6.0 - See Changelog

CHANGELOG.md

@@ -1,3 +1,10 @@
+## 6.0 2018-08-18 <dave at tiredofit dot ca>
+
+* Stop relying on slapd.conf on first time initialization
+* Properly apply ACLs for ppolicy 
+* Generate Wordlist for ppm.so
+* Automatically generate check_password.conf and ppm.conf
+
 ## 5.5 2018-08-16 <dave at tiredofit dot ca>
 
 * Fix for ACLs not applying on initial boot 

Dockerfile

@@ -15,9 +15,11 @@ ENV ADMIN_PASS=admin \
     ENABLE_TLS=true \
     LOG_LEVEL=256 \
     OPENLDAP_VERSION=2.4.46 \
+    ORGANIZATION="Example Organization" \
     READONLY_USER_PASS=readonly \
     READONLY_USER_USER=readonly \
     REMOVE_CONFIG_AFTER_SETUP=false \
+    SCHEMA2LDIF_VERSION=1.3 \
     SCHEMA_TYPE=nis \
     SSL_HELPER_PREFIX=ldap \
     TLS_CA_CRT_FILENAME=ca.pem \
@@ -28,6 +30,7 @@ ENV ADMIN_PASS=admin \
     TLS_VERIFY_CLIENT=try \
     ZABBIX_HOSTNAME=openldap-app
 
+
 COPY CHANGELOG.md /tiredofit/
 
 RUN set -x && \
@@ -59,12 +62,12 @@ RUN set -x && \
         cyrus-sasl \
         coreutils \
         cracklib \
-        cracklib-words \
         libressl \
         libltdl \
         libuuid \
         libintl \
         nginx \
+        perl \
         sed \
         sudo \
         unixodbc \
@@ -159,10 +162,24 @@ RUN set -x && \
     curl -o /usr/sbin/cfssljson -SL https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 && \
     chmod 700 /usr/sbin/cfssljson && \
     \
+## Install Schema2LDIF
+    curl https://codeload.github.com/fusiondirectory/schema2ldif/tar.gz/${SCHEMA2LDIF_VERSION} | tar xvfz - --strip 1 -C /usr && \
+    rm -rf /usr/Changelog && \
+    rm -rf /usr/LICENSE && \
+    \
+## Create Cracklib Dictionary
+    mkdir -p /usr/share/dict && \
+    cd /usr/share/dict && \
+    wget https://github.com/cracklib/cracklib/releases/download/cracklib-2.9.6/cracklib-words-2.9.6.gz && \
+    create-cracklib-dict -o pw_dict cracklib-words-2.9.6.gz && \
+    rm -rf cracklib-words-2.9.6.gz && \
+    \
 ### Cleanup
+    apk del \
+        .openldap-build-deps \
+        && \
     rm -rf /tiredofit \
-           /var/cache/apk/* && \
-    apk del .openldap-build-deps
+           /var/cache/apk/*
 
 ### Add Assets
 ADD install /

README.md

@@ -109,6 +109,7 @@ Required and used for new ldap server only:
 | `BASE_DN` | LDAP base DN. If empty automatically set from `DOMAIN` value. Default  (empty) |
 | `ADMIN_PASS` | Ldap Admin password. Default  `admin` |
 | `CONFIG_PASS` | Ldap Config password. Default  `config` |
+| `ORGANIZATION` | Organization Name Default: `Example Organization` |
 | `ENABLE_READONLY_USER` | Add a read only user. Default`false` |
 | `READONLY_USER_USER` | Read only user username. Default `readonly |
 | `READONLY_USER_PASS` | Read only user password. Default `readonly` |
@@ -129,6 +130,17 @@ Backup Options:
 | `BACKUP_DATA_CRON_PERIOD` | Cron expression to schedule OpenLDAP data backup. Defaults `0 4 * * *`  Every day at 4am. |
 | `BACKUP_TTL ` | Automatically cleanup backup after how many days. Default `15` |
 
