Last active
July 15, 2022 11:14
-
-
Save nevali/405be6ec90366c598349b6f5bb5a8ff2 to your computer and use it in GitHub Desktop.
Selected extracts from my scripts to prototype/operate an OpenLDAP server container
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### config/01-realm-config.ldif.in | |
## ------------------------------------------------------------------------- ## | |
## Realm database configuration | |
## ------------------------------------------------------------------------- ## | |
dn: olcBackend=mdb,cn=config | |
objectClass: olcBackendConfig | |
olcBackend: mdb | |
dn: olcDatabase={1}mdb,cn=config | |
objectClass: olcDatabaseConfig | |
objectClass: olcMdbConfig | |
olcDatabase: {1}mdb | |
olcDbCheckpoint: 512 30 | |
olcLastMod: TRUE | |
olcSuffix: @REALM_DN@ | |
olcDbDirectory: /app/db/@REALM@ | |
# | |
# | |
olcRootDN: @ROOT_DN@,@REALM_DN@ | |
olcRootPW: @ROOT_PW@ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### config/02-realm-base.ldif.in | |
# Adjust to your needs | |
dn: @REALM_DN@ | |
O: @REALM_ORGNAME@ | |
objectClass: organization | |
dNSDomainName: @REALM@ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### config/config.ldif | |
## ------------------------------------------------------------------------- ## | |
## Global configuration | |
## ------------------------------------------------------------------------- ## | |
dn: CN=Config | |
objectClass: olcGlobal | |
CN: Config | |
olcPidFile: /run/slapd/slapd.pid | |
olcArgsFile: /run/slapd/slapd.args | |
olcLogLevel: none | |
olcToolThreads: 1 | |
## ------------------------------------------------------------------------- ## | |
## "Frontend" (global) database configuration - applies to all databases | |
## ------------------------------------------------------------------------- ## | |
dn: olcDatabase={-1}frontend,CN=Config | |
objectClass: olcDatabaseConfig | |
objectClass: olcFrontendConfig | |
olcDatabase: {-1}frontend | |
# | |
## Global settings: | |
# | |
# Subschema subentry DN (see also the global ACL, below) | |
# | |
olcSchemadn: CN=Schema | |
# | |
## Global limits: | |
# | |
# Operate in read-only mode (requires a restart if modified) | |
# | |
olcReadOnly: FALSE | |
# | |
# Maximum number of entries to return from a search | |
# | |
olcSizeLimit: 500 | |
# | |
## Global requirements: | |
# | |
#olcRequire: ... | |
# | |
## Global restrictions: | |
# | |
#olcRestrict: ... | |
# | |
## Global security factors: | |
# | |
#olcSecurity: ... | |
# | |
## Global ACLs: | |
# | |
# - Permit management access to everything by (uid=0,gid=0) | |
# Not usable unless slapd is started with the -h ldapi:/// option to | |
# listen on a local Unix socket | |
# | |
olcAccess: {0}to * | |
by DN.exact=gidNumber=0+uidNumber=0,CN=peercred,CN=external,CN=auth manage by * break | |
# | |
# - Allow read access to the root DSE | |
# | |
olcAccess: {1}to DN.exact="" by * read | |
# | |
# - Allow read access to the Subschema subentry (RFC4512) | |
# | |
olcAccess: {2}to DN.base="CN=Schema" by * read | |
## ------------------------------------------------------------------------- ## | |
## Configuration database configuration | |
## ------------------------------------------------------------------------- ## | |
dn: olcDatabase={0}Config,CN=Config | |
objectClass: olcDatabaseConfig | |
olcDatabase: {0}Config | |
olcAccess: to * | |
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break | |
## ------------------------------------------------------------------------- ## | |
## Schema configuration | |
## ------------------------------------------------------------------------- ## | |
dn: CN=Schema,CN=Config | |
objectClass: olcSchemaConfig | |
CN: Schema | |
## ------------------------------------------------------------------------- ## | |
## Module configuration | |
## ------------------------------------------------------------------------- ## | |
dn: CN=Module{0},CN=Config | |
objectClass: olcModuleList | |
CN: Module{0} | |
olcModulePath: /usr/lib/ldap | |
olcModuleLoad: back_mdb |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### schema/core.ldif | |
