From c29b9b38e2663bf59530aa3f9d13b7c60667b63e Mon Sep 17 00:00:00 2001
From: Hideyuki Ogino
Date: Fri, 5 Jul 2019 12:50:14 +0000
Subject: [PATCH] SA-18152 Make OpenLDAP admin password changeable in upgrade scenario

- Update the version of `osixia/openldap` from 1.1.10 to 1.2.4 to use functionalities available in 1.2.4.
- Delete `startup.sh.diff`, which was a workaround for issue 167 of `osixia/openldap`; the issue is fixed in 1.2.4 of `osixia/openldap`, so the workaround is not needed anymore. https://github.com/osixia/docker-openldap/issues/167
- Remove the lines which set up multi-master replication from init.sh, since that setup is done in `osixia/openldap`.
- Change the repository for fusiondirectory packages in order to fix a build issue. Fusiondirectory packages of v1.2-1 are not available in http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie anymore. Instead, we need to use the following repository: http://repos.fusiondirectory.org/fusiondirectory-releases/fusiondirectory-1.2/debian-jessie
---
 Dockerfile | 8 ++------
 VERSION | 2 +-
 init.dirs | 9 +++++++--
 init.sh | 53 -------------------------------------------------
 startup.sh.diff | 41 --------------------------------------
 5 files changed, 10 insertions(+), 103 deletions(-)
 delete mode 100644 startup.sh.diff

diff --git a/Dockerfile b/Dockerfile
index f3c9c96..16f7571 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,11 @@
-FROM osixia/openldap:1.1.10
+FROM osixia/openldap:1.2.4
 LABEL maintainer="none@none.com" \
 version="1.1.10-1.2-1"
 ENV FUSIONDIRECTORY_VERSION=1.2-1
 RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys D744D55EACDA69FF \
- && (echo "deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main"; \
+ && (echo "deb http://repos.fusiondirectory.org/fusiondirectory-releases/fusiondirectory-1.2/debian-jessie jessie main"; \
 echo "deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main") \
 > /etc/apt/sources.list.d/fusiondirectory-jessie.list \
 && apt-get update \
@@ -22,10 +22,6 @@ RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys D744D55EACDA69FF \
 COPY init.sh /sbin/init.sh
 COPY init.dirs /sbin/init.dirs
-#this startup.sh.diff is a workaround, remove when https://github.com/osixia/docker-openldap/issues/167 fixed and incorporated
-COPY startup.sh.diff /tmp/startup.sh.diff
-RUN patch --no-backup-if-mismatch /container/service/slapd/startup.sh /tmp/startup.sh.diff
-RUN rm -f /tmp/startup.sh.diff
 RUN chmod 755 /sbin/init.sh /sbin/init.dirs /container/service/slapd/startup.sh
 RUN sed -i "/^FIRST_START_DONE=/aFIRST_START_DONE=/etc/ldap/slapd.d/slapd-first-start-done" /container/service/slapd/startup.sh
 RUN sed -i "/# create dir if they not already exists/i/sbin/init.dirs\n" /container/service/slapd/startup.sh
diff --git a/VERSION b/VERSION
index a918a2a..faef31a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.6.0
+0.7.0
diff --git a/init.dirs b/init.dirs
index 8d1cc7f..3e5afb2 100644
--- a/init.dirs
+++ b/init.dirs
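Review bot: In the first Dockerfile hunk the base image moves to osixia/openldap:1.2.4, but the context line `version="1.1.10-1.2-1"` in the LABEL still encodes 1.1.10, so the image metadata now contradicts FROM; change it to `version="1.2.4-1.2-1"` in the same commit. The second Dockerfile hunk removes the patch step but keeps the two `RUN sed -i` edits of /container/service/slapd/startup.sh, and `sed -i` with an address that no longer matches the 1.2.4 script exits 0 without changing anything, so the FIRST_START_DONE override and the /sbin/init.dirs hook could silently vanish after this bump; guarding each with the anchor, e.g. `RUN grep -q '^FIRST_START_DONE=' /container/service/slapd/startup.sh && sed -i "..." /container/service/slapd/startup.sh`, makes the build fail loudly instead. The new sources line, like the key fetch on the context line above it, is plain http, so apt's signature check is the only integrity control on these packages; that is pre-existing, but worth stating in a comment now that the repository path changed. Pinning the new base by digest (`FROM osixia/openldap:1.2.4@sha256:<digest>`) would also keep the upgrade reproducible.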
@@ -11,10 +11,15 @@ if [ -d ${SINGLEDIR} ]; then
 ln -s ${SINGLEDIR}/data /var/lib/ldap
 fi
-#if previous start was not complete (or never was) wipe so we can start fresh
+# If previous start was not complete (or never was), wipe all LDAP configuration so we can start fresh.
+# It can be judged by checking the existence of the file `FIRST_START_DONE` and `IS_IN_UPGRADE`.
+# Only when both files don't exist, we can start fresh.
+# In the upgrade scenario (when the file `IS_IN_UPGRADE` exists), don't wipe files
+# even if the file `FIRST_START_DONE` doesn't exist.
 FIRST_START_DONE=/etc/ldap/slapd.d/slapd-first-start-done
+IS_IN_UPGRADE=/etc/ldap/slapd.d/is-in-upgrade
 mkdir -p /etc/ldap/slapd.d /var/lib/ldap
-if [ ! -e "${FIRST_START_DONE}" ]; then
+if [ ! -e "${FIRST_START_DONE}" -a ! -e "${IS_IN_UPGRADE}" ]; then
 find /etc/ldap/slapd.d -mindepth 1 -delete
 find /var/lib/ldap -mindepth 1 -delete
 fi
diff --git a/init.sh b/init.sh
index 0805c52..cf45349 100644
--- a/init.sh
+++ b/init.sh
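Review bot: The new guard `[ ! -e "${FIRST_START_DONE}" -a ! -e "${IS_IN_UPGRADE}" ]` relies on the obsolescent `-a` operator of test (ShellCheck SC2166), and since this single condition decides whether /etc/ldap/slapd.d and /var/lib/ldap are wiped it should be written in the unambiguous form `if [ ! -e "${FIRST_START_DONE}" ] && [ ! -e "${IS_IN_UPGRADE}" ]; then`. The marker file is placed inside /etc/ldap/slapd.d, the very tree the wipe clears, and the hunk shows neither what creates it nor what removes it once the upgrade has finished; if it is ever left behind, the wipe-on-incomplete-start safeguard stays disabled for good, so the comment block should name where the marker's lifecycle is handled (presumably init.sh or startup.sh — confirm). The five added comment lines could be condensed to something like `# Wipe only when neither FIRST_START_DONE nor IS_IN_UPGRADE exists; during an upgrade the marker keeps the existing config and data.` The `if [ -d ${SINGLEDIR} ]` block whose tail opens the hunk begins outside it.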
@@ -269,59 +269,6 @@ olcOverlay: auditlog
 olcAuditlogFile: ${LDAP_AUDIT_FILE}
 EOF
-#set up replication
-[ -n "${LDAP_SERVERID}" -a -n "${LDAP_REPLICATION_URI1}" -a -n "${LDAP_REPLICATION_URI2}" ] && ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
-dn: cn=config
-changetype: modify
-add: olcServerID
-olcServerID: ${LDAP_SERVERID}
-
-dn: cn=module{0},cn=config
-changetype: modify
-add: olcModuleLoad
-olcModuleLoad: syncprov.la
-
-dn: olcDatabase={1}hdb,cn=config
-changetype: modify
-add: olcSyncRepl
-olcSyncRepl: rid=001
- provider=${LDAP_REPLICATION_URI1}
- bindmethod=simple
- binddn="cn=admin,${SUFFIX}"
- credentials="${LDAP_ADMIN_PASSWORD}"
- searchbase="${SUFFIX}"
- scope=sub
- schemachecking=on
- type=refreshOnly
- retry="2 5 3 10 5 +"
- interval=00:00:00:05
- timeout=3
- keepalive=60:5:60
-olcSyncRepl: rid=002
- provider=${LDAP_REPLICATION_URI2}
- bindmethod=simple
- binddn="cn=admin,${SUFFIX}"
- credentials="${LDAP_ADMIN_PASSWORD}"
- searchbase="${SUFFIX}"
- scope=sub
- schemachecking=on
- type=refreshOnly
- retry="2 5 3 10 5 +"
- interval=00:00:00:05
- timeout=3
- keepalive=60:5:60
--
-add: olcMirrorMode
-olcMirrorMode: TRUE
-
-dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
-changetype: add
-objectClass: olcOverlayConfig
-objectClass: olcSyncProvConfig
-olcOverlay: syncprov
-olcSpSessionLog: 300
-EOF
-
 #is subject to replication, only one container should have LDAP_INI_GROUP_N configured
 lig_cnt=1
 lig_name="LDAP_INI_GROUP_${lig_cnt}"
diff --git a/startup.sh.diff b/startup.sh.diff
deleted file mode 100644
index efea3ab..0000000
--- a/startup.sh.diff
+++ /dev/null
@@ -1,41 +0,0 @@
---- startup.sh.orig 2017-11-30 10:01:53.101173145 +0100
-+++ startup.sh 2017-11-30 10:06:06.449957863 +0100
-@@ -70,9 +70,9 @@
- sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" $LDIF_FILE
- sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" $LDIF_FILE
- if grep -iq changetype $LDIF_FILE ; then
-- ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 | log-helper debug || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f $LDIF_FILE 2>&1 | log-helper debug
-+ ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1 | log-helper debug || ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 | log-helper debug
- else
-- ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE |& log-helper debug || ldapadd -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f $LDIF_FILE 2>&1 | log-helper debug
-+ ldapadd -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE |& log-helper debug || ldapadd -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 | log-helper debug
- fi
- }
- 
-@@ -230,7 +230,7 @@
- done
- 
- # set config password
-- LDAP_CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_CONFIG_PASSWORD)
-+ LDAP_CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s "$LDAP_CONFIG_PASSWORD")
- sed -i "s|{{ LDAP_CONFIG_PASSWORD_ENCRYPTED }}|${LDAP_CONFIG_PASSWORD_ENCRYPTED}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/01-config-password.ldif
- 
- # adapt security config file
-@@ -255,7 +255,7 @@
- 
- log-helper info "Add read only user..."
- 
-- LDAP_READONLY_USER_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_READONLY_USER_PASSWORD)
-+ LDAP_READONLY_USER_PASSWORD_ENCRYPTED=$(slappasswd -s "$LDAP_READONLY_USER_PASSWORD")
- sed -i "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
- sed -i "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
- sed -i "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif
-@@ -266,7 +266,7 @@
- sed -i "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
- 
- log-helper debug "Processing file ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif"
-- ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w $LDAP_ADMIN_PASSWORD -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif 2>&1 | log-helper debug
-+ ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user.ldif 2>&1 | log-helper debug
- 
- log-helper debug "Processing file ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif"
- ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif 2>&1 | log-helper debug