Merge branch 'hotfix-1.0.1' into stable

Author: BertrandGouny

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## 1.0.1
+  - Upgrade baseimage: osixia/light-baseimage:0.1.1
+  - Rename environment variables
+
+  - Fixes :
+    - OpenLdap container won't start when dhparam.pem is missing in bound volume #13
+
+## 1.0.0
+  - Use light-baseimage
+  - Improve documentation
+
 ## 0.10.2
 
   - New features:

Makefile

@@ -1,5 +1,5 @@
 NAME = osixia/openldap
-VERSION = 1.0.0
+VERSION = 1.0.1
 
 .PHONY: all build test tag_latest release
 

README.md

@@ -84,7 +84,7 @@ simply mount this directories as a volume to `/var/lib/ldap` and `/etc/ldap/slap
 You can also use data volume containers. Please refer to :
 > [https://docs.docker.com/userguide/dockervolumes/](https://docs.docker.com/userguide/dockervolumes/)
 
-### Using TLS
+### TLS
 
 #### Use autogenerated certificate
 By default TLS is enable, a certificate is created with the container hostname (it can be set by docker run -h option eg: ldap.example.org).
@@ -93,37 +93,36 @@ By default TLS is enable, a certificate is created with the container hostname (
 
 #### Use your own certificate
 
-Add your custom certificate, private key and CA certificate in the directory **image/service/slapd/assets/ssl** adjust filename in **image/env.yaml** and rebuild the image ([see manual build](#manual-build)).
+Add your custom certificate, private key and CA certificate in the directory **image/service/slapd/assets/certs** adjust filename in **image/env.yaml** and rebuild the image ([see manual build](#manual-build)).
 
-Or you can set your custom certificate at run time, by mouting a directory containing thoses files to **/container/service/slapd/assets/ssl** and adjust there name with the following environment variables :
+Or you can set your custom certificate at run time, by mouting a directory containing thoses files to **/container/service/slapd/assets/certs** and adjust there name with the following environment variables :
 
-	docker run -h ldap.example.org -v /path/to/certifates:/container/service/slapd/assets/ssl \
-	-e SSL_CRT_FILENAME=my-ldap.crt \
-	-e SSL_KEY_FILENAME=my-ldap.key \
-	-e SSL_CA_CRT_FILENAME=the-ca.crt \
+	docker run -h ldap.example.org -v /path/to/certifates:/container/service/slapd/assets/certs \
+	-e LDAP_TLS_CRT_FILENAME=my-ldap.crt \
+	-e LDAP_TLS_KEY_FILENAME=my-ldap.key \
+	-e LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \
 	-d osixia/openldap
 
 #### Disable TLS
-Add -e USE_TLS=false to the run command :
+Add -e LDAP_TLS=false to the run command :
 
-	docker run -e USE_TLS=false -d osixia/openldap
+	docker run -e LDAP_TLS=false -d osixia/openldap
 
 ### Multi master replication
 Quick example, with the default config.
 
 	#Create the first ldap server, save the container id in LDAP_CID and get its IP:
-	LDAP_CID=$(docker run -h ldap.example.org -e USE_REPLICATION=true -d osixia/openldap)
+	LDAP_CID=$(docker run -h ldap.example.org -e LDAP_REPLICATION=true -d osixia/openldap)
 	LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID)
 
 	#Create the second ldap server, save the container id in LDAP2_CID and get its IP:
-	LDAP2_CID=$(docker run -h ldap2.example.org -e USE_REPLICATION=true -d osixia/openldap)
+	LDAP2_CID=$(docker run -h ldap2.example.org -e LDAP_REPLICATION=true -d osixia/openldap)
 	LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID)
 
 	#Add the pair "ip hostname" to /etc/hosts on each containers,
 	#beacause ldap.example.org and ldap2.example.org are fake hostnames
-	docker exec $LDAP_CID /sbin/add-host $LDAP2_IP ldap2.example.org
-	docker exec $LDAP2_CID /sbin/add-host $LDAP_IP ldap.example.org
-
+	docker exec $LDAP_CID bash -c "echo $LDAP2_IP ldap2.example.org >> /etc/hosts"
+	docker exec $LDAP2_CID bash -c "echo $LDAP_IP ldap.example.org >> /etc/hosts"
 
 That's it ! But a litle test to be sure :
 
@@ -151,7 +150,7 @@ Search on the second ldap server, and billy should show up !
 If you are looking for a simple solution to administrate your ldap server you can take a look at our phpLDAPadmin docker image :
 > [osixia/phpldapadmin](https://github.com/osixia/docker-phpLDAPadmin)
 
-## Backups
+## Backup
 A simple solution to backup your ldap server, our openldap-backup docker image :
 > [osixia/openldap-backup](https://github.com/osixia/docker-openldap-backup)
 
@@ -167,18 +166,26 @@ Required and used for new ldap server only :
 - **LDAP_DOMAIN**: Ldap domain. Defaults to `example.org`
 - **LDAP_ADMIN_PASSWORD** Ldap Admin password. Defaults to `admin`
 - **LDAP_CONFIG_PASSWORD** Ldap Config password. Defaults to `config`
+ 
+- **LDAP_READONLY_USER** Add a read only user. Defaults to `false`
+- **LDAP_READONLY_USER_USERNAME** Read only user username. Defaults to `readonly`
+- **LDAP_READONLY_USER_PASSWORD** Read only user password. Defaults to `readonly`
 
 TLS options :
-- **USE_TLS**: Add openldap TLS capabilities. Defaults to `true`
-- **SSL_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
-- **SSL_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
-- **SSL_CA_CRT_FILENAME**: Ldap ssl CA certificate  filename. Defaults to `ca.crt`
+- **LDAP_TLS**: Add openldap TLS capabilities. Defaults to `true`
+- **LDAP_TLS_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
+- **LDAP_TLS_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
+- **LDAP_TLS_CA_CRT_FILENAME**: Ldap ssl CA certificate  filename. Defaults to `ca.crt`
 
