diff --git a/pica-openldap/environment/pica.startup.yaml b/pica-openldap/environment/pica.startup.yaml
index d9ca4f7141ef468267097759ec81464edc3697cf..345479c8040f3fde35f56d1661817d99ecc126df 100644
--- a/pica-openldap/environment/pica.startup.yaml
+++ b/pica-openldap/environment/pica.startup.yaml
@@ -1,63 +1,24 @@
-# This is the default image startup configuration file
-# this file define environment variables used during the container **first start** in **startup files**.
-
-# This file is deleted right after startup files are processed for the first time,
-# after that all these values will not be available in the container environment.
-# This helps to keep your container configuration secret.
-# more information : https://github.com/osixia/docker-light-baseimage
+# See this page to know what variables can be used : https://github.com/osixia/docker-openldap#defaultstartupyaml
+# Here we only let the modified default variables
 
 # Required and used for new ldap server only
-LDAP_ORGANISATION: Picasoft 
+LDAP_ORGANISATION: Picasoft
 LDAP_DOMAIN: picasoft.net
 LDAP_BASE_DN: #if empty automatically set from LDAP_DOMAIN
 
 LDAP_ADMIN_PASSWORD: admin
-LDAP_CONFIG_PASSWORD: config
 
 LDAP_READONLY_USER: true
 LDAP_READONLY_USER_USERNAME: nss
-LDAP_READONLY_USER_PASSWORD: nss
-
-LDAP_RFC2307BIS_SCHEMA: false
-
-# Backend
-LDAP_BACKEND: mdb
 
-# Tls
+# TLS
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: cert.pem
 LDAP_TLS_KEY_FILENAME: privkey.pem
-LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
 LDAP_TLS_CA_CRT_FILENAME: chain.pem
-
-LDAP_TLS_ENFORCE: false
-LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
+# Note 25/04 : This sets ssf to 128. Maybe it should set minssf to 128 instead to
+# reject any non-encryption connexion on port 389. Testing required.
+LDAP_TLS_ENFORCE: true
 LDAP_TLS_VERIFY_CLIENT: never
 
-# Replication
-LDAP_REPLICATION: false
-# variables $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD
-# are automaticaly replaced at run time
-
-# if you want to add replication to an existing ldap
-# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration
-# avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
-LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials="$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
-LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials="$LDAP_ADMIN_PASSWORD" searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
-LDAP_REPLICATION_HOSTS:
-  - ldap://ldap.example.org # The order must be the same on all ldap servers
-  - ldap://ldap2.example.org
-
-# Do not change the ldap config
-# - If set to true with an existing database, config will remain unchanged. Image tls and replication config will not be run.
-#   The container can be started with LDAP_ADMIN_PASSWORD and LDAP_CONFIG_PASSWORD empty or filled with fake data.
-# - If set to true when bootstrapping a new database, bootstap ldif and schema will not be added and tls and replication config will not be run.
-KEEP_EXISTING_CONFIG: false
-
-# Remove config after setup
-LDAP_REMOVE_CONFIG_AFTER_SETUP: true
-
-# ssl-helper environment variables prefix
-LDAP_SSL_HELPER_PREFIX: ldap # ssl-helper first search config from LDAP_SSL_HELPER_* variables, before SSL_HELPER_* variables.
-
-SSL_HELPER_AUTO_RENEW_SERVICES_IMPACTED: slapd
+HOSTNAME: ldaps.picasoft.net
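Review bot: With `LDAP_CONFIG_PASSWORD` and `LDAP_READONLY_USER_PASSWORD` dropped from this file while `LDAP_READONLY_USER: true` stays, both accounts now take whatever the image default or another environment source provides, and `LDAP_ADMIN_PASSWORD: admin` is still committed in plain text. If nothing outside this file overrides these three values, a newly bootstrapped server would come up with guessable or publicly documented credentials for the admin DN, cn=config and the `nss` account. I would say where the real values come from directly above the password line, e.g. `# LDAP_ADMIN_PASSWORD, LDAP_CONFIG_PASSWORD and LDAP_READONLY_USER_PASSWORD are supplied from an uncommitted secrets file; the value below is a placeholder`. Separately, the comment above `LDAP_TLS_ENFORCE: true` leaves the ssf/minssf question open, so until that test is done this setting should not be relied on to refuse unencrypted binds on port 389.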