#!/bin/bash
#set -euo pipefail
#
# ldapdock container entrypoint: fixes ownership of the OpenLDAP state
# directories, derives the base DN from the hostname, bootstraps the
# directory via temporary slapd instances, generates (or reuses) a self-signed
# CA + server certificate, starts the final slapd and Apache/PHP, installs
# phpLDAPadmin once, and finally exec's the command given in "$@".
#
# Environment:
#   LDAP_HOST  optional; defaults to $(hostname). Drives LDAP_BASE_DN.
#
# NOTE(review): strict mode is commented out above and most failures are
# swallowed with "|| true", so a failed step does not stop the boot — later
# steps run against a half-configured directory. Critical commands (cd,
# certtool, ldapmodify of cn=config) would need explicit "|| exit" checks.
#
# NOTE(review): this copy of the script was extracted from a web page that
# swallowed every "<<EOF ... EOF" here-document up to the next ">" character.
# Lines marked "GARBLED" below are what survived; the original LDIF / certtool
# template bodies are not recoverable from this copy and must be restored
# from the original source before the script is run.

# Fix permissions
chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs 2>/dev/null || true
# NOTE(review): /export-certs is made world-writable. Later in this script a
# file from that directory (certinfo.ldif) is copied back and applied to
# cn=config with -Y EXTERNAL (root authority), and the mere existence of
# mycacert.crt there decides whether certificates are regenerated. Any local
# user or sharing container can therefore alter what this script trusts and
# applies. Prefer a mode such as 750 with a dedicated group, or copy the
# public certificates out without relaxing the directory mode.
chmod -R 777 /export-certs 2>/dev/null || true
#──────────────────────────────────────────────────────────────
# Correct base DN and hostname
export LDAP_HOST="${LDAP_HOST:-$(hostname)}"
# "ldap.example.com" -> "dc=ldap,dc=example,dc=com"; a hostname without dots
# yields a single "dc=<host>" component.
export LDAP_BASE_DN=$(echo "$LDAP_HOST" | sed 's/\.\([^.]*\)/,dc=\1/g; s/^/dc=/')
echo "--> Using LDAP base DN: ${LDAP_BASE_DN}"
#──────────────────────────────────────────────────────────────
echo "--> Starting ldapdock 0.10"
# Temporarily "relax" strict security on start to configure stuff
# NOTE(review): fixed sleeps after each "slapd ... &" are a race on slow
# hosts; polling readiness (e.g. a base-scope ldapsearch over ldapi:///
# until it succeeds) would be deterministic. Applies to every sleep below.
if [ -d "/etc/ldap/slapd.d" ] && ls /etc/ldap/slapd.d/* >/dev/null 2>&1; then
  echo "--> Temporarily relaxing security for init"
  slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
  sleep 6
  # GARBLED: originally "ldapmodify ... <<EOF" with an LDIF body (the
  # "relax security" cn=config change), its EOF terminator, probably the
  # shutdown of the slapd started just above, this block's closing "fi" and
  # the start of 'echo "--> Starting temporary slapd"'. Only the tail of
  # that echo string survived. The slapd started above is not visibly
  # stopped before the next one is launched.
  ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 < Starting temporary slapd"
# First temporary slapd used for the base-structure load; its PID is kept so
# it can be stopped before the final instance starts.
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
SLAPD_PID=$!
sleep 8
# Full tree with root entry
# GARBLED: originally "cat > /tmp/base.ldif <<EOF", the base LDIF body, EOF
# and 'echo "--> Adding base structure"'.
cat > /tmp/base.ldif < Adding base structure"
# NOTE(review): the bind DN is hard-coded to dc=example,dc=com while the
# rest of the script uses "cn=admin,${LDAP_BASE_DN}" (see ADMIN_DN below).
# For any hostname other than example.com this bind fails and "|| true"
# hides it, so the base tree is silently never created. The admin password
# is also hard-coded here ("-w admin") and exposed on the command line.
ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/base.ldif || true
#──────────────────────────────────────────────────────────────
# TLS BLOCK
#──────────────────────────────────────────────────────────────
# Generates a self-signed CA and a server certificate on first boot; on later
# boots the presence of /export-certs/mycacert.crt skips generation.
if [ ! -f "/export-certs/mycacert.crt" ]; then
  echo "--> No CA found → generating certificates..."
