Upload files to "/"

This commit is contained in:
Marisa 2025-12-02 07:29:20 -05:00
parent ccd3ef1f44
commit 593fecbd65
2 changed files with 115 additions and 103 deletions


@ -1,22 +1,43 @@
FROM ubuntu:22.04 FROM ubuntu:22.04
# set container hostname # set container hostname and DN in case we don't set it on the docker build/run command
ARG LDAP_HOST=example.com ARG LDAP_HOST=example.com
ENV LDAP_HOST=${LDAP_HOST} ENV LDAP_HOST=${LDAP_HOST}
# set non-interactive TERM for docker # set non-interactive TERM for docker
ENV DEBIAN_FRONTEND=noninteractive ENV DEBIAN_FRONTEND=noninteractive
#──────────────────────────────────────────────────────────────
# install slapd, ldap-utils, and packages needed for ldapdock to work # install OpenLDAP, ldap-utils, and packages needed for ldapdock to work
#──────────────────────────────────────────────────────────────
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get install -y --no-install-recommends \
slapd ldap-utils gnutls-bin ssl-cert ca-certificates schema2ldif vim mc && apt-get clean slapd ldap-utils gnutls-bin ssl-cert ca-certificates schema2ldif vim mc && apt-get clean
#──────────────────────────────────────────────────────────────
# APACHE && PHP && neccesary related software
#──────────────────────────────────────────────────────────────
RUN apt-get update && apt-get install -y --no-install-recommends \
apache2 \
php libapache2-mod-php \
php-ldap php-mbstring php-xml php-curl php-intl wget \
&& rm -rf /var/lib/apt/lists/*
# Enable required Apache modules
RUN a2enmod rewrite headers ssl
# Use mpm_prefork (required for PHP)
RUN a2dismod mpm_event && a2enmod mpm_prefork
# Clean up default Apache site
RUN rm -rf /var/www/html/* && \
echo "<?php phpinfo(); ?>" > /var/www/html/info.php
# preconfigure slapd installation without using systemd # preconfigure slapd installation without using systemd
RUN echo "slapd slapd/password1 password admin" | debconf-set-selections && \ RUN echo "slapd slapd/password1 password admin" | debconf-set-selections && \
echo "slapd slapd/password2 password admin" | debconf-set-selections && \ echo "slapd slapd/password2 password admin" | debconf-set-selections && \
echo "slapd slapd/domain string example.com" | debconf-set-selections && \ echo "slapd slapd/domain string example.com" | debconf-set-selections && \
echo "slapd slapd/no_configuration boolean false" | debconf-set-selections && \ echo "slapd slapd/no_configuration boolean false" | debconf-set-selections && \
echo "slapd slapd/purge_database boolean true" | debconf-set-selections && \ echo "slapd slapd/purge_database boolean true" | debconf-set-selections && \
echo "slapd slapd/ldapi_tls boolean false" | debconf-set-selections && \
echo "slapd slapd/move_old_database boolean true" | debconf-set-selections echo "slapd slapd/move_old_database boolean true" | debconf-set-selections
# make use of debconf-set-selections # make use of debconf-set-selections
@ -26,21 +47,27 @@ RUN dpkg-reconfigure -f noninteractive slapd
COPY entrypoint.sh ./entrypoint.sh COPY entrypoint.sh ./entrypoint.sh
RUN chmod +x ./entrypoint.sh RUN chmod +x ./entrypoint.sh
# open up LDAP simple port # open up LDAP StartTLS and SSL ports, and Apache ports
EXPOSE 389 EXPOSE 389
EXPOSE 636 EXPOSE 636
EXPOSE 80
EXPOSE 443
#──────────────────────────────────────────────────────────────
# Create directory for exporting certs to host # Create directory for exporting certs to host
RUN mkdir -p /export-certs RUN mkdir -p /export-certs
#──────────────────────────────────────────────────────────────
# set salvable volumes for LDAP data, configuration, certs # set salvable volumes for LDAP data, configuration, certs
VOLUME ["/var/lib/ldap", "/etc/ldap/slapd.d", "/etc/ldap/certs","/export-certs"] VOLUME ["/var/lib/ldap", "/etc/ldap/slapd.d", "/etc/ldap/certs","/export-certs"]
# set correct permissions for openldap user # set correct permissions for openldap user
RUN chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d #RUN chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d
#──────────────────────────────────────────────────────────────
# ENTRYPOINT ensures this sh file ALWAYS runs first before any CMD or command line instruction # ENTRYPOINT ensures this sh file ALWAYS runs first before any CMD or command line instruction
ENTRYPOINT ["./entrypoint.sh"] ENTRYPOINT ["./entrypoint.sh"]
#──────────────────────────────────────────────────────────────
# CMD provides the default command (/bin/bash) which is passed as an argument to the ENTRYPOINT script # CMD provides the default command (/bin/bash) which is passed as an argument to the ENTRYPOINT script
CMD ["/bin/bash"] CMD ["/bin/bash"]
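Review bot: The new `echo "<?php phpinfo(); ?>" > /var/www/html/info.php` bakes an unauthenticated phpinfo() page into the image on port 80; phpinfo prints the process environment (so `LDAP_HOST` and any credential an operator passes with `-e`), loaded modules, filesystem paths and php.ini values, which is exactly the reconnaissance an attacker wants before going after the LDAP service behind it. Keep only `RUN rm -rf /var/www/html/*` in the build and let the entrypoint create the page on demand, e.g. guarded by `[ "${LDAPDOCK_DEBUG:-0}" = "1" ]`, so a production run never serves it. `a2enmod ssl` plus `EXPOSE 443` are added without enabling any SSL vhost or pointing Apache at the certificates the entrypoint generates, so as far as this Dockerfile shows 443 is documented but not actually TLS-protected (the stock `ports.conf` will at most listen there without `SSLEngine`); either enable `default-ssl` with the generated server cert in the entrypoint or drop the `EXPOSE 443` until that exists. The `chown -R openldap:openldap ...` line is now commented out, which is correct given `VOLUME` discards later writes, but the comment above it still says "set correct permissions" — replace it with `# ownership of the volume paths is applied by entrypoint.sh at container start`.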


@ -1,32 +1,65 @@
#!/bin/bash #!/bin/bash
# this script runs INSIDE the container set -euo pipefail
# set -e # exit on any error?
# Fix permissions
chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs 2>/dev/null || true
chmod -R 777 /export-certs 2>/dev/null || true
#──────────────────────────────────────────────────────────────
# Correct base DN and hostname
#export LDAP_HOST="${LDAP_HOST:-example.com}"
export LDAP_HOST="${LDAP_HOST:-$(hostname)}"
export LDAP_BASE_DN=dc=$(echo "$LDAP_HOST" | sed 's/\./,dc=/g')
echo "--> Using LDAP base DN: ${LDAP_BASE_DN}"
#──────────────────────────────────────────────────────────────
echo "--> Starting ldapdock 0.10" echo "--> Starting ldapdock 0.10"
echo "--> Launching slapd (temp)..."
# start slapd temporarily for setup # Temporarily "relax" strict security on start to configure stuff
/usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap & if [ -d "/etc/ldap/slapd.d" ] && ls /etc/ldap/slapd.d/* >/dev/null 2>&1; then
sleep 3 echo "--> Temporarily relaxing security for init"
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
sleep 6
ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 <<EOF || true
dn: cn=config
changetype: modify
delete: olcLocalSSF
-
delete: olcSecurity
-
EOF
pkill slapd || true
sleep 2
fi
# populate with user & group # Start temporary slapd for Users and Groups addition
echo "--> Populating directory with users and groups..." echo "--> Starting temporary slapd"
cat > /tmp/add_content.ldif << EOF slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
dn: ou=People,dc=${LDAP_HOST} SLAPD_PID=$!
sleep 8
# Full tree with root entry
cat > /tmp/base.ldif <<EOF
dn: ${LDAP_BASE_DN}
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Company
dn: ou=People,${LDAP_BASE_DN}
objectClass: organizationalUnit objectClass: organizationalUnit
ou: People ou: People
dn: ou=Groups,dc=${LDAP_HOST} dn: ou=Groups,${LDAP_BASE_DN}
objectClass: organizationalUnit objectClass: organizationalUnit
ou: Groups ou: Groups
dn: cn=mages,ou=Groups,dc=${LDAP_HOST} dn: cn=mages,ou=Groups,${LDAP_BASE_DN}
objectClass: posixGroup objectClass: posixGroup
cn: mages cn: mages
gidNumber: 5000 gidNumber: 5000
memberUid: marisa
dn: uid=marisa,ou=People,dc=${LDAP_HOST} dn: uid=marisa,ou=People,${LDAP_BASE_DN}
objectClass: inetOrgPerson objectClass: inetOrgPerson
objectClass: posixAccount objectClass: posixAccount
objectClass: shadowAccount objectClass: shadowAccount
@ -38,64 +71,26 @@ displayName: Marisa Kirisame
uidNumber: 10000 uidNumber: 10000
gidNumber: 5000 gidNumber: 5000
userPassword: {CRYPT}x userPassword: {CRYPT}x
gecos: Marisa Kirisame
loginShell: /bin/bash loginShell: /bin/bash
homeDirectory: /home/marisa homeDirectory: /home/marisa
EOF gecos: Marisa Kirisame
sleep 2
# add the structure — ignore "already exists" errors only here
echo "--> Adding base structure..."
ldapadd -x -D "cn=admin,dc=${LDAP_HOST}" -w admin -f /tmp/add_content.ldif || \
echo "--> Some entries already exist — continuing (this is normal)"
# setting up user marisa of group People password
ldappasswd -x -D "cn=admin,dc=${LDAP_HOST}" -w admin -s qwerty "uid=marisa,ou=People,dc=${LDAP_HOST}"
sleep 2
# load and enable policies module
echo "--> Loading policies module..."
cat > modify_ppolicy_module.ldif << EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.so
EOF EOF
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif echo "--> Adding base structure"
ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/base.ldif || true
# restarting slapd to load ppolicy.so # Set a hardcoded password for Marisa to enable tests on the user
echo "--> Setting Marisa password to 'MarisaNewPass2025'"
slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 || true
slapd -h "ldap:/// ldapi:/// ldaps:///" -u openldap -g openldap & #──────────────────────────────────────────────────────────────
sleep 3 # TLS BLOCK
#──────────────────────────────────────────────────────────────
cat > enable_ppolicy.ldif << EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
EOF
#olcPPolicyDefault: cn=default,ou=policies,dc=${LDAP_HOST}
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif
# display schemas loaded by default
echo "--> Schemas loaded by default..."
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
# kill temp slapd
pkill slapd
sleep 3
# === CERTIFICATES: ONLY IF NOT ALREADY EXPORTED ===
if [ ! -f "/export-certs/mycacert.crt" ]; then if [ ! -f "/export-certs/mycacert.crt" ]; then
echo "--> No CA found in /export-certs → generating certificates..." echo "--> No CA found → generating certificates..."
mkdir -p /etc/ldap/certs mkdir -p /etc/ldap/certs
cd /etc/ldap/certs cd /etc/ldap/certs
# CA
certtool --generate-privkey --bits 4096 --outfile ca-key.pem certtool --generate-privkey --bits 4096 --outfile ca-key.pem
cat > ca.info <<EOF cat > ca.info <<EOF
cn = Example Company CA cn = Example Company CA
@ -104,8 +99,6 @@ cert_signing_key
expiration_days = 3650 expiration_days = 3650
EOF EOF
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
# server
certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
cat > ldap01.info <<EOF cat > ldap01.info <<EOF
organization = Example Company organization = Example Company
@ -121,21 +114,14 @@ EOF
--load-ca-privkey ca-key.pem \ --load-ca-privkey ca-key.pem \
--template ldap01.info \ --template ldap01.info \
--outfile ldap01_slapd_cert.pem --outfile ldap01_slapd_cert.pem
# permissions
chgrp openldap ldap01_slapd_key.pem chgrp openldap ldap01_slapd_key.pem
chmod 640 ldap01_slapd_key.pem chmod 640 ldap01_slapd_key.pem
# bundle
cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
chown root:openldap ldap01_slapd_cert_full.pem chown root:openldap ldap01_slapd_cert_full.pem
chmod 640 ldap01_slapd_cert_full.pem chmod 640 ldap01_slapd_cert_full.pem
echo "--> Starting second temporary slapd to apply TLS config"
# start temp slapd to apply config
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap & slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
sleep 3 sleep 4
# apply TLS config
cat > /tmp/certinfo.ldif <<EOF cat > /tmp/certinfo.ldif <<EOF
dn: cn=config dn: cn=config
changetype: modify changetype: modify
@ -149,41 +135,40 @@ replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
EOF EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
# trust locally
cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
update-ca-certificates update-ca-certificates
pkill slapd || true
# kill temp
pkill slapd
sleep 2 sleep 2
echo "--> Exporting certificates to host volume..."
# === EXPORT TO HOST (always, since volume is mounted) ===
echo "--> Exporting CA to /export-certs..."
cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
echo "--> Certificate READY at ./hosts-certs/mycacert.crt on host"
else else
echo "--> CA already exists at /export-certs/mycacert.crt → skipping generation" echo "--> Certificates already exist — skipping generation"
fi fi
# === FINAL SLAPD START === # Kill temporary slapd
echo "--> Starting final slapd with LDAPS..." kill $SLAPD_PID 2>/dev/null || true
wait $SLAPD_PID 2>/dev/null || true
# Start OpenLDAP in background
echo "--> Starting final OpenLDAP (background)"
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 & slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
sleep 3 SLAPD_PID=$!
# === ENABLE TLS FOR ALL CLIENT TOOLS INSIDE CONTAINER === # Start Apache in background
export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem echo "--> Starting Apache + PHP (background)"
echo "LDAPTLS_CACERT=$LDAPTLS_CACERT (all ldap* commands now work with TLS)" apache2ctl -D FOREGROUND &
echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc APACHE_PID=$!
source ~/.bashrc
echo "--> ldapdock framework ready." # Victory message
echo "--> ldapdock ready — OpenLDAP + Apache + PHP running"
echo " → LDAP: 389/636"
echo " → Web: http://localhost/info.php"
echo " → Shell: you are here forever"
echo " → Stop with Ctrl+C"
# === KEEP CONTAINER ALIVE AND CONTINUE === # THIS IS THE MAGIC LINE THAT KILLS CHILD PROCESSES ON EXIT
trap 'echo "Stopping services..."; kill $SLAPD_PID $APACHE_PID 2>/dev/null; wait' SIGINT SIGTERM
# 'exec' replaces the script process with the command (e.g., /bin/bash), # Give you your interactive shell — forever
# ensuring the container stays alive as long as that command runs interactively.
echo "Executing: $@"
exec "$@" exec "$@"
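Review bot: The "relax security" block deletes `olcLocalSSF` and `olcSecurity` from `cn=config` on every start and nothing afterwards re-adds them, so any SSF/TLS requirement an operator put on the directory is silently and permanently stripped, and because the ldapmodify runs with `>/dev/null 2>&1 ... || true` neither a success nor a failure is ever visible in the log. The relaxation seems to exist only so the later `ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin` over plain `ldap:///` can bind; doing that step over the local socket instead, `ldapadd -c -Y EXTERNAL -H ldapi:/// -f /tmp/base.ldif`, would leave the security attributes untouched, provided the data database's ACL grants the root peercred identity write access (Debian's default config does; verify it in this image), and it also removes the `-w admin` password from the process list. The `slappasswd -h '{SSHA}' -s MarisaNewPass2025 | ldapmodify -Y EXTERNAL -H ldapi:///` step pipes a bare hash, not LDIF, into ldapmodify, so it cannot modify anything and the `|| true` hides that the password the log announces is never applied; emit a real record (`dn: uid=marisa,ou=People,${LDAP_BASE_DN}`, `changetype: modify`, `replace: userPassword`, then the hash line) and drop the `|| true` so a failure surfaces. `chmod -R 777 /export-certs` makes the CA certificate that the host is told to trust writable by any user in the container; `chmod 755 /export-certs` with `644` on the copied certs is enough for the host to read them. Finally, the trap comment is misleading: `exec "$@"` replaces the shell, so the trap installed on the line before never fires for the process that actually runs, and the child services are only torn down because the container runtime kills everything when PID 1 exits.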