Merge branch 'bjozet-dhparam-env' into release-1.2.3
diff --git a/README.md b/README.md
index 257b15f..1d0821d 100644
--- a/README.md
+++ b/README.md
@@ -296,6 +296,7 @@
 - **LDAP_TLS**: Add openldap TLS capabilities. Can't be removed once set to true. Defaults to `true`.
 - **LDAP_TLS_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
 - **LDAP_TLS_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
+- **LDAP_TLS_DH_PARAM_FILENAME**: Ldap ssl certificate dh param file. Defaults to `dhparam.pem`
 - **LDAP_TLS_CA_CRT_FILENAME**: Ldap ssl CA certificate  filename. Defaults to `ca.crt`
 - **LDAP_TLS_ENFORCE**: Enforce TLS but except ldapi connections. Can't be disabled once set to true. Defaults to `false`.
 - **LDAP_TLS_CIPHER_SUITE**: TLS cipher suite. Defaults to `SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC`, based on Red Hat's [TLS hardening guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Hardening_TLS_Configuration.html)
diff --git a/example/docker-compose.yml b/example/docker-compose.yml
index e27c202..3d7dd26 100644
--- a/example/docker-compose.yml
+++ b/example/docker-compose.yml
@@ -18,6 +18,7 @@
       LDAP_TLS: "true"
       LDAP_TLS_CRT_FILENAME: "ldap.crt"
       LDAP_TLS_KEY_FILENAME: "ldap.key"
+      LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
       LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
       LDAP_TLS_ENFORCE: "false"
       LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
diff --git a/example/extend-osixia-openldap/environment/my-env.startup.yaml b/example/extend-osixia-openldap/environment/my-env.startup.yaml
index 411226e..336a8bf 100644
--- a/example/extend-osixia-openldap/environment/my-env.startup.yaml
+++ b/example/extend-osixia-openldap/environment/my-env.startup.yaml
@@ -20,6 +20,7 @@
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: cert.crt
 LDAP_TLS_KEY_FILENAME: cert.key
+LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
 LDAP_TLS_ENFORCE: false
diff --git a/example/kubernetes/simple/ldap-deployment.yaml b/example/kubernetes/simple/ldap-deployment.yaml
index e98bba0..89017fb 100644
--- a/example/kubernetes/simple/ldap-deployment.yaml
+++ b/example/kubernetes/simple/ldap-deployment.yaml
@@ -51,6 +51,8 @@
               value: "ldap.crt"
             - name: LDAP_TLS_KEY_FILENAME
               value: "ldap.key"
+            - name: LDAP_TLS_DH_PARAM_FILENAME
+              value: "dhparam.pem"
             - name: LDAP_TLS_CA_CRT_FILENAME
               value: "ca.crt"
             - name: LDAP_TLS_ENFORCE
diff --git a/example/kubernetes/using-secrets/environment/my-env.startup.yaml b/example/kubernetes/using-secrets/environment/my-env.startup.yaml
index 8225642..12a4a78 100644
--- a/example/kubernetes/using-secrets/environment/my-env.startup.yaml
+++ b/example/kubernetes/using-secrets/environment/my-env.startup.yaml
@@ -27,6 +27,7 @@
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: ldap.crt
 LDAP_TLS_KEY_FILENAME: ldap.key
+LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
 LDAP_TLS_ENFORCE: false
diff --git a/image/environment/default.startup.yaml b/image/environment/default.startup.yaml
index 6a027d4..95d0005 100644
--- a/image/environment/default.startup.yaml
+++ b/image/environment/default.startup.yaml
@@ -27,6 +27,7 @@
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: ldap.crt
 LDAP_TLS_KEY_FILENAME: ldap.key
+LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
 LDAP_TLS_ENFORCE: false
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh
index 762b425..25656ed 100755
--- a/image/service/slapd/startup.sh
+++ b/image/service/slapd/startup.sh
@@ -28,7 +28,7 @@
 LDAP_TLS_CA_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CA_CRT_FILENAME"
 LDAP_TLS_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CRT_FILENAME"
 LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
-LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
+LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_DH_PARAM_FILENAME"
 
 
 # CONTAINER_SERVICE_DIR and CONTAINER_STATE_DIR variables are set by
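Review bot: The new `LDAP_TLS_DH_PARAM_PATH` line collapses to the bare `certs/` directory when `LDAP_TLS_DH_PARAM_FILENAME` is unset, and the later `openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048` in the second hunk would then try to write a directory rather than a file; this matters if the default in `image/environment/default.startup.yaml` is not applied, which presumably happens with a custom environment file written before this variable existed. Keeping the old name as a shell fallback preserves the previous behaviour for such environments: `LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/${LDAP_TLS_DH_PARAM_FILENAME:-dhparam.pem}"`, and the same applies to the `PREVIOUS_LDAP_TLS_DH_PARAM_PATH` assignment in the second hunk of this file. Since the filename is now operator-supplied rather than a literal, the unquoted `${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}` and `${LDAP_TLS_DH_PARAM_PATH}` expansions on the last line of that hunk should also be double-quoted so a name containing whitespace cannot split into extra arguments to `[` or `openssl`.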
@@ -198,7 +198,7 @@
       [[ -z "$PREVIOUS_LDAP_TLS_CA_CRT_PATH" ]] && PREVIOUS_LDAP_TLS_CA_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CA_CRT_FILENAME"
       [[ -z "$PREVIOUS_LDAP_TLS_CRT_PATH" ]] && PREVIOUS_LDAP_TLS_CRT_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_CRT_FILENAME"
       [[ -z "$PREVIOUS_LDAP_TLS_KEY_PATH" ]] && PREVIOUS_LDAP_TLS_KEY_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_KEY_FILENAME"
-      [[ -z "$PREVIOUS_LDAP_TLS_DH_PARAM_PATH" ]] && PREVIOUS_LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/dhparam.pem"
+      [[ -z "$PREVIOUS_LDAP_TLS_DH_PARAM_PATH" ]] && PREVIOUS_LDAP_TLS_DH_PARAM_PATH="${CONTAINER_SERVICE_DIR}/slapd/assets/certs/$LDAP_TLS_DH_PARAM_FILENAME"
 
       ssl-helper $LDAP_SSL_HELPER_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH
       [ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
diff --git a/test/ssl/ldap-test.dhparam b/test/ssl/ldap-test.dhparam
new file mode 100644
index 0000000..eccad10
--- /dev/null
+++ b/test/ssl/ldap-test.dhparam
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA9GFVKDf67bPYjJB6ngTWhCSARE4KPg5/+LYMIA5mr137Iqatdk2K
+/QNyvW3EWmg9hSNcb8Zd7LFru/qt5te7lDBGS2uOhvxHQEJ8Lqv+KoM9TFTI1oH7
+9biVLVbUwMrD7LGTp5TQ9pbjyADW2mWf25hYmy95V0aKQBLJ10GcFaDTguO6OH3E
+E6hOl6gQzlTd/WCNrFf2ww4iveNNXbZArOf4BruqjYOkV1RSf+vdQwBlxtjjCEW4
+QUGO31rbD07R5Pv464vf18yGHttnPa0JBDq7P2alN49Of0k+qntUyUPxcrBd83qQ
+13KWi47KoR76gf4f87OZa9hXwk8AML1BCwIBAg==
+-----END DH PARAMETERS-----
diff --git a/test/test.bats b/test/test.bats
index 9256e88..45a9722 100644
--- a/test/test.bats
+++ b/test/test.bats
@@ -41,6 +41,17 @@
 
 }
 
+@test "ldapsearch new database with strict TLS and custom ca/crt and custom dhparam" {
+
+  run_image -h ldap.osixia.net -v $BATS_TEST_DIRNAME/ssl:/container/service/slapd/assets/certs -e LDAP_TLS_CRT_FILENAME=ldap-test.crt -e LDAP_TLS_KEY_FILENAME=ldap-test.key -e LDAP_TLS_DH_PARAM_FILENAME=ldap-test.dhparam -e LDAP_TLS_CA_CRT_FILENAME=ca-test.crt
+  wait_process slapd
+  run docker exec $CONTAINER_ID ldapsearch -x -h ldap.osixia.net -b dc=example,dc=org -ZZ -D "cn=admin,dc=example,dc=org" -w admin
+  clear_container
+
+  [ "$status" -eq 0 ]
+
+}
+
 @test "ldapsearch existing hdb database and config" {
 
   run_image -h ldap.example.org -e LDAP_TLS=false -e LDAP_BACKEND=hdb -v $BATS_TEST_DIRNAME/database:/container/test/database -v $BATS_TEST_DIRNAME/config:/container/test/config
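Review bot: The new test at the top of the hunk only asserts that `ldapsearch -ZZ` exited 0, which is also true when `LDAP_TLS_DH_PARAM_FILENAME` is ignored, because `startup.sh` generates a fresh `dhparam.pem` when the configured file is not found, so the assertion cannot distinguish "the mounted `ldap-test.dhparam` was used" from "a fallback was generated". Since `$BATS_TEST_DIRNAME/ssl` is bind-mounted as the certs directory, a fallback-generated file would presumably appear on the host side; adding `[ ! -f $BATS_TEST_DIRNAME/ssl/dhparam.pem ]` next to the status check would catch that case and also flag the test directory being polluted by a run. A one-line comment above the `run_image` call stating this intent, e.g. `# a generated dhparam.pem in the mounted ssl dir means LDAP_TLS_DH_PARAM_FILENAME was not honoured`, would tell the next reader why the extra check is there.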