Merge branch 'lj020326-feature-enable-runtime-uidgid' into release-1.4.0
diff --git a/.gitignore b/.gitignore
index d43f726..aa7b748 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
+.DS_Store
!/.git*
/VOLUMES
diff --git a/README.md b/README.md
index 7d5a9d7..78837f3 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@
- [Data persistence](#data-persistence)
- [Edit your server configuration](#edit-your-server-configuration)
- [Seed ldap database with ldif](#seed-ldap-database-with-ldif)
+ - [Seed from internal path](#seed-from-internal-path)
- [Use an existing ldap database](#use-an-existing-ldap-database)
- [Backup](#backup)
- [Administrate your ldap server](#administrate-your-ldap-server)
@@ -120,6 +121,14 @@
> [https://docs.docker.com/engine/tutorials/dockervolumes/](https://docs.docker.com/engine/tutorials/dockervolumes/)
+#### Firewall issues on RHEL/CentOS
+Docker Engine doesn't work well with firewall-cmd and can cause issues if you're connecting to the LDAP server from another container on the same machine. You can fix this by running:
+```
+$ firewall-cmd --add-port=389/tcp --permanent
+$ firewall-cmd --add-port=636/tcp --permanent
+$ firewall-cmd --reload
+```
+Learn more about this issue at https://github.com/moby/moby/issues/32138
#### Edit your server configuration
@@ -156,6 +165,24 @@
--volume ./ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom \
osixia/openldap:1.3.0 --copy-service
+#### Seed from internal path
+
+This image can load ldif and schema files at startup from an internal path. This is useful if a continuous integration service mounts automatically the working copy (sources) into a docker service, which has a relation to the ci job.
+
+For example: Gitlab is not capable of mounting custom paths into docker services of a ci job, but gitlab automatically mounts the working copy in every service container. So the working copy (sources) are accessible under `/builds` in every services
+of a ci job. The path to the working copy can be obtained via `${CI_PROJECT_DIR}`. See also: https://docs.gitlab.com/runner/executors/docker.html#build-directory-in-service
+
+This may also work with other CI services, if they automatically mount the working directory to the services of a ci job like gitlab ci does.
+
+In order to seed ldif or schema files from internal path you must set the specific environment variable `LDAP_SEED_INTERNAL_LDIF_PATH` and/or `LDAP_SEED_INTERNAL_SCHEMA_PATH`. If set this will copy any *.ldif or *.schema file into the default seeding
+directories of this image.
+
+Example variables defined in gitlab-ci.yml:
+
+ variables:
+ LDAP_SEED_INTERNAL_LDIF_PATH: "${CI_PROJECT_DIR}/docker/openldap/ldif"
+ LDAP_SEED_INTERNAL_SCHEMA_PATH: "${CI_PROJECT_DIR}/docker/openldap/schema"
+
### Use an existing ldap database
This can be achieved by mounting host directories as volume.
diff --git a/example/docker-compose.yml b/example/docker-compose.yml
index f580b37..cde8795 100644
--- a/example/docker-compose.yml
+++ b/example/docker-compose.yml
@@ -22,11 +22,10 @@
LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
LDAP_TLS_ENFORCE: "false"
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
- LDAP_TLS_PROTOCOL_MIN: "3.1"
LDAP_TLS_VERIFY_CLIENT: "demand"
LDAP_REPLICATION: "false"
- #LDAP_REPLICATION_CONFIG_SYNCPROV: "binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical"
- #LDAP_REPLICATION_DB_SYNCPROV: "binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical"
+ #LDAP_REPLICATION_CONFIG_SYNCPROV: "binddn="cn=admin,cn=config" bindmethod=simple credentials=$$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical"
+ #LDAP_REPLICATION_DB_SYNCPROV: "binddn="cn=admin,$$LDAP_BASE_DN" bindmethod=simple credentials=$$LDAP_ADMIN_PASSWORD searchbase="$$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical"
#LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
@@ -40,8 +39,11 @@
ports:
- "389:389"
- "636:636"
- domainname: "example.org" # important: same as hostname
- hostname: "example.org"
+ # For replication to work correctly, domainname and hostname must be
+ # set correctly so that "hostname"."domainname" equates to the
+ # fully-qualified domain name for the host.
+ domainname: "example.org"
+ hostname: "ldap-server"
phpldapadmin:
image: osixia/phpldapadmin:latest
container_name: phpldapadmin
diff --git a/image/Dockerfile b/image/Dockerfile
index 925c3c9..9ecd974 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -33,11 +33,13 @@
libsasl2-modules-sql \
openssl \
slapd \
+ slapd-contrib \
krb5-kdc-ldap \
&& curl -o pqchecker.deb -SL http://www.meddeb.net/pub/pqchecker/deb/8/pqchecker_${PQCHECKER_VERSION}_amd64.deb \
&& echo "${PQCHECKER_MD5} *pqchecker.deb" | md5sum -c - \
&& dpkg -i pqchecker.deb \
&& rm pqchecker.deb \
+ && update-ca-certificates \
&& apt-get remove -y --purge --auto-remove curl ca-certificates \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/image/environment/default.startup.yaml b/image/environment/default.startup.yaml
index 1036a08..f2acf5c 100644
--- a/image/environment/default.startup.yaml
+++ b/image/environment/default.startup.yaml
@@ -61,3 +61,7 @@
LDAP_SSL_HELPER_PREFIX: ldap # ssl-helper first search config from LDAP_SSL_HELPER_* variables, before SSL_HELPER_* variables.
SSL_HELPER_AUTO_RENEW_SERVICES_IMPACTED: slapd
+
+# Internal seeding. For example, for services in Gitlab CI.
+LDAP_SEED_INTERNAL_LDIF_PATH:
+LDAP_SEED_INTERNAL_SCHEMA_PATH:
\ No newline at end of file
diff --git a/image/environment/default.yaml b/image/environment/default.yaml
index 0eb9b71..5cef81e 100644
--- a/image/environment/default.yaml
+++ b/image/environment/default.yaml
@@ -13,4 +13,8 @@
LDAP_NOFILE: 1024
# Do not perform any chown to fix file ownership
-DISABLE_CHOWN: false
\ No newline at end of file
+DISABLE_CHOWN: false
+
+# Default port to bind slapd
+LDAP_PORT: 389
+LDAPS_PORT: 636
\ No newline at end of file
diff --git a/image/service/slapd/assets/config/bootstrap/ldif/02-security.ldif b/image/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
index 3a3a458..a04e686 100644
--- a/image/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
+++ b/image/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
@@ -3,5 +3,6 @@
delete: olcAccess
-
add: olcAccess
+olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by anonymous auth by * none
olcAccess: to * by self read by dn="cn=admin,{{ LDAP_BASE_DN }}" write by * none
diff --git a/image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif b/image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
index 56f7728..e5123e6 100644
--- a/image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
+++ b/image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
@@ -3,5 +3,6 @@
delete: olcAccess
-
add: olcAccess
+olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by anonymous auth by * none
olcAccess: to * by self read by dn="cn=admin,{{ LDAP_BASE_DN }}" write by dn="cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}" read by * none
diff --git a/image/service/slapd/process.sh b/image/service/slapd/process.sh
index 4fc5414..e1a17bd 100755
--- a/image/service/slapd/process.sh
+++ b/image/service/slapd/process.sh
@@ -9,4 +9,8 @@
# see https://github.com/docker/docker/issues/8231
ulimit -n $LDAP_NOFILE
-exec /usr/sbin/slapd -h "ldap://$HOSTNAME ldaps://$HOSTNAME ldapi:///" -u openldap -g openldap -d $LDAP_LOG_LEVEL
+# Call hostname to determine the fully qualified domain name. We want OpenLDAP to listen
+# to the named host for the ldap:// and ldaps:// protocols.
+FQDN="$(/bin/hostname --fqdn)"
+HOST_PARAM="ldap://$FQDN:$LDAP_PORT ldaps://$FQDN:$LDAP_PORT"
+exec /usr/sbin/slapd -h "$HOST_PARAM ldapi:///" -u openldap -g openldap -d "$LDAP_LOG_LEVEL"
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh
index 1d7b8c9..7182e94 100755
--- a/image/service/slapd/startup.sh
+++ b/image/service/slapd/startup.sh
@@ -12,25 +12,25 @@
# usage: file_env VAR
-# ie: file_env 'XYZ_DB_PASSWORD'
+# ie: file_env 'XYZ_DB_PASSWORD'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
+ local var="$1"
+ local fileVar="${var}_FILE"
# The variables are already defined from the docker-light-baseimage
# So if the _FILE variable is available we ovewrite them
- if [ "${!fileVar:-}" ]; then
+ if [ "${!fileVar:-}" ]; then
log-helper trace "${fileVar} was defined"
- val="$(< "${!fileVar}")"
+ val="$(< "${!fileVar}")"
log-helper debug "${var} was repalced with the contents of ${fileVar} (the value was: ${val})"
export "$var"="$val"
- fi
-
- unset "$fileVar"
+ fi
+
+ unset "$fileVar"
}
@@ -38,6 +38,20 @@
file_env 'LDAP_CONFIG_PASSWORD'
file_env 'LDAP_READONLY_USER_PASSWORD'
+# Seed ldif from internal path if specified
+file_env 'LDAP_SEED_INTERNAL_LDIF_PATH'
+if [ ! -z "${LDAP_SEED_INTERNAL_LDIF_PATH}" ]; then
+ mkdir -p /container/service/slapd/assets/config/bootstrap/ldif/custom/
+ cp -R ${LDAP_SEED_INTERNAL_LDIF_PATH}/*.ldif /container/service/slapd/assets/config/bootstrap/ldif/custom/
