Merge branch 'release-0.10.0' into stable

CHANGELOG.md

@@ -0,0 +1,2 @@
+## 0.10.0 (release date: 2015-03-03)
+  - New version initial release

Makefile

@@ -1,21 +1,22 @@
 NAME = osixia/openldap
-VERSION = 0.9.2
+VERSION = 0.10.0
 
 .PHONY: all build test tag_latest release
 
 all: build
 
 build:
-	docker.io build -t $(NAME):$(VERSION) --rm .
+	docker build -t $(NAME):$(VERSION) --rm image
 
 test:
-	env NAME=$(NAME) VERSION=$(VERSION) ./test.sh debug
+	env NAME=$(NAME) VERSION=$(VERSION) bats test/test.bats
 
 tag_latest:
-	docker.io tag $(NAME):$(VERSION) $(NAME):latest
+	docker tag -f $(NAME):$(VERSION) $(NAME):latest
 
 release: build test tag_latest
-	@if ! docker.io images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi
-	docker.io push $(NAME)
-	@echo "*** Don't forget to run 'twgit release finish' :)"
+	@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi
+	@if ! head -n 1 CHANGELOG.md | grep -q 'release date'; then echo 'Please note the release date in Changelog.md.' && false; fi
+	docker push $(NAME)
+	@echo "*** Don't forget to run 'twgit release/hotfix finish' :)"
 

README.md

@@ -5,29 +5,4 @@ https://github.com/nickstenning/docker-slapd
 
 Add support of tls.
 
-### How to use tls
-
-Add `-v some/host/dir:/etc/ldap/ssl` and `--dns=127.0.0.1` to the run command.
-
-`some/host/dir` must contain a least 3 files :
-- `ca.crt` certificate authority certificate
-- `ldap.crt` ldap server certificate
-- `ldap.key` ldap server certificate private key
-
-and optionaly `dhparam.pem` this file is genereted automaticaly if not present.
-
-`--dns=127.0.0.1` allow to use the certificate cn correctly.
-
-
-### Example
-
-    docker run --dns=127.0.0.1 \
-               -v /data/ldap/db:/var/lib/ldap \
-               -v /data/ldap/config:/etc/ldap/slapd.d \
-               -v /data/ldap/ssl/:/etc/ldap/ssl \
-               -v /data/ldap/log/:/var/log \
-               -e LDAP_DOMAIN=example.com \
-               -e LDAP_ORGANISATION="Example Corp." \
-               -e LDAP_ROOTPASS=toor \
-               -p 389:389 -d osixia/openldap
-
+Use docker 1.5.0

image/Dockerfile

@@ -0,0 +1,34 @@
+FROM osixia/baseimage:0.10.3
+MAINTAINER Bertrand Gouny <[email protected]>
+
+# Use baseimage-docker's init system.
+CMD ["/sbin/my_init"]
+
+# Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
+RUN groupadd -r openldap && useradd -r -g openldap openldap
+
+# Install OpenLDAP and ldap-utils (and ssl-kit from baseimage), remove default ldap db
+RUN apt-get -y update && /sbin/enable-service ssl-kit \
+	&& LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y --force-yes --no-install-recommends slapd ldap-utils \
+	&& rm -rf /var/lib/ldap
+
+# Add install script and OpenLDAP assets
+ADD service/install.sh /tmp/install.sh
+ADD service/slapd/assets /osixia/slapd
+
+# Run install script and clean all
+RUN ./tmp/install.sh \
+    && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Add default env variables
+ADD env.yml /etc/env.yml
+
+# Add OpenLDAP container start config & daemon
+ADD service/slapd/container-start.sh /etc/my_init.d/slapd
+ADD service/slapd/daemon.sh /etc/service/slapd/run
+
+# Set OpenLDAP data and config directories in a data volume
+VOLUME ["/var/lib/ldap", "/etc/ldap/slapd.d"]
+
+# Expose ldap default port
+EXPOSE 389

