[bitnami/openldap] feat: pldap and pldaps support

Support for 'proxied LDAP' and 'proxied LDAP over SSL'. Read 'https://www.openldap.org/doc/admin26/runningslapd.html#Command-Line%20Options' for additional info. Signed-off-by: Arano-kai <Arano-kai@users.noreply.github.com>
bitnami · Aug 16, 2024 · e6edec9 · e6edec9
1 parent 2bf5248
commit e6edec9
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 6 deletions.
diff --git a/bitnami/openldap/2.5/debian-12/rootfs/opt/bitnami/scripts/libopenldap.sh b/bitnami/openldap/2.5/debian-12/rootfs/opt/bitnami/scripts/libopenldap.sh
@@ -52,6 +52,9 @@ export LDAP_DAEMON_GROUP="slapd"
 # Settings
 export LDAP_PORT_NUMBER="${LDAP_PORT_NUMBER:-1389}"
 export LDAP_LDAPS_PORT_NUMBER="${LDAP_LDAPS_PORT_NUMBER:-1636}"
+export LDAP_ENABLE_PROXYPROTO="${LDAP_ENABLE_PROXYPROTO:-no}"
+export LDAP_PROXYPROTO_PORT_NUMBER="${LDAP_PROXYPROTO_PORT_NUMBER:-"${LDAP_PORT_NUMBER}"}"
+export LDAP_PROXYPROTO_LDAPS_PORT_NUMBER="${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER:-"${LDAP_LDAPS_PORT_NUMBER}"}"
 export LDAP_ROOT="${LDAP_ROOT:-dc=example,dc=org}"
 export LDAP_SUFFIX="$(if [ -z "${LDAP_SUFFIX+x}" ]; then echo "${LDAP_ROOT}"; else echo "${LDAP_SUFFIX}"; fi)"
 export LDAP_ADMIN_USERNAME="${LDAP_ADMIN_USERNAME:-admin}"
@@ -136,7 +139,7 @@ ldap_validate() {
         error "$1"
         error_code=1
     }
-    for var in LDAP_SKIP_DEFAULT_TREE LDAP_ENABLE_TLS; do
+    for var in LDAP_SKIP_DEFAULT_TREE LDAP_ENABLE_TLS LDAP_ENABLE_PROXYPROTO; do
         if ! is_yes_no_value "${!var}"; then
             print_validation_error "The allowed values for $var are: yes or no"
         fi
@@ -172,6 +175,12 @@ ldap_validate() {
         fi
     fi
 
+    if [[ -n "$LDAP_PROXYPROTO_PORT_NUMBER" ]] && [[ -n "$LDAP_PROXYPROTO_LDAPS_PORT_NUMBER" ]]; then
+        if [[ "$LDAP_PROXYPROTO_PORT_NUMBER" -eq "$LDAP_PROXYPROTO_LDAPS_PORT_NUMBER" ]]; then
+            print_validation_error "LDAP_PROXYPROTO_PORT_NUMBER and LDAP_PROXYPROTO_LDAPS_PORT_NUMBER are bound to the same port!"
+        fi
+    fi
+
     [[ "$error_code" -eq 0 ]] || exit "$error_code"
 }
 

diff --git a/bitnami/openldap/2.5/debian-12/rootfs/opt/bitnami/scripts/openldap/run.sh b/bitnami/openldap/2.5/debian-12/rootfs/opt/bitnami/scripts/openldap/run.sh
@@ -37,10 +37,35 @@ flags_map["-d"]="${LDAP_LOGLEVEL}"
 flags_map["-h"]+="${flags_map["-h"]:+" "}ldapi:///"
 
 # Add LDAP URI
-flags_map["-h"]+="${flags_map["-h"]:+" "}ldap://:${LDAP_PORT_NUMBER}/"
+# Since 'proxied LDAP' default port number is same as 'LDAP',
+# enable LDAP URI when one of the following conditions are met:
+# * proxy protocol capability is disabled
+# * proxy protocol capability is enabled and proxy protocol port differ
+if ! is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}" \
+    || [[ "${LDAP_PORT_NUMBER}" -ne "${LDAP_PROXYPROTO_PORT_NUMBER}" ]]
+then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}ldap://:${LDAP_PORT_NUMBER}/"
+fi
 
