From d2dfa332d3c4071ebad1ffd2c99d08cbce1a6127 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Sat, 10 Feb 2024 11:39:58 +0100
Subject: [PATCH] Work on Bookworm image nss-ldap

The classic libnss-ldap has been removed from Bookworm. nslcd is needed to make the new libnss-ldapd work.
---
 bookworm_php8/Dockerfile-base | 4 +-
 bookworm_php8/libnss-ldap.conf | 323 ---------------------------------
 bookworm_php8/nslcd.conf | 32 ++++
 bookworm_php8/nsswitch.conf | 7 +-
 bookworm_php8/start-fpm.sh | 1 +
 5 files changed, 39 insertions(+), 328 deletions(-)
 delete mode 100644 bookworm_php8/libnss-ldap.conf
 create mode 100644 bookworm_php8/nslcd.conf

diff --git a/bookworm_php8/Dockerfile-base b/bookworm_php8/Dockerfile-base
index 3ca189a..a94b3e9 100644
--- a/bookworm_php8/Dockerfile-base
+++ b/bookworm_php8/Dockerfile-base
@@ -7,7 +7,7 @@ RUN apt-get update \
 apt-get install -y --no-install-recommends \
 ca-certificates \
 dumb-init \
- libnss-ldap \
+ libnss-ldapd \
 nullmailer \
 openssl \
 php-mail-mime \
@@ -33,4 +33,4 @@ RUN apt-get update \
 # broken as of Tue Nov 15 07:42:37 CET 2022
 # php-mail https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000653
-ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/
+ADD --chown=root:root nsswitch.conf nslcd.conf /etc/
diff --git a/bookworm_php8/libnss-ldap.conf b/bookworm_php8/libnss-ldap.conf
deleted file mode 100644
index 068b433..0000000
--- a/bookworm_php8/libnss-ldap.conf
+++ /dev/null
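Review bot: nslcd.conf is installed with `--chown=root:root` and whatever mode the build-context copy carries, yet it is the file where `bindpw` would live if the commented-out bind settings are ever enabled, and nslcd reads it as the unprivileged `nslcd` user; Debian ships it as root:nslcd mode 0640 for exactly that reason. Changing the second hunk to `ADD --chmod=640 --chown=root:nslcd nsswitch.conf nslcd.conf /etc/` keeps a future credential unreadable to the php-fpm workers (the nslcd group exists once the package installed in the first hunk is present; `--chmod` needs a BuildKit builder, so confirm which builder produces this image). Separately, the daemon appears to arrive only as a dependency of libnss-ldapd as far as I can tell from this hunk; naming `nslcd` explicitly in the apt-get list documents that the image relies on it rather than on the dependency graph.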
@@ -1,323 +0,0 @@
-###DEBCONF###
-# the configuration of this file will be done by debconf as long as the
-# first line of the file says '###DEBCONF###'
-#
-# you should use dpkg-reconfigure libnss-ldap to configure this file.
-#
-# @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $
-#
-# This is the configuration file for the LDAP nameservice
-# switch library and the LDAP PAM module.
-#
-# PADL Software
-# http://www.padl.com
-#
-
-# Your LDAP server. Must be resolvable without using LDAP.
-# Multiple hosts may be specified, each separated by a
-# space. How long nss_ldap takes to failover depends on
-# whether your LDAP client library supports configurable
-# network or connect timeouts (see bind_timelimit).
-#host 127.0.0.1
-
-# The distinguished name of the search base.
-base dc=gnuviech,dc=internal
-
-# Another way to specify your LDAP server is to provide an
-uri ldap://10.0.0.11/
-# Unix Domain Sockets to connect to a local LDAP Server.
-#uri ldap://127.0.0.1/
-#uri ldaps://127.0.0.1/
-#uri ldapi://%2fvar%2frun%2fldapi_sock/
-# Note: %2f encodes the '/' used as directory separator
-
-# The LDAP version to use (defaults to 3
-# if supported by client library)
-ldap_version 3
-
-# The distinguished name to bind to the server with.
-# Optional: default is to bind anonymously.
-# Please do not put double quotes around it as they
-# would be included literally.
-#binddn cn=proxyuser,dc=padl,dc=com
-
-# The credentials to bind with.
-# Optional: default is no credential.
-#bindpw secret
-
-# The distinguished name to bind to the server with
-# if the effective user ID is root. Password is
-# stored in /etc/libnss-ldap.secret (mode 600)
-# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
-# of an editor to create the file.
-#rootbinddn cn=manager,dc=example,dc=net
-
-# The port.
-# Optional: default is 389.
-#port 389
-
-# The search scope.
-#scope sub
-#scope one
-#scope base
-
-# Search timelimit
-#timelimit 30
-
-# Bind/connect timelimit
-#bind_timelimit 30
-
-# Reconnect policy:
-# hard_open: reconnect to DSA with exponential backoff if
-# opening connection failed
-# hard_init: reconnect to DSA with exponential backoff if
-# initializing connection failed
-# hard: alias for hard_open
-# soft: return immediately on server failure
-#bind_policy hard
-
-# Connection policy:
-# persist: DSA connections are kept open (default)
-# oneshot: DSA connections destroyed after request
-#nss_connect_policy persist
-
-# Idle timelimit; client will close connections
-# (nss_ldap only) if the server has not been contacted
-# for the number of seconds specified below.
-#idle_timelimit 3600
-
-# Use paged rseults
-#nss_paged_results yes
-
-# Pagesize: when paged results enable, used to set the
-# pagesize to a custom value
-#pagesize 1000
-
-# Filter to AND with uid=%s
-#pam_filter objectclass=account
-
-# The user ID attribute (defaults to uid)
-#pam_login_attribute uid
-
-# Search the root DSE for the password policy (works
-# with Netscape Directory Server)
-#pam_lookup_policy yes
-
-# Check the 'host' attribute for access control
-# Default is no; if set to yes, and user has no
-# value for the host attribute, and pam_ldap is
-# configured for account management (authorization)
-# then the user will not be allowed to login.
-#pam_check_host_attr yes
-
-# Check the 'authorizedService' attribute for access
-# control
-# Default is no; if set to yes, and the user has no
-# value for the authorizedService attribute, and
-# pam_ldap is configured for account management
-# (authorization) then the user will not be allowed
-# to login.
-#pam_check_service_attr yes
-
-# Group to enforce membership of
-#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
-
-# Group member attribute
-#pam_member_attribute uniquemember
-
-# Specify a minium or maximum UID number allowed
-#pam_min_uid 0
-#pam_max_uid 0
-
-# Template login attribute, default template user
-# (can be overriden by value of former attribute
-# in user's entry)
-#pam_login_attribute userPrincipalName
-#pam_template_login_attribute uid
-#pam_template_login nobody
-
-# HEADS UP: the pam_crypt, pam_nds_passwd,
-# and pam_ad_passwd options are no
-# longer supported.
-#
-# Do not hash the password at all; presume
-# the directory server will do it, if
-# necessary. This is the default.
-#pam_password clear
-
-# Hash password locally; required for University of
-# Michigan LDAP server, and works with Netscape
-# Directory Server if you're using the UNIX-Crypt
-# hash mechanism and not using the NT Synchronization
-# service.
-#pam_password crypt
-
-# Remove old password first, then update in
-# cleartext. Necessary for use with Novell
-# Directory Services (NDS)
-#pam_password nds
-
-# RACF is an alias for the above. For use with
-# IBM RACF
-#pam_password racf
-
-# Update Active Directory password, by
-# creating Unicode password and updating
-# unicodePwd attribute.
-#pam_password ad
-
-# Use the OpenLDAP password change
-# extended operation to update the password.
-#pam_password exop
-
-# Redirect users to a URL or somesuch on password
-# changes.
-#pam_password_prohibit_message Please visit http://internal to change your password.
-
-# Use backlinks for answering initgroups()
-#nss_initgroups backlink
-
-# Enable support for RFC2307bis (distinguished names in group
-# members)
-#nss_schema rfc2307bis
-
-# RFC2307bis naming contexts
-# Syntax:
-# nss_base_XXX base?scope?filter
-# where scope is {base,one,sub}
-# and filter is a filter to be &'d with the
-# default filter.
-# You can omit the suffix eg:
-# nss_base_passwd ou=People,
-# to append the default base DN but this
-# may incur a small performance impact.
-#nss_base_passwd ou=People,dc=padl,dc=com?one
-#nss_base_shadow ou=People,dc=padl,dc=com?one
-#nss_base_group ou=Group,dc=padl,dc=com?one
-#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
-#nss_base_services ou=Services,dc=padl,dc=com?one
-#nss_base_networks ou=Networks,dc=padl,dc=com?one
-#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
-#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
-#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
-#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
-#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
-#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
-#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
-
-# attribute/objectclass mapping
-# Syntax:
-#nss_map_attribute rfc2307attribute mapped_attribute
-#nss_map_objectclass rfc2307objectclass mapped_objectclass
-
-# configure --enable-nds is no longer supported.
-# NDS mappings
-#nss_map_attribute uniqueMember member
-
-# Services for UNIX 3.5 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount User
-#nss_map_attribute uid msSFU30Name
-#nss_map_attribute uniqueMember msSFU30PosixMember
-#nss_map_attribute userPassword msSFU30Password
-#nss_map_attribute homeDirectory msSFU30HomeDirectory
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_objectclass posixGroup Group
-#pam_login_attribute msSFU30Name
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-mssfu-schema is no longer supported.
-# Services for UNIX 2.0 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid msSFUName
-#nss_map_attribute uniqueMember posixMember
-#nss_map_attribute userPassword msSFUPassword
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup Group
-#nss_map_attribute cn msSFUName
-#pam_login_attribute msSFUName
-#pam_filter objectclass=User
-#pam_password ad
-
-# RFC 2307 (AD) mappings
-#nss_map_objectclass posixAccount user
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid sAMAccountName
-#nss_map_attribute homeDirectory unixHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup group
-#nss_map_attribute uniqueMember member
-#pam_login_attribute sAMAccountName
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-authpassword is no longer supported
-# AuthPassword mappings
-#nss_map_attribute userPassword authPassword
-
-# AIX SecureWay mappings
-#nss_map_objectclass posixAccount aixAccount
-#nss_base_passwd ou=aixaccount,?one
-#nss_map_attribute uid userName
-#nss_map_attribute gidNumber gid
-#nss_map_attribute uidNumber uid
-#nss_map_attribute userPassword passwordChar
-#nss_map_objectclass posixGroup aixAccessGroup
-#nss_base_group ou=aixgroup,?one
-#nss_map_attribute cn groupName
-#nss_map_attribute uniqueMember member
-#pam_login_attribute userName
-#pam_filter objectclass=aixAccount
-#pam_password clear
-
-# For pre-RFC2307bis automount schema
-#nss_map_objectclass automountMap nisMap
-#nss_map_attribute automountMapName nisMapName
-#nss_map_objectclass automount nisObject
-#nss_map_attribute automountKey cn
-#nss_map_attribute automountInformation nisMapEntry
-
-# Netscape SDK LDAPS
-#ssl on
-
-# Netscape SDK SSL options
-#sslpath /etc/ssl/certs
-
-# OpenLDAP SSL mechanism
-# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
-#ssl 
start_tls
-#ssl on
-
-# OpenLDAP SSL options
-# Require and verify server certificate (yes/no)
-# Default is to use libldap's default behavior, which can be configured in
-# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
-# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
-#tls_checkpeer yes
-
-# CA certificates for server certificate verification
-# At least one of these are required if tls_checkpeer is "yes"
-#tls_cacertfile /etc/ssl/ca.cert
-#tls_cacertdir /etc/ssl/certs
-
-# Seed the PRNG if /dev/urandom is not provided
-#tls_randfile /var/run/egd-pool
-
-# SSL cipher suite
-# See man ciphers for syntax
-#tls_ciphers TLSv1
-
-# Client certificate and key
-# Use these, if your server requires client authentication.
-#tls_cert
-#tls_key
-
-# Disable SASL security layers. This is needed for AD.
-#sasl_secprops maxssf=0
-
-# Override the default Kerberos ticket cache location.
-#krb5_ccname FILE:/etc/.ldapcache
-
diff --git a/bookworm_php8/nslcd.conf b/bookworm_php8/nslcd.conf
new file mode 100644
index 0000000..ca893ae
--- /dev/null
+++ b/bookworm_php8/nslcd.conf
@@ -0,0 +1,32 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri ldap://10.0.0.11/
+
+# The search base that will be used for all queries.
+base dc=gnuviech,dc=internal
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+#tls_reqcert never
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub
+
diff --git a/bookworm_php8/nsswitch.conf b/bookworm_php8/nsswitch.conf
index 1d69bd7..8f60129 100644
--- a/bookworm_php8/nsswitch.conf
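Review bot: Directory lookups run over cleartext LDAP as written: `uri ldap://10.0.0.11/` with `ssl` left at its commented default means the one active TLS line, `tls_cacertfile /etc/ssl/certs/ca-certificates.crt`, is never consulted, because nslcd only applies it to ldaps:// URIs or to `ssl start_tls` sessions. If the server offers STARTTLS, adding `ssl start_tls` and `tls_reqcert demand` next to it makes the listed CA bundle actually verify the peer and protects the account data (and any future `bindpw`) in transit; if plain LDAP on that network is deliberate, a comment above `uri` saying so keeps the next reader from assuming TLS is in force. Minor: the example `#binddn` line misspells anonymous as `annonymous`.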
+++ b/bookworm_php8/nsswitch.conf
@@ -4,9 +4,10 @@
 # If you have the `glibc-doc-reference' and `info' packages installed, try:
 # `info libc "Name Service Switch"' for information about this file.
-passwd: compat ldap
-group: compat ldap
-shadow: compat
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+gshadow: files
 hosts: files dns
 networks: files
diff --git a/bookworm_php8/start-fpm.sh b/bookworm_php8/start-fpm.sh
index 0536dca..0d14803 100755
--- a/bookworm_php8/start-fpm.sh
+++ b/bookworm_php8/start-fpm.sh
@@ -6,6 +6,7 @@ sed "s/@user@/${FPM_USER}/g; s/@variant@/${FPM_VARIANT}/g" \
 < /usr/local/etc/fpm-pool.conf.tmpl \
 > "/etc/php/8.2/fpm/pool.d/${FPM_USER}.conf"
+/etc/init.d/nslcd start
 /etc/init.d/nullmailer start
 mkdir -p /run/php
 /usr/sbin/php-fpm8.2 --nodaemonize
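Review bot: `shadow: files ldap` newly routes password-hash lookups to the directory, although the previous line had no `ldap` source and nothing in this commit configures PAM or anything else that consumes shadow entries, so the narrower `shadow: files` would keep directory credentials out of NSS in this image entirely. As I recall nslcd hands full shadow entries only to root, which limits what the php-fpm workers could see, but that should be confirmed rather than relied on; if LDAP shadow data is really needed, a comment above the line naming the consumer would justify it. The `compat` to `files` switch on `passwd` and `group` is also a behaviour change (legacy `+` entries in /etc/passwd stop being honoured) that deserves a line in the commit message.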
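Review bot: The exit status of the added `/etc/init.d/nslcd start` is not checked, so if the daemon fails to come up (unreachable LDAP server, bad nslcd.conf, missing socket directory) the script still proceeds to php-fpm and every LDAP account silently resolves as unknown. Unless a `set -e` earlier in the script (which begins before this hunk) already covers it, `/etc/init.d/nslcd start || { echo 'nslcd failed to start' >&2; exit 1; }` fails the container fast at the point where the dependency is introduced. A short comment such as `# nslcd must be up before php-fpm so LDAP users resolve via libnss-ldapd` would also record why the ordering matters.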