Release 7.0.2 - See CHANGELOG.md and README.md

CHANGELOG.md

@@ -1,10 +1,4 @@
-## 7.0.1 2020-06-25 <dave at tiredofit dot ca>
-
-   ### Changed
-      - Patchup for READONLY user not adjusting LDIF properly
-
-
-## 7.0.0 2020-06-25 <dave at tiredofit dot ca>
+## 7.0.2 2020-06-25 <dave at tiredofit dot ca>
 
    ### Added
       - Rewrote entire image seperating into functions
@@ -21,7 +15,7 @@
       - Removed HDB Database functionality, only supporting mdb going forward
 
 
-## 6.9.2 2020-06-18 <tiredofit>
+## 6.9.2 2020-06-18 <dave at tiredofit dot ca>
 
    ### Changed
       - Fixed initialization script not pulling defaults properly

examples/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.7'
 services:
 
   openldap-app:
-    hostname: localhost
+    hostname: ldap.example.org
     image: tiredofit/openldap
     container_name: openldap-app
     ports:
@@ -14,21 +14,21 @@ services:
       - ./config:/etc/openldap/slapd.d
       - ./certs:/certs
     environment:
-      - HOSTNAME=localhost
-      - LOG_LEVEL=256,128
+      - HOSTNAME=ldap.example.org
+      - LOG_LEVEL=256
       - DOMAIN=example.org
+      - BASE_DN=dc=example,dc=org
       - ADMIN_PASS=admin
       - CONFIG_PASS=config
+      - DEBUG_MODE=FALSE
 
-      - BASE_DN=dc=example,dc=org
       - ENABLE_READONLY_USER=FALSE
       - READONLY_USER_USER=reader
       - READONLY_USER_PASS=reader
 
       - ENABLE_TLS=TRUE
       - TLS_CRT_FILENAME=cert.pem
       - TLS_KEY_FILENAME=key.pem
-      - TLS_CA_CRT_FILENAME=ca.pem
       - TLS_ENFORCE=FALSE
       - TLS_CIPHER_SUITE=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA
       - TLS_VERIFY_CLIENT=never
@@ -41,9 +41,8 @@ services:
       - REMOVE_CONFIG_AFTER_SETUP=false
 
       - ENABLE_BACKUP=TRUE
-      - BACKUP_CONFIG_CRON_PERIOD=0 4 * * *
-      - BACKUP_DATA_CRON_PERIOD=0 4 * * *
-      - BACKUP_TTL=15
+      - BACKUP_INTERVAL=0400
+      - BACKUP_RETENTION=10080
 
       - ENABLE_ZABBIX=TRUE    
       - ZABBIX_HOSTNAME=openldap-app

install/assets/functions/10-openldap

@@ -361,8 +361,6 @@ EOF
           chown ldap:ldap $PREVIOUS_TLS_CRT_PATH $PREVIOUS_TLS_KEY_PATH $PREVIOUS_TLS_CA_CRT_PATH $PREVIOUS_TLS_DH_PARAM_PATH || true
           chmod 600 ${PREVIOUS_TLS_DH_PARAM_PATH}
         fi
-
-        #silent ssl-helper $SSL_HELPER_PREFIX $PREVIOUS_TLS_CRT_PATH $PREVIOUS_TLS_KEY_PATH $PREVIOUS_TLS_CA_CRT_PATH
       fi
 
       ### Replication Sanity Tester
@@ -397,7 +395,7 @@ EOF
 
       ### Start OpenLDAP
       print_debug "Starting OpenLDAP Initialization Sequence"
-      silent slapd -h "ldap://$HOSTNAME ldapi:///" -u ldap -g ldap -d $LOG_LEVEL &
+      silent slapd -h "ldap://$HOSTNAME ldapi:///" -u ldap -g ldap -d 256 &
       print_debug "Waiting for OpenLDAP to be ready"
       while [ ! -e /run/openldap/slapd.pid ]; do sleep 2.0; done
 
@@ -424,6 +422,13 @@ EOF
           fi
         done
 
+        if var_true $ENABLE_READONLY_USER; then
+          READONLY_USER_PASS_ENCRYPTED=$(slappasswd -s $READONLY_USER_PASS)
+          sed -i "s|<BASE_DN>|${BASE_DN}|g" /assets/slapd/config/bootstrap/ldif/readonly-user/*.ldif
+          sed -i "s|<READONLY_USER_USER>|${READONLY_USER_USER}|g" /assets/slapd/config/bootstrap/ldif/readonly-user/*.ldif
+          sed -i "s|<READONLY_USER_PASS_ENCRYPTED>|${READONLY_USER_PASS_ENCRYPTED}|g" /assets/slapd/config/bootstrap/ldif/readonly-user/*.ldif
+        fi
+
         # Adapt security and ACLs
         print_notice "Setting Security and ACLs"
         get_ldap_base_dn
@@ -441,16 +446,6 @@ EOF
         /usr/bin/schema2ldif ${CONFIG_PATH}schema/ppolicy.schema >${CONFIG_PATH}schema/ppolicy.ldif
         ldap_add_or_modify ${CONFIG_PATH}schema/ppolicy.ldif
 
-        # Read only user
-        if var_true $ENABLE_READONLY_USER; then
-          print_notice "Adding read only (DSA) user"
-          READONLY_USER_PASS_ENCRYPTED=$(slappasswd -s $READONLY_USER_PASS)
-          sed -i "s|<READONLY_USER_USER>|${READONLY_USER_USER}|g" /assets/slapd/config/bootstrap/ldif/readonly-user/*.ldif
-          sed -i "s|<READONLY_USER_PASS_ENCRYPTED>|${READONLY_USER_PASS_ENCRYPTED}|g" /assets/slapd/config/bootstrap/ldif/readonly-user/*.ldif
-          ldap_add_or_modify "/assets/slapd/config/bootstrap/ldif/readonly-user/readonly-user.ldif"
-          ldap_add_or_modify "/assets/slapd/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif"
-        fi
-
         # Custom LDIF injection
         if [ -d /assets/slapd/config/bootstrap/ldif/custom ]; then
           print_notice "Add custom bootstrap ldifs"
@@ -563,6 +558,12 @@ EOF
           print_notice "Adding default top level data configuration"
           chmod +x /assets/slapd/config/bootstrap/default/default.sh
           /assets/slapd/config/bootstrap/default/default.sh
+        # Read only user
+        if var_true $ENABLE_READONLY_USER; then
+          print_notice "Adding read only (DSA) user"
+          ldap_add_or_modify "/assets/slapd/config/bootstrap/ldif/readonly-user/readonly-user.ldif"
+          ldapmodify -H 'ldapi:///' -f /assets/slapd/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
+        fi
         fi
       fi
 

install/assets/slapd/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif

@@ -3,5 +3,6 @@ changetype: modify
 delete: olcAccess
 -
 add: olcAccess
-olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,<BASE_DN>" write by anonymous auth by * none
+olcAccess: to attrs=userPassword,shadowLastChange by self =xw by dn="cn=admin,<BASE_DN>" write by anonymous auth by * none
+olcAccess: to * by self write by dn="cn=admin,<BASE_DN>" write by * read
 olcAccess: to * by self read by dn="cn=admin,<BASE_DN>" write by dn="cn=<READONLY_USER_USER>,<BASE_DN>" read by * none