more or less working entrypoint

2019-09-24 23:48:08 -03:00 · 2019-09-24 23:48:08 -03:00 · 214e40f367
commit 214e40f367
parent 0244610e28
2 changed files with 209 additions and 32 deletions
--- a/39
+++ b/39
@ -1,27 +1,40 @@
 FROM eumau/debian:buster-slim

-ENV OPENLDAP_ADMIN_PASSWORD="root"
+ENV LDAP_ADMIN_CN="admin"
+# admin CN, DN => cn=%%ADMIN_DN%%,%%DOMAIN_DN%%
+ENV LDAP_ADMIN_PASSWORD="admin"
+# password for cn=%%ADMIN_DN%%,%%DOMAIN_DN%%
+ENV LDAP_CONFIG_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+# password for cn=admin,cn=config
+ENV LDAP_DOMAIN=""
+# domain O (example.org)
+ENV LDAP_DOMAIN_ACCESS="{0}to attrs=userPassword by self write by anonymous auth by * none\n{1}to attrs=shadowLastChange by self write by * read\n{2}to * by * read"
+# olcDbAccess attribute for domain entry (newline-separated)
+ENV LDAP_DOMAIN_DN=""
+# domain DN (dc=example,dc=org)
+ENV LDAP_DOMAIN_INDEX="cn,uid eq\nmember,memberUid eq\nobjectClass eq\nuidNumber,gidNumber eq"
+# olcDbIndex attribute for domain entry (newline-separated)
+ENV LDAP_DOMAIN_OUS="People Alias Group"
+# domain OUs (space-separated)
+ENV LDAP_MEMBEROF="true"
+# enable memberOf module
+ENV LDAP_SCHEMAS="core cosine inetorgperson misc nis"
+# space-separated list of schemas to load

-# space-separated list of schemas
-ENV OPENLDAP_SCHEMAS="misc"
-
-RUN apt-get update && \
-	DEBIAN_FRONTEND=noninteractive apt-get install -y \
+RUN apt-get update \
+	&& DEBIAN_FRONTEND=noninteractive apt-get install -y \
 	slapd \
        ldap-utils && \
 	apt-get clean && \
 	rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

-COPY entrypoint.sh /entrypoint.sh
-
-# ADD my_custom_schema: install by setting OPENLDAP_SCHEMAS=my_custom_schema
-# COPY my_custom_schema.ldif /etc/ldap/schema/my_custom_schema.ldif
+ADD entrypoint.sh /

 EXPOSE 389

-VOLUME ["/etc/ldap/slapd.d", "/var/lib/ldap", "/var/backups/ldap"]
+VOLUME ["/etc/ldap/schema", "/etc/ldap/slapd.d", "/var/lib/ldap", "/var/backups/ldap"]
+
+ENTRYPOINT ["/entrypoint.sh"]

-ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 # log level info:
-
 CMD ["slapd", "-d", "32768", "-u", "openldap", "-g", "openldap"]
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -1,28 +1,25 @@
 #!/bin/bash
-msg(){ ${VERBOSE:-true} && echo ${@} ; }
-assert(){ [[ $? -eq 0 ]] || { [[ -n ${1} ]] && msg ${@} ; exit 1 ; } }
+assert(){ [[ $? -eq 0 ]] || { [[ -n ${1} ]] && echo ${@} ; exit 1 ; } }

 # from https://github.com/dinkel/docker-openldap/blob/master/entrypoint.sh:
 # When not limiting the open file descritors limit, the memory consumption of
 # slapd is absurdly high. See https://github.com/docker/docker/issues/8231
 ulimit -n 8192

-msg "I: running slapd for initial setup..."
+echo "I: running slapd for initial setup..."
 slapd -u openldap -g openldap -h ldapi:///
 assert "E: openldap died unexpectedly!"

 PIDFILE=$(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" -s base \
 		     "" olcPidFile | grep olcPidFile | awk "{print $2}")
-msg "I: slapd running with PID ${PIDFILE}"
+echo "I: slapd running with PID ${PIDFILE}"

-[[ -n "${OPENLDAP_ADMIN_PASSWORD}" ]]
-assert "E: please set non-empty password in OPENLDAP_ADMIN_PASSWORD and retry."
+[[ -n "${LDAP_CONFIG_PASSWORD}" ]]
+assert "E: please set non-empty password in LDAP_CONFIG_PASSWORD and retry."

