commit
093586313d
13
.drone.yml
13
.drone.yml
@ -3,6 +3,19 @@ kind: pipeline
|
||||
name: default
|
||||
|
||||
steps:
|
||||
- name: build image only
|
||||
image: plugins/docker
|
||||
settings:
|
||||
repo: eumau/openldap
|
||||
auto_tag: true
|
||||
dry_run: true
|
||||
when:
|
||||
ref:
|
||||
- refs/pull/**
|
||||
# event no anda (?)
|
||||
# event:
|
||||
# - pull_request
|
||||
|
||||
- name: build and publish image
|
||||
image: plugins/docker
|
||||
settings:
|
||||
|
20
Dockerfile
20
Dockerfile
@ -1,25 +1,25 @@
|
||||
FROM eumau/debian:buster-slim
|
||||
|
||||
# admin CN => dn: cn=%%ADMIN_CN%%,%%DOMAIN_DN%%
|
||||
ENV LDAP_ADMIN_CN="admin"
|
||||
# admin CN, DN => cn=%%ADMIN_DN%%,%%DOMAIN_DN%%
|
||||
ENV LDAP_ADMIN_PASSWORD="admin"
|
||||
# password for cn=%%ADMIN_DN%%,%%DOMAIN_DN%%
|
||||
ENV LDAP_CONFIG_PASSWORD="${LDAP_ADMIN_PASSWORD}"
|
||||
ENV LDAP_ADMIN_PASSWORD="admin"
|
||||
# password for cn=admin,cn=config
|
||||
ENV LDAP_CONFIG_PASSWORD="${LDAP_ADMIN_PASSWORD}"
|
||||
# domain name (example.org)
|
||||
ENV LDAP_DOMAIN=""
|
||||
# domain O (example.org)
|
||||
ENV LDAP_DOMAIN_ACCESS="{0}to attrs=userPassword by self write by anonymous auth by * none\n{1}to attrs=shadowLastChange by self write by * read\n{2}to * by * read"
|
||||
# olcDbAccess attribute for domain entry (newline-separated)
|
||||
ENV LDAP_DOMAIN_DN=""
|
||||
ENV LDAP_DOMAIN_ACCESS="{0}to attrs=userPassword by self write by anonymous auth by * none\n{1}to attrs=shadowLastChange by self write by * read\n{2}to * by * read"
|
||||
# domain DN (dc=example,dc=org)
|
||||
ENV LDAP_DOMAIN_INDEX="cn,uid eq\nmember,memberUid eq\nobjectClass eq\nuidNumber,gidNumber eq"
|
||||
ENV LDAP_DOMAIN_DN=""
|
||||
# olcDbIndex attribute for domain entry (newline-separated)
|
||||
ENV LDAP_DOMAIN_OUS="People Alias Group"
|
||||
ENV LDAP_DOMAIN_INDEX="cn,uid eq\nmember,memberUid eq\nobjectClass eq\nuidNumber,gidNumber eq"
|
||||
# domain OUs (space-separated)
|
||||
ENV LDAP_MEMBEROF="true"
|
||||
ENV LDAP_DOMAIN_OUS="People Alias Group"
|
||||
# enable memberOf module
|
||||
ENV LDAP_SCHEMAS="core cosine inetorgperson misc nis"
|
||||
ENV LDAP_MEMBEROF="true"
|
||||
# space-separated list of schemas to load
|
||||
ENV LDAP_SCHEMAS="core cosine inetorgperson misc nis"
|
||||
|
||||
RUN apt-get update \
|
||||
&& DEBIAN_FRONTEND=noninteractive apt-get install -y \
|
||||
|
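Review bot: `ENV LDAP_CONFIG_PASSWORD="${LDAP_ADMIN_PASSWORD}"` is expanded at build time, so the config password is baked into the image as the literal `admin` and does not follow a runtime `-e LDAP_ADMIN_PASSWORD=…`; an operator who overrides only the admin password still leaves `cn=admin,cn=config` protected by the default, which the comment `# password for cn=admin,cn=config` does not warn about. Declare it empty here, `ENV LDAP_CONFIG_PASSWORD=""`, and resolve the fallback in the entrypoint before its non-empty check, `LDAP_CONFIG_PASSWORD=${LDAP_CONFIG_PASSWORD:-${LDAP_ADMIN_PASSWORD}}`. The same goes for the `admin` default on `LDAP_ADMIN_PASSWORD`: the entrypoint already refuses to start on an empty value, so an empty default forces a deliberate choice instead of shipping a well-known credential in the image. The `RUN apt-get update` instruction at the end of the hunk continues outside it.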
171
entrypoint.sh
171
entrypoint.sh
@ -6,34 +6,45 @@ assert(){ [[ $? -eq 0 ]] || { [[ -n ${1} ]] && echo ${@} ; exit 1 ; } }
|
||||
# slapd is absurdly high. See https://github.com/docker/docker/issues/8231
|
||||
ulimit -n 8192
|
||||
|
||||
echo "I: running slapd for initial setup..."
|
||||
slapd -u openldap -g openldap -h ldapi:///
|
||||
assert "E: openldap died unexpectedly!"
|
||||
assert "FATAL: sldapd died unexpectedly!"
|
||||
|
||||
PIDFILE=$(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" -s base \
|
||||
"" olcPidFile | grep olcPidFile | awk "{print $2}")
|
||||
echo "I: slapd running with PID ${PIDFILE}"
|
||||
echo "slapd running. pidfile = ${PIDFILE}"
|
||||
|
||||
[[ -n "${LDAP_DOMAIN}" ]]
|
||||
assert "FATAL: Please set LDAP_DOMAIN and retry."
|
||||
DN0="dc=${LDAP_DOMAIN//./,dc=}"
|
||||
LDAP_DOMAIN_DN=${LDAP_DOMAIN_DN:=${DN0}}
|
||||
|
||||
echo "setting up domain = ${LDAP_DOMAIN}, dn = ${LDAP_DOMAIN_DN}"
|
||||
|
||||
[[ -n "${LDAP_CONFIG_PASSWORD}" ]]
|
||||
assert "E: please set non-empty password in LDAP_CONFIG_PASSWORD and retry."
|
||||
assert "FATAL: Please set LDAP_CONFIG_PASSWORD and retry."
|
||||
LDAP_CONFIG_PWHASH=$(slappasswd -h "{SSHA}" -s "${LDAP_CONFIG_PASSWORD}")
|
||||
|
||||
HASHED_PW=$(slappasswd -h "{SSHA}" -s "${LDAP_CONFIG_PASSWORD}")
|
||||
[[ -n "${LDAP_ADMIN_PASSWORD}" ]]
|
||||
assert "FATAL: Please set LDAP_ADMIN_PASSWORD and retry."
|
||||
LDAP_ADMIN_PWHASH=$(slappasswd -h "{SSHA}" -s "${LDAP_ADMIN_PASSWORD}")
|
||||
|
||||
echo "I: Setting administrator password..."
|
||||
# TODO: verify password before updating =======================================
|
||||
|
||||
echo "Setting cn=admin,cn=config password"
|
||||
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
|
||||
dn: olcDatabase={0}config,cn=config
|
||||
changetype: modify
|
||||
replace: olcRootPW
|
||||
olcRootPW: ${HASHED_PW}
|
||||
olcRootPW: ${LDAP_CONFIG_PWHASH}
|
||||
|
||||
EOF
|
||||
assert "FATAL: failure setting administrator password!"
|
||||
assert "FATAL: error setting cn=admin,cn=config password"
|
||||
|
||||
# find current schemas
|
||||
# SCHEMAS ---------------------------------------------------------------------
|
||||
eval "declare -A LOADED_SCHEMAS=( $(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// \
|
||||
-b "cn=schema,cn=config" -s one cn \
|
||||
| sed -n 's/^cn:.*[{].*[}]\(.*\)$/[\1]=loaded/p') )"
|
||||
echo "I: currently loaded schemas: ${!LOADED_SCHEMAS[@]}"
|
||||
echo "Loaded schemas: ${!LOADED_SCHEMAS[@]}"
|
||||
|
||||
# load schemas
|
||||
# built-in: core, cosine, nis, inetorgperson
|
||||
@ -41,18 +52,22 @@ echo "I: currently loaded schemas: ${!LOADED_SCHEMAS[@]}"
|
||||
for schema in ${LDAP_SCHEMAS}
|
||||
do
|
||||
[[ -z "${LOADED_SCHEMAS[$schema]}" ]] || continue;
|
||||
echo "I: loading schema ${schema}..."
|
||||
[[ -f /etc/ldap/schema/${schema}.ldif ]]
|
||||
assert "E: schema /etc/ldap/schema/${schema}.ldif not found!"
|
||||
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/${schema}.ldif
|
||||
assert "E: failure loading schema ${schema}!"
|
||||
done
|
||||
|
||||
# enable memberof module
|
||||
echo "Loading ${schema} schema"
|
||||
|
||||
[[ -f /etc/ldap/schema/${schema}.ldif ]]
|
||||
assert "FATAL: schema file /etc/ldap/schema/${schema}.ldif not found!"
|
||||
|
||||
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/${schema}.ldif
|
||||
assert "FATAL: error loading schema ${schema}!"
|
||||
done
|
||||
# END SCHEMAS -----------------------------------------------------------------
|
||||
|
||||
# MEMBEROF MODULE -------------------------------------------------------------
|
||||
if ${LDAP_MEMBEROF}
|
||||
then
|
||||
echo "I: enabling memberof module ..."
|
||||
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
|
||||
echo "Enabling memberof module"
|
||||
ldapmodify -Y EXTERNAL -H ldapi:/// <<-EOF
|
||||
dn: cn=module{0},cn=config
|
||||
changetype: modify
|
||||
add: olcModuleLoad
|
||||
@ -61,17 +76,12 @@ olcModuleLoad: memberof
|
||||
EOF
|
||||
RES=$?
|
||||
[[ $RES -eq 0 ]] || [[ $RES -eq 20 ]]
|
||||
assert "E: failed loading memberof module (${RES})"
|
||||
echo "I: module memberof enabled (${RES})"
|
||||
assert "FATAL: error loading memberof module (return status ${RES})"
|
||||
unset RES
|
||||
fi
|
||||
# END MEMBEROF MODULE ---------------------------------------------------------
|
||||
|
||||
# 0. calcular DN a partir del dominio
|
||||
|
||||
# 1.3.0 crear password admin
|
||||
ADMIN_PW_HASH=$(slappasswd -h "{SSHA}" -s "${LDAP_ADMIN_PASSWORD}")
|
||||
|
||||
# 1.2 buscar dominio
|
||||
# DOMAIN SETUP ----------------------------------------------------------------
|
||||
if ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "cn=config" \
|
||||
"(&(olcSuffix=\"${LDAP_DOMAIN_DN}\")(olcDatabase=mdb))" | \
|
||||
egrep -q '^dn: '
|
||||
@ -85,7 +95,7 @@ else
|
||||
|
||||
echo "Creating cn=config entry for ${LDAP_DOMAIN_DN}"
|
||||
|
||||
ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
|
||||
ldapadd -Y EXTERNAL -H ldapi:/// <<-EOF
|
||||
dn: olcDatabase=mdb,cn=config
|
||||
objectClass: olcDatabaseConfig
|
||||
objectClass: olcMdbConfig
|
||||
@ -93,7 +103,7 @@ olcDbMaxSize: 1073741824
|
||||
olcSuffix: ${LDAP_DOMAIN_DN}
|
||||
olcDbDirectory: /var/lib/ldap/${LDAP_DOMAIN_DN}
|
||||
olcRootDN: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
|
||||
olcRootPW: ${ADMIN_PW_HASH}
|
||||
olcRootPW: ${LDAP_ADMIN_PWHASH}
|
||||
$(echo -ne "${LDAP_DOMAIN_ACCESS}" | sed -e 's/^/olcAccess: /g')
|
||||
olcDbCheckpoint: 512 30
|
||||
olcLastMod: TRUE
|
||||
@ -102,8 +112,10 @@ $(echo -ne "${LDAP_DOMAIN_LIMITS}" | sed -e 's/^/olcLimits: /g')
|
||||
EOF
|
||||
fi
|
||||
|
||||
echo "Get DN of cn=config entry for ${LDAP_DOMAIN_DN}"
|
||||
CN_CONFIG_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b cn=config "(&(olcSuffix=${LDAP_DOMAIN_DN})(olcDatabase=mdb))" | egrep '^dn: ' | sed -e 's/^dn: //g')
|
||||
echo "Get cn=config entry for ${LDAP_DOMAIN_DN}"
|
||||
CN_CONFIG_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "cn=config" \
|
||||
"(&(olcSuffix=${LDAP_DOMAIN_DN})(olcDatabase=mdb))" \
|
||||
| egrep '^dn: ' | sed -e 's/^dn: //g')
|
||||
|
||||
if [[ -n ${CN_CONFIG_DN} ]]
|
||||
then echo "Found DN = ${CN_CONFIG_DN}"
|
||||
@ -113,17 +125,32 @@ else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# 2. olcovrlay memberof
|
||||
# TODO: verify admin password before updating =================================
|
||||
|
||||
echo "Setting domain administrator password"
|
||||
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
|
||||
dn: ${CN_CONFIG_DN}
|
||||
changetype: modify
|
||||
replace: olcRootPW
|
||||
olcRootPW: ${LDAP_ADMIN_PWHASH}
|
||||
|
||||
EOF
|
||||
assert "FATAL: could not set administrator password!"
|
||||
# END DOMAIN SETUP ------------------------------------------------------------
|
||||
|
||||
# MEMBEROF OVERLAY ------------------------------------------------------------
|
||||
if [[ ${LDAP_MEMBEROF} ]]
|
||||
then
|
||||
echo "Check if memberOf is enabled"
|
||||
MEMBEROF_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "${CN_CONFIG_DN}" "(olcOverlay=memberOf)" | egrep '^dn: ' | sed -e 's/^dn: //g')
|
||||
echo "Check if memberOf overlay is enabled"
|
||||
MEMBEROF_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b \
|
||||
"${CN_CONFIG_DN}" "(olcOverlay=memberOf)" | \
|
||||
egrep '^dn: ' | sed -e 's/^dn: //g')
|
||||
|
||||
if [[ -n ${MEMBEROF_DN} ]]
|
||||
then echo "memberOf overlay already enabled for ${CN_CONFIG_DN}"
|
||||
else
|
||||
echo "Enabling memberOf overlay"
|
||||
ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
|
||||
ldapadd -Y EXTERNAL -H ldapi:/// <<-EOF
|
||||
dn: olcOverlay=memberof,${CN_CONFIG_DN}
|
||||
objectClass: olcOverlayConfig
|
||||
objectClass: olcConfig
|
||||
@ -136,45 +163,20 @@ olcMemberOfMemberOfAD: memberOf
|
||||
EOF
|
||||
fi
|
||||
fi
|
||||
# END MEMBEROF OVERLAY --------------------------------------------------------
|
||||
|
||||
[[ -n "${LDAP_ADMIN_PASSWORD}" ]]
|
||||
assert "E: please set non-empty password in LDAP_ADMIN_PASSWORD and retry."
|
||||
|
||||
HASHED_PW=$(slappasswd -h "{SSHA}" -s "${LDAP_ADMIN_PASSWORD}")
|
||||
|
||||
echo "I: Setting domain administrator password..."
|
||||
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
|
||||
dn: ${CN_CONFIG_DN}
|
||||
changetype: modify
|
||||
replace: olcRootPW
|
||||
olcRootPW: ${HASHED_PW}
|
||||
|
||||
EOF
|
||||
assert "FATAL: failure setting administrator password!"
|
||||
|
||||
# -------------------------------------------
|
||||
|
||||
# create base dn
|
||||
|
||||
# DIT ENTRIES -----------------------------------------------------------------
|
||||
echo "Check if ${LDAP_DOMAIN_DN} exists"
|
||||
DOM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" -s base -b "${LDAP_DOMAIN_DN}" "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
|
||||
DOM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
|
||||
-w "${LDAP_ADMIN_PASSWORD}" -s base -b "${LDAP_DOMAIN_DN}" \
|
||||
"(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
|
||||
|
||||
if [[ -n ${DOM_DN} ]]
|
||||
then echo "${LDAP_DOMAIN_DN} already present"
|
||||
else
|
||||
|
||||
cat <<EOF
|
||||
dn: ${LDAP_DOMAIN_DN}
|
||||
objectClass: dcObject
|
||||
objectClass: organization
|
||||
objectClass: top
|
||||
dc: $(echo -n "${LDAP_DOMAIN_DN#dc=}" | sed 's/,.*$//g')
|
||||
o: ${LDAP_DOMAIN}
|
||||
|
||||
EOF
|
||||
|
||||
echo "Creating ${LDAP_DOMAIN_DN}"
|
||||
ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<EOF
|
||||
ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
|
||||
-w "${LDAP_ADMIN_PASSWORD}" <<-EOF
|
||||
dn: ${LDAP_DOMAIN_DN}
|
||||
objectClass: dcObject
|
||||
objectClass: organization
|
||||
@ -185,17 +187,19 @@ o: ${LDAP_DOMAIN}
|
||||
EOF
|
||||
fi
|
||||
|
||||
# create admin user
|
||||
|
||||
# Admin user
|
||||
echo "Check if cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} exists"
|
||||
ADM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" -s base -b "cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}" "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
|
||||
ADM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
|
||||
-w "${LDAP_ADMIN_PASSWORD}" -s base -b \
|
||||
"cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}" "(objectClass=*)" \
|
||||
| egrep '^dn: ' | sed -e 's/^dn: //g')
|
||||
|
||||
if [[ -n ${ADM_DN} ]]
|
||||
then echo "cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} already present"
|
||||
else
|
||||
|
||||
echo "Creating cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}"
|
||||
ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<EOF
|
||||
ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
|
||||
-w "${LDAP_ADMIN_PASSWORD}" <<-EOF
|
||||
dn: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
|
||||
objectClass: organizationalRole
|
||||
objectClass: simpleSecurityObject
|
||||
@ -206,22 +210,23 @@ userPassword: ${ADMIN_PW_HASH}
|
||||
EOF
|
||||
fi
|
||||
|
||||
# update admin password
|
||||
|
||||
# TODO
|
||||
# TODO: update admin password =================================================
|
||||
|
||||
# create OUs
|
||||
|
||||
for OU in ${LDAP_DOMAIN_OUS}
|
||||
do
|
||||
echo "Check if ou=${OU},${LDAP_DOMAIN_DN} exists"
|
||||
OU_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" -s base -b "ou=${OU},${LDAP_DOMAIN_DN}" "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
|
||||
OU_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
|
||||
-w "${LDAP_ADMIN_PASSWORD}" -s base \
|
||||
-b "ou=${OU},${LDAP_DOMAIN_DN}" "(objectClass=*)" \
|
||||
| egrep '^dn: ' | sed -e 's/^dn: //g')
|
||||
|
||||
if [[ -n ${OU_DN} ]]
|
||||
then echo "ou=${OU} already present in ${LDAP_DOMAIN_DN}"
|
||||
else
|
||||
echo "Creating ou=${OU},${LDAP_DOMAIN_DN}"
|
||||
ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<EOF
|
||||
ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
|
||||
-w "${LDAP_ADMIN_PASSWORD}" <<-EOF
|
||||
dn: ou=${OU},${LDAP_DOMAIN_DN}
|
||||
objectClass: organizationalUnit
|
||||
objectClass: top
|
||||
@ -234,16 +239,14 @@ done
|
||||
# -------------------------------------------
|
||||
|
||||
# kill slapd after initial setup
|
||||
echo "I: killing initial server..."
|
||||
echo "Killing initial server"
|
||||
kill -INT $(cat ${PIDFILE})
|
||||
|
||||
# unset sensitive variables
|
||||
unset OPENLDAP_ADMIN_PASSWORD
|
||||
unset HASHED_PW
|
||||
unset LOADED_SCHEMAS
|
||||
unset PIDFILE
|
||||
unset LDAP_ADMIN_PASSWORD LDAP_CONFIG_PASSWORD LDAP_ADMIN_PWHASH \
|
||||
LDAP_CONFIG_PWHASH LOADED_SCHEMAS PIDFILE
|
||||
|
||||
# run Dockerfile CMD
|
||||
echo "I: running CMD $@"
|
||||
echo "Running CMD $@"
|
||||
set -e
|
||||
exec "$@"
|
||||
|
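Review bot: Every `ldapsearch`/`ldapadd` that binds as the domain admin passes the secret as `-w "${LDAP_ADMIN_PASSWORD}"` (the DIT ENTRIES, admin user and OU hunks), which places the password on the command line where any process in the container can read it from `ps` or `/proc/*/cmdline`; the new `unset` of the password variables at the end does not change that. Write the password once to a `mktemp` file with mode 600, bind with `-y "${PWFILE}"`, and remove the file before the final `exec`. Separately, `awk "{print $2}"` on the PIDFILE line uses double quotes, so the shell replaces `$2` with the script's second positional argument before awk runs; unless the CMD happens to supply a usable second argument, `PIDFILE` will not hold the pidfile path and `kill -INT $(cat ${PIDFILE})` in the last hunk cannot stop the setup instance — it should be `awk '{print $2}'`. The two memberOf guards also disagree: `if ${LDAP_MEMBEROF}` executes the value as a command, while `if [[ ${LDAP_MEMBEROF} ]]` only tests for non-emptiness, so `LDAP_MEMBEROF=false` skips the module but still installs the overlay.
```shell
# … unchanged: schema loading, memberof module, cn=config database setup …
PWFILE=$(mktemp)
chmod 600 "${PWFILE}"
printf '%s' "${LDAP_ADMIN_PASSWORD}" > "${PWFILE}"
DOM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
    -y "${PWFILE}" -s base -b "${LDAP_DOMAIN_DN}" \
    "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
# … unchanged: remaining admin binds, each with -w "${LDAP_ADMIN_PASSWORD}" replaced by -y "${PWFILE}" …
rm -f "${PWFILE}"
# … unchanged: kill of the setup instance, unset, exec "$@" …
```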