+olcRootPW: {{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}
+
+# Change schema password
+
+dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {{ LDAP_ADMIN_PASSWORD_ENCRYPTED }}

image/service/slapd/assets/config/admin-pw/ldif/07-admin-pw-change.ldif

@@ -0,0 +1,5 @@
+# Admin schema password
+dn: cn=admin,{{ LDAP_BASE_DN }}
+changetype: modify
+replace: userPassword
+userPassword: {{ LDAP_ADMIN_PASSWORD_ENCRYPTED }}

image/service/slapd/assets/config/replication/replication-disable.ldif

@@ -4,6 +4,8 @@ changetype: modify
 delete: olcSyncRepl
 -
 delete: olcMirrorMode
+-
+delete: olcLimits
 
 # Delete syncprov on backend
 dn: olcOverlay=syncprov,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
@@ -24,3 +26,4 @@ changetype: delete
 dn: cn=config
 changeType: modify
 delete: olcServerID
+

image/service/slapd/startup.sh

@@ -23,11 +23,12 @@ FIRST_START_DONE="${CONTAINER_STATE_DIR}/slapd-first-start-done"
 WAS_STARTED_WITH_TLS="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls"
 WAS_STARTED_WITH_TLS_ENFORCE="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls-enforce"
 WAS_STARTED_WITH_REPLICATION="/etc/ldap/slapd.d/docker-openldap-was-started-with-replication"
+WAS_ADMIN_PASSWORD_SET="/etc/ldap/slapd.d/docker-openldap-was-admin-password-set"
 
 LDAP_TLS_CA_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CA_CRT_FILENAME"
 LDAP_TLS_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CRT_FILENAME"
 LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
-LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
+LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_DH_PARAM_FILENAME"
 
 
 # CONTAINER_SERVICE_DIR and CONTAINER_STATE_DIR variables are set by
@@ -67,6 +68,7 @@ if [ ! -e "$FIRST_START_DONE" ]; then
     log-helper debug "Processing file ${LDIF_FILE}"
     sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" $LDIF_FILE
     sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" $LDIF_FILE
+    sed -i "s|{{ LDAP_DOMAIN }}|${LDAP_DOMAIN}|g" $LDIF_FILE
     if [ "${LDAP_READONLY_USER,,}" == "true" ]; then
       sed -i "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME}|g" $LDIF_FILE
       sed -i "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED}|g" $LDIF_FILE
@@ -197,7 +199,7 @@ EOF
       [[ -z "$PREVIOUS_LDAP_TLS_CA_CRT_PATH" ]] && PREVIOUS_LDAP_TLS_CA_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CA_CRT_FILENAME"
       [[ -z "$PREVIOUS_LDAP_TLS_CRT_PATH" ]] && PREVIOUS_LDAP_TLS_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CRT_FILENAME"
       [[ -z "$PREVIOUS_LDAP_TLS_KEY_PATH" ]] && PREVIOUS_LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
-      [[ -z "$PREVIOUS_LDAP_TLS_DH_PARAM_PATH" ]] && PREVIOUS_LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
+      [[ -z "$PREVIOUS_LDAP_TLS_DH_PARAM_PATH" ]] && PREVIOUS_LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_DH_PARAM_FILENAME"
 
       ssl-helper $LDAP_SSL_HELPER_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH
       [ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
@@ -398,6 +400,22 @@ EOF
 
     fi
 
+    if [[ -f "$WAS_ADMIN_PASSWORD_SET" ]]; then
+      LDAP_CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s "$LDAP_CONFIG_PASSWORD")
+      LDAP_ADMIN_PASSWORD_ENCRYPTED=$(slappasswd -s "$LDAP_ADMIN_PASSWORD")
+      sed -i "s|{{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}|${LDAP_CONFIG_PASSWORD_ENCRYPTED}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/admin-pw/ldif/06-root-pw-change.ldif
+      sed -i "s|{{ LDAP_ADMIN_PASSWORD_ENCRYPTED }}|${LDAP_ADMIN_PASSWORD_ENCRYPTED}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/admin-pw/ldif/06-root-pw-change.ldif
+      sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/admin-pw/ldif/06-root-pw-change.ldif
+      sed -i "s|{{ LDAP_ADMIN_PASSWORD_ENCRYPTED }}|${LDAP_ADMIN_PASSWORD_ENCRYPTED}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/admin-pw/ldif/07-admin-pw-change.ldif
+      sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/admin-pw/ldif/07-admin-pw-change.ldif
+
+      for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/admin-pw/ldif -type f -name \*.ldif  | sort); do
+        ldap_add_or_modify "$f"
+      done
+    else
+       touch "$WAS_ADMIN_PASSWORD_SET"
+    fi
+
     #
     # stop OpenLDAP
     #

test/ssl/ldap-test.dhparam

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA9GFVKDf67bPYjJB6ngTWhCSARE4KPg5/+LYMIA5mr137Iqatdk2K
+/QNyvW3EWmg9hSNcb8Zd7LFru/qt5te7lDBGS2uOhvxHQEJ8Lqv+KoM9TFTI1oH7
+9biVLVbUwMrD7LGTp5TQ9pbjyADW2mWf25hYmy95V0aKQBLJ10GcFaDTguO6OH3E
+E6hOl6gQzlTd/WCNrFf2ww4iveNNXbZArOf4BruqjYOkV1RSf+vdQwBlxtjjCEW4
+QUGO31rbD07R5Pv464vf18yGHttnPa0JBDq7P2alN49Of0k+qntUyUPxcrBd83qQ
+13KWi47KoR76gf4f87OZa9hXwk8AML1BCwIBAg==
+-----END DH PARAMETERS-----

test/test.bats

@@ -41,6 +41,17 @@ load test_helper
 
 }
 
+@test "ldapsearch new database with strict TLS and custom ca/crt and custom dhparam" {
+
+  run_image -h ldap.osixia.net -v $BATS_TEST_DIRNAME/ssl:/container/service/slapd/assets/certs -e LDAP_TLS_CRT_FILENAME=ldap-test.crt -e LDAP_TLS_KEY_FILENAME=ldap-test.key -e LDAP_TLS_DH_PARAM_FILENAME=ldap-test.dhparam -e LDAP_TLS_CA_CRT_FILENAME=ca-test.crt
+  wait_process slapd
+  run docker exec $CONTAINER_ID ldapsearch -x -h ldap.osixia.net -b dc=example,dc=org -ZZ -D "cn=admin,dc=example,dc=org" -w admin
+  clear_container
+
+  [ "$status" -eq 0 ]
+
+}
+
 @test "ldapsearch existing hdb database and config" {
 
   run_image -h ldap.example.org -e LDAP_TLS=false -e LDAP_BACKEND=hdb -v $BATS_TEST_DIRNAME/database:/container/test/database -v $BATS_TEST_DIRNAME/config:/container/test/config