
Merge branch 'anagno-stable' into hotfix-1.2.5

Bertrand Gouny 6 年之前
父节点
当前提交
fafaf25330
共有 3 个文件被更改,包括 56 次插入0 次删除
  1. 12 0
      README.md
  2. 29 0
      image/service/slapd/startup.sh
  3. 15 0
      test/test.bats

+ 12 - 0
README.md

@@ -35,6 +35,7 @@ Latest release: 1.2.5-dev - OpenLDAP 2.4.47 -  [Changelog](CHANGELOG.md) | [Dock
 		- [Set your own environment variables](#set-your-own-environment-variables)
 			- [Use command line argument](#use-command-line-argument)
 			- [Link environment file](#link-environment-file)
+			- [Docker Secrets](#docker-secrets)
 			- [Make your own image or extend this image](#make-your-own-image-or-extend-this-image)
 	- [Advanced User Guide](#advanced-user-guide)
 		- [Extend osixia/openldap:1.2.5-dev image](#extend-osixiaopenldap125-dev-image)
@@ -366,6 +367,17 @@ Note: the container will try to delete the **\*.startup.yaml** file after the en
 	docker run --volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \
 	--detach osixia/openldap:1.2.5-dev
 
+#### Docker Secrets
+
+As an alternative to passing sensitive information via environmental variables, _FILE may be appended to the listed variables, causing 
+the startup.sh script to load the values for those values from files presented in the container. This is particular usefull for loading
+passwords using the [Docker secrets](https://docs.docker.com/engine/swarm/secrets/) mechanism. For example:
+
+	docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \
+	--env LDAP_ADMIN_PASSWORD_FILE=/run/secrets/authentication_admin_pw --detach osixia/openldap:1.2.4
+
+Currently this is only supported for LDAP_ADMIN_PASSWORD, LDAP_CONFIG_PASSWORD, LDAP_READONLY_USER_PASSWORD
+
 #### Make your own image or extend this image
 
 This is the best solution if you have a private registry. Please refer to the [Advanced User Guide](#advanced-user-guide) just below.

+ 29 - 0
image/service/slapd/startup.sh

@@ -10,6 +10,34 @@ log-helper level eq trace && set -x
 # see https://github.com/docker/docker/issues/8231
 ulimit -n $LDAP_NOFILE
 
+
+# usage: file_env VAR
+#    ie: file_env 'XYZ_DB_PASSWORD' 
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+
+  # The variables are already defined from the docker-light-baseimage
+  # So if the _FILE variable is available we ovewrite them
+	if [ "${!fileVar:-}" ]; then
+    log-helper trace "${fileVar} was defined"
+
+		val="$(< "${!fileVar}")"
+    log-helper debug "${var} was repalced with the contents of ${fileVar} (the value was: ${val})"
+
+    export "$var"="$val"
+	fi
+	
+	unset "$fileVar"
+}
+
+
+file_env 'LDAP_ADMIN_PASSWORD'
+file_env 'LDAP_CONFIG_PASSWORD'
+file_env 'LDAP_READONLY_USER_PASSWORD'
+
 # create dir if they not already exists
 [ -d /var/lib/ldap ] || mkdir -p /var/lib/ldap
 [ -d /etc/ldap/slapd.d ] || mkdir -p /etc/ldap/slapd.d
@@ -65,6 +93,7 @@ if [ ! -e "$FIRST_START_DONE" ]; then
 
   function ldap_add_or_modify (){
     local LDIF_FILE=$1
+
     log-helper debug "Processing file ${LDIF_FILE}"
     sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" $LDIF_FILE
     sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" $LDIF_FILE
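Review bot: The `log-helper debug` line inside `file_env` (first hunk) writes the secret itself into the log (`the value was: ${val}`), which undoes the point of loading the password from a Docker secret file; drop the value from the message: `log-helper debug "${var} was replaced with the contents of ${fileVar}"`. `val` is also not declared `local`, so the password lingers in a global shell variable after the function returns — add `local val` next to `fileVar`. Nothing verifies that the path in `${!fileVar}` exists and is readable: an unreadable file makes `$(< …)` print an error and the function then exports an empty string as the password, so guard it first with `[ -r "${!fileVar}" ] || { log-helper error "${fileVar}=${!fileVar} is not readable"; exit 1; }`. The hunk header shows `set -x` being switched on at trace level, which presumably would echo the expanded value on the `val=` line as well, so the secret should not be read while tracing is active. Indentation in the function mixes tabs and spaces; the rest of the hunk uses spaces.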

+ 15 - 0
test/test.bats

@@ -38,6 +38,21 @@ load test_helper
 
 }
 
+@test "ldapsearch database with password provided from file" {
+
+  rm $PWD/password.txt && touch $PWD/password.txt 
+  echo "strongPassword" >> $PWD/password.txt
+
+  run_image -h ldap.osixia.net -e LDAP_ADMIN_PASSWORD_FILE=/run/secrets/admin_pw.txt --volume $PWD/password.txt:/run/secrets/admin_pw.txt
+  wait_process slapd
+  run docker exec $CONTAINER_ID ldapsearch -x -h ldap.osixia.net -b dc=example,dc=org -ZZ -D "cn=admin,dc=example,dc=org" -w strongPassword
+  clear_container
+  rm $PWD/password.txt
+
+  [ "$status" -eq 0 ]
+}
+
+
 @test "ldapsearch new database with strict TLS" {
 
   run_image -h ldap.example.org
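Review bot: `rm $PWD/password.txt && touch $PWD/password.txt` at the top of the new test fails on the first run, when the file does not exist yet, and the `&&` then silently skips the `touch`; `rm -f -- "$PWD/password.txt"` is the intended reset, and `$PWD` should be quoted in all four places it is expanded. The trailing `rm $PWD/password.txt` only runs if every line before it succeeds, so a failed `wait_process` presumably leaves the password file behind in the test directory for the next run; creating it with `mktemp` under a temporary directory would avoid a fixed, world-readable file name. The case only covers the happy path; a companion test where `LDAP_ADMIN_PASSWORD_FILE` names a missing file would pin down what startup.sh does with an unreadable secret.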