Updated OpenLDAP

Author: djthorpe

_examples/openldap.tf

@@ -4,18 +4,18 @@ module "openldap" {
   source = "github.com/mutablelogic/tf-nomad//openldap"
 
   // Required parameters
-  dc             = "datacenter"              // Nomad datacenter for the cluster
-  hosts          = ["server1", "server2"]    // Host constraint for the job
-  basedn         = "dc=mutablelogic,dc=com"  // Distinquished name for the LDAP server
-  admin_password = local.LDAP_ADMIN_PASSWORD // Password for the LDAP 'admin' user
+  dc              = "datacenter"              // Nomad datacenter for the cluster
+  hosts           = ["server1", "server2"]    // Host constraint for the job
+  organization    = "My Organization"         // Distinquished name for the LDAP server
+  domain          = "example.com"             // Domain for the LDAP server
+  admin_password  = local.LDAP_ADMIN_PASSWORD // Password for the LDAP 'admin' user
+  config_password = local.LDAP_ADMIN_PASSWORD // Password for the LDAP 'config' user
 
   // Optional parameters
-  enabled    = true      // If false, no-op
-  namespace  = "default" // Nomad namespace for the nomad job
-  docker_tag = "latest"  // Pull the latest version of the docker image every job restart
-  port       = 389       // plaintext port to expose
-
-  // When persisting data, set uid and gid to 1000 for the container to 
-  // have write access to the data directory
-  data = "/var/lib/ldap"
+  enabled           = true                                           // If false, no-op
+  namespace         = "default"                                      // Nomad namespace for the nomad job
+  docker_tag        = "latest"                                       // Pull the latest version of the docker image every job restart
+  port              = 389                                            // plaintext port to expose
+  replication_hosts = ["ldap://server1:389/", "ldap://server2:389/"] // LDAP urls for replication
+  data              = "/var/lib/ldap"                                // Directory for data persistence
 }

openldap/input.tf

@@ -61,7 +61,7 @@ variable "port" {
 variable "data" {
   type        = string
   description = "Directory for data persistence"
-  default = ""
+  default     = ""
 }
 
 variable "admin_password" {
@@ -70,12 +70,23 @@ variable "admin_password" {
   sensitive   = true
 }
 
-variable "basedn" {
-  description = "LDAP distinguished name (required)"
+variable "config_password" {
+  description = "LDAP config password"
   type        = string
 }
 
+variable "replication_hosts" {
+  description = "LDAP urls for replication"
+  type        = list(string)
+  default     = []
+}
+
 variable "organization" {
-  description = "Organization name (required)"
+  description = "Organization name"
+  type        = string
+}
+
+variable "domain" {
+  description = "Organization domain"
   type        = string
 }

openldap/ldif/root.ldif

@@ -1,17 +1,10 @@
 
-# Root
-dn: {{ env "NOMAD_META_basedn" }}
-objectClass: top
-objectClass: domain
-dc: {{ env "NOMAD_META_organization" }}
-description: Organization
-
 # Groups
 dn: ou={{ env "NOMAD_META_groups" }},{{ env "NOMAD_META_basedn" }}
 ou: {{ env "NOMAD_META_groups" }}
 objectClass: top
 objectClass: organizationalUnit
-description: User groups
+description: Groups
 
 # Users
 dn: ou={{ env "NOMAD_META_users" }},{{ env "NOMAD_META_basedn" }}

openldap/locals.tf

@@ -1,5 +1,5 @@
 
 locals {
-    docker_image = "bitnami/openldap:${var.docker_tag}"
+    docker_image = "osixia/openldap:${var.docker_tag}"
     docker_always_pull = var.docker_tag == "latest" ? true : false
 }

openldap/main.tf

@@ -16,20 +16,19 @@ resource "nomad_job" "openldap" {
       service_dns        = jsonencode(var.service_dns)
       service_type       = var.service_type
 
-      port           = var.port
-      data           = var.data
-      admin_password = var.admin_password
-      basedn         = var.basedn
-      organization   = var.organization
+      port              = var.port
+      data              = var.data
+      admin_password    = var.admin_password
+      config_password   = var.config_password
+      replication_hosts = jsonencode(var.replication_hosts)
+      organization      = var.organization
+      domain            = var.domain
 
       # LDIF templates which are only applied when the data directory is empty (first run)
       ldif = jsonencode({
         "root" = file("${path.module}/ldif/root.ldif")
       })
-      schema = jsonencode({
-        "memberOf"   = file("${path.module}/schema/memberOf.ldif"),
-        "rfc2307bis" = file("${path.module}/schema/rfc2307bis.ldif")
-      })
+      schema = jsonencode({})
     }
   }
 }

openldap/nomad/openldap.hcl

@@ -1,6 +1,6 @@
 
 // OpenLDAP server
-// Docker Image: https://bitnami.com/stack/openldap
+// Docker Image: https://github.com/osixia/docker-openldap
 
 ///////////////////////////////////////////////////////////////////////////////
 // VARIABLES
@@ -31,7 +31,7 @@ variable "service_provider" {
 variable "service_name" {
   description = "Service name"
   type        = string
-  default     = "coredns-dns"
+  default     = "openldap-ldap"
 }
 
 variable "service_dns" {
@@ -65,49 +65,65 @@ variable "port" {
   default     = 389
 }
 
