Update images for Grouper v4

* Use Shib IDP v4 * Installed package changes to support Rocky Linux 8 * Additional php packages and configuration to support php apps and fcgi * mysql max_connections 750 * Openldap defaults to mdb instead of hdb * Curl does not have built-in ldap support, so use netcat for ping tests
docker · Aug 30, 2023 · 3ee0996 · 3ee0996
1 parent 8461a2e
commit 3ee0996
Showing 17 changed files with 385 additions and 188 deletions.
diff --git a/base/Dockerfile b/base/Dockerfile
@@ -1,8 +1,8 @@
-FROM tier/shib-idp:latest4 as idp
+FROM tier/shib-idp:4.3.1_20230818 as idp
 # latest 3.x is tier/shib-idp:3.4.7_20200702
 
 # Grouper version for the entire GTE
-FROM i2incommon/grouper:4.5.2
+FROM i2incommon/grouper:4.5.5
 
 # Disable docker HEALTHCHECK inherited from tier/shib-sp
 HEALTHCHECK NONE
@@ -16,84 +16,100 @@ LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
 ENV ENV=training \
     USERTOKEN=gte-base
 
-# 2021-01-13 the phpldapadmin in epel is 1.2.5 which is incompatible with php 5.4.x
-RUN yum install -y epel-release \
-    && yum install -y mariadb mariadb-server nano openldap openldap-clients openldap-servers phpMyAdmin golang \
-          https://archive.fedoraproject.org/pub/archive/epel/7.2020-10-05/x86_64/Packages/p/phpldapadmin-1.2.3-10.el7.noarch.rpm \
-    && yum clean all
+RUN dnf install -y procps-ng nano nc mariadb mariadb-server openldap-clients php php-json php-mysqlnd golang https://archive.fedoraproject.org/pub/archive/epel/8.7/Everything/x86_64/Packages/p/phpldapadmin-1.2.6.3-1.el8.noarch.rpm \
+    && dnf install -y 'dnf-command(config-manager)' \
+    && dnf config-manager --set-enabled powertools \
+    && dnf install -y openldap-servers \
+    && dnf clean all
+
+RUN mkdir -p /tmp/phpmyadmin \
+    && cd /tmp/phpmyadmin \
+    && wget https://files.phpmyadmin.net/phpMyAdmin/5.2.1/phpMyAdmin-5.2.1-all-languages.zip \
+    && unzip phpMyAdmin-*.zip \
+    && mv phpMyAdmin-*-all-languages /usr/share/phpmyadmin \
+    && mkdir -p /run/php-fpm/ /usr/share/phpmyadmin/tmp/
 
 COPY container_files/seed-data/ /seed-data/
 
+# TODO get the my.cnf from the old server. These files are in cnf.d and don't have a lot of variables
 RUN mysql_install_db --force \
-    && chown -R mysql:mysql /var/lib/mysql/ \
-    && sed -i 's/^\(bind-address\s.*\)/# \1/' /etc/my.cnf \
+    && chown -R mysql:mysql /var/lib/mysql/ /var/log/mariadb \
+    && sed -i 's/^\(bind-address\s.*\)/# \1/' /etc/my.cnf.d/mariadb-server.cnf \
     && sed -i 's/^\(log_error\s.*\)/# \1/' /etc/my.cnf \
     && sed -i 's/\[mysqld\]/\[mysqld\]\ncharacter_set_server = utf8/' /etc/my.cnf \
     && sed -i 's/\[mysqld\]/\[mysqld\]\ncollation_server = utf8_general_ci/' /etc/my.cnf \
     && sed -i 's/\[mysqld\]/\[mysqld\]\nport = 3306/' /etc/my.cnf \
     && cat  /etc/my.cnf \
     && echo "/usr/bin/mysqld_safe &" > /tmp/config \
     && echo "mysqladmin --silent --wait=30 ping || exit 1" >> /tmp/config \
-    && echo "mysql -e 'GRANT ALL PRIVILEGES ON *.* TO \"root\"@\"%\" WITH GRANT OPTION;'" >> /tmp/config \
+    && echo "mysql -e 'CREATE USER \"root\"@\"%\"; GRANT ALL PRIVILEGES ON *.* TO \"root\"@\"%\" WITH GRANT OPTION; FLUSH PRIVILEGES'" >> /tmp/config \
     && echo "mysql -e 'CREATE DATABASE grouper CHARACTER SET utf8 COLLATE utf8_bin;'" >> /tmp/config \
     && bash /tmp/config \
     && rm -f /tmp/config
 #    && mysql grouper < /seed-data/sisData.sql
 
