okasion/ldapdock
2
1
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
593fecbd65
ldapdock/entrypoint.sh
Marisa 593fecbd65 Upload files to "/"
2025-12-02 07:29:20 -05:00

175 lines
5.7 KiB
Bash
Raw Blame History

#!/bin/bash
set -euo pipefail
# Fix permissions
chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs 2>/dev/null || true
chmod -R 777 /export-certs 2>/dev/null || true
#──────────────────────────────────────────────────────────────
# Correct base DN and hostname
#export LDAP_HOST="${LDAP_HOST:-example.com}"
export LDAP_HOST="${LDAP_HOST:-$(hostname)}"
export LDAP_BASE_DN=dc=$(echo "$LDAP_HOST" | sed 's/\./,dc=/g')
echo "--> Using LDAP base DN: ${LDAP_BASE_DN}"
#──────────────────────────────────────────────────────────────
echo "--> Starting ldapdock 0.10"
# Temporarily "relax" strict security on start to configure stuff
if [ -d "/etc/ldap/slapd.d" ] && ls /etc/ldap/slapd.d/* >/dev/null 2>&1; then
echo "--> Temporarily relaxing security for init"
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
sleep 6
ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 <<EOF || true
dn: cn=config
changetype: modify
delete: olcLocalSSF
-
delete: olcSecurity
-
EOF
pkill slapd || true
sleep 2
fi
# Start temporary slapd for Users and Groups addition
echo "--> Starting temporary slapd"
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
SLAPD_PID=$!
sleep 8
# Full tree with root entry
cat > /tmp/base.ldif <<EOF
dn: ${LDAP_BASE_DN}
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Company
dn: ou=People,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: People
dn: ou=Groups,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: Groups
dn: cn=mages,ou=Groups,${LDAP_BASE_DN}
objectClass: posixGroup
cn: mages
gidNumber: 5000
dn: uid=marisa,ou=People,${LDAP_BASE_DN}
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: marisa
sn: Kirisame
givenName: Marisa
cn: Marisa Kirisame
displayName: Marisa Kirisame
uidNumber: 10000
gidNumber: 5000
userPassword: {CRYPT}x
loginShell: /bin/bash
homeDirectory: /home/marisa
gecos: Marisa Kirisame
EOF
echo "--> Adding base structure"
ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/base.ldif || true
# Set a hardcoded password for Marisa to enable tests on the user
echo "--> Setting Marisa password to 'MarisaNewPass2025'"
slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 || true
#──────────────────────────────────────────────────────────────
# TLS BLOCK
#──────────────────────────────────────────────────────────────
if [ ! -f "/export-certs/mycacert.crt" ]; then
echo "--> No CA found → generating certificates..."
mkdir -p /etc/ldap/certs
cd /etc/ldap/certs
certtool --generate-privkey --bits 4096 --outfile ca-key.pem
cat > ca.info <<EOF
cn = Example Company CA
ca
cert_signing_key
expiration_days = 3650
EOF
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
cat > ldap01.info <<EOF
organization = Example Company
cn = ${LDAP_HOST}
tls_www_server
encryption_key
signing_key
expiration_days = 365
EOF
certtool --generate-certificate \
--load-privkey ldap01_slapd_key.pem \
--load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--template ldap01.info \
--outfile ldap01_slapd_cert.pem
chgrp openldap ldap01_slapd_key.pem
chmod 640 ldap01_slapd_key.pem
cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
chown root:openldap ldap01_slapd_cert_full.pem
chmod 640 ldap01_slapd_cert_full.pem
echo "--> Starting second temporary slapd to apply TLS config"
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
sleep 4
cat > /tmp/certinfo.ldif <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/certs/ca-cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certs/ldap01_slapd_cert_full.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
update-ca-certificates
pkill slapd || true
sleep 2
echo "--> Exporting certificates to host volume..."
cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
else
echo "--> Certificates already exist — skipping generation"
fi
# Kill temporary slapd
kill $SLAPD_PID 2>/dev/null || true
wait $SLAPD_PID 2>/dev/null || true
# Start OpenLDAP in background
echo "--> Starting final OpenLDAP (background)"
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
SLAPD_PID=$!
# Start Apache in background
echo "--> Starting Apache + PHP (background)"
apache2ctl -D FOREGROUND &
APACHE_PID=$!
# Victory message
echo "--> ldapdock ready — OpenLDAP + Apache + PHP running"
echo " → LDAP: 389/636"
echo " → Web: http://localhost/info.php"
echo " → Shell: you are here forever"
echo " → Stop with Ctrl+C"
# THIS IS THE MAGIC LINE THAT KILLS CHILD PROCESSES ON EXIT
trap 'echo "Stopping services..."; kill $SLAPD_PID $APACHE_PID 2>/dev/null; wait' SIGINT SIGTERM
# Give you your interactive shell — forever
exec "$@"
Reference in New Issue View Git Blame Copy Permalink