Updates.

A lot of different fixes. What I have in production right now.

.gitlab-ci.yml

+---
+image: adarnimrod/ci-images:docker
+
+stages:
+  - test
+  - build
+  - run
+
+pre-commit:
+  stage: test
+  image: adarnimrod/ci-images:pre-commit
+  variables:
+    XDG_CACHE_HOME: "$CI_PROJECT_DIR/.cache"
+    # Disabled until https://github.com/pre-commit/pre-commit/issues/1387 is
+    # resolved.
+    SKIP: "hadolint,docker-compose"
+  script:
+    - pre-commit run --all-files
+  cache:
+    paths:
+      - .cache/
+
+build:
+  stage: build
+  tags: ["host01.shore.co.il"]
+  variables:
+    # COMPOSE_DOCKER_CLI_BUILD: "1"
+    # DOCKER_BUILDKIT: "1"
+  script:
+    - docker-compose build --no-cache --pull
+    - docker-compose pull --quiet
+
+run:
+  stage: run
+  tags: ["host01.shore.co.il"]
+  when: manual
+  script:
+    - docker-compose up --detach --remove-orphans
+    # yamllint disable rule:line-length
+    - |
+        for i in $(seq 12)
+        do
+            docker container inspect --format '{{ .State.Health.Status }}' $(docker-compose ps -q) | grep -v '^healthy$' || break
+            sleep 10
+        done
+        ! docker container inspect --format '{{ .State.Health.Status }}' $(docker-compose ps -q) | grep -v '^healthy$'

.pre-commit-config.yaml

@@ -19,14 +19,19 @@ repos:
     hooks:
       - id: proselint
         types: [plain-text]
-        exclude: LICENSE|requirements
-  - repo: https://www.shore.co.il/git/shell-pre-commit/
+        exclude: LICENSE
+  - repo: https://git.shore.co.il/nimrod/shell-pre-commit.git/
     rev: v0.6.0
     hooks:
       - id: shell-lint
       - id: shellcheck
-  - repo: https://www.shore.co.il/git/docker-pre-commit
+  - repo: https://git.shore.co.il/nimrod/docker-pre-commit.git/
     rev: v0.3.0
     hooks:
       - id: hadolint
       - id: docker-compose
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v0.13.0
+    hooks:
+      - id: detect-secrets
+        exclude: \.diff$

docker-compose.yml

@@ -10,53 +10,50 @@ services:
 
   ldap:
     build:
-      cache_from:
-        - adarnimrod/slapd
       context: slapd/
-    domainname: "${LDAP_HOSTNAME:-ldap}.${LDAP_DOMAIN:-nowhere.com}"
     environment:
       LDAP_ROOTPASS: &password "${LDAP_ROOTPASS:-foo}"
-      LDAP_DOMAIN: "${LDAP_DOMAIN:-nowhere.com}"
-      LDAP_ORGANIZATION: "${LDAP_ORGANIZATION:-none}"
-    hostname: "${LDAP_HOSTNAME:-ldap}"
+      LDAP_DOMAIN: "${LDAP_DOMAIN:-shore.co.il}"
+      LDAP_ORGANIZATION: "${LDAP_ORGANIZATION:-shore}"
+      #SLAPD_DEBUG_LEVEL: "any"
+      SSL_DHPARAMS_FILE: /var/ssl/dhparams
+    hostname: "${LDAP_HOSTNAME:-ldap}.${LDAP_DOMAIN:-shore.co.il}"
     image: adarnimrod/slapd
     restart: always
     volumes:
       - _run_slapd:/run/slapd
       - ldap:/var/lib/ldap
       - backup_ldap:/var/backups/ldap
-
-  nss-pam-ldapd:
-    build:
-      context: nss-pam-ldapd/
-    command: /usr/sbin/nslcd --debug --nofork
-    depends_on:
-      - ldap
-    environment:
-      LDAP_BASE_DN: &base_dn "${LDAP_BASE_DN:-dc=nowhere,dc=com}"
-    volumes:
-      - _run_slapd:/run/slapd
+      - /var/ssl/dhparams:/var/ssl/dhparams:ro
 
