2.4.56-debian-10-r60 release

bitnami/openldap/2/debian-10/Dockerfile

@@ -18,7 +18,7 @@ RUN chmod g+rwX /opt/bitnami
 COPY rootfs /
 RUN /opt/bitnami/scripts/openldap/postunpack.sh
 ENV BITNAMI_APP_NAME="openldap" \
-    BITNAMI_IMAGE_VERSION="2.4.56-debian-10-r59" \
+    BITNAMI_IMAGE_VERSION="2.4.56-debian-10-r60" \
     PATH="/opt/bitnami/openldap/bin:/opt/bitnami/openldap/sbin:/opt/bitnami/common/bin:$PATH"
 
 EXPOSE 1389 1636

bitnami/openldap/2/debian-10/rootfs/opt/bitnami/scripts/libopenldap.sh

@@ -35,6 +35,9 @@ export LDAP_ONLINE_CONF_DIR="${LDAP_VOLUME_DIR}/slapd.d"
 export LDAP_PID_FILE="${LDAP_BASE_DIR}/var/run/slapd.pid"
 export LDAP_CUSTOM_LDIF_DIR="${LDAP_CUSTOM_LDIF_DIR:-/ldifs}"
 export PATH="${LDAP_BIN_DIR}:${LDAP_SBIN_DIR}:$PATH"
+export LDAP_TLS_CERT_FILE="${LDAP_TLS_CERT_FILE:-}"
+export LDAP_TLS_KEY_FILE="${LDAP_TLS_KEY_FILE:-}"
+export LDAP_TLS_CA_FILE="${LDAP_TLS_CA_FILE:-}"
 # Users
 export LDAP_DAEMON_USER="slapd"
 export LDAP_DAEMON_GROUP="slapd"
@@ -51,6 +54,7 @@ export LDAP_USERS="${LDAP_USERS:-user01,user02}"
 export LDAP_PASSWORDS="${LDAP_PASSWORDS:-bitnami1,bitnami2}"
 export LDAP_USER_DC="${LDAP_USER_DC:-users}"
 export LDAP_GROUP="${LDAP_GROUP:-readers}"
+export LDAP_ENABLE_TLS="${LDAP_ENABLE_TLS:-no}"
 EOF
 }
 
@@ -80,9 +84,28 @@ ldap_validate() {
             print_validation_error "An invalid port was specified in the environment variable ${port_var}: ${err}."
         fi
     }
+    for var in LDAP_SKIP_DEFAULT_TREE LDAP_ENABLE_TLS; do
+        if ! is_yes_no_value "${!var}"; then
+            print_validation_error "The allowed values for $var are: yes or no"
+        fi
+    done
 
-    if ! is_yes_no_value "$LDAP_SKIP_DEFAULT_TREE"; then
-        print_validation_error "The values allowed for LDAP_SKIP_DEFAULT_TREE are: yes or no"
+    if is_boolean_yes "$LDAP_ENABLE_TLS"; then
+        if [[ -z "$LDAP_TLS_CERT_FILE" ]]; then
+            print_validation_error "You must provide a X.509 certificate in order to use TLS"
+        elif [[ ! -f "$LDAP_TLS_CERT_FILE" ]]; then
+            print_validation_error "The X.509 certificate file in the specified path ${LDAP_TLS_CERT_FILE} does not exist"
+        fi
+        if [[ -z "$LDAP_TLS_KEY_FILE" ]]; then
+            print_validation_error "You must provide a private key in order to use TLS"
+        elif [[ ! -f "$LDAP_TLS_KEY_FILE" ]]; then
+            print_validation_error "The private key file in the specified path ${LDAP_TLS_KEY_FILE} does not exist"
+        fi
+        if [[ -z "$LDAP_TLS_CA_FILE" ]]; then
+            print_validation_error "You must provide a CA X.509 certificate in order to use TLS"
+        elif [[ ! -f "$LDAP_TLS_CA_FILE" ]]; then
+            print_validation_error "The CA X.509 certificate file in the specified path ${LDAP_TLS_CA_FILE} does not exist"
+        fi
     fi
 
     read -r -a users <<< "$(tr ',;' ' ' <<< "${LDAP_USERS}")"
@@ -350,6 +373,9 @@ ldap_initialize() {
         ldap_create_online_configuration
         ldap_start_bg
         ldap_admin_credentials
+        if is_boolean_yes "$LDAP_ENABLE_TLS"; then
+            ldap_configure_tls
+        fi
         if is_boolean_yes "$LDAP_SKIP_DEFAULT_TREE"; then
             info "Skipping default schemas/tree structure"
         else
@@ -364,3 +390,30 @@ ldap_initialize() {
         ldap_stop
     fi
 }
+
+########################
+# OpenLDAP configure TLS
+# Globals:
+#   LDAP_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+ldap_configure_tls() {
+    info "Configuring TLS"
+    cat > "${LDAP_SHARE_DIR}/certs.ldif" << EOF
+dn: cn=config
+changetype: modify
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: $LDAP_TLS_CA_FILE
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: $LDAP_TLS_CERT_FILE
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: $LDAP_TLS_KEY_FILE
+
+EOF
+    debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/certs.ldif"
+}

