Run slapd as a limited user.

- Relax the permission on /etc/ssl to allow generating snakeoil
certificate and key.
- Grant the slapd binary CAP_NET_BIND_SERVICE to allow binding to
privileged ports.
- Change owner of /etc/ldap/ldap.conf to allow modifying it in
entrypoint.
- Prepopulate volumes with the correct ownership, permissions and
directory structure to avoid doing it in the entrypoint without root.

slapd/Dockerfile

@@ -2,17 +2,30 @@ FROM debian:buster-slim
 # hadolint ignore=DL3008
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        fakeroot \
         gettext-base \
         gnutls-bin \
         ldap-utils \
+        libcap2-bin \
         slapd \
         ssl-cert \
         time \
     && \
     usermod -aG ssl-cert openldap && \
+    setcap CAP_NET_BIND_SERVICE=+ep /usr/sbin/slapd && \
     rm -rf /tmp/* /var/tmp/* /var/cache/apt/archives/* /var/lib/apt/lists/* && \
-    rm -rf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key && \
-    rm -rf /var/lib/ldap/* /var/backups/ldap/* /run/slapd/* /etc/ldap/slapd.d
+    rm -rf /var/lib/ldap/* /var/backups/ldap/* /run/slapd/* /etc/ldap/slapd.d && \
+    install -d -o openldap -g ssl-cert -m 710 /etc/ssl/private && \
+    install -d -o openldap -g root -m 755 /etc/ssl/certs && \
+    install -o root -g ssl-cert -m 664 /dev/null /etc/ssl/certs/ssl-cert-snakeoil.pem && \
+    install -o root -g ssl-cert -m 664 /dev/null /etc/ssl/private/ssl-cert-snakeoil.key && \
+    install -o root -g ssl-cert -m 664 /dev/null /usr/share/slapd/dh.pem && \
+    chown openldap /etc/ldap/ldap.conf && \
+    install -d -o openldap -g openldap /run/slapd && \
+    install -d -o openldap -g openldap /var/backups/ldap && \
+    install -d -o openldap -g openldap /var/lib/ldap && \
+    install -d -o openldap -g openldap /var/lib/ldap/config && \
+    install -d -o openldap -g openldap /var/lib/ldap/data
 COPY --chown=root:root config.ldif /usr/share/slapd/
 COPY --chown=root:root skel.ldif /usr/share/slapd/
 COPY --chown=root:root entrypoint /usr/local/sbin/
@@ -26,6 +39,8 @@ ENV LDAP_URLS="ldap:/// ldapi:/// ldaps:///" \
     SSL_CERT_FILE="/etc/ssl/certs/ssl-cert-snakeoil.pem" \
     SSL_KEY_FILE="/etc/ssl/private/ssl-cert-snakeoil.key" \
     SSL_CA_FILE="/etc/ssl/certs/ssl-cert-snakeoil.pem"
+WORKDIR /var/lib/ldap
+USER openldap
 ENTRYPOINT [ "entrypoint" ]
 CMD [ "slapd", "-F", "/var/lib/ldap/config", "-u", "openldap", "-g", "openldap", "-h", "\"$LDAP_URLS\"", "-d", "$SLAPD_DEBUG_LEVEL" ]
 HEALTHCHECK CMD ldapsearch -b cn=config > /dev/null || exit 1

slapd/entrypoint

@@ -10,13 +10,6 @@ export PASSWORD_HASH
 # shellcheck disable=SC2039
 ulimit -n 1024 || true
 
-# Create and set owner for runtime directories.
-install -d -o openldap -g openldap /run/slapd
-install -d -o openldap -g openldap /var/backups/ldap
-install -d -o openldap -g openldap /var/lib/ldap
-install -d -o openldap -g openldap /var/lib/ldap/config
-install -d -o openldap -g openldap /var/lib/ldap/data
-
 # Base DN.
 BASE_DN="dc=$(echo "$LDAP_DOMAIN" | sed 's/^\.//; s/\.$//; s/\./,dc=/g')"
 export BASE_DN
@@ -30,7 +23,7 @@ if [ "${SSL_CERT_FILE:-}" = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ] || \
    [ "${SSL_KEY_FILE:-}" = "/etc/ssl/private/ssl-cert-snakeoil.key" ]
 then
     echo Generating self-signed key and certificate. >&2
-    DEBIAN_FRONTEND=noninteractive time make-ssl-cert generate-default-snakeoil --force-overwrite
+    DEBIAN_FRONTEND=noninteractive time fakeroot make-ssl-cert generate-default-snakeoil --force-overwrite
 fi
 
 # Generate random DH parameters.
@@ -38,7 +31,7 @@ echo Generating DH parameters, this will take a while. >&2
 time openssl dhparam -out /usr/share/slapd/dh.pem 2048
 
 # Run slapadd with the correct user and location of the config directory.
-alias slapadd='chroot --userspec openldap:openldap / slapadd -gv -F /var/lib/ldap/config'
+alias slapadd='slapadd -gv -F /var/lib/ldap/config'
 
 # Create configuration is none is present.
 if [ -z "$(find /var/lib/ldap/config -maxdepth 1 -mindepth  1)" ]