Work on Bookworm image nss-ldap

The classic libnss-ldap has been removed from Bookworm. nslcd is needed
to make the new libnss-ldapd work.

bookworm_php8/Dockerfile-base

@@ -7,7 +7,7 @@ RUN apt-get update \
     apt-get install -y --no-install-recommends \
     ca-certificates \
     dumb-init \
-    libnss-ldap \
+    libnss-ldapd \
     nullmailer \
     openssl \
     php-mail-mime \
@@ -33,4 +33,4 @@ RUN apt-get update \
 # broken as of Tue Nov 15 07:42:37 CET 2022
 # php-mail https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000653
 
-ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/
+ADD --chown=root:root nsswitch.conf nslcd.conf /etc/

bookworm_php8/libnss-ldap.conf

@@ -1,323 +0,0 @@
-###DEBCONF###
-# the configuration of this file will be done by debconf as long as the
-# first line of the file says '###DEBCONF###'
-#
-# you should use dpkg-reconfigure libnss-ldap to configure this file.
-#
-# @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $
-#
-# This is the configuration file for the LDAP nameservice
-# switch library and the LDAP PAM module.
-#
-# PADL Software
-# http://www.padl.com
-#
-
-# Your LDAP server. Must be resolvable without using LDAP.
-# Multiple hosts may be specified, each separated by a 
-# space. How long nss_ldap takes to failover depends on
-# whether your LDAP client library supports configurable
-# network or connect timeouts (see bind_timelimit).
-#host 127.0.0.1
-
-# The distinguished name of the search base.
-base dc=gnuviech,dc=internal
-
-# Another way to specify your LDAP server is to provide an
-uri ldap://10.0.0.11/
-# Unix Domain Sockets to connect to a local LDAP Server.
-#uri ldap://127.0.0.1/
-#uri ldaps://127.0.0.1/   
-#uri ldapi://%2fvar%2frun%2fldapi_sock/
-# Note: %2f encodes the '/' used as directory separator
-
-# The LDAP version to use (defaults to 3
-# if supported by client library)
-ldap_version 3
-
-# The distinguished name to bind to the server with.
-# Optional: default is to bind anonymously.
-# Please do not put double quotes around it as they
-# would be included literally.
-#binddn cn=proxyuser,dc=padl,dc=com
-
-# The credentials to bind with. 
-# Optional: default is no credential.
-#bindpw secret
-
-# The distinguished name to bind to the server with
-# if the effective user ID is root. Password is
-# stored in /etc/libnss-ldap.secret (mode 600)
-# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
-# of an editor to create the file.
-#rootbinddn cn=manager,dc=example,dc=net
-
-# The port.
-# Optional: default is 389.
-#port 389
-
-# The search scope.
-#scope sub
-#scope one
-#scope base
-
-# Search timelimit
-#timelimit 30
-
-# Bind/connect timelimit
-#bind_timelimit 30
-
-# Reconnect policy:
-#  hard_open: reconnect to DSA with exponential backoff if
-#             opening connection failed
-#  hard_init: reconnect to DSA with exponential backoff if
-#             initializing connection failed
-#  hard:      alias for hard_open
-#  soft:      return immediately on server failure
-#bind_policy hard
-
-# Connection policy:
-#  persist:   DSA connections are kept open (default)
-#  oneshot:   DSA connections destroyed after request
-#nss_connect_policy persist
-
-# Idle timelimit; client will close connections
-# (nss_ldap only) if the server has not been contacted
-# for the number of seconds specified below.
-#idle_timelimit 3600
-
-# Use paged rseults
-#nss_paged_results yes
-
-# Pagesize: when paged results enable, used to set the
-# pagesize to a custom value
-#pagesize 1000
-
-# Filter to AND with uid=%s
-#pam_filter objectclass=account
-
-# The user ID attribute (defaults to uid)
-#pam_login_attribute uid
-
-# Search the root DSE for the password policy (works
-# with Netscape Directory Server)
-#pam_lookup_policy yes
-
-# Check the 'host' attribute for access control
-# Default is no; if set to yes, and user has no
-# value for the host attribute, and pam_ldap is
-# configured for account management (authorization)
-# then the user will not be allowed to login.
-#pam_check_host_attr yes
-
-# Check the 'authorizedService' attribute for access
-# control
-# Default is no; if set to yes, and the user has no
-# value for the authorizedService attribute, and
-# pam_ldap is configured for account management
-# (authorization) then the user will not be allowed
-# to login.
-#pam_check_service_attr yes
-
-# Group to enforce membership of
-#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
-
-# Group member attribute
-#pam_member_attribute uniquemember
-
-# Specify a minium or maximum UID number allowed
-#pam_min_uid 0
-#pam_max_uid 0
-
-# Template login attribute, default template user
-# (can be overriden by value of former attribute
-# in user's entry)
-#pam_login_attribute userPrincipalName
-#pam_template_login_attribute uid
-#pam_template_login nobody
-
-# HEADS UP: the pam_crypt, pam_nds_passwd,
-# and pam_ad_passwd options are no
-# longer supported.
-#
-# Do not hash the password at all; presume
-# the directory server will do it, if
-# necessary. This is the default.
-#pam_password clear
-
-# Hash password locally; required for University of
-# Michigan LDAP server, and works with Netscape
-# Directory Server if you're using the UNIX-Crypt
-# hash mechanism and not using the NT Synchronization
-# service. 
-#pam_password crypt
-
-# Remove old password first, then update in
-# cleartext. Necessary for use with Novell
-# Directory Services (NDS)
-#pam_password nds
-
-# RACF is an alias for the above. For use with
-# IBM RACF
-#pam_password racf
-
-# Update Active Directory password, by
-# creating Unicode password and updating
-# unicodePwd attribute.
-#pam_password ad
-
-# Use the OpenLDAP password change
-# extended operation to update the password.
-#pam_password exop
-
-# Redirect users to a URL or somesuch on password
-# changes.
-#pam_password_prohibit_message Please visit http://internal to change your password.
-
-# Use backlinks for answering initgroups()
-#nss_initgroups backlink
-
-# Enable support for RFC2307bis (distinguished names in group
-# members)
-#nss_schema rfc2307bis
-
-# RFC2307bis naming contexts
-# Syntax:
-# nss_base_XXX		base?scope?filter
-# where scope is {base,one,sub}
-# and filter is a filter to be &'d with the
-# default filter.
-# You can omit the suffix eg:
-# nss_base_passwd	ou=People,
-# to append the default base DN but this
-# may incur a small performance impact.
-#nss_base_passwd	ou=People,dc=padl,dc=com?one
-#nss_base_shadow	ou=People,dc=padl,dc=com?one
-#nss_base_group		ou=Group,dc=padl,dc=com?one
-#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
-#nss_base_services	ou=Services,dc=padl,dc=com?one
-#nss_base_networks	ou=Networks,dc=padl,dc=com?one
-#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
-#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
-#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
-#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
-#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
-#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
-#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
-
-# attribute/objectclass mapping
-# Syntax:
-#nss_map_attribute	rfc2307attribute	mapped_attribute
-#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
-
-# configure --enable-nds is no longer supported.
-# NDS mappings
-#nss_map_attribute uniqueMember member
-
-# Services for UNIX 3.5 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount User
-#nss_map_attribute uid msSFU30Name
-#nss_map_attribute uniqueMember msSFU30PosixMember
-#nss_map_attribute userPassword msSFU30Password
-#nss_map_attribute homeDirectory msSFU30HomeDirectory
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_objectclass posixGroup Group
-#pam_login_attribute msSFU30Name
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-mssfu-schema is no longer supported.
-# Services for UNIX 2.0 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid msSFUName
-#nss_map_attribute uniqueMember posixMember
-#nss_map_attribute userPassword msSFUPassword
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup Group
-#nss_map_attribute cn msSFUName
-#pam_login_attribute msSFUName
-#pam_filter objectclass=User
-#pam_password ad
-
-# RFC 2307 (AD) mappings
-#nss_map_objectclass posixAccount user
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid sAMAccountName
-#nss_map_attribute homeDirectory unixHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup group
-#nss_map_attribute uniqueMember member
-#pam_login_attribute sAMAccountName
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-authpassword is no longer supported
-# AuthPassword mappings
-#nss_map_attribute userPassword authPassword
-
-# AIX SecureWay mappings
-#nss_map_objectclass posixAccount aixAccount
-#nss_base_passwd ou=aixaccount,?one
-#nss_map_attribute uid userName
-#nss_map_attribute gidNumber gid
-#nss_map_attribute uidNumber uid
-#nss_map_attribute userPassword passwordChar
-#nss_map_objectclass posixGroup aixAccessGroup
-#nss_base_group ou=aixgroup,?one
-#nss_map_attribute cn groupName
-#nss_map_attribute uniqueMember member
-#pam_login_attribute userName
-#pam_filter objectclass=aixAccount
-#pam_password clear
-
-# For pre-RFC2307bis automount schema
-#nss_map_objectclass automountMap nisMap
-#nss_map_attribute automountMapName nisMapName
-#nss_map_objectclass automount nisObject
-#nss_map_attribute automountKey cn
-#nss_map_attribute automountInformation nisMapEntry
-
-# Netscape SDK LDAPS
-#ssl on
-
-# Netscape SDK SSL options
-#sslpath /etc/ssl/certs
-
-# OpenLDAP SSL mechanism
-# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
-#ssl start_tls
-#ssl on
-
-# OpenLDAP SSL options
-# Require and verify server certificate (yes/no)
-# Default is to use libldap's default behavior, which can be configured in
-# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
-# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
-#tls_checkpeer yes
-
-# CA certificates for server certificate verification
-# At least one of these are required if tls_checkpeer is "yes"
-#tls_cacertfile /etc/ssl/ca.cert
-#tls_cacertdir /etc/ssl/certs
-
-# Seed the PRNG if /dev/urandom is not provided
-#tls_randfile /var/run/egd-pool
-
-# SSL cipher suite
-# See man ciphers for syntax
-#tls_ciphers TLSv1
-
-# Client certificate and key
-# Use these, if your server requires client authentication.
-#tls_cert
-#tls_key
-
-# Disable SASL security layers. This is needed for AD.
-#sasl_secprops maxssf=0
-
-# Override the default Kerberos ticket cache location.
-#krb5_ccname FILE:/etc/.ldapcache
-

bookworm_php8/nslcd.conf

@@ -0,0 +1,32 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri ldap://10.0.0.11/
+
+# The search base that will be used for all queries.
+base dc=gnuviech,dc=internal
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+#tls_reqcert never
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub
+

bookworm_php8/nsswitch.conf

@@ -4,9 +4,10 @@
 # If you have the `glibc-doc-reference' and `info' packages installed, try:
 # `info libc "Name Service Switch"' for information about this file.
 
-passwd:         compat ldap
-group:          compat ldap
-shadow:         compat
+passwd:         files ldap
+group:          files ldap
+shadow:         files ldap
+gshadow:        files
 
 hosts:          files dns
 networks:       files

bookworm_php8/start-fpm.sh

@@ -6,6 +6,7 @@ sed "s/@user@/${FPM_USER}/g; s/@variant@/${FPM_VARIANT}/g" \
     < /usr/local/etc/fpm-pool.conf.tmpl \
     > "/etc/php/8.2/fpm/pool.d/${FPM_USER}.conf"
 
+/etc/init.d/nslcd start
 /etc/init.d/nullmailer start
 mkdir -p /run/php
 /usr/sbin/php-fpm8.2 --nodaemonize