Merge branch 'stable' into feature-enable-runtime-uidgid
diff --git a/.gitignore b/.gitignore
index 6b3fce7..d43f726 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,2 @@
-/.*
!/.git*
/VOLUMES
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..03befed
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,109 @@
+language: bash
+
+services:
+ - docker
+env:
+ global:
+ - NAME="osixia/openldap"
+ - VERSION="${TRAVIS_BRANCH}-dev"
+ matrix:
+ - TARGET_ARCH=amd64 QEMU_ARCH=x86_64
+ - TARGET_ARCH=arm32v7 QEMU_ARCH=arm
+ - TARGET_ARCH=arm64v8 QEMU_ARCH=aarch64
+
+addons:
+ apt:
+ # The docker manifest command was added in docker-ee version 18.x
+ # So update our current installation and we also have to enable the experimental features.
+ sources:
+ - sourceline: "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+ key_url: "https://download.docker.com/linux/ubuntu/gpg"
+ packages:
+ - docker-ce
+
+before_install:
+ - docker --version
+ - mkdir $HOME/.docker
+ - 'echo "{" > $HOME/.docker/config.json'
+ - 'echo " \"experimental\": \"enabled\"" >> $HOME/.docker/config.json'
+ - 'echo "}" >> $HOME/.docker/config.json'
+ - sudo service docker restart
+
+install:
+ # For cross buidling our images
+ # This is necessary because travis-ci.org has only x86_64 machines.
+ # If travis-ci.org gets native arm builds, probably this step is not
+ # necessary any more.
+ - docker run --rm --privileged multiarch/qemu-user-static:register --reset
+ # Bats is necessary for the UT
+ - curl -o bats.tar.gz -SL https://github.com/bats-core/bats-core/archive/v1.1.0.tar.gz
+ - mkdir bats-core && tar -xf bats.tar.gz -C bats-core --strip-components=1
+ - cd bats-core/
+ - sudo ./install.sh /usr/local
+ - cd ..
+
+before_script:
+ # Set baseimage.
+ - sed -i -e "s/FROM \(.*\)/FROM \1-${TARGET_ARCH}/g" image/Dockerfile;
+ # remove pqchecker if arch is not amd64
+ - if [[ "${TARGET_ARCH}" != 'amd64' ]]; then
+ sed -i -e "/PQCHECKER/Id" image/Dockerfile;
+ fi
+ - cat image/Dockerfile;
+ # If this is a tag then change the VERSION variable to only have the
+ # tag name and not also the commit hash.
+ - if [ -n "$TRAVIS_TAG" ]; then
+ VERSION=$(echo "${TRAVIS_TAG}" | sed -e 's/\(.*\)[-v]\(.*\)/\1\2/g');
+ fi
+ - if [ "${TRAVIS_BRANCH}" == 'stable' ]; then
+ VERSION="stable";
+ fi
+
+script:
+ - make build-nocache NAME=${NAME} VERSION=${VERSION}-${TARGET_ARCH}
+ # skip test "ldapsearch existing hdb database and config" if arch != amd64
+ - if [[ "${TARGET_ARCH}" != 'amd64' ]]; then
+ sed -i '/@test "ldapsearch existing hdb database and config"/a skip' test/test.bats;
+ fi
+ # Run the test and if the test fails mark the build as failed.
+ - make test NAME=${NAME} VERSION=${VERSION}-${TARGET_ARCH}
+
+before_deploy:
+ - docker run -d --name test_image ${NAME}:${VERSION}-${TARGET_ARCH} sleep 10
+ - sleep 5
+ - sudo docker ps | grep -q test_image
+ # To have `DOCKER_USER` and `DOCKER_PASS`
+ # use `travis env set`.
