Home Explore Help
Register Sign In
Apq
/
docker-openldap
mirror of https://github.com/osixia/docker-openldap.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: a8dc78c5f4
Branches Tags
docker-openldap
/
image
/
service
/
slapd
/
container-start.sh

container-start.sh 12 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292 
  1. #!/bin/bash -e
    2. 

  2. 

  3. FIRST_START_DONE="/etc/docker-openldap-first-start-done"
    4. 

  4. WAS_STARTED_WITH_TLS="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls"
    5. 

  5. WAS_STARTED_WITH_REPLICATION="/etc/ldap/slapd.d/docker-openldap-was-started-with-replication"
    6. 

  6. 

  7. # Reduce maximum number of number of open file descriptors to 1024
    8. 

  8. # otherwise slapd consumes two orders of magnitude more of RAM
    9. 

  9. # see https://github.com/docker/docker/issues/8231
    10. 

  10. ulimit -n 1024
    11. 

  11. 

  12. # fix file permissions
    13. 

  13. chown -R openldap:openldap /var/lib/ldap
    14. 

  14. chown -R openldap:openldap /etc/ldap
    15. 

  15. chown -R openldap:openldap /container/service/slapd
    16. 

  16. 

  17. # container first start
    18. 

  18. if [ ! -e "$FIRST_START_DONE" ]; then
    19. 

  19. 

  20.   function get_ldap_base_dn() {
    21. 

  21.     LDAP_BASE_DN=""
    22. 

  22.     IFS='.' read -ra LDAP_BASE_DN_TABLE <<< "$LDAP_DOMAIN"
    23. 

  23.     for i in "${LDAP_BASE_DN_TABLE[@]}"; do
    24. 

  24.       EXT="dc=$i,"
    25. 

  25.       LDAP_BASE_DN=$LDAP_BASE_DN$EXT
    26. 

  26.     done
    27. 

  27. 

  28.     LDAP_BASE_DN=${LDAP_BASE_DN::-1}
    29. 

  29.   }
    30. 

  30. 

  31.   function is_new_schema() {
    32. 

  32.     local COUNT=$(ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config cn | grep -c $1)
    33. 

  33.     if [ "$COUNT" -eq 0 ]; then
    34. 

  34.       echo 1
    35. 

  35.     else
    36. 

  36.       echo 0
    37. 

  37.     fi
    38. 

  38.   }
    39. 

  39. 

  40.   function check_tls_files() {
    41. 

  41. 

  42.     local CA_CRT=$1
    43. 

  43.     local LDAP_CRT=$2
    44. 

  44.     local LDAP_KEY=$3
    45. 

  45. 

  46.     # check certificat and key or create it
    47. 

  47.     /sbin/ssl-helper "/container/service/slapd/assets/certs/$LDAP_CRT" "/container/service/slapd/assets/certs/$LDAP_KEY" --ca-crt=/container/service/slapd/assets/certs/$CA_CRT --gnutls
    48. 

  48. 

  49.     # create DHParamFile if not found
    50. 

  50.     [ -f /container/service/slapd/assets/certs/dhparam.pem ] || certtool --generate-dh-param --sec-param=high --outfile=/container/service/slapd/assets/certs/dhparam.pem
    51. 

  51.     chmod 600 /container/service/slapd/assets/certs/dhparam.pem
    52. 

  52. 

  53.     # fix file permissions
    54. 

  54.     chown -R openldap:openldap /container/service/slapd
    55. 

  55.   }
    56. 

  56. 

  57. 

  58.   BOOTSTRAP=false
    59. 

  59. 

  60.   # database and config directory are empty -> set bootstrap config
    61. 

  61.   if [ -z "$(ls -A /var/lib/ldap)" ] && [ -z "$(ls -A /etc/ldap/slapd.d)" ]; then
    62. 

  62. 

  63.     BOOTSTRAP=true
    64. 

  64.     echo "database and config directory are empty"
    65. 

  65.     echo "-> set bootstrap config"
    66. 

  66. 

  67.     cat <<EOF | debconf-set-selections
    68. 

  68. slapd slapd/internal/generated_adminpw password ${LDAP_ADMIN_PASSWORD}
    69. 

  69. slapd slapd/internal/adminpw password ${LDAP_ADMIN_PASSWORD}
    70. 

  70. slapd slapd/password2 password ${LDAP_ADMIN_PASSWORD}
    71. 

  71. slapd slapd/password1 password ${LDAP_ADMIN_PASSWORD}
    72. 

  72. slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
    73. 

  73. slapd slapd/domain string ${LDAP_DOMAIN}
    74. 

