Fixed Apache SSL

This commit is contained in:
Marisa 2025-12-07 12:37:09 -03:00
parent c4b53401de
commit 9ba26eebef


@ -8,7 +8,7 @@ chmod -R 777 /export-certs 2>/dev/null || true
#────────────────────────────────────────────────────────────── #──────────────────────────────────────────────────────────────
# Correct base DN and hostname # Correct base DN and hostname
export LDAP_HOST="${LDAP_HOST:-$(hostname)}" export LDAP_HOST="${LDAP_HOST:-$(hostname)}"
export LDAP_BASE_DN=dc=$(echo "$LDAP_HOST" | sed 's/\./,dc=/g') export LDAP_BASE_DN=$(echo "$LDAP_HOST" | sed 's/\.\([^.]*\)/,dc=\1/g; s/^/dc=/')
echo "--> Using LDAP base DN: ${LDAP_BASE_DN}" echo "--> Using LDAP base DN: ${LDAP_BASE_DN}"
#────────────────────────────────────────────────────────────── #──────────────────────────────────────────────────────────────
@ -139,37 +139,94 @@ EOF
cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
else else
echo "--> Certificates already exist — skipping generation and using existing ones" echo "--> Certificates already exist — skipping generation and using existing ones"
export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
fi fi
# Set a hardcoded password for Marisa to enable tests on the user export LDAPTLS_REQCERT=allow
echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind"
# Define your Admin DN and Password from the Dockerfile # ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
# NEW: Save and restore the LDIF — no changes to TLS block
if [ ! -f "/export-certs/certinfo.ldif" ]; then
echo "--> Saving TLS config LDIF for future restarts"
cp /tmp/certinfo.ldif /export-certs/certinfo.ldif
fi
if [ -f "/export-certs/certinfo.ldif" ]; then
echo "--> Restoring TLS config LDIF from persistent volume"
cp /export-certs/certinfo.ldif /tmp/certinfo.ldif
fi
# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
# Set Marisa password (full LDIF — so ldapmodify knows what to modify)
echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind"
ADMIN_DN="cn=admin,${LDAP_BASE_DN}" ADMIN_DN="cn=admin,${LDAP_BASE_DN}"
ADMIN_PW="admin" ADMIN_PW="admin"
slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \ slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" >/dev/null 2>&1 ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" <<EOF >/dev/null 2>&1
dn: uid=marisa,ou=People,${LDAP_BASE_DN}
changetype: modify
replace: userPassword
userPassword: $(< /dev/stdin)
EOF
# Kill temporary slapd # Kill temporary slapd
kill $SLAPD_PID 2>/dev/null || true kill $SLAPD_PID 2>/dev/null || true
wait $SLAPD_PID 2>/dev/null || true wait $SLAPD_PID 2>/dev/null || true
# Start OpenLDAP in background # Kill any stray slapd that might be holding ports
pkill -9 slapd 2>/dev/null || true
sleep 2
# Start final OpenLDAP
echo "--> Starting final OpenLDAP (background)" echo "--> Starting final OpenLDAP (background)"
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 & slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
SLAPD_PID=$! SLAPD_PID=$!
sleep 8
# Start Apache in background # Apply TLS config to final slapd
echo "--> Applying TLS config to final slapd"
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
# Restart slapd to load the new TLS config (required for OpenLDAP)
echo "--> Restarting slapd to load TLS config"
kill $SLAPD_PID 2>/dev/null || true
wait $SLAPD_PID 2>/dev/null || true
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
SLAPD_PID=$!
sleep 8
# Make the container trust its own CA — every time
cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt 2>/dev/null || true
update-ca-certificates --fresh >/dev/null 2>&1 || true
# Start Apache inside APACHE_PID variable in background
echo "--> Starting Apache + PHP (background)" echo "--> Starting Apache + PHP (background)"
/usr/sbin/apache2ctl -D FOREGROUND & /usr/sbin/apache2ctl -D FOREGROUND &
APACHE_PID=$! APACHE_PID=$!
# HTTPS setup — using the real LDAP certificates
echo "--> Configuring Apache for HTTPS with real certificates"
export DEBIAN_FRONTEND=noninteractive # Silence a2ensite prompts
APACHE_CERT_FILE="/etc/ldap/certs/ldap01_slapd_cert_full.pem"
APACHE_KEY_FILE="/etc/ldap/certs/ldap01_slapd_key.pem"
# Enable the site silently
a2ensite default-ssl.conf >/dev/null 2>&1
# Replace the snakeoil certs with your real ones
sed -i -E "s|^\s*SSLCertificateFile\s+.*|SSLCertificateFile ${APACHE_CERT_FILE}|g" \
/etc/apache2/sites-available/default-ssl.conf
sed -i -E "s|^\s*SSLCertificateKeyFile\s+.*|SSLCertificateKeyFile ${APACHE_KEY_FILE}|g" \
/etc/apache2/sites-available/default-ssl.conf
# Reload Apache gracefully (updates config without killing)
apache2ctl graceful >/dev/null 2>&1
# Victory message # Victory message
echo "--> ldapdock ready — OpenLDAP + Apache + PHP running" echo "--> ldapdock ready — OpenLDAP + Apache + PHP running"
echo " → LDAP: 389/636" echo " → LDAP: 389/636"
echo " → PHPinfo: http://localhost/info.php" echo " → PHPinfo: https://localhost/info.php"
echo " → Shell: /bin/bash" echo " → Shell: /bin/bash"
echo " → Exit with CTRL+D or 'exit' command" echo " → Exit with CTRL+D or 'exit' command"
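Review bot: The new `export LDAPTLS_REQCERT=allow` (new side, just after the `fi` that closes the certificate branch) turns off server-certificate verification for every ldap client call that inherits this environment, which undercuts the TLS setup this commit is fixing. The same change installs the CA into the system trust store (`cp … mycacert.crt` followed by `update-ca-certificates --fresh`) and exports `LDAPTLS_CACERT` in the "certificates already exist" branch, so verification can stay on: `export LDAPTLS_REQCERT=demand`. Note that `LDAPTLS_CACERT` appears to be exported only in the else branch, so on a first run where certificates are generated it is likely unset and the client would fall back to the system store, which is populated only later in the script — moving the export above the `if` would make both paths consistent. Separately, the `ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif` that applies the TLS config has no failure check, so a rejected LDIF would leave slapd running without TLS while the script still prints the "ready" banner; `ldapmodify … -f /tmp/certinfo.ldif || { echo "--> TLS config failed" >&2; exit 1; }` would surface it.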