Fixed Apache SSL
This commit is contained in:
parent
c4b53401de
commit
9ba26eebef
@ -8,7 +8,7 @@ chmod -R 777 /export-certs 2>/dev/null || true
|
||||
#──────────────────────────────────────────────────────────────
|
||||
# Correct base DN and hostname
|
||||
export LDAP_HOST="${LDAP_HOST:-$(hostname)}"
|
||||
export LDAP_BASE_DN=dc=$(echo "$LDAP_HOST" | sed 's/\./,dc=/g')
|
||||
export LDAP_BASE_DN=$(echo "$LDAP_HOST" | sed 's/\.\([^.]*\)/,dc=\1/g; s/^/dc=/')
|
||||
echo "--> Using LDAP base DN: ${LDAP_BASE_DN}"
|
||||
#──────────────────────────────────────────────────────────────
|
||||
|
||||
@ -139,37 +139,94 @@ EOF
|
||||
cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
|
||||
else
|
||||
echo "--> Certificates already exist — skipping generation and using existing ones"
|
||||
export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
|
||||
fi
|
||||
|
||||
# Set a hardcoded password for Marisa to enable tests on the user
|
||||
echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind"
|
||||
export LDAPTLS_REQCERT=allow
|
||||
|
||||
# Define your Admin DN and Password from the Dockerfile
|
||||
# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
|
||||
# NEW: Save and restore the LDIF — no changes to TLS block
|
||||
if [ ! -f "/export-certs/certinfo.ldif" ]; then
|
||||
echo "--> Saving TLS config LDIF for future restarts"
|
||||
cp /tmp/certinfo.ldif /export-certs/certinfo.ldif
|
||||
fi
|
||||
|
||||
if [ -f "/export-certs/certinfo.ldif" ]; then
|
||||
echo "--> Restoring TLS config LDIF from persistent volume"
|
||||
cp /export-certs/certinfo.ldif /tmp/certinfo.ldif
|
||||
fi
|
||||
# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
|
||||
|
||||
# Set Marisa password (full LDIF — so ldapmodify knows what to modify)
|
||||
echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind"
|
||||
ADMIN_DN="cn=admin,${LDAP_BASE_DN}"
|
||||
ADMIN_PW="admin"
|
||||
|
||||
slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
|
||||
ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" >/dev/null 2>&1
|
||||
ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" <<EOF >/dev/null 2>&1
|
||||
dn: uid=marisa,ou=People,${LDAP_BASE_DN}
|
||||
changetype: modify
|
||||
replace: userPassword
|
||||
userPassword: $(< /dev/stdin)
|
||||
EOF
|
||||
|
||||
# Kill temporary slapd
|
||||
kill $SLAPD_PID 2>/dev/null || true
|
||||
wait $SLAPD_PID 2>/dev/null || true
|
||||
|
||||
# Start OpenLDAP in background
|
||||
# Kill any stray slapd that might be holding ports
|
||||
pkill -9 slapd 2>/dev/null || true
|
||||
sleep 2
|
||||
|
||||
# Start final OpenLDAP
|
||||
echo "--> Starting final OpenLDAP (background)"
|
||||
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
|
||||
SLAPD_PID=$!
|
||||
sleep 8
|
||||
|
||||
# Start Apache in background
|
||||
# Apply TLS config to final slapd
|
||||
echo "--> Applying TLS config to final slapd"
|
||||
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
|
||||
|
||||
# Restart slapd to load the new TLS config (required for OpenLDAP)
|
||||
echo "--> Restarting slapd to load TLS config"
|
||||
kill $SLAPD_PID 2>/dev/null || true
|
||||
wait $SLAPD_PID 2>/dev/null || true
|
||||
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
|
||||
SLAPD_PID=$!
|
||||
sleep 8
|
||||
|
||||
# Make the container trust its own CA — every time
|
||||
cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt 2>/dev/null || true
|
||||
update-ca-certificates --fresh >/dev/null 2>&1 || true
|
||||
|
||||
# Start Apache inside APACHE_PID variable in background
|
||||
echo "--> Starting Apache + PHP (background)"
|
||||
/usr/sbin/apache2ctl -D FOREGROUND &
|
||||
APACHE_PID=$!
|
||||
|
||||
# HTTPS setup — using the real LDAP certificates
|
||||
echo "--> Configuring Apache for HTTPS with real certificates"
|
||||
|
||||
export DEBIAN_FRONTEND=noninteractive # Silence a2ensite prompts
|
||||
|
||||
APACHE_CERT_FILE="/etc/ldap/certs/ldap01_slapd_cert_full.pem"
|
||||
APACHE_KEY_FILE="/etc/ldap/certs/ldap01_slapd_key.pem"
|
||||
|
||||
# Enable the site silently
|
||||
a2ensite default-ssl.conf >/dev/null 2>&1
|
||||
|
||||
# Replace the snakeoil certs with your real ones
|
||||
sed -i -E "s|^\s*SSLCertificateFile\s+.*|SSLCertificateFile ${APACHE_CERT_FILE}|g" \
|
||||
/etc/apache2/sites-available/default-ssl.conf
|
||||
sed -i -E "s|^\s*SSLCertificateKeyFile\s+.*|SSLCertificateKeyFile ${APACHE_KEY_FILE}|g" \
|
||||
/etc/apache2/sites-available/default-ssl.conf
|
||||
|
||||
# Reload Apache gracefully (updates config without killing)
|
||||
apache2ctl graceful >/dev/null 2>&1
|
||||
|
||||
# Victory message
|
||||
echo "--> ldapdock ready — OpenLDAP + Apache + PHP running"
|
||||
echo " → LDAP: 389/636"
|
||||
echo " → PHPinfo: http://localhost/info.php"
|
||||
echo " → PHPinfo: https://localhost/info.php"
|
||||
echo " → Shell: /bin/bash"
|
||||
echo " → Exit with CTRL+D or 'exit' command"
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user