diff --git a/CHANGELOG.md b/CHANGELOG.md index f0ae000f..2ecf27a5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,12 +4,26 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## [1.2.2] - 2018-09-04 +### Added + - Environment variable LDAP_NOFILE to setup a custom ulimit value #237 + +### Fixed + - Remove schema ambiguity #204 + - lidf typo in readme #217 + - Ignore all the folders started with . #232 + +### Security + - Fix self-edit security issue #239 + + Thanks to Yann Voumard for reporting this and @jonremy for the fix. + ## [1.2.1] - 2018-05-14 ### Security - The default "write" access to "*" by "self" in the file "config/bootstrap/ldif/02-security.ldif" allowed anyone to change all the data about himself. This includes the gid and uid numbers what could lead to serious security issues. - - This has been changed to ```olcAccess: to * by self read by dn="cn=admin,{{ LDAP_BASE_DN }}" write by * none"``` - + + This has been changed to ```olcAccess: to * by self read by dn="cn=admin,{{ LDAP_BASE_DN }}" write by * none"``` + Thanks to Francesc Escale for reporting this. ## [1.2.0] - 2018-03-02 diff --git a/Makefile b/Makefile index f088b93a..0f3cd49a 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ NAME = osixia/openldap -VERSION = 1.2.1 +VERSION = 1.2.2 .PHONY: build build-nocache test tag-latest push push-latest release git-tag-version diff --git a/README.md b/README.md index fa7bd512..599f50e3 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ ![Docker Stars](https://img.shields.io/docker/stars/osixia/openldap.svg) ![](https://images.microbadger.com/badges/image/osixia/openldap.svg) -Latest release: 1.2.1 - OpenLDAP 2.4.44 - [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/)  +Latest release: 1.2.2 - OpenLDAP 2.4.44 - [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/)  **A docker image to run OpenLDAP.** @@ -35,7 +35,7 @@ Latest release: 1.2.1 - OpenLDAP 2.4.44 - [Changelog](CHANGELOG.md) | [Docker H - [Link environment file](#link-environment-file) - [Make your own image or extend this image](#make-your-own-image-or-extend-this-image) - [Advanced User Guide](#advanced-user-guide) - - [Extend osixia/openldap:1.2.1 image](#extend-osixiaopenldap121-image) + - [Extend osixia/openldap:1.2.2 image](#extend-osixiaopenldap122-image) - [Make your own openldap image](#make-your-own-openldap-image) - [Tests](#tests) - [Kubernetes](#kubernetes) @@ -55,7 +55,7 @@ If you find this image useful here's how you can help: ## Quick Start Run OpenLDAP docker image: - docker run --name my-openldap-container --detach osixia/openldap:1.2.1 + docker run --name my-openldap-container --detach osixia/openldap:1.2.2 This start a new container with OpenLDAP running inside. Let's make the first search in our LDAP container: @@ -91,7 +91,7 @@ It will create an empty ldap for the company **Example Inc.** and the domain **e By default the admin has the password **admin**. All those default settings can be changed at the docker command line, for example: docker run --env LDAP_ORGANISATION="My Company" --env LDAP_DOMAIN="my-company.com" \ - --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.1 + --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.2 #### Data persistence @@ -141,12 +141,12 @@ argument to entrypoint if you don't want to overwrite them. # single file example: docker run \ --volume ./bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif \ - osixia/openldap:1.2.1 --copy-service + osixia/openldap:1.2.2 --copy-service #directory example: docker run \ - --volume ./lidf:/container/service/slapd/assets/config/bootstrap/ldif/custom \ - osixia/openldap:1.2.1 --copy-service + --volume ./ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom \ + osixia/openldap:1.2.2 --copy-service ### Use an existing ldap database @@ -157,7 +157,7 @@ simply mount this directories as a volume to `/var/lib/ldap` and `/etc/ldap/slap docker run --volume /data/slapd/database:/var/lib/ldap \ --volume /data/slapd/config:/etc/ldap/slapd.d \ - --detach osixia/openldap:1.2.1 + --detach osixia/openldap:1.2.2 You can also use data volume containers. Please refer to: > [https://docs.docker.com/engine/tutorials/dockervolumes/](https://docs.docker.com/engine/tutorials/dockervolumes/) @@ -177,7 +177,7 @@ If you are looking for a simple solution to administrate your ldap server you ca #### Use auto-generated certificate By default, TLS is already configured and enabled, certificate is created using container hostname (it can be set by docker run --hostname option eg: ldap.example.org). - docker run --hostname ldap.my-company.com --detach osixia/openldap:1.2.1 + docker run --hostname ldap.my-company.com --detach osixia/openldap:1.2.2 #### Use your own certificate @@ -187,24 +187,24 @@ You can set your custom certificate at run time, by mounting a directory contain --env LDAP_TLS_CRT_FILENAME=my-ldap.crt \ --env LDAP_TLS_KEY_FILENAME=my-ldap.key \ --env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \ - --detach osixia/openldap:1.2.1 + --detach osixia/openldap:1.2.2 Other solutions are available please refer to the [Advanced User Guide](#advanced-user-guide) #### Disable TLS Add --env LDAP_TLS=false to the run command: - docker run --env LDAP_TLS=false --detach osixia/openldap:1.2.1 + docker run --env LDAP_TLS=false --detach osixia/openldap:1.2.2 ### Multi master replication Quick example, with the default config. #Create the first ldap server, save the container id in LDAP_CID and get its IP: - LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.1) + LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.2) LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID) #Create the second ldap server, save the container id in LDAP2_CID and get its IP: - LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.1) + LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.2.2) LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID) #Add the pair "ip hostname" to /etc/hosts on each containers, @@ -240,7 +240,7 @@ You may have some problems with mounted files on some systems. The startup scrip To fix that run the container with `--copy-service` argument : - docker run [your options] osixia/openldap:1.2.1 --copy-service + docker run [your options] osixia/openldap:1.2.2 --copy-service ### Debug @@ -249,11 +249,11 @@ Available levels are: `none`, `error`, `warning`, `info`, `debug` and `trace`. Example command to run the container in `debug` mode: - docker run --detach osixia/openldap:1.2.1 --loglevel debug + docker run --detach osixia/openldap:1.2.2 --loglevel debug See all command line options: - docker run osixia/openldap:1.2.1 --help + docker run osixia/openldap:1.2.2 --help ## Environment Variables @@ -318,7 +318,7 @@ Replication options: If you want to set this variable at docker run command add the tag `#PYTHON2BASH:` and convert the yaml in python: - docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.2.1 + docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.2.2 To convert yaml to python online: http://yaml-online-parser.appspot.com/ @@ -338,7 +338,7 @@ Other environment variables: Environment variables can be set by adding the --env argument in the command line, for example: docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \ - --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.1 + --env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.2.2 Be aware that environment variable added in command line will be available at any time in the container. In this example if someone manage to open a terminal in this container @@ -349,14 +349,14 @@ he will be able to read the admin password in clear text from environment variab For example if your environment files **my-env.yaml** and **my-env.startup.yaml** are in /data/ldap/environment docker run --volume /data/ldap/environment:/container/environment/01-custom \ - --detach osixia/openldap:1.2.1 + --detach osixia/openldap:1.2.2 Take care to link your environment files folder to `/container/environment/XX-somedir` (with XX < 99 so they will be processed before default environment files) and not directly to `/container/environment` because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE). Note: the container will try to delete the **\*.startup.yaml** file after the end of startup files so the file will also be deleted on the docker host. To prevent that : use --volume /data/ldap/environment:/container/environment/01-custom**:ro** or set all variables in **\*.yaml** file and don't use **\*.startup.yaml**: docker run --volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \ - --detach osixia/openldap:1.2.1 + --detach osixia/openldap:1.2.2 #### Make your own image or extend this image @@ -364,13 +364,13 @@ This is the best solution if you have a private registry. Please refer to the [A ## Advanced User Guide -### Extend osixia/openldap:1.2.1 image +### Extend osixia/openldap:1.2.2 image If you need to add your custom TLS certificate, bootstrap config or environment files the easiest way is to extends this image. Dockerfile example: - FROM osixia/openldap:1.2.1 + FROM osixia/openldap:1.2.2 MAINTAINER Your Name ADD bootstrap /container/service/slapd/assets/config/bootstrap diff --git a/example/docker-compose.yml b/example/docker-compose.yml index ec33878d..c6c0520d 100644 --- a/example/docker-compose.yml +++ b/example/docker-compose.yml @@ -1,7 +1,7 @@ version: '2' services: openldap: - image: osixia/openldap:1.2.1 + image: osixia/openldap:1.2.2 container_name: openldap environment: LDAP_LOG_LEVEL: "256" diff --git a/example/extend-osixia-openldap/Dockerfile b/example/extend-osixia-openldap/Dockerfile index 29f4d416..c7b97fc9 100644 --- a/example/extend-osixia-openldap/Dockerfile +++ b/example/extend-osixia-openldap/Dockerfile @@ -1,4 +1,4 @@ -FROM osixia/openldap:1.2.1 +FROM osixia/openldap:1.2.2 MAINTAINER Your Name ADD bootstrap /container/service/slapd/assets/config/bootstrap diff --git a/example/kubernetes/simple/ldap-deployment.yaml b/example/kubernetes/simple/ldap-deployment.yaml