Revamp the LDAP Account Manager configuration.

Instead of a persistent volume with the configuration, use environment variables.

Revamp the LDAP Account Manager configuration.
bbe2609f · nimrod · c3a356a9 · bbe2609f · bbe2609f · bbe2609f
Commit bbe2609f authored 5 years ago by nimrod
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,6 +21,8 @@ services:
    build:
      context: nss-pam-ldapd/
    command: /usr/sbin/nslcd --debug --nofork
+    depends_on:
+      - ldap
    environment:
      LDAP_BASE_DN: "${LDAP_BASE_DN:-dc=nowhere,dc=com}"
    volumes:
@@ -29,21 +31,21 @@ services:
  ldap-account-manager:
    build:
      context: ldap-account-manager/
-    links:
+    depends_on:
      - ldap
+    environment:
+      LAM_PASSWORD: "${LAM_PASSWORD:-foo}"
+      LDAP_ADMIN_DN: "cn=admin,${LDAP_BASE_DN:-dc=nowhere,dc=com}"
+      LDAP_BASE_DN: "${LDAP_BASE_DN:-dc=nowhere,dc=com}"
    ports:
      - 80:80
    restart: always
    volumes:
      - _run_slapd:/run/slapd
-      - ldap-account-manager:/var/lib/ldap-account-manager

 volumes:
  _run_slapd:
  ldap:
-  ldap-account-manager:
-    labels:
-      snapshot: 'true'
  backup_ldap:
    labels:
      snapshot: 'true'

--- a/ldap-account-manager/Dockerfile
+++ b/ldap-account-manager/Dockerfile
 FROM debian:sid-slim
+# hadolint ignore=DL3008
 RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-        ca-certificates=20190110 \
-        ldap-account-manager=6.7-1 \
-        patch=2.7.6-4 \
-        wget=1.20.1-1.1 \
+        ca-certificates \
+        gettext-base \
+        ldap-account-manager \
+        patch \
+        wget \
    && \
    chmod 755 /var/log/apache2 && \
    ln -sf /dev/stdout /var/log/apache2/access.log && \
    ln -sf /dev/stderr /var/log/apache2/error.log && \
    ln -sf /dev/stdout /var/log/apache2/lam.log && \
    ln -sf /dev/stdout /var/log/apache2/other_vhosts_access.log && \
-    mv /etc/ldap-account-manager/config.cfg /var/lib/ldap-account-manager/config/config.cfg && \
-    ln -sf /var/lib/ldap-account-manager/config/config.cfg /etc/ldap-account-manager/config.cfg && \
-    mv /var/lib/ldap-account-manager /var/lib/ldap-account-manager.orig && \
-    mkdir -m 755 /var/lib/ldap-account-manager && \
    rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
 ENV APACHE_RUN_DIR=/run/apache2 \
    APACHE_LOG_DIR=/var/log/apache2 \
@@ -23,10 +21,12 @@ ENV APACHE_RUN_DIR=/run/apache2 \
    APACHE_PID_FILE=/run/apache2/apache2.pid
 COPY --chown=root:root patch.diff /root/
 COPY --chown=root:root entrypoint /entrypoint
+COPY --chown=root:root lam-setpass /usr/local/sbin/
 RUN patch --strip 0 --verbose --directory / --input /root/patch.diff && \
    apache2 -t
+ENV LDAP_URI=ldapi:/// \
+    LAM_PASSWORD=lam
 EXPOSE 80
-VOLUME /var/lib/ldap-account-manager
 ENTRYPOINT [ "/entrypoint" ]
 CMD [ "apache2", "-DFOREGROUND" ]
 HEALTHCHECK CMD wget --spider --quiet http://localhost/lam/ --user-agent 'Healthcheck' || exit 1
--- a/ldap-account-manager/README.md
+++ b/ldap-account-manager/README.md
@@ -2,13 +2,14 @@

 > Dockerized LDAP Account Manager.

