From 7e534615258d31ee7c9b1a47e9c66fb89b4b05c7 Mon Sep 17 00:00:00 2001
From: Eduardo Santos
Date: Thu, 6 Sep 2018 15:37:58 -0300
Subject: [PATCH 01/22] =?UTF-8?q?Desabilita=20valida=C3=A7=C3=A3o=20de=20p?= =?UTF-8?q?ermiss=C3=B5es?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 image/service/slapd/startup.sh | 22 +++++++++++++---------
 test/test_helper.bash | 0
 2 files changed, 13 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 test/test_helper.bash
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh
index dd291b35..5dd5e3da 100755
--- a/image/service/slapd/startup.sh
+++ b/image/service/slapd/startup.sh
@@ -15,9 +15,10 @@ ulimit -n $LDAP_NOFILE
 [ -d /etc/ldap/slapd.d ] || mkdir -p /etc/ldap/slapd.d
 # fix file permissions
-chown -R openldap:openldap /var/lib/ldap
-chown -R openldap:openldap /etc/ldap
-chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
+if [ -z "$DISABLE_CHOWN" ]; then
+ chown -R openldap:openldap /var/lib/ldap
+ chown -R openldap:openldap /etc/ldap
+ chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
 FIRST_START_DONE="${CONTAINER_STATE_DIR}/slapd-first-start-done"
 WAS_STARTED_WITH_TLS="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls"
@@ -125,7 +126,8 @@ EOF
 mv /tmp/schema/cn=config/cn=schema/* /etc/ldap/slapd.d/cn=config/cn=schema
 rm -r /tmp/schema
- chown -R openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema
+ if [ -z "$DISABLE_CHOWN" ]; then
+ chown -R openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema
 fi
 rm ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema/rfc2307bis.*
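Review bot: The `if [ -z "$DISABLE_CHOWN" ]; then` opened in the `@@ -15` hunk is never closed: context resumes at `FIRST_START_DONE=` with no `fi`, so startup.sh no longer parses; in the `@@ -125` hunk the new inner `if` appears to take over the pre-existing ` fi` of the surrounding block, leaving that outer block unclosed. Beyond the syntax, `-z` treats any non-empty value as "disable", so `DISABLE_CHOWN=false` also skips the ownership fix; comparing against an explicit opt-out value, `if [ "${DISABLE_CHOWN:-false}" != "true" ]; then`, keeps chown as the default. Unquoted `${CONTAINER_SERVICE_DIR}/slapd` would word-split if the path ever contained spaces, so quote it while touching these lines. The enclosing first-start block of the `@@ -125` hunk starts and ends outside the hunk.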
@@ -202,8 +204,9 @@ EOF ssl-helper $LDAP_SSL_HELPER_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH [ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048 - chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} - chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH + if [ -z "$DISABLE_CHOWN" ]; then + chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} + chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH fi # start OpenLDAP @@ -306,10 +309,11 @@ EOF # create DHParamFile if not found [ -f ${LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048 - chmod 600 ${LDAP_TLS_DH_PARAM_PATH} - + # fix file permissions - chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd + if [ -z "$DISABLE_CHOWN" ]; then + chmod 600 ${LDAP_TLS_DH_PARAM_PATH} + chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd # adapt tls ldif sed -i "s|{{ LDAP_TLS_CA_CRT_PATH }}|${LDAP_TLS_CA_CRT_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif diff --git a/test/test_helper.bash b/test/test_helper.bash old mode 100644 new mode 100755 From 4b471d9d9bc276fc3a1936b7f8c5aa3dbd911b97 Mon Sep 17 00:00:00 2001 From: "Eduardo F. Santos" Date: Thu, 21 Mar 2019 14:27:14 -0300 Subject: [PATCH 02/22] Fix identation and clse fi --- image/service/slapd/startup.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh index 5dd5e3da..e3ec010c 100755 --- a/image/service/slapd/startup.sh +++ b/image/service/slapd/startup.sh 
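Review bot: `chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}` in the `@@ -202` hunk (and `chmod 600 ${LDAP_TLS_DH_PARAM_PATH}` in the `@@ -306` hunk) is moved under the `DISABLE_CHOWN` guard, but a mode fix is not an ownership fix: with `DISABLE_CHOWN` set, a DH parameter file just written by `openssl dhparam` keeps its umask-default mode and may be world-readable. Keep the chmod unconditional and guard only the chown, i.e. leave `chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}` before `if [ -z "$DISABLE_CHOWN" ]; then`. The `if` opened in the `@@ -306` hunk also has no matching `fi` inside the hunk. Unrelated to this change, the context line above tests `${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}` but writes `${LDAP_TLS_DH_PARAM_PATH}`, which looks like a pre-existing mismatch worth a follow-up. Both enclosing blocks start and end outside the hunks.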
@@ -16,9 +16,10 @@ ulimit -n $LDAP_NOFILE
 # fix file permissions
 if [ -z "$DISABLE_CHOWN" ]; then
- chown -R openldap:openldap /var/lib/ldap
- chown -R openldap:openldap /etc/ldap
- chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
+ chown -R openldap:openldap /var/lib/ldap
+ chown -R openldap:openldap /etc/ldap
+ chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
+fi
 FIRST_START_DONE="${CONTAINER_STATE_DIR}/slapd-first-start-done"
 WAS_STARTED_WITH_TLS="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls"
From 9aec10a02f4fb9ec205295f4f5eeb852c48f74e6 Mon Sep 17 00:00:00 2001
From: "Eduardo F. Santos"
Date: Thu, 21 Mar 2019 14:53:53 -0300
Subject: [PATCH 03/22] Update missing fi
---
 image/service/slapd/startup.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh
index e3ec010c..16be005a 100755
--- a/image/service/slapd/startup.sh
+++ b/image/service/slapd/startup.sh
@@ -129,6 +129,7 @@ EOF
 if [ -z "$DISABLE_CHOWN" ]; then
 chown -R openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema
+ fi
 fi
 rm ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema/rfc2307bis.*
@@ -208,6 +209,7 @@ EOF
 if [ -z "$DISABLE_CHOWN" ]; then
 chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}
 chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH
+ fi
 fi
 # start OpenLDAP
@@ -315,6 +317,7 @@ EOF
 if [ -z "$DISABLE_CHOWN" ]; then
 chmod 600 ${LDAP_TLS_DH_PARAM_PATH}
 chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
+ fi
 # adapt tls ldif
 sed -i "s|{{ LDAP_TLS_CA_CRT_PATH }}|${LDAP_TLS_CA_CRT_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
From d56054234a4382aa754e2b706efdd89c2438ad21 Mon Sep 17 00:00:00 2001
From: anagno
Date: Fri, 31 May 2019 21:50:58 +0200
Subject: [PATCH 04/22] Adding the possibility of reading environmental variables from files
An alternative to passing sensitive information via environmental variables is the use of the docker secrets. For that reason if a variable is appendend with _FILE now it will be read from a file instead.
---
 README.md | 12 ++++++++++++
 image/service/slapd/startup.sh | 29 +++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
diff --git a/README.md b/README.md
index db271283..19d99d74 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,7 @@ Latest release: 1.2.4 - OpenLDAP 2.4.47 - [Changelog](CHANGELOG.md) | [Docker H
 - [Set your own environment variables](#set-your-own-environment-variables)
 - [Use command line argument](#use-command-line-argument)
 - [Link environment file](#link-environment-file)
+ - [Docker Secrets](#docker-secrets)
 - [Make your own image or extend this image](#make-your-own-image-or-extend-this-image)
 - [Advanced User Guide](#advanced-user-guide)
 - [Extend osixia/openldap:1.2.4 image](#extend-osixiaopenldap124-image)
@@ -366,6 +367,17 @@ Note: the container will try to delete the **\*.startup.yaml** file after the en docker run --volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \ --detach osixia/openldap:1.2.4 +#### Docker Secrets + +As an alternative to passing sensitive information via environmental variables, _FILE may be appended to the listed variables, causing +the startup.sh script to load the values for those values from files presented in the container. This is particular usefull for loading +passwords using the [Docker secrets](https://docs.docker.com/engine/swarm/secrets/) mechanism. For example: + + docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \ + --env LDAP_ADMIN_PASSWORD_FILE=/run/secrets/authentication_admin_pw --detach osixia/openldap:1.2.4 + +Currently this is only supported for LDAP_ADMIN_PASSWORD, LDAP_CONFIG_PASSWORD, LDAP_READONLY_USER_PASSWORD + #### Make your own image or extend this image This is the best solution if you have a private registry. Please refer to the [Advanced User Guide](#advanced-user-guide) just below. diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh index 75aa7b7e..53d05ab6 100755 --- a/image/service/slapd/startup.sh +++ b/image/service/slapd/startup.sh 
@@ -10,6 +10,34 @@ log-helper level eq trace && set -x
 # see https://github.com/docker/docker/issues/8231
 ulimit -n $LDAP_NOFILE
+
+# usage: file_env VAR
+# ie: file_env 'XYZ_DB_PASSWORD'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+
+ # The variables are already defined from the docker-light-baseimage
+ # So if the _FILE variable is available we ovewrite them
+ if [ "${!fileVar:-}" ]; then
+ log-helper trace "${fileVar} was defined"
+
+ val="$(< "${!fileVar}")"
+ log-helper debug "${var} was repalced with the contents of ${fileVar} (the value was: ${val})"
+
+ export "$var"="$val"
+ fi
+
+ unset "$fileVar"
+}
+
+
+file_env 'LDAP_ADMIN_PASSWORD'
+file_env 'LDAP_CONFIG_PASSWORD'
+file_env 'LDAP_READONLY_USER_PASSWORD'
+
 # create dir if they not already exists
 [ -d /var/lib/ldap ] || mkdir -p /var/lib/ldap
 [ -d /etc/ldap/slapd.d ] || mkdir -p /etc/ldap/slapd.d
@@ -65,6 +93,7 @@ if [ ! -e "$FIRST_START_DONE" ]; then
 function ldap_add_or_modify (){
 local LDIF_FILE=$1
+ log-helper debug "Processing file ${LDIF_FILE}"
 sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" $LDIF_FILE
 sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" $LDIF_FILE
From c2fae4264b1170f9e707ce01ba852cd616144c9e Mon Sep 17 00:00:00 2001
From: anagno
Date: Sat, 1 Jun 2019 20:59:22 +0200
Subject: [PATCH 05/22] Adding a UT for testing the parsing of the environmental variables from files
---
 test/test.bats | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/test/test.bats b/test/test.bats
index cf1073b0..6640aa60 100644
--- a/test/test.bats
+++ b/test/test.bats
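Review bot: `log-helper debug "${var} was repalced with the contents of ${fileVar} (the value was: ${val})"` writes the secret it just read from the file into the debug log, which undoes the reason for loading passwords from a secrets file instead of the environment; drop the value from the message, e.g. `log-helper debug "${var} was replaced with the contents of ${fileVar}"`. `val` is assigned without `local`, so it survives as a global holding the password after `file_env` returns; declare `local val` first and keep the assignment on its own line so a failed read is not masked. A missing or unreadable `${!fileVar}` currently appears to leave `$var` exported as an empty string; testing `[ -r "${!fileVar}" ]` and failing loudly is safer for a credential. Typos in the comments and log text: "repalced", "ovewrite".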
@@ -38,6 +38,21 @@ load test_helper
 }
+@test "ldapsearch database with password provided from file" {
+
+ rm $PWD/password.txt && touch $PWD/password.txt
+ echo "strongPassword" >> $PWD/password.txt
+
+ run_image -h ldap.osixia.net -e LDAP_ADMIN_PASSWORD_FILE=/run/secrets/admin_pw.txt --volume $PWD/password.txt:/run/secrets/admin_pw.txt
+ wait_process slapd
+ run docker exec $CONTAINER_ID ldapsearch -x -h ldap.osixia.net -b dc=example,dc=org -ZZ -D "cn=admin,dc=example,dc=org" -w strongPassword
+ clear_container
+ rm $PWD/password.txt
+
+ [ "$status" -eq 0 ]
+}
+
+
 @test "ldapsearch new database with strict TLS" {
 run_image -h ldap.example.org
From c6214fed3458499500f24cb0b54c261afa30ca4f Mon Sep 17 00:00:00 2001
From: Zdenko Turcan
Date: Sat, 8 Jun 2019 00:45:08 +1000
Subject: [PATCH 06/22] fix of incorrectly positioned 'log-helper debug' command that was clearing exit codes of ldapmodify and ldapadd commands
---
 image/service/slapd/startup.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh
index 75aa7b7e..f73a5c8d 100755
--- a/image/service/slapd/startup.sh
+++ b/image/service/slapd/startup.sh
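Review bot: `rm $PWD/password.txt && touch $PWD/password.txt` fails on a clean checkout where the file does not exist yet, and the `&&` then skips `touch`, so the file is only created by the `>>` append on the next line. One line, `printf '%s\n' strongPassword > "$PWD/password.txt"`, replaces both and is idempotent. The file is also left behind whenever `run_image` or `wait_process` aborts before the trailing `rm`; an `rm -f` in a teardown would avoid leaking a plaintext password file into the working tree. Mounting it read-only, `--volume $PWD/password.txt:/run/secrets/admin_pw.txt:ro`, matches how Docker presents secrets and is what the test is meant to exercise.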
@@ -74,9 +74,9 @@ if [ ! -e "$FIRST_START_DONE" ]; then
 sed -i "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED}|g" $LDIF_FILE
 fi
 if grep -iq changetype $LDIF_FILE ; then
- ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 | log-helper debug || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 | log-helper debug
+ ( ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 ) | log-helper debug
 else
- ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE |& log-helper debug || ldapadd -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 | log-helper debug
+ ( ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 || ldapadd -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 ) | log-helper debug
 fi
 }
From 6e83d20b1871940d5648de6647e510c8fd792399 Mon Sep 17 00:00:00 2001
From: Bertrand Gouny
Date: Mon, 10 Jun 2019 12:21:41 +0200
Subject: [PATCH 07/22] [twgit] Init hotfix 'hotfix-1.2.5'.
From 2b4bd3be714cba9cd67e06b74eeb3dd75677bc1d Mon Sep 17 00:00:00 2001
From: Bertrand Gouny
Date: Mon, 10 Jun 2019 12:23:59 +0200
Subject: [PATCH 08/22] v1.2.5-dev
---
 Makefile | 2 +-
 README.md | 44 +++++++++----------
 example/docker-compose.yml | 2 +-
 example/extend-osixia-openldap/Dockerfile | 2 +-
 .../kubernetes/simple/ldap-deployment.yaml | 2 +-
 .../using-secrets/gce-statefullset.yaml | 2 +-
 .../using-secrets/ldap-deployment.yaml | 2 +-
 7 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/Makefile b/Makefile
index 340ca134..a4ff102d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 NAME = osixia/openldap
-VERSION = 1.2.4
+VERSION = 1.2.5-dev
 .PHONY: build build-nocache test tag-latest push push-latest release git-tag-version
diff --git a/README.md b/README.md
index c261cda8..5f398d6f 100644
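Review bot: The rewritten `( ldapmodify … || ldapmodify … ) | log-helper debug` still yields the exit status of `log-helper debug`, not of the subshell, unless `set -o pipefail` is in effect earlier in startup.sh (not visible in this hunk); if it is not, the status the commit message wants to preserve is still masked by the logger. Either enable pipefail around these calls or read `${PIPESTATUS[0]}` immediately after the pipeline and return it. The fallback bind also passes `-w "$LDAP_ADMIN_PASSWORD"` on the command line, where it is visible in the container's process list for the duration of the call (pre-existing, kept by this change); `-y <password-file>` would keep it out of argv. The enclosing `ldap_add_or_modify` function starts outside the hunk.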
--- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ ![Docker Stars](https://img.shields.io/docker/stars/osixia/openldap.svg) ![](https://images.microbadger.com/badges/image/osixia/openldap.svg) -Latest release: 1.2.4 - OpenLDAP 2.4.47 - [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/)  +Latest release: 1.2.5-dev - OpenLDAP 2.4.47 - [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/)  **A docker image to run OpenLDAP.** @@ -37,7 +37,7 @@ Latest release: 1.2.4 - OpenLDAP 2.4.47 - [Changelog](CHANGELOG.md) | [Docker H - [Link environment file](#link-environment-file) - [Make your own image or extend this image](#make-your-own-image-or-extend-this-image) - [Advanced User Guide](#advanced-user-guide) - - [Extend osixia/openldap:1.2.4 image](#extend-osixiaopenldap124-image) + - [Extend osixia/openldap:1.2.5-dev image](#extend-osixiaopenldap125-dev-image) - [Make your own openldap image](#make-your-own-openldap-image) - [Tests](#tests) - [Kubernetes](#kubernetes) @@ -57,11 +57,11 @@ If you find this image useful here's how you can help: ## Quick Start Run OpenLDAP docker image: - docker run --name my-openldap-container --detach osixia/openldap:1.2.4 + docker run --name my-openldap-container --detach osixia/openldap:1.2.5-dev Do not forget to add the port mapping for both port 389 and 636 if you wish to access the ldap server from another machine. - docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.2.4 + docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.2.5-dev Either command starts a new container with OpenLDAP running inside. Let's make the first search in our LDAP container: 
@@ -97,7 +97,7 @@ It will create an empty ldap for the company **Example Inc.** and the domain **e By default the admin has the password **admin**. All those default settings can be changed at the docker command line, for example: docker run --env LDAP_ORGANISATION="My Company" --env LDAP_DOMAIN="my-company.com" \ - --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.4 + --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.5-dev #### Data persistence @@ -148,12 +148,12 @@ argument to entrypoint if you don't want to overwrite them. # single file example: docker run \ --volume ./bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif \ - osixia/openldap:1.2.4 --copy-service + osixia/openldap:1.2.5-dev --copy-service #directory example: docker run \ --volume ./ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom \ - osixia/openldap:1.2.4 --copy-service + osixia/openldap:1.2.5-dev --copy-service ### Use an existing ldap database @@ -164,7 +164,7 @@ simply mount this directories as a volume to `/var/lib/ldap` and `/etc/ldap/slap docker run --volume /data/slapd/database:/var/lib/ldap \ --volume /data/slapd/config:/etc/ldap/slapd.d \ - --detach osixia/openldap:1.2.4 + --detach osixia/openldap:1.2.5-dev You can also use data volume containers. Please refer to: > [https://docs.docker.com/engine/tutorials/dockervolumes/](https://docs.docker.com/engine/tutorials/dockervolumes/) @@ -184,7 +184,7 @@ If you are looking for a simple solution to administrate your ldap server you ca #### Use auto-generated certificate By default, TLS is already configured and enabled, certificate is created using container hostname (it can be set by docker run --hostname option eg: ldap.example.org). - docker run --hostname ldap.my-company.com --detach osixia/openldap:1.2.4 + docker run --hostname ldap.my-company.com --detach osixia/openldap:1.2.5-dev #### Use your own certificate 
@@ -194,24 +194,24 @@ You can set your custom certificate at run time, by mounting a directory contain --env LDAP_TLS_CRT_FILENAME=my-ldap.crt \ --env LDAP_TLS_KEY_FILENAME=my-ldap.key \ --env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \ - --detach osixia/openldap:1.2.4 + --detach osixia/openldap:1.2.5-dev Other solutions are available please refer to the [Advanced User Guide](#advanced-user-guide) #### Disable TLS Add --env LDAP_TLS=false to the run command: - docker run --env LDAP_TLS=false --detach osixia/openldap:1.2.4 + docker run --env LDAP_TLS=false --detach osixia/openldap:1.2.5-dev ### Multi master replication Quick example, with the default config. #Create the first ldap server, save the container id in LDAP_CID and get its IP: - LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.4) + LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.5-dev) LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID) #Create the second ldap server, save the container id in LDAP2_CID and get its IP: - LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.4) + LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.5-dev) LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID) #Add the pair "ip hostname" to /etc/hosts on each containers, @@ -247,7 +247,7 @@ You may have some problems with mounted files on some systems. The startup scrip To fix that run the container with `--copy-service` argument : - docker run [your options] osixia/openldap:1.2.4 --copy-service + docker run [your options] osixia/openldap:1.2.5-dev --copy-service ### Debug 
@@ -256,11 +256,11 @@ Available levels are: `none`, `error`, `warning`, `info`, `debug` and `trace`. Example command to run the container in `debug` mode: - docker run --detach osixia/openldap:1.2.4 --loglevel debug + docker run --detach osixia/openldap:1.2.5-dev --loglevel debug See all command line options: - docker run osixia/openldap:1.2.4 --help + docker run osixia/openldap:1.2.5-dev --help ## Environment Variables @@ -326,7 +326,7 @@ Replication options: If you want to set this variable at docker run command add the tag `#PYTHON2BASH:` and convert the yaml in python: - docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.2.4 + docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.2.5-dev To convert yaml to python online: http://yaml-online-parser.appspot.com/ @@ -346,7 +346,7 @@ Other environment variables: Environment variables can be set by adding the --env argument in the command line, for example: docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \ - --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.4 + --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.5-dev Be aware that environment variable added in command line will be available at any time in the container. In this example if someone manage to open a terminal in this container 
@@ -357,14 +357,14 @@ he will be able to read the admin password in clear text from environment variab For example if your environment files **my-env.yaml** and **my-env.startup.yaml** are in /data/ldap/environment docker run --volume /data/ldap/environment:/container/environment/01-custom \ - --detach osixia/openldap:1.2.4 + --detach osixia/openldap:1.2.5-dev Take care to link your environment files folder to `/container/environment/XX-somedir` (with XX < 99 so they will be processed before default environment files) and not directly to `/container/environment` because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE). Note: the container will try to delete the **\*.startup.yaml** file after the end of startup files so the file will also be deleted on the docker host. To prevent that : use --volume /data/ldap/environment:/container/environment/01-custom**:ro** or set all variables in **\*.yaml** file and don't use **\*.startup.yaml**: docker run --volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \ - --detach osixia/openldap:1.2.4 + --detach osixia/openldap:1.2.5-dev #### Make your own image or extend this image @@ -372,13 +372,13 @@ This is the best solution if you have a private registry. Please refer to the [A ## Advanced User Guide -### Extend osixia/openldap:1.2.4 image +### Extend osixia/openldap:1.2.5-dev image If you need to add your custom TLS certificate, bootstrap config or environment files the easiest way is to extends this image. Dockerfile example: - FROM osixia/openldap:1.2.4 + FROM osixia/openldap:1.2.5-dev MAINTAINER Your Name ADD bootstrap /container/service/slapd/assets/config/bootstrap diff --git a/example/docker-compose.yml b/example/docker-compose.yml index ba646e75..9008b553 100644 --- a/example/docker-compose.yml +++ b/example/docker-compose.yml 
@@ -1,7 +1,7 @@ version: '2' services: openldap: - image: osixia/openldap:1.2.4 + image: osixia/openldap:1.2.5-dev container_name: openldap environment: LDAP_LOG_LEVEL: "256" diff --git a/example/extend-osixia-openldap/Dockerfile b/example/extend-osixia-openldap/Dockerfile index 645a8f73..7d08ae65 100644 --- a/example/extend-osixia-openldap/Dockerfile +++ b/example/extend-osixia-openldap/Dockerfile @@ -1,4 +1,4 @@ -FROM osixia/openldap:1.2.4 +FROM osixia/openldap:1.2.5-dev MAINTAINER Your Name ADD bootstrap /container/service/slapd/assets/config/bootstrap diff --git a/example/kubernetes/simple/ldap-deployment.yaml b/example/kubernetes/simple/ldap-deployment.yaml index 116735e0..64052883 100644 --- a/example/kubernetes/simple/ldap-deployment.yaml +++ b/example/kubernetes/simple/ldap-deployment.yaml @@ -13,7 +13,7 @@ spec: spec: containers: - name: ldap - image: osixia/openldap:1.2.4 + image: osixia/openldap:1.2.5-dev volumeMounts: - name: ldap-data mountPath: /var/lib/ldap diff --git a/example/kubernetes/using-secrets/gce-statefullset.yaml b/example/kubernetes/using-secrets/gce-statefullset.yaml index 78e43c4c..51c66d6e 100644 --- a/example/kubernetes/using-secrets/gce-statefullset.yaml +++ b/example/kubernetes/using-secrets/gce-statefullset.yaml @@ -12,7 +12,7 @@ spec: spec: containers: - name: azaldap - image: osixia/openldap:1.2.4 + image: osixia/openldap:1.2.5-dev imagePullPolicy: IfNotPresent #command: ["/bin/bash","-c","while [ 1 = 1 ] ; do sleep 1; date; done"] ports: diff --git a/example/kubernetes/using-secrets/ldap-deployment.yaml b/example/kubernetes/using-secrets/ldap-deployment.yaml index 9783b95e..8fb58c8d 100644 --- a/example/kubernetes/using-secrets/ldap-deployment.yaml +++ b/example/kubernetes/using-secrets/ldap-deployment.yaml @@ -13,7 +13,7 @@ spec: spec: containers: - name: ldap - image: osixia/openldap:1.2.4 + image: osixia/openldap:1.2.5-dev args: ["--copy-service"] volumeMounts: - name: ldap-data 
From a2ae1b599f975b782415d9ec641de701d499fce1 Mon Sep 17 00:00:00 2001
From: Bertrand Gouny
Date: Mon, 10 Jun 2019 12:30:08 +0200
Subject: [PATCH 09/22] Fix of incorrectly positioned 'log-helper debug' command #327
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e0c2a69d..50815777 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+## [1.2.5] - Unreleased
+### Fixed
+ - Fix of incorrectly positioned 'log-helper debug' command #327. Thanks to @turcan !
+
 ## [1.2.4] - 2019-03-14
 ### Fixed
 - Excessive RAM usage on 1.2.2, increased 10x from 1.2.1 #242
From bde6813013cc6f0bd58ef56e8d1f295f0863384c Mon Sep 17 00:00:00 2001
From: Bertrand Gouny
Date: Mon, 10 Jun 2019 12:32:57 +0200
Subject: [PATCH 10/22] Support for docker secrets #325
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 50815777..e37da0fc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 ## [1.2.5] - Unreleased
+## Added
+ - Support for docker secrets #325. Thanks to @anagno !
+
 ### Fixed
 - Fix of incorrectly positioned 'log-helper debug' command #327. Thanks to @turcan !
From 86b83760c8bbcaf1f30e4aa64cfd6e7678468d9c Mon Sep 17 00:00:00 2001
From: Bertrand Gouny
Date: Sun, 7 Jul 2019 22:37:00 +0200
Subject: [PATCH 11/22] Add DISABLE_CHOWN environment variable #240
---
 CHANGELOG.md | 1 +
 README.md | 69 +++++++++++++++++-----------------
 image/environment/default.yaml | 5 ++-
 image/service/slapd/startup.sh | 8 ++--
 4 files changed, 44 insertions(+), 39 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e37da0fc..3c5122d1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [1.2.5] - Unreleased
 ## Added
 - Support for docker secrets #325. Thanks to @anagno !
+ - Add DISABLE_CHOWN environment variable #240
 ### Fixed
 - Fix of incorrectly positioned 'log-helper debug' command #327. Thanks to @turcan !
diff --git a/README.md b/README.md
index 71b7afbc..2f534fce 100644
--- a/README.md
+++ b/README.md
@@ -12,40 +12,40 @@ Latest release: 1.2.5-dev - OpenLDAP 2.4.47 - [Changelog](CHANGELOG.md) | [Dock - [osixia/openldap](#osixiaopenldap) - - [Contributing](#contributing) - - [Quick Start](#quick-start) - - [Beginner Guide](#beginner-guide) - - [Create new ldap server](#create-new-ldap-server) - - [Data persistence](#data-persistence) - - [Edit your server configuration](#edit-your-server-configuration) - - [Seed ldap database with ldif](#seed-ldap-database-with-ldif) - - [Use an existing ldap database](#use-an-existing-ldap-database) - - [Backup](#backup) - - [Administrate your ldap server](#administrate-your-ldap-server) - - [TLS](#tls) - - [Use auto-generated certificate](#use-auto-generated-certificate) - - [Use your own certificate](#use-your-own-certificate) - - [Disable TLS](#disable-tls) - - [Multi master replication](#multi-master-replication) - - [Fix docker mounted file problems](#fix-docker-mounted-file-problems) - - [Debug](#debug) - - [Environment Variables](#environment-variables) - - [Default.yaml](#defaultyaml) - - [Default.startup.yaml](#defaultstartupyaml) - - [Set your own environment variables](#set-your-own-environment-variables) - - [Use command line argument](#use-command-line-argument) - - [Link environment file](#link-environment-file) - - [Docker Secrets](#docker-secrets) - - [Make your own image or extend this image](#make-your-own-image-or-extend-this-image) - - [Advanced User Guide](#advanced-user-guide) - - [Extend osixia/openldap:1.2.5-dev image](#extend-osixiaopenldap125-dev-image) - - [Make your own openldap image](#make-your-own-openldap-image) - - [Tests](#tests) - - [Kubernetes](#kubernetes) - - [Under the hood: osixia/light-baseimage](#under-the-hood-osixialight-baseimage) - - [Security](#security) - - [Known security issues](#known-security-issues) - - [Changelog](#changelog) + - [Contributing](#Contributing) + - [Quick Start](#Quick-Start) + - [Beginner Guide](#Beginner-Guide) + - [Create new ldap 
server](#Create-new-ldap-server) + - [Data persistence](#Data-persistence) + - [Edit your server configuration](#Edit-your-server-configuration) + - [Seed ldap database with ldif](#Seed-ldap-database-with-ldif) + - [Use an existing ldap database](#Use-an-existing-ldap-database) + - [Backup](#Backup) + - [Administrate your ldap server](#Administrate-your-ldap-server) + - [TLS](#TLS) + - [Use auto-generated certificate](#Use-auto-generated-certificate) + - [Use your own certificate](#Use-your-own-certificate) + - [Disable TLS](#Disable-TLS) + - [Multi master replication](#Multi-master-replication) + - [Fix docker mounted file problems](#Fix-docker-mounted-file-problems) + - [Debug](#Debug) + - [Environment Variables](#Environment-Variables) + - [Default.yaml](#Defaultyaml) + - [Default.startup.yaml](#Defaultstartupyaml) + - [Set your own environment variables](#Set-your-own-environment-variables) + - [Use command line argument](#Use-command-line-argument) + - [Link environment file](#Link-environment-file) + - [Docker Secrets](#Docker-Secrets) + - [Make your own image or extend this image](#Make-your-own-image-or-extend-this-image) + - [Advanced User Guide](#Advanced-User-Guide) + - [Extend osixia/openldap:1.2.5-dev image](#Extend-osixiaopenldap125-dev-image) + - [Make your own openldap image](#Make-your-own-openldap-image) + - [Tests](#Tests) + - [Kubernetes](#Kubernetes) + - [Under the hood: osixia/light-baseimage](#Under-the-hood-osixialight-baseimage) + - [Security](#Security) + - [Known security issues](#Known-security-issues) + - [Changelog](#Changelog) ## Contributing 
@@ -339,6 +339,7 @@ Other environment variables:
 - **LDAP_REMOVE_CONFIG_AFTER_SETUP**: delete config folder after setup. Defaults to `true`
 - **LDAP_SSL_HELPER_PREFIX**: ssl-helper environment variables prefix. Defaults to `ldap`, ssl-helper first search config from LDAP_SSL_HELPER_* variables, before SSL_HELPER_* variables.
 - **HOSTNAME**: set the hostname of the running openldap server. Defaults to whatever docker creates.
+- **DISABLE_CHOWN**: do not perform any chown to fix file ownership. Defaults to `false`
 ### Set your own environment variables
diff --git a/image/environment/default.yaml b/image/environment/default.yaml
index 74a88fbf..0eb9b716 100644
--- a/image/environment/default.yaml
+++ b/image/environment/default.yaml
@@ -10,4 +10,7 @@ LDAP_LOG_LEVEL: 256
 # Ulimit
-LDAP_NOFILE: 1024
\ No newline at end of file
+LDAP_NOFILE: 1024
+
+# Do not perform any chown to fix file ownership
+DISABLE_CHOWN: false
\ No newline at end of file
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh
index 9fde4708..dcebb5a7 100755
--- a/image/service/slapd/startup.sh
+++ b/image/service/slapd/startup.sh
@@ -43,7 +43,7 @@ file_env 'LDAP_READONLY_USER_PASSWORD'
 [ -d /etc/ldap/slapd.d ] || mkdir -p /etc/ldap/slapd.d
 # fix file permissions
-if [ -z "$DISABLE_CHOWN" ]; then
+if [ "${DISABLE_CHOWN,,}" == "true" ]; then
 chown -R openldap:openldap /var/lib/ldap
 chown -R openldap:openldap /etc/ldap
 chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
@@ -158,7 +158,7 @@ EOF
 mv /tmp/schema/cn=config/cn=schema/* /etc/ldap/slapd.d/cn=config/cn=schema
 rm -r /tmp/schema
- if [ -z "$DISABLE_CHOWN" ]; then
+ if [ "${DISABLE_CHOWN,,}" == "true" ]; then
 chown -R openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema
 fi
 fi
@@ -237,7 +237,7 @@ EOF ssl-helper $LDAP_SSL_HELPER_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH [ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048 - if [ -z "$DISABLE_CHOWN" ]; then + if [ "${DISABLE_CHOWN,,}" == "true" ]; then chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH fi @@ -345,7 +345,7 @@ EOF [ -f ${LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048 # fix file permissions - if [ -z "$DISABLE_CHOWN" ]; then + if [ "${DISABLE_CHOWN,,}" == "true" ]; then chmod 600 ${LDAP_TLS_DH_PARAM_PATH} chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd fi From 25177f45e835dae568631ca31e2fe7c8e04bffcb Mon Sep 17 00:00:00 2001 From: anagno Date: Tue, 9 Jul 2019 18:22:05 +0200 Subject: [PATCH 12/22] Updating the reference to the bats automated testing system --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2f534fce..387949c0 100644 --- a/README.md +++ b/README.md @@ -433,7 +433,7 @@ Run your image: We use **Bats** (Bash Automated Testing System) to test this image: -> [https://github.com/sstephenson/bats](https://github.com/sstephenson/bats) +> [https://github.com/bats-core/bats-core](https://github.com/bats-core/bats-core) Install Bats, and in this project directory run: From ea6f2e446c4247517e93748aab1977b87ee1e2d7 Mon Sep 17 00:00:00 2001 From: anagno Date: Fri, 12 Jul 2019 00:26:31 +0200 Subject: [PATCH 13/22] Changing the DISABLE_CHOWN comparison because the UT were failing By mistake the "${DISABLE_CHOWN,,}" was compared to true, which means that if we wanted to disable the change of the permissions we had to set the variable to false. --- image/service/slapd/startup.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh index dcebb5a7..35e9f1cd 100755 --- a/image/service/slapd/startup.sh +++ b/image/service/slapd/startup.sh @@ -43,7 +43,7 @@ file_env 'LDAP_READONLY_USER_PASSWORD' [ -d /etc/ldap/slapd.d ] || mkdir -p /etc/ldap/slapd.d # fix file permissions -if [ "${DISABLE_CHOWN,,}" == "true" ]; then +if [ "${DISABLE_CHOWN,,}" == "false" ]; then chown -R openldap:openldap /var/lib/ldap chown -R openldap:openldap /etc/ldap chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd @@ -158,7 +158,7 @@ EOF mv /tmp/schema/cn=config/cn=schema/* /etc/ldap/slapd.d/cn=config/cn=schema rm -r /tmp/schema - if [ "${DISABLE_CHOWN,,}" == "true" ]; then + if [ "${DISABLE_CHOWN,,}" == "false" ]; then chown -R openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema fi fi @@ -237,7 +237,7 @@ EOF ssl-helper $LDAP_SSL_HELPER_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH [ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048 - if [ "${DISABLE_CHOWN,,}" == "true" ]; then + if [ "${DISABLE_CHOWN,,}" == "false" ]; then chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH fi @@ -345,7 +345,7 @@ EOF [ -f ${LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048 # fix file permissions - if [ "${DISABLE_CHOWN,,}" == "true" ]; then + if [ "${DISABLE_CHOWN,,}" == "false" ]; then chmod 600 ${LDAP_TLS_DH_PARAM_PATH} chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd fi From 937a4208e66a463829af6711f436fe8179248880 Mon Sep 17 00:00:00 2001 
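Review bot: `if [ "${DISABLE_CHOWN,,}" == "false" ]; then` skips the chown whenever the variable is unset, empty or anything other than the literal `false` (`no`, `0`, a typo), so an environment file that predates DISABLE_CHOWN, or a run that simply omits it, silently loses the ownership fix; the same pattern is repeated in the hunks at `@@ -158,7`, `@@ -237,7` and `@@ -345,7`. Treating only an explicit opt-in as disabling keeps the previous default safe: `if [ "${DISABLE_CHOWN,,}" != "true" ]; then`. If the YAML loader exports Python's `False`, the `,,` lowering already handles that spelling.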
From: Olivier Bourdon Date: Mon, 29 Jul 2019 06:56:37 +0200 Subject: [PATCH 14/22] Add extra environment args to docker test container By setting EXTRA_DOCKER_RUN_FLAGS, for example to --loglevel debug the user will be able to debug tests for failure analyzis --- test/test_helper.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/test_helper.bash b/test/test_helper.bash index 45df68ca..cc6bcdb5 100644 --- a/test/test_helper.bash +++ b/test/test_helper.bash @@ -9,7 +9,7 @@ build_image() { } run_image() { - CONTAINER_ID=$(docker run $@ -d $IMAGE_NAME --copy-service -c "/container/service/slapd/test.sh") + CONTAINER_ID=$(docker run $@ -d $IMAGE_NAME --copy-service -c "/container/service/slapd/test.sh" $EXTRA_DOCKER_RUN_FLAGS) CONTAINER_IP=$(get_container_ip_by_cid $CONTAINER_ID) } From 243b3fb333bba8b796e3848753ac5a27931741d6 Mon Sep 17 00:00:00 2001 From: Olivier Bourdon Date: Mon, 29 Jul 2019 08:18:25 +0200 Subject: [PATCH 15/22] Cleanup docker container list This cleans up the list of container which have be run for tests completely. --- test/test.bats | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/test.bats b/test/test.bats index cf1073b0..d2e6fe14 100644 --- a/test/test.bats +++ b/test/test.bats 
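Review bot: In `run_image`, `$EXTRA_DOCKER_RUN_FLAGS` is appended after `$IMAGE_NAME`, so its contents reach the image's entrypoint (which is what the `--loglevel debug` example in the commit message needs) and not `docker run` itself; the variable name says the opposite and will mislead whoever next tries to pass `-e` or `--volume` through it. A one-line comment above the assignment would settle it: `# EXTRA_DOCKER_RUN_FLAGS is passed to the container entrypoint (after the image name); docker run options go through "$@"`. On the same line `$@` is still unquoted; `"$@"` keeps an argument containing spaces intact through word splitting.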
@@ -26,13 +26,17 @@ load test_helper wait_process_by_cid $LDAP_CID slapd run docker exec $LDAP_CID ldapsearch -x -h ldap.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin docker kill $LDAP_CID + clear_containers_by_cid $LDAP_CID + [ "$status" -eq 0 ] + LDAP_CID=$(docker run -h ldap.example.org -e LDAP_TLS=false --volume $PWD/VOLUMES/database:/var/lib/ldap --volume $PWD/VOLUMES/config:/etc/ldap/slapd.d -d $NAME:$VERSION) wait_process_by_cid $LDAP_CID slapd run docker exec $LDAP_CID ldapsearch -x -h ldap.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin run docker exec $LDAP_CID chown -R $UID:$UID /var/lib/ldap /etc/ldap/slapd.d docker kill $LDAP_CID rm -rf VOLUMES + clear_containers_by_cid $LDAP_CID [ "$status" -eq 0 ] From ca45bbf58f7753b94d2537517edf6ba9ef29e657 Mon Sep 17 00:00:00 2001 From: Olivier Bourdon Date: Mon, 29 Jul 2019 08:19:53 +0200 Subject: [PATCH 16/22] Add stronger test for LDAP_DOMAIN and LDAP_BASE_DN This will check the perfect match between values given by user in LDAP_DOMAIN and LDAP_BASE_DN and make the container run fail if they do not match Test added to check this enforcement --- image/service/slapd/startup.sh | 7 ++++++- test/test.bats | 13 +++++++++++++ test/test_helper.bash | 6 ++++++ 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh index 75aa7b7e..affc2e83 100755 --- a/image/service/slapd/startup.sh +++ b/image/service/slapd/startup.sh 
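Review bot: The added `[ "$status" -eq 0 ]` after the first `docker kill` reads `$status`, which bats sets only from the preceding `run docker exec … ldapsearch`, so the assertion is about the search and not about `clear_containers_by_cid`; if that helper uses `run` internally (it is not in this hunk, so I cannot tell) the assertion would silently start checking the cleanup instead. Capturing the value right after the `run` line, `search_status=$status`, and asserting on `"$search_status"` after cleanup makes the intent unambiguous. `$LDAP_CID` is unquoted on both new lines; `"$LDAP_CID"` is the safer form even in tests.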
@@ -51,7 +51,12 @@ if [ ! -e "$FIRST_START_DONE" ]; then LDAP_BASE_DN=${LDAP_BASE_DN::-1} fi - + # Check that LDAP_BASE_DN and LDAP_DOMAIN are in sync + domain_from_base_dn=$(echo $LDAP_BASE_DN | tr ',' '\n' | sed -e 's/^.*=//' | tr '\n' '.' | sed -e 's/\.$//') + if [ "$domain_from_base_dn" != "$LDAP_DOMAIN" ]; then + log-helper error "Error: domain $domain_from_base_dn derived from LDAP_BASE_DN $LDAP_BASE_DN does not match LDAP_DOMAIN $LDAP_DOMAIN" + exit 1 + fi } function is_new_schema() { diff --git a/test/test.bats b/test/test.bats index d2e6fe14..6826544d 100644 --- a/test/test.bats +++ b/test/test.bats @@ -19,6 +19,19 @@ load test_helper } +@test "ldap domain with ldap base dn" { + + run_image -h ldap.example.org -e LDAP_TLS=false -e LDAP_DOMAIN=example.com -e LDAP_BASE_DN="dc=example,dc=org" + + sleep 2 + + CSTATUS=$(check_container) + clear_container + + [ "$CSTATUS" != "running 0" ] + +} + @test "ldapsearch database from created volumes" { rm -rf VOLUMES && mkdir -p VOLUMES/config VOLUMES/database diff --git a/test/test_helper.bash b/test/test_helper.bash index cc6bcdb5..ebc317e2 100644 --- a/test/test_helper.bash +++ b/test/test_helper.bash @@ -34,6 +34,12 @@ wait_process() { wait_process_by_cid $CONTAINER_ID $@ } +check_container() { + # "Status" = "exited", and "ExitCode" != 0, + local CSTAT=$(docker inspect -f "{{ .State.Status }} {{ .State.ExitCode }}" $CONTAINER_ID) + echo "$CSTAT" +} + # generic functions get_container_ip_by_cid() { local IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $1) From b00902e13406ad5daad8fa20988ab0e37cc2f469 Mon Sep 17 00:00:00 2001 From: Olivier Bourdon Date: Mon, 29 Jul 2019 12:18:24 +0200 Subject: [PATCH 17/22] Allow support for subdomains Added 2 more test cases to enforce proper behaviour --- image/service/slapd/startup.sh | 3 ++- test/test.bats | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) 
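Review bot: The new comparison `[ "$domain_from_base_dn" != "$LDAP_DOMAIN" ]` is case-sensitive, while DNS names and LDAP DN attribute values both compare case-insensitively, so `LDAP_DOMAIN=Example.org` with `LDAP_BASE_DN=dc=example,dc=org` aborts the first start with the new error. Comparing the lowered forms avoids that: `if [ "${domain_from_base_dn,,}" != "${LDAP_DOMAIN,,}" ]; then` (this file already relies on `${VAR,,}` elsewhere). `echo $LDAP_BASE_DN` should also be `echo "$LDAP_BASE_DN"`, so the value is not subject to globbing and word splitting before it reaches `tr`. The enclosing function starts before this hunk.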
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh index affc2e83..c6d9d9bb 100755 --- a/image/service/slapd/startup.sh +++ b/image/service/slapd/startup.sh @@ -53,7 +53,8 @@ if [ ! -e "$FIRST_START_DONE" ]; then fi # Check that LDAP_BASE_DN and LDAP_DOMAIN are in sync domain_from_base_dn=$(echo $LDAP_BASE_DN | tr ',' '\n' | sed -e 's/^.*=//' | tr '\n' '.' | sed -e 's/\.$//') - if [ "$domain_from_base_dn" != "$LDAP_DOMAIN" ]; then + echo "$domain_from_base_dn" | egrep -q ".*$LDAP_DOMAIN\$" + if [ $? -ne 0 ]; then log-helper error "Error: domain $domain_from_base_dn derived from LDAP_BASE_DN $LDAP_BASE_DN does not match LDAP_DOMAIN $LDAP_DOMAIN" exit 1 fi diff --git a/test/test.bats b/test/test.bats index 6826544d..66ed5d16 100644 --- a/test/test.bats +++ b/test/test.bats @@ -32,6 +32,32 @@ load test_helper } +@test "ldap domain with ldap base dn subdomain" { + + run_image -h ldap.example.fr -e LDAP_TLS=false -e LDAP_DOMAIN=example.fr -e LDAP_BASE_DN="ou=myou,o=example,c=fr" + + sleep 2 + + CSTATUS=$(check_container) + clear_container + + [ "$CSTATUS" == "running 0" ] + +} + +@test "ldap domain with ldap base dn subdomain included" { + + run_image -h ldap.example.com -e LDAP_TLS=false -e LDAP_DOMAIN=example.com -e LDAP_BASE_DN="ou=myou,o=example,dc=com,c=fr" + + sleep 2 + + CSTATUS=$(check_container) + clear_container + + [ "$CSTATUS" != "running 0" ] + +} + @test "ldapsearch database from created volumes" { rm -rf VOLUMES && mkdir -p VOLUMES/config VOLUMES/database From afb920c147ae8d2988d6b2b38ed1ccf5e3a3e808 Mon Sep 17 00:00:00 2001 From: Olivier Bourdon Date: Mon, 29 Jul 2019 13:50:00 +0200 Subject: [PATCH 18/22] Prevent failure due to -e flag used Call get_ldap_base_dn to detect failure very early --- image/service/slapd/startup.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh index c6d9d9bb..0a56f0e3 100755 --- a/image/service/slapd/startup.sh 
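Review bot: `egrep -q ".*$LDAP_DOMAIN\$"` interpolates LDAP_DOMAIN into an extended regex, so every dot in the domain matches any character and the match is not anchored to a label boundary: `LDAP_DOMAIN=ample.com` passes against a base DN derived to `example.com`, and a derived `exampleXcom` passes against `example.com`. Because both sides are plain strings, a glob comparison gives exactly the two outcomes the new tests expect without a regex or an external process, and a test in an `if` condition is never subject to `set -e`: `if [[ "$domain_from_base_dn" != "$LDAP_DOMAIN" && "$domain_from_base_dn" != *".$LDAP_DOMAIN" ]]; then`, replacing both the `echo … | egrep` line and `if [ $? -ne 0 ]; then`. The enclosing function starts before this hunk.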
+++ b/image/service/slapd/startup.sh @@ -53,11 +53,13 @@ if [ ! -e "$FIRST_START_DONE" ]; then fi # Check that LDAP_BASE_DN and LDAP_DOMAIN are in sync domain_from_base_dn=$(echo $LDAP_BASE_DN | tr ',' '\n' | sed -e 's/^.*=//' | tr '\n' '.' | sed -e 's/\.$//') + set +e echo "$domain_from_base_dn" | egrep -q ".*$LDAP_DOMAIN\$" if [ $? -ne 0 ]; then log-helper error "Error: domain $domain_from_base_dn derived from LDAP_BASE_DN $LDAP_BASE_DN does not match LDAP_DOMAIN $LDAP_DOMAIN" exit 1 fi + set -e } function is_new_schema() { @@ -102,6 +104,7 @@ if [ ! -e "$FIRST_START_DONE" ]; then log-helper info "Database and config directory are empty..." log-helper info "Init new ldap server..." + get_ldap_base_dn cat < Date: Thu, 1 Aug 2019 14:28:58 +0200 Subject: [PATCH 19/22] bats link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2f534fce..387949c0 100644 --- a/README.md +++ b/README.md @@ -433,7 +433,7 @@ Run your image: We use **Bats** (Bash Automated Testing System) to test this image: -> [https://github.com/sstephenson/bats](https://github.com/sstephenson/bats) +> [https://github.com/bats-core/bats-core](https://github.com/bats-core/bats-core) Install Bats, and in this project directory run: From f793a96a47e1fc9052979ffe7f0c7ddab85427ff Mon Sep 17 00:00:00 2001 From: Bertrand Gouny Date: Thu, 1 Aug 2019 14:32:29 +0200 Subject: [PATCH 20/22] Fix domain dn #341 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c5122d1..7ab33bac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ### Fixed - Fix of incorrectly positioned 'log-helper debug' command #327. Thanks to @turcan ! + - Fix domain dn #341. Thanks to @obourdon ! ## [1.2.4] - 2019-03-14 ### Fixed From 14ca0001ba8cc0d41c5a60c61b75af53269a34b1 Mon Sep 17 00:00:00 2001 
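Review bot: `set +e` … `set -e` toggles errexit for the whole shell to shield one pipeline, and unconditionally re-enables it afterwards even if the caller had it off; the same exemption comes for free by placing the pipeline in the `if` condition, where errexit does not apply, independent of how the pattern is built: `if ! echo "$domain_from_base_dn" | egrep -q ".*$LDAP_DOMAIN\$"; then`, replacing the `set +e`, the `echo … | egrep` line, `if [ $? -ne 0 ]; then` and the `set -e`. The second hunk (`get_ldap_base_dn` added before the `cat` here-doc) appears truncated in this view, so I have not reviewed the rest of it. The enclosing function starts before the first hunk.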
From: Bertrand Gouny Date: Thu, 1 Aug 2019 17:39:26 +0200 Subject: [PATCH 21/22] add pqChecker --- CHANGELOG.md | 1 + image/Dockerfile | 32 +++++++++++++++++++++----------- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7ab33bac..8c7c1701 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## Added - Support for docker secrets #325. Thanks to @anagno ! - Add DISABLE_CHOWN environment variable #240 + - pqChecker lib to check passwords strength with ppolicy pwdCheckModule ### Fixed - Fix of incorrectly positioned 'log-helper debug' command #327. Thanks to @turcan ! diff --git a/image/Dockerfile b/image/Dockerfile index 80f8949f..f51e43f9 100644 --- a/image/Dockerfile +++ b/image/Dockerfile @@ -5,6 +5,9 @@ FROM osixia/light-baseimage:1.1.2 ARG LDAP_OPENLDAP_GID ARG LDAP_OPENLDAP_UID +ARG PQCHECKER_VERSION=2.0.0 +ARG PQCHECKER_MD5=c005ce596e97d13e39485e711dcbc7e1 + # Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added # If explicit uid or gid is given, use it. RUN if [ -z "${LDAP_OPENLDAP_GID}" ]; then groupadd -r openldap; else groupadd -r -g ${LDAP_OPENLDAP_GID} openldap; fi \ 
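Review bot: `ARG PQCHECKER_MD5=…` pins the downloaded package with MD5, and the `@@ -18,17 +21,24 @@` hunk fetches it with `curl -SL http://…` over plain HTTP; the pinned digest does make a substituted file fail the build, but MD5 is the weakest choice for that job and `sha256sum -c` costs nothing more. Suggested: `ARG PQCHECKER_SHA256=<sha256 of the pinned .deb, to be computed>` and `&& echo "${PQCHECKER_SHA256} *pqchecker.deb" | sha256sum -c -`, using `https://` if the mirror serves it. `curl -fsSL` rather than `-SL` makes an HTTP error page fail the download instead of being written to pqchecker.deb and only caught by the digest check.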
@@ -18,17 +21,24 @@ RUN echo "deb http://ftp.debian.org/debian stretch-backports main" >> /etc/apt/s #  https://github.com/osixia/docker-light-baseimage/blob/stable/image/service-available/:ssl-tools/download.sh RUN echo "path-include /usr/share/doc/krb5*" >> /etc/dpkg/dpkg.cfg.d/docker && apt-get -y update \ && /container/tool/add-service-available :ssl-tools \ - && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get -t stretch-backports install -y --no-install-recommends \ - ldap-utils \ - libsasl2-modules \ - libsasl2-modules-db \ - libsasl2-modules-gssapi-mit \ - libsasl2-modules-ldap \ - libsasl2-modules-otp \ - libsasl2-modules-sql \ - openssl \ - slapd \ - krb5-kdc-ldap \ + && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get -t stretch-backports install -y --no-install-recommends \ + ca-certificates \ + curl \ + ldap-utils \ + libsasl2-modules \ + libsasl2-modules-db \ + libsasl2-modules-gssapi-mit \ + libsasl2-modules-ldap \ + libsasl2-modules-otp \ + libsasl2-modules-sql \ + openssl \ + slapd \ + krb5-kdc-ldap \ + && curl -o pqchecker.deb -SL http://www.meddeb.net/pub/pqchecker/deb/8/pqchecker_${PQCHECKER_VERSION}_amd64.deb \ + && echo "${PQCHECKER_MD5} *pqchecker.deb" | md5sum -c - \ + && dpkg -i pqchecker.deb \ + && rm pqchecker.deb \ + && apt-get remove -y --purge --auto-remove curl ca-certificates \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* From 5e10294f985c0eb4eac9dddf0f57a7b6f41332b5 Mon Sep 17 00:00:00 2001 From: Bertrand Gouny Date: Fri, 16 Aug 2019 10:46:09 +0200 Subject: [PATCH 22/22] v1.2.5 --- CHANGELOG.md | 2 +- Makefile | 2 +- README.md | 44 +++++++++---------- example/docker-compose.yml | 2 +- example/extend-osixia-openldap/Dockerfile | 2 +- .../kubernetes/simple/ldap-deployment.yaml | 2 +- .../using-secrets/gce-statefullset.yaml | 2 +- .../using-secrets/ldap-deployment.yaml | 2 +- 8 files changed, 29 insertions(+), 29 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c7c1701..b9ea3139 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). -## [1.2.5] - Unreleased +## [1.2.5] - 2019-08-16 ## Added - Support for docker secrets #325. Thanks to @anagno ! - Add DISABLE_CHOWN environment variable #240 diff --git a/Makefile b/Makefile index a4ff102d..fd47c226 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ NAME = osixia/openldap -VERSION = 1.2.5-dev +VERSION = 1.2.5 .PHONY: build build-nocache test tag-latest push push-latest release git-tag-version diff --git a/README.md b/README.md index 387949c0..30f1c170 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ ![Docker Stars](https://img.shields.io/docker/stars/osixia/openldap.svg) ![](https://images.microbadger.com/badges/image/osixia/openldap.svg) -Latest release: 1.2.5-dev - OpenLDAP 2.4.47 - [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/)  +Latest release: 1.2.5 - OpenLDAP 2.4.47 - [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/)  **A docker image to run OpenLDAP.** @@ -38,7 +38,7 @@ Latest release: 1.2.5-dev - OpenLDAP 2.4.47 - [Changelog](CHANGELOG.md) | [Dock - [Docker Secrets](#Docker-Secrets) - [Make your own image or extend this image](#Make-your-own-image-or-extend-this-image) - [Advanced User Guide](#Advanced-User-Guide) - - [Extend osixia/openldap:1.2.5-dev image](#Extend-osixiaopenldap125-dev-image) + - [Extend osixia/openldap:1.2.5 image](#Extend-osixiaopenldap125-dev-image) - [Make your own openldap image](#Make-your-own-openldap-image) - [Tests](#Tests) - [Kubernetes](#Kubernetes) 
@@ -58,11 +58,11 @@ If you find this image useful here's how you can help: ## Quick Start Run OpenLDAP docker image: - docker run --name my-openldap-container --detach osixia/openldap:1.2.5-dev + docker run --name my-openldap-container --detach osixia/openldap:1.2.5 Do not forget to add the port mapping for both port 389 and 636 if you wish to access the ldap server from another machine. - docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.2.5-dev + docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.2.5 Either command starts a new container with OpenLDAP running inside. Let's make the first search in our LDAP container: @@ -98,7 +98,7 @@ It will create an empty ldap for the company **Example Inc.** and the domain **e By default the admin has the password **admin**. All those default settings can be changed at the docker command line, for example: docker run --env LDAP_ORGANISATION="My Company" --env LDAP_DOMAIN="my-company.com" \ - --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.5-dev + --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.5 #### Data persistence @@ -149,12 +149,12 @@ argument to entrypoint if you don't want to overwrite them. # single file example: docker run \ --volume ./bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif \ - osixia/openldap:1.2.5-dev --copy-service + osixia/openldap:1.2.5 --copy-service #directory example: docker run \ --volume ./ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom \ - osixia/openldap:1.2.5-dev --copy-service + osixia/openldap:1.2.5 --copy-service ### Use an existing ldap database 
@@ -165,7 +165,7 @@ simply mount this directories as a volume to `/var/lib/ldap` and `/etc/ldap/slap docker run --volume /data/slapd/database:/var/lib/ldap \ --volume /data/slapd/config:/etc/ldap/slapd.d \ - --detach osixia/openldap:1.2.5-dev + --detach osixia/openldap:1.2.5 You can also use data volume containers. Please refer to: > [https://docs.docker.com/engine/tutorials/dockervolumes/](https://docs.docker.com/engine/tutorials/dockervolumes/) @@ -185,7 +185,7 @@ If you are looking for a simple solution to administrate your ldap server you ca #### Use auto-generated certificate By default, TLS is already configured and enabled, certificate is created using container hostname (it can be set by docker run --hostname option eg: ldap.example.org). - docker run --hostname ldap.my-company.com --detach osixia/openldap:1.2.5-dev + docker run --hostname ldap.my-company.com --detach osixia/openldap:1.2.5 #### Use your own certificate 
@@ -195,24 +195,24 @@ You can set your custom certificate at run time, by mounting a directory contain --env LDAP_TLS_CRT_FILENAME=my-ldap.crt \ --env LDAP_TLS_KEY_FILENAME=my-ldap.key \ --env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \ - --detach osixia/openldap:1.2.5-dev + --detach osixia/openldap:1.2.5 Other solutions are available please refer to the [Advanced User Guide](#advanced-user-guide) #### Disable TLS Add --env LDAP_TLS=false to the run command: - docker run --env LDAP_TLS=false --detach osixia/openldap:1.2.5-dev + docker run --env LDAP_TLS=false --detach osixia/openldap:1.2.5 ### Multi master replication Quick example, with the default config. #Create the first ldap server, save the container id in LDAP_CID and get its IP: - LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.5-dev) + LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.5) LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID) #Create the second ldap server, save the container id in LDAP2_CID and get its IP: - LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.5-dev) + LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.5) LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID) #Add the pair "ip hostname" to /etc/hosts on each containers, @@ -248,7 +248,7 @@ You may have some problems with mounted files on some systems. The startup scrip To fix that run the container with `--copy-service` argument : - docker run [your options] osixia/openldap:1.2.5-dev --copy-service + docker run [your options] osixia/openldap:1.2.5 --copy-service ### Debug 
@@ -257,11 +257,11 @@ Available levels are: `none`, `error`, `warning`, `info`, `debug` and `trace`. Example command to run the container in `debug` mode: - docker run --detach osixia/openldap:1.2.5-dev --loglevel debug + docker run --detach osixia/openldap:1.2.5 --loglevel debug See all command line options: - docker run osixia/openldap:1.2.5-dev --help + docker run osixia/openldap:1.2.5 --help ## Environment Variables @@ -327,7 +327,7 @@ Replication options: If you want to set this variable at docker run command add the tag `#PYTHON2BASH:` and convert the yaml in python: - docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.2.5-dev + docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.2.5 To convert yaml to python online: http://yaml-online-parser.appspot.com/ @@ -348,7 +348,7 @@ Other environment variables: Environment variables can be set by adding the --env argument in the command line, for example: docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \ - --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.5-dev + --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.5 Be aware that environment variable added in command line will be available at any time in the container. In this example if someone manage to open a terminal in this container 
@@ -359,14 +359,14 @@ he will be able to read the admin password in clear text from environment variab For example if your environment files **my-env.yaml** and **my-env.startup.yaml** are in /data/ldap/environment docker run --volume /data/ldap/environment:/container/environment/01-custom \ - --detach osixia/openldap:1.2.5-dev + --detach osixia/openldap:1.2.5 Take care to link your environment files folder to `/container/environment/XX-somedir` (with XX < 99 so they will be processed before default environment files) and not directly to `/container/environment` because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE). Note: the container will try to delete the **\*.startup.yaml** file after the end of startup files so the file will also be deleted on the docker host. To prevent that : use --volume /data/ldap/environment:/container/environment/01-custom**:ro** or set all variables in **\*.yaml** file and don't use **\*.startup.yaml**: docker run --volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \ - --detach osixia/openldap:1.2.5-dev + --detach osixia/openldap:1.2.5 #### Docker Secrets @@ -385,13 +385,13 @@ This is the best solution if you have a private registry. Please refer to the [A ## Advanced User Guide -### Extend osixia/openldap:1.2.5-dev image +### Extend osixia/openldap:1.2.5 image If you need to add your custom TLS certificate, bootstrap config or environment files the easiest way is to extends this image. Dockerfile example: - FROM osixia/openldap:1.2.5-dev + FROM osixia/openldap:1.2.5 MAINTAINER Your Name ADD bootstrap /container/service/slapd/assets/config/bootstrap diff --git a/example/docker-compose.yml b/example/docker-compose.yml index 9008b553..03a06250 100644 --- a/example/docker-compose.yml +++ b/example/docker-compose.yml 
@@ -1,7 +1,7 @@ version: '2' services: openldap: - image: osixia/openldap:1.2.5-dev + image: osixia/openldap:1.2.5 container_name: openldap environment: LDAP_LOG_LEVEL: "256" diff --git a/example/extend-osixia-openldap/Dockerfile b/example/extend-osixia-openldap/Dockerfile index 7d08ae65..b67d7f1c 100644 --- a/example/extend-osixia-openldap/Dockerfile +++ b/example/extend-osixia-openldap/Dockerfile @@ -1,4 +1,4 @@ -FROM osixia/openldap:1.2.5-dev +FROM osixia/openldap:1.2.5 MAINTAINER Your Name ADD bootstrap /container/service/slapd/assets/config/bootstrap diff --git a/example/kubernetes/simple/ldap-deployment.yaml b/example/kubernetes/simple/ldap-deployment.yaml index 64052883..722a1021 100644 --- a/example/kubernetes/simple/ldap-deployment.yaml +++ b/example/kubernetes/simple/ldap-deployment.yaml @@ -13,7 +13,7 @@ spec: spec: containers: - name: ldap - image: osixia/openldap:1.2.5-dev + image: osixia/openldap:1.2.5 volumeMounts: - name: ldap-data mountPath: /var/lib/ldap diff --git a/example/kubernetes/using-secrets/gce-statefullset.yaml b/example/kubernetes/using-secrets/gce-statefullset.yaml index 51c66d6e..051edbea 100644 --- a/example/kubernetes/using-secrets/gce-statefullset.yaml +++ b/example/kubernetes/using-secrets/gce-statefullset.yaml @@ -12,7 +12,7 @@ spec: spec: containers: - name: azaldap - image: osixia/openldap:1.2.5-dev + image: osixia/openldap:1.2.5 imagePullPolicy: IfNotPresent #command: ["/bin/bash","-c","while [ 1 = 1 ] ; do sleep 1; date; done"] ports: diff --git a/example/kubernetes/using-secrets/ldap-deployment.yaml b/example/kubernetes/using-secrets/ldap-deployment.yaml index 8fb58c8d..a43762eb 100644 --- a/example/kubernetes/using-secrets/ldap-deployment.yaml +++ b/example/kubernetes/using-secrets/ldap-deployment.yaml @@ -13,7 +13,7 @@ spec: spec: containers: - name: ldap - image: osixia/openldap:1.2.5-dev + image: osixia/openldap:1.2.5 args: ["--copy-service"] volumeMounts: - name: ldap-data