Rework initial setup for new deployments

2024-10-16 18:37:27 +11:00 · 2024-10-16 18:37:27 +11:00 · ccc9750b60
commit ccc9750b60
parent 6514308e4a
13 changed files with 116 additions and 38 deletions
--- a/certinfo.ldif
+++ b/certinfo.ldif
@ -1,9 +0,0 @@
 dn: cn=config
 add: olcTLSCACertificateFile
 olcTLSCACertificateFile: /etc/openldap/tls/ldap-ca.crts
 -
 add: olcTLSCertificateFile
 olcTLSCertificateFile: /etc/openldap/tls/ldap-server.crt
 -
 add: olcTLSCertificateKeyFile
 olcTLSCertificateKeyFile: /etc/openldap/tls/ldap-server.key
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -1,4 +1,4 @@
-# NAME leenooks/ldap
+# NAME local/ldap
 # VERSION latest
 FROM alpine
@ -8,30 +8,30 @@ RUN if [ -n ${HTTP_PROXY} ] ; then sed -i -e s'/https/http/' /etc/apk/repositori
 RUN apk add --no-cache bash openldap openldap-back-mdb openldap-clients openldap-overlay-syncprov openldap-overlay-accesslog
-ADD acl*.ldif samba.ldif wurley.ldif /etc/openldap/schema/
+ADD schema /etc/openldap/schema/custom
-ADD certinfo.ldif syncprov*ldif /etc/openldap/
+ADD tls /etc/openldap/tls
 RUN sed -i -e 's/dc=my-domain,dc=com/c=AU/' /etc/openldap/slapd.ldif \
 	&& sed -i -e 's/openldap-data/data/' /etc/openldap/slapd.ldif \
 	&& mv /var/lib/openldap/openldap-data /var/lib/openldap/data \
-	&& mkdir /etc/openldap/slapd.d \
+	&& mkdir /etc/openldap/slapd.d /etc/openldap/schema/add.d /etc/openldap/schema/modify.d \
-	&& slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif \
+	&& ln -s ../misc.ldif /etc/openldap/schema/add.d/01-misc.ldif \
-	&& slapadd -b cn=config -l /etc/openldap/schema/misc.ldif \
+	&& ln -s ../custom/samba.ldif /etc/openldap/schema/add.d/02-samba.ldif \
-	&& slapadd -b cn=config -l /etc/openldap/schema/samba.ldif \
+	&& ln -s ../custom/wurley.ldif /etc/openldap/schema/add.d/10-wurley.ldif \
-	&& slapadd -b cn=config -l /etc/openldap/schema/wurley.ldif \
+	&& ln -s ../custom/syncprov-enable.ldif /etc/openldap/schema/modify.d/20-syncprov-enable.ldif \
-	&& slapmodify -b cn=config -l /etc/openldap/certinfo.ldif \
+	&& ln -s ../custom/syncprov-options.ldif /etc/openldap/schema/modify.d/21-syncprov-options.ldif \
-	&& slapmodify -b cn=config -l /etc/openldap/syncprov-enable.ldif \
+	&& ln -s ../custom/syncprov-index.ldif /etc/openldap/schema/modify.d/22-syncprov-index.ldif \
-	&& slapmodify -b cn=config -l /etc/openldap/syncprov-options.ldif \
+	&& ln -s ../custom/certinfo.ldif /etc/openldap/schema/modify.d/23-certinfo.ldif \
-	&& slapmodify -b cn=config -l /etc/openldap/syncprov-index.ldif \
+	&& ln -s ../custom/acl-schema.ldif /etc/openldap/schema/modify.d/90-acl-schema.ldif \
-	&& slapmodify -b cn=config -l /etc/openldap/schema/acl-schema.ldif \
+	&& ln -s ../custom/acl-data.ldif /etc/openldap/schema/modify.d/91-acl-data.ldif \
 	&& slapmodify -b cn=config -l /etc/openldap/schema/acl-data.ldif \
 	&& mkdir /var/lib/openldap/run \
 	&& chown -R ldap:ldap /etc/openldap/slapd.d /var/lib/openldap/data /var/lib/openldap/run
-ENV SLAPD_CONFIG /etc/openldap/slapd.d/cn=config
+ENV SLAPD_CONFIG=/etc/openldap/slapd.d/cn=config
 RUN cp -pr ${SLAPD_CONFIG} ${SLAPD_CONFIG}.orig
 COPY docker/init-docker /sbin/
 # Starting
 ENTRYPOINT [ "/sbin/init-docker" ]
 VOLUME [ "/var/lib/openldap/data" ]
 EXPOSE 389 636
--- a/docker/init-docker
+++ b/docker/init-docker
@ -1,9 +1,14 @@
-#!/bin/bash
+#!/bin/sh
 set -e
 NAME="OPENLDAP"
-SLAPD_CONFIG=${SLAPD_CONFIG:-"/etc/openldap/slapd.d/cn=config"}
+
 SLAPD_BASE=${SLAPD_BASE:-"/etc/openldap/slapd.d"}
 SLAPD_CONFIG=${SLAPD_CONFIG:-"${SLAPD_BASE}/cn=config"}
 SLAPD_INIT=${SLAPD_INIT:="/etc/openldap/slapd.ldif"}
 SLAPD_DEBUG=${SLAPD_DEBUG:-0}
 SLAPD_URLS=${SLAPD_URLS:-"ldapi:/// ldap:/// ldaps:///"}
 SLAPD_OPTIONS="${SLAPD_OPTIONS} -d ${SLAPD_DEBUG}"
 function stop {
 	echo "Stopping ${NAME}"
@ -21,19 +26,39 @@ function mp() {
 trap 'stop' SIGTERM
 if [ -z "$@" ]; then
 	SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
 	SLAPD_OPTIONS="-d ${SLAPD_DEBUG}"
 	# If /etc/openldap is an external mount point
-	if mp ${SLAPD_CONFIG}; then
+	if [ -e ${SLAPD_CONFIG}/olcDatabase=\{0\}config.ldif ]; then
-		echo "* ${SLAPD_CONFIG} is mounted, checking for existing config"
+		echo "* [${SLAPD_CONFIG}] exists, ready to go"
 		if [ -f ${SLAPD_CONFIG}/olcDatabase=\{0\}config.ldif ]; then
 			echo "= ${SLAPD_CONFIG} existing configuration detected, aborting..."
 	else
-			echo "- ${SLAPD_CONFIG} populating default configuration"
+
-			cp -pr ${SLAPD_CONFIG}.orig/* ${SLAPD_CONFIG}
+		echo "- [${SLAPD_CONFIG}] rebuilding schema configuration"
-		fi
+
 		slapadd -n 0 -F ${SLAPD_BASE} -l ${SLAPD_INIT}
 		# Add custom schema definitions
 		for f in /etc/openldap/schema/add.d/*.ldif; do
 			[ -e "${f}" ] || continue
 			echo "- Processing SCHEMA item [${f}]"
