diff --git a/slapd/Dockerfile b/slapd/Dockerfile
index 956aeffbfa138972ea2b49acb151e1d9b115e32d..85c054075cc66998ec8785a74cb44f95133be359 100644
--- a/slapd/Dockerfile
+++ b/slapd/Dockerfile
@@ -2,17 +2,30 @@ FROM debian:buster-slim
 # hadolint ignore=DL3008
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        fakeroot \
         gettext-base \
         gnutls-bin \
         ldap-utils \
+        libcap2-bin \
         slapd \
         ssl-cert \
         time \
     && \
     usermod -aG ssl-cert openldap && \
+    setcap CAP_NET_BIND_SERVICE=+ep /usr/sbin/slapd && \
     rm -rf /tmp/* /var/tmp/* /var/cache/apt/archives/* /var/lib/apt/lists/* && \
-    rm -rf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key && \
-    rm -rf /var/lib/ldap/* /var/backups/ldap/* /run/slapd/* /etc/ldap/slapd.d
+    rm -rf /var/lib/ldap/* /var/backups/ldap/* /run/slapd/* /etc/ldap/slapd.d && \
+    install -d -o openldap -g ssl-cert -m 710 /etc/ssl/private && \
+    install -d -o openldap -g root -m 755 /etc/ssl/certs && \
+    install -o root -g ssl-cert -m 664 /dev/null /etc/ssl/certs/ssl-cert-snakeoil.pem && \
+    install -o root -g ssl-cert -m 664 /dev/null /etc/ssl/private/ssl-cert-snakeoil.key && \
+    install -o root -g ssl-cert -m 664 /dev/null /usr/share/slapd/dh.pem && \
+    chown openldap /etc/ldap/ldap.conf && \
+    install -d -o openldap -g openldap /run/slapd && \
+    install -d -o openldap -g openldap /var/backups/ldap && \
+    install -d -o openldap -g openldap /var/lib/ldap && \
+    install -d -o openldap -g openldap /var/lib/ldap/config && \
+    install -d -o openldap -g openldap /var/lib/ldap/data
 COPY --chown=root:root config.ldif /usr/share/slapd/
 COPY --chown=root:root skel.ldif /usr/share/slapd/
 COPY --chown=root:root entrypoint /usr/local/sbin/
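Review bot: The private-key placeholder created by `install -o root -g ssl-cert -m 664 /dev/null /etc/ssl/private/ssl-cert-snakeoil.key` is world-readable, so once the entrypoint writes the generated key into it (the entrypoint hunk below presumably does this via make-ssl-cert) any uid inside the container can read the TLS private key. Group write is all the `openldap` user, added to `ssl-cert` a few lines above the `setcap` call, needs, so `-m 660` suffices: `install -o root -g ssl-cert -m 660 /dev/null /etc/ssl/private/ssl-cert-snakeoil.key`. The `710` mode on the `/etc/ssl/private` directory itself already blocks other users, and `dh.pem` holds public parameters, so those two lines can stay as they are. `chown openldap /etc/ldap/ldap.conf` hands the client configuration to the service account; if that is only needed so the entrypoint can template it, a short comment such as `# ldap.conf is owned by openldap so the entrypoint can rewrite it` would keep a later reader from tightening it back.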
@@ -26,6 +39,8 @@ ENV LDAP_URLS="ldap:/// ldapi:/// ldaps:///" \
     SSL_CERT_FILE="/etc/ssl/certs/ssl-cert-snakeoil.pem" \
     SSL_KEY_FILE="/etc/ssl/private/ssl-cert-snakeoil.key" \
     SSL_CA_FILE="/etc/ssl/certs/ssl-cert-snakeoil.pem"
+WORKDIR /var/lib/ldap
+USER openldap
 ENTRYPOINT [ "entrypoint" ]
 CMD [ "slapd", "-F", "/var/lib/ldap/config", "-u", "openldap", "-g", "openldap", "-h", "\"$LDAP_URLS\"", "-d", "$SLAPD_DEBUG_LEVEL" ]
 HEALTHCHECK CMD ldapsearch -b cn=config > /dev/null || exit 1
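Review bot: With `USER openldap` added, the `-u openldap -g openldap` arguments in the unchanged CMD line become no-ops (slapd is already that user), and the HEALTHCHECK `ldapsearch -b cn=config` now also runs unprivileged. Either drop the two CMD flags or record why they stay, e.g. `# -u/-g are redundant under USER openldap; kept for operators who override the user at run time`. Whether uid openldap can still read cn=config through the health check depends on the ACLs in config.ldif, which is outside this diff; it is worth confirming the check still succeeds rather than leaving the container permanently unhealthy.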
diff --git a/slapd/entrypoint b/slapd/entrypoint
index 2317c15b8e4a88144998534205d5de69ab8c2099..862d6221fc9b51d734fe5cb69ba197c5db594b8f 100755
--- a/slapd/entrypoint
+++ b/slapd/entrypoint
@@ -10,13 +10,6 @@ export PASSWORD_HASH
 # shellcheck disable=SC2039
 ulimit -n 1024 || true
 
-# Create and set owner for runtime directories.
-install -d -o openldap -g openldap /run/slapd
-install -d -o openldap -g openldap /var/backups/ldap
-install -d -o openldap -g openldap /var/lib/ldap
-install -d -o openldap -g openldap /var/lib/ldap/config
-install -d -o openldap -g openldap /var/lib/ldap/data
-
 # Base DN.
 BASE_DN="dc=$(echo "$LDAP_DOMAIN" | sed 's/^\.//; s/\.$//; s/\./,dc=/g')"
 export BASE_DN
@@ -30,7 +23,7 @@ if [ "${SSL_CERT_FILE:-}" = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ] || \
    [ "${SSL_KEY_FILE:-}" = "/etc/ssl/private/ssl-cert-snakeoil.key" ]
 then
     echo Generating self-signed key and certificate. >&2
-    DEBIAN_FRONTEND=noninteractive time make-ssl-cert generate-default-snakeoil --force-overwrite
+    DEBIAN_FRONTEND=noninteractive time fakeroot make-ssl-cert generate-default-snakeoil --force-overwrite
 fi
 
 # Generate random DH parameters.
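Review bot: Wrapping `make-ssl-cert` in `fakeroot` means the ownership changes the tool applies to the generated key exist only inside fakeroot and vanish when it exits, and I have not confirmed whether its mode changes reach the real filesystem either; the key's on-disk mode ends up being whatever the write path yields (the pre-created placeholder's mode, or the umask if the file is replaced), and the hunk does not check it. Add an explicit check right after the call so a world-readable key fails loudly: `[ -z "$(find /etc/ssl/private/ssl-cert-snakeoil.key -perm -o+r)" ] || { echo 'snakeoil key is world-readable' >&2; exit 1; }`. A one-line comment above the `fakeroot` invocation stating why it is needed now that the script runs unprivileged would also help the next reader.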
@@ -38,7 +31,7 @@ echo Generating DH parameters, this will take a while. >&2
 time openssl dhparam -out /usr/share/slapd/dh.pem 2048
 
 # Run slapadd with the correct user and location of the config directory.
-alias slapadd='chroot --userspec openldap:openldap / slapadd -gv -F /var/lib/ldap/config'
+alias slapadd='slapadd -gv -F /var/lib/ldap/config'
 
 # Create configuration is none is present.
 if [ -z "$(find /var/lib/ldap/config -maxdepth 1 -mindepth  1)" ]
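Review bot: The rewritten `alias slapadd=…` relies on alias expansion in a non-interactive script; that works under dash, but bash ignores aliases in scripts unless `expand_aliases` is set, and the shebang is outside this hunk, so a function is the portable form: `slapadd() { command slapadd -gv -F /var/lib/ldap/config "$@"; }`. Dropping `chroot --userspec` also means the only thing keeping slapadd from running as root is the image's USER line; a comment here such as `# slapadd runs as the invoking user; the image sets USER openldap` would record that assumption for anyone who overrides the user at run time. The `if` on the last line of the hunk continues outside it.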