Merge pull request #32 from AnalogJ/master

STARTTLS, custom/valid certificate support, runtime configuration  & other enhancements

Author: rroemhild

.github/workflows/docker-publish.yml

@@ -0,0 +1,63 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  schedule:
+    - cron: '36 12 * * *'
+  push:
+    branches: [ master ]
+    # Publish semver tags as releases.
+    tags: [ 'v*.*.*' ]
+  pull_request:
+    branches: [ master ]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -0,0 +1 @@
+certs

Dockerfile

@@ -1,5 +1,16 @@
 FROM debian:buster-slim
-MAINTAINER Rafael Römhild <[email protected]>
+
+# Configuration Env Variables with defaults
+ENV DATA_DIR="/opt/openldap/bootstrap/data"
+ENV CONFIG_DIR="/opt/openldap/bootstrap/config"
+ENV LDAP_DOMAIN=planetexpress.com
+ENV LDAP_ORGANISATION="Planet Express, Inc."
+ENV LDAP_BINDDN="cn=admin,dc=planetexpress,dc=com"
+ENV LDAP_SECRET=GoodNewsEveryone
+ENV LDAP_CA_CERT="/etc/ldap/ssl/fullchain.crt"
+ENV LDAP_SSL_KEY="/etc/ldap/ssl/ldap.key"
+ENV LDAP_SSL_CERT="/etc/ldap/ssl/ldap.crt"
+ENV LDAP_FORCE_STARTTLS="false"
 
 # Install slapd and requirements
 RUN apt-get update \
@@ -10,23 +21,20 @@ RUN apt-get update \
             ldap-utils \
             openssl \
             ca-certificates \
-            tini \
     && rm -rf /var/lib/apt/lists/* \
     && mkdir /etc/ldap/ssl /bootstrap
 
-# ADD bootstrap files
-ADD ./bootstrap /bootstrap
+# Add s6-overlay
+ADD https://github.com/just-containers/s6-overlay/releases/download/v2.2.0.1/s6-overlay-amd64-installer /tmp/
+RUN chmod +x /tmp/s6-overlay-amd64-installer && /tmp/s6-overlay-amd64-installer /
 
-# Initialize LDAP with data
-RUN /bin/bash /bootstrap/slapd-init.sh
+# ADD rootfs files
+ADD ./rootfs /
 
 VOLUME ["/etc/ldap/slapd.d", "/etc/ldap/ssl", "/var/lib/ldap", "/run/slapd"]
 
-EXPOSE 389 636
-
-USER openldap
+EXPOSE 10389 10636
 
-ENTRYPOINT ["/usr/bin/tini", "--", "/usr/sbin/slapd"]
-CMD ["-h", "ldapi:/// ldap://0.0.0.0:10389 ldaps://0.0.0.0:10636", "-d", "256"]
+CMD ["/init"]
 
-HEALTHCHECK CMD ldapsearch -H ldap://127.0.0.1:10389 -D cn=admin,dc=planetexpress,dc=com -w GoodNewsEveryone -b cn=admin,dc=planetexpress,dc=com
+HEALTHCHECK CMD ["ldapsearch", "-H", "ldap://127.0.0.1:10389", "-D", "${LDAP_BINDDN}", "-w", "${LDAP_SECRET}", "-b", "${LDAP_BINDDN}"]

LETSENCRYPT_CERTS.md

@@ -0,0 +1,40 @@
+# LetsEncrypt Certificates for OpenLDAP
+- Use https://github.com/matrix-org/docker-dehydrated#behaviour
+    ```
+    mkdir data
+    echo "ldap.customdomain.com" > data/domains.txt
+
+    # create a docker-compose.yml file
+    version: '2'
+    services:
+      dehydrated:
+        image: docker.io/matrixdotorg/dehydrated
+        restart: unless-stopped
+        volumes:
+          - ./data:/data
+        environment:
+          - DEHYDRATED_GENERATE_CONFIG=yes
+          - DEHYDRATED_CA="https://acme-v02.api.letsencrypt.org/directory"
+          # - DEHYDRATED_CA="https://acme-staging-v02.api.letsencrypt.org/directory"
+          - DEHYDRATED_CHALLENGE="dns-01"
+          - DEHYDRATED_KEYSIZE="4096"
+          - DEHYDRATED_HOOK="/usr/local/bin/lexicon-hook"
+          - DEHYDRATED_RENEW_DAYS="30"
+          - DEHYDRATED_KEY_RENEW="yes"
+          - DEHYDRATED_EMAIL="[email protected]"
+          - DEHYDRATED_ACCEPT_TERMS=yes
+          - PROVIDER=cloudflare
+          - LEXICON_CLOUDFLARE_USERNAME
+          - LEXICON_CLOUDFLARE_TOKEN
+
+
+    #run docker compose
+    docker-compose up
+    ```
+
+# Copy Certificates to correct directory
+```
+cp fullchain-*.pem ldap/fullchain.crt
+cp cert-*.pem ldap/ldap.crt
+cp privkey-1623520297.pem ldap/ldap.key
+```

