Release 6.8.0 - See CHANGELOG.md

tiredofit · Apr 15, 2020 · b99350e · b99350e
1 parent 4b51edb
commit b99350e
Show file tree

Hide file tree

Showing 6 changed files with 244 additions and 208 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,17 @@
+## 6.8.0 2020-04-15 <dave at tiredofit dot ca>
+
+   ### Added
+      - Environment Variables to control keysize of DH Param file
+      - New variables to define custom TLS Patches
+      - New variables to skip changing ownership on TLS Certificates
+
+   ### Changed
+      - Moved environment variable defaults to /assets/functions/10-openldap
+      - Cleanup of TLS functionality to support new environment variables
+      - Properly support ULIMIT_N environment variable
+      - Fix Default for Nginx
+
+
 ## 6.7.2 2020-03-04 <dave at tiredofit dot ca>
 
    ### Added

diff --git a/Dockerfile b/Dockerfile
@@ -1,35 +1,10 @@
 FROM tiredofit/alpine:3.11
-LABEL maintainer="Dave Conroy <dave@tiredofit.ca>"
+LABEL maintainer="Dave Conroy <dave at tiredofit dot ca>"
 
-ENV ADMIN_PASS=admin \
-    BACKEND=mdb \
-    BACKUP_CONFIG_CRON_PERIOD="0 4 * * *" \
-    BACKUP_DATA_CRON_PERIOD="0 4 * * *" \
-    BACKUP_TTL=15 \
-    CONFIG_PASS=config \
-    DOMAIN=example.org \
-    ENABLE_NGINX=false \
-    ENABLE_READONLY_USER=false \
-    ENABLE_REPLICATION=false \
-    ENABLE_SMTP=FALSE \
-    ENABLE_TLS=true \
-    LOG_LEVEL=256 \
-    OPENLDAP_VERSION=2.4.49 \
-    ORGANIZATION="Example Organization" \
-    READONLY_USER_PASS=readonly \
-    READONLY_USER_USER=readonly \
-    REMOVE_CONFIG_AFTER_SETUP=false \
+ENV OPENLDAP_VERSION=2.4.49 \
     SCHEMA2LDIF_VERSION=1.3 \
-    SCHEMA_TYPE=nis \
-    SSL_HELPER_PREFIX=ldap \
-    TLS_CA_CRT_FILENAME=ca.pem \
-    TLS_CIPHER_SUITE="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA" \
-    TLS_CRT_FILENAME=cert.pem \
-    TLS_ENFORCE=false \
-    TLS_KEY_FILENAME=key.pem \
-    TLS_VERIFY_CLIENT=try \
-    ZABBIX_HOSTNAME=openldap-app
-
+    ZABBIX_HOSTNAME=openldap-app \
+    ENABLE_SMTP=FALSE
 
 COPY CHANGELOG.md /tiredofit/
 

diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ Upon starting this image it will give you a ready to run server with many config
 * Two Password Checking Modules - check_password.so and ppm.so
 * Zabbix Monitoring templates included
 
-* This Container uses a [customized Alpine Linux base](https://hub.docker.com/r/tiredofit/alpine) which includes [s6 overlay](https://github.com/just-containers/s6-overlay) enabled for PID 1 Init capabilities, [zabbix-agent](https://zabbix.org) based on 3.4 Packages for individual container monitoring, Cron also installed along with other tools (bash,curl, less, logrotate, mariadb-client, nano, vim) for easier management. It also supports sending to external SMTP servers..
+* This Container uses a [customized Alpine Linux base](https://hub.docker.com/r/tiredofit/alpine) which includes [s6 overlay](https://github.com/just-containers/s6-overlay) enabled for PID 1 Init capabilities, [zabbix-agent](https://zabbix.org) for individual container monitoring, Cron also installed along with other tools (bash,curl, less, logrotate, mariadb-client, nano, vim) for easier management. It also supports sending to external SMTP servers..
 