 Replication options :
-- **USE_REPLICATION**: Add openldap replication capabilities. Defaults to `false`
-- **REPLICATION_CONFIG_SYNCPROV**: olcSyncRepl options used for the config database. Without **rid** and **provider** which are automaticaly added based on REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical`
-- **REPLICATION_HDB_SYNCPROV**: olcSyncRepl options used for the HDB database. Without **rid** and **provider** which are automaticaly added based on REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1  starttls=critical`
-- **REPLICATION_HOSTS**: list of replication hosts, must contains the current container hostname set by -h on docker run command. Defaults to `['ldap://ldap.example.org', 'ldap://ldap2.example.org']`
+- **LDAP_REPLICATION**: Add openldap replication capabilities. Defaults to `false`
+
+- **LDAP_REPLICATION_CONFIG_SYNCPROV**: olcSyncRepl options used for the config database. Without **rid** and **provider** which are automaticaly added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical`
+
+- **LDAP_REPLICATION_HDB_SYNCPROV**: olcSyncRepl options used for the HDB database. Without **rid** and **provider** which are automaticaly added based on LDAP_REPLICATION_HOSTS.  Defaults to `binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1  starttls=critical`
+
+
+- **LDAP_REPLICATION_HOSTS**: list of replication hosts, must contains the current container hostname set by -h on docker run command. Defaults to `['ldap://ldap.example.org', 'ldap://ldap2.example.org']`
 
 ### Set environment variables at run time :
 

image/Dockerfile

@@ -1,4 +1,4 @@
-FROM osixia/light-baseimage:0.1.0
+FROM osixia/light-baseimage:0.1.1
 MAINTAINER Bertrand Gouny <[email protected]>
 
 # Use baseimage's init system.

image/env.yaml

@@ -1,26 +1,33 @@
+# General container configuration
+# see table 5.1 in http://www.openldap.org/doc/admin24/slapdconf2.html for the available log levels.
+LDAP_LOG_LEVEL: 256
+
+# Required and used for new ldap server only
 LDAP_ORGANISATION: Example Inc.
 LDAP_DOMAIN: example.org
 LDAP_ADMIN_PASSWORD: admin
 LDAP_CONFIG_PASSWORD: config
 
-#See table 5.1 in http://www.openldap.org/doc/admin24/slapdconf2.html for the available log levels.
-LDAP_LOG_LEVEL: 256
-
-USE_TLS: true
-SSL_CRT_FILENAME: ldap.crt
-SSL_KEY_FILENAME: ldap.key
-SSL_CA_CRT_FILENAME: ca.crt
+LDAP_READONLY_USER: false
+LDAP_READONLY_USER_USERNAME: readonly
+LDAP_READONLY_USER_PASSWORD: readonly
 
+# Tls
+LDAP_TLS: true
+LDAP_TLS_CRT_FILENAME: ldap.crt
+LDAP_TLS_KEY_FILENAME: ldap.key
+LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
-USE_REPLICATION: false
-# variables $BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD
+# Replication
+LDAP_REPLICATION: false
+# variables $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD
 # are automaticaly replaced at run time
 
 # if you want to add replication to an existing ldap
-# adapt REPLICATION_CONFIG_SYNCPROV and REPLICATION_HDB_SYNCPROV to your configuration
-# avoid using $BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
-REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical
-REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1  starttls=critical
-REPLICATION_HOSTS:
+# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_HDB_SYNCPROV to your configuration
+# avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
+LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical
+LDAP_REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=critical
+LDAP_REPLICATION_HOSTS:
   - ldap://ldap.example.org # The order must be the same on all ldap servers
   - ldap://ldap2.example.org

image/service/slapd/assets/certs/README.md

@@ -0,0 +1,2 @@
+Add your tls server certificate, key and the CA certificate (if any) here
+or during docker run mount a data volume with thoses files to /container/service/slapd/assets/certs

…age/service/slapd/assets/ssl/dhparam.pem …e/service/slapd/assets/certs/dhparam.pemimage/service/slapd/assets/ssl/dhparam.pem renamed to image/service/slapd/assets/certs/dhparam.pem image/service/slapd/assets/ssl/dhparam.pem renamed to image/service/slapd/assets/certs/dhparam.pem

@@ -4,4 +4,4 @@ changeType: modify
 
 dn: olcDatabase={0}config,cn=config
 add: olcRootPW
-olcRootPW: {{ CONFIG_PASSWORD_ENCRYPTED }}
+olcRootPW: {{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}

image/service/slapd/assets/config/bootstrap/ldif/01-config-password.ldif

@@ -1,13 +1,7 @@
-dn: olcDatabase={1}hdb,cn=config 
+dn: olcDatabase={1}hdb,cn=config
 changetype: modify
 delete: olcAccess
 -
 add: olcAccess
-olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
--
-add: olcAccess
-olcAccess: {1}to dn.base="" by * read
--
-add: olcAccess
-olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=org" write by * none
--
+olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by anonymous auth by * none
+olcAccess: to * by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by * none

image/service/slapd/assets/config/bootstrap/ldif/02-security.ldif

@@ -3,6 +3,8 @@ dn: olcDatabase={1}hdb,cn=config
 changetype:  modify
 replace: olcDbIndex
 olcDbIndex: uid eq
+olcDbIndex: mail eq
 olcDbIndex: memberOf eq
 olcDbIndex: entryCSN eq
 olcDbIndex: entryUUID eq
+olcDbIndex: objectClass eq