ldapdock/entrypoint.sh

#!/bin/bash
#set -euo pipefail

# Fix permissions
chown -R openldap:openldap /var/lib/ldap /etc/ldap/slapd.d /etc/ldap/certs 2>/dev/null || true
chmod -R 777 /export-certs 2>/dev/null || true

#──────────────────────────────────────────────────────────────
# Correct base DN and hostname
export LDAP_HOST="${LDAP_HOST:-$(hostname)}"
export LDAP_BASE_DN=dc=$(echo "$LDAP_HOST" | sed 's/\./,dc=/g')
echo "--> Using LDAP base DN: ${LDAP_BASE_DN}"
#──────────────────────────────────────────────────────────────

echo "--> Starting ldapdock 0.10"

# Temporarily "relax" strict security on start to configure stuff
if [ -d "/etc/ldap/slapd.d" ] && ls /etc/ldap/slapd.d/* >/dev/null 2>&1; then
    echo "--> Temporarily relaxing security for init"
    slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
    sleep 6
    ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 <<EOF || true
dn: cn=config
changetype: modify
delete: olcLocalSSF
-
delete: olcSecurity
-
EOF
    pkill slapd || true
    sleep 2
fi

# Start temporary slapd for Users and Groups addition
echo "--> Starting temporary slapd"
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
SLAPD_PID=$!
sleep 8

# Full tree with root entry
cat > /tmp/base.ldif <<EOF
dn: ${LDAP_BASE_DN}
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Company

dn: ou=People,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: People

dn: ou=Groups,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: Groups

dn: cn=mages,ou=Groups,${LDAP_BASE_DN}
objectClass: posixGroup
cn: mages
gidNumber: 5000

dn: uid=marisa,ou=People,${LDAP_BASE_DN}
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: marisa
sn: Kirisame
givenName: Marisa
cn: Marisa Kirisame
displayName: Marisa Kirisame
uidNumber: 10000
gidNumber: 5000
userPassword: {CRYPT}x
loginShell: /bin/bash
homeDirectory: /home/marisa
gecos: Marisa Kirisame
EOF


echo "--> Adding base structure"
ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/base.ldif || true

#ADMIN_DN="cn=admin,${LDAP_BASE_DN}"
#ADMIN_PW="admin"
#slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
#ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" >/dev/null 2>&1 
#if [ $? -ne 0 ]; then
#    echo "--> CRITICAL ERROR: Failed to set Marisa's password with Admin credentials. Check ACLs or admin password."
#fi

# Set a hardcoded password for Marisa to enable tests on the user
#echo "--> Setting Marisa password to 'MarisaNewPass2025'"
#slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
#ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 || true

#──────────────────────────────────────────────────────────────
# TLS BLOCK 
#──────────────────────────────────────────────────────────────
if [ ! -f "/export-certs/mycacert.crt" ]; then
    echo "--> No CA found → generating certificates..."
    mkdir -p /etc/ldap/certs
    cd /etc/ldap/certs
    certtool --generate-privkey --bits 4096 --outfile ca-key.pem
    cat > ca.info <<EOF
cn = Example Company CA
ca
cert_signing_key
expiration_days = 3650
EOF
    certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
    certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
    cat > ldap01.info <<EOF
organization = Example Company
cn = ${LDAP_HOST}
tls_www_server
encryption_key
signing_key
expiration_days = 365
EOF
    certtool --generate-certificate \
      --load-privkey ldap01_slapd_key.pem \
      --load-ca-certificate ca-cert.pem \
      --load-ca-privkey ca-key.pem \
      --template ldap01.info \
      --outfile ldap01_slapd_cert.pem
    chgrp openldap ldap01_slapd_key.pem
    chmod 640 ldap01_slapd_key.pem
    cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
    chown root:openldap ldap01_slapd_cert_full.pem
    chmod 640 ldap01_slapd_cert_full.pem
    echo "--> Starting second temporary slapd to apply TLS config"
    slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
    sleep 4
    cat > /tmp/certinfo.ldif <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/certs/ca-cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certs/ldap01_slapd_cert_full.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
EOF
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
    cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
    update-ca-certificates
    pkill slapd || true
    sleep 2
    echo "--> Exporting certificates to host volume..."
    cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
    cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
else
    echo "--> Certificates already exist — skipping generation and using existing ones"
    export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem    
fi

# Set a hardcoded password for Marisa to enable tests on the user
echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind"

# Define your Admin DN and Password from the Dockerfile
ADMIN_DN="cn=admin,${LDAP_BASE_DN}"
ADMIN_PW="admin"

slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" >/dev/null 2>&1

# Kill temporary slapd
kill $SLAPD_PID 2>/dev/null || true
wait $SLAPD_PID 2>/dev/null || true

# Start OpenLDAP in background
echo "--> Starting final OpenLDAP (background)"
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
SLAPD_PID=$!

# Start Apache in background
echo "--> Starting Apache + PHP (background)"
/usr/sbin/apache2ctl -D FOREGROUND  &
APACHE_PID=$!

# Victory message
echo "--> ldapdock ready — OpenLDAP + Apache + PHP running"
echo "   → LDAP: 389/636"
echo "   → Web:  http://localhost/info.php"
echo "   → Shell: you are here forever"
echo "   → Stop with Ctrl+C"

# THIS IS THE MAGIC LINE THAT KILLS CHILD PROCESSES ON EXIT
trap 'echo "Stopping services..."; kill $SLAPD_PID $APACHE_PID 2>/dev/null; wait' SIGINT SIGTERM

# Give you your interactive shell — forever
exec "$@"