   ldap-account-manager:
     build:
-      cache_from:
-        - adarnimrod/ldap-account-manager
       context: ldap-account-manager/
     depends_on:
       - ldap
     environment:
-      LAM_PASSWORD: *password
-      LDAP_ADMIN_DN: "cn=admin,${LDAP_BASE_DN:-dc=nowhere,dc=com}"
-      LDAP_BASE_DN: *base_dn
+      LAM_PASSWORD: *password  # pragma: allowlist secret
+      LDAP_ADMIN_DN: "cn=admin,${LDAP_BASE_DN:-dc=shore,dc=co,dc=il}"
+      LDAP_BASE_DN: &base_dn "${LDAP_BASE_DN:-dc=shore,dc=co,dc=il}"
     image: adarnimrod/ldap-account-manager
-    ports:
-      - 80:80
     restart: always
     volumes:
       - _run_slapd:/run/slapd
 
+  # nss-pam-ldapd:
+  #   build:
+  #     context: nss-pam-ldapd/
+  #   command: /usr/sbin/nslcd --debug --nofork
+  #   depends_on:
+  #     - ldap
+  #   environment:
+  #     LDAP_BASE_DN: *base_dn
+  #   volumes:
+  #     - _run_slapd:/run/slapd
+
 volumes:
   _run_slapd:
+    name: run_slapd
   ldap:
   backup_ldap:
     labels:

ldap-account-manager/Dockerfile

-FROM debian:sid-slim
+FROM debian:bullseye-slim
 # hadolint ignore=DL3008
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
@@ -15,7 +15,6 @@ RUN apt-get update && \
     a2enmod status && \
     ln -sf /dev/stdout /var/log/apache2/access.log && \
     ln -sf /dev/stderr /var/log/apache2/error.log && \
-    ln -sf /dev/stdout /var/log/apache2/lam.log && \
     ln -sf /dev/stdout /var/log/apache2/other_vhosts_access.log && \
     rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
 ENV APACHE_RUN_DIR=/run/apache2 \
@@ -28,8 +27,7 @@ COPY --chown=root:root entrypoint /usr/local/bin/
 COPY --chown=root:root lam-setpass /usr/local/bin/
 RUN patch --strip 0 --verbose --directory / --input /root/patch.diff && \
     apache2 -t
-ENV LDAP_URI=ldapi:/// \
-    LAM_PASSWORD=lam
+ENV LDAP_URI=ldapi:///
 EXPOSE 80
 USER "www-data"
 WORKDIR /var/www

ldap-account-manager/README.md

@@ -6,7 +6,7 @@
 
 Name | Description | Default value
 --- | --- | ---
-`LAM_PASSWORD` | Password for administrating LAM | `lam`
+`LAM_PASSWORD` | Password for administering LAM | `lam`
 `LDAP_URI` | URI of the LDAP service | `ldapi:///`
 `LDAP_ADMIN_DN` | DN of the admin account
 `LDAP_BASE_DN` | Base DN

ldap-account-manager/patch.diff

@@ -5,7 +5,7 @@
  
  # log destination
 -logDestination: SYSLOG
-+logDestination: /var/log/apache2/lam.log
++logDestination: /dev/stdout
 --- /etc/apache2/sites-available/000-default.conf	2018-11-03 13:34:33.000000000 +0200
 +++ /etc/apache2/sites-available/000-default.conf	2019-06-25 14:55:43.956626591 +0300
 @@ -18,7 +18,7 @@

slapd/Dockerfile

@@ -43,5 +43,5 @@ WORKDIR /var/lib/ldap
 USER openldap
 ENTRYPOINT [ "entrypoint" ]
 CMD [ "slapd", "-F", "/var/lib/ldap/config", "-u", "openldap", "-g", "openldap", "-h", "\"$LDAP_URLS\"", "-d", "$SLAPD_DEBUG_LEVEL" ]
-HEALTHCHECK CMD ldapsearch -b cn=config > /dev/null || exit 1
+HEALTHCHECK --start-period=5m CMD ldapsearch -b cn=config > /dev/null || exit 1
 STOPSIGNAL INT

