| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 |
- #!/bin/sh
- # The setup follows the OpenLDAP admin guide on
- # http://www.openldap.org/doc/admin24/guide.html
- # When not limiting the open file descriptors, the memory consumption
- # of slapd is absurdly high. See https://github.com/docker/docker/issues/8231
- ulimit -n 8192
- # If there's no cn=config database, initialize one.
- # Take the original slapd.ldif file as template.
- if [ ! -d '/etc/openldap/slapd.d/cn=config' ]; then
- echo "Didn't find a config, creating a new one."
- SETUPDIR=/root/ldap-setup/
- DATETIME=$(date +%Y%m%d%H%M%S)
- ROOT_LDIF=${SETUPDIR}/slapd.ldif
- mkdir -p ${SETUPDIR}
- chmod 700 ${SETUPDIR}
- # Create the run directory
- if [ ! -d /var/lib/openldap/run ]; then
- mkdir -p /var/lib/openldap/run
- chown -R ${USER}:${GROUP} /var/lib/openldap/run
- fi
- # Use the original slapd.conf file as template
- cp /etc/openldap/slapd.ldif ${ROOT_LDIF}
-
- # Set the correct suffix
- # https://www.openldap.org/doc/admin24/quickstart.html
- # Point 8ff
- sed -i "s/dc=my-domain,dc=com/${LDAPROOT}/g" ${ROOT_LDIF}
- # Set the root password for the database
- sed -i "s|olcRootPW: secret|olcRootPW: ${LDAP_ROOT_HASH}|" ${ROOT_LDIF}
- # Remove those newlines, or slapadd will fail to initialize the DB.
- sed -i '/^olcRootDN/ {n; s/^[[:blank:]]*$/#/}' ${ROOT_LDIF}
- sed -i '/^olcRootPW/ {n; s/^[[:blank:]]*$/#/}' ${ROOT_LDIF}
- sed -i '/^olcDbDirectory/ {n; s/^[[:blank:]]*$/#/}' ${ROOT_LDIF}
- # Set up authentication patterns for -Y EXTERNAL over ldapi:/// (SASL).
- sed -i "/^olcRootDN: cn=Manager,${LDAPROOT}/a olcAccess: to * by * read" ${ROOT_LDIF}
- sed -i "/^olcRootDN: cn=Manager,${LDAPROOT}/a olcAccess: to attrs=userPassword by self write by anonymous auth by * none" ${ROOT_LDIF}
- sed -i "/^olcRootDN: cn=Manager,${LDAPROOT}/a olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break" ${ROOT_LDIF}
- # Add more schemas
- sed -i "/core.ldif/a include: file:///etc/openldap/schema/cosine.ldif" ${ROOT_LDIF}
- sed -i "/cosine.ldif/a include: file:///etc/openldap/schema/inetorgperson.ldif" ${ROOT_LDIF}
- # Create config admin to allow binding to config database.
- # https://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Example
- # Lines 21ff
- sed -i "/^############/d" ${ROOT_LDIF}
- sed -i "/^# LMDB/i \
- # Config settings\n\
- #\n\
- dn: olcDatabase=config,cn=config\n\
- objectClass: olcDatabaseConfig\n\
- olcDatabase: config\n\
- # Don't allow access to cn=config with password, only over SASL via -Y EXTERNAL ldapi:///\n\
- olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break\n\
- olcAccess: to * by * none\n\
- " ${ROOT_LDIF}
-
- # Generate config database from slapd.conf file.
- echo "Adding configuration to LDAP database."
- slapadd -n 0 -F /etc/openldap/slapd.d -l ${ROOT_LDIF}
- # Copy the generated slapd.ldif to the ldifs mount.
- cp ${ROOT_LDIF} /scripts
- # Set all ownerships straight.
- chown -R ${USER}:${GROUP} /etc/openldap/slapd.d
- fi
- echo Starting slapd
- exec /usr/sbin/slapd -u ${USER} -g ${GROUP} -d ${DEBUG} -h "ldaps:/// ldapi:///" -F /etc/openldap/slapd.d
|