-## Usage
+## Environment variables

-The image isn't configured with environment variables, instead it uses a volume
-for `/var/lib/ldap-account-manager` that contains the application's
-configuration files. On first run the default files are copied to the volume and
-the configuration is done through the application itself. The default master
-password is `lam`.
+Name | Description | Default value
+--- | --- | ---
+`LAM_PASSWORD` | Password for administrating LAM | `lam`
+`LDAP_URI` | URI of the LDAP service | `ldapi:///`
+`LDAP_ADMIN_DN` | DN of the admin account
+`LDAP_BASE_DN` | Base DN

 ## License


--- a/ldap-account-manager/entrypoint
+++ b/ldap-account-manager/entrypoint
 #!/bin/sh
 set -eux

-install -d -m 755 -o root -g root /var/lib/ldap-account-manager
-cp --archive --no-clobber --verbose --no-target-directory /var/lib/ldap-account-manager.orig /var/lib/ldap-account-manager
+# Render environment variables in the config file.
+tempfile="$(mktemp)"
+envsubst < /var/lib/ldap-account-manager/config/lam.conf > "$tempfile"
+cat "$tempfile" > /var/lib/ldap-account-manager/config/lam.conf
+rm "$tempfile"
+
+# Set the password and unset the variable from memory.
+chroot --userspec=www-data / /usr/local/sbin/lam-setpass "$LAM_PASSWORD"
+unset LAM_PASSWORD
+
+# Start the process.
 eval exec "$@"
--- a/ldap-account-manager/lam-setpass
+++ b/ldap-account-manager/lam-setpass
+#!/usr/bin/env php
+<?php
+
+include_once('/usr/share/ldap-account-manager/lib/config.inc');
+
+// For the general settings.
+$cfg = new LAMCfgMain();
+$cfg->setPassword($argv[1]);
+$cfg->save();
+
+// For the server profiles.
+$conf = new LAMConfig("lam");
+$conf->set_Passwd($argv[1]);
+$conf->save();
+
--- a/ldap-account-manager/patch.diff
+++ b/ldap-account-manager/patch.diff
--- /var/lib/ldap-account-manager.orig/config/config.cfg	2019-03-25 18:21:36.000000000 +0200
-+++ /var/lib/ldap-account-manager.orig/config/config.cfg	2019-06-25 14:18:51.906120546 +0300
+--- /etc/ldap-account-manager/config.cfg	2019-03-25 18:21:36.000000000 +0200
+++ /etc/ldap-account-manager/config.cfg	2019-06-25 14:18:51.906120546 +0300
 @@ -9,4 +9,4 @@
 logLevel: 4
 
@@ -26,3 +26,46 @@
 </VirtualHost>
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
+--- /var/lib/ldap-account-manager/config/lam.conf	2019-09-20 23:14:19.000000000 +0300
+++ /var/lib/ldap-account-manager/config/lam.conf	2019-09-20 23:59:56.291338527 +0300
+@@ -5,22 +5,22 @@
+ ###################################################################################################
+ 
+ # server address (e.g. ldap://localhost:389 or ldaps://localhost:636)
+-ServerURL: ldap://localhost:389
+ServerURL: ${LDAP_URI}
+ 
+ # list of users who are allowed to use LDAP Account Manager
+ # names have to be seperated by semicolons
+ # e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org
+-Admins: cn=Manager,dc=my-domain,dc=com
+Admins: ${LDAP_ADMIN_DN}
+ 
+ # password to change these preferences via webfrontend (default: lam)
+ Passwd: lam
+ 
+ # suffix of tree view
+ # e.g. dc=yourdomain,dc=org
+-treesuffix: dc=yourdomain,dc=org
+treesuffix: ${LDAP_BASE_DN}
+ 
+ # default language (a line from config/language)
+-defaultLanguage: en_GB.utf8
+defaultLanguage: en_US.utf8
+ 
+ # Path to external Script
+ scriptPath:
+@@ -52,11 +52,11 @@
+ activeTypes: user,group
+ 
+ 
+-types: suffix_user: ou=People,dc=my-domain,dc=com
+types: suffix_user: ou=People,${LDAP_BASE_DN}
+ types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber
+ types: modules_user: inetOrgPerson,posixAccount,shadowAccount
+ 
+-types: suffix_group: ou=group,dc=my-domain,dc=com
+types: suffix_group: ou=group,${LDAP_BASE_DN}
+ types: attr_group: #cn;#gidNumber;#memberUID;#description
+ types: modules_group: posixGroup
+