116 lines
3.3 KiB
Bash
116 lines
3.3 KiB
Bash
#!/bin/sh
|
|
set -e
|
|
|
|
# Source utility functions
|
|
. /scripts/utils.sh
|
|
|
|
# LDAPI socket URL - must use URL-encoded path for Alpine
|
|
LDAPI_SOCKET="ldapi://%2Frun%2Fopenldap%2Fldapi"
|
|
export LDAPI_SOCKET
|
|
|
|
# Validate required environment variables
|
|
if [ -z "$LDAP_DOMAIN" ]; then
|
|
log_error "LDAP_DOMAIN is required"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "$LDAP_ORGANISATION" ]; then
|
|
log_error "LDAP_ORGANISATION is required"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "$LDAP_ADMIN_PASSWORD" ]; then
|
|
log_error "LDAP_ADMIN_PASSWORD is required"
|
|
exit 1
|
|
fi
|
|
|
|
# Generate base DN from domain if not provided
|
|
if [ -z "$LDAP_BASE_DN" ]; then
|
|
LDAP_BASE_DN=$(echo "$LDAP_DOMAIN" | sed 's/^/dc=/; s/\./,dc=/g')
|
|
fi
|
|
export LDAP_BASE_DN
|
|
|
|
# Extract DC component for base entry
|
|
LDAP_DC=$(echo "$LDAP_DOMAIN" | cut -d'.' -f1)
|
|
export LDAP_DC
|
|
|
|
# Set defaults for optional variables
|
|
export LDAP_CONFIG_PASSWORD="${LDAP_CONFIG_PASSWORD:-$(generate_password)}"
|
|
export LDAP_TLS_ENABLED="${LDAP_TLS_ENABLED:-true}"
|
|
export LDAP_TLS_CERT_FILE="${LDAP_TLS_CERT_FILE:-/certs/ldap.crt}"
|
|
export LDAP_TLS_KEY_FILE="${LDAP_TLS_KEY_FILE:-/certs/ldap.key}"
|
|
export LDAP_TLS_CA_FILE="${LDAP_TLS_CA_FILE:-/certs/ca.crt}"
|
|
export LDAP_TLS_VERIFY_CLIENT="${LDAP_TLS_VERIFY_CLIENT:-try}"
|
|
export LDAP_LOG_LEVEL="${LDAP_LOG_LEVEL:-256}"
|
|
export LDAP_READONLY="${LDAP_READONLY:-false}"
|
|
|
|
log_info "OpenLDAP Container Starting"
|
|
log_info "Domain: $LDAP_DOMAIN"
|
|
log_info "Base DN: $LDAP_BASE_DN"
|
|
log_info "Organisation: $LDAP_ORGANISATION"
|
|
|
|
# Check if already initialized
|
|
if [ ! -f /var/lib/openldap/openldap-data/data.mdb ]; then
|
|
log_info "First run - initializing OpenLDAP..."
|
|
|
|
# Initialize cn=config
|
|
/scripts/init-config.sh
|
|
|
|
# Load schemas in order
|
|
/scripts/init-schemas.sh
|
|
|
|
# Configure overlays
|
|
/scripts/init-overlays.sh
|
|
|
|
# Create base DIT
|
|
/scripts/init-dit.sh
|
|
|
|
# Configure ACLs
|
|
/scripts/init-acls.sh
|
|
|
|
# Create service accounts if requested
|
|
if [ "$LDAP_CREATE_SERVICE_ACCOUNTS" = "true" ]; then
|
|
/scripts/init-services.sh
|
|
fi
|
|
|
|
# Process custom LDIF files if present
|
|
if [ -d /ldif/custom ] && [ "$(ls -A /ldif/custom 2>/dev/null)" ]; then
|
|
log_info "Processing custom LDIF files..."
|
|
for ldif in /ldif/custom/*.ldif; do
|
|
if [ -f "$ldif" ]; then
|
|
log_info "Loading: $ldif"
|
|
ldapadd -x -H "$LDAPI_SOCKET" -D "cn=admin,$LDAP_BASE_DN" -w "$LDAP_ADMIN_PASSWORD" -f "$ldif" || \
|
|
log_warn "Failed to load $ldif (may already exist)"
|
|
fi
|
|
done
|
|
fi
|
|
|
|
log_info "Initialization complete."
|
|
else
|
|
log_info "Database exists - starting normally."
|
|
fi
|
|
|
|
# Ensure proper ownership
|
|
chown -R ldap:ldap /var/lib/openldap
|
|
chown -R ldap:ldap /etc/openldap/slapd.d
|
|
chown -R ldap:ldap /run/openldap
|
|
|
|
# Build slapd arguments
|
|
SLAPD_URLS="ldap:/// $LDAPI_SOCKET"
|
|
if [ "$LDAP_TLS_ENABLED" = "true" ]; then
|
|
if [ -f "$LDAP_TLS_CERT_FILE" ] && [ -f "$LDAP_TLS_KEY_FILE" ]; then
|
|
SLAPD_URLS="ldap:/// ldaps:/// $LDAPI_SOCKET"
|
|
log_info "TLS enabled - listening on ldaps://"
|
|
else
|
|
log_warn "TLS enabled but certificates not found - skipping ldaps://"
|
|
fi
|
|
fi
|
|
|
|
log_info "Starting slapd with URLs: $SLAPD_URLS"
|
|
|
|
# Start slapd
|
|
exec /usr/sbin/slapd -h "$SLAPD_URLS" \
|
|
-F /etc/openldap/slapd.d \
|
|
-u ldap -g ldap \
|
|
-d "${LDAP_LOG_LEVEL}"
|