add explicit template variables, add readonly user script

Author: BertrandGouny

README.md

@@ -177,7 +177,7 @@ TLS options :
 Replication options :
 - **LDAP_REPLICATION**: Add openldap replication capabilities. Defaults to `false`
 - **LDAP_REPLICATION_CONFIG_SYNCPROV**: olcSyncRepl options used for the config database. Without **rid** and **provider** which are automaticaly added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical`
-- **LDAP_REPLICATION_HDB_SYNCPROV**: olcSyncRepl options used for the HDB database. Without **rid** and **provider** which are automaticaly added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1  starttls=critical`
+- **LDAP_REPLICATION_HDB_SYNCPROV**: olcSyncRepl options used for the HDB database. Without **rid** and **provider** which are automaticaly added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1  starttls=critical`
 - **LDAP_REPLICATION_HOSTS**: list of replication hosts, must contains the current container hostname set by -h on docker run command. Defaults to `['ldap://ldap.example.org', 'ldap://ldap2.example.org']`
 
 ### Set environment variables at run time :

image/env.yaml

@@ -1,26 +1,29 @@
+# general container configuration
+# see table 5.1 in http://www.openldap.org/doc/admin24/slapdconf2.html for the available log levels.
+LDAP_LOG_LEVEL: 256
+
+# required and used for new ldap server only
 LDAP_ORGANISATION: Example Inc.
 LDAP_DOMAIN: example.org
 LDAP_ADMIN_PASSWORD: admin
 LDAP_CONFIG_PASSWORD: config
 
-#See table 5.1 in http://www.openldap.org/doc/admin24/slapdconf2.html for the available log levels.
-LDAP_LOG_LEVEL: 256
-
+# TLS
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: ldap.crt
 LDAP_TLS_KEY_FILENAME: ldap.key
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
-
+# replication
 LDAP_REPLICATION: false
-# variables $BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD
+# variables $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD
 # are automaticaly replaced at run time
 
 # if you want to add replication to an existing ldap
 # adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_HDB_SYNCPROV to your configuration
-# avoid using $BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
+# avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
 LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical
-LDAP_REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1  starttls=critical
+LDAP_REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1  starttls=critical
 LDAP_REPLICATION_HOSTS:
   - ldap://ldap.example.org # The order must be the same on all ldap servers
   - ldap://ldap2.example.org

image/service/slapd/assets/add-readonly-user.sh

@@ -0,0 +1,35 @@
+#!/bin/bash -e
+
+# Usage :
+# ./add-readonly-user.sh LDAP_DOMAIN LDAP_ADMIN_PASSWORD LDAP_READONLY_USERNAME LDAP_READONLY_PASSWORD
+
+# Example :
+# ./add-readonly-user.sh example.org admin readonly readonly-password
+
+LDAP_DOMAIN=$1
+LDAP_ADMIN_PASSWORD=$2
+LDAP_READONLY_USERNAME=$3
+LDAP_READONLY_PASSWORD=$4
+
+function get_ldap_base_dn() {
+  LDAP_BASE_DN=""
+  IFS='.' read -ra LDAP_BASE_DN_TABLE <<< "$LDAP_DOMAIN"
+  for i in "${LDAP_BASE_DN_TABLE[@]}"; do
+    EXT="dc=$i,"
+    LDAP_BASE_DN=$LDAP_BASE_DN$EXT
+  done
+
+  LDAP_BASE_DN=${LDAP_BASE_DN::-1}
+}
+
+get_ldap_base_dn
+LDAP_READONLY_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_READONLY_PASSWORD)
+sed -i "s|{{ LDAP_READONLY_USERNAME }}|${LDAP_READONLY_USERNAME}|g" /container/service/slapd/assets/config/readonly-user/readonly-user.ldif
+sed -i "s|{{ LDAP_READONLY_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_PASSWORD_ENCRYPTED}|g" /container/service/slapd/assets/config/readonly-user/readonly-user.ldif
+sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/readonly-user/readonly-user.ldif
+
+sed -i "s|{{ LDAP_READONLY_USERNAME }}|${LDAP_READONLY_USERNAME}|g" /container/service/slapd/assets/config/readonly-user/readonly-user-acl.ldif
+sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/readonly-user/readonly-user-acl.ldif
+
+ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f /container/service/slapd/assets/config/readonly-user/readonly-user.ldif
+ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/readonly-user/readonly-user-acl.ldif

image/service/slapd/assets/config/bootstrap/ldif/01-config-password.ldif

@@ -4,4 +4,4 @@ changeType: modify
 
 dn: olcDatabase={0}config,cn=config
 add: olcRootPW
-olcRootPW: {{ CONFIG_PASSWORD_ENCRYPTED }}
+olcRootPW: {{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}

image/service/slapd/assets/config/bootstrap/ldif/02-security.ldif

@@ -1,13 +1,10 @@
-dn: olcDatabase={1}hdb,cn=config 
+dn: olcDatabase={1}hdb,cn=config
 changetype: modify
 delete: olcAccess
 -
 add: olcAccess
-olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
+olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by anonymous auth by * none
 -
 add: olcAccess
-olcAccess: {1}to dn.base="" by * read
+olcAccess: {1}to * by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by * none
 -
-add: olcAccess
-olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=org" write by * none
--

image/service/slapd/assets/config/readonly-user/readonly-user-acl.ldif

@@ -0,0 +1,10 @@
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+delete: olcAccess
+-
+add: olcAccess
+olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by anonymous auth by * none
+-
+add: olcAccess
+olcAccess: {1}to * by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by dn="cn={{ LDAP_READONLY_USERNAME }},{{ LDAP_BASE_DN }}" read by * none
+-

