From f598f7655a349d403b97baa3a56c1fd8e4a2d6b5 Mon Sep 17 00:00:00 2001
From: Bitnami Bot
Date: Sat, 19 Aug 2023 06:23:19 +0200
Subject: [PATCH] [bitnami/openldap] Release 2.5.16-debian-11-r17 (#45185)

Signed-off-by: Bitnami Containers
---
 bitnami/openldap/2.5/debian-11/Dockerfile | 4 +-
 .../rootfs/opt/bitnami/scripts/libopenldap.sh | 132 +++++++++++++++++-
 bitnami/openldap/README.md | 6 +-
 3 files changed, 136 insertions(+), 6 deletions(-)

diff --git a/bitnami/openldap/2.5/debian-11/Dockerfile b/bitnami/openldap/2.5/debian-11/Dockerfile
index fad45fe69382..3502baafe7fe 100644
--- a/bitnami/openldap/2.5/debian-11/Dockerfile
+++ b/bitnami/openldap/2.5/debian-11/Dockerfile
@@ -7,10 +7,10 @@ ARG TARGETARCH
 
 LABEL com.vmware.cp.artifact.flavor="sha256:1e1b4657a77f0d47e9220f0c37b9bf7802581b93214fff7d1bd2364c8bf22e8e" \
 org.opencontainers.image.base.name="docker.io/bitnami/minideb:bullseye" \
- org.opencontainers.image.created="2023-08-15T07:29:03Z" \
+ org.opencontainers.image.created="2023-08-18T08:49:42Z" \
 org.opencontainers.image.description="Application packaged by VMware, Inc" \
 org.opencontainers.image.licenses="Apache-2.0" \
- org.opencontainers.image.ref.name="2.5.16-debian-11-r14" \
+ org.opencontainers.image.ref.name="2.5.16-debian-11-r17" \
 org.opencontainers.image.title="openldap" \
 org.opencontainers.image.vendor="VMware, Inc." \
 org.opencontainers.image.version="2.5.16"
diff --git a/bitnami/openldap/2.5/debian-11/rootfs/opt/bitnami/scripts/libopenldap.sh b/bitnami/openldap/2.5/debian-11/rootfs/opt/bitnami/scripts/libopenldap.sh
index 1538b09a19c2..951ecf8b9345 100644
--- a/bitnami/openldap/2.5/debian-11/rootfs/opt/bitnami/scripts/libopenldap.sh
+++ b/bitnami/openldap/2.5/debian-11/rootfs/opt/bitnami/scripts/libopenldap.sh
@@ -67,9 +67,14 @@ export LDAP_PASSWORDS="${LDAP_PASSWORDS:-bitnami1,bitnami2}"
 export LDAP_USER_DC="${LDAP_USER_DC:-users}"
 export LDAP_GROUP="${LDAP_GROUP:-readers}"
 export LDAP_ENABLE_TLS="${LDAP_ENABLE_TLS:-no}"
+export LDAP_REQUIRE_TLS="${LDAP_REQUIRE_TLS:-no}"
 export LDAP_ULIMIT_NOFILES="${LDAP_ULIMIT_NOFILES:-1024}"
 export LDAP_ALLOW_ANON_BINDING="${LDAP_ALLOW_ANON_BINDING:-yes}"
 export LDAP_LOGLEVEL="${LDAP_LOGLEVEL:-256}"
+export LDAP_PASSWORD_HASH="${LDAP_PASSWORD_HASH:-{SSHA}}"
+export LDAP_CONFIGURE_PPOLICY="${LDAP_CONFIGURE_PPOLICY:-no}"
+export LDAP_PPOLICY_USE_LOCKOUT="${LDAP_PPOLICY_USE_LOCKOUT:-no}"
+export LDAP_PPOLICY_HASH_CLEARTEXT="${LDAP_PPOLICY_HASH_CLEARTEXT:-no}"
 
 # By setting an environment variable matching *_FILE to a file path, the prefixed environment
 # variable will be overridden with the value specified in that file
@@ -402,6 +407,11 @@ dn: cn=config
 changetype: modify
 add: olcDisallows
 olcDisallows: bind_anon
+
+dn: cn=config
+changetype: modify
+add: olcRequires
+olcRequires: authc
 EOF
 debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/disable_anon_bind.ldif"
 }
@@ -583,7 +593,7 @@ ldap_initialize() {
 ldap_create_online_configuration
 ldap_start_bg
 ldap_admin_credentials
- if [ "$LDAP_ALLOW_ANON_BINDING" == 'no' ]; then
+ if ! is_boolean_yes "$LDAP_ALLOW_ANON_BINDING"; then
 ldap_disable_anon_binding
 fi
 if is_boolean_yes "$LDAP_ENABLE_TLS"; then
@@ -606,6 +616,20 @@ ldap_initialize() {
 else
 info "Skipping default schemas/tree structure"
 fi
+ # additional configuration
+ if [[ ! "$LDAP_PASSWORD_HASH" == "{SSHA}" ]]; then
+ ldap_configure_password_hash
+ fi
+ if is_boolean_yes "$LDAP_CONFIGURE_PPOLICY"; then
+ ldap_configure_ppolicy
+ fi
+ # enable tls
+ if is_boolean_yes "$LDAP_ENABLE_TLS"; then
+ ldap_configure_tls
+ if is_boolean_yes "$LDAP_REQUIRE_TLS"; then
+ ldap_configure_tls_required
+ fi
+ fi
 ldap_stop
 fi
 }
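Review bot: In the @@ -606 hunk `LDAP_PASSWORD_HASH` is only compared against `{SSHA}` before `ldap_configure_password_hash` interpolates it verbatim into the `olcPasswordHash` LDIF; nothing in this patch checks it against the set the README documents ({SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, {CLEARTEXT}), so a typo becomes a slapd config error hidden behind `debug_execute` and a weak choice is accepted silently. A `case "$LDAP_PASSWORD_HASH" in '{SSHA}'|'{SHA}'|'{SMD5}'|'{MD5}'|'{CRYPT}'|'{CLEARTEXT}') ;; *) ... ;; esac` in the file's validation step (outside this hunk, if it exists) would pin the accepted values. The context line `if is_boolean_yes "$LDAP_ENABLE_TLS"; then` in the @@ -583 hunk suggests ldap_configure_tls may already run once earlier in ldap_initialize; if so, the new `# enable tls` block runs it a second time and the `add:` modifications in certs.ldif would fail on attributes that are already present, so keep a single call site. Minor style: `if [[ "$LDAP_PASSWORD_HASH" != "{SSHA}" ]]; then` reads more directly than the negated `==`. ldap_initialize begins before this hunk.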
@@ -680,3 +704,109 @@ EOF
 fi
 debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/certs.ldif"
 }
+
+########################
+# OpenLDAP configure connections to require TLS
+# Globals:
+# LDAP_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+ldap_configure_tls_required() {
+ info "Configuring LDAP connections to require TLS"
+ cat > "${LDAP_SHARE_DIR}/tls_required.ldif" << EOF
+dn: cn=config
+changetype: modify
+add: olcSecurity
+olcSecurity: tls=1
+EOF
+ debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/tls_required.ldif"
+}
+
+########################
+# OpenLDAP enable module
+# Globals:
+# LDAP_*
+# Arguments:
+# $1: Module path
+# $2: Module file name
+# Returns:
+# None
+#########################
+ldap_load_module() {
+ info "Enable LDAP $2 module from $1"
+ cat > "${LDAP_SHARE_DIR}/enable_module_$2.ldif" << EOF
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+olcModulePath: $1
+olcModuleLoad: $2
+EOF
+ debug_execute ldapadd -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/enable_module_$2.ldif"
+}
+
+########################
+# OpenLDAP configure ppolicy
+# Globals:
+# LDAP_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+ldap_configure_ppolicy() {
+ info "Configuring LDAP ppolicy"
+ ldap_load_module "/opt/bitnami/openldap/lib/openldap" "ppolicy.so"
+ # create configuration
+ cat > "${LDAP_SHARE_DIR}/ppolicy_create_configuration.ldif" << EOF
+dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: {0}ppolicy
+EOF
+ debug_execute ldapadd -Q -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ppolicy_create_configuration.ldif"
+ # enable ppolicy_hash_cleartext
+ if is_boolean_yes "$LDAP_PPOLICY_HASH_CLEARTEXT"; then
+ info "Enabling ppolicy_hash_cleartext"
+ cat > "${LDAP_SHARE_DIR}/ppolicy_configuration_hash_cleartext.ldif" << EOF
+dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
+changetype: modify
+add: olcPPolicyHashCleartext
+olcPPolicyHashCleartext: TRUE
+EOF
+ debug_execute ldapmodify -Q -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ppolicy_configuration_hash_cleartext.ldif"
+ fi
+ # enable ppolicy_use_lockout
+ if is_boolean_yes "$LDAP_PPOLICY_USE_LOCKOUT"; then
+ info "Enabling ppolicy_use_lockout"
+ cat > "${LDAP_SHARE_DIR}/ppolicy_configuration_use_lockout.ldif" << EOF
+dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
+changetype: modify
+add: olcPPolicyUseLockout
+olcPPolicyUseLockout: TRUE
+EOF
+ debug_execute ldapmodify -Q -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ppolicy_configuration_use_lockout.ldif"
+ fi
+}
+
+########################
+# OpenLDAP configure olcPasswordHash
+# Globals:
+# LDAP_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+ldap_configure_password_hash() {
+ info "Configuring LDAP olcPasswordHash"
+ cat > "${LDAP_SHARE_DIR}/password_hash.ldif" << EOF
+dn: olcDatabase={-1}frontend,cn=config
+changetype: modify
+add: olcPasswordHash
+olcPasswordHash: $LDAP_PASSWORD_HASH
+EOF
+ debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/password_hash.ldif"
+}
diff --git a/bitnami/openldap/README.md b/bitnami/openldap/README.md
index f4a527baf9e6..b7940d261373 100644
--- a/bitnami/openldap/README.md
+++ b/bitnami/openldap/README.md
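Review bot: `ldap_configure_ppolicy` hard-codes the overlay parent as `olcDatabase={2}mdb,cn=config` and the module directory as `/opt/bitnami/openldap/lib/openldap`, and because every LDIF is applied through `debug_execute` a mismatch in either (a different database index or install prefix) means the ppolicy overlay is silently never created while `LDAP_CONFIGURE_PPOLICY=yes` looks honoured. Deriving the module directory from the `LDAP_*` path variables the file already exports (outside this hunk) and looking the mdb database DN up under `cn=config` with an `ldapsearch -Y EXTERNAL -H "ldapi:///"` query instead of assuming `{2}` would remove both assumptions. The overlay entry also sets no `olcPPolicyDefault`, so as slapo-ppolicy applies policies `olcPPolicyUseLockout: TRUE` has no pwdLockout policy to act on until an operator adds and references a pwdPolicy entry; a comment such as `# NOTE: no default policy is created here; lockout only takes effect once a pwdPolicy entry applies to the user` above `# create configuration` would keep users from assuming lockout is active. For consistency, `ldap_load_module` omits the `-Q` that the two ppolicy ldapmodify calls pass.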
@@ -196,9 +196,9 @@ The Bitnami Docker OpenLDAP can be easily setup with the following environment v * `LDAP_ALLOW_ANON_BINDING`: Allow anonymous bindings to the LDAP server. Default: **yes**. * `LDAP_LOGLEVEL`: Set the loglevel for the OpenLDAP server (see for possible values). Default: **256**. * `LDAP_PASSWORD_HASH`: Hash to be used in generation of user passwords. Must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. Default: **{SSHA}**. -* `LDAP_CONFIGURE_PPOLICY`: Enables the ppolicy module and creates an empty configuration. Default: **no** -* `LDAP_PPOLICY_USE_LOCKOUT`: Whether bind attempts to locked accounts will always return an error. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no** -* `LDAP_PPOLICY_HASH_CLEARTEXT`: Whether plaintext passwords should be hashed automatically. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no** +* `LDAP_CONFIGURE_PPOLICY`: Enables the ppolicy module and creates an empty configuration. Default: **no**. +* `LDAP_PPOLICY_USE_LOCKOUT`: Whether bind attempts to locked accounts will always return an error. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no**. +* `LDAP_PPOLICY_HASH_CLEARTEXT`: Whether plaintext passwords should be hashed automatically. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no**. You can bootstrap the contents of your database by putting LDIF files in the directory `/ldifs` (or the one you define in `LDAP_CUSTOM_LDIF_DIR`). Those may only contain content underneath your base DN (set by `LDAP_ROOT`). You can **not** set configuration for e.g. `cn=config` in those files.