Acasă Explorează Ajutor
Înregistrare Autentificare
Apq
/
docker-openldap
oglindă de https://github.com/osixia/docker-openldap.git
1
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Arbore: 2f574a7da1
Ramuri Etichete
docker-openldap
/
image
/
service
/
slapd
/
container-start.sh

container-start.sh 6.4 KB
Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205 
  1. #!/bin/bash -e
    2. 

  2. 

  3. FIRST_START_DONE="/etc/docker-openldap-first-start-done"
    4. 

  4. WAS_STARTED_WITH_TLS="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls"
    5. 

  5. 

  6. # Reduce maximum number of number of open file descriptors to 1024
    7. 

  7. # otherwise slapd consumes two orders of magnitude more of RAM
    8. 

  8. # see https://github.com/docker/docker/issues/8231
    9. 

  9. ulimit -n 1024
    10. 

  10. 

  11. #fix file permissions
    12. 

  12. chown -R openldap:openldap /var/lib/ldap
    13. 

  13. chown -R openldap:openldap /etc/ldap
    14. 

  14. chown -R openldap:openldap /osixia/slapd
    15. 

  15. 

  16. # container first start
    17. 

  17. if [ ! -e "$FIRST_START_DONE" ]; then
    18. 

  18. 

  19.   function get_base_dn() {
    20. 

  20.     BASE_DN=""
    21. 

  21.     IFS='.' read -ra BASE_DN_TABLE <<< "$LDAP_DOMAIN"
    22. 

  22.     for i in "${BASE_DN_TABLE[@]}"; do
    23. 

  23.       EXT="dc=$i,"
    24. 

  24.       BASE_DN=$BASE_DN$EXT
    25. 

  25.     done
    26. 

  26. 

  27.     BASE_DN=${BASE_DN::-1}
    28. 

  28.   }
    29. 

  29. 

  30.   function is_new_schema() {
    31. 

  31.     local COUNT=$(ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config cn | grep -c $1)
    32. 

  32.     if [ "$COUNT" -eq 0 ]; then
    33. 

  33.       echo 1
    34. 

  34.     else
    35. 

  35.       echo 0
    36. 

  36.     fi
    37. 

  37.   }
    38. 

  38. 

  39.   function check_tls_files() {
    40. 

  40. 

  41.     local CA_CRT=$1
    42. 

  42.     local LDAP_CRT=$2
    43. 

  43.     local LDAP_KEY=$3
    44. 

  44. 

  45.     # check certificat and key or create it
    46. 

  46.     /sbin/ssl-kit "/osixia/slapd/ssl/$LDAP_CRT" "/osixia/slapd/ssl/$LDAP_KEY" --ca-crt=/osixia/slapd/ssl/$CA_CRT --gnutls
    47. 

  47. 

  48.     # create DHParamFile if not found
    49. 

  49.     [ -f /osixia/slapd/ssl/dhparam.pem ] || openssl dhparam -out /osixia/slapd/ssl/dhparam.pem 2048
    50. 

  50. 

  51.     # fix file permissions
    52. 

  52.     chown -R openldap:openldap /osixia/slapd
    53. 

  53.   }
    54. 

  54. 

  55. 

  56.   BOOTSTRAP=false
    57. 

  57. 

  58.   # database and config directory are empty -> set bootstrap config
    59. 

  59.   if [ -z "$(ls -A /var/lib/ldap)" ] && [ -z "$(ls -A /etc/ldap/slapd.d)" ]; then
    60. 

  60. 

  61.     BOOTSTRAP=true
    62. 

  62.     echo "database and config directory are empty"
    63. 

  63.     echo "-> set bootstrap config"
    64. 

  64. 

  65.     cat <<EOF | debconf-set-selections
    66. 

  66. slapd slapd/internal/generated_adminpw password ${LDAP_ADMIN_PASSWORD}
    67. 

  67. slapd slapd/internal/adminpw password ${LDAP_ADMIN_PASSWORD}
    68. 

  68. slapd slapd/password2 password ${LDAP_ADMIN_PASSWORD}
    69. 

  69. slapd slapd/password1 password ${LDAP_ADMIN_PASSWORD}
    70. 

  70. slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
    71. 

  71. slapd slapd/domain string ${LDAP_DOMAIN}
    72. 

  72. slapd shared/organization string ${LDAP_ORGANISATION}
    73. 

  73. slapd slapd/backend string HDB
    74. 

  74. slapd slapd/purge_database boolean true
    75. 

  75. slapd slapd/move_old_database boolean true
    76. 

  76. slapd slapd/allow_ldap_v2 boolean false
    77. 

  77. slapd slapd/no_configuration boolean false
    78. 

  78. slapd slapd/dump_database select when needed
    79. 

  79. EOF
    80. 

  80. 

  81.     dpkg-reconfigure -f noninteractive slapd
    82. 

  82. 

  83.   elif [ -z "$(ls -A /var/lib/ldap)" ] && [ ! -z "$(ls -A /etc/ldap/slapd.d)" ]; then
    84. 

  84.     echo "Error: the database directory (/var/lib/ldap) is empty but not the config directory (/etc/ldap/slapd.d)"
    85. 

  85.     exit 1
    86. 

  86.   elif [ ! -z "$(ls -A /var/lib/ldap)" ] && [ -z "$(ls -A /etc/ldap/slapd.d)" ]; then
    87. 

  87.     echo "the config directory (/etc/ldap/slapd.d) is empty but not the database directory (/var/lib/ldap)"
    88. 

  88.     exit 1
    89. 

  89. 

  90.   else
    91. 

  91.     # there is an existing database and config
    92. 

  92. 

  93.     # if the config was bootstraped with TLS
    94. 

  94.     # to avoid error (#6) we check tls files
    95. 

  95.     if [ -e "$WAS_STARTED_WITH_TLS" ]; then
    96. 

  96. 

  97.       . $WAS_STARTED_WITH_TLS
    98. 

  98. 

  99.       check_tls_files $PREVIOUS_SSL_CA_CRT_FILENAME $PREVIOUS_SSL_CRT_FILENAME $PREVIOUS_SSL_KEY_FILENAME
    100. 

  100.     fi
    101. 

  101.   fi
    102. 

  102. 

  103.   # start OpenLDAP
    104. 

  104.   echo "Starting openldap..."
    105. 

  105.   slapd -h "ldapi:///" -u openldap -g openldap
    106. 

  106.   echo "ok"
    107. 

  107. 

  108.   # set bootstrap config part 2
    109. 

  109.   if $BOOTSTRAP; then
    110. 

  110. 

  111.     # add ppolicy schema if not already exists
    112. 

  112.     ADD_PPOLICY=$(is_new_schema ppolicy)
    113. 

  113.     if [ "$ADD_PPOLICY" -eq 1 ]; then
    114. 

  114.       ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
    115. 

  115.     fi
    116. 

  116. 

  117.     # convert schemas to ldif
    118. 

  118.     SCHEMAS=""
    119. 

  119.     for f in $(find /osixia/slapd/config/bootstrap/schema -name \*.schema -type f); do
    120. 

  120.       SCHEMAS="$SCHEMAS ${f}"
    121. 

  121.     done
    122. 

  122.     /osixia/slapd/schema-to-ldif.sh "$SCHEMAS"
    123. 

  123. 

  124.     # add schemas
    125. 

  125.     for f in $(find /osixia/slapd/config/bootstrap/schema -name \*.ldif -type f); do
    126. 

  126.       echo "Processing file ${f}"
    127. 

  127.       # add schema if not already exists
    128. 

  128.       SCHEMA=$(basename "${f}" .ldif)
    129. 

  129.       ADD_SCHEMA=$(is_new_schema $SCHEMA)
    130. 

  130.       if [ "$ADD_SCHEMA" -eq 1 ]; then
    131. 

  131.         echo "add schema ${SCHEMA}"
    132. 

  132.         ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f $f
    133. 

  133.       else
    134. 

  134.         echo "schema ${f} already exists"
    135. 

  135.       fi
    136. 

  136.     done
    137. 

  137. 

  138.     # adapt security config file
    139. 

