From 45564fa83e7ed2b2436ca7b1899b1278547d7878 Mon Sep 17 00:00:00 2001 From: Marisa Date: Thu, 18 Dec 2025 07:25:35 -0500 Subject: [PATCH] Small fixes from Ubuntu 22 -> Debian 12 switch --- entrypoint.sh | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 909771d..c27c3aa 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -75,15 +75,17 @@ homeDirectory: /home/marisa gecos: Marisa Kirisame EOF +ADMIN_DN="cn=admin,${LDAP_BASE_DN}" +ADMIN_PW="admin" echo "--> Adding base structure" -ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/base.ldif || true +ldapadd -c -x -D "$ADMIN_DN" -w "$ADMIN_PW" -f /tmp/base.ldif || true #────────────────────────────────────────────────────────────── # TLS BLOCK #────────────────────────────────────────────────────────────── if [ ! -f "/export-certs/mycacert.crt" ]; then - echo "--> No CA found, generating new certificates and TLS config..." + echo "--> No CA found → generating certificates..." mkdir -p /etc/ldap/certs cd /etc/ldap/certs certtool --generate-privkey --bits 4096 --outfile ca-key.pem 
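Review bot: The new `ADMIN_PW="admin"` line hard-codes the directory admin credential and the rewritten `ldapadd -c -x -D "$ADMIN_DN" -w "$ADMIN_PW" -f /tmp/base.ldif` still passes it on the command line, where it is visible to every process in the container via `ps`/`/proc` and in any `set -x` trace. Now that the value lives in one variable it is cheap to take it from the environment with the old default as fallback, `ADMIN_PW="${LDAP_ADMIN_PASSWORD:-admin}"`, and hand it to the tools through a file instead of argv, e.g. `printf '%s' "$ADMIN_PW" > /run/ldap-admin.pw && chmod 600 /run/ldap-admin.pw` followed by `ldapadd -c -x -D "$ADMIN_DN" -y /run/ldap-admin.pw -f /tmp/base.ldif`. The trailing `|| true` also swallows a failed bind, so a wrong admin password would only surface when later steps fail; logging the exit status there would make that diagnosable. Whether slapd's own `olcRootPW` is seeded with the same default is outside this hunk.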
@@ -94,6 +96,7 @@ cert_signing_key expiration_days = 3650 EOF certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem + certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem cat > ldap01.info < ldap01_slapd_cert_full.pem chown root:openldap ldap01_slapd_cert_full.pem chmod 640 ldap01_slapd_cert_full.pem - - # Generate the LDIF for TLS config now, but apply it later + echo "--> Starting second temporary slapd to apply TLS config" + slapd -h "ldap:/// ldapi:///" -u openldap -g openldap & + sleep 4 cat > /tmp/certinfo.ldif < Exporting certificates to host volume..." cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem - cp /tmp/certinfo.ldif /export-certs/certinfo.ldif else echo "--> Certificates already exist — skipping generation and using existing ones" fi @@ -140,6 +146,12 @@ fi export LDAPTLS_REQCERT=allow # ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←← +# NEW: Save and restore the LDIF — no changes to TLS block +if [ ! -f "/export-certs/certinfo.ldif" ]; then + echo "--> Saving TLS config LDIF for future restarts" + cp /tmp/certinfo.ldif /export-certs/certinfo.ldif +fi + if [ -f "/export-certs/certinfo.ldif" ]; then echo "--> Restoring TLS config LDIF from persistent volume" cp /export-certs/certinfo.ldif /tmp/certinfo.ldif @@ -148,8 +160,6 @@ fi # Set Marisa password (full LDIF — so ldapmodify knows what to modify) echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind" -ADMIN_DN="cn=admin,${LDAP_BASE_DN}" -ADMIN_PW="admin" slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \ ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" </dev/null 2>&1 dn: uid=marisa,ou=People,${LDAP_BASE_DN} 
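Review bot: The added temporary `slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &` listens on the plaintext TCP socket on all interfaces while it has no TLS configured yet, and the following `sleep 4` is a fixed delay rather than a readiness check, so a slow start leaves the later config load racing a socket that is not open (the lines that apply `/tmp/certinfo.ldif` are garbled on this page, so I could not see which URI they use). Since this instance exists only to apply cn=config changes, bind it to the Unix socket alone, `slapd -h "ldapi:///" -u openldap -g openldap &`, and wait for it with `until ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base >/dev/null 2>&1; do sleep 1; done`. The hunk also does not show this second daemon's PID being recorded or the process being stopped before the main slapd is started later in the script; if it is not, the main start may find the socket busy and the `trap ... kill $SLAPD_PID $APACHE_PID` at the end of the file would not cover it. If the config load currently goes through `ldap://localhost`, it needs to move to `-H ldapi:/// -Y EXTERNAL` as well for the ldapi-only binding to work.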
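Review bot: The new save block copies `/tmp/certinfo.ldif` whenever the volume lacks `certinfo.ldif`, but on the "Certificates already exist" path of the TLS block nothing in this diff writes `/tmp/certinfo.ldif`, so a volume that holds the CA but not the LDIF (for example one restored from a backup that only kept the certificates) makes the `cp` fail and, if `set -e` is active earlier in the file, aborts the entrypoint. Guard the source too: `if [ ! -f "/export-certs/certinfo.ldif" ] && [ -f /tmp/certinfo.ldif ]; then`. The comment `# NEW: Save and restore the LDIF — no changes to TLS block` describes the commit rather than the code and will be stale by the next change; replace it with the reason the copy exists, e.g. `# Persist the TLS cn=config LDIF so a restart can re-apply it without regenerating certificates`. Note that the restore block right after copies the same file straight back, so on a fresh run the two blocks are a no-op round trip — harmless, but worth a one-line comment so nobody "fixes" it.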
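Review bot: On the new side `echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind"` writes the user's password into the container log, and `slappasswd -h '{SSHA}' -s MarisaNewPass2025` exposes it on the command line; this is pre-existing, but the commit rewrites the surrounding lines and now relies on `ADMIN_DN`/`ADMIN_PW` being set roughly eighty lines earlier, so it is a good moment to clean it up. Drop the secret from the log line, `echo "--> Setting Marisa password using Admin Bind"`, and feed it to slappasswd from a file rather than argv, `slappasswd -h '{SSHA}' -T /run/marisa.pw` (with the file created 0600 beforehand). The here-document that feeds `ldapmodify` appears mangled on this page (`</dev/null 2>&1`), so I could not review the LDIF body itself.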
@@ -222,14 +232,11 @@ echo "--> Installing phpLDAPadmin" # Only install once — use a flag file if [ ! -f "/var/www/html/phpldapadmin-installed" ]; then - # Clean up any previous partial installation - rm -rf /var/www/html/phpldapadmin* - cd /var/www/html # Download and extract (direct tarball, no git needed) wget -q -O phpldapadmin.tgz \ - https://github.com/leenooks/phpLDAPadmin/archive/refs/tags/1.2.6.7.tar.gz || exit 1 + https://github.com/leenooks/phpLDAPadmin/archive/refs/tags/1.2.6.7.tar.gz tar xzf phpldapadmin.tgz mv phpLDAPadmin-1.2.6.7 phpldapadmin rm phpldapadmin.tgz @@ -273,3 +280,4 @@ trap 'echo "Stopping services..."; kill $SLAPD_PID $APACHE_PID 2>/dev/null; wait # Give you your interactive shell — forever exec "$@" +
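Review bot: Dropping `|| exit 1` from the `wget -q -O phpldapadmin.tgz https://github.com/leenooks/phpLDAPadmin/archive/refs/tags/1.2.6.7.tar.gz` line makes a failed or partial download non-fatal; `tar xzf` then errors on an empty file and, unless `set -e` is in effect (not visible in this diff), the script carries on as if phpLDAPadmin were installed. Keep the failure handling, `wget -q -O phpldapadmin.tgz "$URL" || { echo "phpLDAPadmin download failed" >&2; exit 1; }`, and since this is third-party code unpacked into the web root, verify the tarball against a SHA-256 pinned from the release before extracting, `echo "<sha256>  phpldapadmin.tgz" | sha256sum -c -` (take the digest from the release page; I have not included one). Removing the `rm -rf /var/www/html/phpldapadmin*` cleanup also means a leftover partial directory from an earlier failed run makes `mv phpLDAPadmin-1.2.6.7 phpldapadmin` fail or nest the new tree inside the old one; if the flag file is the guard, that cleanup on the not-yet-installed path is what made a retry safe. The `if` block continues past the end of the hunk.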