Version 0.1.0

.editorconfig

@@ -3,21 +3,18 @@ root = true
 [*]
 charset = utf-8
 end_of_line = lf
-indent_size = 4
+indent_size = 2
 indent_style = space
 insert_final_newline = true
-max_line_length = 120
+max_line_length = 80
 trim_trailing_whitespace = true
 
 [*.md]
 max_line_length = off
 trim_trailing_whitespace = false
 
-[*.{ini, cfg}]
-indent_size = 2
-
 [*.{yaml, yml}]
-indent_size = 2
+max_line_length = 120
 
 [Makefile]
 indent_size = 1

.github/workflows/lint.yml

@@ -0,0 +1,35 @@
+---
+name: Lint
+
+'on':
+  push:
+    branches: ['*']
+  workflow_dispatch:
+
+jobs:
+  hadolint:
+    name: Hadolint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: docker://pipelinecomponents/hadolint:latest
+        with:
+          args: hadolint Dockerfile
+
+  shellcheck:
+    name: ShellCheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: docker://pipelinecomponents/shellcheck:latest
+        with:
+          args: shellcheck docker/docker-entrypoint.sh
+
+  yamllint:
+    name: Yamllint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: docker://pipelinecomponents/yamllint:latest
+        with:
+          args: yamllint .

.hadolint.yaml

@@ -0,0 +1,4 @@
+---
+
+ignored:
+  - DL3018

.shellcheckrc

@@ -0,0 +1,4 @@
+color=auto
+enable=all
+severity=warning
+shell=bash

Dockerfile

@@ -0,0 +1,53 @@
+FROM php:7.4-fpm-alpine
+
+RUN apk add --no-cache \
+    multirun \
+    # docker-entrypoint.sh
+    bash gettext openldap-clients patch \
+    # Web server
+    nginx phpldapadmin \
+    # OpenLDAP
+    openldap openldap-back-mdb \
+    # ldap.h for PHP 'ldap' package
+    openldap-dev \
+    # bindtextdomain() for PHP 'gettext'
+    musl-libintl \
+ && docker-php-ext-install -j "$(nproc)" gettext ldap \
+ && rm -rf /var/cache/apk/*
+
+
+WORKDIR /docker-entrypoint.d/
+COPY ./docker/ /
+
+
+# OpenLDAP
+ENV DOMAIN_NAME="local"
+ENV LDAPCONF=/etc/openldap/slapd.conf
+ENV LDAP_CONF_DIR=/etc/openldap/slapd.d
+ENV LDAP_INIT_DIR=/var/lib/openldap/openldap-init
+ENV LDAP_LOG_LEVEL="1024"
+ENV LDAP_ROOT_PASSWORD="changeme"
+ENV LDAP_ROOT_USERNAME="root"
+
+RUN mkdir -p "$LDAP_CONF_DIR" \
+ && mv /var/lib/openldap/openldap-data/DB_CONFIG.example /docker-entrypoint.d/openldap/DB_CONFIG \
+ && rm -f "$LDAPCONF"
+
+VOLUME /var/lib/openldap/openldap-data
+VOLUME /var/lib/openldap/openldap-init
+
+EXPOSE 389/tcp
+
+
+# Nginx, PHP, phpLDAPadmin
+RUN rm -rf /etc/nginx/conf.d/default.conf /usr/local/etc/php-fpm.d/*
+
+EXPOSE 80/udp
+
+
+# Entrypoint
+ENV DISABLE_PHPLDAPADMIN=""
+
+WORKDIR /
+
+CMD ["/docker-entrypoint.sh"]

Makefile

@@ -1,6 +1,32 @@
+NAME = homelab-ldap
+
+# Docker
+
+build:
+	@docker build -t $(NAME) .
+
+build-nocache:
+	@docker build -t $(NAME) --no-cache .
+
+run:
+	@docker rm -f $(NAME) || true
+	docker run --rm --name $(NAME) -p 8088:80 -p 389:389 $(NAME)
+
+# QA
+
+hadolint:
+	@hadolint --version
+	@hadolint Dockerfile
+
+shellcheck:
+	@shellcheck --version
+	@shellcheck docker/docker-entrypoint.sh
 
 yamllint:
 	@yamllint --version
 	@yamllint --strict .
 
