fix: using LDAP_INIT_ORG_DN without o attribute prevents initialization

Author: sebthom

README.md

@@ -39,8 +39,9 @@ are only evaluated on the **first** container launch. Changing their values late
 To customize the **initial** configuration you can set the following environment variables:
 
 ```sh
-LDAP_INIT_ORG_DN='dc=example,dc=com'
+LDAP_INIT_ORG_DN='DC=example,DC=com'
 LDAP_INIT_ORG_NAME='Example Corporation'
+LDAP_INIT_ORG_ATTR_O='' # optional, if not defined will be derived from LDAP_INIT_ORG_DN, e.g. DC=example,DC=com -> example.com
 LDAP_INIT_ADMIN_GROUP_DN='cn=ldap-admins,ou=Groups,${LDAP_INIT_ORG_DN}'
 LDAP_INIT_PASSWORD_RESET_GROUP_DN='cn=ldap-password-reset,ou=Groups,${LDAP_INIT_ORG_DN}' # users in this group can set password/sshPublicKey attribute of other users
 LDAP_INIT_ROOT_USER_DN='uid=admin,${LDAP_INIT_ORG_DN}'
@@ -55,9 +56,9 @@ Environment variables can for example be set in one of the following ways:
 
    ```sh
    docker run -itd \
-     -e LDAP_INIT_ORG_DN='o=yourorg' \
+     -e LDAP_INIT_ORG_DN='DC=example,DC=com' \
      -e LDAP_INIT_ROOT_USER_PW='newpassword' \
-     -e LDAP_INIT_ORG_NAME='Company Inc' \
+     -e LDAP_INIT_ORG_NAME='Example Corporation' \
      -e LDAP_INIT_PPOLICY_PW_MIN_LENGTH='12' \
      -v /my_data/ldap/var/:/var/lib/ldap/ \
      -v /my_data/ldap/etc/:/etc/ldap/slapd.d/ \
@@ -76,9 +77,9 @@ Environment variables can for example be set in one of the following ways:
 
    ```sh
    # /path/on/docker/host/my_init.sh
-   LDAP_INIT_ORG_DN='o=yourorg'
+   LDAP_INIT_ORG_DN='DC=example,DC=com'
    LDAP_INIT_ROOT_USER_PW='newpassword'
-   LDAP_INIT_ORG_NAME='Company Inc'
+   LDAP_INIT_ORG_NAME='Example Corporation'
    LDAP_INIT_PPOLICY_PW_MIN_LENGTH='12'
    ```
 

example/docker-compose/docker-compose.yml

@@ -12,7 +12,7 @@ services:
     # https://github.com/vegardit/docker-openldap
     image: vegardit/openldap:latest # https://hub.docker.com/r/vegardit/openldap
     environment:
-      LDAP_INIT_ORG_DN: o=example.com
+      LDAP_INIT_ORG_DN: DC=example,DC=com
       LDAP_INIT_ORG_NAME: Example Inc.
       LDAP_INIT_ROOT_USER_PW: CHANGE@it
       LDAP_BACKUP_TIME: # disable backup by setting to empty string
@@ -32,7 +32,7 @@ services:
       ###############################
       # PHP LDAP Admin (Port 8080)
       ###############################
-      PHPLDAPADMIN_LDAP_BASE: o=example.com
+      PHPLDAPADMIN_LDAP_BASE: DC=example,DC=com
       PHPLDAPADMIN_LDAP_CLIENT_TLS: 'false'
       PHPLDAPADMIN_LDAP_HOSTS: ldap_service
       ###############################
@@ -41,8 +41,8 @@ services:
       DEBUG_MODE: 'false'
       #LDAP connection https://ltb-project.org/documentation/self-service-password/1.3/config_ldap
       LDAP_URL: ldap://ldap_service
-      LDAP_BASE_DN: ou=Users,o=example.com
-      LDAP_USER_DN: uid=self-service-password,ou=TechnicalAccounts,ou=Users,o=example.com
+      LDAP_BASE_DN: ou=Users,DC=example,DC=com
+      LDAP_USER_DN: uid=self-service-password,ou=TechnicalAccounts,ou=Users,DC=example,DC=com
       LDAP_USER_PASSWORD: CHANGE@it
