Merge pull request #3 from SachinKSingh28/master

Updated ldap configuration with active directory support

Dockerfile

@@ -8,6 +8,7 @@ ENV LDAP_ENABLED=true \
     LDAP_SEARCH_BASE="" \
     LDAP_URL="" \
     LDAP_PORT=389 \
+    LDAP_AUTH_PROTOCOL=ldap \
     LDAP_USER_EMAIL_ATTRIBUTE=mail \
     LDAP_GROUPS_AS_ROLES=true \
     LDAP_GROUP_BASE_DN=ou=groups \
@@ -25,7 +26,7 @@ ENV LDAP_ENABLED=true \
 USER root
 
 COPY resources/nexus.sh /usr/local/bin/
-COPY resources/conf/ /resources/
+COPY resources/ /resources/
 
 RUN chmod u+x /usr/local/bin/nexus.sh
 

README.md

@@ -48,11 +48,12 @@ Example run command:
          -e LDAP_BIND_PASSWORD=password \ 
          accenture/adop-nexus:VERSION
 
-The image reads the following LDAP environment variables:
+The image reads the following LDAP environment variables for ADOP OpenLDAP or LDAP_TYPE is 'openldap':
 
   * searchBase - `${LDAP_SEARCH_BASE}`
   * systemUsername - `${LDAP_BIND_DN}`
   * systemPassword - `${LDAP_BIND_PASSWORD}`
+  * protocol - `${LDAP_AUTH_PROTOCOL}`
   * host - `${LDAP_URL}`
   * port - `${LDAP_PORT:-389}`
   * emailAddressAttribute - `${LDAP_USER_EMAIL_ATTRIBUTE:-mail}`
@@ -68,6 +69,16 @@ The image reads the following LDAP environment variables:
   * userBaseDn - `${LDAP_USER_BASE_DN}`
   * userRealNameAttribute - `${LDAP_USER_REAL_NAME_ATTRIBUTE:-cn}`
 
+Additionally, the image reads the following LDAP environment variables if you want to use a Windows Active Directory or LDAP_TYPE is 'active_directory':
+
+  * groupIdAttribute - `${LDAP_GROUP_ID_ATTRIBUTE:-cn}`
+  * groupMemberAttribute - `${LDAP_GROUP_MEMBER_ATTRIBUTE-uniqueMember}`
+  * groupObjectClass - `${LDAP_GROUP_OBJECT_CLASS:-groups}`
+  * userIdAttribute - `${LDAP_USER_ID_ATTRIBUTE:-sAMAccountName}`
+  * userObjectClass - `${LDAP_USER_OBJECT_CLASS:-person}`
+  * userBaseDn - `${LDAP_USER_BASE_DN}`
+  * userRealNameAttribute - `${LDAP_USER_REAL_NAME_ATTRIBUTE:-cn}`
+
 > [Sonatype/Nexus/plugin/LDAP/Documentation](https://books.sonatype.com/nexus-book/reference/ldap.html)
 
 ## Other configuration variables
@@ -77,7 +88,15 @@ The image reads the following LDAP environment variables:
  * `MIN_HEAP`, passed as -Xms. Defaults to 256m.
  * `JAVA_OPTS`. Additional options can be passed to the JVM via this variable. Default: -server -XX:MaxPermSize=192m -Djava.net.preferIPv4Stack=true.
  * `NEXUS_BASE_URL`, the nexus base URL
-
+ * `NEXUS_PROXY_HOST`, the proxy server that connects to Maven public repository. This is used if the Nexus Docker host has strict firewall implementation.
+ * `NEXUS_PROXY_PORT`, the proxy server port.
+ * `NEXUS_CENTRAL_REPO_URL`, if you want to change the Central Repo default maven public repository https://repo1.maven.org/maven2/
+ * `NEXUS_CREATE_CUSTOM_ROLES`, if set to true, create custom roles according to the environment custom role variables:.
+ * `NEXUS_CUSTOM_ADMIN_ROLE` , if set, create a custom group name with nx-admin role.
+ * `NEXUS_CUSTOM_DEV_ROLE` , if set, create a custom group name with nx-developer role.
+ * `NEXUS_CUSTOM_DEPLOY_ROLE`, if set, create a custom group name with nx-deployment role.
+
+
 # License
 Please view [licence information](LICENCE.md) for the software contained on this image.
 

