
RE: Environment variable in slapd config

Cool thanks! I am more of a fan of CentOS because then I can fall back on 
RedHat support, especially for production environments. I am not sure 
your script is tackling the issue described here, but looking at it, I 
think you can also add --no-cache. You should beware of ENV 
LDAP_ROOTPASS that stays when the task is launched (at least on mesos); 
better work with the hashes. Furthermore I try to run as few tasks as 
possible under root, so I am binding to a high port ;) I also need to be 
able to use slapadd, otherwise syncing will take too long.

So at the moment mine looks like this ;)


# Version: 0.0.1 - openldap
FROM centos:7

ENV SLAPD_USER="ldap" \
    SLAPD_UID=10061 \
    SLAPD_CFG_DIR="/etc/openldap/" \
    SLAPD_DATA_DIR="/var/lib/ldap" \
    SLAPD_KEY_DIR="/etc/pki/tls/private" \
    SLAPD_CRT_DIR="/etc/pki/tls/certs" \
    SLAPD_OPTS="-d 0 -4 -u ldap" \
    SLAPD_URLS="ldap://0.0.0.0:8443/"

# create user/group
RUN groupadd $SLAPD_USER -g $SLAPD_UID \
    && useradd $SLAPD_USER -u $SLAPD_UID -g $SLAPD_UID --system \
       --comment "Openldap server" --home-dir $SLAPD_DATA_DIR

# install xxxx-ca
COPY ca-xxxx.crt /etc/pki/ca-trust/source/anchors/ca-xxxx.crt
RUN update-ca-trust

# install necessary packages
RUN yum install openldap-clients openldap-servers -y \
    && yum clean all

# copy configuration files
COPY ca-xxxx.crt $SLAPD_CFG_DIR/cacerts/
COPY ldap.local.key $SLAPD_KEY_DIR
COPY ldap.local.crt $SLAPD_CRT_DIR
ADD http://192.168.10.2/cobbler/tools/noarch/change-db.ldif $SLAPD_CFG_DIR/change-db.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/centos7/change-config.ldif $SLAPD_CFG_DIR/change-config.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/change-config-sendmail.ldif $SLAPD_CFG_DIR/change-config-sendmail.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/change-frontend.ldif $SLAPD_CFG_DIR/change-frontend.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/idnsZone.ldif $SLAPD_CFG_DIR/schema/idnsZone.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/sendmail.ldif $SLAPD_CFG_DIR/schema/sendmail.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/samba.ldif $SLAPD_CFG_DIR/schema/samba.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/apache.ldif $SLAPD_CFG_DIR/schema/apache.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/quota.ldif $SLAPD_CFG_DIR/schema/quota.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/xxxx.ldif $SLAPD_CFG_DIR/schema/xxxx.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/DB_CONFIG $SLAPD_DATA_DIR/DB_CONFIG
COPY ldap-test.db.gz /tmp/ldap.db.gz

# change defaults in configs (cert/key paths and the hashed rootpw)
RUN sed -i "s#^olcTLSCertificateFile:.*#olcTLSCertificateFile: $SLAPD_CRT_DIR/ldap.local.crt#g" $SLAPD_CFG_DIR/change-config.ldif \
    && sed -i "s#^olcTLSCertificateKeyFile:.*#olcTLSCertificateKeyFile: $SLAPD_KEY_DIR/ldap.local.key#g" $SLAPD_CFG_DIR/change-config.ldif \
    && sed -i "s#^olcRootPW:.*#olcRootPW: {SSHA}xxx#g" $SLAPD_CFG_DIR/change-config.ldif

# syncrepl settings for this consumer: its own rid, bind DN, TLS files and credentials
RUN sed -i "s#rid=326#rid=999#g" $SLAPD_CFG_DIR/change-db.ldif \
    && sed -i 's/cn=app,ou=Hosts,dc=xxxx,dc=xxxx,dc=local/cn=mesosldap,ou=Hosts,dc=xxxx,dc=xxxx,dc=local/g' $SLAPD_CFG_DIR/change-db.ldif \
    && sed -i "s#tls_cert=\"/etc/pki/tls/certs/app1.local.pem\"#tls_cert=\"$SLAPD_CRT_DIR/ldap.local.crt\"#g" $SLAPD_CFG_DIR/change-db.ldif \
    && sed -i "s#tls_key=\"/etc/pki/tls/certs/app1.local.pem\"#tls_key=\"$SLAPD_KEY_DIR/ldap.local.key\"#g" $SLAPD_CFG_DIR/change-db.ldif \
    && sed -i "s/credentials=\"xxxx\"/credentials=\"xxxx\"/g" $SLAPD_CFG_DIR/change-db.ldif

# change permissions: key readable by root and the ldap group only;
# /var/run sticky and world-writable so slapd, running as $SLAPD_USER, can create its ldapi socket there
RUN chgrp $SLAPD_USER $SLAPD_KEY_DIR/ldap.local.key $SLAPD_CRT_DIR/ldap.local.crt \
    && chmod u=r,g=r,o= $SLAPD_KEY_DIR/ldap.local.key \
    && chmod a+r $SLAPD_DATA_DIR/DB_CONFIG \
    && chmod +t,o+w /var/run/
RUN [ -f "/tmp/ldap.db.gz" ] && chown $SLAPD_USER /tmp/ldap.db.gz || echo "not-chown-db"

# start slapd once during the build and load schemas and config over ldapi
RUN slapd -u ldap -4 -h ldapi:/// \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/cosine.ldif \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/inetorgperson.ldif \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/nis.ldif \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/misc.ldif \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/sendmail.ldif \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/idnsZone.ldif \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/apache.ldif \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/samba.ldif \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/xxxx.ldif \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/quota.ldif \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-frontend.ldif \
    && rm -f $SLAPD_CFG_DIR/change-frontend.ldif \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-db.ldif \
    && rm -f $SLAPD_CFG_DIR/change-db.ldif \
    && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-config-sendmail.ldif \
    && ldapadd -Q -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-config.ldif \
    && rm -f $SLAPD_CFG_DIR/change-config.ldif \
    && kill -HUP $(cat /var/run/openldap/slapd.pid) \
    && sync \
    && chown $SLAPD_USER /var/run/ldapi

#ADD db.tgz /var/lib/ldap/
# import the pre-built database as the ldap user, then checkpoint and drop old BDB logs
RUN [ -f "/tmp/ldap.db.gz" ] \
    && runuser -l ldap -c 'gunzip -c /tmp/ldap.db.gz | slapadd -c 2> /tmp/import-errors' \
    && cd /var/lib/ldap && db_checkpoint -1 -h /var/lib/ldap && db_archive -d \
    && rm -f /tmp/ldap.db.gz || echo "not importing ldap.db"


COPY entrypoint.sh /sbin/

CMD ["/sbin/entrypoint.sh"]




-----Original Message-----
From: Neal Lawson [mailto:ogg@sr375.com] 
Sent: Friday 16 August 2019 15:41
To: Howard Chu
Cc: Marc Roos; michael; openldap-technical@openldap.org
Subject: Re: Environment variable in slapd config

I have been working on a docker image with a script that likely does 
almost what you want with some mods, you’re welcome to steal it and 
make your own modifications. 
https://github.com/DoctorOgg/docker-openldap



	On Aug 16, 2019, at 6:36 AM, Howard Chu <hyc@symas.com> wrote:

	Marc Roos wrote:

		Indeed. Ansible is just a tool you should use for the fitting
		job. Afaik I only have to set a few variables and I do not have
		in the hundreds of services. But I would not mind looking at
		your Dockerfile to see how you prepare the image.

		The ceph mailing list is 'full' of people using ansible, and
		then whining on what to do, and how to fix things when something
		does not work. Because they do not know how and where things
		are configured. All these 'easy' tools are like these higher
		level programming languages. They just lower the threshold for
		the 'bunglers' to enter an area of expertise they were not able
		to enter before.

		-----Original Message-----
		Subject: Re: Environment variable in slapd config

		Probably the original poster wanted to set several env vars
		and use them as distinct RID values for multiple syncrepl
		directives. This is a common pattern for poor man's config
		management.

		Ciao, Michael.

	For this use case the simplest approach is to start with a template
	file that uses shell variables and just let the shell do the
	substitution for you. This is exactly what the OpenLDAP test suite
	does for its own config files.

	If you need to get fancier use sed or awk. These are basic Unix
	admin questions and have nothing to do with OpenLDAP.

	-- 
	 -- Howard Chu
	 CTO, Symas Corp.           http://www.symas.com
	 Director, Highland Sun     http://highlandsun.com/hyc/
	 Chief Architect, OpenLDAP  http://www.openldap.org/project/
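Howard's "template file with shell variables" approach, applied to the multi-RID syncrepl case Michael describes and to Marc's point about secrets lingering in ENV, as an added example that is not part of this thread (POSIX sh; the `render_*`/`subst` functions, the `@RID@` placeholders and the `SLAPD_*` variable names are my own, not OpenLDAP's):

```shell
# Added example, not from the thread: render one olcSyncrepl directive per
# provider from a shell template, each RID taken from SLAPD_RID_<n> (names
# are my own). Substitution is pure parameter expansion, never eval or sed,
# so values containing $, `, & or | cannot inject shell or sed syntax.
SYNCREPL_TEMPLATE='olcSyncrepl: rid=@RID@ provider=@PROVIDER@ searchbase="@SUFFIX@" bindmethod=simple binddn="@BINDDN@" credentials="@CREDS@" type=refreshAndPersist retry="60 +"'

# subst TEXT KEY VALUE -> TEXT with every occurrence of KEY replaced by VALUE
subst() {
    text=$1 key=$2 val=$3 out=""
    while head=${text%%"$key"*}; [ "$head" != "$text" ]; do
        out="$out$head$val"
        text=${text#*"$key"}
    done
    printf '%s' "$out$text"
}

# is_uint S -> non-empty digit string; valid_rid also enforces slapd's 0..999 RID range
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }
valid_rid() { is_uint "$1" && [ "$1" -le 999 ]; }

# render_syncrepl N -> the directive for provider N. The bind credential is
# read from the file SLAPD_CREDS_FILE (a mounted secret), not from ENV,
# because ENV stays readable inside the running task.
render_syncrepl() {
    is_uint "$1" || { echo "provider index '$1' not numeric" >&2; return 1; }
    eval "rid=\${SLAPD_RID_$1:-}; provider=\${SLAPD_PROVIDER_$1:-}"
    [ -n "$provider" ] || { echo "SLAPD_PROVIDER_$1 unset" >&2; return 1; }
    valid_rid "$rid" || { echo "SLAPD_RID_$1 invalid: '$rid'" >&2; return 1; }
    [ -r "${SLAPD_CREDS_FILE:-}" ] || { echo "SLAPD_CREDS_FILE unreadable" >&2; return 1; }
    creds=$(cat "$SLAPD_CREDS_FILE"); out=$SYNCREPL_TEMPLATE
    for pair in "@RID@=$rid" "@PROVIDER@=$provider" "@SUFFIX@=${SLAPD_SUFFIX:-}" \
                "@BINDDN@=${SLAPD_BINDDN:-}" "@CREDS@=$creds"; do
        out=$(subst "$out" "${pair%%=*}" "${pair#*=}")
    done
    printf '%s\n' "$out"
}

# render_all COUNT -> directives for providers 1..COUNT; a reused RID is
# rejected, since each syncrepl directive on a consumer needs a unique one
render_all() {
    i=1 seen=" "
    while [ "$i" -le "$1" ]; do
        line=$(render_syncrepl "$i") || return 1
        rid=${line#*rid=}; rid=${rid%% *}
        case $seen in *" $rid "*) echo "duplicate rid $rid" >&2; return 1 ;; esac
        seen="$seen$rid "
        printf '%s\n' "$line"
        i=$((i + 1))
    done
}
```

An entrypoint would append the output of `render_all` to the consumer's database LDIF before loading it with ldapadd, then unset the `SLAPD_*` variables it no longer needs.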