
made changes on fnog.

Tomi Cvetic 6 년 전
부모
커밋
89c015cb4e
10개의 변경된 파일142개의 추가작업 그리고 30개의 파일을 삭제
  1. 7 11
      Dockerfile
  2. 9 19
      entrypoint.sh
  3. 11 0
      ldifs/database.ldif
  4. 6 0
      ldifs/indices.ldif
  5. 9 0
      ldifs/krb_indices.ldif
  6. 13 0
      ldifs/krb_structure.ldif
  7. 4 0
      ldifs/loglevel.ldif
  8. 10 0
      ldifs/tls.ldif
  9. 63 0
      scripts/gen_certs.sh
  10. 10 0
      scripts/gen_slapd_pw.sh

+ 7 - 11
Dockerfile

@@ -6,39 +6,35 @@ FROM alpine:latest
 # Define env variables
 ENV DOMAIN        ""
 ENV ORGANIZATION  ""
-#ENV DEBUG         1
+ENV DEBUG         1
 
 # Default env variables
-ENV USER          ldap
-ENV GROUP         ${USER}
+#ENV USER          ldap
+#ENV GROUP         ldap
 
 # Install openldap with MDB backend
 RUN apk add --update --no-cache \ 
-  pwgen \
   openldap \
   openldap-clients \
   openldap-back-mdb
 
 RUN mkdir /run/openldap
-RUN chown ${USER}:${GROUP} /run/openldap
+#RUN chown ${USER}:${GROUP} /run/openldap
 
-COPY ./slapd.conf /etc/openldap/slapd.conf
+#COPY ./slapd.conf /etc/openldap/slapd.conf
 #COPY ./setup.sh /setup.sh
 COPY ./entrypoint.sh /entrypoint.sh
 
-# Add schemas that are not initially in the installation
-#ADD samba.schema  /etc/openldap/schema/samba.schema
-
 # Add setup script
 #ADD setup.sh /setup.sh
 #RUN /setup.sh
 
-CMD /entrypoint.sh /usr/sbin/slapd -u ${USER} -g ${GROUP} -d ${DEBUG} -h "ldap:/// ldapi:///" -F /etc/openldap/slapd.d
+CMD /entrypoint.sh /usr/sbin/slapd -d ${DEBUG} -h "ldap:/// ldapi:///" -F /etc/openldap/slapd.d
 
 EXPOSE 389
 
 VOLUME /etc/openldap/slapd.d
 VOLUME /var/backups
-VOLUME /var/restore
+VOLUME /var/ldifs
 VOLUME /var/lib/openldap
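Review bot: Commenting out `ENV USER`/`ENV GROUP`, the `chown` of /run/openldap and the `-u ${USER} -g ${GROUP}` flags on the CMD line means slapd now runs as root inside the container, and no `USER` directive or other privilege drop appears in the hunk. Restoring the dedicated account is three lines: `ENV USER=ldap GROUP=ldap`, `RUN chown ${USER}:${GROUP} /run/openldap`, and `CMD /entrypoint.sh /usr/sbin/slapd -u ${USER} -g ${GROUP} -d ${DEBUG} -h "ldap:/// ldapi:///" -F /etc/openldap/slapd.d`. `pwgen` is dropped from the apk list while the new scripts/gen_slapd_pw.sh calls `pwgen`, so if that script is meant to run inside this image it will fail. The added `ENV DEBUG 1` uses the legacy space-separated form; `ENV DEBUG=1` is the current syntax.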
 

+ 9 - 19
entrypoint.sh

@@ -1,7 +1,9 @@
 #!/bin/sh
 
-# Log everything to this log file
-#exec &> $ENTRYLOG
+# Log everything to this log file. Use LOG env var or default /var/log/ldap.log
+ENTRYLOG=${LOG:-/var/log/ldap.log}
+echo Logfile: $ENTRYLOG
+exec &> $ENTRYLOG
 
 # Inspired by https://github.com/acobaugh/openldap-alpine
 
@@ -21,30 +23,18 @@ if [ ! -d '/etc/openldap/slapd.d/cn=config' ]; then
 	echo $SLAPD_CONFIG_ROOTPW > /etc/openldap/slapd.d/slapd_config_rootpw
 	chmod 400 /etc/openldap/slapd.d/slapd_config_rootpw
 	
-	# Check if all certificates and keys are present 
-	# if 	[ ! -f ${SSL_PATH}/slurm.ch-rootCA.crt ] || \
-	# 	[ ! -f ${SSL_PATH}/ldap.slurm.ch.crt ] || \
-	# 	[ ! -f ${SSL_PATH}/ldap.slurm.ch.key ]; then
-	# 	echo "Not all certificates and keys found for TLS."
-	# 	exit 1
-	# fi
-	
 	# Use the original slapd.conf file
 	cp /etc/openldap/slapd.conf /tmp/slapd.conf
 	
 	# Set the correct suffix
-	#sed -i -e "s/dc=my-domain,dc=com/${SUFFIX}/g" /tmp/slapd.conf
-	#sed -i -e "/core.schema/a include\t\t/etc/openldap/schema/cosine.schema" /tmp/slapd.conf
-	#sed -i -e "/cosine.schema/a include\t\t/etc/openldap/schema/inetorgperson.schema" /tmp/slapd.conf
+	sed -i -e "s/dc=my-domain,dc=com/${SUFFIX}/g" /tmp/slapd.conf
+
+	# Add more schemas
+	sed -i -e "/core.schema/a include\t\t/etc/openldap/schema/cosine.schema" /tmp/slapd.conf
+	sed -i -e "/cosine.schema/a include\t\t/etc/openldap/schema/inetorgperson.schema" /tmp/slapd.conf
 	
-	# Add configuration for TLS and set root password for config database.
 	cat <<-EOF >> /tmp/slapd.conf
 	
-	#TLSCACertificateFile ${SSL_PATH}/slurm.ch-rootCA.crt
-	#TLSCertificateFile ${SSL_PATH}/ldap.slurm.ch.crt
-	#TLSCertificateKeyFile ${SSL_PATH}/ldap.slurm.ch.key
-	#TLSCipherSuite HIGH:-SSLv2:-SSLv3
-
 #######################################################################
 # Dynamic config
 #######################################################################
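Review bot: The new `sed -i -e "s/dc=my-domain,dc=com/${SUFFIX}/g" /tmp/slapd.conf` in the second hunk substitutes `${SUFFIX}` unchecked: if the variable is unset the generated slapd.conf gets an empty suffix, and a `/` in the value terminates the sed expression early. Guard it with `: "${SUFFIX:?SUFFIX must be set}"` before the `cp` and use a delimiter that cannot occur in a DN, `sed -i -e "s|dc=my-domain,dc=com|${SUFFIX}|g" /tmp/slapd.conf`. In the first hunk `exec &> $ENTRYLOG` is a bash extension under a `#!/bin/sh` shebang (busybox ash appears to accept it, but the portable form is `exec >"$ENTRYLOG" 2>&1`), and redirecting everything to a file inside the container means `docker logs` shows nothing from slapd. The `if [ ! -d '/etc/openldap/slapd.d/cn=config' ]` block enclosing the second hunk starts before it and ends after it.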

+ 11 - 0
ldifs/database.ldif

@@ -0,0 +1,11 @@
+dn: olcDatabase={1}hdb,cn=config
+changeType: modify
+replace: olcDbConfig
+olcDbConfig: {0}set_cachesize 0 2097152 0
+olcDbConfig: {1}set_lk_max_objects 1500
+olcDbConfig: {2}set_lk_max_locks 1500
+olcDbConfig: {3}set_lk_max_lockers 1500
+olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
+-
+replace: olcRootPW
+olcRootPW: {{LDAP_ADMIN_HASH}}
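Review bot: `dn: olcDatabase={1}hdb,cn=config` addresses an hdb backend, but the Dockerfile in this commit installs only `openldap-back-mdb`, so the database entry is most likely `olcDatabase={1}mdb` and this modify would fail with noSuchObject; the same DN is reused in indices.ldif and krb_indices.ldif. The `olcDbConfig` values (`set_cachesize`, `set_lk_max_*`, `DB_LOG_AUTOREMOVE`) are Berkeley DB tuning that an mdb database does not use, so with mdb the first modify is meaningless and only the `replace: olcRootPW` part is needed. Check the actual database entry under `/etc/openldap/slapd.d/cn=config` of a built image before settling the DN in all three files.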

+ 6 - 0
ldifs/indices.ldif

@@ -0,0 +1,6 @@
+dn: olcDatabase={1}hdb,cn=config
+add: olcDbIndex
+olcDbIndex: cn eq,pres
+olcDbIndex: uid eq,pres
+olcDbIndex: uidNumber eq,pres
+olcDbIndex: gidNumber eq,pres
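Review bot: This file lacks the `changetype: modify` line that database.ldif carries after its dn; ldapmodify defaults to modify without it, but ldapadd (or ldapmodify -a) would treat the record as a new entry and fail, so add `changetype: modify` for consistency with the other files. The `{1}hdb` DN has the same backend question raised on database.ldif.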

+ 9 - 0
ldifs/krb_indices.ldif

@@ -0,0 +1,9 @@
+dn: oclDatabase={1}hdb,cn=config
+replace: olcAccess
+olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="krb-admin,{{LDAP_ROOT}}" write by anonymous auth by self write by * none
+-
+add: olcAccess
+olcAccess: to dn.base="" by * read
+-
+add: olcAccess
+olcAccess: to * by dn="cn=krb-admin,{{LDAP_ROOT}}" write by * read
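Review bot: `dn: oclDatabase={1}hdb,cn=config` misspells `olcDatabase`, so slapd reports noSuchObject and none of these ACLs are applied. In the first olcAccess the subject `dn="krb-admin,{{LDAP_ROOT}}"` is missing its `cn=` RDN, so the clause never matches and krb-admin could not write principal keys; the corrected line is `olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=krb-admin,{{LDAP_ROOT}}" write by anonymous auth by self write by * none`, matching the third rule and krb_structure.ldif. Like indices.ldif this record has no `changetype: modify`, and since it holds access rules rather than indices a name such as `krb_access.ldif` would say what it does.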

+ 13 - 0
ldifs/krb_structure.ldif

@@ -0,0 +1,13 @@
+dn: cn=krb-admin,{{LDAP_ROOT}}
+cn: krb-admin
+objectClass: organizationalRole
+objectClass: simpleSecurityObject
+userPassword: {{LDAP_KRBADMIN_HASH}}
+
+dn: ou=group,{{LDAP_ROOT}}
+objectClass: organizationalUnit
+ou: groups
+
+dn: ou=users,{{LDAP_ROOT}}
+objectClass: organizationalUnit
+ou: users
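Review bot: The second entry's RDN is `ou=group` but its attribute is `ou: groups`; slapd rejects an add whose naming attribute value is absent from the entry (naming violation), so the file stops loading at that record. Either change the attribute to `ou: group` or the DN to `dn: ou=groups,{{LDAP_ROOT}}`, whichever convention the rest of the tree (`ou=users`) is meant to follow.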

+ 4 - 0
ldifs/loglevel.ldif

@@ -0,0 +1,4 @@
+dn: cn=config
+changeType: modify
+replace: olcLogLevel
+olcLogLevel: stats

+ 10 - 0
ldifs/tls.ldif

@@ -0,0 +1,10 @@
+dn: cn=config
+changeType: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ssl/certs/{{CA_CERT}}
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ssl/certs/{{LDAP_TLS_CERT}}
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ssl/certs/{{LDAP_TLS_KEY}}
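Review bot: `olcTLSCertificateKeyFile: /etc/ssl/certs/{{LDAP_TLS_KEY}}` places the private key in the public certificate directory; keep it under a root-only path such as `/etc/ssl/private/{{LDAP_TLS_KEY}}`, readable by the slapd user only, consistent with the `chmod 0640` the new gen_certs.sh applies to it. The three `add:` operations fail with "attribute or value exists" on a second run; `replace:` is idempotent and equivalent on first use. The `TLSCipherSuite HIGH:-SSLv2:-SSLv3` line removed from entrypoint.sh in this commit has no counterpart here, so the cn=config TLS setup falls back to library defaults; consider adding `olcTLSCipherSuite` in the same modify.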

+ 63 - 0
scripts/gen_certs.sh

@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# Set the variables
+SERVER=${SERVER:-`hostname --fqdn`}
+DOMAIN=${SERVER#*.}
+LDAP_ROOT=""
+IFS="."
+for DC in $DOMAIN
+do
+  LDAP_ROOT="${LDAP_ROOT},dc=$DC"
+done
+LDAP_ROOT="${LDAP_ROOT#,}"
+echo -e "
+\nServer:    $SERVER
+\nDomain:    $DOMAIN
+\nLDAP Root: $LDAP_ROOT
+"
+
+# Setup TLS certificate (self-signed) for LDAP
+
+CA_KEY=certs/CAself-key.pem
+CA_INFO=certs=certs/CAself.info
+CA_CERT=certs/CAself-cert.pem
+
+certtool --generate-privkey > $CA_KEY
+cat > $CA_INFO <<EOF
+cn = $DOMAIN
+ca
+cert_signing_key
+expiration_days = 8000
+EOF
+certtool \
+  --generate-self-signed \
+  --load-privkey $CA_KEY \
+  --template $CA_INFO \
+  --outfile $CA_CERT
+chmod 0640 $CA_KEY
+
+
+# Generate private key for LDAP service
+
+LDAP_TLS_KEY=certs/$SERVER_slapd_key.pem
+LDAP_TLS_INFO=certs/$SERVER.info
+LDAP_TLS_CERT=certs/$SERVER_slapd_cert.pem
+
+certtool --generate-privkey > $LDAP_TLS_KEY
+cat > $LDAP_TLS_INFO <<EOF
+organization = $DOMAIN
+cn = $SERVER
+tls_www_server
+encryption_key
+signing_key
+expiration_days = 8000
+EOF
+certtool \
+  --generate-certificate \
+  --load-privkey $LDAP_TLS_KEY \
+  --load-ca-certificate $CA_CERT \
+  --load-ca-privkey $CA_KEY \
+  --template $LDAP_TLS_INFO \
+  --outfile $LDAP_TLS_CERT
+chmod 0640 $LDAP_TLS_KEY
+
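Review bot: `CA_INFO=certs=certs/CAself.info` assigns the literal path `certs=certs/CAself.info`, and `certs/$SERVER_slapd_key.pem` / `certs/$SERVER_slapd_cert.pem` expand the undefined variables `SERVER_slapd_key` / `SERVER_slapd_cert`, so both server key and certificate land in `certs/.pem`. `IFS="."` set for the dc= loop is never restored, so every later unquoted expansion such as `--load-privkey $CA_KEY` is split at the dot into two arguments. Private keys are written by `certtool --generate-privkey > $CA_KEY` with the caller's umask and only tightened by the later `chmod 0640`, so they are briefly world-readable; setting `umask 077` first avoids that. `hostname --fqdn` is a GNU long option; busybox hostname on Alpine only takes `-f`, which GNU accepts too. The rewrite below fixes these and leaves the certtool invocations as they are.
```shell
#!/bin/sh
set -eu
umask 077                               # keys are private from creation; no chmod race

SERVER=${SERVER:-$(hostname -f)}        # -f works on both GNU and busybox hostname
DOMAIN=${SERVER#*.}
LDAP_ROOT=""
OLD_IFS=$IFS
IFS="."
for DC in $DOMAIN
do
  LDAP_ROOT="${LDAP_ROOT},dc=$DC"
done
IFS=$OLD_IFS                            # restore, or later unquoted expansions split on '.'
LDAP_ROOT="${LDAP_ROOT#,}"
# … unchanged: banner echo …

mkdir -p certs
CA_KEY=certs/CAself-key.pem
CA_INFO=certs/CAself.info
CA_CERT=certs/CAself-cert.pem
# … unchanged: CA key/certificate generation …

LDAP_TLS_KEY="certs/${SERVER}_slapd_key.pem"
LDAP_TLS_INFO="certs/${SERVER}.info"
LDAP_TLS_CERT="certs/${SERVER}_slapd_cert.pem"
# … unchanged: server key/certificate generation …
```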

+ 10 - 0
scripts/gen_slapd_pw.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Generate a random password
+LDAP_ADMIN_PW=$(pwgen -s 10 1)
+echo -n "$LDAP_ADMIN_PW" > ldap_admin_pw.txt
+chmod 0600 ldap_admin_pw.txt
+LDAP_ADMIN_HASH=$(slappasswd -h '{SHA}' -T ldap_admin_pw.txt)
+echo LDAP admin password: $LDAP_ADMIN_PW >> passwords.txt
+
+chmod 600 passwords.txt
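Review bot: `LDAP_ADMIN_HASH` is computed on the `slappasswd` line but never printed, exported or written anywhere, so the value is lost when the script exits; presumably it is meant to fill `{{LDAP_ADMIN_HASH}}` in ldifs/database.ldif, e.g. `echo "$LDAP_ADMIN_HASH" > ldap_admin_hash.txt`. `-h '{SHA}'` selects unsalted SHA-1; slappasswd's default `{SSHA}` is salted and equally accepted by slapd, so `LDAP_ADMIN_HASH=$(slappasswd -h '{SSHA}' -T ldap_admin_pw.txt)`. Both `ldap_admin_pw.txt` and `passwords.txt` are created with the caller's umask and only restricted afterwards; start the script with `umask 077` so the cleartext is never world-readable. Note that `passwords.txt` is appended with `>>`, so it accumulates every admin password ever generated.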