+fi
+
+# Seed schema from internal path if specified
+file_env 'LDAP_SEED_INTERNAL_SCHEMA_PATH'
+if [ ! -z "${LDAP_SEED_INTERNAL_SCHEMA_PATH}" ]; then
+ mkdir -p /container/service/slapd/assets/config/bootstrap/schema/custom/
+ cp -R ${LDAP_SEED_INTERNAL_SCHEMA_PATH}/*.schema /container/service/slapd/assets/config/bootstrap/schema/custom/
+fi
+
# create dir if they not already exists
[ -d /var/lib/ldap ] || mkdir -p /var/lib/ldap
[ -d /etc/ldap/slapd.d ] || mkdir -p /etc/ldap/slapd.d
@@ -113,13 +127,12 @@
fi
# Check that LDAP_BASE_DN and LDAP_DOMAIN are in sync
domain_from_base_dn=$(echo $LDAP_BASE_DN | tr ',' '\n' | sed -e 's/^.*=//' | tr '\n' '.' | sed -e 's/\.$//')
- set +e
- echo "$domain_from_base_dn" | egrep -q ".*$LDAP_DOMAIN\$"
- if [ $? -ne 0 ]; then
+ if `echo "$domain_from_base_dn" | egrep -q ".*$LDAP_DOMAIN\$" || echo $LDAP_DOMAIN | egrep -q ".*$domain_from_base_dn\$"`; then
+ : # pass
+ else
log-helper error "Error: domain $domain_from_base_dn derived from LDAP_BASE_DN $LDAP_BASE_DN does not match LDAP_DOMAIN $LDAP_DOMAIN"
exit 1
fi
- set -e
}
function is_new_schema() {
@@ -284,11 +297,11 @@
# start OpenLDAP
log-helper info "Start OpenLDAP..."
-
+ # At this stage, we can just listen to ldap:// and ldap:// without naming any names
if log-helper level ge debug; then
- slapd -h "ldap://$HOSTNAME $PREVIOUS_HOSTNAME_PARAM ldap://localhost ldapi:///" -u openldap -g openldap -d $LDAP_LOG_LEVEL 2>&1 &
+ slapd -h "ldap:/// ldapi:///" -u openldap -g openldap -d "$LDAP_LOG_LEVEL" 2>&1 &
else
- slapd -h "ldap://$HOSTNAME $PREVIOUS_HOSTNAME_PARAM ldap://localhost ldapi:///" -u openldap -g openldap
+ slapd -h "ldap:/// ldapi:///" -u openldap -g openldap
fi
@@ -382,7 +395,7 @@
# create DHParamFile if not found
[ -f ${LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
-
+
# fix file permissions
if [ "${DISABLE_CHOWN,,}" == "false" ]; then
chmod 600 ${LDAP_TLS_DH_PARAM_PATH}
@@ -537,8 +550,17 @@
ln -sf ${CONTAINER_SERVICE_DIR}/slapd/assets/ldap.conf /etc/ldap/ldap.conf
# force OpenLDAP to listen on all interfaces
+# We need to make sure that /etc/hosts continues to include the
+# fully-qualified domain name and not just the specified hostname.
+# Without the FQDN, /bin/hostname --fqdn stops working.
+FQDN="$(/bin/hostname --fqdn)"
+if [ "$FQDN" != "$HOSTNAME" ]; then
+ FQDN_PARAM="$FQDN"
+else
+ FQDN_PARAM=""
+fi
ETC_HOSTS=$(cat /etc/hosts | sed "/$HOSTNAME/d")
-echo "0.0.0.0 $HOSTNAME" > /etc/hosts
+echo "0.0.0.0 $FQDN_PARAM $HOSTNAME" > /etc/hosts
echo "$ETC_HOSTS" >> /etc/hosts
exit 0
diff --git a/test/test.bats b/test/test.bats
index 0c23e14..8902921 100644
--- a/test/test.bats
+++ b/test/test.bats
@@ -22,7 +22,7 @@
}
-@test "ldap domain with ldap base dn" {
+@test "ldap domain with non-matching ldap base dn" {
run_image -h ldap.example.org -e LDAP_TLS=false -e LDAP_DOMAIN=example.com -e LDAP_BASE_DN="dc=example,dc=org"
@@ -35,7 +35,7 @@
}
-@test "ldap domain with ldap base dn subdomain" {
+@test "ldap domain with matching ldap base dn subdomain" {
run_image -h ldap.example.fr -e LDAP_TLS=false -e LDAP_DOMAIN=example.fr -e LDAP_BASE_DN="ou=myou,o=example,c=fr"
@@ -48,6 +48,19 @@
}
+@test "ldap base dn domain with matching ldap subdomain" {
+
+ run_image -h ldap.example.fr -e LDAP_TLS=false -e LDAP_DOMAIN=mysub.example.fr -e LDAP_BASE_DN="o=example,c=fr"
+
+ sleep 5
+
+ CSTATUS=$(check_container)
+ clear_container
+
+ [ "$CSTATUS" == "running 0" ]
+
+}
+
@test "ldap domain with ldap base dn subdomain included" {
run_image -h ldap.example.com -e LDAP_TLS=false -e LDAP_DOMAIN=example.com -e LDAP_BASE_DN="ou=myou,o=example,dc=com,c=fr"