working container. Made it very easy to dynamically enable/disable starttls.

Author: AnalogJ

Dockerfile

@@ -1,5 +1,16 @@
 FROM debian:buster-slim
-MAINTAINER Rafael Römhild <[email protected]>
+MAINTAINER Jason Kulatunga <[email protected]>
+
+# Configuration Env Variables with defaults
+ENV DATA_DIR="/opt/openldap/bootstrap/data"
+ENV CONFIG_DIR="/opt/openldap/bootstrap/config"
+ENV LDAP_DOMAIN=planetexpress.com
+ENV LDAP_ORGANISATION="Planet Express, Inc."
+ENV LDAP_BINDDN="cn=admin,dc=planetexpress,dc=com"
+ENV LDAP_SECRET=GoodNewsEveryone
+ENV LDAP_SSL_KEY="/etc/ldap/ssl/ldap.key"
+ENV LDAP_SSL_CERT="/etc/ldap/ssl/ldap.crt"
+ENV LDAP_FORCE_STARTTLS="false"
 
 # Install slapd and requirements
 RUN apt-get update \
@@ -10,23 +21,20 @@ RUN apt-get update \
             ldap-utils \
             openssl \
             ca-certificates \
-            tini \
     && rm -rf /var/lib/apt/lists/* \
     && mkdir /etc/ldap/ssl /bootstrap
 
-# ADD bootstrap files
-ADD ./bootstrap /bootstrap
+# Add s6-overlay
+ADD https://github.com/just-containers/s6-overlay/releases/download/v2.2.0.1/s6-overlay-amd64-installer /tmp/
+RUN chmod +x /tmp/s6-overlay-amd64-installer && /tmp/s6-overlay-amd64-installer /
 
-# Initialize LDAP with data
-RUN /bin/bash /bootstrap/slapd-init.sh
+# ADD rootfs files
+ADD ./rootfs /
 
 VOLUME ["/etc/ldap/slapd.d", "/etc/ldap/ssl", "/var/lib/ldap", "/run/slapd"]
 
-EXPOSE 389 636
+EXPOSE 10389 10636
 
-USER openldap
-
-ENTRYPOINT ["/usr/bin/tini", "--", "/usr/sbin/slapd"]
-CMD ["-h", "ldapi:/// ldap://0.0.0.0:10389 ldaps://0.0.0.0:10636", "-d", "256"]
+CMD ["/init"]
 
 HEALTHCHECK CMD ldapsearch -H ldap://127.0.0.1:10389 -D cn=admin,dc=planetexpress,dc=com -w GoodNewsEveryone -b cn=admin,dc=planetexpress,dc=com