image/env.yml

@@ -0,0 +1,10 @@
+LDAP_ORGANISATION: Example Inc.
+LDAP_DOMAIN: example.org
+LDAP_ADMIN_PASSWORD: admin
+
+SERVER_NAME: ldap.example.org
+
+USE_TLS: true
+SSL_CRT_FILENAME: ldap.crt
+SSL_KEY_FILENAME: ldap.key
+SSL_CA_CRT_FILENAME: ca.crt

image/service/install.sh

@@ -0,0 +1,6 @@
+#!/bin/bash -e
+# this script is run during the image build
+
+# Enable access only from docker default network and localhost
+echo "slapd: 172.17.0.0/255.255.0.0 127.0.0.1 : ALLOW" >> /etc/hosts.allow
+echo "slapd: ALL : DENY" >> /etc/hosts.allow

image/service/slapd/assets/config/README.md

@@ -0,0 +1 @@
+Add your ldif config file here

image/service/slapd/assets/config/logging.ldif

@@ -0,0 +1,4 @@
+dn: cn=config
+changetype: modify
+replace: olcLogLevel
+olcLogLevel: stats

image/service/slapd/assets/ssl/README.md

@@ -0,0 +1,2 @@
+Add your ssl crt, key and ca crt here
+or during docker run mount a data volume with thoses files to /osixia/slapd/ssl

image/service/slapd/assets/tls.ldif

@@ -0,0 +1,19 @@
+dn: cn=config
+changetype: modify
+add: olcTLSCipherSuite
+olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
+-
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: /osixia/slapd/ssl/ca.crt
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /osixia/slapd/ssl/ldap.crt
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /osixia/slapd/ssl/ldap.key
+-
+replace: olcTLSDHParamFile
+olcTLSDHParamFile: /osixia/slapd/ssl/dhparam.pem
+-
+replace: olcTLSVerifyClient
+olcTLSVerifyClient: never

image/service/slapd/container-start.sh

@@ -0,0 +1,78 @@
+#!/bin/bash -e
+
+FIRST_START_DONE="/etc/docker-openldap-first-start-done"
+
+#fix file permissions
+chown -R openldap:openldap /var/lib/ldap 
+chown -R openldap:openldap /etc/ldap
+
+# container first start
+if [ ! -e "$FIRST_START_DONE" ]; then
+
+  # database is uninitialized
+  if [ -z "$(ls -A /var/lib/ldap)" ]; then
+
+    cat <<EOF | debconf-set-selections
+slapd slapd/internal/generated_adminpw password ${LDAP_ADMIN_PASSWORD}
+slapd slapd/internal/adminpw password ${LDAP_ADMIN_PASSWORD}
+slapd slapd/password2 password ${LDAP_ADMIN_PASSWORD}
+slapd slapd/password1 password ${LDAP_ADMIN_PASSWORD}
+slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+slapd slapd/domain string ${LDAP_DOMAIN}
+slapd shared/organization string ${LDAP_ORGANISATION}
+slapd slapd/backend string HDB
+slapd slapd/purge_database boolean true
+slapd slapd/move_old_database boolean true
+slapd slapd/allow_ldap_v2 boolean false
+slapd slapd/no_configuration boolean false
+slapd slapd/dump_database select when needed
+EOF
+
+    dpkg-reconfigure -f noninteractive slapd
+  fi
+
+
+  # start OpenLDAP
+  slapd -h "ldapi:///" -u openldap -g openldap
+
+  # TLS config
+  if [ "${USE_TLS,,}" == "true" ]; then
+
+    # check certificat and key or create it
+    /sbin/ssl-kit "/osixia/slapd/ssl/$SSL_CRT_FILENAME" "/osixia/slapd/ssl/$SSL_KEY_FILENAME" --ca-crt=/osixia/slapd/ssl/$SSL_CA_CRT_FILENAME --gnutls
+
+    # create DHParamFile if not found
+    [ -f /osixia/slapd/ssl/dhparam.pem ] || openssl dhparam -out /osixia/slapd/ssl/dhparam.pem 2048
+
+    # adapt tls ldif
+    sed -i "s,/osixia/slapd/ssl/ca.crt,/osixia/slapd/ssl/${SSL_CA_CRT_FILENAME},g" /osixia/slapd/tls.ldif
+    sed -i "s,/osixia/slapd/ssl/ldap.crt,/osixia/slapd/ssl/${SSL_CRT_FILENAME},g" /osixia/slapd/tls.ldif
+    sed -i "s,/osixia/slapd/ssl/ldap.key,/osixia/slapd/ssl/${SSL_KEY_FILENAME},g" /osixia/slapd/tls.ldif
+
+    # set tls config
+    ldapmodify -Y EXTERNAL -H ldapi:/// -f /osixia/slapd/tls.ldif -Q
+
+    # add localhost route to certificate cn (need docker 1.5.0)
+    cn=$(openssl x509 -in /osixia/slapd/ssl/$SSL_CRT_FILENAME -subject -noout | sed -n 's/.*CN=\(.*\)\/*\(.*\)/\1/p')
+    echo "127.0.0.1 $cn" >> /etc/hosts
+
+    # local ldap tls client config
+    sed -i "s,TLS_CACERT.*,TLS_CACERT /osixia/slapd/ssl/${SSL_CA_CRT_FILENAME},g" /etc/ldap/ldap.conf
+  fi
+
+  # OpenLDAP config 
+  for f in $(find /osixia/slapd/config -name \*.ldif -type f); do
+    status "Processing file ${f}"
+    ldapmodify -r -Y EXTERNAL -H ldapi:/// -f $f -Q
+  done
+
+  # stop OpenLDAP
+  kill -INT `cat /run/slapd/slapd.pid`
+
+  touch $FIRST_START_DONE
+fi
+
+# fix file permissions
+chown openldap:openldap -R /osixia/slapd
+
+exit 0

