Add openldap/slapd as a docker service

This service gets populated with the same data set as the in memory albeit, the InMemoryLDAPServer and slapd use two separate file for data now InMemoryLdapServer uses ./uaa/src/test/resources/ldap_init.ldif (same as before) docker-compose uses ./scripts/ldap/ldap_slapd_data.ldif (new, copy of ldap_init.ldif for now) docker-compose uses ./scripts/ldap/ldap_slapd_schema.ldif (new, copy of ldap_db_init.ldif for now)) The old scripts still use ./uaa/src/test/resources/ldap_db_init.ldif but will be removed in future PR
cloudfoundry · Jan 10, 2025 · 31533d7 · 31533d7
1 parent e09db03
commit 31533d7
Show file tree

Hide file tree

Showing 12 changed files with 551 additions and 152 deletions.
diff --git a/scripts/docker-compose.yml b/scripts/docker-compose.yml
@@ -1,7 +1,7 @@
 name: uaa
 
 services:
-  postgres:
+  postgresql:
     image: "postgres:15"
     ports:
       - 5432:5432
@@ -33,22 +33,19 @@ services:
       - TZ=${TZ}
     command:
       - --sql_mode=ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION,PAD_CHAR_TO_FULL_LENGTH
+
   openldap:
-    image: docker.io/bitnami/openldap:2.6
+    build:
+      context: .
+      dockerfile: ldap/Dockerfile
     ports:
-      - '389:1389'
-      - '636:1636'
-    # docs of these env vars: https://github.com/bitnami/containers/tree/2724f9cd02b3b4e7986a1e2a0b0b30af3737bbd2/bitnami/openldap#configuration
-    environment:
-      - LDAP_ROOT=dc=test,dc=com
-      - LDAP_ADMIN_USERNAME=admin
-      - LDAP_ADMIN_PASSWORD=password
-      - LDAP_USERS=user01,user02
-      - LDAP_PASSWORDS=password1,password2
-      - LDAP_GROUP=some-ldap-group
+      - '389:389'
+      - '636:636'
+    entrypoint: [ "/bin/bash", "-c" ]
+    command:
+      - "/uaa/ldap/ldap-start-and-populate.sh"
+    tty: true
     volumes:
-      - 'openldap_data:/bitnami/openldap'
+      - ./ldap:/uaa/ldap/
+      - ./certificates:/uaa/certificates/
 
-volumes:
-  openldap_data:
-    driver: local
diff --git a/scripts/ldap/Dockerfile b/scripts/ldap/Dockerfile
@@ -0,0 +1,20 @@
+FROM ubuntu:jammy
+
+STOPSIGNAL SIGQUIT
+
+SHELL ["/bin/bash", "-xo", "pipefail", "-c"]
+
+# Generate locale C.UTF-8
+ENV LANG=C.UTF-8
+ENV TZ=UTC
+
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get -qy update
+RUN DEBIAN_FRONTEND=noninteractive apt-get -qy install slapd ldap-utils
+RUN DEBIAN_FRONTEND=noninteractive apt-get -qy install libssl-dev ca-certificates
+
+RUN mkdir -p /uaa/ldap/
+RUN mkdir -p /uaa/certificates/
+
+STOPSIGNAL SIGQUIT
diff --git a/scripts/ldap/docker-compose.yml b/scripts/ldap/docker-compose.yml
diff --git a/scripts/ldap/docker-confirm-ldapquery.sh b/scripts/ldap/docker-confirm-ldapquery.sh
@@ -6,10 +6,10 @@ set -e
 
 echo ==================================GET all userApplication attributes using anonymous bind=============================================
 
-ldapsearch -vvv -x -L -H ldap://localhost -b dc=test,dc=com
+LDAPTLS_REQCERT=never ldapsearch -vvv -x -L -H ldaps://localhost -b dc=test,dc=com
 
 echo =====================================Bind with Admin and Seach for user01==========================================
 
-ldapsearch -vvv -x -L -H ldap://localhost -b dc=test,dc=com -D "cn=admin,dc=test,dc=com" -w password "(cn=user01)"
+LDAPTLS_REQCERT=never ldapsearch -vvv -x -L -H ldaps://localhost -b dc=test,dc=com -D "cn=admin,dc=test,dc=com" -w password "(cn=user01)"
 
 echo -e "\n*********** SUCCESS"
diff --git a/scripts/ldap/install-ldap.sh b/scripts/ldap/install-ldap.sh
@@ -1,7 +1,11 @@
 #!/bin/bash
 
+## TODO - remove this script. The ../docker-compose.yml has a container with the same setup
+
 set -e
 
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+
 cd `dirname $0`/../..
 