-HASHED_PW=$(slappasswd -h {SSHA} -s "${OPENLDAP_ADMIN_PASSWORD}")
-[[ -n "${HASHED_PW}" ]]
-assert "E: password hash unexpectedly empty!"
+HASHED_PW=$(slappasswd -h "{SSHA}" -s "${LDAP_CONFIG_PASSWORD}")

-msg "I: Setting administrator password..."
+echo "I: Setting administrator password..."
 ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
 dn: olcDatabase={0}config,cn=config
 changetype: modify
@ -36,15 +33,15 @@ assert "FATAL: failure setting administrator password!"
 eval "declare -A LOADED_SCHEMAS=( $(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// \
                                     -b "cn=schema,cn=config" -s one cn \
                          | sed -n 's/^cn:.*[{].*[}]\(.*\)$/[\1]=loaded/p') )"
-msg "I: currently loaded schemas: ${!LOADED_SCHEMAS[@]}"
+echo "I: currently loaded schemas: ${!LOADED_SCHEMAS[@]}"

 # load schemas
 # built-in: core, cosine, nis, inetorgperson
 # available: collective, corba, duaconf, dyngroup, java, misc, nis, openldap, pmi, ppolicy
-for schema in ${OPENLDAP_SCHEMAS}
+for schema in ${LDAP_SCHEMAS}
 do
    [[ -z "${LOADED_SCHEMAS[$schema]}" ]] || continue;
-    msg "I: loading schema ${schema}..."
+    echo "I: loading schema ${schema}..."
    [[ -f /etc/ldap/schema/${schema}.ldif ]]
    assert "E: schema /etc/ldap/schema/${schema}.ldif not found!"
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/${schema}.ldif
@ -52,9 +49,9 @@ do
 done

 # enable memberof module
-if ${OPENLDAP_ENABLE_MEMBEROF}
+if ${LDAP_MEMBEROF}
 then
-    msg "I: enabling memberof module ..."
+    echo "I: enabling memberof module ..."
    ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
 dn: cn=module{0},cn=config
 changetype: modify
@ -65,21 +62,188 @@ EOF
    RES=$?
    [[ $RES -eq 0 ]] || [[ $RES -eq 20 ]]
    assert "E: failed loading memberof module (${RES})"
-    msg "I: module memberof enabled (${RES})"
+    echo "I: module memberof enabled (${RES})"
    unset RES
 fi

+# 0. calcular DN a partir del dominio
+
+# 1.3.0 crear password admin
+ADMIN_PW_HASH=$(slappasswd -h "{SSHA}" -s "${LDAP_ADMIN_PASSWORD}")
+
+# 1.2 buscar dominio
+if ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "cn=config" \
+	      "(&(olcSuffix=\"${LDAP_DOMAIN_DN}\")(olcDatabase=mdb))" | \
+	egrep -q '^dn: '
+then
+    echo "Found cn=config entry for ${LDAP_DOMAIN_DN}"
+else
+    echo "No cn=config entry for ${LDAP_DOMAIN_DN}."
+    echo "Creating directory /var/lib/ldap/${LDAP_DOMAIN_DN}"
+    mkdir "/var/lib/ldap/${LDAP_DOMAIN_DN}"
+    chown -R openldap:openldap "/var/lib/ldap/${LDAP_DOMAIN_DN}"
+
+    echo "Creating cn=config entry for ${LDAP_DOMAIN_DN}"
+
+    ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDbMaxSize: 1073741824
+olcSuffix: ${LDAP_DOMAIN_DN}
+olcDbDirectory: /var/lib/ldap/${LDAP_DOMAIN_DN}
+olcRootDN: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
+olcRootPW: ${ADMIN_PW_HASH}
+$(echo -ne "${LDAP_DOMAIN_ACCESS}" | sed -e 's/^/olcAccess: /g')
+olcDbCheckpoint: 512 30
+olcLastMod: TRUE
+$(echo -ne "${LDAP_DOMAIN_INDEX}" | sed -e 's/^/olcDbIndex: /g')
+$(echo -ne "${LDAP_DOMAIN_LIMITS}" | sed -e 's/^/olcLimits: /g')
+EOF
+fi
+
+echo "Get DN of cn=config entry for ${LDAP_DOMAIN_DN}"
+CN_CONFIG_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b cn=config "(&(olcSuffix=${LDAP_DOMAIN_DN})(olcDatabase=mdb))" | egrep '^dn: ' | sed -e 's/^dn: //g')
+
+if [[ -n ${CN_CONFIG_DN} ]]
+then echo "Found DN = ${CN_CONFIG_DN}"
+else
+    echo "FATAL: could not find cn=config entry for ${LDAP_DOMAIN_DN}"
+    echo "PLEASE NOTE: only MDB database format is supported (PR welcome :)"
+    exit 1
+fi
+
+# 2. olcovrlay memberof
+if [[ ${LDAP_MEMBEROF} ]]
+then
+    echo "Check if memberOf is enabled"
+    MEMBEROF_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "${CN_CONFIG_DN}" "(olcOverlay=memberOf)" | egrep '^dn: ' | sed -e 's/^dn: //g')
+
+    if [[ -n ${MEMBEROF_DN} ]]
+    then echo "memberOf overlay already enabled for ${CN_CONFIG_DN}"
+    else
+	echo "Enabling memberOf overlay"
+	ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
+dn: olcOverlay=memberof,${CN_CONFIG_DN}
+objectClass: olcOverlayConfig
+objectClass: olcConfig
+objectClass: olcMemberOf
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: FALSE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+EOF
+    fi
+fi
+
+[[ -n "${LDAP_ADMIN_PASSWORD}" ]]
+assert "E: please set non-empty password in LDAP_ADMIN_PASSWORD and retry."
+
+HASHED_PW=$(slappasswd -h "{SSHA}" -s "${LDAP_ADMIN_PASSWORD}")
+
+echo "I: Setting domain administrator password..."
+ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
+dn: ${CN_CONFIG_DN}
+changetype: modify
+replace: olcRootPW
+olcRootPW: ${HASHED_PW}
+
+EOF
+assert "FATAL: failure setting administrator password!"
+
+# -------------------------------------------
+
+# create base dn
+
+echo "Check if ${LDAP_DOMAIN_DN} exists"
+DOM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" -s base -b "${LDAP_DOMAIN_DN}" "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
+
+if [[ -n ${DOM_DN} ]]
+then echo "${LDAP_DOMAIN_DN} already present"
+else
+
+cat <<EOF
+dn: ${LDAP_DOMAIN_DN}
+objectClass: dcObject
+objectClass: organization
+objectClass: top
+dc: $(echo -n "${LDAP_DOMAIN_DN#dc=}" | sed 's/,.*$//g')
+o: ${LDAP_DOMAIN}
+
+EOF
+
+    echo "Creating ${LDAP_DOMAIN_DN}"
+    ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<EOF
+dn: ${LDAP_DOMAIN_DN}
+objectClass: dcObject
+objectClass: organization
+objectClass: top
+dc: $(echo -n "${LDAP_DOMAIN_DN#dc=}" | sed 's/,.*$//g')
+o: ${LDAP_DOMAIN}
+
+EOF
+fi
+
+# create admin user
+
+echo "Check if cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} exists"
+ADM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" -s base -b "cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}" "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
+
+if [[ -n ${ADM_DN} ]]
+then echo "cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} already present"
+else
+
+    echo "Creating cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}"
+    ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<EOF
+dn: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
+objectClass: organizationalRole
+objectClass: simpleSecurityObject
+cn: ${LDAP_ADMIN_CN}
+description: LDAP Administrator role for domain ${LDAP_DOMAIN}
+userPassword: ${ADMIN_PW_HASH}
+
+EOF
+fi
+
+# update admin password
+
+# TODO
+
+# create OUs
+
+for OU in ${LDAP_DOMAIN_OUS}
+do
+    echo "Check if ou=${OU},${LDAP_DOMAIN_DN} exists"
+    OU_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" -s base -b "ou=${OU},${LDAP_DOMAIN_DN}" "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
+
+    if [[ -n ${OU_DN} ]]
+    then echo "ou=${OU} already present in ${LDAP_DOMAIN_DN}"
+    else
+	echo "Creating ou=${OU},${LDAP_DOMAIN_DN}"
+	ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<EOF
+dn: ou=${OU},${LDAP_DOMAIN_DN}
+objectClass: organizationalUnit
+objectClass: top
+ou: ${OU}
+
+EOF
+    fi
+done
+
+# -------------------------------------------
+
 # kill slapd after initial setup
-msg "I: killing initial server..."
+echo "I: killing initial server..."
 kill -INT $(cat ${PIDFILE})

 # unset sensitive variables
-unset OPENLDAP_ROOT_PASSWORD
+unset OPENLDAP_ADMIN_PASSWORD
 unset HASHED_PW
 unset LOADED_SCHEMAS
 unset PIDFILE

 # run Dockerfile CMD
-msg "I: running CMD $@"
+echo "I: running CMD $@"
 set -e
 exec "$@"