+# TODO error ERROR 1133 (28000) at line 1: Can't find any matching row in the user table
+
+# On Rocky Linux, slapd defaults to mdg not hdb
+# use `ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn` to config
+
+# On Rocky, don't need to import module memberOf (`cat /etc/openldap/slapd.d/cn=config/cn=module{0}.ldif`)
+
 RUN cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG \
     && mkdir -p /var/ldap/example \
     && chown -R ldap:ldap /var/lib/ldap /etc/openldap/slapd.d /var/ldap \
     && (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
-    && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
-    ldapmodify -Y EXTERNAL -H ldapi:/// -f /seed-data/domain.ldif \
+    && while ! nc -z localhost 389 > /dev/null; do echo waiting for ldap to start; sleep 1; done \
+    && ldapmodify -Y EXTERNAL -H ldapi:/// -f /seed-data/domain.ldif \
     && ldapadd -H ldapi:/// -f /etc/openldap/schema/cosine.ldif \
     && ldapadd -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif \
     && ldapadd -H ldapi:/// -f /seed-data/memberOf.ldif \
     && ldapadd -H ldapi:/// -f /seed-data/eduPerson.ldif \
     && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
     && pkill -HUP slapd \
-    && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done
+    && while nc -z localhost 389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done
 
 RUN go install github.com/mailhog/MailHog@v1.0.1
 
 COPY container_files/conf/* /opt/grouper/grouperWebapp/WEB-INF/classes/
-COPY container_files/conf/grouperText/* /opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/
+#COPY container_files/conf/grouperText/* /opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/
 
 RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
-    && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+    && while ! nc -z localhost 389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
     (mysqld_safe & ) \
-    && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+    && while ! nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
     cd /opt/grouper/grouperWebapp/WEB-INF/bin \
     && ./gsh.sh -registry -check -runscript -noprompt \
-    && ./gsh.sh /seed-data/bootstrap.gsh \
     && pkill -HUP slapd \
-    && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+    && while nc -z localhost 389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
     pkill -u mysql mysqld \
-    && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
+    && while nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
 
 COPY --from=idp /opt/shibboleth-idp/ /opt/shibboleth-idp/
 
 COPY container_files/etc/ /etc/
 COPY container_files/httpd/* /etc/httpd/conf.d/
 COPY container_files/shibboleth-idp/ /opt/shibboleth-idp/
 COPY container_files/shibboleth-sp/* /etc/shibboleth/
-COPY container_files/tomcat/ /opt/tomee/
+COPY container_files/tomcat/ /opt/tomcat/
 COPY container_files/tier-support/* /opt/tier-support/
 COPY container_files/tls/host-key.pem  /etc/pki/tls/private/
 COPY container_files/tls/* /etc/pki/tls/certs/
 COPY container_files/usr-local-bin/* /usr/local/bin/
 COPY container_files/var-www-html/ /var/www/html/
+COPY container_files/usr/share/ /usr/share/
 
-#RUN cp /opt/tier-support/grouper.xml /opt/tier-support/grouper-ws.xml /opt/tomee/conf/Catalina/localhost/ \
+#RUN cp /opt/tier-support/grouper.xml /opt/tier-support/grouper-ws.xml /opt/tomcat/conf/Catalina/localhost/ \
 RUN chown -R tomcat /opt/shibboleth-idp/ \
     && chmod -R 700 /opt/shibboleth-idp/ \
     && chmod +rx /var/www/html/app/index.py \
-    && /opt/shibboleth-idp/bin/build.sh \
-    && chmod go-w /etc/phpMyAdmin/config.inc.php
+    && ANT_OPTS="-Didp.noprompt=true -Didp.target.dir=/opt/shibboleth-idp" /opt/shibboleth-idp/bin/build.sh \
+    && chmod go-w /usr/share/phpmyadmin/config.inc.php
 
