initial commit

2025-02-27 10:13:40 -03:00 · 2025-02-27 10:13:40 -03:00 · 67a2568e52
commit 67a2568e52
17 changed files with 217 additions and 0 deletions
--- a/custom/00_schemas/groupOfEntries.ldif
+++ b/custom/00_schemas/groupOfEntries.ldif
@ -0,0 +1,6 @@
 # https://tools.ietf.org/html/draft-findlay-ldap-groupofentries-00
 #
 dn: cn=groupofentries,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: groupofentries
 olcObjectClasses: {0}( 1.2.826.0.1.3458854.2.1.1.1 NAME 'groupOfEntries' DESC 'Replacement for groupOfNames object without required member attribute' SUP top STRUCTURAL MUST ( cn ) MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
--- a/custom/00_schemas/sudo.ldif
+++ b/custom/00_schemas/sudo.ldif
@ -0,0 +1,11 @@
 dn: cn=sudo,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: sudo
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
--- a/custom/10_modify/acl.ldif
+++ b/custom/10_modify/acl.ldif
@ -0,0 +1,10 @@
 dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
 changetype: modify
 delete: olcAccess
 -
 add: olcAccess
 olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
 olcAccess: to * by dn="cn=admin,{{ LDAP_BASE_DN }}" manage by * break
 olcAccess: to * by set.expand="([cn=ldap_admin,ou=groups,{{ LDAP_BASE_DN }}])/member & user" write by * break
 olcAccess: to attrs=userPassword,shadowLastChange by self =w by anonymous auth by * none
 olcAccess: to * by self read by dn="cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}" read by * none
--- a/custom/10_modify/memberOf.ldif
+++ b/custom/10_modify/memberOf.ldif
@ -0,0 +1,9 @@
 dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
 changetype: modify
 replace: olcMemberOfGroupOC
 olcMemberOfGroupOC: groupOfEntries
 dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
 changetype: modify
 replace: olcMemberOfMemberAD
 olcMemberOfMemberAD: member
--- a/custom/README.md
+++ b/custom/README.md
@ -0,0 +1,15 @@
 Add your custom ldif files here if you don't want to overwrite image default boostrap ldif.
 at run time you can also mount a data volume with your ldif files to /container/service/slapd/assets/config/bootstrap/ldif/custom
 The startup script provides some substitutions in bootstrap ldif files. Following substitutions are supported:
 - `{{ LDAP_BASE_DN }}`
 - `{{ LDAP_BACKEND }}`
 - `{{ LDAP_DOMAIN }}`
 - `{{ LDAP_READONLY_USER_USERNAME }}`
 - `{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}`
 Other `{{ * }}` substitutions are left unchanged.
 Since startup script modifies `ldif` files,
 you **must** add `--copy-service` argument to entrypoint if you don't want to overwrite them.
--- a/custom/ou/groups.ldif
+++ b/custom/ou/groups.ldif
@ -0,0 +1,5 @@
 dn: ou=groups,{{ LDAP_BASE_DN }}
 changetype: add
 objectClass: organizationalUnit
 objectClass: top
 ou: groups
--- a/custom/ou/hosts.ldif
+++ b/custom/ou/hosts.ldif
@ -0,0 +1,5 @@
 dn: ou=hosts,{{ LDAP_BASE_DN }}
 changetype: add
 objectClass: organizationalUnit
 objectClass: top
 ou: hosts
--- a/custom/ou/mounts.ldif
+++ b/custom/ou/mounts.ldif
@ -0,0 +1,5 @@
 dn: ou=mounts,{{ LDAP_BASE_DN }}
 changetype: add
 objectClass: organizationalUnit
 objectClass: top
 ou: mounts
--- a/custom/ou/sudoers.ldif
+++ b/custom/ou/sudoers.ldif
@ -0,0 +1,5 @@
 dn: ou=sudoers,{{ LDAP_BASE_DN }}
 changetype: add
 objectClass: organizationalUnit
 objectClass: top
 ou: sudoers
--- a/custom/ou/users.ldif
+++ b/custom/ou/users.ldif
@ -0,0 +1,5 @@
 dn: ou=users,{{ LDAP_BASE_DN }}
 changetype: add
 objectClass: organizationalUnit
 objectClass: top
 ou: users
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,77 @@
 services:
  openldap:
    image: osixia/openldap:1.5.0
    container_name: openldap
    restart: unless-stopped
    command: --loglevel debug --copy-service
    environment:
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: "Alice"
      LDAP_DOMAIN: "alice.ufsj"
      LDAP_BASE_DN: "dc=alice,dc=ufsj"
      LDAP_ADMIN_PASSWORD_FILE: "/run/secrets/ldap-admin"
      LDAP_CONFIG_PASSWORD_FILE: "/run/secrets/ldap-config"
      LDAP_READONLY_USER: "true"
      LDAP_READONLY_USER_USERNAME: "alice"
      LDAP_READONLY_USER_PASSWORD_FILE: "/run/secrets/ldap-readonly"
      LDAP_RFC2307BIS_SCHEMA: "true"
      LDAP_BACKEND: "mdb"
      LDAP_TLS: "false"
      # LDAP_TLS_CRT_FILENAME: "fullchain1.pem"
