Upload files to "/"

dockerfile

@@ -1,19 +1,20 @@
 FROM ubuntu:22.04
 
-# set container hostname
+# set container hostname and DN in case we don't set it on the docker build/run command
 ARG LDAP_HOST=example.com
 ENV LDAP_HOST=${LDAP_HOST}
 
 # set non-interactive TERM for docker
 ENV DEBIAN_FRONTEND=noninteractive
-
+#──────────────────────────────────────────────────────────────
-# install slapd, ldap-utils, and packages needed for ldapdock to work
+# install OpenLDAP, ldap-utils, and packages needed for ldapdock to work
+#──────────────────────────────────────────────────────────────
 RUN apt-get update && apt-get install -y --no-install-recommends \
 slapd ldap-utils gnutls-bin ssl-cert ca-certificates schema2ldif vim mc && apt-get clean
 
-# ──────────────────────────────────────────────────────────────
+#──────────────────────────────────────────────────────────────
-# APACHE + PHP + everything phpLDAPadmin needs
+# APACHE && PHP && neccesary related software
-# ──────────────────────────────────────────────────────────────
+#──────────────────────────────────────────────────────────────
 RUN apt-get update && apt-get install -y --no-install-recommends \
     apache2 \
     php libapache2-mod-php \
@@ -46,14 +47,16 @@ RUN dpkg-reconfigure -f noninteractive slapd
 COPY entrypoint.sh ./entrypoint.sh
 RUN chmod +x ./entrypoint.sh
 
-# open up LDAP simple port
+# open up LDAP StartTLS and SSL ports, and Apache ports
 EXPOSE 389
 EXPOSE 636
 EXPOSE 80
 EXPOSE 443
 
+#──────────────────────────────────────────────────────────────
 # Create directory for exporting certs to host
 RUN mkdir -p /export-certs
+#──────────────────────────────────────────────────────────────
 
 # set salvable volumes for LDAP data, configuration, certs
 VOLUME ["/var/lib/ldap", "/etc/ldap/slapd.d", "/etc/ldap/certs","/export-certs"]
@@ -61,8 +64,10 @@ VOLUME ["/var/lib/ldap", "/etc/ldap/slapd.d", "/etc/ldap/certs","/export-certs"]
 # set correct permissions for openldap user
 #RUN chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d
 
+#──────────────────────────────────────────────────────────────
 # ENTRYPOINT ensures this sh file ALWAYS runs first before any CMD or command line instruction
 ENTRYPOINT ["./entrypoint.sh"]
+#──────────────────────────────────────────────────────────────
 
 # CMD provides the default command (/bin/bash) which is passed as an argument to the ENTRYPOINT script
 CMD ["/bin/bash"]

entrypoint.sh

@@ -1,18 +1,20 @@
 #!/bin/bash
-set -euo pipefail
+#set -euo pipefail
 
 # Fix permissions
 chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs 2>/dev/null || true
 chmod -R 777 /export-certs 2>/dev/null || true
 
-# Correct base DN from hostname
+#──────────────────────────────────────────────────────────────
-export LDAP_HOST="${LDAP_HOST:-example.com}"
+# Correct base DN and hostname
-export LDAP_BASE_DN=dc=$(echo "$LDAP_HOST" | sed 's/\./,dc=/g')
+export LDAP_HOST="${LDAP_HOST:-$(hostname)}"
+export LDAP_BASE_DN=$(echo "$LDAP_HOST" | sed 's/\.\([^.]*\)/,dc=\1/g; s/^/dc=/')
 echo "--> Using LDAP base DN: ${LDAP_BASE_DN}"
+#──────────────────────────────────────────────────────────────
 
 echo "--> Starting ldapdock 0.10"
 
-# Temporarily relax strict security on restart
+# Temporarily "relax" strict security on start to configure stuff
 if [ -d "/etc/ldap/slapd.d" ] && ls /etc/ldap/slapd.d/* >/dev/null 2>&1; then
     echo "--> Temporarily relaxing security for init"
     slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
@@ -29,7 +31,7 @@ EOF
     sleep 2
 fi
 