 
 [Changelog](CHANGELOG.md)
@@ -65,7 +65,7 @@ None.
 Automated builds of the image are available on [Registry](https://hub.docker.com/r/tiredofit/openldap) and is the recommended method of installation.
 
 ```bash
-docker pull registry.selfdesign.org/docker/openldap
+docker pull tiredofit/openldap
 ```
 
 # Quick Start
@@ -93,7 +93,7 @@ The following directories are used for configuration and can be mapped for persi
 | `/var/lib/openldap` | Data Directory |
 | `/etc/openldap/slapd.d` | Configuration Directory |
 | `/assets/custom-scripts/` | If you'd like to execute a script during the initialization process drop it here (Useful for using this image as a base)
-| `/assets/slapd/certs/` | Drop TLS Certificates here |
+| `/assets/slapd/certs/` | Drop TLS Certificates here (or use your own path) |
 | `/data/backup` | Backup Directory |   
 | `/www/html` | If you want to put a landing page if using Nginx for LetsEncrypt SSL Place it here |      
 
@@ -151,11 +151,19 @@ TLS options:
 | Variable | Description |
 |-----------|-------------|
 | `ENABLE_TLS` | Add TLS capabilities. Can't be removed once set to `true`. Defaults `true` |
-| `TLS_CRT_FILENAME` | Ldap ssl certificate filename. Default `cert.pem` |
-| `TLS_KEY_FILENAME` | Ldap ssl certificate private key filename. Default `key.pem` |
-| `TLS_CA_CRT_FILENAME` | Ldap ssl CA certificate filename. Default `ca.pem` |
-| `TLS_ENFORCE` | Enforce TLS. Can't be disabled once set to `true`. Defaults `false` |
+
+| `TLS_CA_CRT_FILENAME` | TLS CA certificate filename. Default `ca.pem` |
+| `TLS_CA_CRT_PATH` | TLS CA certificate path. Default `/assets/slapd/certs` |
 | `TLS_CIPHER_SUITE` | TLS cipher suite. Default `ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA` |
+| `TLS_CRT_FILENAME` | TLS certificate filename. Default `cert.pem` |
+| `TLS_CRT_PATH` | TLS certificate path. Default `/assets/slapd/certs` |
+| `TLS_DH_PARAM_FILENAME` | TLS DHParam Filename. Default `dhparam.pem` |
+| `TLS_DH_PARAM_KEYSIZE` | TLS DHParam Keysize. Default `2048` |
+| `TLS_DH_PARAM_PATH` | TLS DHParam path. Default `/assets/slapd/certs` |
+| `TLS_ENFORCE` | Enforce TLS. Can't be disabled once set to `true`. Defaults `false` |
+| `TLS_KEY_FILENAME` | TLS certificate private key filename. Default `key.pem` |
+| `TLS_KEY_PATH` | TLS certificate private key path. Default `/assets/slapd/certs` |
+| `TLS_RESET_PERMISSIONS` | Change ownership and reset permissions on Certificates on startup. Default `TRUE` |
 | `TLS_VERIFY_CLIENT` | TLS verify client. Default  `try`
 