      # LDAP_TLS_KEY_FILENAME: "privkey1.pem"
      # LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
      # LDAP_TLS_CA_CRT_FILENAME: "ca/ca-certificates.crt"
      # LDAP_TLS_ENFORCE: "false"
      # LDAP_TLS_VERIFY_CLIENT: "demand"
      # LDAP_REPLICATION: "false"
      #LDAP_REPLICATION_CONFIG_SYNCPROV: 'binddn="cn=admin,cn=config" bindmethod=simple credentials="$$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical'
      #LDAP_REPLICATION_DB_SYNCPROV: 'binddn="cn=admin,$$LDAP_BASE_DN" bindmethod=simple credentials="$$LDAP_ADMIN_PASSWORD" searchbase="$$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical'
      #LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: "ldap"
    tty: true
    stdin_open: true
    secrets:
      - ldap-admin
      - ldap-config
      - ldap-readonly
    volumes:
      - data:/var/lib/ldap
      - config:/etc/ldap/slapd.d
      - ./templates:/templates
      - ./custom:/container/service/slapd/assets/config/bootstrap/ldif/custom
    networks:
      - traefik-public
    labels:
      traefik.enable: true
      traefik.tcp.routers.ldaps.entrypoints: ldaps
      traefik.tcp.routers.ldaps.tls: true
      traefik.tcp.routers.ldaps.rule: HostSNI(`*`)
      traefik.tcp.services.ldaps.loadbalancer.server.port: 389
    # ports:
    #   - "389:389"
      # - "636:636"
    # For replication to work correctly, domainname and hostname must be
    # set correctly so that "hostname"."domainname" equates to the
    # fully-qualified domain name for the host.
    # domainname: "example.org"
    # hostname: "ldap-server"
 volumes:
  data:
  config:
 networks:
  traefik-public:
    external: true
 secrets:
  ldap-admin:
    file: ./secrets/ldap-admin
  ldap-config:
    file: ./secrets/ldap-config
  ldap-readonly:
    file: ./secrets/ldap-readonly
--- a/templates/ldifs/acl.ldif
+++ b/templates/ldifs/acl.ldif
@ -0,0 +1,9 @@
 dn: olcDatabase={1}mdb,cn=config
 changetype: modify
 add: olcAccess
 olcAccess: to * by self read by dn="cn=admin,dc=alice,dc=ufsj" write by dn="cn=alice,dc=alice,dc=ufsj" read by users read by * none
 dn: olcDatabase={1}mdb,cn=config
 changetype: modify
 delete: olcAccess
 olcAccess: {2}
--- a/templates/ldifs/groupOfNames.ldif
+++ b/templates/ldifs/groupOfNames.ldif
@ -0,0 +1,9 @@
 dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
 changetype: modify
 replace: olcMemberOfGroupOC
 olcMemberOfGroupOC: groupOfEntries
 dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
 changetype: modify
 replace: olcMemberOfMemberAD
 olcMemberOfMemberAD: member
--- a/templates/schemas/groupofentries.ldif
+++ b/templates/schemas/groupofentries.ldif
@ -0,0 +1,6 @@
 # https://tools.ietf.org/html/draft-findlay-ldap-groupofentries-00
 #
 dn: cn=groupofentries,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: groupofentries
 olcObjectClasses: {0}( 1.2.826.0.1.3458854.2.1.1.1 NAME 'groupOfEntries' DESC 'Replacement for groupOfNames object without required member attribute' SUP top STRUCTURAL MUST ( cn ) MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
--- a/templates/schemas/groupofentries.schema
+++ b/templates/schemas/groupofentries.schema
@ -0,0 +1,9 @@
 objectclass ( 1.2.826.0.1.3458854.2.1.1.1 NAME 'groupOfEntries' SUP top STRUCTURAL 
            MUST ( cn )
            MAY ( member $
                  businessCategory $
                  seeAlso $
                  owner $
                  ou $
                  o $
                  description ) )
--- a/templates/schemas/openssh-lpk.schema
+++ b/templates/schemas/openssh-lpk.schema
@ -0,0 +1,20 @@
 #
 # LDAP Public Key Patch schema for use with openssh-ldappubkey
 # Author: Eric AUGE <eau@phear.org>
 #
 # Based on the proposal of : Mark Ruijter
 #
 # octetString SYNTAX
 attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
 	DESC 'OpenSSH Public key'
 	EQUALITY octetStringMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
 # printableString SYNTAX yes|no
 objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
 	DESC 'OpenSSH LPK objectclass'
 	MUST uid
 	MAY sshPublicKey
 	)
--- a/templates/schemas/sudoers.schema
+++ b/templates/schemas/sudoers.schema
@ -0,0 +1,11 @@
 dn: cn=sudo,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: sudo
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )