Update entrypoint.sh

2025-11-12 11:18:10 -05:00 · 2025-11-12 11:18:10 -05:00 · 4b25c3759f
commit 4b25c3759f
parent 5ca1cc0516
1 changed files with 134 additions and 90 deletions
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -1,105 +1,149 @@
 #!/bin/bash
-# already INSIDE the container
-# start slapd in the background
-echo "Starting slapd service..."
+# this script runs INSIDE the container

-# slapd start command, running in the background (&)
-/usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d &
+#!/bin/bash
+#set -e  # Exit on any error

-# wait briefly for the service to start
+echo "--> Starting ldapdock 0.9"
+echo "--> Launching slapd (temp)..."
+
+# Start slapd temporarily for setup
+/usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap &
 sleep 3

-# check if slapd started successfully
-SLAPD_PID=$!
-if kill -0 $SLAPD_PID 2>/dev/null; then
-    echo "OpenLDAP slapd service started successfully with PID: $SLAPD_PID"
+# Populate with user & group
+echo "--> Populating directory with marisa..."
+cat > /tmp/add_content.ldif << 'EOF'
+dn: ou=People,dc=example,dc=com
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=Groups,dc=example,dc=com
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=mages,ou=Groups,dc=example,dc=com
+objectClass: posixGroup
+cn: mages
+gidNumber: 5000
+memberUid: marisa
+
+dn: uid=marisa,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: marisa
+sn: Kirisame
+givenName: Marisa
+cn: Marisa Kirisame
+displayName: Marisa Kirisame
+uidNumber: 10000
+gidNumber: 5000
+userPassword: {CRYPT}x
+gecos: Marisa Kirisame
+loginShell: /bin/bash
+homeDirectory: /home/marisa
+EOF
+
+ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/add_content.ldif
+ldappasswd -x -D "cn=admin,dc=example,dc=com" -w admin -s qwerty "uid=marisa,ou=People,dc=example,dc=com"
+
+# Kill temp slapd
+pkill slapd
+sleep 2
+
+# === CERTIFICATES: ONLY IF NOT ALREADY EXPORTED ===
+if [ ! -f "/export-certs/mycacert.crt" ]; then
+    echo "--> No CA found in /export-certs → generating certificates..."
+
+    mkdir -p /etc/ldap/certs
+    cd /etc/ldap/certs
+
+    # CA
+    certtool --generate-privkey --bits 4096 --outfile ca-key.pem
+    cat > ca.info <<EOF
+cn = Example Company CA
+ca
+cert_signing_key
+expiration_days = 3650
+EOF
+    certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
+
+    # Server
+    certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
+    cat > ldap01.info <<EOF
+organization = Example Company
+cn = example.com
+tls_www_server
+encryption_key
+signing_key
+expiration_days = 365
+EOF
+    certtool --generate-certificate \
+      --load-privkey ldap01_slapd_key.pem \
+      --load-ca-certificate ca-cert.pem \
+      --load-ca-privkey ca-key.pem \
+      --template ldap01.info \
+      --outfile ldap01_slapd_cert.pem
+
+    # Permissions
+    chgrp openldap ldap01_slapd_key.pem
+    chmod 640 ldap01_slapd_key.pem
+
+    # Bundle
+    cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
+    chown root:openldap ldap01_slapd_cert_full.pem
+    chmod 640 ldap01_slapd_cert_full.pem
+
+    # Start temp slapd to apply config
+    slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
+    sleep 3
+
+    # Apply TLS config
+    cat > /tmp/certinfo.ldif <<EOF
+dn: cn=config
+changetype: modify
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/certs/ca-cert.pem
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/certs/ldap01_slapd_cert_full.pem
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
+EOF
+    ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
+
+    # Trust locally
+    cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
+    update-ca-certificates
+
+    # Kill temp
+    pkill slapd
+    sleep 2
+
+    # === EXPORT TO HOST (always, since volume is mounted) ===
+    echo "--> Exporting CA to /export-certs..."
+    cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
+    cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
+    echo "--> CA ready at ./hosts-certs/mycacert.crt on host"
 else
-    echo "OpenLDAP slapd already running with PID: $SLAPD_PID"
+    echo "--> CA already exists at /export-certs/mycacert.crt → skipping generation"
 fi

-echo "Creating and enabling Administrator user..."
-
-# get a hashed password
-HASH_PWD="$(sh -c 'slappasswd -s 0p3nLd4p!')"
-
-# create the .ldif file to create the admin user with the hashed password
-cat > create_admin.ldif << EOF
-dn: cn=admin,dc=example,dc=com
-changetype: add
-objectClass: organizationalRole
-objectClass: simpleSecurityObject
-cn: admin
-description: LDAP administrator
-userPassword: ${HASH_PWD}
-EOF
-
-# call the LDAP server to add it
-ldapadd -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w admin -f create_admin.ldif
-
-echo "Loading and enabling policies module..."
-
-# create a .ldif file to specify we are going to load the policies module
-cat > modify_ppolicy_module.ldif << EOF
-dn: cn=module{0},cn=config
-changetype: modify
-add: olcModuleLoad
-olcModuleLoad: ppolicy.so
-EOF
-
-# load the policies module in our openLDAP server
-ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif
-
-# we need to restart the openLDAP in order to enable the new module
-echo "Restarting slapd service to enable policies..."
-# we look for the pid of slapd, and kill it
-kill $(pidof slapd)
-# wait 3 seconds and restart it in background mode
-sleep 3
-/usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d &
-# we wait 3 more seconds to continue
+# === FINAL SLAPD START ===
+echo "--> Starting final slapd with LDAPS..."
+slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
 sleep 3

-# we prepare the .ldif file to enable the policies module already loaded
-cat > enable_ppolicy.ldif << EOF
-dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
-changetype: add
-objectClass: olcOverlayConfig
-objectClass: olcPPolicyConfig
-olcOverlay: ppolicy
-olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
-EOF
+# === ENABLE TLS FOR ALL CLIENT TOOLS INSIDE CONTAINER ===
+export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
+echo "LDAPTLS_CACERT=$LDAPTLS_CACERT (all ldap* commands now work with TLS)"

-# enable the policies module
-ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif
+echo "--> ldapdock framework ready."

-echo "Preparing the basic password overlay..."
+# === KEEP CONTAINER ALIVE ===

-# prepare the .ldif files to create a basic overlay of password policies
-cat > passwd_ppolicy_overlay.ldif << EOF
-dn: cn=default,ou=policies,dc=example,dc=com
-objectClass: pwdPolicy
-objectClass: organizationalRole
-cn: default
-pwdAttribute: userPassword
-pwdMinLength: 8
-pwdCheckQuality: 2
-EOF
-
-cat > policies_ou.ldif << EOF
-dn: ou=policies,dc=example,dc=com
-objectClass: top
-objectClass: organizationalUnit
-ou: policies
-EOF
-
-# enable the overlay
-ldapadd -D "cn=admin,dc=example,dc=com" -w admin -H ldapi:/// -f policies_ou.ldif
-
-ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -H ldapi:/// -f passwd_ppolicy_overlay.ldif
-
-echo "openLDAP framework ready."
-
-# execute the command passed to the container
 # 'exec' replaces the script process with the command (e.g., /bin/bash),
 # ensuring the container stays alive as long as that command runs interactively.
 echo "Executing: $@"