+Password Policy Options (only if using check_password.so):
+
+| Variable | Description |
+|-----------|-------------|
+| `PPOLICY_MAX_CONSEC`| Maximu Consective Character Pattern - Default `0` |
+| `PPOLICY_MIN_DIGIT` | Minimum Digit Characters - Default `0` |
+| `PPOLICY_MIN_LOWER` | Minimum Lowercase Characters - Default `0` |
+| `PPOLICY_MIN_POINTS`| Minimum Points required to pass checker - Default `3` |
+| `PPOLICY_MIN_PUNCT` | Minimum Punctuation Characters - Default `0` |
+| `PPOLICY_MIN_UPPER` | Minimum Uppercase Characters - Default `0` |
+
 TLS options:
 
 | Variable | Description |

install/assets/slapd/config/bootstrap/ldif/01-config-password.ldif

@@ -1,7 +1,11 @@
-# Set config password
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+add: olcRootDN
+olcRootDN: cn=admin,cn=config
+
 dn: cn=config
 changeType: modify
 
 dn: olcDatabase={0}config,cn=config
 add: olcRootPW
-olcRootPW: <CONFIG_PASS_ENCRYPTED>
+olcRootPW: <CONFIG_PASS_ENCRYPTED>

install/assets/slapd/config/bootstrap/ldif/02-security.ldif

@@ -1,5 +1,5 @@
 dn: olcDatabase={1}<BACKEND>,cn=config
 changeType: modify
 add: olcAccess
-olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,<BASE_DN>" write by anonymous auth by * none
-olcAccess: to * by self write by dn="cn=admin,<BASE_DN>" write by * none
+olcAccess: to attrs=userPassword,shadowLastChange by self =xw by dn="cn=admin,<BASE_DN>" write by anonymous auth by * none
+olcAccess: to * by self write by dn="cn=admin,<BASE_DN>" write by * read

install/etc/cont-init.d/10-openldap

@@ -10,10 +10,35 @@ function get_ldap_base_dn() {
       BASE_DN=$BASE_DN$EXT
     done
 
+    IFS='.' read -a domain_elems <<< "${DOMAIN}"
+    SUFFIX=""
+    ROOT=""
+
+    for elem in "${domain_elems[@]}" ; do
+        if [ "x${SUFFIX}" = x ] ; then
+            SUFFIX="dc=${elem}"
+            ROOT="${elem}"
+        fi
+    done
+
     BASE_DN=${BASE_DN::-1}
   fi
 }
 
+
+  IFS='.' read -a domain_elems <<< "${DOMAIN}"
+  SUFFIX=""
+  ROOT=""
+
+  for elem in "${domain_elems[@]}" ; do
+      if [ "x${SUFFIX}" = x ] ; then
+          SUFFIX="dc=${elem}"
+          ROOT="${elem}"
+      else
+          BASE_DN="${SUFFIX},dc=${elem}"
+      fi
+  done
+
 function is_new_schema() {
   local COUNT=$(ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config cn | grep -c $1)
   if [ "$COUNT" -eq 0 ]; then
@@ -42,12 +67,20 @@ function ldap_add_or_modify (){
 function schema2ldif (){
   SCHEMAS=$1
 
+# Dual Schema Support
+  if [ "$SCHEMA_TYPE" = "rfc2307bis" ] || [ "$SCHEMA_TYPE" = "RFC2307BIS" ]; then
+    cp -R /assets/slapd/config/bootstrap/schema/rfc2307bis/rfc2307bis.schema /etc/openldap/schema/
+    SCHEMA_TYPE="rfc2307bis"
+  else
+    SCHEMA_TYPE="nis"
+  fi
+
   tmpd=`mktemp -d`
   pushd ${tmpd} >>/dev/null
 
   echo "include /etc/openldap/schema/core.schema" >> convert.dat
   echo "include /etc/openldap/schema/cosine.schema" >> convert.dat
-  echo "include /etc/openldap/schema/nis.schema" >> convert.dat
+  echo "include /etc/openldap/schema/${SCHEMA_TYPE}.schema" >> convert.dat
   echo "include /etc/openldap/schema/inetorgperson.schema" >> convert.dat
 