+ - docker login -u "$DOCKER_USER" -p "$DOCKER_PASS";
+ - make tag NAME=${NAME} VERSION=${VERSION}-${TARGET_ARCH}
+
+deploy:
+ provider: script
+ on:
+ all_branches: true
+ script: make push NAME=${NAME} VERSION=${VERSION}-${TARGET_ARCH}
+
+jobs:
+ include:
+ - stage: Manifest creation
+ install: skip
+ script: skip
+ after_deploy:
+ - docker login -u "$DOCKER_USER" -p "$DOCKER_PASS";
+ - docker manifest create ${NAME}:${VERSION} ${NAME}:${VERSION}-amd64 ${NAME}:${VERSION}-arm32v7 ${NAME}:${VERSION}-arm64v8;
+ docker manifest annotate ${NAME}:${VERSION} ${NAME}:${VERSION}-amd64 --os linux --arch amd64;
+ docker manifest annotate ${NAME}:${VERSION} ${NAME}:${VERSION}-arm32v7 --os linux --arch arm --variant v7;
+ docker manifest annotate ${NAME}:${VERSION} ${NAME}:${VERSION}-arm64v8 --os linux --arch arm64 --variant v8;
+
+ # The latest tag is coming from the stable branch of the repo
+ - if [ "${TRAVIS_BRANCH}" == 'stable' ]; then
+ docker manifest create ${NAME}:latest ${NAME}:${VERSION}-amd64 ${NAME}:${VERSION}-arm32v7 ${NAME}:${VERSION}-arm64v8;
+ docker manifest annotate ${NAME}:latest ${NAME}:${VERSION}-amd64 --os linux --arch amd64;
+ docker manifest annotate ${NAME}:latest ${NAME}:${VERSION}-arm32v7 --os linux --arch arm --variant v7;
+ docker manifest annotate ${NAME}:latest ${NAME}:${VERSION}-arm64v8 --os linux --arch arm64 --variant v8;
+ fi
+
+ - docker manifest push ${NAME}:${VERSION};
+ if [ "${TRAVIS_BRANCH}" == 'stable' ]; then
+ docker manifest push ${NAME}:latest;
+ fi
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e0c2a69..1047dfb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,24 @@
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+## [1.3.0] - 2019-09-29
+## Added
+ - Multiarch support
+
+## Changes
+ - Update openldap 2.4.47 to 2.4.48 #247
+ - Upgrade baseimage to light-baseimage:1.2.0 (debian buster)
+
+## [1.2.5] - 2019-08-16
+## Added
+ - Support for docker secrets #325. Thanks to @anagno !
+ - Add DISABLE_CHOWN environment variable #240
+ - pqChecker lib to check passwords strength with ppolicy pwdCheckModule
+
+### Fixed
+ - Fix of incorrectly positioned 'log-helper debug' command #327. Thanks to @turcan !
+ - Fix domain dn #341. Thanks to @obourdon !
+
## [1.2.4] - 2019-03-14
### Fixed
- Excessive RAM usage on 1.2.2, increased 10x from 1.2.1 #242
@@ -234,6 +252,8 @@
## [0.10.0] - 2015-03-03
New version initial release, no changelog before this sorry.
+[1.3.0]: https://github.com/osixia/docker-openldap/compare/v1.2.5...v1.3.0
+[1.2.5]: https://github.com/osixia/docker-openldap/compare/v1.2.4...v1.2.5
[1.2.4]: https://github.com/osixia/docker-openldap/compare/v1.2.3...v1.2.4
[1.2.3]: https://github.com/osixia/docker-openldap/compare/v1.2.2...v1.2.3
[1.2.2]: https://github.com/osixia/docker-openldap/compare/v1.2.1...v1.2.2
diff --git a/Makefile b/Makefile
index 340ca13..e1c79f7 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
NAME = osixia/openldap
-VERSION = 1.2.4
+VERSION = 1.3.0
.PHONY: build build-nocache test tag-latest push push-latest release git-tag-version
@@ -12,6 +12,9 @@
test:
env NAME=$(NAME) VERSION=$(VERSION) bats test/test.bats
+tag:
+ docker tag $(NAME):$(VERSION) $(NAME):$(VERSION)
+
tag-latest:
docker tag $(NAME):$(VERSION) $(NAME):latest
diff --git a/README.md b/README.md
index db27128..998aa79 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
![Docker Stars](https://img.shields.io/docker/stars/osixia/openldap.svg)
![](https://images.microbadger.com/badges/image/osixia/openldap.svg)
-Latest release: 1.2.4 - OpenLDAP 2.4.47 - [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/)
+Latest release: 1.3.0 - OpenLDAP 2.4.48 - [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/)
**A docker image to run OpenLDAP.**
@@ -35,9 +35,10 @@
- [Set your own environment variables](#set-your-own-environment-variables)
- [Use command line argument](#use-command-line-argument)
- [Link environment file](#link-environment-file)
+ - [Docker Secrets](#docker-secrets)
- [Make your own image or extend this image](#make-your-own-image-or-extend-this-image)
- [Advanced User Guide](#advanced-user-guide)
- - [Extend osixia/openldap:1.2.4 image](#extend-osixiaopenldap124-image)
+ - [Extend osixia/openldap:1.3.0 image](#extend-osixiaopenldap130-image)
- [Make your own openldap image](#make-your-own-openldap-image)
- [Tests](#tests)
- [Kubernetes](#kubernetes)
@@ -57,11 +58,11 @@
## Quick Start
Run OpenLDAP docker image:
- docker run --name my-openldap-container --detach osixia/openldap:1.2.4
+ docker run --name my-openldap-container --detach osixia/openldap:1.3.0
Do not forget to add the port mapping for both port 389 and 636 if you wish to access the ldap server from another machine.
- docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.2.4
+ docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.3.0
Either command starts a new container with OpenLDAP running inside. Let's make the first search in our LDAP container:
@@ -97,7 +98,7 @@
By default the admin has the password **admin**. All those default settings can be changed at the docker command line, for example:
docker run --env LDAP_ORGANISATION="My Company" --env LDAP_DOMAIN="my-company.com" \
- --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.4
+ --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.3.0
#### Data persistence
@@ -148,12 +149,12 @@
# single file example:
docker run \
--volume ./bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif \
- osixia/openldap:1.2.4 --copy-service
+ osixia/openldap:1.3.0 --copy-service
#directory example:
docker run \
--volume ./ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom \
- osixia/openldap:1.2.4 --copy-service
+ osixia/openldap:1.3.0 --copy-service
### Use an existing ldap database
@@ -164,7 +165,7 @@
docker run --volume /data/slapd/database:/var/lib/ldap \
--volume /data/slapd/config:/etc/ldap/slapd.d \
- --detach osixia/openldap:1.2.4
+ --detach osixia/openldap:1.3.0
You can also use data volume containers. Please refer to:
> [https://docs.docker.com/engine/tutorials/dockervolumes/](https://docs.docker.com/engine/tutorials/dockervolumes/)
@@ -184,7 +185,7 @@
#### Use auto-generated certificate
By default, TLS is already configured and enabled, certificate is created using container hostname (it can be set by docker run --hostname option eg: ldap.example.org).
- docker run --hostname ldap.my-company.com --detach osixia/openldap:1.2.4
+ docker run --hostname ldap.my-company.com --detach osixia/openldap:1.3.0
#### Use your own certificate
@@ -194,24 +195,24 @@
--env LDAP_TLS_CRT_FILENAME=my-ldap.crt \
--env LDAP_TLS_KEY_FILENAME=my-ldap.key \
--env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \
- --detach osixia/openldap:1.2.4
+ --detach osixia/openldap:1.3.0
Other solutions are available please refer to the [Advanced User Guide](#advanced-user-guide)
#### Disable TLS
Add --env LDAP_TLS=false to the run command:
- docker run --env LDAP_TLS=false --detach osixia/openldap:1.2.4
+ docker run --env LDAP_TLS=false --detach osixia/openldap:1.3.0
### Multi master replication
Quick example, with the default config.
#Create the first ldap server, save the container id in LDAP_CID and get its IP:
- LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.4)
+ LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.3.0)
LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID)
#Create the second ldap server, save the container id in LDAP2_CID and get its IP:
- LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.4)
+ LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.3.0)
LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID)
#Add the pair "ip hostname" to /etc/hosts on each containers,
@@ -247,7 +248,7 @@
To fix that run the container with `--copy-service` argument :
- docker run [your options] osixia/openldap:1.2.4 --copy-service
+ docker run [your options] osixia/openldap:1.3.0 --copy-service
### Debug
@@ -256,11 +257,11 @@
Example command to run the container in `debug` mode:
- docker run --detach osixia/openldap:1.2.4 --loglevel debug
+ docker run --detach osixia/openldap:1.3.0 --loglevel debug
See all command line options:
- docker run osixia/openldap:1.2.4 --help
+ docker run osixia/openldap:1.3.0 --help
## Environment Variables
@@ -326,7 +327,7 @@
If you want to set this variable at docker run command add the tag `#PYTHON2BASH:` and convert the yaml in python:
- docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.2.4
+ docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.3.0
To convert yaml to python online: http://yaml-online-parser.appspot.com/
@@ -338,6 +339,7 @@
- **LDAP_REMOVE_CONFIG_AFTER_SETUP**: delete config folder after setup. Defaults to `true`
- **LDAP_SSL_HELPER_PREFIX**: ssl-helper environment variables prefix. Defaults to `ldap`, ssl-helper first search config from LDAP_SSL_HELPER_* variables, before SSL_HELPER_* variables.
- **HOSTNAME**: set the hostname of the running openldap server. Defaults to whatever docker creates.
