Browse source

Merge branch 'release-1.2.0' into stable

Bertrand Gouny 7 years ago
Parent
Commit
e35c7cc8d6

+ 138 - 88
CHANGELOG.md

@@ -1,170 +1,220 @@
 # Changelog
 # Changelog
+All notable changes to this project will be documented in this file.
 
 
-## 1.1.11
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## [1.2.0] - Unreleased
+### Changed
+  - Use mdb as default backend
+
+### Fixed
+  - startup.sh: Ensure SCHEMAS is sorted #193
+  - LDAP_ADMIN_PASSWORD with space breaks container setup #167
+
+## [1.1.11] - 2017-12-19
+### Added
   - Add krb5-kdc-ldap with doc examples #171
   - Add krb5-kdc-ldap with doc examples #171
-  - Fix NFS issue #169
   - Add support of readonly user in custom bootstrap ldif #162
   - Add support of readonly user in custom bootstrap ldif #162
+
+### Fixed
+  - Fix NFS issue #169
   - Create schemas in a consistent order. #174
   - Create schemas in a consistent order. #174
 
 
-## 1.1.10
-Fix:
+## [1.1.10] - 2017-11-09
+### Changed
+  - Upgrade baseimage to light-baseimage:1.1.1
+
+### Fixed
   - Readme #145 #148
   - Readme #145 #148
   - Let ldapmodify and ldapadd use the same auth #146
   - Let ldapmodify and ldapadd use the same auth #146
   - Enable matching uid's and gid's in the host and container. #156
   - Enable matching uid's and gid's in the host and container. #156
 
 
-Update to light-baseimage:1.1.1
-
-## 1.1.9
-Add :
+## [1.1.9] - 2017-07-19
+### Added
   - LDAP_RFC2307BIS_SCHEMA option to use rfc2307bis schema instead of nis default schema
   - LDAP_RFC2307BIS_SCHEMA option to use rfc2307bis schema instead of nis default schema
   - KEEP_EXISTING_CONFIG option to not change the ldap config
   - KEEP_EXISTING_CONFIG option to not change the ldap config
 
 
-Update to light-baseimage:1.1.0 (debian stretch)
+### Changed
+  - Upgrade baseimage to light-baseimage:1.1.0 (debian stretch)
 
 
-## 1.1.8
-Fix :
+## [1.1.8] - 2017-02-16
+### Fixed
   - LDAP_ENFORCE_TLS is not working correctly #107
   - LDAP_ENFORCE_TLS is not working correctly #107
   - Unable to reuse volumes after LDAP_TLS_ENFORCE is true #92
   - Unable to reuse volumes after LDAP_TLS_ENFORCE is true #92
 
 
-## 1.1.7
-Update to light-baseimage:0.2.6
+## [1.1.7] - 2016-11-09
+### Changed
+  - Upgrade baseimage to light-baseimage:0.2.6
 
 
-## 1.1.6
-Fix :
-  - Upgrade to 1.1.5 startup issues with cfssl-helper #73
+## [1.1.6] - 2016-09-02
+### Changed
+  - Upgrade baseimage to light-baseimage:0.2.5
 
 
-Update to light-baseimage:0.2.5
+### Fixed
+  - Upgrade to 1.1.5 startup issues with cfssl-helper #73
 
 
-## 1.1.5
-Fix :
+## [1.1.5] - 2016-08-02
+### Fixed
   - Restarting container with new environment #44
   - Restarting container with new environment #44
   - Cannot rerun with customized certificate at 1.1.1 #36
   - Cannot rerun with customized certificate at 1.1.1 #36
 
 
-## 1.1.4
-Fix :
+## [1.1.4] - 2016-07-26
+### Fixed
   - Remove environment variable LDAP_TLS_PROTOCOL_MIN as it takes no effect, see #69
   - Remove environment variable LDAP_TLS_PROTOCOL_MIN as it takes no effect, see #69
   - Adjust default GnuTLS cipher string according to Red Hat's TLS hardening guide.
   - Adjust default GnuTLS cipher string according to Red Hat's TLS hardening guide.
     This by default also restricts the TLS protocol version to 1.2. For reference,
     This by default also restricts the TLS protocol version to 1.2. For reference,
     see #69
     see #69
   - Fix Error in Adding "Billy" #71
   - Fix Error in Adding "Billy" #71
   - Add docker-compose.yml example and update kubernetes examples #52
   - Add docker-compose.yml example and update kubernetes examples #52
-
-Merge pull request :
   - Update LDAP_TLS_CIPHER_SUITE, remove LDAP_TLS_PROTOCOL_MIN #70
   - Update LDAP_TLS_CIPHER_SUITE, remove LDAP_TLS_PROTOCOL_MIN #70
   - fixed LDAP_BACKEND for readonly user #62
   - fixed LDAP_BACKEND for readonly user #62
 
 
-## 1.1.3
-Merge pull request :
-  - Use mdb over hdb #50
-  - Ignore lost+found directories #53
-  - Remove Volume command from Dockerfile #56
+## [1.1.3] - 2016-06-09
+In this version the new environment variable LDAP_BACKEND let you set the the backend used by your ldap database.
+By default it's hdb. In comming versions 1.2.x the default will be changed to mdb.
 
 
-Update to light-baseimage:0.2.4
+Environment variable LDAP_REPLICATION_HDB_SYNCPROV changed to LDAP_REPLICATION_DB_SYNCPROV
 
 
-Release Note:
-  In this version the new environment variable LDAP_BACKEND let you set the the backend used by your ldap database.
-  By default it's hdb. In comming versions 1.2.x the default will be changed to mdb.
+### Added
+  - Use mdb over hdb #50
 
 
-  Environment variable LDAP_REPLICATION_HDB_SYNCPROV changed to LDAP_REPLICATION_DB_SYNCPROV
+### Changed
+  - Ignore lost+found directories #53
+  - LDAP_REPLICATION_HDB_SYNCPROV changed to LDAP_REPLICATION_DB_SYNCPROV
+  - Upgrade baseimage to light-baseimage:0.2.4
 
 
-## 1.1.2
-Merge pull request :
-  - Honor LDAP_LOG_LEVEL on startup #39
+### Removed
+  - Volume command from Dockerfile #56
 
 
-Fix :
+## [1.1.2] - 2016-03-18
+### Fixed
+  - Honor LDAP_LOG_LEVEL on startup #39
   - slapd tcp bind is network not interface, and so does not respond on overlay networks #35
   - slapd tcp bind is network not interface, and so does not respond on overlay networks #35
   - specify base_dn without domain #37
   - specify base_dn without domain #37
 
 
-## 1.1.1
-Update to light-baseimage:0.2.2
+## [1.1.1] - 2016-02-20
+### Changed
+  - Upgrade baseimage to light-baseimage:0.2.2
 
 
-## 1.1.0
-Update to light-baseimage:0.2.1 :
+## [1.1.0] - 2016-01-25
+### Added
   - Use \*.startup.yaml environment files to keep configuration secrets
   - Use \*.startup.yaml environment files to keep configuration secrets
   - Use cfssl tool to generate tls certs
   - Use cfssl tool to generate tls certs
   - Use log-helper to write leveled log messages
   - Use log-helper to write leveled log messages
   - Allow copy of /container/service and mounted files to /container/run/service dir usefull for write only filesystems and avoid file permissions problems
   - Allow copy of /container/service and mounted files to /container/run/service dir usefull for write only filesystems and avoid file permissions problems
-
-New feature :
   - Add enforcing TLS options (#26)
   - Add enforcing TLS options (#26)
 
 
-Fix :
+### Changed
+  - Upgrade baseimage to light-baseimage:0.2.1
+
+### Fixed
   - Should SSL certs be copied on load? (#25)
   - Should SSL certs be copied on load? (#25)
 
 
-## 1.0.9
-Update to light-baseimage:0.2.0
+## [1.0.9] - 2015-12-16
+### Added
+  - Makefile with build no cache
 
 
-Makefile with build no cache
+### Changed
+  - Upgrade baseimage to light-baseimage:0.2.0
 
 
-## 1.0.8
-Fix an other startup bug ! whuhu
+## [1.0.8] - 2015-11-23
+### Fixed
+  - An other startup bug ! whuhu
 
 
-## 1.0.7
-Fix startup bug
+## [1.0.7] - 2015-11-20
+### Fixed
+  - Startup bug
 
 
-## 1.0.6
-Use light-baseimage:0.1.5
+## [1.0.6] - 2015-11-20
+### Changed
+  - Upgrade baseimage to light-baseimage:0.1.5
 
 
-## 1.0.5
-Use light-baseimage:0.1.4
+## [1.0.5] - 2015-11-19
+### Changed
+  - Upgrade baseimage to light-baseimage:0.1.4
 
 
-Fix replication bug when the hostname was changed
+### Fixed
+  - Replication bug when the hostname was changed
 
 
-## 1.0.4
-Use light-baseimage:0.1.3
+## [1.0.4] - 2015-11-06
+### Changed
+  - Upgrade baseimage to light-baseimage:0.1.3
 
 
-## 1.0.3
-Use light-baseimage:0.1.2
+## [1.0.3] - 2015-10-26
+### Changed
+  - Upgrade baseimage to light-baseimage:0.1.2
 
 
-Fix :
+### Fixed
   - Re-running container with volumes won't start #19
   - Re-running container with volumes won't start #19
 
 
-## 1.0.2
-
-Add TLS environment variable :
+## [1.0.2] - 2015-08-27
+### Added
   - LDAP_TLS_CIPHER_SUITE
   - LDAP_TLS_CIPHER_SUITE
   - LDAP_TLS_PROTOCOL_MIN
   - LDAP_TLS_PROTOCOL_MIN
   - LDAP_TLS_VERIFY_CLIENT
   - LDAP_TLS_VERIFY_CLIENT
 
 
-## 1.0.1
-
-Upgrade baseimage: light-baseimage:0.1.1
+## [1.0.1] - 2015-08-18
+### Changed
+  - Upgrade baseimage to light-baseimage:0.1.1
 
 
-Rename environment variables
-
-Fix :
+### Fixed
   - OpenLdap container won't start when dhparam.pem is missing in bound volume #13
   - OpenLdap container won't start when dhparam.pem is missing in bound volume #13
 
 
-## 1.0.0
-
-Use light-baseimage
-
-Improve documentation
+## [1.0.0] - 2015-07-24
+### Added
+  - Improve documentation
 
 
-## 0.10.2
+### Changed
+  - Upgrade baseimage to light-baseimage
 
 
-New features :
+## [0.10.2] - 2015-07-14
+### Added
   - Bootstrap config, only on non existing slapd config
   - Bootstrap config, only on non existing slapd config
   - Limit max open file descriptors to fix slapd memory usage (#9)
   - Limit max open file descriptors to fix slapd memory usage (#9)
   - Don't disable network access from outside (#8)
   - Don't disable network access from outside (#8)
   - Make log level configurable via environment variable (#7)
   - Make log level configurable via environment variable (#7)
   - Support for ldaps (#10)
   - Support for ldaps (#10)
 
 
-
-Fix :
+### Fixed
   - Unable to start container with the following invocation. (#6)
   - Unable to start container with the following invocation. (#6)
 
 
-## 0.10.1
-
-New features :
-  - Add ldapi
-  - Add custom ldap schema
+## [0.10.1] - 2015-05-17
+### Added
+  - LDAPI
+  - Custom ldap schema
   - Auto convert .schema to .ldif
   - Auto convert .schema to .ldif
 
 
-
-Fix :
+### Fixed
   - Docker VOLUME is not needed to be able to stop a container without losing data (#2)
   - Docker VOLUME is not needed to be able to stop a container without losing data (#2)
   - starting from old data (#3)
   - starting from old data (#3)
 
 
-## 0.10.0
-New version initial release
+## [0.10.0] - 2015-03-03
+New version initial release, no changelog before this sorry.
+
+[1.2.0]: https://github.com/osixia/docker-openldap/compare/v1.1.11...v1.2.0
+[1.1.11]: https://github.com/osixia/docker-openldap/compare/v1.1.10...v1.1.11
+[1.1.10]: https://github.com/osixia/docker-openldap/compare/v1.1.9...v1.1.10
+[1.1.9]: https://github.com/osixia/docker-openldap/compare/v1.1.8...v1.1.9
+[1.1.8]: https://github.com/osixia/docker-openldap/compare/v1.1.7...v1.1.8
+[1.1.7]: https://github.com/osixia/docker-openldap/compare/v1.1.6...v1.1.7
+[1.1.6]: https://github.com/osixia/docker-openldap/compare/v1.1.5...v1.1.6
+[1.1.5]: https://github.com/osixia/docker-openldap/compare/v1.1.4...v1.1.5
+[1.1.4]: https://github.com/osixia/docker-openldap/compare/v1.1.3...v1.1.4
+[1.1.3]: https://github.com/osixia/docker-openldap/compare/v1.1.2...v1.1.3
+[1.1.2]: https://github.com/osixia/docker-openldap/compare/v1.1.1...v1.1.2
+[1.1.1]: https://github.com/osixia/docker-openldap/compare/v1.1.0...v1.1.1
+[1.1.0]: https://github.com/osixia/docker-openldap/compare/v1.0.9...v1.1.0
+[1.0.9]: https://github.com/osixia/docker-openldap/compare/v1.0.8...v1.0.9
+[1.0.8]: https://github.com/osixia/docker-openldap/compare/v1.0.7...v1.0.8
+[1.0.7]: https://github.com/osixia/docker-openldap/compare/v1.0.6...v1.0.7
+[1.0.6]: https://github.com/osixia/docker-openldap/compare/v1.0.5...v1.0.6
+[1.0.5]: https://github.com/osixia/docker-openldap/compare/v1.0.4...v1.0.5
+[1.0.4]: https://github.com/osixia/docker-openldap/compare/v1.0.3...v1.0.4
+[1.0.3]: https://github.com/osixia/docker-openldap/compare/v1.0.2...v1.0.3
+[1.0.2]: https://github.com/osixia/docker-openldap/compare/v1.0.1...v1.0.2
+[1.0.1]: https://github.com/osixia/docker-openldap/compare/v1.0.0...v1.0.1
+[1.0.0]: https://github.com/osixia/docker-openldap/compare/v1.10.2...v1.0.0
+[0.10.2]: https://github.com/osixia/docker-openldap/compare/v0.10.1...v0.10.2
+[0.10.1]: https://github.com/osixia/docker-openldap/compare/v0.10.0...v0.10.1
+[0.10.0]: https://github.com/osixia/docker-openldap/compare/v0.1.0...v0.10.0
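Review bot: the `[1.0.0]` compare link at the bottom points at `v1.10.2...v1.0.0`, which matches no entry in this file; it should read `v0.10.2...v1.0.0` so it follows the `[0.10.2]` entry. The `[0.10.0]` link likewise compares against `v0.1.0`, a tag nothing in this changelog refers to. Two typos were carried into the rewritten 1.1.3 note: "let you set the the backend" and "In comming versions".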

+ 1 - 1
Makefile

@@ -1,5 +1,5 @@
 NAME = osixia/openldap
 NAME = osixia/openldap
-VERSION = 1.1.11
+VERSION = 1.2.0
 
 
 .PHONY: build build-nocache test tag-latest push push-latest release git-tag-version
 .PHONY: build build-nocache test tag-latest push push-latest release git-tag-version
 
 

+ 28 - 26
README.md

@@ -4,9 +4,7 @@
 ![Docker Stars](https://img.shields.io/docker/stars/osixia/openldap.svg)
 ![Docker Stars](https://img.shields.io/docker/stars/osixia/openldap.svg)
 ![](https://images.microbadger.com/badges/image/osixia/openldap.svg)
 ![](https://images.microbadger.com/badges/image/osixia/openldap.svg)
 
 
-Latest release: 1.1.11 - OpenLDAP 2.4.44 -  [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/) 
-
-/!\ Security warning: Databases created with image version up to 1.1.11 creates two admin users with the same password, if you changed admin password after bootstrap you may be concerned by [issue #161](https://github.com/osixia/docker-openldap/issues/161).
+Latest release: 1.2.0 - OpenLDAP 2.4.44 -  [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/) 
 
 
 **A docker image to run OpenLDAP.**
 **A docker image to run OpenLDAP.**
 
 
@@ -37,12 +35,13 @@ Latest release: 1.1.11 - OpenLDAP 2.4.44 -  [Changelog](CHANGELOG.md) | [Docker
 		- [Link environment file](#link-environment-file)
 		- [Link environment file](#link-environment-file)
 		- [Make your own image or extend this image](#make-your-own-image-or-extend-this-image)
 		- [Make your own image or extend this image](#make-your-own-image-or-extend-this-image)
 - [Advanced User Guide](#advanced-user-guide)
 - [Advanced User Guide](#advanced-user-guide)
-	- [Extend osixia/openldap:1.1.11 image](#extend-osixiaopenldap1111-image)
+	- [Extend osixia/openldap:1.2.0 image](#extend-osixiaopenldap120-image)
 	- [Make your own openldap image](#make-your-own-openldap-image)
 	- [Make your own openldap image](#make-your-own-openldap-image)
 	- [Tests](#tests)
 	- [Tests](#tests)
 	- [Kubernetes](#kubernetes)
 	- [Kubernetes](#kubernetes)
 	- [Under the hood: osixia/light-baseimage](#under-the-hood-osixialight-baseimage)
 	- [Under the hood: osixia/light-baseimage](#under-the-hood-osixialight-baseimage)
 - [Security](#security)
 - [Security](#security)
+	- [Known security issues](#known-security-issues)
 - [Changelog](#changelog)
 - [Changelog](#changelog)
 
 
 ## Contributing
 ## Contributing
@@ -56,7 +55,7 @@ If you find this image useful here's how you can help:
 ## Quick Start
 ## Quick Start
 Run OpenLDAP docker image:
 Run OpenLDAP docker image:
 
 
-	docker run --name my-openldap-container --detach osixia/openldap:1.1.11
+	docker run --name my-openldap-container --detach osixia/openldap:1.2.0
 
 
 This start a new container with OpenLDAP running inside. Let's make the first search in our LDAP container:
 This start a new container with OpenLDAP running inside. Let's make the first search in our LDAP container:
 
 
@@ -92,7 +91,7 @@ It will create an empty ldap for the company **Example Inc.** and the domain **e
 By default the admin has the password **admin**. All those default settings can be changed at the docker command line, for example:
 By default the admin has the password **admin**. All those default settings can be changed at the docker command line, for example:
 
 
 	docker run --env LDAP_ORGANISATION="My Company" --env LDAP_DOMAIN="my-company.com" \
 	docker run --env LDAP_ORGANISATION="My Company" --env LDAP_DOMAIN="my-company.com" \
-	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.1.11
+	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.0
 
 
 #### Data persistence
 #### Data persistence
 
 
@@ -142,12 +141,12 @@ argument to entrypoint if you don't want to overwrite them.
 		# single file example:
 		# single file example:
 		docker run \
 		docker run \
       --volume ./bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif \
       --volume ./bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif \
-      osixia/openldap:1.1.11 --copy-service
+      osixia/openldap:1.2.0 --copy-service
 
 
 		#directory example:
 		#directory example:
 		docker run \
 		docker run \
-	     --volume ./ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom \
-	     osixia/openldap:1.1.11 --copy-service
+	     --volume ./lidf:/container/service/slapd/assets/config/bootstrap/ldif/custom \
+	     osixia/openldap:1.2.0 --copy-service
 
 
 ### Use an existing ldap database
 ### Use an existing ldap database
 
 
@@ -158,12 +157,12 @@ simply mount this directories as a volume to `/var/lib/ldap` and `/etc/ldap/slap
 
 
 	docker run --volume /data/slapd/database:/var/lib/ldap \
 	docker run --volume /data/slapd/database:/var/lib/ldap \
 	--volume /data/slapd/config:/etc/ldap/slapd.d \
 	--volume /data/slapd/config:/etc/ldap/slapd.d \
-	--detach osixia/openldap:1.1.11
+	--detach osixia/openldap:1.2.0
 
 
 You can also use data volume containers. Please refer to:
 You can also use data volume containers. Please refer to:
 > [https://docs.docker.com/engine/tutorials/dockervolumes/](https://docs.docker.com/engine/tutorials/dockervolumes/)
 > [https://docs.docker.com/engine/tutorials/dockervolumes/](https://docs.docker.com/engine/tutorials/dockervolumes/)
 
 
-Note: By default this image is waiting an **hdb**  database backend, if you want to use any other database backend set backend type via the LDAP_BACKEND environement variable.
+Note: By default this image is waiting an **mdb**  database backend, if you want to use any other database backend set backend type via the LDAP_BACKEND environement variable.
 
 
 ### Backup
 ### Backup
 A simple solution to backup your ldap server, is our openldap-backup docker image:
 A simple solution to backup your ldap server, is our openldap-backup docker image:
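Review bot: switching the expected default to mdb changes behaviour for users who re-attach volumes created with earlier image versions, which defaulted to hdb; this note should say explicitly that such deployments must now pass `--env LDAP_BACKEND=hdb`, otherwise slapd will not find its existing database. While here, "is waiting an" should read "expects an", and "environement" should be "environment".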
@@ -178,7 +177,7 @@ If you are looking for a simple solution to administrate your ldap server you ca
 #### Use auto-generated certificate
 #### Use auto-generated certificate
 By default, TLS is already configured and enabled, certificate is created using container hostname (it can be set by docker run --hostname option eg: ldap.example.org).
 By default, TLS is already configured and enabled, certificate is created using container hostname (it can be set by docker run --hostname option eg: ldap.example.org).
 
 
-	docker run --hostname ldap.my-company.com --detach osixia/openldap:1.1.11
+	docker run --hostname ldap.my-company.com --detach osixia/openldap:1.2.0
 
 
 #### Use your own certificate
 #### Use your own certificate
 
 
@@ -188,24 +187,24 @@ You can set your custom certificate at run time, by mounting a directory contain
 	--env LDAP_TLS_CRT_FILENAME=my-ldap.crt \
 	--env LDAP_TLS_CRT_FILENAME=my-ldap.crt \
 	--env LDAP_TLS_KEY_FILENAME=my-ldap.key \
 	--env LDAP_TLS_KEY_FILENAME=my-ldap.key \
 	--env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \
 	--env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \
-	--detach osixia/openldap:1.1.11
+	--detach osixia/openldap:1.2.0
 
 
 Other solutions are available please refer to the [Advanced User Guide](#advanced-user-guide)
 Other solutions are available please refer to the [Advanced User Guide](#advanced-user-guide)
 
 
 #### Disable TLS
 #### Disable TLS
 Add --env LDAP_TLS=false to the run command:
 Add --env LDAP_TLS=false to the run command:
 
 
-	docker run --env LDAP_TLS=false --detach osixia/openldap:1.1.11
+	docker run --env LDAP_TLS=false --detach osixia/openldap:1.2.0
 
 
 ### Multi master replication
 ### Multi master replication
 Quick example, with the default config.
 Quick example, with the default config.
 
 
 	#Create the first ldap server, save the container id in LDAP_CID and get its IP:
 	#Create the first ldap server, save the container id in LDAP_CID and get its IP:
-	LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.1.11)
+	LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.0)
 	LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID)
 	LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID)
 
 
 	#Create the second ldap server, save the container id in LDAP2_CID and get its IP:
 	#Create the second ldap server, save the container id in LDAP2_CID and get its IP:
-	LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.1.11)
+	LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.0)
 	LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID)
 	LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID)
 
 
 	#Add the pair "ip hostname" to /etc/hosts on each containers,
 	#Add the pair "ip hostname" to /etc/hosts on each containers,
@@ -241,7 +240,7 @@ You may have some problems with mounted files on some systems. The startup scrip
 
 
 To fix that run the container with `--copy-service` argument :
 To fix that run the container with `--copy-service` argument :
 
 
-		docker run [your options] osixia/openldap:1.1.11 --copy-service
+		docker run [your options] osixia/openldap:1.2.0 --copy-service
 
 
 ### Debug
 ### Debug
 
 
@@ -250,11 +249,11 @@ Available levels are: `none`, `error`, `warning`, `info`, `debug` and `trace`.
 
 
 Example command to run the container in `debug` mode:
 Example command to run the container in `debug` mode:
 
 
-	docker run --detach osixia/openldap:1.1.11 --loglevel debug
+	docker run --detach osixia/openldap:1.2.0 --loglevel debug
 
 
 See all command line options:
 See all command line options:
 
 
-	docker run osixia/openldap:1.1.11 --help
+	docker run osixia/openldap:1.2.0 --help
 
 
 
 
 ## Environment Variables
 ## Environment Variables
@@ -289,7 +288,7 @@ Required and used for new ldap server only:
 - **LDAP_RFC2307BIS_SCHEMA** Use rfc2307bis schema instead of nis schema. Defaults to `false`
 - **LDAP_RFC2307BIS_SCHEMA** Use rfc2307bis schema instead of nis schema. Defaults to `false`
 
 
 Backend:
 Backend:
-- **LDAP_BACKEND**: Ldap backend. Defaults to `hdb` (In comming versions v1.2.x default will be mdb)
+- **LDAP_BACKEND**: Ldap backend. Defaults to `mdb` (previously hdb in image versions up to v1.1.10)
 
 
 	Help: http://www.openldap.org/doc/admin24/backends.html
 	Help: http://www.openldap.org/doc/admin24/backends.html
 
 
@@ -319,7 +318,7 @@ Replication options:
 
 
 	If you want to set this variable at docker run command add the tag `#PYTHON2BASH:` and convert the yaml in python:
 	If you want to set this variable at docker run command add the tag `#PYTHON2BASH:` and convert the yaml in python:
 
 
-		docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.1.11
+		docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.2.0
 
 
 	To convert yaml to python online: http://yaml-online-parser.appspot.com/
 	To convert yaml to python online: http://yaml-online-parser.appspot.com/
 
 
@@ -339,7 +338,7 @@ Other environment variables:
 Environment variables can be set by adding the --env argument in the command line, for example:
 Environment variables can be set by adding the --env argument in the command line, for example:
 
 
 	docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \
 	docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \
-	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.1.11
+	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.0
 
 
 Be aware that environment variable added in command line will be available at any time
 Be aware that environment variable added in command line will be available at any time
 in the container. In this example if someone manage to open a terminal in this container
 in the container. In this example if someone manage to open a terminal in this container
@@ -350,14 +349,14 @@ he will be able to read the admin password in clear text from environment variab
 For example if your environment files **my-env.yaml** and **my-env.startup.yaml** are in /data/ldap/environment
 For example if your environment files **my-env.yaml** and **my-env.startup.yaml** are in /data/ldap/environment
 
 
 	docker run --volume /data/ldap/environment:/container/environment/01-custom \
 	docker run --volume /data/ldap/environment:/container/environment/01-custom \
-	--detach osixia/openldap:1.1.11
+	--detach osixia/openldap:1.2.0
 
 
 Take care to link your environment files folder to `/container/environment/XX-somedir` (with XX < 99 so they will be processed before default environment files) and not  directly to `/container/environment` because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE).
 Take care to link your environment files folder to `/container/environment/XX-somedir` (with XX < 99 so they will be processed before default environment files) and not  directly to `/container/environment` because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE).
 
 
 Note: the container will try to delete the **\*.startup.yaml** file after the end of startup files so the file will also be deleted on the docker host. To prevent that : use --volume /data/ldap/environment:/container/environment/01-custom**:ro** or set all variables in **\*.yaml** file and don't use **\*.startup.yaml**:
 Note: the container will try to delete the **\*.startup.yaml** file after the end of startup files so the file will also be deleted on the docker host. To prevent that : use --volume /data/ldap/environment:/container/environment/01-custom**:ro** or set all variables in **\*.yaml** file and don't use **\*.startup.yaml**:
 
 
 	docker run --volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \
 	docker run --volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \
-	--detach osixia/openldap:1.1.11
+	--detach osixia/openldap:1.2.0
 
 
 #### Make your own image or extend this image
 #### Make your own image or extend this image
 
 
@@ -365,13 +364,13 @@ This is the best solution if you have a private registry. Please refer to the [A
 
 
 ## Advanced User Guide
 ## Advanced User Guide
 
 
-### Extend osixia/openldap:1.1.11 image
+### Extend osixia/openldap:1.2.0 image
 
 
 If you need to add your custom TLS certificate, bootstrap config or environment files the easiest way is to extends this image.
 If you need to add your custom TLS certificate, bootstrap config or environment files the easiest way is to extends this image.
 
 
 Dockerfile example:
 Dockerfile example:
 
 
-	FROM osixia/openldap:1.1.11
+	FROM osixia/openldap:1.2.0
 	MAINTAINER Your Name <[email protected]>
 	MAINTAINER Your Name <[email protected]>
 
 
 	ADD bootstrap /container/service/slapd/assets/config/bootstrap
 	ADD bootstrap /container/service/slapd/assets/config/bootstrap
@@ -446,6 +445,9 @@ If you discover a security vulnerability within this docker image, please send a
 
 
 Please include as many details as possible.
 Please include as many details as possible.
 
 
+### Known security issues
+Openldap on debian creates two admin users with the same password, if you changed admin password after bootstrap you may be concerned by issue #161.
+
 ## Changelog
 ## Changelog
 
 
 Please refer to: [CHANGELOG.md](CHANGELOG.md)
 Please refer to: [CHANGELOG.md](CHANGELOG.md)
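Review bot: the new section names issue #161 without linking it (the removed top-of-README warning had the full URL) and no longer states which image versions are affected or whether 1.2.0 changes the bootstrap, so a reader cannot tell from this paragraph whether they need to act. Suggest restoring the link and the affected-version range, and saying what a user who changed the admin password after bootstrap should do.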

+ 2 - 2
example/docker-compose.yml

@@ -1,7 +1,7 @@
 version: '2'
 version: '2'
 services:
 services:
   openldap:
   openldap:
-    image: osixia/openldap:1.1.11
+    image: osixia/openldap:1.2.0
     container_name: openldap
     container_name: openldap
     environment:
     environment:
       LDAP_LOG_LEVEL: "256"
       LDAP_LOG_LEVEL: "256"
@@ -14,7 +14,7 @@ services:
       #LDAP_READONLY_USER_USERNAME: "readonly"
       #LDAP_READONLY_USER_USERNAME: "readonly"
       #LDAP_READONLY_USER_PASSWORD: "readonly"
       #LDAP_READONLY_USER_PASSWORD: "readonly"
       LDAP_RFC2307BIS_SCHEMA: "false"
       LDAP_RFC2307BIS_SCHEMA: "false"
-      LDAP_BACKEND: "hdb"
+      LDAP_BACKEND: "mdb"
       LDAP_TLS: "true"
       LDAP_TLS: "true"
       LDAP_TLS_CRT_FILENAME: "ldap.crt"
       LDAP_TLS_CRT_FILENAME: "ldap.crt"
       LDAP_TLS_KEY_FILENAME: "ldap.key"
       LDAP_TLS_KEY_FILENAME: "ldap.key"

+ 1 - 1
example/extend-osixia-openldap/Dockerfile

@@ -1,4 +1,4 @@
-FROM osixia/openldap:1.1.11
+FROM osixia/openldap:1.2.0
 MAINTAINER Your Name <[email protected]>
 MAINTAINER Your Name <[email protected]>
 
 
 ADD bootstrap /container/service/slapd/assets/config/bootstrap
 ADD bootstrap /container/service/slapd/assets/config/bootstrap

+ 2 - 2
example/kubernetes/simple/ldap-deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
     spec:
       containers:
       containers:
         - name: ldap
         - name: ldap
-          image: osixia/openldap:1.1.11
+          image: osixia/openldap:1.2.0
           volumeMounts:
           volumeMounts:
             - name: ldap-data
             - name: ldap-data
               mountPath: /var/lib/ldap
               mountPath: /var/lib/ldap
@@ -44,7 +44,7 @@ spec:
             - name: LDAP_RFC2307BIS_SCHEMA
             - name: LDAP_RFC2307BIS_SCHEMA
               value: "false"
               value: "false"
             - name: LDAP_BACKEND
             - name: LDAP_BACKEND
-              value: "hdb"
+              value: "mdb"
             - name: LDAP_TLS
             - name: LDAP_TLS
               value: "true"
               value: "true"
             - name: LDAP_TLS_CRT_FILENAME
             - name: LDAP_TLS_CRT_FILENAME

+ 1 - 1
example/kubernetes/using-secrets/environment/my-env.startup.yaml

@@ -21,7 +21,7 @@ LDAP_READONLY_USER_PASSWORD: readonly
 LDAP_RFC2307BIS_SCHEMA: false
 LDAP_RFC2307BIS_SCHEMA: false
 
 
 # Backend
 # Backend
-LDAP_BACKEND: hdb
+LDAP_BACKEND: mdb
 
 
 # Tls
 # Tls
 LDAP_TLS: true
 LDAP_TLS: true

+ 1 - 1
example/kubernetes/using-secrets/ldap-deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
     spec:
       containers:
       containers:
         - name: ldap
         - name: ldap
-          image: osixia/openldap:1.1.11
+          image: osixia/openldap:1.2.0
           args: ["--copy-service"]
           args: ["--copy-service"]
           volumeMounts:
           volumeMounts:
             - name: ldap-data
             - name: ldap-data

+ 3 - 0
image/Dockerfile

@@ -42,3 +42,6 @@ ADD environment /container/environment/99-default
 
 
 # Expose default ldap and ldaps ports
 # Expose default ldap and ldaps ports
 EXPOSE 389 636
 EXPOSE 389 636
+
+# Put ldap config and database dir in a volume to persist data.
+# VOLUME /etc/ldap/slapd.d /var/lib/ldap
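Review bot: the added `VOLUME` line is commented out, so the comment above it ("Put ldap config and database dir in a volume to persist data") describes something the Dockerfile does not do, and the 1.1.3 changelog entry records that VOLUME was deliberately removed (#56). Either drop both lines or reword the comment to say the directive is intentionally left out and why.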

+ 3 - 3
image/environment/default.startup.yaml

@@ -21,7 +21,7 @@ LDAP_READONLY_USER_PASSWORD: readonly
 LDAP_RFC2307BIS_SCHEMA: false
 LDAP_RFC2307BIS_SCHEMA: false
 
 
 # Backend
 # Backend
-LDAP_BACKEND: hdb
+LDAP_BACKEND: mdb
 
 
 # Tls
 # Tls
 LDAP_TLS: true
 LDAP_TLS: true
@@ -41,8 +41,8 @@ LDAP_REPLICATION: false
 # if you want to add replication to an existing ldap
 # if you want to add replication to an existing ldap
 # adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration
 # adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration
 # avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
 # avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
-LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
-LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
+LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials="$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
+LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials="$LDAP_ADMIN_PASSWORD" searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
 LDAP_REPLICATION_HOSTS:
 LDAP_REPLICATION_HOSTS:
   - ldap://ldap.example.org # The order must be the same on all ldap servers
   - ldap://ldap.example.org # The order must be the same on all ldap servers
   - ldap://ldap2.example.org
   - ldap://ldap2.example.org
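Review bot: quoting the `credentials=` value in both `LDAP_REPLICATION_CONFIG_SYNCPROV` and `LDAP_REPLICATION_DB_SYNCPROV` handles passwords containing spaces, but a password containing a double quote or a backslash will still yield a malformed olcSyncrepl value once the variable is substituted; the comment directly above these lines (`# avoid using $LDAP_BASE_DN, ...`) is the right place to state that remaining restriction, or the startup script should escape those characters before substitution.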

+ 21 - 4
image/service/slapd/startup.sh

@@ -72,9 +72,9 @@ if [ ! -e "$FIRST_START_DONE" ]; then
       sed -i "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED}|g" $LDIF_FILE
       sed -i "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED}|g" $LDIF_FILE
     fi
     fi
     if grep -iq changetype $LDIF_FILE ; then
     if grep -iq changetype $LDIF_FILE ; then
-        ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 | log-helper debug || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f $LDIF_FILE 2>&1 | log-helper debug
+        ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 | log-helper debug || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 | log-helper debug
     else
     else
-        ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE |& log-helper debug || ldapadd -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f $LDIF_FILE 2>&1 | log-helper debug
+        ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE |& log-helper debug || ldapadd -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 | log-helper debug
     fi
     fi
   }
   }
 
 
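Review bot: quoting `-w "$LDAP_ADMIN_PASSWORD"` fixes passwords with spaces, but the `||` fallback on both lines tests the exit status of `log-helper debug` (the last command of the pipeline), not of ldapmodify/ldapadd, so unless `set -o pipefail` is active earlier in the script the fallback bind as cn=admin never runs when the EXTERNAL bind fails; capture the ldapmodify/ldapadd status separately before deciding to fall back. Two smaller points on the same lines: the ldapadd branch uses the bash-only `|&` while the ldapmodify branch uses `2>&1 |`, and passing the admin password through `-w` places it in the process argument list, readable by any process in the container for the duration of the call; `-y` with a temporary password file avoids that.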
@@ -143,6 +143,23 @@ EOF
   elif [ ! -z "$(ls -A -I lost+found -I .rmtab /var/lib/ldap)" ] && [ -z "$(ls -A -I lost+found -I .rmtab /etc/ldap/slapd.d)" ]; then
   elif [ ! -z "$(ls -A -I lost+found -I .rmtab /var/lib/ldap)" ] && [ -z "$(ls -A -I lost+found -I .rmtab /etc/ldap/slapd.d)" ]; then
     log-helper error "Error: the config directory (/etc/ldap/slapd.d) is empty but not the database directory (/var/lib/ldap)"
     log-helper error "Error: the config directory (/etc/ldap/slapd.d) is empty but not the database directory (/var/lib/ldap)"
     exit 1
     exit 1
+
+  #
+  # We have a database and config directory
+  #
+  else
+
+    # try to detect if ldap backend is hdb but LDAP_BACKEND environment variable is mdb
+    # due to default switch from hdb to mdb in 1.2.x
+    if [ "${LDAP_BACKEND}" = "mdb" ]; then
+      if [ -e "/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif" ]; then
+        log-helper warning -e "\n\n\nWarning: LDAP_BACKEND environment variable is set to mdb but hdb backend is detected."
+        log-helper warning "Going to use hdb as LDAP_BACKEND. Set LDAP_BACKEND=hdb to discard this message."
+        log-helper warning -e "https://github.com/osixia/docker-openldap#set-your-own-environment-variables\n\n\n"
+        LDAP_BACKEND="hdb"
+      fi
+    fi
+
   fi
   fi
 
 
   if [ "${KEEP_EXISTING_CONFIG,,}" == "true" ]; then
   if [ "${KEEP_EXISTING_CONFIG,,}" == "true" ]; then
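Review bot: the detection only checks `olcDatabase={1}hdb.ldif`, so an existing hdb database configured at a different index (for example `{2}hdb`) would not be recognised and the container would proceed as mdb against an hdb volume; a glob such as `/etc/ldap/slapd.d/cn=config/olcDatabase={*}hdb.ldif` (tested with `compgen -G` or `ls`) would cover every index. The opposite mismatch, `LDAP_BACKEND=hdb` on a volume that holds an `olcDatabase={N}mdb.ldif`, is not handled either and deserves at least the same warning.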
@@ -214,7 +231,7 @@ EOF
 
 
       # convert schemas to ldif
       # convert schemas to ldif
       SCHEMAS=""
       SCHEMAS=""
-      for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema -name \*.schema -type f); do
+      for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema -name \*.schema -type f|sort); do
         SCHEMAS="$SCHEMAS ${f}"
         SCHEMAS="$SCHEMAS ${f}"
       done
       done
       ${CONTAINER_SERVICE_DIR}/slapd/assets/schema-to-ldif.sh "$SCHEMAS"
       ${CONTAINER_SERVICE_DIR}/slapd/assets/schema-to-ldif.sh "$SCHEMAS"
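Review bot: piping `find` through `sort` makes the schema order stable within one image, but the order still depends on the locale unless it is pinned with `LC_ALL=C sort`; since this ordering is what keeps the generated schema numbering consistent across builds, pin it. Also, `for f in $(find ...)` word-splits on whitespace, so the loop still breaks on a schema path containing spaces; `find ... -print0 | LC_ALL=C sort -z` read with `while IFS= read -r -d '' f` over a process substitution would be robust.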
@@ -233,7 +250,7 @@ EOF
       done
       done
 
 
       # set config password
       # set config password
-      LDAP_CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_CONFIG_PASSWORD)
+      LDAP_CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s "$LDAP_CONFIG_PASSWORD")
       sed -i "s|{{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}|${LDAP_CONFIG_PASSWORD_ENCRYPTED}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/01-config-password.ldif
       sed -i "s|{{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}|${LDAP_CONFIG_PASSWORD_ENCRYPTED}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/01-config-password.ldif
 
 
       # adapt security config file
       # adapt security config file
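Review bot: quoting `-s "$LDAP_CONFIG_PASSWORD"` fixes the whitespace case, but `slappasswd -s` still receives the cleartext config password as a command-line argument, visible to any process in the container via `ps` or `/proc` while it runs; `slappasswd -T <file>` reading the secret from a temporary file or a process substitution keeps it out of argv.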

+ 2 - 2
test/test.bats

@@ -41,9 +41,9 @@ load test_helper
 
 
 }
 }
 
 
-@test "ldapsearch existing database and config" {
+@test "ldapsearch existing hdb database and config" {
 
 
-  run_image -h ldap.example.org -e LDAP_TLS=false -v $BATS_TEST_DIRNAME/database:/container/test/database -v $BATS_TEST_DIRNAME/config:/container/test/config
+  run_image -h ldap.example.org -e LDAP_TLS=false -e LDAP_BACKEND=hdb -v $BATS_TEST_DIRNAME/database:/container/test/database -v $BATS_TEST_DIRNAME/config:/container/test/config
   wait_process slapd
   wait_process slapd
   run docker exec $CONTAINER_ID ldapsearch -x -h ldap.example.org -b dc=osixia,dc=net -D "cn=admin,dc=osixia,dc=net" -w admin
   run docker exec $CONTAINER_ID ldapsearch -x -h ldap.example.org -b dc=osixia,dc=net -D "cn=admin,dc=osixia,dc=net" -w admin
   clear_container
   clear_container
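Review bot: renaming this test and passing `-e LDAP_BACKEND=hdb` makes the existing-database case explicit, but it also means the new fallback in startup.sh (`LDAP_BACKEND` left at the mdb default while an hdb config is on disk) is no longer exercised by any test; suggest keeping a second variant of this test without `-e LDAP_BACKEND=hdb` that asserts the ldapsearch still succeeds and the warning is logged, plus a fresh-start test that verifies an mdb database is created under the new default.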