 
 RUN chown -R tomcat:tomcat /opt/grouper/grouperWebapp
-RUN chown -R tomcat:tomcat /opt/tomee
+RUN chown -R tomcat:tomcat /opt/tomcat
+RUN chown -R apache:apache /usr/share/phpmyadmin/tmp/
 
 ENV GROUPER_START_DELAY_SECONDS=10 \
     GROUPER_WS_GROUPER_AUTH=true

diff --git a/base/container_files/conf/grouper.hibernate.properties b/base/container_files/conf/grouper.hibernate.properties
@@ -28,4 +28,4 @@ hibernate.connection.username         = root
 # Note: you can keep passwords external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122
 hibernate.connection.password         = 
 
-registry.auto.ddl.upToVersion = 2.5.*
+registry.auto.ddl.upToVersion = 4.*.*
diff --git a/base/container_files/conf/log4j2.xml b/base/container_files/conf/log4j2.xml
@@ -5,7 +5,7 @@
     </Properties>
     <Appenders>
         <File name="CATALINA" fileName="/tmp/logpipe">
-            <PatternLayout pattern="tomee;catalina.out;${env:ENV};${env:USERTOKEN};${layout}"/>
+            <PatternLayout pattern="tomcat;catalina.out;${env:ENV};${env:USERTOKEN};${layout}"/>
         </File>
         <Console name="stderr" target="SYSTEM_ERR">
           <PatternLayout pattern="grouper;${ENV};${USERTOKEN};${layout}"/>

diff --git a/base/container_files/etc/my.cnf.d/mariadb-server.cnf b/base/container_files/etc/my.cnf.d/mariadb-server.cnf
@@ -0,0 +1,56 @@
+#
+# These groups are read by MariaDB server.
+# Use it for options that only the server (but not clients) should see
+#
+# See the examples of server my.cnf files in /usr/share/mysql/
+#
+
+# this is read by the standalone daemon and embedded servers
+[server]
+
+# this is only for the mysqld standalone daemon
+# Settings user and group are ignored when systemd is used.
+# If you need to run mysqld under a different user or group,
+# customize your systemd unit file for mysqld/mariadb according to the
+# instructions in http://fedoraproject.org/wiki/Systemd
+[mysqld]
+datadir=/var/lib/mysql
+socket=/var/lib/mysql/mysql.sock
+log-error=/var/log/mariadb/mariadb.log
+pid-file=/run/mariadb/mariadb.pid
+max_connections = 750
+
+
+#
+# * Galera-related settings
+#
+[galera]
+# Mandatory settings
+#wsrep_on=ON
+#wsrep_provider=
+#wsrep_cluster_address=
+#binlog_format=row
+#default_storage_engine=InnoDB
+#innodb_autoinc_lock_mode=2
+#
+# Allow server to accept connections on all interfaces.
+#
+bind-address=0.0.0.0
+#
+# Optional setting
+#wsrep_slave_threads=1
+#innodb_flush_log_at_trx_commit=0
+
+# this is only for embedded server
+[embedded]
+
+# This group is only read by MariaDB servers, not by MySQL.
+# If you use the same .cnf file for MySQL and MariaDB,
+# you can put MariaDB-only options here
+[mariadb]
+
+# This group is only read by MariaDB-10.3 servers.
+# If you use the same .cnf file for MariaDB of different versions,
+# use this group for options that older servers don't understand
+[mariadb-10.3]
+
diff --git a/base/container_files/etc/phpMyAdmin/config.inc.php b/base/container_files/etc/phpMyAdmin/config.inc.php
diff --git a/base/container_files/etc/phpldapadmin/config.php b/base/container_files/etc/phpldapadmin/config.php
@@ -71,17 +71,37 @@
    environments. */
 #  $config->custom->password['no_random_crypt_salt'] = true;
 