  mkdir -p /etc/ldap/certs
  # NOTE(review): no "|| exit" — if this cd fails (strict mode is off) the
  # key and certificate files below are written relative to the previous cwd.
  cd /etc/ldap/certs
  certtool --generate-privkey --bits 4096 --outfile ca-key.pem
  # GARBLED: originally "cat > ca.info <<EOF" (CA template), EOF, the CA
  # self-sign step, "cat > ldap01.info <<EOF" (server template), EOF, the
  # server key/certificate generation and the "cat ... > ldap01_slapd_cert_full.pem"
  # concatenation. The server key's ownership/permissions were set somewhere
  # in this lost span — confirm the key is not world-readable.
  cat > ca.info < ldap01.info < ldap01_slapd_cert_full.pem
  chown root:openldap ldap01_slapd_cert_full.pem
  chmod 640 ldap01_slapd_cert_full.pem
  echo "--> Starting second temporary slapd to apply TLS config"
  # NOTE(review): this instance is not visibly stopped; the "pkill -9 slapd"
  # further down appears to be what cleans it up.
  slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
  sleep 4
  # GARBLED: originally "cat > /tmp/certinfo.ldif <<EOF" (olcTLS* cn=config
  # attributes), EOF, presumably the ldapmodify that applied it, and
  # 'echo "--> Exporting certificates to host volume..."'.
  cat > /tmp/certinfo.ldif < Exporting certificates to host volume..."
  # Only public material is exported (CA cert and full server chain).
  cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
  cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
else
  echo "--> Certificates already exist — skipping generation and using existing ones"
fi
# NOTE(review): this disables server-certificate verification for every
# ldap* client tool in this shell and in the command exec'd at the end.
# Acceptable for a self-signed dev setup; in any other deployment use
# LDAPTLS_REQCERT=demand with LDAPTLS_CACERT pointing at ca-cert.pem.
export LDAPTLS_REQCERT=allow
# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
# NEW: Save and restore the LDIF — no changes to TLS block
# NOTE(review): on a boot where the certificates already exist but
# certinfo.ldif was never saved, /tmp/certinfo.ldif does not exist, this cp
# fails (unchecked), and the later "ldapmodify -f /tmp/certinfo.ldif" fails
# too — the final slapd then comes up without TLS config.
if [ ! -f "/export-certs/certinfo.ldif" ]; then
  echo "--> Saving TLS config LDIF for future restarts"
  cp /tmp/certinfo.ldif /export-certs/certinfo.ldif
fi
# NOTE(review): the restored file comes from the world-writable export
# volume (see chmod above) and is applied to cn=config as root below.
if [ -f "/export-certs/certinfo.ldif" ]; then
  echo "--> Restoring TLS config LDIF from persistent volume"
  cp /export-certs/certinfo.ldif /tmp/certinfo.ldif
fi
# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
# Set Marisa password (full LDIF — so ldapmodify knows what to modify)
# NOTE(review): the cleartext password is printed to the container log by
# this echo, passed to slappasswd via "-s" (visible in ps/argv) and the
# admin password is likewise passed with "-w". Reading both from the
# environment or a secrets file and using "-y"/stdin would avoid that.
echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind"
ADMIN_DN="cn=admin,${LDAP_BASE_DN}"
ADMIN_PW="admin"
# The SSHA hash from slappasswd arrives on this pipeline's stdin; the
# here-document below pulls it in with "$(< /dev/stdin)" while the document
# is expanded. GARBLED: the opener was "<<EOF >/dev/null 2>&1" — only the
# leading "<" and the redirections survived; the document body and EOF are
# intact.
slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" </dev/null 2>&1
dn: uid=marisa,ou=People,${LDAP_BASE_DN}
changetype: modify
replace: userPassword
userPassword: $(< /dev/stdin)
EOF
# Kill temporary slapd
kill $SLAPD_PID 2>/dev/null || true
wait $SLAPD_PID 2>/dev/null || true
# Kill any stray slapd that might be holding ports
# NOTE(review): SIGKILL skips slapd's clean shutdown; sending TERM first and
# waiting (KILL only as a fallback) is the safer order for the database.
pkill -9 slapd 2>/dev/null || true
sleep 2
# Start final OpenLDAP
echo "--> Starting final OpenLDAP (background)"
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
SLAPD_PID=$!
sleep 8
# Apply TLS config to final slapd
echo "--> Applying TLS config to final slapd"
# Root-authority write to cn=config; its input is the file restored above.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
# Restart slapd to load the new TLS config (required for OpenLDAP)
echo "--> Restarting slapd to load TLS config"
kill $SLAPD_PID 2>/dev/null || true
wait $SLAPD_PID 2>/dev/null || true
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
SLAPD_PID=$!
sleep 8
# Make the container trust its own CA — every time
# Trust is installed from the in-container copy, not from /export-certs.
cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt 2>/dev/null || true
update-ca-certificates --fresh >/dev/null 2>&1 || true
# Start Apache inside APACHE_PID variable in background
echo "--> Starting Apache + PHP (background)"
/usr/sbin/apache2ctl -D FOREGROUND &
APACHE_PID=$!
