Delete index.php.tls

INSTALL.md

@@ -366,26 +366,65 @@ root@example:/etc/ldap/certs# export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
 root@example:/etc/ldap/certs# echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc
 root@example:/etc/ldap/certs# source ~/.bashrc
 ```
-\
-Check STARTTLS
-```
-root@example:/etc/ldap/certs# ldapwhoami -x -ZZ -H ldap://${LDAP_HOST}
-```
-Check SSL/ldaps
-```
-root@example:/etc/ldap/certs# ldapwhoami -x -H ldaps://${LDAP_HOST}
-```
-Both should return Anonymous.
+## _6- Connect to OpenLDAP server via StartTLS/SSL_
 
-Another example to try STARTTLS/ldap it is working:
+Vital checks of different levels to test **openLDAP's StartTLS and SSL**:\
+1.Check StartTLS and SSL, both should output "anonymous"
 ```
-openssl s_client -connect ${LDAP_HOST}:389 -starttls ldap -servername ${LDAP_HOST}
+root@example:/# ldapwhoami -x -ZZ -H ldap://${LDAP_HOST}
+anonymous
+root@example:/# ldapwhoami -x -H ldaps://${LDAP_HOST}
+anonymous
 ```
-SSL/ldaps
+\
+2.Check direct connection via openssl to confirm certificates are working properly:
 ```
-openssl s_client -connect ${LDAP_HOST}:636 -servername ${LDAP_HOST}
+root@example:/# openssl s_client -connect ${LDAP_HOST}:389 -starttls ldap -servername ${LDAP_HOST} #StartTLS
+CONNECTED(00000003)
+depth=1 CN = Example Company CA
+verify return:1
+depth=0 O = Example Company, CN = example.com
+verify return:1
+...
+SSL handshake has read 2977 bytes and written 424 bytes
+Verification: OK
+---
+New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
+Server public key is 2048 bit
+Secure Renegotiation IS NOT supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+Early data was not sent
+Verify return code: 0 (ok)
+root@example:/# openssl s_client -connect ${LDAP_HOST}:636 -servername ${LDAP_HOST} #SSL
+CONNECTED(00000003)
+depth=1 CN = Example Company CA
+verify return:1
+depth=0 O = Example Company, CN = example.com
+verify return:1
+...
+SSL handshake has read 2963 bytes and written 393 bytes
+Verification: OK
+---
+New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
+Server public key is 2048 bit
+Secure Renegotiation IS NOT supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+Early data was not sent
+Verify return code: 0 (ok)
+```
+The output of both of these commands should be similar. Also, both will show the openLDAP's server CN (example.com in this case). You can terminate the connection with Ctrl+C.
+
+3.A very important check is to make sure connections as users from the OpenLDAP's tree other than admin works: 
+```
+root@example:/# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 #StartTLS
+dn:uid=marisa,ou=People,dc=example,dc=com
+root@example:/# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 #SSL
+dn:uid=marisa,ou=People,dc=example,dc=com 
 ```
-Both will show the connection to the openLDAP server showing the CN(dc=example,dc=com)
 
 To connect to the server via `STARTTLS`, use port 389, to connect to the server via `SSL`, use port 636, both auth method Simple. 
 If asked, accept the certificate as with any certificate, or copy the CA file that resides inside ldapdock from out of the container to our host system certificate trust directory (/usr/local/share/ca-certificates/ works for any Debian based distribution):
@@ -395,5 +434,9 @@ If asked, accept the certificate as with any certificate, or copy the CA file th
 > sudo update-ca-certificates
 ```
 In both cases, providing -h ${LDAP_HOST}, by default the login "user" and password are:\
-BIND DN=cn=admin,dc=example,dc=com\
+As admin:
+BIND DN="cn=admin,dc=example,dc=com"\
 BIND password=admin
+As marisa:
+BIND DN="uid=marisa,ou=People,dc=example,dc=com"\
+BIND password=MarisaNewPass2025

docker-compose.yml

@@ -0,0 +1,29 @@
+version: '3.8'
+
+services:
+  ldap:
+    # Tells Compose to build the image from the Dockerfile in the current directory
+    build:
+      context: .
+      args:
+        - LDAP_HOST=example.com
+    image: ldapdock
+    container_name: ldapdock
+    hostname: example.com
+    stdin_open: true # Equivalent of -i
+    tty: true        # Equivalent of -t
+    ports:
+      - "389:389"
+      - "636:636"
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ldap_data:/var/lib/ldap
+      - ldap_config:/etc/ldap/slapd.d
+      - ldap_certs:/etc/ldap/certs
+      - ./hosts-certs:/export-certs
+
+volumes:
+  ldap_data:
+  ldap_config:
+  ldap_certs:

dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM debian:12
 
 # set container hostname and DN in case we don't set it on the docker build/run command
 ARG LDAP_HOST=example.com
@@ -6,20 +6,25 @@ ENV LDAP_HOST=${LDAP_HOST}
 
 # set non-interactive TERM for docker
 ENV DEBIAN_FRONTEND=noninteractive
-#──────────────────────────────────────────────────────────────
-# install OpenLDAP, ldap-utils, and packages needed for ldapdock to work
-#──────────────────────────────────────────────────────────────
-RUN apt-get update && apt-get install -y --no-install-recommends \
-slapd ldap-utils gnutls-bin ssl-cert ca-certificates schema2ldif vim mc && apt-get clean
 
 #──────────────────────────────────────────────────────────────
-# APACHE && PHP && neccesary related software
+# Install ALL necessary packages in a single run for minimal image size
 #──────────────────────────────────────────────────────────────
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    apache2 \
-    php libapache2-mod-php \
-    php-ldap php-mbstring php-xml php-curl php-intl wget \
-    && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y --no-install-recommends gnupg lsb-release ca-certificates apt-transport-https software-properties-common wget \
+    # Add the repository for older PHP versions
+    && wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg \
+    && echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list \
+    # Update again to fetch packages from the new repository
+    && apt-get update \
+    # Install all packages, specifying PHP 8.1
+    && apt-get install -y --no-install-recommends \
+        apt-utils \
+        slapd ldap-utils gnutls-bin ssl-cert schema2ldif vim mc \
+        apache2 \
+        php8.1 libapache2-mod-php8.1 \
+        php8.1-ldap php8.1-mbstring php8.1-xml php8.1-curl php8.1-intl \
+    # Clean up APT caches to reduce image size
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 # Enable required Apache modules
 RUN a2enmod rewrite headers ssl

entrypoint.sh

@@ -83,7 +83,7 @@ ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/base.ldif || true
 # TLS BLOCK 
 #──────────────────────────────────────────────────────────────
 if [ ! -f "/export-certs/mycacert.crt" ]; then
-    echo "--> No CA found → generating certificates..."
+    echo "--> No CA found, generating new certificates and TLS config..."
     mkdir -p /etc/ldap/certs
     cd /etc/ldap/certs
     certtool --generate-privkey --bits 4096 --outfile ca-key.pem
@@ -94,7 +94,6 @@ cert_signing_key
 expiration_days = 3650
 EOF
     certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
-    certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
     cat > ldap01.info <<EOF
 organization = Example Company
 cn = ${LDAP_HOST}
@@ -103,6 +102,7 @@ encryption_key
 signing_key
 expiration_days = 365
 EOF
+    certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
     certtool --generate-certificate \
       --load-privkey ldap01_slapd_key.pem \
       --load-ca-certificate ca-cert.pem \
@@ -114,9 +114,8 @@ EOF
     cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
     chown root:openldap ldap01_slapd_cert_full.pem
     chmod 640 ldap01_slapd_cert_full.pem
-    echo "--> Starting second temporary slapd to apply TLS config"
-    slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
-    sleep 4
+
+    # Generate the LDIF for TLS config now, but apply it later
     cat > /tmp/certinfo.ldif <<EOF
 dn: cn=config
 changetype: modify
@@ -129,14 +128,11 @@ olcTLSCertificateFile: /etc/ldap/certs/ldap01_slapd_cert_full.pem
 replace: olcTLSCertificateKeyFile
 olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
 EOF
-    ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
-    cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
-    update-ca-certificates
-    pkill slapd || true
-    sleep 2
+
     echo "--> Exporting certificates to host volume..."
     cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
     cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
+    cp /tmp/certinfo.ldif /export-certs/certinfo.ldif
 else
     echo "--> Certificates already exist — skipping generation and using existing ones"
 fi
@@ -144,12 +140,6 @@ fi
 export LDAPTLS_REQCERT=allow
 
 # ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
-# NEW: Save and restore the LDIF — no changes to TLS block
-if [ ! -f "/export-certs/certinfo.ldif" ]; then
-    echo "--> Saving TLS config LDIF for future restarts"
-    cp /tmp/certinfo.ldif /export-certs/certinfo.ldif
-fi
-
 if [ -f "/export-certs/certinfo.ldif" ]; then
     echo "--> Restoring TLS config LDIF from persistent volume"
     cp /export-certs/certinfo.ldif /tmp/certinfo.ldif
@@ -232,11 +222,14 @@ echo "--> Installing phpLDAPadmin"
 
 # Only install once — use a flag file
 if [ ! -f "/var/www/html/phpldapadmin-installed" ]; then
+    # Clean up any previous partial installation
+    rm -rf /var/www/html/phpldapadmin*
+
     cd /var/www/html
 
     # Download and extract (direct tarball, no git needed)
     wget -q -O phpldapadmin.tgz \
-      https://github.com/leenooks/phpLDAPadmin/archive/refs/tags/1.2.6.7.tar.gz
+      https://github.com/leenooks/phpLDAPadmin/archive/refs/tags/1.2.6.7.tar.gz || exit 1
     tar xzf phpldapadmin.tgz
     mv phpLDAPadmin-1.2.6.7 phpldapadmin
     rm phpldapadmin.tgz
@@ -280,4 +273,3 @@ trap 'echo "Stopping services..."; kill $SLAPD_PID $APACHE_PID 2>/dev/null; wait
 
 # Give you your interactive shell — forever
 exec "$@"
-

index.php.tls

@@ -1,55 +0,0 @@
-<?php
-$host = $_SERVER['HTTP_HOST'];   // works for example.com or any LDAP_HOST
-$msg = '';
-if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $uid = trim($_POST['uid'] ?? '');
-    $password = $_POST['password'] ?? '';
-
-    if ($uid && $password) {
-        // DIRECT LDAPS CONNECTION — NO STARTTLS NEEDED
-        $ldap = ldap_connect("ldaps://127.0.0.1:636");
-	// Allow self-signed cert for ldaps://
-	putenv('LDAPTLS_REQCERT=allow');
-        if (!$ldap) {
-            $msg = "<p style='color:red'>Cannot connect to LDAP server</p>";
-        } else {
-            ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
-            ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
-
-            $bind_dn = "uid=$uid,ou=People,dc=$host";
-            if (@ldap_bind($ldap, $bind_dn, $password)) {
-                $msg = "<p style='color:green;font-weight:bold'>Login successful! Welcome $uid 🎉</p>";
-            } else {
-                $msg = "<p style='color:red'>Invalid credentials</p>";
-            }
-            ldap_close($ldap);
-        }
-    } else {
-        $msg = "<p style='color:red'>uid=$uid,ou=People,dc=$host Please fill both fields</p>";
-    }
-}
-?>
-
-<!DOCTYPE html>
-<html>
-<head>
-    <title>ldapdock – LDAP login</title>
-    <style>
-        body { font-family: Arial, sans-serif; max-width: 400px; margin: 100px auto; text-align: center; }
-        input, button { padding: 10px; margin: 5px; width: 100%; font-size: 16px; }
-        button { background: #007cba; color: white; cursor: pointer; }
-    </style>
-</head>
-<body>
-    <h1>ldapdock login</h1>
-    <p>Server: <strong><?= htmlspecialchars($host) ?></strong></p>
-    <?= $msg ?>
-    <form method="post">
-        <input type="text" name="uid" placeholder="uid (e.g. marisa)" required autofocus><br>
-        <input type="password" name="password" placeholder="password" required><br>
-        <button type="submit">Login</button>
-    </form>
-    <hr>
-    <small>Test user: marisa / q*****</small>
-</body>
-</html>