[bitnami/openldap] Release 2.5.16-debian-11-r17 (#45185)

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
This commit is contained in:
Bitnami Bot 2023-08-19 06:23:19 +02:00 committed by GitHub
parent f9cc98e0ed
commit f598f7655a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 136 additions and 6 deletions


@ -7,10 +7,10 @@ ARG TARGETARCH
LABEL com.vmware.cp.artifact.flavor="sha256:1e1b4657a77f0d47e9220f0c37b9bf7802581b93214fff7d1bd2364c8bf22e8e" \
org.opencontainers.image.base.name="docker.io/bitnami/minideb:bullseye" \
org.opencontainers.image.created="2023-08-15T07:29:03Z" \
org.opencontainers.image.created="2023-08-18T08:49:42Z" \
org.opencontainers.image.description="Application packaged by VMware, Inc" \
org.opencontainers.image.licenses="Apache-2.0" \
org.opencontainers.image.ref.name="2.5.16-debian-11-r14" \
org.opencontainers.image.ref.name="2.5.16-debian-11-r17" \
org.opencontainers.image.title="openldap" \
org.opencontainers.image.vendor="VMware, Inc." \
org.opencontainers.image.version="2.5.16"


@ -67,9 +67,14 @@ export LDAP_PASSWORDS="${LDAP_PASSWORDS:-bitnami1,bitnami2}"
export LDAP_USER_DC="${LDAP_USER_DC:-users}"
export LDAP_GROUP="${LDAP_GROUP:-readers}"
export LDAP_ENABLE_TLS="${LDAP_ENABLE_TLS:-no}"
export LDAP_REQUIRE_TLS="${LDAP_REQUIRE_TLS:-no}"
export LDAP_ULIMIT_NOFILES="${LDAP_ULIMIT_NOFILES:-1024}"
export LDAP_ALLOW_ANON_BINDING="${LDAP_ALLOW_ANON_BINDING:-yes}"
export LDAP_LOGLEVEL="${LDAP_LOGLEVEL:-256}"
export LDAP_PASSWORD_HASH="${LDAP_PASSWORD_HASH:-{SSHA}}"
export LDAP_CONFIGURE_PPOLICY="${LDAP_CONFIGURE_PPOLICY:-no}"
export LDAP_PPOLICY_USE_LOCKOUT="${LDAP_PPOLICY_USE_LOCKOUT:-no}"
export LDAP_PPOLICY_HASH_CLEARTEXT="${LDAP_PPOLICY_HASH_CLEARTEXT:-no}"
# By setting an environment variable matching *_FILE to a file path, the prefixed environment
# variable will be overridden with the value specified in that file
@ -402,6 +407,11 @@ dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/disable_anon_bind.ldif"
}
@ -583,7 +593,7 @@ ldap_initialize() {
ldap_create_online_configuration
ldap_start_bg
ldap_admin_credentials
if [ "$LDAP_ALLOW_ANON_BINDING" == 'no' ]; then
if ! is_boolean_yes "$LDAP_ALLOW_ANON_BINDING"; then
ldap_disable_anon_binding
fi
if is_boolean_yes "$LDAP_ENABLE_TLS"; then
@ -606,6 +616,20 @@ ldap_initialize() {
else
info "Skipping default schemas/tree structure"
fi
# additional configuration
if [[ ! "$LDAP_PASSWORD_HASH" == "{SSHA}" ]]; then
ldap_configure_password_hash
fi
if is_boolean_yes "$LDAP_CONFIGURE_PPOLICY"; then
ldap_configure_ppolicy
fi
# enable tls
if is_boolean_yes "$LDAP_ENABLE_TLS"; then
ldap_configure_tls
if is_boolean_yes "$LDAP_REQUIRE_TLS"; then
ldap_configure_tls_required
fi
fi
ldap_stop
fi
}
@ -680,3 +704,109 @@ EOF
fi
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/certs.ldif"
}
########################
# OpenLDAP configure connections to require TLS
# Globals:
# LDAP_*
# Arguments:
# None
# Returns:
# None
#########################
ldap_configure_tls_required() {
info "Configuring LDAP connections to require TLS"
cat > "${LDAP_SHARE_DIR}/tls_required.ldif" << EOF
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
EOF
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/tls_required.ldif"
}
########################
# OpenLDAP enable module
# Globals:
# LDAP_*
# Arguments:
# $1: Module path
# $2: Module file name
# Returns:
# None
#########################
ldap_load_module() {
info "Enable LDAP $2 module from $1"
cat > "${LDAP_SHARE_DIR}/enable_module_$2.ldif" << EOF
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: $1
olcModuleLoad: $2
EOF
debug_execute ldapadd -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/enable_module_$2.ldif"
}
########################
# OpenLDAP configure ppolicy
# Globals:
# LDAP_*
# Arguments:
# None
# Returns:
# None
#########################
ldap_configure_ppolicy() {
info "Configuring LDAP ppolicy"
ldap_load_module "/opt/bitnami/openldap/lib/openldap" "ppolicy.so"
# create configuration
cat > "${LDAP_SHARE_DIR}/ppolicy_create_configuration.ldif" << EOF
dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
EOF
debug_execute ldapadd -Q -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ppolicy_create_configuration.ldif"
# enable ppolicy_hash_cleartext
if is_boolean_yes "$LDAP_PPOLICY_HASH_CLEARTEXT"; then
info "Enabling ppolicy_hash_cleartext"
cat > "${LDAP_SHARE_DIR}/ppolicy_configuration_hash_cleartext.ldif" << EOF
dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
changetype: modify
add: olcPPolicyHashCleartext
olcPPolicyHashCleartext: TRUE
EOF
debug_execute ldapmodify -Q -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ppolicy_configuration_hash_cleartext.ldif"
fi
# enable ppolicy_use_lockout
if is_boolean_yes "$LDAP_PPOLICY_USE_LOCKOUT"; then
info "Enabling ppolicy_use_lockout"
cat > "${LDAP_SHARE_DIR}/ppolicy_configuration_use_lockout.ldif" << EOF
dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
changetype: modify
add: olcPPolicyUseLockout
olcPPolicyUseLockout: TRUE
EOF
debug_execute ldapmodify -Q -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ppolicy_configuration_use_lockout.ldif"
fi
}
########################
# OpenLDAP configure olcPasswordHash
# Globals:
# LDAP_*
# Arguments:
# None
# Returns:
# None
#########################
ldap_configure_password_hash() {
info "Configuring LDAP olcPasswordHash"
cat > "${LDAP_SHARE_DIR}/password_hash.ldif" << EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: $LDAP_PASSWORD_HASH
EOF
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/password_hash.ldif"
}
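Review bot: `ldap_configure_password_hash` writes `$LDAP_PASSWORD_HASH` verbatim into the cn=config LDIF (`olcPasswordHash: $LDAP_PASSWORD_HASH`) with no validation, even though the README restricts it to {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT} or {CLEARTEXT} and the only check in `ldap_initialize` is that it differs from `{SSHA}`; a malformed value (a bare `SSHA` without braces, or a multi-line string) ends up as arbitrary LDIF fed to `ldapmodify -Y EXTERNAL`, whose failure is hidden inside `debug_execute`. I would validate the value against the documented set before writing the file, and log a warning when a weak scheme ({CLEARTEXT}, {MD5}, {SMD5}) is chosen, since that is what slapd will then use to store passwords. Separately, as far as I recall, a frontend `olcPasswordHash` only governs the Password Modify extended operation and not `userPassword` values supplied directly in bootstrap LDIF — that case is what `LDAP_PPOLICY_HASH_CLEARTEXT` covers — so the README wording "Hash to be used in generation of user passwords" may promise more than this setting delivers; worth confirming against the OpenLDAP admin guide.
```shell
ldap_configure_password_hash() {
  # Refuse anything outside the documented set: the value is spliced into LDIF unescaped.
  case "$LDAP_PASSWORD_HASH" in
    "{SSHA}"|"{SHA}"|"{SMD5}"|"{MD5}"|"{CRYPT}"|"{CLEARTEXT}") ;;
    *)
      printf 'Invalid LDAP_PASSWORD_HASH "%s": expected one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, {CLEARTEXT}\n' "$LDAP_PASSWORD_HASH" >&2
      return 1
      ;;
  esac
  case "$LDAP_PASSWORD_HASH" in
    "{CLEARTEXT}"|"{MD5}"|"{SMD5}")
      info "LDAP_PASSWORD_HASH=$LDAP_PASSWORD_HASH is a weak scheme; prefer {SSHA} or {CRYPT}"
      ;;
  esac
  info "Configuring LDAP olcPasswordHash"
  # … unchanged: write password_hash.ldif and apply it with ldapmodify …
}
```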


@ -196,9 +196,9 @@ The Bitnami Docker OpenLDAP can be easily setup with the following environment v
* `LDAP_ALLOW_ANON_BINDING`: Allow anonymous bindings to the LDAP server. Default: **yes**.
* `LDAP_LOGLEVEL`: Set the loglevel for the OpenLDAP server (see <https://www.openldap.org/doc/admin26/slapdconfig.html> for possible values). Default: **256**.
* `LDAP_PASSWORD_HASH`: Hash to be used in generation of user passwords. Must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. Default: **{SSHA}**.
* `LDAP_CONFIGURE_PPOLICY`: Enables the ppolicy module and creates an empty configuration. Default: **no**
* `LDAP_PPOLICY_USE_LOCKOUT`: Whether bind attempts to locked accounts will always return an error. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no**
* `LDAP_PPOLICY_HASH_CLEARTEXT`: Whether plaintext passwords should be hashed automatically. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no**
* `LDAP_CONFIGURE_PPOLICY`: Enables the ppolicy module and creates an empty configuration. Default: **no**.
* `LDAP_PPOLICY_USE_LOCKOUT`: Whether bind attempts to locked accounts will always return an error. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no**.
* `LDAP_PPOLICY_HASH_CLEARTEXT`: Whether plaintext passwords should be hashed automatically. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no**.
You can bootstrap the contents of your database by putting LDIF files in the directory `/ldifs` (or the one you define in `LDAP_CUSTOM_LDIF_DIR`). Those may only contain content underneath your base DN (set by `LDAP_ROOT`). You can **not** set configuration for e.g. `cn=config` in those files.