Changed from Ubuntu 22 to Debian 12

This commit is contained in:
Marisa 2025-12-14 15:19:28 -03:00
parent f1808995c3
commit 8beb4b6055
3 changed files with 56 additions and 30 deletions

docker-compose.yml Normal file

@ -0,0 +1,29 @@
version: '3.8'
services:
ldap:
# Tells Compose to build the image from the Dockerfile in the current directory
build:
context: .
args:
- LDAP_HOST=example.com
image: ldapdock
container_name: ldapdock
hostname: example.com
stdin_open: true # Equivalent of -i
tty: true # Equivalent of -t
ports:
- "389:389"
- "636:636"
- "80:80"
- "443:443"
volumes:
- ldap_data:/var/lib/ldap
- ldap_config:/etc/ldap/slapd.d
- ldap_certs:/etc/ldap/certs
- ./hosts-certs:/export-certs
volumes:
ldap_data:
ldap_config:
ldap_certs:
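Review bot: The compose file publishes `389:389` and `80:80` next to the TLS ports, which with Docker's default settings binds plaintext LDAP and HTTP on every host interface; for a development stack it is safer to scope them, e.g. `- "127.0.0.1:389:389"` and `- "127.0.0.1:80:80"`, or to publish only 636 and 443. `example.com` is repeated in the build arg, in `hostname`, and in the Dockerfile's `ARG LDAP_HOST`, so the three can drift; an interpolated `${LDAP_HOST:-example.com}` in both compose places keeps them in step. The top-level `version: '3.8'` key is obsolete in Compose v2 and only produces a warning, so it can be dropped.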


@ -1,4 +1,4 @@
FROM ubuntu:22.04 FROM debian:12
# set container hostname and DN in case we don't set it on the docker build/run command # set container hostname and DN in case we don't set it on the docker build/run command
ARG LDAP_HOST=example.com ARG LDAP_HOST=example.com
@ -6,20 +6,25 @@ ENV LDAP_HOST=${LDAP_HOST}
# set non-interactive TERM for docker # set non-interactive TERM for docker
ENV DEBIAN_FRONTEND=noninteractive ENV DEBIAN_FRONTEND=noninteractive
#──────────────────────────────────────────────────────────────
# install OpenLDAP, ldap-utils, and packages needed for ldapdock to work
#──────────────────────────────────────────────────────────────
RUN apt-get update && apt-get install -y --no-install-recommends \
slapd ldap-utils gnutls-bin ssl-cert ca-certificates schema2ldif vim mc && apt-get clean
#────────────────────────────────────────────────────────────── #──────────────────────────────────────────────────────────────
# APACHE && PHP && neccesary related software # Install ALL necessary packages in a single run for minimal image size
#────────────────────────────────────────────────────────────── #──────────────────────────────────────────────────────────────
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get install -y --no-install-recommends gnupg lsb-release ca-certificates apt-transport-https software-properties-common wget \
apache2 \ # Add the repository for older PHP versions
php libapache2-mod-php \ && wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg \
php-ldap php-mbstring php-xml php-curl php-intl wget \ && echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list \
&& rm -rf /var/lib/apt/lists/* # Update again to fetch packages from the new repository
&& apt-get update \
# Install all packages, specifying PHP 8.1
&& apt-get install -y --no-install-recommends \
apt-utils \
slapd ldap-utils gnutls-bin ssl-cert schema2ldif vim mc \
apache2 \
php8.1 libapache2-mod-php8.1 \
php8.1-ldap php8.1-mbstring php8.1-xml php8.1-curl php8.1-intl \
# Clean up APT caches to reduce image size
&& apt-get clean && rm -rf /var/lib/apt/lists/*
# Enable required Apache modules # Enable required Apache modules
RUN a2enmod rewrite headers ssl RUN a2enmod rewrite headers ssl
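Review bot: The Sury PHP signing key fetched with `wget -O /etc/apt/trusted.gpg.d/php.gpg` in the new RUN layer becomes trusted for every apt source, not just packages.sury.org, and nothing checks the key's fingerprint. Store it in a dedicated keyring and bind it to that one repository: `&& wget -O /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg \` and `&& echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list \`; comparing the downloaded key's fingerprint (via `gpg --show-keys`) against a value recorded in the repository would close the remaining gap. `software-properties-common` and `apt-transport-https` are installed but unused now that the source list is written directly and apt on Debian 12 speaks HTTPS natively, and `vim mc` ship debugging tools into the runtime image. The `a2enmod` line and the rest of the stage continue outside the hunk.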


@ -83,7 +83,7 @@ ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/base.ldif || true
# TLS BLOCK # TLS BLOCK
#────────────────────────────────────────────────────────────── #──────────────────────────────────────────────────────────────
if [ ! -f "/export-certs/mycacert.crt" ]; then if [ ! -f "/export-certs/mycacert.crt" ]; then
echo "--> No CA found → generating certificates..." echo "--> No CA found, generating new certificates and TLS config..."
mkdir -p /etc/ldap/certs mkdir -p /etc/ldap/certs
cd /etc/ldap/certs cd /etc/ldap/certs
certtool --generate-privkey --bits 4096 --outfile ca-key.pem certtool --generate-privkey --bits 4096 --outfile ca-key.pem
@ -94,7 +94,6 @@ cert_signing_key
expiration_days = 3650 expiration_days = 3650
EOF EOF
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
cat > ldap01.info <<EOF cat > ldap01.info <<EOF
organization = Example Company organization = Example Company
cn = ${LDAP_HOST} cn = ${LDAP_HOST}
@ -103,6 +102,7 @@ encryption_key
signing_key signing_key
expiration_days = 365 expiration_days = 365
EOF EOF
certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
certtool --generate-certificate \ certtool --generate-certificate \
--load-privkey ldap01_slapd_key.pem \ --load-privkey ldap01_slapd_key.pem \
--load-ca-certificate ca-cert.pem \ --load-ca-certificate ca-cert.pem \
@ -114,9 +114,8 @@ EOF
cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
chown root:openldap ldap01_slapd_cert_full.pem chown root:openldap ldap01_slapd_cert_full.pem
chmod 640 ldap01_slapd_cert_full.pem chmod 640 ldap01_slapd_cert_full.pem
echo "--> Starting second temporary slapd to apply TLS config"
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap & # Generate the LDIF for TLS config now, but apply it later
sleep 4
cat > /tmp/certinfo.ldif <<EOF cat > /tmp/certinfo.ldif <<EOF
dn: cn=config dn: cn=config
changetype: modify changetype: modify
@ -129,14 +128,11 @@ olcTLSCertificateFile: /etc/ldap/certs/ldap01_slapd_cert_full.pem
replace: olcTLSCertificateKeyFile replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
EOF EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
update-ca-certificates
pkill slapd || true
sleep 2
echo "--> Exporting certificates to host volume..." echo "--> Exporting certificates to host volume..."
cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
cp /tmp/certinfo.ldif /export-certs/certinfo.ldif
else else
echo "--> Certificates already exist — skipping generation and using existing ones" echo "--> Certificates already exist — skipping generation and using existing ones"
fi fi
@ -144,12 +140,6 @@ fi
export LDAPTLS_REQCERT=allow export LDAPTLS_REQCERT=allow
# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←← # ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
# NEW: Save and restore the LDIF — no changes to TLS block
if [ ! -f "/export-certs/certinfo.ldif" ]; then
echo "--> Saving TLS config LDIF for future restarts"
cp /tmp/certinfo.ldif /export-certs/certinfo.ldif
fi
if [ -f "/export-certs/certinfo.ldif" ]; then if [ -f "/export-certs/certinfo.ldif" ]; then
echo "--> Restoring TLS config LDIF from persistent volume" echo "--> Restoring TLS config LDIF from persistent volume"
cp /export-certs/certinfo.ldif /tmp/certinfo.ldif cp /export-certs/certinfo.ldif /tmp/certinfo.ldif
@ -232,11 +222,14 @@ echo "--> Installing phpLDAPadmin"
# Only install once — use a flag file # Only install once — use a flag file
if [ ! -f "/var/www/html/phpldapadmin-installed" ]; then if [ ! -f "/var/www/html/phpldapadmin-installed" ]; then
# Clean up any previous partial installation
rm -rf /var/www/html/phpldapadmin*
cd /var/www/html cd /var/www/html
# Download and extract (direct tarball, no git needed) # Download and extract (direct tarball, no git needed)
wget -q -O phpldapadmin.tgz \ wget -q -O phpldapadmin.tgz \
https://github.com/leenooks/phpLDAPadmin/archive/refs/tags/1.2.6.7.tar.gz https://github.com/leenooks/phpLDAPadmin/archive/refs/tags/1.2.6.7.tar.gz || exit 1
tar xzf phpldapadmin.tgz tar xzf phpldapadmin.tgz
mv phpLDAPadmin-1.2.6.7 phpldapadmin mv phpLDAPadmin-1.2.6.7 phpldapadmin
rm phpldapadmin.tgz rm phpldapadmin.tgz
@ -280,4 +273,3 @@ trap 'echo "Stopping services..."; kill $SLAPD_PID $APACHE_PID 2>/dev/null; wait
# Give you your interactive shell — forever # Give you your interactive shell — forever
exec "$@" exec "$@"
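Review bot: In the phpLDAPadmin install block, `wget -q -O phpldapadmin.tgz … || exit 1` only ensures the download succeeded; the archive is then unpacked into the web root with `tar xzf` without any integrity check, so a substituted tarball would be served as the application. Since the version is fixed at 1.2.6.7, pin its digest as well: `echo "<EXPECTED_SHA256>  phpldapadmin.tgz" | sha256sum -c - || exit 1` between the wget and the tar, with the placeholder replaced by the digest recorded for that release. Note also that the TLS hunk drops `cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt` and `update-ca-certificates`, so unless that step moved elsewhere in the script the container's own trust store no longer contains the generated CA and in-container clients depend on `LDAPTLS_REQCERT=allow`. The enclosing if-block of the install hunk continues outside the hunk.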