sleep 5
# HTTPS setup — using the real LDAP certificates
echo "--> Configuring Apache for HTTPS with real certificates"
export DEBIAN_FRONTEND=noninteractive  # Silence a2ensite prompts
# NOTE(review): Apache reuses the LDAP server's private key. Apache's parent
# process opens it as root, so this works as long as the key is root-readable;
# a compromise of either service exposes the shared key — confirm this is
# intended rather than issuing a second certificate.
APACHE_CERT_FILE="/etc/ldap/certs/ldap01_slapd_cert_full.pem"
APACHE_KEY_FILE="/etc/ldap/certs/ldap01_slapd_key.pem"
# Enable the site silently
# NOTE(review): assumes mod_ssl is already enabled in the image (no
# "a2enmod ssl" is visible here) — confirm, otherwise default-ssl.conf does
# not load and the graceful reload below fails silently.
a2ensite default-ssl.conf >/dev/null 2>&1
# Replace the snakeoil certs with your real ones
# Patterns are anchored on the directive name, so the first sed does not
# touch SSLCertificateKeyFile.
sed -i -E "s|^\s*SSLCertificateFile\s+.*|SSLCertificateFile ${APACHE_CERT_FILE}|g" \
  /etc/apache2/sites-available/default-ssl.conf
sed -i -E "s|^\s*SSLCertificateKeyFile\s+.*|SSLCertificateKeyFile ${APACHE_KEY_FILE}|g" \
  /etc/apache2/sites-available/default-ssl.conf
# Reload Apache gracefully (updates config without killing)
apache2ctl graceful >/dev/null 2>&1
sleep 5
# ──────────────────────────────
# phpLDAPadmin — auto-installed, no rebuild, works forever
# ──────────────────────────────
echo "--> Installing phpLDAPadmin"
# Only install once — use a flag file
if [ ! -f "/var/www/html/phpldapadmin-installed" ]; then
  # NOTE(review): unchecked cd (strict mode is off) — a failure here would
  # unpack the tarball into the previous cwd.
  cd /var/www/html
  # Download and extract (direct tarball, no git needed)
  # NOTE(review): the tarball is pinned to a tag but its integrity is not
  # verified; record the expected digest in the image and check it with
  # sha256sum before extracting, or vendor the archive into the image.
  wget -q -O phpldapadmin.tgz \
    https://github.com/leenooks/phpLDAPadmin/archive/refs/tags/1.2.6.7.tar.gz
  tar xzf phpldapadmin.tgz
  mv phpLDAPadmin-1.2.6.7 phpldapadmin
  rm phpldapadmin.tgz
  # Copy config and apply minimal working settings
  # The example config is copied and then immediately overwritten in full by
  # the here-document below, so the cp has no lasting effect.
  cp phpldapadmin/config/config.php.example phpldapadmin/config/config.php
  # GARBLED: originally "cat > phpldapadmin/config/config.php <<EOF" followed
  # by "<?php" and the start of the "$servers = $config->newServer(...)"
  # line; the "\$" escapes below keep PHP variables literal in the expanded
  # here-document. NOTE(review): bind_pass stores the admin password in
  # cleartext under the web root; auth_type 'session' would let users log in
  # with their own credentials instead of a shared admin bind.
  cat > phpldapadmin/config/config.php <newServer('ldap_pla');
\$servers->setValue('server','name','Local OpenLDAP');
\$servers->setValue('server','host','127.0.0.1');
\$servers->setValue('server','port',389);
\$servers->setValue('server','base',array('${LDAP_BASE_DN}'));
\$servers->setValue('server','tls',true);
\$servers->setValue('login','auth_type','session');
\$servers->setValue('login','bind_id','cn=admin,${LDAP_BASE_DN}');
\$servers->setValue('login','bind_pass','admin');
?>
EOF
  # Mark as installed
  touch /var/www/html/phpldapadmin-installed
  echo "--> phpLDAPadmin installed → https://localhost/phpldapadmin"
else
  echo "--> phpLDAPadmin already installed"
fi
# Victory message
echo "--> ldapdock ready — OpenLDAP + Apache + PHP running"
echo " → LDAP: 389/636"
echo " → PHPinfo: https://localhost/info.php"
echo " → Shell: /bin/bash"
echo " → Exit with CTRL+D or 'exit' command"
# THIS IS THE MAGIC LINE THAT KILLS CHILD PROCESSES ON EXIT
# NOTE(review): this trap never fires. "exec" on the next line replaces the
# shell with "$@", and shell traps do not survive exec, so slapd and Apache
# are not stopped on SIGINT/SIGTERM. To keep the trap, run the command
# without exec (e.g. "$@"; then kill/wait the PIDs) — or install the handler
# in a tiny init that stays PID 1. If "$@" is empty, exec is a no-op and the
# script simply ends, orphaning both services.
trap 'echo "Stopping services..."; kill $SLAPD_PID $APACHE_PID 2>/dev/null; wait' SIGINT SIGTERM
# Give you your interactive shell — forever
exec "$@"