[bitnami/openldap] feat: pldap and pldaps support

bitnami/openldap/2.5/debian-12/rootfs/opt/bitnami/scripts/libopenldap.sh

@@ -52,6 +52,9 @@ export LDAP_DAEMON_GROUP="slapd"
 # Settings
 export LDAP_PORT_NUMBER="${LDAP_PORT_NUMBER:-1389}"
 export LDAP_LDAPS_PORT_NUMBER="${LDAP_LDAPS_PORT_NUMBER:-1636}"
+export LDAP_ENABLE_PROXYPROTO="${LDAP_ENABLE_PROXYPROTO:-no}"
+export LDAP_PROXYPROTO_PORT_NUMBER="${LDAP_PROXYPROTO_PORT_NUMBER:-"${LDAP_PORT_NUMBER}"}"
+export LDAP_PROXYPROTO_LDAPS_PORT_NUMBER="${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER:-"${LDAP_LDAPS_PORT_NUMBER}"}"
 export LDAP_ROOT="${LDAP_ROOT:-dc=example,dc=org}"
 export LDAP_SUFFIX="$(if [ -z "${LDAP_SUFFIX+x}" ]; then echo "${LDAP_ROOT}"; else echo "${LDAP_SUFFIX}"; fi)"
 export LDAP_ADMIN_USERNAME="${LDAP_ADMIN_USERNAME:-admin}"
@@ -136,7 +139,7 @@ ldap_validate() {
         error "$1"
         error_code=1
     }
-    for var in LDAP_SKIP_DEFAULT_TREE LDAP_ENABLE_TLS; do
+    for var in LDAP_SKIP_DEFAULT_TREE LDAP_ENABLE_TLS LDAP_ENABLE_PROXYPROTO; do
         if ! is_yes_no_value "${!var}"; then
             print_validation_error "The allowed values for $var are: yes or no"
         fi
@@ -166,12 +169,24 @@ ldap_validate() {
         print_validation_error "Specify the same number of passwords on LDAP_PASSWORDS as the number of users on LDAP_USERS!"
     fi
 
+    for var in LDAP_PORT_NUMBER LDAP_LDAPS_PORT_NUMBER LDAP_PROXYPROTO_PORT_NUMBER LDAP_PROXYPROTO_LDAPS_PORT_NUMBER; do
+        if ! is_positive_int "${!var}"; then
+            print_validation_error "The value for $var must be positive integer!"
+        fi
+    done
+
     if [[ -n "$LDAP_PORT_NUMBER" ]] && [[ -n "$LDAP_LDAPS_PORT_NUMBER" ]]; then
         if [[ "$LDAP_PORT_NUMBER" -eq "$LDAP_LDAPS_PORT_NUMBER" ]]; then
             print_validation_error "LDAP_PORT_NUMBER and LDAP_LDAPS_PORT_NUMBER are bound to the same port!"
         fi
     fi
 
+    if [[ -n "$LDAP_PROXYPROTO_PORT_NUMBER" ]] && [[ -n "$LDAP_PROXYPROTO_LDAPS_PORT_NUMBER" ]]; then
+        if [[ "$LDAP_PROXYPROTO_PORT_NUMBER" -eq "$LDAP_PROXYPROTO_LDAPS_PORT_NUMBER" ]]; then
+            print_validation_error "LDAP_PROXYPROTO_PORT_NUMBER and LDAP_PROXYPROTO_LDAPS_PORT_NUMBER are bound to the same port!"
+        fi
+    fi
+
     [[ "$error_code" -eq 0 ]] || exit "$error_code"
 }
 

bitnami/openldap/2.5/debian-12/rootfs/opt/bitnami/scripts/openldap/run.sh

@@ -21,14 +21,60 @@ command="$(command -v slapd)"
 # https://github.com/docker/docker/issues/8231
 ulimit -n "$LDAP_ULIMIT_NOFILES"
 
-flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldapi:///")
+declare -a flags
+declare -A flags_map
+
+# Drop privileges if we start as root
+am_i_root && flags_map["-u"]="${LDAP_DAEMON_USER}"
+
+# Set config dir
+flags_map["-F"]="${LDAP_CONF_DIR}/slapd.d"
+
+# Enable debug with desired level
+flags_map["-d"]="${LDAP_LOGLEVEL}"
+
+# The LDAP IPC is always on
+flags_map["-h"]+="${flags_map["-h"]:+" "}ldapi:///"
+
+# Add LDAP URI
+# Since 'proxied LDAP' default port number is same as 'LDAP',
+# enable LDAP URI when one of the following conditions are met:
+# * proxy protocol capability is disabled
+# * proxy protocol capability is enabled and proxy protocol port differ
+if ! is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}" \
+    || [[ "${LDAP_PORT_NUMBER}" -ne "${LDAP_PROXYPROTO_PORT_NUMBER}" ]]
+then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}ldap://:${LDAP_PORT_NUMBER}/"
+fi
 
 # Add LDAPS URI when TLS is enabled
-is_boolean_yes "$LDAP_ENABLE_TLS" && flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldaps://:${LDAP_LDAPS_PORT_NUMBER}/ ldapi:///")
+# Since 'proxied LDAP over SSL' default port number is same as 'LDAP over SSL',
+# enable LDAPS URI when one of the following conditions are met:
+# * proxy protocol capability is disabled
+# * proxy protocol capability is enabled and proxy protocol tls port differ
+if is_boolean_yes "${LDAP_ENABLE_TLS}" \
+  && { ! is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}" \
+    || [[ "${LDAP_LDAPS_PORT_NUMBER}" -ne "${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER}" ]]; }
+then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}ldaps://:${LDAP_LDAPS_PORT_NUMBER}/"
+fi
+
+# Add PLDAP URI when proxy protocol capability is enabled
+if is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}"; then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}pldap://:${LDAP_PROXYPROTO_PORT_NUMBER}/"
+  # Also add PLDAPS URI when TLS is enabled
+  is_boolean_yes "${LDAP_ENABLE_TLS}" \
+    && flags_map["-h"]+="${flags_map["-h"]:+" "}pldaps://:${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER}/"
+fi
+
+# Build flags list
+for flag in "${!flags_map[@]}"; do
+  flags+=("${flag}" "${flags_map[${flag}]}")
+done
 
 # Add "@" so users can add extra command line flags
-flags+=("-F" "${LDAP_CONF_DIR}/slapd.d" "-d" "$LDAP_LOGLEVEL" "$@")
+flags+=("$@")
 
 info "** Starting slapd **"
-am_i_root && flags=("-u" "$LDAP_DAEMON_USER" "${flags[@]}")
+debug "Startup cmd: ${command}" "${flags[*]}"
 exec "${command}" "${flags[@]}"

