feat: upgrade to Debian Trixie and OpenLDAP 2.6

2026-04-10 14:56:20 +02:00 · 2025-08-14 16:54:59 +02:00 · 2025-08-14 16:54:59 +02:00 · 3bf901be30
commit 3bf901be30
parent 050f36c438
6 changed files with 246 additions and 95 deletions
--- a/README.md
+++ b/README.md
@ -23,8 +23,8 @@ # vegardit/openldap <a href="https://github.com/vegardit/docker-openldap/" title
 ## <a name="what-is-it"></a>What is it?
-An opinionated, multi-arch Docker image - currently based on [Debian](https://www.debian.org/)'s [`debian:bookworm-slim`](https://hub.docker.com/_/debian/tags?name=bookworm-slim) -
+An opinionated, multi-arch Docker image - currently based on [Debian](https://www.debian.org/)'s [`debian:trixie-slim`](https://hub.docker.com/_/debian/tags?name=trixie-slim) -
-built for easy deployment of an [OpenLDAP 2.5](https://www.openldap.org/doc/admin25/) server.
+built for easy deployment of an [OpenLDAP 2.6](https://www.openldap.org/doc/admin26/) server.
 Automatically rebuilt **weekly** to include the latest OS security fixes.
@ -151,8 +151,8 @@ ### <a name="transport_encryption"></a>Transport Encryption (LDAPS/STARTTLS)
    |`LDAP_TLS_CERT_FILE`    |`/run/secrets/ldap/server.crt`|Path to the server certificate **inside** the container
    |`LDAP_TLS_KEY_FILE`     |`/run/secrets/ldap/server.key`|Path to the matching private key **inside** the container
    |`LDAP_TLS_CA_FILE`      |`/run/secrets/ldap/ca.crt`    |Path to the CA bundle for verifying *peer* certificates
-    |`LDAP_TLS_VERIFY_CLIENT`|`try`                         |Client certificate policy (see [`TLSVerifyClient`](https://www.openldap.org/doc/admin25/guide.html#TLSVerifyClient%20%7B%20never%20%7C%20allow%20%7C%20try%20%7C%20demand%20%7B)):<br>- `never` - don't request a client certificate<br>- `allow` - request a client certificate; ignore if missing or invalid<br>- `try` - request a client certificate; reject if invalid (ignore if missing)<br>- `demand` - require a valid client certificate
+    |`LDAP_TLS_VERIFY_CLIENT`|`try`                         |Client certificate policy (see [`TLSVerifyClient`](https://www.openldap.org/doc/admin26/guide.html#TLSVerifyClient%20%7B%20never%20%7C%20allow%20%7C%20try%20%7C%20demand%20%7B)):<br>- `never` - don't request a client certificate<br>- `allow` - request a client certificate; ignore if missing or invalid<br>- `try` - request a client certificate; reject if invalid (ignore if missing)<br>- `demand` - require a valid client certificate
-    |`LDAP_TLS_SSF`          |`128`                         |Minimum **Security Strength Factor** (SSF) required for **all** TLS sessions. `0` = clear-text allowed; `>=0` enforces that STARTTLS/LDAPS negotiate at minimum that strength (AES-128, AES-256). More details here: [OpenLDAP Admin Guide](https://www.openldap.org/doc/admin25/guide.html#Security%20Strength%20Factors)
+    |`LDAP_TLS_SSF`          |`128`                         |Minimum **Security Strength Factor** (SSF) required for **all** TLS sessions. `0` = clear-text allowed; `>=0` enforces that STARTTLS/LDAPS negotiate at minimum that strength (AES-128, AES-256). More details here: [OpenLDAP Admin Guide](https://www.openldap.org/doc/admin26/guide.html#Security%20Strength%20Factors)
    *How to generate a self-signed cert for testing:*
@ -348,7 +348,7 @@ ### <a name="troubleshooting"></a>Troubleshooting