+- **DISABLE_CHOWN**: do not perform any chown to fix file ownership. Defaults to `false`
### Set your own environment variables
@@ -346,7 +348,7 @@
Environment variables can be set by adding the --env argument in the command line, for example:
docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \
- --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.4
+ --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.3.0
Be aware that environment variable added in command line will be available at any time
in the container. In this example if someone manage to open a terminal in this container
@@ -357,14 +359,25 @@
For example if your environment files **my-env.yaml** and **my-env.startup.yaml** are in /data/ldap/environment
docker run --volume /data/ldap/environment:/container/environment/01-custom \
- --detach osixia/openldap:1.2.4
+ --detach osixia/openldap:1.3.0
Take care to link your environment files folder to `/container/environment/XX-somedir` (with XX < 99 so they will be processed before default environment files) and not directly to `/container/environment` because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE).
Note: the container will try to delete the **\*.startup.yaml** file after the end of startup files so the file will also be deleted on the docker host. To prevent that : use --volume /data/ldap/environment:/container/environment/01-custom**:ro** or set all variables in **\*.yaml** file and don't use **\*.startup.yaml**:
docker run --volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \
- --detach osixia/openldap:1.2.4
+ --detach osixia/openldap:1.3.0
+
+#### Docker Secrets
+
+As an alternative to passing sensitive information via environmental variables, _FILE may be appended to the listed variables, causing
+the startup.sh script to load the values for those values from files presented in the container. This is particular usefull for loading
+passwords using the [Docker secrets](https://docs.docker.com/engine/swarm/secrets/) mechanism. For example:
+
+ docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \
+ --env LDAP_ADMIN_PASSWORD_FILE=/run/secrets/authentication_admin_pw --detach osixia/openldap:1.2.4
+
+Currently this is only supported for LDAP_ADMIN_PASSWORD, LDAP_CONFIG_PASSWORD, LDAP_READONLY_USER_PASSWORD
#### Make your own image or extend this image
@@ -372,13 +385,13 @@
## Advanced User Guide
-### Extend osixia/openldap:1.2.4 image
+### Extend osixia/openldap:1.3.0 image
If you need to add your custom TLS certificate, bootstrap config or environment files the easiest way is to extends this image.
Dockerfile example:
- FROM osixia/openldap:1.2.4
+ FROM osixia/openldap:1.3.0
MAINTAINER Your Name <your@name.com>
ADD bootstrap /container/service/slapd/assets/config/bootstrap
@@ -420,7 +433,7 @@
We use **Bats** (Bash Automated Testing System) to test this image:
-> [https://github.com/sstephenson/bats](https://github.com/sstephenson/bats)
+> [https://github.com/bats-core/bats-core](https://github.com/bats-core/bats-core)
Install Bats, and in this project directory run:
diff --git a/example/docker-compose.yml b/example/docker-compose.yml
index ba646e7..f580b37 100644
--- a/example/docker-compose.yml
+++ b/example/docker-compose.yml
@@ -1,7 +1,7 @@
version: '2'
services:
openldap:
- image: osixia/openldap:1.2.4
+ image: osixia/openldap:1.3.0
container_name: openldap
environment:
LDAP_LOG_LEVEL: "256"
diff --git a/example/extend-osixia-openldap/Dockerfile b/example/extend-osixia-openldap/Dockerfile
index 645a8f7..19bce2c 100644
--- a/example/extend-osixia-openldap/Dockerfile
+++ b/example/extend-osixia-openldap/Dockerfile
@@ -1,4 +1,4 @@
-FROM osixia/openldap:1.2.4
+FROM osixia/openldap:1.3.0
MAINTAINER Your Name <your@name.com>
ADD bootstrap /container/service/slapd/assets/config/bootstrap
diff --git a/example/kubernetes/simple/ldap-deployment.yaml b/example/kubernetes/simple/ldap-deployment.yaml
