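#!/bin/sh
# Container entrypoint: on first start, generate the cn=config database from
# the stock slapd.ldif template; then run slapd in the foreground.
#
# The setup follows the OpenLDAP admin guide on
# http://www.openldap.org/doc/admin24/guide.html
#
# Required environment:
#   USER, GROUP     - account slapd runs as; also made owner of its directories
#   DEBUG           - slapd debug level, passed to "slapd -d"
#   SUFFIX          - database suffix (replaces dc=my-domain,dc=com), first start only
#   LDAP_ROOT_HASH  - hashed olcRootPW of the data database, first start only
#
# Any failure during configuration aborts the start instead of launching
# slapd against a half-written cn=config.
set -eu

# When not limiting the open file descriptors, the memory consumption
# of slapd is absurdly high. See https://github.com/docker/docker/issues/8231
ulimit -n 8192 || printf 'warning: could not set the open file limit\n' >&2

: "${USER:?USER must be set}"
: "${GROUP:?GROUP must be set}"
: "${DEBUG:?DEBUG must be set (slapd debug level for -d)}"

readonly CONFIG_DIR=/etc/openldap/slapd.d
readonly LDIF_TEMPLATE=/etc/openldap/slapd.ldif
readonly LDIF_EXPORT_DIR=/var/ldifs
readonly RUN_DIR=/var/lib/openldap/run

#######################################
# Escape a value for the replacement side of a sed "s|…|…|" command.
# Backslash, '&' and the '|' delimiter get a leading backslash so the value is
# inserted literally instead of being interpreted by sed.
# Arguments: $1 - value to escape (must not contain newlines)
# Outputs:   escaped value on stdout
#######################################
sed_repl_escape() {
  printf '%s' "$1" | sed -e 's,[\\&|],\\&,g'
}

# If there's no cn=config database, initialize one.
# Take the original slapd.ldif file as template.
if [ ! -d "${CONFIG_DIR}/cn=config" ]; then
  : "${SUFFIX:?SUFFIX must be set for the initial configuration}"
  : "${LDAP_ROOT_HASH:?LDAP_ROOT_HASH must be set for the initial configuration}"

  # Create the run directory
  if [ ! -d "${RUN_DIR}" ]; then
    mkdir -p -- "${RUN_DIR}"
    chown -R -- "${USER}:${GROUP}" "${RUN_DIR}"
  fi

  # Work in a private temporary directory (mktemp -d creates it mode 0700):
  # the LDIF being edited contains the root password hash. It is removed
  # again at the end of this block, or by the trap if something fails first.
  tmp_dir=$(mktemp -d) || exit 1
  trap 'rm -rf -- "${tmp_dir:?}"' EXIT
  work_ldif="${tmp_dir}/slapd.ldif"
  config_entry="${tmp_dir}/config-entry.ldif"

  # Use the original slapd.conf file as template
  cp -- "${LDIF_TEMPLATE}" "${work_ldif}"

  # Set the correct suffix
  # https://www.openldap.org/doc/admin24/quickstart.html
  # Point 8ff
  # The value is escaped so a suffix containing '&', '\' or '|' cannot alter
  # the sed expression.
  suffix_repl=$(sed_repl_escape "${SUFFIX}")
  sed -i "s|dc=my-domain,dc=com|${suffix_repl}|g" "${work_ldif}"

  # Set the root password for the database. Password hashes can contain '&'
  # and '/', hence the escaping and the '|' delimiter.
  root_hash_repl=$(sed_repl_escape "${LDAP_ROOT_HASH}")
  sed -i "s|olcRootPW: secret|olcRootPW: ${root_hash_repl}|" "${work_ldif}"

  # Remove those newlines, or slapadd will fail to initialize the DB.
  # (A blank line ends an LDIF entry, so a blank line directly after these
  # attributes is turned into a comment line instead.)
  sed -i '/^olcRootDN/ {n; s/^[[:blank:]]*$/#/}' "${work_ldif}"
  sed -i '/^olcRootPW/ {n; s/^[[:blank:]]*$/#/}' "${work_ldif}"
  sed -i '/^olcDbDirectory/ {n; s/^[[:blank:]]*$/#/}' "${work_ldif}"

  # Set up authentication patterns for -Y EXTERNAL over ldapi:/// (SASL).
  #sed -i "/^olcSuffix: ${SUFFIX}/a olcAccess: to * by * read" "${work_ldif}"
  #sed -i "/^olcSuffix: ${SUFFIX}/a olcAccess: to attrs=userPassword by self write by anonymous auth by * none" "${work_ldif}"
  #sed -i "/^olcSuffix: ${SUFFIX}/a olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break" "${work_ldif}"

  # Add more schemas
  sed -i "/core.ldif/a include: file:///etc/openldap/schema/cosine.ldif" "${work_ldif}"
  sed -i "/cosine.ldif/a include: file:///etc/openldap/schema/inetorgperson.ldif" "${work_ldif}"

  # Create config admin to allow binding to config database.
  # https://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Example
  # Lines 21ff
  sed -i "/^############/d" "${work_ldif}"

  # The entry is written to its own file and spliced in with awk rather than
  # as a multi-line sed 'i' text: sed implementations differ in how they
  # treat backslash-newline and "\n" inside such text, and a single line
  # without a trailing backslash silently ends it. The trailing blank line
  # terminates the entry before the "# LMDB" block that follows.
  # No password is set on cn=config: it is reachable only via SASL EXTERNAL
  # over ldapi:///, so no credential hash is written into this file.
  cat >"${config_entry}" <<'EOF'
# Config settings
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
# Don't allow access to cn=config with password, only over SASL via -Y EXTERNAL ldapi:///
#olcRootPW: (not set on purpose)
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: to * by * none

EOF
  # Insert the entry before every line starting with "# LMDB", as the
  # previous sed 'i' command did.
  awk -v entry="${config_entry}" '
    /^# LMDB/ {
      while ((getline line < entry) > 0) print line
      close(entry)
    }
    { print }
  ' "${work_ldif}" >"${work_ldif}.new"
  # Copy back via cat so the 0600 mode of the mktemp'd file is kept.
  cat -- "${work_ldif}.new" >"${work_ldif}"
  rm -f -- "${work_ldif}.new"

  # Generate config database from slapd.conf file.
  printf '%s\n' 'Generating configuration'
  slapadd -n 0 -F "${CONFIG_DIR}" -l "${work_ldif}"

  # Copy the generated slapd.ldif to the ldifs mount. It contains the
  # olcRootPW hash, so that mount should not be readable by other users.
  cp -- "${work_ldif}" "${LDIF_EXPORT_DIR}/slapd.ldif"

  # if [ -f /etc/ssl/certs/sourceme ]; then
  #   cp "${LDIF_EXPORT_DIR}/tls.ldif" "${tmp_dir}/tls.ldif"
  #   . /etc/ssl/certs/sourceme
  #   sed -i -e "s#{{CA_CERT}}#${CA_CERT}#g" "${tmp_dir}/tls.ldif"
  #   sed -i -e "s#{{LDAP_TLS_CERT}}#${LDAP_TLS_CERT}#g" "${tmp_dir}/tls.ldif"
  #   sed -i -e "s#{{LDAP_TLS_KEY}}#${LDAP_TLS_KEY}#g" "${tmp_dir}/tls.ldif"
  #   printf '%s\n' 'Adding TLS certificates to configuration'
  #   slapadd -n 0 -F "${CONFIG_DIR}" -l "${tmp_dir}/tls.ldif"
  # fi

  # Set all ownerships straight.
  chown -R -- "${USER}:${GROUP}" "${CONFIG_DIR}"

  # Remove the working copy explicitly: exec below replaces the shell, so the
  # EXIT trap would never run.
  rm -rf -- "${tmp_dir:?}"
  trap - EXIT
fi

printf '%s\n' 'Starting slapd'
exec /usr/sbin/slapd -u "${USER}" -g "${GROUP}" -d "${DEBUG}" \
  -h "ldap:/// ldapi:///" -F "${CONFIG_DIR}"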