slapd/backup

 #!/bin/sh
 set -eux
 
+alias slapcat='slapcat -vF /var/lib/ldap/config'
+
 slapcat -n0 -v -l /var/backups/ldap/config.ldif
 
 for dn in $(ldapsearch -Y EXTERNAL -LLL -s base -b '' o namingContexts | sed -n '/namingContexts/ s/namingContexts: //gp')
 do
-    slapcat -b "$dn" -v -l "/var/backups/$dn.ldif"
+    slapcat -b "$dn" -v -l "/var/backups/ldap/$dn.ldif"
 done

slapd/config.ldif

@@ -18,7 +18,7 @@ olcTLSCertificateFile: ${SSL_CERT_FILE}
 olcTLSCertificateKeyFile: ${SSL_KEY_FILE}
 olcTLSCipherSuite: SECURE256:+SECURE128
 olcTLSProtocolMin: 3.1
-olcTLSDHParamFile: /usr/share/slapd/dh.pem
+olcTLSDHParamFile: ${SSL_DHPARAMS_FILE}
 
 # Frontend settings
 dn: olcDatabase={-1}frontend,cn=config
@@ -29,16 +29,20 @@ olcDatabase: {-1}frontend
 olcSizeLimit: 500
 # Allow unlimited access to local connection from the local root user
 olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
+# Allow unlimited access to local connection from the local slapd user
+olcAccess: {1}to * by dn.exact=gidNumber=${SLAPD_GID}+uidNumber=${SLAPD_UID},cn=peercred,cn=external,cn=auth manage by * break
 # Allow unauthenticated read access for schema and base DN autodiscovery
-olcAccess: {1}to dn.exact="" by * read
-olcAccess: {2}to dn.base="cn=Subschema" by * read
+olcAccess: {2}to dn.exact="" by * read
+olcAccess: {3}to dn.base="cn=Subschema" by * read
 
 # Config db settings
 dn: olcDatabase=config,cn=config
 objectClass: olcDatabaseConfig
 olcDatabase: config
 # Allow unlimited access to local connection from the local root user
-olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
+olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
+# Allow unlimited access to local connection from the local slapd user
+olcAccess: {1}to * by dn.exact=gidNumber=${SLAPD_GID}+uidNumber=${SLAPD_UID},cn=peercred,cn=external,cn=auth manage by * break
 olcRootDN: cn=admin,cn=config
 
 # Load schemas

slapd/entrypoint

@@ -27,8 +27,12 @@ then
 fi
 
 # Generate random DH parameters.
+if [ -z "${SSL_DHPARAMS_FILE:-}" ] || [ ! -f "${SSL_DHPARAMS_FILE:-}" ]
+then
     echo Generating DH parameters, this will take a while. >&2
-time openssl dhparam -out /usr/share/slapd/dh.pem 2048
+    export SSL_DHPARAMS_FILE='/usr/share/slapd/dh.pem'
+    time openssl dhparam -out "$SSL_DHPARAMS_FILE" 2048
+fi
 
 # Run slapadd with the correct user and location of the config directory.
 alias slapadd='slapadd -gv -F /var/lib/ldap/config'
@@ -37,6 +41,10 @@ alias slapadd='slapadd -gv -F /var/lib/ldap/config'
 if [ -z "$(find /var/lib/ldap/config -maxdepth 1 -mindepth  1)" ]
 then
     echo No configuration found, generating a new one. >&2
+    SLAPD_UID="$(id -u openldap)"
+    export SLAPD_UID
+    SLAPD_GID="$(id -g openldap)"
+    export SLAPD_GID
     # shellcheck disable=SC2002
     cat /usr/share/slapd/config.ldif | envsubst | slapadd -b 'cn=config'
 fi
@@ -50,7 +58,7 @@ then
 fi
 
 # Configure the client.
-cat << EOF >> /etc/ldap/ldap.conf
+cat >> /etc/ldap/ldap.conf <<EOF
 URI         ldapi:///
 SASL_MECH   EXTERNAL
 BASE        $BASE_DN