# OpenLDAP Core schema | |
# $OpenLDAP$ | |
## This work is part of OpenLDAP Software <http://www.openldap.org/>. | |
## | |
## Copyright 1998-2014 The OpenLDAP Foundation. | |
## All rights reserved. | |
## | |
## Redistribution and use in source and binary forms, with or without | |
## modification, are permitted only as authorized by the OpenLDAP | |
## Public License. | |
## | |
## A copy of this license is available in the file LICENSE in the | |
## top-level directory of the distribution or, alternatively, at | |
## <http://www.OpenLDAP.org/license.html>. | |
# | |
# The version of this file as distributed by the OpenLDAP Foundation | |
# contains text claiming copyright by the Internet Society and including | |
# the IETF RFC license, which does not meet Debian's Free Software | |
# Guidelines. However, apart from short and obvious comments, the text of | |
# this file is purely a functional interface specification, which is not | |
# subject to that license and is not copyrightable under US law. | |
# | |
# The license statement is retained below so as not to remove credit, but | |
# as best as we can determine, it is not applicable to the contents of | |
# this file. | |
## Portions Copyright (C) The Internet Society (1997-2003). | |
## All Rights Reserved. | |
## | |
## This document and translations of it may be copied and furnished to | |
## others, and derivative works that comment on or otherwise explain it | |
## or assist in its implementation may be prepared, copied, published | |
## and distributed, in whole or in part, without restriction of any | |
## kind, provided that the above copyright notice and this paragraph are | |
## included on all such copies and derivative works. However, this | |
## document itself may not be modified in any way, such as by removing | |
## the copyright notice or references to the Internet Society or other | |
## Internet organizations, except as needed for the purpose of | |
## developing Internet standards in which case the procedures for | |
## copyrights defined in the Internet Standards process must be | |
## followed, or as required to translate it into languages other than | |
## English. | |
## | |
## The limited permissions granted above are perpetual and will not be | |
## revoked by the Internet Society or its successors or assigns. | |
## | |
## This document and the information contained herein is provided on an | |
## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING | |
## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING | |
## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION | |
## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF | |
## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |
# | |
# | |
# | |
# Includes LDAPv3 schema items from: | |
# RFC 2252/2256 (LDAPv3) | |
# | |
# Select standard track schema items: | |
# RFC 1274 (uid/dc) | |
# RFC 2079 (URI) | |
# RFC 2247 (dc/dcObject) | |
# RFC 2587 (PKI) | |
# RFC 2589 (Dynamic Directory Services) | |
# | |
# Select informational schema items: | |
# RFC 2377 (uidObject) | |
# | |
# | |
# Standard attribute types from RFC 2256 | |
# | |
dn: cn=core,cn=schema,cn=config | |
objectClass: olcSchemaConfig | |
cn: core | |
# | |
# system schema | |
#olcAttributeTypes: ( 2.5.4.0 NAME 'objectClass' | |
# DESC 'RFC2256: object classes of the entity' | |
# EQUALITY objectIdentifierMatch | |
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) | |
# | |
# system schema | |
#olcAttributeTypes: ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' ) | |
# DESC 'RFC2256: name of aliased object' | |
# EQUALITY distinguishedNameMatch | |
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) | |
# | |
olcAttributeTypes: ( 2.5.4.2 NAME 'knowledgeInformation' | |
DESC 'RFC2256: knowledge information' | |
EQUALITY caseIgnoreMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) | |
# | |
# system schema | |
#olcAttributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) | |
# DESC 'RFC2256: common name(s) for which the entity is known by' | |
# SUP name ) | |
# | |
olcAttributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) | |