index 3195a2c8..7d842e6c 100644 --- a/example/kubernetes/simple/ldap-deployment.yaml +++ b/example/kubernetes/simple/ldap-deployment.yaml @@ -13,7 +13,7 @@ spec: spec: containers: - name: ldap - image: osixia/openldap:1.2.1 + image: osixia/openldap:1.2.2 volumeMounts: - name: ldap-data mountPath: /var/lib/ldap diff --git a/example/kubernetes/using-secrets/ldap-deployment.yaml b/example/kubernetes/using-secrets/ldap-deployment.yaml index 84d7988d..f3f8e23e 100644 --- a/example/kubernetes/using-secrets/ldap-deployment.yaml +++ b/example/kubernetes/using-secrets/ldap-deployment.yaml @@ -13,7 +13,7 @@ spec: spec: containers: - name: ldap - image: osixia/openldap:1.2.1 + image: osixia/openldap:1.2.2 args: ["--copy-service"] volumeMounts: - name: ldap-data diff --git a/image/environment/default.startup.yaml b/image/environment/default.startup.yaml index 1c413d54..6a027d43 100644 --- a/image/environment/default.startup.yaml +++ b/image/environment/default.startup.yaml @@ -56,6 +56,9 @@ KEEP_EXISTING_CONFIG: false # Remove config after setup LDAP_REMOVE_CONFIG_AFTER_SETUP: true +# Ulimit +LDAP_NOFILE: 1024 + # ssl-helper environment variables prefix LDAP_SSL_HELPER_PREFIX: ldap # ssl-helper first search config from LDAP_SSL_HELPER_* variables, before SSL_HELPER_* variables. diff --git a/image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif b/image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif index ff13eaf5..56f77282 100644 --- a/image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif +++ b/image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif @@ -4,4 +4,4 @@ delete: olcAccess - add: olcAccess olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by anonymous auth by * none -olcAccess: to * by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by dn="cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}" read by * none +olcAccess: to * by self read by dn="cn=admin,{{ LDAP_BASE_DN }}" write by dn="cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}" read by * none diff --git a/image/service/slapd/process.sh b/image/service/slapd/process.sh index 7bf3413c..4fc54143 100755 --- a/image/service/slapd/process.sh +++ b/image/service/slapd/process.sh @@ -7,6 +7,6 @@ log-helper level eq trace && set -x # Reduce maximum number of number of open file descriptors to 1024 # otherwise slapd consumes two orders of magnitude more of RAM # see https://github.com/docker/docker/issues/8231 -ulimit -n 1024 +ulimit -n $LDAP_NOFILE exec /usr/sbin/slapd -h "ldap://$HOSTNAME ldaps://$HOSTNAME ldapi:///" -u openldap -g openldap -d $LDAP_LOG_LEVEL diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh index 702d9063..dd291b35 100755 --- a/image/service/slapd/startup.sh +++ b/image/service/slapd/startup.sh @@ -8,7 +8,7 @@ log-helper level eq trace && set -x # Reduce maximum number of number of open file descriptors to 1024 # otherwise slapd consumes two orders of magnitude more of RAM # see https://github.com/docker/docker/issues/8231 -ulimit -n 1024 +ulimit -n $LDAP_NOFILE # create dir if they not already exists [ -d /var/lib/ldap ] || mkdir -p /var/lib/ldap @@ -54,7 +54,7 @@ if [ ! -e "$FIRST_START_DONE" ]; then } function is_new_schema() { - local COUNT=$(ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config cn | grep -c $1) + local COUNT=$(ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config cn | grep -c "}$1,") if [ "$COUNT" -eq 0 ]; then echo 1 else @@ -87,8 +87,8 @@ if [ ! -e "$FIRST_START_DONE" ]; then # database and config directory are empty # setup bootstrap config - Part 1 # - if [ -z "$(ls -A -I lost+found -I .rmtab -I .gitignore /var/lib/ldap)" ] && \ - [ -z "$(ls -A -I lost+found -I .rmtab -I .gitignore /etc/ldap/slapd.d)" ]; then + if [ -z "$(ls -A -I lost+found --ignore=.* /var/lib/ldap)" ] && \ + [ -z "$(ls -A -I lost+found --ignore=.* /etc/ldap/slapd.d)" ]; then BOOTSTRAP=true log-helper info "Database and config directory are empty..." @@ -133,14 +133,14 @@ EOF # # Error: the database directory (/var/lib/ldap) is empty but not the config directory (/etc/ldap/slapd.d) # - elif [ -z "$(ls -A -I lost+found -I .rmtab /var/lib/ldap)" ] && [ ! -z "$(ls -A -I lost+found -I .rmtab /etc/ldap/slapd.d)" ]; then + elif [ -z "$(ls -A -I lost+found --ignore=.* /var/lib/ldap)" ] && [ ! -z "$(ls -A -I lost+found --ignore=.* /etc/ldap/slapd.d)" ]; then log-helper error "Error: the database directory (/var/lib/ldap) is empty but not the config directory (/etc/ldap/slapd.d)" exit 1 # # Error: the config directory (/etc/ldap/slapd.d) is empty but not the database directory (/var/lib/ldap) # - elif [ ! -z "$(ls -A -I lost+found -I .rmtab /var/lib/ldap)" ] && [ -z "$(ls -A -I lost+found -I .rmtab /etc/ldap/slapd.d)" ]; then + elif [ ! -z "$(ls -A -I lost+found --ignore=.* /var/lib/ldap)" ] && [ -z "$(ls -A -I lost+found --ignore=.* /etc/ldap/slapd.d)" ]; then log-helper error "Error: the config directory (/etc/ldap/slapd.d) is empty but not the database directory (/var/lib/ldap)" exit 1