Cool, thanks! I am more of a fan of CentOS because then I can fall back on RedHat support, especially for production environments. I am not sure your script is tackling the issue described here, but looking at it, I think you can also add --no-cache. You should beware of ENV LDAP_ROOTPASS, which stays when the task is launched (at least on Mesos); better to work with the hashes. Furthermore, I try to run as few tasks as possible under root, so I am binding to a high port ;) I also need to be able to use slapadd, otherwise syncing will take too long.
So at the moment mine looks like this ;)
# Version: 0.0.1 - openldap
FROM centos:7

ENV SLAPD_USER="ldap" \
    SLAPD_UID=10061 \
    SLAPD_CFG_DIR="/etc/openldap/" \
    SLAPD_DATA_DIR="/var/lib/ldap" \
    SLAPD_KEY_DIR="/etc/pki/tls/private" \
    SLAPD_CRT_DIR="/etc/pki/tls/certs" \
    SLAPD_OPTS="-d 0 -4 -u ldap" \
    SLAPD_URLS="ldap://0.0.0.0:8443/"

# create user/group
RUN groupadd $SLAPD_USER -g $SLAPD_UID \
 && useradd $SLAPD_USER -u $SLAPD_UID -g $SLAPD_UID --system --comment "Openldap server" --home-dir $SLAPD_DATA_DIR

# install xxxx-ca
COPY ca-xxxx.crt /etc/pki/ca-trust/source/anchors/ca-xxxx.crt
RUN update-ca-trust

# install necessary packages
RUN yum install openldap-clients openldap-servers -y \
 && yum clean all

# copy configuration files
COPY ca-xxxx.crt $SLAPD_CFG_DIR/cacerts/
COPY ldap.local.key $SLAPD_KEY_DIR
COPY ldap.local.crt $SLAPD_CRT_DIR
ADD http://192.168.10.2/cobbler/tools/noarch/change-db.ldif $SLAPD_CFG_DIR/change-db.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/centos7/change-config.ldif $SLAPD_CFG_DIR/change-config.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/change-config-sendmail.ldif $SLAPD_CFG_DIR/change-config-sendmail.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/change-frontend.ldif $SLAPD_CFG_DIR/change-frontend.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/idnsZone.ldif $SLAPD_CFG_DIR/schema/idnsZone.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/sendmail.ldif $SLAPD_CFG_DIR/schema/sendmail.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/samba.ldif $SLAPD_CFG_DIR/schema/samba.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/apache.ldif $SLAPD_CFG_DIR/schema/apache.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/quota.ldif $SLAPD_CFG_DIR/schema/quota.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/xxxx.ldif $SLAPD_CFG_DIR/schema/xxxx.ldif
ADD http://192.168.10.2/cobbler/tools/noarch/DB_CONFIG $SLAPD_DATA_DIR/DB_CONFIG
COPY ldap-test.db.gz /tmp/ldap.db.gz

# change defaults in configs
RUN sed -i "s#^olcTLSCertificateFile:.*#olcTLSCertificateFile: $SLAPD_CRT_DIR/ldap.local.crt#g" $SLAPD_CFG_DIR/change-config.ldif \
 && sed -i "s#^olcTLSCertificateKeyFile:.*#olcTLSCertificateKeyFile: $SLAPD_KEY_DIR/ldap.local.key#g" $SLAPD_CFG_DIR/change-config.ldif \
 && sed -i "s#^olcRootPW:.*#olcRootPW: {SSHA}xxx#g" $SLAPD_CFG_DIR/change-config.ldif

# the quotes around the syncrepl values are part of the ldif, so they are escaped into the sed patterns
RUN sed -i "s#rid=326#rid=999#g" $SLAPD_CFG_DIR/change-db.ldif \
 && sed -i 's/cn=app,ou=Hosts,dc=xxxx,dc=xxxx,dc=local/cn=mesosldap,ou=Hosts,dc=xxxx,dc=xxxx,dc=local/g' $SLAPD_CFG_DIR/change-db.ldif \
 && sed -i "s#tls_cert=\"/etc/pki/tls/certs/app1.local.pem\"#tls_cert=\"$SLAPD_CRT_DIR/ldap.local.crt\"#g" $SLAPD_CFG_DIR/change-db.ldif \
 && sed -i "s#tls_key=\"/etc/pki/tls/certs/app1.local.pem\"#tls_key=\"$SLAPD_KEY_DIR/ldap.local.key\"#g" $SLAPD_CFG_DIR/change-db.ldif \
 && sed -i "s/credentials=\"xxxx\"/credentials=\"xxxx\"/g" $SLAPD_CFG_DIR/change-db.ldif

# change permissions
RUN chgrp $SLAPD_USER $SLAPD_KEY_DIR/ldap.local.key $SLAPD_CRT_DIR/ldap.local.crt \
 && chmod u=r,g=r,o= $SLAPD_KEY_DIR/ldap.local.key \
 && chmod a+r $SLAPD_DATA_DIR/DB_CONFIG \
 && chmod +t,o+w /var/run/
RUN [ -f "/tmp/ldap.db.gz" ] && chown $SLAPD_USER /tmp/ldap.db.gz || echo "not-chown-db"

# start slapd on the ldapi socket and load schemas and config changes into cn=config
RUN slapd -u ldap -4 -h ldapi:/// \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/cosine.ldif \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/inetorgperson.ldif \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/nis.ldif \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/misc.ldif \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/sendmail.ldif \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/idnsZone.ldif \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/apache.ldif \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/samba.ldif \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/xxxx.ldif \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/quota.ldif \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-frontend.ldif \
 && rm -f $SLAPD_CFG_DIR/change-frontend.ldif \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-db.ldif \
 && rm -f $SLAPD_CFG_DIR/change-db.ldif \
 && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-config-sendmail.ldif \
 && ldapadd -Q -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-config.ldif \
 && rm -f $SLAPD_CFG_DIR/change-config.ldif \
 && kill -HUP $(cat /var/run/openldap/slapd.pid) \
 && sync \
 && chown $SLAPD_USER /var/run/ldapi

# import the database dump with slapadd (much faster than syncing), if one was shipped
#ADD db.tgz /var/lib/ldap/
RUN [ -f "/tmp/ldap.db.gz" ] \
 && runuser -l ldap -c 'gunzip -c /tmp/ldap.db.gz | slapadd -c 2> /tmp/import-errors' \
 && cd /var/lib/ldap && db_checkpoint -1 -h /var/lib/ldap && db_archive -d \
 && rm -f /tmp/ldap.db.gz || echo "not importing ldap.db"
COPY entrypoint.sh /sbin/
CMD ["/sbin/entrypoint.sh"]
-----Original Message-----
From: Neal Lawson [mailto:ogg@sr375.com]
Sent: Friday, 16 August 2019 15:41
To: Howard Chu
Cc: Marc Roos; michael; openldap-technical@openldap.org
Subject: Re: Environment variable in slapd config
I have been working on a docker image with a script that likely does almost what you want with some mods, you’re welcome to steal it and make your own modifications. https://github.com/DoctorOgg/docker-openldap
On Aug 16, 2019, at 6:36 AM, Howard Chu hyc@symas.com wrote:
Marc Roos wrote:
Indeed. Ansible is just a tool you should use for the fitting job. Afaik I only have to set a few variables and I do not have hundreds of services. But I would not mind looking at your Dockerfile to see how you prepare the image. The ceph mailing list is 'full' of people using Ansible, and then whining about what to do and how to fix things when something does not work, because they do not know how and where things are configured. All these 'easy' tools are like these higher-level programming languages. They just lower the threshold for the 'bunglers' to enter an area of expertise that they were not able to enter before.

-----Original Message-----
Subject: Re: Environment variable in slapd config

Probably the original poster wanted to set several env vars and use them as distinct RID values for multiple syncrepl directives. This is a common pattern for poor man's config management.

Ciao, Michael.
For this use case the simplest approach is to start with a template file that uses shell variables and just let the shell do the substitution for you. This is exactly what the OpenLDAP test suite does for its own config files. If you need to get fancier, use sed or awk. These are basic Unix admin questions and have nothing to do with OpenLDAP.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
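The template-plus-substitution approach Howard describes, applied to Michael's multiple-RID case and to Marc's point about passing the root password as a hash rather than cleartext in ENV, as an added example that is not code from anyone in this thread. The @NAME@ placeholder syntax, the variable names RID_A, RID_B and ROOTPW_HASH, and the provider hostnames are assumptions.

```shell
#!/bin/sh
# Added example: render a cn=config LDIF from a template by letting sed do the
# substitution. Distinct syncrepl rid values come from environment variables;
# olcRootPW is accepted only as a slappasswd-style hash, never as cleartext.
# Placeholder syntax (@NAME@), variable names and provider hosts are assumptions.
set -eu

# Constructed template; in a real image this would be a file shipped alongside.
SLAPD_TEMPLATE='dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: @ROOTPW@
-
add: olcSyncrepl
olcSyncrepl: rid=@RID_A@ provider=ldap://ldap-a.example.internal/ type=refreshAndPersist
olcSyncrepl: rid=@RID_B@ provider=ldap://ldap-b.example.internal/ type=refreshAndPersist'

# A syncrepl rid is an integer in 0..999 and must be unique per consumer.
valid_rid() {
    case "$1" in
        [0-9]|[0-9][0-9]|[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only hashed olcRootPW values (as produced by slappasswd).
valid_pw_hash() {
    case "$1" in
        '{SSHA}'*|'{SHA}'*|'{CRYPT}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Render the template to stdout from RID_A, RID_B and ROOTPW_HASH; fail closed
# on an invalid or duplicate rid or on a non-hashed password.
render_config() {
    valid_rid "$RID_A" && valid_rid "$RID_B" || { echo "bad rid" >&2; return 1; }
    [ "$RID_A" != "$RID_B" ] || { echo "rids must differ" >&2; return 1; }
    valid_pw_hash "$ROOTPW_HASH" || { echo "olcRootPW must be a hash" >&2; return 1; }
    printf '%s\n' "$SLAPD_TEMPLATE" | sed \
        -e "s|@RID_A@|$RID_A|g" \
        -e "s|@RID_B@|$RID_B|g" \
        -e "s|@ROOTPW@|$ROOTPW_HASH|g"
}

# Typical use: RID_A=101 RID_B=102 ROOTPW_HASH="$(slappasswd -s 'secret')" \
#   render_config | ldapmodify -Q -Y EXTERNAL -H ldapi:///
```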