From 91f2c3cf5e53c7b6fa26f0b479eb933882def2bc7636fa75dba20bf55f6c0884 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Wed, 26 Aug 2020 16:04:59 +0000 Subject: [PATCH] Accepting request 829803 from home:kukuk:container OBS-URL: https://build.opensuse.org/request/show/829803 OBS-URL: https://build.opensuse.org/package/show/devel:kubic:containers/opensuse-openldap-image?expand=0&rev=1 --- .gitattributes | 23 +++++ .gitignore | 1 + LICENSE | 21 +++++ README.md | 143 ++++++++++++++++++++++++++++++++ _service | 34 ++++++++ config.sh | 21 +++++ entrypoint.tar.gz | 3 + opensuse-openldap-image.changes | 16 ++++ opensuse-openldap-image.kiwi | 64 ++++++++++++++ 9 files changed, 326 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 README.md create mode 100644 _service create mode 100644 config.sh create mode 100644 entrypoint.tar.gz create mode 100644 opensuse-openldap-image.changes create mode 100644 opensuse-openldap-image.kiwi diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..488a7bc --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2020 Thorsten Kukuk + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..6594440 --- /dev/null +++ b/README.md 
@@ -0,0 +1,143 @@ +# OpenLDAP container + +- [Guide](#guide) + - [Create new ldap server](#create-new-ldap-server) + - [Data persistence](#data-persistence) + - [Server configuration](#server-configuration) + - [Seed ldap database with ldif](#seed-ldap-database-with-ldif) +- [TLS](#tls) + - [Auto-generated certificate](#auto-generated-certificate) + - [Own certificate](#own-certificate) + - [Disable TLS](#disable-tls) +- [Supported environment variables](#supported-environment-variables) + - [Generic variables](#generic-variables) + - [Variables for new database](#variables-for-new-database) + - [Variables for TLS](#variables-for-tls) + - [Various configuration variables](#various-configuration-variables) +- [Data persistence volumes](#data-persistence-volumes) + +## Guide + +### Create new ldap server + +This is the default behavior when you run this image. +It will create an empty ldap for the company **Example Inc.** and the domain **example.org**. + +Two passwords are required to startup the container: + + - `LDAP_ADMIN_PASSWORD` Ldap admin password for `cn=admin,dc=example,dc=org` + - `LDAP_CONFIG_PASSWORD` Ldap admin password for `cn=admin,dc=example,dc=org` + +The command to run this container is: + +```sh +podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap +``` + +To test the container a LDAP search could be issued: + +```sh +podman exec -it openldap ldapsearch -x -W -H ldapi:/// -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" +``` + +In all examples, `podman` can be replaced directly with `docker`. + +### Data persistence + +The directories `/var/lib/ldap` (LDAP database files) and +`/etc/openldap/slapd.d` (LDAP config files) are used to store the schema and +data information. They will be re-created at every container startup if they +are not mapped as volumes, means your ldap files are saved outside the +container. 
Normally this data should be stored, but for various use-cases it +could be usefull to throw them away afterwards. + +If the UID and GID of the ldap user needs to match in the container and in the +host, the `LDAP_UID` and `LDAP_GID` environment variables needs to be set +explicitly: + +```sh +podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_UID=333 -e LDAP_GID=333 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap +``` + +### Server configuration + +Since slapd.conf is not used the ldap utils `ldapmodify`, `ldapadd` and +`ldapdelete` are required to adjust the server configuration. + +### Seed ldap database with ldif + +This image can load ldif and schema files at startup from an internal +path. This is useful if a continuous integration service mounts automatically +the working copy (sources) into a docker service, which has a relation to the +ci job. + +In order to seed ldif or schema files from internal path you must set the +specific environment variable `LDAP_SEED_LDIF_PATH` and/or +`LDAP_SEED_SCHEMA_PATH`. If set this will copy any *.ldif or *.schema file +into the default seeding directories of this image. + +## TLS +### Auto-generated certificate + +TLS is be default configured and enabled. If no certificate is provided, a +self-signed one is created during container startup for the container +hostname. The container hostname can be set e.g. 
by +`podman run --hostname ldap.example.org ...` + +### Own certificate + +You can set your custom certificate at run time, by mounting a volume with the +certificates into the container and adjusting the following environment variables: + +```sh +podman run --hostname ldap.example.org -v /srv/openldap/certs:/etc/openldap/certs:Z \ + -e LDAP_TLS_CRT=/etc/openldap/certs/ldap.crt \ + -e LDAP_TLS_KEY=/etc/openldap/certs/ldap.key \ + -e LDAP_TLS_CA_CRT=/etc/openldap/certs/ca.crt \ + -d registry.opensuse.org/opensuse/openldap:latest +``` + +### Disable TLS + +Add --env LDAP_TLS=0 to the run command: `podman run -e LDAP_TLS=0 ...` + +## Supported environment variables: +### Generic variables: +- `DEBUG=[0|1]` Enables "set -x" in the entrypoint script +- `TZ` Timezone to use in the container + +### Variables for new database: +- `LDAP_DOMAIN` Ldap domain. Defaults to `example.org` +- `LDAP_BASE_DN` Ldap base DN. If empty automatically set from `LDAP_DOMAIN` value. Defaults to (`empty`) +- `LDAP_ORGANISATION` Organisation name. Defaults to `Example Inc.` +- `LDAP_ADMIN_PASSWORD` Ldap admin password. It's required to supply one if no database exists at startup. +- `LDAP_CONFIG_PASSWORD` Ldap config password. It's required to supply one if no database exists at startup. +- `LDAP_BACKEND` Database backend, defaults to `mdb` +- `LDAP_SEED_LDIF_PATH` Path with additional ldif files which will be loaded +- `LDAP_SEED_SCHEMA_PATH` Path with additional schema which will be loaded + +### Variables for TLS: +- `LDAP_TLS=[1|0]` Enable TLS. Defaults to `1` (true). +- `LDAP_TLS_CA_CRT` LDAP ssl CA certificate. Defaults to `/etc/openldap/certs/ca.crt`. +- `LDAP_TLS_CA_KEY` Private LDAP CA key. Defaults to `/etc/openldap/certs/ca.key`. +- `LDAP_TLS_CRT` LDAP ssl certificate. Defaults to `/etc/openldap/certs/tls.crt`. +- `LDAP_TLS_KEY` Private LDAP ssl key. Defaults to `/etc/openldap/certs/tls.key`. +- `LDAP_TLS_DH_PARAM` LDAP ssl certificate dh param file. 
+- `LDAP_TLS_ENFORCE=[0|1]` Enforce TLS but except ldapi connections. Defaults to `0` (false). +- `LDAP_TLS_CIPHER_SUITE` TLS cipher suite. +- `LDAP_TLS_VERIFY_CLIENT` TLS verify client. Defaults to `demand`. + +### Various configuration variables: +- `LDAP_NOFILE` Number of open files (ulimt -n), default `1024` +- `LDAP_PORT` Port for ldap:///, defaults to `389` +- `LDAPS_PORT` Port for ldaps:///, defaults to `636` +- `LDAPI_URL` Ldapi url, defaults to `ldapi:///run/slapd/ldapi` +- `LDAP_UID` UID of ldap user. All LDAP related files will be changed to this UID +- `LDAP_GID` GID of ldap group. All LDAP related files will be changed to this GID +- `LDAP_BACKEND` Database backend, defaults to `mdb` +- `SLAPD_LOG_LEVEL` Slapd debug devel, defaults to `0` + +## Data persistence volumes +- `/etc/openldap/certs` TLS certificates for slapd +- `/etc/openldap/slapd.d` Slapd configuration files +- `/var/lib/ldap` OpenLDAP database diff --git a/_service b/_service new file mode 100644 index 0000000..eabc0e5 --- /dev/null +++ b/_service @@ -0,0 +1,34 @@ + + + https://github.com/thkukuk/containers-mailserver.git + git + LICENSE + openldap/README.md + openldap/opensuse-openldap-image.kiwi + openldap/opensuse-openldap-image.changes + openldap/config.sh + master + %cd.%h + + + openldap + entrypoint + entrypoint.sh + ssl-helper + slapd.init.ldif + ldif + tls + + + *.tar + gz + + + + + opensuse-openldap-image.kiwi + %PKG_VERSION% + patch + openldap2 + + diff --git a/config.sh b/config.sh new file mode 100644 index 0000000..a525a27 --- /dev/null +++ b/config.sh 
@@ -0,0 +1,21 @@ +#!/bin/sh + +#====================================== +# Functions... +#-------------------------------------- +test -f /.profile && . /.profile + +#====================================== +# Greeting... +#-------------------------------------- +echo "Configure image: [$kiwi_iname]..." + +echo "Move /etc/sysconfig/openldap away" +mv /etc/sysconfig/openldap /etc/sysconfig/openldap.example + +# No default domain and standard password ... +rm /etc/openldap/slapd.conf + +# Fix path so that update-ca-certificates does not complain +# [bsc#1175340] +rm /etc/ssl/certs && ln -sf /var/lib/ca-certificates/pem /etc/ssl/certs diff --git a/entrypoint.tar.gz b/entrypoint.tar.gz new file mode 100644 index 0000000..26b8edd --- /dev/null +++ b/entrypoint.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:731c4a9b3ae55f5f54396c5d0da49dcee67e84efada7bc040d3debc6102c4658 +size 8427 diff --git a/opensuse-openldap-image.changes b/opensuse-openldap-image.changes new file mode 100644 index 0000000..610d7a6 --- /dev/null +++ b/opensuse-openldap-image.changes @@ -0,0 +1,16 @@ +------------------------------------------------------------------- +Wed Aug 26 15:57:24 UTC 2020 - Thorsten Kukuk + +- config.sh: fix /etc/ssl/certs symlink + +------------------------------------------------------------------- +Tue Aug 25 13:12:06 UTC 2020 - Thorsten Kukuk + +- Update docu +- Add TLS support +- Example ldif files for mailserver + +------------------------------------------------------------------- +Fri Aug 14 20:49:32 UTC 2020 - Thorsten Kukuk + +- Initial version diff --git a/opensuse-openldap-image.kiwi b/opensuse-openldap-image.kiwi new file mode 100644 index 0000000..1e9bcf9 --- /dev/null +++ b/opensuse-openldap-image.kiwi 
@@ -0,0 +1,64 @@ + + + + + + + Thorsten Kukuk + kukuk@suse.com + openSUSE image containing OpenLDAP as ldap server. + + + + + + + + + + + + + + + + + + + + + openSUSE OpenLDAP container + + + 1.0.0 + zypper + false + + + + + + + + + + + + + + + + +
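Review bot: in the README hunk the two bullets under "Two passwords are required to startup the container" both name `cn=admin,dc=example,dc=org`, so `LDAP_CONFIG_PASSWORD` is documented with the wrong DN; describe it as the administrator password for the `cn=config` database, consistent with the later "Ldap config password" entry under "Variables for new database". The same hunk lists `LDAP_BACKEND` twice (once under "Variables for new database" and again under "Various configuration variables"); keep one. The quick-start command publishes port 389 while the documented default is `LDAP_TLS_ENFORCE=0`, so a simple bind over `ldap://` sends the admin password in cleartext; the quick-start should mention `LDAP_TLS_ENFORCE=1` or point to the TLS section, and note that passwords given with `-e` on the command line stay visible in shell history and in `podman inspect` output. Minor typos in the same hunk: "TLS is be default configured" (by default), "usefull" (useful), "ulimt -n" (ulimit -n), "Slapd debug devel" (debug level).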
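Review bot: config.sh runs without `set -e`, so a failure of `mv /etc/sysconfig/openldap ...`, `rm /etc/openldap/slapd.conf` or the `rm /etc/ssl/certs` step is silently ignored and the image build still succeeds, possibly with the default `slapd.conf` or a broken certificate path left in place; add `set -e` directly after the `#!/bin/sh` line. The last line also assumes `/etc/ssl/certs` is already a symlink: a plain `rm` fails on a real directory, and with the directory still present `ln -sf /var/lib/ca-certificates/pem /etc/ssl/certs` creates the link inside it as `/etc/ssl/certs/pem` instead of replacing it. Guard the step, for example `test -L /etc/ssl/certs && rm /etc/ssl/certs`, before the `ln -sf`.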
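Review bot: the security-relevant runtime logic is not reviewable in this request. `entrypoint.tar.gz` arrives only as a Git LFS pointer (`oid sha256:731c4a9b...`, size 8427) because `.gitattributes` routes `*.gz` to LFS, and `_service` shows the tarball is assembled from `entrypoint.sh`, `ssl-helper`, `slapd.init.ldif`, `ldif` and `tls` in the upstream repository. Those files carry the password handling, the self-signed certificate generation and the `*.ldif`/`*.schema` seeding that the README describes, so they should be committed as plain text files (or the tarball excluded from LFS) so that future changes to them appear as reviewable diffs.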