     Help: http://www.openldap.org/doc/admin24/tls.html

diff --git a/install/assets/functions/10-openldap b/install/assets/functions/10-openldap
@@ -0,0 +1,183 @@
+#!/usr/bin/with-contenv bash
+
+### Set Defaults
+ADMIN_PASS=${ADMIN_PASS:-"admin"}
+BACKEND=${BACKEND:-"mdb"}
+BACKUP_CONFIG_CRON_PERIOD=${BACKUP_CONFIG_CRON_PERIOD:-"0 4 * * *"}
+BACKUP_DATA_CRON_PERIOD=${BACKUP_DATA_CRON_PERIOD:-"0 4 * * *"}
+BACKUP_TTL=${BACKUP_TTL:-15}
+CONFIG_PASS=${CONFIG_PASS:-"config"}
+DOMAIN=${DOMAIN:-"example.org"}
+ENABLE_NGINX=${ENABLE_NGINX:-"FALSE"}
+ENABLE_READONLY_USER=${ENABLE_READONLY_USER:-"false"}
+ENABLE_REPLICATION=${ENABLE_REPLICATION:-"false"}
+ENABLE_TLS=${ENABLE_TLS:-"true"}
+FIRST_START_DONE="/assets/state/slapd-first-start-done"
+LOG_LEVEL=${LOG_LEVEL:-256}
+ORGANIZATION=${ORGANIZATION:-"Example Organization"}
+READONLY_USER_PASS=${READONLY_USER_PASS:-"readonly"}
+READONLY_USER_USER=${READONLY_USER_USER:-"readonly"}
+REMOVE_CONFIG_AFTER_SETUP=${REMOVE_CONFIG_AFTER_SETUP:-"false"}
+SCHEMA_TYPE=${SCHEMA_TYPE:-"nis"}
+SSL_HELPER_PREFIX=${SSL_HELPER_PREFIX:-"ldap"}
+TLS_CA_CRT_FILENAME=${TLS_CA_CRT_FILENAME:-"ca.pem"}
+TLS_CA_CRT_PATH=${TLS_CA_CRT_PATH:-"/assets/slapd/certs"}
+TLS_CIPHER_SUITE=${TLS_CIPHER_SUITE:-"ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA"}
+TLS_CRT_FILENAME=${TLS_CRT_FILENAME:-"cert.pem"}
+TLS_CRT_PATH=${TLS_CRT_PATH:-"/assets/slapd/certs"}
+TLS_DH_PARAM_FILENAME=${TLS_DH_PARAM_FILENAME:-"dhparam.pem"}
+TLS_DH_PARAM_KEYSIZE=${TLS_DH_PARAM_KEYSIZE:-2048}
+TLS_DH_PARAM_PATH=${TLS_DH_PARAM_PATH:-"/assets/slapd/certs"}
+TLS_ENFORCE=${TLS_ENFORCE:-"false"}
+TLS_KEY_FILENAME=${TLS_KEY_FILENAME:-"key.pem"}
+TLS_KEY_PATH=${TLS_KEY_PATH:-"/assets/slapd/certs"}
+TLS_RESET_PERMISSIONS=${TLS_RESET_PERMISSIONS:-"TRUE"}
+TLS_VERIFY_CLIENT=${TLS_VERIFY_CLIENT:-"try"}
+ULIMIT_N=${ULIMIT_N:-1024}
+WAS_STARTED_WITH_REPLICATION="/etc/openldap/slapd.d/docker-openldap-was-started-with-replication"
+WAS_STARTED_WITH_TLS="/etc/openldap/slapd.d/docker-openldap-was-started-with-tls"
+WAS_STARTED_WITH_TLS_ENFORCE="/etc/openldap/slapd.d/docker-openldap-was-started-with-tls-enforce"
+
+### Functions
+function get_ldap_base_dn() {
+  # if BASE_DN is empty set value from DOMAIN
+  if [ -z "$BASE_DN" ]; then
+    IFS='.' read -ra BASE_DN_TABLE <<< "$DOMAIN"
+    for i in "${BASE_DN_TABLE[@]}"; do
+      EXT="dc=$i,"
+      BASE_DN=$BASE_DN$EXT
+    done
+
+    IFS='.' read -a domain_elems <<< "${DOMAIN}"
+    SUFFIX=""
+    ROOT=""
+
+    for elem in "${domain_elems[@]}" ; do
+        if [ "x${SUFFIX}" = x ] ; then
+            SUFFIX="dc=${elem}"
+            ROOT="${elem}"
+        fi
+    done
+
+    BASE_DN=${BASE_DN::-1}
+  fi
+}
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+function file_env () {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+  local val="$def"
+  if [ "${!fileVar:-}" ]; then
+    val="$(cat "${!fileVar}")"
+  elif [ "${!var:-}" ]; then
+    val="${!var}"
+  fi
+  if [ -z ${val} ]; then
+    print_error "error: neither $var nor $fileVar are set but are required"
+    exit 1
+  fi
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+  IFS='.' read -a domain_elems <<< "${DOMAIN}"
+  SUFFIX=""
+  ROOT=""
+
+  for elem in "${domain_elems[@]}" ; do
+      if [ "x${SUFFIX}" = x ] ; then
+          SUFFIX="dc=${elem}"
+          ROOT="${elem}"
+      else
+          BASE_DN="${SUFFIX},dc=${elem}"
+      fi
+  done
+
+function is_new_schema() {
