docker-openldap/scripts/init-services.sh

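#!/bin/sh
# init-services.sh - create the LDAP bind accounts used by the services that
# authenticate against this directory (Keycloak, Nextcloud, Gitea, Postfix,
# Dovecot, SSSD), one organizationalRole/simpleSecurityObject entry each under
# ou=Services,${LDAP_BASE_DN}.
#
# slapd is started temporarily on the ldapi:// socket, the entries are added
# with the cn=admin credentials, and slapd is stopped again before the script
# returns. Passwords not supplied in the environment are generated and written
# to /var/lib/openldap/service-passwords.txt (0600, ldap:ldap) so the operator
# can hand them to the consuming services.
#
# Required environment:
#   LDAP_BASE_DN          base DN; the ou=Services entry must already exist
#   LDAP_ADMIN_PASSWORD   simple-bind password of cn=admin,${LDAP_BASE_DN}
# Optional environment (generated via generate_password when unset or empty):
#   LDAP_SERVICE_KEYCLOAK_PASSWORD, LDAP_SERVICE_NEXTCLOUD_PASSWORD,
#   LDAP_SERVICE_GITEA_PASSWORD, LDAP_SERVICE_POSTFIX_PASSWORD,
#   LDAP_SERVICE_DOVECOT_PASSWORD, LDAP_SERVICE_SSSD_PASSWORD
#
# Expects /scripts/utils.sh to provide log_info, log_warn, wait_for_slapd and
# generate_password; their exact behaviour is not visible from this file.
set -e
. /scripts/utils.sh

# Fail early with a clear message instead of building a DN like "cn=admin,"
# or binding with an empty password.
: "${LDAP_BASE_DN:?LDAP_BASE_DN must be set}"
: "${LDAP_ADMIN_PASSWORD:?LDAP_ADMIN_PASSWORD must be set}"

# ldapi:// URLs carry the socket path percent-encoded ("/" -> "%2F").
LDAPI_SOCKET="ldapi://%2Frun%2Fopenldap%2Fldapi"
ADMIN_DN="cn=admin,${LDAP_BASE_DN}"
PASSWORD_FILE="/var/lib/openldap/service-passwords.txt"

# Private scratch directory (mktemp -d creates it 0700) for the LDIF and the
# admin bind password: neither belongs at a predictable, shared /tmp path.
WORK_DIR="$(mktemp -d)"
LDIF="${WORK_DIR}/service-accounts.ldif"
ADMIN_PW_FILE="${WORK_DIR}/admin.pw"
SLAPD_PID=""

# Writes stdin to $1, created owner-only (0600) from the start rather than
# tightened with chmod afterwards. The umask change is confined to the subshell
# so it does not leak into slapd or anything else this script spawns.
write_private() {
  ( umask 077; cat > "$1" )
}

# Stops the temporary slapd if it is still our running child and reaps it, so
# its ldapi socket is released before the next stage starts the real server.
stop_slapd() {
  if [ -n "${SLAPD_PID}" ] && kill -0 "${SLAPD_PID}" 2>/dev/null; then
    log_info "Stopping temporary slapd..."
    kill "${SLAPD_PID}" 2>/dev/null || true
    wait "${SLAPD_PID}" 2>/dev/null || true
  fi
  SLAPD_PID=""
}

# Runs on every exit path, including 'set -e' aborts: a failed run must not
# leave the scratch secrets on disk or an orphaned slapd behind.
cleanup() {
  stop_slapd
  rm -rf -- "${WORK_DIR:?}"
}
trap cleanup EXIT

# Decide once whether passwords can be hashed before they go into the LDIF.
# Without hashing slapd stores userPassword exactly as given (cleartext) unless
# hash-on-write (ppolicy) is configured elsewhere, which this file cannot tell.
if command -v slappasswd >/dev/null 2>&1; then
  HASH_PASSWORDS=1
else
  HASH_PASSWORDS=0
  log_warn "slappasswd not found; service passwords will be stored unhashed"
fi

# Prints the LDIF 'userPassword' line for the cleartext password held in file
# $1: an {SSHA} digest when slappasswd is available, otherwise the cleartext
# base64-encoded ("::"), which keeps the LDIF valid whatever characters the
# password contains.
password_attr() {
  if [ "${HASH_PASSWORDS}" -eq 1 ]; then
    printf 'userPassword: %s\n' "$(slappasswd -h '{SSHA}' -T "$1")"
  else
    printf 'userPassword:: %s\n' "$(base64 < "$1" | tr -d '\n')"
  fi
}

# Appends one service-account record to $LDIF.
#   $1 = cn, $2 = description, $3 = cleartext password
# The password reaches slappasswd through a 0600 scratch file rather than an
# argv argument, so it never shows up in the process list.
add_service_record() {
  printf '%s' "$3" | write_private "${WORK_DIR}/svc.pw"
  {
    printf 'dn: cn=%s,ou=Services,%s\n' "$1" "${LDAP_BASE_DN}"
    printf 'objectClass: organizationalRole\n'
    printf 'objectClass: simpleSecurityObject\n'
    printf 'cn: %s\n' "$1"
    printf 'description: %s\n' "$2"
    password_attr "${WORK_DIR}/svc.pw"
    printf '\n'   # blank line terminates the LDIF record
  } >> "${LDIF}"
  rm -f -- "${WORK_DIR}/svc.pw"
}

log_info "Creating service accounts..."

# Foreground mode (-d 0 = no debug output, no fork) keeps slapd a child of this
# shell so it can be stopped by PID; 'pkill slapd' would also hit any other
# slapd in the container. Startup failures surface through wait_for_slapd
# rather than through the exit status of a daemonising parent.
log_info "Starting slapd temporarily for service account creation..."
/usr/sbin/slapd -h "${LDAPI_SOCKET}" -F /etc/openldap/slapd.d -u ldap -g ldap -d 0 &
SLAPD_PID=$!
wait_for_slapd 30 "${LDAPI_SOCKET}"

# Generate any password the operator did not supply.
LDAP_SERVICE_KEYCLOAK_PASSWORD="${LDAP_SERVICE_KEYCLOAK_PASSWORD:-$(generate_password)}"
LDAP_SERVICE_NEXTCLOUD_PASSWORD="${LDAP_SERVICE_NEXTCLOUD_PASSWORD:-$(generate_password)}"
LDAP_SERVICE_GITEA_PASSWORD="${LDAP_SERVICE_GITEA_PASSWORD:-$(generate_password)}"
LDAP_SERVICE_POSTFIX_PASSWORD="${LDAP_SERVICE_POSTFIX_PASSWORD:-$(generate_password)}"
LDAP_SERVICE_DOVECOT_PASSWORD="${LDAP_SERVICE_DOVECOT_PASSWORD:-$(generate_password)}"
LDAP_SERVICE_SSSD_PASSWORD="${LDAP_SERVICE_SSSD_PASSWORD:-$(generate_password)}"

# Build the LDIF (0600 even though the values are hashed where possible).
write_private "${LDIF}" < /dev/null
add_service_record keycloak  "Keycloak LDAP federation service account"      "${LDAP_SERVICE_KEYCLOAK_PASSWORD}"
add_service_record nextcloud "Nextcloud LDAP backend service account"        "${LDAP_SERVICE_NEXTCLOUD_PASSWORD}"
add_service_record gitea     "Gitea LDAP authentication service account"     "${LDAP_SERVICE_GITEA_PASSWORD}"
add_service_record postfix   "Postfix virtual mailbox lookup service account" "${LDAP_SERVICE_POSTFIX_PASSWORD}"
add_service_record dovecot   "Dovecot authentication service account"        "${LDAP_SERVICE_DOVECOT_PASSWORD}"
add_service_record sssd      "SSSD NSS/PAM service account"                  "${LDAP_SERVICE_SSSD_PASSWORD}"

# Bind password via -y (file) instead of -w (argv) so it is not exposed in ps.
# -c continues past records that fail instead of stopping at the first one;
# ldapadd then exits with the LDAP result code of the last failing record
# (earlier, different failures are masked by it), so 68 (entryAlreadyExists)
# is the expected re-run case, while anything else - 49 invalidCredentials,
# 32 noSuchObject when ou=Services is missing, ... - is a real error that the
# old blanket "may already exist" warning would have hidden.
printf '%s' "${LDAP_ADMIN_PASSWORD}" | write_private "${ADMIN_PW_FILE}"
rc=0
ldapadd -x -c -H "${LDAPI_SOCKET}" -D "${ADMIN_DN}" -y "${ADMIN_PW_FILE}" -f "${LDIF}" || rc=$?
case "${rc}" in
  0)
    ;;
  68)
    log_warn "Some service accounts already exist; their passwords were left unchanged, so the values recorded in ${PASSWORD_FILE} do not apply to them"
    ;;
  *)
    log_warn "ldapadd failed with status ${rc}; service accounts were not created"
    exit "${rc}"
    ;;
esac

# Persist the passwords for the operator. This file is the only place the
# generated values exist in cleartext: it is created 0600 (chmod covers a
# pre-existing file with wider permissions) and should be copied into the
# consuming services' secret stores and then deleted.
write_private "${PASSWORD_FILE}" << EOF
# Service Account Passwords (generated on first run)
# IMPORTANT: Store these securely and delete this file after noting passwords
LDAP_SERVICE_KEYCLOAK_PASSWORD=${LDAP_SERVICE_KEYCLOAK_PASSWORD}
LDAP_SERVICE_NEXTCLOUD_PASSWORD=${LDAP_SERVICE_NEXTCLOUD_PASSWORD}
LDAP_SERVICE_GITEA_PASSWORD=${LDAP_SERVICE_GITEA_PASSWORD}
LDAP_SERVICE_POSTFIX_PASSWORD=${LDAP_SERVICE_POSTFIX_PASSWORD}
LDAP_SERVICE_DOVECOT_PASSWORD=${LDAP_SERVICE_DOVECOT_PASSWORD}
LDAP_SERVICE_SSSD_PASSWORD=${LDAP_SERVICE_SSSD_PASSWORD}
EOF
chmod 600 "${PASSWORD_FILE}"
chown ldap:ldap "${PASSWORD_FILE}"
log_info "Service account passwords saved to ${PASSWORD_FILE}"
log_warn "IMPORTANT: Retrieve these passwords and delete the file for security"

# Stop slapd explicitly here so the next stage can start the real one; the EXIT
# trap only has the scratch directory left to remove.
stop_slapd
log_info "Service account creation complete"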