WIP: add provider capability

Mauro Torrez 2019-09-25 19:15:54 -03:00
parent 8da8da1c93
commit 65a781afa0
2 changed files with 252 additions and 139 deletions


@ -1,25 +1,31 @@
FROM eumau/debian:buster-slim FROM eumau/debian:buster-slim
# admin CN => dn: cn=%%ADMIN_CN%%,%%DOMAIN_DN%%
ENV LDAP_ADMIN_CN="admin" ENV LDAP_ADMIN_CN="admin"
# admin CN, DN => cn=%%ADMIN_DN%%,%%DOMAIN_DN%%
ENV LDAP_ADMIN_PASSWORD="admin"
# password for cn=%%ADMIN_DN%%,%%DOMAIN_DN%% # password for cn=%%ADMIN_DN%%,%%DOMAIN_DN%%
ENV LDAP_CONFIG_PASSWORD="${LDAP_ADMIN_PASSWORD}" ENV LDAP_ADMIN_PASSWORD="admin"
# password for cn=admin,cn=config # password for cn=admin,cn=config
ENV LDAP_CONFIG_PASSWORD="${LDAP_ADMIN_PASSWORD}"
# domain name (example.org)
ENV LDAP_DOMAIN="" ENV LDAP_DOMAIN=""
# domain O (example.org)
ENV LDAP_DOMAIN_ACCESS="{0}to attrs=userPassword by self write by anonymous auth by * none\n{1}to attrs=shadowLastChange by self write by * read\n{2}to * by * read"
# olcDbAccess attribute for domain entry (newline-separated) # olcDbAccess attribute for domain entry (newline-separated)
ENV LDAP_DOMAIN_DN="" ENV LDAP_DOMAIN_ACCESS="{0}to attrs=userPassword by self write by anonymous auth by * none\n{1}to attrs=shadowLastChange by self write by * read\n{2}to * by * read"
# domain DN (dc=example,dc=org) # domain DN (dc=example,dc=org)
ENV LDAP_DOMAIN_INDEX="cn,uid eq\nmember,memberUid eq\nobjectClass eq\nuidNumber,gidNumber eq" ENV LDAP_DOMAIN_DN=""
# olcDbIndex attribute for domain entry (newline-separated) # olcDbIndex attribute for domain entry (newline-separated)
ENV LDAP_DOMAIN_OUS="People Alias Group" ENV LDAP_DOMAIN_INDEX="cn,uid eq\nmember,memberUid eq\nobjectClass eq\nuidNumber,gidNumber eq"
# domain OUs (space-separated) # domain OUs (space-separated)
ENV LDAP_MEMBEROF="true" ENV LDAP_DOMAIN_OUS="People Alias Group"
# enable memberOf module # enable memberOf module
ENV LDAP_SCHEMAS="core cosine inetorgperson misc nis" ENV LDAP_MEMBEROF="true"
# enable replication provider
ENV LDAP_PROVIDER="false"
# replicator CN => dn: cn=%%REPLICATOR_CN%%,%%DOMAIN_DN%%
ENV LDAP_REPLICATOR_CN="replicator"
# replicator password
ENV LDAP_REPLICATOR_PASSWORD="${LDAP_ADMIN_PASSWORD}"
# space-separated list of schemas to load # space-separated list of schemas to load
ENV LDAP_SCHEMAS="core cosine inetorgperson misc nis"
RUN apt-get update \ RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y \ && DEBIAN_FRONTEND=noninteractive apt-get install -y \


@ -6,34 +6,45 @@ assert(){ [[ $? -eq 0 ]] || { [[ -n ${1} ]] && echo ${@} ; exit 1 ; } }
# slapd is absurdly high. See https://github.com/docker/docker/issues/8231 # slapd is absurdly high. See https://github.com/docker/docker/issues/8231
ulimit -n 8192 ulimit -n 8192
echo "I: running slapd for initial setup..."
slapd -u openldap -g openldap -h ldapi:/// slapd -u openldap -g openldap -h ldapi:///
assert "E: openldap died unexpectedly!" assert "FATAL: sldapd died unexpectedly!"
PIDFILE=$(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" -s base \ PIDFILE=$(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" -s base \
"" olcPidFile | grep olcPidFile | awk "{print $2}") "" olcPidFile | grep olcPidFile | awk "{print $2}")
echo "I: slapd running with PID ${PIDFILE}" echo "slapd running. pidfile = ${PIDFILE}"
[[ -n "${LDAP_DOMAIN}" ]]
assert "FATAL: Please set LDAP_DOMAIN and retry."
DN0="dc=${LDAP_DOMAIN//./,dc=}"
LDAP_DOMAIN_DN=${LDAP_DOMAIN_DN:=${DN0}}
echo "setting up domain = ${LDAP_DOMAIN}, dn = ${LDAP_DOMAIN_DN}"
[[ -n "${LDAP_CONFIG_PASSWORD}" ]] [[ -n "${LDAP_CONFIG_PASSWORD}" ]]
assert "E: please set non-empty password in LDAP_CONFIG_PASSWORD and retry." assert "FATAL: Please set LDAP_CONFIG_PASSWORD and retry."
LDAP_CONFIG_PWHASH=$(slappasswd -h "{SSHA}" -s "${LDAP_CONFIG_PASSWORD}")
HASHED_PW=$(slappasswd -h "{SSHA}" -s "${LDAP_CONFIG_PASSWORD}") [[ -n "${LDAP_ADMIN_PASSWORD}" ]]
assert "FATAL: Please set LDAP_ADMIN_PASSWORD and retry."
LDAP_ADMIN_PWHASH=$(slappasswd -h "{SSHA}" -s "${LDAP_ADMIN_PASSWORD}")
echo "I: Setting administrator password..." # TODO: verify password before updating =======================================
echo "Setting cn=admin,cn=config password"
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config dn: olcDatabase={0}config,cn=config
changetype: modify changetype: modify
replace: olcRootPW replace: olcRootPW
olcRootPW: ${HASHED_PW} olcRootPW: ${LDAP_CONFIG_PWHASH}
EOF EOF
assert "FATAL: failure setting administrator password!" assert "FATAL: error setting cn=admin,cn=config password"
# find current schemas # SCHEMAS ---------------------------------------------------------------------
eval "declare -A LOADED_SCHEMAS=( $(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// \ eval "declare -A LOADED_SCHEMAS=( $(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// \
-b "cn=schema,cn=config" -s one cn \ -b "cn=schema,cn=config" -s one cn \
| sed -n 's/^cn:.*[{].*[}]\(.*\)$/[\1]=loaded/p') )" | sed -n 's/^cn:.*[{].*[}]\(.*\)$/[\1]=loaded/p') )"
echo "I: currently loaded schemas: ${!LOADED_SCHEMAS[@]}" echo "Loaded schemas: ${!LOADED_SCHEMAS[@]}"
# load schemas # load schemas
# built-in: core, cosine, nis, inetorgperson # built-in: core, cosine, nis, inetorgperson
@ -41,37 +52,140 @@ echo "I: currently loaded schemas: ${!LOADED_SCHEMAS[@]}"
for schema in ${LDAP_SCHEMAS} for schema in ${LDAP_SCHEMAS}
do do
[[ -z "${LOADED_SCHEMAS[$schema]}" ]] || continue; [[ -z "${LOADED_SCHEMAS[$schema]}" ]] || continue;
echo "I: loading schema ${schema}..."
[[ -f /etc/ldap/schema/${schema}.ldif ]]
assert "E: schema /etc/ldap/schema/${schema}.ldif not found!"
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/${schema}.ldif
assert "E: failure loading schema ${schema}!"
done
# enable memberof module echo "Loading ${schema} schema"
[[ -f /etc/ldap/schema/${schema}.ldif ]]
assert "FATAL: schema file /etc/ldap/schema/${schema}.ldif not found!"
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/${schema}.ldif
assert "FATAL: error loading schema ${schema}!"
done
# END SCHEMAS -----------------------------------------------------------------
# MEMBEROF MODULE -------------------------------------------------------------
if ${LDAP_MEMBEROF} if ${LDAP_MEMBEROF}
then then
echo "I: enabling memberof module ..." echo "Enabling memberof module"
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF ldapmodify -Y EXTERNAL -H ldapi:/// <<-EOF
dn: cn=module{0},cn=config dn: cn=module{0},cn=config
changetype: modify changetype: modify
add: olcModuleLoad add: olcModuleLoad
olcModuleLoad: memberof olcModuleLoad: memberof
EOF EOF
RES=$? RES=$?
[[ $RES -eq 0 ]] || [[ $RES -eq 20 ]] [[ $RES -eq 0 ]] || [[ $RES -eq 20 ]]
assert "E: failed loading memberof module (${RES})" assert "FATAL: error loading memberof module (return status ${RES})"
echo "I: module memberof enabled (${RES})"
unset RES unset RES
fi fi
# END MEMBEROF MODULE ---------------------------------------------------------
# 0. calcular DN a partir del dominio # REPLICATION PROVIDER --------------------------------------------------------
if ${LDAP_PROVIDER}
then
echo "Enabling syncprov module"
ldapmodify -Y EXTERNAL -H ldapi:/// <<-EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
# 1.3.0 crear password admin EOF
ADMIN_PW_HASH=$(slappasswd -h "{SSHA}" -s "${LDAP_ADMIN_PASSWORD}") RES=$?
[[ $RES -eq 0 ]] || [[ $RES -eq 20 ]]
assert "FATAL: error loading syncprov module (return status ${RES})"
# 1.2 buscar dominio echo "Enabling accesslog module"
ldapmodify -Y EXTERNAL -H ldapi:/// <<-EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: accesslog
EOF
RES=$?
[[ $RES -eq 0 ]] || [[ $RES -eq 20 ]]
assert "FATAL: error loading accesslog module (return status ${RES})"
unset RES
if ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "cn=config" \
"(&(olcSuffix=\"cn=accesslog\")(olcDatabase=mdb))" | \
egrep -q '^dn: '
then
echo "Found cn=config entry for cn=accesslog"
else
echo "No cn=config entry for cn=accesslog."
echo "Creating directory /var/lib/ldap/cn=accesslog"
mkdir "/var/lib/ldap/cn=accesslog"
chown -R openldap:openldap "/var/lib/ldap/cn=accesslog"
echo "Creating cn=config entry for cn=accesslog"
ldapadd -Y EXTERNAL -H ldapi:/// <<-EOF
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcRootDN: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
olcRootPW: ${LDAP_ADMIN_PWHASH}
olcDbMaxSize: 8589934592
olcSuffix: cn=accesslog
olcDbDirectory: /var/lib/ldap/cn=accesslog
olcAccess: {0}to * by dn="cn=${LDAP_REPLICATOR_CN},${LDAP_DOMAIN_DN}" read
olcLimits: {0}to dn.exact="cn=${LDAP_REPLICATOR_CN},${LDAP_DOMAIN_DN}" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcLimits: {1}to dn.exact="cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
EOF
fi
if ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "cn=config" \
"(&(olcSuffix=\"cn=accesslog\")(olcDatabase=mdb))" | \
egrep -q '^dn: '
then
echo "Found cn=config entry for cn=accesslog"
else
echo "No cn=config entry for cn=accesslog."
echo "Creating directory /var/lib/ldap/cn=accesslog"
mkdir "/var/lib/ldap/cn=accesslog"
chown -R openldap:openldap "/var/lib/ldap/cn=accesslog"
echo "Creating cn=config entry for cn=accesslog"
ldapadd -Y EXTERNAL -H ldapi:/// <<-EOF
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcRootDN: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
olcRootPW: ${LDAP_ADMIN_PWHASH}
olcDbMaxSize: 8589934592
olcSuffix: cn=accesslog
olcDbDirectory: /var/lib/ldap/cn=accesslog
olcAccess: {0}to * by dn="cn=${LDAP_REPLICATOR_CN},${LDAP_DOMAIN_DN}" read
olcLimits: {0}to dn.exact="cn=${LDAP_REPLICATOR_CN},${LDAP_DOMAIN_DN}" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcLimits: {1}to dn.exact="cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
EOF
fi
echo "Get DN of cn=config entry for cn=accesslog"
CN_CONFIG_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b cn=config \
"(&(olcSuffix=cn=accesslog)(olcDatabase=mdb))" \
| egrep '^dn: ' | sed -e 's/^dn: //g')
if [[ -n ${CN_CONFIG_DN} ]]
then echo "Found DN = ${CN_CONFIG_DN}"
else
echo "FATAL: could not find cn=config entry for cn=accesslog"
echo "PLEASE NOTE: only MDB database format is supported (PR welcome :)"
exit 1
fi
# TODO: olcOverlay=syncprov ===============================================
# TODO: replication users (on domain setup?) ==============================
fi
# END REPLICATION PROVIDER ----------------------------------------------------
# DOMAIN SETUP ----------------------------------------------------------------
if ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "cn=config" \ if ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "cn=config" \
"(&(olcSuffix=\"${LDAP_DOMAIN_DN}\")(olcDatabase=mdb))" | \ "(&(olcSuffix=\"${LDAP_DOMAIN_DN}\")(olcDatabase=mdb))" | \
egrep -q '^dn: ' egrep -q '^dn: '
@ -85,25 +199,27 @@ else
echo "Creating cn=config entry for ${LDAP_DOMAIN_DN}" echo "Creating cn=config entry for ${LDAP_DOMAIN_DN}"
ldapadd -Y EXTERNAL -H ldapi:/// <<EOF ldapadd -Y EXTERNAL -H ldapi:/// <<-EOF
dn: olcDatabase=mdb,cn=config dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig objectClass: olcDatabaseConfig
objectClass: olcMdbConfig objectClass: olcMdbConfig
olcDbMaxSize: 1073741824 olcDbMaxSize: 1073741824
olcSuffix: ${LDAP_DOMAIN_DN} olcSuffix: ${LDAP_DOMAIN_DN}
olcDbDirectory: /var/lib/ldap/${LDAP_DOMAIN_DN} olcDbDirectory: /var/lib/ldap/${LDAP_DOMAIN_DN}
olcRootDN: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} olcRootDN: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
olcRootPW: ${ADMIN_PW_HASH} olcRootPW: ${LDAP_ADMIN_PWHASH}
$(echo -ne "${LDAP_DOMAIN_ACCESS}" | sed -e 's/^/olcAccess: /g') $(echo -ne "${LDAP_DOMAIN_ACCESS}" | sed -e 's/^/olcAccess: /g')
olcDbCheckpoint: 512 30 olcDbCheckpoint: 512 30
olcLastMod: TRUE olcLastMod: TRUE
$(echo -ne "${LDAP_DOMAIN_INDEX}" | sed -e 's/^/olcDbIndex: /g') $(echo -ne "${LDAP_DOMAIN_INDEX}" | sed -e 's/^/olcDbIndex: /g')
$(echo -ne "${LDAP_DOMAIN_LIMITS}" | sed -e 's/^/olcLimits: /g') $(echo -ne "${LDAP_DOMAIN_LIMITS}" | sed -e 's/^/olcLimits: /g')
EOF EOF
fi fi
echo "Get DN of cn=config entry for ${LDAP_DOMAIN_DN}" echo "Get cn=config entry for ${LDAP_DOMAIN_DN}"
CN_CONFIG_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b cn=config "(&(olcSuffix=${LDAP_DOMAIN_DN})(olcDatabase=mdb))" | egrep '^dn: ' | sed -e 's/^dn: //g') CN_CONFIG_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "cn=config" \
"(&(olcSuffix=${LDAP_DOMAIN_DN})(olcDatabase=mdb))" \
| egrep '^dn: ' | sed -e 's/^dn: //g')
if [[ -n ${CN_CONFIG_DN} ]] if [[ -n ${CN_CONFIG_DN} ]]
then echo "Found DN = ${CN_CONFIG_DN}" then echo "Found DN = ${CN_CONFIG_DN}"
@ -113,137 +229,128 @@ else
exit 1 exit 1
fi fi
# 2. olcovrlay memberof # TODO: verify admin password before updating =================================
echo "Setting domain administrator password"
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: ${CN_CONFIG_DN}
changetype: modify
replace: olcRootPW
olcRootPW: ${LDAP_ADMIN_PWHASH}
EOF
assert "FATAL: could not set administrator password!"
# END DOMAIN SETUP ------------------------------------------------------------
# MEMBEROF OVERLAY ------------------------------------------------------------
if [[ ${LDAP_MEMBEROF} ]] if [[ ${LDAP_MEMBEROF} ]]
then then
echo "Check if memberOf is enabled" echo "Check if memberOf overlay is enabled"
MEMBEROF_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b "${CN_CONFIG_DN}" "(olcOverlay=memberOf)" | egrep '^dn: ' | sed -e 's/^dn: //g') MEMBEROF_DN=$(ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -s one -b \
"${CN_CONFIG_DN}" "(olcOverlay=memberOf)" | \
egrep '^dn: ' | sed -e 's/^dn: //g')
if [[ -n ${MEMBEROF_DN} ]] if [[ -n ${MEMBEROF_DN} ]]
then echo "memberOf overlay already enabled for ${CN_CONFIG_DN}" then echo "memberOf overlay already enabled for ${CN_CONFIG_DN}"
else else
echo "Enabling memberOf overlay" echo "Enabling memberOf overlay"
ldapadd -Y EXTERNAL -H ldapi:/// <<EOF ldapadd -Y EXTERNAL -H ldapi:/// <<-EOF
dn: olcOverlay=memberof,${CN_CONFIG_DN} dn: olcOverlay=memberof,${CN_CONFIG_DN}
objectClass: olcOverlayConfig objectClass: olcOverlayConfig
objectClass: olcConfig objectClass: olcConfig
objectClass: olcMemberOf objectClass: olcMemberOf
olcMemberOfDangling: ignore olcMemberOfDangling: ignore
olcMemberOfRefInt: FALSE olcMemberOfRefInt: FALSE
olcMemberOfGroupOC: groupOfNames olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf olcMemberOfMemberOfAD: memberOf
EOF EOF
fi fi
fi fi
# END MEMBEROF OVERLAY --------------------------------------------------------
[[ -n "${LDAP_ADMIN_PASSWORD}" ]] # DIT ENTRIES -----------------------------------------------------------------
assert "E: please set non-empty password in LDAP_ADMIN_PASSWORD and retry."
HASHED_PW=$(slappasswd -h "{SSHA}" -s "${LDAP_ADMIN_PASSWORD}")
echo "I: Setting domain administrator password..."
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: ${CN_CONFIG_DN}
changetype: modify
replace: olcRootPW
olcRootPW: ${HASHED_PW}
EOF
assert "FATAL: failure setting administrator password!"
# -------------------------------------------
# create base dn
echo "Check if ${LDAP_DOMAIN_DN} exists" echo "Check if ${LDAP_DOMAIN_DN} exists"
DOM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" -s base -b "${LDAP_DOMAIN_DN}" "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g') DOM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
-w "${LDAP_ADMIN_PASSWORD}" -s base -b "${LDAP_DOMAIN_DN}" \
"(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g')
if [[ -n ${DOM_DN} ]] if [[ -n ${DOM_DN} ]]
then echo "${LDAP_DOMAIN_DN} already present" then echo "${LDAP_DOMAIN_DN} already present"
else else
cat <<EOF
dn: ${LDAP_DOMAIN_DN}
objectClass: dcObject
objectClass: organization
objectClass: top
dc: $(echo -n "${LDAP_DOMAIN_DN#dc=}" | sed 's/,.*$//g')
o: ${LDAP_DOMAIN}
EOF
echo "Creating ${LDAP_DOMAIN_DN}" echo "Creating ${LDAP_DOMAIN_DN}"
ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<EOF ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
dn: ${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<-EOF
objectClass: dcObject dn: ${LDAP_DOMAIN_DN}
objectClass: organization objectClass: dcObject
objectClass: top objectClass: organization
dc: $(echo -n "${LDAP_DOMAIN_DN#dc=}" | sed 's/,.*$//g') objectClass: top
o: ${LDAP_DOMAIN} dc: $(echo -n "${LDAP_DOMAIN_DN#dc=}" | sed 's/,.*$//g')
o: ${LDAP_DOMAIN}
EOF EOF
fi fi
# create admin user # Admin user
echo "Check if cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} exists" echo "Check if cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} exists"
ADM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" -s base -b "cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}" "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g') ADM_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
-w "${LDAP_ADMIN_PASSWORD}" -s base -b \
"cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}" "(objectClass=*)" \
| egrep '^dn: ' | sed -e 's/^dn: //g')
if [[ -n ${ADM_DN} ]] if [[ -n ${ADM_DN} ]]
then echo "cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} already present" then echo "cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} already present"
else else
echo "Creating cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}" echo "Creating cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}"
ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<EOF ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
dn: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<-EOF
objectClass: organizationalRole dn: cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}
objectClass: simpleSecurityObject objectClass: organizationalRole
cn: ${LDAP_ADMIN_CN} objectClass: simpleSecurityObject
description: LDAP Administrator role for domain ${LDAP_DOMAIN} cn: ${LDAP_ADMIN_CN}
userPassword: ${ADMIN_PW_HASH} description: LDAP Administrator role for domain ${LDAP_DOMAIN}
userPassword: ${ADMIN_PW_HASH}
EOF EOF
fi fi
# update admin password # TODO: update admin password =================================================
# TODO
# create OUs # create OUs
for OU in ${LDAP_DOMAIN_OUS} for OU in ${LDAP_DOMAIN_OUS}
do do
echo "Check if ou=${OU},${LDAP_DOMAIN_DN} exists" echo "Check if ou=${OU},${LDAP_DOMAIN_DN} exists"
OU_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" -s base -b "ou=${OU},${LDAP_DOMAIN_DN}" "(objectClass=*)" | egrep '^dn: ' | sed -e 's/^dn: //g') OU_DN=$(ldapsearch -LLL -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
-w "${LDAP_ADMIN_PASSWORD}" -s base \
-b "ou=${OU},${LDAP_DOMAIN_DN}" "(objectClass=*)" \
| egrep '^dn: ' | sed -e 's/^dn: //g')
if [[ -n ${OU_DN} ]] if [[ -n ${OU_DN} ]]
then echo "ou=${OU} already present in ${LDAP_DOMAIN_DN}" then echo "ou=${OU} already present in ${LDAP_DOMAIN_DN}"
else else
echo "Creating ou=${OU},${LDAP_DOMAIN_DN}" echo "Creating ou=${OU},${LDAP_DOMAIN_DN}"
ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<EOF ldapadd -H ldapi:/// -D cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN} \
dn: ou=${OU},${LDAP_DOMAIN_DN} -w "${LDAP_ADMIN_PASSWORD}" <<-EOF
objectClass: organizationalUnit dn: ou=${OU},${LDAP_DOMAIN_DN}
objectClass: top objectClass: organizationalUnit
ou: ${OU} objectClass: top
ou: ${OU}
EOF EOF
fi fi
done done
# ------------------------------------------- # -------------------------------------------
# kill slapd after initial setup # kill slapd after initial setup
echo "I: killing initial server..." echo "Killing initial server"
kill -INT $(cat ${PIDFILE}) kill -INT $(cat ${PIDFILE})
# unset sensitive variables # unset sensitive variables
unset OPENLDAP_ADMIN_PASSWORD unset LDAP_ADMIN_PASSWORD LDAP_CONFIG_PASSWORD LDAP_ADMIN_PWHASH \
unset HASHED_PW LDAP_CONFIG_PWHASH LOADED_SCHEMAS PIDFILE
unset LOADED_SCHEMAS
unset PIDFILE
# run Dockerfile CMD # run Dockerfile CMD
echo "I: running CMD $@" echo "Running CMD $@"
set -e set -e
exec "$@" exec "$@"
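Review bot: The admin DIT entry in the heredoc under `echo "Creating cn=${LDAP_ADMIN_CN},${LDAP_DOMAIN_DN}"` still reads `userPassword: ${ADMIN_PW_HASH}`, but this commit removes the `ADMIN_PW_HASH=$(slappasswd …)` assignment and hashes into `LDAP_ADMIN_PWHASH` everywhere else, so unless that name is set outside these hunks the entry is created with an empty `userPassword` value; change it to `userPassword: ${LDAP_ADMIN_PWHASH}`. In the replication-provider block the `cn=accesslog` check-and-create (`if ldapsearch … olcSuffix=\"cn=accesslog\" …` through `fi`) is pasted twice back to back, so the second copy is dead once the first succeeds and should be dropped, and the `ldapadd` that creates `olcSuffix: cn=accesslog` has no `assert` after it, unlike the module loads above it, so a failed add only surfaces when the later DN lookup exits. The final `unset` drops the admin and config passwords and hashes but not `LDAP_REPLICATOR_PASSWORD`, which the Dockerfile in this commit now sets, so it stays in the environment of the `exec`'d slapd; add it to that `unset` list. The new message `FATAL: sldapd died unexpectedly!` misspells slapd. The `assert` helper and any `set` options at the top of the script are outside these hunks, so how a failed `ldapadd` is handled there is inferred from the visible lines only.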