-lint-all: yamllint
+lint-all: hadolint shellcheck yamllint
+
+
+.PHONY: build build-nocache hadolint run shellcheck yamllint

README.md

@@ -1,7 +1,82 @@
-[![QA Build Status](https://travis-ci.com/danie1k/homelab-???.svg?branch=master)](https://travis-ci.com/danie1k/homelab-???)
-[![Docker Hub Build Status](https://img.shields.io/docker/cloud/build/danie1k/homelab-???)](https://hub.docker.com/repository/docker/danie1k/homelab-???)
-[![Docker Image Version](https://img.shields.io/docker/v/danie1k/homelab-???)](https://hub.docker.com/repository/docker/danie1k/homelab-???)
-[![MIT License](https://img.shields.io/github/license/danie1k/homelab-???)](https://github.com/danie1k/homelab-???/blob/master/LICENSE)
+[![QA Build Status](https://github.com/danie1k/homelab-ldap/workflows/Lint/badge.svg)](https://github.com/danie1k/homelab-ldap/actions?query=workflow%3ALint)
+[![Docker Hub Build Status](https://img.shields.io/docker/cloud/build/danie1k/homelab-ldap)](https://hub.docker.com/repository/docker/danie1k/homelab-ldap)
+[![Docker Image Version](https://img.shields.io/docker/v/danie1k/homelab-ldap)](https://hub.docker.com/repository/docker/danie1k/homelab-ldap)
+[![MIT License](https://img.shields.io/github/license/danie1k/homelab-ldap)](https://github.com/danie1k/homelab-ldap/blob/master/LICENSE)
 
-# 
+# OpenLDAP server with built-in phpLDAPadmin
 
+This container is far from perfect and set only the minimum needed settings (especially when it comes to [OpenLDAP] server),
+but does its job and can be a great base for building much more complex solution.
+
+Based on:
+- https://github.com/docker-library/php/blob/master/7.4/alpine3.13/fpm/Dockerfile
+- https://github.com/nextcloud/docker/blob/master/20.0/apache/Dockerfile
+
+## Included services
+- [nginx]
+- [OpenLDAP]
+- [phpLDAPadmin]
+
+
+## Environment Variables you should set
+
+- `DOMAIN_NAME` -- Domain name for LDAP suffix
+- `LDAP_ROOT_USERNAME` -- root/admin user name for [OpenLDAP]
+- `LDAP_ROOT_PASSWORD` -- password for [OpenLDAP] root/admin user \*
+
+\* Plain-text password is possible, but not recommended! To generate password hash,
+   use the [`slappasswd`] command and set this environment variable to value returned by [`slappasswd`].  
+   If you don't want to install this command, use:
+
+   ```shell
+   $ docker run --rm -it alpine:latest sh -c 'apk add openldap 2>/dev/null; slappasswd'
+   ```
+
+*nginx, php & phpLDAPadmin can be disabled altogether by setting `DISABLE_PHPLDAPADMIN="1"` environment variable.*
+
+
+## Exposed Ports
+
+- `80` (tcp) -- [phpLDAPadmin] via [nginx]
+- `389` (tcp) -- [OpenLDAP]
+
+
+## Volumes
+
+- `/var/lib/openldap/openldap-data` -- [OpenLDAP] database
+- `/var/lib/openldap/openldap-init` -- custom [LDIF] config files for [OpenLDAP]
+
+
+## Useful commands
+
+- Test LDAP root login:
+  ```shell
+  ldapsearch -D 'cn=root,dc=example,dc=com' -W '(objectclass=*)' -b 'dc=example,dc=com'
+  ```
+
+
+## Useful links
+
+### LDAP/OpenLDAP (`slapd`) documentation
+
+- https://wiki.archlinux.org/index.php/OpenLDAP
+- https://linux.die.net/man/5/slapd.conf
+- https://ldapwiki.com/wiki/
+- [log levels](ttp://www.openldap.org/doc/admin24/slapdconf2.html)
+
+### phpLDAPadmin documentation
+
+- https://wiki.archlinux.org/index.php/PhpLDAPadmin
+- http://phpldapadmin.sourceforge.net/wiki/index.php/LDAP_server_definitions
+
+
+## License 
+
+MIT
+
+
+[LDIF]: https://www.openldap.org/software//man.cgi?query=LDIF&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release
+[OpenLDAP]: https://www.openldap.org/
+[nginx]: https://www.nginx.com/
+[phpLDAPadmin]: http://phpldapadmin.sourceforge.net/
+[`slappasswd`]: https://command-not-found.com/slappasswd

