working

Dockerfile

@@ -2,7 +2,7 @@ FROM osixia/phpldapadmin
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt update && \
     apt install --no-install-recommends -y ca-certificates dnsutils iputils-ping && \
-    rm -rf /var/lib/apt/lists/*
-COPY ldap.conf /etc/ldap/ldap.conf
-COPY startup.sh /container/service/phpldapadmin/startup.sh
-
+    rm -rf /var/lib/apt/lists/* && \
+    rm /etc/ldap/ldap.conf
+COPY ldap_startup.sh /container/service/ldap-client/startup.sh
+COPY www_startup.sh /container/service/phpldapadmin/startup.sh

README.md

@@ -1,7 +1,8 @@
 Extended from Osixia/phpldapadmin
 
   - Adds ca-certificates package
-  - Points ldap.conf TLS_CACERT to the ISRG Root X1 CA (allows using let's Encrypt certificates for ldaps) 
+  - Points ldap.conf TLS_CACERT to a pem file under /etc/ssl/certs specified by 
   - Rips out the config.php bootstrap from startup
+  - Rips out most of the ldap client startup, opting to use a system CA cert instead
   - Expects an existing config (ie a volume mounted configMap) present at /container/service/phpldapadmin/assets/config/config.php 
   - The read-only config mount will be copied to /var/www/phpldapadmin/config/config.php at startup and chowned to www-data

ldap.conf

@@ -1 +0,0 @@
-TLS_CACERT /etc/ssl/certs/ISRG_Root_X1.pem

ldap_startup.sh

@@ -0,0 +1,24 @@
+#!/bin/bash -e
+
+# set -x (bash debug) if log level is trace
+# https://github.com/osixia/docker-light-baseimage/blob/stable/image/tool/log-helper
+log-helper level eq trace && set -x
+
+www_data_homedir=$( getent passwd "www-data" | cut -d: -f6 )
+
+FIRST_START_DONE="${CONTAINER_STATE_DIR}/docker-ldap-client-first-start-done"
+# container first start
+if [ ! -e "$FIRST_START_DONE" ]; then
+
+  if [ "${PHPLDAPADMIN_LDAP_CLIENT_TLS,,}" == "true" ]; then
+
+    echo "TLS_REQCERT $PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT" >> /etc/ldap/ldap.conf
+    echo "TLS_CACERT /etc/ssl/certs/$PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME" >> /etc/ldap/ldap.conf
+
+  fi
+
+  touch $FIRST_START_DONE
+
+fi
+
+exit 0