+/* If you want to restrict password available types (encryption algorithms)
+	 Should be subset of:
+	 array(
+		''=>'clear',
+		'bcrypt'=>'bcrypt',
+		'blowfish'=>'blowfish',
+		'crypt'=>'crypt',
+		'ext_des'=>'ext_des',
+		'md5'=>'md5',
+		'k5key'=>'k5key',
+		'md5crypt'=>'md5crypt',
+		'sha'=>'sha',
+		'smd5'=>'smd5',
+		'ssha'=>'ssha',
+		'sha256'=>'sha256',
+		'ssha256'=>'ssha256',
+		'sha384'=>'sha384',
+		'ssha384'=>'ssha384',
+		'sha512'=>'sha512',
+		'ssha512'=>'ssha512',
+		'sha256crypt'=>'sha256crypt',
+		'sha512crypt'=>'sha512crypt',
+	 )*/
+#  $config->custom->password['available_types'] = array(''=>'clear','md5'=>'md5');
+
 /* PHP script timeout control. If php runs longer than this many seconds then
    PHP will stop with an Maximum Execution time error. Increase this value from
    the default if queries to your LDAP server are slow. The default is either
    30 seconds or the setting of max_exection_time if this is null. */
 // $config->custom->session['timelimit'] = 30;
 
-// $config->custom->appearance['show_clear_password'] = false;
-
-// $config->custom->search['size_limit'] = 50;
-#  $config->custom->search['size_limit'] = 1000;
-
 /* Our local timezone
    This is to make sure that when we ask the system for the current time, we
    get the right local time. If this is not set, all time() calculations will
@@ -178,6 +198,10 @@
 // $config->custom->appearance['tree_width'] = null;
 #  $config->custom->appearance['tree_width'] = 250;
 
+/* Number of tree command icons to show, 0 = show all icons on 1 row. */
+// $config->custom->appearance['tree_icons'] = 0;
+#  $config->custom->appearance['tree_icons'] = 4;
+
 /* Confirm create and update operations, allowing you to review the changes
    and optionally skip attributes during the create/update operation. */
 // $config->custom->confirm['create'] = true;
@@ -320,7 +344,7 @@
    your situation. If you choose 'cookie', your cookie contents will be
    encrypted using blowfish and the secret your specify above as
    session['blowfish']. */
-$servers->setValue('login','auth_type','cookie');
+$servers->setValue('login','auth_type','session');
 
 /* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
    'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
@@ -339,18 +363,42 @@
 /* Use TLS (Transport Layer Security) to connect to the LDAP server. */
 // $servers->setValue('server','tls',false);
 
+/* TLS Certificate Authority file (overrides ldap.conf, PHP 7.1+) */
+// $servers->setValue('server','tls_cacert',null);
+#  $servers->setValue('server','tls_cacert','/etc/openldap/certs/ca.crt');
+
+/* TLS Certificate Authority hashed directory (overrides ldap.conf, PHP 7.1+) */
+// $servers->setValue('server','tls_cacertdir',null);
+#  $servers->setValue('server','tls_cacertdir','/etc/openldap/certs');
+
+/* TLS Client Certificate file (PHP 7.1+) */
+// $servers->setValue('server','tls_cert',null);
+#  $servers->setValue('server','tls_cert','/etc/pki/tls/certs/ldap_user.crt');
+
+/* TLS Client Certificate Key file (PHP 7.1+) */
+// $servers->setValue('server','tls_key',null);
+#  $servers->setValue('server','tls_key','/etc/pki/tls/private/ldap_user.key');
+
 /************************************
  *      SASL Authentication         *
  ************************************/
 
 /* Enable SASL authentication LDAP SASL authentication requires PHP 5.x
    configured with --with-ldap-sasl=DIR. If this option is disabled (ie, set to
    false), then all other sasl options are ignored. */
-// $servers->setValue('login','auth_type','sasl');
+#  $servers->setValue('login','auth_type','sasl');
 
-/* SASL auth mechanism */
+/* SASL GSSAPI auth mechanism (requires auth_type of sasl) */
 // $servers->setValue('sasl','mech','GSSAPI');
 
+/* SASL PLAIN support... this mech converts simple binds to SASL
+   PLAIN binds using any auth_type (or other bind_id/pass) as credentials.
+   NOTE: auth_type must be simple auth compatible (ie not sasl) */
+#  $servers->setValue('sasl','mech','PLAIN');
+
+/* SASL EXTERNAL support... really a different auth_type */
+#  $servers->setValue('login','auth_type','sasl_external');
+
 /* SASL authentication realm name */
 // $servers->setValue('sasl','realm','');
 #  $servers->setValue('sasl','realm','EXAMPLE.COM');
@@ -384,8 +432,8 @@
 
