OpenLDAP cannot be set up using slapd.ldif
There is a minor inconvenience when running slapd (OpenLDAP) without init.d (i.e. inside a Docker container). One of the available options is to run it as follows:
CMD [ "slapd", "-F", "/etc/openldap/slapd.d", "-h", "ldapi:/// ldap:///", "-u", "ldap", "-g", "ldap" ]
To achieve this I would expect that I must first run (in some docker-entrypoint.sh):
slapadd -n0 -F "/etc/openldap/slapd.d" -l "/etc/openldap/slapd.ldif"
But that line returns an error if the default slapd.ldif is used:
5ce2c909 <= str2entry(olcDatabase=mdb,cn=config) -> 0x55c25f691b08
5ce2c909 oc_check_required entry (olcDatabase=mdb,cn=config), objectClass "olcMdbConfig"
5ce2c909 Entry (olcDatabase=mdb,cn=config): object class 'olcMdbConfig' requires attribute 'olcDbDirectory'
slapadd: dn="olcDatabase=mdb,cn=config" (line=668): (65) object class 'olcMdbConfig' requires attribute 'olcDbDirectory'
5ce2c909 slapadd shutdown: initiated
5ce2c909 slapadd destroy: freeing system resources.
The problem is that the following patch, https://git.alpinelinux.org/aports/tree/main/openldap/configs.patch, adds stray empty lines, which the LDIF format does not allow inside an entry (a blank line signals that the entry has ended). This is described in the official docs, https://www.openldap.org/doc/admin24/dbtools.html#The%20LDIF%20text%20entry%20format, as: “Multiple entries within the same LDIF file are separated by blank lines. Here’s an example of an LDIF file containing three entries.”
@@ -83,13 +85,16 @@
olcDatabase: mdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
+
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: secret
+
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
-olcDbDirectory: %LOCALSTATEDIR%/openldap-data
+olcDbDirectory: /var/lib/openldap/openldap-data
+
# Indices to maintain
olcDbIndex: objectClass eq
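Review bot: the three `+` blank lines (after olcRootDN, after olcRootPW and after olcDbDirectory) each terminate an LDIF record, so olcDatabase=mdb,cn=config ends at olcRootDN and slapadd rejects it for the missing olcDbDirectory while olcRootPW and olcDbDirectory land in dn-less records; keep only the `olcDbDirectory: /var/lib/openldap/openldap-data` substitution and drop the added blank lines (the `#` comment lines may stay, as LDIF ignores them).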
If those 3 empty lines are removed, everything works fine.
I don’t know how to submit a patch to your infrastructure, so I kindly ask you to patch/fix this.
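To make the failure concrete, here is an added example in Python (not part of the report or of OpenLDAP): a minimal splitter that cuts an LDIF file into records at blank lines the way slapadd does, reports the entry that now lacks olcDbDirectory, and shows that folding the dn-less records back into the preceding entry, which is what deleting the blank lines achieves, makes the check pass. The sample LDIF is constructed from the hunk above; parse_ldif, missing_required and merge_orphans are names chosen here.

```python
# Constructed sample (added example, not the report's file): the patched
# slapd.ldif excerpt with the blank lines the Alpine patch inserts into the entry.
BROKEN_LDIF = """\
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcRootDN: cn=Manager,dc=my-domain,dc=com

# Cleartext passwords, especially for the rootdn, should be avoided.
olcRootPW: secret

olcDbDirectory: /var/lib/openldap/openldap-data
"""

def parse_ldif(text):
    """Records as lists of (attribute, value), split the way slapadd does: '#'
    lines are comments, a leading space folds, a blank line ends the record."""
    records, rec = [], []
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and rec:    # RFC 2849 line folding
            rec[-1] = (rec[-1][0], rec[-1][1] + raw[1:])
        elif raw.strip():
            attr, _, value = raw.partition(":")
            rec.append((attr.strip(), value.strip()))
        elif rec:
            records.append(rec)
            rec = []
    return records

def missing_required(records, objectclass, attribute):
    """DNs (None when dn-less) of records declaring `objectclass` without `attribute`."""
    hits = []
    for rec in records:
        attrs = {a.lower() for a, _ in rec}
        classes = {v for a, v in rec if a.lower() == "objectclass"}
        if objectclass in classes and attribute.lower() not in attrs:
            hits.append(dict(rec).get("dn"))
    return hits

def merge_orphans(records):
    """Fold dn-less records into the preceding entry, i.e. delete the stray blanks."""
    merged = []
    for rec in records:
        if rec[0][0].lower() == "dn" or not merged:
            merged.append(list(rec))
        else:
            merged[-1].extend(rec)
    return merged
```

Running missing_required on parse_ldif(BROKEN_LDIF) names olcDatabase=mdb,cn=config, exactly the entry slapadd rejects; after merge_orphans the list is empty.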
(from redmine: issue id 10472, created on 2019-05-20)