index 116735e..9f33dfe 100644
--- a/example/kubernetes/simple/ldap-deployment.yaml
+++ b/example/kubernetes/simple/ldap-deployment.yaml
@@ -13,7 +13,7 @@
spec:
containers:
- name: ldap
- image: osixia/openldap:1.2.4
+ image: osixia/openldap:1.3.0
volumeMounts:
- name: ldap-data
mountPath: /var/lib/ldap
diff --git a/example/kubernetes/using-secrets/gce-statefullset.yaml b/example/kubernetes/using-secrets/gce-statefullset.yaml
index 78e43c4..e280b13 100644
--- a/example/kubernetes/using-secrets/gce-statefullset.yaml
+++ b/example/kubernetes/using-secrets/gce-statefullset.yaml
@@ -12,7 +12,7 @@
spec:
containers:
- name: azaldap
- image: osixia/openldap:1.2.4
+ image: osixia/openldap:1.3.0
imagePullPolicy: IfNotPresent
#command: ["/bin/bash","-c","while [ 1 = 1 ] ; do sleep 1; date; done"]
ports:
diff --git a/example/kubernetes/using-secrets/ldap-deployment.yaml b/example/kubernetes/using-secrets/ldap-deployment.yaml
index 9783b95..9d96c26 100644
--- a/example/kubernetes/using-secrets/ldap-deployment.yaml
+++ b/example/kubernetes/using-secrets/ldap-deployment.yaml
@@ -13,7 +13,7 @@
spec:
containers:
- name: ldap
- image: osixia/openldap:1.2.4
+ image: osixia/openldap:1.3.0
args: ["--copy-service"]
volumeMounts:
- name: ldap-data
diff --git a/image/Dockerfile b/image/Dockerfile
index b19d63d..925c3c9 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -1,34 +1,44 @@
# Use osixia/light-baseimage
# sources: https://github.com/osixia/docker-light-baseimage
-FROM osixia/light-baseimage:1.1.2
+FROM osixia/light-baseimage:release-1.2.0-dev
ARG LDAP_OPENLDAP_GID
ARG LDAP_OPENLDAP_UID
+ARG PQCHECKER_VERSION=2.0.0
+ARG PQCHECKER_MD5=c005ce596e97d13e39485e711dcbc7e1
+
# Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
# If explicit uid or gid is given, use it.
RUN if [ -z "${LDAP_OPENLDAP_GID}" ]; then groupadd -g 911 -r openldap; else groupadd -r -g ${LDAP_OPENLDAP_GID} openldap; fi \
&& if [ -z "${LDAP_OPENLDAP_UID}" ]; then useradd -u 911 -r -g openldap openldap; else useradd -r -g openldap -u ${LDAP_OPENLDAP_UID} openldap; fi
-# Add stretch-backports in preparation for downloading newer openldap components, especially sladp
-RUN echo "deb http://ftp.debian.org/debian stretch-backports main" >> /etc/apt/sources.list
+# Add buster-backports in preparation for downloading newer openldap components, especially sladp
+RUN echo "deb http://ftp.debian.org/debian buster-backports main" >> /etc/apt/sources.list
# Install OpenLDAP, ldap-utils and ssl-tools from the (backported) baseimage and clean apt-get files
# sources: https://github.com/osixia/docker-light-baseimage/blob/stable/image/tool/add-service-available
# https://github.com/osixia/docker-light-baseimage/blob/stable/image/service-available/:ssl-tools/download.sh
RUN echo "path-include /usr/share/doc/krb5*" >> /etc/dpkg/dpkg.cfg.d/docker && apt-get -y update \
&& /container/tool/add-service-available :ssl-tools \
- && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get -t stretch-backports install -y --no-install-recommends \
- ldap-utils \
- libsasl2-modules \
- libsasl2-modules-db \
- libsasl2-modules-gssapi-mit \
- libsasl2-modules-ldap \
- libsasl2-modules-otp \
- libsasl2-modules-sql \
- openssl \
- slapd \
- krb5-kdc-ldap \
+ && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get -t buster-backports install -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ ldap-utils \
+ libsasl2-modules \
+ libsasl2-modules-db \
+ libsasl2-modules-gssapi-mit \
+ libsasl2-modules-ldap \
+ libsasl2-modules-otp \
+ libsasl2-modules-sql \
+ openssl \
+ slapd \
+ krb5-kdc-ldap \
+ && curl -o pqchecker.deb -SL http://www.meddeb.net/pub/pqchecker/deb/8/pqchecker_${PQCHECKER_VERSION}_amd64.deb \
+ && echo "${PQCHECKER_MD5} *pqchecker.deb" | md5sum -c - \
+ && dpkg -i pqchecker.deb \
+ && rm pqchecker.deb \
