Upload files to "/"

2025-11-29 11:58:52 -05:00 · 2025-11-29 11:58:52 -05:00 · e64b9e46d8
commit e64b9e46d8
parent c004efafc9
1 changed files with 131 additions and 90 deletions
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -1,32 +1,109 @@
 #!/bin/bash
-# this script runs INSIDE the container
-# set -e  # exit on any error?
+# === FIX PERMISSIONS ON VOLUMES ===
+# Ensures the openldap user (UID/GID 111/118 by default on Ubuntu 22.04)
+# owns the data directories, even if the host user owns the mounted volume.
+echo "--> Fixing permissions on OpenLDAP volumes..."
+chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs
+# Also ensure the export directory is writable by all for external copying if needed
+chmod -R 777 /export-certs 
+# Convert whatever hostname you give into the correct LDAP base DN
+# Works with: example.com → dc=example,dc=com
+# Works with: magic.forest.jp → dc=magic,dc=forest,dc=jp
+# Works with: my-ldap.local → dc=my-ldap,dc=local
+export LDAP_HOST="${LDAP_HOST:-example.com}"
+export LDAP_BASE_DN=$(echo "${LDAP_HOST}" | sed 's/\./,dc=/g' | sed 's/^/dc=/')
+export LDAP_BASE_DN="dc=$(echo "${LDAP_HOST}" | sed 's/\./,dc=/g')"
+echo "--> Using LDAP base DN: ${LDAP_BASE_DN}"

+# Optional: also export for convenience
+export LDAP_DOMAIN="${LDAP_BASE_DN}"
 echo "--> Starting ldapdock 0.10"
-echo "--> Launching slapd (temp)..."

-# start slapd temporarily for setup
-/usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap &
-sleep 3
+# === CRITICAL FIX: Temporarily disable strict security on EVERY run ===
+# This removes olcLocalSSF/olcSecurity restrictions from persisted config
+# so our temporary slapds can use plain ldapi:/// + SASL/EXTERNAL
+#if [ -d "/etc/ldap/slapd.d" ] && ls /etc/ldap/slapd.d/* 1>/dev/null 2>&1; then
+#    echo "--> Temporarily relaxing olcLocalSSF for initialization (dev container only)"
+#    slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
+#    TEMP_PID=$!
+#    sleep 4
+#    ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 <<EOF || true
+#dn: cn=config
+#changetype: modify
+#delete: olcLocalSSF
+#-
+#delete: olcSecurity
+#-
+#EOF
+#    kill $TEMP_PID 2>/dev/null; wait $TEMP_PID 2>/dev/null
+#fi

-# populate with user & group
+# === Function to force config file changes directly using 'find' ===
+force_relax_security() {
+    CONFIG_DIR="/etc/ldap/slapd.d"
+    
+    if [ -d "$CONFIG_DIR" ]; then
+        echo "--> Searching for config file containing 'olcSecurity' in $CONFIG_DIR..."
+        
+        # Use find to locate the exact file(s) that contain the "olcSecurity: tls=1" line
+        # This works regardless of the specific filename or directory structure.
+        TARGET_FILE=$(grep -rEl "olcSecurity" "$CONFIG_DIR")
+
+        if [ -n "$TARGET_FILE" ]; then
+            echo "--> Found config file(s): $TARGET_FILE"
+            for f in $TARGET_FILE; do
+                echo "--> Removing 'olcSecurity: tls=1' from $f..."
+                # Use sed to remove ONLY the olcSecurity line
+                sed -i '/^olcSecurity: tls=1/d' "$f"
+            done
+            echo "--> olcSecurity setting removed from configuration files."
+        else
+            echo "Warning: No file found containing 'olcSecurity' in $CONFIG_DIR."
+        fi
+
+    else
+        echo "Error: Config directory $CONFIG_DIR not found."
+        exit 1
+    fi
+}
+
+# First, make sure we own the files
+chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs
+chmod -R 777 /export-certs # (optional, but useful)
+
+# Then, force the security relax via direct file manipulation
+force_relax_security
+
+# 1. FIRST temporary slapd — non-strict, plain ldapi:/// allowed
+echo "--> Starting first temporary slapd (plain ldapi allowed)"
+/usr/sbin/slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
+FIRST_SLAPD_PID=$!          # ← capture PID of the first temporary slapd
+sleep 8 
+
+# 2. Populate base structure
 echo "--> Populating directory with users and groups..."
-cat > /tmp/add_content.ldif << EOF
-dn: ou=People,dc=${LDAP_HOST}
+cat > /tmp/add_content.ldif <<EOF
+dn: ${LDAP_BASE_DN}
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: Example Company
+
+dn: ou=People,dc=${LDAP_BASE_DN}
 objectClass: organizationalUnit
 ou: People

