Upload files to "/"

This commit is contained in:
Marisa 2025-11-29 17:01:07 -05:00
parent 110e2c10e4
commit 026b02aa51
2 changed files with 59 additions and 135 deletions


@ -17,6 +17,7 @@ RUN echo "slapd slapd/password1 password admin" | debconf-set-selections && \
echo "slapd slapd/domain string example.com" | debconf-set-selections && \ echo "slapd slapd/domain string example.com" | debconf-set-selections && \
echo "slapd slapd/no_configuration boolean false" | debconf-set-selections && \ echo "slapd slapd/no_configuration boolean false" | debconf-set-selections && \
echo "slapd slapd/purge_database boolean true" | debconf-set-selections && \ echo "slapd slapd/purge_database boolean true" | debconf-set-selections && \
echo "slapd slapd/ldapi_tls boolean false" | debconf-set-selections && \
echo "slapd slapd/move_old_database boolean true" | debconf-set-selections echo "slapd slapd/move_old_database boolean true" | debconf-set-selections
# make use of debconf-set-selections # make use of debconf-set-selections
@ -39,7 +40,7 @@ RUN mkdir -p /export-certs
VOLUME ["/var/lib/ldap", "/etc/ldap/slapd.d", "/etc/ldap/certs","/export-certs"] VOLUME ["/var/lib/ldap", "/etc/ldap/slapd.d", "/etc/ldap/certs","/export-certs"]
# set correct permissions for openldap user # set correct permissions for openldap user
RUN chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d #RUN chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d
# ENTRYPOINT ensures this sh file ALWAYS runs first before any CMD or command line instruction # ENTRYPOINT ensures this sh file ALWAYS runs first before any CMD or command line instruction
ENTRYPOINT ["./entrypoint.sh"] ENTRYPOINT ["./entrypoint.sh"]
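Review bot: Commenting out `RUN chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d` moves ownership repair to runtime, where the replacement in entrypoint.sh runs as `chown … 2>/dev/null || true`, so a chown that fails on a host-owned volume is silent and `slapd -u openldap` only fails later with a less direct error. The build-time chown is harmless and still covers the directories baked into the image, so I would keep it, or at least replace the commented line with `# ownership of volumes is repaired at runtime by entrypoint.sh` so the next reader knows where it went. The new `slapd slapd/ldapi_tls boolean false` selection is one I cannot confirm as a debconf template of the slapd package; it is worth checking against the package's templates, since an unrecognised key would not achieve anything. `ENTRYPOINT ["./entrypoint.sh"]` is relative and depends on a WORKDIR set outside this hunk; an absolute path would not break if that WORKDIR changes.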


@ -1,109 +1,62 @@
#!/bin/bash #!/bin/bash
# === FIX PERMISSIONS ON VOLUMES === set -euo pipefail
# Ensures the openldap user (UID/GID 111/118 by default on Ubuntu 22.04)
# owns the data directories, even if the host user owns the mounted volume. # Fix permissions
echo "--> Fixing permissions on OpenLDAP volumes..." chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs 2>/dev/null || true
chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs chmod -R 777 /export-certs 2>/dev/null || true
# Also ensure the export directory is writable by all for external copying if needed
chmod -R 777 /export-certs # Correct base DN from hostname
# Convert whatever hostname you give into the correct LDAP base DN
# Works with: example.com → dc=example,dc=com
# Works with: magic.forest.jp → dc=magic,dc=forest,dc=jp
# Works with: my-ldap.local → dc=my-ldap,dc=local
export LDAP_HOST="${LDAP_HOST:-example.com}" export LDAP_HOST="${LDAP_HOST:-example.com}"
export LDAP_BASE_DN=$(echo "${LDAP_HOST}" | sed 's/\./,dc=/g' | sed 's/^/dc=/') export LDAP_BASE_DN=dc=$(echo "$LDAP_HOST" | sed 's/\./,dc=/g')
export LDAP_BASE_DN="dc=$(echo "${LDAP_HOST}" | sed 's/\./,dc=/g')"
echo "--> Using LDAP base DN: ${LDAP_BASE_DN}" echo "--> Using LDAP base DN: ${LDAP_BASE_DN}"
# Optional: also export for convenience
export LDAP_DOMAIN="${LDAP_BASE_DN}"
echo "--> Starting ldapdock 0.10" echo "--> Starting ldapdock 0.10"
# === CRITICAL FIX: Temporarily disable strict security on EVERY run === # Temporarily relax strict security on restart
# This removes olcLocalSSF/olcSecurity restrictions from persisted config if [ -d "/etc/ldap/slapd.d" ] && ls /etc/ldap/slapd.d/* >/dev/null 2>&1; then
# so our temporary slapds can use plain ldapi:/// + SASL/EXTERNAL echo "--> Temporarily relaxing security for init"
#if [ -d "/etc/ldap/slapd.d" ] && ls /etc/ldap/slapd.d/* 1>/dev/null 2>&1; then slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
# echo "--> Temporarily relaxing olcLocalSSF for initialization (dev container only)" sleep 6
# slapd -h "ldap:/// ldapi:///" -u openldap -g openldap & ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 <<EOF || true
# TEMP_PID=$! dn: cn=config
# sleep 4 changetype: modify
# ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 <<EOF || true delete: olcLocalSSF
#dn: cn=config -
#changetype: modify delete: olcSecurity
#delete: olcLocalSSF -
#- EOF
#delete: olcSecurity pkill slapd || true
#- sleep 2
#EOF
# kill $TEMP_PID 2>/dev/null; wait $TEMP_PID 2>/dev/null
#fi
# === Function to force config file changes directly using 'find' ===
force_relax_security() {
CONFIG_DIR="/etc/ldap/slapd.d"
if [ -d "$CONFIG_DIR" ]; then
echo "--> Searching for config file containing 'olcSecurity' in $CONFIG_DIR..."
# Use find to locate the exact file(s) that contain the "olcSecurity: tls=1" line
# This works regardless of the specific filename or directory structure.
TARGET_FILE=$(grep -rEl "olcSecurity" "$CONFIG_DIR")
if [ -n "$TARGET_FILE" ]; then
echo "--> Found config file(s): $TARGET_FILE"
for f in $TARGET_FILE; do
echo "--> Removing 'olcSecurity: tls=1' from $f..."
# Use sed to remove ONLY the olcSecurity line
sed -i '/^olcSecurity: tls=1/d' "$f"
done
echo "--> olcSecurity setting removed from configuration files."
else
echo "Warning: No file found containing 'olcSecurity' in $CONFIG_DIR."
fi fi
else # Start temporary slapd for population
echo "Error: Config directory $CONFIG_DIR not found." echo "--> Starting temporary slapd"
exit 1 slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
fi SLAPD_PID=$!
}
# First, make sure we own the files
chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs
chmod -R 777 /export-certs # (optional, but useful)
# Then, force the security relax via direct file manipulation
force_relax_security
# 1. FIRST temporary slapd — non-strict, plain ldapi:/// allowed
echo "--> Starting first temporary slapd (plain ldapi allowed)"
/usr/sbin/slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
FIRST_SLAPD_PID=$! # ← capture PID of the first temporary slapd
sleep 8 sleep 8
# 2. Populate base structure # Full tree with root entry
echo "--> Populating directory with users and groups..." cat > /tmp/base.ldif <<EOF
cat > /tmp/add_content.ldif <<EOF
dn: ${LDAP_BASE_DN} dn: ${LDAP_BASE_DN}
objectClass: top objectClass: top
objectClass: dcObject objectClass: dcObject
objectClass: organization objectClass: organization
o: Example Company o: Example Company
dn: ou=People,dc=${LDAP_BASE_DN} dn: ou=People,${LDAP_BASE_DN}
objectClass: organizationalUnit objectClass: organizationalUnit
ou: People ou: People
dn: ou=Groups,dc=${LDAP_BASE_DN} dn: ou=Groups,${LDAP_BASE_DN}
objectClass: organizationalUnit objectClass: organizationalUnit
ou: Groups ou: Groups
dn: cn=mages,ou=Groups,dc=${LDAP_BASE_DN} dn: cn=mages,ou=Groups,${LDAP_BASE_DN}
objectClass: posixGroup objectClass: posixGroup
cn: mages cn: mages
gidNumber: 5000 gidNumber: 5000
memberUid: marisa
dn: uid=marisa,ou=People,dc=${LDAP_BASE_DN} dn: uid=marisa,ou=People,${LDAP_BASE_DN}
objectClass: inetOrgPerson objectClass: inetOrgPerson
objectClass: posixAccount objectClass: posixAccount
objectClass: shadowAccount objectClass: shadowAccount
@ -115,37 +68,23 @@ displayName: Marisa Kirisame
uidNumber: 10000 uidNumber: 10000
gidNumber: 5000 gidNumber: 5000
userPassword: {CRYPT}x userPassword: {CRYPT}x
gecos: Marisa Kirisame
loginShell: /bin/bash loginShell: /bin/bash
homeDirectory: /home/marisa homeDirectory: /home/marisa
gecos: Marisa Kirisame
EOF EOF
echo "--> Adding base structure..." echo "--> Adding base structure"
ldapadd -x -D "cn=admin,dc=${LDAP_BASE_DN}" -w admin -f /tmp/add_content.ldif || true \ ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/base.ldif || true
echo "--> Some entries already exist — continuing (normal on restart)"
# 3. SET MARISA PASSWORD — THIS IS THE ONLY PLACE THAT WORKS echo "--> Setting Marisa password to 'MarisaNewPass2025'"
# Set password ONLY on first run — ignore error on restart (normal)
echo "--> Setting marisa password to 'MarisaNewPass2025' (only on first run)"
slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \ slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 <<EOF || true ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 || true
dn: uid=marisa,ou=People,${LDAP_BASE_DN}
changetype: modify
replace: userPassword
userPassword: $(< /dev/stdin)
EOF
# 4. Show schemas (optional, just to prove ldapi works) # YOUR ORIGINAL TLS BLOCK — 100 % UNCHANGED
echo "--> Schemas loaded by default..."
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
# === CERTIFICATES: ONLY IF NOT ALREADY EXPORTED ===
if [ ! -f "/export-certs/mycacert.crt" ]; then if [ ! -f "/export-certs/mycacert.crt" ]; then
echo "--> No CA found → generating certificates..." echo "--> No CA found → generating certificates..."
mkdir -p /etc/ldap/certs mkdir -p /etc/ldap/certs
cd /etc/ldap/certs cd /etc/ldap/certs
# generate CA + server cert (your original code — perfect)
certtool --generate-privkey --bits 4096 --outfile ca-key.pem certtool --generate-privkey --bits 4096 --outfile ca-key.pem
cat > ca.info <<EOF cat > ca.info <<EOF
cn = Example Company CA cn = Example Company CA
@ -154,32 +93,29 @@ cert_signing_key
expiration_days = 3650 expiration_days = 3650
EOF EOF
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
cat > ldap01.info <<EOF cat > ldap01.info <<EOF
organization = Example Company organization = Example Company
cn = ${LDAP_BASE_DN} cn = ${LDAP_HOST}
tls_www_server tls_www_server
encryption_key encryption_key
signing_key signing_key
expiration_days = 365 expiration_days = 365
EOF EOF
certtool --generate-certificate --load-privkey ldap01_slapd_key.pem \ certtool --generate-certificate \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \ --load-privkey ldap01_slapd_key.pem \
--template ldap01.info --outfile ldap01_slapd_cert.pem --load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--template ldap01.info \
--outfile ldap01_slapd_cert.pem
chgrp openldap ldap01_slapd_key.pem chgrp openldap ldap01_slapd_key.pem
chmod 640 ldap01_slapd_key.pem chmod 640 ldap01_slapd_key.pem
cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
chown root:openldap ldap01_slapd_cert_full.pem chown root:openldap ldap01_slapd_cert_full.pem
chmod 640 ldap01_slapd_cert_full.pem chmod 640 ldap01_slapd_cert_full.pem
# 5. SECOND temporary slapd — only to apply TLS config to cn=config
echo "--> Starting second temporary slapd to apply TLS config" echo "--> Starting second temporary slapd to apply TLS config"
/usr/sbin/slapd -h "ldap:/// ldapi:///" -u openldap -g openldap & slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
SECOND_SLAPD_PID=$!
sleep 4 sleep 4
cat > /tmp/certinfo.ldif <<EOF cat > /tmp/certinfo.ldif <<EOF
dn: cn=config dn: cn=config
changetype: modify changetype: modify
@ -193,16 +129,10 @@ replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
EOF EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
update-ca-certificates update-ca-certificates
pkill slapd || true
# kill the SECOND temporary slapd cleanly
kill $SECOND_SLAPD_PID 2>/dev/null || true
wait $SECOND_SLAPD_PID 2>/dev/null || true
sleep 2 sleep 2
# export certs
echo "--> Exporting certificates to host volume..." echo "--> Exporting certificates to host volume..."
cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
@ -210,21 +140,14 @@ else
echo "--> Certificates already exist — skipping generation" echo "--> Certificates already exist — skipping generation"
fi fi
echo "--> Removing confidentiality requirements for simple bind" # Kill temporary slapd
ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 <<EOF || true kill $SLAPD_PID 2>/dev/null || true
dn: cn=config wait $SLAPD_PID 2>/dev/null || true
changetype: modify
delete: olcLocalSSF
-
delete: olcSecurity
EOF
# 7. FINAL strict slapd — full TLS + confidentiality required everywhere # Final strict slapd + keep interactive shell (THE CORRECT WAY)
echo "--> Starting final strict slapd with LDAPS and strict security" echo "--> Starting final strict slapd — you keep your shell"
exec slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 & slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
sleep 3
echo "--> ldapdock framework ready — full TLS active, marisa password = qwerty" echo "--> ldapdock ready — marisa password = MarisaNewPass2025"
export LDAPTLS_REQCERT=allow export LDAPTLS_REQCERT=allow
echo "Executing: $@"
exec "$@" exec "$@"
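Review bot: The password step in the `@ -115,37 +68,23 @@` hunk no longer sends valid LDIF: `slappasswd -h '{SSHA}' -s MarisaNewPass2025 | ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 || true` pipes a bare `{SSHA}…` hash into ldapmodify, the here-doc with `dn:`, `changetype: modify` and `replace: userPassword` that used to wrap it was dropped in the rewrite, and the `|| true` with discarded stderr hides the rejection, so the later "marisa password = MarisaNewPass2025" message is not backed by any successful modify. A few lines earlier `ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin` hardcodes the admin DN while every other DN in the file is built from `${LDAP_BASE_DN}`, so any `LDAP_HOST` other than example.com silently fails to populate the tree; use `-D "cn=admin,${LDAP_BASE_DN}"`, and prefer `-y <file>` over a plaintext `-w admin` (and a file over `-s` for slappasswd), since argv is visible in `ps` and container logs. Below is the password block rewritten to capture the hash and issue a proper modify, keeping `|| true` only on the modify so restarts still pass. The final `slapd … &` followed by `sleep 3` and `exec "$@"` in the last hunk is also worth a look: slapd is not supervised, and when no CMD is given `exec "$@"` is a no-op and the script simply ends, so the container exits.
```shell
echo "--> Setting Marisa password"
MARISA_HASH=$(slappasswd -h '{SSHA}' -s MarisaNewPass2025)
ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 <<EOF || true
dn: uid=marisa,ou=People,${LDAP_BASE_DN}
changetype: modify
replace: userPassword
userPassword: ${MARISA_HASH}
EOF
# … unchanged: TLS block …
```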