image/service/slapd/daemon.sh

@@ -0,0 +1,2 @@
+#!/bin/bash -e
+exec /usr/sbin/slapd -h "ldap:///" -u openldap -g openldap -d -1

test/config/cn=config.ldif

@@ -0,0 +1,16 @@
+# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
+# CRC32 e072c71d
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/slapd/slapd.args
+olcPidFile: /var/run/slapd/slapd.pid
+olcToolThreads: 1
+structuralObjectClass: olcGlobal
+entryUUID: db089696-51e1-1034-95ec-9d03bc6be361
+creatorsName: cn=config
+createTimestamp: 20150226090154Z
+olcLogLevel: stats
+entryCSN: 20150303142212.168245Z#000000#000#000000
+modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+modifyTimestamp: 20150303142212Z

test/config/cn=config/cn=module{0}.ldif

@@ -0,0 +1,14 @@
+# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
+# CRC32 d5bd456a
+dn: cn=module{0}
+objectClass: olcModuleList
+cn: module{0}
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: {0}back_hdb
+structuralObjectClass: olcModuleList
+entryUUID: db093e98-51e1-1034-95f4-9d03bc6be361
+creatorsName: cn=config
+createTimestamp: 20150226090154Z
+entryCSN: 20150226090154.826169Z#000000#000#000000
+modifiersName: cn=config
+modifyTimestamp: 20150226090154Z

test/config/cn=config/cn=schema.ldif

@@ -0,0 +1,12 @@
+# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
+# CRC32 deed6c98
+dn: cn=schema
+objectClass: olcSchemaConfig
+cn: schema
+structuralObjectClass: olcSchemaConfig
+entryUUID: db08b2b6-51e1-1034-95ef-9d03bc6be361
+creatorsName: cn=config
+createTimestamp: 20150226090154Z
+entryCSN: 20150226090154.822586Z#000000#000#000000
+modifiersName: cn=config
+modifyTimestamp: 20150226090154Z