+ && apt-get remove -y --purge --auto-remove curl ca-certificates \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/image/environment/default.yaml b/image/environment/default.yaml
index 74a88fb..0eb9b71 100644
--- a/image/environment/default.yaml
+++ b/image/environment/default.yaml
@@ -10,4 +10,7 @@
LDAP_LOG_LEVEL: 256
# Ulimit
-LDAP_NOFILE: 1024
\ No newline at end of file
+LDAP_NOFILE: 1024
+
+# Do not perform any chown to fix file ownership
+DISABLE_CHOWN: false
\ No newline at end of file
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh
index c089175..1d7b8c9 100755
--- a/image/service/slapd/startup.sh
+++ b/image/service/slapd/startup.sh
@@ -10,6 +10,34 @@
# see https://github.com/docker/docker/issues/8231
ulimit -n $LDAP_NOFILE
+
+# usage: file_env VAR
+# ie: file_env 'XYZ_DB_PASSWORD'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+
+ # The variables are already defined from the docker-light-baseimage
+ # So if the _FILE variable is available we ovewrite them
+ if [ "${!fileVar:-}" ]; then
+ log-helper trace "${fileVar} was defined"
+
+ val="$(< "${!fileVar}")"
+ log-helper debug "${var} was repalced with the contents of ${fileVar} (the value was: ${val})"
+
+ export "$var"="$val"
+ fi
+
+ unset "$fileVar"
+}
+
+
+file_env 'LDAP_ADMIN_PASSWORD'
+file_env 'LDAP_CONFIG_PASSWORD'
+file_env 'LDAP_READONLY_USER_PASSWORD'
+
# create dir if they not already exists
[ -d /var/lib/ldap ] || mkdir -p /var/lib/ldap
[ -d /etc/ldap/slapd.d ] || mkdir -p /etc/ldap/slapd.d
@@ -42,11 +70,14 @@
log-helper info "uid/gid changed: ${LDAP_UIDGID_CHANGED}"
log-helper info "-------------------------------------"
-log-helper info "updating file uid/gid ownership"
-chown -R openldap:openldap /var/run/slapd
-chown -R openldap:openldap /var/lib/ldap
-chown -R openldap:openldap /etc/ldap
-chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
+# fix file permissions
+if [ "${DISABLE_CHOWN,,}" == "false" ]; then
+ log-helper info "updating file uid/gid ownership"
+ chown -R openldap:openldap /var/run/slapd
+ chown -R openldap:openldap /var/lib/ldap
+ chown -R openldap:openldap /etc/ldap
+ chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
+fi
FIRST_START_DONE="${CONTAINER_STATE_DIR}/slapd-first-start-done"
WAS_STARTED_WITH_TLS="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls"
@@ -80,7 +111,15 @@
LDAP_BASE_DN=${LDAP_BASE_DN::-1}
fi
-
+ # Check that LDAP_BASE_DN and LDAP_DOMAIN are in sync
+ domain_from_base_dn=$(echo $LDAP_BASE_DN | tr ',' '\n' | sed -e 's/^.*=//' | tr '\n' '.' | sed -e 's/\.$//')
+ set +e
+ echo "$domain_from_base_dn" | egrep -q ".*$LDAP_DOMAIN\$"
+ if [ $? -ne 0 ]; then
+ log-helper error "Error: domain $domain_from_base_dn derived from LDAP_BASE_DN $LDAP_BASE_DN does not match LDAP_DOMAIN $LDAP_DOMAIN"
+ exit 1
+ fi
+ set -e
}
function is_new_schema() {
@@ -94,6 +133,7 @@
function ldap_add_or_modify (){
local LDIF_FILE=$1
+
log-helper debug "Processing file ${LDIF_FILE}"
sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" $LDIF_FILE
sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" $LDIF_FILE
@@ -103,9 +143,9 @@
sed -i "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED}|g" $LDIF_FILE
fi
if grep -iq changetype $LDIF_FILE ; then
- ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 | log-helper debug || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 | log-helper debug
+ ( ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 ) | log-helper debug
else
- ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE |& log-helper debug || ldapadd -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 | log-helper debug
+ ( ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 || ldapadd -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 ) | log-helper debug
fi
}
@@ -125,6 +165,7 @@
log-helper info "Database and config directory are empty..."
log-helper info "Init new ldap server..."