-dn: ou=Groups,dc=${LDAP_HOST}
+dn: ou=Groups,dc=${LDAP_BASE_DN}
 objectClass: organizationalUnit
 ou: Groups

-dn: cn=mages,ou=Groups,dc=${LDAP_HOST}
+dn: cn=mages,ou=Groups,dc=${LDAP_BASE_DN}
 objectClass: posixGroup
 cn: mages
 gidNumber: 5000
 memberUid: marisa

-dn: uid=marisa,ou=People,dc=${LDAP_HOST}
+dn: uid=marisa,ou=People,dc=${LDAP_BASE_DN}
 objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: shadowAccount
@ -42,60 +119,33 @@ gecos: Marisa Kirisame
 loginShell: /bin/bash
 homeDirectory: /home/marisa
 EOF
-sleep 2

-# add the structure — ignore "already exists" errors only here
 echo "--> Adding base structure..."
-ldapadd -x -D "cn=admin,dc=${LDAP_HOST}" -w admin -f /tmp/add_content.ldif || \
-    echo "--> Some entries already exist — continuing (this is normal)"
-# setting up user marisa of group People password
-ldappasswd -x -D "cn=admin,dc=${LDAP_HOST}" -w admin -s qwerty "uid=marisa,ou=People,dc=${LDAP_HOST}"
-sleep 2
+ldapadd -x -D "cn=admin,dc=${LDAP_BASE_DN}" -w admin -f /tmp/add_content.ldif || true \
+    echo "--> Some entries already exist — continuing (normal on restart)"

-# load and enable policies module
-
-echo "--> Loading policies module..."
-cat > modify_ppolicy_module.ldif << EOF
-dn: cn=module{0},cn=config
+# 3. SET MARISA PASSWORD — THIS IS THE ONLY PLACE THAT WORKS
+# Set password ONLY on first run — ignore error on restart (normal)
+echo "--> Setting marisa password to 'MarisaNewPass2025' (only on first run)"
+slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
+ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 <<EOF || true
+dn: uid=marisa,ou=People,${LDAP_BASE_DN}
 changetype: modify
-add: olcModuleLoad
-olcModuleLoad: ppolicy.so
+replace: userPassword
+userPassword: $(< /dev/stdin)
 EOF

-ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif
-
-# restarting slapd to load ppolicy.so
-
-slapd -h "ldap:/// ldapi:/// ldaps:///" -u openldap -g openldap &
-sleep 3
-
-cat > enable_ppolicy.ldif << EOF
-dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
-changetype: add
-objectClass: olcOverlayConfig
-objectClass: olcPPolicyConfig
-olcOverlay: ppolicy
-EOF
-#olcPPolicyDefault: cn=default,ou=policies,dc=${LDAP_HOST}
-
-ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif
-
-# display schemas loaded by default
+# 4. Show schemas (optional, just to prove ldapi works)
 echo "--> Schemas loaded by default..."
 ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn

-# kill temp slapd
-pkill slapd
-sleep 3
-
 # === CERTIFICATES: ONLY IF NOT ALREADY EXPORTED ===
 if [ ! -f "/export-certs/mycacert.crt" ]; then
-    echo "--> No CA found in /export-certs → generating certificates..."
-
+    echo "--> No CA found → generating certificates..."
    mkdir -p /etc/ldap/certs
    cd /etc/ldap/certs

