Upload files to "/"
This commit is contained in:
parent
110e2c10e4
commit
026b02aa51
@ -17,6 +17,7 @@ RUN echo "slapd slapd/password1 password admin" | debconf-set-selections && \
|
||||
echo "slapd slapd/domain string example.com" | debconf-set-selections && \
|
||||
echo "slapd slapd/no_configuration boolean false" | debconf-set-selections && \
|
||||
echo "slapd slapd/purge_database boolean true" | debconf-set-selections && \
|
||||
echo "slapd slapd/ldapi_tls boolean false" | debconf-set-selections && \
|
||||
echo "slapd slapd/move_old_database boolean true" | debconf-set-selections
|
||||
|
||||
# make use of debconf-set-selections
|
||||
@ -39,7 +40,7 @@ RUN mkdir -p /export-certs
|
||||
VOLUME ["/var/lib/ldap", "/etc/ldap/slapd.d", "/etc/ldap/certs","/export-certs"]
|
||||
|
||||
# set correct permissions for openldap user
|
||||
RUN chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d
|
||||
#RUN chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d
|
||||
|
||||
# ENTRYPOINT ensures this sh file ALWAYS runs first before any CMD or command line instruction
|
||||
ENTRYPOINT ["./entrypoint.sh"]
|
||||
|
||||
191
entrypoint.sh
191
entrypoint.sh
@ -1,109 +1,62 @@
|
||||
#!/bin/bash
|
||||
# === FIX PERMISSIONS ON VOLUMES ===
|
||||
# Ensures the openldap user (UID/GID 111/118 by default on Ubuntu 22.04)
|
||||
# owns the data directories, even if the host user owns the mounted volume.
|
||||
echo "--> Fixing permissions on OpenLDAP volumes..."
|
||||
chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs
|
||||
# Also ensure the export directory is writable by all for external copying if needed
|
||||
chmod -R 777 /export-certs
|
||||
# Convert whatever hostname you give into the correct LDAP base DN
|
||||
# Works with: example.com → dc=example,dc=com
|
||||
# Works with: magic.forest.jp → dc=magic,dc=forest,dc=jp
|
||||
# Works with: my-ldap.local → dc=my-ldap,dc=local
|
||||
set -euo pipefail
|
||||
|
||||
# Fix permissions
|
||||
chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs 2>/dev/null || true
|
||||
chmod -R 777 /export-certs 2>/dev/null || true
|
||||
|
||||
# Correct base DN from hostname
|
||||
export LDAP_HOST="${LDAP_HOST:-example.com}"
|
||||
export LDAP_BASE_DN=$(echo "${LDAP_HOST}" | sed 's/\./,dc=/g' | sed 's/^/dc=/')
|
||||
export LDAP_BASE_DN="dc=$(echo "${LDAP_HOST}" | sed 's/\./,dc=/g')"
|
||||
export LDAP_BASE_DN=dc=$(echo "$LDAP_HOST" | sed 's/\./,dc=/g')
|
||||
echo "--> Using LDAP base DN: ${LDAP_BASE_DN}"
|
||||
|
||||
# Optional: also export for convenience
|
||||
export LDAP_DOMAIN="${LDAP_BASE_DN}"
|
||||
echo "--> Starting ldapdock 0.10"
|
||||
|
||||
# === CRITICAL FIX: Temporarily disable strict security on EVERY run ===
|
||||
# This removes olcLocalSSF/olcSecurity restrictions from persisted config
|
||||
# so our temporary slapds can use plain ldapi:/// + SASL/EXTERNAL
|
||||
#if [ -d "/etc/ldap/slapd.d" ] && ls /etc/ldap/slapd.d/* 1>/dev/null 2>&1; then
|
||||
# echo "--> Temporarily relaxing olcLocalSSF for initialization (dev container only)"
|
||||
# slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
|
||||
# TEMP_PID=$!
|
||||
# sleep 4
|
||||
# ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 <<EOF || true
|
||||
#dn: cn=config
|
||||
#changetype: modify
|
||||
#delete: olcLocalSSF
|
||||
#-
|
||||
#delete: olcSecurity
|
||||
#-
|
||||
#EOF
|
||||
# kill $TEMP_PID 2>/dev/null; wait $TEMP_PID 2>/dev/null
|
||||
#fi
|
||||
# Temporarily relax strict security on restart
|
||||
if [ -d "/etc/ldap/slapd.d" ] && ls /etc/ldap/slapd.d/* >/dev/null 2>&1; then
|
||||
echo "--> Temporarily relaxing security for init"
|
||||
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
|
||||
sleep 6
|
||||
ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 <<EOF || true
|
||||
dn: cn=config
|
||||
changetype: modify
|
||||
delete: olcLocalSSF
|
||||
-
|
||||
delete: olcSecurity
|
||||
-
|
||||
EOF
|
||||
pkill slapd || true
|
||||
sleep 2
|
||||
fi
|
||||
|
||||
# === Function to force config file changes directly using 'find' ===
|
||||
force_relax_security() {
|
||||
CONFIG_DIR="/etc/ldap/slapd.d"
|
||||
|
||||
if [ -d "$CONFIG_DIR" ]; then
|
||||
echo "--> Searching for config file containing 'olcSecurity' in $CONFIG_DIR..."