+ get_ldap_base_dn
cat <<EOF | debconf-set-selections
slapd slapd/internal/generated_adminpw password ${LDAP_ADMIN_PASSWORD}
slapd slapd/internal/adminpw password ${LDAP_ADMIN_PASSWORD}
@@ -156,7 +197,9 @@
mv /tmp/schema/cn=config/cn=schema/* /etc/ldap/slapd.d/cn=config/cn=schema
rm -r /tmp/schema
- chown -R openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema
+ if [ "${DISABLE_CHOWN,,}" == "false" ]; then
+ chown -R openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema
+ fi
fi
rm ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema/rfc2307bis.*
@@ -233,8 +276,10 @@
ssl-helper $LDAP_SSL_HELPER_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH
[ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
- chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}
- chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH
+ if [ "${DISABLE_CHOWN,,}" == "false" ]; then
+ chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}
+ chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH
+ fi
fi
# start OpenLDAP
@@ -337,10 +382,12 @@
# create DHParamFile if not found
[ -f ${LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
- chmod 600 ${LDAP_TLS_DH_PARAM_PATH}
-
+
# fix file permissions
- chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
+ if [ "${DISABLE_CHOWN,,}" == "false" ]; then
+ chmod 600 ${LDAP_TLS_DH_PARAM_PATH}
+ chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
+ fi
# adapt tls ldif
sed -i "s|{{ LDAP_TLS_CA_CRT_PATH }}|${LDAP_TLS_CA_CRT_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
diff --git a/test/test.bats b/test/test.bats
index cf1073b..0c23e14 100644
--- a/test/test.bats
+++ b/test/test.bats
@@ -12,6 +12,9 @@
run_image -h ldap.example.org -e LDAP_TLS=false
wait_process slapd
+
+ sleep 5
+
run docker exec $CONTAINER_ID ldapsearch -x -h ldap.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
clear_container
@@ -19,29 +22,99 @@
}
+@test "ldap domain with ldap base dn" {
+
+ run_image -h ldap.example.org -e LDAP_TLS=false -e LDAP_DOMAIN=example.com -e LDAP_BASE_DN="dc=example,dc=org"
+
+ sleep 5
+
+ CSTATUS=$(check_container)
+ clear_container
+
+ [ "$CSTATUS" != "running 0" ]
+
+}
+
+@test "ldap domain with ldap base dn subdomain" {
+
+ run_image -h ldap.example.fr -e LDAP_TLS=false -e LDAP_DOMAIN=example.fr -e LDAP_BASE_DN="ou=myou,o=example,c=fr"
+
+ sleep 5
+
+ CSTATUS=$(check_container)
+ clear_container
+
+ [ "$CSTATUS" == "running 0" ]
+
+}
+
+@test "ldap domain with ldap base dn subdomain included" {
+
+ run_image -h ldap.example.com -e LDAP_TLS=false -e LDAP_DOMAIN=example.com -e LDAP_BASE_DN="ou=myou,o=example,dc=com,c=fr"
+
+ sleep 5
+
+ CSTATUS=$(check_container)
+ clear_container
+
+ [ "$CSTATUS" != "running 0" ]
+
+}
+
@test "ldapsearch database from created volumes" {
rm -rf VOLUMES && mkdir -p VOLUMES/config VOLUMES/database
LDAP_CID=$(docker run -h ldap.example.org -e LDAP_TLS=false --volume $PWD/VOLUMES/database:/var/lib/ldap --volume $PWD/VOLUMES/config:/etc/ldap/slapd.d -d $NAME:$VERSION)
wait_process_by_cid $LDAP_CID slapd
+
+ sleep 5
+
run docker exec $LDAP_CID ldapsearch -x -h ldap.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
docker kill $LDAP_CID
+ clear_containers_by_cid $LDAP_CID
+
[ "$status" -eq 0 ]
+
LDAP_CID=$(docker run -h ldap.example.org -e LDAP_TLS=false --volume $PWD/VOLUMES/database:/var/lib/ldap --volume $PWD/VOLUMES/config:/etc/ldap/slapd.d -d $NAME:$VERSION)
wait_process_by_cid $LDAP_CID slapd
+
+ sleep 5
+
run docker exec $LDAP_CID ldapsearch -x -h ldap.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
run docker exec $LDAP_CID chown -R $UID:$UID /var/lib/ldap /etc/ldap/slapd.d
