docker-openldap/scripts/init-dit.sh

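#!/bin/sh
# init-dit.sh - create the base DIT (suffix entry, organizational units,
# default password policy and admin group) in a fresh OpenLDAP database.
#
# A temporary slapd is started on the ldapi socket, the entries are added as
# the rootdn, and that slapd is stopped again so the real entrypoint can
# start its own instance afterwards.
#
# Required environment:
#   LDAP_BASE_DN         directory suffix, e.g. dc=example,dc=org
#   LDAP_DC              dc attribute of the suffix entry
#   LDAP_ORGANISATION    o attribute of the suffix entry
#   LDAP_ADMIN_PASSWORD  password of cn=admin,<LDAP_BASE_DN>
set -e
. /scripts/utils.sh

# Fail early with a clear message rather than producing malformed LDIF
# (empty DNs) or binding with an empty password.
: "${LDAP_BASE_DN:?LDAP_BASE_DN must be set}"
: "${LDAP_DC:?LDAP_DC must be set}"
: "${LDAP_ORGANISATION:?LDAP_ORGANISATION must be set}"
: "${LDAP_ADMIN_PASSWORD:?LDAP_ADMIN_PASSWORD must be set}"

log_info "Creating base DIT structure..."

# Socket URL for ldapi - must use URL-encoded path
LDAPI_SOCKET="ldapi://%2Frun%2Fopenldap%2Fldapi"
ADMIN_DN="cn=admin,${LDAP_BASE_DN}"

# Private scratch directory (mktemp -d creates it mode 0700) for the LDIF
# files and the bind-password file; fixed names under /tmp are readable by
# every other user in the container.
WORKDIR=$(mktemp -d)
SLAPD_PID=""

# Runs on every exit path, including set -e aborts, so that neither the
# temporary slapd nor the password file is left behind on failure.
cleanup() {
  if [ -n "$SLAPD_PID" ] && kill -0 "$SLAPD_PID" 2>/dev/null; then
    kill "$SLAPD_PID" 2>/dev/null || true
    wait "$SLAPD_PID" 2>/dev/null || true
  fi
  rm -rf -- "${WORKDIR:?}"
}
trap cleanup EXIT

# The rootdn password is handed to ldapadd with -y <file> instead of -w <arg>:
# argv is visible to every process in the container (ps, /proc/<pid>/cmdline)
# and would be echoed by 'set -x'. printf '%s' writes no trailing newline,
# because -y uses the complete file content as the password.
PWFILE="$WORKDIR/admin.pw"
(umask 077 && printf '%s' "$LDAP_ADMIN_PASSWORD" > "$PWFILE")

# Adds one LDIF file as the rootdn over the local socket.
# $1 - path of the LDIF file
ldap_add_file() {
  ldapadd -x -H "$LDAPI_SOCKET" -D "$ADMIN_DN" -y "$PWFILE" -f "$1"
}

# Start slapd temporarily. -d 0 keeps slapd in the foreground (no debug
# output) so its PID is known and exactly this instance can be stopped later,
# rather than pkill'ing every slapd in the container.
log_info "Starting slapd temporarily for DIT creation..."
/usr/sbin/slapd -d 0 -h "$LDAPI_SOCKET" -F /etc/openldap/slapd.d -u ldap -g ldap &
SLAPD_PID=$!
sleep 2

# Wait for slapd
wait_for_slapd 30 "$LDAPI_SOCKET"

# Create base DIT LDIF
cat > "$WORKDIR/base-dit.ldif" << EOF
# Base entry
dn: ${LDAP_BASE_DN}
objectClass: top
objectClass: dcObject
objectClass: organization
dc: ${LDAP_DC}
o: ${LDAP_ORGANISATION}
# People OU
dn: ou=People,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: People
description: User accounts
# Groups OU
dn: ou=Groups,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: Groups
description: Authorization groups
# Services OU
dn: ou=Services,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: Services
description: Service accounts for application binding
# Domains OU (for virtual mail domains)
dn: ou=Domains,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: Domains
description: Virtual mail domains
# Policies OU
dn: ou=Policies,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: Policies
description: Password and access policies
# Kerberos OU (for future use)
dn: ou=Kerberos,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: Kerberos
description: Kerberos realm container (premium feature)
EOF

# Add base DIT (a failure here is fatal: every later entry hangs off these OUs)
log_info "Adding base organizational units..."
ldap_add_file "$WORKDIR/base-dit.ldif"

# Create default password policy
log_info "Creating default password policy..."
cat > "$WORKDIR/default-policy.ldif" << EOF
dn: cn=default,ou=Policies,${LDAP_BASE_DN}
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 12
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 3
pwdFailureCountInterval: 900
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOF
ldap_add_file "$WORKDIR/default-policy.ldif" || \
log_warn "Password policy may already exist"

# Create default admin group
log_info "Creating default admin group..."
cat > "$WORKDIR/admin-group.ldif" << EOF
dn: cn=admins,ou=Groups,${LDAP_BASE_DN}
objectClass: groupOfMembers
objectClass: posixGroup
cn: admins
gidNumber: 10000
description: LDAP Administrators
EOF
ldap_add_file "$WORKDIR/admin-group.ldif" || \
log_warn "Admin group may already exist"

# Stop temporary slapd: signal exactly the instance started above and wait for
# it to exit instead of sleeping a fixed time. wait reports the TERM signal as
# a non-zero status, which is expected here.
log_info "Stopping temporary slapd..."
kill "$SLAPD_PID"
wait "$SLAPD_PID" || true
SLAPD_PID=""

# Temporary files (LDIF and password file) are removed by the EXIT trap.
log_info "Base DIT creation complete"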