README.md

@@ -17,9 +17,11 @@ The Flask extension [flask-ldapconn][flaskldapconn] use this image for unit test
 ## Features
 
 * Initialized with data from Futurama
-* Support for TLS (snake oil cert on build)
+* Support for LDAP over TLS (STARTTLS) using a self-signed cert, or valid certificates (LetsEncrypt, etc)
 * memberOf overlay support
 * MS-AD style groups support
+* Supports Forced STARTTLS 
+* Supports custom domain and custom directory structure
 
 
 ## Usage
@@ -29,6 +31,22 @@ docker pull rroemhild/test-openldap
 docker run --rm -p 10389:10389 -p 10636:10636 rroemhild/test-openldap
 ```
 
+## Testing
+
+```
+# List all Users
+ldapsearch -H ldap://localhost:10389 -x -b "ou=people,dc=planetexpress,dc=com" -D "cn=admin,dc=planetexpress,dc=com" -w GoodNewsEveryone "(objectClass=inetOrgPerson)"
+
+# Request StartTLS
+ldapsearch -H ldap://localhost:10389 -Z -x -b "ou=people,dc=planetexpress,dc=com" -D "cn=admin,dc=planetexpress,dc=com" -w GoodNewsEveryone "(objectClass=inetOrgPerson)"
+
+# Enforce StartTLS
+ldapsearch -H ldap://localhost:10389 -ZZ -x -b "ou=people,dc=planetexpress,dc=com" -D "cn=admin,dc=planetexpress,dc=com" -w GoodNewsEveryone "(objectClass=inetOrgPerson)"
+
+# Enforce StartTLS with self-signed cert
+LDAPTLS_REQCERT=never ldapsearch -H ldap://localhost:10389 -ZZ -x -b "ou=people,dc=planetexpress,dc=com" -D "cn=admin,dc=planetexpress,dc=com" -w GoodNewsEveryone "(objectClass=inetOrgPerson)"
+```
+
 ## Exposed ports
 
 * 10389 (ldap)

bootstrap/slapd-init.sh

@@ -5,16 +5,21 @@ services:
         container_name: ldap
         # use the image tag to pull directly from the repo
         # image: rroemhild/test-openldap
-
+        environment:
+            LDAP_FORCE_STARTTLS: "true"
+            LDAP_DOMAIN: "customdomain.com"
+            LDAP_BASEDN: "dc=customdomain,dc=com"
+            LDAP_ORGANISATION: "Custom Domain, Inc."
+            LDAP_BINDDN: "cn=admin,dc=customdomain,dc=com"
         # use build tag to use the local repo
         build:
             context: ./
             dockerfile: ./Dockerfile
         ports:
             - '10389:10389'
             - '10636:10636'
-        volumes:
-            - data_volume:/var/lib/ldap/
-
-volumes:
-    data_volume:
+#        volumes:
+#            - data_volume:/var/lib/ldap/
+#
+#volumes:
+#    data_volume:

docker-compose.yml

@@ -0,0 +1,21 @@
+#!/usr/bin/with-contenv bash
+set -eux
+
+echo "Reconfigure slapd..."
+cat <<EOL | debconf-set-selections
+slapd slapd/internal/generated_adminpw password ${LDAP_SECRET}
+slapd slapd/internal/adminpw password ${LDAP_SECRET}
+slapd slapd/password2 password ${LDAP_SECRET}
+slapd slapd/password1 password ${LDAP_SECRET}
+slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+slapd slapd/domain string ${LDAP_DOMAIN}
+slapd shared/organization string ${LDAP_ORGANISATION}
+slapd slapd/backend string HDB
+slapd slapd/purge_database boolean true
+slapd slapd/move_old_database boolean true
+slapd slapd/allow_ldap_v2 boolean false
+slapd slapd/no_configuration boolean false
+slapd slapd/dump_database select when needed
+EOL
+
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure slapd

rootfs/etc/cont-init.d/000-slapd-package-config

@@ -0,0 +1,24 @@
+#!/usr/bin/with-contenv bash
+set -eux
+
+if [[ -f "$LDAP_SSL_KEY" ]]  && [[ -f "$LDAP_SSL_CERT" ]]; then
+    echo "TLS Certificates already present. Using provided certificates"
+
+    # TODO: validate the provided certs match domain
+
+else
+    echo "Make self-signed certificate for ${LDAP_DOMAIN}..."
+    openssl req -subj "/CN=${LDAP_DOMAIN}" \
+                -new \
+                -newkey rsa:2048 \
+                -days 365 \
+                -nodes \
+                -x509 \
+                -keyout ${LDAP_SSL_KEY} \
+                -out ${LDAP_SSL_CERT}
+
+    chmod 600 ${LDAP_SSL_KEY}
+fi
+
+
+

rootfs/etc/cont-init.d/010-tls-certificates

@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv bash
+set -eux
+
+chown -R openldap:openldap /etc/ldap