  74. slapd shared/organization string ${LDAP_ORGANISATION}
    75. 

  75. slapd slapd/backend string HDB
    76. 

  76. slapd slapd/purge_database boolean true
    77. 

  77. slapd slapd/move_old_database boolean true
    78. 

  78. slapd slapd/allow_ldap_v2 boolean false
    79. 

  79. slapd slapd/no_configuration boolean false
    80. 

  80. slapd slapd/dump_database select when needed
    81. 

  81. EOF
    82. 

  82. 

  83.     dpkg-reconfigure -f noninteractive slapd
    84. 

  84. 

  85.   elif [ -z "$(ls -A /var/lib/ldap)" ] && [ ! -z "$(ls -A /etc/ldap/slapd.d)" ]; then
    86. 

  86.     echo "Error: the database directory (/var/lib/ldap) is empty but not the config directory (/etc/ldap/slapd.d)"
    87. 

  87.     exit 1
    88. 

  88.   elif [ ! -z "$(ls -A /var/lib/ldap)" ] && [ -z "$(ls -A /etc/ldap/slapd.d)" ]; then
    89. 

  89.     echo "the config directory (/etc/ldap/slapd.d) is empty but not the database directory (/var/lib/ldap)"
    90. 

  90.     exit 1
    91. 

  91. 

  92.   else
    93. 

  93.     # there is an existing database and config
    94. 

  94. 

  95.     # if the config was bootstraped with TLS
    96. 

  96.     # to avoid error (#6) we check tls files
    97. 

  97.     if [ -e "$WAS_STARTED_WITH_TLS" ]; then
    98. 

  98. 

  99.       . $WAS_STARTED_WITH_TLS
    100. 

  100. 

  101.       check_tls_files $PREVIOUS_LDAP_TLS_CA_CRT_FILENAME $PREVIOUS_LDAP_TLS_CRT_FILENAME $PREVIOUS_LDAP_TLS_KEY_FILENAME
    102. 

  102.     fi
    103. 

  103.   fi
    104. 

  104. 

  105.   # start OpenLDAP
    106. 

  106.   echo "Starting openldap..."
    107. 

  107. 

  108.   # start OpenLDAP with previous replication configuration
    109. 

  109.   if [ -e "$WAS_STARTED_WITH_REPLICATION" ]; then
    110. 

  110. 

  111.     . $WAS_STARTED_WITH_REPLICATION
    112. 

  112.     echo "127.0.0.2 $PREVIOUS_HOSTNAME" >> /etc/hosts
    113. 

  113. 

  114.     slapd -h "ldap://$HOSTNAME ldap://$PREVIOUS_HOSTNAME ldap://localhost ldapi:///" -u openldap -g openldap
    115. 

  115.   else
    116. 

  116.     #start openldap normaly
    117. 

  117.     slapd -h "ldap://$HOSTNAME ldap://localhost ldapi:///" -u openldap -g openldap
    118. 

  118.   fi
    119. 

  119. 

  120.   echo "[ok]"
    121. 

  121. 

  122.   # set bootstrap config part 2
    123. 

  123.   if $BOOTSTRAP; then
    124. 

  124. 

  125.     # add ppolicy schema
    126. 

  126.     ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
    127. 

  127. 

  128.     # convert schemas to ldif
    129. 

  129.     SCHEMAS=""
    130. 

  130.     for f in $(find /container/service/slapd/assets/config/bootstrap/schema -name \*.schema -type f); do
    131. 

  131.       SCHEMAS="$SCHEMAS ${f}"
    132. 

  132.     done
    133. 

  133.     /container/service/slapd/assets/schema-to-ldif.sh "$SCHEMAS"
    134. 

  134. 

  135.     # add schemas
    136. 

  136.     for f in $(find /container/service/slapd/assets/config/bootstrap/schema -name \*.ldif -type f); do
    137. 

  137.       echo "Processing file ${f}"
    138. 

  138.       # add schema if not already exists
    139. 

  139.       SCHEMA=$(basename "${f}" .ldif)
    140. 

  140.       ADD_SCHEMA=$(is_new_schema $SCHEMA)
    141. 

  141.       if [ "$ADD_SCHEMA" -eq 1 ]; then
    142. 

  142.         echo "add schema ${SCHEMA}"
    143. 

  143.         ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f $f
    144. 

  144.       else
    145. 

  145.         echo "schema ${f} already exists"
    146. 

  146.       fi
    147. 

  147.     done
    148. 

  148. 

  149.     # set config password
    150. 

