Merge pull request #81 from LDAPAccountManager/docker

Docker

lam-packaging/docker/.env

@@ -0,0 +1,18 @@
+# domain of LDAP database root entry, will be converted to dc=...,dc=...
+LDAP_DOMAIN=my-domain.com
+# LDAP base DN to overwrite value generated by LDAP_DOMAIN
+LDAP_BASE_DN=dc=my-domain,dc=com
+# LDAP server URL
+LDAP_SERVER=ldap://ldap:389
+# LDAP admin user (set as login user for LAM)
+LDAP_USER=cn=admin111,dc=my-domain,dc=com
+# LDAP admin password
+LDAP_ADMIN_PASSWORD=adminpw
+
+# LAM configuration master password and password for server profile "lam"
+LAM_PASSWORD=lam
+
+# docker-compose only, LDAP organisation name for OpenLDAP
+LDAP_ORGANISATION="LDAP Account Manager Demo"
+# docker-compose only, password for LDAP read-only user
+LDAP_READONLY_USER_PASSWORD=readonlypw

lam-packaging/docker/Dockerfile

@@ -25,32 +25,59 @@
 #  You can change the port 8080 if needed.
 #
 
-FROM debian:stretch
+FROM debian:buster-slim
-MAINTAINER Roland Gruber <post@rolandgruber.de>
+LABEL maintainer="Roland Gruber <post@rolandgruber.de>"
 
 ARG LAM_RELEASE=6.9
 
-# update OS
+ENV \
-RUN apt-get update \
+    DEBIAN_FRONTEND=noninteractive \
- && apt-get upgrade -y
+    DEBUG=''
 
-# install requirements
+RUN apt-get update && \
-RUN apt-get install -y wget apache2 libapache2-mod-php php php-ldap php-zip php-xml php-curl php-gd php-imagick php-mcrypt php-tcpdf php-phpseclib fonts-dejavu php-monolog
+    apt-get install --no-install-recommends -y \
+        apache2 \
+        ca-certificates \
+        dumb-init \
+        fonts-dejavu \
+        libapache2-mod-php \
+        php \
+        php-curl \
+        php-gd \
+        php-imagick \
+        php-ldap \
+        php-monolog \
+        php-phpseclib \
+        php-xml \
+        php-zip \
+        wget \
+    && \
+    rm /etc/apache2/sites-enabled/*default* && \
+    rm -rf /var/cache/apt /var/lib/apt/lists/*
 
 # install LAM
-RUN wget http://prdownloads.sourceforge.net/lam/ldap-account-manager_${LAM_RELEASE}-1_all.deb?download -O /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb \
+RUN wget http://prdownloads.sourceforge.net/lam/ldap-account-manager_${LAM_RELEASE}-1_all.deb?download \
- && dpkg -i /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb
+    -O /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb && \
+    dpkg -i /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb && \
+    rm -f /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb
 
-# cleanup
+# redirect Apache logging
-RUN apt-get autoremove -y && apt-get clean all \
+RUN sed -e 's,^ErrorLog.*,ErrorLog "|/bin/cat",' -i /etc/apache2/apache2.conf
- && rm -f /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb \
+# because there is no logging set in the lam vhost logging goes to other_vhost_access.log
- && rm /etc/apache2/sites-enabled/*default*
+RUN ln -sf /dev/stdout /var/log/apache2/other_vhosts_access.log
 
 # add redirect for /
 RUN a2enmod rewrite
 RUN echo "RewriteEngine on" >> /etc/apache2/conf-enabled/laminit.conf \
  && echo "RewriteRule   ^/$  /lam/ [R,L]" >> /etc/apache2/conf-enabled/laminit.conf
 
-# start Apache when container starts
+COPY start.sh /usr/local/bin/start.sh
-ENTRYPOINT service apache2 start && sleep infinity
 
+WORKDIR /var/lib/ldap-account-manager/config
+
+# start Apache when container starts
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD [ "/usr/local/bin/start.sh" ]
+
+HEALTHCHECK --interval=1m --timeout=10s \
+    CMD wget -qO- http://localhost/lam/ | grep -q '<title>LDAP Account Manager</title>'

