More syncprov configuration, and enable SASL EXTERNAL auth

2023-05-17 23:07:11 +10:00 · 2023-05-17 23:07:11 +10:00 · 676c31a27a
commit 676c31a27a
parent a49ab8c40a
6 changed files with 35 additions and 3 deletions
--- a/10
+++ b/10
@ -8,8 +8,8 @@ RUN if [ -n ${HTTP_PROXY} ] ; then sed -i -e s'/https/http/' /etc/apk/repositori

 RUN apk add --no-cache bash openldap openldap-back-mdb openldap-clients openldap-overlay-syncprov

-ADD acl.ldif samba.ldif wurley.ldif /etc/openldap/schema/
-ADD certinfo.ldif /etc/openldap/
+ADD acl*.ldif samba.ldif wurley.ldif /etc/openldap/schema/
+ADD certinfo.ldif syncprov*ldif /etc/openldap/
 RUN sed -i -e 's/dc=my-domain,dc=com/c=AU/' /etc/openldap/slapd.ldif \
 	&& sed -i -e 's/openldap-data/data/' /etc/openldap/slapd.ldif \
 	&& mv /var/lib/openldap/openldap-data /var/lib/openldap/data \
@ -18,8 +18,12 @@ RUN sed -i -e 's/dc=my-domain,dc=com/c=AU/' /etc/openldap/slapd.ldif \
 	&& slapadd -b cn=config -l /etc/openldap/schema/misc.ldif \
 	&& slapadd -b cn=config -l /etc/openldap/schema/samba.ldif \
 	&& slapadd -b cn=config -l /etc/openldap/schema/wurley.ldif \
-	&& slapmodify -b cn=config -l /etc/openldap/schema/acl.ldif \
 	&& slapmodify -b cn=config -l /etc/openldap/certinfo.ldif \
+	&& slapmodify -b cn=config -l /etc/openldap/syncprov-enable.ldif \
+	&& slapmodify -b cn=config -l /etc/openldap/syncprov-options.ldif \
+	&& slapmodify -b cn=config -l /etc/openldap/syncprov-index.ldif \
+	&& slapmodify -b cn=config -l /etc/openldap/schema/acl-schema.ldif \
+	&& slapmodify -b cn=config -l /etc/openldap/schema/acl-data.ldif \
 	&& mkdir /var/lib/openldap/run \
 	&& chown -R ldap:ldap /etc/openldap/slapd.d /var/lib/openldap/data /var/lib/openldap/run

--- a/acl-data.ldif
+++ b/acl-data.ldif
@ -1,6 +1,9 @@
 dn: olcDatabase={1}mdb,cn=config
 changetype: modify
 replace: olcAccess
+olcAccess: to *
+  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
+  by * break
 olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
--- a/acl-schema.ldif
+++ b/acl-schema.ldif
@ -0,0 +1,6 @@
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: to *
+  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
+  by * break
--- a/syncprov-enable.ldif
+++ b/syncprov-enable.ldif
@ -0,0 +1,4 @@
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: syncprov.so
--- a/syncprov-index.ldif
+++ b/syncprov-index.ldif
@ -0,0 +1,7 @@
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+add: olcDbIndex
+olcDbIndex: entryCSN eq
+-
+add: olcDbIndex
+olcDbIndex: entryUUID eq
--- a/syncprov-options.ldif
+++ b/syncprov-options.ldif
@ -0,0 +1,8 @@
+dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+olcSpNoPresent: TRUE
+olcSpCheckpoint: 100 10
+olcSpSessionlog: 100