resources/conf/security.xml → resources/conf/unmanaged/security.xml

@@ -11,6 +11,9 @@
       <email>adop@adop</email>
     </user>
   </users>
+  <roles>
+  <!--insert-roles-->
+  </roles>
   <userRoleMappings>
     <userRoleMapping>
       <userId>admin</userId>
@@ -20,4 +23,4 @@
       </roles>
     </userRoleMapping>
   </userRoleMappings>
-</security>
+</security>

resources/nexus.sh

@@ -6,67 +6,151 @@ echo "$(date) - LDAP Enabled: ${LDAP_ENABLED}"
 
 # Copy config files.
 mkdir -p ${NEXUS_HOME}conf
-cp -R /resources/* ${NEXUS_HOME}conf
+
+# Nexus configuration is split into two catagories -
+# * Managed : Configuration which is updated everytime container is restarted 
+# * Unmanaged : Configuration which is copied only if the files is missing.
+cp -R /resources/conf/managed/* ${NEXUS_HOME}conf
+cp -R -n /resources/conf/unmanaged/* ${NEXUS_HOME}conf
+
 
 # Delete lock file if instance was not shutdown cleanly.
 if [ -e "${NEXUS_HOME}/nexus.lock" ] 
-	then
-	echo "$(date) Application was not shutdown cleanly, deleting lock file."
-	rm -rf ${NEXUS_HOME}/nexus.lock
+       then
+       echo "$(date) Application was not shutdown cleanly, deleting lock file."
+       rm -rf ${NEXUS_HOME}/nexus.lock
 fi
-
+ 
 if [ -n "${NEXUS_BASE_URL}" ]
-	then
-	# Add base url - requests timeout if incorrect
-	sed -i "s#<baseUrl>.*#<baseUrl>${NEXUS_BASE_URL}</baseUrl>#" ${NEXUS_HOME}/conf/nexus.xml
-	echo "$(date) Base URL: ${NEXUS_BASE_URL}"
+       then
+       # Add base url - requests timeout if incorrect
+       sed -i "s#<baseUrl>.*#<baseUrl>${NEXUS_BASE_URL}</baseUrl>#" ${NEXUS_HOME}/conf/nexus.xml
+       echo "$(date) - Base URL: ${NEXUS_BASE_URL}"
 fi
 