bitnami/openldap/2.6/debian-12/rootfs/opt/bitnami/scripts/libopenldap.sh

@@ -52,6 +52,9 @@ export LDAP_DAEMON_GROUP="slapd"
 # Settings
 export LDAP_PORT_NUMBER="${LDAP_PORT_NUMBER:-1389}"
 export LDAP_LDAPS_PORT_NUMBER="${LDAP_LDAPS_PORT_NUMBER:-1636}"
+export LDAP_ENABLE_PROXYPROTO="${LDAP_ENABLE_PROXYPROTO:-no}"
+export LDAP_PROXYPROTO_PORT_NUMBER="${LDAP_PROXYPROTO_PORT_NUMBER:-"${LDAP_PORT_NUMBER}"}"
+export LDAP_PROXYPROTO_LDAPS_PORT_NUMBER="${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER:-"${LDAP_LDAPS_PORT_NUMBER}"}"
 export LDAP_ROOT="${LDAP_ROOT:-dc=example,dc=org}"
 export LDAP_SUFFIX="$(if [ -z "${LDAP_SUFFIX+x}" ]; then echo "${LDAP_ROOT}"; else echo "${LDAP_SUFFIX}"; fi)"
 export LDAP_ADMIN_USERNAME="${LDAP_ADMIN_USERNAME:-admin}"
@@ -136,7 +139,7 @@ ldap_validate() {
         error "$1"
         error_code=1
     }
-    for var in LDAP_SKIP_DEFAULT_TREE LDAP_ENABLE_TLS; do
+    for var in LDAP_SKIP_DEFAULT_TREE LDAP_ENABLE_TLS LDAP_ENABLE_PROXYPROTO; do
         if ! is_yes_no_value "${!var}"; then
             print_validation_error "The allowed values for $var are: yes or no"
         fi
@@ -166,12 +169,24 @@ ldap_validate() {
         print_validation_error "Specify the same number of passwords on LDAP_PASSWORDS as the number of users on LDAP_USERS!"
     fi
 
+    for var in LDAP_PORT_NUMBER LDAP_LDAPS_PORT_NUMBER LDAP_PROXYPROTO_PORT_NUMBER LDAP_PROXYPROTO_LDAPS_PORT_NUMBER; do
+        if ! is_positive_int "${!var}"; then
+            print_validation_error "The value for $var must be positive integer!"
+        fi
+    done
+
     if [[ -n "$LDAP_PORT_NUMBER" ]] && [[ -n "$LDAP_LDAPS_PORT_NUMBER" ]]; then
         if [[ "$LDAP_PORT_NUMBER" -eq "$LDAP_LDAPS_PORT_NUMBER" ]]; then
             print_validation_error "LDAP_PORT_NUMBER and LDAP_LDAPS_PORT_NUMBER are bound to the same port!"
         fi
     fi
 
+    if [[ -n "$LDAP_PROXYPROTO_PORT_NUMBER" ]] && [[ -n "$LDAP_PROXYPROTO_LDAPS_PORT_NUMBER" ]]; then
+        if [[ "$LDAP_PROXYPROTO_PORT_NUMBER" -eq "$LDAP_PROXYPROTO_LDAPS_PORT_NUMBER" ]]; then
+            print_validation_error "LDAP_PROXYPROTO_PORT_NUMBER and LDAP_PROXYPROTO_LDAPS_PORT_NUMBER are bound to the same port!"
+        fi
+    fi
+
     [[ "$error_code" -eq 0 ]] || exit "$error_code"
 }
 

bitnami/openldap/2.6/debian-12/rootfs/opt/bitnami/scripts/openldap/run.sh

@@ -21,14 +21,60 @@ command="$(command -v slapd)"
 # https://github.com/docker/docker/issues/8231
 ulimit -n "$LDAP_ULIMIT_NOFILES"
 
-flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldapi:///")
+declare -a flags
+declare -A flags_map
+
+# Drop privileges if we start as root
+am_i_root && flags_map["-u"]="${LDAP_DAEMON_USER}"
+
+# Set config dir
+flags_map["-F"]="${LDAP_CONF_DIR}/slapd.d"
+
+# Enable debug with desired level
+flags_map["-d"]="${LDAP_LOGLEVEL}"
+
+# The LDAP IPC is always on
+flags_map["-h"]+="${flags_map["-h"]:+" "}ldapi:///"
+
+# Add LDAP URI
+# Since 'proxied LDAP' default port number is same as 'LDAP',
+# enable LDAP URI when one of the following conditions are met:
+# * proxy protocol capability is disabled
+# * proxy protocol capability is enabled and proxy protocol port differ
+if ! is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}" \
+    || [[ "${LDAP_PORT_NUMBER}" -ne "${LDAP_PROXYPROTO_PORT_NUMBER}" ]]
+then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}ldap://:${LDAP_PORT_NUMBER}/"
+fi
 
