OpenLDAP based on Alpine Linux
gitphill/ldap-alpine
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
This image is based on Alpine Linux and OpenLDAP.
Override the following environment variables when running the docker container to customise LDAP:
| VARIABLE | DESCRIPTION | DEFAULT |
|---|---|---|
| ORGANISATION_NAME | Organisation name | Example Ltd |
| SUFFIX | Organisation distinguished name | dc=example,dc=com |
| ROOT_USER | Root username | admin |
| ROOT_PW | Root password | password |
| USER_UID | Initial user's uid | pgarrett |
| USER_GIVEN_NAME | Initial user's given name | Phill |
| USER_SURNAME | Initial user's surname | Garrett |
| USER_EMAIL | Initial user's email | pgarrett@example.com |
| USER_PW | Initial user's password | password |
| ACCESS_CONTROL | Global access control | access to * by * read |
| LOG_LEVEL | LDAP logging level, see below for valid values. | stats |
For example:
```sh
docker run -t -p 389:389 \
  -e ORGANISATION_NAME="Beispiel gmbh" \
  -e SUFFIX="dc=beispiel,dc=de" \
  -e ROOT_PW="geheimnis" \
  pgarrett/ldap-alpine
```
Search for user:
```sh
ldapsearch -x -b "dc=beispiel,dc=de" "uid=pgarrett"
```
Valid values for LOG_LEVEL:

| NAME | DESCRIPTION |
|---|---|
| any | enable all debugging (warning! lots of messages will be output) |
| trace | trace function calls |
| packets | debug packet handling |
| args | heavy trace debugging |
| conns | connection management |
| BER | print out packets sent and received |
| filter | search filter processing |
| config | configuration processing |
| ACL | access control list processing |
| stats | stats log connections/operations/results |
| stats2 | stats log entries sent |
| shell | print communication with shell backends |
| parse | print entry parsing debugging |
| sync | syncrepl consumer processing |
| none | only messages that get logged whatever log level is set |
`*.ldif` files can be used to add lots of people to the organisation on startup.
Copy ldif files to `/ldif` and the container will execute them. This can be done either by extending this Dockerfile with your own:

```dockerfile
FROM pgarrett/ldap-alpine
COPY my-users.ldif /ldif/
```
Or by mounting your scripts directory into the container:
```sh
docker run -t -p 389:389 -v /my-ldif:/ldif pgarrett/ldap-alpine
```
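An added example of such a file (constructed for this page, not shipped with the image): it creates two users under the default `SUFFIX` `dc=example,dc=com`, assuming user entries live under `ou=Users` (the DN shape used by the bind example at the end of this README) and that `inetOrgPerson` is an acceptable object class for them.

```ldif
# Constructed example: my-users.ldif, copied or mounted into /ldif.
# Assumes the default SUFFIX (dc=example,dc=com) and that users sit under
# ou=Users, matching the bind DN uid=pgarrett,ou=Users,dc=example,dc=com.
# Entries are separated by a blank line; inetOrgPerson requires cn and sn.
dn: uid=asmith,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
givenName: Alice
sn: Smith
cn: Alice Smith
mail: asmith@example.com
# Store a hash rather than the clear-text password: generate it with
#   slappasswd -s 'the-password'
# and paste the {SSHA}... output here (placeholder shown).
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT

dn: uid=bjones,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjones
givenName: Bob
sn: Jones
cn: Bob Jones
mail: bjones@example.com
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
```

If you override `SUFFIX`, every `dn:` line must use the same base or the entries will fail to add.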
The container uses a standard mdb backend. To persist this database outside the container mount `/var/lib/openldap/openldap-data`. For example:

```sh
docker run -t -p 389:389 -v /my-backup:/var/lib/openldap/openldap-data pgarrett/ldap-alpine
```
The container can be started using the encrypted LDAPS protocol. You must provide all three TLS environment variables.
| VARIABLE | DESCRIPTION | EXAMPLE |
|---|---|---|
| CA_FILE | PEM-format file containing certificates for the CAs that slapd will trust | /etc/ssl/certs/ca.pem |
| KEY_FILE | The slapd server private key | /etc/ssl/certs/public.key |
| CERT_FILE | The slapd server certificate | /etc/ssl/certs/public.crt |
| TLS_VERIFY_CLIENT | Slapd option for client certificate verification | try, never, demand |
Note these variables inform the entrypoint script (executed on startup) where to find the SSL certificates inside the container. So the certificates must also be mounted at runtime too, for example:

```sh
docker run -t -p 389:389 \
  -v /my-certs:/etc/ssl/certs \
  -e CA_FILE=/etc/ssl/certs/ca.pem \
  -e KEY_FILE=/etc/ssl/certs/public.key \
  -e CERT_FILE=/etc/ssl/certs/public.crt \
  pgarrett/ldap-alpine
```
Where `/my-certs` on the host contains the three certificate files `ca.pem`, `public.key` and `public.crt`.

To disable client certificates set `TLS_VERIFY_CLIENT` to `never` or `try`.
Global access to your directory can be configured via the ACCESS_CONTROL environment variable.
The default policy allows anyone and everyone to read anything but restricts updates to rootdn.
```
access to * by * read
```
Note rootdn can always read and write everything!

You can find detailed documentation on access control here: https://www.openldap.org/doc/admin24/access-control.html
The following access control allows the user to modify their entry, allows anonymous to authenticate against these entries, and allows all others to read these entries:

```sh
docker run -t -p 389:389 \
  -e ACCESS_CONTROL="access to * by self write by anonymous auth by users read" \
  pgarrett/ldap-alpine
```
Now `ldapsearch -x -b "dc=example,dc=com" "uid=pgarrett"` will return no results.
In order to search you will need to authenticate (bind) first:
```sh
ldapsearch -D "uid=pgarrett,ou=Users,dc=example,dc=com" -w password -b "dc=example,dc=com" "uid=pgarrett"
```