  139.     get_base_dn
    140. 

  140.     sed -i "s|dc=example,dc=org|$BASE_DN|g" /osixia/slapd/config/bootstrap/security.ldif
    141. 

  141. 

  142.     # process config files
    143. 

  143.     for f in $(find /osixia/slapd/config/bootstrap -name \*.ldif -type f); do
    144. 

  144.       echo "Processing file ${f}"
    145. 

  145.       ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $f
    146. 

  146.     done
    147. 

  147. 

  148.   fi
    149. 

  149. 

  150.   # TLS config
    151. 

  151.   if [ "${USE_TLS,,}" == "true" ]; then
    152. 

  152. 

  153.     check_tls_files $SSL_CA_CRT_FILENAME $SSL_CRT_FILENAME $SSL_KEY_FILENAME
    154. 

  154. 

  155.     # adapt tls ldif
    156. 

  156.     sed -i "s,/osixia/slapd/ssl/ca.crt,/osixia/slapd/ssl/${SSL_CA_CRT_FILENAME},g" /osixia/slapd/config/tls/tls-enable.ldif
    157. 

  157.     sed -i "s,/osixia/slapd/ssl/ldap.crt,/osixia/slapd/ssl/${SSL_CRT_FILENAME},g" /osixia/slapd/config/tls/tls-enable.ldif
    158. 

  158.     sed -i "s,/osixia/slapd/ssl/ldap.key,/osixia/slapd/ssl/${SSL_KEY_FILENAME},g" /osixia/slapd/config/tls/tls-enable.ldif
    159. 

  159. 

  160.     ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /osixia/slapd/config/tls/tls-enable.ldif
    161. 

  161. 

  162.     [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
    163. 

  163.     touch $WAS_STARTED_WITH_TLS
    164. 

  164.     echo "export PREVIOUS_SSL_CA_CRT_FILENAME=${SSL_CA_CRT_FILENAME}" >> $WAS_STARTED_WITH_TLS
    165. 

  165.     echo "export PREVIOUS_SSL_CRT_FILENAME=${SSL_CRT_FILENAME}" >> $WAS_STARTED_WITH_TLS
    166. 

  166.     echo "export PREVIOUS_SSL_KEY_FILENAME=${SSL_KEY_FILENAME}" >> $WAS_STARTED_WITH_TLS
    167. 

  167.     chmod +x $WAS_STARTED_WITH_TLS
    168. 

  168. 

  169.     # add localhost route to certificate cn (need docker 1.5.0)
    170. 

  170.     cn=$(openssl x509 -in /osixia/slapd/ssl/$SSL_CRT_FILENAME -subject -noout | sed -n 's/.*CN=\(.*\)\/*\(.*\)/\1/p')
    171. 

  171.     echo "127.0.0.1 $cn" >> /etc/hosts
    172. 

  172. 

  173.     # local ldap tls client config
    174. 

  174.     sed -i "s,TLS_CACERT.*,TLS_CACERT /osixia/slapd/ssl/${SSL_CA_CRT_FILENAME},g" /etc/ldap/ldap.conf
    175. 

  175. 

  176.   else
    177. 

  177. 

  178.     [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
    179. 

  179.     ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /osixia/slapd/config/tls/tls-disable.ldif || true
    180. 

  180. 

  181.   fi
    182. 

  182. 

  183. 

  184.   # replication config
    185. 

  185.   if [ "${USE_REPLICATION,,}" == "true" ]; then
    186. 

  186. 

  187. 

  188.   else
    189. 

  189. 

  190.     # disable replication
    191. 

  191.     for f in $(find /osixia/slapd/config/replication -name \*-disable.ldif -type f); do
    192. 

  192.       echo "Processing file ${f}"
    193. 

  193.       ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $f
    194. 

  194.     done
    195. 

  195. 

  196.   fi
    197. 

  197. 

  198. 

  199.   # stop OpenLDAP
    200. 

  200.   kill -INT `cat /run/slapd/slapd.pid`
    201. 

  201. 

  202.   touch $FIRST_START_DONE
    203. 

  203. fi
    204. 

  204. 

  205. exit 0
    206.