Merge branch 'hotfix-0.10.2' into stable

CHANGELOG.md

@@ -1,8 +1,30 @@
-## 0.10.1 (release date: 2015-05-17)
- - Add ldapi
- - Add custom ldap schema
- - Auto convert .schema to .ldif
- - Fixes issues #2 #3
+# Changelog
 
-## 0.10.0 (release date: 2015-03-03)
+## 0.10.2
+
+ - New features:
+ - Bootstrap config, only on non existing slapd config
+ - Limit max open file descriptors to fix slapd memory usage (#9)
+ - Don't disable network access from outside (#8)
+ - Make log level configurable via environment variable (#7)
+ - Support for ldaps (#10)
+
+
+ - Fixes:
+ - Unable to start container with the following invocation. (#6)
+
+## 0.10.1
+
+ - New features:
+ - Add ldapi
+ - Add ldapi
+ - Add custom ldap schema
+ - Auto convert .schema to .ldif
+
+
+ - Fixes :
+ - Docker VOLUME is not needed to be able to stop a container without losing data (#2)
+ - starting from old data (#3)
+
+## 0.10.0
  - New version initial release

Makefile

@@ -1,5 +1,5 @@
 NAME = osixia/openldap
-VERSION = 0.10.1
+VERSION = 0.10.2
 
 .PHONY: all build test tag_latest release
 
@@ -19,4 +19,3 @@ release: build test tag_latest
  @if ! head -n 1 CHANGELOG.md | grep -q 'release date'; then echo 'Please note the release date in Changelog.md.' && false; fi
  docker push $(NAME)
  @echo "*** Don't forget to run 'twgit release/hotfix finish' :)"
-

README.md

@@ -6,29 +6,27 @@ A docker image to run OpenLDAP.
 Fork of Nick Stenning docker-slapd :
 https:/nickstenning/docker-slapd
 
-Add support of tls. Use docker 1.5.0
+Add support of TLS and multi master replication.
 
 ## Quick start
 Run OpenLDAP docker image :
 
- docker run -d osixia/openldap
- 
+ docker run -h ldap.example.org -d osixia/openldap
+
 This start a new container with a OpenLDAP server running inside.
 The odd string printed by this command is the `CONTAINER_ID`.
 We are going to use this `CONTAINER_ID` to execute some commands inside the container.
 
-Wait 1 or 2 minutes the container startup to be completed.
-
 Then run a terminal on this container,
 make sure to replace `CONTAINER_ID` by your container id :
 
  docker exec -it CONTAINER_ID bash
 
-You should now be in the container terminal, 
+You should now be in the container terminal,
 and we can search on the ldap server :
- 
- ldapsearch -x -h 127.0.0.1 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
- 
+
+ ldapsearch -x -h ldap.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
+
 This should output :
 
  # extended LDIF
@@ -38,17 +36,17 @@ This should output :
  # filter: (objectclass=*)
  # requesting: ALL
  #
- 
+
  [...]
 
  # numResponses: 3
  # numEntries: 2
- 
+
 if you have the following error, OpenLDAP is not started yet, wait some time.
 
   ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
- 
- 
+
+
 ## Examples
 
 ### Create new ldap server
@@ -58,7 +56,7 @@ It will create an empty ldap for the compagny **Example Inc.** and the domain **
 
 By default the admin has the password **admin**. All those default settings can be changed at the docker command line, for example :
 
- docker run -e LDAP_ORGANISATION="My Compagny" -e LDAP_DOMAIN="my-compagny.com" \
+ docker run -h ldap.example.org -e LDAP_ORGANISATION="My Compagny" -e LDAP_DOMAIN="my-compagny.com" \
  -e LDAP_ADMIN_PASSWORD="JonSn0w" -d osixia/openldap
 
 #### Data persitance
@@ -71,15 +69,15 @@ For more information about docker data volume, please refer to :
 
 > [https://docs.docker.com/userguide/dockervolumes/](https://docs.docker.com/userguide/dockervolumes/)
 
