Merge branch 'pcolmer-stable' into release-1.4.0
diff --git a/example/docker-compose.yml b/example/docker-compose.yml
index b3225f8..cde8795 100644
--- a/example/docker-compose.yml
+++ b/example/docker-compose.yml
@@ -24,8 +24,8 @@
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
LDAP_TLS_VERIFY_CLIENT: "demand"
LDAP_REPLICATION: "false"
- #LDAP_REPLICATION_CONFIG_SYNCPROV: "binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical"
- #LDAP_REPLICATION_DB_SYNCPROV: "binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical"
+ #LDAP_REPLICATION_CONFIG_SYNCPROV: "binddn="cn=admin,cn=config" bindmethod=simple credentials=$$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical"
+ #LDAP_REPLICATION_DB_SYNCPROV: "binddn="cn=admin,$$LDAP_BASE_DN" bindmethod=simple credentials=$$LDAP_ADMIN_PASSWORD searchbase="$$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical"
#LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
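Review bot: The `$$` doubling on the two replication sample lines is Compose's escape for a literal `$`, and nothing in the file says so; anyone copying these values into an env file or a `docker run -e` argument ends up with a literal `$$LDAP_CONFIG_PASSWORD`. Suggest a comment above the samples: `# "$$" is docker-compose escaping for a literal "$"; use a single "$" outside compose.` Since the samples stay commented out, the change is otherwise documentation only.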
@@ -39,8 +39,11 @@
ports:
- "389:389"
- "636:636"
- domainname: "example.org" # important: same as hostname
- hostname: "example.org"
+ # For replication to work correctly, domainname and hostname must be
+ # set correctly so that "hostname"."domainname" equates to the
+ # fully-qualified domain name for the host.
+ domainname: "example.org"
+ hostname: "ldap-server"
phpldapadmin:
image: osixia/phpldapadmin:latest
container_name: phpldapadmin
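Review bot: The new comment explains that `hostname`.`domainname` must form the FQDN, but not that this name is also what the server binds and presents; with `636:636` published just above, any client that verifies the server certificate over ldaps:// will expect `ldap-server.example.org` (as CN or SAN), so a certificate still issued for `example.org` would be rejected. Suggest extending the comment with `# The TLS certificate must be issued for this FQDN (ldap-server.example.org).` The service definition these keys belong to starts above the hunk, so I cannot see where the certificate is configured in this example.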
diff --git a/image/service/slapd/process.sh b/image/service/slapd/process.sh
index 449481f..e1a17bd 100755
--- a/image/service/slapd/process.sh
+++ b/image/service/slapd/process.sh
@@ -9,4 +9,8 @@
# see https://github.com/docker/docker/issues/8231
ulimit -n $LDAP_NOFILE
-exec /usr/sbin/slapd -h "ldap://$HOSTNAME:$LDAP_PORT ldaps://$HOSTNAME:$LDAPS_PORT ldapi:///" -u openldap -g openldap -d $LDAP_LOG_LEVEL
+# Call hostname to determine the fully qualified domain name. We want OpenLDAP to listen
+# to the named host for the ldap:// and ldaps:// protocols.
+FQDN="$(/bin/hostname --fqdn)"
+HOST_PARAM="ldap://$FQDN:$LDAP_PORT ldaps://$FQDN:$LDAP_PORT"
+exec /usr/sbin/slapd -h "$HOST_PARAM ldapi:///" -u openldap -g openldap -d "$LDAP_LOG_LEVEL"
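Review bot: The ldaps:// URL on the new `HOST_PARAM` line is built with `$LDAP_PORT`, whereas the removed exec line used `$LDAPS_PORT`; as written both listeners name the same port, so slapd will fail to bind the second URL or never serve ldaps on the port the example compose file publishes (636). The line should read `HOST_PARAM="ldap://$FQDN:$LDAP_PORT ldaps://$FQDN:$LDAPS_PORT"`. Separately, if `/bin/hostname --fqdn` fails it presumably exits non-zero with empty output, leaving `$FQDN` empty and the URLs as `ldap://:$LDAP_PORT`, i.e. bound on all interfaces; a guard such as `[ -n "$FQDN" ] || FQDN="$HOSTNAME"` would make that fallback deliberate rather than accidental.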
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh
index 1ba6b15..bc5f716 100755
--- a/image/service/slapd/startup.sh
+++ b/image/service/slapd/startup.sh
@@ -12,25 +12,25 @@
# usage: file_env VAR
-# ie: file_env 'XYZ_DB_PASSWORD'
+# ie: file_env 'XYZ_DB_PASSWORD'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
+ local var="$1"
+ local fileVar="${var}_FILE"
# The variables are already defined from the docker-light-baseimage
# So if the _FILE variable is available we ovewrite them
- if [ "${!fileVar:-}" ]; then
+ if [ "${!fileVar:-}" ]; then
log-helper trace "${fileVar} was defined"
- val="$(< "${!fileVar}")"
+ val="$(< "${!fileVar}")"
log-helper debug "${var} was repalced with the contents of ${fileVar} (the value was: ${val})"
export "$var"="$val"
- fi
-
- unset "$fileVar"
+ fi
+
+ unset "$fileVar"
}
@@ -267,11 +267,11 @@
# start OpenLDAP
log-helper info "Start OpenLDAP..."
-
+ # At this stage, we can just listen to ldap:// and ldap:// without naming any names
if log-helper level ge debug; then
- slapd -h "ldap://$HOSTNAME $PREVIOUS_HOSTNAME_PARAM ldap://localhost ldapi:///" -u openldap -g openldap -d $LDAP_LOG_LEVEL 2>&1 &
+ slapd -h "ldap:/// ldapi:///" -u openldap -g openldap -d "$LDAP_LOG_LEVEL" 2>&1 &
else
- slapd -h "ldap://$HOSTNAME $PREVIOUS_HOSTNAME_PARAM ldap://localhost ldapi:///" -u openldap -g openldap
+ slapd -h "ldap:/// ldapi:///" -u openldap -g openldap
fi
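Review bot: The new comment reads `ldap:// and ldap://`; the second should be `ldapi://` to match the listener string `ldap:/// ldapi:///`. More importantly, the bootstrap instance now binds `ldap:///`, i.e. every interface on the default port, at a stage where the directory is still being configured; the removed line also bound `ldap://$HOSTNAME`, so I cannot tell from here whether remote reachability during bootstrap is required. If it is not, `ldap://localhost/ ldapi:///` would keep the temporary listener off external interfaces; if it is, the comment should say why. The enclosing startup section begins and ends outside the hunk.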
@@ -365,7 +365,7 @@
# create DHParamFile if not found
[ -f ${LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
-
+
# fix file permissions
if [ "${DISABLE_CHOWN,,}" == "false" ]; then
chmod 600 ${LDAP_TLS_DH_PARAM_PATH}
@@ -520,8 +520,17 @@
ln -sf ${CONTAINER_SERVICE_DIR}/slapd/assets/ldap.conf /etc/ldap/ldap.conf
# force OpenLDAP to listen on all interfaces
+# We need to make sure that /etc/hosts continues to include the
+# fully-qualified domain name and not just the specified hostname.
+# Without the FQDN, /bin/hostname --fqdn stops working.
+FQDN="$(/bin/hostname --fqdn)"
+if [ "$FQDN" != "$HOSTNAME" ]; then
+ FQDN_PARAM="$FQDN"
+else
+ FQDN_PARAM=""
+fi
ETC_HOSTS=$(cat /etc/hosts | sed "/$HOSTNAME/d")
-echo "0.0.0.0 $HOSTNAME" > /etc/hosts
+echo "0.0.0.0 $FQDN_PARAM $HOSTNAME" > /etc/hosts
echo "$ETC_HOSTS" >> /etc/hosts
exit 0
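Review bot: The existing comment `# force OpenLDAP to listen on all interfaces` now sits above the new FQDN block rather than the /etc/hosts rewrite it describes; move it to just above the `ETC_HOSTS=` line or fold it into the new comment. The new block also degrades silently: if `/bin/hostname --fqdn` fails before the rewrite, `$FQDN` is empty, the `if` branch still runs, `FQDN_PARAM` is empty, and the hosts entry is written without the FQDN, which the comment itself says breaks `--fqdn` later; a check such as `[ -n "$FQDN" ] || log-helper info "FQDN could not be determined; /etc/hosts will only carry $HOSTNAME"` would surface that case. The `if`/`else` could be collapsed since writing the name twice when `$FQDN` equals `$HOSTNAME` is harmless, but that is style only.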