must fix #44 and fix #36)

BertrandGouny · BertrandGouny · commit 911505de91e0 · 2016-08-02T14:29:28.000+02:00
diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh
@@ -124,9 +124,16 @@ EOF
   fi
 
   # if the config was bootstraped with TLS
-  # to avoid error (#6) we hard delete TLS config
+  # to avoid error (#6) (#36) and (#44)
+  # we create fake temporary certificates if they do not exists
   if [ -e "$WAS_STARTED_WITH_TLS" ]; then
-    sed -i '/olcTLS/d' /etc/ldap/slapd.d/cn\=config.ldif
+    source $WAS_STARTED_WITH_TLS
+
+    cfssl-helper $LDAP_CFSSL_PREFIX $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH
+    [ -f ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH} ] || openssl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
+
+    chmod 600 ${PREVIOUS_LDAP_TLS_DH_PARAM_PATH}
+    chown openldap:openldap $PREVIOUS_LDAP_TLS_CRT_PATH $PREVIOUS_LDAP_TLS_KEY_PATH $PREVIOUS_LDAP_TLS_CA_CRT_PATH $PREVIOUS_LDAP_TLS_DH_PARAM_PATH
   fi
 
   # start OpenLDAP
@@ -247,7 +254,12 @@ EOF
     sed -i "s|{{ LDAP_TLS_VERIFY_CLIENT }}|${LDAP_TLS_VERIFY_CLIENT}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
 
     ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif 2>&1 | log-helper debug
-    touch $WAS_STARTED_WITH_TLS
+
+    [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
+    echo "export PREVIOUS_LDAP_TLS_CA_CRT_PATH=${LDAP_TLS_CA_CRT_PATH}" > $WAS_STARTED_WITH_TLS
+    echo "export PREVIOUS_LDAP_TLS_CRT_PATH=${LDAP_TLS_CRT_PATH}" >> $WAS_STARTED_WITH_TLS
+    echo "export PREVIOUS_LDAP_TLS_KEY_PATH=${LDAP_TLS_KEY_PATH}" >> $WAS_STARTED_WITH_TLS
+    echo "export PREVIOUS_LDAP_TLS_DH_PARAM_PATH=${LDAP_TLS_DH_PARAM_PATH}" >> $WAS_STARTED_WITH_TLS
 
     # ldap client config
     sed -i --follow-symlinks "s,TLS_CACERT.*,TLS_CACERT ${LDAP_TLS_CA_CRT_PATH},g" /etc/ldap/ldap.conf