 /* Default password hashing algorithm. One of md5, ssha, sha, md5crpyt, smd5,
    blowfish, crypt or leave blank for now default algorithm. */
-// $servers->setValue('appearance','password_hash','md5');
-$servers->setValue('appearance','password_hash','');
+// $servers->setValue('appearance','pla_password_hash','md5');
+$servers->setValue('appearance','pla_password_hash','');
 
 /* If you specified 'cookie' or 'session' as the auth_type above, you can
    optionally specify here an attribute to use when logging in. If you enter
@@ -407,6 +455,12 @@
    setup. */
 // $servers->setValue('login','class',array());
 
+/* If login_attr was set to 'dn', it is possible to specify a template string to
+   build the DN from. Use '%s' where user input should be inserted. A user may
+   still enter the complete DN. In this case the template will not be used. */
+// $servers->setValue('login','bind_dn_template',null);
+#  $servers->setValue('login','bind_dn_template','cn=%s,ou=people,dc=example,dc=com');
+
 /* If you specified something different from 'dn', for example 'uid', as the
    login_attr above, you can optionally specify here to fall back to
    authentication with dn.
@@ -427,6 +481,9 @@
 /* Set to true if you would like to initially open the first level of each tree. */
 // $servers->setValue('appearance','open_tree',false);
 
+/* Set to true to display authorization ID in place of login dn (PHP 7.2+) */
+// $servers->setValue('appearance','show_authz',false);
+
 /* This feature allows phpLDAPadmin to automatically determine the next
    available uidNumber for a new entry. */
 // $servers->setValue('auto_number','enable',true);
@@ -553,7 +610,7 @@
 $servers->setValue('sasl','authz_id_replacement','$1');
 $servers->setValue('sasl','props',null);
 
-$servers->setValue('appearance','password_hash','md5');
+$servers->setValue('appearance','pla_password_hash','md5');
 $servers->setValue('login','attr','dn');
 $servers->setValue('login','fallback_dn',false);
 $servers->setValue('login','class',null);
@@ -580,4 +637,19 @@
 $servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock'));
 $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'));
 */
-?>
+
+
+/***********************************************************************************
+ * If you want to configure Google reCAPTCHA on autentication form, do so below.   *
+ * Remove the commented lines and use this section as a template for all           *
+ * reCAPTCHA v2  Generate on https://www.google.com/recaptcha/                     *
+ *                                                                                 *
+ * IMPORTANT: Select reCAPTCHA v2   on  Type of reCAPTCHA                          *
+ ***********************************************************************************/
+
+
+$config->custom->session['reCAPTCHA-enable'] = false;
+$config->custom->session['reCAPTCHA-key-site'] = '<put-here-key-site>';
+$config->custom->session['reCAPTCHA-key-server'] = '<put-here-key-server>';
+
+?>
diff --git a/base/container_files/httpd/phpMyAdmin.conf b/base/container_files/httpd/phpMyAdmin.conf
@@ -5,10 +5,10 @@
 # But allowing phpMyAdmin to anyone other than localhost should be considered
 # dangerous unless properly secured by SSL
 
-Alias /phpMyAdmin /usr/share/phpMyAdmin
-Alias /phpmyadmin /usr/share/phpMyAdmin
+Alias /phpMyAdmin /usr/share/phpmyadmin
+Alias /phpmyadmin /usr/share/phpmyadmin
 
-<Directory /usr/share/phpMyAdmin/>
+<Directory /usr/share/phpmyadmin/>
    AddDefaultCharset UTF-8
 
    <IfModule mod_authz_core.c>
@@ -28,7 +28,7 @@ Alias /phpmyadmin /usr/share/phpMyAdmin
    </IfModule>
 </Directory>
 
-<Directory /usr/share/phpMyAdmin/setup/>
+<Directory /usr/share/phpmyadmin/setup/>
    <IfModule mod_authz_core.c>
      # Apache 2.4
      <RequireAny>
@@ -49,19 +49,19 @@ Alias /phpmyadmin /usr/share/phpMyAdmin
 # These directories do not require access over HTTP - taken from the original
 # phpMyAdmin upstream tarball
 #
-<Directory /usr/share/phpMyAdmin/libraries/>
+<Directory /usr/share/phpmyadmin/libraries/>
     Order Deny,Allow
     Deny from All
     Allow from None
 </Directory>
 