docker/docker-entrypoint.d/nginx/default.conf

@@ -0,0 +1,21 @@
+server {
+  listen 80 default_server;
+
+  root /usr/share/webapps/phpldapadmin/htdocs;
+  index index.php index.html;
+
+  location = /favicon.ico {
+    return 404;
+    log_not_found off;
+  }
+
+  location ~ \.php$ {
+    include fastcgi_params;
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+    fastcgi_pass  127.0.0.1:9000;
+    # Mitigate https://httpoxy.org/ vulnerabilities
+    fastcgi_param HTTP_PROXY "";
+  }
+}

docker/docker-entrypoint.d/nginx/nginx.conf

@@ -0,0 +1,20 @@
+pid /var/run/nginx.pid;
+user www-data www-data;
+worker_processes 2;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  access_log   off;
+  aio          on;
+  default_type application/octet-stream;
+  directio     8m;
+  error_log    /proc/self/fd/2 warn;
+  include      mime.types;
+  sendfile     on;
+  tcp_nopush   on;
+
+  include /etc/nginx/http.d/*.conf;
+}

docker/docker-entrypoint.d/openldap/base-init.template.ldif

@@ -0,0 +1,6 @@
+dn: ${LDAP_DN}
+objectClass: dcObject
+objectClass: organization
+${LDAP_DC_VERTICAL}
+o: ${DOMAIN_NAME}
+description: Example directory

docker/docker-entrypoint.d/openldap/base-root-user.template.ldif

@@ -0,0 +1,4 @@
+dn: ${LDAP_ROOTDN}
+objectClass: organizationalRole
+cn: ${LDAP_ROOT_USERNAME}
+description: Directory Manager

docker/docker-entrypoint.d/openldap/slapd.template.conf

@@ -0,0 +1,68 @@
+include  /etc/openldap/schema/core.schema
+include  /etc/openldap/schema/cosine.schema
+include  /etc/openldap/schema/inetorgperson.schema
+include  /etc/openldap/schema/nis.schema
+
+# Define global ACLs to disable default read access.
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral	ldap://root.openldap.org
+
+pidfile	  /var/run/slapd.pid
+argsfile  /var/run/slapd.args
+
+# Load dynamic backend modules:
+modulepath  /usr/lib/openldap
+moduleload  back_mdb.so
+
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#	Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+#	by self write
+#	by users read
+#	by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# MDB database definitions
+#######################################################################
+
+database  mdb
+maxsize	  1073741824
+suffix	  "${LDAP_DN}"
+
+rootdn	  "${LDAP_ROOTDN}"
+rootpw	  ${LDAP_ROOTPW}
+
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory	/var/lib/openldap/openldap-data
+
+# Indices to maintain
+index  objectClass  eq
+index  uid          pres,eq
+index  mail         pres,sub,eq
+index  cn           pres,sub,eq
+index  sn           pres,sub,eq
+index  dc           eq