 # Add LDAPS URI when TLS is enabled
-is_boolean_yes "${LDAP_ENABLE_TLS}" && flags_map["-h"]+="${flags_map["-h"]:+" "}ldaps://:${LDAP_LDAPS_PORT_NUMBER}/"
+# Since 'proxied LDAP over SSL' default port number is same as 'LDAP over SSL',
+# enable LDAPS URI when one of the following conditions are met:
+# * proxy protocol capability is disabled
+# * proxy protocol capability is enabled and proxy protocol tls port differ
+if is_boolean_yes "${LDAP_ENABLE_TLS}" \
+  && { ! is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}" \
+    || [[ "${LDAP_LDAPS_PORT_NUMBER}" -ne "${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER}" ]]; }
+then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}ldaps://:${LDAP_LDAPS_PORT_NUMBER}/"
+fi
+
+# Add PLDAP URI when proxy protocol capability is enabled
+if is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}"; then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}pldap://:${LDAP_PROXYPROTO_PORT_NUMBER}/"
+  # Also add PLDAPS URI when TLS is enabled
+  is_boolean_yes "${LDAP_ENABLE_TLS}" \
+    && flags_map["-h"]+="${flags_map["-h"]:+" "}pldaps://:${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER}/"
+fi
 
 # Build flags list
 for flag in "${!flags_map[@]}"; do

diff --git a/bitnami/openldap/2.6/debian-12/rootfs/opt/bitnami/scripts/libopenldap.sh b/bitnami/openldap/2.6/debian-12/rootfs/opt/bitnami/scripts/libopenldap.sh
@@ -52,6 +52,9 @@ export LDAP_DAEMON_GROUP="slapd"
 # Settings
 export LDAP_PORT_NUMBER="${LDAP_PORT_NUMBER:-1389}"
 export LDAP_LDAPS_PORT_NUMBER="${LDAP_LDAPS_PORT_NUMBER:-1636}"
+export LDAP_ENABLE_PROXYPROTO="${LDAP_ENABLE_PROXYPROTO:-no}"
+export LDAP_PROXYPROTO_PORT_NUMBER="${LDAP_PROXYPROTO_PORT_NUMBER:-"${LDAP_PORT_NUMBER}"}"
+export LDAP_PROXYPROTO_LDAPS_PORT_NUMBER="${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER:-"${LDAP_LDAPS_PORT_NUMBER}"}"
 export LDAP_ROOT="${LDAP_ROOT:-dc=example,dc=org}"
 export LDAP_SUFFIX="$(if [ -z "${LDAP_SUFFIX+x}" ]; then echo "${LDAP_ROOT}"; else echo "${LDAP_SUFFIX}"; fi)"
 export LDAP_ADMIN_USERNAME="${LDAP_ADMIN_USERNAME:-admin}"
@@ -136,7 +139,7 @@ ldap_validate() {
         error "$1"
         error_code=1
     }
-    for var in LDAP_SKIP_DEFAULT_TREE LDAP_ENABLE_TLS; do
+    for var in LDAP_SKIP_DEFAULT_TREE LDAP_ENABLE_TLS LDAP_ENABLE_PROXYPROTO; do
         if ! is_yes_no_value "${!var}"; then
             print_validation_error "The allowed values for $var are: yes or no"
         fi
@@ -172,6 +175,12 @@ ldap_validate() {
         fi
     fi
 
+    if [[ -n "$LDAP_PROXYPROTO_PORT_NUMBER" ]] && [[ -n "$LDAP_PROXYPROTO_LDAPS_PORT_NUMBER" ]]; then
+        if [[ "$LDAP_PROXYPROTO_PORT_NUMBER" -eq "$LDAP_PROXYPROTO_LDAPS_PORT_NUMBER" ]]; then
+            print_validation_error "LDAP_PROXYPROTO_PORT_NUMBER and LDAP_PROXYPROTO_LDAPS_PORT_NUMBER are bound to the same port!"
+        fi
+    fi
+
     [[ "$error_code" -eq 0 ]] || exit "$error_code"
 }
 

diff --git a/bitnami/openldap/2.6/debian-12/rootfs/opt/bitnami/scripts/openldap/run.sh b/bitnami/openldap/2.6/debian-12/rootfs/opt/bitnami/scripts/openldap/run.sh
@@ -37,10 +37,35 @@ flags_map["-d"]="${LDAP_LOGLEVEL}"
 flags_map["-h"]+="${flags_map["-h"]:+" "}ldapi:///"
 