DESC 'RFC2256: last (family) name(s) for which the entity is known by' | |
SUP name ) | |
# | |
olcAttributeTypes: ( 2.5.4.5 NAME 'serialNumber' | |
DESC 'RFC2256: serial number of the entity' | |
EQUALITY caseIgnoreMatch | |
SUBSTR caseIgnoreSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} ) | |
# | |
# RFC 4519 definition ('countryName' in X.500 and RFC2256) | |
olcAttributeTypes: ( 2.5.4.6 NAME ( 'c' 'countryName' ) | |
DESC 'RFC4519: two-letter ISO-3166 country code' | |
SUP name | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.11 | |
SINGLE-VALUE ) | |
# | |
olcAttributeTypes: ( 2.5.4.7 NAME ( 'l' 'localityName' ) | |
DESC 'RFC2256: locality which this object resides in' | |
SUP name ) | |
# | |
olcAttributeTypes: ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) | |
DESC 'RFC2256: state or province which this object resides in' | |
SUP name ) | |
# | |
olcAttributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetAddress' ) | |
DESC 'RFC2256: street address of this object' | |
EQUALITY caseIgnoreMatch | |
SUBSTR caseIgnoreSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) | |
# | |
olcAttributeTypes: ( 2.5.4.10 NAME ( 'o' 'organizationName' ) | |
DESC 'RFC2256: organization this object belongs to' | |
SUP name ) | |
# | |
olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) | |
DESC 'RFC2256: organizational unit this object belongs to' | |
SUP name ) | |
# | |
olcAttributeTypes: ( 2.5.4.12 NAME 'title' | |
DESC 'RFC2256: title associated with the entity' | |
SUP name ) | |
# | |
# system schema | |
#olcAttributeTypes: ( 2.5.4.13 NAME 'description' | |
# DESC 'RFC2256: descriptive information' | |
# EQUALITY caseIgnoreMatch | |
# SUBSTR caseIgnoreSubstringsMatch | |
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) | |
# | |
# Deprecated by enhancedSearchGuide | |
olcAttributeTypes: ( 2.5.4.14 NAME 'searchGuide' | |
DESC 'RFC2256: search guide, deprecated by enhancedSearchGuide' | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 ) | |
# | |
olcAttributeTypes: ( 2.5.4.15 NAME 'businessCategory' | |
DESC 'RFC2256: business category' | |
EQUALITY caseIgnoreMatch | |
SUBSTR caseIgnoreSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) | |
# | |
olcAttributeTypes: ( 2.5.4.16 NAME 'postalAddress' | |
DESC 'RFC2256: postal address' | |
EQUALITY caseIgnoreListMatch | |
SUBSTR caseIgnoreListSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) | |
# | |
olcAttributeTypes: ( 2.5.4.17 NAME 'postalCode' | |
DESC 'RFC2256: postal code' | |
EQUALITY caseIgnoreMatch | |
SUBSTR caseIgnoreSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) | |
# | |
olcAttributeTypes: ( 2.5.4.18 NAME 'postOfficeBox' | |
DESC 'RFC2256: Post Office Box' | |
EQUALITY caseIgnoreMatch | |
SUBSTR caseIgnoreSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) | |
# | |
olcAttributeTypes: ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' | |
DESC 'RFC2256: Physical Delivery Office Name' | |
EQUALITY caseIgnoreMatch | |
SUBSTR caseIgnoreSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) | |
# | |
olcAttributeTypes: ( 2.5.4.20 NAME 'telephoneNumber' | |
DESC 'RFC2256: Telephone Number' | |
EQUALITY telephoneNumberMatch | |
SUBSTR telephoneNumberSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} ) | |
# | |
olcAttributeTypes: ( 2.5.4.21 NAME 'telexNumber' | |
DESC 'RFC2256: Telex Number' | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 ) | |
# | |
olcAttributeTypes: ( 2.5.4.22 NAME 'teletexTerminalIdentifier' | |
DESC 'RFC2256: Teletex Terminal Identifier' | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 ) | |
# | |
olcAttributeTypes: ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' ) | |
DESC 'RFC2256: Facsimile (Fax) Telephone Number' | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 ) | |
# | |
olcAttributeTypes: ( 2.5.4.24 NAME 'x121Address' | |
DESC 'RFC2256: X.121 Address' | |
EQUALITY numericStringMatch | |
SUBSTR numericStringSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} ) | |
# | |
olcAttributeTypes: ( 2.5.4.25 NAME 'internationaliSDNNumber' | |
DESC 'RFC2256: international ISDN number' | |