   for schema in ${SCHEMAS} ; do
@@ -153,7 +186,7 @@ if [ ! -e "$FIRST_START_DONE" ]; then
     # RFC2307bis schema
     if [ "$SCHEMA_TYPE" = "rfc2307bis" ] || [ "$SCHEMA_TYPE" = "RFC2307BIS" ]; then
       echo "** [openldap] Using RFC2307BIS schema type"
-      cp /assets/slapd/config/bootstrap/schema/rfc2307bis/rfc2307bis.* /etc/openldap/schema/
+      cp -R /assets/slapd/config/bootstrap/schema/rfc2307bis/rfc2307bis.schema /etc/openldap/schema/
       SCHEMA_TYPE="rfc2307bis"
     else
       echo "** [openldap] Using NIS schema type"
@@ -163,45 +196,78 @@ if [ ! -e "$FIRST_START_DONE" ]; then
     get_ldap_base_dn
 
     ### Create Sample Configuration to Populate Schema
-    cat <<EOF > /tmp/slapd.conf
-include   /etc/openldap/schema/core.schema
-include   /etc/openldap/schema/cosine.schema
-include   /etc/openldap/schema/inetorgperson.schema
-include   /etc/openldap/schema/${SCHEMA_TYPE}.schema
-pidfile   /run/openldap/slapd.pid
-argsfile  /run/openldap/slapd.args
-modulepath  /usr/lib/openldap
-moduleload  back_mdb.so
-
-disallow tls_2_anon 
-
-database  mdb
-maxsize   1073741824
-suffix    "${BASE_DN}"
-rootdn    "cn=admin,${BASE_DN}"
-rootpw    `slappasswd -s ${ADMIN_PASS}`
-directory /var/lib/openldap
-
-#sortvals uid
-
-database config
-rootdn "cn=admin,cn=config"
-access to *
+    cat <<EOF > /tmp/slapd.ldif
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcPidFile: /run/openldap/slapd.pid
+olcArgsFile: /run/openldap/slapd.args
+
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulepath:  /usr/lib/openldap
+olcModuleload:  back_mdb.so
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+include: file:///etc/openldap/schema/cosine.ldif
+include: file:///etc/openldap/schema/inetorgperson.ldif
+include: file:///etc/openldap/schema/${SCHEMA_TYPE}.ldif
+
+# Frontend settings
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: frontend
+olcAccess: to dn.base="" by * read
+olcAccess: to dn.base="cn=Subschema" by * read
+olcAccess: to *
+  by self write
+  by users read
+  by anonymous auth
+
+# Config Settings
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcRootPW: `slappasswd -s ${CONFIG_PASS}`
+olcAccess: to *
   by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by break
   by * break
 
-database monitor
-access to dn.subtree="cn=Monitor"
-  by dn.exact="cn=admin,$BASE_DN" write
-  by users read
-  by * none 
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcSuffix: ${BASE_DN}
+OlcDbMaxSize: 1073741824
+olcDbDirectory: /var/lib/openldap
+olcRootDN: cn=admin,${BASE_DN}
+olcRootPW: `slappasswd -s ${ADMIN_PASS}`
+olcDbIndex: objectClass eq
+
+dn: olcDatabase=Monitor,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMonitorConfig
+olcDatabase: Monitor
+olcAccess: to dn.subtree="cn=Monitor" by dn.exact="cn=admin,${BASE_DN}" write by users read by * none 
 EOF
 
 set +e
-silent slaptest -f /tmp/slapd.conf -F /etc/openldap/slapd.d
-silent slaptest -f /tmp/slapd.conf -F /etc/openldap/slapd.d -u
-rm -rf /tmp/slapd.conf
+
+/usr/bin/schema2ldif /etc/openldap/schema/core.schema > /etc/openldap/schema/core.ldif
+/usr/bin/schema2ldif /etc/openldap/schema/cosine.schema > /etc/openldap/schema/cosine.ldif
+/usr/bin/schema2ldif /etc/openldap/schema/inetorgperson.schema > /etc/openldap/schema/inetorgperson.ldif
+/usr/bin/schema2ldif /etc/openldap/schema/${SCHEMA_TYPE}.schema > /etc/openldap/schema/${SCHEMA_TYPE}.ldif
+
+silent slapadd -n 0 -F /etc/openldap/slapd.d -l /tmp/slapd.ldif
+rm -rf /tmp/slapd.ldif
 set -e
+
 chown -R ldap:ldap /etc/openldap 
 
