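#!/bin/bash
# Container entry point for slapd.
#
# On the first start (no /etc/openldap/CONFIGURED marker) the directory is
# initialised: as root, a temporary slapd bound to ldapi:/// is configured from
# the OPENLDAP_* environment variables; as a non-root user, the pre-built
# defaults under /opt/openshift are moved into place instead. The marker is
# then written and, on this and every later start, slapd is exec'd in the
# foreground.
#
# Environment (all optional):
#   OPENLDAP_ROOT_PASSWORD   root DN password (default "admin")
#   OPENLDAP_ROOT_DN_PREFIX  root DN RDN (default "cn=Manager")
#   OPENLDAP_ROOT_DN_SUFFIX  base suffix (default "dc=example,dc=com")
#   OPENLDAP_DEBUG_LEVEL     slapd -d level (default 256)
#   OPENLDAP_LISTEN_URIS     slapd -h listener list (default "ldaps:/// ldap:///")

# Reduce maximum number of open file descriptors to 1024
# otherwise slapd consumes two orders of magnitude more of RAM
# see https://github.com/docker/docker/issues/8231
ulimit -n 1024

# The fallback password is public knowledge: make a deployment that forgot to
# set OPENLDAP_ROOT_PASSWORD visible in the container log before defaulting it.
if [ -z "${OPENLDAP_ROOT_PASSWORD:-}" ]; then
  echo "WARNING: OPENLDAP_ROOT_PASSWORD is not set; using the well-known default 'admin'" >&2
fi
OPENLDAP_ROOT_PASSWORD=${OPENLDAP_ROOT_PASSWORD:-admin}
OPENLDAP_ROOT_DN_PREFIX=${OPENLDAP_ROOT_DN_PREFIX:-'cn=Manager'}
OPENLDAP_ROOT_DN_SUFFIX=${OPENLDAP_ROOT_DN_SUFFIX:-'dc=example,dc=com'}
OPENLDAP_DEBUG_LEVEL=${OPENLDAP_DEBUG_LEVEL:-256}
OPENLDAP_LISTEN_URIS=${OPENLDAP_LISTEN_URIS:-"ldaps:/// ldap:///"}

#######################################
# Escape a value for use as the replacement text of a sed "s" command that
# uses a single space as its delimiter. Backslash, '&' and the delimiter
# itself would otherwise be interpreted by sed, so a DN or hash containing
# them would corrupt the generated LDIF.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout
#######################################
sed_replacement() {
  printf '%s' "$1" | sed -e 's/[\\& ]/\\&/g'
}

#######################################
# Run a check command once per second until it succeeds or the attempt
# budget is exhausted.
# Arguments: $1 - number of attempts; remaining args - command to run
# Returns:   0 as soon as the command succeeds, 1 on timeout
#######################################
wait_for() {
  local tries=$1
  shift
  while (( tries > 0 )); do
    "$@" && return 0
    sleep 1
    (( tries-- ))
  done
  return 1
}

#######################################
# Succeeds once the temporary slapd answers on the local ldapi socket, i.e.
# ldapsearch no longer reports that it cannot contact the server.
#######################################
slapd_is_up() {
  ! ldapsearch -Y EXTERNAL -H ldapi:/// 2>&1 | grep -q "Can.t contact LDAP server"
}

#######################################
# Succeeds once the given PID no longer exists.
# Arguments: $1 - pid
#######################################
process_gone() {
  ! kill -0 "$1" 2>/dev/null
}

#######################################
# Load an LDIF file into the configuration database over the local socket.
# Arguments: $1 - path to the LDIF file
#######################################
config_add() {
  ldapadd -Y EXTERNAL -H ldapi:/// -f "$1" -d "${OPENLDAP_DEBUG_LEVEL}"
}

# Only run if no config has happened fully before
if [ ! -f /etc/openldap/CONFIGURED ]; then
  if [ "$(id -u)" -eq 0 ]; then
    # We are root, we can use user input!
    # Bring in default database config
    cp /usr/local/etc/openldap/DB_CONFIG /var/lib/ldap/DB_CONFIG
    # Start the daemon in another process, listening only on the local socket,
    # and make config changes. Its PID is taken from $! so we later signal
    # exactly this process rather than whatever "ps | grep slapd" matches.
    slapd -h "ldapi:///" -d "${OPENLDAP_DEBUG_LEVEL}" &
    slapd_pid=$!
    if ! wait_for 30 slapd_is_up; then
      echo "slapd did not start correctly" >&2
      exit 1
    fi
    # Generate hash of password. The secret is passed through a file
    # descriptor (-T) instead of argv so it is not exposed in the process list.
    OPENLDAP_ROOT_PASSWORD_HASH=$(slappasswd -T <(printf '%s' "${OPENLDAP_ROOT_PASSWORD}"))
    # Update configuration with root password, root DN, and root suffix
    sed -e "s OPENLDAP_ROOT_PASSWORD $(sed_replacement "${OPENLDAP_ROOT_PASSWORD_HASH}") g" \
        -e "s OPENLDAP_ROOT_DN $(sed_replacement "${OPENLDAP_ROOT_DN_PREFIX}") g" \
        -e "s OPENLDAP_SUFFIX $(sed_replacement "${OPENLDAP_ROOT_DN_SUFFIX}") g" \
        /usr/local/etc/openldap/first_config.ldif |
      ldapmodify -Y EXTERNAL -H ldapi:/// -d "${OPENLDAP_DEBUG_LEVEL}"
    # add test schema
    config_add /usr/local/etc/openldap/testPerson.ldif
    # add useful schemas
    config_add /etc/openldap/schema/cosine.ldif
    config_add /etc/openldap/schema/inetorgperson.ldif
    # load memberOf and refint modules
    config_add /usr/local/etc/openldap/load_modules.ldif
    # configure memberOf module
    config_add /usr/local/etc/openldap/configure_memberof.ldif
    # configure refint module
    config_add /usr/local/etc/openldap/configure_refint.ldif
    # extract dc name from root DN suffix: the value of a leading "dc=" RDN,
    # empty when the suffix does not start with one
    dc_name=
    dc_re='^dc=([A-Za-z0-9_]+)'
    if [[ "${OPENLDAP_ROOT_DN_SUFFIX}" =~ $dc_re ]]; then
      dc_name=${BASH_REMATCH[1]}
    fi
    # create base organization object (absolute path: the template lives next
    # to first_config.ldif, independent of the current directory)
    sed -e "s OPENLDAP_SUFFIX $(sed_replacement "${OPENLDAP_ROOT_DN_SUFFIX}") g" \
        -e "s FIRST_PART $(sed_replacement "${dc_name}") g" \
        /usr/local/etc/openldap/base.ldif |
      ldapadd -H ldapi:/// -x \
        -D "${OPENLDAP_ROOT_DN_PREFIX},${OPENLDAP_ROOT_DN_SUFFIX}" \
        -y <(printf '%s' "${OPENLDAP_ROOT_PASSWORD}")
    # stop the temporary daemon (SIGINT) and make sure it is gone
    kill -2 "${slapd_pid}" || echo "kill of slapd (pid ${slapd_pid}) failed with status $?" >&2
    if ! wait_for 30 process_gone "${slapd_pid}"; then
      echo "slapd did not stop correctly" >&2
      exit 1
    fi
    # collect the background job's exit status so no job entry lingers
    wait "${slapd_pid}" 2>/dev/null
  else
    # We are not root, we need to populate from the default bind-mount source
    if [ -f '/opt/openshift/config/slapd.d/cn=config/olcDatabase={0}config.ldif' ]; then
      # Use provided default config, get rid of current data
      rm -rf /var/lib/ldap/*
      rm -rf /etc/openldap/*
      # Bring in associated default database files
      mv -f /opt/openshift/lib/* /var/lib/ldap
      mv -f /opt/openshift/config/* /etc/openldap
    else
      # Something has gone wrong with our image build
      echo "FAILURE: Default configuration files from /contrib/ are not present in the image at /opt/openshift." >&2
      exit 1
    fi
  fi
  # Test configuration files, log checksum errors. Errors may be tolerated and
  # repaired by slapd so don't exit. One file name per line; read line-wise so
  # a path containing spaces is reported intact.
  slaptest_log=$(slaptest 2>&1)
  while IFS= read -r err; do
    [ -n "${err}" ] || continue
    echo "The file ${err} has a checksum error. Ensure that this file is not edited manually, or re-calculate the checksum."
  done < <(grep -Po '(?<=ldif_read_file: checksum error on ").+(?=")' <<<"${slaptest_log}")
  rm -rf /opt/openshift/*
  touch /etc/openldap/CONFIGURED
fi

# Start the slapd service in the foreground (the URI list is one argument to -h)
exec slapd -h "${OPENLDAP_LISTEN_URIS}" -d "${OPENLDAP_DEBUG_LEVEL}"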