docker-openldap
===============

The image is based on Alpine Linux. The Dockerfile is inspired by
[cnry/openldap](https://registry.hub.docker.com/u/cnry/openldap/), but aims to be
a little less verbose and more complete in its configuration.

NOTE: On purpose, there is no secured channel (TLS/SSL), because I believe that
this service should never be exposed to the internet, but only be used directly
by other Docker containers using the `--link` option. Keep in mind that without
TLS a simple bind sends the password in cleartext, so only publish port `389`
(as the quick-start example below does) on a network you trust.

Usage
-----

The simplest form is to start the container like so (however, this is not the
recommended way; see below):

```
docker run -d -p 389:389 -e SLAPD_PASSWORD=mysecretpassword -e SLAPD_DOMAIN=ldap.example.org danielguerra/alpine-openldap
```

To get the full potential this image offers, one should first create a data-only
container (see "Data persistence" below) and then start the OpenLDAP daemon as
follows. On the very first run the required environment variables from
"Configuration" below must be passed as well:

```
docker run -d --name openldap --volumes-from your-data-container -e SLAPD_PASSWORD=mysecretpassword -e SLAPD_DOMAIN=ldap.example.org danielguerra/alpine-openldap
```

An application talking to OpenLDAP should then `--link` the container:

```
docker run -d --link openldap:openldap image-using-openldap
```

The name after the colon in the `--link` option is the hostname under which the
linked application reaches the OpenLDAP daemon (on the default port `389`).

Configuration (environment variables)
-------------------------------------

For the first run, one has to set at least the first two environment variables.
After the first start of the image (and the initial configuration), these
environment variables are not evaluated again; in particular, changing
`SLAPD_PASSWORD` on a later run does not change the admin password that was
written to the configuration on the first run.

* `SLAPD_PASSWORD` (required) - sets the password for the `admin` user, i.e. the
  rootdn `cn=admin,<dc parts>` (for the domain below: `cn=admin,dc=ldap,dc=example,dc=org`).
* `SLAPD_DOMAIN` (required) - sets the DC (domain component) parts. E.g. if one sets
  it to `ldap.example.org`, the generated base DN would be `dc=ldap,dc=example,dc=org`.
* `SLAPD_ORGANIZATION` (defaults to `$SLAPD_DOMAIN`) - represents the human-readable
  company name (e.g. `Example Inc.`).
* `SLAPD_CONFIG_PASSWORD` - sets a password for access to the `cn=config`
  branch. This allows reconfiguring the server at runtime without interruption
  (read the [official documentation](http://www.openldap.org/doc/admin24/guide.html#Configuring%20slapd)).
* `SLAPD_ADDITIONAL_SCHEMAS` - comma-separated list of additional schemas shipped
  with the `slapd` package that are not loaded by default. As of writing these
  instructions, the following additional schemas are available: `collective`,
  `corba`, `duaconf`, `dyngroup`, `java`, `misc`, `openldap`, `pmi` and `ppolicy`.
* `SLAPD_ADDITIONAL_MODULES` - comma-separated list of modules to load. For each
  entry, the `.ldif` file with the corresponding name from the `modules` directory
  is applied. Currently only `memberof` and `ppolicy` are available.

### Setting up ppolicy

The ppolicy module provides enhanced password management capabilities (password
expiry, history and lockout after failed binds) that are applied to non-rootdn
bind attempts in OpenLDAP; the `admin` rootdn is not subject to it. In order to
use it, one has to load both the schema `ppolicy` and the module `ppolicy`, e.g.:

```
docker run -d --name openldap --volumes-from your-data-container -e SLAPD_PASSWORD=mysecretpassword -e SLAPD_DOMAIN=ldap.example.org -e SLAPD_ADDITIONAL_SCHEMAS=ppolicy -e SLAPD_ADDITIONAL_MODULES=ppolicy danielguerra/alpine-openldap
```

There is one additional environment variable available:

* `SLAPD_PPOLICY_DN_PREFIX` (defaults to `cn=default,ou=policies`) - sets the DN
  prefix used in `modules/ppolicy.ldif` for the `olcPPolicyDefault` attribute. The
  value used for `olcPPolicyDefault` is `$SLAPD_PPOLICY_DN_PREFIX,<dc parts from
  $SLAPD_DOMAIN>`, i.e. `cn=default,ou=policies,dc=ldap,dc=example,dc=org` for
  the domain used above.

After loading the module, you have to add the default password policy entry under
that DN yourself (the module only references the DN; the policy values live in the
entry). Assuming you are on a host that has the OpenLDAP client tools installed
(adjust the host in the URI if needed):

```
ldapadd -H ldap://localhost -x -c -D 'cn=admin,dc=ldap,dc=example,dc=org' -W -f default-policy.ldif
```

`-W` prompts for `$SLAPD_PASSWORD`. `-w <password>` works as well, but leaves the
password visible in the process list and in the shell history.

The contents of `default-policy.ldif` should look something like this:

```
# Define password policy
dn: ou=policies,dc=ldap,dc=example,dc=org
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=ldap,dc=example,dc=org
objectClass: applicationProcess
objectClass: pwdPolicy
cn: default
# users may change their own password
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
# 1: check quality, but accept values the server cannot check (pre-hashed)
pwdCheckQuality: 1
# 7 days
pwdExpireWarning: 604800
# 0: failure count is only reset by a successful bind
pwdFailureCountInterval: 0
# 0: no binds allowed with an expired password
pwdGraceAuthNLimit: 0
# reject reuse of the last 5 passwords
pwdInHistory: 5
pwdLockout: TRUE
# 30 minutes
pwdLockoutDuration: 1800
# 180 days
pwdMaxAge: 15552000
# lock the account after 5 consecutive failed binds
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 6
# force a change after an administrative password reset
pwdMustChange: TRUE
# old password need not be supplied when changing it
pwdSafeModify: FALSE
```
See the [docs](http://www.zytrax.com/books/ldap/ch6/ppolicy.html) for descriptions
of the available attributes and what they mean.
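
The following Python script is an added example and not code from the image or
from OpenLDAP. It implements the `SLAPD_DOMAIN` to DC-parts mapping and the
`olcPPolicyDefault` derivation described under "Configuration" and "Setting up
ppolicy", renders the `default-policy.ldif` shown above for any domain and prefix,
and flags combinations of `pwd*` values that silently weaken the policy (for
instance `pwdLockout: TRUE` together with `pwdMaxFailure: 0`, which never locks
an account, or `pwdCheckQuality: 0`, which also disables `pwdMinLength`). The
function names and the threshold of 8 characters for `pwdMinLength` are choices
made for this example.

```python
"""Derive the base DN and the ppolicy default DN the way the README describes,
render a default-policy.ldif for that domain, and lint the policy values.

Added example for this README; not code from the image or from OpenLDAP.
Function names and the pwdMinLength threshold of 8 are choices made here.
Standard library only, so it runs offline.
"""
import re

# Values copied from the default-policy.ldif shown above.
DEFAULT_POLICY = {
    "pwdAllowUserChange": "TRUE",
    "pwdAttribute": "userPassword",
    "pwdCheckQuality": 1,
    "pwdExpireWarning": 604800,    # 7 days
    "pwdFailureCountInterval": 0,
    "pwdGraceAuthNLimit": 0,
    "pwdInHistory": 5,
    "pwdLockout": "TRUE",
    "pwdLockoutDuration": 1800,    # 30 minutes
    "pwdMaxAge": 15552000,         # 180 days
    "pwdMaxFailure": 5,
    "pwdMinAge": 0,
    "pwdMinLength": 6,
    "pwdMustChange": "TRUE",
    "pwdSafeModify": "FALSE",
}

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def domain_to_dc(domain):
    """SLAPD_DOMAIN -> base DN, e.g. 'ldap.example.org' -> 'dc=ldap,dc=example,dc=org'."""
    labels = domain.strip().strip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a valid domain name: %r" % domain)
    return ",".join("dc=%s" % label for label in labels)


def ppolicy_default_dn(domain, prefix="cn=default,ou=policies"):
    """olcPPolicyDefault as described above: $SLAPD_PPOLICY_DN_PREFIX,<dc parts>."""
    return "%s,%s" % (prefix, domain_to_dc(domain))


def render_policy_ldif(domain, prefix="cn=default,ou=policies", policy=None):
    """Render the ou entry and the pwdPolicy entry that ldapadd loads.
    Only prefixes of the form cn=<name>,ou=<unit> (like the default) are handled."""
    policy = DEFAULT_POLICY if policy is None else policy
    base = domain_to_dc(domain)
    parts = prefix.split(",")
    if len(parts) != 2 or not parts[0].startswith("cn=") or not parts[1].startswith("ou="):
        raise ValueError("prefix must look like cn=<name>,ou=<unit>: %r" % prefix)
    lines = [
        "# Define password policy",
        "dn: %s,%s" % (parts[1], base),
        "objectClass: organizationalUnit",
        "ou: %s" % parts[1][3:],
        "",
        "dn: %s,%s" % (prefix, base),
        "objectClass: applicationProcess",
        "objectClass: pwdPolicy",
        "cn: %s" % parts[0][3:],
    ]
    lines += ["%s: %s" % (name, value) for name, value in policy.items()]
    return "\n".join(lines) + "\n"


def check_policy(policy):
    """Return the problems that make a policy weaker than it looks.
    The first three rules are constraints from the LDAP password-policy draft
    that slapo-ppolicy implements; the last two are hardening opinions."""
    problems = []
    if policy.get("pwdLockout") == "TRUE" and int(policy.get("pwdMaxFailure", 0)) == 0:
        problems.append("pwdLockout is TRUE but pwdMaxFailure is 0, so lockout never triggers")
    max_age = int(policy.get("pwdMaxAge", 0))
    if max_age and int(policy.get("pwdExpireWarning", 0)) >= max_age:
        problems.append("pwdExpireWarning must be smaller than pwdMaxAge")
    if max_age and int(policy.get("pwdMinAge", 0)) > max_age:
        problems.append("pwdMinAge is larger than pwdMaxAge")
    if int(policy.get("pwdCheckQuality", 0)) == 0:
        problems.append("pwdCheckQuality 0 disables quality checks, including pwdMinLength")
    if int(policy.get("pwdMinLength", 0)) < 8:
        problems.append("pwdMinLength below 8 allows very short passwords")
    return problems


if __name__ == "__main__":
    print(render_policy_ldif("ldap.example.org"))
    for problem in check_policy(DEFAULT_POLICY):
        print("WARNING:", problem)
```

Running it prints the LDIF for `ldap.example.org` and warns that the policy above
only requires 6 characters; once the values suit your environment, save the output
as `default-policy.ldif` and load it with the `ldapadd` command shown above.
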

## Data persistence

The image exposes two directories (`VOLUME ["/etc/openldap", "/var/lib/openldap"]`).
The first holds the "static" configuration while the second holds the actual
database. Please make sure that these two directories are preserved (in a data-only
container or alike) so that everything is restored after a restart of the
container. Protect them accordingly: the configuration contains the `olcRootPW`
of the `admin` user and the database contains every entry, including the users'
`userPassword` values.