+# Update Remote proxy configuration
+if [[ -n "${NEXUS_PROXY_HOST}" ]] && [[ -n "${NEXUS_PROXY_PORT}" ]]
+    then
+    echo "$(date) - Proxy Host: ${NEXUS_PROXY_HOST}"
+    echo "$(date) - Proxy Port: ${NEXUS_PROXY_PORT}"
+    REMOTE_PROXY_SETTINGS="<remoteProxySettings>\
+    \n    <httpProxySettings>\
+    \n      <proxyHostname>${NEXUS_PROXY_HOST}</proxyHostname>\
+    \n      <proxyPort>${NEXUS_PROXY_PORT}</proxyPort>\
+    \n    </httpProxySettings>\
+    \n  </remoteProxySettings>"
+   sed -i "s+<remoteProxySettings />+${REMOTE_PROXY_SETTINGS}+" ${NEXUS_HOME}/conf/nexus.xml
+fi 
+
+# Update Central Repo configuration
+if [ ! -z "${NEXUS_CENTRAL_REPO_URL}" ]
+        then
+        echo "$(date) - Central Repository URL: ${NEXUS_CENTRAL_REPO_URL}"
+        sed -i "s#https://repo1.maven.org/maven2/#${NEXUS_CENTRAL_REPO_URL}#" ${NEXUS_HOME}/conf/nexus.xml
+fi
+
+insert_role () {
+	ROLE=$1
+	ROLE_TYPE=$2
+	INSERT_ROLE="<role>\
+         \n      <id>${ROLE}</id>\
+         \n      <name>${ROLE}</name>\
+         \n      <roles>\
+         \n        <role>nx-${ROLE_TYPE}</role>\
+         \n      </roles>\
+         \n    </role>"
+	if egrep "<id>${ROLE}</id>" ${NEXUS_HOME}/conf/security.xml >/dev/null ; then
+		echo "$(date) - Role ${ROLE} already exists, Skipping..."
+	else
+		echo "$(date) - ${ROLE_TYPE} role added: ${ROLE}"
+		sed -i "s+<!--insert-roles-->+<!--insert-roles-->\n    ${INSERT_ROLE}+" ${NEXUS_HOME}/conf/security.xml
+	fi
+}
+
 if [ "${LDAP_ENABLED}" = true ]
   then
+
+  if [ ${NEXUS_CREATE_CUSTOM_ROLES} = true ]; then
+    echo "$(date) - Creating custom roles and mappings..."
+    [[ -n "${NEXUS_CUSTOM_ADMIN_ROLE}" ]] && insert_role ${NEXUS_CUSTOM_ADMIN_ROLE} admin
+    [[ -n "${NEXUS_CUSTOM_DEPLOY_ROLE}" ]] && insert_role ${NEXUS_CUSTOM_DEPLOY_ROLE} deployment
+    [[ -n "${NEXUS_CUSTOM_DEV_ROLE}" ]] && insert_role ${NEXUS_CUSTOM_DEV_ROLE} developer
+  fi
+
+  echo "$(date) - Disabling default XMLauth..."
+  # Delete default authentication realms (XMLauth..) from Nexus if LDAP auth is enabled
+  # If you get locked out of nexus, restart nexus with LDAP_ENABLED=false.
+  sed -i "/[a-zA-Z]*Xml*[a-zA-Z]/d"  ${NEXUS_HOME}/conf/security-configuration.xml
+
+  # Define the correct LDAP user and group mapping configurations
+  LDAP_TYPE=${LDAP_TYPE:-openldap}
+  echo "$(date) - LDAP Type: ${LDAP_TYPE}"
+
+  case $LDAP_TYPE in
+  'openldap')
+   LDAP_USER_GROUP_CONFIG="  <userAndGroupConfig>
+        <emailAddressAttribute>${LDAP_USER_EMAIL_ATTRIBUTE:-mail}</emailAddressAttribute>
+        <ldapGroupsAsRoles>${LDAP_GROUPS_AS_ROLES:-true}</ldapGroupsAsRoles>
+        <groupBaseDn>${LDAP_GROUP_BASE_DN}</groupBaseDn>
+        <groupIdAttribute>${LDAP_GROUP_ID_ATTRIBUTE:-cn}</groupIdAttribute>
+        <groupMemberAttribute>${LDAP_GROUP_MEMBER_ATTRIBUTE-uniqueMember}</groupMemberAttribute>
+        <groupMemberFormat>\${${LDAP_GROUP_MEMBER_FORMAT:-dn}}</groupMemberFormat>
+        <groupObjectClass>${LDAP_GROUP_OBJECT_CLASS:-groupOfUniqueNames}</groupObjectClass>
+        <preferredPasswordEncoding>${LDAP_PREFERRED_PASSWORD_ENCODING:-crypt}</preferredPasswordEncoding>
+        <userIdAttribute>${LDAP_USER_ID_ATTRIBUTE:-uid}</userIdAttribute>
+        <userPasswordAttribute>${LDAP_USER_PASSWORD_ATTRIBUTE:-password}</userPasswordAttribute>
+        <userObjectClass>${LDAP_USER_OBJECT_CLASS:-inetOrgPerson}</userObjectClass>
+        <userBaseDn>${LDAP_USER_BASE_DN}</userBaseDn>
+        <userRealNameAttribute>${LDAP_USER_REAL_NAME_ATTRIBUTE:-cn}</userRealNameAttribute>
+      </userAndGroupConfig>"
+  ;;
 
- # Delete default authentication realms (XMLauth..) from Nexus if LDAP auth is enabled
- # If you get locked out of nexus, restart nexus with LDAP_ENABLED=false.
- sed -i "/[a-zA-Z]*Xml*[a-zA-Z]/d"  ${NEXUS_HOME}/conf/security-configuration.xml
+  'active_directory')
+   LDAP_USER_GROUP_CONFIG="  <userAndGroupConfig>
+        <emailAddressAttribute>${LDAP_USER_EMAIL_ATTRIBUTE:-mail}</emailAddressAttribute>
+        <ldapGroupsAsRoles>${LDAP_GROUPS_AS_ROLES:-true}</ldapGroupsAsRoles>
+	<groupBaseDn>${LDAP_GROUP_BASE_DN}</groupBaseDn>
+        <groupIdAttribute>${LDAP_GROUP_ID_ATTRIBUTE:-cn}</groupIdAttribute>
+        <groupMemberAttribute>${LDAP_GROUP_MEMBER_ATTRIBUTE-uniqueMember}</groupMemberAttribute>
+        <groupMemberFormat>\${${LDAP_GROUP_MEMBER_FORMAT:-dn}}</groupMemberFormat>
+        <groupObjectClass>${LDAP_GROUP_OBJECT_CLASS:-groups}</groupObjectClass>
+        <userIdAttribute>${LDAP_USER_ID_ATTRIBUTE:-sAMAccountName}</userIdAttribute>
+        <userObjectClass>${LDAP_USER_OBJECT_CLASS:-person}</userObjectClass>
+        <userBaseDn>${LDAP_USER_BASE_DN}</userBaseDn>
+        <userRealNameAttribute>${LDAP_USER_REAL_NAME_ATTRIBUTE:-cn}</userRealNameAttribute>
+      </userAndGroupConfig>"
+   ;;
+  *)
+   echo "Unsupported LDAP_TYPE - ${LDAP_TYPE}. Only supports openldap or active_directory."
+   exit 1
+   ;;
+  esac
+
+cat > ${NEXUS_HOME}/conf/ldap.xml <<- EOM
+<?xml version="1.0" encoding="UTF-8"?>
+<ldapConfiguration>
+  <version>2.8.0</version>
+  <connectionInfo>
+    <searchBase>${LDAP_SEARCH_BASE}</searchBase>
+    <systemUsername>${LDAP_BIND_DN}</systemUsername>
+    <systemPassword>${LDAP_BIND_PASSWORD}</systemPassword>
+    <authScheme>simple</authScheme>
+    <protocol>${LDAP_AUTH_PROTOCOL:-ldap}</protocol>
+    <host>${LDAP_URL}</host>
+    <port>${LDAP_PORT:-389}</port>
+  </connectionInfo>
+${LDAP_USER_GROUP_CONFIG}
+</ldapConfiguration>
+EOM
 
