Merge branch 'hotfix-1.0.2' into stable

BertrandGouny · BertrandGouny · commit e0831a338a53 · 2015-08-27T15:41:43.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,13 +1,22 @@
 # Changelog
 
+## 1.0.2
+
+  - Add TLS environment variable :
+      - LDAP_TLS_CIPHER_SUITE
+      - LDAP_TLS_PROTOCOL_MIN
+      - LDAP_TLS_VERIFY_CLIENT
+
 ## 1.0.1
+
   - Upgrade baseimage: osixia/light-baseimage:0.1.1
   - Rename environment variables
 
   - Fixes :
     - OpenLdap container won't start when dhparam.pem is missing in bound volume #13
 
 ## 1.0.0
+
   - Use light-baseimage
   - Improve documentation
 
diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
 NAME = osixia/openldap
-VERSION = 1.0.1
+VERSION = 1.0.2
 
 .PHONY: all build test tag_latest release
 
diff --git a/README.md b/README.md
@@ -166,7 +166,7 @@ Required and used for new ldap server only :
 - **LDAP_DOMAIN**: Ldap domain. Defaults to `example.org`
 - **LDAP_ADMIN_PASSWORD** Ldap Admin password. Defaults to `admin`
 - **LDAP_CONFIG_PASSWORD** Ldap Config password. Defaults to `config`
- 
+
 - **LDAP_READONLY_USER** Add a read only user. Defaults to `false`
 - **LDAP_READONLY_USER_USERNAME** Read only user username. Defaults to `readonly`
 - **LDAP_READONLY_USER_PASSWORD** Read only user password. Defaults to `readonly`
@@ -176,6 +176,11 @@ TLS options :
 - **LDAP_TLS_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
 - **LDAP_TLS_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
 - **LDAP_TLS_CA_CRT_FILENAME**: Ldap ssl CA certificate  filename. Defaults to `ca.crt`
+- **LDAP_TLS_CIPHER_SUITE**: TLS cipher suite. Defaults to `SECURE256:-VERS-SSL3.0`
+- **LDAP_TLS_PROTOCOL_MIN**: TLS min protocol. Defaults to `3.1`
+- **LDAP_TLS_VERIFY_CLIENT**: TLS verify client. Defaults to `demand`
+
+	Help: http://www.openldap.org/doc/admin24/tls.html
 
 Replication options :
 - **LDAP_REPLICATION**: Add openldap replication capabilities. Defaults to `false`
@@ -209,7 +214,7 @@ Clone this project :
 Adapt Makefile, set your image NAME and VERSION, for example :
 
 	NAME = osixia/openldap
-	VERSION = 1.0.0
+	VERSION = 1.0.2
 
 	becomes :
 	NAME = billy-the-king/openldap
diff --git a/image/env.yaml b/image/env.yaml
@@ -18,6 +18,10 @@ LDAP_TLS_CRT_FILENAME: ldap.crt
 LDAP_TLS_KEY_FILENAME: ldap.key
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
+LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
+LDAP_TLS_PROTOCOL_MIN: 3.1
+LDAP_TLS_VERIFY_CLIENT: demand
+
 # Replication
 LDAP_REPLICATION: false
 # variables $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD
diff --git a/image/service/slapd/assets/config/tls/tls-enable.ldif b/image/service/slapd/assets/config/tls/tls-enable.ldif
@@ -1,10 +1,10 @@
 dn: cn=config
 changetype: modify
 replace: olcTLSCipherSuite
-olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
+olcTLSCipherSuite: {{ LDAP_TLS_CIPHER_SUITE }}
 -
 replace: olcTLSProtocolMin
-olcTLSProtocolMin: 3.1
+olcTLSProtocolMin: {{ LDAP_TLS_PROTOCOL_MIN }}
 -
 replace: olcTLSCACertificateFile
 olcTLSCACertificateFile: /container/service/slapd/assets/certs/{{ LDAP_TLS_CA_CRT_FILENAME }}
@@ -19,4 +19,4 @@ replace: olcTLSDHParamFile
 olcTLSDHParamFile: /container/service/slapd/assets/certs/dhparam.pem
 -
 replace: olcTLSVerifyClient
-olcTLSVerifyClient: demand
+olcTLSVerifyClient: {{ LDAP_TLS_VERIFY_CLIENT }}
diff --git a/image/service/slapd/container-start.sh b/image/service/slapd/container-start.sh
@@ -183,6 +183,10 @@ EOF
     sed -i "s|{{ LDAP_TLS_CRT_FILENAME }}|${LDAP_TLS_CRT_FILENAME}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
     sed -i "s|{{ LDAP_TLS_KEY_FILENAME }}|${LDAP_TLS_KEY_FILENAME}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
 
+    sed -i "s|{{ LDAP_TLS_CIPHER_SUITE }}|${LDAP_TLS_CIPHER_SUITE}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
+    sed -i "s|{{ LDAP_TLS_PROTOCOL_MIN }}|${LDAP_TLS_PROTOCOL_MIN}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
+    sed -i "s|{{ LDAP_TLS_VERIFY_CLIENT }}|${LDAP_TLS_VERIFY_CLIENT}|g" /container/service/slapd/assets/config/tls/tls-enable.ldif
+
     ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/tls/tls-enable.ldif
 
     [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,10 @@`
`1`	`1`	`dn: cn=config`
`2`	`2`	`changetype: modify`
`3`	`3`	`replace: olcTLSCipherSuite`
`4`		`-olcTLSCipherSuite: SECURE256:-VERS-SSL3.0`
	`4`	`+olcTLSCipherSuite: {{ LDAP_TLS_CIPHER_SUITE }}`
`5`	`5`	`-`
`6`	`6`	`replace: olcTLSProtocolMin`
`7`		`-olcTLSProtocolMin: 3.1`
	`7`	`+olcTLSProtocolMin: {{ LDAP_TLS_PROTOCOL_MIN }}`
`8`	`8`	`-`
`9`	`9`	`replace: olcTLSCACertificateFile`
`10`	`10`	`olcTLSCACertificateFile: /container/service/slapd/assets/certs/{{ LDAP_TLS_CA_CRT_FILENAME }}`
`@@ -19,4 +19,4 @@ replace: olcTLSDHParamFile`
`19`	`19`	`olcTLSDHParamFile: /container/service/slapd/assets/certs/dhparam.pem`
`20`	`20`	`-`
`21`	`21`	`replace: olcTLSVerifyClient`
`22`		`-olcTLSVerifyClient: demand`
	`22`	`+olcTLSVerifyClient: {{ LDAP_TLS_VERIFY_CLIENT }}`