Merge branch 'lj020326-feature-enable-runtime-uidgid' into release-1.4.0
diff --git a/README.md b/README.md
index 9269020..78837f3 100644
--- a/README.md
+++ b/README.md
@@ -367,6 +367,8 @@
 - **LDAP_SSL_HELPER_PREFIX**: ssl-helper environment variables prefix. Defaults to `ldap`, ssl-helper first search config from LDAP_SSL_HELPER_* variables, before SSL_HELPER_* variables.
 - **HOSTNAME**: set the hostname of the running openldap server. Defaults to whatever docker creates.
 - **DISABLE_CHOWN**: do not perform any chown to fix file ownership. Defaults to `false`
+- LDAP_OPENLDAP_UID: runtime docker user uid to run container as
+- LDAP_OPENLDAP_GID: runtime docker user gid to run container as
 
 
 ### Set your own environment variables
diff --git a/image/Dockerfile b/image/Dockerfile
index 029d7e1..9ecd974 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -10,8 +10,8 @@
 
 # Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
 # If explicit uid or gid is given, use it.
-RUN if [ -z "${LDAP_OPENLDAP_GID}" ]; then groupadd -r openldap; else groupadd -r -g ${LDAP_OPENLDAP_GID} openldap; fi \
-    && if [ -z "${LDAP_OPENLDAP_UID}" ]; then useradd -r -g openldap openldap; else useradd -r -g openldap -u ${LDAP_OPENLDAP_UID} openldap; fi
+RUN if [ -z "${LDAP_OPENLDAP_GID}" ]; then groupadd -g 911 -r openldap; else groupadd -r -g ${LDAP_OPENLDAP_GID} openldap; fi \
+    && if [ -z "${LDAP_OPENLDAP_UID}" ]; then useradd -u 911 -r -g openldap openldap; else useradd -r -g openldap -u ${LDAP_OPENLDAP_UID} openldap; fi
 
 # Add buster-backports in preparation for downloading newer openldap components, especially sladp
 RUN echo "deb http://ftp.debian.org/debian buster-backports main" >> /etc/apt/sources.list
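Review bot: The default of 911 on the `groupadd`/`useradd` lines is a build-time value that must agree with the runtime fallback in service/slapd/startup.sh (`LDAP_OPENLDAP_UID=${LDAP_OPENLDAP_UID:-911}`), but nothing ties the two together, so a future change to one silently forces a usermod/groupmod and a recursive chown on every container start. I would pin the coupling in the comment on the preceding line, e.g. `# Default uid/gid 911 must match the runtime default in service/slapd/startup.sh; a mismatch triggers usermod/groupmod + chown -R at every start`. If these variables are declared as `ARG` earlier in the file (not visible in this hunk), giving the ARG a default of 911 and dropping the if/else would keep the value in one place.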
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh
index bc5f716..7182e94 100755
--- a/image/service/slapd/startup.sh
+++ b/image/service/slapd/startup.sh
@@ -56,8 +56,38 @@
 [ -d /var/lib/ldap ] || mkdir -p /var/lib/ldap
 [ -d /etc/ldap/slapd.d ] || mkdir -p /etc/ldap/slapd.d
 
+log-helper info "openldap user and group adjustments"
+LDAP_OPENLDAP_UID=${LDAP_OPENLDAP_UID:-911}
+LDAP_OPENLDAP_GID=${LDAP_OPENLDAP_GID:-911}
+
+log-helper info "get current openldap uid/gid info inside container"
+CUR_USER_GID=`id -g openldap || true`
+CUR_USER_UID=`id -u openldap || true`
+
+LDAP_UIDGID_CHANGED=false
+if [ "$LDAP_OPENLDAP_UID" != "$CUR_USER_UID" ]; then
+    log-helper info "CUR_USER_UID (${CUR_USER_UID}) does't match LDAP_OPENLDAP_UID (${LDAP_OPENLDAP_UID}), adjusting..."
+    usermod -o -u "$LDAP_OPENLDAP_UID" openldap
+    LDAP_UIDGID_CHANGED=true
+fi
+if [ "$LDAP_OPENLDAP_GID" != "$CUR_USER_GID" ]; then
+    log-helper info "CUR_USER_GID (${CUR_USER_GID}) does't match LDAP_OPENLDAP_GID (${LDAP_OPENLDAP_GID}), adjusting..."
+    groupmod -o -g "$LDAP_OPENLDAP_GID" openldap
+    LDAP_UIDGID_CHANGED=true
+fi
+
+log-helper info '-------------------------------------'
+log-helper info 'openldap GID/UID'
+log-helper info '-------------------------------------'
+log-helper info "User uid:    $(id -u openldap)"
+log-helper info "User gid:    $(id -g openldap)"
+log-helper info "uid/gid changed: ${LDAP_UIDGID_CHANGED}"
+log-helper info "-------------------------------------"
+
 # fix file permissions
 if [ "${DISABLE_CHOWN,,}" == "false" ]; then
+  log-helper info "updating file uid/gid ownership"
+  chown -R openldap:openldap /var/run/slapd
   chown -R openldap:openldap /var/lib/ldap
   chown -R openldap:openldap /etc/ldap
   chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
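Review bot: `usermod -o -u "$LDAP_OPENLDAP_UID" openldap` and `groupmod -o -g` accept any value from the environment without validation, and `-o` explicitly permits a non-unique id, so `LDAP_OPENLDAP_UID=0` turns the `openldap` account into root and the `chown -R openldap:openldap` lines below hand the data, config and service directories to uid 0; a non-numeric value makes usermod fail after the "adjusting..." log line, with the outcome depending on whether the script runs under `set -e` (its header is outside the hunk). Reject anything that is not a positive integer before the first `id` call, and consider dropping `-o` unless sharing an id with an existing account is intended. Separately, when the id changes but `DISABLE_CHOWN=true`, files written under the old 911 ids are left unreadable by the new uid; logging a warning in that case (`LDAP_UIDGID_CHANGED` is already computed) would make that failure visible. This is a flat script that continues past the hunk, so the check below is placed right after the defaults.
```shell
LDAP_OPENLDAP_UID=${LDAP_OPENLDAP_UID:-911}
LDAP_OPENLDAP_GID=${LDAP_OPENLDAP_GID:-911}

# Refuse ids that are not positive integers: uid/gid 0 would make the
# openldap account root, and usermod/groupmod reject non-numeric values anyway.
for _id in "$LDAP_OPENLDAP_UID" "$LDAP_OPENLDAP_GID"; do
  if ! [[ "$_id" =~ ^[0-9]+$ ]] || [ "$_id" -eq 0 ]; then
    printf 'LDAP_OPENLDAP_UID/LDAP_OPENLDAP_GID must be a positive integer, got %s\n' "$_id" >&2
    exit 1
  fi
done
unset _id
# … unchanged: id lookup, usermod/groupmod, status log, chown block …
```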