 ## <a name="references"></a>References
- OpenLDAP Software 2.5 Administrator's Guide https://www.openldap.org/doc/admin25/guide.html
+- OpenLDAP Software 2.6 Administrator's Guide https://www.openldap.org/doc/admin26/guide.html
 - OpenLDAP Online Configuration Reference https://tylersguides.com/guides/openldap-online-configuration-reference/
 - `slapd-config(5)` - Linux man page https://linux.die.net/man/5/slapd-config
--- a/build-image.sh
+++ b/build-image.sh
@ -15,14 +15,14 @@ source "$shared_lib/lib/build-image-init.sh"
 # declare image meta
 #################################################
 image_repo=${DOCKER_IMAGE_REPO:-vegardit/openldap}
-base_image=${DOCKER_BASE_IMAGE:-debian:bookworm-slim}
+base_image=${DOCKER_BASE_IMAGE:-debian:trixie-slim}
 platforms="linux/amd64,linux/arm64/v8,linux/arm/v7"
 declare -A image_meta=(
  [authors]="Vegard IT GmbH (vegardit.com)"
  [title]="$image_repo"
-  [description]="Opinionated docker image built for easy deployment of an OpenLDAP 2.5 server"
+  [description]="Opinionated docker image built for easy deployment of an OpenLDAP 2.6 server"
  [source]="$(git config --get remote.origin.url)"
  [revision]="$(git rev-parse --short HEAD)"
  [version]="$(git rev-parse --short HEAD)"
@ -155,8 +155,8 @@ echo "ldap_version=$ldap_version"
 #################################################
 # extend tags
 #################################################
-tags+=("${ldap_version}")       # :2.5.12
+tags+=("${ldap_version}")       # :2.6.10
-tags+=("${ldap_version%.*}.x")  # :2.5.x
+tags+=("${ldap_version%.*}.x")  # :2.6.x
 tags+=("${ldap_version%%.*}.x") # :2.x
--- a/image/Dockerfile
+++ b/image/Dockerfile
@ -7,8 +7,8 @@
 # SPDX-License-Identifier: Apache-2.0
 # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-openldap
-# https://hub.docker.com/_/debian/tags?name=bookworm-slim
+# https://hub.docker.com/_/debian/tags?name=trixie-slim
-ARG BASE_IMAGE=debian:bookworm-slim
+ARG BASE_IMAGE=debian:trixie-slim
 #############################################################
 # build pqchecker
@ -40,7 +40,7 @@ EOF
 WORKDIR /opt/openldap-src
 RUN <<EOF
-  git clone --depth 1 --branch OPENLDAP_REL_ENG_2_5 https://github.com/openldap/openldap.git .
+  git clone --depth 1 --branch OPENLDAP_REL_ENG_2_6 https://github.com/openldap/openldap.git .
  ./configure
  make depend
 EOF
--- a/image/ldifs/init_module_ppolicy.ldif
+++ b/image/ldifs/init_module_ppolicy.ldif
@ -16,3 +16,4 @@ olcPPolicyHashCleartext: TRUE
 # return AccountLocked instead of InvalidCredentials error:
 olcPPolicyUseLockout: TRUE
 olcPPolicyForwardUpdates: FALSE
 olcPPolicyCheckModule: /usr/lib/ldap/pqchecker.so
--- a/image/ldifs/init_org_ppolicy.ldif
+++ b/image/ldifs/init_org_ppolicy.ldif
@ -37,4 +37,3 @@ pwdMaxAge: 0
 # Password Quality
 pwdMinLength: ${LDAP_INIT_PPOLICY_PW_MIN_LENGTH:-8}
 pwdCheckQuality: 2
 pwdCheckModule: /usr/lib/ldap/pqchecker.so
--- a/image/run.sh
+++ b/image/run.sh
@ -66,12 +66,56 @@ if [[ -n ${LDAP_OPENLDAP_GID:-} ]]; then
 fi
 chown -R openldap:openldap /etc/ldap
 chown -R openldap:openldap /var/lib/ldap
-chown -R openldap:openldap /var/lib/ldap_orig
+chown -R openldap:openldap /var/lib/ldap_orig || true
-chown -R openldap:openldap /var/run/slapd
+mkdir -p /run/slapd
 chown -R openldap:openldap /run/slapd
 #################################################################