image/service/slapd/assets/config/readonly-user/readonly-user.ldif

@@ -0,0 +1,7 @@
+dn: cn={{ LDAP_READONLY_USERNAME }},{{ LDAP_BASE_DN }}
+changetype: add
+cn: {{ LDAP_READONLY_USERNAME }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+userPassword: {{ LDAP_READONLY_PASSWORD_ENCRYPTED }}
+description: LDAP read only user

image/service/slapd/assets/config/tls/tls-enable.ldif

@@ -4,13 +4,13 @@ replace: olcTLSCipherSuite
 olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
 -
 replace: olcTLSCACertificateFile
-olcTLSCACertificateFile: /container/service/slapd/assets/certs/ca.crt
+olcTLSCACertificateFile: /container/service/slapd/assets/certs/{{ LDAP_TLS_CA_CRT_FILENAME }}
 -
 replace: olcTLSCertificateFile
-olcTLSCertificateFile: /container/service/slapd/assets/certs/ldap.crt
+olcTLSCertificateFile: /container/service/slapd/assets/certs/{{ LDAP_TLS_CRT_FILENAME }}
 -
 replace: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: /container/service/slapd/assets/certs/ldap.key
+olcTLSCertificateKeyFile: /container/service/slapd/assets/certs/{{ LDAP_TLS_KEY_FILENAME }}
 -
 replace: olcTLSDHParamFile
 olcTLSDHParamFile: /container/service/slapd/assets/certs/dhparam.pem

image/service/slapd/container-start.sh

@@ -17,15 +17,15 @@ chown -R openldap:openldap /container/service/slapd
 # container first start
 if [ ! -e "$FIRST_START_DONE" ]; then
 
-  function get_base_dn() {
-    BASE_DN=""
-    IFS='.' read -ra BASE_DN_TABLE <<< "$LDAP_DOMAIN"
-    for i in "${BASE_DN_TABLE[@]}"; do
+  function get_ldap_base_dn() {
+    LDAP_BASE_DN=""
+    IFS='.' read -ra LDAP_BASE_DN_TABLE <<< "$LDAP_DOMAIN"
+    for i in "${LDAP_BASE_DN_TABLE[@]}"; do
       EXT="dc=$i,"
-      BASE_DN=$BASE_DN$EXT
+      LDAP_BASE_DN=$LDAP_BASE_DN$EXT
     done
 
-    BASE_DN=${BASE_DN::-1}
+    LDAP_BASE_DN=${LDAP_BASE_DN::-1}
   }
 
   function is_new_schema() {
@@ -134,12 +134,12 @@ EOF
     done
 
     # set config password
-    CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_CONFIG_PASSWORD)
-    sed -i "s|{{ CONFIG_PASSWORD_ENCRYPTED }}|$CONFIG_PASSWORD_ENCRYPTED|g" /container/service/slapd/assets/config/bootstrap/ldif/01-config-password.ldif
+    LDAP_CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_CONFIG_PASSWORD)
+    sed -i "s|{{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}|${LDAP_CONFIG_PASSWORD_ENCRYPTED}|g" /container/service/slapd/assets/config/bootstrap/ldif/01-config-password.ldif
 
     # adapt security config file
-    get_base_dn
-    sed -i "s|dc=example,dc=org|$BASE_DN|g" /container/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
+    get_ldap_base_dn
+    sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" /container/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
 
     # process config files
     for f in $(find /container/service/slapd/assets/config/bootstrap/ldif  -name \*.ldif -type f | sort); do
@@ -157,9 +157,9 @@ EOF
     check_tls_files $LDAP_TLS_CA_CRT_FILENAME $LDAP_TLS_CRT_FILENAME $LDAP_TLS_KEY_FILENAME
 
     # adapt tls ldif
-    sed -i "s,/container/service/slapd/assets/certs/ca.crt,/container/service/slapd/assets/certs/${LDAP_TLS_CA_CRT_FILENAME},g" /container/service/slapd/assets/config/tls/tls-enable.ldif
-    sed -i "s,/container/service/slapd/assets/certs/ldap.crt,/container/service/slapd/assets/certs/${LDAP_TLS_CRT_FILENAME},g" /container/service/slapd/assets/config/tls/tls-enable.ldif
-    sed -i "s,/container/service/slapd/assets/certs/ldap.key,/container/service/slapd/assets/certs/${LDAP_TLS_KEY_FILENAME},g" /container/service/slapd/assets/config/tls/tls-enable.ldif
+    sed -i "s|{{ LDAP_TLS_CA_CRT_FILENAME }}|${LDAP_TLS_CA_CRT_FILENAME}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
+    sed -i "s|{{ LDAP_TLS_CRT_FILENAME }}|${LDAP_TLS_CRT_FILENAME}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
+    sed -i "s|{{ LDAP_TLS_KEY_FILENAME }}|${LDAP_TLS_KEY_FILENAME}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
 
     ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/tls/tls-enable.ldif
 
@@ -212,8 +212,8 @@ EOF
         ((i++))
       done
 
-      get_base_dn
-      sed -i "s|\$BASE_DN|$BASE_DN|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
+      get_ldap_base_dn
+      sed -i "s|\$LDAP_BASE_DN|$LDAP_BASE_DN|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
       sed -i "s|\$LDAP_ADMIN_PASSWORD|$LDAP_ADMIN_PASSWORD|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
       sed -i "s|\$LDAP_CONFIG_PASSWORD|$LDAP_CONFIG_PASSWORD|g" /container/service/slapd/assets/config/replication/replication-enable.ldif