From d6a96adcec2b3c18b005b08fec38330d251fc106 Mon Sep 17 00:00:00 2001 From: Josh Haile <35245966+voxparcxls@users.noreply.github.com> Date: Wed, 17 Aug 2022 09:54:27 -0700 Subject: [PATCH] OpenLDAP: open source docker ldap (#115) * add openldap Docker setup * update to cws-opensource-ldap and cws-certs * test ldap server from inside Docker container * clean up readme files * re-title certs readme --- README.md | 6 ++- cws-certs/README.md | 10 +++++ cws-opensource-ldap/Dockerfile | 19 ++++++++++ cws-opensource-ldap/README.md | 51 ++++++++++++++++++++++++++ cws-opensource-ldap/access.ldif | 15 ++++++++ cws-opensource-ldap/docker-compose.yml | 8 ++++ cws-opensource-ldap/user.ldif | 18 +++++++++ 7 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 cws-certs/README.md create mode 100644 cws-opensource-ldap/Dockerfile create mode 100644 cws-opensource-ldap/README.md create mode 100644 cws-opensource-ldap/access.ldif create mode 100644 cws-opensource-ldap/docker-compose.yml create mode 100644 cws-opensource-ldap/user.ldif diff --git a/README.md b/README.md index a4e93ebe..34d73461 100644 --- a/README.md +++ b/README.md @@ -76,8 +76,12 @@ Open new Shell terminal designated for running ElasticSearch. docker-compose up ``` +#### _Updating Presets and Default Settings_ - +Preset configuration variables like `default_smtp_hostname` and `default_cws_ldap_url` can be found in files: +- `/install/installerPresets.properties` +- `/install/example-cws-configuration.properties` +- `utils.sh` ----- ## Building CWS diff --git a/cws-certs/README.md b/cws-certs/README.md new file mode 100644 index 00000000..8fa27805 --- /dev/null +++ b/cws-certs/README.md @@ -0,0 +1,10 @@ +## Generate Self-signed Certs + +_Running this script will result in the replacement of existing keystore and truststore in `install/` by new certs_ + +#### Execute script with command: + +``` +./generate-certs.sh +``` + 
diff --git a/cws-opensource-ldap/Dockerfile b/cws-opensource-ldap/Dockerfile
new file mode 100644
index 00000000..cf1dce66
--- /dev/null
+++ b/cws-opensource-ldap/Dockerfile
@@ -0,0 +1,19 @@
+# Based on the public GIT repository by rackerlabs
+# Reference: https://github.com/rackerlabs/dockerstack/tree/master/keystone/openldap
+FROM ubuntu:latest
+
+RUN apt-get update
+RUN apt-get install -q -y vim ldapvi
+RUN echo 'slapd/root_password password password' | debconf-set-selections
+RUN echo 'slapd/root_password_again password password' | debconf-set-selections
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -y slapd ldap-utils
+RUN rm -rf /var/lib/apt/lists/*
+
+ADD access.ldif user.ldif /
+
+RUN service slapd start ;\
+ldapadd -Y EXTERNAL -H ldapi:/// -f access.ldif &&\
+ldapadd -x -D cn=admin,dc=example,dc=com -w password -c -f user.ldif
+
+EXPOSE 389
+CMD slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d -d stats
diff --git a/cws-opensource-ldap/README.md b/cws-opensource-ldap/README.md
new file mode 100644
index 00000000..8c29d8d4
--- /dev/null
+++ b/cws-opensource-ldap/README.md
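Review bot: The admin password literal `password` is baked into the image at the two `debconf-set-selections` lines and again in `ldapadd ... -w password`, and because every `RUN` string is kept in `docker history` it can be recovered from any copy of the built image; load it from a BuildKit secret (`RUN --mount=type=secret,id=ldap_admin_pw ...`) or, if this is only a dev fixture, make it an `ARG` and say so in a comment at the top of the file. `FROM ubuntu:latest` is unpinned, so the same Dockerfile yields different images over time; pin a release tag such as `ubuntu:22.04`. In the bootstrap `RUN`, `service slapd start ;\` chains with `;`, so a failed start is ignored and the error only surfaces at the next `ldapadd`, while `-c` on the second `ldapadd` continues past rejected entries; join with `&&` and drop `-c` so a broken LDIF fails the build instead of producing a half-populated directory. `CMD slapd -h ...` is shell form, so slapd runs under `/bin/sh -c`, is not PID 1 and does not receive SIGTERM from `docker stop`; use exec form, `CMD ["slapd", "-h", "ldap:/// ldapi:///", "-g", "openldap", "-u", "openldap", "-F", "/etc/ldap/slapd.d", "-d", "stats"]`. Smaller points: `ADD access.ldif user.ldif /` should be `COPY`, `apt-get update` should share a layer with its `install` so a stale cached index is never reused, and `vim ldapvi` are interactive tools that do not need to ship in the image.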
@@ -0,0 +1,51 @@ +# Deploy OpenLDAP Server + +### LDAP Server Configuration + +- The open source LDAP server, with default user configuration, can be activated using Docker. + - LDIF files _user.ldif_ and _access.ldif_ contain the default DN(distinguished name), UserId, and ldap user details. + - `dn: cn=cwsuser,ou=Users,dc=example,dc=com` + - `uid: cwsuser` + - You can configure the user directory data by editing the `user.ldif` file. You can find more LDAP and LDIF instructions, [here](https://docs.oracle.com/cd/A87860_01/doc/network.817/a86101/syntax.htm). + +### Start OpenLDAP Container +- While inside this folder run command: + +``` +docker-compose up -d +``` + +#### *Test LDAP Server* +Once `openldap_container` is up, run a ldapsearch command to verify user configuration. +- Enter Docker container: +``` +docker exec -it openldap_container bash +``` +- Run ldapsearch command: +``` +ldapsearch -x -LLL -H ldap://localhost:389 -b dc=example,dc=com -D "cn=,ou=Users,dc=example,dc=com" -w uid= +``` + +#### CWS LDAP Authorization Plugin + +- The LDAP plugin property settings below match the default configuration for the openldap server. + +``` + + + + + + + + + + + + + + + +``` + +_Based on the public GIT repository by rackerlabs, reference: https://github.com/rackerlabs/dockerstack/tree/master/keystone/openldap_ \ No newline at end of file diff --git a/cws-opensource-ldap/access.ldif b/cws-opensource-ldap/access.ldif new file mode 100644 index 00000000..27bbdb11 --- /dev/null +++ b/cws-opensource-ldap/access.ldif 
@@ -0,0 +1,15 @@ +version: 1 +changeType: add +dn: olcDatabase={2}mdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcMdbConfig +olcDatabase: {2}mdb +olcDbDirectory: /var/lib/ldap +olcSuffix: dc=example,dc=com +olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none +olcAccess: {1}to dn.base="" by * read +olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read +olcLastMod: TRUE +olcRootDN: cn=admin,dc=example,dc=com +olcRootPW: password +olcDbIndex: objectClass eq \ No newline at end of file diff --git a/cws-opensource-ldap/docker-compose.yml b/cws-opensource-ldap/docker-compose.yml new file mode 100644 index 00000000..6999b0f8 --- /dev/null +++ b/cws-opensource-ldap/docker-compose.yml @@ -0,0 +1,8 @@ +version: "3.2" +services: + openldap: + build: . + image: openldap + container_name: openldap_container + ports: + - "389:389" diff --git a/cws-opensource-ldap/user.ldif b/cws-opensource-ldap/user.ldif new file mode 100644 index 00000000..761254e9 --- /dev/null +++ b/cws-opensource-ldap/user.ldif @@ -0,0 +1,18 @@ +dn: dc=example,dc=com +dc: example +objectClass: dcObject +objectClass: organizationalUnit +ou: example + +dn: ou=Users,dc=example,dc=com +objectClass: organizationalUnit +ou: Users + +dn: cn=cwsuser,ou=Users,dc=example,dc=com +objectclass: inetOrgPerson +cn: cwsuser +givenName: cws +sn: user +uid: cwsuser +userpassword: ldapcwspassword +mail: cws.user@example.com \ No newline at end of file
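Review bot: `olcRootPW: password` stores the rootdn credential in cleartext in a committed file that is also copied into the image; slapd accepts a hashed value here, so generate one with `slappasswd` and commit the `{SSHA}...` form instead (the Dockerfile's `ldapadd -w` still supplies the plaintext at bind time, so nothing else changes). The `{2}` rule `to * by self write by dn="cn=admin,dc=example,dc=com" write by * read` lets every authenticated user rewrite any attribute of its own entry, including `uid` and `mail`, which are presumably the attributes the application matches the account on; limit self-write to attributes users legitimately change (`userPassword` is already handled by `{0}`) and give `self` only `read` on the rest. The same rule's `by * read` makes the whole tree readable without credentials, which is acceptable for a local fixture but deserves a `#` comment in the file, since the compose file publishes the port. Note that `changeType`/`olcDbDirectory: /var/lib/ldap` is the directory the slapd package's own default database also uses — confirm the two mdb databases are not sharing one LMDB environment.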
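Review bot: `ports: - "389:389"` publishes the directory on every host interface, and with the access rules in access.ldif the whole tree is readable without credentials; for a local dev fixture bind to loopback, `- "127.0.0.1:389:389"`, and add a comment stating that the admin and user passwords are the fixed test values from the LDIF files. `image: openldap` combined with `build: .` tags the locally built image as `openldap:latest`, overwriting any image of that name already on the host; a project-specific name such as `cws-opensource-ldap` avoids the collision.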
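Review bot: `userpassword: ldapcwspassword` stores the test account's password in cleartext in the repo and the image; generate a hash with `slappasswd` and commit the `{SSHA}...` value, which still lets the README's `ldapsearch ... -w` bind succeed because slapd compares the supplied password against the stored hash. Attribute names are inconsistently cased within the file — `objectclass` and `userpassword` in the last entry versus `objectClass` in the two entries above — which LDAP tolerates but makes the file harder to grep and diff; use `objectClass` and `userPassword` throughout.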