[bitnami/openldap:2.6] Additional env vars (#44732)

2026-03-16 14:57:44 +08:00 · 2023-08-18 09:01:43 +02:00
parent a0edfc73a0
commit 251243713c
2 changed files with 137 additions and 5 deletions
--- a/bitnami/openldap/2.6/debian-11/rootfs/opt/bitnami/scripts/libopenldap.sh
+++ b/bitnami/openldap/2.6/debian-11/rootfs/opt/bitnami/scripts/libopenldap.sh
@@ -67,9 +67,14 @@ export LDAP_PASSWORDS="${LDAP_PASSWORDS:-bitnami1,bitnami2}"
 export LDAP_USER_DC="${LDAP_USER_DC:-users}"
 export LDAP_GROUP="${LDAP_GROUP:-readers}"
 export LDAP_ENABLE_TLS="${LDAP_ENABLE_TLS:-no}"
+export LDAP_REQUIRE_TLS="${LDAP_REQUIRE_TLS:-no}"
 export LDAP_ULIMIT_NOFILES="${LDAP_ULIMIT_NOFILES:-1024}"
 export LDAP_ALLOW_ANON_BINDING="${LDAP_ALLOW_ANON_BINDING:-yes}"
 export LDAP_LOGLEVEL="${LDAP_LOGLEVEL:-256}"
+export LDAP_PASSWORD_HASH="${LDAP_PASSWORD_HASH:-{SSHA}}"
+export LDAP_CONFIGURE_PPOLICY="${LDAP_CONFIGURE_PPOLICY:-no}"
+export LDAP_PPOLICY_USE_LOCKOUT="${LDAP_PPOLICY_USE_LOCKOUT:-no}"
+export LDAP_PPOLICY_HASH_CLEARTEXT="${LDAP_PPOLICY_HASH_CLEARTEXT:-no}"

