okasion/ldapdock
2
1
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
eba28bef8d
ldapdock/entrypoint.sh
Marisa 4b25c3759f Update entrypoint.sh
2025-11-12 11:18:10 -05:00

151 lines
4.1 KiB
Bash
Raw Blame History

#!/bin/bash
# this script runs INSIDE the container
#!/bin/bash
#set -e # Exit on any error
echo "--> Starting ldapdock 0.9"
echo "--> Launching slapd (temp)..."
# Start slapd temporarily for setup
/usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap &
sleep 3
# Populate with user & group
echo "--> Populating directory with marisa..."
cat > /tmp/add_content.ldif << 'EOF'
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
dn: cn=mages,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: mages
gidNumber: 5000
memberUid: marisa
dn: uid=marisa,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: marisa
sn: Kirisame
givenName: Marisa
cn: Marisa Kirisame
displayName: Marisa Kirisame
uidNumber: 10000
gidNumber: 5000
userPassword: {CRYPT}x
gecos: Marisa Kirisame
loginShell: /bin/bash
homeDirectory: /home/marisa
EOF
ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/add_content.ldif
ldappasswd -x -D "cn=admin,dc=example,dc=com" -w admin -s qwerty "uid=marisa,ou=People,dc=example,dc=com"
# Kill temp slapd
pkill slapd
sleep 2
# === CERTIFICATES: ONLY IF NOT ALREADY EXPORTED ===
if [ ! -f "/export-certs/mycacert.crt" ]; then
echo "--> No CA found in /export-certs → generating certificates..."
mkdir -p /etc/ldap/certs
cd /etc/ldap/certs
# CA
certtool --generate-privkey --bits 4096 --outfile ca-key.pem
cat > ca.info <<EOF
cn = Example Company CA
ca
cert_signing_key
expiration_days = 3650
EOF
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
# Server
certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
cat > ldap01.info <<EOF
organization = Example Company
cn = example.com
tls_www_server
encryption_key
signing_key
expiration_days = 365
EOF
certtool --generate-certificate \
--load-privkey ldap01_slapd_key.pem \
--load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--template ldap01.info \
--outfile ldap01_slapd_cert.pem
# Permissions
chgrp openldap ldap01_slapd_key.pem
chmod 640 ldap01_slapd_key.pem
# Bundle
cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
chown root:openldap ldap01_slapd_cert_full.pem
chmod 640 ldap01_slapd_cert_full.pem
# Start temp slapd to apply config
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
sleep 3
# Apply TLS config
cat > /tmp/certinfo.ldif <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/certs/ca-cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certs/ldap01_slapd_cert_full.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
# Trust locally
cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
update-ca-certificates
# Kill temp
pkill slapd
sleep 2
# === EXPORT TO HOST (always, since volume is mounted) ===
echo "--> Exporting CA to /export-certs..."
cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
echo "--> CA ready at ./hosts-certs/mycacert.crt on host"
else
echo "--> CA already exists at /export-certs/mycacert.crt → skipping generation"
fi
# === FINAL SLAPD START ===
echo "--> Starting final slapd with LDAPS..."
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
sleep 3
# === ENABLE TLS FOR ALL CLIENT TOOLS INSIDE CONTAINER ===
export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
echo "LDAPTLS_CACERT=$LDAPTLS_CACERT (all ldap* commands now work with TLS)"
echo "--> ldapdock framework ready."
# === KEEP CONTAINER ALIVE ===
# 'exec' replaces the script process with the command (e.g., /bin/bash),
# ensuring the container stays alive as long as that command runs interactively.
echo "Executing: $@"
exec "$@"
Reference in New Issue View Git Blame Copy Permalink