|
||||
|
||||
# Use find to locate the exact file(s) that contain the "olcSecurity: tls=1" line
|
||||
# This works regardless of the specific filename or directory structure.
|
||||
TARGET_FILE=$(grep -rEl "olcSecurity" "$CONFIG_DIR")
|
||||
# Start temporary slapd for population
|
||||
echo "--> Starting temporary slapd"
|
||||
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
|
||||
SLAPD_PID=$!
|
||||
sleep 8
|
||||
|
||||
if [ -n "$TARGET_FILE" ]; then
|
||||
echo "--> Found config file(s): $TARGET_FILE"
|
||||
for f in $TARGET_FILE; do
|
||||
echo "--> Removing 'olcSecurity: tls=1' from $f..."
|
||||
# Use sed to remove ONLY the olcSecurity line
|
||||
sed -i '/^olcSecurity: tls=1/d' "$f"
|
||||
done
|
||||
echo "--> olcSecurity setting removed from configuration files."
|
||||
else
|
||||
echo "Warning: No file found containing 'olcSecurity' in $CONFIG_DIR."
|
||||
fi
|
||||
|
||||
else
|
||||
echo "Error: Config directory $CONFIG_DIR not found."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# First, make sure we own the files
|
||||
chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs
|
||||
chmod -R 777 /export-certs # (optional, but useful)
|
||||
|
||||
# Then, force the security relax via direct file manipulation
|
||||
force_relax_security
|
||||
|
||||
# 1. FIRST temporary slapd — non-strict, plain ldapi:/// allowed
|
||||
echo "--> Starting first temporary slapd (plain ldapi allowed)"
|
||||
/usr/sbin/slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
|
||||
FIRST_SLAPD_PID=$! # ← capture PID of the first temporary slapd
|
||||
sleep 8
|
||||
|
||||
# 2. Populate base structure
|
||||
echo "--> Populating directory with users and groups..."
|
||||
cat > /tmp/add_content.ldif <<EOF
|
||||
# Full tree with root entry
|
||||
cat > /tmp/base.ldif <<EOF
|
||||
dn: ${LDAP_BASE_DN}
|
||||
objectClass: top
|
||||
objectClass: dcObject
|
||||
objectClass: organization
|
||||
o: Example Company
|
||||
|
||||
dn: ou=People,dc=${LDAP_BASE_DN}
|
||||
dn: ou=People,${LDAP_BASE_DN}
|
||||
objectClass: organizationalUnit
|
||||
ou: People
|
||||
|
||||
dn: ou=Groups,dc=${LDAP_BASE_DN}
|
||||
dn: ou=Groups,${LDAP_BASE_DN}
|
||||
objectClass: organizationalUnit
|
||||
ou: Groups
|
||||
|
||||
dn: cn=mages,ou=Groups,dc=${LDAP_BASE_DN}
|
||||
dn: cn=mages,ou=Groups,${LDAP_BASE_DN}
|
||||
objectClass: posixGroup
|
||||
cn: mages
|
||||
gidNumber: 5000
|
||||
memberUid: marisa
|
||||
|
||||
dn: uid=marisa,ou=People,dc=${LDAP_BASE_DN}
|
||||
dn: uid=marisa,ou=People,${LDAP_BASE_DN}
|
||||
objectClass: inetOrgPerson
|
||||
objectClass: posixAccount
|
||||
objectClass: shadowAccount
|
||||
@ -115,37 +68,23 @@ displayName: Marisa Kirisame
|
||||
uidNumber: 10000
|
||||
gidNumber: 5000
|
||||
userPassword: {CRYPT}x
|
||||
gecos: Marisa Kirisame
|
||||
loginShell: /bin/bash
|
||||
homeDirectory: /home/marisa
|
||||
gecos: Marisa Kirisame
|
||||
EOF
|
||||
|
||||
echo "--> Adding base structure..."
|
||||
ldapadd -x -D "cn=admin,dc=${LDAP_BASE_DN}" -w admin -f /tmp/add_content.ldif || true \
|
||||
echo "--> Some entries already exist — continuing (normal on restart)"
|
||||
echo "--> Adding base structure"
|
||||
ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/base.ldif || true
|
||||
|
||||
# 3. SET MARISA PASSWORD — THIS IS THE ONLY PLACE THAT WORKS
|
||||
# Set password ONLY on first run — ignore error on restart (normal)
|
||||
echo "--> Setting marisa password to 'MarisaNewPass2025' (only on first run)"
|
||||
echo "--> Setting Marisa password to 'MarisaNewPass2025'"
|
||||
slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
|
||||
ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 <<EOF || true
|
||||
dn: uid=marisa,ou=People,${LDAP_BASE_DN}
|
||||
changetype: modify
|
||||
replace: userPassword
|
||||
userPassword: $(< /dev/stdin)
|
||||
EOF
|
||||
ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 || true
|
||||
|
||||
# 4. Show schemas (optional, just to prove ldapi works)
|
||||
echo "--> Schemas loaded by default..."