 # Install TLS certificates if needed (must be before any slapd starts)
 #################################################################
 case "${LDAP_TLS_ENABLED:-}" in
  true|false) ;;
  auto) [[ -f $LDAP_TLS_CERT_FILE && -f $LDAP_TLS_KEY_FILE ]] && LDAP_TLS_ENABLED=true || LDAP_TLS_ENABLED=false ;;
  *) log ERROR "LDAP_TLS_ENABLED must be auto|true|false"; exit 1 ;;
 esac
 if [[ $LDAP_TLS_ENABLED == true ]]; then
  if ! [[ "$LDAP_TLS_SSF" =~ ^[0-9]+$ ]] || (( LDAP_TLS_SSF < 0 || LDAP_TLS_SSF > 256 )); then
    log ERROR "LDAP_TLS_SSF must be an integer between 0 and 256 (got '$LDAP_TLS_SSF')"
    exit 1
  fi
  case "${LDAP_LDAPS_ENABLED:-}" in
    true|false) log INFO "LDAPS enabled (port 636): $LDAP_LDAPS_ENABLED";;
    *) log ERROR "LDAP_LDAPS_ENABLED must be true|false"; exit 1 ;;
  esac
  case "${LDAP_TLS_VERIFY_CLIENT:-}" in
    never|allow|try|demand) log INFO "TLS_VERIFY_CLIENT: $LDAP_TLS_VERIFY_CLIENT";;
    *) log ERROR "LDAP_LDAPS_ENABLED must be true|false"; exit 1 ;;
  esac
  if [[ ! -f ${LDAP_TLS_KEY_FILE:-} ]]; then
    log ERROR "TLS requested but LDAP_TLS_KEY_FILE [${LDAP_TLS_KEY_FILE:-}] not accessible"
    exit 1
  fi
  if [[ ! -f ${LDAP_TLS_CERT_FILE:-} ]]; then
    log ERROR "TLS requested but LDAP_TLS_CERT_FILE [${LDAP_TLS_CERT_FILE:-}] not accessible"
    exit 1
  fi
  log INFO "Installing TLS certificates..."
  install -d -o openldap -g openldap -m 0755 /etc/ldap/certs
  install -o openldap -g openldap -m 0600 "$LDAP_TLS_KEY_FILE" /etc/ldap/certs/server.key
  install -o openldap -g openldap -m 0644 "$LDAP_TLS_CERT_FILE" /etc/ldap/certs/server.crt
  if [[ -f ${LDAP_TLS_CA_FILE:-} ]]; then
    install -o openldap -g openldap -m 0644 "$LDAP_TLS_CA_FILE" /etc/ldap/certs/ca.crt
  fi
 fi
 #################################################################
-# Configure LDAP server on initial container launch
+# Configure LDAP server on initial container launch or after version upgrade
 #################################################################
 function ldif() {
  log INFO "---------------------------------------"
@ -86,10 +130,109 @@ function ldif() {
  rm -f "$tmpfile"
 }
-if [ ! -e /etc/ldap/slapd.d/initialized ]; then
+function slapd() {
-  log INFO "======================================="
+  local cmd="${1:-}"
-  log INFO "Applying initial configuration"
+  local -r RUNDIR="/run/slapd"
-  log INFO "======================================="
+  local -r LOGFILE="${SLAPD_LOG_FILE:-/tmp/slapd.log}"
  local -r PIDFILE="${SLAPD_INIT_PIDFILE:-$RUNDIR/.init.pid}"
  local -r URLS="ldap:/// ldapi:///${SLAPD_EXTRA_URLS:-}"
  local -a dbg_opts=()
  # Debug levels for init runs (independent from final exec)
  # e.g. export SLAPD_INIT_LOG_LEVELS="stats config sync"
  for lvl in ${SLAPD_INIT_LOG_LEVELS:-stats config}; do
    dbg_opts+=(-d "$lvl")
  done
  case "$cmd" in
    start)
      log INFO "Starting slapd for init/migration..."
      mkdir -p "$RUNDIR"
      chown openldap:openldap "$RUNDIR"
      chmod 770 "$RUNDIR"
      # truncate previous log
      : > "$LOGFILE"
      # Run in foreground (because of -d ...) and capture logs; background with &
      /usr/sbin/slapd \
        "${dbg_opts[@]}" \
        -h "$URLS" \
        -u openldap \
        -g openldap \
        -F /etc/ldap/slapd.d \
        > "$LOGFILE" 2>&1 &
      local pid=$!
