semhoun/docker_openldap

OpenLDAP Docker Image


Latest release: 2.1.0 - OpenLDAP 2.6.10 - Changelog | Docker Hub

A docker image to run OpenLDAP.

OpenLDAP website: www.openldap.org

Acknowledgement

This project was forked from osixia/docker-openldap.

I removed the TLS and replication parts.

Contributing

If you find this image useful, here is how you can help:

  • Send a pull request with your new features and bug fixes
  • Help new users with issues they may encounter
  • Support the development of this image and star this repo!

Quick Start

Run OpenLDAP docker image:

docker run --name my-openldap-container --detach semhoun/openldap:latest

Do not forget to add port mappings for ports 389 and 636 if you wish to access the LDAP server from another machine.

docker run -p 389:389 --name my-openldap-container --detach semhoun/openldap:latest

Either command starts a new container with OpenLDAP running inside. Let's make the first search in our LDAP container:

docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

This should output:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

[...]

# numResponses: 3
# numEntries: 2

If you get the following error, OpenLDAP has not started yet (either you were too fast or your machine is slow); wait a moment before retrying.

	ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Beginner Guide

Create new ldap server

This is the default behavior when you run this image. It creates an empty LDAP directory for the company Example Inc. and the domain example.org.

By default, the admin password is admin. All of these defaults can be changed on the docker command line, for example:

docker run \
	--env LDAP_ORGANISATION="My Company" \
	--env LDAP_DOMAIN="my-company.com" \
	--env LDAP_ADMIN_PASSWORD="JonSn0w" \
	--detach semhoun/openldap:latest

Data persistence

The directories /var/lib/ldap (LDAP database files) and /etc/ldap/slapd.d (LDAP config files) are used to persist the schema and data information, and should be mapped as volumes, so your ldap files are saved outside the container (see Use an existing ldap database). However it can be useful to not use volumes, in case the image should be delivered complete with test data - this is especially useful when deriving other images from this one.

The default uid and gid used by the image may map to surprising counterparts in the host. If you need to match uid and gid in the container and in the host, you can use build parameters LDAP_OPENLDAP_UID and LDAP_OPENLDAP_GID to set uid and gid explicitly:

docker build \
	--build-arg LDAP_OPENLDAP_GID=1234 \
	--build-arg LDAP_OPENLDAP_UID=2345 \
	-t my_ldap_image .
docker run --name my_ldap_container -d my_ldap_image
# this should output uid=2345(openldap) gid=1234(openldap) groups=1234(openldap)
docker exec my_ldap_container id openldap

For more information about Docker data volumes, please refer to:

https://docs.docker.com/engine/tutorials/dockervolumes/

Edit your server configuration

Do not edit slapd.conf; it is not used. To modify your server configuration, use the ldap utils: ldapmodify / ldapadd / ldapdelete

Seed ldap database with ldif

This image can load ldif files at startup with either ldapadd or ldapmodify. Mount .ldif files in the /service/slapd/assets/config/bootstrap/ldif directory if you want to overwrite the image's default bootstrap ldif files, or in /service/slapd/assets/config/bootstrap/ldif/custom (recommended) to extend the image config.

Files containing a changeType: attribute are loaded with ldapmodify; all others are loaded with ldapadd.

The startup script performs some substitutions in bootstrap ldif files. The following substitutions are supported:

  • {{ LDAP_BASE_DN }}
  • {{ LDAP_BACKEND }}
  • {{ LDAP_DOMAIN }}
  • {{ LDAP_READONLY_USER_USERNAME }}
  • {{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}

Other {{ * }} substitutions are left unchanged.

Since the startup script modifies the ldif files in place, add the --copy-service argument to the entrypoint if you do not want your mounted files to be overwritten.

# single file example:
docker run \
	--volume ./bootstrap.ldif:/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif \
	semhoun/openldap:latest --copy-service

# directory example:
docker run \
	--volume ./ldif:/service/slapd/assets/config/bootstrap/ldif/custom \
	semhoun/openldap:latest --copy-service
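The substitution and tool-selection rules above, as an added example that is not the image's own startup script: a small POSIX shell implementation using only sed and grep, with a constructed sample ldif. The five LDAP_* variables are assumed to be exported already, and the CUSTOM_THING placeholder is made up to show an unsupported substitution passing through untouched.

```shell
#!/bin/sh
# Added example, not the image's own startup script. It reproduces the documented
# bootstrap behaviour for one ldif file: the five supported {{ ... }} placeholders
# are replaced from the environment, any other {{ * }} is left untouched, and the
# tool is chosen by the presence of a changeType: attribute.
# Assumes the five LDAP_* variables below are already exported.
# Values containing |, & or \ would need escaping for sed (not handled here).

# Print the file with the supported placeholders replaced.
substitute_ldif() {
  sed \
    -e "s|{{ LDAP_BASE_DN }}|${LDAP_BASE_DN:-}|g" \
    -e "s|{{ LDAP_BACKEND }}|${LDAP_BACKEND:-}|g" \
    -e "s|{{ LDAP_DOMAIN }}|${LDAP_DOMAIN:-}|g" \
    -e "s|{{ LDAP_READONLY_USER_USERNAME }}|${LDAP_READONLY_USER_USERNAME:-}|g" \
    -e "s|{{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}|${LDAP_READONLY_USER_PASSWORD_ENCRYPTED:-}|g" \
    "$1"
}

# Print the ldap tool the image would use for this file: ldapmodify if it
# contains a changeType: attribute (matched case-insensitively), else ldapadd.
ldif_tool() {
  if grep -qi '^changetype:' "$1"; then echo ldapmodify; else echo ldapadd; fi
}

# Write a constructed sample bootstrap ldif (a read-only user entry) to "$1".
write_sample_ldif() {
  cat > "$1" <<'EOF'
dn: cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: {{ LDAP_READONLY_USER_USERNAME }}
userPassword: {{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}
description: {{ CUSTOM_THING }} is not a supported placeholder and stays as-is
EOF
}

# Demo when run directly: substitute the sample file and show which tool applies.
f=$(mktemp)
write_sample_ldif "$f"
substitute_ldif "$f"
echo "tool: $(ldif_tool "$f")"
rm -f "$f"
```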

Seed from internal path

This image can load ldif and schema files at startup from an internal path. Additionally, certificates can be copied from an internal path. This is useful when a continuous integration service automatically mounts the working copy (sources) into a docker service associated with the CI job.

For example: GitLab cannot mount custom paths into the docker services of a CI job, but it automatically mounts the working copy in every service container. So the working copy (sources) is accessible under /builds in every service of a CI job. The path to the working copy can be obtained via ${CI_PROJECT_DIR}. See also: https://docs.gitlab.com/runner/executors/docker.html#build-directory-in-service

This may also work with other CI services, provided they automatically mount the working directory into the services of a CI job as GitLab CI does.

To seed ldif or schema files from an internal path, set the environment variable LDAP_SEED_INTERNAL_LDIF_PATH and/or LDAP_SEED_INTERNAL_SCHEMA_PATH. When set, any files in the specified directory are copied into the default seeding directories of this image.

Example variables defined in gitlab-ci.yml:

variables:
  LDAP_SEED_INTERNAL_LDIF_PATH: "${CI_PROJECT_DIR}/docker/openldap/ldif"
  LDAP_SEED_INTERNAL_SCHEMA_PATH: "${CI_PROJECT_DIR}/docker/openldap/schema"

Use an existing ldap database

This can be achieved by mounting host directories as volumes. Assuming you have an LDAP database on your docker host in the directory /data/slapd/database and the corresponding LDAP config files in the directory /data/slapd/config, simply mount these directories as volumes on /var/lib/ldap and /etc/ldap/slapd.d:

docker run \
	--volume /data/slapd/database:/var/lib/ldap \
	--volume /data/slapd/config:/etc/ldap/slapd.d \
	--detach semhoun/openldap:latest

You can also use data volume containers. Please refer to:

https://docs.docker.com/engine/tutorials/dockervolumes/

Note: by default this image expects an mdb database backend; if you want to use any other database backend, set the backend type via the LDAP_BACKEND environment variable.

Fix docker mounted file problems

You may have problems with mounted files on some systems. The startup script tries to adjust files and fix file owners and permissions, which can result in multiple errors. See the Docker documentation.

To fix that, run the container with the --copy-service argument:

	docker run [your options] semhoun/openldap:latest --copy-service

Debug

The container default log level is info. Available levels are: none, error, warning, info, debug and trace.

Example command to run the container in debug mode:

docker run --detach semhoun/openldap:latest --loglevel debug

See all command line options:

docker run semhoun/openldap:latest --help

Environment Variables

Environment variables defaults are set in image/environment/default.yaml and image/environment/default.startup.yaml.

See how to set your own environment variables

Default.yaml

Variables defined in this file are available at anytime in the container environment.

General container configuration:

Default.startup.yaml

Variables defined in this file are only available during the container's first start, in startup files. The file is deleted right after the startup files have been processed for the first time, after which these values are no longer available in the container environment.

This helps to keep your container configuration secret. If you do not mind, all environment variables can be defined in default.yaml and everything will work fine.

Required and used for new ldap server only:

  • LDAP_ORGANISATION: Organisation name. Defaults to Example Inc.
  • LDAP_DOMAIN: LDAP domain. Defaults to example.org
  • LDAP_BASE_DN: LDAP base DN. If empty, automatically set from the LDAP_DOMAIN value. Defaults to (empty)
  • LDAP_ADMIN_PASSWORD: LDAP admin password. Defaults to admin
  • LDAP_CONFIG_PASSWORD: LDAP config password. Defaults to config
  • LDAP_READONLY_USER: Add a read-only user. Defaults to false
    Note: the read-only user does have write access to its own password.
  • LDAP_READONLY_USER_USERNAME: Read-only user username. Defaults to readonly
  • LDAP_READONLY_USER_PASSWORD: Read-only user password. Defaults to readonly
  • LDAP_RFC2307BIS_SCHEMA: Use the rfc2307bis schema instead of the nis schema. Defaults to false

Backend:

Other environment variables:

  • KEEP_EXISTING_CONFIG: Do not change the ldap config. Defaults to false
    • if set to true with an existing database, config will remain unchanged. Image tls and replication config will not be run. The container can be started with LDAP_ADMIN_PASSWORD and LDAP_CONFIG_PASSWORD empty or filled with fake data.
    • if set to true when bootstrapping a new database, bootstrap ldif and schema will not be added and tls and replication config will not be run.
  • LDAP_REMOVE_CONFIG_AFTER_SETUP: delete config folder after setup. Defaults to true
  • HOSTNAME: set the hostname of the running openldap server. Defaults to whatever docker creates.
  • DISABLE_CHOWN: do not perform any chown to fix file ownership. Defaults to false
  • LDAP_OPENLDAP_UID: runtime docker user uid to run container as
  • LDAP_OPENLDAP_GID: runtime docker user gid to run container as

Set your own environment variables

Use command line argument

Environment variables can be set by adding the --env argument in the command line, for example:

docker run \
	--env LDAP_ORGANISATION="My company" \
	--env LDAP_DOMAIN="my-company.com" \
	--env LDAP_ADMIN_PASSWORD="JonSn0w" \
	--detach semhoun/openldap:latest

Be aware that environment variables added on the command line remain available at any time inside the container. In this example, anyone who manages to open a terminal in the container can read the admin password in clear text from the environment.

Link environment file

For example, if your environment files my-env.yaml and my-env.startup.yaml are in /data/ldap/environment:

docker run \
	--volume /data/ldap/environment:/container/environment/01-custom \
	--detach semhoun/openldap:latest

Take care to link your environment files folder to /container/environment/XX-somedir (with XX < 99, so they are processed before the default environment files) and not directly to /container/environment, because that directory contains predefined baseimage environment files that fix the container environment (INITRD, LANG, LANGUAGE and LC_CTYPE).

Note: the container tries to delete the *.startup.yaml file once the startup files have run, so the file will also be deleted on the docker host. To prevent that, mount the folder read-only with --volume /data/ldap/environment:/container/environment/01-custom:ro, or set all variables in the *.yaml file and do not use *.startup.yaml:

docker run \
	--volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \
	--detach semhoun/openldap:latest

Docker Secrets

As an alternative to passing sensitive information via environment variables, _FILE may be appended to the listed variables, causing the startup.sh script to load the values of those variables from files present in the container. This is particularly useful for loading passwords through the Docker secrets mechanism. For example:

docker run \
	--env LDAP_ORGANISATION="My company" \
	--env LDAP_DOMAIN="my-company.com" \
	--env LDAP_ADMIN_PASSWORD_FILE=/run/secrets/authentication_admin_pw \
	--detach semhoun/openldap:1.2.4

Currently this is only supported for LDAP_ADMIN_PASSWORD, LDAP_CONFIG_PASSWORD and LDAP_READONLY_USER_PASSWORD.
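The _FILE lookup described above, as an added example written here rather than taken from the image's startup.sh: it resolves the three supported variables, rejects the case where both VAR and VAR_FILE are set (so a stray plaintext value cannot silently win over the secret file), and removes the _FILE path from the environment once the secret has been read. The file path used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not the image's startup.sh. For each supported variable VAR:
# if VAR_FILE is set, the file's contents (trailing newline stripped) become VAR.
# Setting both VAR and VAR_FILE is treated as a configuration error.

# Resolve one variable by name. Returns 1 on conflict or unreadable file.
resolve_file_var() {
  var="$1"
  eval "val=\${$var:-}"
  eval "file=\${${var}_FILE:-}"
  if [ -n "$file" ]; then
    if [ -n "$val" ]; then
      echo "error: both $var and ${var}_FILE are set" >&2
      return 1
    fi
    if [ ! -r "$file" ]; then
      echo "error: ${var}_FILE=$file is not readable" >&2
      return 1
    fi
    val=$(cat "$file")          # $(...) strips trailing newlines
    export "$var=$val"
    unset "${var}_FILE"         # do not leave the path in the environment
  fi
}

# Resolve the three variables the page lists as supported.
resolve_all_secrets() {
  for v in LDAP_ADMIN_PASSWORD LDAP_CONFIG_PASSWORD LDAP_READONLY_USER_PASSWORD; do
    resolve_file_var "$v" || return 1
  done
}

# Demo when run directly, with a constructed secret file instead of /run/secrets.
demo=$(mktemp)
printf 'demo-only-password\n' > "$demo"
LDAP_ADMIN_PASSWORD_FILE="$demo" resolve_all_secrets \
  && echo "LDAP_ADMIN_PASSWORD resolved (${#LDAP_ADMIN_PASSWORD} chars)"
rm -f "$demo"
```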

Make your own image or extend this image

This is the best solution if you have a private registry. Please refer to the Advanced User Guide just below.

Advanced User Guide

Extend semhoun/openldap:latest image

If you need to add your custom TLS certificate, bootstrap config or environment files, the easiest way is to extend this image.

Dockerfile example:

FROM semhoun/openldap
MAINTAINER Your Name <your@name.com>

ADD bootstrap /container/service/slapd/assets/config/bootstrap
ADD environment /container/environment/01-custom

See complete example in example/extend-semhoun-openldap

Warning: if you want to install new packages from the Debian repositories, note that this image is configured to prevent documentation and locales from being installed. If you need the docs and locales, remove the following files: /etc/dpkg/dpkg.cfg.d/01_nodoc and /etc/dpkg/dpkg.cfg.d/01_nolocales

Changelog

Please refer to: CHANGELOG.md