README.md

@@ -29,6 +29,24 @@ docker pull rroemhild/test-openldap
 docker run --rm -p 10389:10389 -p 10636:10636 rroemhild/test-openldap
 ```
 
+## Testing
+
+```
+# List all Users
+ldapsearch -H ldap://localhost:10389 -x -b "ou=people,dc=planetexpress,dc=com" -D "cn=admin,dc=planetexpress,dc=com" -w GoodNewsEveryone "(objectClass=inetOrgPerson)"
+
+# Request StartTLS
+ldapsearch -H ldap://localhost:10389 -Z -x -b "ou=people,dc=planetexpress,dc=com" -D "cn=admin,dc=planetexpress,dc=com" -w GoodNewsEveryone "(objectClass=inetOrgPerson)"
+
+# Enforce StartTLS
+ldapsearch -H ldap://localhost:10389 -ZZ -x -b "ou=people,dc=planetexpress,dc=com" -D "cn=admin,dc=planetexpress,dc=com" -w GoodNewsEveryone "(objectClass=inetOrgPerson)"
+
+# Enforce StartTLS with self-signed cert
+LDAPTLS_REQCERT=never ldapsearch -H ldap://localhost:10389 -ZZ -x -b "ou=people,dc=planetexpress,dc=com" -D "cn=admin,dc=planetexpress,dc=com" -w GoodNewsEveryone "(objectClass=inetOrgPerson)"
+
+
+```
+
 ## Exposed ports
 
 * 10389 (ldap)

bootstrap/slapd-init.sh

@@ -5,6 +5,8 @@ services:
         container_name: ldap
         # use the image tag to pull directly from the repo
         # image: rroemhild/test-openldap
+        environment:
+            LDAP_FORCE_STARTTLS: "true"
 
         # use build tag to use the local repo
         build:
@@ -13,8 +15,8 @@ services:
         ports:
             - '10389:10389'
             - '10636:10636'
-        volumes:
-            - data_volume:/var/lib/ldap/
-
-volumes:
-    data_volume:
+#        volumes:
+#            - data_volume:/var/lib/ldap/
+#
+#volumes:
+#    data_volume:

docker-compose.yml

@@ -0,0 +1,21 @@
+#!/usr/bin/with-contenv bash
+set -eux
+
+echo "Reconfigure slapd..."
+cat <<EOL | debconf-set-selections
+slapd slapd/internal/generated_adminpw password ${LDAP_SECRET}
+slapd slapd/internal/adminpw password ${LDAP_SECRET}
+slapd slapd/password2 password ${LDAP_SECRET}
+slapd slapd/password1 password ${LDAP_SECRET}
+slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+slapd slapd/domain string ${LDAP_DOMAIN}
+slapd shared/organization string ${LDAP_ORGANISATION}
+slapd slapd/backend string HDB
+slapd slapd/purge_database boolean true
+slapd slapd/move_old_database boolean true
+slapd slapd/allow_ldap_v2 boolean false
+slapd slapd/no_configuration boolean false
+slapd slapd/dump_database select when needed
+EOL
+
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure slapd

rootfs/etc/cont-init.d/000-slapd-package-config

@@ -0,0 +1,24 @@
+#!/usr/bin/with-contenv bash
+set -eux
+
+if [[ -f "$LDAP_SSL_KEY" ]]  && [[ -f "$LDAP_SSL_CERT" ]]; then
+    echo "TLS Certificates already present. Using provided certificates"
+
+    # TODO: validate the provided certs match domain
+
+else
+    echo "Make self-signed certificate for ${LDAP_DOMAIN}..."
+    openssl req -subj "/CN=${LDAP_DOMAIN}" \
+                -new \
+                -newkey rsa:2048 \
+                -days 365 \
+                -nodes \
+                -x509 \
+                -keyout ${LDAP_SSL_KEY} \
+                -out ${LDAP_SSL_CERT}
+
+    chmod 600 ${LDAP_SSL_KEY}
+fi
+
+
+

rootfs/etc/cont-init.d/010-tls-certificates

@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv bash
+set -eux
+
+chown -R openldap:openldap /etc/ldap

rootfs/etc/cont-init.d/020-filesystem-perms

@@ -0,0 +1,67 @@
+#!/usr/bin/with-contenv bash
+set -eux
+
+configure_tls() {
+    echo "Configure TLS..."
+    ldapmodify -Y EXTERNAL -H ldapi:/// -f ${CONFIG_DIR}/tls.ldif -Q
+}
+
+
+configure_logging() {
+    echo "Configure logging..."
+    ldapmodify -Y EXTERNAL -H ldapi:/// -f ${CONFIG_DIR}/logging.ldif -Q
+}
+
+configure_msad_features(){
+  echo "Configure MS-AD Extensions"
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f ${CONFIG_DIR}/msad.ldif -Q
+}
+
+configure_admin_config_pw(){
+  echo "Configure admin config password..."
+  adminpw=$(slappasswd -h {SSHA} -s "${LDAP_SECRET}")
+  adminpw=$(printf '%s\n' "$adminpw" | sed -e 's/[\/&]/\\&/g')
+  sed -i s/ADMINPW/${adminpw}/g ${CONFIG_DIR}/configadminpw.ldif
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f ${CONFIG_DIR}/configadminpw.ldif -Q
+}
+
+configure_memberof_overlay(){
+  echo "Configure memberOf overlay..."
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f ${CONFIG_DIR}/memberof.ldif -Q
+}
+
+force_starttls(){
+  echo "Force StartTLS..."
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f ${CONFIG_DIR}/force-starttls.ldif -Q
+}
+
+load_initial_data() {
+    echo "Load data..."
+    local data=$(find ${DATA_DIR} -maxdepth 1 -name \*_\*.ldif -type f | sort)
+    for ldif in ${data}; do
+        echo "Processing file ${ldif}..."
+        ldapadd -x -H ldapi:/// \
+          -D ${LDAP_BINDDN} \
+          -w ${LDAP_SECRET} \
+          -f ${ldif}
+    done
+}
+
+
+## Init
+
+
+slapd -h "ldapi:///" -u openldap -g openldap
+
+configure_msad_features
+configure_tls
+configure_logging
+configure_memberof_overlay
+configure_admin_config_pw
+load_initial_data
+if [ "$LDAP_FORCE_STARTTLS" == "true" ]; then
+    force_starttls
+fi
+
+# Shutdown openldap daemon
+kill -INT `cat /run/slapd/slapd.pid` && sleep 1

rootfs/etc/cont-init.d/050-openldap-populate

@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv bash
+
+echo "starting slapd"
+/usr/sbin/slapd -h "ldapi:/// ldap://0.0.0.0:10389 ldaps://0.0.0.0:10636" -d 256