From befe7c5b26408dbea9d197749fac79cff3aed024 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Luginb=C3=BChl?=
Date: Wed, 18 Feb 2015 16:23:34 +0100
Subject: [PATCH] Initial version

---
 Dockerfile | 22 +++++++++++++++++
 LICENSE | 21 +++++++++++++++++
 README.md | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++
 entrypoint.sh | 50 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 158 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100755 entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..6495335
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,22 @@
+FROM debian:wheezy
+
+MAINTAINER Christian Luginbühl
+
+ENV OPENLDAP_VERSION 2.4.31
+
+RUN apt-get update && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y \
+ slapd=${OPENLDAP_VERSION}* \
+ ldap-utils=${OPENLDAP_VERSION}* && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+
+EXPOSE 389
+
+VOLUME ["/var/lib/ldap"]
+
+COPY entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["slapd", "-d", "32768"]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..4cc3355
--- /dev/null
+++ b/LICENSE
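Review bot: slapd ends up running as root: `CMD ["slapd", "-d", "32768"]` starts the daemon without `-u`/`-g` and there is no `USER` instruction, even though the entrypoint's `chown -R openldap:openldap /var/lib/ldap/` shows the data is meant to be owned by the unprivileged openldap account. Because the entrypoint itself needs root for the chown and `dpkg-reconfigure`, the least invasive fix is to let slapd drop privileges after start-up: `CMD ["slapd", "-d", "32768", "-u", "openldap", "-g", "openldap"]`. `FROM debian:wheezy` is a floating tag with no digest, and wheezy is now past end-of-life, so the `slapd=2.4.31*` pinned via `ENV OPENLDAP_VERSION` will never receive security updates; pin the base by digest and note the upgrade path in the README. Smaller points: `MAINTAINER` is deprecated in favour of `LABEL`, `ENV OPENLDAP_VERSION 2.4.31` should use the `key=value` form, and `apt-get install -y` without `--no-install-recommends` pulls in packages the image does not need.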
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015, Christian Luginbühl
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3fc3e85
--- /dev/null
+++ b/README.md
@@ -0,0 +1,65 @@
+docker-openldap
+===============
+
+A Docker image running OpenLDAP on Debian stable ("wheezy" at the moment). The
+Dockerfile is inspired by the well written one from
+[cnry/openldap](https://registry.hub.docker.com/u/cnry/openldap/), but as said
+before, running a stable Debian and be a little less verbose, but more complete
+in the configuration.
+
+NOTE: On purpose, there is no secured channel (TLS/SSL), because I believe that
+this service should never be exposed to the internet, but only be used directly
+by Docker containers using the `--link` option.
+
+Usage
+-----
+
+The most simple form would be to start the application like so (however this is
+not the recommended way - see above):
+
+ docker run -d -p 389:389 -e SLAPD_PASSWORD=mysecretpassword -e SLAPD_DOMAIN=ldap.example.org dinkel/openldap
+
+To get the full potential this image offers, one should first create a data-only
+container (see "Data persistence" below), start the OpenLDAP daemon as follows:
+
+ docker run -d -name openldap --volumes-from your-data-container dinkel/openldap
+
+An application talking to OpenLDAP should then `--link` the container:
+
+ docker run -d --link openldap:openldap image-using-openldap
+
+The name after the colon in the `--link` section is the hostname where the
+OpenLDAP daemon is listening to (the port is the default port `389`).
+
+Configuration (environment variables)
+-------------------------------------
+
+For the first run one has to set at least two envrironment variables. The first
+
+ SLAPD_PASSWORD
+
+sets the password for the `admin` user.
+
+The second
+
+ SLAPD_DOMAIN
+
+sets the DC (Domain component) parts. E.g. if one sets it to `ldap.example.org`,
+the generated base DC parts would be `...,dc=ldap,dc=example,dc=org`.
+
+There is an optinal third variable
+
+ SLAPD_ORGANIZATION (defaults to $SLAPD_DOMAIN)
+
+that represents the human readable company name (e.g. `Example Inc.`).
+
+After the first start of the image (and the initial configuration), these
+envirnonment variables are not evaluated anymore.
+
+Data persistence
+----------------
+
+The image exposes the directory, where the data is written
+(`VOLUME ["/var/lib/ldap"`). Please make sure that
+these directories are saved (in a data-only container or alike) in order to make
+sure that everything is restored after a new restart of the application.
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..c60b873
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+set -e
+
+chown -R openldap:openldap /var/lib/ldap/
+
+if [[ ! -f /etc/ldap/docker-configured ]]; then
+ if [[ -z "$SLAPD_PASSWORD" ]]; then
+ echo >&2 "Error: slapd not configured and SLAPD_PASSWORD not set"
+ echo >&2 "Did you forget to add -e SLAPD_PASSWORD=... ?"
+ exit 1
+ fi
+
+ if [[ -z "$SLAPD_DOMAIN" ]]; then
+ echo >&2 "Error: slapd not configured and SLAPD_DOMAIN not set"
+ echo >&2 "Did you forget to add -e SLAPD_DOMAIN=... ?"
+ exit 1
+ fi
+
+ SLAPD_ORGANIZATION="${SLAPD_ORGANIZATION:-${SLAPD_DOMAIN}}"
+
+ cat <<-EOF | debconf-set-selections
+ slapd slapd/no_configuration boolean false
+ slapd slapd/password1 password $SLAPD_PASSWORD
+ slapd slapd/password2 password $SLAPD_PASSWORD
+ slapd shared/organization string $SLAPD_ORGANIZATION
+ slapd slapd/domain string $SLAPD_DOMAIN
+ slapd slapd/backend select hdb
+ slapd slapd/allow_ldap_v2 boolean false
+ slapd slapd/purge_database boolean false
+ slapd slapd/move_old_database boolean true
+EOF
+
+ dpkg-reconfigure -fnoninteractive slapd >/dev/null 2>&1
+
+ dc_string=""
+
+ IFS="."; declare -a dc_parts=($SLAPD_DOMAIN)
+
+ for dc_part in "${dc_parts[@]}"; do
+ dc_string="$dc_string,dc=$dc_part"
+ done
+
+ base_string="BASE ${dc_string:1}"
+
+ sed -i "s/^#BASE.*/${base_string}/g" /etc/ldap/ldap.conf
+
+ touch /etc/ldap/docker-configured
+fi
+
+exec "$@"
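Review bot: The final `exec "$@"` hands the whole shell environment to slapd, so `SLAPD_PASSWORD` stays readable in the daemon's `/proc/<pid>/environ` for the container's entire lifetime even though the script only needs it for the one-time debconf step; add `unset SLAPD_PASSWORD` immediately before `exec "$@"` (the value is also visible through `docker inspect` because it arrives via `-e`, which the README should state). `sed -i "s/^#BASE.*/${base_string}/g"` interpolates `SLAPD_DOMAIN` unescaped into the sed program, so a value containing `/` or `&` alters the command rather than the data, and the unquoted `declare -a dc_parts=($SLAPD_DOMAIN)` additionally glob-expands each dot-separated part; the cheapest fix is to validate the variable next to the existing empty-check, e.g. `[[ "$SLAPD_DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || { echo >&2 "Error: SLAPD_DOMAIN must match ^[A-Za-z0-9.-]+$"; exit 1; }`. The `IFS="."` assignment is never restored and the heredoc expands `$SLAPD_PASSWORD` unquoted into debconf input, so a password containing a newline would inject extra debconf lines; a one-line `# NOTE: password must not contain newlines` comment at the heredoc, or the same regex-style check, would close that. `dpkg-reconfigure ... >/dev/null 2>&1` also hides the reason when configuration fails; dropping the `2>&1` keeps stderr visible without changing the happy path.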