Upload files to "/"

Marisa 2025-11-19 15:41:47 -05:00
parent 86a8593c71
commit 01c80ddfc0


@ -1,34 +1,32 @@
#!/bin/bash #!/bin/bash
# this script runs INSIDE the container # this script runs INSIDE the container
# set -e # exit on any error?
#!/bin/bash echo "--> Starting ldapdock 0.10"
#set -e # Exit on any error
echo "--> Starting ldapdock 0.9"
echo "--> Launching slapd (temp)..." echo "--> Launching slapd (temp)..."
# Start slapd temporarily for setup # start slapd temporarily for setup
/usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap & /usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap &
sleep 3 sleep 3
# Populate with user & group # populate with user & group
echo "--> Populating directory with marisa..." echo "--> Populating directory with users and groups..."
cat > /tmp/add_content.ldif << 'EOF' cat > /tmp/add_content.ldif << EOF
dn: ou=People,dc=example,dc=com dn: ou=People,dc=${LDAP_HOST}
objectClass: organizationalUnit objectClass: organizationalUnit
ou: People ou: People
dn: ou=Groups,dc=example,dc=com dn: ou=Groups,dc=${LDAP_HOST}
objectClass: organizationalUnit objectClass: organizationalUnit
ou: Groups ou: Groups
dn: cn=mages,ou=Groups,dc=example,dc=com dn: cn=mages,ou=Groups,dc=${LDAP_HOST}
objectClass: posixGroup objectClass: posixGroup
cn: mages cn: mages
gidNumber: 5000 gidNumber: 5000
memberUid: marisa memberUid: marisa
dn: uid=marisa,ou=People,dc=example,dc=com dn: uid=marisa,ou=People,dc=${LDAP_HOST}
objectClass: inetOrgPerson objectClass: inetOrgPerson
objectClass: posixAccount objectClass: posixAccount
objectClass: shadowAccount objectClass: shadowAccount
@ -44,14 +42,52 @@ gecos: Marisa Kirisame
loginShell: /bin/bash loginShell: /bin/bash
homeDirectory: /home/marisa homeDirectory: /home/marisa
EOF EOF
ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/add_content.ldif
ldappasswd -x -D "cn=admin,dc=example,dc=com" -w admin -s qwerty "uid=marisa,ou=People,dc=example,dc=com"
# Kill temp slapd
pkill slapd
sleep 2 sleep 2
# add the structure — ignore "already exists" errors only here
echo "--> Adding base structure..."
ldapadd -x -D "cn=admin,dc=${LDAP_HOST}" -w admin -f /tmp/add_content.ldif || \
echo "--> Some entries already exist — continuing (this is normal)"
# setting up user marisa of group People password
ldappasswd -x -D "cn=admin,dc=${LDAP_HOST}" -w admin -s qwerty "uid=marisa,ou=People,dc=${LDAP_HOST}"
sleep 2
# load and enable policies module
echo "--> Loading policies module..."
cat > modify_ppolicy_module.ldif << EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.so
EOF
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif
# restarting slapd to load ppolicy.so
slapd -h "ldap:/// ldapi:/// ldaps:///" -u openldap -g openldap &
sleep 3
cat > enable_ppolicy.ldif << EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
EOF
#olcPPolicyDefault: cn=default,ou=policies,dc=${LDAP_HOST}
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif
# display schemas loaded by default
echo "--> Schemas loaded by default..."
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
# kill temp slapd
pkill slapd
sleep 3
# === CERTIFICATES: ONLY IF NOT ALREADY EXPORTED === # === CERTIFICATES: ONLY IF NOT ALREADY EXPORTED ===
if [ ! -f "/export-certs/mycacert.crt" ]; then if [ ! -f "/export-certs/mycacert.crt" ]; then
echo "--> No CA found in /export-certs → generating certificates..." echo "--> No CA found in /export-certs → generating certificates..."
@ -69,11 +105,11 @@ expiration_days = 3650
EOF EOF
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
# Server # server
certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
cat > ldap01.info <<EOF cat > ldap01.info <<EOF
organization = Example Company organization = Example Company
cn = example.com cn = ${LDAP_HOST}
tls_www_server tls_www_server
encryption_key encryption_key
signing_key signing_key
@ -86,20 +122,20 @@ EOF
--template ldap01.info \ --template ldap01.info \
--outfile ldap01_slapd_cert.pem --outfile ldap01_slapd_cert.pem
# Permissions # permissions
chgrp openldap ldap01_slapd_key.pem chgrp openldap ldap01_slapd_key.pem
chmod 640 ldap01_slapd_key.pem chmod 640 ldap01_slapd_key.pem
# Bundle # bundle
cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
chown root:openldap ldap01_slapd_cert_full.pem chown root:openldap ldap01_slapd_cert_full.pem
chmod 640 ldap01_slapd_cert_full.pem chmod 640 ldap01_slapd_cert_full.pem
# Start temp slapd to apply config # start temp slapd to apply config
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap & slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
sleep 3 sleep 3
# Apply TLS config # apply TLS config
cat > /tmp/certinfo.ldif <<EOF cat > /tmp/certinfo.ldif <<EOF
dn: cn=config dn: cn=config
changetype: modify changetype: modify
@ -114,11 +150,11 @@ olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
EOF EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
# Trust locally # trust locally
cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
update-ca-certificates update-ca-certificates
# Kill temp # kill temp
pkill slapd pkill slapd
sleep 2 sleep 2
@ -126,7 +162,7 @@ EOF
echo "--> Exporting CA to /export-certs..." echo "--> Exporting CA to /export-certs..."
cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
echo "--> CA ready at ./hosts-certs/mycacert.crt on host" echo "--> Certificate READY at ./hosts-certs/mycacert.crt on host"
else else
echo "--> CA already exists at /export-certs/mycacert.crt → skipping generation" echo "--> CA already exists at /export-certs/mycacert.crt → skipping generation"
fi fi
@ -139,12 +175,15 @@ sleep 3
# === ENABLE TLS FOR ALL CLIENT TOOLS INSIDE CONTAINER === # === ENABLE TLS FOR ALL CLIENT TOOLS INSIDE CONTAINER ===
export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
echo "LDAPTLS_CACERT=$LDAPTLS_CACERT (all ldap* commands now work with TLS)" echo "LDAPTLS_CACERT=$LDAPTLS_CACERT (all ldap* commands now work with TLS)"
echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc
source ~/.bashrc
echo "--> ldapdock framework ready." echo "--> ldapdock framework ready."
# === KEEP CONTAINER ALIVE === # === KEEP CONTAINER ALIVE AND CONTINUE ===
# 'exec' replaces the script process with the command (e.g., /bin/bash), # 'exec' replaces the script process with the command (e.g., /bin/bash),
# ensuring the container stays alive as long as that command runs interactively. # ensuring the container stays alive as long as that command runs interactively.
echo "Executing: $@" echo "Executing: $@"
exec "$@" exec "$@"
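Review bot: The `slapd -h "ldap:/// ldapi:/// ldaps:///" -u openldap -g openldap &` line under the "restarting slapd to load ppolicy.so" comment starts a second daemon while the one launched earlier by `/usr/sbin/slapd -h "ldap:/// ldapi:///" ... &` is still running — nothing stops it between the module-load `ldapmodify` and this start, so the two processes contend for the same sockets and mdb directory until the later `pkill slapd` kills both; either drop the start (cn=config changes over ldapi normally take effect live, but confirm for olcModuleLoad on this build) or put `pkill slapd; sleep 2` in front of it. The `ldapadd ... || echo "--> Some entries already exist — continuing (this is normal)"` turns every failure — bad admin bind, slapd not yet accepting connections, malformed LDIF — into "normal"; ldapadd's exit status is the LDAP result code, so accept only the alreadyExists case, e.g. `rc=0; ldapadd -x -D "cn=admin,dc=${LDAP_HOST}" -w admin -f /tmp/add_content.ldif || rc=$?; [ "$rc" -eq 0 ] || [ "$rc" -eq 68 ] || exit "$rc"`. Changing the heredoc delimiter from `'EOF'` to `EOF` makes every DN, the admin bind DN and the certificate `cn = ${LDAP_HOST}` depend on the variable, yet nothing asserts it is set — with it empty the script binds as `cn=admin,dc=` and issues a certificate with an empty CN — so add `: "${LDAP_HOST:?LDAP_HOST must be set}"` near the top of the script. The `-w admin` and `-s qwerty` literals on the new ldapadd/ldappasswd lines are visible to every process on the host via the argument list; a `-y passfile` read from a mounted secret would keep them out of `ps` and container logs. Smaller points: `modify_ppolicy_module.ldif` and `enable_ppolicy.ldif` are written to whatever the working directory happens to be while `add_content.ldif` goes to /tmp, and the `>> ~/.bashrc` append in the last hunk adds a duplicate export line on every container start.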