comment tls disable / tls enforce disable

BertrandGouny · BertrandGouny · commit 0578ede275c6 · 2016-08-02T15:36:46.000+02:00
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh
@@ -21,6 +21,7 @@ chown -R openldap:openldap ${CONTAINER_SERVICE_DIR}/slapd
 
 FIRST_START_DONE="${CONTAINER_STATE_DIR}/slapd-first-start-done"
 WAS_STARTED_WITH_TLS="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls"
+WAS_STARTED_WITH_TLS_ENFORCE="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls-enforce"
 WAS_STARTED_WITH_REPLICATION="/etc/ldap/slapd.d/docker-openldap-was-started-with-replication"
 
 # CONTAINER_SERVICE_DIR and CONTAINER_STATE_DIR variables are set by
@@ -129,6 +130,8 @@ EOF
   if [ -e "$WAS_STARTED_WITH_TLS" ]; then
     source $WAS_STARTED_WITH_TLS
 
+    log-helper debug "Check previous TLS certificates..."
+
     cfssl-helper $LDAP_CFSSL_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH
     [ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
 
@@ -224,6 +227,18 @@ EOF
   #
   # TLS config
   #
+  if [ -e "$WAS_STARTED_WITH_TLS" ] && [ "${LDAP_TLS,,}" != "true" ]; then
+    log-helper error "/!\ WARNING: LDAP_TLS=false but the container was previously started with LDAP_TLS=true"
+    log-helper error "TLS can't be disabled once added. Ignoring LDAP_TLS=false."
+    LDAP_TLS=true
+  fi
+
+  if [ -e "$WAS_STARTED_WITH_TLS_ENFORCE" ] && [ "${LDAP_TLS_ENFORCE,,}" != "true" ]; then
+    log-helper error "/!\ WARNING: LDAP_TLS_ENFORCE=false but the container was previously started with LDAP_TLS_ENFORCE=true"
+    log-helper error "TLS enforcing can't be disabled once added. Ignoring LDAP_TLS_ENFORCE=false."
+    LDAP_TLS_ENFORCE=true
+  fi
+
   if [ "${LDAP_TLS,,}" == "true" ]; then
 
     log-helper info "Add TLS config..."
@@ -275,18 +290,20 @@ EOF
     if [ "${LDAP_TLS_ENFORCE,,}" == "true" ]; then
       log-helper info "Add enforce TLS..."
       ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enforce-enable.ldif 2>&1 | log-helper debug
+      touch $WAS_STARTED_WITH_TLS_ENFORCE
 
-    # disable tls enforcing
-    else
-      log-helper info "Disable enforce TLS..."
-      ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enforce-disable.ldif 2>&1 | log-helper debug || true
+    # disable tls enforcing (not possible for now)
+    #else
+      #log-helper info "Disable enforce TLS..."
+      #ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enforce-disable.ldif 2>&1 | log-helper debug || true
+      #[[ -f "$WAS_STARTED_WITH_TLS_ENFORCE" ]] && rm -f "$WAS_STARTED_WITH_TLS_ENFORCE"
     fi
 
-  else
-    log-helper info "Disable TLS config..."
-
-    ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-disable.ldif 2>&1 | log-helper debug || true
-    [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
+  # disable tls (not possible for now)
+  #else
+    #log-helper info "Disable TLS config..."
+    #ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-disable.ldif 2>&1 | log-helper debug || true
+    #[[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
   fi
 
 
