Hello community,
here is the log from the commit of package opensuse-openldap-image for
openSUSE:Factory checked in at 2020-10-26 16:23:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/opensuse-openldap-image (Old)
and /work/SRC/openSUSE:Factory/.opensuse-openldap-image.new.3463 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "opensuse-openldap-image"
Mon Oct 26 16:23:10 2020 rev:2 rq:844087 version:1.0.0
Changes:
--------
---
/work/SRC/openSUSE:Factory/opensuse-openldap-image/opensuse-openldap-image.changes
2020-09-03 01:16:15.528516989 +0200
+++
/work/SRC/openSUSE:Factory/.opensuse-openldap-image.new.3463/opensuse-openldap-image.changes
2020-10-26 16:23:30.847282636 +0100
@@ -1,0 +2,17 @@
+Mon Oct 26 12:42:00 UTC 2020 - Thorsten Kukuk <[email protected]>
+
+- Check for errors when importing ldif files
+- Add support to import ldif files for mailserver setup
+
+-------------------------------------------------------------------
+Mon Sep 28 18:50:23 UTC 2020 - Thorsten Kukuk <[email protected]>
+
+- Add timezone package
+
+-------------------------------------------------------------------
+Thu Aug 27 08:16:26 UTC 2020 - Thorsten Kukuk <[email protected]>
+
+- Load postfix.ldif by default, delete duplicate file
+- Pre-process mailserver/*.ldif files
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ opensuse-openldap-image.kiwi ++++++
--- /var/tmp/diff_new_pack.sDaGJ4/_old 2020-10-26 16:23:31.423283099 +0100
+++ /var/tmp/diff_new_pack.sDaGJ4/_new 2020-10-26 16:23:31.423283099 +0100
@@ -54,6 +54,7 @@
<package name="openldap2-client"/>
<package name="openldap2-ppolicy-check-password"/>
<package name="openssl"/>
+ <package name="timezone"/>
<package name="mandoc"/>
<package name="ca-certificates"/>
<package name="ca-certificates-mozilla"/>
++++++ README.md ++++++
--- /var/tmp/diff_new_pack.sDaGJ4/_old 2020-10-26 16:23:31.467283135 +0100
+++ /var/tmp/diff_new_pack.sDaGJ4/_new 2020-10-26 16:23:31.471283138 +0100
@@ -103,41 +103,42 @@
## Supported environment variables:
### Generic variables:
-- `DEBUG=[0|1]` Enables "set -x" in the entrypoint script
-- `TZ` Timezone to use in the container
+- `DEBUG=[0|1]` Enables "set -x" in the entrypoint script
+- `TZ` Timezone to use in the container
### Variables for new database:
-- `LDAP_DOMAIN` Ldap domain. Defaults to `example.org`
-- `LDAP_BASE_DN` Ldap base DN. If empty automatically set from
`LDAP_DOMAIN` value. Defaults to (`empty`)
-- `LDAP_ORGANISATION` Organisation name. Defaults to `Example Inc.`
-- `LDAP_ADMIN_PASSWORD` Ldap admin password. It's required to supply
one if no database exists at startup.
-- `LDAP_CONFIG_PASSWORD` Ldap config password. It's required to supply
one if no database exists at startup.
-- `LDAP_BACKEND` Database backend, defaults to `mdb`
-- `LDAP_SEED_LDIF_PATH` Path with additional ldif files which will be loaded
-- `LDAP_SEED_SCHEMA_PATH` Path with additional schema which will be loaded
+- `LDAP_DOMAIN` Ldap domain. Defaults to `example.org`
+- `LDAP_BASE_DN` Ldap base DN. If empty automatically set from
`LDAP_DOMAIN` value. Defaults to (`empty`)
+- `LDAP_ORGANIZATION` Organization name. Defaults to `Example Inc.`
+- `LDAP_ADMIN_PASSWORD` Ldap admin password. It's required to supply
one if no database exists at startup.
+- `LDAP_CONFIG_PASSWORD` Ldap config password. It's required to supply one
if no database exists at startup.
+- `LDAP_BACKEND` Database backend, defaults to `mdb`
+- `LDAP_SEED_LDIF_PATH` Path with additional ldif files which will be loaded
+- `LDAP_SEED_SCHEMA_PATH` Path with additional schema which will be loaded
### Variables for TLS:
-- `LDAP_TLS=[1|0]` Enable TLS. Defaults to `1` (true).
-- `LDAP_TLS_CA_CRT` LDAP ssl CA certificate. Defaults to
`/etc/openldap/certs/ca.crt`.
-- `LDAP_TLS_CA_KEY` Private LDAP CA key. Defaults to
`/etc/openldap/certs/ca.key`.
-- `LDAP_TLS_CRT` LDAP ssl certificate. Defaults to
`/etc/openldap/certs/tls.crt`.
-- `LDAP_TLS_KEY` Private LDAP ssl key. Defaults to
`/etc/openldap/certs/tls.key`.
-- `LDAP_TLS_DH_PARAM` LDAP ssl certificate dh param file.
-- `LDAP_TLS_ENFORCE=[0|1]` Enforce TLS but except ldapi connections.
Defaults to `0` (false).
-- `LDAP_TLS_CIPHER_SUITE` TLS cipher suite.
-- `LDAP_TLS_VERIFY_CLIENT` TLS verify client. Defaults to `demand`.
+- `LDAP_TLS=[1|0]` Enable TLS. Defaults to `1` (true).
+- `LDAP_TLS_CA_CRT` LDAP ssl CA certificate. Defaults to
`/etc/openldap/certs/openldap-ca.crt`.
+- `LDAP_TLS_CA_KEY` Private LDAP CA key. Defaults to
`/etc/openldap/certs/openldap-ca.key`.
+- `LDAP_TLS_CRT` LDAP ssl certificate. Defaults to
`/etc/openldap/certs/tls.crt`.
+- `LDAP_TLS_KEY` Private LDAP ssl key. Defaults to
`/etc/openldap/certs/tls.key`.
+- `LDAP_TLS_DH_PARAM` LDAP ssl certificate dh param file.
+- `LDAP_TLS_ENFORCE=[0|1]` Enforce TLS but except ldapi connections. Defaults
to `0` (false).
+- `LDAP_TLS_CIPHER_SUITE` TLS cipher suite.
+- `LDAP_TLS_VERIFY_CLIENT` TLS verify client. Defaults to `demand`.
### Various configuration variables:
-- `LDAP_NOFILE` Number of open files (ulimt -n), default `1024`
-- `LDAP_PORT` Port for ldap:///, defaults to `389`
-- `LDAPS_PORT` Port for ldaps:///, defaults to `636`
-- `LDAPI_URL` Ldapi url, defaults to `ldapi:///run/slapd/ldapi`
-- `LDAP_UID` UID of ldap user. All LDAP related files will be
changed to this UID
-- `LDAP_GID` GID of ldap group. All LDAP related files will be
changed to this GID
-- `LDAP_BACKEND` Database backend, defaults to `mdb`
-- `SLAPD_LOG_LEVEL` Slapd debug devel, defaults to `0`
+- `LDAP_NOFILE` Number of open files (ulimt -n), default `1024`
+- `LDAP_PORT` Port for ldap:///, defaults to `389`
+- `LDAPS_PORT` Port for ldaps:///, defaults to `636`
+- `LDAPI_URL` Ldapi url, defaults to `ldapi:///run/slapd/ldapi`
+- `LDAP_UID` UID of ldap user. All LDAP related files will be
changed to this UID
+- `LDAP_GID` GID of ldap group. All LDAP related files will be
changed to this GID
+- `LDAP_BACKEND` Database backend, defaults to `mdb`
+- `SLAPD_LOG_LEVEL` Slapd debug devel, defaults to `0`
+- `SETUP_FOR_MAILSERVER` The mail organization will be created
(ldif/mailserver/), defaults to `0`
## Data persistence volumes
-- `/etc/openldap/certs` TLS certificates for slapd
-- `/etc/openldap/slapd.d` Slapd configuration files
-- `/var/lib/ldap` OpenLDAP database
+- `/etc/openldap/certs` TLS certificates for slapd
+- `/etc/openldap/slapd.d` Slapd configuration files
+- `/var/lib/ldap` OpenLDAP database
++++++ config.sh ++++++
--- /var/tmp/diff_new_pack.sDaGJ4/_old 2020-10-26 16:23:31.495283158 +0100
+++ /var/tmp/diff_new_pack.sDaGJ4/_new 2020-10-26 16:23:31.495283158 +0100
@@ -16,6 +16,3 @@
# No default domain and standard password ...
rm /etc/openldap/slapd.conf
-# Fix path so that update-ca-certificates does not complain
-# [bsc#1175340]
-rm /etc/ssl/certs && ln -sf /var/lib/ca-certificates/pem /etc/ssl/certs
++++++ entrypoint.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/entrypoint/entrypoint.sh new/entrypoint/entrypoint.sh
--- old/entrypoint/entrypoint.sh 2020-08-26 17:58:22.000000000 +0200
+++ new/entrypoint/entrypoint.sh 2020-10-26 13:40:28.000000000 +0100
@@ -17,21 +17,24 @@
SLAPD_SLP_REG=${SLAPD_SLP_REG:-"-o slp=off"}
# Default values for new database
-LDAP_ORGANISATION=${LDAP_ORGANISATION:-"Example Inc."}
+LDAP_ORGANIZATION=${LDAP_ORGANIZATION:-"Example Inc."}
LDAP_DOMAIN=${LDAP_DOMAIN:-"example.org"}
LDAP_BASE_DN=${LDAP_BASE_DN:-""}
# TLS
LDAP_TLS=${LDAP_TLS:-"1"}
-LDAP_TLS_CA_CRT=${LDAP_TLS_CA_CRT:-"/etc/openldap/certs/ca.crt"}
-LDAP_TLS_CA_KEY=${LDAP_TLS_CA_KEA:-"/etc/openldap/certs/ca.key"}
+LDAP_TLS_CA_CRT=${LDAP_TLS_CA_CRT:-"/etc/openldap/certs/openldap-ca.crt"}
+LDAP_TLS_CA_KEY=${LDAP_TLS_CA_KEA:-"/etc/openldap/certs/openldap-ca.key"}
LDAP_TLS_CRT=${LDAP_TLS_CRT:-"/etc/openldap/certs/tls.crt"}
LDAP_TLS_KEY=${LDAP_TLS_KEY:-"/etc/openldap/certs/tls.key"}
LDAP_TLS_DH_PARAM=${LDAP_TLS_DH_PARAM:-"/etc/openldap/certs/dhparam.pem"}
LDAP_TLS_ENFORCE=${LDAP_TLS_ENFORCE:-"0"}
LDAP_TLS_CIPHER_SUITE=${LDAP_TLS_CIPHER_SUITE:-"HIGH:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:!SSLv3:!SSLv2:!ADH"}
-LDAP_TLS_VERIFY_CLIENT=${LDAP_TLS_VERIFY_CLIENT:-demand}
+LDAP_TLS_VERIFY_CLIENT=${LDAP_TLS_VERIFY_CLIENT:-try}
+
+# For mailserver setup
+SETUP_FOR_MAILSERVER=${SETUP_FOR_MAILSERVER:-0}
setup_timezone() {
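Review bot: The `+` line for the CA key still expands the misspelled `${LDAP_TLS_CA_KEA:-...}`, so an operator-supplied `LDAP_TLS_CA_KEY` (documented in README.md in this same patch) is silently ignored and the built-in path is always used; it should read `LDAP_TLS_CA_KEY=${LDAP_TLS_CA_KEY:-"/etc/openldap/certs/openldap-ca.key"}`. The same hunk relaxes the `LDAP_TLS_VERIFY_CLIENT` default from `demand` to `try`, which makes client certificates optional on the server side and is also written as `TLS_REQCERT` into /etc/openldap/ldap.conf further down, yet neither the changelog nor the README (which still says "Defaults to `demand`") mentions it. Either keep `demand` or document the new default and why it was loosened.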
@@ -194,7 +197,7 @@
objectClass: top
objectClass: dcObject
objectClass: organization
- o: ${LDAP_ORGANISATION}
+ o: ${LDAP_ORGANIZATION}
dc: $dc
dn: cn=admin,${LDAP_BASE_DN}
@@ -227,18 +230,39 @@
fi
}
+ function adjust_ldif_file() {
+ local LDIF_FILE
+
+ LDIF_FILE="$1"
+
+ sed -i "s|@LDAP_BASE_DN@|${LDAP_BASE_DN}|g" "${LDIF_FILE}"
+ sed -i "s|@LDAP_BACKEND@|${LDAP_BACKEND}|g" "${LDIF_FILE}"
+ sed -i "s|@LDAP_DOMAIN@|${LDAP_DOMAIN}|g" "${LDIF_FILE}"
+ if [ -n "${MAIL_ACCOUNT_READER_PASSWORD}" ]; then
+ sed -i
"s|@MAIL_ACCOUNT_READER_PASSWORD@|${MAIL_ACCOUNT_READER_PASSWORD}|g"
"${LDIF_FILE}"
+ fi
+ }
+
function ldap_add_or_modify() {
+ local failed
local LDIF_FILE=$1
- echo "Processing file ${LDIF_FILE}"
- sed -i "s|@LDAP_BASE_DN@|${LDAP_BASE_DN}|g" "${LDIF_FILE}"
- sed -i "s|@LDAP_BACKEND@|${LDAP_BACKEND}|g" "${LDIF_FILE}"
- sed -i "s|@LDAP_DOMAIN@|${LDAP_DOMAIN}|g" "${LDIF_FILE}"
+ echo "Processing file ${LDIF_FILE}"
+
+ adjust_ldif_file "${LDIF_FILE}"
if grep -iq changetype "${LDIF_FILE}" ; then
- ldapmodify -Y EXTERNAL -Q -H ldapi:/// -D
"cn=admin,${LDAP_BASE_DN}" -w "${LDAP_ADMIN_PASSWORD}" -f "${LDIF_FILE}"
+ ldapmodify -Y EXTERNAL -Q -H ldapi:/// -D
"cn=admin,${LDAP_BASE_DN}" -w "${LDAP_ADMIN_PASSWORD}" -f "${LDIF_FILE}" ||
failed=1
+ if [ "$failed" ]; then
+ echo "ERROR: ldapmodify failed!"
+ exit 1
+ fi
else
- ldapadd -Y EXTERNAL -Q -H ldapi:/// -D "cn=admin,${LDAP_BASE_DN}"
-w "$LDAP_ADMIN_PASSWORD" -f "${LDIF_FILE}"
+ ldapadd -Y EXTERNAL -Q -H ldapi:/// -D "cn=admin,${LDAP_BASE_DN}"
-w "$LDAP_ADMIN_PASSWORD" -f "${LDIF_FILE}" || failed=1
+ if [ "$failed" ]; then
+ echo "ERROR: ldapadd failed!"
+ exit 1
+ fi
fi
}
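Review bot: `adjust_ldif_file` splices `MAIL_ACCOUNT_READER_PASSWORD` unescaped into a `sed` replacement, so a password containing `|`, `&`, `\` or a newline either aborts the substitution or silently stores a different password than the operator set; escape it first, e.g. `esc=$(printf '%s' "${MAIL_ACCOUNT_READER_PASSWORD}" | sed -e 's/[&|\\]/\\&/g')` and substitute `${esc}` (a newline still has to be rejected up front). The `failed=1` / `if [ "$failed" ]` pairs in `ldap_add_or_modify` can collapse to `ldapadd … || { echo "ERROR: ldapadd failed!" >&2; exit 1; }`, which also sends the diagnostic to stderr. The touched `ldapadd`/`ldapmodify` lines keep `-D … -w "${LDAP_ADMIN_PASSWORD}"` next to `-Y EXTERNAL`; with a SASL bind the simple-bind credentials appear to be unused, while `-w` exposes the admin password on the command line to anything that can read the container's process list.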
@@ -366,22 +390,39 @@
rm -f /entrypoint/ldif/security.ldif
ldap_add_or_modify /entrypoint/ldif/memberOf.ldif
ldap_add_or_modify /entrypoint/ldif/refint.ldif
+ ldap_add_or_modify /entrypoint/ldif/postfix.ldif
ldap_add_or_modify /entrypoint/ldif/index.ldif
# process config files (*.ldif) in custom directory
echo "Add image bootstrap ldif..."
for f in $(find /entrypoint/ldif/custom -mindepth 1 -maxdepth 1 -type f
-name \*.ldif | sort); do
- echo "Processing file ${f}"
ldap_add_or_modify "$f"
done
+ if [ "${SETUP_FOR_MAILSERVER}" = "1" ]; then
+ echo "Setup for mailserver..."
+ file_env 'MAIL_ACCOUNT_READER_PASSWORD'
+ if [ -z "${MAIL_ACCOUNT_READER_PASSWORD}" ]; then
+ echo "Password for mail account reader
(MAIL_ACCOUNT_READER_PASSWORD) not set!" >&2
+ exit 1
+ fi
+
+ for f in /entrypoint/ldif/mailserver/*.ldif ; do
+ ldap_add_or_modify "$f"
+ done
+ else
+ for f in /entrypoint/ldif/mailserver/*.ldif ; do
+ echo "Adjusting $f"
+ adjust_ldif_file "$f"
+ done
+ fi
# Check or create certificates
setup_tls
}
# ldap client config
setup_ldap_conf() {
- if [ "${LDAP_TLS}" == "1" ]; then
+ if [ "${LDAP_TLS}" = "1" ]; then
echo "Configure ldap client TLS configuration..."
echo "TLS_CACERT ${LDAP_TLS_CA_CRT}" >> /etc/openldap/ldap.conf
echo "TLS_REQCERT ${LDAP_TLS_VERIFY_CLIENT}" >> /etc/openldap/ldap.conf
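Review bot: After the `SETUP_FOR_MAILSERVER` loop the substituted `02-create-cn=mailAccountReader.ldif` keeps the reader password in cleartext under /entrypoint/ldif/mailserver for the life of the container, whereas the hunk's first context line already removes `security.ldif` once applied; delete each mailserver file (or restore its placeholder) after a successful import, e.g. `ldap_add_or_modify "$f" && rm -f "$f"`. Both `for f in /entrypoint/ldif/mailserver/*.ldif` loops run without `nullglob`, so an empty directory hands the literal `*.ldif` to `adjust_ldif_file`, which then fails inside `sed -i`; guard each loop body with `[ -e "$f" ] || continue`. The enclosing setup function starts before this hunk.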
@@ -414,7 +455,7 @@
unset "$fileVar"
}
-# if command starts with an option, prepend postfix
+# if command starts with an option, prepend slapd
if [ "${1:0:1}" = '-' ]; then
set -- /usr/sbin/slapd "$@"
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/entrypoint/ldif/examples/example-user.ldif
new/entrypoint/ldif/examples/example-user.ldif
--- old/entrypoint/ldif/examples/example-user.ldif 1970-01-01
01:00:00.000000000 +0100
+++ new/entrypoint/ldif/examples/example-user.ldif 2020-10-26
13:40:28.000000000 +0100
@@ -0,0 +1,14 @@
+dn: uid=mail000,ou=mail,@LDAP_BASE_DN@
+cn: mail000
+gidnumber: 20000
+homedirectory: /home/mail/mail000
+mailacceptinggeneralid: [email protected]
+mailacceptinggeneralid: [email protected]
+maildrop: [email protected]
+objectclass: account
+objectclass: posixAccount
+objectclass: postfixUser
+objectclass: top
+uid: mail000
+uidnumber: 20000
+userpassword: user
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/entrypoint/ldif/index.ldif
new/entrypoint/ldif/index.ldif
--- old/entrypoint/ldif/index.ldif 2020-08-26 17:58:22.000000000 +0200
+++ new/entrypoint/ldif/index.ldif 2020-10-26 13:40:28.000000000 +0100
@@ -8,3 +8,6 @@
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: objectClass eq
+# for postfix schema
+olcdbindex: mailacceptinggeneralid eq,sub
+olcdbindex: maildrop eq
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/entrypoint/ldif/mailserver/02-create-cn=mailAccountReader.ldif
new/entrypoint/ldif/mailserver/02-create-cn=mailAccountReader.ldif
--- old/entrypoint/ldif/mailserver/02-create-cn=mailAccountReader.ldif
1970-01-01 01:00:00.000000000 +0100
+++ new/entrypoint/ldif/mailserver/02-create-cn=mailAccountReader.ldif
2020-10-26 13:40:28.000000000 +0100
@@ -0,0 +1,10 @@
+dn: ou=Manager,@LDAP_BASE_DN@
+objectClass: organizationalUnit
+ou: Manager
+
+dn: cn=mailAccountReader,ou=Manager,@LDAP_BASE_DN@
+cn: mailAccountReader
+objectclass: organizationalRole
+objectclass: simpleSecurityObject
+objectclass: top
+userpassword: @MAIL_ACCOUNT_READER_PASSWORD@
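Review bot: `userpassword: @MAIL_ACCOUNT_READER_PASSWORD@` stores the reader credential as a cleartext `userPassword` value, both in the directory and, once the entrypoint has substituted it in place, in this file on disk. slapd authenticates against a hashed value just as well, so substitute a `{SSHA}` hash instead — for example have the entrypoint write the password to a temp file and use the output of `slappasswd -T "$tmp"` as the replacement, which also keeps the secret off the command line — unless a ppolicy `olcPPolicyHashCleartext` setting elsewhere in the image already hashes on add, which is not visible here.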
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/entrypoint/ldif/mailserver/02-olcdbindex.ldif
new/entrypoint/ldif/mailserver/02-olcdbindex.ldif
--- old/entrypoint/ldif/mailserver/02-olcdbindex.ldif 2020-08-26
17:58:22.000000000 +0200
+++ new/entrypoint/ldif/mailserver/02-olcdbindex.ldif 1970-01-01
01:00:00.000000000 +0100
@@ -1,7 +0,0 @@
-dn: olcDatabase={1}@LDAP_BACKEND@,cn=config
-changetype: modify
-delete: olcdbindex
--
-add: olcdbindex
-olcdbindex: mailacceptinggeneralid eq,sub
-olcdbindex: maildrop eq
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/entrypoint/ldif/mailserver/03-add-olcAccess.ldif
new/entrypoint/ldif/mailserver/03-add-olcAccess.ldif
--- old/entrypoint/ldif/mailserver/03-add-olcAccess.ldif 1970-01-01
01:00:00.000000000 +0100
+++ new/entrypoint/ldif/mailserver/03-add-olcAccess.ldif 2020-10-26
13:40:28.000000000 +0100
@@ -0,0 +1,7 @@
+dn: olcDatabase={1}@LDAP_BACKEND@,cn=config
+changetype: modify
+delete: olcAccess
+-
+add: olcAccess
+olcAccess: to attrs=userPassword by self =xw by anonymous auth by * none
+olcAccess: to dn.subtree="ou=mail,@LDAP_BASE_DN@" by
dn.base="cn=mailAccountReader,ou=Manager,@LDAP_BASE_DN@" read by * none
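Review bot: `delete: olcAccess` followed by `add: olcAccess` replaces the database's entire ACL list, including the rules `security.ldif` installs later in this patch (the root peercred `manage` rule that lets the entrypoint's `ldapadd -Y EXTERNAL` over ldapi write to this database, and `to * by self read by dn="cn=admin,…" write by * none`), and the two new rules end without a catch-all, so every entry outside `ou=mail` falls to slapd's implicit `by * none` and users lose read access to their own entries. Unless `cn=admin` is the database rootDN (not visible here), it also loses write access to `ou=mail`, since that rule grants only the reader. If the intent is just to tighten the password rule and add the reader, append rather than replace, or at least keep the previous tail, e.g. `olcAccess: to dn.subtree="ou=mail,@LDAP_BASE_DN@" by dn.base="cn=mailAccountReader,ou=Manager,@LDAP_BASE_DN@" read by dn="cn=admin,@LDAP_BASE_DN@" write by self read by * none` followed by `olcAccess: to * by self read by dn="cn=admin,@LDAP_BASE_DN@" write by * none`.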
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/entrypoint/ldif/mailserver/03-create-cn=mailAccountReader.ldif
new/entrypoint/ldif/mailserver/03-create-cn=mailAccountReader.ldif
--- old/entrypoint/ldif/mailserver/03-create-cn=mailAccountReader.ldif
2020-08-26 17:58:22.000000000 +0200
+++ new/entrypoint/ldif/mailserver/03-create-cn=mailAccountReader.ldif
1970-01-01 01:00:00.000000000 +0100
@@ -1,10 +0,0 @@
-dn: ou=Manager,@LDAP_BASE_DN@
-objectClass: organizationalUnit
-ou: Manager
-
-dn: cn=mailAccountReader,ou=Manager,@LDAP_BASE_DN@
-cn: mailAccountReader
-objectclass: organizationalRole
-objectclass: simpleSecurityObject
-objectclass: top
-userpassword: @MAIIL_ACCOUNT_READER_PASSWORD@
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/entrypoint/ldif/mailserver/04-add-olcAccess.dif
new/entrypoint/ldif/mailserver/04-add-olcAccess.dif
--- old/entrypoint/ldif/mailserver/04-add-olcAccess.dif 2020-08-26
17:58:22.000000000 +0200
+++ new/entrypoint/ldif/mailserver/04-add-olcAccess.dif 1970-01-01
01:00:00.000000000 +0100
@@ -1,7 +0,0 @@
-dn: olcDatabase={1}@LDAP_BACKEND@,cn=config
-changetype: modify
-delete: olcAccess
--
-add: olcAccess
-olcAccess: to attrs=userPassword by self =xw by anonymous auth by * none
-olcAccess: to dn.subtree="ou=mail,@LDAP_BASE_DN@" by
dn.base="cn=mailAccountReader,ou=Manager,@LDAP_BASE_DN@" read by * none
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/entrypoint/ldif/mailserver/example-user.ldif
new/entrypoint/ldif/mailserver/example-user.ldif
--- old/entrypoint/ldif/mailserver/example-user.ldif 2020-08-26
17:58:22.000000000 +0200
+++ new/entrypoint/ldif/mailserver/example-user.ldif 1970-01-01
01:00:00.000000000 +0100
@@ -1,14 +0,0 @@
-dn: uid=mail000,ou=mail,@LDAP_BASE_DN@
-cn: mail000
-gidnumber: 20000
-homedirectory: /home/mail/mail000
-mailacceptinggeneralid: [email protected]
-mailacceptinggeneralid: [email protected]
-maildrop: [email protected]
-objectclass: account
-objectclass: posixAccount
-objectclass: postfixUser
-objectclass: top
-uid: mail000
-uidnumber: 20000
-userpassword: user
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/entrypoint/ldif/mailserver/postfix.ldif
new/entrypoint/ldif/mailserver/postfix.ldif
--- old/entrypoint/ldif/mailserver/postfix.ldif 2020-08-26 17:58:22.000000000
+0200
+++ new/entrypoint/ldif/mailserver/postfix.ldif 1970-01-01 01:00:00.000000000
+0100
@@ -1,14 +0,0 @@
-#
https://raw.githubusercontent.com/68b32/postfix-ldap-schema/master/postfix.ldif
-dn: cn=postfix,cn=schema,cn=config
-cn: postfix
-objectclass: olcSchemaConfig
-olcattributetypes: {0}(1.3.6.1.4.1.4203.666.1.200 NAME 'mailacceptinggeneral
- id' DESC 'Postfix mail local address alias attribute' EQUALITY caseIgnoreMa
- tch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1
- 024})
-olcattributetypes: {1}(1.3.6.1.4.1.4203.666.1.201 NAME 'maildrop' DESC 'Post
- fix mail final destination attribute' EQUALITY caseIgnoreMatch SUBSTR caseI
- gnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024})
-olcobjectclasses: {0}(1.3.6.1.4.1.4203.666.1.100 NAME 'postfixUser' DESC 'Po
- stfix mail user class' SUP top AUXILIARY MAY(mailacceptinggeneralid $ maild
- rop))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/entrypoint/ldif/security.ldif
new/entrypoint/ldif/security.ldif
--- old/entrypoint/ldif/security.ldif 2020-08-26 17:58:22.000000000 +0200
+++ new/entrypoint/ldif/security.ldif 2020-10-26 13:40:28.000000000 +0100
@@ -4,6 +4,5 @@
-
add: olcAccess
olcAccess: to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by *
break
-olcAccess: to attrs=userPassword,shadowLastChange by self write by
dn="cn=admin,@LDAP_BASE_DN@" write by anonymous auth
-by * none
+olcAccess: to attrs=userPassword,shadowLastChange by self write by
dn="cn=admin,@LDAP_BASE_DN@" write by anonymous auth by * none
olcAccess: to * by self read by dn="cn=admin,@LDAP_BASE_DN@" write by * none
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/entrypoint/ssl-helper new/entrypoint/ssl-helper
--- old/entrypoint/ssl-helper 2020-08-26 17:58:22.000000000 +0200
+++ new/entrypoint/ssl-helper 2020-10-26 13:40:28.000000000 +0100
@@ -7,6 +7,13 @@
CA_CERT_FILE=$3
CA_KEY_FILE=$4
+# Some defaults
+SSL_CA_CSR_COUNTRY=${SSL_CA_CSR_COUNTRY:-"DE"}
+SSL_CA_CSR_STATE=${SSL_CA_CSR_STATE:-"Bavaria"}
+SSL_CA_CSR_ORGANIZATION_UNIT=${SSL_CA_CSR_ORGANIZATION_UNIT:-"Dummy CA"}
+SSL_CA_CSR_CN=${SSL_CA_CSR_CN:-"$(hostname -f)"}
+SSL_ORGANIZATION_UNIT=${SSL_ORGANIZATION_UNIT:-"Server Certificate"}
+
if [ -z "${CERT_FILE}" ] || [ -z "${KEY_FILE}" ] || [ -z "${CA_CERT_FILE}" ]
|| [ -z "${CA_KEY_FILE}" ]; then
echo "Usage: ssl-helper cert_file key_file ca_cert_file ca_key_file" >&2
exit 1
@@ -15,42 +22,58 @@
if [ ! -e "${CA_CERT_FILE}" ]; then
echo "No CA cert file found, generating one"
- DEFAULT_CA_CSR_COUNTRY=${DEFAULT_CA_CSR_COUNTRY:-"DE"}
- DEFAULT_CA_CSR_STATE=${DEFAULT_CA_CSR_STATE:-"Bavaria"}
-
DEFAULT_CA_CSR_ORGANIZATION_UNIT=${DEFAULT_CA_CSR_ORGANIZATION_UNIT:-"OpenLDAP
Dummy CA"}
-
- # RSA: openssl genrsa -out "${DEFAULT_CA_DIR}/rootCA.key" 4096
- # ecdsa 384
if [ ! -e "${CA_KEY_FILE}" ]; then
echo "Generating private CA key..."
+ # RSA: openssl genrsa -out "${CA_KEY_FILE}" 4096
+ # ecdsa 384:
openssl ecparam -genkey -name secp384r1 -noout -out "${CA_KEY_FILE}"
chmod 600 "${CA_KEY_FILE}"
fi
echo "Generating CA certificate..."
- openssl req -x509 -new -nodes -key "${CA_KEY_FILE}" -sha256 -days 1024
-subj
"/C=${DEFAULT_CA_CSR_COUNTRY}/ST=${DEFAULT_CA_CSR_STATE}/O=${DEFAULT_CA_CSR_ORGANIZATION_UNIT}/CN=OpenLDAP"
-out "${CA_CERT_FILE}"
+ openssl req -x509 -new -nodes -key "${CA_KEY_FILE}" -sha256 -days 1024 \
+ -subj
"/C=${SSL_CA_CSR_COUNTRY}/ST=${SSL_CA_CSR_STATE}/O=${SSL_CA_CSR_ORGANIZATION_UNIT}/CN=${SSL_CA_CSR_CN}"
\
+ -out "${CA_CERT_FILE}"
fi
if [ ! -e "${CERT_FILE}" ] && [ ! -e "${KEY_FILE}" ]; then
+ function buildExtCnf() {
+ cat << EOF > "${WORKDIR}/v3.ext"
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = localhost
+EOF
+
+ if [ -n "${HOSTNAME}" ]; then
+ echo "DNS.2 = ${HOSTNAME}" >> "${WORKDIR}/v3.ext"
+ else
+ echo "DNS.2 = $(hostname -f)" >> "${WORKDIR}/v3.ext"
+ echo "DNS.3 = $(hostname)" >> "${WORKDIR}/v3.ext"
+ fi
+ }
+
echo "No certificate file and certificate key provided, generate:"
echo "${CERT_FILE} and ${KEY_FILE}"
WORKDIR="$(mktemp -d)"
- if [ -z "%${HOSTNAME}" ]; then
- HOSTNAME=$(hostname -f)
- fi
+
+ buildExtCnf
echo "Generating certificate key..."
openssl genrsa -out "${KEY_FILE}" 2048
echo "Generating sign request..."
openssl req -new -sha256 -key "${KEY_FILE}" \
- -subj "/O=OpenLDAP Dummy CA/CN=${HOSTNAME}" \
- -out "${WORKDIR}/openldap.csr"
+ -subj "/O=${SSL_ORGANIZATION_UNIT}/CN=${HOSTNAME}" \
+ -out "${WORKDIR}/cert.csr"
echo "Generating certificate..."
- openssl x509 -req -in "${WORKDIR}/openldap.csr" -CA "${CA_CERT_FILE}" \
+ openssl x509 -req -in "${WORKDIR}/cert.csr" -CA "${CA_CERT_FILE}" \
-CAkey "${CA_KEY_FILE}" -CAcreateserial -days 365 -sha256 \
+ -extfile "${WORKDIR}/v3.ext" \
-out "${CERT_FILE}"
rm -rf "${WORKDIR}"
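Review bot: The CSR subject `-subj "/O=${SSL_ORGANIZATION_UNIT}/CN=${HOSTNAME}"` now depends on `HOSTNAME` being set, because the old fallback (already inert due to the stray `%` in `[ -z "%${HOSTNAME}" ]`) was removed while `buildExtCnf` still handles the unset case; under bash `HOSTNAME` is the kernel host name (in a container usually the container ID unless `--hostname` is given), so the CN no longer matches the FQDN the CA CN defaults to, and an unset value yields an invalid empty CN. Reinstate `HOSTNAME=${HOSTNAME:-$(hostname -f)}` before `buildExtCnf`, and drop the now-unused `DEFAULT_CA_CSR_ORGANIZATION_UNIT` assignment, since the CA subject uses `SSL_CA_CSR_ORGANIZATION_UNIT`. The extension file could also carry `extendedKeyUsage = serverAuth`, which stricter validators expect on a leaf certificate presented by a TLS server. The surrounding `if` block starts before this hunk.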