  150.     LDAP_CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_CONFIG_PASSWORD)
    151. 

  151.     sed -i "s|{{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}|${LDAP_CONFIG_PASSWORD_ENCRYPTED}|g" /container/service/slapd/assets/config/bootstrap/ldif/01-config-password.ldif
    152. 

  152. 

  153.     # adapt security config file
    154. 

  154.     get_ldap_base_dn
    155. 

  155.     sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
    156. 

  156. 

  157.     # process config files in bootstrap directory (do no process files in subdirectories)
    158. 

  158.     for f in $(find /container/service/slapd/assets/config/bootstrap/ldif  -name \*.ldif -mindepth 1 -maxdepth 1 -type f | sort); do
    159. 

  159.       echo "Processing file ${f}"
    160. 

  160.       ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $f
    161. 

  161.     done
    162. 

  162. 

  163.     # read only user
    164. 

  164.     if [ "${LDAP_READONLY_USER,,}" == "true" ]; then
    165. 

  165. 

  166.       echo "Add read only user"
    167. 

  167. 

  168.       LDAP_READONLY_USER_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_READONLY_USER_PASSWORD)
    169. 

  169.       sed -i "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
    170. 

  170.       sed -i "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
    171. 

  171.       sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
    172. 

  172. 

  173.       sed -i "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
    174. 

  174.       sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
    175. 

  175. 

  176.       echo "Processing file /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif"
    177. 

  177.       ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
    178. 

  178. 

  179.       echo "Processing file /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif"
    180. 

  180.       ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
    181. 

  181. 

  182.     fi
    183. 

  183. 

  184.   fi
    185. 

  185. 

  186.   # tls config
    187. 

  187.   if [ "${LDAP_TLS,,}" == "true" ]; then
    188. 

  188. 

  189.     echo "Use TLS"
    190. 

  190. 

  191.     check_tls_files $LDAP_TLS_CA_CRT_FILENAME $LDAP_TLS_CRT_FILENAME $LDAP_TLS_KEY_FILENAME
    192. 

  192. 

  193.     # adapt tls ldif
    194. 

  194.     sed -i "s|{{ LDAP_TLS_CA_CRT_FILENAME }}|${LDAP_TLS_CA_CRT_FILENAME}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
    195. 

  195.     sed -i "s|{{ LDAP_TLS_CRT_FILENAME }}|${LDAP_TLS_CRT_FILENAME}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
    196. 

  196.     sed -i "s|{{ LDAP_TLS_KEY_FILENAME }}|${LDAP_TLS_KEY_FILENAME}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
    197. 

  197. 

  198.     sed -i "s|{{ LDAP_TLS_CIPHER_SUITE }}|${LDAP_TLS_CIPHER_SUITE}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
    199. 

  199.     sed -i "s|{{ LDAP_TLS_PROTOCOL_MIN }}|${LDAP_TLS_PROTOCOL_MIN}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
    200. 

  200.     sed -i "s|{{ LDAP_TLS_VERIFY_CLIENT }}|${LDAP_TLS_VERIFY_CLIENT}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
    201. 

  201. 

  202.     ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/tls/tls-enable.ldif
    203. 

  203. 

  204.     [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
    205. 

  205.     touch $WAS_STARTED_WITH_TLS
    206. 

  206.     echo "export PREVIOUS_LDAP_TLS_CA_CRT_FILENAME=${LDAP_TLS_CA_CRT_FILENAME}" >> $WAS_STARTED_WITH_TLS
    207. 

  207.     echo "export PREVIOUS_LDAP_TLS_CRT_FILENAME=${LDAP_TLS_CRT_FILENAME}" >> $WAS_STARTED_WITH_TLS
    208. 

  208.     echo "export PREVIOUS_LDAP_TLS_KEY_FILENAME=${LDAP_TLS_KEY_FILENAME}" >> $WAS_STARTED_WITH_TLS
    209. 

  209.     chmod +x $WAS_STARTED_WITH_TLS
    210. 

  210. 

  211.     # ldap client config
    212. 

  212.     sed -i "s,TLS_CACERT.*,TLS_CACERT /container/service/slapd/assets/certs/${LDAP_TLS_CA_CRT_FILENAME},g" /etc/ldap/ldap.conf
    213. 

  213.     echo "TLS_REQCERT demand" >> /etc/ldap/ldap.conf
    214. 

  214. 

  215.     [[ -f "$HOME/.ldaprc" ]] && rm -f $HOME/.ldaprc
    216. 

  216.     touch $HOME/.ldaprc
    217. 

  217.     echo "TLS_CERT /container/service/slapd/assets/certs/${LDAP_TLS_CRT_FILENAME}" >> $HOME/.ldaprc
    218. 

