├── .dockerignore ├── .github ├── FUNDING.yml ├── config.yml ├── ISSUE_TEMPLATE │ ├── feature_request.md │ └── bug_report.md └── workflows │ └── main.yml ├── .gitignore ├── rootfs ├── container │ ├── data │ │ └── openldap │ │ │ ├── config │ │ │ ├── bootstrap │ │ │ │ ├── README.md │ │ │ │ ├── schema │ │ │ │ │ └── rfc2307bis │ │ │ │ │ │ ├── rfc2307bis.conf │ │ │ │ │ │ ├── rfc2307bis.ldif │ │ │ │ │ │ └── rfc2307bis.schema │ │ │ │ ├── ldif │ │ │ │ │ ├── 05-index.ldif │ │ │ │ │ ├── readonly-user │ │ │ │ │ │ ├── readonly-user.ldif │ │ │ │ │ │ └── readonly-user-acl.ldif │ │ │ │ │ ├── 01-acls.ldif │ │ │ │ │ ├── 04-refint.ldif │ │ │ │ │ ├── 02-memberOf.ldif │ │ │ │ │ └── 03-nestgroup.ldif │ │ │ │ └── default │ │ │ │ │ └── default.sh │ │ │ ├── tls │ │ │ │ ├── tls-enforce-disable.ldif │ │ │ │ ├── tls-enforce-enable.ldif │ │ │ │ ├── tls-disable.ldif │ │ │ │ └── tls-enable.ldif │ │ │ ├── log │ │ │ │ ├── log-disable.ldif │ │ │ │ └── log-enable.ldif │ │ │ └── replication │ │ │ │ ├── replication-disable.ldif │ │ │ │ └── replication-enable.ldif │ │ │ └── schema-to-ldif.sh │ ├── init │ │ └── init.d │ │ │ └── 10-openldap │ ├── run │ │ └── available │ │ │ ├── 10-openldap │ │ │ └── run │ │ │ └── 20-openldap-backup │ │ │ └── run │ ├── defaults │ │ └── 10-openldap │ └── functions │ │ └── 10-openldap ├── etc │ └── zabbix │ │ └── zabbix_agentd.conf.d │ │ ├── openldap.conf │ │ └── scripts │ │ └── openldap-stats.sh └── usr │ └── local │ └── bin │ ├── backup-now │ ├── slapd-backup │ ├── change-password │ └── slapd-restore ├── LICENSE ├── examples └── compose.yml ├── Containerfile ├── zabbix_templates ├── app-openldap_backup.json └── app-openlap.json ├── CHANGELOG.md └── README.md /.dockerignore: -------------------------------------------------------------------------------- 1 | examples/ 2 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: 
[tiredofit] 2 | -------------------------------------------------------------------------------- /.github/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /build-assets/* 2 | !/build-assets/.empty 3 | 4 | -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/bootstrap/README.md: -------------------------------------------------------------------------------- 1 | # Bootstrap config, for a container started without an existing ldap config. 2 | -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/tls/tls-enforce-disable.ldif: -------------------------------------------------------------------------------- 1 | dn: cn=config 2 | changetype: modify 3 | delete: olcSecurity 4 | - 5 | delete: olcLocalSSF 6 | -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/log/log-disable.ldif: -------------------------------------------------------------------------------- 1 | dn: cn=config 2 | changetype: modify 3 | delete: olcLogFile 4 | - 5 | delete: olcLogFileFormat 6 | - 7 | delete: olcLogFileOnly 8 | -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/tls/tls-enforce-enable.ldif: -------------------------------------------------------------------------------- 1 | dn: cn=config 2 | changetype: modify 3 | replace: olcSecurity 4 | olcSecurity: ssf=128 5 | - 6 | replace: olcLocalSSF 7 | olcLocalSSF: 128 8 | -------------------------------------------------------------------------------- 
/rootfs/container/data/openldap/config/bootstrap/schema/rfc2307bis/rfc2307bis.conf: -------------------------------------------------------------------------------- 1 | include /etc/openldap/schema/core.schema 2 | include /etc/openldap/schema/cosine.schema 3 | include /etc/openldap/schema/inetorgperson.schema 4 | include /etc/openldap/schema/rfc2307bis.schema 5 | -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/log/log-enable.ldif: -------------------------------------------------------------------------------- 1 | dn: cn=config 2 | changetype: modify 3 | replace: olcLogFile 4 | olcLogFile: {{slapd_log_file}} 5 | - 6 | replace: olcLogFileFormat 7 | olcLogFileFormat: {{slapd_log_prefix}} 8 | - 9 | replace: olcLogFileOnly 10 | olcLogFileOnly: {{slapd_log_type}} -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/tls/tls-disable.ldif: -------------------------------------------------------------------------------- 1 | dn: cn=config 2 | changetype: modify 3 | delete: olcTLSCipherSuite 4 | - 5 | delete: olcTLSCACertificateFile 6 | - 7 | delete: olcTLSCertificateFile 8 | - 9 | delete: olcTLSCertificateKeyFile 10 | {{TLS_DH_PARAM_LDIF_DISABLE}} 11 | delete: olcTLSVerifyClient 12 | -------------------------------------------------------------------------------- /rootfs/etc/zabbix/zabbix_agentd.conf.d/openldap.conf: -------------------------------------------------------------------------------- 1 | # OpenLDAP monitoring for Zabbix Agent 5.4+ 2 | # Get the template at https://github.com/nfrastack/container-openldap 3 | # Autoregister=openldap 4 | 5 | UserParameter=openldap.statistics.[*],/etc/zabbix/zabbix_agentd.conf.d/scripts/openldap-stats.sh "cn=$1,cn=$2,cn=monitor" "$3" -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/bootstrap/ldif/05-index.ldif: 
-------------------------------------------------------------------------------- 1 | # Add indexes 2 | dn: olcDatabase={1}mdb,cn=config 3 | changetype: modify 4 | replace: olcDbIndex 5 | olcDbIndex: uid eq 6 | olcDbIndex: mail eq 7 | olcDbIndex: memberOf eq 8 | olcDbIndex: entryCSN eq 9 | olcDbIndex: entryUUID eq 10 | olcDbIndex: objectClass eq 11 | -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/bootstrap/ldif/readonly-user/readonly-user.ldif: -------------------------------------------------------------------------------- 1 | dn: cn={{READONLY_USER_USER}},{{BASE_DN}} 2 | changetype: add 3 | cn: {{READONLY_USER_USER}} 4 | objectClass: simpleSecurityObject 5 | objectClass: organizationalRole 6 | userPassword: {{READONLY_USER_USER}} 7 | description: LDAP read only user (DSA) 8 | -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/bootstrap/ldif/01-acls.ldif: -------------------------------------------------------------------------------- 1 | dn: olcDatabase={1}mdb,cn=config 2 | changeType: modify 3 | add: olcAccess 4 | olcAccess: to attrs=userPassword,shadowLastChange by self =xw by dn="cn=admin,{{BASE_DN}}" write by anonymous auth by * none 5 | olcAccess: to * by self write by dn="cn=admin,{{BASE_DN}}" write by * read 6 | -------------------------------------------------------------------------------- /rootfs/usr/local/bin/backup-now: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | # SPDX-FileCopyrightText: © 2025 Nfrastack 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | source /container/base/functions/container/init 7 | prepare_service 10-openldap 8 | 9 | echo '** Performing Manual Backup' 10 | /container/run/available/20-openldap-backup/run NOW 11 | -------------------------------------------------------------------------------- 
/rootfs/container/data/openldap/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif: -------------------------------------------------------------------------------- 1 | dn: olcDatabase={1}mdb,cn=config 2 | changetype: modify 3 | delete: olcAccess 4 | - 5 | add: olcAccess 6 | olcAccess: to attrs=userPassword,shadowLastChange by self =xw by dn="cn=admin,{{BASE_DN}}" write by anonymous auth by * none 7 | olcAccess: to * by self write by dn="cn=admin,{{BASE_DN}}" write by * read 8 | olcAccess: to * by self read by dn="cn=admin,{{BASE_DN}}" write by dn="cn={{READONLY_USER_USER}},{{BASE_DN}}" read by * none 9 | -------------------------------------------------------------------------------- /rootfs/container/init/init.d/10-openldap: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | # SPDX-FileCopyrightText: © 2025 Nfrastack 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | source /container/base/functions/container/init 7 | prepare_service 10-openldap 8 | SERVICE_NAME="openldap" 9 | 10 | openldap_bootstrap_filesystem 11 | openldap_configure_ldap_server 12 | openldap_configure_ldap_client 13 | openldap_configure_backup 14 | openldap_configure_networking 15 | openldap_configure_ppolicy_check_modules 16 | 17 | liftoff 18 | -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/bootstrap/ldif/04-refint.ldif: -------------------------------------------------------------------------------- 1 | # Load refint module 2 | dn: cn=module{0},cn=config 3 | changetype: modify 4 | add: olcModuleLoad 5 | olcModuleLoad: refint 6 | 7 | # Backend refint overlay 8 | dn: olcOverlay={2}refint,olcDatabase={1}mdb,cn=config 9 | changetype: add 10 | objectClass: olcOverlayConfig 11 | objectClass: olcRefintConfig 12 | olcOverlay: {2}refint 13 | olcRefintAttribute: owner 14 | olcRefintAttribute: manager 15 | olcRefintAttribute: uniqueMember 16 | 
olcRefintAttribute: member 17 | olcRefintAttribute: memberOf 18 | -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/bootstrap/ldif/02-memberOf.ldif: -------------------------------------------------------------------------------- 1 | # Load memberof module 2 | dn: cn=module{0},cn=config 3 | changetype: modify 4 | add: olcModuleLoad 5 | olcModuleLoad: memberof 6 | 7 | # Backend memberOf overlay 8 | dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config 9 | changetype: add 10 | objectClass: olcOverlayConfig 11 | objectClass: olcMemberOf 12 | olcOverlay: {0}memberof 13 | olcMemberOfDangling: ignore 14 | olcMemberOfRefInt: TRUE 15 | olcMemberOfGroupOC: groupOfNames 16 | olcMemberOfMemberAD: Member 17 | olcMemberOfMemberOfAD: memberOf 18 | olcMemberOfAddCheck: TRUE -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/bootstrap/ldif/03-nestgroup.ldif: -------------------------------------------------------------------------------- 1 | # Load nestgroup module 2 | dn: cn=module{0},cn=config 3 | changetype: modify 4 | add: olcModuleLoad 5 | olcModuleLoad: nestgroup 6 | 7 | # Backend nestgroup overlay 8 | dn: olcOverlay={1}nestgroup,olcDatabase={1}mdb,cn=config 9 | changetype: add 10 | objectClass: olcOverlayConfig 11 | objectClass: olcNestGroupConfig 12 | olcOverlay: {1}nestgroup 13 | olcNestGroupBase: {{BASE_DN}} 14 | olcNestGroupFlags: member-values 15 | olcNestGroupFlags: member-filter 16 | olcNestGroupFlags: memberOf-values 17 | olcNestGroupFlags: memberOf-filter 18 | -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/tls/tls-enable.ldif: -------------------------------------------------------------------------------- 1 | dn: cn=config 2 | changetype: modify 3 | replace: olcTLSCipherSuite 4 | olcTLSCipherSuite: {{TLS_CIPHER_SUITE}} 5 | - 6 | replace: 
olcTLSCACertificateFile 7 | olcTLSCACertificateFile: {{TLS_CA_CERT_PATH}}/{{TLS_CA_CERT_FILE}} 8 | - 9 | replace: olcTLSCertificateFile 10 | olcTLSCertificateFile: {{TLS_CERT_PATH}}/{{TLS_CERT_FILE}} 11 | - 12 | replace: olcTLSCertificateKeyFile 13 | olcTLSCertificateKeyFile: {{TLS_KEY_PATH}}/{{TLS_KEY_FILE}} 14 | {{TLS_DH_PARAM_LDIF_ENABLE}} 15 | replace: olcTLSVerifyClient 16 | olcTLSVerifyClient: {{TLS_VERIFY_CLIENT}} 17 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea or feature 4 | title: '' 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | --- 11 | name: Feature Request 12 | about: Suggest an idea for this project 13 | 14 | --- 15 | 16 | **Description of the feature** 17 | 18 | 19 | **Benftits of feature** 20 | 21 | 22 | **Additional context** 23 | 24 | -------------------------------------------------------------------------------- /rootfs/container/run/available/10-openldap/run: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | # SPDX-FileCopyrightText: © 2025 Nfrastack 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | source /container/base/functions/container/init 7 | prepare_service 10-openldap 8 | 9 | SERVICE_NAME="openldap" 10 | check_container_initialized 11 | check_service_initialized init 12 | openldap_configure_logging 13 | ulimit -n ${ULIMIT_N} 14 | liftoff 15 | 16 | print_start "Starting OpenLDAP $(grep -o "ADD: OpenLDAP .* |" /container/build/${IMAGE_NAME/\//_}/build.log | awk '{print $3}')" 17 | exec slapd \ 18 | $SLAPD_ARGS -h "${SLAPD_HOSTS}" \ 19 | -u ldap \ 20 | -g ldap ${log_level} 21 | 22 | -------------------------------------------------------------------------------- /rootfs/usr/local/bin/slapd-backup: 
-------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | # SPDX-FileCopyrightText: © 2025 Nfrastack 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | source /container/base/functions/container/init 7 | prepare_service 10-openldap 8 | 9 | slapd_backup() { 10 | local database=${1} 11 | local filename=${2} 12 | create_folder "${BACKUP_PATH%/}" ldap:ldap 750 13 | 14 | /usr/sbin/slapcat -F "${CONFIG_PATH%/}" -n ${database}| gzip | silent tee "${BACKUP_PATH%/}/"$(TZ=${TIMEZONE} date "+%Y%m%dT%H%M%S")-$(unknown).gz 15 | exit 0 16 | } 17 | 18 | case "${1}" in 19 | config ) 20 | slapd_backup 0 config 21 | ;; 22 | data ) 23 | slapd_backup 1 data 24 | ;; 25 | esac -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/replication/replication-disable.ldif: -------------------------------------------------------------------------------- 1 | # Delete sync replication on backend 2 | dn: olcDatabase={1}mdb,cn=config 3 | changetype: modify 4 | delete: olcSyncRepl 5 | - 6 | delete: olcMultiProvider 7 | 8 | # Delete syncprov on backend 9 | dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config 10 | changetype: delete 11 | 12 | # Delete sync replication on config 13 | dn: olcDatabase={0}config,cn=config 14 | changetype: modify 15 | delete: olcSyncRepl 16 | - 17 | delete: olcMultiProvider 18 | 19 | # Delete syncprov on config 20 | dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config 21 | changetype: delete 22 | 23 | # Delete server ID 24 | dn: cn=config 25 | changeType: modify 26 | delete: olcServerID 27 | -------------------------------------------------------------------------------- /rootfs/etc/zabbix/zabbix_agentd.conf.d/scripts/openldap-stats.sh: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | # SPDX-FileCopyrightText: © 2025 Nfrastack 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | 
source /container/base/functions/container/init 7 | 8 | if [ -z "${BASE_DN}" ]; then 9 | IFS='.' read -ra BASE_DN_TABLE <<< "$DOMAIN" 10 | for i in "${BASE_DN_TABLE[@]}"; do 11 | EXT="dc=$i," 12 | BASE_DN=$BASE_DN$EXT 13 | done 14 | BASE_DN=${BASE_DN::-1} 15 | fi 16 | 17 | transform_var file \ 18 | ADMIN_PASS 19 | 20 | LDAP_PARAM="$1" 21 | LDAP_RESPONSE_KEY="${2:-monitorCounter}" 22 | COMMAND="ldapsearch -H ldap://$HOSTNAME:389 -b $LDAP_PARAM -D cn=admin,$BASE_DN -w $ADMIN_PASS" 23 | RAW=$($COMMAND -s base '(objectClass=*)' '*' '+') 24 | RESULT=$(eval "echo '$RAW' | sed -n 's/^[ \t]*$LDAP_RESPONSE_KEY:[ \t]*\(.*\)/\1/p'") 25 | echo ${RESULT} 26 | 27 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: If something isn't working right.. 4 | title: '' 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | ### Summary 11 | 12 | 13 | 14 | 15 | ### Steps to reproduce 16 | 17 | 18 | 19 | 20 | ### What is the expected *correct* behavior? 21 | 22 | 23 | 24 | 25 | ### Relevant logs and/or screenshots 26 | 27 | 28 | 29 | ### Environment 30 | 31 | 32 | - Image version / tag: 33 | - Host OS: 34 | 35 |
36 | Any logs | compose.yml 37 |
38 | 39 | 40 | 41 | ### Possible fixes 42 | 43 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2025 Nfrastack 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/replication/replication-enable.ldif: -------------------------------------------------------------------------------- 1 | # Load syncprov module 2 | dn: cn=module{0},cn=config 3 | changetype: modify 4 | add: olcModuleLoad 5 | olcModuleLoad: syncprov 6 | 7 | # Set server ID 8 | dn: cn=config 9 | changeType: modify 10 | add: olcServerID 11 | {{REPLICATION_HOSTS}} 12 | 13 | # Add syncprov on config 14 | dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config 15 | changetype: add 16 | objectClass: olcOverlayConfig 17 | objectClass: olcSyncProvConfig 18 | olcOverlay: syncprov 19 | 20 | # Add sync replication on config 21 | dn: olcDatabase={0}config,cn=config 22 | changetype: modify 23 | add: olcSyncRepl 24 | {{REPLICATION_HOSTS_CONFIG_SYNC_REPL}} 25 | - 26 | add: olcMultiProvider 27 | olcMultiProvider: TRUE 28 | 29 | # Add syncprov on backend 30 | dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config 31 | changetype: add 32 | objectClass: olcOverlayConfig 33 | objectClass: olcSyncProvConfig 34 | olcOverlay: syncprov 35 | 36 | # Add sync replication on backend 37 | dn: olcDatabase={1}mdb,cn=config 38 | changetype: modify 39 | add: olcSyncRepl 40 | {{REPLICATION_HOSTS_DB_SYNC_REPL}} 41 | - 42 | add: olcMultiProvider 43 | olcMultiProvider: TRUE 44 | -------------------------------------------------------------------------------- /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | on: 2 | push: 3 | paths: 4 | - '**' 5 | - '!CHANGELOG.md' 6 | - '!/examples/*' 7 | - '!LICENSE' 8 | - '!README.md' 9 | - '!/zabbix_templates/*' 10 | jobs: 11 | prepare: 12 | uses: nfrastack/gha/.github/workflows/artifacts-encrypt.yml@main 13 | secrets: inherit 14 | build: 15 | needs: prepare 16 | strategy: 17 | matrix: 18 | include: 19 | - { distro: "alpine", distro_variant: "3.22", latest: "true", distro_latest: 
"true", arch: "linux/amd64,linux/arm64" } 20 | uses: nfrastack/gha/.github/workflows/container-build_generic.yml@main 21 | with: 22 | base_image: "ghcr.io/nfrastack/container-base" 23 | distro: ${{ matrix.distro }} 24 | distro_variant: ${{ matrix.distro_variant }} 25 | image_variant: ${{ matrix.image_variant || '' }} 26 | tag: ${{ matrix.tag || '' }} 27 | latest: ${{ matrix.latest }} 28 | distro_latest: ${{ matrix.distro_latest }} 29 | platforms: ${{ matrix.arch }} 30 | push_dockerhub: ${{ matrix.push_dockerhub || true }} 31 | push_ghcr: ${{ matrix.push_ghcr || true }} 32 | secrets: inherit 33 | cleanup: 34 | needs: [ build ] 35 | uses: nfrastack/gha/.github/workflows/artifacts-remove.yml@main 36 | secrets: inherit 37 | 38 | -------------------------------------------------------------------------------- /rootfs/container/data/openldap/schema-to-ldif.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | SCHEMAS=$1 4 | 5 | tmpd=$(mktemp -d) 6 | pushd "${tmpd}" >>/dev/null 7 | 8 | echo "include /etc/openldap/schema/core.schema" | silent tee -a convert.dat 9 | echo "include /etc/openldap/schema/cosine.schema" | silent tee -a convert.dat 10 | echo "include /etc/openldap/schema/nis.schema" | silent tee -a convert.dat 11 | echo "include /etc/openldap/schema/inetorgperson.schema" | silent tee -a convert.dat 12 | 13 | for schema in ${SCHEMAS} ; do 14 | echo "include ${schema}" | silent tee -a convert.dat 15 | done 16 | 17 | slaptest -f convert.dat -F . 18 | 19 | if [ ${?} -ne 0 ] ; then 20 | echo "** [openldap] ERROR: slaptest conversion failed!" 21 | exit 22 | fi 23 | 24 | for schema in ${SCHEMAS} ; do 25 | fullpath=${schema} 26 | schema_name="$(basename ${fullpath} .schema)" 27 | schema_dir="$(dirname ${fullpath})" 28 | ldif_file=${schema_name}.ldif 29 | 30 | find . 
-name *\}${schema_name}.ldif -exec mv '{}' ./${ldif_file} \; 31 | 32 | sed -i \ 33 | -e "/dn:/ c dn: cn=${schema_name},cn=schema,cn=config" \ 34 | -e "/cn:/ c cn: ${schema_name}" \ 35 | -e "/structuralObjectClass/ d" \ 36 | -e "/entryUUID/ d" \ 37 | -e "/creatorsName/ d" \ 38 | -e "/createTimestamp/ d" \ 39 | -e "/entryCSN/ d" \ 40 | -e "/modifiersName/ d" \ 41 | -e "/modifyTimestamp/ d" \ 42 | "${ldif_file}" 43 | 44 | # slapd seems to be very sensitive to how a file ends. There should be no blank lines. 45 | sed -i '/^ *$/d' ${ldif_file} 46 | 47 | mv "${ldif_file}" "${schema_dir}" 48 | done 49 | 50 | popd >> /dev/null 51 | rm -rf "${tmpd}" 52 | -------------------------------------------------------------------------------- /rootfs/usr/local/bin/change-password: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | # SPDX-FileCopyrightText: © 2025 Nfrastack 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | source /container/base/functions/container/init 7 | prepare_service 10-openldap 8 | 9 | question_change_choice() { 10 | echo "What password do you want to change? " 11 | read -p "(C)onfig or (S)chema: " change_choice 12 | 13 | case "${change_choice}" in 14 | "CONFIG" | "config" | "C" | "c") 15 | change_choice="config" 16 | ;; 17 | "SCHEMA" | "schema" | "S" | "s") 18 | change_choice="schema" 19 | ;; 20 | *) 21 | echo "Unknown Selection - Exiting.." 
22 | exit 1 23 | ;; 24 | esac 25 | } 26 | 27 | create_password() { 28 | read -p "Enter Password: " password 29 | encrypted_password=$(slappasswd -s ${password}) 30 | } 31 | 32 | generate_ldif() { 33 | temp_ldif=$(mktemp -q) 34 | if [ "${change_choice}" = "config" ]; then 35 | cat < 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | source /container/base/functions/container/init 7 | prepare_service 10-openldap 8 | 9 | # Usage: slapd-restore dbnum file 10 | slapd_restore() { 11 | local dbnum=$1 12 | local filename=$2 13 | 14 | s6-svc -d /var/run/s6/legacy-services/10-openldap 15 | pkill -9 slapd 16 | 17 | tmp_backup_file="$(mktemp)" 18 | case "${filename##*.}" in 19 | gz ) 20 | gunzip -c "$(unknown)" | silent tee "${tmp_backup_file}" 21 | ;; 22 | zst ) 23 | zstd -d "$(unknown)" | silent tee "${tmp_backup_file}" 24 | ;; 25 | esac 26 | 27 | chown ldap:ldap "${tmp_backup_file}" 28 | 29 | case "${dbnum}" in 30 | 0 ) 31 | tmp_container_files="$(mktemp -d)" 32 | mv "${CONFIG_PATH%/}"/container-* "${tmp_container_files}"/ 33 | rm -rf "${CONFIG_PATH%/}"/* 34 | ;; 35 | 1 ) 36 | rm -rf "${DB_PATH:?}"/* 37 | ;; 38 | esac 39 | 40 | sudo -u ldap slapadd -v -F ${CONFIG_PATH%/} -n "${dbnum}" -l "${tmp_backup_file}" 41 | 42 | case "${dbnum}" in 43 | 0 ) 44 | mv "${tmp_container_files%/}"/* "${CONFIG_PATH%/}"/ 45 | rm -rf "${tmp_container_files}" 46 | ;; 47 | esac 48 | 49 | s6-svc -u /var/run/s6/legacy-services/10-openldap 50 | rm -rf "${tmp_backup_file}" 51 | exit 0 52 | } 53 | 54 | if [ -z "${1}" ] ; then 55 | echo "Syntax: $(basename "$0") dbnum[0|1] [filename]" 56 | exit 2 57 | elif [ -z "${2}" ] ; then 58 | echo "Need Filename to restore!" 
59 | exit 2 60 | fi 61 | 62 | case "${1}" in 63 | config | 0) 64 | slapd_restore 0 "${1}" 65 | ;; 66 | data | 1) 67 | slapd_restore 1 "${2}" 68 | ;; 69 | esac -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/bootstrap/default/default.sh: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | # SPDX-FileCopyrightText: © 2025 Nfrastack 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | source /container/base/functions/container/init 7 | prepare_service 10-openldap 8 | SERVICE_NAME="openldap" 9 | 10 | if [ -z "${BASE_DN}" ]; then 11 | IFS='.' read -ra BASE_DN_TABLE <<< "$DOMAIN" 12 | for i in "${BASE_DN_TABLE[@]}"; do 13 | EXT="dc=$i," 14 | BASE_DN=$BASE_DN$EXT 15 | done 16 | 17 | BASE_DN=${BASE_DN::-1} 18 | fi 19 | 20 | IFS='.' read -a domain_elems <<< "${DOMAIN}" 21 | SUFFIX="" 22 | ROOT="" 23 | 24 | for elem in "${domain_elems[@]}" ; do 25 | if [ "x${SUFFIX}" = x ] ; then 26 | SUFFIX="dc=${elem}" 27 | BASE_DN="${SUFFIX}" 28 | ROOT="${elem}" 29 | else 30 | BASE_DN="${BASE_DN},dc=${elem}" 31 | fi 32 | done 33 | 34 | transform_var file \ 35 | ADMIN_PASS \ 36 | READONLY_USER_USER \ 37 | READONLY_USER_PASS 38 | 39 | ADMIN_PASS_ENCRYPTED=$(slappasswd -s "${ADMIN_PASS}") 40 | READONLY_USER_PASS_ENCRYPTED=$(slappasswd -s "${READONLY_USER_PASS}") 41 | 42 | _ldap_default_data=$(mktemp) 43 | 44 | cat < 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | DATA_PATH=${DATA_PATH:-"/data/"} 6 | # 7 | BACKUP_PATH=${BACKUP_PATH:-"${DATA_PATH%/}/backup/"} 8 | # 9 | 10 | CONFIG_PATH=${CONFIG_PATH:-"${DATA_PATH%/}/config/"} 11 | DB_PATH=${DB_PATH:-"${DATA_PATH%/}/db/"} 12 | ADD_DEFAULT_DATA=${ADD_DEFAULT_DATA:-"TRUE"} 13 | ADMIN_PASS=${ADMIN_PASS:-"admin"} 14 | BACKUP_BEGIN=${BACKUP_BEGIN:-"0400"} 15 | BACKUP_COMPRESSION=${BACKUP_COMPRESSION:-"zstd"} 16 | BACKUP_COMPRESSION_LEVEL=${BACKUP_COMPRESSION_LEVEL:-"8"} 17 | 
BACKUP_CREATE_LATEST_SYMLINK=${BACKUP_CREATE_LATEST_SYMLINK:-"TRUE"} 18 | BACKUP_INTERVAL=${BACKUP_INTERVAL:-"1440"} 19 | BACKUP_ENABLE_CHECKSUM=${BACKUP_ENABLE_CHECKSUM:-"TRUE"} 20 | BACKUP_CHECKSUM=${BACKUP_CHECKSUM:-"md5"} 21 | BACKUP_PARALLEL_COMPRESSION=${BACKUP_PARALLEL_COMPRESSION:-"TRUE"} 22 | BACKUP_PATH_ARCHIVE=${BACKUP_PATH_ARCHIVE:-"${BACKUP_PATH%/}/archive/"} 23 | BACKUP_RETENTION=${BACKUP_RETENTION:-"10080"} 24 | BACKUP_SIZE_VALUE=${BACKUP_SIZE_VALUE:-"bytes"} 25 | BACKUP_TEMP_LOCATION=${BACKUP_TEMP_LOCATION:-"/tmp/backups"} 26 | BACKUP_TYPE=${BACKUP_TYPE:-"FILESYSTEM"} 27 | CONFIG_PASS=${CONFIG_PASS:-"config"} 28 | DOMAIN=${DOMAIN:-"example.org"} 29 | ENABLE_BACKUP=${ENABLE_BACKUP:-"TRUE"} 30 | ENABLE_MONITOR=${ENABLE_MONITOR:-"TRUE"} 31 | ENABLE_PPOLICY=${ENABLE_PPOLICY:-"TRUE"} 32 | ENABLE_READONLY_USER=${ENABLE_READONLY_USER:-"FALSE"} 33 | ENABLE_REPLICATION=${ENABLE_REPLICATION:-"FALSE"} 34 | ENABLE_TLS=${ENABLE_TLS:-"TRUE"} 35 | LOG_LEVEL=${LOG_LEVEL:-256} 36 | LOG_TYPE=${LOG_TYPE:-"FILE"} 37 | LOG_PATH=${LOG_PATH:-"/logs/"} 38 | LOG_FILE=${LOG_FILE:-"openldap.log"} 39 | LOG_PREFIX=${LOG_PREFIX:-"syslog-localtime"} 40 | ORGANIZATION=${ORGANIZATION:-"Example Organization"} 41 | PPOLICY_CHECK_RDN=${PPOLICY_CHECK_RDN:-0} 42 | PPOLICY_MAX_CONSEC=${PPOLICY_MAX_CONSEC:-0} 43 | PPOLICY_MAX_LENGTH=${PPOLICY_MAX_LENGTH:-0} 44 | PPOLICY_MIN_DIGIT=${PPOLICY_MIN_DIGIT:-0} 45 | PPOLICY_MIN_LOWER=${PPOLICY_MIN_LOWER:-0} 46 | PPOLICY_MIN_POINTS=${PPOLICY_MIN_POINTS:-3} 47 | PPOLICY_MIN_PUNCT=${PPOLICY_MIN_PUNCT:-0} 48 | PPOLICY_MIN_UPPER=${PPOLICY_MIN_UPPER:-0} 49 | PPOLICY_USE_CRACKLIB=${PPOLICY_USE_CRACKLIB:-1} 50 | READONLY_USER_PASS=${READONLY_USER_PASS:-"readonly"} 51 | READONLY_USER_USER=${READONLY_USER_USER:-"readonly"} 52 | REPLICATION_SAFETY_CHECK=${REPLICATION_SAFETY_CHECK:-"TRUE"} 53 | SCHEMA_TYPE=${SCHEMA_TYPE:-"nis"} 54 | SLAPD_ARGS=${SLAPD_ARGS:-""} 55 | SLAPD_HOSTS=${SLAPD_HOSTS:-"ldap://$HOSTNAME ldaps://$HOSTNAME ldapi:///"} 56 | # 57 | 
TLS_CA_NAME=${TLS_CA_NAME:-"ldap-nfrastack"} 58 | TLS_CA_SUBJECT=${TLS_CA_SUBJECT:-"/C=XX/ST=LDAP/L=LDAP/O=LDAP/CN="} 59 | TLS_CA_CERT_SUBJECT=${TLS_CA_CERT_SUBJECT:-"${TLS_CA_SUBJECT}${TLS_CA_NAME}"} 60 | TLS_CA_CERT_FILE=${TLS_CA_CERT_FILE:-"${TLS_CA_NAME}.crt"} 61 | TLS_CA_KEY_FILE=${TLS_CA_KEY_FILE:-"${TLS_CA_NAME}.key"} 62 | TLS_CA_CERT_PATH=${TLS_CA_CERT_PATH:-"/certs/${TLS_CA_NAME}/"} 63 | # 64 | TLS_CIPHER_SUITE=${TLS_CIPHER_SUITE:-"HIGH:!aNULL:!MD5:!3DES:!RC4:!DES:!eNULL"} 65 | TLS_CREATE_CA=${TLS_CREATE_CA:-"TRUE"} 66 | TLS_CERT_FILE=${TLS_CERT_FILE:-"cert.pem"} 67 | TLS_CERT_PATH=${TLS_CERT_PATH:-"/certs/"} 68 | TLS_DH_PARAM_FILE=${TLS_DH_PARAM_FILE:-"dhparam.pem"} 69 | TLS_DH_PARAM_KEYSIZE=${TLS_DH_PARAM_KEYSIZE:-2048} 70 | TLS_DH_PARAM_PATH=${TLS_DH_PARAM_PATH:-"/certs/"} 71 | TLS_ENFORCE=${TLS_ENFORCE:-"FALSE"} 72 | TLS_ENABLE_DH_PARAM=${TLS_ENABLE_DH_PARAM:-"TRUE"} 73 | TLS_KEY_FILE=${TLS_KEY_FILE:-"key.pem"} 74 | TLS_KEY_PATH=${TLS_KEY_PATH:-"/certs/"} 75 | TLS_RESET_PERMISSIONS=${TLS_RESET_PERMISSIONS:-"TRUE"} 76 | TLS_VERIFY_CLIENT=${TLS_VERIFY_CLIENT:-"try"} 77 | ULIMIT_N=${ULIMIT_N:-"1024"} 78 | WAIT_FOR_REPLICAS=${WAIT_FOR_REPLICAS:-"FALSE"} 79 | 80 | first_start_done="/container/state/slapd-first-start-done" 81 | was_started_with_replication="${CONFIG_PATH%/}/container-openldap-was-started-with-replication" 82 | was_started_with_tls="${CONFIG_PATH%/}/container-openldap-was-started-with-tls" 83 | was_started_with_tls_enforce="${CONFIG_PATH%/}/container-openldap-was-started-with-tls-enforce" 84 | -------------------------------------------------------------------------------- /rootfs/container/run/available/20-openldap-backup/run: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | # SPDX-FileCopyrightText: © 2025 Nfrastack 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | source /container/base/functions/container/init 7 | prepare_service 8 | SERVICE_NAME="openldap-backup" 9 | 
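check_container_initialized
check_service_initialized init 10-openldap
if [ "${1,,}" != "now" ] ; then liftoff; fi

# Scheduled / on-demand OpenLDAP backup service.
# Flow: wait for 10-openldap, work out the first run time, then loop:
#   slapcat cn=config + data -> tar (optionally compressed) -> checksum
#   -> move into BACKUP_PATH -> optional Zabbix stats -> retention -> POST_SCRIPT.
# All BACKUP_* / CONTAINER_* variables come from the container environment;
# their defaults are defined elsewhere in the image and are not visible here.

# Pick parallel or single-threaded compressors; BACKUP_COMPRESSION_LEVEL is
# passed through verbatim as the numeric level flag.
if var_true "${BACKUP_PARALLEL_COMPRESSION}"; then
    bzip="pbzip2 -${BACKUP_COMPRESSION_LEVEL}"
    gzip="pigz -${BACKUP_COMPRESSION_LEVEL}"
    xzip="pixz -${BACKUP_COMPRESSION_LEVEL}"
    zstd="zstd --rm -${BACKUP_COMPRESSION_LEVEL}"
else
    bzip="bzip2 -${BACKUP_COMPRESSION_LEVEL}"
    gzip="gzip -${BACKUP_COMPRESSION_LEVEL}"
    xzip="xz -${BACKUP_COMPRESSION_LEVEL} "
    zstd="zstd --rm -${BACKUP_COMPRESSION_LEVEL}"
fi

# Dump cn=config (database 0) and the directory data (database 1) with
# slapcat into BACKUP_TEMP_LOCATION, then package, checksum and move them.
# Sets the globals target, exit_code and (on failure) master_exit_code.
#
# NOTE(review): both dumps contain secrets -- userPassword hashes from the
# data backend and, from cn=config, olcRootPW plus any syncrepl credentials.
# The archive is created with the process umask; consider `umask 077` here
# and keep BACKUP_PATH on a volume with the same access control as the DB.
backup_openldap() {
    print_notice "Backing up configuration schemas"
    target=config
    # Redirect slapcat directly: with `slapcat | silent tee`, $? was the
    # status of tee, so a failed slapcat was reported as a successful backup.
    /usr/sbin/slapcat -F "${CONFIG_PATH}" -n 0 > "${BACKUP_TEMP_LOCATION:?}/${target}"
    exit_code=$?
    check_exit_code $target

    print_notice "Backing up user data"
    target=data
    /usr/sbin/slapcat -F "${CONFIG_PATH}" -n 1 > "${BACKUP_TEMP_LOCATION:?}/${target}"
    exit_code=$?
    check_exit_code $target

    target=${now}-openldap_${CONTAINER_NAME}
    compression
    generate_checksum
    move_backup
}

# Log the outcome of the last step and latch master_exit_code on failure.
# $1: label of the step (config, data, or the archive name).
check_exit_code() {
    print_debug "OpenLDAP Backup Exit Code is ${exit_code}"
    if [ "${exit_code}" = "0" ]; then
        print_info "OpenLDAP Backup of '${1}' completed successfully"
    else
        print_error "OpenLDAP Backup of '${1}' reported errors"
        master_exit_code=1
    fi
}

# Pack config + data into ${BACKUP_TEMP_LOCATION}/${target}, placing both
# members under a ${now}-openldap_${CONTAINER_NAME}/ directory in the archive.
# $1: compressor for tar --use-compress-program, or empty for a plain tar.
# Sets exit_code from tar and reports it via check_exit_code.
_pack_backup() {
    local prefix="${now}-openldap_${CONTAINER_NAME}"
    local -a compress_opt=()
    if [ -n "${1}" ]; then
        compress_opt=(--use-compress-program="${1} ")
    fi
    # The transforms are anchored: an unanchored `s|data|...|` also rewrote
    # the prefix itself whenever CONTAINER_NAME contained "data" or "config".
    tar "${compress_opt[@]}" -cf "${BACKUP_TEMP_LOCATION:?}/${target}" -C "${BACKUP_TEMP_LOCATION}" config data \
        --transform "s|^config$|${prefix}/config|" --transform "s|^data$|${prefix}/data|"
    exit_code=$?
    check_exit_code "${target}"
}

# Choose the archive format from BACKUP_COMPRESSION and build it.
# Unknown values fall back to an uncompressed tar instead of producing no
# archive at all (which made the later stat/mv steps fail).
compression() {
    case "${BACKUP_COMPRESSION,,}" in
        bz*)
            print_notice "Compressing backup with bzip2"
            target=${target}.tar.bz2
            _pack_backup "${bzip}"
            ;;
        gz*)
            print_notice "Compressing backup with gzip"
            target=${target}.tar.gz
            _pack_backup "${gzip}"
            ;;
        "none" | "false")
            target=${target}.tar
            _pack_backup ""
            ;;
        xz*)
            print_notice "Compressing backup with xzip"
            target=${target}.tar.xz
            _pack_backup "${xzip}"
            ;;
        zst*)
            print_notice "Compressing backup with zstd"
            target=${target}.tar.zst
            _pack_backup "${zstd}"
            ;;
        *)
            print_error "Unknown BACKUP_COMPRESSION '${BACKUP_COMPRESSION}', storing uncompressed"
            target=${target}.tar
            _pack_backup ""
            ;;
    esac
}

# Write ${target}.<ext> next to the archive when BACKUP_ENABLE_CHECKSUM is on.
# BACKUP_CHECKSUM selects md5 / sha1 / sha256 / sha512; any other "sha*" value
# keeps the historical sha1 behaviour (previously every sha* value, including
# sha256, silently produced sha1). Sets checksum_extension and checksum_value.
# NOTE(review): a sidecar digest only detects accidental corruption -- whoever
# can alter the archive can rewrite it. Tamper evidence needs a signature or a
# copy of the digest kept outside BACKUP_PATH.
generate_checksum() {
    if ! var_true "${BACKUP_ENABLE_CHECKSUM}"; then
        return
    fi
    if [ "${master_exit_code:-0}" != "0" ]; then
        print_error "Skipping Checksum creation because backup did not complete successfully"
        return
    fi
    case "${BACKUP_CHECKSUM,,}" in
        "md5")    checksum_command="md5sum";    checksum_extension="md5" ;;
        "sha256") checksum_command="sha256sum"; checksum_extension="sha256" ;;
        "sha512") checksum_command="sha512sum"; checksum_extension="sha512" ;;
        sha*)     checksum_command="sha1sum";   checksum_extension="sha1" ;;
        *)
            print_error "Unknown BACKUP_CHECKSUM '${BACKUP_CHECKSUM}', skipping checksum"
            return
            ;;
    esac
    print_notice "Generating ${checksum_extension^^} for '${target}'"
    # Subshell: the original cd'd into BACKUP_TEMP_LOCATION and never came back.
    checksum_value=$(cd "${BACKUP_TEMP_LOCATION:?}" && ${checksum_command} "${target}" | tee "${target}.${checksum_extension}" | awk '{ print $1 }')
    print_debug "${checksum_extension^^}: ${checksum_value} - ${target}"
}

# Report the archive size, move it (plus checksum) into BACKUP_PATH, refresh
# the latest-* symlink and push old files into BACKUP_PATH_ARCHIVE.
# Every path that feeds an rm/mv/find is guarded with :? so an unset variable
# cannot expand to "/".
move_backup() {
    local size_unit
    case "${BACKUP_SIZE_VALUE,,}" in
        "b" | "bytes")
            size_unit=bytes
            ;;
        # The original quoted these as "[kK]" etc.; a quoted bracket pattern is
        # a literal string in a case statement, so human-readable never matched.
        "k" | "kb" | "kilobytes" | "m" | "mb" | "megabytes")
            size_unit=human
            ;;
        *)
            size_unit=bytes
            ;;
    esac
    if [ "${size_unit}" = "bytes" ]; then
        FILESIZE="$(stat -c%s "${BACKUP_TEMP_LOCATION:?}/${target}")"
        print_notice "Backup of ${target} created with the size of ${FILESIZE} bytes"
    else
        FILESIZE=$(du -h "${BACKUP_TEMP_LOCATION:?}/${target}" | awk '{ print $1}')
        print_notice "Backup of ${target} created with the size of ${FILESIZE}"
    fi

    case "${BACKUP_TYPE,,}" in
        file* )
            mkdir -p "${BACKUP_PATH:?}"
            if [ -n "${checksum_extension}" ]; then
                silent mv "${BACKUP_TEMP_LOCATION}"/*."${checksum_extension}" "${BACKUP_PATH%/}"/
            fi
            mv "${BACKUP_TEMP_LOCATION}/${target}" "${BACKUP_PATH%/}/${target}"
            if var_true "${BACKUP_CREATE_LATEST_SYMLINK}"; then
                ln -sf "${BACKUP_PATH%/}/${target}" "${BACKUP_PATH%/}/latest-openldap_${CONTAINER_NAME}"
            fi
            if [ -n "${BACKUP_ARCHIVE_TIME}" ]; then
                mkdir -p "${BACKUP_PATH_ARCHIVE:?}"
                # -type f: without it the archive directory itself, when it lives
                # under BACKUP_PATH, matched once it was old enough.
                find "${BACKUP_PATH%/}"/ -maxdepth 1 -type f -mmin +"${BACKUP_ARCHIVE_TIME}" -exec mv {} "${BACKUP_PATH_ARCHIVE}" \;
            fi
            ;;
    esac
    rm -rf "${BACKUP_TEMP_LOCATION:?}"/config
    rm -rf "${BACKUP_TEMP_LOCATION:?}"/data
}

if [ "${MODE,,}" = "manual" ] || [ "${1,,}" = "manual" ] || [ "${1,,}" = "now" ]; then
    sleep 1
    BACKUP_BEGIN=+0
    manual=TRUE
    print_debug "Detected Manual Mode"
else
    sleep 5
    current_time=$(date +"%s")
    today=$(date +"%Y%m%d")
    # BACKUP_BEGIN is either "+N" (minutes from now) or "HHMM" (wall clock).
    if [[ $BACKUP_BEGIN =~ ^\+(.*)$ ]]; then
        waittime=$((${BASH_REMATCH[1]} * 60))
        target_time=$((current_time + waittime))
    else
        target_time=$(date --date="${today:0:4}-${today:4:2}-${today:6:2} ${BACKUP_BEGIN:0:2}:${BACKUP_BEGIN:2:2}" +"%s")
        # Numeric comparison; `[[ a < b ]]` compares as strings.
        if [ "${target_time}" -lt "${current_time}" ]; then
            target_time=$((target_time + 24 * 60 * 60))
        fi
        waittime=$((target_time - current_time))
    fi

    print_debug "Wait Time: ${waittime} Target time: ${target_time} Current Time: ${current_time}"
    print_notice "Next Backup at $(date -d @${target_time} +"%Y-%m-%d %T %Z")"
    sleep ${waittime}
fi

while true; do
    mkdir -p "${BACKUP_TEMP_LOCATION:?}"
    # Reset per run: previously a single failure stayed latched, so every
    # later run was reported (and exported to monitoring) as failed.
    master_exit_code=0
    backup_start_time=$(date +"%s")
    print_debug "Backup routines started time: $(date +'%Y-%m-%d %T %Z')"
    now=$(date +"%Y%m%d-%H%M%S")
    now_time=$(date +"%H:%M:%S")
    now_date=$(date +"%Y-%m-%d")
    backup_openldap
    backup_finish_time=$(date +"%s")
    backup_total_time=$((backup_finish_time - backup_start_time))
    print_info "Backup routines finish time: $(date -d @${backup_finish_time} +"%Y-%m-%d %T %Z") with overall exit code ${master_exit_code}"
    print_notice "Backup routines time taken: $(echo ${backup_total_time} | awk '{printf "Hours: %d Minutes: %02d Seconds: %02d", $1/3600, ($1/60)%60, $1%60}')"

    if var_true "${CONTAINER_ENABLE_MONITORING}"; then
        case "${CONTAINER_MONITORING_BACKEND,,}" in
            zabbix )
                if binary_exists zabbix_sender; then
                    print_notice "Sending Backup Statistics to Zabbix"
                    backup_file="${BACKUP_PATH%/}/${target}"
                    backup_size="$(stat -c%s "${backup_file}")"
                    backup_mtime="$(date -r "${backup_file}" +'%s')"
                    # The shipped template (zabbix_templates/app-openldap_backup.json)
                    # keys the size item as dbbackup.size and also defines
                    # openldap.backup.status and openldap.backup.backup_duration;
                    # none of these were sent, so its "empty" and "Failed Backup"
                    # triggers could never fire. The old size key is kept too.
                    silent zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -k openldap.backup.size -o "${backup_size}"
                    silent zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -k dbbackup.size -o "${backup_size}"
                    silent zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -k openldap.backup.datetime -o "${backup_mtime}"
                    silent zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -k openldap.backup.status -o "${master_exit_code}"
                    silent zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -k openldap.backup.backup_duration -o "${backup_total_time}"
                else
                    # Keep going: a missing monitoring binary used to `break`
                    # out of the loop and stop all scheduled backups.
                    print_error "Zabbix Sender not detected. Cannot send backup statistics to Zabbix Server"
                fi
                ;;
        esac
    fi

    if [[ -n "${BACKUP_RETENTION}" ]]; then
        print_notice "Cleaning up old backups"
        # Scope the delete to this container's backups (archive and checksum
        # files). The old `find -iname "*" -exec rm` removed every file older
        # than the window under BACKUP_PATH, including unrelated data on a
        # shared volume, and an empty BACKUP_PATH would have walked "/".
        : "${BACKUP_PATH:?BACKUP_PATH must be set}"
        find "${BACKUP_PATH%/}"/ -type f -name "*-openldap_${CONTAINER_NAME}*" -mmin +"${BACKUP_RETENTION}" -exec rm {} \;
    fi

    if [ -n "${POST_SCRIPT}" ]; then
        print_notice "Found POST_SCRIPT environment variable. Executing"
        # SECURITY: this evaluates the environment as shell code, by design.
        # Anyone who can set POST_SCRIPT on this container runs arbitrary
        # commands as the service user; restrict who can edit the env/compose.
        eval "${POST_SCRIPT}"
    fi

    if var_true "${manual}"; then
        print_debug "Exiting due to manual mode"
        exit ${master_exit_code}
    else
        # Clamp at zero: a run longer than BACKUP_INTERVAL otherwise produced
        # `sleep -N`, which fails immediately and spins the loop.
        sleep_for=$((BACKUP_INTERVAL * 60 - backup_total_time))
        if [ "${sleep_for}" -lt 0 ]; then sleep_for=0; fi
        print_notice "Sleeping for another ${sleep_for} seconds. Waking up at $(date -d@"$(( $(date +%s) + sleep_for ))" +"%Y-%m-%d %T %Z") "
        sleep "${sleep_for}"
    fi
done
--------------------------------------------------------------------------------
/rootfs/container/data/openldap/config/bootstrap/schema/rfc2307bis/rfc2307bis.ldif:
--------------------------------------------------------------------------------
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.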
2 | # CRC32 6b6ad917 3 | dn: cn=rfc2307bis,cn=schema,cn=config 4 | objectClass: olcSchemaConfig 5 | cn: rfc2307bis 6 | olcAttributeTypes: {0}( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field; 7 | the common name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch 8 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 9 | olcAttributeTypes: {1}( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absol 10 | ute path to the home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4 11 | .1.1466.115.121.1.26 SINGLE-VALUE ) 12 | olcAttributeTypes: {2}( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'The path to 13 | the login shell' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121 14 | .1.26 SINGLE-VALUE ) 15 | olcAttributeTypes: {3}( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' EQUALITY int 16 | egerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.2 17 | 7 SINGLE-VALUE ) 18 | olcAttributeTypes: {4}( 1.3.6.1.1.1.1.6 NAME 'shadowMin' EQUALITY integerMat 19 | ch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL 20 | E-VALUE ) 21 | olcAttributeTypes: {5}( 1.3.6.1.1.1.1.7 NAME 'shadowMax' EQUALITY integerMat 22 | ch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL 23 | E-VALUE ) 24 | olcAttributeTypes: {6}( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' EQUALITY intege 25 | rMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 S 26 | INGLE-VALUE ) 27 | olcAttributeTypes: {7}( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' EQUALITY integ 28 | erMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 29 | SINGLE-VALUE ) 30 | olcAttributeTypes: {8}( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' EQUALITY intege 31 | rMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 S 32 | INGLE-VALUE ) 33 | olcAttributeTypes: {9}( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' EQUALITY integerM 34 | atch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SIN 35 | GLE-VALUE ) 36 | 
olcAttributeTypes: {10}( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExac 37 | tMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 38 | olcAttributeTypes: {11}( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' EQUALITY 39 | caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 40 | olcAttributeTypes: {12}( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Net 41 | group triple' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYN 42 | TAX 1.3.6.1.4.1.1466.115.121.1.15 ) 43 | olcAttributeTypes: {13}( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' DESC 'Service 44 | port number' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1. 45 | 3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 46 | olcAttributeTypes: {14}( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' DESC 'Ser 47 | vice protocol name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.12 48 | 1.1.15 ) 49 | olcAttributeTypes: {15}( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' DESC 'IP p 50 | rotocol number' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 51 | 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 52 | olcAttributeTypes: {16}( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' DESC 'ONC RPC 53 | number' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1. 54 | 4.1.1466.115.121.1.27 SINGLE-VALUE ) 55 | olcAttributeTypes: {17}( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'IPv4 add 56 | resses as a dotted decimal omitting leading zeros or IPv6 add 57 | resses as defined in RFC2373' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4. 58 | 1.1466.115.121.1.26 ) 59 | olcAttributeTypes: {18}( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' DESC 'IP ne 60 | twork omitting leading zeros, eg. 192.168' EQUALITY caseIgnoreIA5Match SYNT 61 | AX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 62 | olcAttributeTypes: {19}( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' DESC 'IP ne 63 | tmask omitting leading zeros, eg. 
255.255.255.0' EQUALITY caseIgnoreIA5Matc 64 | h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 65 | olcAttributeTypes: {20}( 1.3.6.1.1.1.1.22 NAME 'macAddress' DESC 'MAC addres 66 | s in maximal, colon separated hex notation, eg. 00:00:92:90:e 67 | e:e2' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 68 | olcAttributeTypes: {21}( 1.3.6.1.1.1.1.23 NAME 'bootParameter' DESC 'rpc.boo 69 | tparamd parameter' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1 70 | 21.1.26 ) 71 | olcAttributeTypes: {22}( 1.3.6.1.1.1.1.24 NAME 'bootFile' DESC 'Boot image n 72 | ame' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 73 | olcAttributeTypes: {23}( 1.3.6.1.1.1.1.26 NAME 'nisMapName' DESC 'Name of a 74 | generic NIS map' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 75 | .15{64} ) 76 | olcAttributeTypes: {24}( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' DESC 'A generic 77 | NIS entry' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{10 78 | 24} SINGLE-VALUE ) 79 | olcAttributeTypes: {25}( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' DESC 'NIS publ 80 | ic key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SING 81 | LE-VALUE ) 82 | olcAttributeTypes: {26}( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' DESC 'NIS secr 83 | et key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SING 84 | LE-VALUE ) 85 | olcAttributeTypes: {27}( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' 86 | EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) 87 | olcAttributeTypes: {28}( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'auto 88 | mount Map Name' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 89 | 5 SINGLE-VALUE ) 90 | olcAttributeTypes: {29}( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automoun 91 | t Key value' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S 92 | INGLE-VALUE ) 93 | olcAttributeTypes: {30}( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC ' 94 | 
Automount information' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115. 95 | 121.1.15 SINGLE-VALUE ) 96 | olcObjectClasses: {0}( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction 97 | of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ u 98 | idNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ ge 99 | cos $ description ) ) 100 | olcObjectClasses: {1}( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Additional 101 | attributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( userPass 102 | word $ description $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarni 103 | ng $ shadowInactive $ shadowExpire $ shadowFlag ) ) 104 | olcObjectClasses: {2}( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction o 105 | f a group of accounts' SUP top AUXILIARY MUST gidNumber MAY ( userPassword 106 | $ memberUid $ description ) ) 107 | olcObjectClasses: {3}( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an 108 | Internet Protocol service. Maps an IP port and protocol (suc 109 | h as tcp or udp) to one or more names; the distinguished valu 110 | e of the cn attribute denotes the services canonical 111 | name' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipServiceProtoco 112 | l ) MAY description ) 113 | olcObjectClasses: {4}( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction o 114 | f an IP protocol. Maps a protocol number to one or more names 115 | . The distinguished value of the cn attribute denotes the pro 116 | tocol canonical name' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber ) MAY 117 | description ) 118 | olcObjectClasses: {5}( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Abstraction of an 119 | Open Network Computing (ONC) [RFC1057] Remote Procedure Call 120 | (RPC) binding. This class maps an ONC RPC number to a name. 
121 | The distinguished value of the cn attribute denotes 122 | the RPC service canonical name' SUP top STRUCTURAL MUST ( cn $ oncRpcNumbe 123 | r ) MAY description ) 124 | olcObjectClasses: {6}( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a 125 | host, an IP device. The distinguished value of the cn attribu 126 | te denotes the hosts canonical name. Device SHOULD be used as a 127 | structural class' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( userPa 128 | ssword $ l $ description $ manager ) ) 129 | olcObjectClasses: {7}( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Abstraction of 130 | a network. The distinguished value of the cn attribute denot 131 | es the network canonical name' SUP top STRUCTURAL MUST ipNetworkNumber MAY 132 | ( cn $ ipNetmaskNumber $ l $ description $ manager ) ) 133 | olcObjectClasses: {8}( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction 134 | of a netgroup. May refer to other netgroups' SUP top STRUCTUR 135 | AL MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) 136 | olcObjectClasses: {9}( 1.3.6.1.1.1.2.9 NAME 'nisMap' DESC 'A generic abstrac 137 | tion of a NIS map' SUP top STRUCTURAL MUST nisMapName MAY description ) 138 | olcObjectClasses: {10}( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in 139 | a NIS map' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) ) 140 | olcObjectClasses: {11}( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'A device 141 | with a MAC address; device SHOULD be used as a structural cl 142 | ass' SUP top AUXILIARY MAY macAddress ) 143 | olcObjectClasses: {12}( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A devic 144 | e with boot parameters; device SHOULD be used as a structural 145 | class' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) ) 146 | olcObjectClasses: {13}( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' DESC 'An object 147 | with a public and secret key' SUP top AUXILIARY MUST ( cn $ nisPublicKey $ 148 | nisSecretKey ) MAY ( uidNumber $ description ) ) 149 | 
olcObjectClasses: {14}( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'Associ 150 | ates a NIS domain with a naming context' SUP top AUXILIARY MUST nisDomain ) 151 | olcObjectClasses: {15}( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTU 152 | RAL MUST automountMapName MAY description ) 153 | olcObjectClasses: {16}( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount in 154 | formation' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) 155 | MAY description ) 156 | olcObjectClasses: {17}( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' DESC 'A group 157 | with members (DNs)' SUP top STRUCTURAL MUST cn MAY ( businessCategory $ se 158 | eAlso $ owner $ ou $ o $ description $ member ) ) 159 | 160 | -------------------------------------------------------------------------------- /Containerfile: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 Nfrastack 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | ARG \ 6 | BASE_IMAGE 7 | 8 | FROM ${BASE_IMAGE} 9 | 10 | LABEL \ 11 | org.opencontainers.image.title="OpenLDAP" \ 12 | org.opencontainers.image.description="Directory Server" \ 13 | org.opencontainers.image.url="https://hub.docker.com/r/nfrastack/openldap" \ 14 | org.opencontainers.image.documentation="https://github.com/nfrastack/container-openldap/blob/main/README.md" \ 15 | org.opencontainers.image.source="https://github.com/nfrastack/container-openldap.git" \ 16 | org.opencontainers.image.authors="Nfrastack " \ 17 | org.opencontainers.image.vendor="Nfrastack " \ 18 | org.opencontainers.image.licenses="MIT" 19 | 20 | ARG OPENLDAP_VERSION="2.6.10" \ 21 | CRACKLIB_VERSION="2.10.3" \ 22 | CRACKLIB_REPO_URL="https://github.com/cracklib/cracklib" \ 23 | SCHEMA2LDIF_VERSION="1.3" 24 | 25 | COPY CHANGELOG.md /usr/src/container/CHANGELOG.md 26 | COPY LICENSE /usr/src/container/LICENSE 27 | COPY README.md /usr/src/container/README.md 28 | 29 | EXPOSE 389 636 30 | 31 | ENV \ 32 | 
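CONTAINER_ENABLE_SCHEDULING=TRUE \
    IMAGE_NAME="nfrastack/openldap" \
    IMAGE_REPO_URL="https://github.com/nfrastack/container-openldap/"

# Build OpenLDAP ${OPENLDAP_VERSION} from the upstream tarball with the Alpine
# aports patch set, plus contrib overlays, schema2ldif, ldifsort.pl and a
# cracklib dictionary, then strip the build toolchain again.
#
# Supply-chain notes (review):
#  * Nothing fetched here is verified against a digest. OpenLDAP, pbzip2,
#    schema2ldif and cracklib-words are pinned by version only, and
#    ppolicy-check-password, ppm and ldifsort.pl track a moving branch head.
#    TODO: pin each to a tag or commit and compare a SHA-256 before unpacking.
#  * The aports clone uses HTTPS (it was git://, which is cleartext and
#    unauthenticated); its patches are applied to the slapd source below, and
#    a patch that fails to apply now aborts the build instead of being skipped.
#  * Every curl uses -f so an HTTP error page is never piped into tar.
RUN echo "" && \
    OPENLDAP_BUILD_DEPS_ALPINE=" \
        alpine-sdk \
        autoconf \
        automake \
        build-base \
        bzip2-dev \
        cracklib-dev \
        cyrus-sasl-dev \
        db-dev \
        git \
        groff \
        heimdal-dev \
        libarchive-dev \
        libevent-dev \
        libsodium-dev \
        libtool \
        m4 \
        mosquitto-dev \
        openssl-dev \
        unixodbc-dev \
        util-linux-dev \
        xz-dev \
        " \
    && \
    OPENLDAP_RUN_DEPS_ALPINE=" \
        bzip2 \
        ca-certificates \
        cyrus-sasl \
        coreutils \
        cracklib \
        iptables \
        libevent \
        libltdl \
        libuuid \
        libintl \
        libsasl \
        libsodium \
        libuuid \
        openssl \
        perl \
        pigz \
        pixz \
        sed \
        tar \
        unixodbc \
        xz \
        zstd \
        " \
    && \
    \
    source /container/base/functions/container/build && \
    container_build_log image && \
    create_user ldap 389 ldap 389 /var/lib/openldap && \
    package update && \
    package upgrade && \
    package install \
        OPENLDAP_BUILD_DEPS \
        OPENLDAP_RUN_DEPS \
    && \
    \
    # One make job per CPU minus one, floor 1. The pbzip2 step used `$nproc`
    # (an unset shell variable, i.e. `make -j-1`) instead of `$(nproc)`.
    JOBS=$(( $(nproc) > 1 ? $(nproc) - 1 : 1 )) && \
    # Scratch tree for all sources; removed at the end of this layer.
    SRC_DIR="/nfrastack/openldap:$(head -n 1 /container/build/"${IMAGE_NAME/\//_}"/CHANGELOG.md | awk '{print $2}')" && \
    \
    mkdir -p /usr/src/pbzip2 && \
    curl -sSfL https://launchpad.net/pbzip2/1.1/1.1.13/+download/pbzip2-1.1.13.tar.gz | tar xfz - --strip=1 -C /usr/src/pbzip2 && \
    cd /usr/src/pbzip2 && \
    make -j"${JOBS}" && \
    make install && \
    container_build_log add "PBZip2" "1.1.13" "launchpad.net/pbzip2" && \
    \
    mkdir -p "${SRC_DIR}" && \
    curl -sSfL https://openldap.org/software/download/OpenLDAP/openldap-release/openldap-${OPENLDAP_VERSION}.tgz | tar xfz - --strip 1 -C "${SRC_DIR}" && \
    git clone --depth 1 https://gitlab.alpinelinux.org/alpine/aports.git "${SRC_DIR}/alpine" && \
    # git clone creates the target path itself; the old relative mkdir ran from
    # /usr/src/pbzip2 and only left a stray directory there.
    git clone https://github.com/cedric-dufour/ppolicy-check-password "${SRC_DIR}/contrib/slapd-modules/ppolicy-check-password" && \
    rm -rf "${SRC_DIR}/contrib/slapd-modules/ppm" && \
    git clone https://github.com/ltb-project/ppm "${SRC_DIR}/contrib/slapd-modules/ppm" && \
    cd "${SRC_DIR}/alpine" && \
    git filter-branch --prune-empty --subdirectory-filter main/openldap HEAD && \
    \
    cd "${SRC_DIR}" && \
    rm -rf ./alpine/tests-make-add-missing-dependency.patch && \
    for patch in ./alpine/*.patch; do echo "** Applying $patch"; patch -p1 < "$patch" || exit 1; done && \
    sed -i '/^STRIP/s,-s,,g' build/top.mk && \
    \
    AUTOMAKE=/bin/true autoreconf -fi && \
    ./configure \
        --build=$CBUILD \
        --host=$CHOST \
        --prefix=/usr \
        --libexecdir=/usr/lib \
        --sysconfdir=/etc \
        --mandir=/usr/share/man \
        --localstatedir=/run/openldap \
        --enable-argon2 \
        --enable-asyncmeta=mod \
        --enable-auditlog=mod \
        --enable-balancer=yes \
        --enable-constraint=mod \
        --enable-crypt \
        --enable-deref=mod \
        --enable-dnssrv=mod \
        --enable-dyngroup=mod \
        --enable-dynlist=mod \
        --enable-dynamic \
        --enable-ldap=mod \
        --enable-lload=mod \
        --enable-mdb=mod \
        --enable-meta=mod \
        --enable-modules \
        --enable-monitor=yes \
        --enable-nestgroup=mod \
        --enable-null=mod \
        --enable-overlays=mod \
        --enable-proxycache=mod \
        --enable-passwd=mod \
        --enable-relay=mod \
        --enable-spasswd \
        --enable-slapd \
        --enable-sock=mod \
        --enable-sql=mod \
        --enable-syslog \
        --enable-valsort=mod \
        --with-cyrus-sasl \
        --with-systemd=no \
        --with-tls=openssl \
    && \
    make \
        -j "${JOBS}" \
        DESTDIR="" \
        install \
    && \
    \
    container_build_log add "OpenLDAP" "${OPENLDAP_VERSION}" "openldap.org" && \
    cd "${SRC_DIR}" && \
    # NOTE(review): the `;` inside both loops means a module that fails to
    # build is silently left out of the image. ppm / ppolicy-check-password
    # enforce password policy, so a missing .so weakens that control without
    # failing the build; consider `|| exit 1` once each module builds cleanly.
    for module in autogroup lastbind mqtt passwd/pbkdf2 passwd/sha2 smbk5pwd; do \
        make \
            -j "${JOBS}" \
            DESTDIR="" \
            prefix=/usr \
            libexecdir=/usr/lib \
            -C contrib/slapd-modules/${module} \
            install \
        ; \
    done && \
    for module in ppolicy-check-password ppm; do \
        make \
            -j "${JOBS}" \
            prefix=/usr \
            libexecdir=/usr/lib \
            -C contrib/slapd-modules/${module} \
            LDAP_INC_PATH="${SRC_DIR}" \
        ; \
        cp "${SRC_DIR}"/contrib/slapd-modules/${module}/*.so /usr/lib/openldap ; \
    done && \
    ln -s /usr/lib/slapd /usr/sbin && \
    mkdir -p /usr/share/doc/openldap && \
    mv /etc/openldap/*.default /usr/share/doc/openldap && \
    rm -rf /etc/openldap/* && \
    mkdir -p /etc/openldap/sasl2 && \
    # SASL PLAIN sends the password in clear and is only acceptable inside a
    # TLS session; the service defaults ship with TLS_ENFORCE=FALSE.
    echo "mech_list: plain external" > /etc/openldap/sasl2/slapd.conf && \
    mkdir -p /etc/openldap/schema && \
    cp -R "${SRC_DIR}"/servers/slapd/schema/*.schema /etc/openldap/schema && \
    mkdir -p /run/openldap && \
    chown -R ldap:ldap /run/openldap && \
    \
    curl -sSfL https://codeload.github.com/fusiondirectory/schema2ldif/tar.gz/${SCHEMA2LDIF_VERSION} | tar xvfz - --strip 1 -C /usr && \
    container_build_log add "Schema2LDIF" "${SCHEMA2LDIF_VERSION}" "https://github.com/fusiondirectory/schema2ldif" && \
    rm -rf /usr/Changelog && \
    rm -rf /usr/LICENSE && \
    \
    curl -sSfL https://raw.githubusercontent.com/perl-ldap/perl-ldap/refs/heads/master/contrib/ldifsort.pl -o /usr/local/bin/ldifsort.pl && \
    chmod +x /usr/local/bin/ldifsort.pl && \
    \
    mkdir -p /usr/share/dict && \
    cd /usr/share/dict && \
    wget ${CRACKLIB_REPO_URL%/}/releases/download/v${CRACKLIB_VERSION}/cracklib-words-${CRACKLIB_VERSION}.gz && \
    create-cracklib-dict -o pw_dict cracklib-words-${CRACKLIB_VERSION}.gz && \
    rm -rf cracklib-words-${CRACKLIB_VERSION}.gz && \
    container_build_log add "Cracklib Words" "${CRACKLIB_VERSION}" "${CRACKLIB_REPO_URL}" && \
    rm -rf /nfrastack && \
    package remove \
        OPENLDAP_BUILD_DEPS \
    && \
    \
    package cleanup

COPY rootfs /
--------------------------------------------------------------------------------
/zabbix_templates/app-openldap_backup.json:
--------------------------------------------------------------------------------
{
    "zabbix_export": {
        "version": "6.2",
        "date": "2023-03-30T18:32:26Z",
        "template_groups": [
            {
                "uuid": "fa56524b5dbb4ec09d9777a6f7ccfbe4",
                "name": "DB/Backup"
            },
            {
                "uuid": "748ad4d098d447d492bb935c907f652f",
                "name": "Templates/Databases"
            }
        ],
        "templates": [
            {
                "uuid": "b91f579b2d02424981425412d257ffd5",
                "template": "OpenLDAP Backup",
                "name": "OpenLDAP Backup",
                "description": "Template for OpenLDAP Backup\n\nMeant for use specifically with https://github.com/nfrastack/container-openldap",
                "groups": [
                    {
                        "name": "DB/Backup"
                    },
                    {
                        "name": "Templates/Databases"
                    }
                ],
                "items": [
                    {
                        "uuid": "1d185ba7eb684da0b5d24513abfe749f",
                        "name": "OpenLDAP Backup: Backup Size",
                        "type": "TRAP",
                        "key": "dbbackup.size",
                        "delay": "0",
                        "history": "7d",
                        "units": "B",
                        "request_method": "POST",
                        "tags": [
                            {
                                "tag": "Application",
                                "value": "OpenLDAP Backup"
                            }
                        ],
                        "triggers": [
                            {
                                "uuid": "3955db038ca2409693f7149be8710e4a",
                                "expression": "last(/OpenLDAP Backup/dbbackup.size)/last(/OpenLDAP Backup/dbbackup.size,#2)>1.2",
                                "name": "OpenLDAP Backup: 20% Greater in Size",
                                "priority": "WARNING",
                                "manual_close": "YES"
                            },
                            {
                                "uuid": "f31f4eac5dfd486aaf87300fcad746a3",
                                "expression": "last(/OpenLDAP Backup/dbbackup.size)/last(/OpenLDAP Backup/dbbackup.size,#2)<0.2",
                                "name": "OpenLDAP Backup: 20% Smaller in Size",
                                "priority": "WARNING",
                                "manual_close": "YES"
                            },
                            {
                                "uuid":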
"7a82cf37d0f2488a8d0596104a90b0db", 62 | "expression": "last(/OpenLDAP Backup/dbbackup.size)<1K", 63 | "name": "OpenLDAP Backup: empty", 64 | "priority": "HIGH" 65 | } 66 | ] 67 | }, 68 | { 69 | "uuid": "9a788c5f12414f69a45e87d41ece732b", 70 | "name": "OpenLDAP Backup: Backup Duration", 71 | "type": "TRAP", 72 | "key": "openldap.backup.backup_duration", 73 | "delay": "0", 74 | "history": "7d", 75 | "units": "uptime", 76 | "description": "How long the backup took", 77 | "tags": [ 78 | { 79 | "tag": "Application", 80 | "value": "OpenLDAP Backup" 81 | } 82 | ] 83 | }, 84 | { 85 | "uuid": "5e8727e6cc5e4e5d90765d2b0636a881", 86 | "name": "OpenLDAP Backup: Backup Time", 87 | "type": "TRAP", 88 | "key": "openldap.backup.datetime", 89 | "delay": "0", 90 | "history": "7d", 91 | "units": "unixtime", 92 | "request_method": "POST", 93 | "tags": [ 94 | { 95 | "tag": "Application", 96 | "value": "OpenLDAP Backup" 97 | } 98 | ], 99 | "triggers": [ 100 | { 101 | "uuid": "febb127a42d44ece975fe8c3c942e174", 102 | "expression": "nodata(/OpenLDAP Backup/openldap.backup.datetime,2d)=1", 103 | "name": "OpenLDAP Backup: No backups detected in 2 days", 104 | "priority": "DISASTER", 105 | "manual_close": "YES" 106 | }, 107 | { 108 | "uuid": "4df7ad82b2884d60b1c99b7cb99b7f35", 109 | "expression": "fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,172800s)=0 and fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,259200s)<>0 and fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,345600s)<>0 and fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,432800s)<>0", 110 | "name": "OpenLDAP Backup: No Backups occurred in 2 days", 111 | "priority": "AVERAGE" 112 | }, 113 | { 114 | "uuid": "cb9eeb35b9a64ac2a6eca1602a1abd28", 115 | "expression": "fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,172800s)<>0 and fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,259200s)=0 and fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,345600s)<>0 and fuzzytime(/OpenLDAP 
Backup/openldap.backup.datetime,432800s)<>0", 116 | "name": "OpenLDAP Backup: No Backups occurred in 3 days", 117 | "priority": "AVERAGE" 118 | }, 119 | { 120 | "uuid": "3fc9786a491c45398d3918feb0bc1079", 121 | "expression": "fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,172800s)<>0 and fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,259200s)<>0 and fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,345600s)=0 and fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,432800s)<>0", 122 | "name": "OpenLDAP Backup: No Backups occurred in 4 days", 123 | "priority": "AVERAGE" 124 | }, 125 | { 126 | "uuid": "b4dcc109d512408c83f8b67904d47e96", 127 | "expression": "fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,172800s)<>0 and fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,259200s)<>0 and fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,345600s)<>0 and fuzzytime(/OpenLDAP Backup/openldap.backup.datetime,432800s)=0", 128 | "name": "OpenLDAP Backup: No Backups occurred in 5 days or more", 129 | "priority": "HIGH" 130 | } 131 | ] 132 | }, 133 | { 134 | "uuid": "a17a4927f0ad4471ae6b040a31570583", 135 | "name": "OpenLDAP Backup: Last Backup Status", 136 | "type": "TRAP", 137 | "key": "openldap.backup.status", 138 | "delay": "0", 139 | "history": "7d", 140 | "description": "Maps Exit Codes received by backup applications", 141 | "tags": [ 142 | { 143 | "tag": "Application", 144 | "value": "OpenLDAP Backup" 145 | } 146 | ], 147 | "triggers": [ 148 | { 149 | "uuid": "ecd3f445189d4c7d900f1e9d8ed73d83", 150 | "expression": "last(/OpenLDAP Backup/openldap.backup.status)=1", 151 | "name": "OpenLDAP Backup: Failed Backup Detected", 152 | "priority": "HIGH", 153 | "manual_close": "YES" 154 | } 155 | ] 156 | } 157 | ], 158 | "tags": [ 159 | { 160 | "tag": "Service", 161 | "value": "Backup" 162 | }, 163 | { 164 | "tag": "Service", 165 | "value": "Database" 166 | } 167 | ], 168 | "valuemaps": [ 169 | { 170 | "uuid": "15430865d6ed400cbed054efed687225", 171 | "name": 
"OpenLDAP Backup Status", 172 | "mappings": [ 173 | { 174 | "value": "0", 175 | "newvalue": "OK" 176 | }, 177 | { 178 | "type": "GREATER_OR_EQUAL", 179 | "value": "1", 180 | "newvalue": "FAIL" 181 | } 182 | ] 183 | } 184 | ] 185 | } 186 | ], 187 | "graphs": [ 188 | { 189 | "uuid": "5ff167e7d1964e02842868988a6b8892", 190 | "name": "OpenLDAP Backup: Backup Duration", 191 | "graph_items": [ 192 | { 193 | "color": "199C0D", 194 | "item": { 195 | "host": "OpenLDAP Backup", 196 | "key": "openldap.backup.backup_duration" 197 | } 198 | } 199 | ] 200 | }, 201 | { 202 | "uuid": "b9830cb151334f7081ee90182051dc34", 203 | "name": "OpenLDAP Backup: Backup Size", 204 | "type": "STACKED", 205 | "graph_items": [ 206 | { 207 | "sortorder": "1", 208 | "color": "1A7C11", 209 | "item": { 210 | "host": "OpenLDAP Backup", 211 | "key": "dbbackup.size" 212 | } 213 | } 214 | ] 215 | } 216 | ] 217 | } 218 | } -------------------------------------------------------------------------------- /rootfs/container/data/openldap/config/bootstrap/schema/rfc2307bis/rfc2307bis.schema: -------------------------------------------------------------------------------- 1 | # 2 | # rfc2307bis.schema 3 | # 4 | # Extracted from http://tools.ietf.org/id/draft-howard-rfc2307bis-02.txt 5 | # as of 2012/05/25, by Robin H. 
Johnson 6 | # Found at http://dev.gentoo.org/~robbat2/distfiles/rfc2307bis.schema-20120525 7 | # 8 | # Changed so that OpenLDAP 2.4.39 is able to import the schema 9 | # on 2014/11/28 by Stijn Hoop 10 | # 11 | #attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' 12 | # DESC 'An integer uniquely identifying a user in an 13 | # administrative domain' 14 | # EQUALITY integerMatch 15 | # ORDERING integerOrderingMatch 16 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 17 | # SINGLE-VALUE ) 18 | # 19 | # 20 | #attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' 21 | # DESC 'An integer uniquely identifying a group in an 22 | # administrative domain' 23 | # EQUALITY integerMatch 24 | # ORDERING integerOrderingMatch 25 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 26 | # SINGLE-VALUE ) 27 | 28 | 29 | attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos' 30 | DESC 'The GECOS field; the common name' 31 | EQUALITY caseIgnoreMatch 32 | SUBSTR caseIgnoreSubstringsMatch 33 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 34 | SINGLE-VALUE ) 35 | 36 | 37 | attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' 38 | DESC 'The absolute path to the home directory' 39 | EQUALITY caseExactIA5Match 40 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 41 | SINGLE-VALUE ) 42 | 43 | 44 | attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell' 45 | DESC 'The path to the login shell' 46 | EQUALITY caseExactIA5Match 47 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 48 | SINGLE-VALUE ) 49 | 50 | attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' 51 | EQUALITY integerMatch 52 | ORDERING integerOrderingMatch 53 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 54 | SINGLE-VALUE ) 55 | 56 | 57 | attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' 58 | EQUALITY integerMatch 59 | ORDERING integerOrderingMatch 60 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 61 | SINGLE-VALUE ) 62 | 63 | 64 | attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' 65 | EQUALITY integerMatch 66 | ORDERING integerOrderingMatch 67 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 68 | SINGLE-VALUE ) 69 | 70 | 71 | 
attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' 72 | EQUALITY integerMatch 73 | ORDERING integerOrderingMatch 74 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 75 | SINGLE-VALUE ) 76 | 77 | 78 | attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' 79 | EQUALITY integerMatch 80 | ORDERING integerOrderingMatch 81 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 82 | SINGLE-VALUE ) 83 | 84 | 85 | attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' 86 | EQUALITY integerMatch 87 | ORDERING integerOrderingMatch 88 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 89 | SINGLE-VALUE ) 90 | 91 | 92 | attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' 93 | EQUALITY integerMatch 94 | ORDERING integerOrderingMatch 95 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 96 | SINGLE-VALUE ) 97 | 98 | 99 | 100 | 101 | attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid' 102 | EQUALITY caseExactMatch 103 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 104 | 105 | 106 | attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' 107 | EQUALITY caseExactMatch 108 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 109 | 110 | 111 | attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' 112 | DESC 'Netgroup triple' 113 | EQUALITY caseIgnoreMatch 114 | SUBSTR caseIgnoreSubstringsMatch 115 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 116 | 117 | 118 | attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' 119 | DESC 'Service port number' 120 | EQUALITY integerMatch 121 | ORDERING integerOrderingMatch 122 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 123 | SINGLE-VALUE ) 124 | 125 | 126 | attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' 127 | DESC 'Service protocol name' 128 | EQUALITY caseIgnoreMatch 129 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 130 | 131 | 132 | attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' 133 | DESC 'IP protocol number' 134 | EQUALITY integerMatch 135 | ORDERING integerOrderingMatch 136 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 137 | SINGLE-VALUE ) 138 | 139 | 140 | attributetype ( 1.3.6.1.1.1.1.18 NAME 
'oncRpcNumber' 141 | DESC 'ONC RPC number' 142 | EQUALITY integerMatch 143 | ORDERING integerOrderingMatch 144 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 145 | SINGLE-VALUE ) 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' 155 | DESC 'IPv4 addresses as a dotted decimal omitting leading 156 | zeros or IPv6 addresses as defined in RFC2373' 157 | EQUALITY caseIgnoreIA5Match 158 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 159 | 160 | 161 | attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' 162 | DESC 'IP network omitting leading zeros, eg. 192.168' 163 | EQUALITY caseIgnoreIA5Match 164 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 165 | SINGLE-VALUE ) 166 | 167 | 168 | attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' 169 | DESC 'IP netmask omitting leading zeros, eg. 255.255.255.0' 170 | EQUALITY caseIgnoreIA5Match 171 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 172 | SINGLE-VALUE ) 173 | 174 | 175 | attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress' 176 | DESC 'MAC address in maximal, colon separated hex 177 | notation, eg. 
00:00:92:90:ee:e2' 178 | EQUALITY caseIgnoreIA5Match 179 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 180 | 181 | 182 | attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter' 183 | DESC 'rpc.bootparamd parameter' 184 | EQUALITY caseExactIA5Match 185 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 186 | 187 | 188 | attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile' 189 | DESC 'Boot image name' 190 | EQUALITY caseExactIA5Match 191 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 192 | 193 | 194 | attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' 195 | DESC 'Name of a generic NIS map' 196 | EQUALITY caseIgnoreMatch 197 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} ) 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' 208 | DESC 'A generic NIS entry' 209 | EQUALITY caseExactMatch 210 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} 211 | SINGLE-VALUE ) 212 | 213 | 214 | attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' 215 | DESC 'NIS public key' 216 | EQUALITY octetStringMatch 217 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 218 | SINGLE-VALUE ) 219 | 220 | 221 | attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' 222 | DESC 'NIS secret key' 223 | EQUALITY octetStringMatch 224 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 225 | SINGLE-VALUE ) 226 | 227 | 228 | attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' 229 | DESC 'NIS domain' 230 | EQUALITY caseIgnoreIA5Match 231 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) 232 | 233 | 234 | attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' 235 | DESC 'automount Map Name' 236 | EQUALITY caseExactMatch 237 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 238 | SINGLE-VALUE ) 239 | 240 | 241 | attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey' 242 | DESC 'Automount Key value' 243 | EQUALITY caseExactMatch 244 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 245 | SINGLE-VALUE ) 246 | 247 | 248 | attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' 249 | DESC 'Automount information' 250 | EQUALITY 
caseExactMatch 251 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 252 | SINGLE-VALUE ) 253 | 254 | 255 | 256 | objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY 257 | DESC 'Abstraction of an account with POSIX attributes' 258 | MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) 259 | MAY ( userPassword $ loginShell $ gecos $ 260 | description ) ) 261 | 262 | 263 | objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY 264 | DESC 'Additional attributes for shadow passwords' 265 | MUST uid 266 | MAY ( userPassword $ description $ 267 | shadowLastChange $ shadowMin $ shadowMax $ 268 | shadowWarning $ shadowInactive $ 269 | shadowExpire $ shadowFlag ) ) 270 | 271 | 272 | objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY 273 | DESC 'Abstraction of a group of accounts' 274 | MUST gidNumber 275 | MAY ( userPassword $ memberUid $ 276 | description ) ) 277 | 278 | 279 | objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL 280 | DESC 'Abstraction an Internet Protocol service. 281 | Maps an IP port and protocol (such as tcp or udp) 282 | to one or more names; the distinguished value of 283 | the cn attribute denotes the services canonical 284 | name' 285 | MUST ( cn $ ipServicePort $ ipServiceProtocol ) 286 | MAY description ) 287 | 288 | 289 | objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL 290 | DESC 'Abstraction of an IP protocol. Maps a protocol number 291 | to one or more names. The distinguished value of the cn 292 | attribute denotes the protocol canonical name' 293 | MUST ( cn $ ipProtocolNumber ) 294 | MAY description ) 295 | 296 | 297 | 298 | 299 | 300 | objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL 301 | DESC 'Abstraction of an Open Network Computing (ONC) 302 | [RFC1057] Remote Procedure Call (RPC) binding. 303 | This class maps an ONC RPC number to a name. 
304 | The distinguished value of the cn attribute denotes 305 | the RPC service canonical name' 306 | MUST ( cn $ oncRpcNumber ) 307 | MAY description ) 308 | 309 | 310 | objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY 311 | DESC 'Abstraction of a host, an IP device. The distinguished 312 | value of the cn attribute denotes the hosts canonical 313 | name. Device SHOULD be used as a structural class' 314 | MUST ( cn $ ipHostNumber ) 315 | MAY ( userPassword $ l $ description $ 316 | manager ) ) 317 | 318 | 319 | objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL 320 | DESC 'Abstraction of a network. The distinguished value of 321 | the cn attribute denotes the network canonical name' 322 | MUST ipNetworkNumber 323 | MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) ) 324 | 325 | 326 | objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL 327 | DESC 'Abstraction of a netgroup. May refer to other 328 | netgroups' 329 | MUST cn 330 | MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) 331 | 332 | 333 | objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL 334 | DESC 'A generic abstraction of a NIS map' 335 | MUST nisMapName 336 | MAY description ) 337 | 338 | 339 | objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL 340 | DESC 'An entry in a NIS map' 341 | MUST ( cn $ nisMapEntry $ nisMapName ) ) 342 | 343 | 344 | objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY 345 | DESC 'A device with a MAC address; device SHOULD be 346 | used as a structural class' 347 | MAY macAddress ) 348 | 349 | 350 | 351 | 352 | 353 | objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY 354 | DESC 'A device with boot parameters; device SHOULD be 355 | used as a structural class' 356 | MAY ( bootFile $ bootParameter ) ) 357 | 358 | 359 | objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY 360 | DESC 'An object with a public and secret key' 361 | MUST ( cn $ 
nisPublicKey $ nisSecretKey ) 362 | MAY ( uidNumber $ description ) ) 363 | 364 | 365 | objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY 366 | DESC 'Associates a NIS domain with a naming context' 367 | MUST nisDomain ) 368 | 369 | 370 | objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL 371 | MUST ( automountMapName ) 372 | MAY description ) 373 | 374 | 375 | objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL 376 | DESC 'Automount information' 377 | MUST ( automountKey $ automountInformation ) 378 | MAY description ) 379 | 380 | 381 | objectclass ( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' SUP top STRUCTURAL 382 | DESC 'A group with members (DNs)' 383 | MUST cn 384 | MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ 385 | description $ member ) ) 386 | 387 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | ## 2.6-8.0.0 2025-12-19 2 | 3 | ### Changed 4 | - Change base image to nfrastack/base 5 | - Cleanup build code 6 | - Cleanup bootstrapping functions 7 | - Add LOG_PREFIX allowing to output proper human dates 8 | - Cracklib wordlist updated to 2.10.3 9 | - Removed S3 backup support 10 | - Change values of environment variables 11 | 12 | 13 | ## 2.6-7.7.99 2025-11-09 14 | 15 | Add EOL notice and deprecate image 16 | 17 | 18 | ## 2.6-7.7.8 2025-09-01 19 | 20 | ### Changed 21 | - Fix trailing - for TLS_DH_PARAM_LDIF_ENABLE environment variable 22 | 23 | 24 | ## 2.6-7.7.7 2025-09-01 25 | 26 | ### Changed 27 | - Fix issue with TLS scripting on initial boot (@credit devicarus) 28 | 29 | 30 | ## 2.6-7.7.6 2025-08-13 31 | 32 | ### Changed 33 | - Fix for 7.7.5 TLS LDIF Enabling 34 | 35 | 36 | ## 2.6-7.7.5 2025-08-13 37 | 38 | ### Added 39 | - Add TLS_ENABLE_DH_PARAM environment variable 40 | 41 | ### Changed 42 | - Change TLS Cipher Suites to HIGH:!aNULL:!MD5:!3DES:!RC4:!DES:!eNULL 43 | 
44 | 45 | ## 2.6-7.7.4 2025-08-12 46 | 47 | ### Added 48 | - Add ca-certificates to run-deps 49 | 50 | 51 | ## 2.6-7.7.3 2025-05-22 52 | 53 | ### Added 54 | - OpenLDAP 2.6.10 55 | 56 | 57 | ## 2.6-2.6-7.8 2025-05-22 58 | 59 | ### Added 60 | - OpenLDAP 2.6.10 61 | 62 | 63 | ## 2.6-7.7.2 2024-12-07 64 | 65 | ### Added 66 | - Pin to tiredofit/alpine:3.21 67 | 68 | 69 | ## 2.6-7.7.1 2024-11-27 70 | 71 | ### Changed 72 | - Repair issues with 2.6-7.7.0 73 | 74 | 75 | ## 2.6-7.7.0 2024-11-27 76 | 77 | ### Added 78 | - Add memberOfAddCheck to memberOf Overlay (TRUE) 79 | - Add settings to enable nestgroup overlay on first init 80 | 81 | 82 | ## 2.6-7.6.13 2024-11-26 83 | 84 | ### Added 85 | - Add Audit log module 86 | - Add constraint module 87 | - Add deref module 88 | - Add dyngroup module 89 | - Add dynlist module 90 | - Add nestgroup module 91 | - Add proxycache module 92 | - Add Syslog Support 93 | - Add valsort module 94 | 95 | 96 | ## 2.6-7.6.12 2024-11-26 97 | 98 | ### Added 99 | - OpenLDAP 2.6.9 100 | 101 | ## 2.6-7.6.11 2024-07-05 102 | 103 | ### Added 104 | - Rebuild to support tiredofit/alpine:7.10.0 105 | 106 | 107 | ## 2.6-7.6.10 2024-06-17 108 | 109 | ### Added 110 | - Rebuild of 2.6-7.6.9 111 | 112 | 113 | ## 2.6-7.6.9 2024-05-23 114 | 115 | ### Added 116 | - Add libevent, libsasl, libuuid runtime dependencies 117 | 118 | 119 | ## 2.6-7.6.8 2024-05-22 120 | 121 | ### Added 122 | - Switch to tiredofit/alpine 3.20 base 123 | 124 | 125 | ## 2.6-7.6.7 2024-05-21 126 | 127 | ### Added 128 | - OpenLDAP 2.6.8 129 | 130 | 131 | ## 2.6-7.6.6 2023-12-08 132 | 133 | ### Added 134 | - Change base image to tiredofit/alpine:3.19 135 | 136 | 137 | ## 2.6-7.6.5 2023-12-04 138 | 139 | ### Changed 140 | - Change REPLICATION wrappers from <> to {} 141 | 142 | 143 | ## 2.6-7.6.4 2023-11-16 144 | 145 | ### Changed 146 | - Restore READONLY_USER_* variables on database initial creation 147 | 148 | 149 | ## 2.6-7.6.3 2023-07-31 150 | 151 | ### Added 152 | - OpenLDAP 2.6.6 153 | 
154 | 155 | ## 2.6-7.6.2 2023-07-11 156 | 157 | ### Added 158 | - OpenLDAP 2.6.5 159 | 160 | 161 | ## 2.6-7.6.1 2023-05-31 162 | 163 | ### Changed 164 | - Fix for backups not being created in tar format 165 | - Transform config and data files into their own folder in tar file for better extraction 166 | 167 | 168 | ## 2.6-2.6-7.6 2023-05-10 169 | 170 | ### Changed 171 | - Alpine 3.18 base 172 | 173 | 174 | ## 2.6-7.5.0 2023-04-26 175 | 176 | ### Added 177 | - Add support for _FILE environment variables 178 | 179 | 180 | ## 2.6-7.4.2 2023-04-21 181 | 182 | ### Changed 183 | - Fix for enabling replication 184 | 185 | 186 | ## 2.6-7.4.1 2023-03-30 187 | 188 | ### Added 189 | - Add autoregister support for new OpenLDAP Zabbix backup template 190 | 191 | 192 | ## 2.6-7.4.0 2023-03-30 193 | 194 | ### Changed 195 | - Rework OpenLDAP Backup routines to become more in line with parent tiredofit/db-backup image 196 | - config and data both get compressed into same tar file going forward 197 | - Added ability to create "latest" symlink to last good backup 198 | - Added ability to "archive" backups to an archive folder after a specified period of time for better external backup capabilities 199 | 200 | 201 | ## 2.6-7.3.2 2023-03-07 202 | 203 | ### Changed 204 | - Fix for Custom schemas not loading 205 | 206 | 207 | ## 2.6-7.3.1 2023-02-23 208 | 209 | ### Changed 210 | - Fix for update_template function not firing 211 | 212 | 213 | ## 2.6-7.3.0 2023-02-22 214 | 215 | ### Added 216 | - Compatibility with Docker 23.0.0 and newer versions of Kubernetes 217 | - Modernize image 218 | 219 | 220 | ## 2.6-7.2.19 2023-02-21 221 | 222 | ### Changed 223 | - Modernize Dockerfile 224 | 225 | 226 | ## 2.6-7.2.18 2023-02-21 227 | 228 | ### Added 229 | - OpenLDAP 2.6.4 230 | 231 | 232 | ## 7.2.17 2022-11-23 233 | 234 | ### Added 235 | - Alpine 3.17 base 236 | 237 | 238 | ## 7.2.16 2022-11-03 239 | 240 | ### Changed 241 | - Switch ADD to COPY 242 | 243 | 244 | ## 7.2.15 2022-08-17 245 | 246 | 
### Changed 247 | - Switch to using exec to launch process 248 | 249 | 250 | ## 7.2.14 2022-08-06 251 | 252 | ### Changed 253 | - Minor tweak to loading custom scripts 254 | 255 | 256 | ## 7.2.13 2022-07-14 257 | 258 | ### Changed 259 | - Silence warning with a dirty chown command 260 | 261 | 262 | ## 7.2.12 2022-07-14 263 | 264 | ### Changed 265 | - Stop patching one of the makefiles to allow successful builds 266 | 267 | 268 | ## 7.2.11 2022-07-14 269 | 270 | ### Added 271 | - OpenLDAP 2.6.3 272 | 273 | 274 | ## 7.2.10 2022-07-09 275 | 276 | ### Fixed 277 | - Custom Schemas not inserting properly 278 | 279 | 280 | ## 7.2.9 2022-07-05 281 | 282 | ### Changed 283 | - Version Bump for dependencies 284 | 285 | 286 | ## 7.2.8 2022-05-24 287 | 288 | ### Added 289 | - Alpine 3.16 base 290 | 291 | 292 | ## 7.2.7 2022-05-15 293 | 294 | ### Added 295 | - OpenLDAP 2.6.2 296 | 297 | 298 | ## 7.2.6 2022-04-25 299 | 300 | ### Changed 301 | - Fix to allow RFC2307bis schemas to install 302 | 303 | 304 | ## 7.2.5 2022-03-14 305 | 306 | ### Changed 307 | - Fix for slapd-restore and S6 Overlay 3.xx 308 | 309 | 310 | ## 7.2.4 2022-03-01 311 | 312 | ### Added 313 | - OpenLDAP 2.6.1 314 | 315 | ### Changed 316 | - Repair quirks with OpenLDAP script (S3 backups, temp directories) 317 | - Disable anonymous bind on initial OpenLDAP setup 318 | - Rework replication to deprecate olcMirrorMode attributes 319 | - Code Cleanup and modernization 320 | 321 | 322 | ## 7.2.3 2021-12-07 323 | 324 | ### Added 325 | - Add Zabbix Auto register support for templates 326 | 327 | 328 | ## 7.2.2 2021-11-24 329 | 330 | ### Added 331 | - Alpine 3.15 base 332 | 333 | 334 | ## 7.2.1 2021-11-12 335 | 336 | ### Changed 337 | - Fix for 7.2.0 - Ppolicy schema is wrapped into the module now, and solve some configuration test issues 338 | 339 | 340 | ## 7.2.0 2021-11-09 341 | 342 | ### Added 343 | - OpenLDAP 2.6.0 344 | 345 | 346 | ## 7.1.22 2021-09-15 347 | 348 | ### Changed 349 | - Wait for slapd to really be 
ready before running ldapmodify 350 | 351 | 352 | ## 7.1.21 2021-09-06 353 | 354 | ### Changed 355 | - Fix for ENABLE_BACKUP=FALSE disabling main slapd process 356 | 357 | 358 | ## 7.1.20 2021-09-04 359 | 360 | ### Changed 361 | - Change the way log rotation is configured for future log parsing capabilities 362 | 363 | 364 | ## 7.1.19 2021-09-01 365 | 366 | ### Changed 367 | - Change internal environment variables to accommodate upstream changes 368 | 369 | 370 | ## 7.1.18 2021-07-05 371 | 372 | ### Added 373 | - OpenLDAP 2.4.59 374 | - Alpine 3.14 Base 375 | 376 | 377 | ## 7.1.17 2021-06-01 378 | 379 | ### Fixed 380 | - slapd-restore script wasn't restoring gzipped databases 381 | 382 | ## 7.1.16 2021-05-08 383 | 384 | ### Added 385 | - Introduce `REPLICATION_SAFETY_CHECK` variable to bypass DNS checking of replication hosts 386 | 387 | 388 | ## 7.1.15 2021-04-20 389 | 390 | ### Added 391 | - Add support for smbk5pwd overlay (credit: @ludwig-burtscher) 392 | - Fix custom script sorting 393 | 394 | 395 | ## 7.1.14 2021-03-18 396 | 397 | ### Added 398 | - OpenLDAP 2.4.58 399 | 400 | 401 | ## 7.1.13 2021-03-18 402 | 403 | ### Added 404 | - OpenLDAP 2.4.58 405 | 406 | 407 | ## 7.1.12 2021-03-18 408 | 409 | ### Added 410 | - Autogroup overlay 411 | 412 | 413 | ## 7.1.11 2021-03-15 414 | 415 | ### Changed 416 | - Fix sloppy S3 backup configuration 417 | 418 | 419 | ## 7.1.10 2021-02-13 420 | 421 | ### Changed 422 | - Fix to compile pixz with new musl base 423 | 424 | 425 | ## 7.1.9 2021-02-13 426 | 427 | ### Added 428 | - OpenLDAP 2.4.57 429 | 430 | ### Changed 431 | - Change /assets/custom-scripts/ location for executing post backups scripts to /assets/custom-backup-scripts/ 432 | 433 | 434 | ## 7.1.8 2021-01-14 435 | 436 | ### Changed 437 | - Alpine 3.13 Base 438 | 439 | 440 | ## 7.1.7 2020-11-25 441 | 442 | ### Changed 443 | - Change the way that custom scripts execute - Don't force chmod +x for files already. 
444 | 445 | 446 | ## 7.1.6 2020-11-14 447 | 448 | ### Added 449 | - Openldap 2.4.56 450 | 451 | 452 | ## 7.1.5 2020-11-06 453 | 454 | ### Added 455 | - OpenLDAP 2.4.55 456 | 457 | ## 7.1.4 2020-09-26 458 | 459 | ### Changed 460 | - Fix ldap.conf from being copied onto itself 461 | 462 | ## 7.1.3 2020-09-14 463 | 464 | ### Added 465 | - OpenLDAP 2.4.53 466 | 467 | ## 7.1.2 2020-08-31 468 | 469 | ### Changed 470 | - Fix for BASE_DN getting overwritten when DOMAIN environment variable exists 471 | 472 | ## 7.1.1 2020-08-31 473 | 474 | ### Changed 475 | - Delete OLC limits from replication 476 | 477 | 478 | ## 7.1.0 2020-08-11 479 | 480 | ### Added 481 | - Add SHA2 password support 482 | - Add Argon password support 483 | 484 | ### Reverted 485 | - Remove Nginx for Letsencrypt Certificate Generation - It served its purpose, there are better ways now. 486 | 487 | 488 | ## 7.0.3 2020-07-26 489 | 490 | ### Added 491 | - Add change-password shell script for quickly changing config/schema passwords 492 | 493 | 494 | ## 7.0.2 2020-06-25 495 | 496 | ### Added 497 | - Rewrote entire image, separating it into functions 498 | - Rewrote TLS functionality, now generating CA, KEY, CERT via image instead of Cloudflare helper scripts - Check your settings! 
499 | - Implemented Logging to File functionality with logrotate (`LOG_TYPE=FILE`) 500 | - Rewrote Backup Routines - Now has the capabilities of backing up multiple times per day and various compression options 501 | - Support multiple log levels 502 | 503 | ### Changed 504 | - Reworked some Ppolicy routines 505 | 506 | ### Reverted 507 | - Helper scripts removed 508 | - Removed HDB Database functionality, only supporting mdb going forward 509 | 510 | 511 | ## 6.9.2 2020-06-18 512 | 513 | ### Changed 514 | - Fixed initialization script not pulling defaults properly 515 | 516 | 517 | ## 6.9.1 2020-06-15 518 | 519 | ### Added 520 | - Alpine 3.12 521 | 522 | 523 | ## 6.9.0 2020-06-09 524 | 525 | ### Added 526 | - Update to support tiredofit/alpine 5.0.0 base image 527 | 528 | 529 | ## 6.8.9 2020-06-01 530 | 531 | ### Changed 532 | - Patchup for 6.8.8 533 | 534 | 535 | ## 6.8.8 2020-06-01 536 | 537 | ### Changed 538 | - Repairs for LDAP local client referencing proper TLS CA, Cert, and Key Files 539 | 540 | 541 | ## 6.8.7 2020-05-06 542 | 543 | ### Added 544 | - OpenLDAP 2.4.50 545 | 546 | 547 | ## 6.8.6 2020-05-06 548 | 549 | ### Changed 550 | - Fix for TLS DH_PARAM environment variable substitution 551 | 552 | 553 | ## 6.8.5 2020-04-28 554 | 555 | ### Changed 556 | - Move code that was not a function out of functions file 557 | 558 | 559 | ## 6.8.3 2020-04-27 560 | 561 | ### Changed 562 | - Patchup for DHParam not utilizing full path when generating 563 | 564 | 565 | ## 6.8.2 2020-04-16 566 | 567 | ### Changed 568 | - Fix for SLAPD_ARGS variable default 569 | - Fix for TLS_RESET_PERMISSIONS 570 | - Fix for generating dhparam.pem files on read only file systems (credit eduardosan@github) 571 | 572 | 573 | ## 6.8.1 2020-04-16 574 | 575 | ### Added 576 | - Allow overriding slapd runtime arguments 577 | 578 | ### Changed 579 | - Fixed spelling mistake for OpenLDAP version 580 | 581 | ## 6.8.0 2020-04-15 582 | 583 | ### Added 584 | - Environment Variables to control 
keysize of DH Param file 585 | - New variables to define custom TLS Patches 586 | - New variables to skip changing ownership on TLS Certificates 587 | 588 | ### Changed 589 | - Moved environment variable defaults to /assets/functions/10-openldap 590 | - Cleanup of TLS functionality to support new environment variables 591 | - Properly support ULIMIT_N environment variable 592 | - Fix Default for Nginx 593 | 594 | 595 | ## 6.7.2 2020-03-04 596 | 597 | ### Added 598 | - Update image to support new tiredofit/alpine:4.4.0 base 599 | 600 | 601 | ## 6.7.1 2020-02-13 602 | 603 | ### Added 604 | - OpenLDAP 2.4.49 605 | 606 | 607 | ## 6.7.0 2020-01-14 608 | 609 | ### Added 610 | - Add Secrets support for `CONFIG_PASS` `ADMIN_PASS` `READONLY_USER_PASS` 611 | 612 | 613 | ## 6.6.2 2020-01-02 614 | 615 | ### Changed 616 | - Change to use LibreSSL instead of OpenSSL for creating dhparam.pem 617 | - Change warnings to notices 618 | - Fix when ENABLE_NGINX=FALSE container fails to initialize 619 | - Fix with Nginx run script looping with error 620 | 621 | 622 | ## 6.6.1 2019-12-30 623 | 624 | ### Added 625 | - Allow configurable ULIMIT_N environment variable for open file descriptors 626 | 627 | 628 | ## 6.6.0 2019-12-29 629 | 630 | ### Added 631 | - Update to support new tiredofit/alpine base image 632 | 633 | 634 | ## 6.5.1 2019-12-20 635 | 636 | ### Added 637 | - Alpine 3.11 Base 638 | 639 | 640 | ## 6.5 2019-08-25 641 | 642 | * OpenLDAP 2.4.48 643 | 644 | ## 6.4 2019-06-19 645 | 646 | * Alpine 3.10 647 | 648 | ## 6.3.2 2019-03-21 649 | 650 | * Fixup 651 | 652 | ## 6.3.1 2019-03-21 653 | 654 | * Update Cracklist Words to 2.9.7 655 | 656 | ## 6.3 2019-03-21 657 | 658 | * Expose 389, 636 and 80 Ports 659 | 660 | ## 6.2 2018-12-27 661 | 662 | * OpenLDAP 2.4.47 663 | 664 | ## 6.1 2018-12-05 665 | 666 | * Fix Replication upon container/pod restart 667 | 668 | ## 6.0.2 2018-09-13 669 | 670 | * Fix for Dockerfile Build when applying OpenLDAP Patches to be displayed correctly 671 | 672 
| ## 6.0.1 2018-08-27 673 | 674 | * Fix with ppm.conf generation for bad characters 675 | 676 | ## 6.0 2018-08-18 677 | 678 | * Stop relying on slapd.conf on first time initialization 679 | * Properly apply ACLs for ppolicy 680 | * Generate Wordlist for ppm.so 681 | * Automatically generate check_password.conf and ppm.conf 682 | 683 | ## 5.5 2018-08-16 684 | 685 | * Fix for ACLs not applying on initial boot 686 | 687 | ## 5.4 2018-08-08 688 | 689 | * Add alternative Password Checking Module ppm.so 690 | * Provide Default Configurations for check_password.conf and ppm.conf 691 | 692 | ## 5.3 2018-07-24 693 | 694 | * Stop being so thorough with exiting script when replicating - Fixed cont-init.d/10-openldap prematurely exiting with error 20 695 | 696 | ## 5.2 2018-07-21 697 | 698 | * Zabbix Monitoring Fixup 699 | 700 | ## 5.1 2018-07-21 701 | 702 | * Add a sanity checker for Replication errors when a hostname doesn't exist in DNS or an IP address is malformed, which caused container start to 703 | fail on the 2nd try 704 | * Cleanup Config Pass item 705 | 706 | ## 5.0 2018-07-19 707 | 708 | * Rewrite entire image 709 | * Alpine 3.8 710 | * Compiled from source 711 | * ppolicy-check module included 712 | 713 | ## 4.1 2018-07-11 714 | 715 | * Fix Replication 716 | * Add Custom Assets 717 | 718 | ## 4.0 2017-10-20 719 | 720 | * Base update w/ S6 721 | * Add Fail2Ban 722 | * Script Cleanup 723 | 724 | ## 3.4 2017-07-05 725 | 726 | * Fix Daily Backup Routines 727 | 728 | ## 3.3 2017-07-05 729 | 730 | * Update Zabbix Checks 731 | 732 | 733 | ## 3.2 2017-07-03 734 | 735 | * Fix Cron Backup 736 | 737 | 738 | ## 3.1 2017-03-20 739 | 740 | * Added Dynamic Zabbix Ports for LDAP Checking 741 | 742 | ## 3.0 2017-03-20 743 | 744 | * Full Rebuild From Ground Up - Simplified Dockerfile and Code 745 | * Self Signed Certs only at present 746 | 747 | 748 | ## 2.2 2017-02-22 749 | 750 | * Added nginx for dummy site to take advantage of Lets Encrypt SSL Certs 751 | 752 | ## 2.1 2017-02-22 753 | 754 | * 
Added man, vim 755 | 756 | ## 2.0 2017-02-14 757 | 758 | * Rebase with new Baseimage 759 | * Added Zabbix Agent 760 | 761 | 762 | ## 1.0 2017-01-03 763 | 764 | 765 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # nfrastack/container-openldap 2 | 3 | ## About 4 | 5 | This repository will build a container for [OpenLDAP](https://www.openldap.org) server for maintaining a directory. 6 | 7 | Upon starting this image it will give you a ready to run server with many configurable options. 8 | 9 | * Tracks latest release 10 | * Compiles from source 11 | * Multiple backends (bdb, hdb, mdb, sql) 12 | * All overlays compiled 13 | * Supports TLS encryption 14 | * Supports Replication 15 | * Scheduled Backups of Data 16 | * Ability to choose NIS or rfc2307bis Schema 17 | * Additional Password Modules (Argon, SHA2, PBKDF2) 18 | * Two Password Checking Modules - check_password.so and ppm.so 19 | * Zabbix Monitoring templates included 20 | 21 | ## Maintainer 22 | 23 | - [Nfrastack](https://www.nfrastack.com) 24 | 25 | ## Table of Contents 26 | 27 | - [About](#about) 28 | - [Maintainer](#maintainer) 29 | - [Table of Contents](#table-of-contents) 30 | - [Installation](#installation) 31 | - [Prebuilt Images](#prebuilt-images) 32 | - [Quick Start](#quick-start) 33 | - [Persistent Storage](#persistent-storage) 34 | - [Environment Variables](#environment-variables) 35 | - [Base Images used](#base-images-used) 36 | - [Core Configuration](#core-configuration) 37 | - [Logging Options](#logging-options) 38 | - [Backup Options](#backup-options) 39 | - [Password Policy Options](#password-policy-options) 40 | - [TLS options](#tls-options) 41 | - [Replication options](#replication-options) 42 | - [Other environment variables](#other-environment-variables) 43 | - [Users and Groups](#users-and-groups) 44 | - [Networking](#networking) 45 | - 
[Maintenance](#maintenance) 46 | - [Shell Access](#shell-access) 47 | - [Support & Maintenance](#support--maintenance) 48 | - [References](#references) 49 | - [License](#license) 50 | 51 | ## Installation 52 | 53 | ### Prebuilt Images 54 | 55 | Feature-limited builds of the image are available on the [Github Container Registry](https://github.com/nfrastack/container-openldap/pkgs/container/container-openldap) and [Docker Hub](https://hub.docker.com/r/nfrastack/openldap). 56 | 57 | To unlock advanced features, one must provide a code to be able to change specific environment variables from defaults. Support the development to gain access to a code. 58 | 59 | To get access to the image use your container orchestrator to pull from the following locations: 60 | 61 | ``` 62 | ghcr.io/nfrastack/container-openldap:(image_tag) 63 | docker.io/nfrastack/openldap:(image_tag) 64 | ``` 65 | 66 | 67 | Image tag syntax is: 68 | 69 | `:<branch>-<tag>-<distribution>_<distribution_version>` 70 | 71 | Example: 72 | `ghcr.io/nfrastack/container-openldap:2.6` or optionally 73 | 74 | `ghcr.io/nfrastack/container-openldap:2.6-1.0` or optionally 75 | 76 | `ghcr.io/nfrastack/container-openldap:2.6-1.0-alpine` or optionally 77 | 78 | 79 | - The `branch` will relate to the MAJOR eg `2` and MINOR `.6` release. 80 | - An optional `tag` may exist that matches the [CHANGELOG](CHANGELOG.md) - These are the safest 81 | - If it is built for multiple distributions there may exist a `distribution` value of `alpine` or `debian` 82 | - If there are multiple distribution variations it may include a `distribution_version` - see the registry for availability 83 | 84 | Have a look at the container registries and see what tags are available. 85 | 86 | #### Multi-Architecture Support 87 | 88 | Images are built for `amd64` by default, with optional support for `arm64` and other architectures. 89 | 90 | ### Quick Start 91 | 92 | - The quickest way to get started is using [docker-compose](https://docs.docker.com/compose/). 
See the examples folder for a working [compose.yml](examples/compose.yml) that can be modified for your use. 93 | 94 | - Map [persistent storage](#persistent-storage) for access to configuration and data files for backup. 95 | - Set various [environment variables](#environment-variables) to understand the capabilities of this image. 96 | 97 | ### Persistent Storage 98 | 99 | The following directories are used for configuration and can be mapped for persistent storage. 100 | 101 | | Directory | Description | 102 | | ---------------------------------------------------------- | ----------------------------------------------------------------------- | 103 | | `/data/db` | OpenLDAP frontend database | 104 | | `/data/config` | OpenLDAP backend (config) files | 105 | | `/override/container/data/openldap/custom-scripts/` | If you'd like to execute a script during the initialization | 106 | | | process drop it here (Useful for using this image as a base) | 107 | | `/override/container/data/openldap/custom-backup-scripts/` | If you'd like to execute a script after the backup process drop it here | 108 | | `/certs/` | Drop TLS Certificates here (or use your own path) | 109 | | `/data/backup` | Backup Directory | 110 | 111 | ### Environment Variables 112 | 113 | #### Base Images used 114 | 115 | This image relies on a customized base image in order to work. 116 | Be sure to view the following repositories to understand all the customizable options: 117 | 118 | | Image | Description | 119 | | ------------------------------------------------------- | ----------- | 120 | | [OS Base](https://github.com/nfrastack/container-base/) | Base Image | 121 | 122 | Below is the complete list of available options that can be used to customize your installation. 123 | 124 | - Variables showing an 'x' under the `Advanced` column can only be set if the containers advanced functionality is enabled. 
125 | 126 | #### Core Configuration 127 | 128 | | Parameter | Description | Default | `_FILE` | Advanced | 129 | | ---------------------- | ------------------------------------------------------------- | ---------------------- | ------- | -------- | 130 | | `DATA_PATH` | Base Data Folder | `/data/` | | | 131 | | `CONFIG_PATH` | Configuration files path | `${DATA_PATH}/config/` | | | 132 | | `DB_PATH` | Data Files path | `${DATA_PATH}/db/` | | | 133 | | `DOMAIN` | LDAP domain. | `example.org` | | | 134 | | `BASE_DN` | LDAP base DN. If empty automatically set from `DOMAIN` value. | (empty) | | | 135 | | `ADMIN_PASS` | Ldap Admin password. | `admin` | x | | 136 | | `CONFIG_PASS` | Ldap Config password. | `config` | x | | 137 | | `ORGANIZATION` | Organization Name | `Example Organization` | | | 138 | | `ENABLE_READONLY_USER` | Add a read only/Simple Security Object/DSA | `false` | | | 139 | | `READONLY_USER_USER` | Read only user username. | `readonly` | x | | 140 | | `READONLY_USER_PASS` | Read only user password. | `readonly` | x | | 141 | | `SCHEMA_TYPE` | Use `nis` or `rfc2307bis` core schema. | `nis` | | | 142 | 143 | #### Logging Options 144 | 145 | | Variable | Description | Default | Advanced | 146 | | ------------ | ----------------------------- | -------------- | -------- | 147 | | `LOG_FILE` | Filename for logging | `openldap.log` | | 148 | | `LOG_LEVEL` | Set LDAP Log Level | `256` | | 149 | | `LOG_PATH` | Path for Logs | `/logs/` | | 150 | | `LOG_TYPE` | Output to `CONSOLE` or `FILE` | `CONSOLE` | | 151 | | `LOG_PREFIX` | Prefix for log lines | | | 152 | 153 | #### Backup Options 154 | 155 | | Parameter | Description | Default | 156 | | ------------------------------ | ------------------------------------------------------------------------------------------ | ------------------------- | 157 | | `ENABLE_BACKUP` | Enable Backup System | `TRUE` | 158 | | `BACKUP_BEGIN` | What time to do the first dump. Defaults to immediate. 
Must be in one of two formats | `0400` | 159 | | | Absolute HHMM, e.g. `2330` or `0415` | | 160 | | | Relative +MM, i.e. how many minutes after starting the container, | | 161 | | | e.g. `+0` (immediate), `+10` (in 10 minutes), or `+90` in an hour and a half | | 162 | | `BACKUP_ARCHIVE_TIME` | Value in minutes to move all files older than (x) from `BACKUP_PATH` | | 163 | | | to `BACKUP_PATH_ARCHIVE` - which is useful when pairing against an external backup system. | | 164 | | `BACKUP_CHECKSUM` | `md5` or `sha1` | `md5` | 165 | | `BACKUP_COMPRESSION_LEVEL` | Numberical value of what level of compression to use, | | 166 | | | most allow `1` to `9` except for `ZSTD` which allows for `1` to `19` | `8` | 167 | | `BACKUP_COMPRESSION` | Use either Gzip `GZ`, Bzip2 `BZ`, XZip `XZ`, ZSTD `ZSTD` or `none` ` | `zstd` | 168 | | `BACKUP_CREATE_LATEST_SYMLINK` | Create a symbolic link pointing to last backup in this format | `TRUE` | 169 | | `BACKUP_ENABLE_CHECKSUM` | Enable checksum after backup `TRUE` or `FALSE` | `TRUE` | 170 | | `BACKUP_INTERVAL` | How often to do a dump, in minutes. Defaults to 1440 minutes, | `1440` | 171 | | | or once per day. | | 172 | | `BACKUP_PARALLEL_COMPRESSION` | Use multiple cores when compressing backups `TRUE` or `FALSE` | `TRUE` | 173 | | `BACKUP_PATH` | Filesystem path on where to place backups | `/data/backup` | 174 | | `BACKUP_PATH_ARCHIVE` | Optional Directory where the database dumps archives are kept. | `${BACKUP_PATH}/archive/` | 175 | | `BACKUP_RETENTION` | Value in minutes to delete old backups (only fired when dump | | 176 | | | freqency fires). 1440 would delete anything above 1 day old. | | 177 | | | You don't need to set this variable if you want to hold onto everything. 
| | 178 | | `BACKUP_TEMP_LOCATION` | If you wish to specify a different location, enter it here | `/tmp/backups/` | 179 | 180 | 181 | #### Password Policy Options 182 | 183 | If you already have a check_password.conf or ppm.conf in /etc/openldap/ the following environment variables will not be applied 184 | 185 | | Variable | Description | Default | 186 | | ------------------------------ | ----------------------------------------- | ------- | 187 | | `ENABLE_PPOLICY` | Enable PPolicy Module utilization | `TRUE` | 188 | | `PPOLICY_CHECK_RDN` | Check RDN Parameter (ppm.so) | `0` | 189 | | `PPOLICY_FORBIDDEN_CHARACTERS` | Forbidden Characters (ppm.so) | `` | 190 | | `PPOLICY_MAX_CONSEC` | Maximum Consective Character Pattern | `0` | 191 | | `PPOLICY_MIN_DIGIT` | Minimum Digit Characters | `0` | 192 | | `PPOLICY_MIN_LOWER` | Minimum Lowercase Characters | `0` | 193 | | `PPOLICY_MIN_POINTS` | Minimum Points required to pass checker | `3` | 194 | | `PPOLICY_MIN_PUNCT` | Minimum Punctuation Characters | `0` | 195 | | `PPOLICY_MIN_UPPER` | Minimum Uppercase Characters | `0` | 196 | | `PPOLICY_USE_CRACKLIB` | Use Cracklib for verifying words (ppm.so) | `1` | 197 | 198 | #### TLS options 199 | 200 | | Variable | Description | Default | 201 | | ----------------------- | ------------------------------------------------------------------------- | ----------------------------------------- | 202 | | `ENABLE_TLS` | Add TLS capabilities. Can't be removed once set to `TRUE`. 
| `true` | 203 | | `TLS_CA_NAME` | Selfsigned CA Name | `ldap-selfsigned-ca` | 204 | | `TLS_CA_SUBJECT` | Selfsigned CA Subject | `/C=XX/ST=LDAP/L=LDAP/O=LDAP/CN=` | 205 | | `TLS_CA_CERT_SUBJECT` | SelfSigned CA Cert Sujbject | `${TLS_CA_SUBJECT}${TLS_CA_NAME}` | 206 | | `TLS_CA_CERT_FILE` | CA Cert filename | `${TLS_CA_AME}.crt` | 207 | | `TLS_CA_KEY_FILE` | CA Key filename | `${TLS_CA_NAME}.key` | 208 | | `TLS_CA_CERT_PATH` | CA Certificates path | `/certs/${TLS_CA_NAME}/` | 209 | | `TLS_CIPHER_SUITE` | Cipher Suite to use | `HIGH:!aNULL:!MD5:!3DES:!RC4:!DES:!eNULL` | 210 | | `TLS_CREATE_SELFSIGNED` | Automatically create locally signed CA, cert and key if they do not exist | `TRUE` | 211 | | `TLS_CERT_FILE` | TLS cert filename | `cert.pem` | 212 | | `TLS_CERT_PATH` | TLS cert path | `/certs/` | 213 | | `TLS_ENABLE_DH_PARAM` | Enable DH Param Functionality | `TRUE` | 214 | | `TLS_DH_PARAM_FILE` | DH Param filename | `dhparam.pem` | 215 | | `TLS_DH_PARAM_KEYSIZE` | Keysize for DH Param | `2048` | 216 | | `TLS_DH_PARAM_PATH` | DH Param path | `/certs/` | 217 | | `TLS_ENFORCE` | Enforce TLS Usage | `FALSE` | 218 | | `TLS_KEY_FILE` | TLS Key filename | `key.pem` | 219 | | `TLS_KEY_PATH` | TLS Key path | `/certs/` | 220 | | `TLS_RESET_PERMISSIONS` | Change permissions on certificate directories for OpenLDAP to read | `TRUE` | 221 | | `TLS_VERIFY_CLIENT` | TLS verify client. | `try` | 222 | 223 | >> Changing TLS Options are best done manually upon initial image deployment 224 | 225 | Help: http://www.openldap.org/doc/admin26/tls.html 226 | 227 | #### Replication options 228 | 229 | | Variable | Description | Default | `_FILE` | 230 | | ----------------------------- | ------------------------------------------------------------------------ | ------------------------------------------------- | ------- | 231 | | `ENABLE_REPLICATION` | Add replication capabilities. Multimaster only at present. 
| `false` | | 232 | | `REPLICATION_CONFIG_SYNCPROV` | olcSyncRepl options used for the config database. | `binddn="cn=config" bindmethod=simple` | x | 233 | | | Without rid and provider which are automatically | `credentials=$CONFIG_PASS searchbase="cn=config"` | | 234 | | | added based on `REPLICATION_HOSTS`. | `type=refreshAndPersist retry="5 5 60 +"` | | 235 | | | | `timeout=1 filter="(!(objectclass=olcGlobal))"` | | 236 | | | | | | 237 | | `REPLICATION_DB_SYNCPROV` | olcSyncRepl options used for the database. Without rid | `binddn="cn=admin,$BASE_DN"` | x | 238 | | | and provider which are automatically added based | `bindmethod=simple credentials=$ADMIN_PASS` | | 239 | | | on `REPLICATION_HOSTS`. | `searchbase="$BASE_DN"` `type=refreshAndPersist` | | 240 | | | | `interval=00:00:00:10 retry="5 5 60 +" timeout=1` | | 241 | | | | | | 242 | | | | | | 243 | | | | | | 244 | | `REPLICATION_HOSTS` | List of replication hosts seperated by a space, must contain the current | | x | 245 | | | container hostname set by --hostname on docker run command. | | | 246 | | | If replicating all hosts must be set in the same order. Example: | | | 247 | | `REPLICATION_SAFETY_CHECK` | Check to see if all hosts resolve before starting replication | | | 248 | | | Introduced as a safety measure to avoid slapd not starting. | `TRUE` | | 249 | | `WAIT_FOR_REPLICAS` | Should we wait for configured replicas to come online | `false` | | 250 | | | (respond to ping) before startup? | | | 251 | 252 | #### Other environment variables 253 | 254 | | Variable | Description | Default | 255 | | --------------------------- | --------------------------------------------------------------------------- | ---------------------------------------------- | 256 | | `REMOVE_CONFIG_AFTER_SETUP` | Delete config folder after setup. | `true` | 257 | | `SLAPD_ARGS` | If you want to override slapd runtime arguments place here . 
Default (null) | | 258 | | `SLAPD_HOSTS` | Allow overriding the default listen parameters | `ldap://$HOSTNAME ldaps://$HOSTNAME ldapi:///` | 259 | | `ULIMIT_N` | Set Open File Descriptor Limit | `1024` | 260 | 261 | ## Users and Groups 262 | 263 | | Type | Name | ID | 264 | | ----- | ------ | --- | 265 | | User | `ldap` | 389 | 266 | | Group | `ldap` | 389 | 267 | 268 | ### Networking 269 | 270 | | Port | Protocol | Description | 271 | | ----- | -------- | ---------------- | 272 | | `389` | tcp | slapd daemon | 273 | | `636` | tcp | TLS slapd daemon | 274 | 275 | * * * 276 | 277 | ## Maintenance 278 | 279 | ### Shell Access 280 | 281 | For debugging and maintenance, `bash` and `sh` are available in the container. 282 | 283 | ## Support & Maintenance 284 | 285 | - For community help, tips, and community discussions, visit the [Discussions board](/discussions). 286 | - For personalized support or a support agreement, see [Nfrastack Support](https://nfrastack.com/). 287 | - To report bugs, submit a [Bug Report](issues/new). Usage questions will be closed as not-a-bug. 288 | - Feature requests are welcome, but not guaranteed. For prioritized development, consider a support agreement. 289 | - Updates are best-effort, with priority given to active production use and support agreements. 290 | 291 | ### References 292 | 293 | * 294 | 295 | ## License 296 | 297 | This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details. 
298 | -------------------------------------------------------------------------------- /zabbix_templates/app-openlap.json: -------------------------------------------------------------------------------- 1 | { 2 | "zabbix_export": { 3 | "version": "5.4", 4 | "date": "2021-12-20T23:51:36Z", 5 | "groups": [ 6 | { 7 | "uuid": "7df96b18c230490a9a0a9e2307226338", 8 | "name": "Templates" 9 | } 10 | ], 11 | "templates": [ 12 | { 13 | "uuid": "260b658d9fc34bb9ab05585bd10ba45b", 14 | "template": "OpenLDAP", 15 | "name": "OpenLDAP", 16 | "description": "OpenLDAP Directory server monitoring. \n\nThis template is meant to be used specifically for https://github.com/nfrastack/container-openldap", 17 | "groups": [ 18 | { 19 | "name": "Templates" 20 | } 21 | ], 22 | "items": [ 23 | { 24 | "uuid": "96616cbb80af418db28e9aa038a34525", 25 | "name": "OpenLDAP: Operations - Adbandoned - Completed", 26 | "type": "ZABBIX_ACTIVE", 27 | "key": "openldap.statistics.[abandon,operations,monitorOpCompleted]", 28 | "history": "7d", 29 | "tags": [ 30 | { 31 | "tag": "Application", 32 | "value": "OpenLDAP" 33 | } 34 | ] 35 | }, 36 | { 37 | "uuid": "50851abe80654fad885ecc9a73c9d213", 38 | "name": "OpenLDAP: Operations - Abandoned - Initiated", 39 | "type": "ZABBIX_ACTIVE", 40 | "key": "openldap.statistics.[abandon,operations,monitorOpInitiated]", 41 | "history": "7d", 42 | "tags": [ 43 | { 44 | "tag": "Application", 45 | "value": "OpenLDAP" 46 | } 47 | ] 48 | }, 49 | { 50 | "uuid": "59a433816a2747198e42295bab962977", 51 | "name": "OpenLDAP: Threads - Active", 52 | "type": "ZABBIX_ACTIVE", 53 | "key": "openldap.statistics.[active,threads,monitoredInfo]", 54 | "history": "7d", 55 | "tags": [ 56 | { 57 | "tag": "Application", 58 | "value": "OpenLDAP" 59 | } 60 | ] 61 | }, 62 | { 63 | "uuid": "bda7c64bbef34e00aa4bb6b1403414bd", 64 | "name": "OpenLDAP: Operations - Add - Completed", 65 | "type": "ZABBIX_ACTIVE", 66 | "key": "openldap.statistics.[add,operations,monitorOpCompleted]", 67 | "history": 
"7d", 68 | "tags": [ 69 | { 70 | "tag": "Application", 71 | "value": "OpenLDAP" 72 | } 73 | ] 74 | }, 75 | { 76 | "uuid": "7cf662555fc747208943067d290dca28", 77 | "name": "OpenLDAP: Operations - Add - Initiated", 78 | "type": "ZABBIX_ACTIVE", 79 | "key": "openldap.statistics.[add,operations,monitorOpInitiated]", 80 | "history": "7d", 81 | "tags": [ 82 | { 83 | "tag": "Application", 84 | "value": "OpenLDAP" 85 | } 86 | ] 87 | }, 88 | { 89 | "uuid": "e8b16c12e92f4e0eb08fd566615296c6", 90 | "name": "OpenLDAP: Threads - Backload", 91 | "type": "ZABBIX_ACTIVE", 92 | "key": "openldap.statistics.[backload,threads,monitoredInfo]", 93 | "history": "7d", 94 | "tags": [ 95 | { 96 | "tag": "Application", 97 | "value": "OpenLDAP" 98 | } 99 | ] 100 | }, 101 | { 102 | "uuid": "519cb16d96134b5082fd129292000e50", 103 | "name": "OpenLDAP - Operations - Bind - Completed", 104 | "type": "ZABBIX_ACTIVE", 105 | "key": "openldap.statistics.[bind,operations,monitorOpCompleted]", 106 | "history": "7d", 107 | "tags": [ 108 | { 109 | "tag": "Application", 110 | "value": "OpenLDAP" 111 | } 112 | ] 113 | }, 114 | { 115 | "uuid": "59620884e6a14a92a67fcb17a2f0bceb", 116 | "name": "OpenLDAP: Operations - Bind - Initiated", 117 | "type": "ZABBIX_ACTIVE", 118 | "key": "openldap.statistics.[bind,operations,monitorOpInitiated]", 119 | "history": "7d", 120 | "tags": [ 121 | { 122 | "tag": "Application", 123 | "value": "OpenLDAP" 124 | } 125 | ] 126 | }, 127 | { 128 | "uuid": "cee57dd0b6944b9f8bba0b2d11e7068e", 129 | "name": "OpenLDAP: Operations - Compare - Completed", 130 | "type": "ZABBIX_ACTIVE", 131 | "key": "openldap.statistics.[compare,operations,monitorOpCompleted]", 132 | "history": "7d", 133 | "tags": [ 134 | { 135 | "tag": "Application", 136 | "value": "OpenLDAP" 137 | } 138 | ] 139 | }, 140 | { 141 | "uuid": "4846c85ed0bd4630aa662d556f85d487", 142 | "name": "OpenLDAP: Operations - Compare - Initiated", 143 | "type": "ZABBIX_ACTIVE", 144 | "key": 
"openldap.statistics.[compare,operations,monitorOpInitiated]", 145 | "history": "7d", 146 | "tags": [ 147 | { 148 | "tag": "Application", 149 | "value": "OpenLDAP" 150 | } 151 | ] 152 | }, 153 | { 154 | "uuid": "802c481fe3bc463a8ef690a9b48dc40a", 155 | "name": "OpenLDAP: Connections - Current", 156 | "type": "ZABBIX_ACTIVE", 157 | "key": "openldap.statistics.[current,connections]", 158 | "history": "7d", 159 | "tags": [ 160 | { 161 | "tag": "Application", 162 | "value": "OpenLDAP" 163 | } 164 | ] 165 | }, 166 | { 167 | "uuid": "94b97f55e1824f7ab080ef255e6cc886", 168 | "name": "OpenLDAP: Operations - Delete - Completed", 169 | "type": "ZABBIX_ACTIVE", 170 | "key": "openldap.statistics.[delete,operations,monitorOpCompleted]", 171 | "history": "7d", 172 | "tags": [ 173 | { 174 | "tag": "Application", 175 | "value": "OpenLDAP" 176 | } 177 | ] 178 | }, 179 | { 180 | "uuid": "039b47d1e03e4596a186187e01ee23a0", 181 | "name": "OpenLDAP: Operations - Delete - Initiated", 182 | "type": "ZABBIX_ACTIVE", 183 | "key": "openldap.statistics.[delete,operations,monitorOpInitiated]", 184 | "history": "7d", 185 | "tags": [ 186 | { 187 | "tag": "Application", 188 | "value": "OpenLDAP" 189 | } 190 | ] 191 | }, 192 | { 193 | "uuid": "4e1a44fe90a142a3a128e9fe09709a2b", 194 | "name": "OpenLDAP: Entries", 195 | "type": "ZABBIX_ACTIVE", 196 | "key": "openldap.statistics.[entries,statistics]", 197 | "history": "7d", 198 | "tags": [ 199 | { 200 | "tag": "Application", 201 | "value": "OpenLDAP" 202 | } 203 | ] 204 | }, 205 | { 206 | "uuid": "f517b08bc0d94663af26ede44c6d9136", 207 | "name": "OpenLDAP: Operations - Extended - Completed", 208 | "type": "ZABBIX_ACTIVE", 209 | "key": "openldap.statistics.[extended,operations,monitorOpCompleted]", 210 | "history": "7d", 211 | "tags": [ 212 | { 213 | "tag": "Application", 214 | "value": "OpenLDAP" 215 | } 216 | ] 217 | }, 218 | { 219 | "uuid": "b2046047f8b04c8f8ffe7255110fdbbd", 220 | "name": "OpenLDAP: Operations - Extended - Initiated", 221 | 
"type": "ZABBIX_ACTIVE", 222 | "key": "openldap.statistics.[extended,operations,monitorOpInitiated]", 223 | "history": "7d", 224 | "tags": [ 225 | { 226 | "tag": "Application", 227 | "value": "OpenLDAP" 228 | } 229 | ] 230 | }, 231 | { 232 | "uuid": "ff0e6040b85a4d2695a31147f49d0b44", 233 | "name": "OpenLDAP: Threads - Max", 234 | "type": "ZABBIX_ACTIVE", 235 | "key": "openldap.statistics.[max,threads,monitoredInfo]", 236 | "history": "7d", 237 | "tags": [ 238 | { 239 | "tag": "Application", 240 | "value": "OpenLDAP" 241 | } 242 | ] 243 | }, 244 | { 245 | "uuid": "341b638e3cd0424d9c211601e4aba278", 246 | "name": "OpenLDAP: Operations - Modify - Completed", 247 | "type": "ZABBIX_ACTIVE", 248 | "key": "openldap.statistics.[modify,operations,monitorOpCompleted]", 249 | "history": "7d", 250 | "tags": [ 251 | { 252 | "tag": "Application", 253 | "value": "OpenLDAP" 254 | } 255 | ] 256 | }, 257 | { 258 | "uuid": "09d4827cc04d4d02a05129253ff145eb", 259 | "name": "OpenLDAP: Operations - Modify - Initiated", 260 | "type": "ZABBIX_ACTIVE", 261 | "key": "openldap.statistics.[modify,operations,monitorOpInitiated]", 262 | "history": "7d", 263 | "tags": [ 264 | { 265 | "tag": "Application", 266 | "value": "OpenLDAP" 267 | } 268 | ] 269 | }, 270 | { 271 | "uuid": "f95249886fc74b2095547c3e4e7807f6", 272 | "name": "OpenLDAP: Operations - ModRDN - Completed", 273 | "type": "ZABBIX_ACTIVE", 274 | "key": "openldap.statistics.[modrdn,operations,monitorOpCompleted]", 275 | "history": "7d", 276 | "tags": [ 277 | { 278 | "tag": "Application", 279 | "value": "OpenLDAP" 280 | } 281 | ] 282 | }, 283 | { 284 | "uuid": "997d9fb0b3b34a90bb3353efe7f41818", 285 | "name": "OpenLDAP: Operations - ModRDN - Initiated", 286 | "type": "ZABBIX_ACTIVE", 287 | "key": "openldap.statistics.[modrdn,operations,monitorOpInitiated]", 288 | "history": "7d", 289 | "tags": [ 290 | { 291 | "tag": "Application", 292 | "value": "OpenLDAP" 293 | } 294 | ] 295 | }, 296 | { 297 | "uuid": 
"51575223988648bf8780dee16dc6f457", 298 | "name": "OpenLDAP: Threads - Open", 299 | "type": "ZABBIX_ACTIVE", 300 | "key": "openldap.statistics.[open,threads,monitoredInfo]", 301 | "history": "7d", 302 | "tags": [ 303 | { 304 | "tag": "Application", 305 | "value": "OpenLDAP" 306 | } 307 | ] 308 | }, 309 | { 310 | "uuid": "c4577553d89b49f2b1baa1198ad496e6", 311 | "name": "OpenLDAP: Threads - Pending", 312 | "type": "ZABBIX_ACTIVE", 313 | "key": "openldap.statistics.[pending,threads,monitoredInfo]", 314 | "history": "7d", 315 | "tags": [ 316 | { 317 | "tag": "Application", 318 | "value": "OpenLDAP" 319 | } 320 | ] 321 | }, 322 | { 323 | "uuid": "e630a69989bd4b08a0959c4686f63981", 324 | "name": "OpenLDAP: Waiters - Read", 325 | "type": "ZABBIX_ACTIVE", 326 | "key": "openldap.statistics.[read,waiters]", 327 | "history": "7d", 328 | "tags": [ 329 | { 330 | "tag": "Application", 331 | "value": "OpenLDAP" 332 | } 333 | ] 334 | }, 335 | { 336 | "uuid": "61533b5cece14d9e9e629b3a86652073", 337 | "name": "OpenLDAP: Threads - Run Queue", 338 | "type": "ZABBIX_ACTIVE", 339 | "key": "openldap.statistics.[runqueue,threads,monitoredInfo]", 340 | "history": "7d", 341 | "status": "DISABLED", 342 | "tags": [ 343 | { 344 | "tag": "Application", 345 | "value": "OpenLDAP" 346 | } 347 | ] 348 | }, 349 | { 350 | "uuid": "21b917464c664e37ae1a831811907615", 351 | "name": "OpenLDAP: Operations - Search - Completed", 352 | "type": "ZABBIX_ACTIVE", 353 | "key": "openldap.statistics.[search,operations,monitorOpCompleted]", 354 | "history": "7d", 355 | "tags": [ 356 | { 357 | "tag": "Application", 358 | "value": "OpenLDAP" 359 | } 360 | ] 361 | }, 362 | { 363 | "uuid": "635a4e8c7efe4377b49f292df61faa52", 364 | "name": "OpenLDAP: Operations - Search - Initiated", 365 | "type": "ZABBIX_ACTIVE", 366 | "key": "openldap.statistics.[search,operations,monitorOpInitiated]", 367 | "history": "7d", 368 | "tags": [ 369 | { 370 | "tag": "Application", 371 | "value": "OpenLDAP" 372 | } 373 | ] 374 | }, 375 | 
{ 376 | "uuid": "754ccf2dfe314e0eb9f437b729fb9537", 377 | "name": "OpenLDAP: Threads - Starting", 378 | "type": "ZABBIX_ACTIVE", 379 | "key": "openldap.statistics.[starting,threads,monitoredInfo]", 380 | "delay": "30s", 381 | "history": "7d", 382 | "tags": [ 383 | { 384 | "tag": "Application", 385 | "value": "OpenLDAP" 386 | } 387 | ] 388 | }, 389 | { 390 | "uuid": "1ea9c45a62de49f3b3a6df223a9b1f3a", 391 | "name": "OpenLDAP: Threads - State", 392 | "type": "ZABBIX_ACTIVE", 393 | "key": "openldap.statistics.[state,threads,monitoredInfo]", 394 | "history": "7d", 395 | "status": "DISABLED", 396 | "tags": [ 397 | { 398 | "tag": "Application", 399 | "value": "OpenLDAP" 400 | } 401 | ] 402 | }, 403 | { 404 | "uuid": "703eedd7bcf9473abea7c67d5db70dfe", 405 | "name": "OpenLDAP: Threads - Tasklist", 406 | "type": "ZABBIX_ACTIVE", 407 | "key": "openldap.statistics.[tasklist,threads,monitoredInfo]", 408 | "history": "7d", 409 | "status": "DISABLED", 410 | "tags": [ 411 | { 412 | "tag": "Application", 413 | "value": "OpenLDAP" 414 | } 415 | ] 416 | }, 417 | { 418 | "uuid": "225ffa0bdbb84bc98f17f43f0be14929", 419 | "name": "OpenLDAP: Connections - Total", 420 | "type": "ZABBIX_ACTIVE", 421 | "key": "openldap.statistics.[total,connections]", 422 | "history": "7d", 423 | "tags": [ 424 | { 425 | "tag": "Application", 426 | "value": "OpenLDAP" 427 | } 428 | ] 429 | }, 430 | { 431 | "uuid": "6c1dfea99478466f8b70146c2e5b913d", 432 | "name": "OpenLDAP: Operations - Unbind - Completed", 433 | "type": "ZABBIX_ACTIVE", 434 | "key": "openldap.statistics.[unbind,operations,monitorOpCompleted]", 435 | "history": "7d", 436 | "tags": [ 437 | { 438 | "tag": "Application", 439 | "value": "OpenLDAP" 440 | } 441 | ] 442 | }, 443 | { 444 | "uuid": "f1dea70169614d46bbfc159aa44652aa", 445 | "name": "OpenLDAP: Operations - Unbind - Initiated", 446 | "type": "ZABBIX_ACTIVE", 447 | "key": "openldap.statistics.[unbind,operations,monitorOpInitiated]", 448 | "history": "7d", 449 | "tags": [ 450 | { 451 | 
"tag": "Application", 452 | "value": "OpenLDAP" 453 | } 454 | ] 455 | }, 456 | { 457 | "uuid": "748c9f1abb884c2ab3ff6146675ec915", 458 | "name": "OpenLDAP: Waiters - Write", 459 | "type": "ZABBIX_ACTIVE", 460 | "key": "openldap.statistics.[write,waiters]", 461 | "history": "7d", 462 | "tags": [ 463 | { 464 | "tag": "Application", 465 | "value": "OpenLDAP" 466 | } 467 | ] 468 | }, 469 | { 470 | "uuid": "30bc2bb4744e450ca1c520141e9caf9d", 471 | "name": "OpenLDAP: CPU Utilization", 472 | "type": "ZABBIX_ACTIVE", 473 | "key": "proc.cpu.util['slapd']", 474 | "history": "7d", 475 | "value_type": "FLOAT", 476 | "units": "%", 477 | "tags": [ 478 | { 479 | "tag": "Application", 480 | "value": "OpenLDAP" 481 | } 482 | ] 483 | }, 484 | { 485 | "uuid": "e552becc79914f788187ea2128c1d12b", 486 | "name": "OpenLDAP: Memory usage (Physical)", 487 | "type": "ZABBIX_ACTIVE", 488 | "key": "proc.mem['slapd',,,,rss]", 489 | "history": "7d", 490 | "units": "B", 491 | "tags": [ 492 | { 493 | "tag": "Application", 494 | "value": "OpenLDAP" 495 | } 496 | ] 497 | }, 498 | { 499 | "uuid": "c7a03d5390384511adb2089f7b3b16ce", 500 | "name": "OpenLDAP: Memory usage (Virtual)", 501 | "type": "ZABBIX_ACTIVE", 502 | "key": "proc.mem['slapd',,,,vsize]", 503 | "history": "7d", 504 | "units": "B", 505 | "tags": [ 506 | { 507 | "tag": "Application", 508 | "value": "OpenLDAP" 509 | } 510 | ] 511 | }, 512 | { 513 | "uuid": "88f353e78c0e49dba35ffd81cb388c9d", 514 | "name": "OpenLDAP: Processes", 515 | "type": "ZABBIX_ACTIVE", 516 | "key": "proc.num['slapd']", 517 | "history": "7d", 518 | "tags": [ 519 | { 520 | "tag": "Application", 521 | "value": "OpenLDAP" 522 | } 523 | ], 524 | "triggers": [ 525 | { 526 | "uuid": "9ace945099724adeaadaec46af65db33", 527 | "expression": "sum(/OpenLDAP/proc.num['slapd'],#3)=0", 528 | "name": "OpenLDAP: Process is not running", 529 | "priority": "HIGH" 530 | } 531 | ] 532 | } 533 | ], 534 | "valuemaps": [ 535 | { 536 | "uuid": "4e64cde352814ebe869ec00dc0e8cea9", 537 | 
"name": "Service state", 538 | "mappings": [ 539 | { 540 | "value": "0", 541 | "newvalue": "Down" 542 | }, 543 | { 544 | "value": "1", 545 | "newvalue": "Up" 546 | } 547 | ] 548 | } 549 | ] 550 | } 551 | ], 552 | "graphs": [ 553 | { 554 | "uuid": "bfd12eb36afc4417b064a812fe8a1f2c", 555 | "name": "Bind Connections", 556 | "graph_items": [ 557 | { 558 | "color": "1A7C11", 559 | "item": { 560 | "host": "OpenLDAP", 561 | "key": "openldap.statistics.[bind,operations,monitorOpCompleted]" 562 | } 563 | }, 564 | { 565 | "sortorder": "1", 566 | "color": "F63100", 567 | "item": { 568 | "host": "OpenLDAP", 569 | "key": "openldap.statistics.[bind,operations,monitorOpInitiated]" 570 | } 571 | }, 572 | { 573 | "sortorder": "2", 574 | "color": "2774A4", 575 | "item": { 576 | "host": "OpenLDAP", 577 | "key": "openldap.statistics.[unbind,operations,monitorOpCompleted]" 578 | } 579 | } 580 | ] 581 | }, 582 | { 583 | "uuid": "823b2a9abee94aeb9df9f9f75a34fc65", 584 | "name": "Connections", 585 | "graph_items": [ 586 | { 587 | "color": "1A7C11", 588 | "item": { 589 | "host": "OpenLDAP", 590 | "key": "openldap.statistics.[current,connections]" 591 | } 592 | } 593 | ] 594 | }, 595 | { 596 | "uuid": "f46d8c4f1f2948eaa9ac61104d66fa72", 597 | "name": "Operations - Abandoned", 598 | "graph_items": [ 599 | { 600 | "color": "1A7C11", 601 | "item": { 602 | "host": "OpenLDAP", 603 | "key": "openldap.statistics.[abandon,operations,monitorOpCompleted]" 604 | } 605 | }, 606 | { 607 | "sortorder": "1", 608 | "color": "F63100", 609 | "item": { 610 | "host": "OpenLDAP", 611 | "key": "openldap.statistics.[abandon,operations,monitorOpInitiated]" 612 | } 613 | } 614 | ] 615 | }, 616 | { 617 | "uuid": "ce5cf3f84559410688c7c2187c6ba02c", 618 | "name": "Operations - Add", 619 | "graph_items": [ 620 | { 621 | "color": "2774A4", 622 | "item": { 623 | "host": "OpenLDAP", 624 | "key": "openldap.statistics.[add,operations,monitorOpCompleted]" 625 | } 626 | }, 627 | { 628 | "sortorder": "1", 629 | "color": 
"A54F10", 630 | "item": { 631 | "host": "OpenLDAP", 632 | "key": "openldap.statistics.[add,operations,monitorOpInitiated]" 633 | } 634 | } 635 | ] 636 | }, 637 | { 638 | "uuid": "4158e28023fd46d3ac1230a8e13137ef", 639 | "name": "Operations - ALL", 640 | "graph_items": [ 641 | { 642 | "color": "1A7C11", 643 | "item": { 644 | "host": "OpenLDAP", 645 | "key": "openldap.statistics.[abandon,operations,monitorOpCompleted]" 646 | } 647 | }, 648 | { 649 | "sortorder": "1", 650 | "color": "F63100", 651 | "item": { 652 | "host": "OpenLDAP", 653 | "key": "openldap.statistics.[abandon,operations,monitorOpInitiated]" 654 | } 655 | }, 656 | { 657 | "sortorder": "2", 658 | "color": "2774A4", 659 | "item": { 660 | "host": "OpenLDAP", 661 | "key": "openldap.statistics.[compare,operations,monitorOpCompleted]" 662 | } 663 | }, 664 | { 665 | "sortorder": "3", 666 | "color": "A54F10", 667 | "item": { 668 | "host": "OpenLDAP", 669 | "key": "openldap.statistics.[compare,operations,monitorOpInitiated]" 670 | } 671 | }, 672 | { 673 | "sortorder": "4", 674 | "color": "FC6EA3", 675 | "item": { 676 | "host": "OpenLDAP", 677 | "key": "openldap.statistics.[delete,operations,monitorOpCompleted]" 678 | } 679 | }, 680 | { 681 | "sortorder": "5", 682 | "color": "6C59DC", 683 | "item": { 684 | "host": "OpenLDAP", 685 | "key": "openldap.statistics.[delete,operations,monitorOpInitiated]" 686 | } 687 | }, 688 | { 689 | "sortorder": "6", 690 | "color": "AC8C14", 691 | "item": { 692 | "host": "OpenLDAP", 693 | "key": "openldap.statistics.[extended,operations,monitorOpCompleted]" 694 | } 695 | }, 696 | { 697 | "sortorder": "7", 698 | "color": "611F27", 699 | "item": { 700 | "host": "OpenLDAP", 701 | "key": "openldap.statistics.[extended,operations,monitorOpInitiated]" 702 | } 703 | }, 704 | { 705 | "sortorder": "8", 706 | "color": "F230E0", 707 | "item": { 708 | "host": "OpenLDAP", 709 | "key": "openldap.statistics.[search,operations,monitorOpCompleted]" 710 | } 711 | }, 712 | { 713 | "sortorder": "9", 
714 | "color": "5CCD18", 715 | "item": { 716 | "host": "OpenLDAP", 717 | "key": "openldap.statistics.[search,operations,monitorOpInitiated]" 718 | } 719 | } 720 | ] 721 | }, 722 | { 723 | "uuid": "6463d798f33e46ffa39fd619b84ace23", 724 | "name": "Operations - Compare", 725 | "graph_items": [ 726 | { 727 | "color": "1A7C11", 728 | "item": { 729 | "host": "OpenLDAP", 730 | "key": "openldap.statistics.[compare,operations,monitorOpCompleted]" 731 | } 732 | }, 733 | { 734 | "sortorder": "1", 735 | "color": "F63100", 736 | "item": { 737 | "host": "OpenLDAP", 738 | "key": "openldap.statistics.[compare,operations,monitorOpInitiated]" 739 | } 740 | } 741 | ] 742 | }, 743 | { 744 | "uuid": "d24d287343654a48b7b7375f0f3113cf", 745 | "name": "Operations - Delete", 746 | "graph_items": [ 747 | { 748 | "color": "1A7C11", 749 | "item": { 750 | "host": "OpenLDAP", 751 | "key": "openldap.statistics.[delete,operations,monitorOpCompleted]" 752 | } 753 | }, 754 | { 755 | "sortorder": "1", 756 | "color": "F63100", 757 | "item": { 758 | "host": "OpenLDAP", 759 | "key": "openldap.statistics.[delete,operations,monitorOpInitiated]" 760 | } 761 | } 762 | ] 763 | }, 764 | { 765 | "uuid": "b143c67de3594598abdbe3696d98c22f", 766 | "name": "Operations - Extended", 767 | "graph_items": [ 768 | { 769 | "color": "1A7C11", 770 | "item": { 771 | "host": "OpenLDAP", 772 | "key": "openldap.statistics.[extended,operations,monitorOpCompleted]" 773 | } 774 | }, 775 | { 776 | "sortorder": "1", 777 | "color": "F63100", 778 | "item": { 779 | "host": "OpenLDAP", 780 | "key": "openldap.statistics.[extended,operations,monitorOpInitiated]" 781 | } 782 | } 783 | ] 784 | }, 785 | { 786 | "uuid": "217fc853845146cb8620b6268df92803", 787 | "name": "Operations - Search", 788 | "graph_items": [ 789 | { 790 | "color": "1A7C11", 791 | "item": { 792 | "host": "OpenLDAP", 793 | "key": "openldap.statistics.[search,operations,monitorOpCompleted]" 794 | } 795 | }, 796 | { 797 | "sortorder": "1", 798 | "color": "F63100", 799 | 
        "item": {
          "host": "OpenLDAP",
          "key": "openldap.statistics.[search,operations,monitorOpInitiated]"
        }
      }
    ]
  }
]
}
}
--------------------------------------------------------------------------------
/rootfs/container/functions/10-openldap:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 Nfrastack
#
# SPDX-License-Identifier: MIT

# certificates: TLS material management for slapd, dispatched on the first
# argument (see the case at the bottom). The helpers are declared as nested
# functions inside it.
certificates() {
  # Create a self-signed CA under TLS_CA_CERT_PATH when the CA cert file is
  # missing: an RSA-4096 key, a 10-year (3650 day) X.509 certificate and the
  # openssl "serial" / "certindex" bookkeeping files.
  certificates_create_certificate_authority() {
    if [ ! -f "${TLS_CA_CERT_PATH%/}"/"${TLS_CA_CERT_FILE}" ]; then

      print_debug "Certificates: Creating Self Signed Certificate Authority"
      mkdir -p "${TLS_CA_CERT_PATH}"
      echo "000a" >"${TLS_CA_CERT_PATH%/}"/serial
      touch "${TLS_CA_CERT_PATH%/}"/certindex

      # -nodes: the CA private key is written unencrypted, so it is only as
      # protected as the permissions on TLS_CA_CERT_PATH.
      # NOTE(review): the command is assembled as a string and run through
      # eval, so TLS_CA_CERT_PATH, TLS_CA_KEY_FILE, TLS_CA_CERT_FILE and
      # TLS_CA_CERT_SUBJECT undergo word splitting and shell interpretation.
      # Paths with whitespace or metacharacters break here; calling openssl
      # directly with quoted arguments would avoid that.
      silent eval "openssl req \
        -newkey rsa:4096 -keyout ${TLS_CA_CERT_PATH%/}/${TLS_CA_KEY_FILE} \
        -x509 -days 3650 -nodes -out ${TLS_CA_CERT_PATH%/}/${TLS_CA_CERT_FILE} \
        -subj \"${TLS_CA_CERT_SUBJECT}\""

      # NOTE(review): original lines 19-149 are not recoverable from this
      # listing (the text from the heredoc on line 19 up to the redirection
      # on line 149 was stripped). The helpers referenced by the case below
      # (certificates_check_dhparam, certificates_check_certificates,
      # certificates_trust_ca) are presumably defined in that span.
      cat </dev/null 2>&1
        fi
      fi
    fi
  }

  # Dispatch: "dhparam" only handles the DH parameter file; any other
  # argument is treated as a certificate path to check, followed by trusting
  # the CA. Both branches do nothing unless ENABLE_TLS is true.
  case "${1,,}" in
    "dhparam")
      if var_true "${ENABLE_TLS}"; then
        certificates_check_dhparam
      fi
      ;;
    *)
      if var_true "${ENABLE_TLS}"; then
        certificates_check_certificates "${1}"
        certificates_trust_ca
      fi
      ;;
  esac
}

# Create the data, cn=config and state directories (owned ldap:ldap, mode
# 700, via the project's create_folder helper) and point the packaged
# default locations at them when the operator configured other paths.
openldap_bootstrap_filesystem() {
  create_folder "${DB_PATH},${CONFIG_PATH},/container/state/openldap" ldap:ldap 700
  # Replace /var/lib/openldap with a symlink to DB_PATH. rm -rf on an
  # existing symlink removes the link only, so a re-run does not touch the
  # target directory.
  # NOTE(review): an empty DB_PATH passes this comparison and ends in
  # `ln -sf "" /var/lib/openldap`; a guard such as `[ -n "${DB_PATH}" ]`
  # would make that misconfiguration fail explicitly.
  if [ "${DB_PATH%/}" != "/var/lib/openldap" ] ; then
    rm -rf /var/lib/openldap
    ln -sf "${DB_PATH%/}" /var/lib/openldap
  fi
  # Same treatment for the cn=config directory.
  if [ "${CONFIG_PATH%/}" != "/etc/openldap/slapd.d" ] ; then
    rm -rf /etc/openldap/slapd.d
    ln -sf "${CONFIG_PATH%/}" /etc/openldap/slapd.d
  fi
}

# Scheduled backups (ENABLE_BACKUP). Only the opening lines are on this
# page; the body continues further down the listing and is partly stripped.
openldap_configure_backup() {
  if var_true "${ENABLE_BACKUP}"; then
    print_notice "Enabling OpenLDAP scheduled backup routines"
185 | cat </dev/null; do sleep 2.0; done 466 | 467 | ### Setup bootstrap config - Part 2 468 | if var_true "${new_install}"; then 469 | # Convert schemas to ldif 470 | print_notice "Converting schemas to LDIF" 471 | schemas="" 472 | for schema in $(find /container/data/openldap/config/bootstrap/schema -not -path "/container/data/openldap/config/bootstrap/schema/rfc2307bis/*" -name \*.schema -type f 2>/dev/null); do 473 | schemas="$schemas ${schema}" 474 | done 475 | schema2ldif "${schemas}" 476 | 477 | # Add converted schemas 478 | print_notice "Adding converted schemas" 479 | for schema_file in $(find /container/data/openldap/config/bootstrap/schema -not -path "/container/data/openldap/config/bootstrap/schema/rfc2307bis/*" -name \*.ldif -type f 2>/dev/null); do 480 | # Add schema if it doesn't already exist 481 | schema=$(basename "${schema_file}" .ldif) 482 | add_schema=$(is_new_schema "$schema") 483 | if [ "$add_schema" -eq 1 ]; then 484 | silent ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f "${schema_file}" 485 | else 486 | print_warn "schema ${schema_file} already exists" 487 | fi 488 | done 489 | 490 | if var_true "${ENABLE_READONLY_USER}"; then 491 | READONLY_USER_PASS_ENCRYPTED="$(slappasswd -s "${READONLY_USER_PASS}")" 492 | for readonly_ldif in /container/data/openldap/config/bootstrap/ldif/readonly-user/*.ldif; do 493 | update_template "${readonly_ldif}" \ 494 | BASE_DN \ 495 | READONLY_USER_USER \ 496 | READONLY_USER_PASS_ENCRYPTED 497 | done 498 | fi 499 | 500 | # Adapt security and ACLs 501 | print_notice "Setting Security and ACLs" 502 | get_ldap_base_dn 503 | update_template /container/data/openldap/config/bootstrap/ldif/01-acls.ldif \ 504 | BASE_DN 505 | 506 | # Process config files (*.ldif) in bootstrap directory 507 | print_notice "Add bootstrap LDIFs" 508 | for ldif_file in $(find /container/data/openldap/config/bootstrap/ldif -mindepth 1 -maxdepth 1 -type f -name \*.ldif | sort); do 509 | print_debug "Bootstrap LDIF: Processing file ${ldif_file}" 
510 | update_template "${ldif_file}" \ 511 | BASE_DN 512 | ldap_add_or_modify "${ldif_file}" 513 | done 514 | # Custom LDIF injection 515 | if [ -d /container/data/openldap/config/bootstrap/ldif/custom ]; then 516 | print_notice "Add custom bootstrap ldifs" 517 | for ldif_file in $(find /container/data/openldap/config/bootstrap/ldif/custom -type f -name \*.ldif | sort); do 518 | print_debug "LDIF: Processing file ${ldif_file}" 519 | update_template "${ldif_file}" \ 520 | BASE_DN 521 | ldap_add_or_modify "${ldif_file}" 522 | done 523 | fi 524 | fi 525 | 526 | ## Log Prefix 527 | case "${LOG_PREFIX,,}" in 528 | ancient | debug | hex | impossible ) 529 | slapd_log_prefix=debug 530 | ;; 531 | datetime | localtime| modern | normal | syslog-localtime ) 532 | slapd_log_prefix=syslog-localtime 533 | ;; 534 | syslog-utc | utc ) 535 | slapd_log_prefix=syslog-utc 536 | ;; 537 | datetime | localtime| modern | normal | syslog-localtime | *) 538 | slapd_log_prefix=syslog-localtime 539 | ;; 540 | esac 541 | 542 | update_template /container/data/openldap/config/log/log-enable.ldif \ 543 | slapd_log_file \ 544 | slapd_log_prefix \ 545 | slapd_log_type 546 | 547 | silent ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /container/data/openldap/config/log/log-enable.ldif 548 | 549 | ## TLS 550 | if [ -e "${was_started_with_tls}" ] && [ "${ENABLE_TLS,,}" != "true" ]; then 551 | print_error "ENABLE_TLS=false but the container was previously started with ENABLE_TLS=true" 552 | print_error "TLS can't be disabled once added. Ignoring ENABLE_TLS=false." 553 | ENABLE_TLS=true 554 | fi 555 | 556 | if [ -e "${was_started_with_tls_enforce}" ] && [ "${TLS_ENFORCE,,}" != "true" ]; then 557 | print_error "TLS_ENFORCE=false but the container was previously started with TLS_ENFORCE=true" 558 | print_error "TLS enforcing can't be disabled once added. Ignoring TLS_ENFORCE=false." 
559 | TLS_ENFORCE=true 560 | fi 561 | 562 | if var_true "${ENABLE_TLS}"; then 563 | print_notice "Starting TLS configuration - Please wait.." 564 | 565 | # Generate a self signed certificate and key along with CA if not found 566 | certificates "${TLS_CERT_PATH%/}"/"${TLS_CERT_FILE}" 567 | 568 | # Create DHParamFile if not found 569 | certificates dhparam 570 | 571 | if var_true "${TLS_RESET_PERMISSIONS}"; then 572 | chmod 600 "${TLS_CERT_PATH%/}"/"${TLS_CERT_FILE}" "${TLS_KEY_PATH%/}"/"${TLS_KEY_FILE}" "${TLS_DH_PARAM_PATH%/}"/"${TLS_DH_PARAM_FILE}" 573 | chown ldap:ldap "${TLS_CERT_PATH%/}"/"${TLS_CERT_FILE}" "${TLS_KEY_PATH%/}"/"${TLS_KEY_FILE}" "${TLS_DH_PARAM_PATH%/}"/"${TLS_DH_PARAM_FILE}" 574 | fi 575 | 576 | # Fix file permissions 577 | chown -R ldap:ldap //container/data/openldap || true 578 | 579 | # Adapt TLS ldif 580 | if var_true "${TLS_ENABLE_DH_PARAM}"; then 581 | TLS_DH_PARAM_LDIF_ENABLE="- 582 | replace: olcTLSDHParamFile 583 | olcTLSDHParamFile: ${TLS_DH_PARAM_PATH%/}/${TLS_DH_PARAM_FILE} 584 | -" 585 | else 586 | TLS_DH_PARAM_LDIF_ENABLE="" 587 | fi 588 | # Always attempt to delete olcTLSDHParamFile on disable 589 | TLS_DH_PARAM_LDIF_DISABLE="-\ndelete: olcTLSDHParamFile\n-" 590 | update_template /container/data/openldap/config/tls/tls-enable.ldif \ 591 | TLS_CA_CERT_PATH \ 592 | TLS_CA_CERT_FILE \ 593 | TLS_CERT_PATH \ 594 | TLS_CERT_FILE \ 595 | TLS_KEY_PATH \ 596 | TLS_KEY_FILE \ 597 | TLS_DH_PARAM_PATH \ 598 | TLS_DH_PARAM_FILE \ 599 | TLS_CIPHER_SUITE \ 600 | TLS_VERIFY_CLIENT \ 601 | TLS_DH_PARAM_LDIF_ENABLE 602 | 603 | silent ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /container/data/openldap/config/tls/tls-enable.ldif 604 | 605 | if [ -f "${was_started_with_tls}" ] ; then 606 | rm -f "$was_started_with_tls" 607 | fi 608 | echo "export PREVIOUS_TLS_CA_CERT_PATH=${TLS_CA_CERT_PATH%/}/${TLS_CA_CERT_FILE}" | silent tee "${was_started_with_tls}" 609 | echo "export PREVIOUS_TLS_CERT_PATH=${TLS_CERT_PATH%/}/${TLS_CERT_FILE}" | silent tee -a 
"${was_started_with_tls}" 610 | echo "export PREVIOUS_TLS_KEY_PATH=${TLS_KEY_PATH%/}/${TLS_KEY_FILE}" | silent tee -a "${was_started_with_tls}" 611 | if var_true "${TLS_ENABLE_DH_PARAM}"; then 612 | echo "export PREVIOUS_TLS_DH_PARAM_PATH=${TLS_DH_PARAM_PATH%/}/${TLS_DH_PARAM_FILE}" | silent tee -a "${was_started_with_tls}" 613 | fi 614 | 615 | # Enforce TLS 616 | if var_true "${TLS_ENFORCE}"; then 617 | print_notice "Adding TLS enforcement" 618 | silent ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /container/data/openldap/config/tls/tls-enforce-enable.ldif 619 | touch "${was_started_with_tls_enforce}" 620 | fi 621 | fi 622 | 623 | ## Replication 624 | set +e 625 | if var_true "${ENABLE_REPLICATION}"; then 626 | print_notice "Configuring replication" 627 | replication_disable || true 628 | 629 | transform_var file \ 630 | REPLICATION_HOSTS \ 631 | REPLICATION_HOSTS_CONFIG_SYNC_PROV \ 632 | REPLICATION_HOSTS_DB_SYNC_PROV 633 | 634 | i=1 635 | replhosts=$(echo "${REPLICATION_HOSTS}" | tr " " "\n") 636 | get_ldap_base_dn 637 | for replhost in $replhosts; do 638 | sed -i \ 639 | -e "s|{{REPLICATION_HOSTS}}|olcServerID: $i $replhost\n{{REPLICATION_HOSTS}}|g" \ 640 | -e "s|{{REPLICATION_HOSTS_CONFIG_SYNC_REPL}}|olcSyncRepl: rid=00$i provider=$replhost ${REPLICATION_CONFIG_SYNCPROV:-"binddn=\"cn=config\" bindmethod=simple credentials=$CONFIG_PASS searchbase=\"cn=config\" type=refreshAndPersist retry=\"5 5 60 +\" timeout=1 filter=\"(!(objectclass=olcGlobal))\""}\n{{REPLICATION_HOSTS_CONFIG_SYNC_REPL}}|g" \ 641 | -e "s|{{REPLICATION_HOSTS_DB_SYNC_REPL}}|olcSyncRepl: rid=10$i provider=$replhost ${REPLICATION_DB_SYNCPROV:-"binddn=\"cn=admin,$BASE_DN\" bindmethod=simple credentials=$ADMIN_PASS searchbase=\"$BASE_DN\" type=refreshAndPersist interval=00:00:00:10 retry=\"5 5 60 +\" timeout=1"}\n{{REPLICATION_HOSTS_DB_SYNC_REPL}}|g" \ 642 | /container/data/openldap/config/replication/replication-enable.ldif 643 | ((i++)) 644 | done 645 | 646 | sed -i \ 647 | -e 
"/{{REPLICATION_HOSTS}}/d" \ 648 | -e "/{{REPLICATION_HOSTS_CONFIG_SYNC_REPL}}/d" \ 649 | -e "/{{REPLICATION_HOSTS_DB_SYNC_REPL}}/d" \ 650 | -e "s|{{BACKEND}}|${BACKEND}|g" \ 651 | /container/data/openldap/config/replication/replication-enable.ldif 652 | 653 | silent ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /container/data/openldap/config/replication/replication-enable.ldif 654 | 655 | [[ -f "$was_started_with_replication" ]] && rm -f "${was_started_with_replication}" 656 | echo "export PREVIOUS_HOSTNAME=${HOSTNAME}" | silent tee "${was_started_with_replication}" 657 | else 658 | print_debug "Disabling replication config" 659 | replication_disable || true 660 | fi 661 | set +x 662 | ## Execute Custom Scripts (To be used for example for nfrastack/openldap-fusiondirectory) 663 | if [ -d /container/data/openldap/config/bootstrap/custom/ ]; then 664 | custom_scripts /container/data/openldap/config/bootstrap/custom/ 665 | elif [ -f /override/data/openldap/config/bootstrap/custom/ ]; then 666 | custom_scripts /override/data/openldap/config/bootstrap/custom/ 667 | else 668 | if var_true "${ADD_DEFAULT_DATA}"; then 669 | print_notice "Adding default top level data configuration" 670 | chmod +x /container/data/openldap/config/bootstrap/default/default.sh 671 | /container/data/openldap/config/bootstrap/default/default.sh 672 | if var_true "${ENABLE_READONLY_USER}"; then 673 | print_notice "Adding read only (DSA) user" 674 | ldap_add_or_modify "/container/data/openldap/config/bootstrap/ldif/readonly-user/readonly-user.ldif" 675 | ldapmodify -H 'ldapi:///' -f /container/data/openldap/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif 676 | fi 677 | fi 678 | fi 679 | 680 | print_debug "Stopping OpenLDAP initialization routines" 681 | slapd_pid="$(cat /run/openldap/slapd.pid)" 682 | kill -15 "${slapd_pid}" 683 | while [ -e /proc/"${slapd_pid}" ]; do sleep 0.1; done # wait until slapd is terminated 684 | fi 685 | 686 | touch "${first_start_done}" 687 | fi 688 | } 689 
# Build the slapd "-d <level>" debug flags from the comma-separated
# LOG_LEVEL. Appends to whatever `log_level` already holds; it is not reset.
openldap_configure_logging() {
  log_level_array=$(echo "${LOG_LEVEL}" | tr "," "\n")
  for level in $log_level_array; do
    log_level="${log_level} -d ${level} "
  done
}

# Write the configuration files for the password-policy checker modules when
# ENABLE_PPOLICY is true.
# NOTE(review): original lines 702-730 (the heredoc that writes
# check_password.conf; the chown below suggests the lost span also writes
# ppm.conf) are not recoverable from this listing. Only the tail of the last
# heredoc line survives, so the text below is kept verbatim and is not
# valid shell as shown.
openldap_configure_ppolicy_check_modules() {
  if var_true "${ENABLE_PPOLICY}"; then
    print_notice "Configuring PPolicy check modules"
    ### check_password.so
    if [ ! -f "${CONFIG_PATH%/}"/check_password.conf ]; then
      cat <,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è\`_\ç^à@)]°=}+ ${PPOLICY_MIN_PUNCT} 1
EOF
      chown ldap:ldap "${CONFIG_PATH%/}"/ppm.conf
    fi
  fi
}


# Superseded by openldap_bootstrap_filesystem; kept commented out upstream.
#create_data_directories() {
#  print_notice "Setting up directories"
#  #create_fodler "${DB_PATH},${CONFIG_PATH%/}/slapd.d,/container/state/openldap" ldap:ldap 700
#  create_folder "${DB_PATH},${CONFIG_PATH},/container/state/openldap" ldap:ldap 700
#  #if [ ! -d "${DB_PATH}" ]; then mkdir -p "${DB_PATH}"; fi
#  #if [ ! -d "${CONFIG_PATH%/}"/slapd.d ]; then mkdir -p "${CONFIG_PATH%/}"/slapd.d; fi
#  #if [ ! -d /container/state/openldap ]; then mkdir -p /container/state/openldap; fi
#
#  #chown -R ldap:ldap /container/slapd
#}

# Rewrite /etc/hosts so that HOSTNAME maps to 0.0.0.0 ahead of the previous
# entries; existing lines matching HOSTNAME are dropped first (presumably so
# the local name does not resolve to a stale address -- confirm).
# NOTE(review): HOSTNAME is used as an unescaped sed regex: "." matches any
# character, and a name that is a substring of another line removes that
# line too.
openldap_configure_networking() {
  print_debug "Configuring Networking"
  etc_hosts="$(cat /etc/hosts | sed "/${HOSTNAME}/d")"
  echo "0.0.0.0 ${HOSTNAME}" | silent tee /etc/hosts
  echo "${etc_hosts}" | silent tee -a /etc/hosts
}

# Derive BASE_DN from DOMAIN (constructed example: "example.com" becomes
# "dc=example,dc=com") unless the operator already set BASE_DN. Also sets the
# globals SUFFIX and ROOT to the first label ("dc=example" / "example");
# neither is read in this block.
get_ldap_base_dn() {
  if [ -z "${BASE_DN}" ]; then
    # IFS is changed only for the duration of the read (prefix assignment).
    IFS='.' read -ra BASE_DN_TABLE <<<"${DOMAIN}"
    for i in "${BASE_DN_TABLE[@]}"; do
      EXT="dc=$i,"
      BASE_DN=$BASE_DN$EXT
    done

    IFS='.' read -a domain_elems <<<"${DOMAIN}"
    SUFFIX=""
    ROOT=""

    # Only the first iteration assigns; later labels are ignored.
    for elem in "${domain_elems[@]}"; do
      if [ "x${SUFFIX}" = x ]; then
        SUFFIX="dc=${elem}"
        ROOT="${elem}"
      fi
    done

    # Strip the trailing comma left by the loop above.
    # NOTE(review): with an empty DOMAIN this expands `${BASE_DN::-1}` on an
    # empty string, which bash rejects ("substring expression < 0");
    # `${BASE_DN%,}` strips the same comma and tolerates the empty case.
    BASE_DN=${BASE_DN::-1}
  fi
}

# Print 1 when no schema entry under cn=schema,cn=config matches $1, else 0.
# The caller uses the output to decide whether to ldapadd the schema.
# NOTE(review): `grep -c "${1}"` is an unanchored regex over the whole
# search output, so a schema whose name is a substring of one already loaded
# (constructed example: "person" against "inetorgperson") is reported as
# present and never added. Anchoring the match to the cn value, e.g.
# `grep -c -x -- "cn: {[0-9]*}${1}"`, avoids that. A failing ldapsearch also
# produces 0 matches and is therefore reported as "new".
is_new_schema() {
  local count="$(ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config cn | grep -c "${1}")"
  if [ "${count}" -eq 0 ]; then
    echo 1
  else
    echo 0
  fi
}

# Render the BACKEND and BASE_DN placeholders in the given LDIF, then apply
# it over ldapi with SASL EXTERNAL. Files containing "changetype" go through
# ldapmodify, everything else through ldapadd.
ldap_add_or_modify() {
  local ldif_file=$1
  update_template "${ldif_file}" \
    BACKEND \
    BASE_DN
  if grep -iq changetype "${ldif_file}"; then
    silent ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f "${ldif_file}"
  else
    silent ldapadd -Y EXTERNAL -Q -H ldapi:/// -f "${ldif_file}"
  fi
}

# Apply the replication-disable LDIF and remove the replication state marker.
# BACKEND is substituted into the template file in place, so the placeholder
# is consumed on the first run. The trailing `[[ -f ... ]] && rm -f ...`
# makes the function return non-zero when the marker is absent, which is why
# callers append `|| true`.
replication_disable() {
  sed -i "s|{{BACKEND}}|${BACKEND}|g" /container/data/openldap/config/replication/replication-disable.ldif
  silent ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /container/data/openldap/config/replication/replication-disable.ldif
  [[ -f "${was_started_with_replication}" ]] && rm -f "${was_started_with_replication}"
}

# Convert the .schema files listed (space-separated) in $1 to LDIF, writing
# each <name>.ldif next to its source, by running them through slaptest
# together with the base OpenLDAP schemas. Also normalises the global
# SCHEMA_TYPE to "rfc2307bis" or "nis", copying the bundled rfc2307bis schema
# into /etc/openldap/schema in the former case.
schema2ldif() {
  # NOTE(review): schemas, tmpd, slaptest_tmp and SCHEMA_TYPE are all globals;
  # only SCHEMA_TYPE looks intended to persist past this call.
  schemas=$1

  if [ "${SCHEMA_TYPE,,}" = "rfc2307bis" ]; then
    cp -R /container/data/openldap/config/bootstrap/schema/rfc2307bis/rfc2307bis.schema /etc/openldap/schema/
    SCHEMA_TYPE="rfc2307bis"
  else
    SCHEMA_TYPE="nis"
  fi

  # Work in a scratch directory; convert.dat and the relative paths below
  # live there until the popd at the end.
  tmpd=$(mktemp -d)
  pushd "${tmpd}" >>/dev/null
  echo "include /etc/openldap/schema/core.schema" | silent tee -a convert.dat
  echo "include /etc/openldap/schema/cosine.schema" | silent tee -a convert.dat
  echo "include /etc/openldap/schema/${SCHEMA_TYPE}.schema" | silent tee -a convert.dat
  echo "include /etc/openldap/schema/inetorgperson.schema" | silent tee -a convert.dat

  for schema in ${schemas}; do
    echo "include ${schema}" | silent tee -a convert.dat
  done

  # slaptest compiles convert.dat into a cn=config tree under slaptest_tmp.
  slaptest_tmp="$(mktemp -d)"
  silent slaptest -f convert.dat -F "${slaptest_tmp}"

  # NOTE(review): the status tested here is that of `silent`; it is only
  # meaningful if that helper propagates slaptest's exit code -- confirm.
  if [ "${?}" -ne 0 ]; then
    print_error "slaptest conversion failed!"
    # NOTE(review): a bare `exit` returns the status of the last command run
    # (print_error), so this failure is likely reported as success to the
    # supervisor; `exit 1` would surface it. tmpd and slaptest_tmp are also
    # left behind on this path.
    exit
  fi

  for schema in ${schemas}; do
    schema_name=$(basename "${schema}" .schema)
    schema_dir=$(dirname "${schema}")
    ldif_file=${schema_dir}/${schema_name}.ldif
    # Move the generated "*}<name>.ldif" file next to the source schema.
    # NOTE(review): the -name pattern is unquoted, so the shell expands it
    # against the current directory (tmpd) before find runs; quote it as
    # `-name "*}${schema_name}.ldif"`.
    find "${slaptest_tmp}" -name *\}${schema_name}.ldif -exec mv '{}' "${ldif_file}" \;
    # Point dn/cn at the target schema entry and drop the operational
    # attributes slaptest generated. The dn:/cn: patterns are unanchored and
    # replace any line containing them, not just the leading attribute.
    sed -i \
      -e "/dn:/ c dn: cn=${schema_name},cn=schema,cn=config" \
      -e "/cn:/ c cn: ${schema_name}" \
      -e '/structuralObjectClass/ d' \
      -e '/entryUUID/ d' \
      -e '/creatorsName/ d' \
      -e '/createTimestamp/ d' \
      -e '/entryCSN/ d' \
      -e '/modifiersName/ d' \
      -e '/modifyTimestamp/ d' \
      "${ldif_file}"
    # Remove blank and whitespace-only lines.
    sed -i '/^ *$/d' "${ldif_file}"
  done
  popd >>/dev/null
  # tmpd is cleaned up; slaptest_tmp (the generated config tree) is not.
  rm -rf "${tmpd}"
}
--------------------------------------------------------------------------------