diff --git a/README.md b/README.md
index a0a760c..8824f1b 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ ### Initial configuration
 LDAP_INIT_ROOT_USER_DN='uid=admin,${LDAP_INIT_ORG_DN}'
 LDAP_INIT_ROOT_USER_PW='changeit'
 LDAP_INIT_RFC2307BIS_SCHEMA=0 # 0=use NIS (RFC2307) schema, 1=use RFC2307bis schema
+LDAP_INIT_ALLOW_CONFIG_ACCESS='true' # if set to true, the "cn=config" namespace can be read/edited by LDAP admins
 ```
 
 Environment variables can for example be set using `docker run` with `-e`, e.g.
diff --git a/image/Dockerfile b/image/Dockerfile
index 9ed8791..4be8485 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -90,6 +90,7 @@ ENV \
 LDAP_INIT_ADMIN_GROUP_DN='cn=ldapadmins,ou=Groups,${LDAP_INIT_ORG_DN}' \
 LDAP_INIT_ROOT_USER_DN='uid=admin,${LDAP_INIT_ORG_DN}' \
 LDAP_INIT_ROOT_USER_PW='' \
+ LDAP_INIT_ALLOW_CONFIG_ACCESS='false' \
 LDAP_INIT_PPOLICY_DEFAULT_DN='cn=DefaultPasswordPolicy,ou=Policies,${LDAP_INIT_ORG_DN}' \
 LDAP_INIT_PPOLICY_PW_MIN_LENGTH=8 \
 LDAP_INIT_PPOLICY_MAX_FAILURES=3 \
diff --git a/image/ldifs/init_config_admin_access.ldif b/image/ldifs/init_config_admin_access.ldif
new file mode 100644
index 0000000..cf2078b
--- /dev/null
+++ b/image/ldifs/init_config_admin_access.ldif
@@ -0,0 +1,7 @@
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: to *
+ by dn="${LDAP_INIT_ROOT_USER_DN}" write
+ by group/groupOfUniqueNames/uniqueMember="${LDAP_INIT_ADMIN_GROUP_DN}" write
+ by * none
diff --git a/image/run.sh b/image/run.sh
index a909445..3cd7638 100644
--- a/image/run.sh
+++ b/image/run.sh
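Review bot: The new `olcAccess` rule grants `write` on the entire config database, which lets every member of `${LDAP_INIT_ADMIN_GROUP_DN}` rewrite olcAccess, olcRootPW and module/overlay settings — that is full control of the server, not merely the "read/edited" the README comment suggests — so this file deserves a header comment like `# NOTE: write access to cn=config is equivalent to full server control; membership of the admin group must be treated as root-equivalent` and the README wording should say the same. Because `add: olcAccess` appends after whatever rules `olcDatabase={0}config` already carries, the new rule is only evaluated if the existing rule ends in `by * break` (the stock packaged config does, but that is not visible here), so verifying the effective ACL once after first start with `slapcat -b cn=config` and documenting the expected ordering would avoid a silently inert rule. The `${...}` placeholders are presumably substituted by the `ldif` helper before loading — confirm, since an unexpanded literal in the `dn=` pattern would match nobody and the flag would grant nothing.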
@@ -138,6 +138,10 @@ if [ ! -e /etc/ldap/slapd.d/initialized ]; then ldif add -Y EXTERNAL /opt/ldifs/init_module_unique.ldif ldif add -Y EXTERNAL /opt/ldifs/init_module_ppolicy.ldif + if [ "${LDAP_INIT_ALLOW_CONFIG_ACCESS:-false}" == "true" ]; then + ldif modify -Y EXTERNAL /opt/ldifs/init_config_admin_access.ldif + fi + LDAP_INIT_ORG_DN_ATTR=$(substr_before $LDAP_INIT_ORG_DN "," | str_replace "=" ": ") # referenced by init_org_tree.ldif ldif add -x -D "$LDAP_INIT_ROOT_USER_DN" -w "$LDAP_INIT_ROOT_USER_PW" /opt/ldifs/init_org_tree.ldif ldif add -x -D "$LDAP_INIT_ROOT_USER_DN" -w "$LDAP_INIT_ROOT_USER_PW" /opt/ldifs/init_org_ppolicy.ldif
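Review bot: `==` inside single-bracket `[ ]` is a bash extension while the surrounding code uses POSIX `[ ! -e … ]`; writing the new test as `if [ "${LDAP_INIT_ALLOW_CONFIG_ACCESS:-false}" = "true" ]; then` keeps it consistent and avoids a syntax error if the script is ever run under /bin/sh. The check sits inside the first-start `if [ ! -e /etc/ldap/slapd.d/initialized ]` block, which begins and ends outside this hunk, so toggling the variable on a later container start neither grants nor revokes the cn=config access — a comment such as `# evaluated on first initialization only; later changes require editing cn=config directly` (plus a sentence in the README) would prevent surprises. Like the neighbouring `ldif add` calls, the result of `ldif modify -Y EXTERNAL` is not checked here; if the helper does not exit non-zero under an active `set -e` (not visible), a failed ACL load would leave the admin group silently without the access the README promises.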