 			slapadd -b cn=config -l ${f}
 		done
 		for f in /etc/openldap/schema/modify.d/*.ldif; do
 			[ -e "${f}" ] || continue
 			echo "- Processing SCHEMA item [${f}]"
 			slapmodify -b cn=config -l ${f}
 		done
 		# Add custom data definitions
 		for f in /etc/openldap/data/init.d/*.ldif; do
 			[ -e "${f}" ] || continue
 			echo "- Processing DATA items [${f}]"
 			slapadd -b cn=config -l ${f}
 		done
 		chown -R ldap:ldap ${SLAPD_CONFIG}*
 	fi
 	[ -x /usr/sbin/slapd ] && /usr/sbin/slapd -u ldap -h "${SLAPD_URLS}" $SLAPD_OPTIONS &
--- a/schema/acl-data.ldif
+++ b/schema/acl-data.ldif
--- a/schema/acl-schema.ldif
+++ b/schema/acl-schema.ldif
--- a/schema/certinfo.ldif
+++ b/schema/certinfo.ldif
@ -0,0 +1,9 @@
 dn: cn=config
 #add: olcTLSCACertificateFile
 #olcTLSCACertificateFile: /etc/openldap/tls/ldap-ca.crts
 #-
 add: olcTLSCertificateFile
 olcTLSCertificateFile: /etc/openldap/tls/default.crt
 -
 add: olcTLSCertificateKeyFile
 olcTLSCertificateKeyFile: /etc/openldap/tls/default.key
--- a/schema/samba.ldif
+++ b/schema/samba.ldif
--- a/schema/syncprov-enable.ldif
+++ b/schema/syncprov-enable.ldif
--- a/schema/syncprov-index.ldif
+++ b/schema/syncprov-index.ldif
--- a/schema/syncprov-options.ldif
+++ b/schema/syncprov-options.ldif
--- a/schema/wurley.ldif
+++ b/schema/wurley.ldif
--- a/tls/default.crt
+++ b/tls/default.crt
@ -0,0 +1,25 @@
 -----BEGIN CERTIFICATE-----
 MIIEKjCCAxKgAwIBAgIJALsoV61BAIR7MA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV
 BAYTAkFVMQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTENMAsGA1UE
 ChMEQUNNRTEMMAoGA1UECxMDV2ViMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTgw
 NjE5MjAxNTE5WhcNMjgwNjE2MjAxNTE5WjBgMQswCQYDVQQGEwJBVTEMMAoGA1UE
 CBMDVklDMRIwEAYDVQQHEwlNZWxib3VybmUxDTALBgNVBAoTBEFDTUUxDDAKBgNV
 BAsTA1dlYjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
 AQ8AMIIBCgKCAQEAv0hEQONbM1iz6nwTWwFuByY0sBK8hXlgyOTJftnQr+ffhKXn
 f30WovFmy1FBTUDa42T5Fsa6aihw+QAuLFtnMogZRIqp8Ow9ovGLv7Wo6KRoQ6Db
 JJ0FofUBiMVQy79/alUlgEYwuPlgjWwl7+pPZobXjaytAfK7WcGxMKiy6cBpFHMD
 LOGNsnjSyFDZtRSMyOd07SZDhS1J5IV25v76URsyYQU+kriqZK8AkC2emz/hkcVF
 10nlli2R6JsidiwN4JAPG1zKA3p0Ki0R6uG//1dQ9MuCIiCZkJklmg3ZmhjpBCY0
 n+nB+F3XSDsyYR7MWZvfRHyx3w/WVpGdVymmrwIDAQABo4HmMIHjMBEGCWCGSAGG
 +EIBAQQEAwIGQDAdBgNVHQ4EFgQUV31E9ULcEQkSmlgq1uQ0WiyR/DswgZIGA1Ud
 IwSBijCBh4AUV31E9ULcEQkSmlgq1uQ0WiyR/DuhZKRiMGAxCzAJBgNVBAYTAkFV
 MQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTENMAsGA1UEChMEQUNN
 RTEMMAoGA1UECxMDV2ViMRIwEAYDVQQDEwlsb2NhbGhvc3SCCQC7KFetQQCEezAa
 BgNVHREEEzARhwR/AAABgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBAAZL
 WWeY7sbVX6noNjiQWe9jzBKG994f5/Q5dpqT6ZHpLsSU2AQ85QfUXma3rAPwSj0+
 C4V7IRlrwlFXXqe8LxWxEJo0DlHOqDZTxQpHvmwATRxTBHDOS4kMjbj5oAwq0yXz
 dNxxOI5Pv9j6VIMMIgW6dFnh/GRG5w5lndtWisCU8ydG/PkeMkvi3OTQDTq64qgp
 lt0OTDkTyoWmpq46k3NDR2n6ar7DwEmamMWPkR9rNLjOde2AlKMuNZ4wUMVAYasr
 xDMmMCe/matHd6Ry2kvBkBRFkFaJyR2+D2vpYSbT8fSFOKv6w+5qJI8pOQ1Yn+Di
 3+EttBcVhrZfxoL8jYw=
 -----END CERTIFICATE-----
--- a/tls/default.key
+++ b/tls/default.key
@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/SERA41szWLPq
 fBNbAW4HJjSwEryFeWDI5Ml+2dCv59+Eped/fRai8WbLUUFNQNrjZPkWxrpqKHD5
 AC4sW2cyiBlEiqnw7D2i8Yu/tajopGhDoNsknQWh9QGIxVDLv39qVSWARjC4+WCN
 bCXv6k9mhteNrK0B8rtZwbEwqLLpwGkUcwMs4Y2yeNLIUNm1FIzI53TtJkOFLUnk
 hXbm/vpRGzJhBT6SuKpkrwCQLZ6bP+GRxUXXSeWWLZHomyJ2LA3gkA8bXMoDenQq
 LRHq4b//V1D0y4IiIJmQmSWaDdmaGOkEJjSf6cH4XddIOzJhHsxZm99EfLHfD9ZW
 kZ1XKaavAgMBAAECggEAaJje4dCxZVGDCJ0ShHgyr2wf8Yw9VIt79j7NRDVdXWNh
 IYsLHPbM8wsoV9O17sWhLClh4CeJdlVo+XA0z4Kn2sT7dDSTGzBDwB9veMSgeZ61
 eQ2z58CJfPeaAC1NsiykQwQOfqdjKzMKrirOT/QDuR/RLSKYdHFEK5+0AdSuCQ2A
 PV68FX6BnKfR/LDt6auN43ISdrnXRFna5Helyel2l3Jv/ooz9FeeTbXUa9cQcrXM
 tMvd8GMr4oLnhKROcec0bTOy/3ZymbEvjjQvgxukivLLOUbQiwp2lfQWcFna4cOL
 apGeameOHQceF4iIibnbDo073jS3m02WBH0ScRsj2QKBgQDxRWZWSGuJkFQOoW/b
 uuwu26RAFdXLsxr2G9XMIZR+rpmhq5EoM4CL/YI5syChgYgxAj8UfwYg93wuGkN8
 5VPhuytH5MIDsXq9Ci2b+WQrF5sxDK3MA3FieFZByVX80JNXtVUudzqQ6wJ1OEsY
 wB+h2Uu9zssNZVugPh3wb5BsLQKBgQDK9aN97C3JtLW+xOoEYW1iCputwoDWIIqk
 i6fi0mTQiQ+YbliaXWS/F7tJrUHvFFgJLZcpDKaEaN5WFjFHU+1zUDtotEiJ7bTQ
 fuoyWY/8VpWn6RKwukL+mfIm2n7ZT6FC8YBU6lRPEmuGwrvuUstmIcKaAJ2bPvRt
 vhRRY3u7ywKBgDIjPOADTq2Ym48qxyb/UiNuq1RR9UrOXnT0VdqEw+oLeIubLqAP
 C9CLjutUqRxG4bllgRxORUTGiTy/YnTq5yKKlbTr+dFwqVPtcIrwKXu2/R4VR2yU
 7pQK88naAA94fJYGbbwpNLd2ztzzJM/w5OHqWQ4JkjKndIH5Rpl3ZajFAoGABWqa
 y2CDNE/bTdUJfcZv2d74mqGHOK+zo4KKn3YH9LzDqsi/GpeFecgTWnsCOHQtiUkr
 MJBC3WPDEz8SX5nwy1QH0dqF2RB789h/PYrAWfahldKVihveb9cB7GGGYxxJ7HRv
 fVSnnVibgAQwacLR5M7f16ZOjncWpNsexbFG+xMCgYEAj1V64k9Lz554EDCNZMQS
 mzgqYg6ck+GYL/W6hdE/N3zc+KJKF4ztM/c987BbFgpJQp+uYF43jRmOcv1Oab43
 mpuvZ2rDSPqrqM+fdHIx2oLPNBdBc9abTX7sQtK4WSTp16gs+MqfMWRklxWsMwWE
 fO6SmAU27aAzfOccuvx3glQ=
 -----END PRIVATE KEY-----