Release 7.1.0 - See CHANGELOG.md

CHANGELOG.md

@@ -1,3 +1,13 @@
+## 7.1.0 2020-08-11 <dave at tiredofit dot ca>
+
+   ### Added
+      - Add SHA2 password support
+      - Add Argon password support
+
+   ### Reverted
+      - Remove Nginx for Letsencrypt Certificate Generation - It served its purpose, there are better ways now.
+
+
 ## 7.0.3 2020-07-26 <dave at tiredofit dot ca>
 
    ### Added

Dockerfile

@@ -29,6 +29,7 @@ RUN set -x && \
                 git \
                 groff \
                 openssl-dev \
+                libsodium-dev \
                 libtool \
                 m4 \
                 mosquitto-dev \
@@ -45,7 +46,7 @@ RUN set -x && \
                 libltdl \
                 libuuid \
                 libintl \
-                nginx \
+                libsodium \
                 openssl \
                 perl \
                 pigz \
@@ -128,7 +129,11 @@ RUN set -x && \
     make -j$(getconf _NPROCESSORS_ONLN) DESTDIR="" prefix=/usr libexec=/usr/lib -C contrib/slapd-modules/mqtt install && \
     ## Build passwd pbkdf2.
     make -j$(getconf _NPROCESSORS_ONLN) DESTDIR="" prefix=/usr libexecdir=/usr/lib -C contrib/slapd-modules/passwd/pbkdf2 install && \
-    #\
+    ## Build passwd SHA2
+    make -j$(getconf _NPROCESSORS_ONLN) DESTDIR="" prefix=/usr libexecdir=/usr/lib -C contrib/slapd-modules/passwd/sha2 install && \
+    ## Build passwd Argon2
+    make -j$(getconf _NPROCESSORS_ONLN) DESTDIR="" prefix=/usr libexecdir=/usr/lib -C contrib/slapd-modules/passwd/argon2 install && \
+    #
     ## Build ppolicy-check Module
     cd /tiredofit/openldap:`head -n 1 /tiredofit/CHANGELOG.md | awk '{print $2'}`/ && \
     make -j$(getconf _NPROCESSORS_ONLN) prefix=/usr libexecdir=/usr/lib -C contrib/slapd-modules/ppolicy-check-password LDAP_INC_PATH=/tiredofit/openldap:`head -n 1 /tiredofit/CHANGELOG.md | awk '{print $2'}` && \
@@ -137,7 +142,7 @@ RUN set -x && \
     cd /tiredofit/openldap:`head -n 1 /tiredofit/CHANGELOG.md | awk '{print $2'}`/ && \
     make prefix=/usr libexecdir=/usr/lib -C contrib/slapd-modules/ppm LDAP_INC_PATH=/tiredofit/openldap:`head -n 1 /tiredofit/CHANGELOG.md | awk '{print $2'}` && \
     cp /tiredofit/openldap:`head -n 1 /tiredofit/CHANGELOG.md | awk '{print $2'}`/contrib/slapd-modules/ppm/ppm.so /usr/lib/openldap && \
-    \
+
 ### OpenLDAP Setup
     ln -s /usr/lib/slapd /usr/sbin && \
     mkdir -p /usr/share/doc/openldap && \
@@ -171,7 +176,7 @@ RUN set -x && \
            /var/cache/apk/*
 
 ### Networking
-EXPOSE 80 389 636 
+EXPOSE 389 636
 
 ### Add Assets
 ADD install /

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2017 Dave Conroy
+Copyright (c) 2020 Dave Conroy
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -16,9 +16,9 @@ Upon starting this image it will give you a ready to run server with many config
 * All overlays compiled
 * Supports TLS encryption
 * Supports Replication
-* Optional Web Server included to take advantage of Let's Encrypt certificates
 * Scheduled Backups of Data
 * Ability to choose NIS or rfc2307bis Schema
+* Additional Password Modules (Argon, SHA2, PBKDF2)
 * Two Password Checking Modules - check_password.so and ppm.so
 * Zabbix Monitoring templates included
 
@@ -100,7 +100,6 @@ The following directories are used for configuration and can be mapped for persi
 | `/assets/custom-scripts/` | If you'd like to execute a script during the initialization process drop it here (Useful for using this image as a base) |
 | `/certs/`                 | Drop TLS Certificates here (or use your own path)                                                                        |
 | `/data/backup`            | Backup Directory                                                                                                         |
-| `/www/html`               | If you want to put a landing page if using Nginx for LetsEncrypt SSL Place it here                                       |
 
 ### Environment Varables
 
@@ -122,6 +121,7 @@ available options that can be used to customize your installation.
 | `SCHEMA_TYPE`          | Use `nis` or `rfc2307bis` core schema.                        | `nis`                  |
 