docker kill $LDAP_CID
rm -rf VOLUMES
+ clear_containers_by_cid $LDAP_CID
[ "$status" -eq 0 ]
}
+@test "ldapsearch database with password provided from file" {
+
+ echo "strongPassword" > $PWD/password.txt
+
+ run_image -h ldap.osixia.net -e LDAP_ADMIN_PASSWORD_FILE=/run/secrets/admin_pw.txt --volume $PWD/password.txt:/run/secrets/admin_pw.txt
+ wait_process slapd
+
+ sleep 5
+
+ run docker exec $CONTAINER_ID ldapsearch -x -h ldap.osixia.net -b dc=example,dc=org -ZZ -D "cn=admin,dc=example,dc=org" -w strongPassword
+ clear_container
+
+ rm $PWD/password.txt
+
+ [ "$status" -eq 0 ]
+}
+
+
@test "ldapsearch new database with strict TLS" {
run_image -h ldap.example.org
wait_process slapd
+
+ sleep 5
+
run docker exec $CONTAINER_ID ldapsearch -x -h ldap.example.org -b dc=example,dc=org -ZZ -D "cn=admin,dc=example,dc=org" -w admin
clear_container
@@ -53,6 +126,9 @@
run_image -h ldap.osixia.net -v $BATS_TEST_DIRNAME/ssl:/container/service/slapd/assets/certs -e LDAP_TLS_CRT_FILENAME=ldap-test.crt -e LDAP_TLS_KEY_FILENAME=ldap-test.key -e LDAP_TLS_CA_CRT_FILENAME=ca-test.crt
wait_process slapd
+
+ sleep 5
+
run docker exec $CONTAINER_ID ldapsearch -x -h ldap.osixia.net -b dc=example,dc=org -ZZ -D "cn=admin,dc=example,dc=org" -w admin
clear_container
@@ -64,6 +140,9 @@
run_image -h ldap.osixia.net -v $BATS_TEST_DIRNAME/ssl:/container/service/slapd/assets/certs -e LDAP_TLS_CRT_FILENAME=ldap-test.crt -e LDAP_TLS_KEY_FILENAME=ldap-test.key -e LDAP_TLS_DH_PARAM_FILENAME=ldap-test.dhparam -e LDAP_TLS_CA_CRT_FILENAME=ca-test.crt
wait_process slapd
+
+ sleep 5
+
run docker exec $CONTAINER_ID ldapsearch -x -h ldap.osixia.net -b dc=example,dc=org -ZZ -D "cn=admin,dc=example,dc=org" -w admin
clear_container
@@ -75,6 +154,9 @@
run_image -h ldap.example.org -e LDAP_TLS=false -e LDAP_BACKEND=hdb -v $BATS_TEST_DIRNAME/database:/container/test/database -v $BATS_TEST_DIRNAME/config:/container/test/config
wait_process slapd
+
+ sleep 5
+
run docker exec $CONTAINER_ID ldapsearch -x -h ldap.example.org -b dc=osixia,dc=net -D "cn=admin,dc=osixia,dc=net" -w admin
clear_container
@@ -91,7 +173,7 @@
LDAP_REPL_CID=$(docker run -h ldap2.example.org -e LDAP_REPLICATION=true -d $NAME:$VERSION)
LDAP_REPL_IP=$(get_container_ip_by_cid $LDAP_REPL_CID)
- sleep 2
+ sleep 5
# ldap server
run_image -h ldap.example.org -e LDAP_REPLICATION=true
@@ -104,7 +186,7 @@
wait_process slapd
wait_process_by_cid $LDAP_REPL_CID slapd
- sleep 2
+ sleep 5
# add user on ldap2.example.org
docker exec $LDAP_REPL_CID ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /container/service/slapd/assets/test/new-user.ldif -h ldap2.example.org -ZZ
diff --git a/test/test_helper.bash b/test/test_helper.bash
old mode 100644
new mode 100755
index 45df68c..726833e
--- a/test/test_helper.bash
+++ b/test/test_helper.bash
@@ -9,7 +9,7 @@
}
run_image() {
- CONTAINER_ID=$(docker run $@ -d $IMAGE_NAME --copy-service -c "/container/service/slapd/test.sh")
+ CONTAINER_ID=$(docker run $@ -d $IMAGE_NAME --copy-service -c "/container/service/slapd/test.sh" $EXTRA_DOCKER_RUN_FLAGS)
CONTAINER_IP=$(get_container_ip_by_cid $CONTAINER_ID)
}
@@ -22,7 +22,7 @@
}
remove_container() {
- remove_containers_by_cid $CONTAINER_ID
+ remove_containers_by_cid $CONTAINER_ID
}
clear_container() {
@@ -34,6 +34,12 @@
wait_process_by_cid $CONTAINER_ID $@
}
+check_container() {
+ # "Status" = "exited", and "ExitCode" != 0,
+ local CSTAT=$(docker inspect -f "{{ .State.Status }} {{ .State.ExitCode }}" $CONTAINER_ID)
+ echo "$CSTAT"
+}
+
# generic functions
get_container_ip_by_cid() {
local IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $1)