 # By setting an environment variable matching *_FILE to a file path, the prefixed environment
 # variable will be overridden with the value specified in that file
@@ -402,6 +407,11 @@ dn: cn=config
 changetype: modify
 add: olcDisallows
 olcDisallows: bind_anon
+
+dn: cn=config
+changetype: modify
+add: olcRequires
+olcRequires: authc
 EOF
    debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/disable_anon_bind.ldif"
 }
@@ -586,9 +596,6 @@ ldap_initialize() {
        if [ "$LDAP_ALLOW_ANON_BINDING" == 'no' ]; then
            ldap_disable_anon_binding
        fi
-        if is_boolean_yes "$LDAP_ENABLE_TLS"; then
-            ldap_configure_tls
-        fi
        # Initialize OpenLDAP with schemas/tree structure
        if is_boolean_yes "$LDAP_ADD_SCHEMAS"; then
            ldap_add_schemas
@@ -606,6 +613,20 @@ ldap_initialize() {
        else
            info "Skipping default schemas/tree structure"
        fi
+        # additional configuration
+        if ! [ "$LDAP_PASSWORD_HASH" == '{SSHA}' ]; then
+            ldap_configure_password_hash
+        fi
+        if is_boolean_yes "$LDAP_CONFIGURE_PPOLICY"; then
+            ldap_configure_ppolicy
+        fi
+        # enable tls
+        if is_boolean_yes "$LDAP_ENABLE_TLS"; then
+            ldap_configure_tls
+            if is_boolean_yes "$LDAP_REQUIRE_TLS"; then
+                ldap_configure_tls_required
+            fi
+        fi
        ldap_stop
    fi
 }
@@ -680,3 +701,109 @@ EOF
    fi
    debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/certs.ldif"
 }
+
+########################
+# OpenLDAP configure connections to require TLS
+# Globals:
+#   LDAP_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+ldap_configure_tls_required() {
+    info "Configuring LDAP connections to require TLS"
+    cat > "${LDAP_SHARE_DIR}/tls_required.ldif" << EOF
+dn: cn=config
+changetype: modify
+add: olcSecurity
+olcSecurity: tls=1
+EOF
+    debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/tls_required.ldif"
+}
+
+########################
+# OpenLDAP enable module
+# Globals:
+#   LDAP_*
+# Arguments:
+#   $1: Module path
+#   $2: Module file name
+# Returns:
+#   None
+#########################
+ldap_load_module() {
+    info "Enable LDAP $2 module from $1"
+    cat > "${LDAP_SHARE_DIR}/enable_module_$2.ldif" << EOF
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+olcModulePath: $1
+olcModuleLoad: $2
+EOF
+    debug_execute ldapadd -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/enable_module_$2.ldif"
+}
+
+########################
+# OpenLDAP configure ppolicy
+# Globals:
+#   LDAP_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+ldap_configure_ppolicy() {
+    info "Configuring LDAP ppolicy"
+    ldap_load_module "/opt/bitnami/openldap/lib/openldap" "ppolicy.so"
+    # create configuration
+    cat > "${LDAP_SHARE_DIR}/ppolicy_create_configuration.ldif" << EOF
+dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: {0}ppolicy
+EOF
+    debug_execute ldapadd -Q -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ppolicy_create_configuration.ldif"
+    # enable ppolicy_hash_cleartext
+    if is_boolean_yes "$LDAP_PPOLICY_HASH_CLEARTEXT"; then
+        info "Enabling ppolicy_hash_cleartext"
+        cat > "${LDAP_SHARE_DIR}/ppolicy_configuration_hash_cleartext.ldif" << EOF
+dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
+changetype: modify
+add: olcPPolicyHashCleartext
+olcPPolicyHashCleartext: TRUE
+EOF
+    debug_execute ldapmodify -Q -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ppolicy_configuration_hash_cleartext.ldif"
+    fi
+    # enable ppolicy_use_lockout
+    if is_boolean_yes "$LDAP_PPOLICY_USE_LOCKOUT"; then
+        info "Enabling ppolicy_use_lockout"
+        cat > "${LDAP_SHARE_DIR}/ppolicy_configuration_use_lockout.ldif" << EOF
+dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
+changetype: modify
+add: olcPPolicyUseLockout
+olcPPolicyUseLockout: TRUE
+EOF
+        debug_execute ldapmodify -Q -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ppolicy_configuration_use_lockout.ldif"
+    fi
+}
+
+########################
+# OpenLDAP configure olcPasswordHash
+# Globals:
+#   LDAP_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+ldap_configure_password_hash() {
+    info "Configuring LDAP olcPasswordHash"
+    cat > "${LDAP_SHARE_DIR}/password_hash.ldif" << EOF
+dn: olcDatabase={-1}frontend,cn=config
+changetype: modify
+add: olcPasswordHash
+olcPasswordHash: $LDAP_PASSWORD_HASH
+EOF
+    debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/password_hash.ldif"
+}
--- a/bitnami/openldap/README.md
+++ b/bitnami/openldap/README.md
@@ -194,17 +194,22 @@ The Bitnami Docker OpenLDAP can be easily setup with the following environment v
 * `LDAP_CUSTOM_SCHEMA_DIR`: Location of a directory containing custom internal schema files that could not be added as custom ldif files (i.e. containing some `structuralObjectClass`). This can be used in addition to or instead of `LDAP_CUSTOM_SCHEMA_FILE` (above) to add multiple schema files. Default: **/schemas**
 * `LDAP_ULIMIT_NOFILES`: Maximum number of open file descriptors. Default: **1024**.
 * `LDAP_ALLOW_ANON_BINDING`: Allow anonymous bindings to the LDAP server. Default: **yes**.
-* `LDAP_LOGLEVEL`: Set the loglevel for the OpenLDAP server (see <https://www.openldap.org/doc/admin25/slapdconfig.html> for possible values). Default: **256**.
+* `LDAP_LOGLEVEL`: Set the loglevel for the OpenLDAP server (see <https://www.openldap.org/doc/admin26/slapdconfig.html> for possible values). Default: **256**.
+* `LDAP_PASSWORD_HASH`: Hash to be used in generation of user passwords. Must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. Default: **{SSHA}**.
+* `LDAP_CONFIGURE_PPOLICY`: Enables the ppolicy module and creates an empty configuration. Default: **no**
+* `LDAP_PPOLICY_USE_LOCKOUT`: Whether bind attempts to locked accounts will always return an error. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no**
+* `LDAP_PPOLICY_HASH_CLEARTEXT`: Whether plaintext passwords should be hashed automatically. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no**

 You can bootstrap the contents of your database by putting LDIF files in the directory `/ldifs` (or the one you define in `LDAP_CUSTOM_LDIF_DIR`). Those may only contain content underneath your base DN (set by `LDAP_ROOT`). You can **not** set configuration for e.g. `cn=config` in those files.

-Check the official [OpenLDAP Configuration Reference](https://www.openldap.org/doc/admin25/guide.html) for more information about how to configure OpenLDAP.
+Check the official [OpenLDAP Configuration Reference](https://www.openldap.org/doc/admin26/guide.html) for more information about how to configure OpenLDAP.

 ### Securing OpenLDAP traffic

 OpenLDAP clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections and to support LDAP authentication using the SASL EXTERNAL mechanism. Should you desire to enable this optional feature, you may use the following environment variables to configure the application:

 * `LDAP_ENABLE_TLS`: Whether to enable TLS for traffic or not. Defaults to `no`.
+* `LDAP_REQUIRE_TLS`: Whether connections must use TLS. Will only be applied with `LDAP_ENABLE_TLS` active. Defaults to `no`.
 * `LDAP_LDAPS_PORT_NUMBER`: Port used for TLS secure traffic. Priviledged port is supported (e.g. `636`). Default: **1636** (non privileged port).
 * `LDAP_TLS_CERT_FILE`: File containing the certificate file for the TLS traffic. No defaults.
 * `LDAP_TLS_KEY_FILE`: File containing the key for certificate. No defaults.