tomi
/
ldap-server


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081
							#!/bin/sh

# The setup follows the OpenLDAP admin guide on 
# http://www.openldap.org/doc/admin24/guide.html

# When not limiting the open file descriptors, the memory consumption
# of slapd is absurdly high. See https://github.com/docker/docker/issues/8231
ulimit -n 8192

# If there's no cn=config database, initialize one.
# Take the original slapd.ldif file as template.
if [ ! -d '/etc/openldap/slapd.d/cn=config' ]; then

	# Create the run directory
	if [ ! -d /var/lib/openldap/run ]; then
		mkdir -p /var/lib/openldap/run
		chown -R ${USER}:${GROUP} /var/lib/openldap/run
	fi

	# Use the original slapd.conf file as template
	cp /etc/openldap/slapd.ldif /tmp/slapd.ldif
	
	# Set the correct suffix
	# https://www.openldap.org/doc/admin24/quickstart.html 
	# Point 8ff
	sed -i "s/dc=my-domain,dc=com/${SUFFIX}/g" /tmp/slapd.ldif
	# Set the root password for the database
	sed -i "s|olcRootPW: secret|olcRootPW: ${LDAP_ROOT_HASH}|" /tmp/slapd.ldif
	# Remove those newlines, or slapadd will fail to initialize the DB.
	sed -i '/^olcRootDN/ {n; s/^[[:blank:]]*$/#/}' /tmp/slapd.ldif 
	sed -i '/^olcRootPW/ {n; s/^[[:blank:]]*$/#/}' /tmp/slapd.ldif 
	sed -i '/^olcDbDirectory/ {n; s/^[[:blank:]]*$/#/}' /tmp/slapd.ldif
	# Set up authentication patterns for -Y EXTERNAL over ldapi:/// (SASL).
	#sed -i "/^olcSuffix: ${SUFFIX}/a olcAccess: to * by * read" /tmp/slapd.ldif
	#sed -i "/^olcSuffix: ${SUFFIX}/a olcAccess: to attrs=userPassword by self write by anonymous auth by * none" /tmp/slapd.ldif
	#sed -i "/^olcSuffix: ${SUFFIX}/a olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break" /tmp/slapd.ldif

	# Add more schemas
	sed -i "/core.ldif/a include: file:///etc/openldap/schema/cosine.ldif" /tmp/slapd.ldif
	sed -i "/cosine.ldif/a include: file:///etc/openldap/schema/inetorgperson.ldif" /tmp/slapd.ldif

	# Create config admin to allow binding to config database.
	# https://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Example
	# Lines 21ff
	sed -i "/^############/d" /tmp/slapd.ldif
	sed -i "/^# LMDB/i \
# Config settings\n\
#\n\
dn: olcDatabase=config,cn=config\n\
objectClass: olcDatabaseConfig\n\
olcDatabase: config\n\
# Don't allow access to cn=config with password, only over SASL via -Y EXTERNAL ldapi:///
#olcRootPW: ${LDAP_ADMIN_HASH}\n\
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break\n\
olcAccess: to * by * none\n\
" /tmp/slapd.ldif
	
	# Generate config database from slapd.conf file.
	echo Generating configuration
	slapadd -n 0 -F /etc/openldap/slapd.d -l /tmp/slapd.ldif

	# Copy the generated slapd.ldif to the ldifs mount.
	cp /tmp/slapd.ldif /var/ldifs

	# if [ -f /etc/ssl/certs/sourceme ]; then
	# 	cp /var/ldifs/tls.ldif /tmp/tls.ldif
	# 	source /etc/ssl/certs/sourceme
	# 	sed -i -e "s#{{CA_CERT}}#${CA_CERT}#g" /tmp/tls.ldif
	# 	sed -i -e "s#{{LDAP_TLS_CERT}}#${LDAP_TLS_CERT}#g" /tmp/tls.ldif
	# 	sed -i -e "s#{{LDAP_TLS_KEY}}#${LDAP_TLS_KEY}#g" /tmp/tls.ldif

	# 	echo Adding TLS certificates to configuration
	# 	slapadd -n 0 -F /etc/openldap/slapd.d -l /tmp/tls.ldif
	# fi

	# Set all ownerships straight.
	chown -R ${USER}:${GROUP} /etc/openldap/slapd.d
fi

echo Starting slapd
exec /usr/sbin/slapd -u ${USER} -g ${GROUP} -d ${DEBUG} -h "ldap:/// ldapi:///" -F /etc/openldap/slapd.d