
rejig dockerfile to work around ineffective memberof bug

tags/openldap-7
Arthur Schiwon 6 months ago
parent
commit
020a61d9ce
4 changed files with 103 additions and 1 deletions
  1. 36
    1
      openldap/Dockerfile
  2. 25
    0
      openldap/entrypoint.sh
  3. 33
    0
      openldap/modules/memberof.ldif
  4. 9
    0
      openldap/slapf_config

+ 36
- 1
openldap/Dockerfile View File

@@ -1,5 +1,40 @@
FROM dinkel/openldap:latest
# Based on https://github.com/dinkel/docker-openldap by Christian Luginbühl, MIT licensed
# simplified to our needs to due https://github.com/dinkel/docker-openldap/issues/21
# (Proposed my solution in https://github.com/dinkel/docker-openldap/issues/21#issuecomment-468839994)

FROM debian:stretch

MAINTAINER Arthur Schiwon <blizzz@arthur-schiwon.de>

ENV OPENLDAP_VERSION 2.4.44

RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
slapd=${OPENLDAP_VERSION}* ldap-utils=${OPENLDAP_VERSION}* && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*

RUN mv /etc/ldap /etc/ldap.dist

COPY modules/ /etc/ldap.dist/modules
COPY LDIFs/* /etc/ldap/prepopulate/

RUN cp -r /etc/ldap.dist/* /etc/ldap

COPY slapf_config /tmp/slapd_config
RUN cat /tmp/slapd_config | debconf-set-selections \
&& dpkg-reconfigure -f noninteractive slapd >/dev/null 2>&1 \
&& rm /tmp/slapd_config \
&& sed -i "s/^#BASE.*/BASE c=nextcloud,dc=ci/g" /etc/ldap/ldap.conf \
&& slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/memberof.ldif" \
&& chown -R openldap:openldap /etc/ldap/slapd.d/ /var/lib/ldap/ /var/run/slapd/

COPY entrypoint.sh /entrypoint.sh

EXPOSE 389

VOLUME ["/etc/ldap", "/var/lib/ldap"]

ENTRYPOINT ["/entrypoint.sh"]

CMD ["slapd", "-d", "32768", "-u", "openldap", "-g", "openldap"]
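Review bot: The `sed` in the reconfigure RUN writes `BASE c=nextcloud,dc=ci` into ldap.conf, which does not match the suffix `dc=nextcloud,dc=ci` that entrypoint.sh binds against and that the `slapd/domain string nextcloud.ci` preseed produces; `c=` is the country attribute, so this looks like a typo and the line should read `&& sed -i "s/^#BASE.*/BASE dc=nextcloud,dc=ci/g" /etc/ldap/ldap.conf \`. The preseed is COPY'd as its own layer before the `rm /tmp/slapd_config`, so the file (admin password included) remains in the image; feeding it from the build context inside the same RUN (a BuildKit `--mount=type=bind,source=slapf_config,target=/tmp/slapd_config`, or a secret mount) would keep it out of the layers, and `debconf-set-selections < /tmp/slapd_config` avoids the unguarded `cat |` pipe. `MAINTAINER` is deprecated in favour of `LABEL`, and `ENV OPENLDAP_VERSION 2.4.44` should use the `ENV OPENLDAP_VERSION=2.4.44` form.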

+ 25
- 0
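--- a/openldap/entrypoint.sh
+++ b/openldap/entrypoint.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# When not limiting the open file descritors limit, the memory consumption of
+# slapd is absurdly high. See https://github.com/docker/docker/issues/8231
+ulimit -n 8192
+
+set -em
+
+"$@" &
+
+# apt install errors with conflicts due to the slapd state (and its version perhaps) in the Dockerfile
+# marking it "hold" does not work due to other dependencies.
+#apt update && \
+# DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y ldap-utils && \
+# apt clean && \
+# rm -rf /var/lib/apt/lists/*
+# we enable job control to send the slapd to background, but still to be able to pre-populate
+# the directory AND having memberof already working.
+sleep 2 # might be a race condition
+for file in `ls /etc/ldap/prepopulate/*.ldif`; do
+ldapadd -x -D "cn=admin,dc=nextcloud,dc=ci" -w "$SLAPD_PASSWORD" -f "$file"
+done
+fg
+
+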
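Review bot: The `sleep 2` before the pre-populate loop is already flagged as a race in its own comment; polling slapd until it answers an anonymous root-DSE search is cheap and removes the guess, and `for file in \`ls /etc/ldap/prepopulate/*.ldif\`` should be the plain glob `for file in /etc/ldap/prepopulate/*.ldif` (the `ls` is redundant and word-splits its output). `SLAPD_PASSWORD` is read here but never set by the Dockerfile, so the image silently depends on the caller exporting a value matching the `admin` preseed; a comment at the top naming that contract would help. Because bash stays PID 1 and slapd runs as a job, the SIGTERM from `docker stop` is probably not forwarded to slapd — worth checking, and a `trap` that forwards it would fix it if so.
```shell
# … unchanged: ulimit, set -em, "$@" & …
# Wait until slapd answers instead of guessing with a fixed sleep.
for _ in $(seq 1 30); do
    ldapsearch -x -H ldap://localhost -b "" -s base >/dev/null 2>&1 && break
    sleep 1
done
shopt -s nullglob
for file in /etc/ldap/prepopulate/*.ldif; do
    ldapadd -x -D "cn=admin,dc=nextcloud,dc=ci" -w "$SLAPD_PASSWORD" -f "$file"
done
fg
```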
+ 33
- 0
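--- a/openldap/modules/memberof.ldif
+++ b/openldap/modules/memberof.ldif
@@ -0,0 +1,33 @@
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: memberof.la
+
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: refint.la
+
+dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof member manager owner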
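Review bot: Two entries share the DN `cn=module,cn=config`; slapadd is expected to renumber them to `cn=module{0}` and `cn=module{1}`, but relying on that is fragile, and the usual form is one module entry carrying both `olcModuleLoad: memberof.la` and `olcModuleLoad: refint.la` lines. The overlay DNs hard-code `olcDatabase={1}hdb`, which only holds while slapf_config keeps `slapd/backend select HDB`; a leading `# overlay DNs assume the HDB backend selected in slapf_config` comment would make that coupling visible to whoever changes either file. `olcMemberOfRefInt: TRUE` alongside a separate refint overlay that lists `memberof` does referential-integrity maintenance twice; if that is deliberate, a one-line comment saying why would save the next reader the question.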
+ 9
- 0
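--- a/openldap/slapf_config
+++ b/openldap/slapf_config
@@ -0,0 +1,9 @@
+slapd slapd/no_configuration boolean false
+slapd slapd/password1 password admin
+slapd slapd/password2 password admin
+slapd shared/organization string Nextcloud
+slapd slapd/domain string nextcloud.ci
+slapd slapd/backend select HDB
+slapd slapd/allow_ldap_v2 boolean false
+slapd slapd/purge_database boolean false
+slapd slapd/move_old_database boolean true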
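Review bot: The admin password is fixed to `admin` in `slapd/password1`/`slapd/password2` and is baked into the image's debconf database, so anyone holding the image can bind as `cn=admin,dc=nextcloud,dc=ci`; for a CI-only fixture that is acceptable, but a header comment such as `# CI fixture only: fixed admin password, not for use outside the test network` would keep it from being reused elsewhere. The file name `slapf_config` reads like a typo of `slapd_config` — the Dockerfile even copies it to `/tmp/slapd_config` — and renaming it would avoid the confusion.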