diff --git a/base/Dockerfile b/base/Dockerfile index a6c19cc..80d190f 100644 --- a/base/Dockerfile +++ b/base/Dockerfile @@ -1,8 +1,8 @@ -FROM tier/shib-idp:latest4 as idp +FROM tier/shib-idp:4.3.1_20230818 as idp # latest 3.x is tier/shib-idp:3.4.7_20200702 # Grouper version for the entire GTE -FROM i2incommon/grouper:4.5.2 +FROM i2incommon/grouper:4.5.5 # Disable docker HEALTHCHECK inherited from tier/shib-sp HEALTHCHECK NONE 
@@ -16,17 +16,25 @@ LABEL author="tier-packaging@internet2.edu " \ ENV ENV=training \ USERTOKEN=gte-base -# 2021-01-13 the phpldapadmin in epel is 1.2.5 which is incompatible with php 5.4.x -RUN yum install -y epel-release \ - && yum install -y mariadb mariadb-server nano openldap openldap-clients openldap-servers phpMyAdmin golang \ - https://archive.fedoraproject.org/pub/archive/epel/7.2020-10-05/x86_64/Packages/p/phpldapadmin-1.2.3-10.el7.noarch.rpm \ - && yum clean all +RUN dnf install -y procps-ng nano nc mariadb mariadb-server openldap-clients php php-json php-mysqlnd golang https://archive.fedoraproject.org/pub/archive/epel/8.7/Everything/x86_64/Packages/p/phpldapadmin-1.2.6.3-1.el8.noarch.rpm \ + && dnf install -y 'dnf-command(config-manager)' \ + && dnf config-manager --set-enabled powertools \ + && dnf install -y openldap-servers \ + && dnf clean all + +RUN mkdir -p /tmp/phpmyadmin \ + && cd /tmp/phpmyadmin \ + && wget https://files.phpmyadmin.net/phpMyAdmin/5.2.1/phpMyAdmin-5.2.1-all-languages.zip \ + && unzip phpMyAdmin-*.zip \ + && mv phpMyAdmin-*-all-languages /usr/share/phpmyadmin \ + && mkdir -p /run/php-fpm/ /usr/share/phpmyadmin/tmp/ COPY container_files/seed-data/ /seed-data/ +# TODO get the my.cnf from the old server. These files are in cnf.d and don't have a lot of variables RUN mysql_install_db --force \ - && chown -R mysql:mysql /var/lib/mysql/ \ - && sed -i 's/^\(bind-address\s.*\)/# \1/' /etc/my.cnf \ + && chown -R mysql:mysql /var/lib/mysql/ /var/log/mariadb \ + && sed -i 's/^\(bind-address\s.*\)/# \1/' /etc/my.cnf.d/mariadb-server.cnf \ && sed -i 's/^\(log_error\s.*\)/# \1/' /etc/my.cnf \ && sed -i 's/\[mysqld\]/\[mysqld\]\ncharacter_set_server = utf8/' /etc/my.cnf \ && sed -i 's/\[mysqld\]/\[mysqld\]\ncollation_server = utf8_general_ci/' /etc/my.cnf \ 
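Review bot: The phpldapadmin RPM in the `dnf install` line and the phpMyAdmin 5.2.1 zip fetched by `wget` are pulled from remote URLs with no checksum or signature verification, so the image contents depend on whatever those hosts serve at build time (dnf's `localpkg_gpgcheck` is off by default, so the URL RPM is not signature-checked either). Pin the zip with a BuildKit `ADD --checksum=sha256:<expected-digest> https://files.phpmyadmin.net/phpMyAdmin/5.2.1/phpMyAdmin-5.2.1-all-languages.zip /tmp/phpmyadmin/` or verify it with `echo "<expected-digest>  phpMyAdmin-5.2.1-all-languages.zip" | sha256sum -c` before `unzip`, and record the RPM's expected digest the same way. The downloaded zip is left in `/tmp/phpmyadmin` inside the layer; finish that RUN with `&& rm -rf /tmp/phpmyadmin` (the `cd` could also become a `WORKDIR`). The new `sed` against `/etc/my.cnf.d/mariadb-server.cnf` only affects the build-time mysqld: this commit adds the same file under `container_files/etc/my.cnf.d/`, which the later `COPY container_files/etc/ /etc/` installs over it, and that copy writes `bind-address=0.0.0.0` with no whitespace after the key, which the `bind-address\s` pattern would not match anyway.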
@@ -34,42 +42,48 @@ RUN mysql_install_db --force \ && cat /etc/my.cnf \ && echo "/usr/bin/mysqld_safe &" > /tmp/config \ && echo "mysqladmin --silent --wait=30 ping || exit 1" >> /tmp/config \ - && echo "mysql -e 'GRANT ALL PRIVILEGES ON *.* TO \"root\"@\"%\" WITH GRANT OPTION;'" >> /tmp/config \ + && echo "mysql -e 'CREATE USER \"root\"@\"%\"; GRANT ALL PRIVILEGES ON *.* TO \"root\"@\"%\" WITH GRANT OPTION; FLUSH PRIVILEGES'" >> /tmp/config \ && echo "mysql -e 'CREATE DATABASE grouper CHARACTER SET utf8 COLLATE utf8_bin;'" >> /tmp/config \ && bash /tmp/config \ && rm -f /tmp/config # && mysql grouper < /seed-data/sisData.sql +# TODO error ERROR 1133 (28000) at line 1: Can't find any matching row in the user table + +# On Rocky Linux, slapd defaults to mdg not hdb +# use `ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn` to config + +# On Rocky, don't need to import module memberOf (`cat /etc/openldap/slapd.d/cn=config/cn=module{0}.ldif`) + RUN cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG \ && mkdir -p /var/ldap/example \ && chown -R ldap:ldap /var/lib/ldap /etc/openldap/slapd.d /var/ldap \ && (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \ - && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \ - ldapmodify -Y EXTERNAL -H ldapi:/// -f /seed-data/domain.ldif \ + && while ! 
nc -z localhost 389 > /dev/null; do echo waiting for ldap to start; sleep 1; done \ + && ldapmodify -Y EXTERNAL -H ldapi:/// -f /seed-data/domain.ldif \ && ldapadd -H ldapi:/// -f /etc/openldap/schema/cosine.ldif \ && ldapadd -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif \ && ldapadd -H ldapi:/// -f /seed-data/memberOf.ldif \ && ldapadd -H ldapi:/// -f /seed-data/eduPerson.ldif \ && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \ && pkill -HUP slapd \ - && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done + && while nc -z localhost 389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done RUN go install github.com/mailhog/MailHog@v1.0.1 COPY container_files/conf/* /opt/grouper/grouperWebapp/WEB-INF/classes/ -COPY container_files/conf/grouperText/* /opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/ +#COPY container_files/conf/grouperText/* /opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/ RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \ - && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \ + && while ! nc -z localhost 389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \ (mysqld_safe & ) \ - && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \ + && while ! 
nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \ cd /opt/grouper/grouperWebapp/WEB-INF/bin \ && ./gsh.sh -registry -check -runscript -noprompt \ - && ./gsh.sh /seed-data/bootstrap.gsh \ && pkill -HUP slapd \ - && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \ + && while nc -z localhost 389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \ pkill -u mysql mysqld \ - && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done + && while nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done COPY --from=idp /opt/shibboleth-idp/ /opt/shibboleth-idp/ 
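Review bot: The new `CREATE USER "root"@"%"` line creates an account with no password and then grants it `ALL PRIVILEGES ... WITH GRANT OPTION` from any host, and this commit also ships `bind-address=0.0.0.0` in mariadb-server.cnf, so anyone who can reach the container's port 3306 gets full control of the database. If that is deliberate for a training image, say so on the line (`# training image: passwordless root@% is intentional; never publish 3306 beyond the lab network`); otherwise set the password from a build secret (`RUN --mount=type=secret,id=<secret-id>,...`) or limit the host part. The `while ! nc -z ... done` loops here, and the identical ones in ex101/ex101.1.1/Dockerfile and ex201/ex201.end/Dockerfile, spin forever if slapd or mysqld fails to start, so a broken build hangs instead of failing; a bounded wait such as `t=60; while ! nc -z localhost 389; do t=$((t-1)); [ "$t" -gt 0 ] || exit 1; sleep 1; done` fixes that in one line. The added TODO about `ERROR 1133` reads as the symptom that the added `CREATE USER` addresses; if so, it can be dropped once this lands.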
@@ -77,23 +91,25 @@ COPY container_files/etc/ /etc/ COPY container_files/httpd/* /etc/httpd/conf.d/ COPY container_files/shibboleth-idp/ /opt/shibboleth-idp/ COPY container_files/shibboleth-sp/* /etc/shibboleth/ -COPY container_files/tomcat/ /opt/tomee/ +COPY container_files/tomcat/ /opt/tomcat/ COPY container_files/tier-support/* /opt/tier-support/ COPY container_files/tls/host-key.pem /etc/pki/tls/private/ COPY container_files/tls/* /etc/pki/tls/certs/ COPY container_files/usr-local-bin/* /usr/local/bin/ COPY container_files/var-www-html/ /var/www/html/ +COPY container_files/usr/share/ /usr/share/ -#RUN cp /opt/tier-support/grouper.xml /opt/tier-support/grouper-ws.xml /opt/tomee/conf/Catalina/localhost/ \ +#RUN cp /opt/tier-support/grouper.xml /opt/tier-support/grouper-ws.xml /opt/tomcat/conf/Catalina/localhost/ \ RUN chown -R tomcat /opt/shibboleth-idp/ \ && chmod -R 700 /opt/shibboleth-idp/ \ && chmod +rx /var/www/html/app/index.py \ - && /opt/shibboleth-idp/bin/build.sh \ - && chmod go-w /etc/phpMyAdmin/config.inc.php + && ANT_OPTS="-Didp.noprompt=true -Didp.target.dir=/opt/shibboleth-idp" /opt/shibboleth-idp/bin/build.sh \ + && chmod go-w /usr/share/phpmyadmin/config.inc.php RUN chown -R tomcat:tomcat /opt/grouper/grouperWebapp -RUN chown -R tomcat:tomcat /opt/tomee +RUN chown -R tomcat:tomcat /opt/tomcat +RUN chown -R apache:apache /usr/share/phpmyadmin/tmp/ ENV GROUPER_START_DELAY_SECONDS=10 \ GROUPER_WS_GROUPER_AUTH=true diff --git a/base/container_files/conf/grouper.hibernate.properties b/base/container_files/conf/grouper.hibernate.properties index c9167e9..88c7570 100644 --- a/base/container_files/conf/grouper.hibernate.properties +++ b/base/container_files/conf/grouper.hibernate.properties @@ -28,4 +28,4 @@ hibernate.connection.username = root # Note: you can keep passwords external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122 hibernate.connection.password = -registry.auto.ddl.upToVersion = 2.5.* +registry.auto.ddl.upToVersion = 4.*.* 
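Review bot: `chmod go-w /usr/share/phpmyadmin/config.inc.php` only removes write access, so the file that carries `blowfish_secret` stays readable by every local account in the image. php-fpm appears to run its workers as apache (the new `chown -R apache:apache /usr/share/phpmyadmin/tmp/` suggests so; confirm against the pool configuration), so `chown root:apache /usr/share/phpmyadmin/config.inc.php && chmod 640 /usr/share/phpmyadmin/config.inc.php` would limit it to that process. The three consecutive `RUN chown -R` lines each rewrite the affected trees into a fresh layer; folding them into one RUN keeps the image smaller. `COPY container_files/usr/share/ /usr/share/` overlays an entire system tree to deliver one file; copying `container_files/usr/share/phpmyadmin/config.inc.php` explicitly documents the intent and avoids surprising overwrites as that directory grows.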
diff --git a/base/container_files/conf/log4j2.xml b/base/container_files/conf/log4j2.xml index 8c53de0..26e9156 100644 --- a/base/container_files/conf/log4j2.xml +++ b/base/container_files/conf/log4j2.xml @@ -5,7 +5,7 @@ - + diff --git a/base/container_files/etc/my.cnf.d/mariadb-server.cnf b/base/container_files/etc/my.cnf.d/mariadb-server.cnf new file mode 100644 index 0000000..cc82204 --- /dev/null +++ b/base/container_files/etc/my.cnf.d/mariadb-server.cnf 
@@ -0,0 +1,56 @@ +# +# These groups are read by MariaDB server. +# Use it for options that only the server (but not clients) should see +# +# See the examples of server my.cnf files in /usr/share/mysql/ +# + +# this is read by the standalone daemon and embedded servers +[server] + +# this is only for the mysqld standalone daemon +# Settings user and group are ignored when systemd is used. +# If you need to run mysqld under a different user or group, +# customize your systemd unit file for mysqld/mariadb according to the +# instructions in http://fedoraproject.org/wiki/Systemd +[mysqld] +datadir=/var/lib/mysql +socket=/var/lib/mysql/mysql.sock +log-error=/var/log/mariadb/mariadb.log +pid-file=/run/mariadb/mariadb.pid +max_connections = 750 + + +# +# * Galera-related settings +# +[galera] +# Mandatory settings +#wsrep_on=ON +#wsrep_provider= +#wsrep_cluster_address= +#binlog_format=row +#default_storage_engine=InnoDB +#innodb_autoinc_lock_mode=2 +# +# Allow server to accept connections on all interfaces. +# +bind-address=0.0.0.0 +# +# Optional setting +#wsrep_slave_threads=1 +#innodb_flush_log_at_trx_commit=0 + +# this is only for embedded server +[embedded] + +# This group is only read by MariaDB servers, not by MySQL. +# If you use the same .cnf file for MySQL and MariaDB, +# you can put MariaDB-only options here +[mariadb] + +# This group is only read by MariaDB-10.3 servers. +# If you use the same .cnf file for MariaDB of different versions, +# use this group for options that older servers don't understand +[mariadb-10.3] + diff --git a/base/container_files/etc/phpMyAdmin/config.inc.php b/base/container_files/etc/phpMyAdmin/config.inc.php deleted file mode 100644 index ebb6dbd..0000000 --- a/base/container_files/etc/phpMyAdmin/config.inc.php +++ /dev/null 
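Review bot: `bind-address=0.0.0.0` is the only active option under `[galera]`; it was uncommented from the template's wsrep block rather than placed with the other server settings under `[mysqld]`. MariaDB reads `[galera]` for the server, so it presumably takes effect, but someone checking `[mysqld]` will not see that mysqld listens on all interfaces. Move it under `[mysqld]` next to `max_connections` with a one-line reason, e.g. `# listen on all interfaces: clients reach mysqld through the container's published port`. Since base/Dockerfile also creates a passwordless `root@'%'`, this line is effectively the database's network exposure policy and the file should say it is for the training image only.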
@@ -1,117 +0,0 @@ -. - */ - -/* - * This is needed for cookie based authentication to encrypt password in - * cookie - */ -$cfg['blowfish_secret'] = 'd7Y5iRSDpGaQkvSqxKWPwHfazswioRBO'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */ - -/** - * Server(s) configuration - */ -$i = 0; - -// The $cfg['Servers'] array starts with $cfg['Servers'][1]. Do not use -// $cfg['Servers'][0]. You can disable a server config entry by setting host -// to ''. If you want more than one server, just copy following section -// (including $i incrementation) serveral times. There is no need to define -// full server array, just define values you need to change. -$i++; -$cfg['Servers'][$i]['host'] = 'localhost'; // MySQL hostname or IP address -$cfg['Servers'][$i]['port'] = '3306'; // MySQL port - leave blank for default port -$cfg['Servers'][$i]['socket'] = ''; // Path to the socket - leave blank for default socket -$cfg['Servers'][$i]['connect_type'] = 'tcp'; // How to connect to MySQL server ('tcp' or 'socket') -$cfg['Servers'][$i]['extension'] = 'mysqli'; // The php MySQL extension to use ('mysql' or 'mysqli') -$cfg['Servers'][$i]['compress'] = FALSE; // Use compressed protocol for the MySQL connection - // (requires PHP >= 4.3.0) -$cfg['Servers'][$i]['controluser'] = ''; // MySQL control user settings - // (this user must have read-only -$cfg['Servers'][$i]['controlpass'] = ''; // access to the "mysql/user" - // and "mysql/db" tables). - // The controluser is also - // used for all relational - // features (pmadb) -$cfg['Servers'][$i]['auth_type'] = 'cookie'; // Authentication method (config, http or cookie based)? -$cfg['Servers'][$i]['user'] = ''; // MySQL user -$cfg['Servers'][$i]['password'] = ''; // MySQL password (only needed - // with 'config' auth_type) -$cfg['Servers'][$i]['only_db'] = 'grouper'; // If set to a db-name, only - // this db is displayed in left frame - // It may also be an array of db-names, where sorting order is relevant. 
-$cfg['Servers'][$i]['hide_db'] = ''; // Database name to be hidden from listings -$cfg['Servers'][$i]['verbose'] = ''; // Verbose name for this host - leave blank to show the hostname - -$cfg['Servers'][$i]['pmadb'] = ''; // Database used for Relation, Bookmark and PDF Features - // (see scripts/create_tables.sql) - // - leave blank for no support - // DEFAULT: 'phpmyadmin' -$cfg['Servers'][$i]['bookmarktable'] = ''; // Bookmark table - // - leave blank for no bookmark support - // DEFAULT: 'pma_bookmark' -$cfg['Servers'][$i]['relation'] = ''; // table to describe the relation between links (see doc) - // - leave blank for no relation-links support - // DEFAULT: 'pma_relation' -$cfg['Servers'][$i]['table_info'] = ''; // table to describe the display fields - // - leave blank for no display fields support - // DEFAULT: 'pma_table_info' -$cfg['Servers'][$i]['table_coords'] = ''; // table to describe the tables position for the PDF schema - // - leave blank for no PDF schema support - // DEFAULT: 'pma_table_coords' -$cfg['Servers'][$i]['pdf_pages'] = ''; // table to describe pages of relationpdf - // - leave blank if you don't want to use this - // DEFAULT: 'pma_pdf_pages' -$cfg['Servers'][$i]['column_info'] = ''; // table to store column information - // - leave blank for no column comments/mime types - // DEFAULT: 'pma_column_info' -$cfg['Servers'][$i]['history'] = ''; // table to store SQL history - // - leave blank for no SQL query history - // DEFAULT: 'pma_history' -$cfg['Servers'][$i]['verbose_check'] = TRUE; // set to FALSE if you know that your pma_* tables - // are up to date. This prevents compatibility - // checks and thereby increases performance. 
-$cfg['Servers'][$i]['AllowRoot'] = TRUE; // whether to allow root login -$cfg['Servers'][$i]['AllowDeny']['order'] // Host authentication order, leave blank to not use - = ''; -$cfg['Servers'][$i]['AllowDeny']['rules'] // Host authentication rules, leave blank for defaults - = array(); -$cfg['Servers'][$i]['AllowNoPassword'] // Allow logins without a password. Do not change the FALSE - = TRUE; // default unless you're running a passwordless MySQL server -$cfg['Servers'][$i]['designer_coords'] // Leave blank (default) for no Designer support, otherwise - = ''; // set to suggested 'pma_designer_coords' if really needed -$cfg['Servers'][$i]['bs_garbage_threshold'] // Blobstreaming: Recommented default value from upstream - = 50; // DEFAULT: '50' -$cfg['Servers'][$i]['bs_repository_threshold'] // Blobstreaming: Recommented default value from upstream - = '32M'; // DEFAULT: '32M' -$cfg['Servers'][$i]['bs_temp_blob_timeout'] // Blobstreaming: Recommented default value from upstream - = 600; // DEFAULT: '600' -$cfg['Servers'][$i]['bs_temp_log_threshold'] // Blobstreaming: Recommented default value from upstream - = '32M'; // DEFAULT: '32M' -/* - * End of servers configuration - */ - -/* - * Directories for saving/loading files from server - */ -$cfg['UploadDir'] = '/var/lib/phpMyAdmin/upload'; -$cfg['SaveDir'] = '/var/lib/phpMyAdmin/save'; - -/* - * Disable the default warning that is displayed on the DB Details Structure - * page if any of the required Tables for the relation features is not found - */ -$cfg['PmaNoRelation_DisableWarning'] = TRUE; - -/* - * phpMyAdmin 4.4.x is no longer maintained by upstream, but security fixes - * are still backported by downstream. - */ -$cfg['VersionCheck'] = FALSE; -?> \ No newline at end of file diff --git a/base/container_files/etc/phpldapadmin/config.php b/base/container_files/etc/phpldapadmin/config.php index 22461d8..2111c20 100644 --- a/base/container_files/etc/phpldapadmin/config.php 
+++ b/base/container_files/etc/phpldapadmin/config.php @@ -71,17 +71,37 @@ environments. */ # $config->custom->password['no_random_crypt_salt'] = true; +/* If you want to restrict password available types (encryption algorithms) + Should be subset of: + array( + ''=>'clear', + 'bcrypt'=>'bcrypt', + 'blowfish'=>'blowfish', + 'crypt'=>'crypt', + 'ext_des'=>'ext_des', + 'md5'=>'md5', + 'k5key'=>'k5key', + 'md5crypt'=>'md5crypt', + 'sha'=>'sha', + 'smd5'=>'smd5', + 'ssha'=>'ssha', + 'sha256'=>'sha256', + 'ssha256'=>'ssha256', + 'sha384'=>'sha384', + 'ssha384'=>'ssha384', + 'sha512'=>'sha512', + 'ssha512'=>'ssha512', + 'sha256crypt'=>'sha256crypt', + 'sha512crypt'=>'sha512crypt', + )*/ +# $config->custom->password['available_types'] = array(''=>'clear','md5'=>'md5'); + /* PHP script timeout control. If php runs longer than this many seconds then PHP will stop with an Maximum Execution time error. Increase this value from the default if queries to your LDAP server are slow. The default is either 30 seconds or the setting of max_exection_time if this is null. */ // $config->custom->session['timelimit'] = 30; -// $config->custom->appearance['show_clear_password'] = false; - -// $config->custom->search['size_limit'] = 50; -# $config->custom->search['size_limit'] = 1000; - /* Our local timezone This is to make sure that when we ask the system for the current time, we get the right local time. If this is not set, all time() calculations will @@ -178,6 +198,10 @@ // $config->custom->appearance['tree_width'] = null; # $config->custom->appearance['tree_width'] = 250; +/* Number of tree command icons to show, 0 = show all icons on 1 row. */ +// $config->custom->appearance['tree_icons'] = 0; +# $config->custom->appearance['tree_icons'] = 4; + /* Confirm create and update operations, allowing you to review the changes and optionally skip attributes during the create/update operation. */ // $config->custom->confirm['create'] = true; 
@@ -320,7 +344,7 @@ your situation. If you choose 'cookie', your cookie contents will be encrypted using blowfish and the secret your specify above as session['blowfish']. */ -$servers->setValue('login','auth_type','cookie'); +$servers->setValue('login','auth_type','session'); /* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or 'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS @@ -339,6 +363,22 @@ /* Use TLS (Transport Layer Security) to connect to the LDAP server. */ // $servers->setValue('server','tls',false); +/* TLS Certificate Authority file (overrides ldap.conf, PHP 7.1+) */ +// $servers->setValue('server','tls_cacert',null); +# $servers->setValue('server','tls_cacert','/etc/openldap/certs/ca.crt'); + +/* TLS Certificate Authority hashed directory (overrides ldap.conf, PHP 7.1+) */ +// $servers->setValue('server','tls_cacertdir',null); +# $servers->setValue('server','tls_cacertdir','/etc/openldap/certs'); + +/* TLS Client Certificate file (PHP 7.1+) */ +// $servers->setValue('server','tls_cert',null); +# $servers->setValue('server','tls_cert','/etc/pki/tls/certs/ldap_user.crt'); + +/* TLS Client Certificate Key file (PHP 7.1+) */ +// $servers->setValue('server','tls_key',null); +# $servers->setValue('server','tls_key','/etc/pki/tls/private/ldap_user.key'); + /************************************ * SASL Authentication * ************************************/ 
@@ -346,11 +386,19 @@ /* Enable SASL authentication LDAP SASL authentication requires PHP 5.x configured with --with-ldap-sasl=DIR. If this option is disabled (ie, set to false), then all other sasl options are ignored. */ -// $servers->setValue('login','auth_type','sasl'); +# $servers->setValue('login','auth_type','sasl'); -/* SASL auth mechanism */ +/* SASL GSSAPI auth mechanism (requires auth_type of sasl) */ // $servers->setValue('sasl','mech','GSSAPI'); +/* SASL PLAIN support... this mech converts simple binds to SASL + PLAIN binds using any auth_type (or other bind_id/pass) as credentials. + NOTE: auth_type must be simple auth compatible (ie not sasl) */ +# $servers->setValue('sasl','mech','PLAIN'); + +/* SASL EXTERNAL support... really a different auth_type */ +# $servers->setValue('login','auth_type','sasl_external'); + /* SASL authentication realm name */ // $servers->setValue('sasl','realm',''); # $servers->setValue('sasl','realm','EXAMPLE.COM'); @@ -384,8 +432,8 @@ /* Default password hashing algorithm. One of md5, ssha, sha, md5crpyt, smd5, blowfish, crypt or leave blank for now default algorithm. */ -// $servers->setValue('appearance','password_hash','md5'); -$servers->setValue('appearance','password_hash',''); +// $servers->setValue('appearance','pla_password_hash','md5'); +$servers->setValue('appearance','pla_password_hash',''); /* If you specified 'cookie' or 'session' as the auth_type above, you can optionally specify here an attribute to use when logging in. If you enter 
@@ -407,6 +455,12 @@ setup. */ // $servers->setValue('login','class',array()); +/* If login_attr was set to 'dn', it is possible to specify a template string to + build the DN from. Use '%s' where user input should be inserted. A user may + still enter the complete DN. In this case the template will not be used. */ +// $servers->setValue('login','bind_dn_template',null); +# $servers->setValue('login','bind_dn_template','cn=%s,ou=people,dc=example,dc=com'); + /* If you specified something different from 'dn', for example 'uid', as the login_attr above, you can optionally specify here to fall back to authentication with dn. @@ -427,6 +481,9 @@ /* Set to true if you would like to initially open the first level of each tree. */ // $servers->setValue('appearance','open_tree',false); +/* Set to true to display authorization ID in place of login dn (PHP 7.2+) */ +// $servers->setValue('appearance','show_authz',false); + /* This feature allows phpLDAPadmin to automatically determine the next available uidNumber for a new entry. */ // $servers->setValue('auto_number','enable',true); @@ -553,7 +610,7 @@ $servers->setValue('sasl','authz_id_replacement','$1'); $servers->setValue('sasl','props',null); -$servers->setValue('appearance','password_hash','md5'); +$servers->setValue('appearance','pla_password_hash','md5'); $servers->setValue('login','attr','dn'); $servers->setValue('login','fallback_dn',false); $servers->setValue('login','class',null); 
@@ -580,4 +637,19 @@ $servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock')); $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID')); */ -?> \ No newline at end of file + + +/*********************************************************************************** + * If you want to configure Google reCAPTCHA on autentication form, do so below. * + * Remove the commented lines and use this section as a template for all * + * reCAPTCHA v2 Generate on https://www.google.com/recaptcha/ * + * * + * IMPORTANT: Select reCAPTCHA v2 on Type of reCAPTCHA * + ***********************************************************************************/ + + +$config->custom->session['reCAPTCHA-enable'] = false; +$config->custom->session['reCAPTCHA-key-site'] = ''; +$config->custom->session['reCAPTCHA-key-server'] = ''; + +?> diff --git a/base/container_files/httpd/phpMyAdmin.conf b/base/container_files/httpd/phpMyAdmin.conf index 5a6413a..bf257a4 100644 --- a/base/container_files/httpd/phpMyAdmin.conf +++ b/base/container_files/httpd/phpMyAdmin.conf @@ -5,10 +5,10 @@ # But allowing phpMyAdmin to anyone other than localhost should be considered # dangerous unless properly secured by SSL -Alias /phpMyAdmin /usr/share/phpMyAdmin -Alias /phpmyadmin /usr/share/phpMyAdmin +Alias /phpMyAdmin /usr/share/phpmyadmin +Alias /phpmyadmin /usr/share/phpmyadmin - + AddDefaultCharset UTF-8 @@ -28,7 +28,7 @@ Alias /phpmyadmin /usr/share/phpMyAdmin - + # Apache 2.4 @@ -49,19 +49,19 @@ Alias /phpmyadmin /usr/share/phpMyAdmin # These directories do not require access over HTTP - taken from the original # phpMyAdmin upstream tarball # - + Order Deny,Allow Deny from All Allow from None - + Order Deny,Allow Deny from All Allow from None - + Order Deny,Allow Deny from All Allow from None 
@@ -71,7 +71,7 @@ Alias /phpmyadmin /usr/share/phpMyAdmin # filtering SQL etc. This may break your mod_security implementation. # # -# +# # SecRuleInheritance Off # # \ No newline at end of file diff --git a/base/container_files/seed-data/bootstrap.gsh b/base/container_files/seed-data/bootstrap.gsh deleted file mode 100644 index 16d354d..0000000 --- a/base/container_files/seed-data/bootstrap.gsh +++ /dev/null @@ -1,4 +0,0 @@ -gs = GrouperSession.startRootSession() - -// As long as the loader job works, this shouldn't be needed any longer, since banderson is in the IAM staff group which is in etc:sysadmingroup -//addMember("etc:sysadmingroup","banderson"); diff --git a/base/container_files/seed-data/domain.ldif b/base/container_files/seed-data/domain.ldif index 0078944..d13828c 100644 --- a/base/container_files/seed-data/domain.ldif +++ b/base/container_files/seed-data/domain.ldif @@ -1,14 +1,14 @@ -dn: olcDatabase={2}hdb,cn=config +dn: olcDatabase={2}mdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=internet2,dc=edu -dn: olcDatabase={2}hdb,cn=config +dn: olcDatabase={2}mdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=root,dc=internet2,dc=edu -dn: olcDatabase={2}hdb,cn=config +dn: olcDatabase={2}mdb,cn=config changetype: modify add: olcRootPW olcRootPW: password diff --git a/base/container_files/seed-data/memberOf.ldif b/base/container_files/seed-data/memberOf.ldif index 8baa583..12a773c 100644 --- a/base/container_files/seed-data/memberOf.ldif +++ b/base/container_files/seed-data/memberOf.ldif @@ -5,7 +5,7 @@ objectclass: top olcmoduleload: memberof.la olcmodulepath: /usr/lib64/openldap -dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config +dn: olcOverlay={0}memberof,olcDatabase={2}mdb,cn=config objectClass: olcConfig objectClass: olcMemberOf objectClass: olcOverlayConfig 
@@ -19,7 +19,7 @@ objectclass: top olcmoduleload: refint.la olcmodulepath: /usr/lib64/openldap -dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config +dn: olcOverlay={1}refint,olcDatabase={2}mdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRefintConfig diff --git a/base/container_files/tier-support/supervisord-training.conf b/base/container_files/tier-support/supervisord-training.conf index c5c10b2..4df6a93 100644 --- a/base/container_files/tier-support/supervisord-training.conf +++ b/base/container_files/tier-support/supervisord-training.conf @@ -33,8 +33,8 @@ priority=15 [program:tomcat] user=tomcat -#command=bash -c "while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 3; done; exec /opt/tomee/bin/catalina.sh run" -command=/opt/tomee/bin/catalina.sh run +#command=bash -c "while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 3; done; exec /opt/tomcat/bin/catalina.sh run" +command=/opt/tomcat/bin/catalina.sh run stderr_logfile = /tmp/logtomcat stderr_logfile_maxbytes=0 stdout_logfile = /tmp/logtomcat @@ -58,10 +58,18 @@ stdout_logfile = /tmp/logpipe stdout_logfile_maxbytes=0 priority=10 +[program:php-fpm] +command=/usr/sbin/php-fpm --nodaemonize +stderr_logfile = /tmp/logpipe +stderr_logfile_maxbytes=0 +stdout_logfile = /tmp/logpipe +stdout_logfile_maxbytes=0 +priority=400 + [program:mailhog] command=/root/go/bin/MailHog -ui-web-path mail stderr_logfile = /tmp/logpipe stderr_logfile_maxbytes=0 stdout_logfile = /tmp/logpipe stdout_logfile_maxbytes=0 -priority=400 +priority=500 diff --git a/base/container_files/usr/share/phpmyadmin/config.inc.php b/base/container_files/usr/share/phpmyadmin/config.inc.php new file mode 100644 index 0000000..45ecdfb --- /dev/null 
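Review bot: The new `[program:php-fpm]` entry has no `user=` line, unlike `[program:tomcat]` which pins `user=tomcat`, so supervisord launches the php-fpm master as its own user. That is the usual php-fpm arrangement only when the pool configuration drops workers to an unprivileged account; base/Dockerfile chowns `/usr/share/phpmyadmin/tmp/` to `apache:apache`, which suggests the pool runs as apache, but the pool file is not part of this commit. Add a comment on the entry such as `# master runs as supervisord's user; workers drop to the user set in the php-fpm pool config` so the privilege split is visible here, or include the pool file in container_files.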
+++ b/base/container_files/usr/share/phpmyadmin/config.inc.php 
@@ -0,0 +1,160 @@ +. + */ + +declare(strict_types=1); + +/** + * This is needed for cookie based authentication to encrypt the cookie. + * Needs to be a 32-bytes long string of random bytes. See FAQ 2.10. + */ +$cfg['blowfish_secret'] = 'd7Y5iRSDpGaQkvSqxKWPwHfazswioRBO'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */ + +/** + * Servers configuration + */ +$i = 0; + +/** + * First server + */ +$i++; +/* Authentication type */ +$cfg['Servers'][$i]['auth_type'] = 'cookie'; +/* Server parameters */ +$cfg['Servers'][$i]['host'] = 'localhost'; +$cfg['Servers'][$i]['compress'] = false; +$cfg['Servers'][$i]['AllowNoPassword'] = true; + +/** + * phpMyAdmin configuration storage settings. + */ + +/* User used to manipulate with storage */ +// $cfg['Servers'][$i]['controlhost'] = ''; +// $cfg['Servers'][$i]['controlport'] = ''; +// $cfg['Servers'][$i]['controluser'] = 'pma'; +// $cfg['Servers'][$i]['controlpass'] = 'pmapass'; + +/* Storage database and tables */ +// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin'; +// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark'; +// $cfg['Servers'][$i]['relation'] = 'pma__relation'; +// $cfg['Servers'][$i]['table_info'] = 'pma__table_info'; +// $cfg['Servers'][$i]['table_coords'] = 'pma__table_coords'; +// $cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages'; +// $cfg['Servers'][$i]['column_info'] = 'pma__column_info'; +// $cfg['Servers'][$i]['history'] = 'pma__history'; +// $cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs'; +// $cfg['Servers'][$i]['tracking'] = 'pma__tracking'; +// $cfg['Servers'][$i]['userconfig'] = 'pma__userconfig'; +// $cfg['Servers'][$i]['recent'] = 'pma__recent'; +// $cfg['Servers'][$i]['favorite'] = 'pma__favorite'; +// $cfg['Servers'][$i]['users'] = 'pma__users'; +// $cfg['Servers'][$i]['usergroups'] = 'pma__usergroups'; +// $cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding'; +// $cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches'; +// $cfg['Servers'][$i]['central_columns'] = 
'pma__central_columns'; +// $cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings'; +// $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates'; + +/** + * End of servers configuration + */ + +/** + * Directories for saving/loading files from server + */ +$cfg['UploadDir'] = ''; +$cfg['SaveDir'] = ''; + +/** + * Whether to display icons or text or both icons and text in table row + * action segment. Value can be either of 'icons', 'text' or 'both'. + * default = 'both' + */ +//$cfg['RowActionType'] = 'icons'; + +/** + * Defines whether a user should be displayed a "show all (records)" + * button in browse mode or not. + * default = false + */ +//$cfg['ShowAll'] = true; + +/** + * Number of rows displayed when browsing a result set. If the result + * set contains more rows, "Previous" and "Next". + * Possible values: 25, 50, 100, 250, 500 + * default = 25 + */ +//$cfg['MaxRows'] = 50; + +/** + * Disallow editing of binary fields + * valid values are: + * false allow editing + * 'blob' allow editing except for BLOB fields + * 'noblob' disallow editing except for BLOB fields + * 'all' disallow editing + * default = 'blob' + */ +//$cfg['ProtectBinary'] = false; + +/** + * Default language to use, if not browser-defined or user-defined + * (you find all languages in the locale folder) + * uncomment the desired line: + * default = 'en' + */ +//$cfg['DefaultLang'] = 'en'; +//$cfg['DefaultLang'] = 'de'; + +/** + * How many columns should be used for table display of a database? + * (a value larger than 1 results in some information being hidden) + * default = 1 + */ +//$cfg['PropertiesNumColumns'] = 2; + +/** + * Set to true if you want DB-based query history.If false, this utilizes + * JS-routines to display query history (lost by window close) + * + * This requires configuration storage enabled, see above. + * default = false + */ +//$cfg['QueryHistoryDB'] = true; + +/** + * When using DB-based query history, how many entries should be kept? 
+ * default = 25 + */ +//$cfg['QueryHistoryMax'] = 100; + +/** + * Whether or not to query the user before sending the error report to + * the phpMyAdmin team when a JavaScript error occurs + * + * Available options + * ('ask' | 'always' | 'never') + * default = 'ask' + */ +//$cfg['SendErrorReports'] = 'always'; + +/** + * 'URLQueryEncryption' defines whether phpMyAdmin will encrypt sensitive data from the URL query string. + * 'URLQueryEncryptionSecretKey' is a 32 bytes long secret key used to encrypt/decrypt the URL query string. + */ +//$cfg['URLQueryEncryption'] = true; +//$cfg['URLQueryEncryptionSecretKey'] = ''; + +/** + * You can find more configuration options in the documentation + * in the doc/ folder or at . + */ diff --git a/ex101/ex101.1.1/Dockerfile b/ex101/ex101.1.1/Dockerfile index 7737fc0..f768173 100644 --- a/ex101/ex101.1.1/Dockerfile +++ b/ex101/ex101.1.1/Dockerfile 
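Review bot: `$cfg['blowfish_secret']` is the same fixed 32-character value carried over from the deleted `etc/phpMyAdmin/config.inc.php`, so it is committed to the repository and baked into every image even though the comment right above it says it must be random bytes because it encrypts the cookie-auth password. Read it at runtime instead, e.g. `$cfg['blowfish_secret'] = getenv('<SECRET_ENV_VAR>') ?: '';` with the variable supplied at container start, and treat the committed value as burned. `$cfg['Servers'][$i]['AllowNoPassword'] = true;` together with `auth_type = 'cookie'` is what lets the passwordless `root@'%'` created in base/Dockerfile sign in; if that is intentional for the training lab, say so in a comment on that line rather than leaving it as an unexplained template default.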
@@ -19,15 +19,15 @@ COPY container_files/seed-data/ /seed-data/
 RUN . /usr/local/bin/library.sh \
 && prep_conf && prep_finish; \
 (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
- && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+ && while ! nc -z localhost 389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
 (mysqld_safe & ) \
- && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+ && while ! nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
 cd /opt/grouper/grouperWebapp/WEB-INF/bin \
 && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
 && mysql grouper < /seed-data/sisData.sql \
 && cp -r /opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon/* /opt/grouper/grouperWebapp/WEB-INF/lib/ \
 && sudo --preserve-env=PATH -u tomcat ./gsh.sh /seed-data/bootstrap.gsh \
 && pkill -HUP slapd \
- && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+ && while nc -z localhost 389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
 pkill -u mysql mysqld \
- && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
+ && while nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh b/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh
index 11917bc..9dc2074 100644
--- a/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh
+++ b/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh
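Review bot: The four new `nc -z` loops have no upper bound, so a slapd or mysqld that never binds (or never releases) its port leaves `docker build` spinning forever instead of failing; the same loops appear in the ex201/ex201.end and ex401/ex401.end hunks below. A bounded wait turns that into a visible build failure, e.g. `&& timeout 120 sh -c 'while ! nc -z localhost 389; do echo waiting for ldap to start; sleep 1; done' \` (coreutils `timeout` is on the EL8 base), applied to each of the four loops. `nc -z` only proves a TCP accept, not that the service answers, so for mariadb `mysqladmin ping` would be the stricter readiness probe than a port check. The `ldapadd ... -w password` context line is pre-existing, but since every RUN argument lands in the image's build history, reading the bind password from a file with `-y` mounted as a BuildKit secret would keep it out of `docker history`.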
@@ -577,6 +577,10 @@ def group = new GroupSave(gs).assignName("ref:role:all_facstaff").assignDisplayE
 assignObjectTypeForGroup(group, "ref", "HR, IAM", "Combines the All Faculty plus All Staff reference groups")
+/***** Empty the changelog temp now, to save on the first container startup ****/
+
+loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog")
+
 /***** Schedule jobs is an upgrade task for 2.5.55 ****/
 GrouperLoader.scheduleJobs()
diff --git a/ex201/ex201.end/Dockerfile b/ex201/ex201.end/Dockerfile
index ee8bad2..95f2ff8 100644
--- a/ex201/ex201.end/Dockerfile
+++ b/ex201/ex201.end/Dockerfile
@@ -18,14 +18,14 @@ COPY container_files/seed-data/ /seed-data/
 RUN . /usr/local/bin/library.sh \
 && prep_conf && prep_finish; \
 (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
- && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+ && while ! nc -z localhost 389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
 (mysqld_safe & ) \
- && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+ && while ! nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
 cd /opt/grouper/grouperWebapp/WEB-INF \
 && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
 && mysql grouper < /seed-data/sisData.sql \
 && sudo --preserve-env=PATH -u tomcat bin/gsh.sh /seed-data/bootstrap.gsh \
 && pkill -HUP slapd \
- && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+ && while nc -z localhost 389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
 pkill -u mysql mysqld \
- && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
+ && while nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
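Review bot: The return value of the new `loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog")` call is discarded, so if the job fails during seeding nothing in the build log shows it and the first container start silently pays the cost this call is meant to avoid. If the gsh helper returns a status string as it appears to, `println loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog")` would surface the outcome in the build output. The comment above the call could also say that it is intentionally placed after all group and membership seeding and before `GrouperLoader.scheduleJobs()`, since the placement presumably matters and nothing else records that.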
diff --git a/ex401/ex401.end/Dockerfile b/ex401/ex401.end/Dockerfile
index b70d4c0..37aaa14 100644
--- a/ex401/ex401.end/Dockerfile
+++ b/ex401/ex401.end/Dockerfile
@@ -18,15 +18,15 @@ COPY container_files/seed-data/ /seed-data/
 RUN . /usr/local/bin/library.sh \
 && prep_conf && prep_finish; \
 (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
- && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+ && while ! nc -z localhost 389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
 (mysqld_safe & ) \
- && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+ && while ! nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
 cd /opt/grouper/grouperWebapp/WEB-INF \
 && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
 && mysql grouper < /seed-data/sisData.sql \
 && cp -r /opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon/* /opt/grouper/grouperWebapp/WEB-INF/lib/ \
 && sudo --preserve-env=PATH -u tomcat bin/gsh.sh /seed-data/bootstrap.gsh \
 && pkill -HUP slapd \
- && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+ && while nc -z localhost 389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
 pkill -u mysql mysqld \
- && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
+ && while nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/gte b/gte
index 2015137..c053ac6 100755
--- a/gte
+++ b/gte
@@ -1,7 +1,9 @@
 #! /bin/bash
 REPOSITORY=tier/gte
-VERSION_TAG=202310
+if [ -z "$VERSION_TAG" ]; then
+ VERSION_TAG=202310
+fi
 EXTRA_ARGS=