diff --git a/contrib/openldap/.dockerignore b/contrib/openldap/.dockerignore
new file mode 100644
index 00000000..ec33ca8c
--- /dev/null
+++ b/contrib/openldap/.dockerignore
@@ -0,0 +1,2 @@
+assets/*.docker
+assets/*.aci
diff --git a/contrib/openldap/.gitignore b/contrib/openldap/.gitignore
new file mode 100644
index 00000000..7e2f179b
--- /dev/null
+++ b/contrib/openldap/.gitignore
@@ -0,0 +1 @@
+assets
diff --git a/contrib/openldap/Dockerfile b/contrib/openldap/Dockerfile
new file mode 100644
index 00000000..bc986603
--- /dev/null
+++ b/contrib/openldap/Dockerfile
@@ -0,0 +1,25 @@
+FROM alpine
+
+MAINTAINER eric.chiang@coreos.com
+
+# groll installs soelim, which is required by the build.
+
+RUN apk add --update alpine-sdk openssl-dev db-dev groff
+
+ADD assets/openldap-2.4.44 /openldap-2.4.44
+
+WORKDIR /openldap-2.4.44
+
+RUN ./configure
+
+RUN make depend
+
+RUN make
+
+RUN make install
+
+RUN apk del groff alpine-sdk
+
+ADD scripts/entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/contrib/openldap/Makefile b/contrib/openldap/Makefile
new file mode 100644
index 00000000..7068b688
--- /dev/null
+++ b/contrib/openldap/Makefile
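Review bot: `FROM alpine` on the first line carries no tag or digest, so the base layer (musl, OpenSSL, libdb) that slapd gets linked against changes silently between builds and cannot be reproduced from the checked-in files; pin it, e.g. `FROM alpine:<release>` or `FROM alpine@sha256:<digest>` (placeholders). The cleanup line `RUN apk del groff alpine-sdk` removes only two of the four build packages, and because each `RUN` is its own layer the deleted bytes still ship in the image anyway; neither the apk index left behind by `apk add --update` nor the `/openldap-2.4.44` source tree added before `WORKDIR` is ever removed, so the final image carries headers, the full build directory and the toolchain layers. `apk add --no-cache …`, an `apk del` that also covers `openssl-dev db-dev`, and `rm -rf /openldap-2.4.44` after `make install` — or, better, a multi-stage build that copies only the installed tree — would shrink what is available to anyone who gets code execution inside the container. The comment `# groll installs soelim` presumably means `groff`, the package named on the following `RUN` line.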
@@ -0,0 +1,36 @@
+image=quay.io/coreos/openldap:2.4.44
+image_file=assets/openldap_2_4_44.docker
+
+aci_file=quay.io-coreos-openldap-2.4.44.aci
+
+$(shell mkdir -p assets)
+
+user=$(shell id -u -n)
+group=$(shell id -g -n)
+
+.PHONY: build
+build: $(image_file)
+
+$(image_file): assets/openldap-2.4.44.tgz Dockerfile scripts/entrypoint.sh
+	sudo docker build -t $(image) .
+	sudo docker save -o $(image_file) $(image)
+	# Change ownership of the container.
+	sudo chown $(user):$(group) $(image_file)
+
+assets/openldap-2.4.44.tgz: scripts/download.sh
+	./scripts/download.sh
+
+$(aci_file): $(image_file)
+	docker2aci $(image_file)
+	mv $(aci_file) assets/$(aci_file)
+
+.PHONY: import-aci
+import-aci: $(aci_file)
+	sudo rkt fetch --insecure-options=image ./assets/quay.io-coreos-openldap-2.4.44.aci
+
+clean:
+	rm -rf assets/*
+
+.PHONY: push
+push:
+	sudo docker push quay.io/coreos/openldap:2.4.44
diff --git a/contrib/openldap/README.md b/contrib/openldap/README.md
new file mode 100644
index 00000000..9ea69255
--- /dev/null
+++ b/contrib/openldap/README.md
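Review bot: The rule `$(aci_file): $(image_file)` never produces the file named by its target: the recipe runs docker2aci and then `mv`s the result into `assets/`, so `quay.io-coreos-openldap-2.4.44.aci` does not exist afterwards and `import-aci` re-converts the image on every run, while also hard-coding `./assets/quay.io-coreos-openldap-2.4.44.aci` instead of deriving it from `$(aci_file)`. Naming the target `assets/$(aci_file)` and writing to `$@` fixes both; the fence below additionally declares `clean` `.PHONY` like its siblings, points `push` at `$(image)` rather than a second copy of the tag, and switches `user`/`group` to `:=` so `id` runs once at parse time instead of on every expansion. `--insecure-options=image` on the `rkt fetch` line disables image signature verification; a comment stating that this is acceptable only because the ACI is the locally built artifact from the rule above keeps the flag from being copied into a fetch of a remote image.
```make
aci_file=quay.io-coreos-openldap-2.4.44.aci
aci_path := assets/$(aci_file)
# … unchanged: $(shell mkdir -p assets) …
user := $(shell id -u -n)
group := $(shell id -g -n)
# … unchanged: build, $(image_file) and tarball rules …
$(aci_path): $(image_file)
	docker2aci $(image_file)
	mv $(aci_file) $@

.PHONY: import-aci
import-aci: $(aci_path)
	# --insecure-options=image skips signature checks; only acceptable because $< is the locally built ACI.
	sudo rkt fetch --insecure-options=image ./$<

.PHONY: clean
clean:
	rm -rf assets/*

.PHONY: push
push:
	sudo docker push $(image)
```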
@@ -0,0 +1,63 @@
+# An OpenLDAP container
+
+## Running with rkt
+
+First be sure to clean any existing containers and turn SELinux to Permissive (this is due to a known issue in rkt).
+
+ sudo setenforce Permissive
+ sudo rkt gc --grace-period=0s
+
+Run the OpenLDAP container at a predefined IP, this will set some initial values.
+
+ sudo rkt run --net=default:IP=172.16.28.25 quay.io/coreos/openldap:2.4.44
+
+OpenLDAP will then be available on port 389. To work with the container's examples install the openldap client programs on your host.
+
+ sudo dnf install -y openldap-clients
+
+`ldapadd` can be used to add new entries to the directory.
+
+ ldapadd \
+ -h 172.16.28.25 \
+ -D "cn=Manager,dc=example,dc=com" \
+ -w "secret" \
+ -f examples/example.ldif
+
+The created entries can be searched with the `ldapsearch` command.
+
+ ldapsearch \
+ -h 172.16.28.25 \
+ -D "cn=Manager,dc=example,dc=com" \
+ -w "secret" \
+ -b "dc=example,dc=com" \
+ '(objectClass=*)'
+
+## Customizing the created directory
+
+The container uses environment variables defined in the `scripts/entrypoint.sh` bash file for initial configuration. Overriding these values will cause the
+
+ sudo rkt run \
+ --set-env=LDAP_DOMAIN="dc=dex,dc=coreos,dc=com" \
+ --set-env=LDAP_ROOT_CN="cn=admin" \
+ --set-env=LDAP_ROOT_PW="password" \
+ --net=default:IP=172.16.28.25 \
+ quay.io/coreos/openldap:2.4.44
+
+## Development
+
+The `Makefile` can be used to build the container using Docker. This will download OpenLDAP, compile it in a container, then add the entrypoint script.
+
+ make
+
+General development looks like.
+
+ vim scripts/entrypoint.sh
+ make
+ sudo docker run -it --rm --entrypoint=/bin/sh quay.io/coreos/openldap:2.4.44
+ # poke around or run /entrypoint.sh manually
+
+## TODO
+
+* TLS support.
+* Seed with initial data through mounted volume.
+* Better `objectClass` schemas that match other LDAP deployments.
diff --git a/contrib/openldap/examples/example.ldif b/contrib/openldap/examples/example.ldif
new file mode 100644
index 00000000..29bd0d52
--- /dev/null
+++ b/contrib/openldap/examples/example.ldif
@@ -0,0 +1,9 @@
+dn: dc=example,dc=com
+objectclass: dcObject
+objectclass: organization
+o: Example Company
+dc: example
+
+dn: cn=Manager,dc=example,dc=com
+objectclass: organizationalRole
+cn: Manager
diff --git a/contrib/openldap/scripts/download.sh b/contrib/openldap/scripts/download.sh
new file mode 100755
index 00000000..bc582edc
--- /dev/null
+++ b/contrib/openldap/scripts/download.sh
@@ -0,0 +1,7 @@
+#!/bin/bash -e
+# USAGE: scripts/download.sh
+
+wget -O /tmp/openldap-2.4.44.tgz ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.44.tgz
+sha512sum -c scripts/openldap-2.4.44.tgz.sha512
+mv /tmp/openldap-2.4.44.tgz assets/openldap-2.4.44.tgz
+tar -zxvf assets/openldap-2.4.44.tgz -C assets
diff --git a/contrib/openldap/scripts/entrypoint.sh b/contrib/openldap/scripts/entrypoint.sh
new file mode 100755
index 00000000..fd91f6cd
--- /dev/null
+++ b/contrib/openldap/scripts/entrypoint.sh
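Review bot: The tarball is written to the fixed, shared path `/tmp/openldap-2.4.44.tgz` (the `wget -O` line, and the same path is baked into `scripts/openldap-2.4.44.tgz.sha512`), which is predictable to every local user: a symlink planted there beforehand would be written through by `wget -O`, and the checksum file can only ever verify that one path. Downloading straight into `assets/`, which the script already owns, avoids both — `wget -O assets/openldap-2.4.44.tgz …` with the path in the .sha512 file updated to match and the `mv` dropped — or use `mktemp -d` for the staging file. Fetching over plain `ftp://` is acceptable only because `sha512sum -c` under `bash -e` gates every later step; a comment saying so, and recording where the hash came from beyond `# Computed` (ideally cross-checked against the upstream signature), lets the next reader judge whether to trust it. The script also assumes the cwd is `contrib/openldap` because `scripts/` and `assets/` are relative; `cd "$(dirname "$0")/.."` at the top would make the USAGE comment hold from anywhere.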
@@ -0,0 +1,53 @@
+#!/bin/sh -e
+
+# Provide sane defaults for these values.
+DOMAIN=${LDAP_DOMAIN:-"dc=example,dc=com"}
+ROOT_CN=${LDAP_ROOT_CN:-"cn=Manager"}
+ROOT_PW=${LDAP_ROOT_PW:-"secret"}
+LOG_LEVEL=${LDAP_LOG_LEVEL:-"any"}
+
+ROOT_DN="$ROOT_CN,$DOMAIN"
+
+cat < /usr/local/etc/openldap/slapd.ldif
+# Global config
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+
+# Schema definition
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///usr/local/etc/openldap/schema/core.ldif
+
+# Default frontend configuration.
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: frontend
+
+# Template in RootDN values and RootPW.
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+OlcDbMaxSize: 1073741824
+olcSuffix: $DOMAIN
+olcRootDN: $ROOT_DN
+olcRootPW: $ROOT_PW
+olcDbDirectory: /usr/local/var/openldap-data
+olcDbIndex: objectClass eq
+EOF
+
+mkdir -p /usr/local/etc/cn=config
+
+/usr/local/sbin/slapadd \
+ -n 0 \
+ -F /usr/local/etc/cn=config \
+ -l /usr/local/etc/openldap/slapd.ldif
+
+# Begin slapd with `-d` so it attaches rather than running it as a daemon process.
+/usr/local/libexec/slapd \
+ -d $LOG_LEVEL \
+ -F /usr/local/etc/cn=config
diff --git a/contrib/openldap/scripts/openldap-2.4.44.tgz.sha512 b/contrib/openldap/scripts/openldap-2.4.44.tgz.sha512
new file mode 100644
index 00000000..85412e29
--- /dev/null
+++ b/contrib/openldap/scripts/openldap-2.4.44.tgz.sha512
@@ -0,0 +1,2 @@
+# Computed
+132eb81798f59a364c9246d08697e1c7ebb6c2c3b983f786b14ec0233df09696cbad33a1f35f3076348b5efb77665a076ab854a24122c31e8b58310b7c7fd136 /tmp/openldap-2.4.44.tgz
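Review bot: `olcRootPW: $ROOT_PW` writes the directory's root password in cleartext into `/usr/local/etc/openldap/slapd.ldif`, and that file is left on disk (typically world-readable under the default umask) after `slapadd` has imported it, with `secret` as the value whenever `LDAP_ROOT_PW` is unset; store a hash instead, `olcRootPW: $(/usr/local/sbin/slappasswd -s "$ROOT_PW")`, and add `rm -f /usr/local/etc/openldap/slapd.ldif` after the slapadd block. The `LDAP_LOG_LEVEL` default of `any` enables every slapd debug category, including bind and packet traces, and `-d $LOG_LEVEL` is unquoted; a quieter default such as `stats` and `-d "$LOG_LEVEL"` would be more appropriate for anything beyond local experiments. slapd is started as root with no `-u`/`-g`, so the listening process keeps full privileges inside the container; creating an unprivileged user and passing `-u`/`-g` is the usual drop. The line `cat < /usr/local/etc/openldap/slapd.ldif` reads as a here-document whose `<<EOF >` redirection was presumably lost in extraction (the block ends with `EOF`), which is worth confirming against the actual file.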