From a88c69654a8540d84ce48916a87e2d3985194ab9 Mon Sep 17 00:00:00 2001 From: Dave Conroy Date: Tue, 11 Aug 2020 07:21:00 -0700 Subject: [PATCH] Release 7.1.0 - See CHANGELOG.md --- CHANGELOG.md | 10 +++++ Dockerfile | 13 ++++-- LICENSE | 2 +- README.md | 8 ++-- examples/docker-compose.yml | 8 ++-- install/assets/defaults/10-openldap | 1 - install/assets/functions/10-openldap | 8 ++-- install/etc/cont-init.d/09-nginx | 24 ---------- install/etc/nginx/conf.d/default.conf | 10 ----- install/etc/nginx/nginx.conf | 50 --------------------- install/etc/services.available/09-nginx/run | 18 -------- install/www/html/README | 1 - 12 files changed, 31 insertions(+), 122 deletions(-) delete mode 100755 install/etc/cont-init.d/09-nginx delete mode 100644 install/etc/nginx/conf.d/default.conf delete mode 100644 install/etc/nginx/nginx.conf delete mode 100755 install/etc/services.available/09-nginx/run delete mode 100644 install/www/html/README diff --git a/CHANGELOG.md b/CHANGELOG.md index 8cc7256..d22f442 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +## 7.1.0 2020-08-11 + + ### Added + - Add SHA2 password support + - Add Argon password support + + ### Reverted + - Remove Nginx for Letsencrypt Certificate Generation - It served its purpose, there are better ways now. + + ## 7.0.3 2020-07-26 ### Added diff --git a/Dockerfile b/Dockerfile index 27bb51c..2252e4d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -29,6 +29,7 @@ RUN set -x && \ git \ groff \ openssl-dev \ + libsodium-dev \ libtool \ m4 \ mosquitto-dev \ @@ -45,7 +46,7 @@ RUN set -x && \ libltdl \ libuuid \ libintl \ - nginx \ + libsodium \ openssl \ perl \ pigz \ 
@@ -128,7 +129,11 @@ RUN set -x && \ make -j$(getconf _NPROCESSORS_ONLN) DESTDIR="" prefix=/usr libexec=/usr/lib -C contrib/slapd-modules/mqtt install && \ ## Build passwd pbkdf2. make -j$(getconf _NPROCESSORS_ONLN) DESTDIR="" prefix=/usr libexecdir=/usr/lib -C contrib/slapd-modules/passwd/pbkdf2 install && \ - #\ + ## Build passwd SHA2 + make -j$(getconf _NPROCESSORS_ONLN) DESTDIR="" prefix=/usr libexecdir=/usr/lib -C contrib/slapd-modules/passwd/sha2 install && \ + ## Build passwd Argon2 + make -j$(getconf _NPROCESSORS_ONLN) DESTDIR="" prefix=/usr libexecdir=/usr/lib -C contrib/slapd-modules/passwd/argon2 install && \ + # ## Build ppolicy-check Module cd /tiredofit/openldap:`head -n 1 /tiredofit/CHANGELOG.md | awk '{print $2'}`/ && \ make -j$(getconf _NPROCESSORS_ONLN) prefix=/usr libexecdir=/usr/lib -C contrib/slapd-modules/ppolicy-check-password LDAP_INC_PATH=/tiredofit/openldap:`head -n 1 /tiredofit/CHANGELOG.md | awk '{print $2'}` && \ @@ -137,7 +142,7 @@ RUN set -x && \ cd /tiredofit/openldap:`head -n 1 /tiredofit/CHANGELOG.md | awk '{print $2'}`/ && \ make prefix=/usr libexecdir=/usr/lib -C contrib/slapd-modules/ppm LDAP_INC_PATH=/tiredofit/openldap:`head -n 1 /tiredofit/CHANGELOG.md | awk '{print $2'}` && \ cp /tiredofit/openldap:`head -n 1 /tiredofit/CHANGELOG.md | awk '{print $2'}`/contrib/slapd-modules/ppm/ppm.so /usr/lib/openldap && \ - \ + ### OpenLDAP Setup ln -s /usr/lib/slapd /usr/sbin && \ mkdir -p /usr/share/doc/openldap && \ @@ -171,7 +176,7 @@ RUN set -x && \ /var/cache/apk/* ### Networking -EXPOSE 80 389 636 +EXPOSE 389 636 ### Add Assets ADD install / diff --git a/LICENSE b/LICENSE index 19527d4..d333478 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2017 Dave Conroy +Copyright (c) 2020 Dave Conroy Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal 
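Review bot: The sha2 and argon2 password modules are built and installed in the `@@ -128,7 +129,11 @@` hunk, but nothing in this patch loads them into slapd: the only changes to install/assets/functions/10-openldap further down are whitespace, so unless an `olcModuleLoad` for the new modules is already emitted elsewhere (not visible here), hashes produced by these schemes will not be verifiable at bind time and "Add SHA2/Argon password support" in the CHANGELOG overstates what the image does. Please confirm where the modules are loaded, or add the load lines next to the existing pbkdf2 one, and document in README which `olcPasswordHash` value selects each new scheme, since the README hunk only adds a feature bullet. Separately, the new make lines copy the pbkdf2 pattern verbatim, which is fine, but a short comment above the argon2 line noting that it is the reason `libsodium-dev`/`libsodium` were added to the package lists (`## Build passwd Argon2 (needs libsodium)`) would tie the two Dockerfile hunks together for the next reader.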
diff --git a/README.md b/README.md index 5e66f46..2f548e1 100644 --- a/README.md +++ b/README.md @@ -16,9 +16,9 @@ Upon starting this image it will give you a ready to run server with many config * All overlays compiled * Supports TLS encryption * Supports Replication -* Optional Web Server included to take advantage of Let's Encrypt certificates * Scheduled Backups of Data * Ability to choose NIS or rfc2307bis Schema +* Additional Password Modules (Argon, SHA2, PBKDF2) * Two Password Checking Modules - check_password.so and ppm.so * Zabbix Monitoring templates included @@ -100,7 +100,6 @@ The following directories are used for configuration and can be mapped for persi | `/assets/custom-scripts/` | If you'd like to execute a script during the initialization process drop it here (Useful for using this image as a base) | | `/certs/` | Drop TLS Certificates here (or use your own path) | | `/data/backup` | Backup Directory | -| `/www/html` | If you want to put a landing page if using Nginx for LetsEncrypt SSL Place it here | ### Environment Varables @@ -122,6 +121,7 @@ available options that can be used to customize your installation. | `SCHEMA_TYPE` | Use `nis` or `rfc2307bis` core schema. | `nis` | #### Logging Options + | Variable | Description | Default | | ----------- | ----------------------------- | -------------- | | `LOG_FILE` | Filename for logging | `openldap.log` | 
@@ -219,7 +219,6 @@ If you already have a check_password.conf or ppm.conf in /etc/openldap/ the foll | --------------------------- | ----------------------------------------------------------------------------------------- | ---------------------------------------------- | | `CONFIG_PATH` | Configuration files path | `/etc/openldap` | | `DB_PATH` | Data Files path | `/var/lib/openldap` | -| `ENABLE_NGINX` | If you want to use automatic LetsEncrypt certificates for your server, set this to `true` | `FALSE` | | `REMOVE_CONFIG_AFTER_SETUP` | Delete config folder after setup. | `true` | | `SLAPD_ARGS` | If you want to override slapd runtime arguments place here . Default (null) | | | `SLAPD_HOSTS` | Allow overriding the default listen parameters | `ldap://$HOSTNAME ldaps://$HOSTNAME ldapi:///` | @@ -231,8 +230,7 @@ The following ports are exposed and available to public interfaces | Port | Description | | ----- | --------------------------------------------- | -| `80` | Nginx - For Automatic LetsEncrypt Certficates | -| `389` | Unecrypted LDAP | +| `389` | LDAP | | `636` | TLS Encrypted LDAP | ## Maintenance diff --git a/examples/docker-compose.yml b/examples/docker-compose.yml index fdca5d8..dbb5f62 100644 --- a/examples/docker-compose.yml +++ b/examples/docker-compose.yml 
@@ -35,8 +35,8 @@ services: - SSL_HELPER_PREFIX=ldap - ENABLE_REPLICATION=FALSE - - REPLICATION_CONFIG_SYNCPROV=binddn="cn=admin,cn=config" bindmethod=simple credentials="admin" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 - - REPLICATION_DB_SYNCPROV=binddn="cn=admin,dc=example,dc=org" bindmethod=simple credentials="admin" searchbase="dc=example,dc=org" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 + - REPLICATION_CONFIG_SYNCPROV=binddn="cn=admin,cn=config" bindmethod=simple credentials="admin" searchbase="cn=config" type=refreshAndPersist retry="5 5 60 +" timeout=1 + - REPLICATION_DB_SYNCPROV=binddn="cn=admin,dc=example,dc=org" bindmethod=simple credentials="admin" searchbase="dc=example,dc=org" type=refreshAndPersist interval=00:00:00:10 retry="5 5 60 +" timeout=1 - REPLICATION_HOSTS=ldap://ldap1.example.com ldap://ldap2.example.com ldap://ldap3.example.com - REMOVE_CONFIG_AFTER_SETUP=false @@ -44,9 +44,9 @@ services: - BACKUP_INTERVAL=0400 - BACKUP_RETENTION=10080 - - ENABLE_ZABBIX=TRUE + - ENABLE_ZABBIX=TRUE - ZABBIX_HOSTNAME=openldap-app - + networks: - internal - services diff --git a/install/assets/defaults/10-openldap b/install/assets/defaults/10-openldap index 9df1add..1a662cb 100755 --- a/install/assets/defaults/10-openldap +++ b/install/assets/defaults/10-openldap @@ -18,7 +18,6 @@ DB_PATH=${DB_PATH:-"/var/lib/openldap"} DOMAIN=${DOMAIN:-"example.org"} ENABLE_BACKUP=${ENABLE_BACKUP:-"TRUE"} ENABLE_MONITOR=${ENABLE_MONITOR:-"TRUE"} -ENABLE_NGINX=${ENABLE_NGINX:-"FALSE"} ENABLE_PPOLICY=${ENABLE_PPOLICY:-"TRUE"} ENABLE_READONLY_USER=${ENABLE_READONLY_USER:-"FALSE"} ENABLE_REPLICATION=${ENABLE_REPLICATION:-"FALSE"} diff --git a/install/assets/functions/10-openldap b/install/assets/functions/10-openldap index 4c63112..84e8fca 100755 --- a/install/assets/functions/10-openldap +++ b/install/assets/functions/10-openldap 
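Review bot: The retry schedule in both REPLICATION_CONFIG_SYNCPROV and REPLICATION_DB_SYNCPROV example lines changes from `60 +` to `5 5 60 +`, which is a behavioral tuning of the syncrepl reconnect policy rather than a cosmetic edit, yet the 7.1.0 CHANGELOG entry lists only Added and Reverted items. A one-line "Changed" entry, or a comment above these lines such as `# retry: 5 attempts 5 s apart, then every 60 s indefinitely`, would make the intent recoverable for users who copy this example. The remaining changes in this file (the ENABLE_ZABBIX line and the blank line before `networks:`) appear to be whitespace only.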
@@ -295,7 +295,7 @@ dn: olcDatabase=Monitor,cn=config objectClass: olcDatabaseConfig objectClass: olcMonitorConfig olcDatabase: Monitor -olcAccess: to dn.subtree="cn=Monitor" by dn.exact="cn=admin,${BASE_DN}" write by users read by * none +olcAccess: to dn.subtree="cn=Monitor" by dn.exact="cn=admin,${BASE_DN}" write by users read by * none EOF set +e @@ -445,7 +445,7 @@ EOF print_debug "Adding ppolicy Schema" /usr/bin/schema2ldif ${CONFIG_PATH}schema/ppolicy.schema >${CONFIG_PATH}schema/ppolicy.ldif ldap_add_or_modify ${CONFIG_PATH}schema/ppolicy.ldif - + # Custom LDIF injection if [ -d /assets/slapd/config/bootstrap/ldif/custom ]; then print_notice "Add custom bootstrap ldifs" @@ -544,7 +544,7 @@ EOF print_debug "Disabling replication config" replication_disable || true fi - + ## Execute Custom Scripts (To be used for example for tiredofit/openldap-fusiondirectory) if [ -d /assets/custom-scripts/ ]; then print_notice "Found custom scripts to execute" @@ -595,7 +595,7 @@ configure_logging() { for level in $log_level_array do log_level="${log_level} -d ${level} " - done + done } configure_ppolicy_check_modules() { diff --git a/install/etc/cont-init.d/09-nginx b/install/etc/cont-init.d/09-nginx deleted file mode 100755 index 65042a8..0000000 --- a/install/etc/cont-init.d/09-nginx +++ /dev/null @@ -1,24 +0,0 @@ -#!/usr/bin/with-contenv bash - -source /assets/functions/00-container -prepare_service 10-openldap -PROCESS_NAME="nginx" - -### Check to see if Enabled/Disabled -if var_false $ENABLE_NGINX ; then - print_notice "Disabling nginx" - service_stop 09-nginx - liftoff - exit 0 -fi - -### Adjust NGINX Runtime Variables -UPLOAD_MAX_SIZE=${UPLOAD_MAX_SIZE:="2G"} -sed -i -e "s//$UPLOAD_MAX_SIZE/g" /etc/nginx/nginx.conf - -mkdir -p /www/logs/nginx -chown -R nginx /www/logs/nginx -mkdir -p /tmp/nginx -chown -R nginx /tmp/nginx - -liftoff 
diff --git a/install/etc/nginx/conf.d/default.conf b/install/etc/nginx/conf.d/default.conf deleted file mode 100644 index 6360887..0000000 --- a/install/etc/nginx/conf.d/default.conf +++ /dev/null @@ -1,10 +0,0 @@ - server { - listen 80; - server_name localhost; - - location / { - root /www/html; - index index.html index.htm; - } - -} diff --git a/install/etc/nginx/nginx.conf b/install/etc/nginx/nginx.conf deleted file mode 100644 index b879852..0000000 --- a/install/etc/nginx/nginx.conf +++ /dev/null @@ -1,50 +0,0 @@ -daemon off; - -user nginx www-data; -worker_processes 1; - -error_log /www/logs/nginx/error.log warn; -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - real_ip_header X-Forwarded-For; - set_real_ip_from 172.16.0.0/12; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /www/logs/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 265; - - client_max_body_size ; - - server { - listen 73; - server_name 127.0.0.1; - - ## Zabbix - location /stub_status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - -} - -include /etc/nginx/conf.d/*.conf; -} diff --git a/install/etc/services.available/09-nginx/run b/install/etc/services.available/09-nginx/run deleted file mode 100755 index 9724d60..0000000 --- a/install/etc/services.available/09-nginx/run +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/with-contenv bash - -source /assets/functions/00-container -PROCESS_NAME="nginx" -check_container_initialized -check_service_initialized init - -if [ ! -f /www/html/index.html ] ; then - print_notice "No Files found - Creating Blank index.html" - mkdir -p /www/html - touch /www/html/index.html - chown nginx /www/html -fi - -liftoff - -print_info "Starting nginx" -exec nginx 
diff --git a/install/www/html/README b/install/www/html/README deleted file mode 100644 index 426585f..0000000 --- a/install/www/html/README +++ /dev/null @@ -1 +0,0 @@ -Put a basic landing page here titled index.html so that you can take advantage of LetsEncrypt Certificates