EQUALITY numericStringMatch | |
SUBSTR numericStringSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} ) | |
# | |
olcAttributeTypes: ( 2.5.4.26 NAME 'registeredAddress' | |
DESC 'RFC2256: registered postal address' | |
SUP postalAddress | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) | |
# | |
olcAttributeTypes: ( 2.5.4.27 NAME 'destinationIndicator' | |
DESC 'RFC2256: destination indicator' | |
EQUALITY caseIgnoreMatch | |
SUBSTR caseIgnoreSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} ) | |
# | |
olcAttributeTypes: ( 2.5.4.28 NAME 'preferredDeliveryMethod' | |
DESC 'RFC2256: preferred delivery method' | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 | |
SINGLE-VALUE ) | |
# | |
olcAttributeTypes: ( 2.5.4.29 NAME 'presentationAddress' | |
DESC 'RFC2256: presentation address' | |
EQUALITY presentationAddressMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 | |
SINGLE-VALUE ) | |
# | |
olcAttributeTypes: ( 2.5.4.30 NAME 'supportedApplicationContext' | |
DESC 'RFC2256: supported application context' | |
EQUALITY objectIdentifierMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) | |
# | |
olcAttributeTypes: ( 2.5.4.31 NAME 'member' | |
DESC 'RFC2256: member of a group' | |
SUP distinguishedName ) | |
# | |
olcAttributeTypes: ( 2.5.4.32 NAME 'owner' | |
DESC 'RFC2256: owner (of the object)' | |
SUP distinguishedName ) | |
# | |
olcAttributeTypes: ( 2.5.4.33 NAME 'roleOccupant' | |
DESC 'RFC2256: occupant of role' | |
SUP distinguishedName ) | |
# | |
# system schema | |
#olcAttributeTypes: ( 2.5.4.34 NAME 'seeAlso' | |
# DESC 'RFC2256: DN of related object' | |
# SUP distinguishedName ) | |
# | |
# system schema | |
#olcAttributeTypes: ( 2.5.4.35 NAME 'userPassword' | |
# DESC 'RFC2256/2307: password of user' | |
# EQUALITY octetStringMatch | |
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) | |
# | |
# Must be transferred using ;binary | |
# with certificateExactMatch rule (per X.509) | |
olcAttributeTypes: ( 2.5.4.36 NAME 'userCertificate' | |
DESC 'RFC2256: X.509 user certificate, use ;binary' | |
EQUALITY certificateExactMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) | |
# | |
# Must be transferred using ;binary | |
# with certificateExactMatch rule (per X.509) | |
olcAttributeTypes: ( 2.5.4.37 NAME 'cACertificate' | |
DESC 'RFC2256: X.509 CA certificate, use ;binary' | |
EQUALITY certificateExactMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) | |
# | |
# Must be transferred using ;binary | |
olcAttributeTypes: ( 2.5.4.38 NAME 'authorityRevocationList' | |
DESC 'RFC2256: X.509 authority revocation list, use ;binary' | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) | |
# | |
# Must be transferred using ;binary | |
olcAttributeTypes: ( 2.5.4.39 NAME 'certificateRevocationList' | |
DESC 'RFC2256: X.509 certificate revocation list, use ;binary' | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) | |
# | |
# Must be stored and requested in the binary form | |
olcAttributeTypes: ( 2.5.4.40 NAME 'crossCertificatePair' | |
DESC 'RFC2256: X.509 cross certificate pair, use ;binary' | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 ) | |
# | |
# 2.5.4.41 is defined above as it's used for subtyping | |
#olcAttributeTypes: ( 2.5.4.41 NAME 'name' | |
# EQUALITY caseIgnoreMatch | |
# SUBSTR caseIgnoreSubstringsMatch | |
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) | |
# | |
olcAttributeTypes: ( 2.5.4.42 NAME ( 'givenName' 'gn' ) | |
DESC 'RFC2256: first name(s) for which the entity is known by' | |
SUP name ) | |
# | |
olcAttributeTypes: ( 2.5.4.43 NAME 'initials' | |
DESC 'RFC2256: initials of some or all of names, but not the surname(s).' | |
SUP name ) | |
# | |
olcAttributeTypes: ( 2.5.4.44 NAME 'generationQualifier' | |
DESC 'RFC2256: name qualifier indicating a generation' | |
SUP name ) | |
# | |
olcAttributeTypes: ( 2.5.4.45 NAME 'x500UniqueIdentifier' | |
DESC 'RFC2256: X.500 unique identifier' | |
EQUALITY bitStringMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 ) | |
# | |
olcAttributeTypes: ( 2.5.4.46 NAME 'dnQualifier' | |
DESC 'RFC2256: DN qualifier' | |
EQUALITY caseIgnoreMatch | |