-<Directory /usr/share/phpMyAdmin/setup/lib/>
+<Directory /usr/share/phpmyadmin/setup/lib/>
     Order Deny,Allow
     Deny from All
     Allow from None
 </Directory>
 
-<Directory /usr/share/phpMyAdmin/setup/frames/>
+<Directory /usr/share/phpmyadmin/setup/frames/>
     Order Deny,Allow
     Deny from All
     Allow from None
@@ -71,7 +71,7 @@ Alias /phpmyadmin /usr/share/phpMyAdmin
 # filtering SQL etc.  This may break your mod_security implementation.
 #
 #<IfModule mod_security.c>
-#    <Directory /usr/share/phpMyAdmin/>
+#    <Directory /usr/share/phpmyadmin/>
 #        SecRuleInheritance Off
 #    </Directory>
 #</IfModule>
diff --git a/base/container_files/seed-data/bootstrap.gsh b/base/container_files/seed-data/bootstrap.gsh
diff --git a/base/container_files/seed-data/domain.ldif b/base/container_files/seed-data/domain.ldif
@@ -1,14 +1,14 @@
-dn: olcDatabase={2}hdb,cn=config
+dn: olcDatabase={2}mdb,cn=config
 changetype: modify
 replace: olcSuffix
 olcSuffix: dc=internet2,dc=edu
 
-dn: olcDatabase={2}hdb,cn=config
+dn: olcDatabase={2}mdb,cn=config
 changetype: modify
 replace: olcRootDN
 olcRootDN: cn=root,dc=internet2,dc=edu
 
-dn: olcDatabase={2}hdb,cn=config
+dn: olcDatabase={2}mdb,cn=config
 changetype: modify
 add: olcRootPW
 olcRootPW: password
diff --git a/base/container_files/seed-data/memberOf.ldif b/base/container_files/seed-data/memberOf.ldif
@@ -5,7 +5,7 @@ objectclass: top
 olcmoduleload: memberof.la
 olcmodulepath: /usr/lib64/openldap
 
-dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
+dn: olcOverlay={0}memberof,olcDatabase={2}mdb,cn=config
 objectClass: olcConfig
 objectClass: olcMemberOf
 objectClass: olcOverlayConfig
@@ -19,7 +19,7 @@ objectclass: top
 olcmoduleload: refint.la
 olcmodulepath: /usr/lib64/openldap
 
-dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
+dn: olcOverlay={1}refint,olcDatabase={2}mdb,cn=config
 objectClass: olcConfig
 objectClass: olcOverlayConfig
 objectClass: olcRefintConfig

diff --git a/base/container_files/tier-support/supervisord-training.conf b/base/container_files/tier-support/supervisord-training.conf
@@ -33,8 +33,8 @@ priority=15
 
 [program:tomcat]
 user=tomcat
-#command=bash -c "while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 3; done; exec /opt/tomee/bin/catalina.sh run"
-command=/opt/tomee/bin/catalina.sh run
+#command=bash -c "while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 3; done; exec /opt/tomcat/bin/catalina.sh run"
+command=/opt/tomcat/bin/catalina.sh run
 stderr_logfile = /tmp/logtomcat
 stderr_logfile_maxbytes=0
 stdout_logfile = /tmp/logtomcat
@@ -58,10 +58,18 @@ stdout_logfile = /tmp/logpipe
 stdout_logfile_maxbytes=0
 priority=10
 
