[bitnami/openldap] feat: pldap and pldaps support (#70999)

* [bitnami/openldap] refactor: use associative array to define startup flags

- Reduce dupes
- Allow advanced logic for each flag arguments

Signed-off-by: Arano-kai <Arano-kai@users.noreply.github.com>

* [bitnami/openldap] feat: pldap and pldaps support

Support for 'proxied LDAP' and 'proxied LDAP over SSL'.
Read 'https://www.openldap.org/doc/admin26/runningslapd.html#Command-Line%20Options' for additional info.

Signed-off-by: Arano-kai <Arano-kai@users.noreply.github.com>

* [bitnami/openldap] Launch cmd awareness

When the debugging is on, show what will actually run

Signed-off-by: Arano-kai <Arano-kai@users.noreply.github.com>

* [bitnami/openldap] Validate port related values

Assert that port related values are positive int

Signed-off-by: Arano-kai <Arano-kai@users.noreply.github.com>

---------

Signed-off-by: Arano-kai <Arano-kai@users.noreply.github.com>

bitnami/openldap/2.5/debian-12/rootfs/opt/bitnami/scripts/libopenldap.sh

@@ -52,6 +52,9 @@ export LDAP_DAEMON_GROUP="slapd"
 # Settings
 export LDAP_PORT_NUMBER="${LDAP_PORT_NUMBER:-1389}"
 export LDAP_LDAPS_PORT_NUMBER="${LDAP_LDAPS_PORT_NUMBER:-1636}"
+export LDAP_ENABLE_PROXYPROTO="${LDAP_ENABLE_PROXYPROTO:-no}"
+export LDAP_PROXYPROTO_PORT_NUMBER="${LDAP_PROXYPROTO_PORT_NUMBER:-"${LDAP_PORT_NUMBER}"}"
+export LDAP_PROXYPROTO_LDAPS_PORT_NUMBER="${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER:-"${LDAP_LDAPS_PORT_NUMBER}"}"
 export LDAP_ROOT="${LDAP_ROOT:-dc=example,dc=org}"
 export LDAP_SUFFIX="$(if [ -z "${LDAP_SUFFIX+x}" ]; then echo "${LDAP_ROOT}"; else echo "${LDAP_SUFFIX}"; fi)"
 export LDAP_ADMIN_USERNAME="${LDAP_ADMIN_USERNAME:-admin}"
@@ -136,7 +139,7 @@ ldap_validate() {
         error "$1"
         error_code=1
     }
-    for var in LDAP_SKIP_DEFAULT_TREE LDAP_ENABLE_TLS; do
+    for var in LDAP_SKIP_DEFAULT_TREE LDAP_ENABLE_TLS LDAP_ENABLE_PROXYPROTO; do
         if ! is_yes_no_value "${!var}"; then
             print_validation_error "The allowed values for $var are: yes or no"
         fi
@@ -166,12 +169,24 @@ ldap_validate() {
         print_validation_error "Specify the same number of passwords on LDAP_PASSWORDS as the number of users on LDAP_USERS!"
     fi
 
+    for var in LDAP_PORT_NUMBER LDAP_LDAPS_PORT_NUMBER LDAP_PROXYPROTO_PORT_NUMBER LDAP_PROXYPROTO_LDAPS_PORT_NUMBER; do
+        if ! is_positive_int "${!var}"; then
+            print_validation_error "The value for $var must be positive integer!"
+        fi
+    done
+
     if [[ -n "$LDAP_PORT_NUMBER" ]] && [[ -n "$LDAP_LDAPS_PORT_NUMBER" ]]; then
         if [[ "$LDAP_PORT_NUMBER" -eq "$LDAP_LDAPS_PORT_NUMBER" ]]; then
             print_validation_error "LDAP_PORT_NUMBER and LDAP_LDAPS_PORT_NUMBER are bound to the same port!"
         fi
     fi
 
