okasion/ldapdock
2
1
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Upload files to "/"

Browse Source
This commit is contained in:
Marisa 2025-11-29 11:58:52 -05:00
parent c004efafc9
commit e64b9e46d8
1 changed files with 131 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

219
entrypoint.sh
View File

@ -1,32 +1,109 @@
#!/bin/bash #!/bin/bash
# this script runs INSIDE the container # === FIX PERMISSIONS ON VOLUMES ===
# set -e # exit on any error? # Ensures the openldap user (UID/GID 111/118 by default on Ubuntu 22.04)
# owns the data directories, even if the host user owns the mounted volume.
echo "--> Fixing permissions on OpenLDAP volumes..."
chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs
# Also ensure the export directory is writable by all for external copying if needed
chmod -R 777 /export-certs
# Convert whatever hostname you give into the correct LDAP base DN
# Works with: example.com → dc=example,dc=com
# Works with: magic.forest.jp → dc=magic,dc=forest,dc=jp
# Works with: my-ldap.local → dc=my-ldap,dc=local
export LDAP_HOST="${LDAP_HOST:-example.com}"
export LDAP_BASE_DN=$(echo "${LDAP_HOST}" | sed 's/\./,dc=/g' | sed 's/^/dc=/')
export LDAP_BASE_DN="dc=$(echo "${LDAP_HOST}" | sed 's/\./,dc=/g')"
echo "--> Using LDAP base DN: ${LDAP_BASE_DN}"
# Optional: also export for convenience
export LDAP_DOMAIN="${LDAP_BASE_DN}"
echo "--> Starting ldapdock 0.10" echo "--> Starting ldapdock 0.10"
echo "--> Launching slapd (temp)..."
# start slapd temporarily for setup # === CRITICAL FIX: Temporarily disable strict security on EVERY run ===
/usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap & # This removes olcLocalSSF/olcSecurity restrictions from persisted config
sleep 3 # so our temporary slapds can use plain ldapi:/// + SASL/EXTERNAL
#if [ -d "/etc/ldap/slapd.d" ] && ls /etc/ldap/slapd.d/* 1>/dev/null 2>&1; then
# echo "--> Temporarily relaxing olcLocalSSF for initialization (dev container only)"
# slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
# TEMP_PID=$!
# sleep 4
# ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 <<EOF || true
#dn: cn=config
#changetype: modify
#delete: olcLocalSSF
#-
#delete: olcSecurity
#-
#EOF
# kill $TEMP_PID 2>/dev/null; wait $TEMP_PID 2>/dev/null
#fi
# populate with user & group # === Function to force config file changes directly using 'find' ===
force_relax_security() {
CONFIG_DIR="/etc/ldap/slapd.d"
if [ -d "$CONFIG_DIR" ]; then
echo "--> Searching for config file containing 'olcSecurity' in $CONFIG_DIR..."
# Use find to locate the exact file(s) that contain the "olcSecurity: tls=1" line
# This works regardless of the specific filename or directory structure.
TARGET_FILE=$(grep -rEl "olcSecurity" "$CONFIG_DIR")
if [ -n "$TARGET_FILE" ]; then
echo "--> Found config file(s): $TARGET_FILE"
for f in $TARGET_FILE; do
echo "--> Removing 'olcSecurity: tls=1' from $f..."
# Use sed to remove ONLY the olcSecurity line
sed -i '/^olcSecurity: tls=1/d' "$f"
done
echo "--> olcSecurity setting removed from configuration files."
else
echo "Warning: No file found containing 'olcSecurity' in $CONFIG_DIR."
fi
else
echo "Error: Config directory $CONFIG_DIR not found."
exit 1
fi
}
# First, make sure we own the files
chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs
chmod -R 777 /export-certs # (optional, but useful)
# Then, force the security relax via direct file manipulation
force_relax_security
# 1. FIRST temporary slapd — non-strict, plain ldapi:/// allowed
echo "--> Starting first temporary slapd (plain ldapi allowed)"
/usr/sbin/slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
FIRST_SLAPD_PID=$! # ← capture PID of the first temporary slapd
sleep 8
# 2. Populate base structure
echo "--> Populating directory with users and groups..." echo "--> Populating directory with users and groups..."