-	cat > ${NEXUS_HOME}/conf/ldap.xml <<- EOM  
-		<?xml version="1.0" encoding="UTF-8"?>
-		<ldapConfiguration>
-		  <version>2.8.0</version>
-		  <connectionInfo>
-		    <searchBase>${LDAP_SEARCH_BASE}</searchBase>
-		    <systemUsername>${LDAP_BIND_DN}</systemUsername>
-		    <systemPassword>${LDAP_BIND_PASSWORD}</systemPassword>
-		    <authScheme>simple</authScheme>
-		    <protocol>ldap</protocol>
-		    <host>${LDAP_URL}</host>
-		    <port>${LDAP_PORT:-389}</port>
-		  </connectionInfo>
-		  <userAndGroupConfig>
-		    <emailAddressAttribute>${LDAP_USER_EMAIL_ATTRIBUTE:-mail}</emailAddressAttribute>
-		    <ldapGroupsAsRoles>${LDAP_GROUPS_AS_ROLES:-true}</ldapGroupsAsRoles>
-		    <groupBaseDn>${LDAP_GROUP_BASE_DN}</groupBaseDn>
-		    <groupIdAttribute>${LDAP_GROUP_ID_ATTRIBUTE:-cn}</groupIdAttribute>
-		    <groupMemberAttribute>${LDAP_GROUP_MEMBER_ATTRIBUTE-uniqueMember}</groupMemberAttribute>
-		    <groupMemberFormat>\${${LDAP_GROUP_MEMBER_FORMAT:-dn}}</groupMemberFormat>
-		    <groupObjectClass>${LDAP_GROUP_OBJECT_CLASS:-groupOfUniqueNames}</groupObjectClass>
-		    <preferredPasswordEncoding>${LDAP_PREFERRED_PASSWORD_ENCODING:-crypt}</preferredPasswordEncoding>
-		    <userIdAttribute>${LDAP_USER_ID_ATTRIBUTE:-uid}</userIdAttribute>
-		    <userPasswordAttribute>${LDAP_USER_PASSWORD_ATTRIBUTE:-password}</userPasswordAttribute>
-		    <userObjectClass>${LDAP_USER_OBJECT_CLASS:-inetOrgPerson}</userObjectClass>
-		    <userBaseDn>${LDAP_USER_BASE_DN}</userBaseDn>
-		    <userRealNameAttribute>${LDAP_USER_REAL_NAME_ATTRIBUTE:-cn}</userRealNameAttribute>
-		  </userAndGroupConfig>
-		</ldapConfiguration>
-	EOM
 else
-	# Delete LDAP realm
-	sed -i "/[a-zA-Z]*Ldap*[a-zA-Z]/d" ${NEXUS_HOME}/conf/security-configuration.xml
+    # Delete LDAP realm
+    sed -i "/[a-zA-Z]*Ldap*[a-zA-Z]/d" ${NEXUS_HOME}/conf/security-configuration.xml
 fi
-
+ 
 # chown the nexus home directory
 chown -R nexus:nexus ${NEXUS_HOME}
-
+ 
 # start nexus as the nexus user
 su -c "java \
 -Dnexus-work=${SONATYPE_WORK} -Dnexus-webapp-context-path=${CONTEXT_PATH} \