- 
+
 ### Use an existing ldap database
 
-This can be achieved by mounting host directories as volume. 
+This can be achieved by mounting host directories as volume.
 Assuming you have a LDAP database on your docker host in the directory `/data/slapd/database`
 and the corresponding LDAP config files on your docker host in the directory `/data/slapd/config`
 simply mount this directories as a volume to `/var/lib/ldap` and `/etc/ldap/slapd.d`:
 
- docker run -v /data/slapd/database:/var/lib/ldap \
+ docker run -h ldap.example.org -v /data/slapd/database:/var/lib/ldap \
  -v /data/slapd/config:/etc/ldap/slapd.d
  -d osixia/openldap
 
@@ -89,36 +87,86 @@ You can also use data volume containers. Please refer to :
 ### Using TLS
 
 #### Use autogenerated certificate
-By default TLS is enable, a certificate is created for the CN (common name) ldap.example.org. To work properly on your server adjust SERVER_NAME environment variable to match the ldap server CN.
+By default TLS is enable, a certificate is created with the container hostname (set by -h option eg: ldap.example.org).
 
- docker run -e SERVER_NAME=ldap.my-compagny.com -d osixia/openldap
+ docker run -h ldap.example.org -e SERVER_NAME=ldap.my-compagny.com -d osixia/openldap
 
 #### Use your own certificate
 
 Add your custom certificate, private key and CA certificate in the directory **image/service/slapd/assets/ssl** adjust filename in **image/env.yml** and rebuild the image ([see manual build](#manual-build)).
 
-Or you can set your custom certificate at run time, by mouting your a directory containing thoses files to **/osixia/slapd/ssl** and adjust there name with the following environment variables :
+Or you can set your custom certificate at run time, by mouting a directory containing thoses files to **/osixia/slapd/assets/ssl** and adjust there name with the following environment variables :
 
- docker run -v /path/to/certifates:/osixia/slapd/ssl \
+ docker run -h ldap.example.org -v /path/to/certifates:/osixia/slapd/assets/ssl \
  -e SSL_CRT_FILENAME=my-ldap.crt \
  -e SSL_KEY_FILENAME=my-ldap.key \
  -e SSL_CA_CRT_FILENAME=the-ca.crt \
  -d osixia/openldap
- 
+
 #### Disable TLS
 Add -e USE_TLS=false to the run command :
 
- docker run -e USE_TLS=false -d osixia/openldap
+ docker run -h ldap.example.org -e USE_TLS=false -d osixia/openldap
+
+### Multi master replication
+Quick example, with the default config.
+
+Create the first ldap server, save the container id in LDAP_CID and get its IP:
+
+ LDAP_CID=$(docker run -h ldap.example.org -e USE_REPLICATION=true -d osixia/openldap)
+ LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID)
+
+Create the second ldap server, save the container id in LDAP2_CID and get its IP:
+
+ LDAP2_CID=$(docker run -h ldap2.example.org -e USE_REPLICATION=true -d osixia/openldap)
+ LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID)
+
+Add the pair "ip hostname" to /etc/hosts on each containers,
+beacause ldap.example.org and ldap2.example.org are fake hostnames
+
+ docker exec $LDAP_CID /osixia/test/add-host.sh $LDAP2_IP ldap2.example.org
+ docker exec $LDAP2_CID /osixia/test/add-host.sh $LDAP_IP ldap.example.org
+
+We reload slapd to let him take into consideration /etc/hosts changes
+
+ docker exec $LDAP_CID pkill slapd
+ docker exec $LDAP2_CID pkill slapd
+
+That's it ! But a litle test to be sure :
+
+Add a new user "billy" on the first ldap server
+
+ docker exec $LDAP_CID ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /osixia/test/new-user.ldif -h ldap.example.org -ZZ
+
+Search on the second ldap server, and billy should show up !
+
+ docker exec $LDAP2_CID ldapsearch -x -h ldap2.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -ZZ
+
+ [...]
+
+ # billy, example.org
+ dn: uid=billy,dc=example,dc=org
+ uid: billy
+ cn: billy
+ sn: 3
+ objectClass: top
+ objectClass: posixAccount
+ objectClass: inetOrgPerson
+ [...]
+
 
