Thorsten Kukuk 2020-08-26 16:04:59 +00:00 committed by Git OBS Bridge
commit 91f2c3cf5e
9 changed files with 326 additions and 0 deletions

.gitattributes vendored Normal file

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore vendored Normal file

@ -0,0 +1 @@
.osc

LICENSE Normal file

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2020 Thorsten Kukuk
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

README.md Normal file

@ -0,0 +1,143 @@
# OpenLDAP container
- [Guide](#guide)
- [Create new ldap server](#create-new-ldap-server)
- [Data persistence](#data-persistence)
- [Server configuration](#server-configuration)
- [Seed ldap database with ldif](#seed-ldap-database-with-ldif)
- [TLS](#tls)
- [Auto-generated certificate](#auto-generated-certificate)
- [Own certificate](#own-certificate)
- [Disable TLS](#disable-tls)
- [Supported environment variables](#supported-environment-variables)
- [Generic variables](#generic-variables)
- [Variables for new database](#variables-for-new-database)
- [Variables for TLS](#variables-for-tls)
- [Various configuration variables](#various-configuration-variables)
- [Data persistence volumes](#data-persistence-volumes)
## Guide
### Create new ldap server
This is the default behavior when you run this image.
It will create an empty ldap for the company **Example Inc.** and the domain **example.org**.
Two passwords are required to startup the container:
- `LDAP_ADMIN_PASSWORD` Ldap admin password for `cn=admin,dc=example,dc=org`
- `LDAP_CONFIG_PASSWORD` Ldap admin password for `cn=admin,dc=example,dc=org`
The command to run this container is:
```sh
podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap
```
To test the container a LDAP search could be issued:
```sh
podman exec -it openldap ldapsearch -x -W -H ldapi:/// -b dc=example,dc=org -D "cn=admin,dc=example,dc=org"
```
In all examples, `podman` can be replaced directly with `docker`.
### Data persistence
The directories `/var/lib/ldap` (LDAP database files) and
`/etc/openldap/slapd.d` (LDAP config files) are used to store the schema and
data information. They will be re-created at every container startup if they
are not mapped as volumes, means your ldap files are saved outside the
container. Normally this data should be stored, but for various use-cases it
could be usefull to throw them away afterwards.
If the UID and GID of the ldap user needs to match in the container and in the
host, the `LDAP_UID` and `LDAP_GID` environment variables needs to be set
explicitly:
```sh
podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_UID=333 -e LDAP_GID=333 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap
```
### Server configuration
Since slapd.conf is not used the ldap utils `ldapmodify`, `ldapadd` and
`ldapdelete` are required to adjust the server configuration.
### Seed ldap database with ldif
This image can load ldif and schema files at startup from an internal
path. This is useful if a continuous integration service mounts automatically
the working copy (sources) into a docker service, which has a relation to the
ci job.
In order to seed ldif or schema files from internal path you must set the
specific environment variable `LDAP_SEED_LDIF_PATH` and/or
`LDAP_SEED_SCHEMA_PATH`. If set this will copy any *.ldif or *.schema file
into the default seeding directories of this image.
## TLS
### Auto-generated certificate
TLS is be default configured and enabled. If no certificate is provided, a
self-signed one is created during container startup for the container
hostname. The container hostname can be set e.g. by
`podman run --hostname ldap.example.org ...`
### Own certificate
You can set your custom certificate at run time, by mounting a volume with the
certificates into the container and adjusting the following environment variables:
```sh
podman run --hostname ldap.example.org -v /srv/openldap/certs:/etc/openldap/certs:Z \
-e LDAP_TLS_CRT=/etc/openldap/certs/ldap.crt \
-e LDAP_TLS_KEY=/etc/openldap/certs/ldap.key \
-e LDAP_TLS_CA_CRT=/etc/openldap/certs/ca.crt \
-d registry.opensuse.org/opensuse/openldap:latest
```
### Disable TLS
Add --env LDAP_TLS=0 to the run command: `podman run -e LDAP_TLS=0 ...`
## Supported environment variables:
### Generic variables:
- `DEBUG=[0|1]` Enables "set -x" in the entrypoint script
- `TZ` Timezone to use in the container
### Variables for new database:
- `LDAP_DOMAIN` Ldap domain. Defaults to `example.org`
- `LDAP_BASE_DN` Ldap base DN. If empty automatically set from `LDAP_DOMAIN` value. Defaults to (`empty`)
- `LDAP_ORGANISATION` Organisation name. Defaults to `Example Inc.`
- `LDAP_ADMIN_PASSWORD` Ldap admin password. It's required to supply one if no database exists at startup.
- `LDAP_CONFIG_PASSWORD` Ldap config password. It's required to supply one if no database exists at startup.
- `LDAP_BACKEND` Database backend, defaults to `mdb`
- `LDAP_SEED_LDIF_PATH` Path with additional ldif files which will be loaded
- `LDAP_SEED_SCHEMA_PATH` Path with additional schema which will be loaded
### Variables for TLS:
- `LDAP_TLS=[1|0]` Enable TLS. Defaults to `1` (true).
- `LDAP_TLS_CA_CRT` LDAP ssl CA certificate. Defaults to `/etc/openldap/certs/ca.crt`.
- `LDAP_TLS_CA_KEY` Private LDAP CA key. Defaults to `/etc/openldap/certs/ca.key`.
- `LDAP_TLS_CRT` LDAP ssl certificate. Defaults to `/etc/openldap/certs/tls.crt`.
- `LDAP_TLS_KEY` Private LDAP ssl key. Defaults to `/etc/openldap/certs/tls.key`.
- `LDAP_TLS_DH_PARAM` LDAP ssl certificate dh param file.
- `LDAP_TLS_ENFORCE=[0|1]` Enforce TLS but except ldapi connections. Defaults to `0` (false).
- `LDAP_TLS_CIPHER_SUITE` TLS cipher suite.
- `LDAP_TLS_VERIFY_CLIENT` TLS verify client. Defaults to `demand`.
### Various configuration variables:
- `LDAP_NOFILE` Number of open files (ulimt -n), default `1024`
- `LDAP_PORT` Port for ldap:///, defaults to `389`
- `LDAPS_PORT` Port for ldaps:///, defaults to `636`
- `LDAPI_URL` Ldapi url, defaults to `ldapi:///run/slapd/ldapi`
- `LDAP_UID` UID of ldap user. All LDAP related files will be changed to this UID
- `LDAP_GID` GID of ldap group. All LDAP related files will be changed to this GID
- `LDAP_BACKEND` Database backend, defaults to `mdb`
- `SLAPD_LOG_LEVEL` Slapd debug devel, defaults to `0`
## Data persistence volumes
- `/etc/openldap/certs` TLS certificates for slapd
- `/etc/openldap/slapd.d` Slapd configuration files
- `/var/lib/ldap` OpenLDAP database
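Review bot: the two required passwords at the top of the Guide carry the identical description "Ldap admin password for `cn=admin,dc=example,dc=org`" for both `LDAP_ADMIN_PASSWORD` and `LDAP_CONFIG_PASSWORD`; the second one is, as its name and the later table entry ("Ldap config password") say, the password for the `cn=config` database, so that line looks like a copy-paste slip and should name the config DN, otherwise readers will assume both values protect the same account. In the TLS table, `LDAP_TLS_VERIFY_CLIENT` defaults to `demand`, which in slapd terminates any connection on 636 that does not present a valid client certificate, and `LDAP_TLS_ENFORCE` defaults to `0`, so simple binds on 389 are accepted in the clear by default; both deserve a sentence in the TLS section, since the quick-start search only exercises `ldapi:///`, which is exempt from both. The `podman run` examples pass both passwords with `-e`, where they remain readable via `podman inspect` and the process environment; a pointer to a file- or secret-based alternative would help operators. Minor: `LDAP_BACKEND` is listed under both "Variables for new database" and "Various configuration variables"; typos `usefull`, `TLS is be default`, `ulimt -n`, `debug devel` (level).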

_service Normal file

@ -0,0 +1,34 @@
<services>
<service name="obs_scm" mode="disabled">
<param name="url">https://github.com/thkukuk/containers-mailserver.git</param>
<param name="scm">git</param>
<param name="extract">LICENSE</param>
<param name="extract">openldap/README.md</param>
<param name="extract">openldap/opensuse-openldap-image.kiwi</param>
<param name="extract">openldap/opensuse-openldap-image.changes</param>
<param name="extract">openldap/config.sh</param>
<param name="revision">master</param>
<param name="versionformat">%cd.%h</param>
</service>
<service name="tar" mode="disabled">
<param name="subdir">openldap</param>
<param name="filename">entrypoint</param>
<param name="include">entrypoint.sh</param>
<param name="include">ssl-helper</param>
<param name="include">slapd.init.ldif</param>
<param name="include">ldif</param>
<param name="include">tls</param>
</service>
<service name="recompress" mode="disabled">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="kiwi_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">opensuse-openldap-image.kiwi</param>
<param name="regex">%PKG_VERSION%</param>
<param name="parse-version">patch</param>
<param name="package">openldap2</param>
</service>
</services>
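Review bot: the `obs_scm` service checks out `<param name="revision">master</param>` from the GitHub repository, so the extracted `config.sh`, kiwi description and README are whatever the branch head is when the service runs, and this commit alone does not pin a reviewed upstream state; pinning `revision` to a tag or commit hash and bumping it deliberately would make the OBS package reproducible and the upstream diff reviewable. The `tar` service packs `entrypoint.sh`, `ssl-helper`, `slapd.init.ldif`, `ldif` and `tls` from the same checkout into `entrypoint.tar.gz`, which is the only form in which the container's startup and certificate-generation logic reaches this repository (see the LFS pointer below), so the pinned revision is also what ties that tarball back to source.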

config.sh Normal file

@ -0,0 +1,21 @@
#!/bin/sh
#======================================
# Functions...
#--------------------------------------
test -f /.profile && . /.profile
#======================================
# Greeting...
#--------------------------------------
echo "Configure image: [$kiwi_iname]..."
echo "Move /etc/sysconfig/openldap away"
mv /etc/sysconfig/openldap /etc/sysconfig/openldap.example
# No default domain and standard password ...
rm /etc/openldap/slapd.conf
# Fix path so that update-ca-certificates does not complain
# [bsc#1175340]
rm /etc/ssl/certs && ln -sf /var/lib/ca-certificates/pem /etc/ssl/certs
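Review bot: the script sets no `set -e`, so a failing `mv` or `rm` is printed and ignored and the image still builds; in particular the last line `rm /etc/ssl/certs && ln -sf /var/lib/ca-certificates/pem /etc/ssl/certs` silently skips the `ln` when the `rm` fails (it only succeeds when `/etc/ssl/certs` is a symlink or regular file; on a real directory `rm` without `-r` fails), which would leave `update-ca-certificates` in exactly the state bsc#1175340 describes. Adding `set -e` after the shebang, or guarding the symlink repair with an explicit `test -L /etc/ssl/certs`, makes the fix fail loudly instead. The `rm /etc/openldap/slapd.conf` step is right for a cn=config-only image and matches the README's "Server configuration" section; the comment above it could say so explicitly.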

entrypoint.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:731c4a9b3ae55f5f54396c5d0da49dcee67e84efada7bc040d3debc6102c4658
size 8427
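Review bot: this file is only a Git LFS pointer (sha256 oid and size), so the entrypoint script, the `ssl-helper` that generates the self-signed certificate and the seed LDIFs that run as the container's entrypoint are not reviewable in this diff; recording the upstream commit the `tar` service packed (in the changes file or the tarball name) would let a reviewer rebuild the archive from source and compare the oid.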


@ -0,0 +1,16 @@
-------------------------------------------------------------------
Wed Aug 26 15:57:24 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- config.sh: fix /etc/ssl/certs symlink
-------------------------------------------------------------------
Tue Aug 25 13:12:06 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Update docu
- Add TLS support
- Example ldif files for mailserver
-------------------------------------------------------------------
Fri Aug 14 20:49:32 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Initial version


@ -0,0 +1,64 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- OBS-ExcludeArch: i586 s390 -->
<image schemaversion="6.9" name="opensuse-openldap-image" xmlns:suse_label_helper="com.suse.label_helper">
<description type="system">
<author>Thorsten Kukuk</author>
<contact>kukuk@suse.com</contact>
<specification>openSUSE image containing OpenLDAP as ldap server.</specification>
</description>
<preferences>
<type
image="docker"
derived_from="obsrepositories:/opensuse/busybox#latest">
<containerconfig
name="opensuse/openldap"
tag="latest"
additionaltags="%PKG_VERSION%,%PKG_VERSION%-%RELEASE%"
maintainer="Thorsten Kukuk &lt;kukuk@suse.com&gt;">
<entrypoint execute="/entrypoint/entrypoint.sh"/>
<subcommand execute="/usr/sbin/slapd">
<!--argument name="start"/-->
</subcommand>
<expose>
<port number='389'/>
<port number='636'/>
</expose>
<volumes>
<volume name="/var/lib/ldap"/>
<volume name="/etc/openldap/slapd.d"/>
</volumes>
<labels>
<suse_label_helper:add_prefix prefix="org.opensuse.openldap">
<label name="org.opencontainers.image.title" value="openSUSE OpenLDAP container"/>
<label name="org.opencontainers.image.description" value="Image containing OpenLDAP daemon."/>
<label name="org.opencontainers.image.version" value="%PKG_VERSION%-%RELEASE%"/>
<label name="org.opencontainers.image.created" value="%BUILDTIME%"/>
<label name="org.opensuse.reference" value="registry.opensuse.org/opensuse/openldap:%PKG_VERSION%-%RELEASE%"/>
<label name="org.openbuildservice.disturl" value="%DISTURL%"/>
</suse_label_helper:add_prefix>
</labels>
<history author="Thorsten Kukuk &lt;kukuk@suse.com&gt;">openSUSE OpenLDAP container</history>
</containerconfig>
</type>
<version>1.0.0</version>
<packagemanager>zypper</packagemanager>
<rpm-excludedocs>false</rpm-excludedocs>
</preferences>
<repository>
<source path="obsrepositories:/"/>
</repository>
<packages type="bootstrap">
<package name="openldap2"/>
<package name="openldap2-client"/>
<package name="openldap2-ppolicy-check-password"/>
<package name="openssl"/>
<package name="mandoc"/>
<package name="ca-certificates"/>
<package name="ca-certificates-mozilla"/>
<package name="-busybox-findutils"/>
<package name="-busybox-man"/>
<archive name="entrypoint.tar.gz"/>
</packages>
</image>
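Review bot: the `<volumes>` block declares only `/var/lib/ldap` and `/etc/openldap/slapd.d`, while the README's "Data persistence volumes" section also lists `/etc/openldap/certs`; without a declared volume the auto-generated self-signed certificate is regenerated whenever the container is recreated, so clients that trusted the previous one stop verifying, and the kiwi description and README should agree on whether that path is persistent. `derived_from="obsrepositories:/opensuse/busybox#latest"` follows the moving busybox tag, which is usual for OBS but means a rebuild can pick up a different base without any change here; the commented-out `<!--argument name="start"/-->` under `<subcommand>` looks like a leftover and can be dropped.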