Hello community,

here is the log from the commit of package opensuse-openldap-image for openSUSE:Factory checked in at 2020-10-26 16:23:10

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/opensuse-openldap-image (Old)
 and      /work/SRC/openSUSE:Factory/.opensuse-openldap-image.new.3463 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "opensuse-openldap-image" Mon Oct 26 16:23:10 2020 rev:2 rq:844087 version:1.0.0 Changes: -------- --- /work/SRC/openSUSE:Factory/opensuse-openldap-image/opensuse-openldap-image.changes 2020-09-03 01:16:15.528516989 +0200 +++ /work/SRC/openSUSE:Factory/.opensuse-openldap-image.new.3463/opensuse-openldap-image.changes 2020-10-26 16:23:30.847282636 +0100 @@ -1,0 +2,17 @@ +Mon Oct 26 12:42:00 UTC 2020 - Thorsten Kukuk <ku...@suse.com> + +- Check for errors when importing ldif files +- Add support to import ldif files for mailserver setup + +------------------------------------------------------------------- +Mon Sep 28 18:50:23 UTC 2020 - Thorsten Kukuk <ku...@suse.com> + +- Add timezone package + +------------------------------------------------------------------- +Thu Aug 27 08:16:26 UTC 2020 - Thorsten Kukuk <ku...@suse.com> + +- Load postfix.ldif by default, delete duplicate file +- Pre-process mailserver/*.ldif files + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ opensuse-openldap-image.kiwi ++++++ --- /var/tmp/diff_new_pack.sDaGJ4/_old 2020-10-26 16:23:31.423283099 +0100 +++ /var/tmp/diff_new_pack.sDaGJ4/_new 2020-10-26 16:23:31.423283099 +0100 @@ -54,6 +54,7 @@ <package name="openldap2-client"/> <package name="openldap2-ppolicy-check-password"/> <package name="openssl"/> + <package name="timezone"/> <package name="mandoc"/> <package name="ca-certificates"/> <package name="ca-certificates-mozilla"/> ++++++ README.md ++++++ --- /var/tmp/diff_new_pack.sDaGJ4/_old 2020-10-26 16:23:31.467283135 +0100 +++ /var/tmp/diff_new_pack.sDaGJ4/_new 2020-10-26 16:23:31.471283138 +0100 
@@ -103,41 +103,42 @@ ## Supported environment variables: ### Generic variables: -- `DEBUG=[0|1]` Enables "set -x" in the entrypoint script -- `TZ` Timezone to use in the container +- `DEBUG=[0|1]` Enables "set -x" in the entrypoint script +- `TZ` Timezone to use in the container ### Variables for new database: -- `LDAP_DOMAIN` Ldap domain. Defaults to `example.org` -- `LDAP_BASE_DN` Ldap base DN. If empty automatically set from `LDAP_DOMAIN` value. Defaults to (`empty`) -- `LDAP_ORGANISATION` Organisation name. Defaults to `Example Inc.` -- `LDAP_ADMIN_PASSWORD` Ldap admin password. It's required to supply one if no database exists at startup. -- `LDAP_CONFIG_PASSWORD` Ldap config password. It's required to supply one if no database exists at startup. -- `LDAP_BACKEND` Database backend, defaults to `mdb` -- `LDAP_SEED_LDIF_PATH` Path with additional ldif files which will be loaded -- `LDAP_SEED_SCHEMA_PATH` Path with additional schema which will be loaded +- `LDAP_DOMAIN` Ldap domain. Defaults to `example.org` +- `LDAP_BASE_DN` Ldap base DN. If empty automatically set from `LDAP_DOMAIN` value. Defaults to (`empty`) +- `LDAP_ORGANIZATION` Organization name. Defaults to `Example Inc.` +- `LDAP_ADMIN_PASSWORD` Ldap admin password. It's required to supply one if no database exists at startup. +- `LDAP_CONFIG_PASSWORD` Ldap config password. It's required to supply one if no database exists at startup. +- `LDAP_BACKEND` Database backend, defaults to `mdb` +- `LDAP_SEED_LDIF_PATH` Path with additional ldif files which will be loaded +- `LDAP_SEED_SCHEMA_PATH` Path with additional schema which will be loaded ### Variables for TLS: -- `LDAP_TLS=[1|0]` Enable TLS. Defaults to `1` (true). -- `LDAP_TLS_CA_CRT` LDAP ssl CA certificate. Defaults to `/etc/openldap/certs/ca.crt`. -- `LDAP_TLS_CA_KEY` Private LDAP CA key. Defaults to `/etc/openldap/certs/ca.key`. -- `LDAP_TLS_CRT` LDAP ssl certificate. Defaults to `/etc/openldap/certs/tls.crt`. 
-- `LDAP_TLS_KEY` Private LDAP ssl key. Defaults to `/etc/openldap/certs/tls.key`. -- `LDAP_TLS_DH_PARAM` LDAP ssl certificate dh param file. -- `LDAP_TLS_ENFORCE=[0|1]` Enforce TLS but except ldapi connections. Defaults to `0` (false). -- `LDAP_TLS_CIPHER_SUITE` TLS cipher suite. -- `LDAP_TLS_VERIFY_CLIENT` TLS verify client. Defaults to `demand`. +- `LDAP_TLS=[1|0]` Enable TLS. Defaults to `1` (true). +- `LDAP_TLS_CA_CRT` LDAP ssl CA certificate. Defaults to `/etc/openldap/certs/openldap-ca.crt`. +- `LDAP_TLS_CA_KEY` Private LDAP CA key. Defaults to `/etc/openldap/certs/openldap-ca.key`. +- `LDAP_TLS_CRT` LDAP ssl certificate. Defaults to `/etc/openldap/certs/tls.crt`. +- `LDAP_TLS_KEY` Private LDAP ssl key. Defaults to `/etc/openldap/certs/tls.key`. +- `LDAP_TLS_DH_PARAM` LDAP ssl certificate dh param file. +- `LDAP_TLS_ENFORCE=[0|1]` Enforce TLS but except ldapi connections. Defaults to `0` (false). +- `LDAP_TLS_CIPHER_SUITE` TLS cipher suite. +- `LDAP_TLS_VERIFY_CLIENT` TLS verify client. Defaults to `demand`. ### Various configuration variables: -- `LDAP_NOFILE` Number of open files (ulimt -n), default `1024` -- `LDAP_PORT` Port for ldap:///, defaults to `389` -- `LDAPS_PORT` Port for ldaps:///, defaults to `636` -- `LDAPI_URL` Ldapi url, defaults to `ldapi:///run/slapd/ldapi` -- `LDAP_UID` UID of ldap user. All LDAP related files will be changed to this UID -- `LDAP_GID` GID of ldap group. All LDAP related files will be changed to this GID -- `LDAP_BACKEND` Database backend, defaults to `mdb` -- `SLAPD_LOG_LEVEL` Slapd debug devel, defaults to `0` +- `LDAP_NOFILE` Number of open files (ulimt -n), default `1024` +- `LDAP_PORT` Port for ldap:///, defaults to `389` +- `LDAPS_PORT` Port for ldaps:///, defaults to `636` +- `LDAPI_URL` Ldapi url, defaults to `ldapi:///run/slapd/ldapi` +- `LDAP_UID` UID of ldap user. All LDAP related files will be changed to this UID +- `LDAP_GID` GID of ldap group. 
All LDAP related files will be changed to this GID +- `LDAP_BACKEND` Database backend, defaults to `mdb` +- `SLAPD_LOG_LEVEL` Slapd debug devel, defaults to `0` +- `SETUP_FOR_MAILSERVER` The mail organization will be created (ldif/mailserver/), defaults to `0` ## Data persistence volumes -- `/etc/openldap/certs` TLS certificates for slapd -- `/etc/openldap/slapd.d` Slapd configuration files -- `/var/lib/ldap` OpenLDAP database +- `/etc/openldap/certs` TLS certificates for slapd +- `/etc/openldap/slapd.d` Slapd configuration files +- `/var/lib/ldap` OpenLDAP database ++++++ config.sh ++++++ --- /var/tmp/diff_new_pack.sDaGJ4/_old 2020-10-26 16:23:31.495283158 +0100 +++ /var/tmp/diff_new_pack.sDaGJ4/_new 2020-10-26 16:23:31.495283158 +0100 @@ -16,6 +16,3 @@ # No default domain and standard password ... rm /etc/openldap/slapd.conf -# Fix path so that update-ca-certificates does not complain -# [bsc#1175340] -rm /etc/ssl/certs && ln -sf /var/lib/ca-certificates/pem /etc/ssl/certs ++++++ entrypoint.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/entrypoint/entrypoint.sh new/entrypoint/entrypoint.sh --- old/entrypoint/entrypoint.sh 2020-08-26 17:58:22.000000000 +0200 +++ new/entrypoint/entrypoint.sh 2020-10-26 13:40:28.000000000 +0100 
@@ -17,21 +17,24 @@ SLAPD_SLP_REG=${SLAPD_SLP_REG:-"-o slp=off"} # Default values for new database -LDAP_ORGANISATION=${LDAP_ORGANISATION:-"Example Inc."} +LDAP_ORGANIZATION=${LDAP_ORGANIZATION:-"Example Inc."} LDAP_DOMAIN=${LDAP_DOMAIN:-"example.org"} LDAP_BASE_DN=${LDAP_BASE_DN:-""} # TLS LDAP_TLS=${LDAP_TLS:-"1"} -LDAP_TLS_CA_CRT=${LDAP_TLS_CA_CRT:-"/etc/openldap/certs/ca.crt"} -LDAP_TLS_CA_KEY=${LDAP_TLS_CA_KEA:-"/etc/openldap/certs/ca.key"} +LDAP_TLS_CA_CRT=${LDAP_TLS_CA_CRT:-"/etc/openldap/certs/openldap-ca.crt"} +LDAP_TLS_CA_KEY=${LDAP_TLS_CA_KEA:-"/etc/openldap/certs/openldap-ca.key"} LDAP_TLS_CRT=${LDAP_TLS_CRT:-"/etc/openldap/certs/tls.crt"} LDAP_TLS_KEY=${LDAP_TLS_KEY:-"/etc/openldap/certs/tls.key"} LDAP_TLS_DH_PARAM=${LDAP_TLS_DH_PARAM:-"/etc/openldap/certs/dhparam.pem"} LDAP_TLS_ENFORCE=${LDAP_TLS_ENFORCE:-"0"} LDAP_TLS_CIPHER_SUITE=${LDAP_TLS_CIPHER_SUITE:-"HIGH:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:!SSLv3:!SSLv2:!ADH"} -LDAP_TLS_VERIFY_CLIENT=${LDAP_TLS_VERIFY_CLIENT:-demand} +LDAP_TLS_VERIFY_CLIENT=${LDAP_TLS_VERIFY_CLIENT:-try} + +# For mailserver setup +SETUP_FOR_MAILSERVER=${SETUP_FOR_MAILSERVER:-0} setup_timezone() { @@ -194,7 +197,7 @@ objectClass: top objectClass: dcObject objectClass: organization - o: ${LDAP_ORGANISATION} + o: ${LDAP_ORGANIZATION} dc: $dc dn: cn=admin,${LDAP_BASE_DN} 
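Review bot: in the `@@ -17,21 +17,24 @@` hunk of entrypoint.sh the line `LDAP_TLS_CA_KEY=${LDAP_TLS_CA_KEA:-"/etc/openldap/certs/openldap-ca.key"}` keeps the `KEA` typo from the old line, so the `LDAP_TLS_CA_KEY` variable documented in README.md can never override the default; it should read `LDAP_TLS_CA_KEY=${LDAP_TLS_CA_KEY:-"/etc/openldap/certs/openldap-ca.key"}`. The same hunk relaxes the default of `LDAP_TLS_VERIFY_CLIENT` from `demand` to `try`; this value is written into `/etc/openldap/ldap.conf` as `TLS_REQCERT` by `setup_ldap_conf`, and with `try` a peer that presents no certificate is accepted, so this weakening should either be reverted or recorded in the changes file and the README entry (which still says `demand`) updated. Renaming `LDAP_ORGANISATION` to `LDAP_ORGANIZATION` silently ignores deployments that still export the old name; `LDAP_ORGANIZATION=${LDAP_ORGANIZATION:-${LDAP_ORGANISATION:-"Example Inc."}}` keeps both working.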
@@ -227,18 +230,39 @@ fi } + function adjust_ldif_file() { + local LDIF_FILE + + LDIF_FILE="$1" + + sed -i "s|@LDAP_BASE_DN@|${LDAP_BASE_DN}|g" "${LDIF_FILE}" + sed -i "s|@LDAP_BACKEND@|${LDAP_BACKEND}|g" "${LDIF_FILE}" + sed -i "s|@LDAP_DOMAIN@|${LDAP_DOMAIN}|g" "${LDIF_FILE}" + if [ -n "${MAIL_ACCOUNT_READER_PASSWORD}" ]; then + sed -i "s|@MAIL_ACCOUNT_READER_PASSWORD@|${MAIL_ACCOUNT_READER_PASSWORD}|g" "${LDIF_FILE}" + fi + } + function ldap_add_or_modify() { + local failed local LDIF_FILE=$1 - echo "Processing file ${LDIF_FILE}" - sed -i "s|@LDAP_BASE_DN@|${LDAP_BASE_DN}|g" "${LDIF_FILE}" - sed -i "s|@LDAP_BACKEND@|${LDAP_BACKEND}|g" "${LDIF_FILE}" - sed -i "s|@LDAP_DOMAIN@|${LDAP_DOMAIN}|g" "${LDIF_FILE}" + echo "Processing file ${LDIF_FILE}" + + adjust_ldif_file "${LDIF_FILE}" if grep -iq changetype "${LDIF_FILE}" ; then - ldapmodify -Y EXTERNAL -Q -H ldapi:/// -D "cn=admin,${LDAP_BASE_DN}" -w "${LDAP_ADMIN_PASSWORD}" -f "${LDIF_FILE}" + ldapmodify -Y EXTERNAL -Q -H ldapi:/// -D "cn=admin,${LDAP_BASE_DN}" -w "${LDAP_ADMIN_PASSWORD}" -f "${LDIF_FILE}" || failed=1 + if [ "$failed" ]; then + echo "ERROR: ldapmodify failed!" + exit 1 + fi else - ldapadd -Y EXTERNAL -Q -H ldapi:/// -D "cn=admin,${LDAP_BASE_DN}" -w "$LDAP_ADMIN_PASSWORD" -f "${LDIF_FILE}" + ldapadd -Y EXTERNAL -Q -H ldapi:/// -D "cn=admin,${LDAP_BASE_DN}" -w "$LDAP_ADMIN_PASSWORD" -f "${LDIF_FILE}" || failed=1 + if [ "$failed" ]; then + echo "ERROR: ldapadd failed!" + exit 1 + fi fi } 
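Review bot: `adjust_ldif_file` interpolates `MAIL_ACCOUNT_READER_PASSWORD` into a `sed` replacement unescaped, so a password containing `|`, `&` or `\` either breaks the expression or is rewritten (`&` re-inserts the matched placeholder), and the cleartext value also shows up in the `sed` command line; escape those characters before substitution, or substitute a hash produced with `slappasswd -s` instead of the raw secret. Style: `ldapmodify ... || { echo "ERROR: ldapmodify failed!" >&2; exit 1; }` replaces the `failed=1` flag plus the follow-up `if` (same for the `ldapadd` branch) and sends the error to stderr like the other error paths in this script.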
@@ -366,22 +390,39 @@ rm -f /entrypoint/ldif/security.ldif ldap_add_or_modify /entrypoint/ldif/memberOf.ldif ldap_add_or_modify /entrypoint/ldif/refint.ldif + ldap_add_or_modify /entrypoint/ldif/postfix.ldif ldap_add_or_modify /entrypoint/ldif/index.ldif # process config files (*.ldif) in custom directory echo "Add image bootstrap ldif..." for f in $(find /entrypoint/ldif/custom -mindepth 1 -maxdepth 1 -type f -name \*.ldif | sort); do - echo "Processing file ${f}" ldap_add_or_modify "$f" done + if [ "${SETUP_FOR_MAILSERVER}" = "1" ]; then + echo "Setup for mailserver..." + file_env 'MAIL_ACCOUNT_READER_PASSWORD' + if [ -z "${MAIL_ACCOUNT_READER_PASSWORD}" ]; then + echo "Password for mail account reader (MAIL_ACCOUNT_READER_PASSWORD) not set!" >&2 + exit 1 + fi + + for f in /entrypoint/ldif/mailserver/*.ldif ; do + ldap_add_or_modify "$f" + done + else + for f in /entrypoint/ldif/mailserver/*.ldif ; do + echo "Adjusting $f" + adjust_ldif_file "$f" + done + fi # Check or create certificates setup_tls } # ldap client config setup_ldap_conf() { - if [ "${LDAP_TLS}" == "1" ]; then + if [ "${LDAP_TLS}" = "1" ]; then echo "Configure ldap client TLS configuration..." echo "TLS_CACERT ${LDAP_TLS_CA_CRT}" >> /etc/openldap/ldap.conf echo "TLS_REQCERT ${LDAP_TLS_VERIFY_CLIENT}" >> /etc/openldap/ldap.conf @@ -414,7 +455,7 @@ unset "$fileVar" } -# if command starts with an option, prepend postfix +# if command starts with an option, prepend slapd if [ "${1:0:1}" = '-' ]; then set -- /usr/sbin/slapd "$@" fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/entrypoint/ldif/examples/example-user.ldif new/entrypoint/ldif/examples/example-user.ldif --- old/entrypoint/ldif/examples/example-user.ldif 1970-01-01 01:00:00.000000000 +0100 +++ new/entrypoint/ldif/examples/example-user.ldif 2020-10-26 13:40:28.000000000 +0100 
@@ -0,0 +1,14 @@ +dn: uid=mail000,ou=mail,@LDAP_BASE_DN@ +cn: mail000 +gidnumber: 20000 +homedirectory: /home/mail/mail000 +mailacceptinggeneralid: te...@hosted-domain.com +mailacceptinggeneralid: te...@hosted-domain.com +maildrop: mail...@mail.example.com +objectclass: account +objectclass: posixAccount +objectclass: postfixUser +objectclass: top +uid: mail000 +uidnumber: 20000 +userpassword: user diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/entrypoint/ldif/index.ldif new/entrypoint/ldif/index.ldif --- old/entrypoint/ldif/index.ldif 2020-08-26 17:58:22.000000000 +0200 +++ new/entrypoint/ldif/index.ldif 2020-10-26 13:40:28.000000000 +0100 @@ -8,3 +8,6 @@ olcDbIndex: entryCSN eq olcDbIndex: entryUUID eq olcDbIndex: objectClass eq +# for postfix schema +olcdbindex: mailacceptinggeneralid eq,sub +olcdbindex: maildrop eq diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/entrypoint/ldif/mailserver/02-create-cn=mailAccountReader.ldif new/entrypoint/ldif/mailserver/02-create-cn=mailAccountReader.ldif --- old/entrypoint/ldif/mailserver/02-create-cn=mailAccountReader.ldif 1970-01-01 01:00:00.000000000 +0100 +++ new/entrypoint/ldif/mailserver/02-create-cn=mailAccountReader.ldif 2020-10-26 13:40:28.000000000 +0100 @@ -0,0 +1,10 @@ +dn: ou=Manager,@LDAP_BASE_DN@ +objectClass: organizationalUnit +ou: Manager + +dn: cn=mailAccountReader,ou=Manager,@LDAP_BASE_DN@ +cn: mailAccountReader +objectclass: organizationalRole +objectclass: simpleSecurityObject +objectclass: top +userpassword: @MAIL_ACCOUNT_READER_PASSWORD@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/entrypoint/ldif/mailserver/02-olcdbindex.ldif new/entrypoint/ldif/mailserver/02-olcdbindex.ldif --- old/entrypoint/ldif/mailserver/02-olcdbindex.ldif 2020-08-26 17:58:22.000000000 +0200 +++ new/entrypoint/ldif/mailserver/02-olcdbindex.ldif 1970-01-01 01:00:00.000000000 +0100 
@@ -1,7 +0,0 @@ -dn: olcDatabase={1}@LDAP_BACKEND@,cn=config -changetype: modify -delete: olcdbindex -- -add: olcdbindex -olcdbindex: mailacceptinggeneralid eq,sub -olcdbindex: maildrop eq diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/entrypoint/ldif/mailserver/03-add-olcAccess.ldif new/entrypoint/ldif/mailserver/03-add-olcAccess.ldif --- old/entrypoint/ldif/mailserver/03-add-olcAccess.ldif 1970-01-01 01:00:00.000000000 +0100 +++ new/entrypoint/ldif/mailserver/03-add-olcAccess.ldif 2020-10-26 13:40:28.000000000 +0100 @@ -0,0 +1,7 @@ +dn: olcDatabase={1}@LDAP_BACKEND@,cn=config +changetype: modify +delete: olcAccess +- +add: olcAccess +olcAccess: to attrs=userPassword by self =xw by anonymous auth by * none +olcAccess: to dn.subtree="ou=mail,@LDAP_BASE_DN@" by dn.base="cn=mailAccountReader,ou=Manager,@LDAP_BASE_DN@" read by * none diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/entrypoint/ldif/mailserver/03-create-cn=mailAccountReader.ldif new/entrypoint/ldif/mailserver/03-create-cn=mailAccountReader.ldif --- old/entrypoint/ldif/mailserver/03-create-cn=mailAccountReader.ldif 2020-08-26 17:58:22.000000000 +0200 +++ new/entrypoint/ldif/mailserver/03-create-cn=mailAccountReader.ldif 1970-01-01 01:00:00.000000000 +0100 
@@ -1,10 +0,0 @@ -dn: ou=Manager,@LDAP_BASE_DN@ -objectClass: organizationalUnit -ou: Manager - -dn: cn=mailAccountReader,ou=Manager,@LDAP_BASE_DN@ -cn: mailAccountReader -objectclass: organizationalRole -objectclass: simpleSecurityObject -objectclass: top -userpassword: @MAIIL_ACCOUNT_READER_PASSWORD@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/entrypoint/ldif/mailserver/04-add-olcAccess.dif new/entrypoint/ldif/mailserver/04-add-olcAccess.dif --- old/entrypoint/ldif/mailserver/04-add-olcAccess.dif 2020-08-26 17:58:22.000000000 +0200 +++ new/entrypoint/ldif/mailserver/04-add-olcAccess.dif 1970-01-01 01:00:00.000000000 +0100 @@ -1,7 +0,0 @@ -dn: olcDatabase={1}@LDAP_BACKEND@,cn=config -changetype: modify -delete: olcAccess -- -add: olcAccess -olcAccess: to attrs=userPassword by self =xw by anonymous auth by * none -olcAccess: to dn.subtree="ou=mail,@LDAP_BASE_DN@" by dn.base="cn=mailAccountReader,ou=Manager,@LDAP_BASE_DN@" read by * none diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/entrypoint/ldif/mailserver/example-user.ldif new/entrypoint/ldif/mailserver/example-user.ldif --- old/entrypoint/ldif/mailserver/example-user.ldif 2020-08-26 17:58:22.000000000 +0200 +++ new/entrypoint/ldif/mailserver/example-user.ldif 1970-01-01 01:00:00.000000000 +0100 
@@ -1,14 +0,0 @@ -dn: uid=mail000,ou=mail,@LDAP_BASE_DN@ -cn: mail000 -gidnumber: 20000 -homedirectory: /home/mail/mail000 -mailacceptinggeneralid: te...@hosted-domain.com -mailacceptinggeneralid: te...@hosted-domain.com -maildrop: mail...@mail.example.com -objectclass: account -objectclass: posixAccount -objectclass: postfixUser -objectclass: top -uid: mail000 -uidnumber: 20000 -userpassword: user diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/entrypoint/ldif/mailserver/postfix.ldif new/entrypoint/ldif/mailserver/postfix.ldif --- old/entrypoint/ldif/mailserver/postfix.ldif 2020-08-26 17:58:22.000000000 +0200 +++ new/entrypoint/ldif/mailserver/postfix.ldif 1970-01-01 01:00:00.000000000 +0100 @@ -1,14 +0,0 @@ -# https://raw.githubusercontent.com/68b32/postfix-ldap-schema/master/postfix.ldif -dn: cn=postfix,cn=schema,cn=config -cn: postfix -objectclass: olcSchemaConfig -olcattributetypes: {0}(1.3.6.1.4.1.4203.666.1.200 NAME 'mailacceptinggeneral - id' DESC 'Postfix mail local address alias attribute' EQUALITY caseIgnoreMa - tch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1 - 024}) -olcattributetypes: {1}(1.3.6.1.4.1.4203.666.1.201 NAME 'maildrop' DESC 'Post - fix mail final destination attribute' EQUALITY caseIgnoreMatch SUBSTR caseI - gnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}) -olcobjectclasses: {0}(1.3.6.1.4.1.4203.666.1.100 NAME 'postfixUser' DESC 'Po - stfix mail user class' SUP top AUXILIARY MAY(mailacceptinggeneralid $ maild - rop)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/entrypoint/ldif/security.ldif new/entrypoint/ldif/security.ldif --- old/entrypoint/ldif/security.ldif 2020-08-26 17:58:22.000000000 +0200 +++ new/entrypoint/ldif/security.ldif 2020-10-26 13:40:28.000000000 +0100 
@@ -4,6 +4,5 @@ - add: olcAccess olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break -olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,@LDAP_BASE_DN@" write by anonymous auth -by * none +olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,@LDAP_BASE_DN@" write by anonymous auth by * none olcAccess: to * by self read by dn="cn=admin,@LDAP_BASE_DN@" write by * none diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/entrypoint/ssl-helper new/entrypoint/ssl-helper --- old/entrypoint/ssl-helper 2020-08-26 17:58:22.000000000 +0200 +++ new/entrypoint/ssl-helper 2020-10-26 13:40:28.000000000 +0100 @@ -7,6 +7,13 @@ CA_CERT_FILE=$3 CA_KEY_FILE=$4 +# Some defaults +SSL_CA_CSR_COUNTRY=${SSL_CA_CSR_COUNTRY:-"DE"} +SSL_CA_CSR_STATE=${SSL_CA_CSR_STATE:-"Bavaria"} +SSL_CA_CSR_ORGANIZATION_UNIT=${SSL_CA_CSR_ORGANIZATION_UNIT:-"Dummy CA"} +SSL_CA_CSR_CN=${SSL_CA_CSR_CN:-"$(hostname -f)"} +SSL_ORGANIZATION_UNIT=${SSL_ORGANIZATION_UNIT:-"Server Certificate"} + if [ -z "${CERT_FILE}" ] || [ -z "${KEY_FILE}" ] || [ -z "${CA_CERT_FILE}" ] || [ -z "${CA_KEY_FILE}" ]; then echo "Usage: ssl-helper cert_file key_file ca_cert_file ca_key_file" >&2 exit 1 
@@ -15,42 +22,58 @@ if [ ! -e "${CA_CERT_FILE}" ]; then echo "No CA cert file found, generating one" - DEFAULT_CA_CSR_COUNTRY=${DEFAULT_CA_CSR_COUNTRY:-"DE"} - DEFAULT_CA_CSR_STATE=${DEFAULT_CA_CSR_STATE:-"Bavaria"} - DEFAULT_CA_CSR_ORGANIZATION_UNIT=${DEFAULT_CA_CSR_ORGANIZATION_UNIT:-"OpenLDAP Dummy CA"} - - # RSA: openssl genrsa -out "${DEFAULT_CA_DIR}/rootCA.key" 4096 - # ecdsa 384 if [ ! -e "${CA_KEY_FILE}" ]; then echo "Generating private CA key..." + # RSA: openssl genrsa -out "${CA_KEY_FILE}" 4096 + # ecdsa 384: openssl ecparam -genkey -name secp384r1 -noout -out "${CA_KEY_FILE}" chmod 600 "${CA_KEY_FILE}" fi echo "Generating CA certificate..." - openssl req -x509 -new -nodes -key "${CA_KEY_FILE}" -sha256 -days 1024 -subj "/C=${DEFAULT_CA_CSR_COUNTRY}/ST=${DEFAULT_CA_CSR_STATE}/O=${DEFAULT_CA_CSR_ORGANIZATION_UNIT}/CN=OpenLDAP" -out "${CA_CERT_FILE}" + openssl req -x509 -new -nodes -key "${CA_KEY_FILE}" -sha256 -days 1024 \ + -subj "/C=${SSL_CA_CSR_COUNTRY}/ST=${SSL_CA_CSR_STATE}/O=${SSL_CA_CSR_ORGANIZATION_UNIT}/CN=${SSL_CA_CSR_CN}" \ + -out "${CA_CERT_FILE}" fi if [ ! -e "${CERT_FILE}" ] && [ ! -e "${KEY_FILE}" ]; then + function buildExtCnf() { + cat << EOF > "${WORKDIR}/v3.ext" +authorityKeyIdentifier=keyid,issuer +basicConstraints=CA:FALSE +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment +subjectAltName = @alt_names +[alt_names] +DNS.1 = localhost +EOF + + if [ -n "${HOSTNAME}" ]; then + echo "DNS.2 = ${HOSTNAME}" >> "${WORKDIR}/v3.ext" + else + echo "DNS.2 = $(hostname -f)" >> "${WORKDIR}/v3.ext" + echo "DNS.3 = $(hostname)" >> "${WORKDIR}/v3.ext" + fi + } + echo "No certificate file and certificate key provided, generate:" echo "${CERT_FILE} and ${KEY_FILE}" WORKDIR="$(mktemp -d)" - if [ -z "%${HOSTNAME}" ]; then - HOSTNAME=$(hostname -f) - fi + + buildExtCnf echo "Generating certificate key..." openssl genrsa -out "${KEY_FILE}" 2048 echo "Generating sign request..." 
openssl req -new -sha256 -key "${KEY_FILE}" \ - -subj "/O=OpenLDAP Dummy CA/CN=${HOSTNAME}" \ - -out "${WORKDIR}/openldap.csr" + -subj "/O=${SSL_ORGANIZATION_UNIT}/CN=${HOSTNAME}" \ + -out "${WORKDIR}/cert.csr" echo "Generating certificate..." - openssl x509 -req -in "${WORKDIR}/openldap.csr" -CA "${CA_CERT_FILE}" \ + openssl x509 -req -in "${WORKDIR}/cert.csr" -CA "${CA_CERT_FILE}" \ -CAkey "${CA_KEY_FILE}" -CAcreateserial -days 365 -sha256 \ + -extfile "${WORKDIR}/v3.ext" \ -out "${CERT_FILE}" rm -rf "${WORKDIR}"
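Review bot: in the `@@ -103,41 +103,42 @@` hunk of README.md, `LDAP_TLS_VERIFY_CLIENT` is still documented as defaulting to `demand` while entrypoint.sh now defaults it to `try`, and the new `SETUP_FOR_MAILSERVER` entry does not say that `MAIL_ACCOUNT_READER_PASSWORD` must be supplied (the entrypoint exits with an error otherwise); both belong in the README. Since these lines are rewritten anyway, `ulimt -n` and `Slapd debug devel` can become `ulimit -n` and `Slapd debug level`.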
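Review bot: the config.sh hunk removes the `/etc/ssl/certs` symlink workaround for bsc#1175340 without a corresponding entry in the changes file; please confirm the base image's ca-certificates layout no longer triggers the `update-ca-certificates` complaint and note that reason in the changes file, otherwise the removal will look like an accidental regression later.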
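Review bot: in the `@@ -366,22 +390,39 @@` hunk of entrypoint.sh, `for f in /entrypoint/ldif/mailserver/*.ldif` passes the literal pattern to `ldap_add_or_modify` when no file matches, and the new error handling then aborts container start; add `[ -e "$f" ] || continue` inside both loops or enable `nullglob`. The `else` branch runs `adjust_ldif_file` while `MAIL_ACCOUNT_READER_PASSWORD` is never loaded, so `@MAIL_ACCOUNT_READER_PASSWORD@` stays in the files; a one-line comment saying this is only placeholder pre-processing for `LDAP_BASE_DN`/`LDAP_BACKEND`/`LDAP_DOMAIN` would stop readers from taking it for a complete mailserver setup.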
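Review bot: the new `03-add-olcAccess.ldif` does `delete: olcAccess` on `olcDatabase={1}@LDAP_BACKEND@,cn=config` and adds only the `userPassword` and `ou=mail` rules. Assuming security.ldif targets the same database entry, that discards the peercred `manage` rule, the `cn=admin` write rules and the closing `to *` rule it installed; once any olcAccess is defined slapd denies whatever no rule matches, so after this file runs non-rootdn binds lose access to everything outside `ou=mail`, and the `-Y EXTERNAL` ldapi:/// identity used by `ldap_add_or_modify` loses its `manage` grant for later imports. Prefer `add: olcAccess` with explicit `{n}` ordering for the `ou=mail` rule, or restate the complete rule set; note that the replacement `userPassword` rule also drops `shadowLastChange` and the `cn=admin` write clause present in security.ldif.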
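Review bot: `02-create-cn=mailAccountReader.ldif` fixes the `@MAIIL_ACCOUNT_READER_PASSWORD@` typo of the old 03 file, but `userpassword: @MAIL_ACCOUNT_READER_PASSWORD@` still stores the reader password in cleartext both in the directory and in the pre-processed ldif that stays on disk under `/entrypoint/ldif/mailserver/`; substituting a `{SSHA}` value generated with `slappasswd -s "${MAIL_ACCOUNT_READER_PASSWORD}"` keeps simple binds working without persisting the secret. The same applies to `userpassword: user` in `examples/example-user.ldif`, which users will copy as-is.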
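Review bot: in the `@@ -7,6 +7,13 @@` hunk of ssl-helper, `SSL_CA_CSR_ORGANIZATION_UNIT` and `SSL_ORGANIZATION_UNIT` are used for `/O=` in the subjects below, not `/OU=`; rename them to `..._ORGANIZATION` or switch the subject to `OU=` so the variable names match what ends up in the certificate.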
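Review bot: in the `@@ -15,42 +22,58 @@` hunk of ssl-helper, deleting the (never-true) `if [ -z "%${HOSTNAME}" ]` block leaves `-subj "/O=${SSL_ORGANIZATION_UNIT}/CN=${HOSTNAME}"` with an empty CN whenever `HOSTNAME` is not exported, while `buildExtCnf` falls back to `hostname -f` for the SAN; set `HOSTNAME=${HOSTNAME:-$(hostname -f)}` before calling `buildExtCnf` so subject and SAN agree. In `v3.ext`, adding `extendedKeyUsage = serverAuth` is what TLS clients actually check for a server certificate, and `nonRepudiation`/`dataEncipherment` can be dropped from `keyUsage`; `buildExtCnf` writes into `${WORKDIR}` so it must stay defined before the function is called, which holds here but deserves a comment.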