From 65a781afa06edbd8a9581e2bc073566e73adab1d Mon Sep 17 00:00:00 2001
From: Mauro Torrez <mauro@qom>
Date: Wed, 25 Sep 2019 19:15:54 -0300
Subject: [PATCH] WIP: add provider capability

---
 Dockerfile    |  26 ++--
 entrypoint.sh | 365 ++++++++++++++++++++++++++++++++------------------
 2 files changed, 252 insertions(+), 139 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index db8139d..5fd9fa7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,25 +1,31 @@
 FROM eumau/debian:buster-slim
 
+# admin CN => dn: cn=%%ADMIN_CN%%,%%DOMAIN_DN%%
 ENV LDAP_ADMIN_CN="admin"
-# admin CN, DN => cn=%%ADMIN_DN%%,%%DOMAIN_DN%%
-ENV LDAP_ADMIN_PASSWORD="admin"
 # password for cn=%%ADMIN_DN%%,%%DOMAIN_DN%%
-ENV LDAP_CONFIG_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+ENV LDAP_ADMIN_PASSWORD="admin"
 # password for cn=admin,cn=config
+ENV LDAP_CONFIG_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+# domain name (example.org)
 ENV LDAP_DOMAIN=""
-# domain O (example.org)
-ENV LDAP_DOMAIN_ACCESS="{0}to attrs=userPassword by self write by anonymous auth by * none\n{1}to attrs=shadowLastChange by self write by * read\n{2}to * by * read"
 # olcDbAccess attribute for domain entry (newline-separated)
-ENV LDAP_DOMAIN_DN=""
+ENV LDAP_DOMAIN_ACCESS="{0}to attrs=userPassword by self write by anonymous auth by * none\n{1}to attrs=shadowLastChange by self write by * read\n{2}to * by * read"
 # domain DN (dc=example,dc=org)
-ENV LDAP_DOMAIN_INDEX="cn,uid eq\nmember,memberUid eq\nobjectClass eq\nuidNumber,gidNumber eq"
+ENV LDAP_DOMAIN_DN=""
 # olcDbIndex attribute for domain entry (newline-separated)
-ENV LDAP_DOMAIN_OUS="People Alias Group"
+ENV LDAP_DOMAIN_INDEX="cn,uid eq\nmember,memberUid eq\nobjectClass eq\nuidNumber,gidNumber eq"
 # domain OUs (space-separated)
-ENV LDAP_MEMBEROF="true"
+ENV LDAP_DOMAIN_OUS="People Alias Group"
 # enable memberOf module
-ENV LDAP_SCHEMAS="core cosine inetorgperson misc nis"
+ENV LDAP_MEMBEROF="true"
+# enable replication provider
+ENV LDAP_PROVIDER="false"
+# replicator CN => dn: cn=%%REPLICATOR_CN%%,%%DOMAIN_DN%%
+ENV LDAP_REPLICATOR_CN="replicator"
+# replicator password
+ENV LDAP_REPLICATOR_PASSWORD="${LDAP_ADMIN_PASSWORD}"
 # space-separated list of schemas to load
+ENV LDAP_SCHEMAS="core cosine inetorgperson misc nis"
 
 RUN apt-get update \
 	&& DEBIAN_FRONTEND=noninteractive apt-get install -y \
diff --git a/entrypoint.sh b/entrypoint.sh
index b6b7d07..e42d7ae 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -6,34 +6,45 @@ assert(){ [[ $? -eq 0 ]] || { [[ -n ${1} ]] && echo ${@} ; exit 1 ; } }
 # slapd is absurdly high. See https://github.com/docker/docker/issues/8231
 ulimit -n 8192
 
-echo "I: running slapd for initial setup..."
 slapd -u openldap -g openldap -h ldapi:///
-assert "E: openldap died unexpectedly!"
+assert "FATAL: sldapd died unexpectedly!"
 
