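#!/bin/sh
# Initialise the OpenLDAP cn=config database (slapd.d) from environment
# variables and import it with slapadd.
#
# Required environment (checked below):
#   LDAP_ADMIN_PASSWORD   rootpw of olcDatabase={1}mdb (cn=admin,$LDAP_BASE_DN)
#   LDAP_CONFIG_PASSWORD  rootpw of olcDatabase={0}config (cn=admin,cn=config)
#   LDAP_BASE_DN          suffix of the mdb database
# Optional environment:
#   LDAP_LOG_LEVEL        written as olcLogLevel as-is (an empty value yields
#                         an invalid attribute line; presumably defaulted by
#                         the image — TODO confirm)
#   LDAP_TLS_ENABLED      "true" enables TLS when the cert and key files exist
#   LDAP_TLS_CERT_FILE, LDAP_TLS_KEY_FILE, LDAP_TLS_CA_FILE, LDAP_TLS_VERIFY_CLIENT
# Needs log_info and hash_password from /scripts/utils.sh.
set -e

. /scripts/utils.sh

log_info "Initializing cn=config..."

# Fail early with a clear message rather than hashing an empty password
# (an admin account with an empty password) or emitting an empty olcSuffix.
: "${LDAP_ADMIN_PASSWORD:?LDAP_ADMIN_PASSWORD must be set}"
: "${LDAP_CONFIG_PASSWORD:?LDAP_CONFIG_PASSWORD must be set}"
: "${LDAP_BASE_DN:?LDAP_BASE_DN must be set}"

# Generate password hashes
LDAP_ADMIN_PASSWORD_HASH=$(hash_password "$LDAP_ADMIN_PASSWORD")
LDAP_CONFIG_PASSWORD_HASH=$(hash_password "$LDAP_CONFIG_PASSWORD")
export LDAP_ADMIN_PASSWORD_HASH LDAP_CONFIG_PASSWORD_HASH

# The generated LDIF contains both rootpw hashes: use an unpredictable,
# owner-only (mktemp creates mode 0600) file instead of a fixed path in /tmp,
# and remove it on every exit path.
ldif=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
trap 'rm -f -- "$ldif"' EXIT

# Start from an empty slapd.d; the whole configuration is regenerated below.
mkdir -p /etc/openldap/slapd.d
rm -rf /etc/openldap/slapd.d/*

# Global entry. It is left open (no trailing blank line) so the optional
# TLS attributes can be appended to this same cn=config entry.
cat > "$ldif" << EOF
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid
olcLogLevel: ${LDAP_LOG_LEVEL}
EOF

# TLS attributes are written into the cn=config entry itself: slapadd imports
# entries and does not apply "changetype: modify" records, and a second
# "dn: cn=config" record would duplicate the entry above.
if [ "$LDAP_TLS_ENABLED" = "true" ] && [ -f "$LDAP_TLS_CERT_FILE" ] && [ -f "$LDAP_TLS_KEY_FILE" ]; then
  log_info "Adding TLS configuration..."
  printf 'olcTLSCertificateFile: %s\n' "$LDAP_TLS_CERT_FILE" >> "$ldif"
  printf 'olcTLSCertificateKeyFile: %s\n' "$LDAP_TLS_KEY_FILE" >> "$ldif"
  if [ -f "$LDAP_TLS_CA_FILE" ]; then
    printf 'olcTLSCACertificateFile: %s\n' "$LDAP_TLS_CA_FILE" >> "$ldif"
  fi
  # An empty value would be an invalid attribute line; only emit it when set.
  if [ -n "$LDAP_TLS_VERIFY_CLIENT" ]; then
    printf 'olcTLSVerifyClient: %s\n' "$LDAP_TLS_VERIFY_CLIENT" >> "$ldif"
  fi
elif [ "$LDAP_TLS_ENABLED" = "true" ]; then
  # Make the silent fallback to a non-TLS configuration visible in the logs.
  log_info "LDAP_TLS_ENABLED is true but certificate or key file not found; skipping TLS configuration"
fi

# Remaining entries: modules, schema container, frontend, config and mdb DBs.
cat >> "$ldif" << EOF

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/openldap
olcModuleLoad: back_mdb.so
olcModuleLoad: memberof.so
olcModuleLoad: refint.so
olcModuleLoad: unique.so
olcModuleLoad: ppolicy.so
olcModuleLoad: syncprov.so

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcSizeLimit: 500
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW: ${LDAP_CONFIG_PASSWORD_HASH}
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: ${LDAP_BASE_DN}
olcRootDN: cn=admin,${LDAP_BASE_DN}
olcRootPW: ${LDAP_ADMIN_PASSWORD_HASH}
olcDbDirectory: /var/lib/openldap/openldap-data
olcDbIndex: objectClass eq
olcDbIndex: cn eq,pres,sub
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbMaxSize: 1073741824
EOF

# Import the configuration (set -e aborts the script if slapadd fails).
log_info "Importing cn=config with slapadd..."
/usr/sbin/slapadd -n 0 -F /etc/openldap/slapd.d -l "$ldif"

# slapadd ran as root; hand the config and data directories to the slapd user.
chown -R ldap:ldap /etc/openldap/slapd.d
chown -R ldap:ldap /var/lib/openldap

log_info "cn=config initialization complete"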