fix: fix #104 - LDAP userPassword attribute can be read without auth

config/ldap/init-ldap-acls.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -eu
+
+# load OpenLDAP environment and functions
+. /opt/bitnami/scripts/libopenldap.sh
+
+trap ldap_stop EXIT
+
+# start LDAP in background
+ldap_start_bg
+
+# wait until LDAP is started
+while ! ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=admin,dc=opencloud,dc=eu" >/dev/null 2>&1; do
+    echo "Waiting for LDAP to start..."
+    sleep 1
+done
+
+# apply acls
+echo -n "Applying acls... "
+ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/50_acls.ldif
+if [ $? -eq 0 ]; then
+    echo "done."
+else
+    echo "failed."
+fi
+

config/ldap/ldif/50_acls.ldif

@@ -0,0 +1,12 @@
+# OpenCloud ldap acl file which gets applied during the first db initialisation
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to dn.subtree="dc=opencloud,dc=eu" attrs=entry,uid,objectClass,entryUUID
+  by * read
+olcAccess: {1}to attrs=userPassword
+  by self write
+  by * auth
+olcAccess: {2}to *
+  by dn.base="uid=admin,ou=users,dc=opencloud,dc=eu" write
+  by * none

idm/ldap-keycloak.yml

@@ -54,6 +54,8 @@ services:
     volumes:
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
       - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif
+      - ./config/ldap/ldif/50_acls.ldif:/opt/bitnami/openldap/etc/schema/50_acls.ldif
+      - ./config/ldap/init-ldap-acls.sh:/docker-entrypoint-initdb.d/init-ldap-acls.sh
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ldap-certs:/opt/bitnami/openldap/share
       - ldap-data:/bitnami/openldap