
Re: Environment variable in slapd config



Marc Roos wrote:
>  
> Cool thanks! I am more of a fan of CentOS because then I can fall back on
> Red Hat support, especially for production environments. I am not sure
> your script is tackling the issue described here, but looking at it, I
> think you can also add --no-cache. You should beware of ENV
> LDAP_ROOTPASS that stays when the task is launched (at least on mesos),
> better work with the hashes. Furthermore I try to run as few tasks as
> possible under root so I am binding to a high port ;) I also need to be
> able to use slapadd otherwise syncing will take too long.
> 
> So at the moment mine looks like this ;)
> 
> 
> # Version: 0.0.1 - openldap
> FROM centos:7
> 
> ENV SLAPD_USER="ldap" \
>     SLAPD_UID=10061 \
>     SLAPD_CFG_DIR="/etc/openldap/" \
>     SLAPD_DATA_DIR="/var/lib/ldap" \
>     SLAPD_KEY_DIR="/etc/pki/tls/private" \
>     SLAPD_CRT_DIR="/etc/pki/tls/certs" \
>     SLAPD_OPTS="-d 0 -4 -u ldap" \
>     SLAPD_URLS="ldap://0.0.0.0:8443/"
> 
> # create user/group
> RUN groupadd $SLAPD_USER -g $SLAPD_UID \
>     && useradd $SLAPD_USER -u $SLAPD_UID -g $SLAPD_UID --system \
>        --comment "Openldap server" --home-dir $SLAPD_DATA_DIR
> 
> # install xxxx-ca
> COPY ca-xxxx.crt /etc/pki/ca-trust/source/anchors/ca-xxxx.crt
> RUN update-ca-trust
> 
> # install necessary packages
> RUN yum install openldap-clients openldap-servers -y \
>     && yum clean all 
> 
> # copy configuration files
> COPY ca-xxxx.crt $SLAPD_CFG_DIR/cacerts/
> COPY ldap.local.key $SLAPD_KEY_DIR
> COPY ldap.local.crt $SLAPD_CRT_DIR
> ADD http://192.168.10.2/cobbler/tools/noarch/change-db.ldif $SLAPD_CFG_DIR/change-db.ldif
> ADD http://192.168.10.2/cobbler/tools/noarch/centos7/change-config.ldif $SLAPD_CFG_DIR/change-config.ldif
> ADD http://192.168.10.2/cobbler/tools/noarch/change-config-sendmail.ldif $SLAPD_CFG_DIR/change-config-sendmail.ldif
> ADD http://192.168.10.2/cobbler/tools/noarch/change-frontend.ldif $SLAPD_CFG_DIR/change-frontend.ldif
> ADD http://192.168.10.2/cobbler/tools/noarch/idnsZone.ldif $SLAPD_CFG_DIR/schema/idnsZone.ldif
> ADD http://192.168.10.2/cobbler/tools/noarch/sendmail.ldif $SLAPD_CFG_DIR/schema/sendmail.ldif
> ADD http://192.168.10.2/cobbler/tools/noarch/samba.ldif $SLAPD_CFG_DIR/schema/samba.ldif
> ADD http://192.168.10.2/cobbler/tools/noarch/apache.ldif $SLAPD_CFG_DIR/schema/apache.ldif
> ADD http://192.168.10.2/cobbler/tools/noarch/quota.ldif $SLAPD_CFG_DIR/schema/quota.ldif
> ADD http://192.168.10.2/cobbler/tools/noarch/xxxx.ldif $SLAPD_CFG_DIR/schema/xxxx.ldif
> ADD http://192.168.10.2/cobbler/tools/noarch/DB_CONFIG $SLAPD_DATA_DIR/DB_CONFIG
> COPY ldap-test.db.gz /tmp/ldap.db.gz
> 
> # change defaults in configs
> RUN sed -i "s#^olcTLSCertificateFile:.*#olcTLSCertificateFile: $SLAPD_CRT_DIR/ldap.local.crt#g" $SLAPD_CFG_DIR/change-config.ldif \
>     && sed -i "s#^olcTLSCertificateKeyFile:.*#olcTLSCertificateKeyFile: $SLAPD_KEY_DIR/ldap.local.key#g" $SLAPD_CFG_DIR/change-config.ldif \
>     && sed -i "s#^olcRootPW:.*#olcRootPW: {SSHA}xxx#g" $SLAPD_CFG_DIR/change-config.ldif

You're just replacing one constant with another here, why not just set it
correctly once, in the source file?

Why use a rootpw at all?

> RUN sed -i "s#rid=326#rid=999#g" $SLAPD_CFG_DIR/change-db.ldif \
>     && sed -i 's/cn=app,ou=Hosts,dc=xxxx,dc=xxxx,dc=local/cn=mesosldap,ou=Hosts,dc=xxxx,dc=xxxx,dc=local/g' $SLAPD_CFG_DIR/change-db.ldif \
>     && sed -i "s#tls_cert=\"/etc/pki/tls/certs/app1.local.pem\"#tls_cert=\"$SLAPD_CRT_DIR/ldap.local.crt\"#g" $SLAPD_CFG_DIR/change-db.ldif \
>     && sed -i "s#tls_key=\"/etc/pki/tls/certs/app1.local.pem\"#tls_key=\"$SLAPD_KEY_DIR/ldap.local.key\"#g" $SLAPD_CFG_DIR/change-db.ldif \
>     && sed -i "s/credentials=\"xxxx\"/credentials=\"xxxx\"/g" $SLAPD_CFG_DIR/change-db.ldif

Again, why not just set this once, in the source file?
> 
> # change permissions
> RUN chgrp $SLAPD_USER $SLAPD_KEY_DIR/ldap.local.key $SLAPD_CRT_DIR/ldap.local.crt \
>     && chmod u=r,g=r,o= $SLAPD_KEY_DIR/ldap.local.key \
>     && chmod a+r $SLAPD_DATA_DIR/DB_CONFIG \
>     && chmod +t,o+w /var/run/
> RUN [ -f "/tmp/ldap.db.gz" ] && chown $SLAPD_USER /tmp/ldap.db.gz || echo "not-chown-db"
> 
Why aren't you using slapadd to initialize the config?

> RUN slapd -u ldap -4 -h ldapi:/// \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/cosine.ldif \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/inetorgperson.ldif \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/nis.ldif \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/misc.ldif \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/sendmail.ldif \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/idnsZone.ldif \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/apache.ldif \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/samba.ldif \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/xxxx.ldif \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/schema/quota.ldif \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-frontend.ldif \
>     && rm -f $SLAPD_CFG_DIR/change-frontend.ldif \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-db.ldif \
>     && rm -f $SLAPD_CFG_DIR/change-db.ldif \
>     && ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-config-sendmail.ldif \
>     && ldapadd -Q -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-config.ldif \
>     && rm -f $SLAPD_CFG_DIR/change-config.ldif \
>     && kill -HUP $(cat /var/run/openldap/slapd.pid) \
>     && sync \
>     && chown $SLAPD_USER /var/run/ldapi
> 
> #ADD db.tgz /var/lib/ldap/
> RUN [ -f "/tmp/ldap.db.gz" ] \
>     && runuser -l ldap -c 'gunzip -c /tmp/ldap.db.gz | slapadd -c 2> /tmp/import-errors' \
>     && cd /var/lib/ldap && db_checkpoint -1 -h /var/lib/ldap && db_archive -d \
>     && rm -f /tmp/ldap.db.gz || echo "not importing ldap.db"
> 
> 
> COPY entrypoint.sh /sbin/
> 
> CMD ["/sbin/entrypoint.sh"]
> 
> 
> 
> 
> -----Original Message-----
> From: Neal Lawson [mailto:ogg@sr375.com] 
> Sent: vrijdag 16 augustus 2019 15:41
> To: Howard Chu
> Cc: Marc Roos; michael; openldap-technical@openldap.org
> Subject: Re: Environment variable in slapd config
> 
> I have been working on a docker image with a script that likely does 
> almost what you want with some mods, you’re welcome to steal it and 
> make your own modifications. 
> https://github.com/DoctorOgg/docker-openldap
> 
> 
> 
> 	On Aug 16, 2019, at 6:36 AM, Howard Chu <hyc@symas.com> wrote:
> 
> 	Marc Roos wrote:
> 
> 		Indeed. Ansible is just a tool you should use for the fitting job.
> 		Afaik I only have to set a few variables and I do not have in the
> 		hundreds of services. But I would not mind looking at your Dockerfile
> 		to see how you prepare the image.
> 
> 		The ceph mailing list is 'full' of people using ansible, and then
> 		whining on what to do, and how to fix things when something does not
> 		work. Because they do not know how and where things are configured.
> 		All these 'easy' tools are like these higher level programming
> 		languages. They just lower the threshold for the 'bunglers' to enter
> 		an area of expertise, they were not able to enter before.
> 
> 		-----Original Message-----
> 		Subject: Re: Environment variable in slapd config
> 
> 		Probably the original poster wanted to set several env vars and use
> 		them as distinct RID values for multiple syncrepl directives. This is
> 		a common pattern for poor man's config management.
> 
> 		Ciao, Michael.
> 
> 	For this use case the simplest approach is to start with a template
> 	file that uses shell variables and just let the shell do the
> 	substitution for you. This is exactly what the OpenLDAP test suite does
> 	for its own config files.
> 
> 	If you need to get fancier use sed or awk. These are basic Unix admin
> 	questions and have nothing to do with OpenLDAP.



-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
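The template-plus-shell-substitution approach Howard describes above, applied to Michael's case of one env var per syncrepl RID, as an added example that is not code from this thread or from the OpenLDAP test suite. The variable names RID_n, PROVIDER_n, SUFFIX, TLS_CERT and TLS_KEY, and the sample hosts, are assumptions made for the illustration; the renderer rejects malformed placeholders, unset variables, out-of-range and duplicate RIDs instead of writing a half-empty config.

```shell
# Added example, not code from the thread: render olcSyncrepl values from a
# template whose ${NAME} placeholders the shell fills from the environment.
# RID_n, PROVIDER_n, SUFFIX, TLS_CERT/TLS_KEY and the hosts are constructed.
ob='${' cb='}'
# Expand every ${NAME} in one line. Only a validated variable name reaches
# eval, so template text cannot run commands; an unset variable is an error.
render_line() {
    line=$1 out=
    while :; do
        case $line in *"$ob"*"$cb"*) ;; *) break ;; esac
        out=$out${line%%"$ob"*}
        line=${line#*"$ob"}
        name=${line%%"$cb"*}
        line=${line#*"$cb"}
        case $name in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "bad placeholder: $name" >&2; return 1 ;;
        esac
        eval "isset=\${$name+x}"
        [ "$isset" = x ] || { echo "unset variable: $name" >&2; return 1; }
        eval "out=\$out\${$name}"
    done
    printf '%s\n' "$out$line"
}
# slapd takes rid values 0..999 and they must be unique on a consumer.
valid_rid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 999 ]
}
# One directive per PROVIDER_n/RID_n pair. SASL EXTERNAL over TLS means no
# bind password has to live in the image or its environment.
TEMPLATE='olcSyncrepl: rid=${RID} provider=${PROVIDER} searchbase="${SUFFIX}" bindmethod=sasl saslmech=EXTERNAL tls_cert=${TLS_CERT} tls_key=${TLS_KEY} tls_reqcert=demand type=refreshAndPersist retry="60 +"'
render_syncrepl() {
    n=1 seen=
    while eval "[ -n \"\${PROVIDER_$n+x}\" ]"; do
        eval "RID=\${RID_$n} PROVIDER=\${PROVIDER_$n}"
        valid_rid "$RID" || { echo "bad rid for provider $n: $RID" >&2; return 1; }
        case " $seen " in *" $RID "*) echo "duplicate rid $RID" >&2; return 1 ;; esac
        seen="$seen $RID"
        render_line "$TEMPLATE" || return 1
        n=$((n + 1))
    done
}

# Constructed sample environment; a real entrypoint would export these.
SUFFIX='dc=example,dc=local'
TLS_CERT=/etc/pki/tls/certs/ldap.local.crt TLS_KEY=/etc/pki/tls/private/ldap.local.key
PROVIDER_1=ldap://provider1.example.local RID_1=1
PROVIDER_2=ldap://provider2.example.local RID_2=2
render_syncrepl
```

Pipe the output into an LDIF that adds the values to the database entry under cn=config, or into a slapd.conf template with `syncrepl` in place of `olcSyncrepl:`; because only a variable name ever reaches eval, the template file itself can be kept with the rest of the image without becoming an injection point.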