diff --git a/dockerfile b/dockerfile
index 366f162..0f6d98f 100644
--- a/dockerfile
+++ b/dockerfile
@@ -1,19 +1,20 @@
 FROM ubuntu:22.04
-# set container hostname
+# set container hostname and DN in case we don't set it on the docker build/run command
 ARG LDAP_HOST=example.com
 ENV LDAP_HOST=${LDAP_HOST}
 # set non-interactive TERM for docker
 ENV DEBIAN_FRONTEND=noninteractive
-
-# install slapd, ldap-utils, and packages needed for ldapdock to work
+#──────────────────────────────────────────────────────────────
+# install OpenLDAP, ldap-utils, and packages needed for ldapdock to work
+#──────────────────────────────────────────────────────────────
 RUN apt-get update && apt-get install -y --no-install-recommends \
 slapd ldap-utils gnutls-bin ssl-cert ca-certificates schema2ldif vim mc && apt-get clean
-# ──────────────────────────────────────────────────────────────
-# APACHE + PHP + everything phpLDAPadmin needs
-# ──────────────────────────────────────────────────────────────
+#──────────────────────────────────────────────────────────────
+# APACHE && PHP && neccesary related software
+#──────────────────────────────────────────────────────────────
 RUN apt-get update && apt-get install -y --no-install-recommends \
 apache2 \
 php libapache2-mod-php \
@@ -46,14 +47,16 @@ RUN dpkg-reconfigure -f noninteractive slapd
 COPY entrypoint.sh ./entrypoint.sh
 RUN chmod +x ./entrypoint.sh
-# open up LDAP simple port
+# open up LDAP StartTLS and SSL ports, and Apache ports
 EXPOSE 389
 EXPOSE 636
 EXPOSE 80
 EXPOSE 443
+#──────────────────────────────────────────────────────────────
 # Create directory for exporting certs to host
 RUN mkdir -p /export-certs
+#──────────────────────────────────────────────────────────────
 # set salvable volumes for LDAP data, configuration, certs
 VOLUME ["/var/lib/ldap", "/etc/ldap/slapd.d", "/etc/ldap/certs","/export-certs"]
@@ -61,8 +64,10 @@ VOLUME ["/var/lib/ldap", "/etc/ldap/slapd.d", "/etc/ldap/certs","/export-certs"]
 # set correct permissions for openldap user
 #RUN chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d
+#──────────────────────────────────────────────────────────────
 # ENTRYPOINT ensures this sh file ALWAYS runs first before any CMD or command line instruction
 ENTRYPOINT ["./entrypoint.sh"]
+#──────────────────────────────────────────────────────────────
 # CMD provides the default command (/bin/bash) which is passed as an argument to the ENTRYPOINT script
 CMD ["/bin/bash"]
diff --git a/entrypoint.sh b/entrypoint.sh
index f917abe..770ab77 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,18 +1,20 @@
 #!/bin/bash
-set -euo pipefail
+#set -euo pipefail
 # Fix permissions
 chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs 2>/dev/null || true
 chmod -R 777 /export-certs 2>/dev/null || true
-# Correct base DN from hostname
-export LDAP_HOST="${LDAP_HOST:-example.com}"
-export LDAP_BASE_DN=dc=$(echo "$LDAP_HOST" | sed 's/\./,dc=/g')
+#──────────────────────────────────────────────────────────────
+# Correct base DN and hostname
+export LDAP_HOST="${LDAP_HOST:-$(hostname)}"
+export LDAP_BASE_DN=$(echo "$LDAP_HOST" | sed 's/\.\([^.]*\)/,dc=\1/g; s/^/dc=/')
 echo "--> Using LDAP base DN: ${LDAP_BASE_DN}"
+#──────────────────────────────────────────────────────────────
 echo "--> Starting ldapdock 0.10"
-# Temporarily relax strict security on restart
+# Temporarily "relax" strict security on start to configure stuff
 if [ -d "/etc/ldap/slapd.d" ] && ls /etc/ldap/slapd.d/* >/dev/null 2>&1; then
 echo "--> Temporarily relaxing security for init"
 slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
@@ -29,7 +31,7 @@ EOF
 sleep 2
 fi
-# Start temporary slapd for population
+# Start temporary slapd for Users and Groups addition
 echo "--> Starting temporary slapd"
 slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
 SLAPD_PID=$!
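Review bot: Commenting out `set -euo pipefail` on the second line of entrypoint.sh removes the only fail-fast guard in a script that, later in this same diff, applies the TLS config with `ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif` and then prints the "ready" banner unconditionally, so a failed TLS load now leaves slapd up without the intended configuration while the log says everything is fine. If strict mode was disabled to let the best-effort steps through, those already carry `|| true`; keeping `set -u` and `set -o pipefail` and checking the return code of the TLS-apply step explicitly would be safer than dropping strict mode wholesale. The new fallback `export LDAP_HOST="${LDAP_HOST:-$(hostname)}"` also looks unreachable as written, because the Dockerfile hunk in this same commit bakes `ENV LDAP_HOST=example.com` into the image, so the variable is never unset inside the container; either drop the `ENV` default or move the fallback into the Dockerfile. The `chmod -R 777 /export-certs` just above is pre-existing, but it is worth revisiting now that the new code also persists the TLS config LDIF there.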
@@ -73,14 +75,13 @@ homeDirectory: /home/marisa
 gecos: Marisa Kirisame
 EOF
+
 echo "--> Adding base structure"
 ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/base.ldif || true
-echo "--> Setting Marisa password to 'MarisaNewPass2025'"
-slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
-ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 || true
-
-# YOUR ORIGINAL TLS BLOCK — 100 % UNCHANGED
+#──────────────────────────────────────────────────────────────
+# TLS BLOCK
+#──────────────────────────────────────────────────────────────
 if [ ! -f "/export-certs/mycacert.crt" ]; then
 echo "--> No CA found → generating certificates..."
 mkdir -p /etc/ldap/certs
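Review bot: The `ldapadd` line just after the new blank line still binds as the literal `cn=admin,dc=example,dc=com` with password `admin`, while this same commit derives `LDAP_BASE_DN` from the hostname and later binds as `cn=admin,${LDAP_BASE_DN}`; for any LDAP_HOST other than example.com the base-structure load fails and the trailing `|| true` hides it. Use the derived DN here too, `ldapadd -c -x -D "cn=admin,${LDAP_BASE_DN}" -w admin -f /tmp/base.ldif || true`, and ideally read the admin password from an environment variable or a `-y` password file rather than a hardcoded literal on the command line. The removed slappasswd/ldapmodify block is re-added further down in this diff, so the deletion itself is fine. The heredoc that builds /tmp/base.ldif starts before this hunk.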
@@ -137,32 +138,81 @@ EOF
 cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
 cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
 else
-echo "--> Certificates already exist — skipping generation"
+echo "--> Certificates already exist — skipping generation and using existing ones"
 fi
+export LDAPTLS_REQCERT=allow
+
+# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
+# NEW: Save and restore the LDIF — no changes to TLS block
+if [ ! -f "/export-certs/certinfo.ldif" ]; then
+echo "--> Saving TLS config LDIF for future restarts"
+cp /tmp/certinfo.ldif /export-certs/certinfo.ldif
+fi
+
+if [ -f "/export-certs/certinfo.ldif" ]; then
+echo "--> Restoring TLS config LDIF from persistent volume"
+cp /export-certs/certinfo.ldif /tmp/certinfo.ldif
+fi
+# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
+
+# Set Marisa password (full LDIF — so ldapmodify knows what to modify)
+echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind"
+ADMIN_DN="cn=admin,${LDAP_BASE_DN}"
+ADMIN_PW="admin"
+slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
+ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" </dev/null 2>&1
+dn: uid=marisa,ou=People,${LDAP_BASE_DN}
+changetype: modify
+replace: userPassword
+userPassword: $(< /dev/stdin)
+EOF
+
 # Kill temporary slapd
 kill $SLAPD_PID 2>/dev/null || true
 wait $SLAPD_PID 2>/dev/null || true
-# Start OpenLDAP in background
+# Kill any stray slapd that might be holding ports
+pkill -9 slapd 2>/dev/null || true
+sleep 2
+
+# Start final OpenLDAP
 echo "--> Starting final OpenLDAP (background)"
 slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
 SLAPD_PID=$!
+sleep 8
-# Start Apache in background
+# Apply TLS config to final slapd
+echo "--> Applying TLS config to final slapd"
+ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
+
+# Restart slapd to load the new TLS config (required for OpenLDAP)
+echo "--> Restarting slapd to load TLS config"
+kill $SLAPD_PID 2>/dev/null || true
+wait $SLAPD_PID 2>/dev/null || true
+slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
+SLAPD_PID=$!
+sleep 8
+
+# Make the container trust its own CA — every time
+cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt 2>/dev/null || true
+update-ca-certificates --fresh >/dev/null 2>&1 || true
+
+# Start Apache inside APACHE_PID variable in background
 echo "--> Starting Apache + PHP (background)"
-apache2ctl -D FOREGROUND &
+/usr/sbin/apache2ctl -D FOREGROUND &
 APACHE_PID=$!
 # Victory message
 echo "--> ldapdock ready — OpenLDAP + Apache + PHP running"
 echo " → LDAP: 389/636"
-echo " → Web: http://localhost/info.php"
-echo " → Shell: you are here forever"
-echo " → Stop with Ctrl+C"
+echo " → PHPinfo: http://localhost/info.php"
+echo " → Shell: /bin/bash"
+echo " → Exit with CTRL+D or 'exit' command"
-# THIS IS THE MAGIC LINE — explained below
+# THIS IS THE MAGIC LINE THAT KILLS CHILD PROCESSES ON EXIT
 trap 'echo "Stopping services..."; kill $SLAPD_PID $APACHE_PID 2>/dev/null; wait' SIGINT SIGTERM
 # Give you your interactive shell — forever
 exec "$@"
+
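Review bot: `export LDAPTLS_REQCERT=allow` turns off server-certificate verification for every OpenLDAP client tool in the container, and because it is exported it also carries into the interactive shell handed over by `exec "$@"`; since the script later installs its own CA into the system trust store via `update-ca-certificates`, verification can be kept by replacing that line with `export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem` and `export LDAPTLS_REQCERT=demand`. The new password block hardcodes `ADMIN_PW="admin"` and passes both it and `MarisaNewPass2025` as command-line arguments (`-w "$ADMIN_PW"`, `slappasswd -s …`) and echoes the user password to the log, where they are visible in `ps` and container logs; read them from environment variables or `-y`/`-T` password files instead. The line `ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" </dev/null 2>&1` followed by bare `dn:`/`changetype:` lines and `EOF` looks like a `<<EOF` heredoc mangled in this rendering — if the file really reads stdin from /dev/null, the LDIF lines execute as shell commands, so please confirm against the actual file. `pkill -9 slapd` SIGKILLs the database backend rather than letting it shut down cleanly; a plain `pkill slapd` followed by a wait loop on the PID is safer than a fixed `sleep 2`/`sleep 8`. Finally, `ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif` has no error check, and with `set -e` disabled earlier in this diff the "ready" banner prints even when the TLS config never loaded.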