bitnami/openldap/2/debian-10/rootfs/opt/bitnami/scripts/openldap/run.sh

@@ -12,10 +12,15 @@ set -o pipefail
 eval "$(ldap_env)"
 
 readonly command="$(command -v slapd)"
+
+flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldapi:///")
+
+# Add LDAPS URI when TLS is enabled
+is_boolean_yes "$LDAP_ENABLE_TLS" && flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldaps://:${LDAP_LDAPS_PORT_NUMBER}/ ldapi:///")
+
 # Add "@" so users can add extra command line flags
-flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldapi:///" "-F" "${LDAP_CONF_DIR}/slapd.d" "-d" "256" "$@")
+flags+=("-F" "${LDAP_CONF_DIR}/slapd.d" "-d" "256" "$@")
 
 info "** Starting slapd **"
 am_i_root && flags=("-u" "$LDAP_DAEMON_USER" "${flags[@]}")
 exec "${command}" "${flags[@]}"
-

bitnami/openldap/README.md

@@ -35,7 +35,7 @@ Non-root container images add an extra layer of security and are generally recom
 Learn more about the Bitnami tagging policy and the difference between rolling tags and immutable tags [in our documentation page](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers/).
 
 
-* [`2`, `2-debian-10`, `2.4.56`, `2.4.56-debian-10-r59`, `latest` (2/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-openldap/blob/2.4.56-debian-10-r59/2/debian-10/Dockerfile)
+* [`2`, `2-debian-10`, `2.4.56`, `2.4.56-debian-10-r60`, `latest` (2/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-openldap/blob/2.4.56-debian-10-r60/2/debian-10/Dockerfile)
 
 Subscribe to project updates by watching the [bitnami/openldap GitHub repo](https://github.com/bitnami/bitnami-docker-openldap).
 
@@ -180,6 +180,51 @@ The Bitnami Docker OpenLDAP can be easily setup with the following environment v
 
 Check the official [OpenLDAP Configuration Reference](https://www.openldap.org/doc/admin24/guide.html) for more information about how to configure OpenLDAP.
 
+## Securing OpenLDAP traffic
+
+OpenLDAP clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections and to support LDAP authentication using the SASL EXTERNAL mechanism. Should you desire to enable this optional feature, you may use the following enviroment variables to configure the application:
+
+ - `LDAP_TLS_ENABLED`: Whether to enable TLS for traffic or not. Defaults to `no`.
+ - `LDAP_LDAPS_PORT_NUMBER`: Port used for TLS secure traffic. Defaults to `1636`.
+ - `LDAP_TLS_CERT_FILE`: File containing the certificate file for the TSL traffic. No defaults.
+ - `LDAP_TLS_KEY_FILE`: File containing the key for certificate. No defaults.
+ - `LDAP_TLS_CA_FILE`: File containing the CA of the certificate. No defaults.
+
+This new feature is not mutually exclusive, which means it is possible to listen to both TLS and non-TLS connection simultaneously. To use TLS you can use the URI `ldaps://openldap:1636` or use the non-TLS URI forcing ldap to use TLS `ldap://openldap:1389 -ZZ`.
+
+1. Using `docker run`
+
+    ```console
+    $ docker run --name openldap \
+        -v /path/to/certs:/opt/bitnami/openldap/certs \
+        -v /path/to/openldap-data-persistence:/bitnami/openldap/data \
+        -e ALLOW_EMPTY_PASSWORD=yes \
+        -e LDAP_TLS_ENABLED=yes \
+        -e LDAP_TLS_CERT_FILE=/opt/bitnami/openldap/certs/openldap.crt \
+        -e LDAP_TLS_KEY_FILE=/opt/bitnami/openldap/certs/openldap.key \
+        -e LDAP_TLS_CA_FILE=/opt/bitnami/openldap/certs/openldapCA.crt \
+        bitnami/openldap:latest
+    ```
+
+2. Modifying the `docker-compose.yml` file present in this repository:
+
+    ```yaml
+    services:
+      openldap:
+      ...
+        environment:
+          ...
+          - LDAP_TLS_ENABLED=yes
+          - LDAP_TLS_CERT_FILE=/opt/bitnami/openldap/certs/openldap.crt
+          - LDAP_TLS_KEY_FILE=/opt/bitnami/openldap/certs/openldap.key
+          - LDAP_TLS_CA_FILE=/opt/bitnami/openldap/certs/openldapCA.crt
+        ...
+        volumes:
+          - /path/to/certs:/opt/bitnami/openldap/certs
+          - /path/to/openldap-data-persistence:/bitnami/openldap/data
+      ...
+    ```
+
 # Logging
 
 The Bitnami OpenLDAP Docker image sends the container logs to `stdout`. To view the logs: