commit inicial

2019-04-07 23:44:01 -03:00
commit 978e630342
9 changed files with 1295 additions and 0 deletions
--- a/files/Dockerfile
+++ b/files/Dockerfile
@@ -0,0 +1,40 @@
+FROM debian:stable-slim
+
+MAINTAINER Mauro Torrez <contact@mau.ro>
+
+ENV OPENLDAP_ROOT_PASSWORD="root"
+
+# space-separated list of schemas
+ENV OPENLDAP_SCHEMAS="misc"
+
+ENV OPENLDAP_BACKUP_MIN="0"
+ENV OPENLDAP_BACKUP_HOUR="1"
+ENV OPENLDAP_BACKUP_DOM="*"
+ENV OPENLDAP_BACKUP_MON="*"
+ENV OPENLDAP_BACKUP_DOW="*"
+# TODO configurar Cron de backup
+
+RUN apt-get update && \
+	DEBIAN_FRONTEND=noninteractive apt-get install -y \
+	slapd \
+        ldap-utils && \
+	apt-get clean && \
+	rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+COPY entrypoint.sh /entrypoint.sh
+
+# TODO backup and restore
+# ADD ldap_backup.sh /usr/local/sbin/ldap_backup.sh
+# ADD ldap_restore.sh /usr/local/sbin/ldap_restore.sh
+
+# add my_custom_schema: install by setting OPENLDAP_SCHEMAS=my_custom_schema
+# COPY my_custom_schema.ldif /etc/ldap/schema/my_custom_schema.ldif
+
+EXPOSE 389
+
+VOLUME ["/etc/ldap/slapd.d", "/var/lib/ldap", "/var/backups/ldap"]
+
+ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
+# log level info:
+
+CMD ["slapd", "-d", "32768", "-u", "openldap", "-g", "openldap"]
--- a/files/entrypoint.sh
+++ b/files/entrypoint.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+msg(){ ${VERBOSE:-true} && echo ${@} ; }
+assert(){ [[ $? -eq 0 ]] || { [[ -n ${1} ]] && msg ${@} ; exit 1 ; } }
+
+# from https://github.com/dinkel/docker-openldap/blob/master/entrypoint.sh:
+# When not limiting the open file descritors limit, the memory consumption of
+# slapd is absurdly high. See https://github.com/docker/docker/issues/8231
+ulimit -n 8192
+
+msg "I: running slapd for initial setup..."
+slapd -u openldap -g openldap -h ldapi:///
+assert "E: openldap died unexpectedly!"
+
+PIDFILE=$(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" -s base \
+		     "" olcPidFile | grep olcPidFile | awk "{print $2}")
+msg "I: slapd running with PID ${PIDFILE}"
+
+[[ -n "${OPENLDAP_ADMIN_PASSWORD}" ]]
+assert "E: please set non-empty password in OPENLDAP_ADMIN_PASSWORD and retry."
+
+HASHED_PW=$(slappasswd -h {SSHA} -s "${OPENLDAP_ADMIN_PASSWORD}")
+[[ -n "${HASHED_PW}" ]]
+assert "E: password hash unexpectedly empty!"
+
+msg "I: Setting administrator password..."
+ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: ${HASHED_PW}
+
+EOF
+assert "FATAL: failure setting administrator password!"
+
+# find current schemas
+eval "declare -A LOADED_SCHEMAS=( $(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// \
+                                     -b "cn=schema,cn=config" -s one cn \
+                          | sed -n 's/^cn:.*[{].*[}]\(.*\)$/[\1]=loaded/p') )"
+msg "I: currently loaded schemas: ${!LOADED_SCHEMAS[@]}"
+
+# load schemas
+# built-in: core, cosine, nis, inetorgperson
+# available: collective, corba, duaconf, dyngroup, java, misc, nis, openldap, pmi, ppolicy
+for schema in ${OPENLDAP_SCHEMAS}
+do
+    [[ -z "${LOADED_SCHEMAS[$schema]}" ]] || continue;
+    msg "I: loading schema ${schema}..."
+    [[ -f /etc/ldap/schema/${schema}.ldif ]]
+    assert "E: schema /etc/ldap/schema/${schema}.ldif not found!"
+    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/${schema}.ldif
+    assert "E: failure loading schema ${schema}!"
+done
+
+# enable memberof module
+if ${OPENLDAP_ENABLE_MEMBEROF}
+then
+    msg "I: enabling memberof module ..."
+    ldapmodify -LLL -Y EXTERNAL -H ldapi:/// <<EOF
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: memberof
+
+EOF
+    RES=$?
+    [[ $RES -eq 0 ]] || [[ $RES -eq 20 ]]
+    assert "E: failed loading memberof module (${RES})"
+    msg "I: module memberof enabled (${RES})"
+    unset RES
+fi
+
+# kill slapd after initial setup
+msg "I: killing initial server..."
+kill -INT $(cat ${PIDFILE})
+
+# unset sensitive variables
+unset OPENLDAP_ROOT_PASSWORD
+unset HASHED_PW
+unset LOADED_SCHEMAS
+unset PIDFILE
+
+# run Dockerfile CMD
+msg "I: running CMD $@"
+set -e
+exec "$@"