 PIDFILE=$(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" -s base \
 		     "" olcPidFile | grep olcPidFile | awk "{print $2}")
-echo "I: slapd running with PID ${PIDFILE}"
+echo "slapd running. pidfile = ${PIDFILE}"
+
+[[ -n "${LDAP_DOMAIN}" ]]
+assert "FATAL: Please set LDAP_DOMAIN and retry."
+DN0="dc=${LDAP_DOMAIN//./,dc=}"
+LDAP_DOMAIN_DN=${LDAP_DOMAIN_DN:=${DN0}}
+
+echo "setting up domain = ${LDAP_DOMAIN}, dn = ${LDAP_DOMAIN_DN}"
 
 [[ -n "${LDAP_CONFIG_PASSWORD}" ]]
-assert "E: please set non-empty password in LDAP_CONFIG_PASSWORD and retry."
+assert "FATAL: Please set LDAP_CONFIG_PASSWORD and retry."
+LDAP_CONFIG_PWHASH=$(slappasswd -h "{SSHA}" -s "${LDAP_CONFIG_PASSWORD}")
 
-HASHED_PW=$(slappasswd -h "{SSHA}" -s "${LDAP_CONFIG_PASSWORD}")
+[[ -n "${LDAP_ADMIN_PASSWORD}" ]]
+assert "FATAL: Please set LDAP_ADMIN_PASSWORD and retry."
+LDAP_ADMIN_PWHASH=$(slappasswd -h "{SSHA}" -s "${LDAP_ADMIN_PASSWORD}")
 
-echo "I: Setting administrator password..."
+# TODO: verify password before updating =======================================
+
+echo "Setting cn=admin,cn=config password"
 ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
 dn: olcDatabase={0}config,cn=config
 changetype: modify
 replace: olcRootPW
-olcRootPW: ${HASHED_PW}
+olcRootPW: ${LDAP_CONFIG_PWHASH}
 
 EOF
-assert "FATAL: failure setting administrator password!"
+assert "FATAL: error setting cn=admin,cn=config password"
 
-# find current schemas
+# SCHEMAS ---------------------------------------------------------------------
 eval "declare -A LOADED_SCHEMAS=( $(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// \
                                      -b "cn=schema,cn=config" -s one cn \
                           | sed -n 's/^cn:.*[{].*[}]\(.*\)$/[\1]=loaded/p') )"
-echo "I: currently loaded schemas: ${!LOADED_SCHEMAS[@]}"
+echo "Loaded schemas: ${!LOADED_SCHEMAS[@]}"
 
 # load schemas
 # built-in: core, cosine, nis, inetorgperson
@@ -41,37 +52,140 @@ echo "I: currently loaded schemas: ${!LOADED_SCHEMAS[@]}"
 for schema in ${LDAP_SCHEMAS}
 do
     [[ -z "${LOADED_SCHEMAS[$schema]}" ]] || continue;
-    echo "I: loading schema ${schema}..."
-    [[ -f /etc/ldap/schema/${schema}.ldif ]]
-    assert "E: schema /etc/ldap/schema/${schema}.ldif not found!"
-    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/${schema}.ldif
-    assert "E: failure loading schema ${schema}!"
-done
 
-# enable memberof module
+    echo "Loading ${schema} schema"
+
+    [[ -f /etc/ldap/schema/${schema}.ldif ]]
+    assert "FATAL: schema file /etc/ldap/schema/${schema}.ldif not found!"
+
+    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/${schema}.ldif
+    assert "FATAL: error loading schema ${schema}!"
+done
+# END SCHEMAS -----------------------------------------------------------------
+
+# MEMBEROF MODULE -------------------------------------------------------------
 if ${LDAP_MEMBEROF}
 then
-    echo "I: enabling memberof module ..."
-    ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
-dn: cn=module{0},cn=config
-changetype: modify
-add: olcModuleLoad
-olcModuleLoad: memberof
+    echo "Enabling memberof module"
+    ldapmodify -Y EXTERNAL -H ldapi:/// <<-EOF
+	dn: cn=module{0},cn=config
+	changetype: modify
+	add: olcModuleLoad
+	olcModuleLoad: memberof
 