   # Error: the database directory (/var/lib/openldap) is empty but not the config directory (/etc/openldap/slapd.d)
@@ -338,11 +404,10 @@ chown -R ldap:ldap /etc/openldap
       echo "** [openldap] Processing file ${f}"
       ldap_add_or_modify "$f"
     done
-
 
     # Add ppolicy schema
     echo "** [openldap] Adding ppolicy Schema"
-    schema2ldif /etc/openldap/schema/ppolicy.schema && \
+    /usr/bin/schema2ldif /etc/openldap/schema/ppolicy.schema > /etc/openldap/schema/ppolicy.ldif && \
     silent ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
 
     # Read only user
@@ -353,6 +418,7 @@ chown -R ldap:ldap /etc/openldap
       ldap_add_or_modify "/assets/slapd/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif"
     fi
 
+    # Custom LDIF injection
     if [ -d /assets/slapd/config/bootstrap/ldif/custom ]; then
       echo "** [openldap] Add custom bootstrap ldifs"
       for f in $(find /assets/slapd/config/bootstrap/ldif/custom -type f -name \*.ldif  | sort); do
@@ -466,6 +532,55 @@ chown -R ldap:ldap /etc/openldap
     done
   fi  
 
+
+  ## Configure PPolicy check_password.so + ppm.so module
+  PPOLICY_CHECK_RDN=${PPOLICY_CHECK_RDN:-0}
+  PPOLICY_MAX_CONSEC=${PPOLICY_MAX_CONSEC:-0}
+  PPOLICY_MAX_LENGTH=${PPOLICY_MAX_LENGTH:-0}
+  PPOLICY_MIN_DIGIT=${PPOLICY_MIN_DIGIT:-0}
+  PPOLICY_MIN_LOWER=${PPOLICY_MIN_LOWER:-0}
+  PPOLICY_MIN_POINTS=${PPOLICY_MIN_POINTS:-3}
+  PPOLICY_MIN_PUNCT=${PPOLICY_MIN_PUNCT:-0}
+  PPOLICY_MIN_UPPER=${PPOLICY_MIN_UPPER:-0}
+  PPOLICY_USE_CRACKLIB=${PPOLICY_USE_CRACKLIB:-1}
+
+  ### check_password.so
+  if [ ! -f /etc/openldap/check_password.conf ]; then
+    cat <<EOF > /etc/openldap/check_password.conf
+## check_password.conf
+## Auto Generated by Container, any changes will be reset on container restart!
+min_points $PPOLICY_MIN_POINTS
+min_upper $PPOLICY_MIN_UPPER
+min_lower $PPOLICY_MIN_LOWER
+min_digit $PPOLICY_MIN_DIGIT
+min_punct $PPOLICY_MIN_PUNCT
+max_consecutive_per_class $PPOLICY_MAX_CONSEC
+EOF
+
+    chown ldap. /etc/openldap/check_password.conf
+  fi
+
+  ### ppm.so
+  if [ ! -f /etc/openldap/ppm.conf ]; then
+    cat <<EOF > /etc/openldap/ppm.conf
+## ppm.conf
+## Auto Generated by Container, any changes will be reset on container restart!
+minQuality $PPOLICY_MIN_POINTS
+maxLength $PPOLICY_MAX_LENGTH
+checkRDN $$POLICY_CHECK_RDN
+forbiddenChars $PPOLICY_FORBIDDEN_CHARACTERS
+maxConsecutivePerClass $PPOLICY_MAX_CONSEC
+useCracklib $PPOLICY_USE_CRACKLIB
+cracklibDict /usr/share/dict/pw_dict
+class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ $PPOLICY_MIN_UPPER 1
+class-lowerCase abcdefghijklmnopqrstuvwxyz $PPOLICY_MIN_LOWER 1
+class-digit 0123456789 $PPOLICY_MIN_DIGIT 1
+class-special <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+ $PPOLICY_MIN_PUNCT 1
+EOF
+
+    chown ldap. /etc/openldap/ppm.conf  
+  fi
+
   # Stop OpenLDAP
   echo "** [openldap] Finished OpenLDAP Initialization"