  218.     echo "TLS_KEY /container/service/slapd/assets/certs/${LDAP_TLS_KEY_FILENAME}" >> $HOME/.ldaprc
    219. 

  219. 

  220.   else
    221. 

  221. 

  222.     echo "Don't use TLS"
    223. 

  223. 

  224.     ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/tls/tls-disable.ldif || true
    225. 

  225.     [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
    226. 

  226. 

  227.   fi
    228. 

  228. 

  229. 

  230.   function disableReplication() {
    231. 

  231.     echo "Try to disable replication if needed"
    232. 

  232.     ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/replication/replication-disable.ldif || true
    233. 

  233.     [[ -f "$WAS_STARTED_WITH_REPLICATION" ]] && rm -f "$WAS_STARTED_WITH_REPLICATION"
    234. 

  234.   }
    235. 

  235. 

  236.   # replication config
    237. 

  237.   if [ "${LDAP_REPLICATION,,}" == "true" ]; then
    238. 

  238. 

  239.     echo "Use replication"
    240. 

  240.     disableReplication || true
    241. 

  241. 

  242.     LDAP_REPLICATION_HOSTS=($LDAP_REPLICATION_HOSTS)
    243. 

  243.     i=1
    244. 

  244.     for host in "${LDAP_REPLICATION_HOSTS[@]}"
    245. 

  245.     do
    246. 

  246. 

  247.       # host var contain a variable name, we access to the variable value
    248. 

  248.       host=${!host}
    249. 

  249. 

  250.       sed -i "s|{{ LDAP_REPLICATION_HOSTS }}|olcServerID: $i ${host}\n{{ LDAP_REPLICATION_HOSTS }}|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
    251. 

  251.       sed -i "s|{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|olcSyncRepl: rid=00$i provider=${host} ${LDAP_REPLICATION_CONFIG_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
    252. 

  252.       sed -i "s|{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}|olcSyncRepl: rid=10$i provider=${host} ${LDAP_REPLICATION_HDB_SYNCPROV}\n{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
    253. 

  253. 

  254.       ((i++))
    255. 

  255.     done
    256. 

  256. 

  257.     get_ldap_base_dn
    258. 

  258.     sed -i "s|\$LDAP_BASE_DN|$LDAP_BASE_DN|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
    259. 

  259.     sed -i "s|\$LDAP_ADMIN_PASSWORD|$LDAP_ADMIN_PASSWORD|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
    260. 

  260.     sed -i "s|\$LDAP_CONFIG_PASSWORD|$LDAP_CONFIG_PASSWORD|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
    261. 

  261. 

  262.     sed -i "/{{ LDAP_REPLICATION_HOSTS }}/d" /container/service/slapd/assets/config/replication/replication-enable.ldif
    263. 

  263.     sed -i "/{{ LDAP_REPLICATION_HOSTS_CONFIG_SYNC_REPL }}/d" /container/service/slapd/assets/config/replication/replication-enable.ldif
    264. 

  264.     sed -i "/{{ LDAP_REPLICATION_HOSTS_HDB_SYNC_REPL }}/d" /container/service/slapd/assets/config/replication/replication-enable.ldif
    265. 

  265. 

  266.     echo "Enable replication"
    267. 

  267.     ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/replication/replication-enable.ldif || true
    268. 

  268. 

  269.     [[ -f "$WAS_STARTED_WITH_REPLICATION" ]] && rm -f "$WAS_STARTED_WITH_REPLICATION"
    270. 

  270.     touch $WAS_STARTED_WITH_REPLICATION
    271. 

  271.     echo "export PREVIOUS_HOSTNAME=${HOSTNAME}" >> $WAS_STARTED_WITH_REPLICATION
    272. 

  272.     chmod +x $WAS_STARTED_WITH_REPLICATION
    273. 

  273. 

  274.   else
    275. 

  275. 

  276.     echo "Don't use replication"
    277. 

  277.     disableReplication || true
    278. 

  278. 

  279.   fi
    280. 

  280. 

  281.   # stop OpenLDAP
    282. 

  282.   SLAPD_PID=$(cat /run/slapd/slapd.pid)
    283. 

  283.   echo "Kill slapd, pid: $SLAPD_PID"
    284. 

  284.   kill -9 $SLAPD_PID
    285. 

  285.   echo "[ok]"
    286. 

  286. 

  287.   sleep 3
    288. 

  288. 

  289.   touch $FIRST_START_DONE
    290. 

  290. fi
    291. 

  291. 

  292. exit 0
    293.