 # Add LDAP URI
-flags_map["-h"]+="${flags_map["-h"]:+" "}ldap://:${LDAP_PORT_NUMBER}/"
+# Since 'proxied LDAP' default port number is same as 'LDAP',
+# enable LDAP URI when one of the following conditions are met:
+# * proxy protocol capability is disabled
+# * proxy protocol capability is enabled and proxy protocol port differ
+if ! is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}" \
+    || [[ "${LDAP_PORT_NUMBER}" -ne "${LDAP_PROXYPROTO_PORT_NUMBER}" ]]
+then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}ldap://:${LDAP_PORT_NUMBER}/"
+fi
 
 # Add LDAPS URI when TLS is enabled
-is_boolean_yes "${LDAP_ENABLE_TLS}" && flags_map["-h"]+="${flags_map["-h"]:+" "}ldaps://:${LDAP_LDAPS_PORT_NUMBER}/"
+# Since 'proxied LDAP over SSL' default port number is same as 'LDAP over SSL',
+# enable LDAPS URI when one of the following conditions are met:
+# * proxy protocol capability is disabled
+# * proxy protocol capability is enabled and proxy protocol tls port differ
+if is_boolean_yes "${LDAP_ENABLE_TLS}" \
+  && { ! is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}" \
+    || [[ "${LDAP_LDAPS_PORT_NUMBER}" -ne "${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER}" ]]; }
+then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}ldaps://:${LDAP_LDAPS_PORT_NUMBER}/"
+fi
+
+# Add PLDAP URI when proxy protocol capability is enabled
+if is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}"; then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}pldap://:${LDAP_PROXYPROTO_PORT_NUMBER}/"
+  # Also add PLDAPS URI when TLS is enabled
+  is_boolean_yes "${LDAP_ENABLE_TLS}" \
+    && flags_map["-h"]+="${flags_map["-h"]:+" "}pldaps://:${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER}/"
+fi
 
 # Build flags list
 for flag in "${!flags_map[@]}"; do

diff --git a/bitnami/openldap/README.md b/bitnami/openldap/README.md
@@ -274,6 +274,20 @@ This new feature is not mutually exclusive, which means it is possible to listen
       ...
     ```
 
+### Run behind load balancer
+
+OpenLDAP supports the HAProxy proxy protocol version 2 to detect real client IP that is masked when server runs behind load balancer. You can enable and configure this feature with the following environment variables:
+
+* `LDAP_ENABLE_PROXYPROTO`: Whether to enable proxy protocol support for traffic or not. Defaults to `no`.
+* `LDAP_PROXYPROTO_PORT_NUMBER`: The port OpenLDAP is listening for requests that is wrapped in proxy protocol. Default: the **LDAP_PORT_NUMBER** value.
+* `LDAP_PROXYPROTO_LDAPS_PORT_NUMBER`: Port used for TLS secure traffic that is wrapped in proxy protocol. Default: the **LDAP_LDAPS_PORT_NUMBER** value.
+
+Enabling this feature will replace regular and TLS ports with proxy protocol capable analogs. To use both port types, set **LDAP_PROXYPROTO_PORT_NUMBER** to some different value than **LDAP_PORT_NUMBER**. The same statement applied to **LDAP_PROXYPROTO_LDAPS_PORT_NUMBER** and **LDAP_LDAPS_PORT_NUMBER** pair.
+
+**Security warning**: To prevent client IP spoofing, it is highly advised to secure the proxy protocol capable ports by firewall that allow traffic only from load balancer hosts.
+
+Check the official page [OpenLDAP, Running slapd, Command-Line Options](https://www.openldap.org/doc/admin26/runningslapd.html#Command-Line%20Options) for additional information.
+
 ### Initializing a new instance
 
 The [Bitnami OpenLDAP](https://github.com/bitnami/containers/blob/main/bitnami/openldap) image allows you to use your custom scripts to initialize a fresh instance.