Executing LDIF Files
The entrypoint script for the slapd images will use the ldapmodify
command to execute LDIF files
with a .ldif
extension found under the path /ldif/
inside the container.
More specifically:
-
Files found under
/ldif/admin/
will be executed using simple authentication as the directory root user and the unhashed directory root user password injected using the environment variableOLC_ROOT_PASSWORD
in order to affect the directory, such as bootstrapping a tree structure or adding system accounts. -
Files found under
/ldif/admin/first/
will be executed as above but only during the first bootstrap or startup of the container and not on subsequent startup. -
Files found under
/ldif/config/
will be executed using SASL authentication as the container root user in order to affect slapd configuration, such as adjusting access control and configuring modules. -
Files found under
/ldif/config/first/
will be executed as above but only during the first bootstrap or startup of the container and not on subsequent startup.
Any variables of the form %%.+%%
in the LDIF will be substituted with the
value from an injected environment variable without the %%
characters. The
_FILE
convention is respected. For example if the LDIF file contains
dn: uid=syncrepl,o=system,dc=my,dc=org
changetype: add
uid: syncrepl
ou: system
description: special account for SyncRepl
objectClass: account
objectClass: simpleSecurityObject
userPassword: %%SYNCREPL_USER_PASSWORD_HASH_FILE%%
and the environment variable SYNCREPL_USER_PASSWORD_HASH_FILE
is defined
and points to the file /var/run/secrets/syncrepl_user_password_hash
with
contents
{SSHA}emcy1JA+mxbHH0PMPcnasE9apBStAMks
then the LDIF executed will be
dn: uid=syncrepl,o=system,dc=my,dc=org
changetype: add
uid: syncrepl
ou: system
description: special account for SyncRepl
objectClass: account
objectClass: simpleSecurityObject
userPassword: {SSHA}emcy1JA+mxbHH0PMPcnasE9apBStAMks