Bertrand Gouny 9 年之前
父節點
當前提交
e9672ec61c

+ 1 - 1
CHANGELOG.md

@@ -2,7 +2,7 @@
 
 ## 1.1.0
 Update to light-baseimage:0.2.1 :
-  - Use *.yaml.startup environment files to keep configuration secrets
+  - Use \*.yaml.startup environment files to keep configuration secrets
   - Use cfssl tool to generate tls certs
   - Use log-helper to write leveled log messages
   - Allow copy of /container/service and mounted files to /container/run/service dir usefull for write only filesystems and avoid file permissions problems

+ 6 - 1
README.md

@@ -195,6 +195,10 @@ Example command to run the container in `debug` mode:
 
 	docker run --detach osixia/openldap:1.1.0 --loglevel debug
 
+See all command line options:
+
+	docker run --detach osixia/openldap:1.1.0 --help
+
 
 ## Environment Variables
 Environment variables defaults are set in **image/environment/default.yaml** and **image/environment/default.yaml.startup**.
@@ -229,6 +233,7 @@ TLS options:
 - **LDAP_TLS_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
 - **LDAP_TLS_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
 - **LDAP_TLS_CA_CRT_FILENAME**: Ldap ssl CA certificate  filename. Defaults to `ca.crt`
+- **LDAP_TLS_ENFORCE**: Enforce TLS. Defaults to `false`
 - **LDAP_TLS_CIPHER_SUITE**: TLS cipher suite. Defaults to `SECURE256:-VERS-SSL3.0`
 - **LDAP_TLS_PROTOCOL_MIN**: TLS min protocol. Defaults to `3.1`
 - **LDAP_TLS_VERIFY_CLIENT**: TLS verify client. Defaults to `demand`
@@ -275,7 +280,7 @@ he will be able to read the admin password in clear text from environment variab
 	--volume /data/my-env.yaml.startup:/container/environment/01-custom/env.yaml.startup \
 	--detach osixia/openldap:1.1.0
 
-Note: the container will try to delete the **\*.yaml.startup** file after the end of startup files so the file will also be deleted on the docker host. Use --volume /data/my-env.yaml.startup:/container/environment/01-custom/env.yaml.startup**:ro** to prevent that or set all variables in **\*.yaml** file and don't mount **\*.yaml.startup**.
+Note: the container will try to delete the **\*.yaml.startup** file after the end of startup files so the file will also be deleted on the docker host. To prevent that : use --volume /data/my-env.yaml.startup:/container/environment/01-custom/env.yaml.startup**:ro** or set all variables in **\*.yaml** file and don't mount **\*.yaml.startup**.
 
 #### Make your own image or extend this image
 

+ 5 - 4
example/extend-osixia-openldap/environment/my-env.yaml.startup

@@ -1,9 +1,9 @@
 # This is the default image startup configuration file
-# this file define environment variables used during the container **first start** in **startup scripts**.
+# this file define environment variables used during the container **first start** in **startup files**.
 
-# This file is deleted right after startup scripts are processed for the first time,
-# after that all theses values will not be available in the container environment.
-# That helps to keep your container configuration secret.
+# This file is deleted right after startup files are processed for the first time,
+# after that all these values will not be available in the container environment.
+# This helps to keep your container configuration secret.
 # more information : https://github.com/osixia/docker-light-baseimage
 
 # Required and used for new ldap server only
@@ -22,6 +22,7 @@ LDAP_TLS_CRT_FILENAME: cert.crt
 LDAP_TLS_KEY_FILENAME: cert.key
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
+LDAP_TLS_ENFORCE: false
 LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
 LDAP_TLS_PROTOCOL_MIN: 3.1
 LDAP_TLS_VERIFY_CLIENT: never

+ 5 - 4
image/environment/default.yaml.startup

@@ -1,9 +1,9 @@
 # This is the default image startup configuration file
-# this file define environment variables used during the container **first start** in **startup scripts**.
+# this file define environment variables used during the container **first start** in **startup files**.
 
-# This file is deleted right after startup scripts are processed for the first time,
-# after that all theses values will not be available in the container environment.
-# That helps to keep your container configuration secret.
+# This file is deleted right after startup files are processed for the first time,
+# after that all these values will not be available in the container environment.
+# This helps to keep your container configuration secret.
 # more information : https://github.com/osixia/docker-light-baseimage
 
 # Required and used for new ldap server only
@@ -22,6 +22,7 @@ LDAP_TLS_CRT_FILENAME: ldap.crt
 LDAP_TLS_KEY_FILENAME: ldap.key
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
+LDAP_TLS_ENFORCE: false
 LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
 LDAP_TLS_PROTOCOL_MIN: 3.1
 LDAP_TLS_VERIFY_CLIENT: demand
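Review bot: `LDAP_TLS_ENFORCE: false` ships the image with TLS optional, so even when certificates are configured a client can still bind in cleartext on the plain ldap:// listener and send the admin password unencrypted, and the file says nothing about that trade-off. The knob maps to `olcSecurity: tls=1` (see the new tls-enforce-enable.ldif in this commit), which makes slapd reject operations that are not protected by TLS. A one-line comment next to the setting would let operators choose deliberately: `# false keeps cleartext ldap:// binds allowed; set true to require TLS for every operation (olcSecurity tls=1)`.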

+ 4 - 0
image/service/slapd/assets/config/tls/tls-enforce-disable.ldif

@@ -0,0 +1,4 @@
+dn: cn=config
+changetype:  modify
+delete: olcSecurity
+olcSecurity: tls=1

+ 4 - 0
image/service/slapd/assets/config/tls/tls-enforce-enable.ldif

@@ -0,0 +1,4 @@
+dn: cn=config
+changetype:  modify
+add: olcSecurity
+olcSecurity: tls=1
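Review bot: `add: olcSecurity` is not idempotent: if `cn=config` already carries `olcSecurity: tls=1` (for example a persisted `/etc/ldap/slapd.d` whose first-start marker was lost), ldapmodify answers attributeOrValueExists and the whole modify is rejected. Whether that can occur depends on how startup.sh guards the call, which is outside this file, and switching to `replace:` would silently drop any other olcSecurity values, so the safer move is to state the assumption in the file itself. Suggested header comment: `# Applied once on first start only: 'add' fails if olcSecurity already contains tls=1`.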

+ 13 - 2
image/service/slapd/startup.sh

@@ -15,7 +15,7 @@ chown -R openldap:openldap /var/lib/ldap
 chown -R openldap:openldap /etc/ldap
 chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
 
-FIRST_START_DONE="${CONTAINER_STATE_DIR}/slapd-first-start-setup-done"
+FIRST_START_DONE="${CONTAINER_STATE_DIR}/slapd-first-start-done"
 WAS_STARTED_WITH_TLS="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls"
 WAS_STARTED_WITH_REPLICATION="/etc/ldap/slapd.d/docker-openldap-was-started-with-replication"
 
@@ -258,6 +258,17 @@ EOF
     echo "TLS_CERT ${LDAP_TLS_CRT_PATH}" >> $HOME/.ldaprc
     echo "TLS_KEY ${LDAP_TLS_KEY_PATH}" >> $HOME/.ldaprc
 
+    # enforce TLS
+    if [ "${LDAP_TLS_ENFORCE,,}" == "true" ]; then
+      log-helper info "Add enforce TLS..."
+      ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enforce-enable.ldif 2>&1 | log-helper debug
+
+    # disable tls enforcing
+    else
+      log-helper info "Disable enforce TLS..."
+      ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enforce-disable.ldif 2>&1 | log-helper debug || true
+    fi
+
   else
     log-helper info "Disable TLS config..."
 
@@ -333,7 +344,7 @@ EOF
   #
   # setup done :)
   #
-  log-helper info "First start setup is done :)"
+  log-helper info "First start is done..."
   touch $FIRST_START_DONE
 fi
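Review bot: In the new enforce-TLS branch the exit status of `ldapmodify` is swallowed by the pipe into `log-helper debug`, so a rejected modify (bad LDIF, ldapi socket not ready, attributeOrValueExists) is only visible at debug level and startup continues with cleartext binds still allowed — the security control fails open. The disable branch explicitly adds `|| true` so that is clearly tolerated, but the enable branch should check `${PIPESTATUS[0]}` and abort (or at least log at error level) when enforcement was requested and not applied. The enclosing TLS `if` block starts before this hunk, so the exact guard around this code is not visible here. The rewritten branch below keeps the log pipe and adds the status check.

```shell
    # enforce TLS
    if [ "${LDAP_TLS_ENFORCE,,}" == "true" ]; then
      log-helper info "Add enforce TLS..."
      ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f "${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enforce-enable.ldif" 2>&1 | log-helper debug
      # the pipe hides ldapmodify's status; a failure here would leave cleartext binds allowed
      if [ "${PIPESTATUS[0]}" -ne 0 ]; then
        log-helper error "Failed to enforce TLS (olcSecurity: tls=1), aborting startup"
        exit 1
      fi

    # disable tls enforcing
    else
      # … unchanged: disable branch …
```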
 

+ 1 - 1
test/test_helper.bash

@@ -91,7 +91,7 @@ wait_service_by_cid() {
   cid=$1
 
   # first wait image init end
-  while ! is_file_exists_by_cid $cid /container/run/state/start-done
+  while ! is_file_exists_by_cid $cid /container/run/state/startup-done
   do
     sleep 0.5
   done