Commit bfa237e3 authored by nimrod's avatar nimrod
Browse files

Run slapd as a limited user.

- Relax the permission on /etc/ssl to allow generating snakeoil
certificate and key.
- Grant the slapd binary CAP_NET_BIND_SERVICE to allow binding to
privileged ports.
- Change owner of /etc/ldap/ldap.conf to allow modifying it in
entrypoint.
- Prepopulate volumes with the correct ownership, permissions and
directory structure to avoid doing it in the entrypoint without root.
parent 61116271
Loading
Loading
Loading
Loading
+17 −2
Original line number Diff line number Diff line
@@ -2,17 +2,30 @@ FROM debian:buster-slim
# hadolint ignore=DL3008
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        fakeroot \
        gettext-base \
        gnutls-bin \
        ldap-utils \
        libcap2-bin \
        slapd \
        ssl-cert \
        time \
    && \
    usermod -aG ssl-cert openldap && \
    setcap CAP_NET_BIND_SERVICE=+ep /usr/sbin/slapd && \
    rm -rf /tmp/* /var/tmp/* /var/cache/apt/archives/* /var/lib/apt/lists/* && \
    rm -rf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key && \
    rm -rf /var/lib/ldap/* /var/backups/ldap/* /run/slapd/* /etc/ldap/slapd.d
    rm -rf /var/lib/ldap/* /var/backups/ldap/* /run/slapd/* /etc/ldap/slapd.d && \
    install -d -o openldap -g ssl-cert -m 710 /etc/ssl/private && \
    install -d -o openldap -g root -m 755 /etc/ssl/certs && \
    install -o root -g ssl-cert -m 664 /dev/null /etc/ssl/certs/ssl-cert-snakeoil.pem && \
    install -o root -g ssl-cert -m 664 /dev/null /etc/ssl/private/ssl-cert-snakeoil.key && \
    install -o root -g ssl-cert -m 664 /dev/null /usr/share/slapd/dh.pem && \
    chown openldap /etc/ldap/ldap.conf && \
    install -d -o openldap -g openldap /run/slapd && \
    install -d -o openldap -g openldap /var/backups/ldap && \
    install -d -o openldap -g openldap /var/lib/ldap && \
    install -d -o openldap -g openldap /var/lib/ldap/config && \
    install -d -o openldap -g openldap /var/lib/ldap/data
COPY --chown=root:root config.ldif /usr/share/slapd/
COPY --chown=root:root skel.ldif /usr/share/slapd/
COPY --chown=root:root entrypoint /usr/local/sbin/
@@ -26,6 +39,8 @@ ENV LDAP_URLS="ldap:/// ldapi:/// ldaps:///" \
    SSL_CERT_FILE="/etc/ssl/certs/ssl-cert-snakeoil.pem" \
    SSL_KEY_FILE="/etc/ssl/private/ssl-cert-snakeoil.key" \
    SSL_CA_FILE="/etc/ssl/certs/ssl-cert-snakeoil.pem"
WORKDIR /var/lib/ldap
USER openldap
ENTRYPOINT [ "entrypoint" ]
CMD [ "slapd", "-F", "/var/lib/ldap/config", "-u", "openldap", "-g", "openldap", "-h", "\"$LDAP_URLS\"", "-d", "$SLAPD_DEBUG_LEVEL" ]
HEALTHCHECK CMD ldapsearch -b cn=config > /dev/null || exit 1
+2 −9
Original line number Diff line number Diff line
@@ -10,13 +10,6 @@ export PASSWORD_HASH
# shellcheck disable=SC2039
ulimit -n 1024 || true

# Create and set owner for runtime directories.
install -d -o openldap -g openldap /run/slapd
install -d -o openldap -g openldap /var/backups/ldap
install -d -o openldap -g openldap /var/lib/ldap
install -d -o openldap -g openldap /var/lib/ldap/config
install -d -o openldap -g openldap /var/lib/ldap/data

# Base DN.
BASE_DN="dc=$(echo "$LDAP_DOMAIN" | sed 's/^\.//; s/\.$//; s/\./,dc=/g')"
export BASE_DN
@@ -30,7 +23,7 @@ if [ "${SSL_CERT_FILE:-}" = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ] || \
   [ "${SSL_KEY_FILE:-}" = "/etc/ssl/private/ssl-cert-snakeoil.key" ]
then
    echo Generating self-signed key and certificate. >&2
    DEBIAN_FRONTEND=noninteractive time make-ssl-cert generate-default-snakeoil --force-overwrite
    DEBIAN_FRONTEND=noninteractive time fakeroot make-ssl-cert generate-default-snakeoil --force-overwrite
fi

# Generate random DH parameters.
@@ -38,7 +31,7 @@ echo Generating DH parameters, this will take a while. >&2
time openssl dhparam -out /usr/share/slapd/dh.pem 2048

# Run slapadd with the correct user and location of the config directory.
alias slapadd='chroot --userspec openldap:openldap / slapadd -gv -F /var/lib/ldap/config'
alias slapadd='slapadd -gv -F /var/lib/ldap/config'

# Create configuration is none is present.
if [ -z "$(find /var/lib/ldap/config -maxdepth 1 -mindepth  1)" ]