-EOF
+	EOF
     RES=$?
     [[ $RES -eq 0 ]] || [[ $RES -eq 20 ]]
-    assert "E: failed loading memberof module (${RES})"
-    echo "I: module memberof enabled (${RES})"
+    assert "FATAL: error loading memberof module (return status ${RES})"
     unset RES
 fi
+# END MEMBEROF MODULE ---------------------------------------------------------
 
-# 0. calcular DN a partir del dominio
+# REPLICATION PROVIDER --------------------------------------------------------
+if ${LDAP_PROVIDER}
+then
+    echo "Enabling syncprov module"
+    ldapmodify -Y EXTERNAL -H ldapi:/// <<-EOF
+	dn: cn=module{0},cn=config
+	changetype: modify
+	add: olcModuleLoad
+	olcModuleLoad: syncprov
 
-# 1.3.0 crear password admin
-ADMIN_PW_HASH=$(slappasswd -h "{SSHA}" -s "${LDAP_ADMIN_PASSWORD}")
+	EOF
+    RES=$?
+    [[ $RES -eq 0 ]] || [[ $RES -eq 20 ]]
+    assert "FATAL: error loading syncprov module (return status ${RES})"
 
-# 1.2 buscar dominio
+    echo "Enabling accesslog module"
+    ldapmodify -Y EXTERNAL -H ldapi:/// <<-EOF
+	dn: cn=module{0},cn=config
+	changetype: modify
+	add: olcModuleLoad
+	olcModuleLoad: accesslog
+
+	EOF
+    RES=$?
+    [[ $RES -eq 0 ]] || [[ $RES -eq 20 ]]
+    assert "FATAL: error loading accesslog module (return status ${RES})"
+    unset RES
+
+    if ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "cn=config" \
+	      "(&(olcSuffix=\"cn=accesslog\")(olcDatabase=mdb))" | \
+	egrep -q '^dn: '
+    then
+	echo "Found cn=config entry for cn=accesslog"
+    else
+	echo "No cn=config entry for cn=accesslog."
+
+	echo "Creating directory /var/lib/ldap/cn=accesslog"
+	mkdir "/var/lib/ldap/cn=accesslog"
+	chown -R openldap:openldap "/var/lib/ldap/cn=accesslog"
+
+	echo "Creating cn=config entry for cn=accesslog"
+	ldapadd -Y EXTERNAL -H ldapi:/// <<-EOF
+	dn: olcDatabase=mdb,cn=config
+	objectClass: olcDatabaseConfig
+	objectClass: olcMdbConfig
+	olcRootDN: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
+	olcRootPW: ${LDAP_ADMIN_PWHASH}
+	olcDbMaxSize: 8589934592
+	olcSuffix: cn=accesslog
+	olcDbDirectory: /var/lib/ldap/cn=accesslog
+	olcAccess: {0}to * by dn="cn=${LDAP_REPLICATOR_CN},${LDAP_DOMAIN_DN}" read
+	olcLimits: {0}to dn.exact="cn=${LDAP_REPLICATOR_CN},${LDAP_DOMAIN_DN}" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
+	olcLimits: {1}to dn.exact="cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
+	EOF
+    fi
+
+    if ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "cn=config" \
+	      "(&(olcSuffix=\"cn=accesslog\")(olcDatabase=mdb))" | \
+	egrep -q '^dn: '
+    then
+	echo "Found cn=config entry for cn=accesslog"
+    else
+	echo "No cn=config entry for cn=accesslog."
+
+	echo "Creating directory /var/lib/ldap/cn=accesslog"
+	mkdir "/var/lib/ldap/cn=accesslog"
+	chown -R openldap:openldap "/var/lib/ldap/cn=accesslog"
+
+	echo "Creating cn=config entry for cn=accesslog"
+	ldapadd -Y EXTERNAL -H ldapi:/// <<-EOF
+	dn: olcDatabase=mdb,cn=config
+	objectClass: olcDatabaseConfig
+	objectClass: olcMdbConfig
+	olcRootDN: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
+	olcRootPW: ${LDAP_ADMIN_PWHASH}
+	olcDbMaxSize: 8589934592
+	olcSuffix: cn=accesslog
+	olcDbDirectory: /var/lib/ldap/cn=accesslog
+	olcAccess: {0}to * by dn="cn=${LDAP_REPLICATOR_CN},${LDAP_DOMAIN_DN}" read
+	olcLimits: {0}to dn.exact="cn=${LDAP_REPLICATOR_CN},${LDAP_DOMAIN_DN}" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
+	olcLimits: {1}to dn.exact="cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
+	EOF
+    fi
+
+    echo "Get DN of cn=config entry for cn=accesslog"
+    CN_CONFIG_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b cn=config \
+			  "(&(olcSuffix=cn=accesslog)(olcDatabase=mdb))" \
+		   | egrep '^dn: ' | sed -e 's/^dn: //g')
+
+    if [[ -n ${CN_CONFIG_DN} ]]
+    then echo "Found DN = ${CN_CONFIG_DN}"
+    else
+	echo "FATAL: could not find cn=config entry for cn=accesslog"
+	echo "PLEASE NOTE: only MDB database format is supported (PR welcome :)"
+	exit 1
+    fi
+
+    # TODO: olcOverlay=syncprov ===============================================
+
+    # TODO: replication users (on domain setup?) ==============================
+
+fi
+# END REPLICATION PROVIDER ----------------------------------------------------
+
+# DOMAIN SETUP ----------------------------------------------------------------
 if ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "cn=config" \
 	      "(&(olcSuffix=\"${LDAP_DOMAIN_DN}\")(olcDatabase=mdb))" | \
 	egrep -q '^dn: '
@@ -85,25 +199,27 @@ else
 
     echo "Creating cn=config entry for ${LDAP_DOMAIN_DN}"
 
-    ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
-dn: olcDatabase=mdb,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcMdbConfig
-olcDbMaxSize: 1073741824
-olcSuffix: ${LDAP_DOMAIN_DN}
-olcDbDirectory: /var/lib/ldap/${LDAP_DOMAIN_DN}
-olcRootDN: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
-olcRootPW: ${ADMIN_PW_HASH}
-$(echo -ne "${LDAP_DOMAIN_ACCESS}" | sed -e 's/^/olcAccess: /g')
-olcDbCheckpoint: 512 30
-olcLastMod: TRUE
-$(echo -ne "${LDAP_DOMAIN_INDEX}" | sed -e 's/^/olcDbIndex: /g')
-$(echo -ne "${LDAP_DOMAIN_LIMITS}" | sed -e 's/^/olcLimits: /g')
-EOF
+    ldapadd -Y EXTERNAL -H ldapi:/// <<-EOF
+	dn: olcDatabase=mdb,cn=config
+	objectClass: olcDatabaseConfig
+	objectClass: olcMdbConfig
+	olcDbMaxSize: 1073741824
+	olcSuffix: ${LDAP_DOMAIN_DN}
+	olcDbDirectory: /var/lib/ldap/${LDAP_DOMAIN_DN}
+	olcRootDN: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
+	olcRootPW: ${LDAP_ADMIN_PWHASH}
+	$(echo -ne "${LDAP_DOMAIN_ACCESS}" | sed -e 's/^/olcAccess: /g')
+	olcDbCheckpoint: 512 30
+	olcLastMod: TRUE
+	$(echo -ne "${LDAP_DOMAIN_INDEX}" | sed -e 's/^/olcDbIndex: /g')
+	$(echo -ne "${LDAP_DOMAIN_LIMITS}" | sed -e 's/^/olcLimits: /g')
+	EOF
 fi
 
-echo "Get DN of cn=config entry for ${LDAP_DOMAIN_DN}"
-CN_CONFIG_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b cn=config "(&(olcSuffix=${LDAP_DOMAIN_DN})(olcDatabase=mdb))" | egrep '^dn: ' | sed -e 's/^dn: //g')
+echo "Get cn=config entry for ${LDAP_DOMAIN_DN}"
+CN_CONFIG_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "cn=config" \
+			  "(&(olcSuffix=${LDAP_DOMAIN_DN})(olcDatabase=mdb))" \
+		   | egrep '^dn: ' | sed -e 's/^dn: //g')
 
 if [[ -n ${CN_CONFIG_DN} ]]
 then echo "Found DN = ${CN_CONFIG_DN}"
@@ -113,137 +229,128 @@ else
     exit 1
 fi
 