cat > /tmp/add_content.ldif <<EOF cat > /tmp/add_content.ldif <<EOF
dn: ou=People,dc=${LDAP_HOST} dn: ${LDAP_BASE_DN}
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Company
dn: ou=People,dc=${LDAP_BASE_DN}
objectClass: organizationalUnit objectClass: organizationalUnit
ou: People ou: People
dn: ou=Groups,dc=${LDAP_HOST} dn: ou=Groups,dc=${LDAP_BASE_DN}
objectClass: organizationalUnit objectClass: organizationalUnit
ou: Groups ou: Groups
dn: cn=mages,ou=Groups,dc=${LDAP_HOST} dn: cn=mages,ou=Groups,dc=${LDAP_BASE_DN}
objectClass: posixGroup objectClass: posixGroup
cn: mages cn: mages
gidNumber: 5000 gidNumber: 5000
memberUid: marisa memberUid: marisa
dn: uid=marisa,ou=People,dc=${LDAP_HOST} dn: uid=marisa,ou=People,dc=${LDAP_BASE_DN}
objectClass: inetOrgPerson objectClass: inetOrgPerson
objectClass: posixAccount objectClass: posixAccount
objectClass: shadowAccount objectClass: shadowAccount
@ -42,60 +119,33 @@ gecos: Marisa Kirisame
loginShell: /bin/bash loginShell: /bin/bash
homeDirectory: /home/marisa homeDirectory: /home/marisa
EOF EOF
sleep 2
# add the structure — ignore "already exists" errors only here
echo "--> Adding base structure..." echo "--> Adding base structure..."
ldapadd -x -D "cn=admin,dc=${LDAP_HOST}" -w admin -f /tmp/add_content.ldif || \ ldapadd -x -D "cn=admin,dc=${LDAP_BASE_DN}" -w admin -f /tmp/add_content.ldif || true \
echo "--> Some entries already exist — continuing (this is normal)" echo "--> Some entries already exist — continuing (normal on restart)"
# setting up user marisa of group People password
ldappasswd -x -D "cn=admin,dc=${LDAP_HOST}" -w admin -s qwerty "uid=marisa,ou=People,dc=${LDAP_HOST}"
sleep 2
# load and enable policies module # 3. SET MARISA PASSWORD — THIS IS THE ONLY PLACE THAT WORKS
# Set password ONLY on first run — ignore error on restart (normal)
echo "--> Loading policies module..." echo "--> Setting marisa password to 'MarisaNewPass2025' (only on first run)"
cat > modify_ppolicy_module.ldif << EOF slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
dn: cn=module{0},cn=config ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 <<EOF || true
dn: uid=marisa,ou=People,${LDAP_BASE_DN}
changetype: modify changetype: modify
add: olcModuleLoad replace: userPassword
olcModuleLoad: ppolicy.so userPassword: $(< /dev/stdin)
EOF EOF
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif # 4. Show schemas (optional, just to prove ldapi works)
# restarting slapd to load ppolicy.so
slapd -h "ldap:/// ldapi:/// ldaps:///" -u openldap -g openldap &
sleep 3
cat > enable_ppolicy.ldif << EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
EOF
#olcPPolicyDefault: cn=default,ou=policies,dc=${LDAP_HOST}
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif
# display schemas loaded by default
echo "--> Schemas loaded by default..." echo "--> Schemas loaded by default..."