ORDERING caseIgnoreOrderingMatch | |
SUBSTR caseIgnoreSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) | |
# | |
olcAttributeTypes: ( 2.5.4.47 NAME 'enhancedSearchGuide' | |
DESC 'RFC2256: enhanced search guide' | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 ) | |
# | |
olcAttributeTypes: ( 2.5.4.48 NAME 'protocolInformation' | |
DESC 'RFC2256: protocol information' | |
EQUALITY protocolInformationMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 ) | |
# | |
# 2.5.4.49 is defined above as it's used for subtyping | |
#olcAttributeTypes: ( 2.5.4.49 NAME 'distinguishedName' | |
# EQUALITY distinguishedNameMatch | |
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) | |
# | |
olcAttributeTypes: ( 2.5.4.50 NAME 'uniqueMember' | |
DESC 'RFC2256: unique member of a group' | |
EQUALITY uniqueMemberMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 ) | |
# | |
olcAttributeTypes: ( 2.5.4.51 NAME 'houseIdentifier' | |
DESC 'RFC2256: house identifier' | |
EQUALITY caseIgnoreMatch | |
SUBSTR caseIgnoreSubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) | |
# | |
# Must be transferred using ;binary | |
olcAttributeTypes: ( 2.5.4.52 NAME 'supportedAlgorithms' | |
DESC 'RFC2256: supported algorithms' | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 ) | |
# | |
# Must be transferred using ;binary | |
olcAttributeTypes: ( 2.5.4.53 NAME 'deltaRevocationList' | |
DESC 'RFC2256: delta revocation list; use ;binary' | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) | |
# | |
olcAttributeTypes: ( 2.5.4.54 NAME 'dmdName' | |
DESC 'RFC2256: name of DMD' | |
SUP name ) | |
# | |
olcAttributeTypes: ( 2.5.4.65 NAME 'pseudonym' | |
DESC 'X.520(4th): pseudonym for the object' | |
SUP name ) | |
# | |
# Standard object classes from RFC2256 | |
# | |
# system schema | |
#olcObjectClasses: ( 2.5.6.1 NAME 'alias' | |
# DESC 'RFC2256: an alias' | |
# SUP top STRUCTURAL | |
# MUST aliasedObjectName ) | |
# | |
olcObjectClasses: ( 2.5.6.2 NAME 'country' | |
DESC 'RFC2256: a country' | |
SUP top STRUCTURAL | |
MUST c | |
MAY ( searchGuide $ description ) ) | |
# | |
olcObjectClasses: ( 2.5.6.3 NAME 'locality' | |
DESC 'RFC2256: a locality' | |
SUP top STRUCTURAL | |
MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) ) | |
# | |
olcObjectClasses: ( 2.5.6.4 NAME 'organization' | |
DESC 'RFC2256: an organization' | |
SUP top STRUCTURAL | |
MUST o | |
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ | |
x121Address $ registeredAddress $ destinationIndicator $ | |
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ | |
telephoneNumber $ internationaliSDNNumber $ | |
facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ | |
postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) | |
# | |
olcObjectClasses: ( 2.5.6.5 NAME 'organizationalUnit' | |
DESC 'RFC2256: an organizational unit' | |
SUP top STRUCTURAL | |
MUST ou | |
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ | |
x121Address $ registeredAddress $ destinationIndicator $ | |
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ | |
telephoneNumber $ internationaliSDNNumber $ | |
facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ | |
postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) | |
# | |
olcObjectClasses: ( 2.5.6.6 NAME 'person' | |
DESC 'RFC2256: a person' | |
SUP top STRUCTURAL | |
MUST ( sn $ cn ) | |
MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) ) | |
# | |
olcObjectClasses: ( 2.5.6.7 NAME 'organizationalPerson' | |
DESC 'RFC2256: an organizational person' | |
SUP person STRUCTURAL | |
MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ | |
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ | |
telephoneNumber $ internationaliSDNNumber $ | |
facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ | |
postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) ) | |
# | |
olcObjectClasses: ( 2.5.6.8 NAME 'organizationalRole' | |
DESC 'RFC2256: an organizational role' | |
SUP top STRUCTURAL | |
MUST cn | |
MAY ( x121Address $ registeredAddress $ destinationIndicator $ | |
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ | |
telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ | |
seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ | |
postOfficeBox $ postalCode $ postalAddress $ | |
physicalDeliveryOfficeName $ ou $ st $ l $ description ) ) | |
# | |
olcObjectClasses: ( 2.5.6.9 NAME 'groupOfNames' | |
DESC 'RFC2256: a group of names (DNs)' | |
SUP top STRUCTURAL | |
MUST ( member $ cn ) | |
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) | |
# | |
olcObjectClasses: ( 2.5.6.10 NAME 'residentialPerson' | |
DESC 'RFC2256: an residential person' | |
SUP person STRUCTURAL | |
MUST l | |
MAY ( businessCategory $ x121Address $ registeredAddress $ | |
destinationIndicator $ preferredDeliveryMethod $ telexNumber $ | |
teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ | |
facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ | |
postOfficeBox $ postalCode $ postalAddress $ | |
physicalDeliveryOfficeName $ st $ l ) ) | |
# | |
olcObjectClasses: ( 2.5.6.11 NAME 'applicationProcess' | |
DESC 'RFC2256: an application process' | |
SUP top STRUCTURAL | |
MUST cn | |
MAY ( seeAlso $ ou $ l $ description ) ) | |
# | |
olcObjectClasses: ( 2.5.6.12 NAME 'applicationEntity' | |
DESC 'RFC2256: an application entity' | |
SUP top STRUCTURAL | |
MUST ( presentationAddress $ cn ) | |
MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ | |
description ) ) | |
# | |
olcObjectClasses: ( 2.5.6.13 NAME 'dSA' | |
DESC 'RFC2256: a directory system agent (a server)' | |
SUP applicationEntity STRUCTURAL | |
MAY knowledgeInformation ) | |
# | |
olcObjectClasses: ( 2.5.6.14 NAME 'device' | |
DESC 'RFC2256: a device' | |
SUP top STRUCTURAL | |
MUST cn | |
MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) ) | |
# | |
olcObjectClasses: ( 2.5.6.15 NAME 'strongAuthenticationUser' | |
DESC 'RFC2256: a strong authentication user' | |
SUP top AUXILIARY | |
MUST userCertificate ) | |
# | |
olcObjectClasses: ( 2.5.6.16 NAME 'certificationAuthority' | |
DESC 'RFC2256: a certificate authority' | |
SUP top AUXILIARY | |
MUST ( authorityRevocationList $ certificateRevocationList $ | |
cACertificate ) MAY crossCertificatePair ) | |
# | |
olcObjectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' | |
DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' | |
SUP top STRUCTURAL | |
MUST ( uniqueMember $ cn ) | |
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) | |
# | |
olcObjectClasses: ( 2.5.6.18 NAME 'userSecurityInformation' | |
DESC 'RFC2256: a user security information' | |
SUP top AUXILIARY | |
MAY ( supportedAlgorithms ) ) | |
# | |
olcObjectClasses: ( 2.5.6.16.2 NAME 'certificationAuthority-V2' | |
SUP certificationAuthority | |
AUXILIARY MAY ( deltaRevocationList ) ) | |
# | |
olcObjectClasses: ( 2.5.6.19 NAME 'cRLDistributionPoint' | |
SUP top STRUCTURAL | |
MUST ( cn ) | |
MAY ( certificateRevocationList $ authorityRevocationList $ | |
deltaRevocationList ) ) | |
# | |
olcObjectClasses: ( 2.5.6.20 NAME 'dmd' | |
SUP top STRUCTURAL | |
MUST ( dmdName ) | |
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ | |
x121Address $ registeredAddress $ destinationIndicator $ | |
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ | |
telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ | |
street $ postOfficeBox $ postalCode $ postalAddress $ | |
physicalDeliveryOfficeName $ st $ l $ description ) ) | |
# | |
# | |
# Object Classes from RFC 2587 | |
# | |
olcObjectClasses: ( 2.5.6.21 NAME 'pkiUser' | |
DESC 'RFC2587: a PKI user' | |
SUP top AUXILIARY | |
MAY userCertificate ) | |
# | |
olcObjectClasses: ( 2.5.6.22 NAME 'pkiCA' | |
DESC 'RFC2587: PKI certificate authority' | |
SUP top AUXILIARY | |
MAY ( authorityRevocationList $ certificateRevocationList $ | |
cACertificate $ crossCertificatePair ) ) | |
# | |
olcObjectClasses: ( 2.5.6.23 NAME 'deltaCRL' | |
DESC 'RFC2587: PKI user' | |
SUP top AUXILIARY | |
MAY deltaRevocationList ) | |
# | |
# | |
# Standard Track URI label schema from RFC 2079 | |
# system schema | |
#olcAttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' | |
# DESC 'RFC2079: Uniform Resource Identifier with optional label' | |
# EQUALITY caseExactMatch | |
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) | |
