Halaman utama Jelajahi Bantuan
Daftar Masuk
tomi
/
docker-ldap-server
1
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Cabang: master
Ranting Tag
docker-ldap-ser...
/
start.sh

start.sh 6.9 KB
Permalink Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249 
  1. #!/bin/sh -e
    2. 

  2. 

  3. function error() {
    4. 

  4.     echo "ERROR: $*" 1>&2
    5. 

  5.     exit
    6. 

  6. }
    7. 

  7. 

  8. # variables
    9. 

  9. DATE=$(date '+%Y%m%d%H%m')
    10. 

  10. if test -z "${DOMAIN}"; then
    11. 

  11.     error "Specifying a domain is mandatory, use -e DOMAIN=example.org"
    12. 

  12. fi
    13. 

  13. if test -z "${ORGANIZATION}"; then
    14. 

  14.     error "Specifying an organization is mandatory, use -e ORGANIZATION=\"Example Organization\""
    15. 

  15. fi
    16. 

  16. if test -z "${PASSWORD}"; then
    17. 

  17.     if test -e /etc/ldap/password; then
    18. 

  18.         export PASSWORD="$(cat /etc/ldap/password)"
    19. 

  19.     else
    20. 

  20.         export PASSWORD=$(pwgen 20 1)
    21. 

  21. 	echo "password: $PASSWORD"
    22. 

  22.         echo "$PASSWORD" > /etc/ldap/password
    23. 

  23. 	chmod go= /etc/ldap/password
    24. 

  24.     fi
    25. 

  25. fi
    26. 

  26. export BASEDN="dc=${DOMAIN//./,dc=}"
    27. 

  27. export PASSWD="$(slappasswd -h {SSHA} -s ${PASSWORD})"
    28. 

  28. 

  29. # configure
    30. 

  30. cat > /tmp/update-config.sed <<EOF
    31. 

  31. /^\s*suffix\b/csuffix\t\t"${BASEDN}"
    32. 

  32. /^\s*rootdn\b/crootdn\t\t"cn=admin,${BASEDN}"
    33. 

  33. /^\s*rootpw\b/crootpw\t\t${PASSWD}
    34. 

  34. /^\s*directory\b/cdirectory /var/lib/ldap
    35. 

  35. s/^\s*access/# &/
    36. 

  36. s/# \?\(\s*\(access to \*\|by self write\|by users read\|by anonymous auth\)\)/\1/
    37. 

  37. EOF
    38. 

  38. sed -f /tmp/update-config.sed /etc/openldap/slapd.conf > /etc/ldap/slapd.conf
    39. 

  39. if test "$MEMBEROF" -eq 1; then
    40. 

  40.     cat >> /etc/ldap/slapd.conf <<EOF
    41. 

  41. moduleload refint
    42. 

  42. overlay refint
    43. 

  43. refint_attributes member
    44. 

  44. refint_nothing "cn=admin,${BASEDN}"
    45. 

  45. moduleload memberof
    46. 

  46. overlay memberof
    47. 

  47. memberof-group-oc groupOfNames
    48. 

  48. memberof-member-ad member
    49. 

  49. memberof-memberof-ad memberOf
    50. 

  50. memberof-refint true
    51. 

  51. EOF
    52. 

  52. fi
    53. 

  53. rm /tmp/update-config.sed
    54. 

  54. for schema in $SCHEMAS; do
    55. 

  55.     echo "include /etc/openldap/schema/${schema}.schema" >> /etc/ldap/slapd.conf
    56. 

  56. done
    57. 

  57. if test -e /ssl/live/${DOMAIN}/chain.pem \
    58. 

  58.         -a -e /ssl/live/${DOMAIN}/privkey.pem \
    59. 

  59.         -a -e /ssl/live/${DOMAIN}/cert.pem; then
    60. 

  60.     cat >> /etc/ldap/slapd.conf <<EOF
    61. 

  61. TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
    62. 

  62. TLSCertificateFile /ssl/live/${DOMAIN}/cert.pem
    63. 

  63. TLSCertificateKeyFile /ssl/live/${DOMAIN}/privkey.pem
    64. 

  64. TLSCACertificateFile /ssl/live/${DOMAIN}/chain.pem
    65. 

  65. # apk add ca-certificates +:
    66. 

  66. #TLSCACertificatePath /usr/share/ca-certificates/mozilla
    67. 

  67. EOF
    68. 

  68.     SSL_HOSTS=" ldaps:/// ldapi:///"
    69. 

  69. else
    70. 

  70.     SSL_HOSTS=""
    71. 

  71. fi
    72. 

  72. 

  73. # backup status quo
    74. 

  74. if test -n "$(ls -A /var/lib/ldap)"; then
    75. 

  75.     slapcat -f /etc/ldap/slapd.conf > /var/backups/${DATE}-startup-data.ldif
    76. 

  76. fi
    77. 

  77. 

  78. # restore if required
    79. 

  79. if test -e /var/restore/*data.ldif; then
    80. 

  80.     rm -r /var/lib/ldap/* || true
    81. 

  81.     slapadd -f /etc/ldap/slapd.conf -l /var/restore/*data.ldif 2> /dev/null
    82. 

  82.     mv /var/restore/*data.ldif /var/backups/${DATE}-restored-data.ldif
    83. 

  83. fi
    84. 

  84. 

  85. # run
    86. 

  86. chown -R ${USER}.${GROUP} /var/lib/ldap /etc/ldap
    87. 

  87. chmod 700 /var/lib/ldap
    88. 

  88. /usr/sbin/slapd -u $USER -g $GROUP -d ${DEBUG} -h "ldap:///${SSL_HOSTS}" -f /etc/ldap/slapd.conf
    89. 

  89. 

  90. function multimaster() {
    91. 

  91.     if test -z "$MULTI_MASTER_REPLICATION"; then
    92. 

  92.         return
    93. 

  93.     fi
    94. 

  94.     if test -z "$SERVER_NAME" || ! [[ " ${MULTI_MASTER_REPLICATION} " =~ " ${SERVER_NAME} " ]];  then
    95. 

  95.         error "SERVER_NAME must be one of ${MULTI_MASTER_REPLICATION} in MULTI_MASTER_REPLICATION"
    96. 

  96.     fi
    97. 

  97.     log "  --> multimaster ... "
    98. 

  98.     # load module
    99. 

  99.     log "module "
    100. 

  100.     ldapadd -c -Y external -H ldapi:/// > /dev/null 2> /dev/null <<EOF
    101. 

  101. dn: cn=module,cn=config
    102. 

  102. objectClass: olcModuleList
    103. 

  103. cn: module
    104. 

  104. olcModulePath: /usr/lib/ldap
    105. 

  105. olcModuleLoad: syncprov.la
    106. 

  106. EOF
    107. 

  107.     # config replication
    108. 

  108.     local masters=( ${MULTI_MASTER_REPLICATION} )
    109. 

  109.     local serverid=
    110. 

  110.     for ((i=0; i<${#masters[@]}; ++i)); do
    111. 

  111.         if test "${masters[$i]}" == "${SERVER_NAME}"; then
    112. 

  112.             serverid=$((i+1))
    113. 

  113.             break;
    114. 

  114.         fi
    115. 

  115.     done
    116. 

  116.     test -n "$serverid"
    117. 

  117.     log "config for ${SERVER_NAME} as $serverid "
    118. 

  118.     log "first "
    119. 

  119.     ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
    120. 

  120. dn: cn=config
    121. 

  121. changetype: modify
    122. 

  122. add: olcServerID
    123. 

  123. olcServerID: ${serverid}
    124. 

  124. EOF
    125. 

  125.     log "second "
    126. 

  126.     ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
    127. 

  127. dn: cn=config
    128. 

  128. changetype: modify
    129. 

  129. replace: olcServerID
    130. 

  130. $(
    131. 

  131.     for ((i=0; i<${#masters[@]}; ++i)); do
    132. 

  132.       echo "olcServerID: $((i+1)) ldap://${masters[$i]}"
    133. 

  133.     done
    134. 

  134. )
    135. 

  135. 

  136. dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
    137. 

  137. changetype: add
    138. 

  138. objectClass: olcOverlayConfig
    139. 

  139. objectClass: olcSyncProvConfig
    140. 

  140. 

  141. dn: olcDatabase={0}config,cn=config
    142. 

  142. changetype: modify
    143. 

  143. add: olcSyncRepl
    144. 

  144. $(
    145. 

  145.     for ((i=0; i<${#masters[@]}; ++i)); do
    146. 

  146.       printf 'olcSyncRepl: rid=%03d provider=ldap://%s binddn="cn=config"\n' $((i+1)) ${masters[$i]};
    147. 

  147.       echo '  bindmethod=simple credentials=x searchbase="cn=config"'
    148. 

  148.       echo '  type=refreshAndPersist retry="5 5 300 5" timeout=1'
    149. 

  149.     done
    150. 

  150. )
    151. 

  151. -
    152. 

  152. add: olcMirrorMode
    153. 

  153. olcMirrorMode: TRUE
    154. 

  154. 

  155. EOF
    156. 

  156.     # database replication
    157. 

  157.     log "data "
    158. 

  158.     log "first "
    159. 

  159.     ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
    160. 

  160. dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
    161. 

  161. changetype: add
    162. 

  162. objectClass: olcOverlayConfig
    163. 

  163. objectClass: olcSyncProvConfig
    164. 

  164. olcOverlay: syncprov
    165. 

  165. EOF
    166. 

  166.     log "second "
    167. 

  167.     ldapmodify -Y EXTERNAL  -H ldapi:/// <<EOF
    168. 

  168. dn: olcDatabase={1}hdb,cn=config
    169. 

  169. changetype: modify
    170. 

  170. replace: olcSuffix
    171. 

  171. olcSuffix: dc=itzgeek,dc=local
    172. 

  172. -
    173. 

  173. replace: olcRootDN
    174. 

  174. olcRootDN: cn=ldapadm,dc=itzgeek,dc=local
    175. 

  175. -
    176. 

  176. replace: olcRootPW
    177. 

  177. olcRootPW: {SSHA}xtbbtC/1pJclCPzo1n3Szac9jqavSphk
    178. 

  178. -
    179. 

  179. add: olcSyncRepl
    180. 

  180. $(
    181. 

  181.     for ((i=0; i<${#masters[@]}; ++i)); do
    182. 

  182.       printf 'olcSyncRepl: rid=%03d provider=ldap://%s binddn="cn=admin,${BASEDN}"\n' $((i+1)) ${masters[$i]};
    183. 

  183.       echo '  credentials=x searchbase="${BASEDN}" type=refreshOnly'
    184. 

  184.       echo '  interval=00:00:00:10 retry="5 5 300 5" timeout=1'
    185. 

  185.     done
    186. 

  186. )
    187. 

  187. -
    188. 

  188. add: olcDbIndex
    189. 

  189. olcDbIndex: entryUUID  eq
    190. 

  190. -
    191. 

  191. add: olcDbIndex
    192. 

  192. olcDbIndex: entryCSN  eq
    193. 

  193. -
    194. 

  194. add: olcMirrorMode
    195. 

  195. olcMirrorMode: TRUE
    196. 

  196. EOF
    197. 

  197.     log "access "
    198. 

  198.     ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
    199. 

  199. dn: olcDatabase={1}monitor,cn=config
    200. 

  200. changetype: modify
    201. 

  201. replace: olcAccess
    202. 

  202. olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=admin,${BASEDN}" read by * none
    203. 

  203. EOF
    204. 

  204.     logdone
    205. 

  205. }
    206. 

  206. 

  207. function memberof() {
    208. 

  208.     log "  --> memberof ... "
    209. 

  209.     if ! ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config 2> /dev/null > /dev/null; then
    210. 

  210.         log "module "
    211. 

  211.         ldapadd -c -Y external -H ldapi:/// > /dev/null 2> /dev/null <<EOF
    212. 

  212. dn: cn=module,cn=config
    213. 

  213. cn: module
    214. 

  214. objectClass: olcModuleList
    215. 

  215. olcModuleLoad: memberof
    216. 

  216. olcModulePath: /usr/lib/ldap
    217. 

  217. 

  218. dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
    219. 

  219. objectClass: olcConfig
    220. 

  220. objectClass: olcMemberOf
    221. 

  221. objectClass: olcOverlayConfig
    222. 

  222. objectClass: top
    223. 

  223. olcOverlay: memberof
    224. 

  224. olcMemberOfDangling: ignore
    225. 

  225. olcMemberOfRefInt: TRUE
    226. 

  226. olcMemberOfGroupOC: groupOfNames
    227. 

  227. olcMemberOfMemberAD: member
    228. 

  228. olcMemberOfMemberOfAD: memberOf
    229. 

  229. EOF
    230. 

  230.         log "refint "
    231. 

  231.         ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
    232. 

  232. dn: cn=module{1},cn=config
    233. 

  233. add: olcmoduleload
    234. 

  234. olcmoduleload: refint
    235. 

  235. EOF
    236. 

  236.         ldapadd -c -Y external -H ldapi:/// > /dev/null 2> /dev/null <<EOF
    237. 

  237. dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
    238. 

  238. objectClass: olcConfig
    239. 

  239. objectClass: olcOverlayConfig
    240. 

  240. objectClass: olcRefintConfig
    241. 

  241. objectClass: top
    242. 

  242. olcOverlay: {1}refint
    243. 

  243. olcRefintAttribute: memberof member manager owner
    244. 

  244. EOF
    245. 

  245.         logdone
    246. 

  246.     else
    247. 

  247.         logdone "already configured"
    248. 

  248.     fi
    249. 

  249. }
    250.