+    if [[ -n "$LDAP_PROXYPROTO_PORT_NUMBER" ]] && [[ -n "$LDAP_PROXYPROTO_LDAPS_PORT_NUMBER" ]]; then
+        if [[ "$LDAP_PROXYPROTO_PORT_NUMBER" -eq "$LDAP_PROXYPROTO_LDAPS_PORT_NUMBER" ]]; then
+            print_validation_error "LDAP_PROXYPROTO_PORT_NUMBER and LDAP_PROXYPROTO_LDAPS_PORT_NUMBER are bound to the same port!"
+        fi
+    fi
+
     [[ "$error_code" -eq 0 ]] || exit "$error_code"
 }
 

bitnami/openldap/2.5/debian-12/rootfs/opt/bitnami/scripts/openldap/run.sh

@@ -21,14 +21,60 @@ command="$(command -v slapd)"
 # https://github.com/docker/docker/issues/8231
 ulimit -n "$LDAP_ULIMIT_NOFILES"
 
-flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldapi:///")
+declare -a flags
+declare -A flags_map
+
+# Drop privileges if we start as root
+am_i_root && flags_map["-u"]="${LDAP_DAEMON_USER}"
+
+# Set config dir
+flags_map["-F"]="${LDAP_CONF_DIR}/slapd.d"
+
+# Enable debug with desired level
+flags_map["-d"]="${LDAP_LOGLEVEL}"
+
+# The LDAP IPC is always on
+flags_map["-h"]+="${flags_map["-h"]:+" "}ldapi:///"
+
+# Add LDAP URI
+# Since 'proxied LDAP' default port number is same as 'LDAP',
+# enable LDAP URI when one of the following conditions are met:
+# * proxy protocol capability is disabled
+# * proxy protocol capability is enabled and proxy protocol port differ
+if ! is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}" \
+    || [[ "${LDAP_PORT_NUMBER}" -ne "${LDAP_PROXYPROTO_PORT_NUMBER}" ]]
+then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}ldap://:${LDAP_PORT_NUMBER}/"
+fi
 
 # Add LDAPS URI when TLS is enabled
-is_boolean_yes "$LDAP_ENABLE_TLS" && flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldaps://:${LDAP_LDAPS_PORT_NUMBER}/ ldapi:///")
+# Since 'proxied LDAP over SSL' default port number is same as 'LDAP over SSL',
+# enable LDAPS URI when one of the following conditions are met:
+# * proxy protocol capability is disabled
+# * proxy protocol capability is enabled and proxy protocol tls port differ
+if is_boolean_yes "${LDAP_ENABLE_TLS}" \
+  && { ! is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}" \
+    || [[ "${LDAP_LDAPS_PORT_NUMBER}" -ne "${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER}" ]]; }
+then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}ldaps://:${LDAP_LDAPS_PORT_NUMBER}/"
+fi
+
+# Add PLDAP URI when proxy protocol capability is enabled
+if is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}"; then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}pldap://:${LDAP_PROXYPROTO_PORT_NUMBER}/"
+  # Also add PLDAPS URI when TLS is enabled
+  is_boolean_yes "${LDAP_ENABLE_TLS}" \
+    && flags_map["-h"]+="${flags_map["-h"]:+" "}pldaps://:${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER}/"
+fi
+
+# Build flags list
+for flag in "${!flags_map[@]}"; do
+  flags+=("${flag}" "${flags_map[${flag}]}")
+done
 
 # Add "@" so users can add extra command line flags
-flags+=("-F" "${LDAP_CONF_DIR}/slapd.d" "-d" "$LDAP_LOGLEVEL" "$@")
+flags+=("$@")
 
 info "** Starting slapd **"
-am_i_root && flags=("-u" "$LDAP_DAEMON_USER" "${flags[@]}")
+debug "Startup cmd: ${command}" "${flags[*]}"
 exec "${command}" "${flags[@]}"