diff --git a/entrypoint.sh b/entrypoint.sh index fd05313..f9b6a64 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -8,7 +8,7 @@ chmod -R 777 /export-certs 2>/dev/null || true #────────────────────────────────────────────────────────────── # Correct base DN and hostname export LDAP_HOST="${LDAP_HOST:-$(hostname)}" -export LDAP_BASE_DN=dc=$(echo "$LDAP_HOST" | sed 's/\./,dc=/g') +export LDAP_BASE_DN=$(echo "$LDAP_HOST" | sed 's/\.\([^.]*\)/,dc=\1/g; s/^/dc=/') echo "--> Using LDAP base DN: ${LDAP_BASE_DN}" #────────────────────────────────────────────────────────────── 
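Review bot: The new `sed 's/\.\([^.]*\)/,dc=\1/g; s/^/dc=/'` yields the same `dc=a,dc=b,dc=c` string as the expression it replaces for any dotted hostname, so the rewrite changes form rather than behaviour, while `export LDAP_BASE_DN=$(…)` stays unquoted and still hides the pipeline's exit status (ShellCheck SC2155; under a POSIX `sh` shebang, which is outside this hunk, the result would also be word-split). If the script runs under bash, the mapping needs no `echo | sed` subshell at all: `export LDAP_BASE_DN="dc=${LDAP_HOST//./,dc=}"`. Neither form handles a hostname without dots — the `$(hostname)` fallback inside a container is typically a short container id — so the resulting one-component base DN may not match the `cn=admin,…` DN the rest of the script binds with; a comment such as `# LDAP_HOST must be a FQDN: a dotless value yields a one-component base DN` or a guard that rejects a value without a dot would make that contract explicit.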
@@ -139,37 +139,94 @@ EOF cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem else echo "--> Certificates already exist — skipping generation and using existing ones" - export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem fi -# Set a hardcoded password for Marisa to enable tests on the user -echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind" +export LDAPTLS_REQCERT=allow -# Define your Admin DN and Password from the Dockerfile +# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←← +# NEW: Save and restore the LDIF — no changes to TLS block +if [ ! -f "/export-certs/certinfo.ldif" ]; then + echo "--> Saving TLS config LDIF for future restarts" + cp /tmp/certinfo.ldif /export-certs/certinfo.ldif +fi + +if [ -f "/export-certs/certinfo.ldif" ]; then + echo "--> Restoring TLS config LDIF from persistent volume" + cp /export-certs/certinfo.ldif /tmp/certinfo.ldif +fi +# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←← + +# Set Marisa password (full LDIF — so ldapmodify knows what to modify) +echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind" ADMIN_DN="cn=admin,${LDAP_BASE_DN}" ADMIN_PW="admin" - slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \ -ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" >/dev/null 2>&1 +ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" </dev/null 2>&1 +dn: uid=marisa,ou=People,${LDAP_BASE_DN} +changetype: modify +replace: userPassword +userPassword: $(< /dev/stdin) +EOF # Kill temporary slapd kill $SLAPD_PID 2>/dev/null || true wait $SLAPD_PID 2>/dev/null || true -# Start OpenLDAP in background +# Kill any stray slapd that might be holding ports +pkill -9 slapd 2>/dev/null || true +sleep 2 + +# Start final OpenLDAP echo "--> Starting final OpenLDAP (background)" slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 & SLAPD_PID=$! 
+sleep 8 -# Start Apache in background +# Apply TLS config to final slapd +echo "--> Applying TLS config to final slapd" +ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif + +# Restart slapd to load the new TLS config (required for OpenLDAP) +echo "--> Restarting slapd to load TLS config" +kill $SLAPD_PID 2>/dev/null || true +wait $SLAPD_PID 2>/dev/null || true +slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 & +SLAPD_PID=$! +sleep 8 + +# Make the container trust its own CA — every time +cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt 2>/dev/null || true +update-ca-certificates --fresh >/dev/null 2>&1 || true + +# Start Apache inside APACHE_PID variable in background echo "--> Starting Apache + PHP (background)" /usr/sbin/apache2ctl -D FOREGROUND & APACHE_PID=$! +# HTTPS setup — using the real LDAP certificates +echo "--> Configuring Apache for HTTPS with real certificates" + +export DEBIAN_FRONTEND=noninteractive # Silence a2ensite prompts + +APACHE_CERT_FILE="/etc/ldap/certs/ldap01_slapd_cert_full.pem" +APACHE_KEY_FILE="/etc/ldap/certs/ldap01_slapd_key.pem" + +# Enable the site silently +a2ensite default-ssl.conf >/dev/null 2>&1 + +# Replace the snakeoil certs with your real ones +sed -i -E "s|^\s*SSLCertificateFile\s+.*|SSLCertificateFile ${APACHE_CERT_FILE}|g" \ + /etc/apache2/sites-available/default-ssl.conf +sed -i -E "s|^\s*SSLCertificateKeyFile\s+.*|SSLCertificateKeyFile ${APACHE_KEY_FILE}|g" \ + /etc/apache2/sites-available/default-ssl.conf + +# Reload Apache gracefully (updates config without killing) +apache2ctl graceful >/dev/null 2>&1 + # Victory message echo "--> ldapdock ready — OpenLDAP + Apache + PHP running" echo " → LDAP: 389/636" -echo " → PHPinfo: http://localhost/info.php" +echo " → PHPinfo: https://localhost/info.php" echo " → Shell: /bin/bash" echo " → Exit with CTRL+D or 'exit' command"
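Review bot: `export LDAPTLS_REQCERT=allow` takes the place of the removed `export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem`, so every libldap client run from this environment stops verifying the server certificate, even though the same hunk later installs that CA via `update-ca-certificates`; keeping `export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem` (libldap's default `TLS_REQCERT` is `demand`) preserves verification, and the `ldapmodify -Y EXTERNAL -H ldapi:///` calls use the Unix socket and need no TLS setting at all. The password `ldapmodify` line is rendered here as `</dev/null 2>&1` immediately followed by LDIF lines and `EOF`, which looks like `<<EOF >/dev/null 2>&1` with `<EOF >` lost in extraction — if the file really reads `</dev/null`, the `dn:`/`changetype:` lines execute as shell commands. Either way `userPassword: $(< /dev/stdin)` only receives a hash if a `slappasswd … | \` pipe still precedes the command, which this hunk cannot confirm since that line carries a `-` marker; `marisa_hash=$(slappasswd -h '{SSHA}' -s MarisaNewPass2025)` with `userPassword: ${marisa_hash}` in the heredoc removes the dependency on the pipeline's stdin. The two `sleep 8` waits and `pkill -9 slapd` stand in for a readiness check; `until ldapwhoami -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1; do sleep 1; done` with a bounded retry count is deterministic and avoids killing an unrelated slapd. `apache2ctl graceful` runs right after `apache2ctl -D FOREGROUND &` with no wait and its output silenced, and `a2ensite default-ssl.conf` is not paired with `a2enmod ssl`; unless the image already enables mod_ssl, default-ssl.conf's `<IfModule mod_ssl.c>` wrapper makes the HTTPS vhost a silent no-op while the banner now advertises `https://localhost/info.php`.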