LDAP: add nested groups and work around memberof-bug in used docker image

openldap/Dockerfile

@@ -1,5 +1,40 @@
-FROM dinkel/openldap:latest
+# Based on https://github.com/dinkel/docker-openldap by Christian Luginbühl, MIT licensed
+# simplified to our needs to due https://github.com/dinkel/docker-openldap/issues/21
+# (Proposed my solution in https://github.com/dinkel/docker-openldap/issues/21#issuecomment-468839994)
+
+FROM debian:stretch
 
 MAINTAINER Arthur Schiwon <[email protected]>
 
+ENV OPENLDAP_VERSION 2.4.44
+
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
+        slapd=${OPENLDAP_VERSION}* ldap-utils=${OPENLDAP_VERSION}* && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN mv /etc/ldap /etc/ldap.dist
+
+COPY modules/ /etc/ldap.dist/modules
 COPY LDIFs/* /etc/ldap/prepopulate/
+
+RUN cp -r /etc/ldap.dist/* /etc/ldap
+
+COPY slapf_config /tmp/slapd_config
+RUN cat /tmp/slapd_config | debconf-set-selections \
+    && dpkg-reconfigure -f noninteractive slapd >/dev/null 2>&1 \
+    && rm /tmp/slapd_config \
+    && sed -i "s/^#BASE.*/BASE c=nextcloud,dc=ci/g" /etc/ldap/ldap.conf \
+    && slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/memberof.ldif" \
+    && chown -R openldap:openldap /etc/ldap/slapd.d/ /var/lib/ldap/ /var/run/slapd/
+
+COPY entrypoint.sh /entrypoint.sh
+
+EXPOSE 389
+
+VOLUME ["/etc/ldap", "/var/lib/ldap"]
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["slapd", "-d", "32768", "-u", "openldap", "-g", "openldap"]

openldap/LDIFs/ordinary_small.ldif

@@ -20,7 +20,7 @@ userPassword: 123456
 mail: [email protected]
 mobile: +49 173 7484122
 employeeNumber: 92379
-# we misue roomNumber for an absolute path
+# we misuse roomNumber for an absolute path
 roomNumber: /dev/shm/alice-data
 jpegPhoto:< file:///etc/ldap/prepopulate/avatar-female.jpg
 
@@ -36,7 +36,7 @@ userPassword: 123456
 mail: [email protected]
 mobile: +49 173 7484144
 employeeNumber: 50194
-# we misue roomNumber for an absolute path
+# we misuse roomNumber for an absolute path
 roomNumber: /dev/shm/elisa-data
 
 dn: uid=ghost,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
@@ -47,6 +47,45 @@ givenname: Sam
 sn: Wheat
 description: a user without displayName that should be ignored by Nextcloud when configured userDisplayNameAttribute is set to displayname (default)
 
+dn: uid=clara,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+objectclass: inetOrgPerson
+uid: clara
+cn: Clara Clausen
+sn: Clausen
+givenname: Clara
+initials: CC
+displayname: Clara
+userPassword: 123456
+mail: [email protected]
+mobile: +49 173 5481149
+employeeNumber: 54172
+
+dn: uid=gustaf,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+objectclass: inetOrgPerson
+uid: gustaf
+cn: Gustaf Gulbrandsen
+sn: Gulbrandsen
+givenname: Gustaf
+initials: GG
+displayname: Gustaf
+userPassword: 123456
+mail: [email protected]
+mobile: +49 173 8462928
+employeeNumber: 59376
+
+dn: uid=jesper,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+objectclass: inetOrgPerson
+uid: jesper
+cn: Jesper Jämsä
+sn: Jämsä
+givenname: Jesper
+initials: JJ
+displayname: Jämsä
+userPassword: 123456
+mail: [email protected]
+mobile: +49 173 8536421
+employeeNumber: 59463
+
 dn: ou=Groups,ou=Ordinary,dc=nextcloud,dc=ci
 objectclass: top
 objectclass: organizationalUnit
@@ -71,8 +110,58 @@ member: uid=alice,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
 dn: ou=OtherGroups,dc=nextcloud,dc=ci
 objectclass: top
 objectclass: organizationalUnit
-ou: Groups
+ou: OtherGroups
 
 dn: cn=SquareGroup,ou=OtherGroups,dc=nextcloud,dc=ci
 objectClass: groupOfNames
 member: uid=alice,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+
+# nested groups
+
+dn: cn=Gardeners,ou=OtherGroups,dc=nextcloud,dc=ci
+objectClass: groupOfNames
+member: cn=Olericulture,ou=OtherGroups,dc=nextcloud,dc=ci
+member: cn=Orcharding,ou=OtherGroups,dc=nextcloud,dc=ci
+member: cn=Landscapers,ou=OtherGroups,dc=nextcloud,dc=ci
+
+dn: cn=Olericulture,ou=OtherGroups,dc=nextcloud,dc=ci
+objectClass: groupOfNames
+member: uid=clara,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+member: uid=jesper,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+
+dn: cn=Orcharding,ou=OtherGroups,dc=nextcloud,dc=ci
+objectClass: groupOfNames
+member: uid=alice,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+member: uid=elisa,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+
+dn: cn=Landscapers,ou=OtherGroups,dc=nextcloud,dc=ci
+objectClass: groupOfNames
+member: uid=gustaf,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+
+
+# numeric groups
+
+dn: ou=NumericGroups,dc=nextcloud,dc=ci
+objectclass: top
+objectclass: organizationalUnit
+ou: NumericGroups
+
+dn: cn=2000,ou=NumericGroups,dc=nextcloud,dc=ci
+objectClass: groupOfNames
+member: cn=3000,ou=NumericGroups,dc=nextcloud,dc=ci
+member: cn=3001,ou=NumericGroups,dc=nextcloud,dc=ci
+member: cn=3002,ou=NumericGroups,dc=nextcloud,dc=ci
+
+dn: cn=3000,ou=NumericGroups,dc=nextcloud,dc=ci
+objectClass: groupOfNames
+member: uid=clara,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+member: uid=jesper,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+
+dn: cn=3001,ou=NumericGroups,dc=nextcloud,dc=ci
+objectClass: groupOfNames
+member: uid=alice,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+member: uid=elisa,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci
+
+dn: cn=3002,ou=NumericGroups,dc=nextcloud,dc=ci
+objectClass: groupOfNames
+member: uid=gustaf,ou=Users,ou=Ordinary,dc=nextcloud,dc=ci

openldap/entrypoint.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# When not limiting the open file descritors limit, the memory consumption of
+# slapd is absurdly high. See https://github.com/docker/docker/issues/8231
+ulimit -n 8192
+
+set -em
+
+"$@" &
+
+# apt install errors with conflicts due to the slapd state (and its version perhaps) in the Dockerfile
+# marking it "hold" does not work due to other dependencies.
+#apt update && \
+#    DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y ldap-utils && \
+#    apt clean && \
+#    rm -rf /var/lib/apt/lists/*
+# we enable job control to send the slapd to background, but still to be able to pre-populate
+# the directory AND having memberof already working.
+sleep 2 # might be a race condition
+for file in `ls /etc/ldap/prepopulate/*.ldif`; do
+    ldapadd -x -D "cn=admin,dc=nextcloud,dc=ci" -w "$SLAPD_PASSWORD" -f "$file"
+done
+fg
+
+

openldap/modules/memberof.ldif

@@ -0,0 +1,33 @@
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: memberof.la
+
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: refint.la
+
+dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof member manager owner

openldap/slapf_config

@@ -0,0 +1,9 @@
+slapd slapd/no_configuration boolean false
+slapd slapd/password1 password admin
+slapd slapd/password2 password admin
+slapd shared/organization string Nextcloud
+slapd slapd/domain string nextcloud.ci
+slapd slapd/backend select HDB
+slapd slapd/allow_ldap_v2 boolean false
+slapd slapd/purge_database boolean false
+slapd slapd/move_old_database boolean true