-# 2. olcovrlay memberof
+# TODO: verify admin password before updating =================================
+
+echo "Setting domain administrator password"
+ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
+dn: ${CN_CONFIG_DN}
+changetype: modify
+replace: olcRootPW
+olcRootPW: ${LDAP_ADMIN_PWHASH}
+
+EOF
+assert "FATAL: could not set administrator password!"
+# END DOMAIN SETUP ------------------------------------------------------------
+
+# MEMBEROF OVERLAY ------------------------------------------------------------
 if [[ ${LDAP_MEMBEROF} ]]
 then
-    echo "Check if memberOf is enabled"
-    MEMBEROF_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "${CN_CONFIG_DN}" "(olcOverlay=memberOf)" | egrep '^dn: ' | sed -e 's/^dn: //g')
+    echo "Check if memberOf overlay is enabled"
+    MEMBEROF_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b \
+			     "${CN_CONFIG_DN}" "(olcOverlay=memberOf)" | \
+		      egrep '^dn: ' | sed -e 's/^dn: //g')
 
     if [[ -n ${MEMBEROF_DN} ]]
     then echo "memberOf overlay already enabled for ${CN_CONFIG_DN}"
     else
 	echo "Enabling memberOf overlay"
-	ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
-dn: olcOverlay=memberof,${CN_CONFIG_DN}
-objectClass: olcOverlayConfig
-objectClass: olcConfig
-objectClass: olcMemberOf
-olcMemberOfDangling: ignore
-olcMemberOfRefInt: FALSE
-olcMemberOfGroupOC: groupOfNames
-olcMemberOfMemberAD: member
-olcMemberOfMemberOfAD: memberOf
-EOF
+	ldapadd -Y EXTERNAL -H ldapi:/// <<-EOF
+	dn: olcOverlay=memberof,${CN_CONFIG_DN}
+	objectClass: olcOverlayConfig
+	objectClass: olcConfig
+	objectClass: olcMemberOf
+	olcMemberOfDangling: ignore
+	olcMemberOfRefInt: FALSE
+	olcMemberOfGroupOC: groupOfNames
+	olcMemberOfMemberAD: member
+	olcMemberOfMemberOfAD: memberOf
+	EOF
     fi
 fi
+# END MEMBEROF OVERLAY --------------------------------------------------------
 
-[[ -n "${LDAP_ADMIN_PASSWORD}" ]]
-assert "E: please set non-empty password in LDAP_ADMIN_PASSWORD and retry."
-
-HASHED_PW=$(slappasswd -h "{SSHA}" -s "${LDAP_ADMIN_PASSWORD}")
-
-echo "I: Setting domain administrator password..."
-ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
-dn: ${CN_CONFIG_DN}
-changetype: modify
-replace: olcRootPW
-olcRootPW: ${HASHED_PW}
-
-EOF
-assert "FATAL: failure setting administrator password!"
-
-# -------------------------------------------
-
-# create base dn
-
+# DIT ENTRIES -----------------------------------------------------------------
 echo "Check if ${LDAP_DOMAIN_DN} exists"
-DOM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" -s base -b "${LDAP_DOMAIN_DN}" "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
+DOM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
+		    -w "${LDAP_ADMIN_PASSWORD}" -s base -b "${LDAP_DOMAIN_DN}" \
+		    "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
 
 if [[ -n ${DOM_DN} ]]
 then echo "${LDAP_DOMAIN_DN} already present"
 else
-
-cat <<EOF
-dn: ${LDAP_DOMAIN_DN}
-objectClass: dcObject
-objectClass: organization
-objectClass: top
-dc: $(echo -n "${LDAP_DOMAIN_DN#dc=}" | sed 's/,.*$//g')
-o: ${LDAP_DOMAIN}
-
-EOF
-
     echo "Creating ${LDAP_DOMAIN_DN}"
-    ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<EOF
-dn: ${LDAP_DOMAIN_DN}
-objectClass: dcObject
-objectClass: organization
-objectClass: top
-dc: $(echo -n "${LDAP_DOMAIN_DN#dc=}" | sed 's/,.*$//g')
-o: ${LDAP_DOMAIN}
+    ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
+	    -w "${LDAP_ADMIN_PASSWORD}" <<-EOF
+	dn: ${LDAP_DOMAIN_DN}
+	objectClass: dcObject
+	objectClass: organization
+	objectClass: top
+	dc: $(echo -n "${LDAP_DOMAIN_DN#dc=}" | sed 's/,.*$//g')
+	o: ${LDAP_DOMAIN}
 
-EOF
+	EOF
 fi
 
-# create admin user
-
+# Admin user
 echo "Check if cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} exists"
-ADM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" -s base -b "cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}" "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
+ADM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
+		    -w "${LDAP_ADMIN_PASSWORD}" -s base -b \
+		    "cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}" "(objectClass=*)" \
+	     | egrep '^dn: ' | sed -e 's/^dn: //g')
 
 if [[ -n ${ADM_DN} ]]
 then echo "cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} already present"
 else
-
     echo "Creating cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}"
-    ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<EOF
-dn: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
-objectClass: organizationalRole
-objectClass: simpleSecurityObject
-cn: ${LDAP_ADMIN_CN}
-description: LDAP Administrator role for domain ${LDAP_DOMAIN}
-userPassword: ${ADMIN_PW_HASH}
+    ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
+	    -w "${LDAP_ADMIN_PASSWORD}" <<-EOF
+	dn: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
+	objectClass: organizationalRole
+	objectClass: simpleSecurityObject
+	cn: ${LDAP_ADMIN_CN}
+	description: LDAP Administrator role for domain ${LDAP_DOMAIN}
+	userPassword: ${ADMIN_PW_HASH}
 
-EOF
+	EOF
 fi
 
-# update admin password
-
-# TODO
+# TODO: update admin password =================================================
 
 # create OUs
-
 for OU in ${LDAP_DOMAIN_OUS}
 do
     echo "Check if ou=${OU},${LDAP_DOMAIN_DN} exists"
-    OU_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" -s base -b "ou=${OU},${LDAP_DOMAIN_DN}" "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
+    OU_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
+		       -w "${LDAP_ADMIN_PASSWORD}" -s base \
+		       -b "ou=${OU},${LDAP_DOMAIN_DN}" "(objectClass=*)" \
+		| egrep '^dn: ' | sed -e 's/^dn: //g')
 
     if [[ -n ${OU_DN} ]]
     then echo "ou=${OU} already present in ${LDAP_DOMAIN_DN}"
     else
 	echo "Creating ou=${OU},${LDAP_DOMAIN_DN}"
-	ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<EOF
-dn: ou=${OU},${LDAP_DOMAIN_DN}
-objectClass: organizationalUnit
-objectClass: top
-ou: ${OU}
+	ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
+		-w "${LDAP_ADMIN_PASSWORD}" <<-EOF
+	dn: ou=${OU},${LDAP_DOMAIN_DN}
+	objectClass: organizationalUnit
+	objectClass: top
+	ou: ${OU}
 
-EOF
+	EOF
     fi
 done
 
 # -------------------------------------------
 
 # kill slapd after initial setup
-echo "I: killing initial server..."
+echo "Killing initial server"
 kill -INT $(cat ${PIDFILE})
 
 # unset sensitive variables
-unset OPENLDAP_ADMIN_PASSWORD
-unset HASHED_PW
-unset LOADED_SCHEMAS
-unset PIDFILE
+unset LDAP_ADMIN_PASSWORD LDAP_CONFIG_PASSWORD LDAP_ADMIN_PWHASH \
+      LDAP_CONFIG_PWHASH LOADED_SCHEMAS PIDFILE
 
 # run Dockerfile CMD
-echo "I: running CMD $@"
+echo "Running CMD $@"
 set -e
 exec "$@"