 # Add LDAPS URI when TLS is enabled
-is_boolean_yes "$LDAP_ENABLE_TLS" && flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldaps://:${LDAP_LDAPS_PORT_NUMBER}/ ldapi:///")
+# Since 'proxied LDAP over SSL' default port number is same as 'LDAP over SSL',
+# enable LDAPS URI when one of the following conditions are met:
+# * proxy protocol capability is disabled
+# * proxy protocol capability is enabled and proxy protocol tls port differ
+if is_boolean_yes "${LDAP_ENABLE_TLS}" \
+  && { ! is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}" \
+    || [[ "${LDAP_LDAPS_PORT_NUMBER}" -ne "${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER}" ]]; }
+then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}ldaps://:${LDAP_LDAPS_PORT_NUMBER}/"
+fi
+
+# Add PLDAP URI when proxy protocol capability is enabled
+if is_boolean_yes "${LDAP_ENABLE_PROXYPROTO}"; then
+  flags_map["-h"]+="${flags_map["-h"]:+" "}pldap://:${LDAP_PROXYPROTO_PORT_NUMBER}/"
+  # Also add PLDAPS URI when TLS is enabled
+  is_boolean_yes "${LDAP_ENABLE_TLS}" \
+    && flags_map["-h"]+="${flags_map["-h"]:+" "}pldaps://:${LDAP_PROXYPROTO_LDAPS_PORT_NUMBER}/"
+fi
+
+# Build flags list
+for flag in "${!flags_map[@]}"; do
+  flags+=("${flag}" "${flags_map[${flag}]}")
+done
 
 # Add "@" so users can add extra command line flags
-flags+=("-F" "${LDAP_CONF_DIR}/slapd.d" "-d" "$LDAP_LOGLEVEL" "$@")
+flags+=("$@")
 
 info "** Starting slapd **"
-am_i_root && flags=("-u" "$LDAP_DAEMON_USER" "${flags[@]}")
+debug "Startup cmd: ${command}" "${flags[*]}"
 exec "${command}" "${flags[@]}"

bitnami/openldap/README.md

@@ -274,6 +274,20 @@ This new feature is not mutually exclusive, which means it is possible to listen
       ...
     ```
 
+### Run behind load balancer
+
+OpenLDAP supports the HAProxy proxy protocol version 2 to detect real client IP that is masked when server runs behind load balancer. You can enable and configure this feature with the following environment variables:
+
+* `LDAP_ENABLE_PROXYPROTO`: Whether to enable proxy protocol support for traffic or not. Defaults to `no`.
+* `LDAP_PROXYPROTO_PORT_NUMBER`: The port OpenLDAP is listening for requests that is wrapped in proxy protocol. Default: the **LDAP_PORT_NUMBER** value.
+* `LDAP_PROXYPROTO_LDAPS_PORT_NUMBER`: Port used for TLS secure traffic that is wrapped in proxy protocol. Default: the **LDAP_LDAPS_PORT_NUMBER** value.
+
+Enabling this feature will replace regular and TLS ports with proxy protocol capable analogs. To use both port types, set **LDAP_PROXYPROTO_PORT_NUMBER** to some different value than **LDAP_PORT_NUMBER**. The same statement applied to **LDAP_PROXYPROTO_LDAPS_PORT_NUMBER** and **LDAP_LDAPS_PORT_NUMBER** pair.
+
+**Security warning**: To prevent client IP spoofing, it is highly advised to secure the proxy protocol capable ports by firewall that allow traffic only from load balancer hosts.
+
+Check the official page [OpenLDAP, Running slapd, Command-Line Options](https://www.openldap.org/doc/admin26/runningslapd.html#Command-Line%20Options) for additional information.
+
 ### Initializing a new instance
 
 The [Bitnami OpenLDAP](https://github.com/bitnami/containers/blob/main/bitnami/openldap) image allows you to use your custom scripts to initialize a fresh instance.