# | |
olcObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' | |
DESC 'RFC2079: object that contains the URI attribute type' | |
MAY ( labeledURI ) | |
SUP top AUXILIARY ) | |
# | |
# | |
# Derived from RFC 1274, but with new "short names" | |
# | |
#olcAttributeTypes: ( 0.9.2342.19200300.100.1.1 | |
# NAME ( 'uid' 'userid' ) | |
# DESC 'RFC1274: user identifier' | |
# EQUALITY caseIgnoreMatch | |
# SUBSTR caseIgnoreSubstringsMatch | |
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) | |
# | |
olcAttributeTypes: ( 0.9.2342.19200300.100.1.3 | |
NAME ( 'mail' 'rfc822Mailbox' ) | |
DESC 'RFC1274: RFC822 Mailbox' | |
EQUALITY caseIgnoreIA5Match | |
SUBSTR caseIgnoreIA5SubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) | |
# | |
olcObjectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' | |
DESC 'RFC1274: simple security object' | |
SUP top AUXILIARY | |
MUST userPassword ) | |
# | |
# RFC 1274 + RFC 2247 | |
olcAttributeTypes: ( 0.9.2342.19200300.100.1.25 | |
NAME ( 'dc' 'domainComponent' ) | |
DESC 'RFC1274/2247: domain component' | |
EQUALITY caseIgnoreIA5Match | |
SUBSTR caseIgnoreIA5SubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |
# | |
# RFC 2247 | |
olcObjectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' | |
DESC 'RFC2247: domain component object' | |
SUP top AUXILIARY MUST dc ) | |
# | |
# RFC 2377 | |
olcObjectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' | |
DESC 'RFC2377: uid object' | |
SUP top AUXILIARY MUST uid ) | |
# | |
# From COSINE Pilot | |
olcAttributeTypes: ( 0.9.2342.19200300.100.1.37 | |
NAME 'associatedDomain' | |
DESC 'RFC1274: domain associated with object' | |
EQUALITY caseIgnoreIA5Match | |
SUBSTR caseIgnoreIA5SubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | |
# | |
# RFC 2459 -- deprecated in favor of 'mail' (in cosine.schema) | |
olcAttributeTypes: ( 1.2.840.113549.1.9.1 | |
NAME ( 'email' 'emailAddress' 'pkcs9email' ) | |
DESC 'RFC3280: legacy attribute for email addresses in DNs' | |
EQUALITY caseIgnoreIA5Match | |
SUBSTR caseIgnoreIA5SubstringsMatch | |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) | |
# |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
FROM debian:stable-slim AS core | |
WORKDIR /root | |
ENV LC_ALL C | |
ENV TZ=UTC | |
ENV DEBIAN_FRONTEND noninteractive | |
RUN echo 'APT::Install-Recommends "0"; \n\ | |
APT::Install-Suggests "0"; \n\ | |
APT::Get::Assume-Yes "true"; \n\ | |
' > /etc/apt/apt.conf.d/noninteractive | |
ONBUILD RUN apt-get update | |
FROM smallstep/step-cli as step | |
FROM core AS ds | |
COPY --from=step /usr/local/bin/step /usr/local/bin/ | |
RUN apt-get install slapd ldap-utils | |
EXPOSE 389 | |
EXPOSE 636 | |
RUN mkdir -p /app /app/share/init/schema /app/db/config | |
VOLUME /app/db | |
COPY entrypoint.sh /app/entrypoint | |
ENTRYPOINT [ "/app/entrypoint" ] | |
CMD [ "run" ] | |
COPY config/*.ldif.in /app/share/ | |
COPY config/config.ldif /app/share/init/config.ldif | |
COPY schema/*.ldif /app/share/init/schema/ | |
RUN slapadd -F /app/db/config -b "CN=Config" -l /app/share/init/config.ldif | |
RUN for file in /app/share/init/schema/*.ldif ; do \ | |
printf "Importing schema: %s\n" "$file" >&2 ; \ | |
slapadd -F /app/db/config -b "CN=Config" -l "$file" || exit $? ; \ | |
done | |
RUN rm -rf /app/share/init | |
RUN chown -R openldap:openldap /app/db |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#! /bin/sh | |
# /app/entrypoint | |
set -e | |
REALM="${REALM:-EXAMPLE.COM}" | |
REALM_DNS="${REALM_DNS:-$(echo ${REALM} | tr A-Z a-z)}" | |
REALM_ORGNAME="${REALM_ORGNAME:-Example Enterprises}" | |
REALM_DN="${REALM_DN:-O=${REALM_ORGNAME}}" | |
ROOT_DN="${ROOT_DN:-CN=root}" | |
ROOT_PW="${ROOT_PW:-abc123}" | |
FIRST_LDAP_NODE="${FIRST_LDAP_NODE:-LDAP01}" | |
FIRST_LDAP_DNS="${FIRST_LDAP_DNS:-$(echo ${FIRST_LDAP_NODE} | tr A-Z a-z).${REALM_DNS}}" | |
FIRST_USER_UID="${FIRST_USER_UID:-otto}" | |
FIRST_USER_CN="${FIRST_USER_CN:-${FIRST_USER_UID}}" | |
LISTEN="ldap:///" | |
DAEMON="/usr/sbin/slapd" | |
RUNROOT="/run/slapd" | |
DBROOT="/app/db" | |
PIDFILE="${RUNROOT}/slapd.pid" | |
