Add option to use a CA certificate

This commit is contained in:
Brian Lycett 2019-01-16 15:05:55 +00:00
parent 50960490ef
commit 13aea6e6c7
2 changed files with 14 additions and 4 deletions

View File

@ -8,8 +8,6 @@ Quick start
--- ---
``` ```
docker build -t lum .
docker run \ docker run \
--detach \ --detach \
--name=lum \ --name=lum \
@ -22,7 +20,7 @@ docker run \
-e LDAP_ADMINS_GROUP=admins \ -e LDAP_ADMINS_GROUP=admins \
-e LDAP_ADMIN_BIND_DN="cn=admin,dc=example,dc=com" \ -e LDAP_ADMIN_BIND_DN="cn=admin,dc=example,dc=com" \
-e LDAP_ADMIN_BIND_PWD=secret\ -e LDAP_ADMIN_BIND_PWD=secret\
lum wheelybird/ldap-user-manager
``` ```
Now go to https://lum.example.com/setup. Now go to https://lum.example.com/setup.
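Review bot: the unchanged context line `-e LDAP_ADMIN_BIND_PWD=secret\` has no space before the continuation backslash, so with the new image name on the following line the shell joins the two tokens into `-e LDAP_ADMIN_BIND_PWD=secretwheelybird/ldap-user-manager` and `docker run` is left without an image argument. Since this hunk touches the very next line, fix it here: `-e LDAP_ADMIN_BIND_PWD=secret \`.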
@ -66,6 +64,8 @@ Optional:
* `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page. * `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page.
* `LDAP_TLS_CACERT` (no default): If you need to use a specific CA certificate for TLS connections to the LDAP server (when `LDAP_REQUIRE_STARTTLS` is set) then assign the contents of the CA certificate to this variable. e.g. `-e LDAP_TLS_CERT=$(</path/to/ca.crt)`
* `DEFAULT_USER_GROUP` (default: *everybody*): The group that new accounts are automatically added to when created. *NOTE*: If this group doesn't exist then a group is created with the same name as the username and the user is added to that group. * `DEFAULT_USER_GROUP` (default: *everybody*): The group that new accounts are automatically added to when created. *NOTE*: If this group doesn't exist then a group is created with the same name as the username and the user is added to that group.
* `DEFAULT_USER_SHELL` (default: */bin/bash*): The shell that will be launched when the user logs into a server. * `DEFAULT_USER_SHELL` (default: */bin/bash*): The shell that will be launched when the user logs into a server.
* `EMAIL_DOMAIN` (no default): The domain name to append to the email address when creating an account (username@email_domain). If unset then the mail attribute won't be set. * `EMAIL_DOMAIN` (no default): The domain name to append to the email address when creating an account (username@email_domain). If unset then the mail attribute won't be set.
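Review bot: the example in the new `LDAP_TLS_CACERT` bullet uses a different variable name (`-e LDAP_TLS_CERT=$(</path/to/ca.crt)`) from the one being documented, so a user copying it will set a variable the entrypoint never reads and silently fall back to the system CA bundle; change it to `-e LDAP_TLS_CACERT="$(</path/to/ca.crt)"`. Also worth noting in the text that `$(<file)` is a bash-ism (use `$(cat /path/to/ca.crt)` for POSIX sh) and that the quotes matter because a PEM certificate spans several lines.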
@ -115,7 +115,7 @@ Currently the available macros are:
* `{first_name}` : the first name in lowercase * `{first_name}` : the first name in lowercase
* `{first_name_initial}` : the first letter of the first name in lowercase * `{first_name_initial}` : the first letter of the first name in lowercase
* `{last_name}`: the last name in lowercase * `{last_name}`: the last name in lowercase
* '{last_name_initial}`: the first initial of the last name in lowercase * `{last_name_initial}`: the first initial of the last name in lowercase
Anything else in the `USERNAME_FORMAT` string is left as defined, but the username is also checked for validity against `USERNAME_REGEX`. This is to ensure that there aren't any characters forbidden by other systems (i.e. email or Linux/Unix accounts). Anything else in the `USERNAME_FORMAT` string is left as defined, but the username is also checked for validity against `USERNAME_REGEX`. This is to ensure that there aren't any characters forbidden by other systems (i.e. email or Linux/Unix accounts).

View File

@ -3,6 +3,16 @@ set -e
if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME=example.com; fi if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME=example.com; fi
#If LDAP_TLS_CACERT is set then write it out as a file
#and set up the LDAP client conf to use it.
if [ "$LDAP_TLS_CACERT" ]; then
echo "$LDAP_TLS_CACERT" >/opt/ca.crt
sed -i "s/TLS_CACERT.*/TLS_CACERT /opt/ca.crt/" /etc/ldap/ldap.conf
fi
######################## ########################
#If there aren't any SSL certs then create a self-signed certificate. #If there aren't any SSL certs then create a self-signed certificate.
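Review bot: the `sed` expression `s/TLS_CACERT.*/TLS_CACERT /opt/ca.crt/` uses `/` as the delimiter while the replacement path itself contains slashes, so sed parses `opt/ca.crt/` as trailing flags and fails with "unknown option to `s'"; with `set -e` at the top of the script that aborts the entrypoint whenever `LDAP_TLS_CACERT` is set. Use a different delimiter, e.g. `sed -i "s|^#\?TLS_CACERT.*|TLS_CACERT /opt/ca.crt|" /etc/ldap/ldap.conf`, and since sed is a silent no-op when no `TLS_CACERT` line exists (in which case the supplied CA is never used and TLS verification runs against the default bundle), append the directive when `grep -q '^TLS_CACERT' /etc/ldap/ldap.conf` finds no match. `printf '%s\n' "$LDAP_TLS_CACERT" >/opt/ca.crt` is also safer than `echo` for multi-line PEM content.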