From 0d87372473efa7ccbe3e97860defb217ab0fdb09 Mon Sep 17 00:00:00 2001
From: Bryce Gibson
Date: Fri, 14 May 2021 16:19:51 +1000
Subject: [PATCH] Ensure files are owned by the openldap user.

By default these are created as root (the current user) so chown them to openldap to respect the configured uid:gid.

```
$ find slapd.d -uid 0 -o -gid 0
slapd.d/docker-openldap-was-admin-password-set
slapd.d/docker-openldap-was-started-with-tls
```

After this change these are owned by the intended uid:gid.
---
 image/service/slapd/startup.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/image/service/slapd/startup.sh b/image/service/slapd/startup.sh
index dae1bd2..5d14247 100755
--- a/image/service/slapd/startup.sh
+++ b/image/service/slapd/startup.sh
@@ -426,12 +426,14 @@ EOF
     echo "export PREVIOUS_LDAP_TLS_CRT_PATH=${LDAP_TLS_CRT_PATH}" >> $WAS_STARTED_WITH_TLS
     echo "export PREVIOUS_LDAP_TLS_KEY_PATH=${LDAP_TLS_KEY_PATH}" >> $WAS_STARTED_WITH_TLS
     echo "export PREVIOUS_LDAP_TLS_DH_PARAM_PATH=${LDAP_TLS_DH_PARAM_PATH}" >> $WAS_STARTED_WITH_TLS
+    chown openldap:openldap $WAS_STARTED_WITH_TLS
 
     # enforce TLS
     if [ "${LDAP_TLS_ENFORCE,,}" == "true" ]; then
       log-helper info "Add enforce TLS..."
       ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enforce-enable.ldif 2>&1 | log-helper debug
       touch $WAS_STARTED_WITH_TLS_ENFORCE
+      chown openldap:openldap $WAS_STARTED_WITH_TLS_ENFORCE
 
     # disable tls enforcing (not possible for now)
     #else
@@ -519,6 +521,7 @@ EOF
 
   else
     touch "$WAS_ADMIN_PASSWORD_SET"
+    chown openldap:openldap "$WAS_ADMIN_PASSWORD_SET"
   fi
 
   #
@@ -559,6 +562,7 @@ EOF
   #
   log-helper info "First start is done..."
   touch $FIRST_START_DONE
+  chown openldap:openldap $FIRST_START_DONE
 fi
 
 ln -sf ${CONTAINER_SERVICE_DIR}/slapd/assets/.ldaprc $HOME/.ldaprc
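Review bot: The two new `chown` lines in the first hunk expand `$WAS_STARTED_WITH_TLS` and `$WAS_STARTED_WITH_TLS_ENFORCE` unquoted, while the second hunk quotes `"$WAS_ADMIN_PASSWORD_SET"` for the same call; the patch should be consistent and quote both, `chown openldap:openldap "$WAS_STARTED_WITH_TLS"` and `chown openldap:openldap "$WAS_STARTED_WITH_TLS_ENFORCE"` (ShellCheck SC2086). The result of `chown` is also not checked: if the `openldap` name does not resolve to the configured uid:gid in this container, the marker file silently stays root-owned, which is exactly the condition the commit message says it fixes, so consider `chown openldap:openldap "$WAS_STARTED_WITH_TLS" || log-helper warning "could not chown $WAS_STARTED_WITH_TLS"` or whatever failure handling the surrounding script uses. The enclosing `if` blocks for the TLS and TLS-enforce sections start outside the hunk, so whether `set -e` would already abort here cannot be seen from the diff.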
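Review bot: In the last hunk `chown openldap:openldap $FIRST_START_DONE` leaves the path unquoted, unlike the quoted `"$WAS_ADMIN_PASSWORD_SET"` form used two hunks earlier; quote it as `chown openldap:openldap "$FIRST_START_DONE"`. Since the patch now repeats the same `touch` + `chown openldap:openldap` pair four times, a small helper near the top of the script would keep the ownership and quoting consistent in one place, e.g. `mark_done() { touch "$1" && chown openldap:openldap "$1"; }` and then `mark_done "$FIRST_START_DONE"`. The `if [ ! -e "$FIRST_START_DONE" ]` block this `fi` closes begins outside the hunk.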