 ## Administrate your ldap server
 If you are looking for a simple solution to administrate your ldap server you can take a look at our phpLDAPadmin docker image :
 > [osixia/phpldapadmin](https:/osixia/docker-phpLDAPadmin)
 
 ## Environment Variables
 
-Environement variables defaults are set in **image/env.yml**. You can modify environment variable values directly in this file and rebuild the image ([see manual build](#manual-build)) or you can override those values at run time with -e argument. See example below.
+Environement variables defaults are set in **image/env.yml**. You can modify environment variable values directly in this file and rebuild the image ([see manual build](#manual-build)). You can also override those values at run time with -e argument or by setting your own env.yml file as a docker volume to `/etc/env.yml`. See examples below.
+
+General container configuration :
+- **LDAP_LOG_LEVEL**: Slap log level. defaults to `-1`. See table 5.1 in http://www.openldap.org/doc/admin24/slapdconf2.html for the available log levels.
 
-Required for new ldap server :
+Required and used for new ldap server only :
 - **LDAP_ORGANISATION**: Organisation name. Defaults to `Example Inc.`
 - **LDAP_DOMAIN**: Ldap domain. Defaults to `example.org`
 - **LDAP_ADMIN_PASSWORD** Admin password. Defaults to `admin`
@@ -128,15 +176,25 @@ TLS options :
 - **SSL_CRT_FILENAME**: Ldap ssl certificate filename. Defaults to `ldap.crt`
 - **SSL_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
 - **SSL_CA_CRT_FILENAME**: Ldap ssl CA certificate filename. Defaults to `ca.crt`
-- **SERVER_NAME**: Use by autogenerated certificate: Server CN. Defaults to `ldap.example.org`
+
+Replication options :
+- **USE_REPLICATION**: Add openldap replication capabilities. Defaults to `false`
+- **REPLICATION_CONFIG_SYNCPROV**: olcSyncRepl options used for the config database. Without **rid** and **provider** which are automaticaly added based on REPLICATION_HOSTS. Defaults to `binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical`
+- **REPLICATION_HDB_SYNCPROV**: olcSyncRepl options used for the HDB database. Without **rid** and **provider** which are automaticaly added based on REPLICATION_HOSTS. Defaults to `binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=critical`
+- **REPLICATION_HOSTS**: list of replication hosts, must contains the current container hostname set by -h on docker run command. Defaults to `['ldap://ldap.example.org', 'ldap://ldap2.example.org']`
 
 ### Set environment variables at run time :
 
 Environment variable can be set directly by adding the -e argument in the command line, for example :
- 
- docker run -e LDAP_ORGANISATION="My Compagny" -e LDAP_DOMAIN="my-compagny.com" \
+
+ docker run -h ldap.example.org -e LDAP_ORGANISATION="My Compagny" -e LDAP_DOMAIN="my-compagny.com" \
  -e LDAP_ADMIN_PASSWORD="JonSn0w" -d osixia/openldap
 
+Or by setting your own `env.yml` file as a docker volume to `/etc/env.yml`
+
+ docker run -h ldap.example.org -v /data/my-ldap-env.yml:/etc/env.yml \
+ -d osixia/openldap
+
 ## Manual build
 
 Clone this project :
@@ -148,18 +206,18 @@ Adapt Makefile, set your image NAME and VERSION, for example :
 
  NAME = osixia/openldap
  VERSION = 0.10.0
- 
+
  becomes :
  NAME = billy-the-king/openldap
  VERSION = 0.1.0
 
 Build your image :
- 
+
  make build
- 
+
 Run your image :
 
- docker run -d billy-the-king/openldap:0.1.0
+ docker run -h ldap.example.org -d billy-the-king/openldap:0.1.0
 
 ## Tests
 
@@ -170,5 +228,3 @@ We use **Bats** (Bash Automated Testing System) to test this image:
 Install Bats, and in this project directory run :
 
  make test
-
-

image/Dockerfile

@@ -1,4 +1,4 @@
-FROM osixia/baseimage:0.10.4
+FROM osixia/baseimage:0.10.5
 MAINTAINER Bertrand Gouny <[email protected]>
 
