
- Sync changes back to git

- Adjust _service file

OBS-URL: https://build.opensuse.org/package/show/devel:kubic:containers/opensuse-openldap-image?expand=0&rev=15
Thorsten Kukuk 2024-08-16 07:26:51 +00:00 committed by Git OBS Bridge
commit c66a450ac0
13 changed files with 436 additions and 0 deletions

.gitattributes vendored Normal file

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore vendored Normal file

@ -0,0 +1 @@
.osc

LICENSE Normal file

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2020 Thorsten Kukuk
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

README.md Normal file

@ -0,0 +1,158 @@
# OpenLDAP container
- [Guide](#guide)
- [Create new ldap server](#create-new-ldap-server)
- [Data persistence](#data-persistence)
- [Server configuration](#server-configuration)
- [Seed ldap database with ldif](#seed-ldap-database-with-ldif)
- [TLS](#tls)
- [Auto-generated certificate](#auto-generated-certificate)
- [Own certificate](#own-certificate)
- [Disable TLS](#disable-tls)
- [Supported environment variables](#supported-environment-variables)
- [Generic variables](#generic-variables)
- [Variables for new database](#variables-for-new-database)
- [Variables for TLS](#variables-for-tls)
- [Various configuration variables](#various-configuration-variables)
- [Data persistence volumes](#data-persistence-volumes)
## Guide
### Create new ldap server
This is the default behavior when you run this image.
It will create an empty ldap for the company **Example Inc.** and the domain **example.org**.
Two passwords are required to startup the container:
- `LDAP_ADMIN_PASSWORD` Ldap admin password for `cn=admin,dc=example,dc=org`
- `LDAP_CONFIG_PASSWORD` Ldap admin password for `cn=admin,dc=example,dc=org`
The command to run this container is:
```sh
podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap
```
To test the container a LDAP search could be issued:
```sh
podman exec -it openldap ldapsearch -x -W -H ldapi:/// -b dc=example,dc=org -D "cn=admin,dc=example,dc=org"
```
In all examples, `podman` can be replaced directly with `docker`.
### Data persistence
The directories `/var/lib/ldap` (LDAP database files) and
`/etc/openldap/slapd.d` (LDAP config files) are used to store the schema and
data information. They will be re-created at every container startup if they
are not mapped as volumes, means your ldap files are saved outside the
container. Normally this data should be stored, but for various use-cases it
could be usefull to throw them away afterwards.
If the UID and GID of the ldap user needs to match in the container and in the
host, the `LDAP_UID` and `LDAP_GID` environment variables needs to be set
explicitly:
```sh
podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_UID=333 -e LDAP_GID=333 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap
```
### Server configuration
Since slapd.conf is not used the ldap utils `ldapmodify`, `ldapadd` and
`ldapdelete` are required to adjust the server configuration.
### Seed ldap database with ldif
This image can load ldif and schema files at startup from an internal
path. This is useful if a continuous integration service mounts automatically
the working copy (sources) into a docker service, which has a relation to the
ci job.
In order to seed ldif or schema files from internal path you must set the
specific environment variable `LDAP_SEED_LDIF_PATH` and/or
`LDAP_SEED_SCHEMA_PATH`. If set this will copy any *.ldif or *.schema file
into the default seeding directories of this image.
## TLS
### Auto-generated certificate
TLS is be default configured and enabled. If no certificate is provided, a
self-signed one is created during container startup for the container
hostname. The container hostname can be set e.g. by
`podman run --hostname ldap.example.org ...`
### Own certificate
You can set your custom certificate at run time, by mounting a volume with the
certificates into the container and adjusting the following environment variables:
```sh
podman run -v /srv/openldap/certs:/etc/openldap/certs:Z \
-e LDAP_TLS_CRT=/etc/openldap/certs/ldap.crt \
-e LDAP_TLS_KEY=/etc/openldap/certs/ldap.key \
-e LDAP_TLS_CA_CRT=/etc/openldap/certs/ca.crt \
-d registry.opensuse.org/opensuse/openldap:latest
```
The variables `LDAP_TLS_CA_CRT`, `LDAP_TLS_CRT` and `LDAP_TLS_KEY` are stored
during the first start of the container in the LDAP configuration. Changes to
the variables on further starts will have no affect.
An example with certificates from `Let's Encrypt`:
```sh
podman run -v /etc/letsencrypt:/etc/letsencrypt \
-e LDAP_TLS_CRT=/etc/letsencrypt/live/example.org/cert.pem \
-e LDAP_TLS_KEY=/etc/letsencrypt/live/example.org/privkey.pem \
-e LDAP_TLS_CA_CRT=/etc/letsencrypt/live/example.org/fullchain.pem \
-d registry.opensuse.org/opensuse/openldap:latest
```
### Disable TLS
Add --env LDAP_TLS=0 to the run command: `podman run -e LDAP_TLS=0 ...`
## Supported environment variables:
### Generic variables:
- `DEBUG=[0|1]` Enables "set -x" in the entrypoint script
- `TZ` Timezone to use in the container
### Variables for new database:
- `LDAP_DOMAIN` Ldap domain. Defaults to `example.org`
- `LDAP_BASE_DN` Ldap base DN. If empty automatically set from `LDAP_DOMAIN` value. Defaults to (`empty`)
- `LDAP_ORGANIZATION` Organization name. Defaults to `Example Inc.`
- `LDAP_ADMIN_PASSWORD` Ldap admin password. It's required to supply one if no database exists at startup.
- `LDAP_CONFIG_PASSWORD` Ldap config password. It's required to supply one if no database exists at startup.
- `LDAP_BACKEND` Database backend, defaults to `mdb`
- `LDAP_SEED_LDIF_PATH` Path with additional ldif files which will be loaded
- `LDAP_SEED_SCHEMA_PATH` Path with additional schema which will be loaded
### Variables for TLS:
- `LDAP_TLS=[1|0]` Enable TLS. Defaults to `1` (true).
- `LDAP_TLS_CA_CRT` LDAP ssl CA certificate. Defaults to `/etc/openldap/certs/openldap-ca.crt`.
- `LDAP_TLS_CA_KEY` Private LDAP CA key. Defaults to `/etc/openldap/certs/openldap-ca.key`.
- `LDAP_TLS_CRT` LDAP ssl certificate. Defaults to `/etc/openldap/certs/tls.crt`.
- `LDAP_TLS_KEY` Private LDAP ssl key. Defaults to `/etc/openldap/certs/tls.key`.
- `LDAP_TLS_DH_PARAM` LDAP ssl certificate dh param file.
- `LDAP_TLS_ENFORCE=[0|1]` Enforce TLS but except ldapi connections. Defaults to `0` (false).
- `LDAP_TLS_CIPHER_SUITE` TLS cipher suite.
- `LDAP_TLS_VERIFY_CLIENT` TLS verify client. Defaults to `demand`.
### Various configuration variables:
- `LDAP_NOFILE` Number of open files (ulimt -n), default `1024`
- `LDAP_PORT` Port for ldap:///, defaults to `389`
- `LDAPS_PORT` Port for ldaps:///, defaults to `636`
- `LDAPI_URL` Ldapi url, defaults to `ldapi:///run/slapd/ldapi`
- `LDAP_UID` UID of ldap user. All LDAP related files will be changed to this UID
- `LDAP_GID` GID of ldap group. All LDAP related files will be changed to this GID
- `LDAP_BACKEND` Database backend, defaults to `mdb`
- `SLAPD_LOG_LEVEL` Slapd debug devel, defaults to `0`
- `SETUP_FOR_MAILSERVER` The mail organization will be created (ldif/mailserver/), defaults to `0`
## Data persistence volumes
- `/etc/openldap/certs` TLS certificates for slapd
- `/etc/openldap/slapd.d` Slapd configuration files
- `/var/lib/ldap` OpenLDAP database
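Review bot: in the "Create new ldap server" list the `LDAP_CONFIG_PASSWORD` bullet repeats the `cn=admin,dc=example,dc=org` DN of the `LDAP_ADMIN_PASSWORD` bullet, so the two credentials read as one; the "Variables for new database" list describes it as the "Ldap config password", so this bullet should name the DN of the online configuration database (`cn=config` in OpenLDAP) rather than the data admin DN. Two related points: the `podman run` examples pass both secrets as `-e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config"` on the command line, where they end up in shell history and in `podman inspect` output, so the README should point at `--env-file` or a secrets mechanism and avoid the literal values `admin`/`config`; and the TLS section says TLS is on by default while `LDAP_TLS_ENFORCE` defaults to `0`, meaning port 389 still accepts cleartext binds unless the operator sets `LDAP_TLS_ENFORCE=1`, which deserves an explicit sentence next to "Auto-generated certificate". Typos to fix in the same file: "TLS is be default", "usefull", "no affect", "ulimt -n", "debug devel", and `LDAP_BACKEND` is listed twice.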

_service Normal file

@ -0,0 +1,51 @@
<services>
<service name="obs_scm" mode="manual">
<param name="url">https://github.com/thkukuk/containers-mailserver.git</param>
<param name="scm">git</param>
<param name="extract">LICENSE</param>
<param name="extract">openldap/README.md</param>
<param name="extract">openldap/opensuse-openldap-image.kiwi</param>
<param name="extract">openldap/config.sh</param>
<param name="revision">master</param>
<param name="version">_none_</param>
</service>
<service name="obs_scm" mode="manual">
<param name="url">https://github.com/thkukuk/containers-mailserver.git</param>
<param name="scm">git</param>
<param name="subdir">openldap</param>
<param name="filename">root</param>
<param name="include">entrypoint.sh</param>
<param name="version">_none_</param>
<param name="changesgenerate">enable</param>
</service>
<service name="tar_scm" mode="manual">
<param name="url">https://github.com/thkukuk/containers-mailserver.git</param>
<param name="scm">git</param>
<param name="version">_none_</param>
<param name="subdir">openldap</param>
<param name="filename">entrypoint</param>
<param name="include">slapd.init.ldif</param>
<param name="include">ldif</param>
<param name="include">tls</param>
</service>
<service name="tar_scm" mode="manual">
<param name="url">https://github.com/thkukuk/containers-mailserver.git</param>
<param name="scm">git</param>
<param name="version">_none_</param>
<param name="subdir">common</param>
<param name="filename">common-scripts</param>
<param name="include">ssl-helper</param>
</service>
<service name="recompress" mode="manual">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="kiwi_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">opensuse-openldap-image.kiwi</param>
<param name="regex">%PKG_VERSION%</param>
<param name="parse-version">patch</param>
<param name="package">openldap2</param>
</service>
</services>
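Review bot: all four SCM services fetch from `https://github.com/thkukuk/containers-mailserver.git` with `<param name="version">_none_</param>`, and only the first `obs_scm` service carries `<param name="revision">master</param>`; none pins a tag or commit, so every manual re-run (`mode="manual"`) pulls whatever the branch head is at that moment, and the three services without a `revision` can silently diverge from the first if they are run at different times. Pin each service to the same tag or commit hash (the `_servicedata` file already records a `changesrevision` for the `tar_scm` fetch, which is the natural value to use) so the committed `root.obscpio`, `entrypoint.tar.gz` and `common-scripts.tar.gz` can be traced back to one upstream revision.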

_servicedata Normal file

@ -0,0 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/thkukuk/containers-mailserver.git</param>
<param name="changesrevision">b03b74f8a5a12b693fdfa155c7574199eed0179b</param></service></servicedata>

common-scripts.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:18688b3fcd2b0e532d57be72400fe1208b284b9fc77805fc2a922e0dca0e2625
size 1252

config.sh Normal file

@ -0,0 +1,18 @@
#!/bin/sh
#======================================
# Functions...
#--------------------------------------
test -f /.profile && . /.profile
#======================================
# Greeting...
#--------------------------------------
echo "Configure image: [$kiwi_iname]..."
echo "Move /etc/sysconfig/openldap away"
mv /etc/sysconfig/openldap /etc/sysconfig/openldap.example
# No default domain and standard password ...
rm /etc/openldap/slapd.conf
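Review bot: the script has no `set -e`, so if `mv /etc/sysconfig/openldap ...` or `rm /etc/openldap/slapd.conf` fails (for example after a package update that renames or stops shipping one of the files), the error is printed but the image build still succeeds, and the comment "No default domain and standard password" documents an intent that nothing in the script verifies. Suggest `set -e` right after the shebang, `rm -f` where absence is acceptable, and a closing `test ! -e /etc/openldap/slapd.conf` so a build that still contains the stock configuration fails instead of shipping.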

entrypoint.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:83bb265445066c25ce21b298f428e842f41e4b2ede422832a413da78d7604678
size 3522


@ -0,0 +1,83 @@
-------------------------------------------------------------------
Fri Aug 16 07:25:54 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
- Sync changes back to git
- Adjust _service file
-------------------------------------------------------------------
Wed Apr 17 14:55:50 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
- update kiwi schemaversion to 7.4
-------------------------------------------------------------------
Tue Apr 5 12:37:28 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
- Drop dependency on openldap2-ppolicy-check-password: this package
no longer exists since openldap 2.5.x.
-------------------------------------------------------------------
Mon Aug 02 13:31:30 UTC 2021 - kukuk@suse.com
- Update to version 1627911062.7e4f725:
* Re-add entrypoint directory
-------------------------------------------------------------------
Mon Aug 02 13:27:36 UTC 2021 - kukuk@suse.com
- Build changes file from git
- Update to version 1627910174.bbff2ac:
* Include busybox-findutils, adjust entrypoint location
-------------------------------------------------------------------
Mon Aug 2 09:52:10 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
- Re-add busybox-findutils
-------------------------------------------------------------------
Mon Dec 21 13:33:21 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Install misc.schema by default (ldap mail alias)
-------------------------------------------------------------------
Fri Dec 18 21:11:07 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Fix error caused by uninitialized DEBUG variable
-------------------------------------------------------------------
Wed Nov 4 17:52:32 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Add common scripts tar archive now containing ssl-helper
-------------------------------------------------------------------
Mon Oct 26 12:42:00 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Check for errors when importing ldif files
- Add support to import ldif files for mailserver setup
-------------------------------------------------------------------
Mon Sep 28 18:50:23 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Add timezone package
-------------------------------------------------------------------
Thu Aug 27 08:16:26 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Load postfix.ldif by default, delete duplicate file
- Pre-process mailserver/*.ldif files
-------------------------------------------------------------------
Wed Aug 26 15:57:24 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- config.sh: fix /etc/ssl/certs symlink
-------------------------------------------------------------------
Tue Aug 25 13:12:06 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Update docu
- Add TLS support
- Example ldif files for mailserver
-------------------------------------------------------------------
Fri Aug 14 20:49:32 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Initial version


@ -0,0 +1,64 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- OBS-ExcludeArch: i586 s390 -->
<image schemaversion="7.4" name="opensuse-openldap-image">
<description type="system">
<author>Thorsten Kukuk</author>
<contact>kukuk@suse.com</contact>
<specification>OpenLDAP stand-alone LDAP daemon</specification>
</description>
<preferences>
<type
image="docker"
derived_from="obsrepositories:/opensuse/busybox#latest">
<containerconfig
name="opensuse/openldap"
tag="latest"
additionaltags="%PKG_VERSION%,%PKG_VERSION%-%RELEASE%"
maintainer="Thorsten Kukuk &lt;kukuk@suse.com&gt;">
<entrypoint execute="/entrypoint.sh"/>
<subcommand execute="/usr/sbin/slapd">
<!--argument name="start"/-->
</subcommand>
<expose>
<port number='389'/>
<port number='636'/>
</expose>
<volumes>
<volume name="/var/lib/ldap"/>
<volume name="/etc/openldap/slapd.d"/>
</volumes>
<labels>
<suse_label_helper:add_prefix xmlns:suse_label_helper="com.suse.label_helper" prefix="org.opensuse.openldap">
<label name="org.opencontainers.image.title" value="OpenLDAP stand-alone LDAPv3 daemon."/>
<label name="org.opencontainers.image.description" value="Image containing OpenLDAP daemon."/>
<label name="org.opencontainers.image.version" value="%PKG_VERSION%-%RELEASE%"/>
<label name="org.opencontainers.image.created" value="%BUILDTIME%"/>
<label name="org.opensuse.reference" value="registry.opensuse.org/opensuse/openldap:%PKG_VERSION%-%RELEASE%"/>
<label name="org.openbuildservice.disturl" value="%DISTURL%"/>
</suse_label_helper:add_prefix>
</labels>
<history author="Thorsten Kukuk &lt;kukuk@suse.com&gt;">OpenLDAP container</history>
</containerconfig>
</type>
<version>1.0.0</version>
<packagemanager>zypper</packagemanager>
<rpm-excludedocs>false</rpm-excludedocs>
</preferences>
<repository>
<source path="obsrepositories:/"/>
</repository>
<packages type="bootstrap">
<package name="openldap2"/>
<package name="openldap2-client"/>
<package name="openssl"/>
<package name="timezone"/>
<package name="mandoc"/>
<package name="ca-certificates"/>
<package name="ca-certificates-mozilla"/>
<package name="-busybox-man"/>
<archive name="common-scripts.tar.gz"/>
<archive name="entrypoint.tar.gz"/>
</packages>
</image>
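Review bot: `derived_from="obsrepositories:/opensuse/busybox#latest"` pins the base layer to a floating tag, so two builds of the same package revision can differ in their base content; a versioned busybox tag would keep the image's provenance traceable from this file alone. Also, the `<volumes>` block declares only `/var/lib/ldap` and `/etc/openldap/slapd.d`, while the README's "Data persistence volumes" section additionally lists `/etc/openldap/certs`, the directory where the TLS defaults (`tls.crt`, `tls.key`, `openldap-ca.key`) live; either declare that volume here or drop it from the README, because as written a container started without a mounted certs directory keeps its auto-generated certificate and CA key only in the writable layer, and any client that trusted that certificate will see a different one after the container is recreated.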

root.obscpio Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:98b573e414a3fb3f071bf612a7df39ecd99ac5a672fbf5c0dc6e6235ff26483c
size 15370

root.obsinfo Normal file

@ -0,0 +1,4 @@
name: root
version:
mtime: 1723616870
commit: 11d144f9fa673fada91786f5d457f17189bdacc8