 sudo apt-get -qy purge slapd ldap-utils
@@ -49,5 +53,5 @@ olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem" > /etc/ssl/cert
 
 fi
 
-sudo ldapadd -Y EXTERNAL -H ldapi:/// -f uaa/src/test/resources/ldap_db_init.ldif
-sudo ldapadd -x -D 'cn=admin,dc=test,dc=com' -w password -f uaa/src/test/resources/ldap_init.ldif
+sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ${SCRIPT_DIR}/ldap_slapd_schema.ldif
+sudo ldapadd -x -D 'cn=admin,dc=test,dc=com' -w password -f ${SCRIPT_DIR}/ldap_slapd_data.ldif
diff --git a/scripts/ldap/ldap-start-and-populate.sh b/scripts/ldap/ldap-start-and-populate.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+# Used by ../docker-compose.yml
+set -e
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+
+LDAP_TLS_CHK=/tmp/ldap-tls-run-once
+LDAP_SCHEMA_CHK=/tmp/ldap-schema-run-once
+
+function restart_ldap() {
+  ### service slapd restart|stop doesn't kill the slapd daemon
+  pid=$(pgrep slapd || echo "0")
+  if [[ "$pid" -gt "0" ]]; then
+    echo "Sending QUIT signal to slapd"
+    kill -3 $pid
+    sleep 1
+    pid=$(pgrep slapd || echo "0")
+    if [[ "$pid" == "0" ]]; then
+      echo "slapd stop [OK]"
+    else
+      echo "slapd stop [ERROR]"
+      kill -9 $pid
+    fi
+  fi
+  service slapd start
+}
+
+function generate_certs_if_needed() {
+  if
+    [ ! -f /uaa/certificates/server.crt ] ||
+    [ ! -f /uaa/certificates/server.key ] ||
+    [ ! -f /uaa/certificates/CA.crt ] ||
+    [ ! -f /uaa/certificates/CA.key ]; then
+    /uaa/certificates/generate.sh
+  fi
+}
+
+function configure_slapd_tls() {
+  cp /uaa/certificates/CA.key /etc/ldap/sasl2/
+  cp /uaa/certificates/CA.crt /etc/ldap/sasl2/
+  cp /uaa/certificates/server.crt /etc/ldap/sasl2/
+  cp /uaa/certificates/server.key /etc/ldap/sasl2/
+  cp /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/
+  cat /etc/ldap/sasl2/CA.crt >> /etc/ldap/sasl2/ca-certificates.crt
+  chown -R openldap:openldap /etc/ldap/sasl2
+
+  echo "dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/sasl2/server.crt
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/sasl2/server.key" > /etc/ldap/sasl2/uaa-certinfo.ldif
+  ## TODO start LDAP server here
+  restart_ldap
+  echo "Adding LDAP Certs"
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/sasl2/uaa-certinfo.ldif
+  echo "LDAP Certs added"
+  sed -i "s/^SLAPD_SERVICES.*/SLAPD_SERVICES=\"ldap\:\/\/\/ ldapi\:\/\/\/ ldaps\:\/\/\/\"/g" /etc/default/slapd
+  sed -i "s/^TLS/\#TLS/g" /etc/ldap/ldap.conf
+  echo "TLS_CACERT /etc/ldap/sasl2/ca-certificates.crt
+TLS_REQCERT allow
+" >> /etc/ldap/ldap.conf
+  restart_ldap
+}
+
+if [ ! -f ${LDAP_SCHEMA_CHK} ]; then
+  generate_certs_if_needed
+  configure_slapd_tls
+  touch ${LDAP_TLS_CHK}
+fi
+
+echo "LDAP server Status:"
+service slapd status || true
+
+if [ ! -f ${LDAP_SCHEMA_CHK} ]; then
+  echo "Starting LDAP server."
+  restart_ldap
+  echo "Creating LDAP schema."
+  ldapadd -Y EXTERNAL -H ldapi:/// -f $SCRIPT_DIR/ldap_slapd_schema.ldif
+  echo "Populating LDAP database entries."
+  ldapadd -x -D 'cn=admin,dc=test,dc=com' -w password -f $SCRIPT_DIR/ldap_slapd_data.ldif
+  touch ${LDAP_SCHEMA_CHK}
+else
+  echo "Starting LDAP server with existing data."
+  restart_ldap
+fi
+
+doExit() {
+  echo "Caught SIGTERM signal."
+  exit 0
+}
+
+trap doExit SIGINT SIGQUIT SIGTERM
+
+echo "LDAP server is READY"
+
+# Do not exit the container in docker compose
+while true; do
+    sleep 1
+done