lam-packaging/docker/docker-compose.yml

@@ -0,0 +1,44 @@
+version: '3.5'
+services:
+  ldap-account-manager:
+    build:
+      context: .
+      args:
+       - LAM_RELEASE=6.9
+    image: ldapaccountmanager/lam:latest
+    restart: unless-stopped
+    ports:
+      - "8080:80"
+    volumes:
+      - lametc/:/etc/ldap-account-manager
+      - lamconfig/:/var/lib/ldap-account-manager/config
+      - lamsession/:/var/lib/ldap-account-manager/sess
+    environment:
+      - LAM_PASSWORD=${LAM_PASSWORD}
+      - LAM_LANG=en_US
+      - LDAP_SERVER=${LDAP_SERVER}
+      - LDAP_DOMAIN=${LDAP_DOMAIN}
+      - LDAP_BASE_DN=${LDAP_BASE_DN}
+      - ADMIN_USER=cn=admin,${LDAP_BASE_DN}
+      - DEBUG=true
+  ldap:
+    image: osixia/openldap:latest
+    restart: unless-stopped
+    environment:
+      - LDAP_ORGANISATION=${LDAP_ORGANISATION}
+      - LDAP_DOMAIN=${LDAP_DOMAIN}
+      - LDAP_BASE_DN=${LDAP_BASE_DN}
+      - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD}
+      - LDAP_READONLY_USER=true
+      - LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_USER_PASSWORD}
+    command: "--loglevel info --copy-service"
+    volumes:
+      - ldap:/var/lib/ldap
+      - slapd:/etc/ldap/slapd.d
+
+volumes:
+  lametc:
+  lamconfig:
+  lamsession:
+  ldap:
+  slapd:

lam-packaging/docker/start.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+#  Docker start script for LDAP Account Manager
+
+#  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
+#  Copyright (C) 2019  Felix Bartels
+
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  (at your option) any later version.
+
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+set -eu # unset variables are errors & non-zero return values exit the whole script
+[ "$DEBUG" ] && set -x
+
+LAM_LANG="${LAM_LANG:-en_US}"
+export LAM_PASSWORD="${LAM_PASSWORD:-lam}"
+LAM_PASSWORD_SSHA=$(php -r '$password = getenv("LAM_PASSWORD"); mt_srand((microtime() * 1000000)); $rand = abs(hexdec(bin2hex(openssl_random_pseudo_bytes(5)))); $salt0 = substr(pack("h*", md5($rand)), 0, 8); $salt = substr(pack("H*", sha1($salt0 . $password)), 0, 4); print "{SSHA}" . base64_encode(pack("H*", sha1($password . $salt))) . " " . base64_encode($salt) . "\n";')
+LDAP_HOST="${LDAP_HOST:-ldap://ldap:389}"
+LDAP_DOMAIN="${LDAP_DOMAIN:-my-domain.com}"
+LDAP_BASE_DN="${LDAP_BASE_DN:-dc=${LDAP_DOMAIN//\./,dc=}}"
+LDAP_ADMIN_USER="${LDAP_USER:-cn=admin,${LDAP_BASE_DN}}"
+
+sed -i -f- /etc/ldap-account-manager/config.cfg <<- EOF
+	s|^password:.*|password: ${LAM_PASSWORD_SSHA}|;
+EOF
+unset LAM_PASSWORD
+
+sed -i -f- /var/lib/ldap-account-manager/config/lam.conf <<- EOF
+	s|^ServerURL:.*|ServerURL: ${LDAP_HOST}|;
+	s|^Admins:.*|Admins: ${LDAP_ADMIN_USER}|;
+	s|^Passwd:.*|Passwd: ${LAM_PASSWORD_SSHA}|;
+	s|^treesuffix:.*|treesuffix: ${LDAP_BASE_DN}|;
+	s|^defaultLanguage:.*|defaultLanguage: ${LAM_LANG}.utf8|;
+	s|^.*suffix_user:.*|types: suffix_user: ${LDAP_BASE_DN}|;
+	s|^.*suffix_group:.*|types: suffix_group: ${LDAP_BASE_DN}|;
+EOF
+
+echo "Starting Apache"
+rm -f /run/apache2/apache2.pid
+set +u
+# shellcheck disable=SC1091
+source /etc/apache2/envvars
+exec /usr/sbin/apache2 -DFOREGROUND

lam/HISTORY

@@ -4,6 +4,7 @@ December 2019 7.0
   - YubiKey: support to configure multiple verification servers
   - Deactivated non-maintained translations: Catalan, Czech, Hungarian, Polish and Turkish
     Contact us if you would like to take over. Translators get LAM Pro for free (commercial use included).
+  - Docker updates
   - Fixed bugs:
    -> Missing CSS for Duo
    -> Editing of DNs with comma on Windows (210)

lam/docs/manual-sources/chapter-installation.xml

@@ -318,6 +318,10 @@
 
       <para>You can run LAM inside Docker.</para>
 
+      <para>Possible environment variables are documented in the <ulink
+      url="https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env">sample
+      .env</ulink> file.</para>
+
       <para>See here:</para>
 
       <para><ulink