diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d93172..86be2de 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,17 @@ +## 6.8.0 2020-04-15 + + ### Added + - Environment Variables to control keysize of DH Param file + - New variables to define custom TLS Patches + - New variables to skip changing ownership on TLS Certificates + + ### Changed + - Moved environment variable defaults to /assets/functions/10-openldap + - Cleanup of TLS functionality to support new environment variables + - Properly support ULIMIT_N environment variable + - Fix Default for Nginx + + ## 6.7.2 2020-03-04 ### Added diff --git a/Dockerfile b/Dockerfile index 944c29d..344d5ae 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,35 +1,10 @@ FROM tiredofit/alpine:3.11 -LABEL maintainer="Dave Conroy " +LABEL maintainer="Dave Conroy " -ENV ADMIN_PASS=admin \ - BACKEND=mdb \ - BACKUP_CONFIG_CRON_PERIOD="0 4 * * *" \ - BACKUP_DATA_CRON_PERIOD="0 4 * * *" \ - BACKUP_TTL=15 \ - CONFIG_PASS=config \ - DOMAIN=example.org \ - ENABLE_NGINX=false \ - ENABLE_READONLY_USER=false \ - ENABLE_REPLICATION=false \ - ENABLE_SMTP=FALSE \ - ENABLE_TLS=true \ - LOG_LEVEL=256 \ - OPENLDAP_VERSION=2.4.49 \ - ORGANIZATION="Example Organization" \ - READONLY_USER_PASS=readonly \ - READONLY_USER_USER=readonly \ - REMOVE_CONFIG_AFTER_SETUP=false \ +ENV OPENLDAP_VERSION=2.4.49 \ SCHEMA2LDIF_VERSION=1.3 \ - SCHEMA_TYPE=nis \ - SSL_HELPER_PREFIX=ldap \ - TLS_CA_CRT_FILENAME=ca.pem \ - TLS_CIPHER_SUITE="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA" \ - TLS_CRT_FILENAME=cert.pem \ - TLS_ENFORCE=false \ - TLS_KEY_FILENAME=key.pem \ - TLS_VERIFY_CLIENT=try \ - ZABBIX_HOSTNAME=openldap-app - + ZABBIX_HOSTNAME=openldap-app \ + ENABLE_SMTP=FALSE COPY CHANGELOG.md /tiredofit/ diff --git a/README.md b/README.md index 467976e..b9880c9 100644 --- a/README.md +++ b/README.md 
@@ -22,7 +22,7 @@ Upon starting this image it will give you a ready to run server with many config * Two Password Checking Modules - check_password.so and ppm.so * Zabbix Monitoring templates included -* This Container uses a [customized Alpine Linux base](https://hub.docker.com/r/tiredofit/alpine) which includes [s6 overlay](https://github.com/just-containers/s6-overlay) enabled for PID 1 Init capabilities, [zabbix-agent](https://zabbix.org) based on 3.4 Packages for individual container monitoring, Cron also installed along with other tools (bash,curl, less, logrotate, mariadb-client, nano, vim) for easier management. It also supports sending to external SMTP servers.. +* This Container uses a [customized Alpine Linux base](https://hub.docker.com/r/tiredofit/alpine) which includes [s6 overlay](https://github.com/just-containers/s6-overlay) enabled for PID 1 Init capabilities, [zabbix-agent](https://zabbix.org) for individual container monitoring, Cron also installed along with other tools (bash,curl, less, logrotate, mariadb-client, nano, vim) for easier management. It also supports sending to external SMTP servers.. [Changelog](CHANGELOG.md) @@ -65,7 +65,7 @@ None. Automated builds of the image are available on [Registry](https://hub.docker.com/r/tiredofit/openldap) and is the recommended method of installation. ```bash -docker pull registry.selfdesign.org/docker/openldap +docker pull tiredofit/openldap ``` # Quick Start 
@@ -93,7 +93,7 @@ The following directories are used for configuration and can be mapped for persi | `/var/lib/openldap` | Data Directory | | `/etc/openldap/slapd.d` | Configuration Directory | | `/assets/custom-scripts/` | If you'd like to execute a script during the initialization process drop it here (Useful for using this image as a base) -| `/assets/slapd/certs/` | Drop TLS Certificates here | +| `/assets/slapd/certs/` | Drop TLS Certificates here (or use your own path) | | `/data/backup` | Backup Directory | | `/www/html` | If you want to put a landing page if using Nginx for LetsEncrypt SSL Place it here | 
@@ -151,11 +151,19 @@ TLS options: | Variable | Description | |-----------|-------------| | `ENABLE_TLS` | Add TLS capabilities. Can't be removed once set to `true`. Defaults `true` | -| `TLS_CRT_FILENAME` | Ldap ssl certificate filename. Default `cert.pem` | -| `TLS_KEY_FILENAME` | Ldap ssl certificate private key filename. Default `key.pem` | -| `TLS_CA_CRT_FILENAME` | Ldap ssl CA certificate filename. Default `ca.pem` | -| `TLS_ENFORCE` | Enforce TLS. Can't be disabled once set to `true`. Defaults `false` | + +| `TLS_CA_CRT_FILENAME` | TLS CA certificate filename. Default `ca.pem` | +| `TLS_CA_CRT_PATH` | TLS CA certificate path. Default `/assets/slapd/certs` | | `TLS_CIPHER_SUITE` | TLS cipher suite. Default `ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA` | +| `TLS_CRT_FILENAME` | TLS certificate filename. Default `cert.pem` | +| `TLS_CRT_PATH` | TLS certificate path. Default `/assets/slapd/certs` | +| `TLS_DH_PARAM_FILENAME` | TLS DHParam Filename. Default `dhparam.pem` | +| `TLS_DH_PARAM_KEYSIZE` | TLS DHParam Keysize. Default `2048` | +| `TLS_DH_PARAM_PATH` | TLS DHParam path. Default `/assets/slapd/certs` | +| `TLS_ENFORCE` | Enforce TLS. Can't be disabled once set to `true`. Defaults `false` | +| `TLS_KEY_FILENAME` | TLS certificate private key filename. Default `key.pem` | +| `TLS_KEY_PATH` | TLS certificate private key path. Default `/assets/slapd/certs` | +| `TLS_RESET_PERMISSIONS` | Change ownership and reset permissions on Certificates on startup. Default `TRUE` | | `TLS_VERIFY_CLIENT` | TLS verify client. Default `try` Help: http://www.openldap.org/doc/admin24/tls.html diff --git a/install/assets/functions/10-openldap b/install/assets/functions/10-openldap new file mode 100755 index 0000000..6e7263e --- /dev/null +++ b/install/assets/functions/10-openldap 
@@ -0,0 +1,183 @@
+#!/usr/bin/with-contenv bash
+
+### Set Defaults
+ADMIN_PASS=${ADMIN_PASS:-"admin"}
+BACKEND=${BACKEND:-"mdb"}
+BACKUP_CONFIG_CRON_PERIOD=${BACKUP_CONFIG_CRON_PERIOD:-"0 4 * * *"}
+BACKUP_DATA_CRON_PERIOD=${BACKUP_DATA_CRON_PERIOD:-"0 4 * * *"}
+BACKUP_TTL=${BACKUP_TTL:-15}
+CONFIG_PASS=${CONFIG_PASS:-"config"}
+DOMAIN=${DOMAIN:-"example.org"}
+ENABLE_NGINX=${ENABLE_NGINX:-"FALSE"}
+ENABLE_READONLY_USER=${ENABLE_READONLY_USER:-"false"}
+ENABLE_REPLICATION=${ENABLE_REPLICATION:-"false"}
+ENABLE_TLS=${ENABLE_TLS:-"true"}
+FIRST_START_DONE="/assets/state/slapd-first-start-done"
+LOG_LEVEL=${LOG_LEVEL:-256}
+ORGANIZATION=${ORGANIZATION:-"Example Organization"}
+READONLY_USER_PASS=${READONLY_USER_PASS:-"readonly"}
+READONLY_USER_USER=${READONLY_USER_USER:-"readonly"}
+REMOVE_CONFIG_AFTER_SETUP=${REMOVE_CONFIG_AFTER_SETUP:-"false"}
+SCHEMA_TYPE=${SCHEMA_TYPE:-"nis"}
+SSL_HELPER_PREFIX=${SSL_HELPER_PREFIX:-"ldap"}
+TLS_CA_CRT_FILENAME=${TLS_CA_CRT_FILENAME:-"ca.pem"}
+TLS_CA_CRT_PATH=${TLS_CA_CRT_PATH:-"/assets/slapd/certs"}
+TLS_CIPHER_SUITE=${TLS_CIPHER_SUITE:-"ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA"}
+TLS_CRT_FILENAME=${TLS_CRT_FILENAME:-"cert.pem"}
+TLS_CRT_PATH=${TLS_CRT_PATH:-"/assets/slapd/certs"}
+TLS_DH_PARAM_FILENAME=${TLS_DH_PARAM_FILENAME:-"dhparam.pem"}
+TLS_DH_PARAM_KEYSIZE=${TLS_DH_PARAM_KEYSIZE:-2048}
+TLS_DH_PARAM_PATH=${TLS_DH_PARAM_PATH:-"/assets/slapd/certs"}
+TLS_ENFORCE=${TLS_ENFORCE:-"false"}
+TLS_KEY_FILENAME=${TLS_KEY_FILENAME:-"key.pem"}
+TLS_KEY_PATH=${TLS_KEY_PATH:-"/assets/slapd/certs"}
+TLS_RESET_PERMISSIONS=${TLS_RESET_PERMISSIONS:-"TRUE"}
+TLS_VERIFY_CLIENT=${TLS_VERIFY_CLIENT:-"try"}
+ULIMIT_N=${ULIMIT_N:-1024}
+WAS_STARTED_WITH_REPLICATION="/etc/openldap/slapd.d/docker-openldap-was-started-with-replication"
+WAS_STARTED_WITH_TLS="/etc/openldap/slapd.d/docker-openldap-was-started-with-tls"
+WAS_STARTED_WITH_TLS_ENFORCE="/etc/openldap/slapd.d/docker-openldap-was-started-with-tls-enforce" + +### Functions +function get_ldap_base_dn() { + # if BASE_DN is empty set value from DOMAIN + if [ -z "$BASE_DN" ]; then + IFS='.' read -ra BASE_DN_TABLE <<< "$DOMAIN" + for i in "${BASE_DN_TABLE[@]}"; do + EXT="dc=$i," + BASE_DN=$BASE_DN$EXT + done + + IFS='.' read -a domain_elems <<< "${DOMAIN}" + SUFFIX="" + ROOT="" + + for elem in "${domain_elems[@]}" ; do + if [ "x${SUFFIX}" = x ] ; then + SUFFIX="dc=${elem}" + ROOT="${elem}" + fi + done + + BASE_DN=${BASE_DN::-1} + fi +} + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +function file_env () { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + local val="$def" + if [ "${!fileVar:-}" ]; then + val="$(cat "${!fileVar}")" + elif [ "${!var:-}" ]; then + val="${!var}" + fi + if [ -z ${val} ]; then + print_error "error: neither $var nor $fileVar are set but are required" + exit 1 + fi + export "$var"="$val" + unset "$fileVar" +} + + IFS='.' 
read -a domain_elems <<< "${DOMAIN}" + SUFFIX="" + ROOT="" + + for elem in "${domain_elems[@]}" ; do + if [ "x${SUFFIX}" = x ] ; then + SUFFIX="dc=${elem}" + ROOT="${elem}" + else + BASE_DN="${SUFFIX},dc=${elem}" + fi + done + +function is_new_schema() { + local COUNT=$(ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config cn | grep -c $1) + if [ "$COUNT" -eq 0 ]; then + echo 1 + else + echo 0 + fi +} + +function ldap_add_or_modify (){ + local LDIF_FILE=$1 + print_notice "Processing file ${LDIF_FILE}" + sed -i "s||${BASE_DN}|g" $LDIF_FILE + sed -i "s||${BACKEND}|g" $LDIF_FILE + if [ "${READONLY_USER,,}" == "true" ]; then + sed -i "s||${READONLY_USER_USER}|g" $LDIF_FILE + sed -i "s||${READONLY_USER_PASS_ENCRYPTED}|g" $LDIF_FILE + fi + if grep -iq changetype $LDIF_FILE ; then + silent ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE + else + silent ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE + fi +} + +function schema2ldif (){ + SCHEMAS=$1 + +# Dual Schema Support + if [ "$SCHEMA_TYPE" = "rfc2307bis" ] || [ "$SCHEMA_TYPE" = "RFC2307BIS" ]; then + cp -R /assets/slapd/config/bootstrap/schema/rfc2307bis/rfc2307bis.schema /etc/openldap/schema/ + SCHEMA_TYPE="rfc2307bis" + else + SCHEMA_TYPE="nis" + fi + + tmpd=`mktemp -d` + pushd ${tmpd} >>/dev/null + + echo "include /etc/openldap/schema/core.schema" >> convert.dat + echo "include /etc/openldap/schema/cosine.schema" >> convert.dat + echo "include /etc/openldap/schema/${SCHEMA_TYPE}.schema" >> convert.dat + echo "include /etc/openldap/schema/inetorgperson.schema" >> convert.dat + + for schema in ${SCHEMAS} ; do + echo "include ${schema}" >> convert.dat + done + + silent slaptest -f convert.dat -F . + + if [ $? -ne 0 ] ; then + print_error "slaptest conversion failed!" + exit + fi + + for schema in ${SCHEMAS} ; do + fullpath=${schema} + schema_name=`basename ${fullpath} .schema` + schema_dir=`dirname ${fullpath}` + ldif_file=${schema_name}.ldif + + find . 
-name *\}${schema_name}.ldif -exec mv '{}' ./${ldif_file} \; + + # TODO: these sed invocations could all be combined + sed -i "/dn:/ c dn: cn=${schema_name},cn=schema,cn=config" ${ldif_file} + sed -i "/cn:/ c cn: ${schema_name}" ${ldif_file} + sed -i '/structuralObjectClass/ d' ${ldif_file} + sed -i '/entryUUID/ d' ${ldif_file} + sed -i '/creatorsName/ d' ${ldif_file} + sed -i '/createTimestamp/ d' ${ldif_file} + sed -i '/entryCSN/ d' ${ldif_file} + sed -i '/modifiersName/ d' ${ldif_file} + sed -i '/modifyTimestamp/ d' ${ldif_file} + + # slapd seems to be very sensitive to how a file ends. There should be no blank lines. + sed -i '/^ *$/d' ${ldif_file} + + mv ${ldif_file} ${schema_dir} + done + + popd >>/dev/null + rm -rf $tmpd +} diff --git a/install/assets/slapd/config/tls/tls-enable.ldif b/install/assets/slapd/config/tls/tls-enable.ldif index e78ea28..22d4a8c 100644 --- a/install/assets/slapd/config/tls/tls-enable.ldif +++ b/install/assets/slapd/config/tls/tls-enable.ldif @@ -4,16 +4,16 @@ replace: olcTLSCipherSuite olcTLSCipherSuite: - replace: olcTLSCACertificateFile -olcTLSCACertificateFile: +olcTLSCACertificateFile: / - replace: olcTLSCertificateFile -olcTLSCertificateFile: +olcTLSCertificateFile: / - replace: olcTLSCertificateKeyFile -olcTLSCertificateKeyFile: +olcTLSCertificateKeyFile: / - replace: olcTLSDHParamFile -olcTLSDHParamFile: +olcTLSDHParamFile: / - replace: olcTLSVerifyClient olcTLSVerifyClient: diff --git a/install/etc/cont-init.d/10-openldap b/install/etc/cont-init.d/10-openldap index c54df3c..1206214 100755 --- a/install/etc/cont-init.d/10-openldap +++ b/install/etc/cont-init.d/10-openldap 
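Review bot: `ldap_add_or_modify` tests `"${READONLY_USER,,}" == "true"` while the defaults at the top of this same file declare `ENABLE_READONLY_USER`, so unless `READONLY_USER` is assigned somewhere in cont-init the read-only-user substitutions never run; `if [ "${ENABLE_READONLY_USER,,}" == "true" ]; then` matches the variable the file defines. The same function splices `${READONLY_USER_PASS_ENCRYPTED}` into a `sed -i "s|...|g"` expression, so a hash containing `|` or `&` corrupts the substitution instead of being inserted literally; escape those characters before the `sed` (or use a templating step that does not reinterpret the replacement). In `file_env`, `if [ -z ${val} ]` is unquoted, so a multi-word value read from a secrets file turns the check into a `[: too many arguments` error; `if [ -z "${val}" ]; then`. The `IFS='.' read -a domain_elems` block between `file_env` and `is_new_schema` sits at top level, so it executes every time this functions file is sourced rather than as part of `get_ldap_base_dn`, and `schema2ldif` leaves the "slaptest conversion failed!" branch with a bare `exit`, which propagates the status of `print_error` rather than signalling failure; `exit 1`.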
@@ -3,155 +3,11 @@ for s in /assets/functions/*; do source $s; done PROCESS_NAME="openldap" -### Functions -function get_ldap_base_dn() { - # if BASE_DN is empty set value from DOMAIN - if [ -z "$BASE_DN" ]; then - IFS='.' read -ra BASE_DN_TABLE <<< "$DOMAIN" - for i in "${BASE_DN_TABLE[@]}"; do - EXT="dc=$i," - BASE_DN=$BASE_DN$EXT - done - - IFS='.' read -a domain_elems <<< "${DOMAIN}" - SUFFIX="" - ROOT="" - - for elem in "${domain_elems[@]}" ; do - if [ "x${SUFFIX}" = x ] ; then - SUFFIX="dc=${elem}" - ROOT="${elem}" - fi - done - - BASE_DN=${BASE_DN::-1} - fi -} - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -function file_env () { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - local val="$def" - if [ "${!fileVar:-}" ]; then - val="$(cat "${!fileVar}")" - elif [ "${!var:-}" ]; then - val="${!var}" - fi - if [ -z ${val} ]; then - print_error "error: neither $var nor $fileVar are set but are required" - exit 1 - fi - export "$var"="$val" - unset "$fileVar" -} - - IFS='.' 
read -a domain_elems <<< "${DOMAIN}" - SUFFIX="" - ROOT="" - - for elem in "${domain_elems[@]}" ; do - if [ "x${SUFFIX}" = x ] ; then - SUFFIX="dc=${elem}" - ROOT="${elem}" - else - BASE_DN="${SUFFIX},dc=${elem}" - fi - done - -function is_new_schema() { - local COUNT=$(ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config cn | grep -c $1) - if [ "$COUNT" -eq 0 ]; then - echo 1 - else - echo 0 - fi -} - -function ldap_add_or_modify (){ - local LDIF_FILE=$1 - print_notice "Processing file ${LDIF_FILE}" - sed -i "s||${BASE_DN}|g" $LDIF_FILE - sed -i "s||${BACKEND}|g" $LDIF_FILE - if [ "${READONLY_USER,,}" == "true" ]; then - sed -i "s||${READONLY_USER_USER}|g" $LDIF_FILE - sed -i "s||${READONLY_USER_PASS_ENCRYPTED}|g" $LDIF_FILE - fi - if grep -iq changetype $LDIF_FILE ; then - silent ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE - else - silent ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE - fi -} - -function schema2ldif (){ - SCHEMAS=$1 - -# Dual Schema Support - if [ "$SCHEMA_TYPE" = "rfc2307bis" ] || [ "$SCHEMA_TYPE" = "RFC2307BIS" ]; then - cp -R /assets/slapd/config/bootstrap/schema/rfc2307bis/rfc2307bis.schema /etc/openldap/schema/ - SCHEMA_TYPE="rfc2307bis" - else - SCHEMA_TYPE="nis" - fi - - tmpd=`mktemp -d` - pushd ${tmpd} >>/dev/null - - echo "include /etc/openldap/schema/core.schema" >> convert.dat - echo "include /etc/openldap/schema/cosine.schema" >> convert.dat - echo "include /etc/openldap/schema/${SCHEMA_TYPE}.schema" >> convert.dat - echo "include /etc/openldap/schema/inetorgperson.schema" >> convert.dat - - for schema in ${SCHEMAS} ; do - echo "include ${schema}" >> convert.dat - done - - silent slaptest -f convert.dat -F . - - if [ $? -ne 0 ] ; then - print_error "slaptest conversion failed!" - exit - fi - - for schema in ${SCHEMAS} ; do - fullpath=${schema} - schema_name=`basename ${fullpath} .schema` - schema_dir=`dirname ${fullpath}` - ldif_file=${schema_name}.ldif - - find . 
-name *\}${schema_name}.ldif -exec mv '{}' ./${ldif_file} \; - - # TODO: these sed invocations could all be combined - sed -i "/dn:/ c dn: cn=${schema_name},cn=schema,cn=config" ${ldif_file} - sed -i "/cn:/ c cn: ${schema_name}" ${ldif_file} - sed -i '/structuralObjectClass/ d' ${ldif_file} - sed -i '/entryUUID/ d' ${ldif_file} - sed -i '/creatorsName/ d' ${ldif_file} - sed -i '/createTimestamp/ d' ${ldif_file} - sed -i '/entryCSN/ d' ${ldif_file} - sed -i '/modifiersName/ d' ${ldif_file} - sed -i '/modifyTimestamp/ d' ${ldif_file} - - # slapd seems to be very sensitive to how a file ends. There should be no blank lines. - sed -i '/^ *$/d' ${ldif_file} - - mv ${ldif_file} ${schema_dir} - done - - popd >>/dev/null - rm -rf $tmpd -} - set -e set -o pipefail ### Reduce maximum number of number of open file descriptors to 1024 otherwise slapd consumes two orders of magnitude more of RAM -ulimit -n 1024 +ulimit -n ${ULIMIT_N} ### Create data directories if they don't already exist [ -d /var/lib/openldap ] || mkdir -p /var/lib/openldap @@ -164,14 +20,6 @@ chown -R ldap:ldap /etc/openldap chown -R ldap:ldap /assets/slapd ### Sanity Testers -FIRST_START_DONE="/assets/state/slapd-first-start-done" -WAS_STARTED_WITH_TLS="/etc/openldap/slapd.d/docker-openldap-was-started-with-tls" -WAS_STARTED_WITH_TLS_ENFORCE="/etc/openldap/slapd.d/docker-openldap-was-started-with-tls-enforce" -WAS_STARTED_WITH_REPLICATION="/etc/openldap/slapd.d/docker-openldap-was-started-with-replication" -TLS_CA_CRT_PATH="/assets/slapd/certs/$TLS_CA_CRT_FILENAME" -TLS_CRT_PATH="/assets/slapd/certs/$TLS_CRT_FILENAME" -TLS_KEY_PATH="/assets/slapd/certs/$TLS_KEY_FILENAME" -TLS_DH_PARAM_PATH="/assets/slapd/certs/dhparam.pem" ### Container first start if [ ! -e "$FIRST_START_DONE" ]; then 
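Review bot: The comment above `ulimit -n ${ULIMIT_N}` still says "Reduce maximum number of number of open file descriptors to 1024", which no longer describes the line now that the limit comes from the `ULIMIT_N` default (1024) in /assets/functions/10-openldap; `### Limit open file descriptors to ULIMIT_N (default 1024), otherwise slapd consumes two orders of magnitude more RAM`. The expansion should also be quoted, `ulimit -n "${ULIMIT_N}"`. Since `set -e` is enabled just above, a value higher than the container's hard limit makes `ulimit` fail and stops init with no message; logging the rejected value before exiting would make that easier to diagnose. The hunk at `@@ -164,14 +20,6 @@` is a pure move of these definitions and needs nothing further.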
@@ -319,16 +167,18 @@ chown -R ldap:ldap /etc/openldap
 print_info "Checking previous TLS certificates.."
- [[ -z "$PREVIOUS_TLS_CA_CRT_PATH" ]] && PREVIOUS_TLS_CA_CRT_PATH="/assets/slapd/certs/TLS_CA_CRT_FILENAME"
- [[ -z "$PREVIOUS_TLS_CRT_PATH" ]] && PREVIOUS_TLS_CRT_PATH="/assets/slapd/certs/TLS_CRT_FILENAME"
- [[ -z "$PREVIOUS_TLS_KEY_PATH" ]] && PREVIOUS_TLS_KEY_PATH="/assets/slapd/certs/TLS_KEY_FILENAME"
- [[ -z "$PREVIOUS_TLS_DH_PARAM_PATH" ]] && PREVIOUS_TLS_DH_PARAM_PATH="/assets/slapd/certs/dhparam.pem"
+ [[ -z "$PREVIOUS_TLS_CA_CRT_PATH" ]] && PREVIOUS_TLS_CA_CRT_PATH="${TLS_CA_CRT_PATH}/${TLS_CA_CRT_FILENAME}"
+ [[ -z "$PREVIOUS_TLS_CRT_PATH" ]] && PREVIOUS_TLS_CRT_PATH="${TLS_CRT_PATH}/${TLS_CRT_FILENAME}"
+ [[ -z "$PREVIOUS_TLS_KEY_PATH" ]] && PREVIOUS_TLS_KEY_PATH="${TLS_KEY_PATH}/${TLS_KEY_FILENAME}"
+ [[ -z "$PREVIOUS_TLS_DH_PARAM_PATH" ]] && PREVIOUS_TLS_DH_PARAM_PATH="${TLS_DHPARAM_PATH}/${TLS_DH_PARAM_FILENAME}"
 silent ssl-helper $SSL_HELPER_PREFIX $PREVIOUS_TLS_CRT_PATH $PREVIOUS_TLS_KEY_PATH $PREVIOUS_TLS_CA_CRT_PATH
- [ -f ${PREVIOUS_TLS_DH_PARAM_PATH} ] || silent libressl dhparam -out ${LDAP_TLS_DH_PARAM_PATH} 2048
+ [ -f ${PREVIOUS_TLS_DH_PARAM_PATH} ] || silent libressl dhparam -out ${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME} ${TLS_DH_PARAM_KEYSIZE}
- chmod 600 ${PREVIOUS_TLS_DH_PARAM_PATH}
- chown ldap:ldap $PREVIOUS_TLS_CRT_PATH $PREVIOUS_TLS_KEY_PATH $PREVIOUS_TLS_CA_CRT_PATH $PREVIOUS_TLS_DH_PARAM_PATH
+ if [ "${TLS_RESET_PERMISSIONS}" = "TRUE" ] || [ "${TLS_RESET_PERMISSIONS}" = "TRUE" ] ; then
+ chmod 600 ${PREVIOUS_TLS_DH_PARAM_PATH}
+ chown ldap:ldap $PREVIOUS_TLS_CRT_PATH $PREVIOUS_TLS_KEY_PATH $PREVIOUS_TLS_CA_CRT_PATH $PREVIOUS_TLS_DH_PARAM_PATH
+ fi
 fi
 ### Replication Sanity Tester
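Review bot: The fallback `PREVIOUS_TLS_DH_PARAM_PATH="${TLS_DHPARAM_PATH}/${TLS_DH_PARAM_FILENAME}"` reads `TLS_DHPARAM_PATH`, but the variable the new functions file defines is `TLS_DH_PARAM_PATH`; whenever the state file does not supply `PREVIOUS_TLS_DH_PARAM_PATH` the fallback expands to `/dhparam.pem`, the `[ -f ... ]` test never finds the real file, `libressl dhparam` is regenerated on every start, and `chmod 600 /dhparam.pem` then fails under `set -e`. The guard `[ "${TLS_RESET_PERMISSIONS}" = "TRUE" ] || [ "${TLS_RESET_PERMISSIONS}" = "TRUE" ]` compares the same string twice, so a lowercase `true` silently skips the chown and the key/cert may end up unreadable by slapd; `if [ "${TLS_RESET_PERMISSIONS^^}" = "TRUE" ]; then` covers both spellings. The same duplicated test appears in the hunk at `@@ -452,20 +302,26 @@`. The enclosing `if` starts before this hunk.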
@@ -452,20 +302,26 @@ chown -R ldap:ldap /etc/openldap
 print_info "Starting TLS configuration. Please wait..."
 # Generate a certificate and key with ssl-helper tool if LDAP_CRT and LDAP_KEY files don't exist
- silent ssl-helper $SSL_HELPER_PREFIX $TLS_CRT_PATH $TLS_KEY_PATH $TLS_CA_CRT_PATH
+ silent ssl-helper $SSL_HELPER_PREFIX ${TLS_CRT_PATH}/${TLS_CRT_FILENAME} ${TLS_KEY_PATH}/${TLS_KEY_FILENAME} ${TLS_CA_CRT_PATH}/${TLS_CA_CRT_FILENAME}
 # Create DHParamFile if not found
- [ -f ${TLS_DH_PARAM_PATH} ] || silent libressl dhparam -out ${TLS_DH_PARAM_PATH} 2048
- chmod 600 ${TLS_DH_PARAM_PATH}
+ [ -f ${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME} ] || silent libressl dhparam -out ${TLS_DH_PARAM_PATH}${TLS_DH_PARAM_FILENAME} ${TLS_DH_PARAM_KEYSIZE}
+ if [ "${TLS_RESET_PERMISSIONS}" = "TRUE" ] || [ "${TLS_RESET_PERMISSIONS}" = "TRUE" ] ; then
+ chmod 600 ${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME}
+ fi
 # Fix file permissions
 chown -R ldap:ldap /assets/slapd
 # Adapt TLS ldif
 sed -i "s||${TLS_CA_CRT_PATH}|g" /assets/slapd/config/tls/tls-enable.ldif
+ sed -i "s||${TLS_CA_CRT_FILENAME}|g" /assets/slapd/config/tls/tls-enable.ldif
 sed -i "s||${TLS_CRT_PATH}|g" /assets/slapd/config/tls/tls-enable.ldif
+ sed -i "s||${TLS_CRT_FILENAME}|g" /assets/slapd/config/tls/tls-enable.ldif
 sed -i "s||${TLS_KEY_PATH}|g" /assets/slapd/config/tls/tls-enable.ldif
+ sed -i "s||${TLS_KEY_FILENAME}|g" /assets/slapd/config/tls/tls-enable.ldif
 sed -i "s||${TLS_DH_PARAM_PATH}|g" /assets/slapd/config/tls/tls-enable.ldif
+ sed -i "s||${TLS_DH_PARAM_FILENAME}|g" /assets/slapd/config/tls/tls-enable.ldif
 sed -i "s||${TLS_CIPHER_SUITE}|g" /assets/slapd/config/tls/tls-enable.ldif
 sed -i "s||${TLS_VERIFY_CLIENT}|g" /assets/slapd/config/tls/tls-enable.ldif
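Review bot: `libressl dhparam -out ${TLS_DH_PARAM_PATH}${TLS_DH_PARAM_FILENAME}` is missing the `/` that the `[ -f ... ]` test on the same line and the `chmod 600` below both use, so with the defaults the parameters land in `/assets/slapd/certsdhparam.pem`, the existence check never succeeds, generation repeats on every start, and the chmod on the missing file aborts init under `set -e`; `silent libressl dhparam -out "${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME}" "${TLS_DH_PARAM_KEYSIZE}"`. Separately, `chown -R ldap:ldap /assets/slapd` two lines further down stays unconditional, so `TLS_RESET_PERMISSIONS` here only governs the DH-param chmod and does not skip ownership changes for certificates kept under the default `/assets/slapd/certs`, which is what the README entry for the variable describes; wrapping that chown in the same guard, or limiting it to the config subtree, would match the documented behaviour. The enclosing TLS `if` starts before this hunk.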
@@ -473,10 +329,10 @@ chown -R ldap:ldap /etc/openldap
 silent ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /assets/slapd/config/tls/tls-enable.ldif
 [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
- echo "export PREVIOUS_TLS_CA_CRT_PATH=${TLS_CA_CRT_PATH}" > $WAS_STARTED_WITH_TLS
- echo "export PREVIOUS_TLS_CRT_PATH=${TLS_CRT_PATH}" >> $WAS_STARTED_WITH_TLS
- echo "export PREVIOUS_TLS_KEY_PATH=${TLS_KEY_PATH}" >> $WAS_STARTED_WITH_TLS
- echo "export PREVIOUS_TLS_DH_PARAM_PATH=${TLS_DH_PARAM_PATH}" >> $WAS_STARTED_WITH_TLS
+ echo "export PREVIOUS_TLS_CA_CRT_PATH=${TLS_CA_CRT_PATH}/${TLS_CA_CRT_FILENAME}" > $WAS_STARTED_WITH_TLS
+ echo "export PREVIOUS_TLS_CRT_PATH=${TLS_CRT_PATH}/${TLS_CRT_FILENAME}" >> $WAS_STARTED_WITH_TLS
+ echo "export PREVIOUS_TLS_KEY_PATH=${TLS_KEY_PATH}/${TLS_KEY_FILENAME}" >> $WAS_STARTED_WITH_TLS
+ echo "export PREVIOUS_TLS_DH_PARAM_PATH=${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME}" >> $WAS_STARTED_WITH_TLS
 # Enforce TLS
 if [ "${TLS_ENFORCE,,}" == "true" ]; then
@@ -638,4 +494,4 @@ ETC_HOSTS=$(cat /etc/hosts | sed "/$HOSTNAME/d")
 echo "0.0.0.0 $HOSTNAME" > /etc/hosts
 echo "$ETC_HOSTS" >> /etc/hosts
-liftoff
\ No newline at end of file
+liftoff
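Review bot: The four `echo "export PREVIOUS_..."` lines write the composed paths unquoted into `$WAS_STARTED_WITH_TLS`, the file the previous-certificate check reads `PREVIOUS_TLS_*` back from on later starts; the `export` form suggests it is sourced as shell, in which case a `TLS_*_PATH` or filename containing a space or shell metacharacter either breaks the assignment or is re-evaluated on the next start. `printf 'export PREVIOUS_TLS_CA_CRT_PATH=%q\n' "${TLS_CA_CRT_PATH}/${TLS_CA_CRT_FILENAME}" > "$WAS_STARTED_WITH_TLS"` (and `>>` for the other three) records each value as a single shell-safe word and also quotes the redirect target. The enclosing TLS `if` starts before this hunk.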