+[program:php-fpm]
+command=/usr/sbin/php-fpm --nodaemonize
+stderr_logfile = /tmp/logpipe
+stderr_logfile_maxbytes=0
+stdout_logfile = /tmp/logpipe
+stdout_logfile_maxbytes=0
+priority=400
+
 [program:mailhog]
 command=/root/go/bin/MailHog -ui-web-path mail
 stderr_logfile = /tmp/logpipe
 stderr_logfile_maxbytes=0
 stdout_logfile = /tmp/logpipe
 stdout_logfile_maxbytes=0
-priority=400
+priority=500
diff --git a/base/container_files/usr/share/phpmyadmin/config.inc.php b/base/container_files/usr/share/phpmyadmin/config.inc.php
@@ -0,0 +1,160 @@
+<?php
+/**
+ * phpMyAdmin sample configuration, you can use it as base for
+ * manual configuration. For easier setup you can use setup/
+ *
+ * All directives are explained in documentation in the doc/ folder
+ * or at <https://docs.phpmyadmin.net/>.
+ */
+
+declare(strict_types=1);
+
+/**
+ * This is needed for cookie based authentication to encrypt the cookie.
+ * Needs to be a 32-bytes long string of random bytes. See FAQ 2.10.
+ */
+$cfg['blowfish_secret'] = 'd7Y5iRSDpGaQkvSqxKWPwHfazswioRBO'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
+
+/**
+ * Servers configuration
+ */
+$i = 0;
+
+/**
+ * First server
+ */
+$i++;
+/* Authentication type */
+$cfg['Servers'][$i]['auth_type'] = 'cookie';
+/* Server parameters */
+$cfg['Servers'][$i]['host'] = 'localhost';
+$cfg['Servers'][$i]['compress'] = false;
+$cfg['Servers'][$i]['AllowNoPassword'] = true;
+
+/**
+ * phpMyAdmin configuration storage settings.
+ */
+
+/* User used to manipulate with storage */
+// $cfg['Servers'][$i]['controlhost'] = '';
+// $cfg['Servers'][$i]['controlport'] = '';
+// $cfg['Servers'][$i]['controluser'] = 'pma';
+// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
+
+/* Storage database and tables */
+// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
+// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
+// $cfg['Servers'][$i]['relation'] = 'pma__relation';
+// $cfg['Servers'][$i]['table_info'] = 'pma__table_info';
+// $cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
+// $cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
+// $cfg['Servers'][$i]['column_info'] = 'pma__column_info';
+// $cfg['Servers'][$i]['history'] = 'pma__history';
+// $cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
+// $cfg['Servers'][$i]['tracking'] = 'pma__tracking';
+// $cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
+// $cfg['Servers'][$i]['recent'] = 'pma__recent';
+// $cfg['Servers'][$i]['favorite'] = 'pma__favorite';
+// $cfg['Servers'][$i]['users'] = 'pma__users';
+// $cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
+// $cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
+// $cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
+// $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
+// $cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
+// $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
+
+/**
+ * End of servers configuration
+ */
+
+/**
+ * Directories for saving/loading files from server
+ */
+$cfg['UploadDir'] = '';
+$cfg['SaveDir'] = '';
+
+/**
+ * Whether to display icons or text or both icons and text in table row
+ * action segment. Value can be either of 'icons', 'text' or 'both'.
+ * default = 'both'
+ */
+//$cfg['RowActionType'] = 'icons';
+
+/**
+ * Defines whether a user should be displayed a "show all (records)"
+ * button in browse mode or not.
+ * default = false
+ */
+//$cfg['ShowAll'] = true;
+
+/**
+ * Number of rows displayed when browsing a result set. If the result
+ * set contains more rows, "Previous" and "Next".
+ * Possible values: 25, 50, 100, 250, 500
+ * default = 25
+ */
+//$cfg['MaxRows'] = 50;
+
+/**
+ * Disallow editing of binary fields
+ * valid values are:
+ *   false    allow editing
+ *   'blob'   allow editing except for BLOB fields
+ *   'noblob' disallow editing except for BLOB fields
+ *   'all'    disallow editing
+ * default = 'blob'
+ */
+//$cfg['ProtectBinary'] = false;
+
+/**
+ * Default language to use, if not browser-defined or user-defined
+ * (you find all languages in the locale folder)
+ * uncomment the desired line:
+ * default = 'en'
+ */
+//$cfg['DefaultLang'] = 'en';
+//$cfg['DefaultLang'] = 'de';
+
+/**
+ * How many columns should be used for table display of a database?
+ * (a value larger than 1 results in some information being hidden)
+ * default = 1
+ */
+//$cfg['PropertiesNumColumns'] = 2;
+
+/**
+ * Set to true if you want DB-based query history.If false, this utilizes
+ * JS-routines to display query history (lost by window close)
+ *
+ * This requires configuration storage enabled, see above.
+ * default = false
+ */
+//$cfg['QueryHistoryDB'] = true;
+
+/**
+ * When using DB-based query history, how many entries should be kept?
+ * default = 25
+ */
+//$cfg['QueryHistoryMax'] = 100;
+
+/**
+ * Whether or not to query the user before sending the error report to
+ * the phpMyAdmin team when a JavaScript error occurs
+ *
+ * Available options
+ * ('ask' | 'always' | 'never')
+ * default = 'ask'
+ */
+//$cfg['SendErrorReports'] = 'always';
+
+/**
+ * 'URLQueryEncryption' defines whether phpMyAdmin will encrypt sensitive data from the URL query string.
+ * 'URLQueryEncryptionSecretKey' is a 32 bytes long secret key used to encrypt/decrypt the URL query string.
+ */
+//$cfg['URLQueryEncryption'] = true;
+//$cfg['URLQueryEncryptionSecretKey'] = '';
+
+/**
+ * You can find more configuration options in the documentation
+ * in the doc/ folder or at <https://docs.phpmyadmin.net/>.
+ */
diff --git a/ex101/ex101.1.1/Dockerfile b/ex101/ex101.1.1/Dockerfile
@@ -19,15 +19,15 @@ COPY container_files/seed-data/ /seed-data/
 RUN . /usr/local/bin/library.sh \
     && prep_conf && prep_finish; \
     (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
-    && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+    && while ! nc -z localhost 389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
     (mysqld_safe & ) \
-    && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+    && while ! nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
     cd /opt/grouper/grouperWebapp/WEB-INF/bin \
     && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
     && mysql grouper < /seed-data/sisData.sql \
     && cp -r /opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon/* /opt/grouper/grouperWebapp/WEB-INF/lib/ \
     && sudo --preserve-env=PATH -u tomcat ./gsh.sh /seed-data/bootstrap.gsh \
     && pkill -HUP slapd \
-    && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+    && while nc -z localhost 389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
     pkill -u mysql mysqld \
-    && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
+    && while nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh b/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh
@@ -577,6 +577,10 @@ def group = new GroupSave(gs).assignName("ref:role:all_facstaff").assignDisplayE
 assignObjectTypeForGroup(group, "ref", "HR, IAM", "Combines the All Faculty plus All Staff reference groups")
 