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
# kill temp slapd
pkill slapd
sleep 3
# === CERTIFICATES: ONLY IF NOT ALREADY EXPORTED === # === CERTIFICATES: ONLY IF NOT ALREADY EXPORTED ===
if [ ! -f "/export-certs/mycacert.crt" ]; then if [ ! -f "/export-certs/mycacert.crt" ]; then
echo "--> No CA found in /export-certs → generating certificates..." echo "--> No CA found → generating certificates..."
mkdir -p /etc/ldap/certs mkdir -p /etc/ldap/certs
cd /etc/ldap/certs cd /etc/ldap/certs
# CA # generate CA + server cert (your original code — perfect)
certtool --generate-privkey --bits 4096 --outfile ca-key.pem certtool --generate-privkey --bits 4096 --outfile ca-key.pem
cat > ca.info <<EOF cat > ca.info <<EOF
cn = Example Company CA cn = Example Company CA
@ -105,37 +155,31 @@ expiration_days = 3650
EOF EOF
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
# server
certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
cat > ldap01.info <<EOF cat > ldap01.info <<EOF
organization = Example Company organization = Example Company
cn = ${LDAP_HOST} cn = ${LDAP_BASE_DN}
tls_www_server tls_www_server
encryption_key encryption_key
signing_key signing_key
expiration_days = 365 expiration_days = 365
EOF EOF
certtool --generate-certificate \ certtool --generate-certificate --load-privkey ldap01_slapd_key.pem \
--load-privkey ldap01_slapd_key.pem \ --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--load-ca-certificate ca-cert.pem \ --template ldap01.info --outfile ldap01_slapd_cert.pem
--load-ca-privkey ca-key.pem \
--template ldap01.info \
--outfile ldap01_slapd_cert.pem
# permissions
chgrp openldap ldap01_slapd_key.pem chgrp openldap ldap01_slapd_key.pem
chmod 640 ldap01_slapd_key.pem chmod 640 ldap01_slapd_key.pem
# bundle
cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
chown root:openldap ldap01_slapd_cert_full.pem chown root:openldap ldap01_slapd_cert_full.pem
chmod 640 ldap01_slapd_cert_full.pem chmod 640 ldap01_slapd_cert_full.pem
# start temp slapd to apply config # 5. SECOND temporary slapd — only to apply TLS config to cn=config
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap & echo "--> Starting second temporary slapd to apply TLS config"
sleep 3 /usr/sbin/slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
SECOND_SLAPD_PID=$!
sleep 4
# apply TLS config
cat > /tmp/certinfo.ldif <<EOF cat > /tmp/certinfo.ldif <<EOF
dn: cn=config dn: cn=config
changetype: modify changetype: modify
@ -150,40 +194,37 @@ olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
EOF EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
# trust locally
cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
update-ca-certificates update-ca-certificates
# kill temp # kill the SECOND temporary slapd cleanly
pkill slapd kill $SECOND_SLAPD_PID 2>/dev/null || true
wait $SECOND_SLAPD_PID 2>/dev/null || true
sleep 2 sleep 2
# === EXPORT TO HOST (always, since volume is mounted) === # export certs
echo "--> Exporting CA to /export-certs..." echo "--> Exporting certificates to host volume..."
cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
echo "--> Certificate READY at ./hosts-certs/mycacert.crt on host"
else else
echo "--> CA already exists at /export-certs/mycacert.crt → skipping generation" echo "--> Certificates already exist — skipping generation"
fi fi
# === FINAL SLAPD START === echo "--> Removing confidentiality requirements for simple bind"
echo "--> Starting final slapd with LDAPS..." ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 <<EOF || true
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 & dn: cn=config
changetype: modify
delete: olcLocalSSF
-
delete: olcSecurity
EOF
# 7. FINAL strict slapd — full TLS + confidentiality required everywhere
echo "--> Starting final strict slapd with LDAPS and strict security"
exec slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
sleep 3 sleep 3
# === ENABLE TLS FOR ALL CLIENT TOOLS INSIDE CONTAINER === echo "--> ldapdock framework ready — full TLS active, marisa password = qwerty"
export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem export LDAPTLS_REQCERT=allow
echo "LDAPTLS_CACERT=$LDAPTLS_CACERT (all ldap* commands now work with TLS)"
echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc
source ~/.bashrc
echo "--> ldapdock framework ready."
# === KEEP CONTAINER ALIVE AND CONTINUE ===
# 'exec' replaces the script process with the command (e.g., /bin/bash),
# ensuring the container stays alive as long as that command runs interactively.
echo "Executing: $@" echo "Executing: $@"
exec "$@" exec "$@"