      echo "$pid" > "$PIDFILE"
      # Wait up to 10s for readiness via ldapi:///
      for _ in {1..20}; do
        if ldapwhoami -H ldapi:/// >/dev/null 2>&1; then
          log INFO "slapd started (pid $pid)"
          return 0
        fi
        sleep 0.5
      done
      log ERROR "Timeout waiting for slapd to become ready"
      # Show immediate diagnostics
      tail -n 80 "$LOGFILE" | log ERROR
      return 1
      ;;
    stop)
      log INFO "Stopping slapd..."
      local pid=""
      if [[ -r "$PIDFILE" ]]; then
        pid="$(cat "$PIDFILE" 2>/dev/null || true)"
      fi
      if [[ -n "$pid" ]] && kill -0 "$pid" 2>/dev/null; then
        kill "$pid" 2>/dev/null || true
      else
        # Fallback: scan /proc for a foreground slapd we started
        for p in /proc/[0-9]*; do
          if [[ -r "$p/comm" ]] && [[ "$(cat "$p/comm")" == "slapd" ]]; then
            pid="${p##*/}"
            kill "$pid" 2>/dev/null || true
          fi
        done
      fi
      # Wait up to 10s for it to exit (ldapi should drop when slapd is gone)
      for _ in {1..20}; do
        if ! ldapwhoami -H ldapi:/// >/dev/null 2>&1; then
          log INFO "slapd stopped"
          rm -f "$PIDFILE"
          return 0
        fi
        sleep 0.5
      done
      log WARN "Graceful stop timed out — dumping last log lines before forcing kill:"
      tail -n 120 "$LOGFILE" | log WARN
      # Force kill any remaining slapd processes
      for p in /proc/[0-9]*; do
        if [[ -r "$p/comm" ]] && [[ "$(cat "$p/comm")" == "slapd" ]]; then
          kill -9 "${p##*/}" 2>/dev/null || true
        fi
      done
      rm -f "$PIDFILE"
      log INFO "slapd forced to stop"
      ;;
    *)
      log ERROR "Usage: slapd {start|stop}"
      return 2
      ;;
  esac
 }
 initialized_file=/etc/ldap/slapd.d/initialized
 config_version="2.6"
 if [ ! -e "$initialized_file" ]; then
  log BOX "Applying initial configuration..."
  function substr_before() {
    # shellcheck disable=SC2295  # Expansions inside ${..} need to be quoted separately, otherwise they match as patterns
    echo "${1%%${2}*}"
@ -156,14 +299,7 @@ if [ ! -e /etc/ldap/slapd.d/initialized ]; then
    chown openldap:openldap -R /etc/ldap/slapd.d
  fi
-  /etc/init.d/slapd start 2>&1 | log INFO
+  slapd start
  # await ldap server start
  for _ in {1..8}; do
    if ldapwhoami -H ldapi:/// | log INFO; then
      break
    fi
    sleep 1
  done
  ldif add    -Y EXTERNAL /opt/ldifs/schema_sudo.ldif
  ldif add    -Y EXTERNAL /opt/ldifs/schema_ldapPublicKey.ldif
@ -212,14 +348,85 @@ dc: $LDAP_INIT_ORG_ATTR_DC"
  log INFO "---------------------------------------"
-  echo "1" >/etc/ldap/slapd.d/initialized
+  echo "$config_version" >"$initialized_file"
  rm -f /tmp/*.ldif
  log INFO "Creating LDAP backup at [$LDAP_BACKUP_FILE]..."
  slapcat -n 1 -l "$LDAP_BACKUP_FILE" || true
-  /etc/init.d/slapd stop | log INFO
+  slapd stop
-  sleep 3
+
 else
  # System is already initialized - check for migrations
  last_version=$(cat "$initialized_file")
  # Handle legacy format (just "1" means pre-versioning, treat as 2.5)
  if [[ "$last_version" == "1" ]]; then
    last_version="2.5"
  fi
  # Check if we need to migrate from 2.5 to 2.6
  if [[ "$last_version" == "2.5" ]]; then
    log BOX "Migrating config to OpenLDAP 2.6..."
    slapd start
    # Find the actual ppolicy overlay DN (it might have an index like {0}ppolicy)
    ppolicy_dn=$(ldapsearch -H ldapi:/// -Y EXTERNAL -b "olcDatabase={1}mdb,cn=config" "(objectClass=olcPPolicyConfig)" dn 2>/dev/null | grep "^dn:" | head -1 | sed 's/^dn: //')
    if [[ -z "$ppolicy_dn" ]]; then
      log WARN "ppolicy overlay not found in configuration, skipping password policy migration"
    else
      log INFO "Found ppolicy overlay at: $ppolicy_dn"
      # Check if ppolicy overlay already has the new configuration
      if ldapsearch -H ldapi:/// -Y EXTERNAL -b "$ppolicy_dn" -s base "(objectClass=*)" olcPPolicyCheckModule 2>/dev/null | grep -q "olcPPolicyCheckModule"; then
        log INFO "Password policy overlay already configured for 2.6, skipping migration"
      else
        # Check for legacy pwdCheckModule entries
        has_legacy_config=false
        if ldapsearch -H ldapi:/// -Y EXTERNAL -b "${LDAP_INIT_ORG_DN:-DC=example,DC=com}" "(pwdCheckModule=*)" pwdCheckModule 2>/dev/null | grep -q "pwdCheckModule"; then
          has_legacy_config=true
          log INFO "Found legacy pwdCheckModule configuration in password policy entries"
        fi
        # Add new overlay configuration
        log INFO "Adding OpenLDAP 2.6 password policy overlay configuration..."
        cat >/tmp/migrate_ppolicy_26.ldif <<EOF
 dn: $ppolicy_dn
 changetype: modify
 add: olcPPolicyCheckModule
 olcPPolicyCheckModule: /usr/lib/ldap/pqchecker.so
 EOF
        if ldapmodify -H ldapi:/// -Y EXTERNAL -f /tmp/migrate_ppolicy_26.ldif 2>&1 | log INFO; then
          log INFO "Successfully migrated password policy overlay configuration"
          if [[ $has_legacy_config == true ]]; then
            log WARN "Legacy pwdCheckModule entries found in password policy entries."
            log WARN "These are now ignored in OpenLDAP 2.6 and can be removed manually if desired."
            log WARN "The password checking functionality is now handled by the overlay configuration."
          fi
        else
          log ERROR "Failed to apply password policy overlay migration"
          exit 1
        fi
        rm -f /tmp/migrate_ppolicy_26.ldif
      fi
    fi
    # Update version in initialized file
    echo "$config_version" > "$initialized_file"
    # Stop LDAP server after migrations
    slapd stop
    log INFO "Configuration migration completed"
  elif [[ "$last_version" != "$config_version" ]]; then
    log WARN "Unknown configuration version: $last_version (expected: $config_version)"
    log WARN "Skipping migrations - manual intervention may be required"
  else
    log INFO "Configuration is up to date (version: $config_version)"
  fi
 fi
 echo "$LDAP_PPOLICY_PQCHECKER_RULE" >/etc/ldap/pqchecker/pqparams.dat
@ -228,53 +435,10 @@ echo "$LDAP_PPOLICY_PQCHECKER_RULE" >/etc/ldap/pqchecker/pqparams.dat
 #################################################################
 # TLS configuration
 #################################################################
 case "${LDAP_TLS_ENABLED:-}" in
  true|false) ;;
  auto) [[ -f $LDAP_TLS_CERT_FILE && -f $LDAP_TLS_KEY_FILE ]] && LDAP_TLS_ENABLED=true || LDAP_TLS_ENABLED=false ;;
  *) log ERROR "LDAP_TLS_ENABLED must be auto|true|false"; exit 1 ;;
 esac
 SLAPD_EXTRA_URLS=""
 if [[ $LDAP_TLS_ENABLED == true ]]; then
-  log INFO "======================================="
+  log BOX "Enabling TLS support..."
  log INFO "Enabling TLS support..."
