
removed scripts from server, ready for TLS

Tomi Cvetic il y a 5 ans
Parent
commit
f0e8b84dda
5 fichiers modifiés avec 33 ajouts et 144 suppressions
  1. 7 5
      Dockerfile
  2. 0 23
      docker-compose.yml
  3. 26 30
      entrypoint.sh
  4. 0 76
      scripts/gen_certs.sh
  5. 0 10
      scripts/gen_slapd_pw.sh

+ 7 - 5
Dockerfile

@@ -4,9 +4,9 @@ FROM alpine:latest
 # http://www.openldap.org/doc/admin24/guide.html
 
 # Define env variables
-ENV DOMAIN        "example.com"
-ENV ORGANIZATION  "Example Org."
-ENV SUFFIX        "dc=example,dc=org"
+ENV DOMAIN        example
+ENV LDAPROOT      dc=example,dc=org
+ENV ORGANIZATION  Example Org.
 ENV DEBUG         1
 ENV USER          ldap
 ENV GROUP         ldap
@@ -21,7 +21,9 @@ RUN apk add --update --no-cache \
   openldap-back-mdb
 
 RUN mkdir /run/openldap && \
-    chown ${USER}:${GROUP} /run/openldap
+  chown ${USER}:${GROUP} /run/openldap
+
+RUN echo "TLS_CACERT /etc/ssl/certs/ca_server.pem" >> /etc/openldap/ldap.conf
 
 COPY ./entrypoint.sh /entrypoint.sh
 
@@ -29,4 +31,4 @@ CMD /entrypoint.sh
 
 EXPOSE 389
 
-VOLUME /etc/openldap/slapd.d /var/backups /var/restore /var/ldifs /scripts /var/lib/openldap
+VOLUME /etc/openldap/slapd.d /var/lib/openldap /var/backups /var/restore /var/ldifs /scripts 
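Review bot: `EXPOSE 389` (context just above the last hunk) no longer matches what the image runs: the same commit switches the entrypoint to `slapd -h "ldaps:/// ldapi:///"`, so the only TCP listener is 636 and 389 is never bound; change it to `EXPOSE 636`. The new `RUN echo "TLS_CACERT /etc/ssl/certs/ca_server.pem" >> /etc/openldap/ldap.conf` only sets the trust anchor for the ldap* client tools inside the container — it does nothing for slapd's own listener, which needs olcTLSCertificateFile/olcTLSCertificateKeyFile in cn=config — and nothing in this Dockerfile copies or mounts a file at that path, so the name is only right if a later step provides it; a comment would help: `# trust anchor for ldapsearch/ldapmodify inside the container; slapd's own cert/key come from olcTLS* in cn=config`. The rewritten ENV lines use the deprecated space-separated form; `ENV DOMAIN=example`, `ENV LDAPROOT=dc=example,dc=org` and `ENV ORGANIZATION="Example Org."` is the key=value form build checks expect, and note that DOMAIN=example no longer corresponds to the dc=example,dc=org root.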

+ 0 - 23
docker-compose.yml

@@ -1,23 +0,0 @@
-version: "3"
-
-services:
-  ldap-server:
-    build: .
-    container_name: ldap-server
-    #image: ldap-server
-    #restart: always
-    ports:
-      - "127.0.0.1:389:389"
-      - "636:636"
-    environment: 
-      - DOMAIN="slurm.ch"
-      - ORGANIZATION="Slurm - It's addictive!"
-      - SUFFIX="dc=slurm,dc=ch"
-    volumes: 
-      - ./scripts:/scripts
-      - ./ldifs:/var/ldifs
-      - ./backups:/var/backups
-      - ./restore:/var/restore
-      - ./certs:/etc/ssl/certs
-      - /etc/openldap/slapd.d
-      - /var/lib/openldap

+ 26 - 30
entrypoint.sh

@@ -11,6 +11,14 @@ ulimit -n 8192
 # Take the original slapd.ldif file as template.
 if [ ! -d '/etc/openldap/slapd.d/cn=config' ]; then
 
+	echo "Didn't find a config, creating a new one."
+	SETUPDIR=/root/ldap-setup/
+	DATETIME=$(date +%Y%m%d%H%M%S)
+	ROOT_LDIF=${SETUPDIR}/slapd.ldif
+
+	mkdir -p ${SETUPDIR}
+	chmod 700 ${SETUPDIR}
+
 	# Create the run directory
 	if [ ! -d /var/lib/openldap/run ]; then
 		mkdir -p /var/lib/openldap/run
@@ -18,64 +26,52 @@ if [ ! -d '/etc/openldap/slapd.d/cn=config' ]; then
 	fi
 
 	# Use the original slapd.conf file as template
-	cp /etc/openldap/slapd.ldif /tmp/slapd.ldif
+	cp /etc/openldap/slapd.ldif ${ROOT_LDIF}
 	
 	# Set the correct suffix
 	# https://www.openldap.org/doc/admin24/quickstart.html 
 	# Point 8ff
-	sed -i "s/dc=my-domain,dc=com/${SUFFIX}/g" /tmp/slapd.ldif
+	sed -i "s/dc=my-domain,dc=com/${LDAPROOT}/g" ${ROOT_LDIF}
 	# Set the root password for the database
-	sed -i "s|olcRootPW: secret|olcRootPW: ${LDAP_ROOT_HASH}|" /tmp/slapd.ldif
+	sed -i "s|olcRootPW: secret|olcRootPW: ${LDAP_ROOT_HASH}|" ${ROOT_LDIF}
 	# Remove those newlines, or slapadd will fail to initialize the DB.
-	sed -i '/^olcRootDN/ {n; s/^[[:blank:]]*$/#/}' /tmp/slapd.ldif 
-	sed -i '/^olcRootPW/ {n; s/^[[:blank:]]*$/#/}' /tmp/slapd.ldif 
-	sed -i '/^olcDbDirectory/ {n; s/^[[:blank:]]*$/#/}' /tmp/slapd.ldif
+	sed -i '/^olcRootDN/ {n; s/^[[:blank:]]*$/#/}' ${ROOT_LDIF} 
+	sed -i '/^olcRootPW/ {n; s/^[[:blank:]]*$/#/}' ${ROOT_LDIF} 
+	sed -i '/^olcDbDirectory/ {n; s/^[[:blank:]]*$/#/}' ${ROOT_LDIF}
 	# Set up authentication patterns for -Y EXTERNAL over ldapi:/// (SASL).
-	#sed -i "/^olcSuffix: ${SUFFIX}/a olcAccess: to * by * read" /tmp/slapd.ldif
-	#sed -i "/^olcSuffix: ${SUFFIX}/a olcAccess: to attrs=userPassword by self write by anonymous auth by * none" /tmp/slapd.ldif
-	#sed -i "/^olcSuffix: ${SUFFIX}/a olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break" /tmp/slapd.ldif
+	sed -i "/^olcRootDN: cn=Manager,${LDAPROOT}/a olcAccess: to * by * read" ${ROOT_LDIF}
+	sed -i "/^olcRootDN: cn=Manager,${LDAPROOT}/a olcAccess: to attrs=userPassword by self write by anonymous auth by * none" ${ROOT_LDIF}
+	sed -i "/^olcRootDN: cn=Manager,${LDAPROOT}/a olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break" ${ROOT_LDIF}
 
 	# Add more schemas
-	sed -i "/core.ldif/a include: file:///etc/openldap/schema/cosine.ldif" /tmp/slapd.ldif
-	sed -i "/cosine.ldif/a include: file:///etc/openldap/schema/inetorgperson.ldif" /tmp/slapd.ldif
+	sed -i "/core.ldif/a include: file:///etc/openldap/schema/cosine.ldif" ${ROOT_LDIF}
+	sed -i "/cosine.ldif/a include: file:///etc/openldap/schema/inetorgperson.ldif" ${ROOT_LDIF}
 
 	# Create config admin to allow binding to config database.
 	# https://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Example
 	# Lines 21ff
-	sed -i "/^############/d" /tmp/slapd.ldif
+	sed -i "/^############/d" ${ROOT_LDIF}
 	sed -i "/^# LMDB/i \
 # Config settings\n\
 #\n\
 dn: olcDatabase=config,cn=config\n\
 objectClass: olcDatabaseConfig\n\
 olcDatabase: config\n\
-# Don't allow access to cn=config with password, only over SASL via -Y EXTERNAL ldapi:///
-#olcRootPW: ${LDAP_ADMIN_HASH}\n\
+# Don't allow access to cn=config with password, only over SASL via -Y EXTERNAL ldapi:///\n\
 olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break\n\
 olcAccess: to * by * none\n\
-" /tmp/slapd.ldif
+" ${ROOT_LDIF}
 	
 	# Generate config database from slapd.conf file.
-	echo Generating configuration
-	slapadd -n 0 -F /etc/openldap/slapd.d -l /tmp/slapd.ldif
+	echo "Adding configuration to LDAP database."
+	slapadd -n 0 -F /etc/openldap/slapd.d -l ${ROOT_LDIF}
 
 	# Copy the generated slapd.ldif to the ldifs mount.
-	cp /tmp/slapd.ldif /var/ldifs
-
-	# if [ -f /etc/ssl/certs/sourceme ]; then
-	# 	cp /var/ldifs/tls.ldif /tmp/tls.ldif
-	# 	source /etc/ssl/certs/sourceme
-	# 	sed -i -e "s#{{CA_CERT}}#${CA_CERT}#g" /tmp/tls.ldif
-	# 	sed -i -e "s#{{LDAP_TLS_CERT}}#${LDAP_TLS_CERT}#g" /tmp/tls.ldif
-	# 	sed -i -e "s#{{LDAP_TLS_KEY}}#${LDAP_TLS_KEY}#g" /tmp/tls.ldif
-
-	# 	echo Adding TLS certificates to configuration
-	# 	slapadd -n 0 -F /etc/openldap/slapd.d -l /tmp/tls.ldif
-	# fi
+	cp ${ROOT_LDIF} /scripts
 
 	# Set all ownerships straight.
 	chown -R ${USER}:${GROUP} /etc/openldap/slapd.d
 fi
 
 echo Starting slapd
-exec /usr/sbin/slapd -u ${USER} -g ${GROUP} -d ${DEBUG} -h "ldap:/// ldapi:///" -F /etc/openldap/slapd.d
+exec /usr/sbin/slapd -u ${USER} -g ${GROUP} -d ${DEBUG} -h "ldaps:/// ldapi:///" -F /etc/openldap/slapd.d
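Review bot: The final `exec /usr/sbin/slapd ... -h "ldaps:/// ldapi:///"` turns on a TLS listener, but the config this hunk generates sets no olcTLSCertificateFile/olcTLSCertificateKeyFile (the old tls.ldif step is removed here), so on a fresh container slapd will most likely fail TLS context initialisation and exit instead of serving ldaps://; either keep `ldap:///` in the listener list until the olcTLS* attributes are added, or add them to `${ROOT_LDIF}` before the `slapadd`. `${LDAP_ROOT_HASH}` is substituted into `olcRootPW:` with no check that it is set — the Dockerfile and the deleted docker-compose.yml/gen_slapd_pw.sh no longer provide it — so an unset variable produces a database with an empty olcRootPW value; add `: "${LDAP_ROOT_HASH:?LDAP_ROOT_HASH (slappasswd hash) must be set}"` before that sed. The generated LDIF containing that hash is then copied with `cp ${ROOT_LDIF} /scripts` into a mounted volume with default permissions, unlike `${SETUPDIR}` which is chmod 700; use `install -m 600 ${ROOT_LDIF} /scripts/` and fix the comment above it, which still says "to the ldifs mount". `DATETIME` is assigned at the top of the hunk and never used, and the `if` block enclosing all of this starts before the hunk.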

+ 0 - 76
scripts/gen_certs.sh

@@ -1,76 +0,0 @@
-#!/bin/sh
-
-# Set the variables
-
-SERVER=${SERVER:-`hostname --fqdn`}
-DOMAIN=${SERVER#*.}
-LDAP_ROOT=""
-IFS="."
-for DC in ${DOMAIN}
-do
-  LDAP_ROOT="${LDAP_ROOT},dc=${DC}"
-done
-LDAP_ROOT="${LDAP_ROOT#,}"
-echo -e "
-\nServer:    ${SERVER}
-\nDomain:    ${DOMAIN}
-\nLDAP Root: ${LDAP_ROOT}
-"
-
-# Setup TLS certificate (self-signed) for LDAP
-
-if [ ! -d 'certs' ]
-then
-  mkdir certs
-fi
-CA_KEY="certs/CAself-key.pem"
-CA_INFO="certs/CAself.info"
-CA_CERT="certs/CAself-cert.pem"
-
-certtool --generate-privkey > "${CA_KEY}"
-cat > "${CA_INFO}" <<EOF
-cn = ${DOMAIN}
-ca
-cert_signing_key
-expiration_days = 8000
-EOF
-certtool \
-  --generate-self-signed \
-  --load-privkey "${CA_KEY}" \
-  --template "${CA_INFO}" \
-  --outfile "${CA_CERT}"
-chmod 0640 "${CA_KEY}"
-
-
-# Generate private key for LDAP service
-
-LDAP_TLS_KEY="certs/${SERVER}_slapd_key.pem"
-LDAP_TLS_INFO="certs/${SERVER}.info"
-LDAP_TLS_CERT="certs/${SERVER}_slapd_cert.pem"
-
-certtool --generate-privkey > "${LDAP_TLS_KEY}"
-cat > "${LDAP_TLS_INFO}" <<EOF
-organization = ${DOMAIN}
-cn = ${SERVER}
-tls_www_server
-encryption_key
-signing_key
-expiration_days = 8000
-EOF
-certtool \
-  --generate-certificate \
-  --load-privkey "${LDAP_TLS_KEY}" \
-  --load-ca-certificate "${CA_CERT}" \
-  --load-ca-privkey "${CA_KEY}" \
-  --template "${LDAP_TLS_INFO}" \
-  --outfile "${LDAP_TLS_CERT}"
-chmod 0640 "${LDAP_TLS_KEY}"
-
-cat > "certs/sourceme" <<EOF
-CA_KEY="certs/CAself-key.pem"
-CA_INFO="certs/CAself.info"
-CA_CERT="certs/CAself-cert.pem"
-LDAP_TLS_KEY="certs/${SERVER}_slapd_key.pem"
-LDAP_TLS_INFO="certs/${SERVER}.info"
-LDAP_TLS_CERT="certs/${SERVER}_slapd_cert.pem"
-EOF

+ 0 - 10
scripts/gen_slapd_pw.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-# Generate a random password
-LDAP_ADMIN_PW=$(pwgen -s 10 1)
-echo -n "$LDAP_ADMIN_PW" > ldap_admin_pw.txt
-chmod 0600 ldap_admin_pw.txt
-LDAP_ADMIN_HASH=$(slappasswd -h '{SHA}' -T ldap_admin_pw.txt)
-echo LDAP admin password: $LDAP_ADMIN_PW >> passwords.txt
-
-chmod 600 passwords.txt