 
+/***** Empty the changelog temp now, to save on the first container startup ****/
+
+loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog")
+
 /***** Schedule jobs is an upgrade task for 2.5.55 ****/
 
 GrouperLoader.scheduleJobs()

diff --git a/ex201/ex201.end/Dockerfile b/ex201/ex201.end/Dockerfile
@@ -18,14 +18,14 @@ COPY container_files/seed-data/ /seed-data/
 RUN . /usr/local/bin/library.sh \
     && prep_conf && prep_finish; \
     (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
-    && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+    && while ! nc -z localhost 389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
     (mysqld_safe & ) \
-    && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+    && while ! nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
     cd /opt/grouper/grouperWebapp/WEB-INF \
     && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
     && mysql grouper < /seed-data/sisData.sql \
     && sudo --preserve-env=PATH -u tomcat bin/gsh.sh /seed-data/bootstrap.gsh \
     && pkill -HUP slapd \
-    && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+    && while nc -z localhost 389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
     pkill -u mysql mysqld \
-    && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
+    && while nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/ex401/ex401.end/Dockerfile b/ex401/ex401.end/Dockerfile
@@ -18,15 +18,15 @@ COPY container_files/seed-data/ /seed-data/
 RUN . /usr/local/bin/library.sh \
     && prep_conf && prep_finish; \
     (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
-    && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+    && while ! nc -z localhost 389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
     (mysqld_safe & ) \
-    && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+    && while ! nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
     cd /opt/grouper/grouperWebapp/WEB-INF \
     && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
     && mysql grouper < /seed-data/sisData.sql \
     && cp -r /opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon/* /opt/grouper/grouperWebapp/WEB-INF/lib/ \
     && sudo --preserve-env=PATH -u tomcat bin/gsh.sh /seed-data/bootstrap.gsh \
     && pkill -HUP slapd \
-    && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+    && while nc -z localhost 389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
     pkill -u mysql mysqld \
-    && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
+    && while nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/gte b/gte
@@ -1,7 +1,9 @@
 #! /bin/bash
 
 REPOSITORY=tier/gte
-VERSION_TAG=202310
+if [ -z "$VERSION_TAG" ]; then
+  VERSION_TAG=202310
+fi
 
 EXTRA_ARGS=