diff --git a/README.md b/README.md
index b13730f..6901975 100644
--- a/README.md
+++ b/README.md
@@ -221,8 +221,9 @@ Gate with `KERBEROS_ENABLE=1`. When enabled, slapd is configured at first-run bo
 |---|---|---|
 | `KERBEROS_ENABLE` | `0` | Set to `1` to enable |
 | `KRB5_REALM` | — | Kerberos realm (uppercase, e.g. `EXAMPLE.ORG`) |
-| `KRB5_SASL_HOST` | — | Hostname matching the `ldap/@REALM` service principal |
-| `KRB5_KTNAME` | `/etc/ldap/ldap.keytab` | Path to the keytab inside the container |
+| `KRB5_KDC_HOST` | — | Hostname of the Kerberos KDC |
+| `LDAP_HOSTNAME` | — | Hostname matching the `ldap/@REALM` service principal |
+| `KRB5_KTNAME` | `/etc/krb5.keytab` | Path to the keytab inside the container |
 
 ### Principal-to-DN mapping
 
@@ -242,7 +243,7 @@ Gate with `KERBEROS_ENABLE=1`. When enabled, slapd is configured at first-run bo
 ```bash
 container cp kerberos:/tmp/ldap.keytab ~/app-data/openldap/ldap.keytab
 ```
-3. Mount it into the OpenLDAP container at `KRB5_KTNAME` (default `/etc/ldap/ldap.keytab`) and set the Kerberos env vars in `openldap.env`.
+3. Mount it into the OpenLDAP container at `KRB5_KTNAME` (default `/etc/krb5.keytab`) and set the Kerberos env vars in `openldap.env`.
 4. On first start, bootstrap applies the SASL configuration automatically. For an already-initialised instance apply it manually:
 ```bash
 ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<'EOF'
diff --git a/bootstrap/init.py b/bootstrap/init.py
index 7de357c..339ad59 100644
--- a/bootstrap/init.py
+++ b/bootstrap/init.py
@@ -19,7 +19,7 @@ password = os.environ.get("LDAP_PASSWORD") or "changeit"
 tls_enabled = os.environ.get("TLS_ENABLED") == "1"
 kerberos_enabled = os.environ.get("KERBEROS_ENABLE") == "1"
 krb5_realm = os.environ.get("KRB5_REALM", "")
-krb5_sasl_host = os.environ.get("KRB5_SASL_HOST", "")
+ldap_hostname = os.environ.get("LDAP_HOSTNAME", "")
 admin_dn = f"cn=admin,{base_dn}"
 
 
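Review bot: The rename in bootstrap/init.py drops `KRB5_SASL_HOST` with no fallback, so an existing `openldap.env` that still sets the old name now yields `ldap_hostname == ""`, and through the second init.py hunk and config-sasl.ldif that renders `olcSaslHost:` with an empty value, which ldapmodify will likely reject or slapd will treat as unset, so the problem surfaces later as a GSSAPI service-principal mismatch instead of at bootstrap. Read the old name as a fallback for one release, `ldap_hostname = os.environ.get("LDAP_HOSTNAME") or os.environ.get("KRB5_SASL_HOST", "")`, and fail fast in main() before the SASL apply_ldif call when `kerberos_enabled and not ldap_hostname`, e.g. `raise SystemExit("KERBEROS_ENABLE=1 requires LDAP_HOSTNAME")`. The README hunk also changes the documented `KRB5_KTNAME` default to `/etc/krb5.keytab`, but no code hunk in this diff changes a corresponding default, so confirm the Dockerfile or entrypoint default was updated to match. Both init.py hunks are fragments of a module whose surrounding lines lie outside the diff.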
@@ -121,7 +121,7 @@ def main():
 apply_ldif(LDIF_DIR / "config-tls.ldif", env)
 if kerberos_enabled:
 apply_ldif(LDIF_DIR / "config-sasl.ldif", env,
-base_dn=base_dn, krb5_realm=krb5_realm, sasl_host=krb5_sasl_host)
+base_dn=base_dn, krb5_realm=krb5_realm, ldap_hostname=ldap_hostname)
 print("cn=config updated.")
 
 
diff --git a/bootstrap/ldif/config-sasl.ldif b/bootstrap/ldif/config-sasl.ldif
index c60c2dd..40d66c5 100644
--- a/bootstrap/ldif/config-sasl.ldif
+++ b/bootstrap/ldif/config-sasl.ldif
@@ -1,7 +1,7 @@
 dn: cn=config
 changetype: modify
 replace: olcSaslHost
-olcSaslHost: {{ sasl_host }}
+olcSaslHost: {{ ldap_hostname }}
 -
 replace: olcSaslRealm
 olcSaslRealm: {{ krb5_realm }}
diff --git a/env.example b/env.example
index e2865e5..186583d 100644
--- a/env.example
+++ b/env.example
@@ -8,5 +8,5 @@ LDAP_ADMIN_PASSWORD=changeit
 KERBEROS_ENABLE=0
 KRB5_REALM=EXAMPLE.ORG
 KRB5_KDC_HOST=kerberos.example.org
-KRB5_SASL_HOST=ldap.example.org
+LDAP_HOSTNAME=ldap.example.org
 KRB5_KTNAME=/etc/krb5.keytab
diff --git a/scripts/accounts_editor.py b/scripts/accounts_editor.py
index 298ca45..c8973fb 100755
--- a/scripts/accounts_editor.py
+++ b/scripts/accounts_editor.py
@@ -21,7 +21,8 @@ ENV_VARS = {
 "LDAP_ADMIN_PASSWORD": "Admin Password",
 "KERBEROS_ENABLE": "Enable Kerberos",
 "KRB5_REALM": "Realm",
-"KRB5_SASL_HOST": "SASL Host",
+"KRB5_KDC_HOST": "KDC Host",
+"LDAP_HOSTNAME": "LDAP Hostname",
 "KRB5_KTNAME": "Keytab Path",
 }
 
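Review bot: `KRB5_KDC_HOST` is added to ENV_VARS in scripts/accounts_editor.py and documented in the README hunk, but nothing in this diff reads it; the bootstrap/init.py hunks shown consume only `KRB5_REALM` and `LDAP_HOSTNAME`. If it is consumed elsewhere (a krb5.conf template or the entrypoint, for instance) that is fine, otherwise the editor now offers a setting with no effect, which is easy to mistake for a working KDC configuration. Either reference the consumer in the README row's description, e.g. `Hostname of the Kerberos KDC (used by <consumer>)`, or hold the entry until one exists. The ENV_VARS literal continues outside the hunk.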