slawek 551c2ac64b Fix Kerberos support in entrypoint.sh and env.example
- Update KRB5_KTNAME path to /etc/krb5.keytab for consistency
- Add KRB5_KDC_HOST variable to env.example
- Implement error handling for missing keytab file in entrypoint.sh
- Write krb5.conf configuration dynamically based on environment variables
2026-05-17 00:32:44 +02:00


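#!/bin/sh
# Container entrypoint for OpenLDAP.
#
# Flow: detect optional TLS material and Kerberos settings, run a one-off
# slapd initialisation (debconf + /bootstrap/init.py) on the first start,
# then exec slapd in the foreground.
#
# Environment (all optional unless stated):
#   LDAP_BASE_DN, LDAP_DOMAIN, LDAP_ORG   - directory identity
#   LDAP_PASSWORD, LDAP_ADMIN_PASSWORD    - bootstrap / admin secrets
#   KERBEROS_ENABLE=1                      - requires KRB5_REALM and
#                                            KRB5_KDC_HOST; KRB5_KTNAME optional
#
# POSIX sh: `set -o pipefail` is not available here, only -e and -u.
set -eu

readonly CERTS_DIR="/etc/ldap/certs"
readonly DATA_DIR="/var/lib/ldap"
readonly SLAPD_D="/etc/ldap/slapd.d"
readonly INITIALIZED_FLAG="$DATA_DIR/.initialized"
readonly CA_CERT_NAME="ca_cert.pem"
readonly SERVER_CERT_NAME="server_cert.pem"
readonly SERVER_KEY_NAME="server_key.pem"
# Well-known fallback secret; kept for backwards compatibility but flagged below.
readonly DEFAULT_PASSWORD="changeit"

echo "Starting OpenLDAP entrypoint..."

base_dn="${LDAP_BASE_DN:-dc=example,dc=org}"
domain="${LDAP_DOMAIN:-example.org}"
org="${LDAP_ORG:-Example Org}"
password="${LDAP_PASSWORD:-$DEFAULT_PASSWORD}"
# The slapd admin password falls back to the bootstrap password.
admin_password="${LDAP_ADMIN_PASSWORD:-$password}"

# Make use of the default secret impossible to miss without refusing to
# start (existing local setups depend on the fallback).  The secret values
# themselves are never printed.
if [ "$admin_password" = "$DEFAULT_PASSWORD" ] || [ "$password" = "$DEFAULT_PASSWORD" ]; then
  echo "WARNING: LDAP password is the built-in default '$DEFAULT_PASSWORD'; set LDAP_PASSWORD / LDAP_ADMIN_PASSWORD for anything beyond local testing." >&2
fi

echo "Base DN : $base_dn"
echo "Domain : $domain"
echo "Org : $org"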
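# TLS is enabled only when the full trio (CA cert, server cert, server key)
# is mounted under $CERTS_DIR.  A missing file would otherwise silently turn
# this into a plaintext-only server, so a partial set is reported rather
# than ignored.
tls_enabled="0"
certs_present=0
for cert_file in "$CA_CERT_NAME" "$SERVER_CERT_NAME" "$SERVER_KEY_NAME"; do
  if [ -f "$CERTS_DIR/$cert_file" ]; then
    certs_present=$((certs_present + 1))
  fi
done

if [ "$certs_present" -eq 3 ]; then
  tls_enabled="1"
  echo "TLS : enabled"
  # slapd is started as the openldap user (see the exec at the end of this
  # script), so the key must be readable by that user -- but not by everyone.
  # `-perm -004` (POSIX octal form) matches when the world-read bit is set.
  if [ -n "$(find "$CERTS_DIR/$SERVER_KEY_NAME" -prune -perm -004 2>/dev/null)" ]; then
    echo "WARNING: $CERTS_DIR/$SERVER_KEY_NAME is world-readable; restrict it to the openldap user (e.g. mode 0640, group openldap)." >&2
  fi
else
  echo "TLS : disabled"
  if [ "$certs_present" -gt 0 ]; then
    echo "WARNING: only $certs_present of 3 files ($CA_CERT_NAME, $SERVER_CERT_NAME, $SERVER_KEY_NAME) found in $CERTS_DIR; TLS stays disabled." >&2
  fi
fi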
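# Kerberos/GSSAPI support.  When enabled, /etc/krb5.conf is (re)written on
# every start from the environment, and the keytab path is exported so the
# GSSAPI library inside slapd picks it up.
kerberos_enabled="0"
if [ "${KERBEROS_ENABLE:-0}" = "1" ]; then
  kerberos_enabled="1"

  # Validate all required settings first so a misconfiguration fails before
  # anything is written.  Values are operator-controlled and are interpolated
  # verbatim into krb5.conf: a value containing a newline would add lines to
  # that file, so keep them to plain hostnames / realm names.
  krb5_realm="${KRB5_REALM:?KRB5_REALM must be set when KERBEROS_ENABLE=1}"
  krb5_kdc_host="${KRB5_KDC_HOST:?KRB5_KDC_HOST must be set when KERBEROS_ENABLE=1}"
  export KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
  echo "Kerberos : enabled (keytab: $KRB5_KTNAME)"

  if [ ! -f "$KRB5_KTNAME" ]; then
    echo "Error: keytab not found at $KRB5_KTNAME" >&2
    exit 1
  fi
  # slapd runs as the openldap user (see the exec at the end of this script),
  # so the keytab has to be readable by that user; it must not be readable by
  # everyone, since it holds the service's long-term key.  Warn, don't fail:
  # existence is the only hard requirement this script enforces.
  if [ -n "$(find "$KRB5_KTNAME" -prune -perm -004 2>/dev/null)" ]; then
    echo "WARNING: keytab $KRB5_KTNAME is world-readable; restrict it to the openldap user (e.g. mode 0640, group openldap)." >&2
  fi

  # DNS-based realm/KDC discovery is disabled: the KDC is pinned to
  # KRB5_KDC_HOST.  The [domain_realm] mapping assumes the LDAP domain is
  # also the Kerberos realm's DNS domain -- adjust if they differ.
  cat > /etc/krb5.conf <<EOF
[libdefaults]
default_realm = ${krb5_realm}
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
${krb5_realm} = {
kdc = ${krb5_kdc_host}
admin_server = ${krb5_kdc_host}
}
[domain_realm]
.${domain} = ${krb5_realm}
${domain} = ${krb5_realm}
EOF
  echo "Kerberos : krb5.conf written (realm: ${krb5_realm}, kdc: ${krb5_kdc_host})"
else
  echo "Kerberos : disabled"
fi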
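# Runtime directory for slapd's pid/args files; it must be writable by the
# unprivileged user slapd switches to at launch.
echo "Ensuring slapd runtime directory..."
mkdir -p /var/run/slapd
chown openldap:openldap /var/run/slapd

# One-shot initialisation, keyed on a marker file inside the data volume.
# NOTE(review): nothing in this script creates $INITIALIZED_FLAG; presumably
# /bootstrap/init.py writes it on success -- confirm, because if it does not,
# every restart re-runs dpkg-reconfigure against the existing database.
if [ ! -f "$INITIALIZED_FLAG" ]; then
  echo "First run - configuring slapd via debconf..."
  # Answers are fed over stdin so the password never appears on argv / in
  # `ps`.  debconf keeps the answers (password included) in its own database
  # under /var/cache/debconf afterwards; treat that layer as sensitive.
  debconf-set-selections <<EOF
slapd slapd/no_configuration boolean false
slapd slapd/dump_database select when needed
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
slapd slapd/move_old_database boolean false
slapd slapd/domain string $domain
slapd shared/organization string $org
slapd slapd/password1 password $admin_password
slapd slapd/password2 password $admin_password
slapd slapd/purge_database boolean false
slapd slapd/internal/adminpw1 password $admin_password
slapd slapd/internal/generated_adminpw password $admin_password
EOF
  echo "Running dpkg-reconfigure slapd..."
  DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -f noninteractive slapd
  echo "dpkg-reconfigure complete."

  echo "Running bootstrap init..."
  # Secrets reach the bootstrap via the environment, not argv.  slapd was
  # configured above with $admin_password, which differs from $password when
  # LDAP_ADMIN_PASSWORD is set, so both are passed; init.py may ignore the
  # extra variable.
  LDAP_BASE_DN="$base_dn" \
  LDAP_PASSWORD="$password" \
  LDAP_ADMIN_PASSWORD="$admin_password" \
  TLS_ENABLED="$tls_enabled" \
  KERBEROS_ENABLE="$kerberos_enabled" \
  python3 -u /bootstrap/init.py
else
  echo "Already initialised - skipping bootstrap."
fi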
# Listener set.  The local socket and plaintext LDAP on 389 are always on;
# LDAPS on 636 is added only when the certificate trio was found.  Note that
# 389 remains open even with TLS enabled (StartTLS is possible on it, but
# nothing here forces clients to use it).
listen_urls="ldapi:/// ldap://:389/"
case "$tls_enabled" in
  1) listen_urls="$listen_urls ldaps://:636/" ;;
esac

echo "Launching slapd (URLs: $listen_urls)..."
# -F: cn=config directory; -u/-g: drop to the openldap user after binding
# privileged ports; -d 0: stay in the foreground with no debug output.
exec slapd -F "$SLAPD_D" -u openldap -g openldap -d 0 -h "$listen_urls"