 # Use baseimage-docker's init system.
@@ -7,24 +7,21 @@ CMD ["/sbin/my_init"]
 # Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
 RUN groupadd -r openldap && useradd -r -g openldap openldap
 
-# Install OpenLDAP and ldap-utils (and ssl-kit from baseimage), remove default ldap db
+# Install OpenLDAP, ldap-utils and ssl-kit from baseimage, remove default ldap db
 RUN apt-get -y update && /sbin/enable-service ssl-kit \
- && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y --force-yes --no-install-recommends slapd ldap-utils \
- && rm -rf /var/lib/ldap
+ && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y --force-yes --no-install-recommends \
+ slapd ldap-utils ntp \
+ && rm -rf /var/lib/ldap /etc/ldap/slapd.d
 
-# Add OpenLDAP assets
-ADD service/slapd/assets /osixia/slapd
+# Add service directory to /osixia
+ADD service /osixia
 
-# Clean all
-RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+# Use baseimage service auto-install script and clean all
+RUN ./sbin/auto-install && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 # Add default env variables
 ADD env.yml /etc/env.yml
 
-# Add OpenLDAP container start config & daemon
-ADD service/slapd/container-start.sh /etc/my_init.d/slapd
-ADD service/slapd/daemon.sh /etc/service/slapd/run
-
 # Set OpenLDAP data and config directories in a data volume
 VOLUME ["/var/lib/ldap", "/etc/ldap/slapd.d"]
 

image/env.yml

@@ -1,11 +1,26 @@
 LDAP_ORGANISATION: Example Inc.
 LDAP_DOMAIN: example.org
 LDAP_ADMIN_PASSWORD: admin
-LDAP_LOG_LEVEL: -1
+LDAP_CONFIG_PASSWORD: config
 
-SERVER_NAME: ldap.example.org
+#See table 5.1 in http://www.openldap.org/doc/admin24/slapdconf2.html for the available log levels.
+LDAP_LOG_LEVEL: -1
 
 USE_TLS: true
 SSL_CRT_FILENAME: ldap.crt
 SSL_KEY_FILENAME: ldap.key
 SSL_CA_CRT_FILENAME: ca.crt
+
+
+USE_REPLICATION: false
+# variables $BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD and $SSL_*
+# are automaticaly replaced at run time
+
+# if you want to add replication to an existing ldap
+# adapt REPLICATION_CONFIG_SYNCPROV and REPLICATION_HDB_SYNCPROV to your configuration
+# avoid using $BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
+REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical
+REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=critical
+REPLICATION_HOSTS:
+ - ldap://ldap.example.org # The order must be the same on all ldap servers
+ - ldap://ldap2.example.org

image/service/slapd/assets/config/bootstrap/README.md

@@ -0,0 +1 @@
+Bootstrap config, for a container started without an existing ldap config.

image/service/slapd/assets/config/bootstrap/ldif/config-password.ldif

@@ -0,0 +1,7 @@
+# Set config password
+dn: cn=config
+changeType: modify
+
+dn: olcDatabase={0}config,cn=config
+add: olcRootPW
+olcRootPW: {{ CONFIG_PASSWORD_ENCRYPTED }}

image/service/slapd/assets/config/bootstrap/ldif/index.ldif

@@ -0,0 +1,6 @@
+# Add indexes
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+replace: olcDbIndex
+olcDbIndex: entryCSN eq
+olcDbIndex: entryUUID eq

image/service/slapd/assets/config/logging.ldif → image/service/slapd/assets/config/bootstrap/ldif/logging.ldif

@@ -1,4 +1,4 @@
 dn: cn=config
 changetype: modify
 replace: olcLogLevel
-olcLogLevel: stats
+olcLogLevel: stats

image/service/slapd/assets/config/bootstrap/schema/README.md

@@ -0,0 +1 @@
+Bootstrap schemas, for a container started without an existing ldap config.