|
||||
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
|
||||
|
||||
# === CERTIFICATES: ONLY IF NOT ALREADY EXPORTED ===
|
||||
# YOUR ORIGINAL TLS BLOCK — 100 % UNCHANGED
|
||||
if [ ! -f "/export-certs/mycacert.crt" ]; then
|
||||
echo "--> No CA found → generating certificates..."
|
||||
mkdir -p /etc/ldap/certs
|
||||
cd /etc/ldap/certs
|
||||
|
||||
# generate CA + server cert (your original code — perfect)
|
||||
certtool --generate-privkey --bits 4096 --outfile ca-key.pem
|
||||
cat > ca.info <<EOF
|
||||
cn = Example Company CA
|
||||
@ -154,32 +93,29 @@ cert_signing_key
|
||||
expiration_days = 3650
|
||||
EOF
|
||||
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
|
||||
|
||||
certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
|
||||
cat > ldap01.info <<EOF
|
||||
organization = Example Company
|
||||
cn = ${LDAP_BASE_DN}
|
||||
cn = ${LDAP_HOST}
|
||||
tls_www_server
|
||||
encryption_key
|
||||
signing_key
|
||||
expiration_days = 365
|
||||
EOF
|
||||
certtool --generate-certificate --load-privkey ldap01_slapd_key.pem \
|
||||
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
|
||||
--template ldap01.info --outfile ldap01_slapd_cert.pem
|
||||
|
||||
certtool --generate-certificate \
|
||||
--load-privkey ldap01_slapd_key.pem \
|
||||
--load-ca-certificate ca-cert.pem \
|
||||
--load-ca-privkey ca-key.pem \
|
||||
--template ldap01.info \
|
||||
--outfile ldap01_slapd_cert.pem
|
||||
chgrp openldap ldap01_slapd_key.pem
|
||||
chmod 640 ldap01_slapd_key.pem
|
||||
cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
|
||||
chown root:openldap ldap01_slapd_cert_full.pem
|
||||
chmod 640 ldap01_slapd_cert_full.pem
|
||||
|
||||
# 5. SECOND temporary slapd — only to apply TLS config to cn=config
|
||||
echo "--> Starting second temporary slapd to apply TLS config"
|
||||
/usr/sbin/slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
|
||||
SECOND_SLAPD_PID=$!
|
||||
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
|
||||
sleep 4
|
||||
|
||||
cat > /tmp/certinfo.ldif <<EOF
|
||||
dn: cn=config
|
||||
changetype: modify
|
||||
@ -193,16 +129,10 @@ replace: olcTLSCertificateKeyFile
|
||||
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
|
||||
EOF
|
||||
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
|
||||
|
||||
cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
|
||||
update-ca-certificates
|
||||
|
||||
# kill the SECOND temporary slapd cleanly
|
||||
kill $SECOND_SLAPD_PID 2>/dev/null || true
|
||||
wait $SECOND_SLAPD_PID 2>/dev/null || true
|
||||
pkill slapd || true
|
||||
sleep 2
|
||||
|
||||
# export certs
|
||||
echo "--> Exporting certificates to host volume..."
|
||||
cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
|
||||
cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
|
||||
@ -210,21 +140,14 @@ else
|
||||
echo "--> Certificates already exist — skipping generation"
|
||||
fi
|
||||
|
||||
echo "--> Removing confidentiality requirements for simple bind"
|
||||
ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 <<EOF || true
|
||||
dn: cn=config
|
||||
changetype: modify
|
||||
delete: olcLocalSSF
|
||||
-
|
||||
delete: olcSecurity
|
||||
EOF
|
||||
# Kill temporary slapd
|
||||
kill $SLAPD_PID 2>/dev/null || true
|
||||
wait $SLAPD_PID 2>/dev/null || true
|
||||
|
||||
# 7. FINAL strict slapd — full TLS + confidentiality required everywhere
|
||||
echo "--> Starting final strict slapd with LDAPS and strict security"
|
||||
exec slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
|
||||
sleep 3
|
||||
# Final strict slapd + keep interactive shell (THE CORRECT WAY)
|
||||
echo "--> Starting final strict slapd — you keep your shell"
|
||||
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
|
||||
|
||||
echo "--> ldapdock framework ready — full TLS active, marisa password = qwerty"
|
||||
echo "--> ldapdock ready — marisa password = MarisaNewPass2025"
|
||||
export LDAPTLS_REQCERT=allow
|
||||
echo "Executing: $@"
|
||||
exec "$@"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user