ARGSFILE="${RUNROOT}/slapd.args" | |
DBPATH="${DBROOT}/${REALM}" | |
CFGPATH="${DBROOT}/config" | |
GROUP="openldap" | |
USER="openldap" | |
OWNER="${USER}:${GROUP}" | |
DSPID=0 | |
self="ds[${REALM}]" | |
ds_is_running() { | |
DSPID=$(cat ${PIDFILE} 2>/dev/null) | |
if kill -0 "${DSPID}" 2>/dev/null ; then | |
return 0 | |
fi | |
DSPID=0 | |
return 1 | |
} | |
ds_start() | |
{ | |
[ $DSPID -gt 0 ] && return 0 | |
chown -R ${OWNER} "${DBROOT}" | |
$DAEMON -F "${CFGPATH}" -n "${self}" -u ${USER} -g ${GROUP} "$@" | |
if ! ds_is_running ; then | |
printf "%s: failed to start Directory Service\n" "${self}" >&2 | |
return 150 | |
fi | |
} | |
ds_start_local() | |
{ | |
ds_start -h ldapi:/// | |
} | |
ds_stop() | |
{ | |
while ds_is_running ; do | |
kill ${DSPID} | |
for c in 1 2 3 4 ; do | |
if ds_is_running ; then | |
sleep 1 | |
else | |
DSPID=0 | |
return 0 | |
fi | |
done | |
printf "%s: waiting for Directory Service shutdown...\n" "${self}" >&2 | |
done | |
} | |
ds_import_file() | |
{ | |
ldapadd -Y EXTERNAL -H ldapi:/// -f "$1" | |
} | |
ds_prepare() | |
{ | |
mkdir -p /run/slapd /app/db/config | |
if ds_is_running ; then | |
printf "%s: Directory Service is already running (PID %d)\n" "${self}" "$DSPID" >&2 | |
return 0 | |
fi | |
if test -d "${DBPATH}" ; then | |
if test -f "${DBPATH}/base" ; then | |
base=$(cat "${DBPATH}/base") | |
if ! test x"$base" = x"${REALM_DN}" ; then | |
printf "%s: Realm database %s was previously configured with a base DN of %s (specified base DN is %s); base DNs must match. Aborting.\n" "$self" "${REALM}" "${base}" "${BASE_DN}" >&2 | |
return 100 | |
fi | |
else | |
printf "%s: Realm database %s: directory exists but does not contain a populated database; please move it out of the way before proceeding.\n" "$self" "${REALM}" >&2 | |
return 101 | |
fi | |
return 0 | |
fi | |
printf "%s: Creating new realm database %s with base DN: %s\n" "$self" "${REALM}" "${REALM_DN}" >&2 | |
mkdir -p "${DBPATH}" | |
echo "${REALM_DN}" > "${DBPATH}/base" | |
ds_start_local | |
for template in /app/share/*.ldif.in ; do | |
printf "%s: Importing %s...\n" "${self}" "${template}" >&2 | |
initfile="/tmp/init.$$.ldif" | |
sed \ | |
-e "s!@REALM@!${REALM}!g" \ | |
-e "s!@REALM_DNS@!${REALM_DNS}!g" \ | |
-e "s!@REALM_DN@!${REALM_DN}!g" \ | |
-e "s!@REALM_ORGNAME@!${REALM_ORGNAME}!g" \ | |
-e "s!@ROOT_DN@!${ROOT_DN}!g" \ | |
-e "s!@ROOT_PW@!${ROOT_PW}!g" \ | |
-e "s!@SCHEMA_OPTIONS@!${SCHEMA_OPTIONS}!g" \ | |
-e "s!@FIRST_LDAP_NODE@!${FIRST_LDAP_NODE}!g" \ | |
-e "s!@FIRST_LDAP_DNS@!${FIRST_LDAP_DNS}!g" \ | |
-e "s!@FIRST_USER_UID@!${FIRST_USER_UID}!g" \ | |
-e "s!@FIRST_USER_CN@!${FIRST_USER_CN}!g" \ | |
< ${template} > ${initfile} | |
ds_import_file ${initfile} | |
rm ${initfile} | |
sync ; sleep 1 | |
done | |
ds_stop | |
printf "%s: Realm database %s created\n" "${self}" "${REALM}" >&2 | |
} | |
case "$1" in | |
status) | |
if ds_is_running ; then | |
printf "%s: Directory Service is running (PID %d)\n" "${self}" "$DSPID" >&2 | |
exit 0 | |
else | |
printf "%s: Directory Service is not running\n" "${self}" >&2 | |
exit 1 | |
fi | |
;; | |
prepare) | |
ds_prepare | |
;; | |
start) | |
ds_prepare | |
printf "%s: Starting Directory Service...\n" "${self}" >&2 | |
if ds_start -h "${LISTEN}" ; then | |
exit 0 | |
fi | |
printf "%s: failed to start Directory Service\n" "${self}" >&2 | |
exit 1 | |
;; | |
stop) | |
ds_stop | |
;; | |
run) | |
ds_prepare | |
printf "%s: Starting Directory Service in foreground mode...\n" "${self}" >&2 | |
ds_start -h "${LISTEN}" -d 0 | |
;; | |
shell) | |
exec /bin/bash --login | |
;; | |
dump) | |
exec slapcat -F /app/db/config | |
;; | |
*) | |
echo "Usage: $0 status | start | stop | prepare | shell | run" >&2 | |
exit 255 | |
esac |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# /etc/default/slapd | |
SLAPD_CONF=/app/config | |
SLAPD_USER="openldap" | |
SLAPD_GROUP="openldap" | |
SLAPD_PIDFILE=/run/ds/slapd.pid | |
SLAPD_SERVICES="ldap:///" | |
#SLAPD_NO_START=1 | |
#SLAPD_SENTINEL_FILE=/etc/ldap/noslapd | |
#export KRB5_KTNAME=/etc/krb5.keytab | |
#SLAPD_OPTIONS="" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment