fix: include TLS config in initial cn=config entry

slapadd doesn't understand LDIF change records (changetype: modify). Move TLS configuration attributes directly into the cn=config entry instead of using a separate modify operation.
2025-12-28 02:06:15 +01:00 · 2025-12-28 02:06:15 +01:00 · 82bfb701a9
commit 82bfb701a9
parent 9b15cc31cb
1 changed files with 15 additions and 29 deletions
--- a/scripts/init-config.sh
+++ b/scripts/init-config.sh
@ -13,6 +13,20 @@ export LDAP_ADMIN_PASSWORD_HASH LDAP_CONFIG_PASSWORD_HASH
 # Create initial slapd.d configuration
 rm -rf /etc/openldap/slapd.d/*

+# Build TLS attributes if enabled
+TLS_CONFIG=""
+if [ "$LDAP_TLS_ENABLED" = "true" ] && [ -f "$LDAP_TLS_CERT_FILE" ] && [ -f "$LDAP_TLS_KEY_FILE" ]; then
+    log_info "Adding TLS configuration..."
+    TLS_CONFIG="olcTLSCertificateFile: ${LDAP_TLS_CERT_FILE}
+olcTLSCertificateKeyFile: ${LDAP_TLS_KEY_FILE}"
+    if [ -f "$LDAP_TLS_CA_FILE" ]; then
+        TLS_CONFIG="${TLS_CONFIG}
+olcTLSCACertificateFile: ${LDAP_TLS_CA_FILE}"
+    fi
+    TLS_CONFIG="${TLS_CONFIG}
+olcTLSVerifyClient: ${LDAP_TLS_VERIFY_CLIENT}"
+fi
+
 # Create base cn=config LDIF
 cat > /tmp/init-config.ldif << EOF
 dn: cn=config
@ -21,6 +35,7 @@ cn: config
 olcArgsFile: /run/openldap/slapd.args
 olcPidFile: /run/openldap/slapd.pid
 olcLogLevel: ${LDAP_LOG_LEVEL}
+${TLS_CONFIG}

 dn: cn=module{0},cn=config
 objectClass: olcModuleList
@ -68,35 +83,6 @@ olcDbIndex: entryUUID eq
 olcDbMaxSize: 1073741824
 EOF

-# Add TLS configuration if enabled and certs exist
-if [ "$LDAP_TLS_ENABLED" = "true" ] && [ -f "$LDAP_TLS_CERT_FILE" ] && [ -f "$LDAP_TLS_KEY_FILE" ]; then
-    log_info "Adding TLS configuration..."
-    cat >> /tmp/init-config.ldif << EOF
-
-dn: cn=config
-changetype: modify
-add: olcTLSCertificateFile
-olcTLSCertificateFile: ${LDAP_TLS_CERT_FILE}
-
-add: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: ${LDAP_TLS_KEY_FILE}
-EOF
-
-    if [ -f "$LDAP_TLS_CA_FILE" ]; then
-        cat >> /tmp/init-config.ldif << EOF
-
-add: olcTLSCACertificateFile
-olcTLSCACertificateFile: ${LDAP_TLS_CA_FILE}
-EOF
-    fi
-
-    cat >> /tmp/init-config.ldif << EOF
-
-add: olcTLSVerifyClient
-olcTLSVerifyClient: ${LDAP_TLS_VERIFY_CLIENT}
-EOF
-fi
-
 # Import the configuration
 log_info "Importing cn=config with slapadd..."
 /usr/sbin/slapadd -n 0 -F /etc/openldap/slapd.d -l /tmp/init-config.ldif