 #### Logging Options
+
 | Variable    | Description                   | Default        |
 | ----------- | ----------------------------- | -------------- |
 | `LOG_FILE`  | Filename for logging          | `openldap.log` |
@@ -219,7 +219,6 @@ If you already have a check_password.conf or ppm.conf in /etc/openldap/ the foll
 | --------------------------- | ----------------------------------------------------------------------------------------- | ---------------------------------------------- |
 | `CONFIG_PATH`               | Configuration files path                                                                  | `/etc/openldap`                                |
 | `DB_PATH`                   | Data Files path                                                                           | `/var/lib/openldap`                            |
-| `ENABLE_NGINX`              | If you want to use automatic LetsEncrypt certificates for your server, set this to `true` | `FALSE`                                        |
 | `REMOVE_CONFIG_AFTER_SETUP` | Delete config folder after setup.                                                         | `true`                                         |
 | `SLAPD_ARGS`                | If you want to override slapd runtime arguments place here . Default (null)               |                                                |
 | `SLAPD_HOSTS`               | Allow overriding the default listen parameters                                            | `ldap://$HOSTNAME ldaps://$HOSTNAME ldapi:///` |
@@ -231,8 +230,7 @@ The following ports are exposed and available to public interfaces
 
 | Port  | Description                                   |
 | ----- | --------------------------------------------- |
-| `80`  | Nginx - For Automatic LetsEncrypt Certficates |
-| `389` | Unecrypted LDAP                               |
+| `389` | LDAP                                          |
 | `636` | TLS Encrypted LDAP                            |
 
 ## Maintenance

examples/docker-compose.yml

@@ -35,18 +35,18 @@ services:
       - SSL_HELPER_PREFIX=ldap
 
       - ENABLE_REPLICATION=FALSE
-      - REPLICATION_CONFIG_SYNCPROV=binddn="cn=admin,cn=config" bindmethod=simple credentials="admin" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1
-      - REPLICATION_DB_SYNCPROV=binddn="cn=admin,dc=example,dc=org" bindmethod=simple credentials="admin" searchbase="dc=example,dc=org" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1
+      - REPLICATION_CONFIG_SYNCPROV=binddn="cn=admin,cn=config" bindmethod=simple credentials="admin" searchbase="cn=config" type=refreshAndPersist retry="5 5 60 +" timeout=1
+      - REPLICATION_DB_SYNCPROV=binddn="cn=admin,dc=example,dc=org" bindmethod=simple credentials="admin" searchbase="dc=example,dc=org" type=refreshAndPersist interval=00:00:00:10 retry="5 5 60 +" timeout=1
       - REPLICATION_HOSTS=ldap://ldap1.example.com ldap://ldap2.example.com ldap://ldap3.example.com
       - REMOVE_CONFIG_AFTER_SETUP=false
 
       - ENABLE_BACKUP=TRUE
       - BACKUP_INTERVAL=0400
       - BACKUP_RETENTION=10080
 
-      - ENABLE_ZABBIX=TRUE    
+      - ENABLE_ZABBIX=TRUE
       - ZABBIX_HOSTNAME=openldap-app
-    
+
     networks:
       - internal
       - services

install/assets/defaults/10-openldap

@@ -18,7 +18,6 @@ DB_PATH=${DB_PATH:-"/var/lib/openldap"}
 DOMAIN=${DOMAIN:-"example.org"}
 ENABLE_BACKUP=${ENABLE_BACKUP:-"TRUE"}
 ENABLE_MONITOR=${ENABLE_MONITOR:-"TRUE"}
-ENABLE_NGINX=${ENABLE_NGINX:-"FALSE"}
 ENABLE_PPOLICY=${ENABLE_PPOLICY:-"TRUE"}
 ENABLE_READONLY_USER=${ENABLE_READONLY_USER:-"FALSE"}
 ENABLE_REPLICATION=${ENABLE_REPLICATION:-"FALSE"}

install/assets/functions/10-openldap

@@ -295,7 +295,7 @@ dn: olcDatabase=Monitor,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcMonitorConfig
 olcDatabase: Monitor
-olcAccess: to dn.subtree="cn=Monitor" by dn.exact="cn=admin,${BASE_DN}" write by users read by * none 
+olcAccess: to dn.subtree="cn=Monitor" by dn.exact="cn=admin,${BASE_DN}" write by users read by * none
 EOF
 
       set +e
@@ -445,7 +445,7 @@ EOF
         print_debug "Adding ppolicy Schema"
         /usr/bin/schema2ldif ${CONFIG_PATH}schema/ppolicy.schema >${CONFIG_PATH}schema/ppolicy.ldif
         ldap_add_or_modify ${CONFIG_PATH}schema/ppolicy.ldif
-        
+
         # Custom LDIF injection
         if [ -d /assets/slapd/config/bootstrap/ldif/custom ]; then
           print_notice "Add custom bootstrap ldifs"
@@ -544,7 +544,7 @@ EOF
         print_debug "Disabling replication config"
         replication_disable || true
       fi
-      
+
       ## Execute Custom Scripts (To be used for example for tiredofit/openldap-fusiondirectory)
       if [ -d /assets/custom-scripts/ ]; then
         print_notice "Found custom scripts to execute"
@@ -595,7 +595,7 @@ configure_logging() {
   for level in $log_level_array
       do
       log_level="${log_level} -d ${level} "
-  done 
+  done
 }
 
 configure_ppolicy_check_modules() {