From c66a450ac050b04530156002593098948fdc01e30f3dba4cb9e6636c224968c7 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 16 Aug 2024 07:26:51 +0000 Subject: [PATCH] - Sync changes back to git - Adjust _service file OBS-URL: https://build.opensuse.org/package/show/devel:kubic:containers/opensuse-openldap-image?expand=0&rev=15 --- .gitattributes | 23 +++++ .gitignore | 1 + LICENSE | 21 +++++ README.md | 158 ++++++++++++++++++++++++++++++++ _service | 51 +++++++++++ _servicedata | 4 + common-scripts.tar.gz | 3 + config.sh | 18 ++++ entrypoint.tar.gz | 3 + opensuse-openldap-image.changes | 83 +++++++++++++++++ opensuse-openldap-image.kiwi | 64 +++++++++++++ root.obscpio | 3 + root.obsinfo | 4 + 13 files changed, 436 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 README.md create mode 100644 _service create mode 100644 _servicedata create mode 100644 common-scripts.tar.gz create mode 100644 config.sh create mode 100644 entrypoint.tar.gz create mode 100644 opensuse-openldap-image.changes create mode 100644 opensuse-openldap-image.kiwi create mode 100644 root.obscpio create mode 100644 root.obsinfo diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..488a7bc --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2020 Thorsten Kukuk + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..abc3f2d --- /dev/null +++ b/README.md 
@@ -0,0 +1,158 @@ +# OpenLDAP container + +- [Guide](#guide) + - [Create new ldap server](#create-new-ldap-server) + - [Data persistence](#data-persistence) + - [Server configuration](#server-configuration) + - [Seed ldap database with ldif](#seed-ldap-database-with-ldif) +- [TLS](#tls) + - [Auto-generated certificate](#auto-generated-certificate) + - [Own certificate](#own-certificate) + - [Disable TLS](#disable-tls) +- [Supported environment variables](#supported-environment-variables) + - [Generic variables](#generic-variables) + - [Variables for new database](#variables-for-new-database) + - [Variables for TLS](#variables-for-tls) + - [Various configuration variables](#various-configuration-variables) +- [Data persistence volumes](#data-persistence-volumes) + +## Guide + +### Create new ldap server + +This is the default behavior when you run this image. +It will create an empty ldap for the company **Example Inc.** and the domain **example.org**. + +Two passwords are required to startup the container: + + - `LDAP_ADMIN_PASSWORD` Ldap admin password for `cn=admin,dc=example,dc=org` + - `LDAP_CONFIG_PASSWORD` Ldap admin password for `cn=admin,dc=example,dc=org` + +The command to run this container is: + +```sh +podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap +``` + +To test the container a LDAP search could be issued: + +```sh +podman exec -it openldap ldapsearch -x -W -H ldapi:/// -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" +``` + +In all examples, `podman` can be replaced directly with `docker`. + +### Data persistence + +The directories `/var/lib/ldap` (LDAP database files) and +`/etc/openldap/slapd.d` (LDAP config files) are used to store the schema and +data information. They will be re-created at every container startup if they +are not mapped as volumes, means your ldap files are saved outside the +container. 
Normally this data should be stored, but for various use-cases it +could be usefull to throw them away afterwards. + +If the UID and GID of the ldap user needs to match in the container and in the +host, the `LDAP_UID` and `LDAP_GID` environment variables needs to be set +explicitly: + +```sh +podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_UID=333 -e LDAP_GID=333 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap +``` + +### Server configuration + +Since slapd.conf is not used the ldap utils `ldapmodify`, `ldapadd` and +`ldapdelete` are required to adjust the server configuration. + +### Seed ldap database with ldif + +This image can load ldif and schema files at startup from an internal +path. This is useful if a continuous integration service mounts automatically +the working copy (sources) into a docker service, which has a relation to the +ci job. + +In order to seed ldif or schema files from internal path you must set the +specific environment variable `LDAP_SEED_LDIF_PATH` and/or +`LDAP_SEED_SCHEMA_PATH`. If set this will copy any *.ldif or *.schema file +into the default seeding directories of this image. + +## TLS +### Auto-generated certificate + +TLS is be default configured and enabled. If no certificate is provided, a +self-signed one is created during container startup for the container +hostname. The container hostname can be set e.g. 
by +`podman run --hostname ldap.example.org ...` + +### Own certificate + +You can set your custom certificate at run time, by mounting a volume with the +certificates into the container and adjusting the following environment variables: + +```sh +podman run -v /srv/openldap/certs:/etc/openldap/certs:Z \ + -e LDAP_TLS_CRT=/etc/openldap/certs/ldap.crt \ + -e LDAP_TLS_KEY=/etc/openldap/certs/ldap.key \ + -e LDAP_TLS_CA_CRT=/etc/openldap/certs/ca.crt \ + -d registry.opensuse.org/opensuse/openldap:latest +``` + +The variables `LDAP_TLS_CA_CRT`, `LDAP_TLS_CRT` and `LDAP_TLS_KEY` are stored +during the first start of the container in the LDAP configuration. Changes to +the variables on further starts will have no affect. + +An example with certificates from `Let's Encrypt`: + +```sh +podman run -v /etc/letsencrypt:/etc/letsencrypt \ + -e LDAP_TLS_CRT=/etc/letsencrypt/live/example.org/cert.pem \ + -e LDAP_TLS_KEY=/etc/letsencrypt/live/example.org/privkey.pem \ + -e LDAP_TLS_CA_CRT=/etc/letsencrypt/live/example.org/fullchain.pem \ + -d registry.opensuse.org/opensuse/openldap:latest +``` + +### Disable TLS + +Add --env LDAP_TLS=0 to the run command: `podman run -e LDAP_TLS=0 ...` + +## Supported environment variables: +### Generic variables: +- `DEBUG=[0|1]` Enables "set -x" in the entrypoint script +- `TZ` Timezone to use in the container + +### Variables for new database: +- `LDAP_DOMAIN` Ldap domain. Defaults to `example.org` +- `LDAP_BASE_DN` Ldap base DN. If empty automatically set from `LDAP_DOMAIN` value. Defaults to (`empty`) +- `LDAP_ORGANIZATION` Organization name. Defaults to `Example Inc.` +- `LDAP_ADMIN_PASSWORD` Ldap admin password. It's required to supply one if no database exists at startup. +- `LDAP_CONFIG_PASSWORD` Ldap config password. It's required to supply one if no database exists at startup. 
+- `LDAP_BACKEND` Database backend, defaults to `mdb` +- `LDAP_SEED_LDIF_PATH` Path with additional ldif files which will be loaded +- `LDAP_SEED_SCHEMA_PATH` Path with additional schema which will be loaded + +### Variables for TLS: +- `LDAP_TLS=[1|0]` Enable TLS. Defaults to `1` (true). +- `LDAP_TLS_CA_CRT` LDAP ssl CA certificate. Defaults to `/etc/openldap/certs/openldap-ca.crt`. +- `LDAP_TLS_CA_KEY` Private LDAP CA key. Defaults to `/etc/openldap/certs/openldap-ca.key`. +- `LDAP_TLS_CRT` LDAP ssl certificate. Defaults to `/etc/openldap/certs/tls.crt`. +- `LDAP_TLS_KEY` Private LDAP ssl key. Defaults to `/etc/openldap/certs/tls.key`. +- `LDAP_TLS_DH_PARAM` LDAP ssl certificate dh param file. +- `LDAP_TLS_ENFORCE=[0|1]` Enforce TLS but except ldapi connections. Defaults to `0` (false). +- `LDAP_TLS_CIPHER_SUITE` TLS cipher suite. +- `LDAP_TLS_VERIFY_CLIENT` TLS verify client. Defaults to `demand`. + +### Various configuration variables: +- `LDAP_NOFILE` Number of open files (ulimt -n), default `1024` +- `LDAP_PORT` Port for ldap:///, defaults to `389` +- `LDAPS_PORT` Port for ldaps:///, defaults to `636` +- `LDAPI_URL` Ldapi url, defaults to `ldapi:///run/slapd/ldapi` +- `LDAP_UID` UID of ldap user. All LDAP related files will be changed to this UID +- `LDAP_GID` GID of ldap group. All LDAP related files will be changed to this GID +- `LDAP_BACKEND` Database backend, defaults to `mdb` +- `SLAPD_LOG_LEVEL` Slapd debug devel, defaults to `0` +- `SETUP_FOR_MAILSERVER` The mail organization will be created (ldif/mailserver/), defaults to `0` + +## Data persistence volumes +- `/etc/openldap/certs` TLS certificates for slapd +- `/etc/openldap/slapd.d` Slapd configuration files +- `/var/lib/ldap` OpenLDAP database diff --git a/_service b/_service new file mode 100644 index 0000000..448017e --- /dev/null +++ b/_service 
@@ -0,0 +1,51 @@ + + + https://github.com/thkukuk/containers-mailserver.git + git + LICENSE + openldap/README.md + openldap/opensuse-openldap-image.kiwi + openldap/config.sh + master + _none_ + + + https://github.com/thkukuk/containers-mailserver.git + git + openldap + root + entrypoint.sh + _none_ + enable + + + https://github.com/thkukuk/containers-mailserver.git + git + _none_ + openldap + entrypoint + slapd.init.ldif + ldif + tls + + + https://github.com/thkukuk/containers-mailserver.git + git + _none_ + common + common-scripts + ssl-helper + + + *.tar + gz + + + + + opensuse-openldap-image.kiwi + %PKG_VERSION% + patch + openldap2 + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..87d9fec --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/thkukuk/containers-mailserver.git + b03b74f8a5a12b693fdfa155c7574199eed0179b \ No newline at end of file diff --git a/common-scripts.tar.gz b/common-scripts.tar.gz new file mode 100644 index 0000000..fe4285f --- /dev/null +++ b/common-scripts.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:18688b3fcd2b0e532d57be72400fe1208b284b9fc77805fc2a922e0dca0e2625 +size 1252 diff --git a/config.sh b/config.sh new file mode 100644 index 0000000..87be8ef --- /dev/null +++ b/config.sh @@ -0,0 +1,18 @@ +#!/bin/sh + +#====================================== +# Functions... +#-------------------------------------- +test -f /.profile && . /.profile + +#====================================== +# Greeting... +#-------------------------------------- +echo "Configure image: [$kiwi_iname]..." + +echo "Move /etc/sysconfig/openldap away" +mv /etc/sysconfig/openldap /etc/sysconfig/openldap.example + +# No default domain and standard password ... +rm /etc/openldap/slapd.conf + diff --git a/entrypoint.tar.gz b/entrypoint.tar.gz new file mode 100644 index 0000000..4a1adc7 --- /dev/null +++ b/entrypoint.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:83bb265445066c25ce21b298f428e842f41e4b2ede422832a413da78d7604678 +size 3522 diff --git a/opensuse-openldap-image.changes b/opensuse-openldap-image.changes new file mode 100644 index 0000000..86f2d00 --- /dev/null +++ b/opensuse-openldap-image.changes 
@@ -0,0 +1,83 @@ +------------------------------------------------------------------- +Fri Aug 16 07:25:54 UTC 2024 - Thorsten Kukuk + +- Sync changes back to git +- Adjust _service file + +------------------------------------------------------------------- +Wed Apr 17 14:55:50 UTC 2024 - Bernhard Wiedemann + +- update kiwi schemaversion to 7.4 + +------------------------------------------------------------------- +Tue Apr 5 12:37:28 UTC 2022 - Dominique Leuenberger + +- Drop dependency on openldap2-ppolicy-check-password: this package + no longer exists since openldap 2.5.x. + +------------------------------------------------------------------- +Mon Aug 02 13:31:30 UTC 2021 - kukuk@suse.com + +- Update to version 1627911062.7e4f725: + * Re-add entrypoint directory + +------------------------------------------------------------------- +Mon Aug 02 13:27:36 UTC 2021 - kukuk@suse.com + +- Build changes file from git +- Update to version 1627910174.bbff2ac: + * Include busybox-findutils, adjust entrypoint location + +------------------------------------------------------------------- +Mon Aug 2 09:52:10 UTC 2021 - Thorsten Kukuk + +- Re-add busybox-findutils + +------------------------------------------------------------------- +Mon Dec 21 13:33:21 UTC 2020 - Thorsten Kukuk + +- Install misc.schema by default (ldap mail alias) + +------------------------------------------------------------------- +Fri Dec 18 21:11:07 UTC 2020 - Thorsten Kukuk + +- Fix error caused by uninitialized DEBUG variable + +------------------------------------------------------------------- +Wed Nov 4 17:52:32 UTC 2020 - Thorsten Kukuk + +- Add common scripts tar archive now containing ssl-helper + +------------------------------------------------------------------- +Mon Oct 26 12:42:00 UTC 2020 - Thorsten Kukuk + +- Check for errors when importing ldif files +- Add support to import ldif files for mailserver setup + +------------------------------------------------------------------- +Mon Sep 
28 18:50:23 UTC 2020 - Thorsten Kukuk + +- Add timezone package + +------------------------------------------------------------------- +Thu Aug 27 08:16:26 UTC 2020 - Thorsten Kukuk + +- Load postfix.ldif by default, delete duplicate file +- Pre-process mailserver/*.ldif files + +------------------------------------------------------------------- +Wed Aug 26 15:57:24 UTC 2020 - Thorsten Kukuk + +- config.sh: fix /etc/ssl/certs symlink + +------------------------------------------------------------------- +Tue Aug 25 13:12:06 UTC 2020 - Thorsten Kukuk + +- Update docu +- Add TLS support +- Example ldif files for mailserver + +------------------------------------------------------------------- +Fri Aug 14 20:49:32 UTC 2020 - Thorsten Kukuk + +- Initial version diff --git a/opensuse-openldap-image.kiwi b/opensuse-openldap-image.kiwi new file mode 100644 index 0000000..a4e4ed3 --- /dev/null +++ b/opensuse-openldap-image.kiwi @@ -0,0 +1,64 @@ + + + + + + + Thorsten Kukuk + kukuk@suse.com + OpenLDAP stand-alone LDAP daemon + + + + + + + + + + + + + + + + + + + + + OpenLDAP container + + + 1.0.0 + zypper + false + + + + + + + + + + + + + + + + + diff --git a/root.obscpio b/root.obscpio new file mode 100644 index 0000000..7c96b57 --- /dev/null +++ b/root.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:98b573e414a3fb3f071bf612a7df39ecd99ac5a672fbf5c0dc6e6235ff26483c +size 15370 diff --git a/root.obsinfo b/root.obsinfo new file mode 100644 index 0000000..2a82bd0 --- /dev/null +++ b/root.obsinfo @@ -0,0 +1,4 @@ +name: root +version: +mtime: 1723616870 +commit: 11d144f9fa673fada91786f5d457f17189bdacc8
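Review bot: in the README.md hunk the two required-password bullets carry the same description: `LDAP_CONFIG_PASSWORD` is listed as "Ldap admin password for `cn=admin,dc=example,dc=org`", identical to the `LDAP_ADMIN_PASSWORD` bullet above it, although it is the password for the `cn=config` configuration database, which is what the "Server configuration" section later relies on. Please correct that bullet, and drop the duplicate `LDAP_BACKEND` entry (it appears under both "Variables for new database" and "Various configuration variables"). Two defaults in the TLS section deserve one sentence of explanation each: `LDAP_TLS_ENFORCE` defaults to `0`, so simple binds with the admin password are accepted in plaintext on port 389 unless the operator sets it to `1`; and `LDAP_TLS_VERIFY_CLIENT` defaults to `demand`, so clients must present a certificate trusted via `LDAP_TLS_CA_CRT` or the handshake fails, which neither the "Own certificate" nor the Let's Encrypt example mentions. Since every run example passes the passwords with `-e` on the command line, a note that they then show up in shell history and `podman inspect` output would help readers. Typos: "usefull", "TLS is be default configured", "no affect", "ulimt -n", "debug devel".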
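Review bot: the obs_scm entries in the _service hunk fetch `master` from https://github.com/thkukuk/containers-mailserver.git, so entrypoint.sh, the seed ldif files and the ssl-helper script change whenever the upstream branch tip moves, with no change visible in this package; _servicedata meanwhile records the commit that was actually used (`b03b74f8a5a12b693fdfa155c7574199eed0179b`). Pinning the revision to that commit (or to a signed tag) and bumping it deliberately makes the image reproducible and lets a reviewer tie a built image to one upstream state.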
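Review bot: config.sh has no `set -e`, so if `mv /etc/sysconfig/openldap /etc/sysconfig/openldap.example` or `rm /etc/openldap/slapd.conf` fails (for example after an openldap2 packaging change relocates either file), the build continues and the image ships with the stock slapd.conf that the comment says carries a default domain and standard password. Add `set -e` after the shebang, or test for each file and fail loudly, so this hardening step cannot be skipped silently. Nit: the file ends with an extra blank line.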
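Review bot: _servicedata is added without a trailing newline (`\ No newline at end of file`); harmless for the service runner, but adding the newline keeps future diffs of this file clean.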