+  local COUNT=$(ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config cn | grep -c $1)
+  if [ "$COUNT" -eq 0 ]; then
+    echo 1
+  else
+    echo 0
+  fi
+}
+
+function ldap_add_or_modify (){
+  local LDIF_FILE=$1
+  print_notice "Processing file ${LDIF_FILE}"
+  sed -i "s|<BASE_DN>|${BASE_DN}|g" $LDIF_FILE
+  sed -i "s|<BACKEND>|${BACKEND}|g" $LDIF_FILE
+  if [ "${READONLY_USER,,}" == "true" ]; then
+    sed -i "s|<READONLY_USER_USER>|${READONLY_USER_USER}|g" $LDIF_FILE
+    sed -i "s|<READONLY_USER_PASS_ENCRYPTED>|${READONLY_USER_PASS_ENCRYPTED}|g" $LDIF_FILE
+  fi
+  if grep -iq changetype $LDIF_FILE ; then
+      silent ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE
+  else
+      silent ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 
+  fi
+}
+
+function schema2ldif (){
+  SCHEMAS=$1
+
+# Dual Schema Support
+  if [ "$SCHEMA_TYPE" = "rfc2307bis" ] || [ "$SCHEMA_TYPE" = "RFC2307BIS" ]; then
+    cp -R /assets/slapd/config/bootstrap/schema/rfc2307bis/rfc2307bis.schema /etc/openldap/schema/
+    SCHEMA_TYPE="rfc2307bis"
+  else
+    SCHEMA_TYPE="nis"
+  fi
+
+  tmpd=`mktemp -d`
+  pushd ${tmpd} >>/dev/null
+
+  echo "include /etc/openldap/schema/core.schema" >> convert.dat
+  echo "include /etc/openldap/schema/cosine.schema" >> convert.dat
+  echo "include /etc/openldap/schema/${SCHEMA_TYPE}.schema" >> convert.dat
+  echo "include /etc/openldap/schema/inetorgperson.schema" >> convert.dat
+
+  for schema in ${SCHEMAS} ; do
+      echo "include ${schema}" >> convert.dat
+  done
+
+  silent slaptest -f convert.dat -F .
+
+  if [ $? -ne 0 ] ; then
+      print_error "slaptest conversion failed!"
+      exit
+  fi
+
+  for schema in ${SCHEMAS} ; do
+      fullpath=${schema}
+      schema_name=`basename ${fullpath} .schema`
+      schema_dir=`dirname ${fullpath}`
+      ldif_file=${schema_name}.ldif
+
+      find . -name *\}${schema_name}.ldif -exec mv '{}' ./${ldif_file} \;
+
+      # TODO: these sed invocations could all be combined
+      sed -i "/dn:/ c dn: cn=${schema_name},cn=schema,cn=config" ${ldif_file}
+      sed -i "/cn:/ c cn: ${schema_name}" ${ldif_file}
+      sed -i '/structuralObjectClass/ d' ${ldif_file}
+      sed -i '/entryUUID/ d' ${ldif_file}
+      sed -i '/creatorsName/ d' ${ldif_file}
+      sed -i '/createTimestamp/ d' ${ldif_file}
+      sed -i '/entryCSN/ d' ${ldif_file}
+      sed -i '/modifiersName/ d' ${ldif_file}
+      sed -i '/modifyTimestamp/ d' ${ldif_file}
+
+      # slapd seems to be very sensitive to how a file ends. There should be no blank lines.
+      sed -i '/^ *$/d' ${ldif_file}
+
+      mv ${ldif_file} ${schema_dir}
+  done
+
+  popd >>/dev/null
+  rm -rf $tmpd
+}
diff --git a/install/assets/slapd/config/tls/tls-enable.ldif b/install/assets/slapd/config/tls/tls-enable.ldif
@@ -4,16 +4,16 @@ replace: olcTLSCipherSuite
 olcTLSCipherSuite: <TLS_CIPHER_SUITE>
 -
 replace: olcTLSCACertificateFile
-olcTLSCACertificateFile: <TLS_CA_CRT_PATH>
+olcTLSCACertificateFile: <TLS_CA_CRT_PATH>/<TLS_CA_CRT_FILENAME>
 -
 replace: olcTLSCertificateFile
-olcTLSCertificateFile: <TLS_CRT_PATH>
+olcTLSCertificateFile: <TLS_CRT_PATH>/<TLS_CRT_FILENAME>
 -
 replace: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: <TLS_KEY_PATH>
+olcTLSCertificateKeyFile: <TLS_KEY_PATH>/<TLS_KEY_FILENAME>
 -
 replace: olcTLSDHParamFile
-olcTLSDHParamFile: <TLS_DH_PARAM_PATH>
+olcTLSDHParamFile: <TLS_DH_PARAM_PATH>/<TLS_DHPARAM_FILENAME>
 -
 replace: olcTLSVerifyClient
 olcTLSVerifyClient: <TLS_VERIFY_CLIENT>