       LDAP_FILTER: '(\&(objectClass=inetOrgPerson)(uid={login}))' # backslash is mandatory!
       LDAP_LOGIN_ATTRIBUTE: 'uid'

example/docker-compose/ldifs/init_org_tree.ldif

@@ -7,7 +7,7 @@ dn: ${LDAP_INIT_ORG_DN}
 description: ${LDAP_INIT_ORG_NAME}
 objectClass: top
 objectClass: organization
-${LDAP_INIT_ORG_DN_ATTR}
+o: ${LDAP_INIT_ORG_ATTR_O}
 
 dn: ou=Groups,${LDAP_INIT_ORG_DN}
 ou: Groups

example/docker/example.env

@@ -2,13 +2,13 @@
 
 #INIT_SH_FILE=
 
-LDAP_INIT_ORG_DN=o=yourorg
+LDAP_INIT_ORG_DN=DC=example,DC=com
 LDAP_INIT_ORG_NAME=Example Inc
-#LDAP_INIT_ADMIN_GROUP_DN=cn=ldap-admins,ou=Groups,o=yourorg
-#LDAP_INIT_ROOT_USER_DN=uid=admin,o=yourorg
+#LDAP_INIT_ADMIN_GROUP_DN=cn=ldap-admins,ou=Groups,DC=example,DC=com
+#LDAP_INIT_ROOT_USER_DN=uid=admin,DC=example,DC=com
 LDAP_INIT_ROOT_USER_PW=password
 
-#LDAP_INIT_PPOLICY_DEFAULT_DN=cn=DefaultPasswordPolicy,ou=Policies,o=yourorg
+#LDAP_INIT_PPOLICY_DEFAULT_DN=cn=DefaultPasswordPolicy,ou=Policies,DC=example,DC=com
 LDAP_INIT_PPOLICY_PW_MIN_LENGTH=8
 #LDAP_INIT_PPOLICY_MAX_FAILURES=3
 #LDAP_INIT_PPOLICY_LOCKOUT_DURATION=300

image/Dockerfile

@@ -101,8 +101,9 @@ LABEL \
 ENV \
   INIT_SH_FILE='' \
   #
-  LDAP_INIT_ORG_DN='o=example.com' \
+  LDAP_INIT_ORG_DN='DC=example,DC=com' \
   LDAP_INIT_ORG_NAME='Example Corporation' \
+  LDAP_INIT_ORG_ATTR_O='' \
   LDAP_INIT_ADMIN_GROUP_DN='cn=ldap-admins,ou=Groups,${LDAP_INIT_ORG_DN}' \
   LDAP_INIT_PASSWORD_RESET_GROUP_DN='cn=ldap-password-reset,ou=Groups,${LDAP_INIT_ORG_DN}' \
   LDAP_INIT_ROOT_USER_DN='uid=admin,${LDAP_INIT_ORG_DN}' \

image/run.sh

@@ -160,7 +160,21 @@ if [ ! -e /etc/ldap/slapd.d/initialized ]; then
      ldif modify -Y EXTERNAL /opt/ldifs/init_config_admin_access.ldif
    fi
 
-   LDAP_INIT_ORG_DN_ATTR=$(substr_before $LDAP_INIT_ORG_DN "," | str_replace "=" ": ") # referenced by init_org_tree.ldif
+   if [[ -z ${LDAP_INIT_ORG_ATTR_O:-} ]]; then
+     # derive LDAP_INIT_ORG_ATTR_O (referenced by init_org_tree.ldif) from LDAP_INIT_ORG_DN
+     if [[ "$LDAP_INIT_ORG_DN" =~ [oO]=([^,]*) ]]; then # check if "o=..." attribute is present in DN
+       # e.g. LDAP_INIT_ORG_DN="O=example.com"               -> LDAP_INIT_ORG_ATTR_O="example.com"
+       # e.g. LDAP_INIT_ORG_DN="O=Example,DC=example,DC=com" -> LDAP_INIT_ORG_ATTR_O="Example"
+       LDAP_INIT_ORG_DN_ATTR=${BASH_REMATCH[1]}
+     elif [[ "${LDAP_INIT_ORG_DN}" =~ [dD][cC]= ]]; then
+       # e.g. LDAP_INIT_ORG_DN="DC=example,DC=com" -> LDAP_INIT_ORG_ATTR_O="example.com"
+       LDAP_INIT_ORG_DN_ATTR=$(echo $LDAP_INIT_ORG_DN | grep -ioP 'DC=\K[^,]+' | paste -sd '.')
+     else
+       log ERROR "Unable to derive required 'o' attribute of objectClass 'organization' from LDAP_INIT_ORG_DN='$LDAP_INIT_ORG_DN'"
+       exit 1
+     fi
+   fi
+
    ldif add -x -D "$LDAP_INIT_ROOT_USER_DN" -w "$LDAP_INIT_ROOT_USER_PW" /opt/ldifs/init_org_tree.ldif
    ldif add -x -D "$LDAP_INIT_ROOT_USER_DN" -w "$LDAP_INIT_ROOT_USER_PW" /opt/ldifs/init_org_ppolicy.ldif
    ldif add -x -D "$LDAP_INIT_ROOT_USER_DN" -w "$LDAP_INIT_ROOT_USER_PW" /opt/ldifs/init_org_entries.ldif