  log INFO "======================================="
  if ! [[ "$LDAP_TLS_SSF" =~ ^[0-9]+$ ]] || (( LDAP_TLS_SSF < 0 || LDAP_TLS_SSF > 256 )); then
    log ERROR "LDAP_TLS_SSF must be an integer between 0 and 256 (got '$LDAP_TLS_SSF')"
    exit 1
  fi
  case "${LDAP_LDAPS_ENABLED:-}" in
    true|false) log INFO "LDAPS enabled (port 636): $LDAP_LDAPS_ENABLED";;
    *) log ERROR "LDAP_LDAPS_ENABLED must be true|false"; exit 1 ;;
  esac
  case "${LDAP_TLS_VERIFY_CLIENT:-}" in
    never|allow|try|demand) log INFO "TLS_VERIFY_CLIENT: $LDAP_TLS_VERIFY_CLIENT";;
    *) log ERROR "LDAP_LDAPS_ENABLED must be true|false"; exit 1 ;;
  esac
  if [[ ! -f ${LDAP_TLS_KEY_FILE:-} ]]; then
    log ERROR "TLS requested but LDAP_TLS_KEY_FILE [${LDAP_TLS_KEY_FILE:-}] not accessible"
    exit 1
  fi
  if [[ ! -f ${LDAP_TLS_CERT_FILE:-} ]]; then
    log ERROR "TLS requested but LDAP_TLS_CERT_FILE [${LDAP_TLS_CERT_FILE:-}] not accessible"
    exit 1
  fi
  install -d -o openldap -g openldap -m 0755 /etc/ldap/certs
  install -o openldap -g openldap -m 0600 "$LDAP_TLS_KEY_FILE" /etc/ldap/certs/server.key
  install -o openldap -g openldap -m 0644 "$LDAP_TLS_CERT_FILE" /etc/ldap/certs/server.crt
  if [[ -f ${LDAP_TLS_CA_FILE:-} ]]; then
    install -d -o openldap -g openldap -m 0755 /etc/ldap/certs
    install -o openldap -g openldap -m 0644 "$LDAP_TLS_CA_FILE" /etc/ldap/certs/ca.crt
  fi
  # configure TLS key material
  cat >/tmp/tls.ldif <<EOF
@ -316,9 +480,7 @@ EOF
  fi
 else
-  log INFO "======================================="
+  log BOX "Ensuring TLS support is disabled..."
  log INFO "Ensuring TLS support is disabled..."
  log INFO "======================================="
  cat >/tmp/tls.ldif <<EOF
 dn: cn=config
 changetype: modify
@ -336,14 +498,7 @@ EOF
 fi
 # apply TLS configuration
-/etc/init.d/slapd start 2>&1 | log INFO
+slapd start
 # await ldap server start
 for _ in {1..8}; do
  if ldapwhoami -H ldapi:/// | log INFO; then
    break
  fi
  sleep 1
 done
 if [[ ${LDAP_TLS_ENABLED} == true ]]; then
  ldif modify -Y EXTERNAL /tmp/tls.ldif
 else
@ -352,8 +507,8 @@ fi
 rm -f /tmp/tls.ldif
-/etc/init.d/slapd stop | log INFO
+slapd stop
-sleep 3
+
 #################################################################
 # Configure background task for LDAP backup
@ -365,9 +520,7 @@ if [[ -n ${LDAP_BACKUP_TIME:-} ]]; then
    exit 1
  fi
-  log INFO "======================================="
+  log BOX "Configuring LDAP backup task to run daily: time=[${LDAP_BACKUP_TIME}] file=[$LDAP_BACKUP_FILE]..."
  log INFO "Configuring LDAP backup task to run daily: time=[${LDAP_BACKUP_TIME}] file=[$LDAP_BACKUP_FILE]..."
  log INFO "======================================="
  if [[ ! $LDAP_BACKUP_TIME =~ ^([01][0-9]|2[0-3]):[0-5][0-9]$ ]]; then
    log ERROR "The configured value [$LDAP_BACKUP_TIME] for LDAP_BACKUP_TIME is not in the expected 24-hour format [hh:mm]!"
    exit 1
@ -394,11 +547,9 @@ fi
 #################################################################
 # Start LDAP service
 #################################################################
-log INFO "***************************************"
+log BOX "Starting OpenLDAP: slapd..."
 log INFO "* Starting OpenLDAP: slapd..."
 log INFO "***************************************"
-# build an array of “-d <level>” for each level in LDAP_LOG_LEVELS
+# build an array of "-d <level>" for each level in LDAP_LOG_LEVELS
 log_opts=()
 for lvl in ${LDAP_LOG_LEVELS:-}; do
  log_opts+=("-d" "$lvl")