+variable "tls_port" {
+  description = "Port for TLS connections"
+  type        = number
+  default     = 636
+}
+
 variable "data" {
   description = "Data persistence directory"
   type        = string
   default     = ""
 }
 
-variable "ldif" {
-  description = "Custom LDIF rules, optional"
-  type        = map(string)
+variable "admin_password" {
+  description = "LDAP admin password"
+  type        = string
 }
 
-variable "schema" {
-  description = "Custom schemas, optional"
-  type        = map(string)
+variable "config_password" {
+  description = "LDAP config password"
+  type        = string
 }
 
-variable "extra_schemas" {
-  description = "Extra schemas, optional"
-  type        = string
-  default     = "cosine,inetorgperson"
+variable "replication_hosts" {
+  description = "LDAP urls for replication"
+  type        = list(string)
 }
 
-variable "admin_password" {
-  description = "LDAP admin password"
+variable "organization" {
+  description = "Organization name"
   type        = string
 }
 
-variable "basedn" {
-  description = "Distinguished name"
+variable "domain" {
+  description = "Organization domain"
   type        = string
 }
 
-variable "organization" {
-  description = "Organization name"
-  type        = string
+variable "ldif" {
+  description = "Custom LDIF rules, optional"
+  type        = map(string)
+}
+
+variable "schema" {
+  description = "Custom schemas, optional"
+  type        = map(string)
+}
+
+variable "debug" {
+  description = "Debug output"
+  type        = bool
+  default     = false
 }
 
 ///////////////////////////////////////////////////////////////////////////////
 // LOCALS
 
 locals {
-  ldif_path   = format("%s/data/ldif",NOMAD_ALLOC_DIR)
-  schema_path   = format("%s/data/schema",NOMAD_ALLOC_DIR)
+  ldif_path   = format("%s/data/ldif", NOMAD_ALLOC_DIR)
+  schema_path = format("%s/data/schema", NOMAD_ALLOC_DIR)
 }
 
 ///////////////////////////////////////////////////////////////////////////////
@@ -143,6 +159,10 @@ job "openldap" {
         static = var.port
         to     = 389
       }
+      port "ldaps" {
+        static = var.tls_port
+        to     = 636
+      }
     }
 
     service {
@@ -154,12 +174,12 @@ job "openldap" {
 
     task "daemon" {
       driver = "docker"
-      user   = "root"
 
       // Metadata for ldif and schema templates
       meta {
-        basedn       = var.basedn
         organization = var.organization
+        domain       = "{{ LDAP_DOMAIN }}"
+        basedn       = "{{ LDAP_BASE_DN }}"
         users        = "users"
         groups       = "groups"
       }
@@ -183,27 +203,27 @@ job "openldap" {
       }
 
       env {
-        LDAP_ADMIN_USERNAME     = "admin"
-        LDAP_ADMIN_PASSWORD     = var.admin_password
-        LDAP_PORT_NUMBER        = NOMAD_PORT_ldap
-        LDAP_ROOT               = var.basedn
-        LDAP_ADD_SCHEMAS        = var.extra_schemas == "" ? "no" : "yes"
-        LDAP_EXTRA_SCHEMAS      = var.extra_schemas
-        LDAP_SKIP_DEFAULT_TREE  = "yes"
-        LDAP_CUSTOM_LDIF_DIR    = local.ldif_path
-        //LDAP_CUSTOM_SCHEMA_DIR  = local.schema_path
-        LDAP_CONFIGURE_PPOLICY  = "yes"
-        LDAP_ALLOW_ANON_BINDING = "no"
-        BITNAMI_DEBUG           = "true"
+        LDAP_DOMAIN                    = var.domain
+        LDAP_ORGANISATION              = var.organization
+        LDAP_ADMIN_PASSWORD            = var.admin_password
+        LDAP_CONFIG_PASSWORD           = var.config_password
+        LDAP_RFC2307BIS_SCHEMA         = "true"
+        LDAP_REMOVE_CONFIG_AFTER_SETUP = "false"
+        LDAP_SEED_INTERNAL_LDIF_PATH   = length(var.ldif) == 0 ? "" : local.ldif_path
+        LDAP_SEED_INTERNAL_SCHEMA_PATH = length(var.schema) == 0 ? "" : local.schema_path
+        LDAP_REPLICATION_HOSTS         = length(var.replication_hosts) == 0 ? "" : format("#PYTHON2BASH:%s", jsonencode(var.replication_hosts))
+        LDAP_TLS                       = "false"
       }
 
       config {
         image       = var.docker_image
         force_pull  = var.docker_always_pull
-        ports       = ["ldap"]
+        ports       = ["ldap", "ldaps"]
         dns_servers = var.service_dns
+        args        = ["--copy-service", "--loglevel", var.debug ? "debug" : "info"]
         volumes = compact([
-          var.data == "" ? "" : format("%s:/bitnami/openldap", var.data),
+          var.data == "" ? "" : format("%s/data:/var/lib/ldap", var.data),
+          var.data == "" ? "" : format("%s/slapd.d:/etc/ldap/slapd.d", var.data),
         ])
       }