Update to debian jessie

* Move most envvars into scripts
* Generate snake oil certificate on container build

Author: rroemhild

Dockerfile

@@ -1,21 +1,18 @@
-FROM debian:7
+FROM debian:jessie
 MAINTAINER Rafael Römhild <[email protected]>
 
-ENV DEBUG_LEVEL 256
-ENV LDAP_DOMAIN planetexpress.com
-ENV LDAP_ADMIN_SECRET GoodNewsEveryone
-ENV LDAP_ORGANISATION Planet Express, Inc.
-ENV DEBIAN_FRONTEND noninteractive
-
 # Install slapd and requirements
 RUN apt-get update \
-    && apt-get -y --no-install-recommends install \
-        slapd \
-        ldap-utils \
-        openssl \
-        ca-certificates \
+    && DEBIAN_FRONTEND=noninteractive apt-get \
+        install -y --no-install-recommends \
+            slapd \
+            ldap-utils \
+            openssl \
+            ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
+ENV LDAP_DEBUG_LEVEL=256
+
 # Create TLS certificate and bootstrap directory
 RUN mkdir /etc/ldap/ssl /bootstrap
 
@@ -33,5 +30,5 @@ VOLUME ["/etc/ldap/slapd.d", "/etc/ldap/ssl", "/var/lib/ldap", "/run/slapd"]
 EXPOSE 389
 EXPOSE 636
 
-CMD []
-ENTRYPOINT ["/bin/bash", "/run.sh"]
+CMD ["/bin/bash", "/run.sh"]
+ENTRYPOINT []

README.md

@@ -14,8 +14,7 @@ The Flask extension [flask-ldapconn][flaskldapconn] use this image for unit test
 
 ## Features
 
-* Support for TLS
-* Autogenerated snake oil cert
+* Support for TLS (snake oil cert on build)
 * Initialized with data from Futurama
 * ~180MB Images size
 
@@ -30,7 +29,7 @@ docker run --privileged -d -p 389:389 rroemhild/test-openldap
 ## Exposed ports
 
 * 389
-
+* 636
 
 ## Exposed volumes
 
@@ -155,4 +154,3 @@ docker run --privileged -d -p 389:389 rroemhild/test-openldap
 | ou               | Delivering Crew |
 | uid              | bender |
 | userPassword     | bender |
-

bootstrap/config/tls.ldif

@@ -8,4 +8,3 @@ olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key
 -
 replace: olcTLSVerifyClient
 olcTLSVerifyClient: never
-

bootstrap/slapd-init.sh

@@ -4,23 +4,22 @@ set -eu
 readonly DATA_DIR="/bootstrap/data"
 readonly CONFIG_DIR="/bootstrap/config"
 
+readonly LDAP_DOMAIN=planetexpress.com
+readonly LDAP_ORGANISATION="Planet Express, Inc."
 readonly LDAP_BINDDN="cn=admin,dc=planetexpress,dc=com"
+readonly LDAP_SECRET=GoodNewsEveryone
 
-
-file_exist() {
-    local file=$1
-
-    [[ -e $file ]]
-}
+readonly LDAP_SSL_KEY="/etc/ldap/ssl/ldap.key"
+readonly LDAP_SSL_CERT="/etc/ldap/ssl/ldap.crt"
 
 
 reconfigure_slapd() {
     echo "Reconfigure slapd..."
     cat <<EOL | debconf-set-selections
-slapd slapd/internal/generated_adminpw password ${LDAP_ADMIN_SECRET}
-slapd slapd/internal/adminpw password ${LDAP_ADMIN_SECRET}
-slapd slapd/password2 password ${LDAP_ADMIN_SECRET}
-slapd slapd/password1 password ${LDAP_ADMIN_SECRET}
+slapd slapd/internal/generated_adminpw password ${LDAP_SECRET}
+slapd slapd/internal/adminpw password ${LDAP_SECRET}
+slapd slapd/password2 password ${LDAP_SECRET}
+slapd slapd/password1 password ${LDAP_SECRET}
 slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
 slapd slapd/domain string ${LDAP_DOMAIN}
 slapd shared/organization string ${LDAP_ORGANISATION}
@@ -32,7 +31,22 @@ slapd slapd/no_configuration boolean false
 slapd slapd/dump_database select when needed
 EOL
 
-    dpkg-reconfigure slapd
+    DEBIAN_FRONTEND=noninteractive dpkg-reconfigure slapd
+}
+
+
+make_snakeoil_certificate() {
+    echo "Make snakeoil certificate for ${LDAP_DOMAIN}..."
+    openssl req -subj "/CN=${LDAP_DOMAIN}" \
+                -new \
+                -newkey rsa:2048 \
+                -days 365 \
+                -nodes \
+                -x509 \
+                -keyout ${LDAP_SSL_KEY} \
+                -out ${LDAP_SSL_CERT}
+
+    chmod 600 ${LDAP_SSL_KEY}
 }
 
 
@@ -55,7 +69,7 @@ load_initial_data() {
         echo "Processing file ${ldif}..."
         ldapadd -x -H ldapi:/// \
           -D ${LDAP_BINDDN} \
-          -w ${LDAP_ADMIN_SECRET} \
+          -w ${LDAP_SECRET} \
           -f ${ldif}
     done
 }
@@ -64,7 +78,7 @@ load_initial_data() {
 ## Init
 
 reconfigure_slapd
-
+make_snakeoil_certificate
 chown -R openldap:openldap /etc/ldap
 slapd -h "ldapi:///" -u openldap -g openldap
 
@@ -75,4 +89,3 @@ load_initial_data
 kill -INT `cat /run/slapd/slapd.pid`
 
 exit 0
-

run.sh

@@ -1,31 +1,9 @@
 #!/bin/sh
 set -e
 
-readonly LDAP_SSL_KEY="/etc/ldap/ssl/ldap.key"
-readonly LDAP_SSL_CERT="/etc/ldap/ssl/ldap.crt"
-
-
-make_snakeoil_certificate() {
-    echo "Make snakeoil certificate for ${LDAP_DOMAIN}..."
-    openssl req -subj "/CN=${LDAP_DOMAIN}" \
-                -new \
-                -newkey rsa:2048 \
-                -days 365 \
-                -nodes \
-                -x509 \
-                -keyout ${LDAP_SSL_KEY} \
-                -out ${LDAP_SSL_CERT}
-
-    chmod 600 ${LDAP_SSL_KEY}
-}
-
-
-file_exist ${LDAP_SSL_CERT} \
-  || make_snakeoil_certificate
-
 echo "starting slapd on port 389 and 636..."
 chown -R openldap:openldap /etc/ldap
 exec /usr/sbin/slapd -h "ldap:/// ldapi:/// ldaps:///" \
   -u openldap \
   -g openldap \
-  -d ${DEBUG_LEVEL}
+  -d ${LDAP_DEBUG_LEVEL}