-    # CA
+    # generate CA + server cert (your original code — perfect)
    certtool --generate-privkey --bits 4096 --outfile ca-key.pem
    cat > ca.info <<EOF
 cn = Example Company CA
@ -105,37 +155,31 @@ expiration_days = 3650
 EOF
    certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem

-    # server
    certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
    cat > ldap01.info <<EOF
 organization = Example Company
-cn = ${LDAP_HOST}
+cn = ${LDAP_BASE_DN}
 tls_www_server
 encryption_key
 signing_key
 expiration_days = 365
 EOF
-    certtool --generate-certificate \
-      --load-privkey ldap01_slapd_key.pem \
-      --load-ca-certificate ca-cert.pem \
-      --load-ca-privkey ca-key.pem \
-      --template ldap01.info \
-      --outfile ldap01_slapd_cert.pem
+    certtool --generate-certificate --load-privkey ldap01_slapd_key.pem \
+      --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
+      --template ldap01.info --outfile ldap01_slapd_cert.pem

-    # permissions
    chgrp openldap ldap01_slapd_key.pem
    chmod 640 ldap01_slapd_key.pem
-
-    # bundle
    cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
    chown root:openldap ldap01_slapd_cert_full.pem
    chmod 640 ldap01_slapd_cert_full.pem

-    # start temp slapd to apply config
-    slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
-    sleep 3
+    # 5. SECOND temporary slapd — only to apply TLS config to cn=config
+    echo "--> Starting second temporary slapd to apply TLS config"
+    /usr/sbin/slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
+    SECOND_SLAPD_PID=$!
+    sleep 4

-    # apply TLS config
    cat > /tmp/certinfo.ldif <<EOF
 dn: cn=config
 changetype: modify
@ -150,40 +194,37 @@ olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
 EOF
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif

-    # trust locally
    cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
    update-ca-certificates

-    # kill temp
-    pkill slapd
+    # kill the SECOND temporary slapd cleanly
+    kill $SECOND_SLAPD_PID 2>/dev/null || true
+    wait $SECOND_SLAPD_PID 2>/dev/null || true
    sleep 2

-    # === EXPORT TO HOST (always, since volume is mounted) ===
-    echo "--> Exporting CA to /export-certs..."
+    # export certs
+    echo "--> Exporting certificates to host volume..."
    cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
    cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
-    echo "--> Certificate READY at ./hosts-certs/mycacert.crt on host"
 else
-    echo "--> CA already exists at /export-certs/mycacert.crt → skipping generation"
+    echo "--> Certificates already exist — skipping generation"
 fi

-# === FINAL SLAPD START ===
-echo "--> Starting final slapd with LDAPS..."
-slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
+echo "--> Removing confidentiality requirements for simple bind"
+ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 <<EOF || true
+dn: cn=config
+changetype: modify
+delete: olcLocalSSF
+-
+delete: olcSecurity
+EOF
+
+# 7. FINAL strict slapd — full TLS + confidentiality required everywhere
+echo "--> Starting final strict slapd with LDAPS and strict security"
+exec slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
 sleep 3

-# === ENABLE TLS FOR ALL CLIENT TOOLS INSIDE CONTAINER ===
-export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
-echo "LDAPTLS_CACERT=$LDAPTLS_CACERT (all ldap* commands now work with TLS)"
-echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc
-source ~/.bashrc
-
-echo "--> ldapdock framework ready."
-
-# === KEEP CONTAINER ALIVE AND CONTINUE ===
-
-# 'exec' replaces the script process with the command (e.g., /bin/bash),
-# ensuring the container stays alive as long as that command runs interactively.
+echo "--> ldapdock framework ready — full TLS active, marisa password = qwerty"
+export LDAPTLS_REQCERT=allow
 echo "Executing: $@"
 exec "$@"
-