From e352f7bb3a1af7d3e2878c0161a19d6240e6c00b Mon Sep 17 00:00:00 2001
From: mrclemrkz <awesomeisme007@gmail.com>
Date: Sun, 4 Nov 2018 10:41:59 +0530
Subject: [PATCH] disable embedded ldap.

---
 docker-compose.yml          |   6 +-
 is/Dockerfile               |   1 +
 is/config/embedded-ldap.xml | 162 ++++++++++++++++++++++++++++++++++++
 is/config/user-mgt.xml      |   2 +-
 reset.sh                    |  12 +++
 docker-up.sh => start.sh    |  16 ++--
 6 files changed, 187 insertions(+), 12 deletions(-)
 create mode 100644 is/config/embedded-ldap.xml
 create mode 100644 reset.sh
 rename docker-up.sh => start.sh (71%)

diff --git a/docker-compose.yml b/docker-compose.yml
index 59fb1b0..030e17f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -17,14 +17,14 @@ services:
     image: copper-openldap
     container_name: copper-openldap
     environment:
-      LDAP_DOMAIN: 'copper.opensource.lk'
+      LDAP_DOMAIN: "copper.opensource.lk"
     tty: true
     stdin_open: true
     ports:
       - "389:389"
       - "636:636"
-    domainname: "copper.opensource.lk" # important: same as hostname
-    hostname: "copper.opensource.lk"
+    # domainname: "copper-openldap" # important: same as hostname
+    # hostname: "copper-openldap"
 
     # cn=admin,dc=copper,dc=opensource,dc=lk
 
diff --git a/is/Dockerfile b/is/Dockerfile
index c7ff631..88f0b35 100644
--- a/is/Dockerfile
+++ b/is/Dockerfile
@@ -41,6 +41,7 @@ COPY --chown=wso2carbon:wso2 ./files/wso2carbon.jks ${WSO2_SERVER_SECURITY}/
 COPY --chown=wso2carbon:wso2 ./files/client-truststore.jks ${WSO2_SERVER_SECURITY}/
 
 # conecting external ldap
+COPY --chown=wso2carbon:wso2 ./config/embedded-ldap.xml ${WSO2_SERVER_CONF}/identity/
 COPY --chown=wso2carbon:wso2 ./config/carbon.xml ${WSO2_SERVER_CONF}/
 COPY --chown=wso2carbon:wso2 ./config/tenant-mgt.xml ${WSO2_SERVER_CONF}/
 COPY --chown=wso2carbon:wso2 ./config/user-mgt.xml ${WSO2_SERVER_CONF}/
diff --git a/is/config/embedded-ldap.xml b/is/config/embedded-ldap.xml
new file mode 100644
index 0000000..420933f
--- /dev/null
+++ b/is/config/embedded-ldap.xml
@@ -0,0 +1,162 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+~ Copyright (c) 2011, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+~
+~ Licensed under the Apache License, Version 2.0 (the "License");
+~ you may not use this file except in compliance with the License.
+~ You may obtain a copy of the License at
+~
+~ http://www.apache.org/licenses/LICENSE-2.0
+~
+~ Unless required by applicable law or agreed to in writing, software
+~ distributed under the License is distributed on an "AS IS" BASIS,
+~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+~ See the License for the specific language governing permissions and
+~ limitations under the License.
+ -->
+
+<!--
+	All carbon based products comes with a LDAP user store. 
+	For this we use an embedded LDAP in carbon based products. 
+	This file contains necessary configurations to control the behavior of embedded LDAP.
+	You may use this file to enable, disable LDAP server, configure connection admin password, etc ...
+	In addition to embedded-ldap server configurations this file also has Kerberos KDC (Key Distribution Center) 
+	specific configurations.
+-->
+
+<EmbeddedLDAPConfig>
+
+  <!-- 
+	LDAP server configurations 
+	==========================
+	This section contains LDAP server specific configurations.
+
+	Property                Usage
+	=======                 ====
+	enable                  If true the embedded LDAP server will start when server starts up.
+				            Else embedded LDAP server will not start. Thus user has to use a different
+				            user store.
+	instanceid              An id given to the LDAP server instance.
+	connectionPassword      The password of the admin. (uid=admin,ou=system)
+	workingDirectory        Location where LDAP will store its schema files.
+	AdminEntryObjectClass   Object class which encapsulate attributes needed by claims.
+	allowAnonymousAccess    Should allow users to access LDAP server without credentials. Default false.
+	accessControlEnabled    Should access control be enabled among partitions. Default true.
+	saslHostName            Default host name to be used in SASL (Simple Authentication and Security Layer).
+				            This property comes from apacheds implementation itself.
+	saslPrincipalName       Default SASL principal name. Again this property also comes from apacheds implementation
+				            itself.
+  -->
+  <EmbeddedLDAP>
+    <Property name="enable">false</Property>
+    <Property name="port">${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
+    <Property name="instanceId">default</Property>
+    <Property name="connectionPassword">admin</Property>
+    <Property name="workingDirectory">.</Property>
+    <Property name="AdminEntryObjectClass">identityPerson</Property>
+    <Property name="allowAnonymousAccess">false</Property>
+    <Property name="accessControlEnabled">true</Property>
+    <Property name="denormalizeOpAttrsEnabled">false</Property>
+    <Property name="maxPDUSize">2000000</Property>
+    <Property name="saslHostName">localhost</Property>
+    <Property name="saslPrincipalName">ldap/localhost@EXAMPLE.COM</Property>
+  </EmbeddedLDAP>
+
+  <!-- 
+	Default partition configurations
+	================================ 
+	When embedded LDAP server starts for the first time it will create a default partition. 
+	Following properties configure values for the default partition.
+	
+	Property                        Usage
+	=======                         =====
+	id                              Each partition is given an id. The id given to the default paritition.
+	realm                           Realm is the place where we store user principals and service principals.
+                                        The name of the realm for default partition.
+	kdcPassword                     This parameter is used when KDC (Key Distribution Center) is enabled. In apacheds
+                                        KDC also has a server principal. This defines a password for KDC server principal.
+	ldapServerPrinciplePassword     If LDAP server is also defined as a server principal, this will be the password.
+	
+  -->
+  <DefaultPartition>
+    <Property name="id">root</Property>
+    <Property name="realm">WSO2.ORG</Property>    
+    <Property name="kdcPassword">secret</Property>
+    <Property name="ldapServerPrinciplePassword">randall</Property>
+  </DefaultPartition>
+
+  <!-- 
+	Default partition admin configurations
+	======================================
+	In a multi-tenant scenario each tenant will have a separate partition. Thus tenant admin will be the partition admin.
+	Following configurations define admin attributes for above created default partition.
+
+	Property            Usage
+	========            =====
+	uid                 UID attribute for partition admin.
+	commonName          The cn attribute for admin
+	lastName            The sn attribute for admin
+	email               The email attribute for admin
+	passwordType        The password hashing mechanism. Following hashing mechanisms are available, "SHA", "MD5".
+                        "PLAIN_TEXT" is also a valid value. If KDC is enabled password type will be enforced to be
+                        plain text.
+  -->
+  <PartitionAdmin>
+    <Property name="uid">admin</Property>
+    <Property name="firstName">admin</Property>
+    <Property name="lastName">admin</Property>
+    <Property name="email">admin@wso2.com</Property>
+    <Property name="password">admin</Property>
+    <Property name="passwordType">SHA</Property>
+  </PartitionAdmin>
+
+  <!-- 
+	Default partition admin's group configuration 
+	=============================================
+	Embedded LDAP is capable of keeping group information also.
+	If LDAP groups are enabled in user store (usr-mgt.xml) group information will be
+	recorded in a separate sub-context. Following configuration defines the group
+	properties.
+
+	Property                Usage
+	=======                 =====
+	adminRoleName		    The name of the role/group that admin should be included.
+	groupNameAttribute	    The attribute which group name will be recorded.
+	memberNameAttribute	    The attribute which memebers are recorded.
+  -->
+  <PartitionAdminGroup>
+    <Property name="adminRoleName">admin</Property>
+    <Property name="groupNameAttribute">cn</Property>
+    <Property name="memberNameAttribute">member</Property>
+  </PartitionAdminGroup>
+
+    <!--
+      KDC configurations
+      =================
+      Following configurations are applicable to KDC server. Generally, the KDC is only enabled in
+      Identity Server. You may enable KDC server if you wish to do so. But if you dont have any Kerberos specific
+      programs, it is recommended to disable KDC server.
+
+      Property                          Usage
+      =======                           =====
+      name                              Name given to default KDC server.
+      enabled                           If true a KDC server will start when starting LDAP server.
+                                          Else a KDC server will not start with a LDAP server.
+      protocol                          Default protocol to be used in KDC communication. Default is UDP.
+      maximumTicketLifeTime             The maximum life time of a ticket issued by the KDC.
+      maximumRenewableLifeTime          Life time which a ticket can be used by renewing it several times.
+      preAuthenticationTimeStampEnabled Pre-authentication is a feature in latest Kerberos protocol.
+                                          This property says whether to enable it or disable it.
+    -->
+  <KDCServer>
+    <Property name="name">defaultKDC</Property>
+    <Property name="enabled">false</Property>
+    <Property name="protocol">UDP</Property>
+    <Property name="host">localhost</Property>
+    <Property name="port">${Ports.EmbeddedLDAP.KDCServerPort}</Property>
+    <Property name="maximumTicketLifeTime">8640000</Property>
+    <Property name="maximumRenewableLifeTime">604800000</Property>
+    <Property name="preAuthenticationTimeStampEnabled">true</Property>
+  </KDCServer>
+
+</EmbeddedLDAPConfig>
diff --git a/is/config/user-mgt.xml b/is/config/user-mgt.xml
index c3179a6..4a341c5 100644
--- a/is/config/user-mgt.xml
+++ b/is/config/user-mgt.xml
@@ -205,7 +205,7 @@
             <Property name="MaxUserNameListLength">100</Property>
             <Property name="MaxRoleNameListLength">100</Property>
             <Property name="kdcEnabled">false</Property>
-            <Property name="defaultRealmName">localhost.com</Property>
+            <Property name="defaultRealmName">WSO2.ORG</Property>
             <Property name="UserRolesCacheEnabled">true</Property>
             <Property name="ConnectionPoolingEnabled">false</Property>
             <Property name="LDAPConnectionTimeout">5000</Property>
diff --git a/reset.sh b/reset.sh
new file mode 100644
index 0000000..575a9f1
--- /dev/null
+++ b/reset.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# remove containers
+
+docker stop $(docker ps -a -q)
+docker rm $(docker ps -a -q)
+
+
+# remove images
+
+docker rmi copper-is
+docker rmi copper-openldap
\ No newline at end of file
diff --git a/docker-up.sh b/start.sh
similarity index 71%
rename from docker-up.sh
rename to start.sh
index cbda9d5..3928a41 100644
--- a/docker-up.sh
+++ b/start.sh
@@ -2,17 +2,17 @@
 
 docker-compose up --build -d
 
-# STATUS="0"
+STATUS="0"
 
-# until [[ ${STATUS} == *"ok"* ]]; do
-#     echo "   wating until slpd is started"
-#     STATUS=`docker exec -ti copper-openldap sh -c "service slapd status"`
-#     sleep 5
-# done
+until [[ ${STATUS} == *"ok"* ]]; do
+    echo "   wating until slpd is started"
+    STATUS=`docker exec -ti copper-openldap sh -c "service slapd status"`
+    sleep 5
+done
 
-# echo "   slapd has started!"
+echo "   slapd has started!"
 
-sleep 20
+# sleep 30
 
 docker exec -it copper-openldap /usr/bin/ldapadd -Y EXTERNAL -H ldapi:// -f /home/97-wso2Person.ldif
 docker exec -it copper-openldap /usr/bin/ldapadd -Y EXTERNAL -H ldapi:// -f /home/98-scimPerson.ldif