-# Start temporary slapd for population
+# Start temporary slapd for Users and Groups addition
 echo "--> Starting temporary slapd"
 slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
 SLAPD_PID=$!
@@ -73,14 +75,13 @@ homeDirectory: /home/marisa
 gecos: Marisa Kirisame
 EOF
 
+
 echo "--> Adding base structure"
 ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/base.ldif || true
 
-echo "--> Setting Marisa password to 'MarisaNewPass2025'"
+#──────────────────────────────────────────────────────────────
-slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
+# TLS BLOCK 
-ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 || true
+#──────────────────────────────────────────────────────────────
-
-# YOUR ORIGINAL TLS BLOCK — 100 % UNCHANGED
 if [ ! -f "/export-certs/mycacert.crt" ]; then
     echo "--> No CA found → generating certificates..."
     mkdir -p /etc/ldap/certs
@@ -137,32 +138,81 @@ EOF
     cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
     cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
 else
-    echo "--> Certificates already exist — skipping generation"
+    echo "--> Certificates already exist — skipping generation and using existing ones"
 fi
 
+export LDAPTLS_REQCERT=allow
+
+# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
+# NEW: Save and restore the LDIF — no changes to TLS block
+if [ ! -f "/export-certs/certinfo.ldif" ]; then
+    echo "--> Saving TLS config LDIF for future restarts"
+    cp /tmp/certinfo.ldif /export-certs/certinfo.ldif
+fi
+
+if [ -f "/export-certs/certinfo.ldif" ]; then
+    echo "--> Restoring TLS config LDIF from persistent volume"
+    cp /export-certs/certinfo.ldif /tmp/certinfo.ldif
+fi
+# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
+
+# Set Marisa password (full LDIF — so ldapmodify knows what to modify)
+echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind"
+ADMIN_DN="cn=admin,${LDAP_BASE_DN}"
+ADMIN_PW="admin"
+slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
+ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" <<EOF >/dev/null 2>&1
+dn: uid=marisa,ou=People,${LDAP_BASE_DN}
+changetype: modify
+replace: userPassword
+userPassword: $(< /dev/stdin)
+EOF
+
 # Kill temporary slapd
 kill $SLAPD_PID 2>/dev/null || true
 wait $SLAPD_PID 2>/dev/null || true
 
-# Start OpenLDAP in background
+# Kill any stray slapd that might be holding ports
+pkill -9 slapd 2>/dev/null || true
+sleep 2
+
+# Start final OpenLDAP
 echo "--> Starting final OpenLDAP (background)"
 slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
 SLAPD_PID=$!
+sleep 8
 
-# Start Apache in background
+# Apply TLS config to final slapd
+echo "--> Applying TLS config to final slapd"
+ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
+
+# Restart slapd to load the new TLS config (required for OpenLDAP)
+echo "--> Restarting slapd to load TLS config"
+kill $SLAPD_PID 2>/dev/null || true
+wait $SLAPD_PID 2>/dev/null || true
+slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
+SLAPD_PID=$!
+sleep 8
+
+# Make the container trust its own CA — every time
+cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt 2>/dev/null || true
+update-ca-certificates --fresh >/dev/null 2>&1 || true
+
+# Start Apache inside APACHE_PID variable in background
 echo "--> Starting Apache + PHP (background)"
-apache2ctl -D FOREGROUND &
+/usr/sbin/apache2ctl -D FOREGROUND  &
 APACHE_PID=$!
 
 # Victory message
 echo "--> ldapdock ready — OpenLDAP + Apache + PHP running"
 echo "   → LDAP: 389/636"
-echo "   → Web:  http://localhost/info.php"
+echo "   → PHPinfo: http://localhost/info.php"
-echo "   → Shell: you are here forever"
+echo "   → Shell: /bin/bash"
-echo "   → Stop with Ctrl+C"
+echo "   → Exit with CTRL+D or 'exit' command"
 
-# THIS IS THE MAGIC LINE — explained below
+# THIS IS THE MAGIC LINE THAT KILLS CHILD PROCESSES ON EXIT
 trap 'echo "Stopping services..."; kill $SLAPD_PID $APACHE_PID 2>/dev/null; wait' SIGINT SIGTERM
 
 # Give you your interactive shell — forever
 exec "$@"
+