Merge branch 'release-1.1.10' into stable

Author: BertrandGouny

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 1.1.10
+Fix:
+  - Readme #145 #148
+  - Let ldapmodify and ldapadd use the same auth #146
+  - Enable matching uid's and gid's in the host and container. #156
+
+Update to light-baseimage:1.1.1
+
 ## 1.1.9
 Add :
   - LDAP_RFC2307BIS_SCHEMA option to use rfc2307bis schema instead of nis default schema

Makefile

@@ -1,5 +1,5 @@
 NAME = osixia/openldap
-VERSION = 1.1.9
+VERSION = 1.1.10
 
 .PHONY: build build-nocache test tag-latest push push-latest release git-tag-version
 

README.md

@@ -4,12 +4,15 @@
 ![Docker Stars](https://img.shields.io/docker/stars/osixia/openldap.svg)
 ![](https://images.microbadger.com/badges/image/osixia/openldap.svg)
 
-Latest release: 1.1.9 - OpenLDAP 2.4.44 -  [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/) 
+Latest release: 1.1.10 - OpenLDAP 2.4.44 -  [Changelog](CHANGELOG.md) | [Docker Hub](https://hub.docker.com/r/osixia/openldap/) 
+
+/!\ Security warning: Databases created with image version up to 1.1.10 creates two admin users with the same password, if you changed admin password after bootstrap you may be concerned by [issue #161](https://github.com/osixia/docker-openldap/issues/161).
 
 **A docker image to run OpenLDAP.**
 
 > OpenLDAP website : [www.openldap.org](http://www.openldap.org/)
 
+
 - [Contributing](#contributing)
 - [Quick Start](#quick-start)
 - [Beginner Guide](#beginner-guide)
@@ -34,7 +37,7 @@ Latest release: 1.1.9 - OpenLDAP 2.4.44 -  [Changelog](CHANGELOG.md) | [Docker H
 		- [Link environment file](#link-environment-file)
 		- [Make your own image or extend this image](#make-your-own-image-or-extend-this-image)
 - [Advanced User Guide](#advanced-user-guide)
-	- [Extend osixia/openldap:1.1.9 image](#extend-osixiaopenldap119-image)
+	- [Extend osixia/openldap:1.1.10 image](#extend-osixiaopenldap1110-image)
 	- [Make your own openldap image](#make-your-own-openldap-image)
 	- [Tests](#tests)
 	- [Kubernetes](#kubernetes)
@@ -52,7 +55,7 @@ If you find this image useful here's how you can help:
 ## Quick Start
 Run OpenLDAP docker image:
 
-	docker run --name my-openldap-container --detach osixia/openldap:1.1.9
+	docker run --name my-openldap-container --detach osixia/openldap:1.1.10
 
 This start a new container with OpenLDAP running inside. Let's make the first search in our LDAP container:
 
@@ -88,13 +91,24 @@ It will create an empty ldap for the company **Example Inc.** and the domain **e
 By default the admin has the password **admin**. All those default settings can be changed at the docker command line, for example:
 
 	docker run --env LDAP_ORGANISATION="My Company" --env LDAP_DOMAIN="my-company.com" \
-	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.1.9
+	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.1.10
 
 #### Data persistence
 
 The directories `/var/lib/ldap` (LDAP database files) and `/etc/ldap/slapd.d`  (LDAP config files) are used to persist the schema and data information, and should be mapped as volumes, so your ldap files are saved outside the container (see [Use an existing ldap database](#use-an-existing-ldap-database)). However it can be useful to not use volumes,
 in case the image should be delivered complete with test data - this is especially useful when deriving other images from this one.
 
+The default uid and gid used by the image may map to surprising
+counterparts in the host. If you need to match uid and gid in the
+container and in the host, you can use build parameters
+`LDAP_OPENLDAP_UID` and `LDAP_OPENLDAP_GID` to set uid and gid
+explicitly:
+
+	docker build --build-arg LDAP_OPENLDAP_GID=1234 --build-arg LDAP_OPENLDAP_UID=2345 -t my_ldap_image .
+	docker run --name my_ldap_container -d my_ldap_image
+	# this should output uid=2345(openldap) gid=1234(openldap) groups=1234(openldap)
+	docker exec my_ldap_container id openldap
+
 For more information about docker data volume, please refer to:
 
 > [https://docs.docker.com/engine/tutorials/dockervolumes/](https://docs.docker.com/engine/tutorials/dockervolumes/)
@@ -122,12 +136,12 @@ argument to entrypoint if you don't want to overwrite them.
 		# single file example:
 		docker run \
       --volume ./bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif \
-      osixia/openldap:1.1.9 --copy-service
+      osixia/openldap:1.1.10 --copy-service
 
 		#directory example:
 		docker run \
 	     --volume ./lidf:/container/service/slapd/assets/config/bootstrap/ldif/custom \
-	     osixia/openldap:1.1.9 --copy-service
+	     osixia/openldap:1.1.10 --copy-service
 
 ### Use an existing ldap database
 
@@ -138,7 +152,7 @@ simply mount this directories as a volume to `/var/lib/ldap` and `/etc/ldap/slap
 
 	docker run --volume /data/slapd/database:/var/lib/ldap \
 	--volume /data/slapd/config:/etc/ldap/slapd.d \
-	--detach osixia/openldap:1.1.9
+	--detach osixia/openldap:1.1.10
 
 You can also use data volume containers. Please refer to:
 > [https://docs.docker.com/engine/tutorials/dockervolumes/](https://docs.docker.com/engine/tutorials/dockervolumes/)
@@ -158,7 +172,7 @@ If you are looking for a simple solution to administrate your ldap server you ca
 #### Use auto-generated certificate
 By default, TLS is already configured and enabled, certificate is created using container hostname (it can be set by docker run --hostname option eg: ldap.example.org).
 
-	docker run --hostname ldap.my-company.com --detach osixia/openldap:1.1.9
+	docker run --hostname ldap.my-company.com --detach osixia/openldap:1.1.10
 
 #### Use your own certificate
 
@@ -168,24 +182,24 @@ You can set your custom certificate at run time, by mounting a directory contain
 	--env LDAP_TLS_CRT_FILENAME=my-ldap.crt \
 	--env LDAP_TLS_KEY_FILENAME=my-ldap.key \
 	--env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \
-	--detach osixia/openldap:1.1.9
+	--detach osixia/openldap:1.1.10
 
 Other solutions are available please refer to the [Advanced User Guide](#advanced-user-guide)
 
 #### Disable TLS
 Add --env LDAP_TLS=false to the run command:
 
-	docker run --env LDAP_TLS=false --detach osixia/openldap:1.1.9
+	docker run --env LDAP_TLS=false --detach osixia/openldap:1.1.10
 
 ### Multi master replication
 Quick example, with the default config.
 
 	#Create the first ldap server, save the container id in LDAP_CID and get its IP:
-	LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.1.9)
+	LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.1.10)
 	LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID)
 
 	#Create the second ldap server, save the container id in LDAP2_CID and get its IP:
-	LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.1.9)
+	LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.1.10)
 	LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID)
 
 	#Add the pair "ip hostname" to /etc/hosts on each containers,
@@ -221,7 +235,7 @@ You may have some problems with mounted files on some systems. The startup scrip
 
 To fix that run the container with `--copy-service` argument :
 
-		docker run [your options] osixia/openldap:1.1.9 --copy-service
+		docker run [your options] osixia/openldap:1.1.10 --copy-service
 
 ### Debug
 
@@ -230,11 +244,11 @@ Available levels are: `none`, `error`, `warning`, `info`, `debug` and `trace`.
 
 Example command to run the container in `debug` mode:
 
-	docker run --detach osixia/openldap:1.1.9 --loglevel debug
+	docker run --detach osixia/openldap:1.1.10 --loglevel debug
 
 See all command line options:
 
-	docker run osixia/openldap:1.1.9 --help
+	docker run osixia/openldap:1.1.10 --help
 
 
 ## Environment Variables
@@ -299,7 +313,7 @@ Replication options:
 
 	If you want to set this variable at docker run command add the tag `#PYTHON2BASH:` and convert the yaml in python:
 
-		docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.1.9
+		docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.1.10
 
 	To convert yaml to python online: http://yaml-online-parser.appspot.com/
 
@@ -319,7 +333,7 @@ Other environment variables:
 Environment variables can be set by adding the --env argument in the command line, for example:
 
 	docker run --env LDAP_ORGANISATION="My company" --env LDAP_DOMAIN="my-company.com" \
-	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.1.9
+	--env LDAP_ADMIN_PASSWORD="JonSn0w" --detach osixia/openldap:1.1.10
 
 Be aware that environment variable added in command line will be available at any time
 in the container. In this example if someone manage to open a terminal in this container
@@ -330,28 +344,28 @@ he will be able to read the admin password in clear text from environment variab
 For example if your environment files **my-env.yaml** and **my-env.startup.yaml** are in /data/ldap/environment
 
 	docker run --volume /data/ldap/environment:/container/environment/01-custom \
-	--detach osixia/openldap:1.1.9
+	--detach osixia/openldap:1.1.10
 
 Take care to link your environment files folder to `/container/environment/XX-somedir` (with XX < 99 so they will be processed before default environment files) and not  directly to `/container/environment` because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE).
 
 Note: the container will try to delete the **\*.startup.yaml** file after the end of startup files so the file will also be deleted on the docker host. To prevent that : use --volume /data/ldap/environment:/container/environment/01-custom**:ro** or set all variables in **\*.yaml** file and don't use **\*.startup.yaml**:
 
 	docker run --volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \
-	--detach osixia/openldap:1.1.9
+	--detach osixia/openldap:1.1.10
 
 #### Make your own image or extend this image
 
 This is the best solution if you have a private registry. Please refer to the [Advanced User Guide](#advanced-user-guide) just below.
 
 ## Advanced User Guide
 
-### Extend osixia/openldap:1.1.9 image
+### Extend osixia/openldap:1.1.10 image
 
 If you need to add your custom TLS certificate, bootstrap config or environment files the easiest way is to extends this image.
 
 Dockerfile example:
 
-	FROM osixia/openldap:1.1.9
+	FROM osixia/openldap:1.1.10
 	MAINTAINER Your Name <[email protected]>
 
 	ADD bootstrap /container/service/slapd/assets/config/bootstrap

example/docker-compose.yml

@@ -1,7 +1,7 @@
 version: '2'
 services:
   openldap:
-    image: osixia/openldap:1.1.9
+    image: osixia/openldap:1.1.10
     container_name: openldap
     environment:
       LDAP_LOG_LEVEL: "256"

example/extend-osixia-openldap/Dockerfile

@@ -1,4 +1,4 @@
-FROM osixia/openldap:1.1.9
+FROM osixia/openldap:1.1.10
 MAINTAINER Your Name <[email protected]>
 
 ADD bootstrap /container/service/slapd/assets/config/bootstrap

example/kubernetes/simple/ldap-deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
       containers:
         - name: ldap
-          image: osixia/openldap:1.1.9
+          image: osixia/openldap:1.1.10
           volumeMounts:
             - name: ldap-data
               mountPath: /var/lib/ldap

example/kubernetes/using-secrets/ldap-deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
       containers:
         - name: ldap
-          image: osixia/openldap:1.1.9
+          image: osixia/openldap:1.1.10
           args: ["--copy-service"]
           volumeMounts:
             - name: ldap-data

image/Dockerfile

@@ -1,10 +1,15 @@
 # Use osixia/light-baseimage
 # sources: https://github.com/osixia/docker-light-baseimage
-FROM osixia/light-baseimage:1.1.0
+FROM osixia/light-baseimage:1.1.1
 MAINTAINER Bertrand Gouny <[email protected]>
 
+ARG LDAP_OPENLDAP_GID
+ARG LDAP_OPENLDAP_UID
+
 # Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
-RUN groupadd -r openldap && useradd -r -g openldap openldap
+# If explicit uid or gid is given, use it.
+RUN if [ -z "${LDAP_OPENLDAP_GID}" ]; then groupadd -r openldap; else groupadd -r -g ${LDAP_OPENLDAP_GID} openldap; fi \
+    && if [ -z "${LDAP_OPENLDAP_UID}" ]; then useradd -r -g openldap openldap; else useradd -r -g openldap -u ${LDAP_OPENLDAP_UID} openldap; fi
 
 # Install OpenLDAP, ldap-utils and ssl-tools from baseimage and clean apt-get files
 # sources: https://github.com/osixia/docker-light-baseimage/blob/stable/image/tool/add-service-available

image/service/slapd/assets/config/replication/replication-enable.ldif

@@ -41,3 +41,6 @@ add: olcSyncRepl
 -
 add: olcMirrorMode
 olcMirrorMode: TRUE
+-
+add: olcLimits
+olcLimits: dn.exact="cn=admin,$LDAP_BASE_DN" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

image/service/slapd/startup.sh

@@ -69,7 +69,7 @@ if [ ! -e "$FIRST_START_DONE" ]; then
     if grep -iq changetype $LDIF_FILE ; then
         ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 | log-helper debug || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f $LDIF_FILE 2>&1 | log-helper debug
     else
-        ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE |& log-helper debug
+        ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE |& log-helper debug || ldapadd -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f $LDIF_FILE 2>&1 | log-helper debug
     fi
   }